ACL POLICE target - What does it do ?

Updated 1 year ago
I'm wondering what the POLICE ip(6)tables target (& the equivalent 'police' ebtables target) does, more precisely.

Are they terminal rules? So, will other rules be evaluated after?

I can see three ways this could be implemented / act:

1) It's a terminal rule that will definitely decide the fate of the packets.

Packet inside traffic limit -> equivalent to ACCEPT
Packet outside traffic limit -> equivalent to DROP

2) It's a conditional 'DROP' that prevents too many packets from going through. What's outside the limit is dropped, the rest continues normal processing through all the other rules.

Packet inside traffic limit -> equivalent to no-op, packet will go through the rest of the rules
Packet outside traffic limit -> equivalent to DROP


3) It's a conditional 'ACCEPT' that ensures a given traffic will always get accepted. Whatever is above the limit goes through the rest of the rules.

Packet inside traffic limit -> equivalent to ACCEPT
Packet outside traffic limit -> equivalent to no-op, packet will go through the rest of the rules
Sylvain Munaut

Posted 1 year ago
Jason Guy, Employee

A policer is a rate limiter with the behavior conforming to the second description:
- If the packet conforms to the limit, it will carry out any marking options, and proceed to the next rule.
- If the packet exceeds the limit, it is dropped.
If you want to stop processing rules, you can put a "... -j ACCEPT" rule immediately after the POLICE rule.
Sylvain Munaut

Thanks.

My follow-up to that is: isn't there then an issue with the default policy?

In 00control_plane.rules there are a bunch of POLICE/police rules for different protocols, also applying a class, but without ACCEPT.

Then in 99control_plane_catch_all.rules, there is a final catch-all with a much lower rate.

So wouldn't the packets just all end up hitting the catch-all and be limited to the lower rate?
Sean Cavanaugh, Alum

That is the INPUT chain, or just traffic where the destination IS the switch. The FORWARD chain is through the switch (what you usually want to configure). Make sense?
Sylvain Munaut

Yes, I understand the difference between the INPUT and FORWARD chains.

But 00control_plane.rules and 99control_plane_catch_all.rules are both installed by default. Their role seems to be to provide sensible defaults that protect the control plane / switch CPU from being overloaded.

AFAIU the "00" one places limits on a bunch of protocols that are commonly used and required for normal operation (STP / ARP / ...). Then finally in "99" there is a catch-all with lower limits for whatever wasn't covered by the user's configuration or the default "00" ruleset.

For instance you have for BGP:

-A $INGRESS_CHAIN --in-interface $INGRESS_INTF -p tcp --dport bgp -j SETCLASS --class 7
-A $INGRESS_CHAIN -p tcp --dport bgp -j POLICE --set-mode pkt --set-rate 2000 --set-burst 2000

So it will DROP any packet above that rate. But since there is no ACCEPT, processing will continue and eventually hit the rules defined in "99":

-A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type LOCAL -j POLICE --set-mode pkt --set-rate 1000 --set-burst 1000 --set-class 0
-A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type IPROUTER -j POLICE --set-mode pkt --set-rate 400 --set-burst 100 --set-class 0
-A $INGRESS_CHAIN --in-interface $INGRESS_INTF -j SETCLASS --class 0
And so the same BGP packets will now be limited to a lower rate and DROP'd if they're above it.

It would seem the intent would have been to ACCEPT them at the higher rate defined in the "00" rule set.

(And as a side note, why are the two rules in "00" split into 2 rules, one with --in-interface and one without, one doing the rate and the other doing the SETCLASS, and not a single POLICE rule with the --set-class option?)
Sean Cavanaugh, Alum

To add to what Jason said, you can either use NCLU to see what "order" the rules are in, or use --line-numbers with iptables (e.g. iptables -L --line-numbers).
Jason Guy, Employee

So I did a little digging, and I was mistaken. All rules are terminating. So as soon as the BGP packet hits the POLICE rule, it conforms, and is accepted. If it exceeds, it is dropped. Apologies for the confusion...I will make sure the docs are clear on these fine details.
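The following simulation is an added example written for this page; it is not code from the forum or from Cumulus Linux. It replays the BGP and LOCAL catch-all rules quoted in Sylvain's post above under each of the three candidate semantics from the question, and under Jason's final answer that POLICE is terminating (conform = ACCEPT, exceed = DROP). The integer token-bucket policer, the chain walker, the assumed chain policy of ACCEPT, the omitted IPROUTER rule, and the constant 4000 pps BGP stream are all assumptions made for illustration, not a model of the switch's real pipeline.

```python
"""Simulate an iptables-style chain containing POLICE (rate-limit) targets.

Added example; not code from Cumulus Linux or from the forum thread. The
rule set mirrors the 00control_plane.rules / 99control_plane_catch_all.rules
lines quoted in the thread (BGP policed at 2000 pps, LOCAL catch-all at
1000 pps). The token bucket, chain walker and ACCEPT chain policy are
assumptions for illustration; the IPROUTER rule is omitted.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Optional

# The three candidate semantics from the question. TERMINAL is the one the
# thread settles on: conform -> ACCEPT, exceed -> DROP, nothing after it runs.
TERMINAL = "terminal"
CONDITIONAL_DROP = "conditional_drop"       # conform -> fall through, exceed -> DROP
CONDITIONAL_ACCEPT = "conditional_accept"   # conform -> ACCEPT, exceed -> fall through

BGP_PORT = 179
US = 1_000_000  # time and tokens are integer microseconds, so every run is exact


@dataclass
class Packet:
    dport: int
    dst_local: bool = True      # stands in for "-m addrtype --dst-type LOCAL"
    cls: Optional[int] = None   # class applied by SETCLASS or POLICE --set-class


class TokenBucket:
    """Packet-mode policer: --set-rate in pkts/s, --set-burst bucket size in pkts."""

    def __init__(self, rate_pps: int, burst_pkts: int):
        self.rate = rate_pps
        self.capacity = burst_pkts * US
        self.tokens = self.capacity     # bucket starts full
        self.last_us = 0

    def conforms(self, now_us: int) -> bool:
        self.tokens = min(self.capacity, self.tokens + (now_us - self.last_us) * self.rate)
        self.last_us = now_us
        if self.tokens >= US:           # one whole packet's worth of credit available
            self.tokens -= US
            return True
        return False


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    target: str                          # "POLICE", "SETCLASS" or "ACCEPT"
    police: Optional[TokenBucket] = None
    set_class: Optional[int] = None


def build_chain(accept_after_police: bool = False):
    """The control-plane chain as quoted in the thread (assumed layout)."""
    chain = [
        Rule(lambda p: p.dport == BGP_PORT, "SETCLASS", set_class=7),
        Rule(lambda p: p.dport == BGP_PORT, "POLICE", TokenBucket(2000, 2000)),
    ]
    if accept_after_police:  # Jason's first suggestion: "-j ACCEPT" right after POLICE
        chain.append(Rule(lambda p: p.dport == BGP_PORT, "ACCEPT"))
    chain += [
        Rule(lambda p: p.dst_local, "POLICE", TokenBucket(1000, 1000), set_class=0),
        Rule(lambda p: True, "SETCLASS", set_class=0),
    ]
    return chain


def walk(chain, pkt: Packet, now_us: int, semantics: str) -> str:
    """Evaluate the chain top to bottom and return the verdict."""
    for rule in chain:
        if not rule.match(pkt):
            continue
        if rule.target == "ACCEPT":
            return "ACCEPT"
        if rule.target == "SETCLASS":           # marking only, never terminates
            pkt.cls = rule.set_class
            continue
        ok = rule.police.conforms(now_us)       # POLICE
        if ok and rule.set_class is not None:   # marking happens only on conform
            pkt.cls = rule.set_class
        if ok and semantics in (TERMINAL, CONDITIONAL_ACCEPT):
            return "ACCEPT"
        if not ok and semantics in (TERMINAL, CONDITIONAL_DROP):
            return "DROP"
    return "ACCEPT"  # assumed chain policy


def simulate(semantics: str, accept_after_police: bool = False,
             pps: int = 4000, seconds: int = 5):
    """Offer a constant BGP stream (constructed input) and tally verdicts and classes."""
    chain = build_chain(accept_after_police)
    interval = US // pps
    verdicts, classes = Counter(), Counter()
    for i in range(pps * seconds):
        pkt = Packet(dport=BGP_PORT)
        verdict = walk(chain, pkt, i * interval, semantics)
        verdicts[verdict] += 1
        if verdict == "ACCEPT":
            classes[pkt.cls] += 1
    return verdicts, classes


if __name__ == "__main__":
    for sem in (TERMINAL, CONDITIONAL_DROP, CONDITIONAL_ACCEPT):
        print(sem, *simulate(sem))
    print("conditional_drop + ACCEPT after POLICE", *simulate(CONDITIONAL_DROP, True))
```

With the stream at twice the BGP limit, the terminating semantics accept 11999 of 20000 packets, all in class 7. Under the conditional-DROP reading the same conforming packets fall through to the 1000 pps LOCAL policer, so only 5999 survive and every one of them ends up in class 0, which is exactly the fall-through Sylvain describes; adding an ACCEPT right after the BGP POLICE rule restores the 11999 / class 7 result. Under the conditional-ACCEPT reading nothing is ever dropped at all with an ACCEPT chain policy, since a packet that exceeds every policer just reaches the end of the chain.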
Sylvain Munaut

Thanks for the follow-up!
Sylvain Munaut

And if I may offer a suggestion: using 10control_plane.rules instead of 00control_plane.rules would be better IMHO. This would allow users to add filtering rules prior to the rate limiting.