author Yong Xu <yong.xu@corigine.com> 2021-06-09 11:52:08 +0200
committer Simon Horman <simon.horman@netronome.com> 2021-07-01 20:44:07 +0200
commit c2567e533f8a83cf705f008c4a6688e457d8f756
tree 04eb38878e0256d727febcdaa7fc82e4cc5e306e /vswitchd
parent b6c5f30cfa9994a1069bc6bef28a270bbb61df6c
add port-based ingress policing based packet-per-second rate-limiting
OVS has support for using policing to enforce a rate limit in kilobits
per second. This is configured using OVSDB. f.e.

    $ ovs-vsctl set interface tap0 ingress_policing_rate=1000
    $ ovs-vsctl set interface tap0 ingress_policing_burst=100

This patch adds a related feature, allowing policing to enforce a rate
limit in kilo-packets per second. This is also configured using OVSDB.

    $ ovs-vsctl set interface tap0 ingress_policing_kpkts_rate=1000
    $ ovs-vsctl set interface tap0 ingress_policing_kpkts_burst=100

The kilo-bit and kilo-packet rate limits may be used separately or in
combination.

Add separate action for BPS and PPS in netlink message. Revise code and
change action result to pipe to allow traffic pipe into second action.

This patch implements the feature for:
* OVSDB (northbound API)
* TC policer when used both with and without TC offload (kernel API)

Signed-off-by: Yong Xu <yong.xu@corigine.com>
Signed-off-by: Simon Horman <simon.horman@netronome.com>
Diffstat (limited to 'vswitchd')
-rw-r--r-- vswitchd/bridge.c 6
-rw-r--r-- vswitchd/vswitch.ovsschema 10
-rw-r--r-- vswitchd/vswitch.xml 59
3 files changed, 69 insertions, 6 deletions
diff --git a/vswitchd/bridge.c b/vswitchd/bridge.c
index 5ed7e8234..2591e29d8 100644
--- a/vswitchd/bridge.c
+++ b/vswitchd/bridge.c
@@ -4895,8 +4895,10 @@ iface_configure_qos(struct iface *iface, const struct ovsrec_qos *qos)
}
netdev_set_policing(iface->netdev,
- MIN(UINT32_MAX, iface->cfg->ingress_policing_rate),
- MIN(UINT32_MAX, iface->cfg->ingress_policing_burst));
+ MIN(UINT32_MAX, iface->cfg->ingress_policing_rate),
+ MIN(UINT32_MAX, iface->cfg->ingress_policing_burst),
+ MIN(UINT32_MAX, iface->cfg->ingress_policing_kpkts_rate),
+ MIN(UINT32_MAX, iface->cfg->ingress_policing_kpkts_burst));
ofpbuf_uninit(&queues_buf);
}
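Review bot: The two added MIN(UINT32_MAX, ...) arguments clamp ingress_policing_kpkts_rate and ingress_policing_kpkts_burst while they are still in kilo-packet units, so if the netdev side later converts to packets (a multiply by 1000) in 32 bits, any setting above UINT32_MAX / 1000 can still wrap to a much smaller limit. The netdev code is not part of this vswitchd-limited diff, so please either clamp here to UINT32_MAX / 1000 or confirm the conversion is done in 64 bits. The clamp is also silent: the schema in this patch accepts any integer >= 0 for both columns, so an out-of-range value is stored as written but enforced as something else; a maxInteger on the columns or a warning log at this call would make the mismatch visible to the operator.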
diff --git a/vswitchd/vswitch.ovsschema b/vswitchd/vswitch.ovsschema
index 0666c8c76..4873cfde7 100644
--- a/vswitchd/vswitch.ovsschema
+++ b/vswitchd/vswitch.ovsschema
@@ -1,6 +1,6 @@
{"name": "Open_vSwitch",
- "version": "8.2.0",
- "cksum": "1076640191 26427",
+ "version": "8.3.0",
+ "cksum": "3781850481 26690",
"tables": {
"Open_vSwitch": {
"columns": {
@@ -242,6 +242,12 @@
"ingress_policing_burst": {
"type": {"key": {"type": "integer",
"minInteger": 0}}},
+ "ingress_policing_kpkts_rate": {
+ "type": {"key": {"type": "integer",
+ "minInteger": 0}}},
+ "ingress_policing_kpkts_burst": {
+ "type": {"key": {"type": "integer",
+ "minInteger": 0}}},
"mac_in_use": {
"type": {"key": {"type": "string"},
"min": 0, "max": 1},
diff --git a/vswitchd/vswitch.xml b/vswitchd/vswitch.xml
index 4597a215d..3522b2497 100644
--- a/vswitchd/vswitch.xml
+++ b/vswitchd/vswitch.xml
@@ -3654,8 +3654,18 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \
table="Queue"/> tables).
</p>
<p>
- Policing is currently implemented on Linux and OVS with DPDK. Both
- implementations use a simple ``token bucket'' approach:
+ Policing settings can be set with byte rate or packet rate, and they
+ can be configured together, in which case they take effect together,
+ that means the smaller speed limit of them is in effect.
+ </p>
+ <p>
+ Currently, byte rate policing is implemented on Linux and OVS with
+ DPDK, while packet rate policing is only implemented on Linux. Both
+ Linux and OVS DPDK implementations use a simple ``token bucket''
+ approach.
+ </p>
+ <p>
+ Byte rate policing:
</p>
<ul>
<li>
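Review bot: The added sentence "the smaller speed limit of them is in effect" is misleading, because a kbps limit and a kpps limit are in different units and cannot be ranked; which one drops traffic depends on packet size. Going by the commit message (the first action pipes into the second), the accurate statement is that a packet is forwarded only if it passes both the byte-rate and the packet-rate policer. The next added paragraph says packet rate policing is only implemented on Linux, but does not say what happens when ingress_policing_kpkts_rate is set on an OVS DPDK port; if the setting is ignored there, the text should say so, since an operator relying on it as a flood limit would otherwise have no enforcement and no indication of that.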
@@ -3674,6 +3684,26 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \
</li>
</ul>
<p>
+ Packet rate policing:
+ </p>
+ <ul>
+ <li>
+ The size of the bucket corresponds to <ref
+ column="ingress_policing_kpkts_burst"/>. Initially the bucket is
+ full.
+ </li>
+ <li>
+ Whenever a packet is received, it will consume one token from the
+ current bucket. If the token is available in the bucket, it's
+ removed and the packet is forwarded. Otherwise, the packet is
+ dropped.
+ </li>
+ <li>
+ Whenever it is not full, the bucket is refilled with tokens at the
+ rate specified by <ref column="ingress_policing_kpkts_rate"/>.
+ </li>
+ </ul>
+ <p>
Policing interacts badly with some network protocols, and especially
with fragmented IP packets. Suppose that there is enough network
activity to keep the bucket nearly empty all the time. Then this token
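Review bot: The first added bullet says the bucket size "corresponds to" ingress_policing_kpkts_burst while the second says each packet consumes one token, which leaves the unit conversion implicit: the column is in kpkts, so a value of 1 means 1000 tokens, and the same applies to the refill rate in the third bullet. Please state the factor of 1000 in the bullets. Minor wording in the second bullet: "If the token is available" should read "If a token is available".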
@@ -3698,6 +3728,14 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \
</p>
</column>
+ <column name="ingress_policing_kpkts_rate">
+ <p>
+ Maximum rate for data received on this interface, in kpps (1 kpps is
+ 1000 pps). Data received faster than this rate is dropped. Set to
+ <code>0</code> (the default) to disable policing.
+ </p>
+ </column>
+
<column name="ingress_policing_burst">
<p>Maximum burst size for data received on this interface, in kb. The
default burst size if set to <code>0</code> is 8000 kbit. This value
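Review bot: The description of ingress_policing_kpkts_rate does not repeat that the limit is enforced only on Linux, and it does not mention that the smallest non-zero limit is 1 kpps (1000 pps), so finer limits cannot be expressed; both are worth stating in the column text, where users look first. "Maximum rate for data received" and "Data received faster than this rate" should say packets, to distinguish this column from ingress_policing_rate. The new column is also inserted between the ingress_policing_rate and ingress_policing_burst entries, splitting the byte-rate pair; placing it after ingress_policing_burst, next to ingress_policing_kpkts_burst, would keep each pair together.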
@@ -3712,6 +3750,23 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \
closer to achieving the full rate.
</p>
</column>
+
+ <column name="ingress_policing_kpkts_burst">
+ <p>
+ Maximum burst size for data received on this interface, in kpkts (1
+ kpkts is 1000 packets). The default burst size if set to
+ <code>0</code> is 16 kpkts. This value has no effect if
+ <ref column="ingress_policing_kpkts_rate"/> is <code>0</code>.
+ </p>
+ <p>
+ Specifying a larger burst size lets the algorithm be more forgiving,
+ which is important for protocols like TCP that react severely to
+ dropped packets. Specifying a value that is numerically at least as
+ large as 80% of <ref column="ingress_policing_kpkts_rate"/> helps TCP
+ come closer to achieving the full rate.
+ </p>
+ </column>
+
</group>
<group title="Bidirectional Forwarding Detection (BFD)">
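Review bot: The default burst of 16 kpkts documented for ingress_policing_kpkts_burst is large relative to low rates: with ingress_policing_kpkts_rate=1 and the burst left at 0, the bucket holds 16000 packets, which is 16 seconds of traffic at the configured rate, admitted before the limit takes effect. That sits oddly with the guidance in the second paragraph (burst of at least 80% of the rate), which appears to be carried over from the ingress_policing_burst text; please either note that the default burst should be lowered for small rates or say where the 16 kpkts figure comes from. "Maximum burst size for data received" should also say packets here.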