PSFP (Per Stream Filtering and Policing)
PSFP works on ingress and allows filtering and policing on a per-stream basis.
PSFP was originally defined in 802.1Qci-2017 but is now part of 802.1Q-2018.
PSFP is implemented by a tc flower filter that is hardware offloaded via the
ingress VCAP using the skip_sw flag. The PSFP filter, gate, and flow meter
actions must be specified inline in the tc filter add command.
See the TC Introduction page for a general introduction
to tc commands and the TC and VCAP page for
details on VCAP chain numbers and how to configure VCAPs using tc.
1. Chain numbers
PSFP uses the ingress VCAP lookup chains. The chain numbers are the same across all platforms:
| Description | Chain | VCAP type |
|---|---|---|
| PSFP lookup | 1100000 | IS1 (lan966x, lan9645x) / IS0/CLM (sparx5, lan969x) |
| Next lookup (goto target) | 1200000 | IS1 L2 / IS0 L2 |
All examples below use chain 1100000 for the PSFP filter and chain 1200000 as the goto target.
2. Stream identification
The examples below match on source MAC address and VLAN ID. The stream filter can match on any key supported by the ingress VCAP at the PSFP chain, such as source or destination MAC, VLAN ID, or IP fields.
The available match keys depend on the platform and the VCAP keyset selected for the chain. Refer to the TC and VCAP page for details.
3. Setup
A clsact qdisc must be created on the ingress port, and a matchall rule on
chain 0 is needed to enter the VCAP lookup pipeline:
$ tc qdisc add dev eth0 clsact
$ tc filter add dev eth0 ingress chain 0 prio 10000 handle 10000 \
matchall skip_sw action goto chain 1100000
4. Stream filter with flow meter
A flow meter polices traffic to a given rate. Frames exceeding the rate or the MTU are dropped.
$ tc filter add dev eth0 ingress chain 1100000 prio 1 handle 1 \
protocol 802.1q flower skip_sw \
src_mac 00:00:00:00:00:11 \
vlan_id 100 \
vlan_ethtype all \
action police rate 100000000 burst 15000 mtu 1200 conform-exceed drop \
action goto chain 1200000
This polices all VLAN 100 traffic from source MAC 00:00:00:00:00:11 at 100 Mbps with a 15 KB burst size. Frames larger than 1200 bytes are discarded.
Verify that the filter is offloaded by checking for in_hw:
$ tc -s filter show dev eth0 ingress chain 1100000
filter protocol 802.1Q pref 1 flower
filter protocol 802.1Q pref 1 flower handle 0x1
vlan_id 100
vlan_ethtype all
src_mac 00:00:00:00:00:11
skip_sw
in_hw in_hw_count 1
action order 1: police 0x1 rate 100Mbit burst 15000b mtu 1200b action drop overhead 0b
ref 1 bind 1
Action statistics:
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
used_hw_stats immediate
action order 2: gact action goto chain 1200000
Action statistics:
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
used_hw_stats immediate
If you want to limit the max SDU without policing, create a flow meter with a
rate that exceeds the line speed, e.g. rate 2gbit burst 100k mtu 1500.
5. Stream filter with stream gate
A stream gate controls when traffic is allowed to pass using a time-based schedule. The gate opens and closes according to the schedule entries.
$ tc filter add dev eth0 ingress chain 1100000 prio 1 handle 1 \
protocol 802.1q flower skip_sw \
src_mac 00:00:00:00:00:11 \
vlan_id 100 \
vlan_ethtype all \
action gate base-time 0 \
sched-entry open 10000000 3 8m \
sched-entry close 90000000 \
action goto chain 1200000
The gate is open for 10 ms and closed for 90 ms, giving a cycle time of 100 ms. Frames that pass the gate during the open interval are assigned an internal priority value (IPV) of 3. A maximum of 8 megabytes can pass the gate during the open window.
$ tc -s filter show dev eth0 ingress chain 1100000
filter protocol 802.1Q pref 1 flower
filter protocol 802.1Q pref 1 flower handle 0x1
vlan_id 100
vlan_ethtype all
src_mac 00:00:00:00:00:11
skip_sw
in_hw in_hw_count 1
action order 1:
priority wildcard clockid TAI flags 0x85db4
base-time 0ns cycle-time 100ms cycle-time-ext 0ns
schedule:
number 0 gate-state open interval 10ms ipv 3 max-octets 8Mb
number 1 gate-state close interval 90ms ipv wildcard max-octets wildcard
pipe
index 1 ref 1 bind 1
Action statistics:
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
used_hw_stats immediate
action order 2: gact action goto chain 1200000
Action statistics:
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
used_hw_stats immediate
6. Stream filter with gate and flow meter
A stream gate and flow meter can be combined in a single stream filter. The gate controls when traffic is allowed to pass, and the flow meter polices the admitted traffic.
$ tc filter add dev eth0 ingress chain 1100000 prio 1 handle 1 \
protocol 802.1q flower skip_sw \
src_mac 00:00:00:00:00:11 \
vlan_id 100 \
vlan_ethtype all \
action gate base-time 0 \
sched-entry open 10000000 3 8m \
sched-entry close 90000000 \
action police rate 100000000 burst 15000 mtu 1200 conform-exceed drop \
action goto chain 1200000
$ tc -s filter show dev eth0 ingress chain 1100000
filter protocol 802.1Q pref 1 flower
filter protocol 802.1Q pref 1 flower handle 0x1
vlan_id 100
vlan_ethtype all
src_mac 00:00:00:00:00:11
skip_sw
in_hw in_hw_count 1
action order 1:
priority wildcard clockid TAI flags 0x85db4
base-time 0ns cycle-time 100ms cycle-time-ext 0ns
schedule:
number 0 gate-state open interval 10ms ipv 3 max-octets 8Mb
number 1 gate-state close interval 90ms ipv wildcard max-octets wildcard
pipe
index 1 ref 1 bind 1
Action statistics:
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
used_hw_stats immediate
action order 2: police 0x1 rate 100Mbit burst 15000b mtu 1200b action drop overhead 0b
ref 1 bind 1
Action statistics:
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
used_hw_stats immediate
action order 3: gact action goto chain 1200000
Action statistics:
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
used_hw_stats immediate
7. Cleanup
To remove a PSFP stream filter:
$ tc filter del dev eth0 ingress chain 1100000 prio 1 handle 1 protocol 802.1q flower
To remove everything:
$ tc filter del dev eth0 ingress
$ tc qdisc del dev eth0 clsact
8. Debug counters
The tc -s filter show output provides basic statistics but does not break out
all PSFP-specific counters. The debugfs interface provides more detail. The path
and format differ per platform:
8.1. lan966x
$ cat /sys/kernel/debug/lan966x/qos_show
PSFP Stream Filter Pool:
ix 0: mfc: 10000 pfc: 866 npfc: 9134 psc: 866 npsc: 0 rfc: 715 lu: 17179620
PSFP Stream Gate Pool:
ix 0: user 1 id 42 ref_cnt 1
PSFP and ACL Policer Pool:
ix 81: user 1 id 20 ref_cnt 1
ptp current time : 52.109889569 sec
The PSFP counters in qos_show are:
- mfc - matching_frames_count
- pfc - passing_frames_count
- npfc - not_passing_frames_count
- psc - passing_sdu_count
- npsc - not_passing_sdu_count
- rfc - red_frames_count
- lu - last update time in jiffies
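The following is an added example, not part of the original page or the driver's tooling: a shell function that reads the lan966x qos_show text and flags stream filters whose not-passing or red counters are non-zero, which is what a monitoring job would watch to spot a stream exceeding its gate or meter contract. The function names psfp_sample and psfp_summary and the DROPS/OK status labels are made up for this example; the embedded sample is the qos_show output shown above.

```shell
#!/bin/sh
# Added example. Sample input: the qos_show output shown above.
psfp_sample() {
    cat <<'EOF'
PSFP Stream Filter Pool:
ix 0: mfc: 10000 pfc: 866 npfc: 9134 psc: 866 npsc: 0 rfc: 715 lu: 17179620
PSFP Stream Gate Pool:
ix 0: user 1 id 42 ref_cnt 1
PSFP and ACL Policer Pool:
ix 81: user 1 id 20 ref_cnt 1
ptp current time : 52.109889569 sec
EOF
}

# Reads qos_show text on stdin and prints one line per stream filter index.
# Counter names follow the 802.1Q stream filter counters:
#   npfc = frames that did not pass the stream gate
#   npsc = frames that did not pass the max SDU check
#   rfc  = frames discarded by the flow meter
psfp_summary() {
    awk '
    /^[ \t]*PSFP Stream Filter Pool:/ { in_pool = 1; next }
    /^[ \t]*PSFP /                    { in_pool = 0 }   # any other pool header ends the section
    in_pool && $1 == "ix" {
        split("", c)                                    # clear counters from the previous line
        ix = $2; sub(/:$/, "", ix)
        # counters are "name: value" pairs after the index
        for (i = 3; i < NF; i += 2) { k = $i; sub(/:$/, "", k); c[k] = $(i + 1) + 0 }
        status = (c["npfc"] + c["npsc"] + c["rfc"] > 0) ? "DROPS" : "OK"
        printf "ix=%s mfc=%d npfc=%d npsc=%d rfc=%d status=%s\n", \
               ix, c["mfc"], c["npfc"], c["npsc"], c["rfc"], status
    }'
}

# On a lan966x target, replace psfp_sample with:
#   cat /sys/kernel/debug/lan966x/qos_show
psfp_sample | psfp_summary
```

The counters are cumulative, so a periodic job should compare successive readings rather than alert on any non-zero value.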
9. Limits
The limits vary per platform:
| Resource | lan9645x | lan966x | sparx5 | lan969x |
|---|---|---|---|---|
| Stream filters | 128 | 256 | 1024 | 1024 |
| Stream gates | 128 | 256 | 1024 | 1024 |
| Gate schedule entries | 4 | 4 | 4 | 4 |
| Max IPV | 7 | 7 | 7 | 7 |
The valid values for gate open and close times are >= 1 µs and < 1 s.
The unit for rate is bits per second. The resolution in hardware is 33 1/3 kbps and the value is rounded up to the nearest supported value.
The unit for burst is bytes. The resolution in hardware is 4,096 bytes and the value is rounded up to the nearest supported value.
conform-exceed drop must be specified explicitly when creating a flow meter.
The default (reclassify) is not supported by hardware offload.
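The following is an added example, not part of the original page: a preflight check that applies the limits above to the values used in the earlier tc commands, showing the rate and burst the hardware will actually enforce after rounding. The function names are made up for this example, and it assumes the 1 µs to 1 s range applies to each sched-entry interval.

```shell
#!/bin/sh
# Added example: check PSFP parameters against the limits listed above.

# Effective policer rate in bit/s. Hardware steps are 33 1/3 kbit/s
# (100000/3 bit/s) and the requested rate is rounded up to the next step.
# The result is rounded up to a whole bit/s for display.
psfp_hw_rate() {
    steps=$(( ($1 * 3 + 99999) / 100000 ))
    echo $(( (steps * 100000 + 2) / 3 ))
}

# Effective burst in bytes: rounded up to a multiple of 4096.
psfp_hw_burst() {
    echo $(( ($1 + 4095) / 4096 * 4096 ))
}

# Arguments: one interval in ns per sched-entry (assumption: the 1 us..1 s
# range applies to each entry). Prints the cycle time in ns, or returns 1
# with a message on stderr when a limit is exceeded.
psfp_check_gate() {
    if [ "$#" -lt 1 ] || [ "$#" -gt 4 ]; then
        echo "gate: $# schedule entries, limit is 4" >&2
        return 1
    fi
    cycle=0
    for ns in "$@"; do
        if [ "$ns" -lt 1000 ] || [ "$ns" -ge 1000000000 ]; then
            echo "gate: interval ${ns} ns is outside >= 1 us and < 1 s" >&2
            return 1
        fi
        cycle=$(( cycle + ns ))
    done
    echo "$cycle"
}

# Values from the examples on this page.
echo "rate 100000000 -> $(psfp_hw_rate 100000000) bit/s"
echo "burst 15000 -> $(psfp_hw_burst 15000) bytes"
echo "gate 10 ms open + 90 ms closed -> cycle $(psfp_check_gate 10000000 90000000) ns"
```

Note that the 15000-byte burst from the examples becomes 16384 bytes in hardware, so the enforced burst tolerance is larger than the value typed into tc.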