https://wiki.openvz.org/api.php?action=feedcontributions&feedformat=atom&user=BillWOpenVZ Virtuozzo Containers Wiki - User contributions [en]2026-05-15T18:53:52ZUser contributionsMediaWiki 1.31.1https://wiki.openvz.org/index.php?title=Traffic_shaping_with_tc&diff=3163Traffic shaping with tc2007-06-05T13:37:14Z<p>BillW: /* An alternate approch using HTB */</p>
<hr />
<div>Sometimes it's necessary to limit traffic bandwidth from and to a [[VE]].<br />
You can do it using ordinary <code>tc</code> tool.<br />
<br />
== Packet routes ==<br />
First of all, a few words about how packets travel from and to a [[VE]].<br />
Suppose we have [[Hardware Node]] (HN) with a VE on it, and this VE talks<br />
to some Remote Host (RH). HN has one "real" network interface <tt>eth0</tt> and, <br />
thanks to OpenVZ, there is also "virtual" network interface <tt>venet0</tt>.<br />
Inside the VE we have interface <tt>venet0:0</tt>.<br />
<br />
<pre><br />
venet0:0 venet0 eth0<br />
VE >------------->-------------> HN >--------->--------> RH<br />
<br />
venet0:0 venet0 eth0<br />
VE <-------------<-------------< HN <---------<--------< RH<br />
</pre><br />
<br />
== Limiting outgoing bandwidth ==<br />
We can limit VE outgoing bandwidth by setting the <tt>tc</tt> filter on <tt>eth0</tt>.<br />
<pre><br />
DEV=eth0<br />
tc qdisc del dev $DEV root<br />
tc qdisc add dev $DEV root handle 1: cbq avpkt 1000 bandwidth 100mbit<br />
tc class add dev $DEV parent 1: classid 1:1 cbq rate 256kbit allot 1500 prio 5 bounded isolated<br />
tc filter add dev $DEV parent 1: protocol ip prio 16 u32 match ip src X.X.X.X flowid 1:1<br />
tc qdisc add dev $DEV parent 1:1 sfq perturb 10<br />
</pre><br />
X.X.X.X is an IP address of VE.<br />
<br />
== Limiting incoming bandwidth ==<br />
This can be done by setting the <code>tc</code> filter on <code>venet0</code>:<br />
<pre><br />
DEV=venet0<br />
tc qdisc del dev $DEV root<br />
tc qdisc add dev $DEV root handle 1: cbq avpkt 1000 bandwidth 100mbit<br />
tc class add dev $DEV parent 1: classid 1:1 cbq rate 256kbit allot 1500 prio 5 bounded isolated<br />
tc filter add dev $DEV parent 1: protocol ip prio 16 u32 match ip dst X.X.X.X flowid 1:1<br />
tc qdisc add dev $DEV parent 1:1 sfq perturb 10<br />
</pre><br />
Note that <code>X.X.X.X</code> is an IP address of VE.<br />
<br />
== Limiting VE to HN talks ==<br />
As you can see, two filters above don't limit [[VE]] to [[HN]] talks.<br />
I mean a [[VE]] can emit as much traffic as it wishes. To make such a limitation from the [[HN]],<br />
it is necessary to use <tt>tc</tt> police on <tt>venet0</tt>:<br />
<pre><br />
DEV=venet0<br />
tc filter add dev $DEV parent 1: protocol ip prio 20 u32 match u32 1 0x0000 police rate 2kbit buffer 10k drop flowid :1<br />
</pre><br />
<br />
== Limiting packets per second rate from VE ==<br />
To prevent dos atacks from the VE you can limit packets per second rate using iptables.<br />
<pre><br />
DEV=eth0<br />
iptables -I FORWARD 1 -o $DEV -s X.X.X.X -m limit --limit 200/sec -j ACCEPT<br />
iptables -I FORWARD 2 -o $DEV -s X.X.X.X -j DROP<br />
</pre><br />
Here <code>X.X.X.X</code> is an IP address of VE<br />
<br />
== An alternate approch using HTB ==<br />
<br />
For details refer to the [http://luxik.cdi.cz/~devik/qos/htb/ HTB Home Page]<br />
<br />
<pre><br />
#!/bin/sh<br />
#<br />
# Incoming traffic control<br />
#<br />
VE_IP1=$1<br />
VE_IP2=$2<br />
DEV=venet0<br />
#<br />
tc qdisc del dev $DEV root<br />
#<br />
tc qdisc add dev $DEV root handle 1: htb default 10<br />
#<br />
tc class add dev $DEV parent 1: classid 1:1 htb rate 100mbit burst 15k<br />
tc class add dev $DEV parent 1:1 classid 1:10 htb rate 10mbit ceil 10mbit burst 15k<br />
tc class add dev $DEV parent 1:1 classid 1:20 htb rate 20mbit ceil 20mbit burst 15k<br />
tc class add dev $DEV parent 1:1 classid 1:30 htb rate 30mbit ceil 30mbit burst 15k<br />
#<br />
tc qdisc add dev $DEV parent 1:10 handle 10: sfq perturb 10<br />
tc qdisc add dev $DEV parent 1:20 handle 20: sfq perturb 10<br />
tc qdisc add dev $DEV parent 1:30 handle 30: sfq perturb 10<br />
#<br />
if [ ! -z $VE_IP1 ]; then<br />
tc filter add dev $DEV protocol ip parent 1:0 prio 1 u32 match ip dst "$VE_IP1" flowid 1:20 <br />
fi<br />
if [ ! -z $VE_IP2 ]; then<br />
tc filter add dev $DEV protocol ip parent 1:0 prio 1 u32 match ip dst "$VE_IP2" flowid 1:30 <br />
fi<br />
#<br />
echo;echo "tc configuration for $DEV:"<br />
tc qdisc show dev $DEV<br />
tc class show dev $DEV<br />
tc filter show dev $DEV<br />
#<br />
# Outgoing traffic control<br />
#<br />
DEV=eth0<br />
#<br />
tc qdisc del dev $DEV root<br />
#<br />
tc qdisc add dev $DEV root handle 1: htb default 10<br />
#<br />
tc class add dev $DEV parent 1: classid 1:1 htb rate 100mbit burst 15k<br />
tc class add dev $DEV parent 1:1 classid 1:10 htb rate 10mbit ceil 10mbit burst 15k<br />
tc class add dev $DEV parent 1:1 classid 1:20 htb rate 20mbit ceil 20mbit burst 15k<br />
tc class add dev $DEV parent 1:1 classid 1:30 htb rate 30mbit ceil 30mbit burst 15k<br />
#<br />
tc qdisc add dev $DEV parent 1:10 handle 10: sfq perturb 10<br />
tc qdisc add dev $DEV parent 1:20 handle 20: sfq perturb 10<br />
tc qdisc add dev $DEV parent 1:30 handle 30: sfq perturb 10<br />
#<br />
if [ ! -z $VE_IP1 ]; then<br />
tc filter add dev $DEV protocol ip parent 1:0 prio 1 u32 match ip src "$VE_IP1" flowid 1:20<br />
fi<br />
if [ ! -z $VE_IP2 ]; then<br />
tc filter add dev $DEV protocol ip parent 1:0 prio 1 u32 match ip src "$VE_IP2" flowid 1:30<br />
fi<br />
#<br />
echo;echo "tc configuration for $DEV:"<br />
tc qdisc show dev $DEV<br />
tc class show dev $DEV<br />
tc filter show dev $DEV<br />
</pre><br />
<br />
== External links ==<br />
* [http://lartc.org/howto/ Linux Advanced Routing & Traffic Control HOWTO]<br />
<br />
[[Category: HOWTO]]<br />
[[Category: Networking]]</div>BillWhttps://wiki.openvz.org/index.php?title=Traffic_shaping_with_tc&diff=3159Traffic shaping with tc2007-06-04T20:01:08Z<p>BillW: </p>
<hr />
<div>Sometimes it's necessary to limit traffic bandwidth from and to a [[VE]].<br />
You can do it using ordinary <code>tc</code> tool.<br />
<br />
== Packet routes ==<br />
First of all, a few words about how packets travel from and to a [[VE]].<br />
Suppose we have [[Hardware Node]] (HN) with a VE on it, and this VE talks<br />
to some Remote Host (RH). HN has one "real" network interface <tt>eth0</tt> and, <br />
thanks to OpenVZ, there is also "virtual" network interface <tt>venet0</tt>.<br />
Inside the VE we have interface <tt>venet0:0</tt>.<br />
<br />
<pre><br />
venet0:0 venet0 eth0<br />
VE >------------->-------------> HN >--------->--------> RH<br />
<br />
venet0:0 venet0 eth0<br />
VE <-------------<-------------< HN <---------<--------< RH<br />
</pre><br />
<br />
== Limiting outgoing bandwidth ==<br />
We can limit VE outgoing bandwidth by setting the <tt>tc</tt> filter on <tt>eth0</tt>.<br />
<pre><br />
DEV=eth0<br />
tc qdisc del dev $DEV root<br />
tc qdisc add dev $DEV root handle 1: cbq avpkt 1000 bandwidth 100mbit<br />
tc class add dev $DEV parent 1: classid 1:1 cbq rate 256kbit allot 1500 prio 5 bounded isolated<br />
tc filter add dev $DEV parent 1: protocol ip prio 16 u32 match ip src X.X.X.X flowid 1:1<br />
tc qdisc add dev $DEV parent 1:1 sfq perturb 10<br />
</pre><br />
X.X.X.X is an IP address of VE.<br />
<br />
== Limiting incoming bandwidth ==<br />
This can be done by setting the <code>tc</code> filter on <code>venet0</code>:<br />
<pre><br />
DEV=venet0<br />
tc qdisc del dev $DEV root<br />
tc qdisc add dev $DEV root handle 1: cbq avpkt 1000 bandwidth 100mbit<br />
tc class add dev $DEV parent 1: classid 1:1 cbq rate 256kbit allot 1500 prio 5 bounded isolated<br />
tc filter add dev $DEV parent 1: protocol ip prio 16 u32 match ip dst X.X.X.X flowid 1:1<br />
tc qdisc add dev $DEV parent 1:1 sfq perturb 10<br />
</pre><br />
Note that <code>X.X.X.X</code> is an IP address of VE.<br />
<br />
== Limiting VE to HN talks ==<br />
As you can see, two filters above don't limit [[VE]] to [[HN]] talks.<br />
I mean a [[VE]] can emit as much traffic as it wishes. To make such a limitation from the [[HN]],<br />
it is necessary to use <tt>tc</tt> police on <tt>venet0</tt>:<br />
<pre><br />
DEV=venet0<br />
tc filter add dev $DEV parent 1: protocol ip prio 20 u32 match u32 1 0x0000 police rate 2kbit buffer 10k drop flowid :1<br />
</pre><br />
<br />
== Limiting packets per second rate from VE ==<br />
To prevent dos atacks from the VE you can limit packets per second rate using iptables.<br />
<pre><br />
DEV=eth0<br />
iptables -I FORWARD 1 -o $DEV -s X.X.X.X -m limit --limit 200/sec -j ACCEPT<br />
iptables -I FORWARD 2 -o $DEV -s X.X.X.X -j DROP<br />
</pre><br />
Here <code>X.X.X.X</code> is an IP address of VE<br />
<br />
== An alternate approch using HTB ==<br />
<br />
For details refer to the [http://luxik.cdi.cz/~devik/qos/htb/ HTB Home Page]<br />
<br />
<pre><br />
#!/bin/sh<br />
#<br />
# Incominfg traffic control<br />
#<br />
VE_IP1=$1<br />
VE_IP2=$2<br />
DEV=venet0<br />
#<br />
tc qdisc del dev $DEV root<br />
#<br />
tc qdisc add dev $DEV root handle 1: htb default 10<br />
#<br />
tc class add dev $DEV parent 1: classid 1:1 htb rate 100mbit burst 15k<br />
tc class add dev $DEV parent 1:1 classid 1:10 htb rate 10mbit ceil 10mbit burst 15k<br />
tc class add dev $DEV parent 1:1 classid 1:20 htb rate 20mbit ceil 20mbit burst 15k<br />
tc class add dev $DEV parent 1:1 classid 1:30 htb rate 30mbit ceil 30mbit burst 15k<br />
#<br />
tc qdisc add dev $DEV parent 1:10 handle 10: sfq perturb 10<br />
tc qdisc add dev $DEV parent 1:20 handle 20: sfq perturb 10<br />
tc qdisc add dev $DEV parent 1:30 handle 30: sfq perturb 10<br />
#<br />
if [ ! -z $VE_IP1 ]; then<br />
tc filter add dev $DEV protocol ip parent 1:0 prio 1 u32 match ip dst "$VE_IP1" flowid 1:20 <br />
fi<br />
if [ ! -z $VE_IP2 ]; then<br />
tc filter add dev $DEV protocol ip parent 1:0 prio 1 u32 match ip dst "$VE_IP2" flowid 1:30 <br />
fi<br />
#<br />
echo;echo "tc configuration for $DEV:"<br />
tc qdisc show dev $DEV<br />
tc class show dev $DEV<br />
tc filter show dev $DEV<br />
#<br />
# Outgoing traffic control<br />
#<br />
DEV=eth0<br />
#<br />
tc qdisc del dev $DEV root<br />
#<br />
tc qdisc add dev $DEV root handle 1: htb default 10<br />
#<br />
tc class add dev $DEV parent 1: classid 1:1 htb rate 100mbit burst 15k<br />
tc class add dev $DEV parent 1:1 classid 1:10 htb rate 10mbit ceil 10mbit burst 15k<br />
tc class add dev $DEV parent 1:1 classid 1:20 htb rate 20mbit ceil 20mbit burst 15k<br />
tc class add dev $DEV parent 1:1 classid 1:30 htb rate 30mbit ceil 30mbit burst 15k<br />
#<br />
tc qdisc add dev $DEV parent 1:10 handle 10: sfq perturb 10<br />
tc qdisc add dev $DEV parent 1:20 handle 20: sfq perturb 10<br />
tc qdisc add dev $DEV parent 1:30 handle 30: sfq perturb 10<br />
#<br />
if [ ! -z $VE_IP1 ]; then<br />
tc filter add dev $DEV protocol ip parent 1:0 prio 1 u32 match ip src "$VE_IP1" flowid 1:20<br />
fi<br />
if [ ! -z $VE_IP2 ]; then<br />
tc filter add dev $DEV protocol ip parent 1:0 prio 1 u32 match ip src "$VE_IP2" flowid 1:30<br />
fi<br />
#<br />
echo;echo "tc configuration for $DEV:"<br />
tc qdisc show dev $DEV<br />
tc class show dev $DEV<br />
tc filter show dev $DEV<br />
</pre><br />
== External links ==<br />
* [http://lartc.org/howto/ Linux Advanced Routing & Traffic Control HOWTO]<br />
<br />
[[Category: HOWTO]]<br />
[[Category: Networking]]</div>BillW