netdev-linux: Use matchall classifier for ingress policing.

Currently ingress policing uses the basic classifier to apply traffic control filters if hardware offload is not enabled, in which case it uses matchall. This change changes the behavior to always use matchall, and fall back onto basic if the kernel is built without matchall support. The system tests are modified to allow either basic or matchall classification on the ingestion filter, and to allow either 10000 or 10240 packets for the packet burst filter. 10000 is accurate for kernel 5.14 and the most recent iproute2, however, 10240 is left for compatibility with older kernels. Acked-by: Eelco Chaudron <echaudro@redhat.com> Signed-off-by: Mike Pattrick <mkp@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2025-08-31 14:25:26 +00:00 · 2021-12-03 18:06:33 -05:00
parent 3b489a3b1b
commit eb1ab5357b
3 changed files with 32 additions and 22 deletions
--- a/lib/netdev-linux.c
+++ b/lib/netdev-linux.c
@@ -2776,8 +2776,7 @@ netdev_linux_set_policing(struct netdev *netdev_, uint32_t kbits_rate,
            error = tc_add_matchall_policer(netdev_, kbits_rate, kbits_burst,
                                            kpkts_rate, kpkts_burst);
        }
-        ovs_mutex_unlock(&netdev->mutex);
-        return error;
+        goto out;
    }

    error = get_ifindex(netdev_, &ifindex);
@@ -2794,6 +2793,8 @@ netdev_linux_set_policing(struct netdev *netdev_, uint32_t kbits_rate,
    }

    if (kbits_rate || kpkts_rate) {
+        const char *cls_name = "matchall";
+
        error = tc_add_del_qdisc(ifindex, true, 0, TC_INGRESS);
        if (error) {
            VLOG_WARN_RL(&rl, "%s: adding policing qdisc failed: %s",
@@ -2801,21 +2802,30 @@ netdev_linux_set_policing(struct netdev *netdev_, uint32_t kbits_rate,
            goto out;
        }

-        error = tc_add_policer(netdev_, kbits_rate, kbits_burst,
-                               kpkts_rate, kpkts_burst);
+        error = tc_add_matchall_policer(netdev_, kbits_rate, kbits_burst,
+                                        kpkts_rate, kpkts_burst);
+        if (error == ENOENT) {
+            cls_name = "basic";
+            /* This error is returned when the matchall classifier is missing.
+             * Fall back to the basic classifier.  */
+            error = tc_add_policer(netdev_, kbits_rate, kbits_burst,
+                                   kpkts_rate, kpkts_burst);
+        }
        if (error){
-            VLOG_WARN_RL(&rl, "%s: adding policing action failed: %s",
-                    netdev_name, ovs_strerror(error));
+            VLOG_WARN_RL(&rl, "%s: adding cls_%s policing action failed: %s",
+                         netdev_name, cls_name, ovs_strerror(error));
            goto out;
        }
    }

-    netdev->kbits_rate = kbits_rate;
-    netdev->kbits_burst = kbits_burst;
-    netdev->kpkts_rate = kpkts_rate;
-    netdev->kpkts_burst = kpkts_burst;
-
 out:
+    if (!error) {
+        netdev->kbits_rate = kbits_rate;
+        netdev->kbits_burst = kbits_burst;
+        netdev->kpkts_rate = kpkts_rate;
+        netdev->kpkts_burst = kpkts_burst;
+    }
+
    if (!error || error == ENODEV) {
        netdev->netdev_policing_error = error;
        netdev->cache_valid |= VALID_POLICING;