For some reason, the default rules for IPv4 and IPv6 are formatted differently. For IPv4, there are two rules: one to set the class, matching on the input interface, and one to police. The documentation says the two rules are bound together in the ASIC. But for IPv6, only a police rule is used, and it uses the --set-class argument to achieve a similar result.
-A $INGRESS_CHAIN --in-interface $INGRESS_INTF -p udp --dport $BFD_ECHO_PORT -j SETCLASS --class 7
-A $INGRESS_CHAIN -p udp --dport $BFD_ECHO_PORT -j POLICE --set-mode pkt --set-rate 2000 --set-burst 2000
-A $INGRESS_CHAIN --in-interface $INGRESS_INTF -p udp --dport $BFD_ECHO_PORT -j POLICE --set-mode pkt --set-rate 2000 --set-burst 2000 --set-class 7
Why the difference?
Also, there are no counters attached to the rules. Is there a way to check if policing is happening or not? I have some packet drops and I want to know if this is because of policing. I am on a Mellanox SN2100. It's also unclear if these default rules also apply when using VRF and VLAN. I have stuff like this:
And Quagga listening on the VRF. Do the BGP policing rules apply in this case? I am worried I am hitting the more restrictive catch-all rules.