ACL: Bandwidth limitation in both directions


I'm trying to rate limit a port via an ACL. This is working fine for the input flow with this rule:

-A FORWARD -i swp4 -j POLICE --set-mode KB --set-rate 1024 --set-burst 1 --set-class 0

However, this works only in one direction, so I tried this:

-A FORWARD -o swp4 -j POLICE --set-mode KB --set-rate 51024 --set-burst 1 --set-class 0

But I get the following error when I try to apply rules:

Reading rule file /etc/cumulus/acl/policy.d/00control_plane.rules ...
Processing rules in file /etc/cumulus/acl/policy.d/00control_plane.rules ...
Reading rule file /etc/cumulus/acl/policy.d/40ratelimit_internet.rules ...
Processing rules in file /etc/cumulus/acl/policy.d/40ratelimit_internet.rules ...
Reading rule file /etc/cumulus/acl/policy.d/99control_plane_catch_all.rules ...
Processing rules in file /etc/cumulus/acl/policy.d/99control_plane_catch_all.rules ...
Installing acl policy
error: hw sync failed (sync_acl hardware installation failed)
Rolling back ..

I also tried with ebtables, but I get the same behavior.

How can I rate limit the bandwidth on a port in both directions?

I have Cumulus 3.7.2 on an S3048ON.

Thanks for your help!


@mcuony_arcanite is the source of the outbound traffic a bridge? And is the rule applied to the bridge? In the ACL docs, under Where to Assign Rules, is this caveat:

"When using the OUTPUT chain, rules must be assigned to the source. For example, if a rule is assigned to the switch port in the direction of traffic but the source is a bridge (VLAN), the traffic is not affected by the rule and must be applied to the bridge."

Let me know if this helps.

The source is a bridge, yes, but I'm in the FORWARD chain, not the OUTPUT chain, so I ignored this 😉

However I tried just in case and it fixed my problem. It didn't work using the bridge as the source port, but if I set this:

-A FORWARD -i swp+ -o swp4 -j POLICE --set-mode KB --set-rate 51024 --set-burst 1 --set-class 0

It works 😉

So it just seems the in interface must be set, and setting it to all ports fixes the problem. Maybe the documentation should be updated?

I'm not sure if the limit will be enforced per port to swp4 or on the sum of all ports to swp4, but it's enough in my case.

Thanks a lot!
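Added example, not part of this thread and not Cumulus Linux code: a small linter that flags the pitfall found above before a rules file is applied. It assumes exactly what the thread reports, that a FORWARD rule naming an output interface (-o) but no input interface (-i) fails hardware sync, while adding "-i swp+" lets it install; the sample policy.d file is constructed from the rule lines posted in the thread.

```python
"""Lint Cumulus-style ACL rule lines for FORWARD rules that set -o without -i.

Assumption (taken from the thread above, not from vendor docs): such a rule
fails 'hw sync' on this platform, while the same rule with '-i swp+' installs.
"""
import shlex
from typing import Dict, List, Tuple, Union


def parse_rule(line: str) -> Dict[str, Union[str, bool]]:
    """Map each option of an iptables-style rule line to its value (True if flag only)."""
    toks = shlex.split(line)
    opts: Dict[str, Union[str, bool]] = {}
    i = 0
    while i < len(toks):
        if toks[i].startswith("-"):
            key, vals, i = toks[i], [], i + 1
            while i < len(toks) and not toks[i].startswith("-"):
                vals.append(toks[i])
                i += 1
            opts[key] = " ".join(vals) if vals else True
        else:
            i += 1
    return opts


def lint_rule(line: str) -> List[str]:
    """Return warnings for one rule line; an empty list means no findings."""
    o = parse_rule(line)
    if o.get("-A") == "FORWARD" and "-o" in o and "-i" not in o:
        return ["FORWARD rule sets -o but no -i: hw sync will fail; "
                "add '-i swp+' (or the real ingress ports)"]
    return []


def lint_policy(text: str) -> List[Tuple[int, str]]:
    """Lint a policy.d-style file, skipping blanks, comments and [section] headers."""
    findings: List[Tuple[int, str]] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("["):
            continue
        findings.extend((n, w) for w in lint_rule(line))
    return findings


# Constructed sample in policy.d format, built from the rules posted in the thread.
SAMPLE = """[iptables]
-A FORWARD -i swp4 -j POLICE --set-mode KB --set-rate 1024 --set-burst 1 --set-class 0
-A FORWARD -o swp4 -j POLICE --set-mode KB --set-rate 51024 --set-burst 1 --set-class 0
-A FORWARD -i swp+ -o swp4 -j POLICE --set-mode KB --set-rate 51024 --set-burst 1 --set-class 0
"""

if __name__ == "__main__":
    for n, w in lint_policy(SAMPLE):
        print(f"line {n}: {w}")  # only line 3 (the -o-only rule) is reported
```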
D'oh! I knew that didn't sound right! But it still works. Let me run it by engineering and see what's going on, and update the docs if need be. Thanks for trying it out.