PSFP (Per Stream Filtering and Policing)
PSFP works on ingress and allows filtering and policing on a per-stream basis.
PSFP was originally defined in 802.1Qci-2017 but is now part of 802.1Q-2018.
PSFP is implemented by a tc flower filter that is hardware offloaded via the IS1 VCAP.
See the TC Introduction page for a general introduction to tc commands and the TC and VCAP page for more information about how to configure VCAPs by using tc commands.
The examples shown here will match on destination MAC address and VLAN ID, also known as a Null Stream identification function as defined in 802.1CB-2017.
The stream filter implementation is able to match on everything that is supported in the IS1 VCAP and this includes the other two passive stream identification functions defined in 802.1CB-2017:
- Source MAC and VLAN Stream identification function
- IP Stream identification
Just like with any other tc filter command, you must create a 'clsact' qdisc:
# tc qdisc add dev eth0 clsact
To set up a stream filter with a stream gate and a flow meter:
# tc filter add dev eth0 ingress chain 10000 prio 1 handle 2 protocol 802.1q flower skip_sw \
    dst_mac 00:00:00:00:00:11 \
    vlan_id 100 \
    vlan_ethtype all \
    action gate base-time 0 sched-entry open 10000000 3 8m sched-entry close 90000000 \
    action police rate 100000000 burst 15000 mtu 1200 conform-exceed drop \
    action goto chain 11000
All packets with DMAC 00:00:00:00:00:11 and VID 100 are matched.
The gate is open for 10 ms and closed for 90 ms. The cycle time is implicitly 100 ms.
Frames that pass the gate are assigned an internal priority value of 3.
A maximum of 8 megabytes can pass the gate during open time.
The policer rate is 100 Mbps and the burst size is 15000 bytes.
Frames larger than 1200 bytes are discarded.
It is possible to create a stream filter with only a stream gate or a flow meter by removing the line with 'gate' or 'police'.
If you want to limit the maximum SDU size without policing, you must still create a flow meter, but with a rate that exceeds the line speed.
If you want to use the same stream gate or flow meter in several stream filters, you can create them explicitly and give them an index:
# tc actions add action gate base-time 0 sched-entry open 10000000 3 8m sched-entry close 90000000 index 42
# tc actions add action police rate 100000000 burst 15000 mtu 1200 conform-exceed drop index 20
Then use the same indexes in several stream filters:
# tc filter add dev eth0 ingress chain 10000 prio 1 handle 2 protocol 802.1q flower skip_sw \
    dst_mac 00:00:00:00:00:11 \
    vlan_id 100 \
    vlan_ethtype all \
    action gate index 42 \
    action police index 20 \
    action goto chain 11000
# tc filter add dev eth0 ingress chain 10000 prio 1 handle 3 protocol 802.1q flower skip_sw \
    dst_mac 00:00:00:00:00:22 \
    vlan_id 200 \
    vlan_ethtype all \
    action gate index 42 \
    action police index 20 \
    action goto chain 11000
Use the 'tc filter show' command to see the statistics:
# tc -s filter show dev eth0 ingress
filter protocol 802.1Q pref 1 flower chain 10000
filter protocol 802.1Q pref 1 flower chain 10000 handle 0x2
  vlan_id 100
  vlan_ethtype all
  dst_mac 00:00:00:00:00:22
  eth_type 0003
  skip_sw
  in_hw in_hw_count 1
        action order 1:
        priority wildcard clockid TAI flags 0 base-time 0ns cycle-time 100ms cycle-time-ext 0ns
        schedule:
                number 0 gate-state open interval 10ms ipv 3 max-octets 8Mb
                number 1 gate-state close interval 90ms ipv wildcard max-octets wildcard
        pipe
        index 42 ref 2 bind 1 installed 9 sec used 2 sec
        Action statistics:
        Sent 0 bytes 10000 pkt (dropped 9849, overlimits 0 requeues 0)
        Sent software 0 bytes 0 pkt
        Sent hardware 0 bytes 10000 pkt
        backlog 0b 0p requeues 0
        used_hw_stats immediate
        action order 2: police 0x14 rate 100Mbit burst 15000b mtu 1200b action reclassify overhead 0b
        ref 2 bind 1 installed 8 sec used 2 sec
        Action statistics:
        Sent 0 bytes 10000 pkt (dropped 9849, overlimits 0 requeues 0)
        Sent software 0 bytes 0 pkt
        Sent hardware 0 bytes 10000 pkt
        backlog 0b 0p requeues 0
        used_hw_stats immediate
        action order 3: gact action goto chain 11000
        random type none pass val 0
        index 1 ref 1 bind 1 installed 7 sec used 2 sec
        Action statistics:
        Sent 0 bytes 10000 pkt (dropped 9849, overlimits 0 requeues 0)
        Sent software 0 bytes 0 pkt
        Sent hardware 0 bytes 10000 pkt
        backlog 0b 0p requeues 0
        used_hw_stats immediate
As seen above, it is not possible to see all the PSFP-specific counters in this output.
The "10000 pkt" corresponds to the matching_frames_count.
The "dropped 9849" is the sum of not_passing_frames_count, not_passing_sdu_count and red_frames_count.
In order to see all the PSFP counters you can use a debug command:
# cat /sys/kernel/debug/lan966x/qos_show
PSFP Stream Filter Pool:
ix 0: mfc: 10000 pfc: 866 npfc: 9134 psc: 866 npsc: 0 rfc: 715 lu: 17179620
PSFP Stream Gate Pool:
ix 0: user 1 id 42 ref_cnt 1
PSFP and ACL Policer Pool:
ix 81: user 1 id 20 ref_cnt 1
ptp current time : 52.109889569 sec
Here the PSFP counters are shown as:
- mfc - matching_frames_count
- pfc - passing_frames_count
- npfc - not_passing_frames_count
- psc - passing_sdu_count
- npsc - not_passing_sdu_count
- rfc - red_frames_count
- lu - last update time in jiffies
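The single "dropped" figure in the tc statistics can be split back into its three PSFP counters by parsing the debug output. The script below is an added example, not part of the original page or the driver; the function names psfp_drops and psfp_agrees_with_tc are hypothetical, and the sample text is the qos_show output shown above.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.

# Constructed sample: the qos_show text shown above.
QOS_SAMPLE='PSFP Stream Filter Pool:
ix 0: mfc: 10000 pfc: 866 npfc: 9134 psc: 866 npsc: 0 rfc: 715 lu: 17179620
PSFP Stream Gate Pool:
ix 0: user 1 id 42 ref_cnt 1
PSFP and ACL Policer Pool:
ix 81: user 1 id 20 ref_cnt 1
ptp current time : 52.109889569 sec'

# Read qos_show text on stdin; print one line per stream filter row:
#   <ix> <mfc> <npfc+npsc+rfc> <npfc> <npsc> <rfc>
# Column 3 is the value tc reports as "dropped".
psfp_drops() {
    awk '
    /^PSFP / { in_sf = ($0 ~ /Stream Filter Pool/); next }
    in_sf && $1 == "ix" {
        ix = $2; sub(/:$/, "", ix)
        # Remaining fields are "name: value" pairs.
        for (i = 3; i < NF; i += 2) { k = $i; sub(/:$/, "", k); c[k] = $(i + 1) }
        print ix, c["mfc"], c["npfc"] + c["npsc"] + c["rfc"], c["npfc"], c["npsc"], c["rfc"]
    }'
}

# psfp_agrees_with_tc IX TC_PKT TC_DROPPED   (qos_show text on stdin)
# Succeeds when the "pkt" and "dropped" values from 'tc -s filter show'
# equal mfc and npfc+npsc+rfc of pool row IX. Which pool row belongs to
# which tc filter is not stated on the page; the caller picks the row.
psfp_agrees_with_tc() {
    psfp_drops | awk -v ix="$1" -v pkt="$2" -v drop="$3" '
        $1 == ix { found = 1; ok = ($2 == pkt && $3 == drop) }
        END { exit !(found && ok) }'
}

# Demo on the constructed sample.
printf '%s\n' "$QOS_SAMPLE" | psfp_drops
```

On the target, feed the functions from /sys/kernel/debug/lan966x/qos_show instead of the sample variable.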
Up to 256 stream filters are supported and each stream filter can have its own stream gate and flow meter.
The valid values for open and close time in a stream gate are >= 1 us and < 1 s.
The maximum number of scheduler entries in a stream gate is 4.
The unit for rate is bits per second and valid values are from 100000 to 1000000000.
The resolution in hardware is 33 1/3 kbps and the value is rounded up to the next supported value.
The unit for burst is bytes and valid values are from 4096 to 245760 bytes.
The resolution in hardware is 4096 bytes and the value is rounded up to the next supported value.
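Because rate and burst are rounded up, the limit enforced in hardware can be looser than the one requested: the burst of 15000 bytes used in the examples above becomes 16384 bytes. The following pre-flight check is an added example, not part of the original page or the driver; the function names are hypothetical, and it assumes the supported values are whole multiples of the stated resolution.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.
# Assumption: supported values are whole multiples of the stated resolution.

# psfp_police_hw RATE_BPS BURST_BYTES
# Prints "<effective rate in bit/s> <effective burst in bytes>", or fails
# when a value is outside the documented range.
psfp_police_hw() {
    rate=$1 burst=$2
    if [ "$rate" -lt 100000 ] || [ "$rate" -gt 1000000000 ]; then
        echo "rate $rate outside 100000..1000000000 bit/s" >&2; return 1
    fi
    if [ "$burst" -lt 4096 ] || [ "$burst" -gt 245760 ]; then
        echo "burst $burst outside 4096..245760 bytes" >&2; return 1
    fi
    # 33 1/3 kbit/s = 100000/3 bit/s, so count steps in thirds to stay integral.
    steps=$(( (rate * 3 + 99999) / 100000 ))
    hw_rate=$(( steps * 100000 / 3 ))        # fraction of a bit/s is dropped
    hw_burst=$(( (burst + 4095) / 4096 * 4096 ))
    echo "$hw_rate $hw_burst"
}

# psfp_gate_cycle INTERVAL_NS...
# One argument per sched-entry. Prints the implicit cycle time in ns
# (the sum of the intervals), or fails on a limit violation.
psfp_gate_cycle() {
    if [ "$#" -eq 0 ] || [ "$#" -gt 4 ]; then
        echo "a stream gate takes at most 4 sched-entries, got $#" >&2; return 1
    fi
    cycle=0
    for ns in "$@"; do
        if [ "$ns" -lt 1000 ] || [ "$ns" -ge 1000000000 ]; then
            echo "interval $ns ns outside [1 us, 1 s)" >&2; return 1
        fi
        cycle=$(( cycle + ns ))
    done
    echo "$cycle"
}

# Demo with the values from the examples above.
psfp_police_hw 100000000 15000
psfp_gate_cycle 10000000 90000000
```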