Fix policing performance issues with VIFs.

Policing is configured with the "tc" command.  By default, it picks up
the MTU from the interface having policy applied.  When a guest operating
systems is configured for segmentation offloading, the packets handed to
DOM0 may be substantially larger than the MTU.  The policing code was
dropping these packets, which caused performance to dive.  We now
configure policing with an MTU of 64K, which solves the problem.

Thanks to Ben for diagnosing the problem.

diff --git a/lib/netdev.c b/lib/netdev.c
index f1dd5c49ba46f98e9555ff91c9113335d593ace7..5704777ca3129ffdfe2ba2437d34b0c3ca84b7c4 100644 (file)
--- a/lib/netdev.c
+++ b/lib/netdev.c
@@ -1194,7 +1194,7 @@ netdev_get_stats(const struct netdev *netdev, struct netdev_stats *stats)
 }
 
 #define POLICE_ADD_CMD "/sbin/tc qdisc add dev %s handle ffff: ingress"
-#define POLICE_CONFIG_CMD "/sbin/tc filter add dev %s parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate %dkbit burst %dk drop flowid :1"
+#define POLICE_CONFIG_CMD "/sbin/tc filter add dev %s parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate %dkbit burst %dk mtu 65535 drop flowid :1"
 #define POLICE_DEL_CMD "/sbin/tc qdisc del dev %s handle ffff: ingress"
 
 /* Attempts to set input rate limiting (policing) policy. */