1Policing action in tc(8)             Linux            Policing action in tc(8)
2
3
4

NAME

6       police - policing action
7

SYNOPSIS

9       tc ... action police [ rate RATE burst BYTES[/BYTES] ] [ pkts_rate RATE
10               pkts_burst PACKETS] [ mtu BYTES[/BYTES] ] [ peakrate RATE  ]  [
11               overhead BYTES ] [ linklayer TYPE ] [ CONTROL ]
12
13       tc  ...  filter  ...  [ estimator SAMPLE AVERAGE ] action police avrate
14               RATE [ CONTROL ]
15
16       CONTROL := conform-exceed EXCEEDACT[/NOTEXCEEDACT
17
18       EXCEEDACT/NOTEXCEEDACT := { pipe | ok | reclassify | drop | continue  |
19               goto chain CHAIN_INDEX }
20

DESCRIPTION

22       The police action allows limiting of the byte or packet rate of traffic
23       matched by the filter it is attached to.
24
25       There are two different algorithms available to measure the byte  rate:
26       The  first one uses an internal dual token bucket and is configured us‐
27       ing the rate, burst, mtu, peakrate, overhead and linklayer  parameters.
28       The  second  one  uses an in-kernel sampling mechanism. It can be fine-
29       tuned using the estimator filter parameter.
30
31       There is one algorithm available to measure packet rate and it is simi‐
32       lar  to  the  first algorithm described for byte rate. It is configured
33       using the pkt_rate and pkt_burst parameters.
34
35       At least one of the rate and pkt_rate parameters must be configured.
36

OPTIONS

38       rate RATE
39              The maximum byte rate of packets passing this action. Those  ex‐
40              ceeding  it will be treated as defined by the conform-exceed op‐
41              tion.
42
43       burst BYTES[/BYTES]
44              Set the maximum allowed burst in bytes, optionally followed by a
45              slash ('/') sign and cell size which must be a power of 2.
46
47       pkt_rate RATE
48              The  maximum  packet  rate or packets passing this action. Those
49              exceeding it will be treated as defined  by  the  conform-exceed
50              option.
51
52       pkt_burst PACKETS
53              Set the maximum allowed burst in packets.
54
55       mtu BYTES[/BYTES]
56              This  is  the maximum packet size handled by the policer (larger
57              ones will be handled like they exceeded  the  configured  rate).
58              Setting this value correctly will improve the scheduler's preci‐
59              sion.  Value formatting is identical to burst above. Defaults to
60              unlimited.
61
62       peakrate RATE
63              Set the maximum bucket depletion rate, exceeding rate.
64
65       avrate RATE
66              Make  use of an in-kernel bandwidth rate estimator and match the
67              given RATE against it.
68
69       overhead BYTES
70              Account for protocol overhead of  encapsulating  output  devices
71              when computing rate and peakrate.
72
73       linklayer TYPE
74              Specify  the  link layer type.  TYPE may be one of ethernet (the
75              default), atm or adsl (which are synonyms). It is used to  align
76              the  precomputed  rate tables to ATM cell sizes, for ethernet no
77              action is taken.
78
79       estimator SAMPLE AVERAGE
80              Fine-tune the in-kernel packet rate estimator.  SAMPLE and AVER‐
81              AGE  are  time values and control the frequency in which samples
82              are taken and over what timespan an average is built.
83
84       conform-exceed EXCEEDACT[/NOTEXCEEDACT]
85              Define how to handle packets which exceed or conform the config‐
86              ured bandwidth limit. Possible values are:
87
88              continue
89                     Don't  do anything, just continue with the next action in
90                     line.
91
92              drop   Drop the packet immediately.
93
94              shot   This is a synonym to drop.
95
96              ok     Accept the packet. This is  the  default  for  conforming
97                     packets.
98
99              pass   This is a synonym to ok.
100
101              reclassify
102                     Treat  the  packet as non-matching to the filter this ac‐
103                     tion is attached to and continue with the next filter  in
104                     line (if any). This is the default for exceeding packets.
105
106              pipe   Pass the packet to the next action in line.
107

EXAMPLES

109       A  typical application of the police action is to enforce ingress traf‐
110       fic rate by dropping exceeding packets. Although  better  done  on  the
111       sender's  side, especially in scenarios with lack of peer control (e.g.
112       with dial-up providers) this is often the best one can do in  order  to
113       keep  latencies  low  under  high load. The following establishes input
114       bandwidth policing to 1mbit/s using the ingress qdisc and u32 filter:
115
116              # tc qdisc add dev eth0 handle ffff: ingress
117              # tc filter add dev eth0 parent ffff: u32 \
118                   match u32 0 0 \
119                   police rate 1mbit burst 100k
120
121       As an action can not live on it's own, there always has to be a  filter
122       involved  as  link between qdisc and action. The example above uses u32
123       for that, which is configured to effectively match any packet  (passing
124       it to the police action thereby).
125
126

SEE ALSO

128       tc(8)
129
130
131
132iproute2                          20 Jan 2015         Policing action in tc(8)
Impressum