Re: Ingress filter is overly aggressive

[Andy Furniss <andyqos@ukfsn.org>]

Neil Aggarwal wrote:
> Hello:
>
> I have these rules set up for an interface:
>
> IP=a.b.c.d
> DEV=v1208
> /sbin/tc qdisc del dev $DEV root
> /sbin/tc qdisc add dev $DEV root handle 1: htb default 30
> /sbin/tc class add dev $DEV parent 1: classid 1:1 htb rate 5mbit
> /sbin/tc class add dev $DEV parent 1: classid 1:2 htb rate 5mbit
> /sbin/tc filter add dev $DEV protocol ip parent 1:0 prio 1 u32 match ip dst
> $IP flowid 1:1
> /sbin/tc filter add dev $DEV protocol ip parent 1:0 prio 1 u32 match ip src
> $IP flowid 1:2
> /sbin/tc qdisc del dev $DEV ingress
> /sbin/tc qdisc add dev $DEV ingress handle ffff:
> /sbin/tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip
> src 0.0.0.0/0 police rate 5mbit burst 500k drop flowid :1
>
> According to these rules, the ingress police rate should be 5 mbit/sec, but
> I am barely
> getting 50 kbits/sec through the interface.
>
> If I remove the filter, the interface operates at full line rate.
>
> Any ideas why the ingress filter is being so aggressive?

Hmm, I just tested and got the same.

It seems the problem is that you don't specify mtu adding mtu 3100 fixed 
for me.

I think there is an issue with policer and kernel receive offload - 
which on my box at least makes it look like double size packets are 
arriving (you can turn it off with ethtool).

Last time I looked with ifb it seemed that anything on that actually saw 
the packets as normal size (1514 on eth).

Testing above policer with mtu 1600 doesn't work though (well it works 
slowly as I guess tcp is eventually beaten into sending one packet at a 
time), so it seems policer is seeing double size phony packets as mtu 
3100 does work.

Policers can be over aggresive even when working eg. though 500k burst 
seemed to work for one file testing on 100mbit eth I don't know if It 
would be too big for many connections - but then setting too small is 
also likely to hurt - needs lots of testing with real workloads I guess.