canonical / lxd

Powerful system container and virtual machine manager
https://canonical.com/lxd
GNU Affero General Public License v3.0

Invalid `tc` filter usage with old `iproute2` version #12239

Open simondeziel opened 1 year ago

simondeziel commented 1 year ago

When configuring an egress limit on an interface, LXD generates a `tc` filter rule that isn't compatible with `iproute2` version 5.5.0, which is what comes with Ubuntu 20.04 or the core20 snap that is used by the 5.0 LXD snap.

```
lxc config device set juju-9be460-0 eth0 limits.egress=1bit

Error: Failed to update device "eth0": Failed to create ingress tc filter: Failed to run: tc filter add dev vethb10b5f4f parent ffff:0 protocol all u32 match u32 0 0 police rate 1bit burst 1024k mtu 64kb drop: exit status 1 ("rate" or "avrate" MUST be specified.
Illegal "police")
```

The same config device works well with LXD latest/edge that uses core22 and it also accepts `limits.egress=0bit`.

Here's a simplified reproducer:

```
$ lxc launch ubuntu:20.04 tc2004
$ lxc exec tc2004 -- tc qdisc add dev eth0 root handle ffff:0 prio
$ lxc exec tc2004 -- tc filter add dev eth0 parent ffff:0 protocol all u32 match u32 0 0 police rate 1bit burst 1024k mtu 64kb drop
"rate" or "avrate" MUST be specified.
Illegal "police"
```

With the old `iproute2` version, the rate has to be expressed in `bps`:

```
$ lxc exec tc2004 -- tc filter add dev eth0 parent ffff:0 protocol all u32 match u32 0 0 police rate 1bps burst 1024kbit mtu 64kb drop
# works
```

Furthermore, the old `iproute2` version doesn't accept `0bps` as a valid rate either:

```
$ lxc exec tc2004 -- tc filter add dev eth0 parent ffff:0 protocol all u32 match u32 0 0 police rate 0bps burst 1024kbit mtu 64kb drop
"rate" or "avrate" MUST be specified.
Illegal "police"
```

tomponline commented 1 year ago

This should get resolved when 5.0/stable gets moved to core22.