Policing action in tc(8)  (20 Jan 2015)  Policing action in tc(8)

     NAME
          police - policing action

     SYNOPSIS
          tc ... action police [ rate RATE burst BYTES[/BYTES] ] [
                  pkts_rate RATE pkts_burst PACKETS] [ mtu
                  BYTES[/BYTES] ] [ peakrate RATE ] [ overhead BYTES ]
                  [ linklayer TYPE ] [ CONTROL ]

          tc ... filter ... [ estimator SAMPLE AVERAGE ] action police
                  avrate RATE [ CONTROL ]

          CONTROL := conform-exceed EXCEEDACT[/NOTEXCEEDACT

          EXCEEDACT/NOTEXCEEDACT := {  pipe | ok | reclassify |

     DESCRIPTION
          The police action allows limiting of the byte or packet rate
          of traffic matched by the filter it is attached to.

          There are two different algorithms available to measure the
          byte rate: The first one uses an internal dual token bucket
          and is configured using the rate, burst, mtu, parameters.
          The second one uses an in-kernel sampling mechanism. It can
          be fine-tuned using the estimator filter parameter.

          There is one algorithm available to measure packet rate and
          it is similar to the first algorithm described for byte
          rate. It is configured using the pkt_rate and pkt_burst
          parameters.

          At least one of the rate and pkt_rate parameters must be
          configured.

     OPTIONS
          rate RATE
               The maximum byte rate of packets passing this action.
               Those exceeding it will be treated as defined by the
               conform-exceed option.

          burst BYTES[/BYTES]
               Set the maximum allowed burst in bytes, optionally fol-
               lowed by a slash ('/') sign and cell size which must be
               a power of 2.

          pkt_rate RATE
               The maximum packet rate or packets passing this action.
               Those exceeding it will be treated as defined by the
               conform-exceed option.

     Page 1                      iproute2            (printed 5/24/22)

     Policing action in tc(8)  (20 Jan 2015)  Policing action in tc(8)

          pkt_burst PACKETS
               Set the maximum allowed burst in packets.

          mtu BYTES[/BYTES]
               This is the maximum packet size handled by the policer
               (larger ones will be handled like they exceeded the
               configured rate). Setting this value correctly will
               improve the scheduler's precision.  Value formatting is
               identical to burst above. Defaults to unlimited.

          peakrate RATE
               Set the maximum bucket depletion rate, exceeding rate.

          avrate RATE
               Make use of an in-kernel bandwidth rate estimator and
               match the given RATE against it.

          overhead BYTES
               Account for protocol overhead of encapsulating output
               devices when computing rate and peakrate.

          linklayer TYPE
               Specify the link layer type.  TYPE may be one of
               ethernet (the default), atm or adsl (which are syn-
               onyms). It is used to align the precomputed rate tables
               to ATM cell sizes, for ethernet no action is taken.

          estimator SAMPLE AVERAGE
               Fine-tune the in-kernel packet rate estimator.  SAMPLE
               and AVERAGE are time values and control the frequency
               in which samples are taken and over what timespan an
               average is built.

          conform-exceed EXCEEDACT[/NOTEXCEEDACT]
               Define how to handle packets which exceed or conform
               the configured bandwidth limit. Possible values are:

               continue
                    Don't do anything, just continue with the next
                    action in line.

               drop Drop the packet immediately.

               shot This is a synonym to drop.

               ok   Accept the packet. This is the default for con-
                    forming packets.

               pass This is a synonym to ok.

               reclassify
                    Treat the packet as non-matching to the filter

     Page 2                      iproute2            (printed 5/24/22)

     Policing action in tc(8)  (20 Jan 2015)  Policing action in tc(8)

                    this action is attached to and continue with the
                    next filter in line (if any). This is the default
                    for exceeding packets.

               pipe Pass the packet to the next action in line.

     EXAMPLES
          A typical application of the police action is to enforce
          ingress traffic rate by dropping exceeding packets. Although
          better done on the sender's side, especially in scenarios
          with lack of peer control (e.g. with dial-up providers) this
          is often the best one can do in order to keep latencies low
          under high load. The following establishes input bandwidth
          policing to 1mbit/s using the ingress qdisc and u32 filter:

               # tc qdisc add dev eth0 handle ffff: ingress
               # tc filter add dev eth0 parent ffff: u32 \
                    match u32 0 0 \
                    police rate 1mbit burst 100k

          As an action can not live on it's own, there always has to
          be a filter involved as link between qdisc and action. The
          example above uses u32 for that, which is configured to
          effectively match any packet (passing it to the police
          action thereby).

     SEE ALSO
          tc(8)

     Page 3                      iproute2            (printed 5/24/22)