Determining whether to rate limit traffic

US11539633B2 · US · B2

Patent metadata
Field                Value
Publication number   US-11539633-B2
Application number   US-202017008576-A
Country              US
Kind code            B2
Filing date          Aug 31, 2020
Priority date        Aug 31, 2020
Publication date     Dec 27, 2022
Grant date           Dec 27, 2022

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Some embodiments provide a method for a gateway datapath that executes on a gateway device to implement logical routers for a set of logical networks and process traffic between the logical networks and an external network. The method receives a data message at the gateway device. To process the data message, the method executes a set of processing stages that includes a processing stage for a particular logical router. As part of the processing stage for the particular logical router, the method (i) uses an access control list (ACL) table to determine whether the data message is subject to rate limiting controls defined for the particular logical router and (ii) only when the data message is subject to rate limiting controls, determines whether to allow the data message according to a rate limiting mechanism for the particular logical router.

First claim

Opening claim text (preview).

We claim:

1. For a gateway datapath that executes on a gateway device to implement first and second logical routers for a set of logical networks and process traffic between the set of logical networks and an external network, a method comprising: receiving a plurality of data messages at the gateway device; to process each of a set of data messages, executing a set of processing stages comprising a processing stage for the first logical router or the second logical router; and as part of the processing stage for each of the first or second logical router: using a first or second access control list (ACL) table to determine whether each data message processed for the first or second logical router is subject to rate limiting controls defined for the first or second logical router; and only when the data message is subject to rate limiting controls, determining whether to allow the data message according to a rate limiting mechanism for the first or second logical router, the first ACL table associated with the first logical router and storing a first plurality of ACL rules for the first logical router and the second ACL table associated with the second logical router and storing a second plurality of ACL rules for the second logical router, at least two ACL rules in each table specifying two different rate limiting controls for two different data message flows processed by the processing stage of the table's associated logical router.

2. The method of claim 1, wherein the gateway device stores, for the first logical router, (i) an ingress ACL table for data traffic entering the logical network and (ii) an egress ACL table for data traffic exiting the logical network, wherein the first ACL table used to determine whether each data message is subject to rate limiting controls is one of the ingress and egress ACL tables.

3. The method of claim 1, wherein: each data message is for a particular tenant logical network; the first logical router is a tenant logical router of the particular tenant logical network; and the gateway device stores ACL tables for logical routers of a plurality of different tenant logical networks.

4. The method of claim 1, wherein using the first or second ACL table to determine whether the data message is subject to rate limiting controls defined for the first or second logical router comprises: extracting a set of header field values from the data message; and matching the extracted set of header field values against the plurality of rules in the first or second ACL table.

5. The method of claim 4, wherein the set of header field values comprises a protocol field indicating a transport layer protocol of the data message, source and destination network addresses, source and destination transport layer ports, a differentiated services code point (DSCP) value, and a class of service (CoS) value.

6. The method of claim 4, wherein the set of header field values comprises a protocol field indicating a transport layer protocol of the data message, source and destination network addresses, source and destination transport layer ports, a type of service (ToS) value, and a class of service (CoS) value.

7. The method of claim 4, wherein: extracting the set of header field values comprises generating an ACL match key comprising (i) the set of header field values and (ii) a set of bits indicating whether each of the header field values is present in the data message; and matching the extracted set of header field values against the plurality of rules comprises matching the ACL match key.

8. The method of claim 7, wherein the ACL match key is a fixed length buffer such that when a particular header field is not present in the data message, generating the ACL match key comprises: using a default value for the header field value corresponding to the particular header field in the ACL match key; and setting a particular bit corresponding to the particular header field in the set of bits of the ACL match key to indicate that the particular header field is not present in the data message, wherein when the particular header field is not present, the data message only matches rules in the first or second ACL table that do not require presence of the particular header field.

9. The method of claim 4, wherein when no rule is found in the plurality of rules that matches the extracted set of header fields, the data message is not subject to rate limiting controls and the rate limiting mechanism is not applied to the data message.

10. The method of claim 4, wherein when the extracted set of header fields matches a particular rule in the first ACL table, the particular rule specifies whether the data message is subject to rate limiting controls.

11. The method of claim 4, wherein: the first plurality of rules in the first ACL table are arranged in a priority order; and when the extracted set of header fields matches multiple rules in the first ACL table, the matched rule with the highest priority is applied to the data message.

12. The method of claim 1, wherein: the gateway device stores, for the first logical router, (i) ACL table for data traffic with Internet Protocol version 4 (IPv4) network addresses and (ii) ACL table for data traffic with IP version 6 (IPv6) network addresses; IPv4 and IPv6 network addresses have different lengths; and each of the IPv4 and IPv6 ACL tables uses a respective fixed length buffer generated from fields of data messages for matching operations.

13. The method of claim 1 further comprising generating a flow cache entry based on the executed set of processing stages, the flow cache entry used to process subsequent data messages belonging to a same data flow as the data message without executing the set of processing stages for the subsequent data messages.

14. The method of claim 13, wherein: the flow cache entry matches on at least all data message fields used by the first or second ACL table so that additional use of the ACL table is not required for the subsequent data messages; and when the data message is subject to the rate limiting controls, the subsequent data messages are also subject to the rate limiting controls.

15. The method of claim 1, wherein: a QoS data structure associated with the particular logical router specifies a current amount of data that can be processed for the particular logical router; and determining whether to allow the data message comprises comparing a size of the data message to the current amount of data specified by the QoS data structure.

16. The method of claim 15, wherein determining whether to allow the data message further comprises dropping the data message when the size of the data message is greater than the current amount of data specified by the QoS data structure.

17. The method of claim 16, wherein determining whether to allow the data message further comprises allowing the data message when the size of the data message is less than the current amount of data specified by the QoS data structure.

18. The method of claim 17, wherein allowing the data message comprises setting a DSCP value for the data message to a particular value indicating that the data message is a high priority data message.

19. The method of claim 15, wherein determining whether to allow the data message further comprises, when the size of the data message is greater than the current amount of data specified by the QoS data structure, setting a DSCP value for the data message to a particular value indicating that the data message is a low pr
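As an added illustration (not code from the patent or from VMware), the following Python models the stage the claims describe: a fixed-length match key with presence bits (claims 7-8), highest-priority rule selection (claim 11), and a size-against-allowance check that drops the message or marks it high priority (claims 15-18). The field names, the rule format and the DSCP value are assumptions for illustration.

```python
# Added example, not code from the patent or VMware: model of the ACL-gated
# rate limiting stage in claims 4-11 and 15-18; names/values are assumptions.
from dataclasses import dataclass

FIELDS = ("proto", "src", "dst", "sport", "dport", "dscp", "cos")
DSCP_HIGH = 46  # assumed "high priority" marking (the EF code point)

def build_match_key(msg: dict) -> tuple:
    """Fixed-length key: one slot per field (default 0 when absent) plus a presence bitmask."""
    values, present = [], 0
    for i, name in enumerate(FIELDS):
        if name in msg:
            values.append(msg[name])
            present |= 1 << i
        else:
            values.append(0)  # default value stands in for the missing field
    return tuple(values), present

@dataclass
class AclRule:
    priority: int
    match: dict         # field -> required value; omitted fields are wildcards
    rate_limited: bool  # the rule itself says whether matches are rate limited

def lookup(table: list, key: tuple):
    """Highest-priority matching rule, or None when nothing matches."""
    values, present = key
    best = None
    for rule in table:
        # a rule that requires a field only matches if that field's presence bit is set
        if all(present & (1 << FIELDS.index(f)) and values[FIELDS.index(f)] == v
               for f, v in rule.match.items()):
            if best is None or rule.priority > best.priority:
                best = rule
    return best

@dataclass
class QosBucket:
    available: int  # current amount of data the logical router may still pass

def process(msg: dict, table: list, bucket: QosBucket) -> tuple:
    """Returns (verdict, message); the limiter runs only when a rule marks the flow rate limited."""
    rule = lookup(table, build_match_key(msg))
    if rule is None or not rule.rate_limited:
        return "allow", msg  # no rule, or rule says not rate limited: limiter not consulted
    if msg["size"] > bucket.available:
        return "drop", msg  # not enough allowance left for this message
    bucket.available -= msg["size"]
    return "allow", {**msg, "dscp": DSCP_HIGH}  # allowed and marked high priority
```

The constructed test traffic below exercises the no-match, not-rate-limited, allowed and dropped paths.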

Assignees

Vmware Inc

Inventors

Classifications

  • Access control lists [ACL] · CPC title

  • in the transport layer [OSI layer 4] (H04L69/16 takes precedence) · CPC title

  • Traffic policing · CPC title

  • Hierarchically arranged intermediate devices, e.g. for hierarchical caching · CPC title

  • using dual-stack hosts, e.g. in Internet protocol version 4 [IPv4]/Internet protocol version 6 [IPv6] networks · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11539633B2 cover?
Some embodiments provide a method for a gateway datapath that executes on a gateway device to implement logical routers for a set of logical networks and process traffic between the logical networks and an external network. The method receives a data message at the gateway device. To process the data message, the method executes a set of processing stages that includes a processing stage for a …
Who is the assignee on this patent?
Vmware Inc
What technology area does this patent fall under?
Primary CPC classification: H04L67/2885. Mapped technology areas include Electricity.
When was this patent published?
Publication date: Dec 27, 2022 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).