Page MenuHomeVyOS Platform
Create Task
Maniphest T6796

QoS match filter by interface doesn't work
Closed, ResolvedPublicBUG
Actions

Description

sagitta:

vyos@vyos# run show configuration commands | grep qos
set qos interface eth1 ingress 'test'
set qos policy limiter test class 10 bandwidth '100mbit'
set qos policy limiter test class 10 match test_match interface 'eth2'
set qos policy limiter test default bandwidth '100gbit'
[edit]
vyos@vyos# tc -d filter show dev eth1 ingress
filter parent ffff: protocol all pref 255 basic chain 0 
filter parent ffff: protocol all pref 255 basic chain 0 handle 0x1 flowid ffff:b 
        action order 1:  police 0x1 rate 100Gbit burst 0b mtu 2Kb action drop overhead 0b linklayer ethernet 
        ref 1 bind 1

equuleus:

vyos@vyos# run show configuration commands | grep traf
set interfaces ethernet eth1 traffic-policy in 'test'
set traffic-policy limiter test class 10 bandwidth '100mbit'
set traffic-policy limiter test class 10 match test_match interface 'eth2'
set traffic-policy limiter test default bandwidth '100gbit'
[edit]
vyos@vyos# tc -d filter show dev eth1 ingress
filter parent ffff: protocol all pref 20 basic chain 0 
filter parent ffff: protocol all pref 20 basic chain 0 handle 0x1 flowid ffff:a 
  meta(rt_iif eq 4)

        action order 1:  police 0x1 rate 100Mbit burst 15337b mtu 2Kb action drop overhead 0b linklayer ethernet 
        ref 1 bind 1

filter parent ffff: protocol all pref 255 basic chain 0 
filter parent ffff: protocol all pref 255 basic chain 0 handle 0x1 flowid ffff:b 
        action order 1:  police 0x3 rate 100Gbit burst 0b mtu 2Kb action drop overhead 0b linklayer ethernet 
        ref 1 bind 1

Details

Version
VyOS 1.4.1-beta1
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Related Objects
Search...

Event Timeline

HollyGurza created this task.Oct 21 2024, 1:25 PM
HollyGurza added projects: VyOS 1.4 Sagitta (1.4.1), Bugs.Oct 21 2024, 1:27 PM
HollyGurza changed Version from - to VyOS 1.4.1-beta1.
HollyGurza changed Issue type from Unspecified (please specify) to Bug (incorrect behavior).
HollyGurza changed the subtype of this task from "Task" to "Bug".
Viacheslav added a parent task: T6797: Root task for remaining 1.4.1 bugs.Oct 21 2024, 3:54 PM
pasik subscribed.Oct 22 2024, 9:36 AM
syncer edited projects, added VyOS Rolling; removed VyOS 1.4 Sagitta (1.4.1), VyOS 1.5 Circinus.Nov 1 2024, 8:36 PM
syncer added a subscriber: Global Notifications.Nov 1 2024, 9:19 PM
HollyGurza renamed this task from [QoS] Policy Limiter class match filter by interface doesn't work to [QoS] match filter by interface doesn't work.Nov 12 2024, 4:36 AM
HollyGurza added a comment.Nov 12 2024, 6:30 AM

https://github.com/vyos/vyos-1x/pull/4188

Implemented handling for the CLI command to set a filter by interface(rt_iif).
Implemented a command such as set qos policy limiter test class 10 match test_match interface 'eth1' to generate filters similar to those used in VyOS 1.3.

Although the command successfully generates filters, these filters appear to not function correctly on the kernel or iproute2 side.
I have tested this filter across various VyOS versions, from 1.8 to rolling, and observed no statistics in qdisc, class, or filter indicating that filtering by rt_iif is working.
However, this approach works as expected in Vyatta (VC6.5R1), where rt_iif filtering is visible in statistics.

HollyGurza added a comment.Nov 12 2024, 6:50 AM

exmaple test with shaper policy:

conf
set qos interface eth1 egress 'test'
set qos policy shaper test bandwidth '100gbit'
set qos policy shaper test class 22 bandwidth '22mbit'
set qos policy shaper test class 22 match m22 interface 'eth1'
set qos policy shaper test class 22 queue-type 'fair-queue'
set qos policy shaper test class 33 bandwidth '33mbit'
set qos policy shaper test class 33 match m33 interface 'eth0'
set qos policy shaper test class 33 queue-type 'fair-queue'
set qos policy shaper test default bandwidth '10mbit'
set qos policy shaper test default queue-type 'fair-queue'
commit

generate some traffic through eth1:

vyos@vyos# ping -I eth1 10.0.0.10
PING 10.0.0.10 (10.0.0.10) from 10.0.0.1 eth1: 56(84) bytes of data.
64 bytes from 10.0.0.10: icmp_seq=1 ttl=64 time=1.72 ms
64 bytes from 10.0.0.10: icmp_seq=2 ttl=64 time=1.68 ms
64 bytes from 10.0.0.10: icmp_seq=3 ttl=64 time=1.69 ms
64 bytes from 10.0.0.10: icmp_seq=4 ttl=64 time=2.01 ms

check tc statistics:

vyos@vyos# tc -s qdisc show dev eth1
qdisc htb 1: root refcnt 2 r2q 62500 default 0x22 direct_packets_stat 0 direct_qlen 1000
 Sent 966 bytes 11 pkt (dropped 0, overlimits 1 requeues 0) 
 backlog 0b 0p requeues 0
qdisc sfq 8096: parent 1:16 limit 127p quantum 1514b depth 127 divisor 1024 
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) 
 backlog 0b 0p requeues 0
qdisc sfq 8098: parent 1:22 limit 127p quantum 1514b depth 127 divisor 1024 
 Sent 966 bytes 11 pkt (dropped 0, overlimits 0 requeues 0) 
 backlog 0b 0p requeues 0
qdisc sfq 8097: parent 1:21 limit 127p quantum 1514b depth 127 divisor 1024 
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) 
 backlog 0b 0p requeues 0
[edit]
vyos@vyos# tc -s class show dev eth1
class htb 1:22 parent 1:1 leaf 8098: prio 7 rate 10Mbit ceil 10Mbit burst 15Kb cburst 1600b
 Sent 966 bytes 11 pkt (dropped 0, overlimits 0 requeues 0) 
 backlog 0b 0p requeues 0
 lended: 11 borrowed: 0 giants: 0
 tokens: 190775 ctokens: 18775

class htb 1:1 root rate 100Gbit ceil 100Gbit burst 0b cburst 0b
 Sent 966 bytes 11 pkt (dropped 0, overlimits 1 requeues 0) 
 backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: -1 ctokens: -1

class htb 1:21 parent 1:1 leaf 8097: prio 0 rate 33Mbit ceil 33Mbit burst 15Kb cburst 1592b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) 
 backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 58171 ctokens: 6046

class htb 1:16 parent 1:1 leaf 8096: prio 0 rate 22Mbit ceil 22Mbit burst 15Kb cburst 1595b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) 
 backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 87265 ctokens: 9078

[edit]
vyos@vyos# tc -s filter show dev eth1
filter parent 1: protocol all pref 1 basic chain 0 
filter parent 1: protocol all pref 1 basic chain 0 handle 0x2 flowid 1:21 
  meta(rt_iif eq 2)

        action order 1:  police 0x2 rate 33Mbit burst 15Kb mtu 2Kb action reclassify overhead 0b 
        ref 1 bind 1  installed 54 sec used 54 sec
        Action statistics:
        Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) 
        backlog 0b 0p requeues 0

filter parent 1: protocol all pref 1 basic chain 0 handle 0x1 flowid 1:16 
  meta(rt_iif eq 3)

        action order 1:  police 0x1 rate 22Mbit burst 15Kb mtu 2Kb action reclassify overhead 0b 
        ref 1 bind 1  installed 54 sec used 54 sec
        Action statistics:
        Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) 
        backlog 0b 0p requeues 0

[edit]

as we can see all packets go to the default way and no one by iif filter the same behaviours reproduced when we use filter without action police like in vyatta e.g.
tc filter add dev eth1 parent 1: protocol all prio 1 basic match "meta(rt_iif eq 3)" flowid 1:16

and the same example from vyatta:

conf
set interfaces ethernet eth1 traffic-policy out 'test'
set traffic-policy shaper test bandwidth '100gbit'
set traffic-policy shaper test class 22 bandwidth '22mbit'
set traffic-policy shaper test class 22 match m22 interface 'eth1'
set traffic-policy shaper test class 22 queue-type 'fair-queue'
set traffic-policy shaper test class 33 bandwidth '33mbit'
set traffic-policy shaper test class 33 match m33 interface 'eth0'
set traffic-policy shaper test class 33 queue-type 'fair-queue'
set traffic-policy shaper test default bandwidth '10mbit'
set traffic-policy shaper test default queue-type 'fair-queue'
commit

generate traffic:

vyatta@vyatta# ping -I eth1 10.0.0.10
PING 10.0.0.10 (10.0.0.10) from 10.0.0.11 eth1: 56(84) bytes of data.
64 bytes from 10.0.0.10: icmp_req=1 ttl=64 time=0.843 ms
64 bytes from 10.0.0.10: icmp_req=2 ttl=64 time=1.84 ms
64 bytes from 10.0.0.10: icmp_req=3 ttl=64 time=1.85 ms
64 bytes from 10.0.0.10: icmp_req=4 ttl=64 time=1.91 ms
^C
--- 10.0.0.10 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 0.843/1.616/1.916/0.449 ms

check tc statistics:

vyatta@vyatta# /sbin/tc -s qdisc show dev eth1
qdisc htb 1: root refcnt 2 r2q 62500 default 22 direct_packets_stat 0
 Sent 392 bytes 4 pkt (dropped 0, overlimits 0 requeues 0) 
 backlog 0b 0p requeues 0 
qdisc sfq 8007: parent 1:22 limit 127p quantum 1514b depth 127 divisor 1024 
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) 
 backlog 0b 0p requeues 0 
qdisc sfq 8008: parent 1:16 limit 127p quantum 1514b depth 127 divisor 1024 
 Sent 392 bytes 4 pkt (dropped 0, overlimits 0 requeues 0) 
 backlog 0b 0p requeues 0 
qdisc sfq 8009: parent 1:21 limit 127p quantum 1514b depth 127 divisor 1024 
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) 
 backlog 0b 0p requeues 0 
[edit]
vyatta@vyatta# /sbin/tc -s class show dev eth1
class htb 1:22 parent 1:1 leaf 8007: prio 0 rate 10000Kbit ceil 10000Kbit burst 15Kb cburst 1600b 
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) 
 rate 0bit 0pps backlog 0b 0p requeues 0 
 lended: 0 borrowed: 0 giants: 0
 tokens: 192000 ctokens: 20000

class htb 1:1 root rate 31281Mbit ceil 31281Mbit burst 0b cburst 0b 
 Sent 392 bytes 4 pkt (dropped 0, overlimits 0 requeues 0) 
 rate 0bit 0pps backlog 0b 0p requeues 0 
 lended: 0 borrowed: 0 giants: 0
 tokens: 0 ctokens: 0

class htb 1:21 parent 1:1 leaf 8009: prio 0 rate 33000Kbit ceil 33000Kbit burst 15Kb cburst 1592b 
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) 
 rate 0bit 0pps backlog 0b 0p requeues 0 
 lended: 0 borrowed: 0 giants: 0
 tokens: 58171 ctokens: 6046

class htb 1:16 parent 1:1 leaf 8008: prio 0 rate 22000Kbit ceil 22000Kbit burst 15Kb cburst 1595b 
 Sent 392 bytes 4 pkt (dropped 0, overlimits 0 requeues 0) 
 rate 0bit 0pps backlog 0b 0p requeues 0 
 lended: 4 borrowed: 0 giants: 0
 tokens: 86687 ctokens: 8500

[edit]
vyatta@vyatta# /sbin/tc -s filter show dev eth1
filter parent 1: protocol all pref 1 basic 
filter parent 1: protocol all pref 1 basic handle 0x2 flowid 1:21 
  meta(rt_iif mask 0x00000000 eq 2)

filter parent 1: protocol all pref 1 basic handle 0x1 flowid 1:16 
  meta(rt_iif mask 0x00000000 eq 3)

[edit]

here we can see packets in 1:16 class and qdisc which is used filter by eth1

HollyGurza added a comment.EditedNov 12 2024, 6:53 AM

forum post with the same problem: https://forum.vyos.io/t/vyos-1-2-traffic-policy-shaper-match-interface-not-working/8389

related task https://vyos.dev/T4232

HollyGurza changed the task status from Open to In progress.Nov 12 2024, 6:55 AM
HollyGurza set Forum thread to https://forum.vyos.io/t/vyos-1-2-traffic-policy-shaper-match-interface-not-working/8389.
HollyGurza removed Forum thread.
HollyGurza claimed this task.Nov 13 2024, 2:23 AM
Restricted Repository Identity mentioned this in rVYOSONEXb51cf400b42d: T6796: QoS: match filter by interface(iif) (#4188).Nov 21 2024, 7:41 AM
Unknown Object (User) changed the task status from In progress to Needs testing.Aug 28 2025, 10:24 AM
c-po added projects: VyOS 1.5 Circinus (1.5-stream-2025-Q3), VyOS 1.4 Sagitta (1.4.4).Aug 28 2025, 11:49 AM
Viacheslav closed this task as Resolved.Sep 25 2025, 1:19 AM
Viacheslav moved this task from Need Triage to Completed on the VyOS Rolling board.
Viacheslav moved this task from Open to Finished on the VyOS 1.5 Circinus (1.5-stream-2025-Q3) board.
Viacheslav moved this task from Backlog to Finished on the VyOS 1.4 Sagitta (1.4.4) board.
dmbaturin renamed this task from [QoS] match filter by interface doesn't work to QoS match filter by interface doesn't work.Thu, Nov 13, 1:18 AM
dmbaturin edited projects, added VyOS 1.5 Circinus (2025.11); removed VyOS 1.4 Sagitta (1.4.4), VyOS 1.5 Circinus (1.5-stream-2025-Q3), VyOS Rolling, Bugs.
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.