ACL POLICE target - What does it do?


Userlevel 1
I'm wondering what the POLICE ip(6)tables target (& the equivalent 'police' ebtables target) do, more precisely.

Are they terminal rules? So, will other rules be evaluated after?

I can see three ways this could be implemented / act:

1) It's a terminal rule that will definitely decide the fate of the packets.

Packet inside traffic limit -> equivalent to ACCEPT
Packet outside traffic limit -> equivalent to DROP

2) It's a conditional 'DROP' that prevents too many packets from going through. What's outside the limit is dropped, the rest continues normal processing through all the other rules.

Packet inside traffic limit -> equivalent to no-op, packet will go through the rest of the rules
Packet outside traffic limit -> equivalent to DROP

3) It's a conditional 'ACCEPT' that ensures a given traffic will always get accepted. Whatever is above the limit goes through the rest of the rules.

Packet inside traffic limit -> equivalent to ACCEPT
Packet outside traffic limit -> equivalent to no-op, packet will go through the rest of the rules

8 replies

Userlevel 3
A policer is a rate limiter with the behavior conforming to the second description:
- If the packet conforms to the limit, it will carry out any marking options, and proceed to the next rule.
- If the packet exceeds the limit, it is dropped.
If you want to stop processing rules, you can put a "... -j ACCEPT" rule immediately after the POLICE rule.
Userlevel 1
Jason Guy wrote:

A policer is a rate limiter with the behavior conforming to the second description:
- If the pack...

Thanks.

My follow-up to that is: isn't there an issue with the default policy?

In 00control_plane.rules there is a bunch of POLICE/police rules for different protocols, and they also apply a class, but without ACCEPT.

Then in 99control_plane_catch_all.rules, there is a final catch-all with a much lower rate.

So wouldn't the packets just all end up hitting the catch-all and be limited to the lower rate?

Userlevel 4
Jason Guy wrote:

A policer is a rate limiter with the behavior conforming to the second description:
- If the pack...

That is the INPUT chain, or just traffic where the destination IS the switch. The forward chain is through the switch (what you usually want to configure). Make sense?
Userlevel 1
Jason Guy wrote:

A policer is a rate limiter with the behavior conforming to the second description:
- If the pack...

Yes, I understand the difference between the INPUT and FORWARD chains.

But the 00control_plane.rules and 99control_plane_catch_all.rules are both installed by default. Their role seems to be to have sensible defaults to protect the control plane / switch CPU from being overloaded.

AFAIU the "00" one places limits on a bunch of protocols that are commonly used and required for normal operation (STP / ARP / ...). Then finally in "99" there is a catch-all with lower limits for whatever wasn't configured by the user and the default "00" ruleset.

For instance you have for BGP:

-A $INGRESS_CHAIN --in-interface $INGRESS_INTF -p tcp --dport bgp -j SETCLASS --class 7
-A $INGRESS_CHAIN -p tcp --dport bgp -j POLICE --set-mode pkt --set-rate 2000 --set-burst 2000

So it will DROP any packet above that rate. But since there is no ACCEPT, processing will continue and eventually hit the rules defined in "99":

-A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type LOCAL -j POLICE --set-mode pkt --set-rate 1000 --set-burst 1000 --set-class 0
-A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type IPROUTER -j POLICE --set-mode pkt --set-rate 400 --set-burst 100 --set-class 0
-A $INGRESS_CHAIN --in-interface $INGRESS_INTF -j SETCLASS --class 0

And so the same BGP packets will now be limited to a lower rate and DROP'd if they're above.

It would seem the intent would have been to ACCEPT them at the higher rate defined in the "00" rule set.

(And as a side note, why are the two rules in "00" split as 2 rules, one with --in-interface and one without, one doing the rate and the other doing the SETCLASS, and not a single POLICE with the --set-class option?)
Userlevel 4
To add to what Jason said, you can either use NCLU to see what "order" the rules are in, or use --line-numbers with iptables (e.g. iptables -L --line-numbers).
Userlevel 3
So I did a little digging, and I was mistaken. All rules are terminating. So as soon as the BGP packet hits the POLICE rule, it conforms, and is accepted. If it exceeds, it is dropped. Apologies for the confusion... I will make sure the docs are clear on these fine details.
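As an added illustration (not part of the thread, and not Cumulus code), here is a small Python model of the two POLICE rules quoted above, run once with POLICE terminating the chain and once with it falling through to the "99" catch-all. The token-bucket behaviour of POLICE, the omission of the SETCLASS rules, and an ACCEPT chain policy are assumptions of this model.

```python
class Policer:
    """Packet-mode token bucket standing in for POLICE --set-mode pkt (assumed model)."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst            # --set-rate (pkt/s), --set-burst (pkts)
        self.tokens, self.last = float(burst), 0.0     # bucket starts full

    def conforms(self, now):
        # Refill for the elapsed time (capped at burst), then spend one token if available.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def build_chain():
    # Ingress chain as quoted in the thread, SETCLASS rules omitted: the "00" BGP policer
    # first, then the "99" catch-all for traffic addressed to the switch itself (LOCAL).
    return [
        ("00 bgp",   lambda p: p["proto"] == "tcp" and p["dport"] == 179, Policer(2000, 2000)),
        ("99 local", lambda p: p["dst_local"],                             Policer(1000, 1000)),
    ]

def run_chain(chain, pkt, now, police_terminates):
    """Return (verdict, rule). Terminating POLICE: a conforming packet is ACCEPTed at its
    first policer. Non-terminating: it keeps falling through to later policers."""
    for name, match, policer in chain:
        if not match(pkt):
            continue
        if not policer.conforms(now):
            return "DROP", name
        if police_terminates:
            return "ACCEPT", name
    return "ACCEPT", "chain policy"   # assumption: default chain policy is ACCEPT

def bgp_at_2000pps(police_terminates, seconds=2):
    """Constructed traffic: BGP to the switch at a steady 2000 pkt/s for `seconds`."""
    chain = build_chain()
    pkt = {"proto": "tcp", "dport": 179, "dst_local": True}
    verdicts = [run_chain(chain, pkt, i / 2000, police_terminates)
                for i in range(2000 * seconds)]
    accepted = sum(1 for v, _ in verdicts if v == "ACCEPT")
    dropped_by = sorted({name for v, name in verdicts if v == "DROP"})
    return accepted, dropped_by

if __name__ == "__main__":
    for mode in (True, False):
        print("POLICE terminating" if mode else "POLICE falls through", bgp_at_2000pps(mode))
```

With terminating POLICE all 4000 packets are accepted by the "00" rule; with fall-through, roughly a quarter of them are dropped by the "99" LOCAL policer once its 1000-packet burst is used up, which is the behaviour the earlier post was worried about.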
Userlevel 1
Jason Guy wrote:

So I did a little digging, and I was mistaken. All rules are terminating. So as soon as th...

Thanks for the follow-up!
Userlevel 1
Jason Guy wrote:

So I did a little digging, and I was mistaken. All rules are terminating. So as soon as th...

And if I may offer a suggestion: Using 10control_plane.rules instead of 00control_plane.rules would be better IMHO. This would allow users to add filtering rules prior to the rate limiting.
