https://wiki.openvz.org/api.php?action=feedcontributions&feedformat=atom&user=PacketsnotpackagesOpenVZ Virtuozzo Containers Wiki - User contributions [en]2026-06-10T04:40:52ZUser contributionsMediaWiki 1.31.1https://wiki.openvz.org/index.php?title=Traffic_shaping_with_tc&diff=2164Traffic shaping with tc2006-09-01T20:53:46Z<p>Packetsnotpackages: Changed packages to packets</p>
<hr />
<div>Sometimes it's necessary to limit traffic bandwidth from and to a [[VE]].<br />
You can do it using ordinary <code>tc</code> tool.<br />
<br />
== Packet routes ==<br />
First of all, a few words about how packets travel from and to a [[VE]].<br />
Suppose we have [[Hardware Node]] (HN) with a VE on it, and this VE talks<br />
to some Remote Host (RH). HN has one "real" network interface <tt>eth0</tt> and, <br />
thanks to OpenVZ, there is also "virtual" network interface <tt>venet0</tt>.<br />
Inside the VE we have interface <tt>venet0:0</tt>.<br />
<br />
<pre><br />
venet0:0 venet0 eth0<br />
VE >------------->-------------> HN >--------->--------> RH<br />
<br />
venet0:0 venet0 eth0<br />
VE <-------------<-------------< HN <---------<--------< RH<br />
</pre><br />
<br />
== Limiting outgoing bandwidth ==<br />
We can limit VE outgoing bandwidth by setting the <tt>tc</tt> filter on <tt>eth0</tt>.<br />
<pre><br />
DEV=eth0<br />
tc qdisc del dev $DEV root<br />
tc qdisc add dev $DEV root handle 1: cbq avpkt 1000 bandwidth 100mbit<br />
tc class add dev $DEV parent 1: classid 1:1 cbq rate 256kbit allot 1500 prio 5 bounded isolated<br />
tc filter add dev $DEV parent 1: protocol ip prio 16 u32 match ip src X.X.X.X flowid 1:1<br />
tc qdisc add dev $DEV parent 1:1 sfq perturb 10<br />
</pre><br />
X.X.X.X is an IP address of VE.<br />
<br />
== Limiting incoming bandwidth ==<br />
This can be done by setting the <code>tc</code> filter on <code>venet0</code>:<br />
<pre><br />
DEV=venet0<br />
tc qdisc del dev $DEV root<br />
tc qdisc add dev $DEV root handle 1: cbq avpkt 1000 bandwidth 100mbit<br />
tc class add dev $DEV parent 1: classid 1:1 cbq rate 256kbit allot 1500 prio 5 bounded isolated<br />
tc filter add dev $DEV parent 1: protocol ip prio 16 u32 match ip dst X.X.X.X flowid 1:1<br />
tc qdisc add dev $DEV parent 1:1 sfq perturb 10<br />
</pre><br />
Note that <code>X.X.X.X</code> is an IP address of VE.<br />
<br />
== Limiting VE to HN talks ==<br />
As you can see, two filters above don't limit [[VE]] to [[HN]] talks.<br />
I mean a [[VE]] can emit as much traffic as it wishes. To make such a limitation from the [[HN]],<br />
it is necessary to use <tt>tc</tt> police on <tt>venet0</tt>:<br />
<pre><br />
DEV=venet0<br />
tc filter add dev $DEV parent 1: protocol ip prio 20 u32 match u32 1 0x0000 police rate 2kbit buffer 10k drop flowid :1<br />
</pre><br />
<br />
== Limiting packets per second rate from VE ==<br />
To prevent dos atacks from the VE you can limit packets per second rate using iptables.<br />
<pre><br />
DEV=eth0<br />
iptables -I FORWARD 1 -o $DEV -s X.X.X.X -m limit --limit 200/sec -j ACCEPT<br />
iptables -I FORWARD 2 -o $DEV -s X.X.X.X -j DROP<br />
</pre><br />
Here <code>X.X.X.X</code> is an IP address of VE<br />
<br />
== External links ==<br />
* [http://lartc.org/howto/ Linux Advanced Routing & Traffic Control HOWTO]<br />
<br />
[[Category: HOWTO]]<br />
[[Category: Networking]]</div>Packetsnotpackages