Traffic shaping with tc
Sometimes it's necessary to limit traffic bandwidth from and to a [[VE]].
You can do it using the ordinary <code>tc</code> tool.
== Packet routes ==
First of all, a few words about how packets travel from and to a [[VE]].
Suppose we have a [[Hardware Node]] (HN) with a VE on it, and this VE talks
to some Remote Host (RH). The HN has one "real" network interface, <tt>eth0</tt>, and,
thanks to OpenVZ, there is also a "virtual" network interface, <tt>venet0</tt>.
Inside the VE we have the interface <tt>venet0:0</tt>.
<pre>
      venet0:0        venet0              eth0
VE >------------->-------------> HN >--------->--------> RH
      venet0:0        venet0              eth0
VE <-------------<-------------< HN <---------<--------< RH
</pre>
== Limiting outgoing bandwidth ==
We can limit a VE's outgoing bandwidth by setting a <tt>tc</tt> filter on <tt>eth0</tt>:
<pre>
DEV=eth0
[...]
tc qdisc add dev $DEV parent 1:1 sfq perturb 10
</pre>
<code>X.X.X.X</code> is the IP address of the VE.
== Limiting incoming bandwidth ==
<pre>
[...]
tc qdisc add dev $DEV parent 1:1 sfq perturb 10
</pre>
Note that <code>X.X.X.X</code> is the IP address of the VE.
== Limiting VE to HN talks ==
As you can see, the two filters above do not limit [[VE]] to [[HN]] traffic:
a [[VE]] can send as much traffic to the HN as it wishes. To impose such a limit from the [[HN]] side,
it is necessary to use a <tt>tc</tt> police filter on <tt>venet0</tt>. Note that policing drops
excess packets instead of queueing them, so it does not shape traffic the way the classes above do.
<pre>
[...]
</pre>
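The three limits discussed above (outgoing on <tt>eth0</tt>, incoming on <tt>venet0</tt>, and policing VE to HN traffic on <tt>venet0</tt>) as one complete script. This is an example added here, not code from the original page or from OpenVZ. The VE address <code>10.0.0.2</code>, the 100mbit link rate and the 2mbit/1mbit limits are assumed values; <code>DRY_RUN=1</code> (the default) prints the <tt>tc</tt> commands instead of running them, so the sequence can be inspected without root.

```shell
#!/bin/sh
# Added example, not code from the OpenVZ wiki page: builds the tc command
# sequences for the three cases above (VE -> RH on eth0, RH -> VE on venet0,
# VE -> HN policed on venet0).  Assumptions for this example: the VE address
# 10.0.0.2, a 100mbit link and the 2mbit/1mbit limits are made-up values.
# DRY_RUN=1 (the default) only prints the commands; DRY_RUN=0 executes them,
# which needs root and the tc binary on the HN.

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "tc $*"
    else
        tc "$@"
    fi
}

# The VE address ends up inside u32 filter arguments; accept only a dotted
# quad so a mangled or hostile argument cannot turn into extra tc options.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Replace the root qdisc of $1 with HTB.  Unclassified traffic falls into
# class 1:30, which may use the whole link rate $2, so only filtered VEs
# are slowed down.
htb_root() {
    dev="$1"; link="$2"
    run qdisc del dev "$dev" root 2>/dev/null || true
    run qdisc add dev "$dev" root handle 1: htb default 30
    run class add dev "$dev" parent 1: classid 1:1 htb rate "$link"
    run class add dev "$dev" parent 1:1 classid 1:30 htb rate "$link" ceil "$link"
}

# Give one VE its own leaf class limited to $4 (rate == ceil, so it cannot
# borrow), fair-queued with sfq.  $3 is "src" for the outgoing case on eth0
# and "dst" for the incoming case on venet0, matching the page's filters.
shape_ve() {
    dev="$1"; ve_ip="$2"; match="$3"; rate="$4"; minor="$5"
    valid_ipv4 "$ve_ip" || { echo "shape_ve: bad VE IP '$ve_ip'" >&2; return 1; }
    run class add dev "$dev" parent 1:1 classid "1:$minor" htb rate "$rate" ceil "$rate"
    run qdisc add dev "$dev" parent "1:$minor" handle "$minor:" sfq perturb 10
    run filter add dev "$dev" protocol ip parent 1:0 prio 1 u32 \
        match ip "$match" "$ve_ip" flowid "1:$minor"
}

# VE -> HN packets never pass eth0, so the egress classes do not see them.
# They do enter the HN on venet0, where an ingress qdisc with a policing
# filter drops (does not queue) everything from the VE above $3.
police_ve_to_hn() {
    dev="$1"; ve_ip="$2"; rate="$3"; burst="$4"
    valid_ipv4 "$ve_ip" || { echo "police_ve_to_hn: bad VE IP '$ve_ip'" >&2; return 1; }
    run qdisc del dev "$dev" ingress 2>/dev/null || true
    run qdisc add dev "$dev" handle ffff: ingress
    run filter add dev "$dev" parent ffff: protocol ip prio 50 u32 \
        match ip src "$ve_ip" police rate "$rate" burst "$burst" drop flowid :1
}

# Wire up all three limits for one VE (parameters are example assumptions).
shape_all() {
    ve_ip="$1"
    htb_root eth0 100mbit
    shape_ve eth0 "$ve_ip" src 2mbit 10         # outgoing: VE -> RH
    htb_root venet0 100mbit
    shape_ve venet0 "$ve_ip" dst 2mbit 10       # incoming: RH -> VE
    police_ve_to_hn venet0 "$ve_ip" 1mbit 10k   # VE -> HN
}

# Usage: DRY_RUN=0 sh ve_shape.sh 10.0.0.2
if [ $# -gt 0 ]; then shape_all "$1"; fi
```

Run it once with the default <code>DRY_RUN=1</code> and read the printed commands before applying them as root with <code>DRY_RUN=0</code>. The u32 match switches from <code>src</code> on <tt>eth0</tt> to <code>dst</code> on <tt>venet0</tt> because the VE's address is the source of packets leaving the HN and the destination of packets going back into the VE; the ingress policer on <tt>venet0</tt> is the only one of the three that sees VE to HN traffic.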
== Limiting packets per second rate from VE ==
To prevent DoS attacks originating from a VE you can limit its packet rate using iptables:
<pre>
DEV=eth0
iptables -I FORWARD 1 -o $DEV -s X.X.X.X -m limit --limit 200/sec -j ACCEPT
iptables -I FORWARD 2 -o $DEV -s X.X.X.X -j DROP
</pre>
Here <code>X.X.X.X</code> is the IP address of the VE. The two rules are inserted at the top of the
<tt>FORWARD</tt> chain, so the order matters: the rate-limited <tt>ACCEPT</tt> must come before the
<tt>DROP</tt>, and no earlier rule may accept the traffic first. Without <code>--limit-burst</code>
the <tt>limit</tt> match uses its default burst of 5 packets.
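The packet-rate limit above with an explicit burst and a rate-limited log of what is dropped, plus a per-source variant that covers every VE behind <tt>venet0</tt> with a single rule. This is an example added here, not code from the original page or from OpenVZ, and the <tt>hashlimit</tt> variant goes beyond the page's per-VE rules. The VE address <code>10.0.0.2</code>, 200 pps and the burst sizes are assumed values; <code>DRY_RUN=1</code> (the default) prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not code from the OpenVZ wiki page: the packet-rate limit
# above with an explicit burst and a rate-limited log of what is dropped,
# plus a per-source variant that covers every VE behind venet0 with one rule.
# Assumptions for this example: VE address 10.0.0.2, 200 pps and the bursts
# below are made-up values.  DRY_RUN=1 (the default) prints the rules;
# DRY_RUN=0 loads them and needs root.

DRY_RUN="${DRY_RUN:-1}"

ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# The page's two-rule pattern for one VE.  Without --limit-burst the limit
# match allows a burst of only 5 packets before it starts rejecting, so the
# bucket is sized explicitly here.  The rules go to the top of FORWARD so an
# earlier ACCEPT (a conntrack ESTABLISHED rule, for instance) cannot bypass
# them; the LOG rule is itself limited so a flood cannot also flood the log.
pps_limit_ve() {
    dev="$1"; ve_ip="$2"; pps="$3"; burst="$4"
    ipt -I FORWARD 1 -o "$dev" -s "$ve_ip" -m limit --limit "$pps/sec" \
        --limit-burst "$burst" -j ACCEPT
    ipt -I FORWARD 2 -o "$dev" -s "$ve_ip" -m limit --limit 1/sec \
        -j LOG --log-prefix "VE_PPS_DROP "
    ipt -I FORWARD 3 -o "$dev" -s "$ve_ip" -j DROP
}

# Beyond the page: one rule for all VEs.  Everything a VE sends through the
# HN arrives on venet0, and hashlimit keeps a separate token bucket per source
# address, so each VE gets its own $2 pps budget without per-VE rules
# (needs the xt_hashlimit module).
pps_limit_all_ves() {
    in_dev="$1"; pps="$2"; burst="$3"
    ipt -I FORWARD 1 -i "$in_dev" -m hashlimit --hashlimit-above "$pps/sec" \
        --hashlimit-burst "$burst" --hashlimit-mode srcip \
        --hashlimit-name ve_pps -j DROP
}

# Neither function touches VE -> HN traffic: that is delivered locally and
# goes through INPUT, not FORWARD.

# Usage: DRY_RUN=0 sh ve_pps.sh 10.0.0.2
if [ $# -gt 0 ]; then pps_limit_ve eth0 "$1" 200 200; fi
```

With <code>pps_limit_all_ves venet0 200 200</code> a VE that exceeds 200 pps loses only its own excess packets, while the other VEs keep their full budget; with the per-VE form, a VE whose address is not listed is not limited at all, so the two approaches fail in opposite directions when a VE is added without updating the rules.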
== An alternative approach using HTB ==
For details refer to the [http://luxik.cdi.cz/~devik/qos/htb/ HTB Home Page]
<source lang="bash">
[...]
# Incoming traffic control
#
VE_IP1=$1
VE_IP2=$2
DEV=venet0
#
[...]
tc qdisc add dev $DEV parent 1:30 handle 30: sfq perturb 10
#
if [ -n "$VE_IP1" ]; then
    tc filter add dev $DEV protocol ip parent 1:0 prio 1 u32 match ip dst "$VE_IP1" flowid 1:20
fi
if [ -n "$VE_IP2" ]; then
    tc filter add dev $DEV protocol ip parent 1:0 prio 1 u32 match ip dst "$VE_IP2" flowid 1:30
fi
#
[...]
tc qdisc add dev $DEV parent 1:30 handle 30: sfq perturb 10
#
if [ -n "$VE_IP1" ]; then
    tc filter add dev $DEV protocol ip parent 1:0 prio 1 u32 match ip src "$VE_IP1" flowid 1:20
fi
if [ -n "$VE_IP2" ]; then
    tc filter add dev $DEV protocol ip parent 1:0 prio 1 u32 match ip src "$VE_IP2" flowid 1:30
fi
#
[...]
tc filter show dev $DEV
</source>
== External links ==