Shared Block Support

Esti Lederer edited this page Aug 21, 2022 · 15 revisions

tc shared block is a feature that enables binding several ports to the same list of filter rules.

Consider a case where you have two netdevices and create a clsact qdisc on each. If you want the same set of filter rules on both, you need to add the rules twice, once for each qdisc. That is of course doable, but when the filters are offloaded to hardware with a limited number of entries, the duplication may become a scale issue. Block sharing aims to resolve that.

To share blocks, you need to request the share from the kernel at the qdisc creation stage:

tc qdisc add dev sw1p2 ingress_block 1 clsact
tc qdisc add dev sw1p3 ingress_block 1 clsact

These two commands add clsact qdiscs to both netdevices. Note that the ingress_block option identifies the block index that is shared between the corresponding qdiscs.

Both ingress_block and egress_block can be added to the same qdisc with just one command:

tc qdisc add dev sw1p1 ingress_block 1 egress_block 2 clsact

NOTE: egress_block is supported only by clsact qdisc.

If you list the existing qdiscs, you see the block sharing information in the output:

tc qdisc

Example output:

qdisc clsact ffff: dev sw1p2 parent ffff:fff1 ingress_block 1
qdisc clsact ffff: dev sw1p3 parent ffff:fff1 ingress_block 1

The number of qdiscs that can share the same block is not limited. Once the qdisc block is shared, you can no longer manipulate the filters using the dev handle. Instead, use the block index as a handle:

tc filter add block 1 protocol ip pref 20 flower dst_ip 192.168.0.0/16 action drop

In addition to clsact qdisc, block sharing is also supported for ingress qdisc:

tc qdisc add dev sw1p5 ingress_block 2 ingress