Solved

ACL: Bandwidth limitation in both directions

  • 13 December 2018
  • 7 replies
  • 524 views

Hello,

I'm trying to rate limit a port via an ACL. This is working fine for the input flow with this rule:

code:
-A FORWARD -i swp4 -j POLICE --set-mode KB --set-rate 1024 --set-burst 1 --set-class 0


However, this works only in one direction, so I tried this:

code:
-A FORWARD -o swp4 -j POLICE --set-mode KB --set-rate 51024 --set-burst 1 --set-class 0


But I get the following error when I try to apply rules:

Reading rule file /etc/cumulus/acl/policy.d/00control_plane.rules ...
Processing rules in file /etc/cumulus/acl/policy.d/00control_plane.rules ...
Reading rule file /etc/cumulus/acl/policy.d/40ratelimit_internet.rules ...
Processing rules in file /etc/cumulus/acl/policy.d/40ratelimit_internet.rules ...
Reading rule file /etc/cumulus/acl/policy.d/99control_plane_catch_all.rules ...
Processing rules in file /etc/cumulus/acl/policy.d/99control_plane_catch_all.rules ...
Installing acl policy
error: hw sync failed (sync_acl hardware installation failed)
Rolling back ..
failed.


I also tried with ebtables, but I get the same behavior.

How can I rate limit the bandwidth on a port in both directions?

I have cumulus 3.7.2 on a S3048ON.

Thanks for your help!

Best answer by mcuony_arcanite 29 January 2019, 09:42

Hello,

Sorry, we found the issue and I forgot to update the topic :/

The setup is using an MLAG (2 interfaces on 2 switches). Only one interface per switch is connected.

I applied two rules on the two ports, which resulted in the outgoing traffic not being rate limited (but the incoming one was OK).

I was assuming it should be working, especially since there was only one interface connected. (Minus the traffic on the other switch with its own policies, of course.)

Applying the rule on the bond of the two interfaces applied the rate limit in both directions, which makes sense :)

Have a nice day!

7 replies

Userlevel 4
@mcuony_arcanite is the source of the outbound traffic a bridge? And is the rule applied to the bridge? In the ACL docs, under Where to Assign Rules, is this caveat:

"When using the OUTPUT chain, rules must be assigned to the source. For example, if a rule is assigned to the switch port in the direction of traffic but the source is a bridge (VLAN), the traffic is not affected by the rule and must be applied to the bridge."

Let me know if this helps.
The source is a bridge, yes, but I'm in the FORWARD chain, not the OUTPUT chain, so I ignored this ;)

However I tried just in case and it fixed my problem. It didn't work using the bridge as the source port, but if I set this:

code:
-A FORWARD -i swp+ -o swp4 -j POLICE --set-mode KB --set-rate 51024 --set-burst 1 --set-class 0


It works ;)

So it just seems the in interface must be set, and setting it to all ports fixes the problem. Maybe the documentation should be updated?

I'm not sure whether the limit will be enforced per port to swp4 or on the sum of all ports to swp4, but it's enough in my case.

Thanks a lot!
Userlevel 4
D'oh! I knew that didn't sound right! But it still works. Let me run it by engineering and see what's going on, and update the docs if need be. Thanks for trying it out.
Hi,

I think that something fooled me into believing it worked, but it actually doesn't.

Did you receive any feedback from your engineering team?

Thanks for your help!
Userlevel 4
Hi @mcuony_arcanite, I asked engineering and they were wondering what isn't working: is the rule getting hit? Is the packet hitting some other rule? Or is the policing not happening? Any details/output/error messages you can provide here would be super helpful. Thanks!
Userlevel 4
Great, thanks for updating us @mcuony_arcanite and, more importantly, you figured it out!
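The resolution the thread reaches (police the bond rather than its member ports, so both directions are limited) as an added example; this is not code from the thread or from Cumulus. It is a POSIX shell script that generates a policy.d rules file for a bond and a small lint that flags a POLICE rule attached to a port that is a bond member, the configuration that silently left egress unlimited in this thread. Assumed: the bond name bond0 and the member list are constructed, and the [iptables] section header is the one Cumulus rules files use; the rate, burst and class values mirror the rule posted in the question.

```shell
#!/bin/sh
# Added example, not from the thread: build a Cumulus ACL rules file that polices
# a bond in both directions, plus a lint for the failure mode the thread hit.
# Assumptions: "bond0" and the member list are constructed; the [iptables]
# section header is the format used in /etc/cumulus/acl/policy.d/*.rules.

# gen_police_rules <interface> <rate_kb>: print a rules file policing both directions.
gen_police_rules() {
  iface="$1"; rate="$2"
  printf '%s\n' '[iptables]'
  # Ingress: traffic arriving on the bond (the direction the question already had working).
  printf '%s\n' "-A FORWARD -i $iface -j POLICE --set-mode KB --set-rate $rate --set-burst 1 --set-class 0"
  # Egress: traffic leaving through the bond.
  printf '%s\n' "-A FORWARD -o $iface -j POLICE --set-mode KB --set-rate $rate --set-burst 1 --set-class 0"
}

# lint_rules <file> <members>: return 1 if any POLICE rule names a bond member port
# (space-separated list in <members>) as its in or out interface. In the thread,
# such rules limited ingress but not egress on an MLAG bond.
lint_rules() {
  file="$1"; members="$2"
  status=0
  while IFS= read -r line; do
    case "$line" in
      -A*POLICE*) ;;      # only police rules are checked
      *) continue ;;
    esac
    for m in $members; do
      case " $line " in
        *" -i $m "*|*" -o $m "*)
          echo "warn: $m is a bond member; police the bond instead: $line" >&2
          status=1 ;;
      esac
    done
  done < "$file"
  return $status
}
```

Write the generated file to /etc/cumulus/acl/policy.d/40ratelimit_internet.rules (the path from the question) and install it with cl-acltool -i; run the lint on the file first so a rule on an MLAG member port is caught before the hardware sync rather than showing up as traffic that is not limited.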
