Hoi,
On 20.01.2026 12:01, Pim van Pelt via lists.fd.io wrote:
. Today, we are currently inconsistent in policers:
.. On output, we sit before ip[46]-output (which only works for L3,
and uses the IP size)
.. For L2, we sit before l2-input (ethernet size)
.. For L2 classifier, we sit before l2-input (ethernet size)
.. For IP4/IP6 classifier, we sit before ip[46]-unicast already (IP size)
.. As an aside: we do not police non-ip (eg MPLS) or ip[46]-multicast
in any L3 policer.
. One thing the gerrit does do, is create consistency: for any(and
all) L3 policers, now the IP size will be used. for any(and all) L2
policers, the ethernet size will be used. In return, it does change
the contract for 'L3 input' policers, as you saw
Quick correction as what I wrote above is incorrect. Looking at the test
output:
pim@summer:~/src/vpp$ make test TEST=test_policer_subif V=2 | grep
'policer stats'
00:59:54,854 L2 sub-interface input policer stats: {'conform_packets':
6, 'conform_bytes': 876, 'exceed_packets': 0, 'exceed_bytes': 0,
'violate_packets': 61, 'violate_bytes': 8906}
00:59:55,813 L2 sub-interface output policer stats: {'conform_packets':
6, 'conform_bytes': 876, 'exceed_packets': 0, 'exceed_bytes': 0,
'violate_packets': 61, 'violate_bytes': 8906}
00:59:56,795 L3 sub-interface input policer stats: {'conform_packets':
7, 'conform_bytes': 896, 'exceed_packets': 0, 'exceed_bytes': 0,
'violate_packets': 60, 'violate_bytes': 7680}
00:59:57,763 L3 sub-interface output policer stats: {'conform_packets':
6, 'conform_bytes': 876, 'exceed_packets': 0, 'exceed_bytes': 0,
'violate_packets': 61, 'violate_bytes': 8906}
The L2 input, L2 output and L3 output policer all work on the whole
ethernet frame (146 bytes == 18b header + 128b IP datagram), while the
(now changed) L3 input policer works on the 128b IP datagram, which used
to be the whole ethernet frame as well. I do have a fix, but it requires
running something like this snippet for each packet in the policer node.
It will correct the accounting, at the cost of a few extra CPU cycles
per packet on ingress in L3 mode:
+ u16 overhead = 0;
+ if (dir == DIR_RX) {
+ vnet_hw_interface_t *hi = vnet_get_sup_hw_interface (vnm, sw_if_index);
+ if (hi->hw_class_index == ethernet_hw_interface_class.index) {
+ vnet_sw_interface_t *si = vnet_get_sw_interface (vnm, sw_if_index);
+ if (si->type == VNET_SW_INTERFACE_TYPE_SUB) {
+ if (si->sub.eth.flags.two_tags)
+ overhead = 22; /* Base Ethernet (14) + 2 VLAN tags (8) */
+ else if (si->sub.eth.flags.one_tag)
+ overhead = 18; /* Base Ethernet (14) + 1 VLAN tag (4) */
+ } else overhead = 14; /* Base Ethernet(14), no tags */
+ }
+ }
Is there perhaps a smarter way to do this?
--
Pim van Pelt <[email protected]>
PBVP1-RIPE https://ipng.ch/
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#26725): https://lists.fd.io/g/vpp-dev/message/26725
Mute This Topic: https://lists.fd.io/mt/117359534/21656
Group Owner: [email protected]
Unsubscribe: https://lists.fd.io/g/vpp-dev/leave/14379924/21656/631435203/xyzzy
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
