Vitale Alessandro wrote:
> I would like to test police in ingress.
> I use kernel 2.4.20.
FWIW if you try a 2.6 whether or not policers will see marks will depend
on your config - Packet action will give a new policer that hooks before
netfilter.
> I use this configuration:
>
> iptables -t mangle -A PREROUTING -i eth0 -s 10.31.12.2 -d 10.31.11.2 -p udp --dport 1001 -j MARK --set-mark 1
> iptables -t mangle -A PREROUTING -i eth0 -s 10.31.12.2 -d 10.31.11.2 -p udp --dport 1002 -j MARK --set-mark 2
> iptables -t mangle -A PREROUTING -i eth0 -s 10.31.12.2 -d 10.31.11.2 -p udp --dport 1003 -j MARK --set-mark 3
> iptables -t mangle -A PREROUTING -i eth0 -s 10.31.12.2 -d 10.31.11.2 -p udp --dport 1004 -j MARK --set-mark 4
>
> tc qdisc add dev eth0 handle ffff: ingress
> tc filter add dev eth0 parent ffff: protocol ip prio 1 handle 1 fw police rate 2500000 burst 90k drop
> tc filter add dev eth0 parent ffff: protocol ip prio 1 handle 2 fw police rate 1500000 burst 90k drop
> tc filter add dev eth0 parent ffff: protocol ip prio 1 handle 3 fw police rate 1000000 burst 90k drop
>
>
> I generate traffic with smartbits and I made this test:
> 1)len packet layer2 64 byte,
Is that actually possible on eth?
> packets per second 5500 = 2810000 bit per second
> 2)len packet layer2 1000 byte, packets per second 350 = 2800000 bit per second
>
> The 2 test is good I receive a traffic with 2500000 rate limit!
> The problem is with 1 test because I received full band 2810000 without any limit!
>
> Is there any problem with police rate? It doesn't work with small packets?
> I've to set some other useful parameter?
On eth shapers/policers will see packets as ip length +14 but there are
more overheads/mpu.
Currently you can't specify mpu/overhead for policers, it may be added
soon - but that will be 2.6s I guess.
Andy.