Traffic shaping with tc
Revision as of 05:23, 25 December 2007
Sometimes it is necessary to limit traffic bandwidth from and to a VE (an OpenVZ container). You can do it on the Hardware Node using the ordinary tc tool.
Packet routes
First of all, a few words about how packets travel from and to a VE. Suppose we have a Hardware Node (HN) with a VE on it, and this VE talks to some Remote Host (RH). HN has one "real" network interface eth0 and, thanks to OpenVZ, there is also a "virtual" network interface venet0. Inside the VE we have interface venet0:0.

       venet0:0          venet0            eth0
  VE >------------->-------------> HN >--------->--------> RH

       venet0:0          venet0            eth0
  VE <-------------<-------------< HN <---------<--------< RH
Limiting outgoing bandwidth
tc can only shape traffic that leaves an interface (traffic entering an interface can only be policed), so the VE's outgoing traffic is shaped where it leaves the HN: on eth0. The commands below create a CBQ root qdisc on eth0, a single bounded 256kbit class, a u32 filter that steers packets whose source address is the VE into that class, and an SFQ leaf so that the VE's own flows share the class fairly:

DEV=eth0
tc qdisc del dev $DEV root
tc qdisc add dev $DEV root handle 1: cbq avpkt 1000 bandwidth 100mbit
tc class add dev $DEV parent 1: classid 1:1 cbq rate 256kbit allot 1500 prio 5 bounded isolated
tc filter add dev $DEV parent 1: protocol ip prio 16 u32 match ip src X.X.X.X flowid 1:1
tc qdisc add dev $DEV parent 1:1 sfq perturb 10

X.X.X.X is the IP address of the VE. The initial tc qdisc del only clears a previous configuration; it prints an error when there is none, which is harmless. Note that CBQ has been removed from recent mainline kernels; on those, use HTB as in the alternate approach at the end of this page.
Limiting incoming bandwidth
Incoming traffic (RH to VE) enters the HN on eth0, where tc cannot shape it, but it then leaves the HN through venet0 on its way to the VE. So the same construction is applied on venet0, with the filter matching the destination address instead:

DEV=venet0
tc qdisc del dev $DEV root
tc qdisc add dev $DEV root handle 1: cbq avpkt 1000 bandwidth 100mbit
tc class add dev $DEV parent 1: classid 1:1 cbq rate 256kbit allot 1500 prio 5 bounded isolated
tc filter add dev $DEV parent 1: protocol ip prio 16 u32 match ip dst X.X.X.X flowid 1:1
tc qdisc add dev $DEV parent 1:1 sfq perturb 10

Again, X.X.X.X is the IP address of the VE.
Limiting VE to HN talks
As you can see, the two filters above do not limit VE to HN talks: a VE can send as much traffic to the HN itself as it wishes, because that traffic never crosses eth0, and the venet0 shaper only sees packets going towards the VE. To make such a limitation from the HN, it is necessary to use tc police on venet0:

DEV=venet0
tc filter add dev $DEV parent 1: protocol ip prio 20 u32 match u32 1 0x0000 police rate 2kbit buffer 10k drop flowid :1

Two things to check before relying on this. First, match u32 1 0x0000 uses an all-zero mask, so it matches every packet (match u32 0 0 is the usual spelling); the 2kbit rate is only an illustration. Second, the filter is attached to parent 1:, the root qdisc created on venet0 in the previous section. That is an egress qdisc, which handles packets the HN sends towards the VEs; packets arriving from a VE are seen on venet0's ingress side (tc qdisc add dev venet0 ingress, filters with parent ffff:), which is where a policer for them belongs.
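The script below is an added example written for this page, not the page's or OpenVZ's own code. It polices what one VE sends to the HN by attaching the policer to venet0's ingress qdisc, where packets coming from the VE are actually seen, and restricts the match to the VE's source address so other VEs on the same venet0 are unaffected. The function name and the DRY_RUN switch are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the page: police the traffic a VE sends to the HN.
# Packets coming from the VE arrive on venet0, so the policer sits on the
# ingress qdisc (parent ffff:), not on the root (egress) qdisc, which only
# handles packets the HN sends towards the VE.
# The function name and the DRY_RUN switch are this example's own.

# Execute a command, or only print it when DRY_RUN is set, so the script can
# be checked on a machine without root or a venet0 interface.
run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# police_from_ve DEV VE_IP RATE BURST
#   DEV    interface on the HN that the VE's packets arrive on (venet0)
#   VE_IP  source address to police; other VEs on the same venet0 are untouched
#   RATE   tc rate, e.g. 2kbit;  BURST  token bucket size, e.g. 10k
police_from_ve() {
    dev=$1; ve_ip=$2; rate=$3; burst=$4
    # Start from a clean ingress qdisc, the same way the page resets the root
    # qdisc before rebuilding it. Deleting a missing one is not an error here.
    run tc qdisc del dev "$dev" ingress 2>/dev/null || true
    run tc qdisc add dev "$dev" ingress
    # "drop" is the action for packets exceeding the bucket. flowid :1 is the
    # conventional target on ingress, where there is no class to put
    # conforming packets into.
    run tc filter add dev "$dev" parent ffff: protocol ip prio 20 u32 \
        match ip src "$ve_ip" \
        police rate "$rate" burst "$burst" drop flowid :1
}

# The policer's own counters (packets, overlimits) confirm it is being hit:
#   tc -s filter show dev venet0 parent ffff:
```

Run it as `police_from_ve venet0 X.X.X.X 2kbit 10k` on the HN; with `DRY_RUN=1` it only prints the tc commands it would run.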
Limiting packets per second rate from VE
A bandwidth limit does not stop a flood of small packets (SYN or UDP floods, for instance) from a VE, since such a flood stays well within a few hundred kbit. To prevent this kind of DoS attack from the VE you can additionally limit its packets per second rate with the iptables limit match on the HN's FORWARD chain, which all routed VE traffic passes through:

DEV=eth0
iptables -I FORWARD 1 -o $DEV -s X.X.X.X -m limit --limit 200/sec -j ACCEPT
iptables -I FORWARD 2 -o $DEV -s X.X.X.X -j DROP

Here X.X.X.X is the IP address of the VE. Packets beyond 200 per second (after the limit match's default burst of 5) are dropped. Two caveats: the rules are inserted at positions 1 and 2 of FORWARD, so running the commands twice stacks a second pair of rules in front of the first; and the limit match does not distinguish flows, so once the VE exceeds the rate its legitimate traffic is dropped along with the flood.
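The script below is an added example written for this page, not the page's own code. It applies the same per-VE packet-rate limit but keeps it in a dedicated chain, validates the VE addresses before touching iptables, re-applies idempotently (so it can be run from a hook without stacking rules), and uses the hashlimit match with one token bucket per source address so a single rule serves any number of VEs. The chain name VE_PPS, the function names and the DRY_RUN switch are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the page: per-VE packet-rate limit in a dedicated
# chain, applied idempotently, with the hashlimit match keeping a separate
# token bucket per source address. Chain name, function names and the
# DRY_RUN switch are this example's own choices.

run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

# Accept only a dotted-quad address, so a bad argument can never end up on an
# iptables command line as extra options.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# pps_limit_ves DEV RATE BURST VE_IP...
#   DEV    interface the VE traffic leaves through (eth0)
#   RATE   packets per second allowed per VE source address
#   BURST  packets above RATE allowed in a spike (the limit match's default
#          burst of 5 is too small for normal traffic, so it is explicit here)
pps_limit_ves() {
    dev=$1; rate=$2; burst=$3; shift 3
    chain=VE_PPS

    # Validate every address before changing any rule.
    for ve_ip in "$@"; do
        valid_ipv4 "$ve_ip" || { echo "bad VE IP: $ve_ip" >&2; return 1; }
    done

    # Create the chain if missing, then rebuild its two rules from scratch.
    run iptables -N "$chain" 2>/dev/null || true
    run iptables -F "$chain"
    # --hashlimit-mode srcip: one bucket per source IP, so a flooding VE does
    # not consume another VE's allowance.
    run iptables -A "$chain" -m hashlimit --hashlimit-name ve_pps \
        --hashlimit-mode srcip --hashlimit-upto "${rate}/sec" \
        --hashlimit-burst "$burst" -j ACCEPT
    run iptables -A "$chain" -j DROP

    # One jump per VE at the top of FORWARD. Delete any existing copy first so
    # re-running the script does not leave duplicate rules behind.
    for ve_ip in "$@"; do
        run iptables -D FORWARD -o "$dev" -s "$ve_ip" -j "$chain" 2>/dev/null || true
        run iptables -I FORWARD 1 -o "$dev" -s "$ve_ip" -j "$chain"
    done
}

# Drops are visible in the chain's counters:  iptables -vnL VE_PPS
```

Usage on the HN: `pps_limit_ves eth0 200 20 X.X.X.X Y.Y.Y.Y`; with `DRY_RUN=1` it only prints the iptables commands it would execute.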
An alternate approach using HTB
For details refer to the HTB Home Page
#!/bin/sh
#
# Incoming traffic control (HN -> VE, shaped where it leaves the HN: venet0)
#
VE_IP1=$1
VE_IP2=$2
DEV=venet0
#
tc qdisc del dev $DEV root
#
# "default 10": traffic matched by no filter goes to class 1:10. Without a
# default class it would bypass the shaper entirely.
tc qdisc add dev $DEV root handle 1: htb default 10
#
tc class add dev $DEV parent 1:1 classid 1:1 htb rate 100mbit burst 15k
tc class add dev $DEV parent 1:1 classid 1:10 htb rate 10mbit ceil 10mbit burst 15k
tc class add dev $DEV parent 1:1 classid 1:20 htb rate 20mbit ceil 20mbit burst 15k
tc class add dev $DEV parent 1:1 classid 1:30 htb rate 30mbit ceil 30mbit burst 15k
#
tc qdisc add dev $DEV parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $DEV parent 1:20 handle 20: sfq perturb 10
tc qdisc add dev $DEV parent 1:30 handle 30: sfq perturb 10
#
# rate equals ceil on every class, so one VE cannot borrow another's share.
if [ -n "$VE_IP1" ]; then
tc filter add dev $DEV protocol ip parent 1:0 prio 1 u32 match ip dst "$VE_IP1" flowid 1:20
fi
if [ -n "$VE_IP2" ]; then
tc filter add dev $DEV protocol ip parent 1:0 prio 1 u32 match ip dst "$VE_IP2" flowid 1:30
fi
#
echo;echo "tc configuration for $DEV:"
tc qdisc show dev $DEV
tc class show dev $DEV
tc filter show dev $DEV
#
# Outgoing traffic control (VE -> RH, shaped where it leaves the HN: eth0)
#
DEV=eth0
#
tc qdisc del dev $DEV root
#
tc qdisc add dev $DEV root handle 1: htb default 10
#
tc class add dev $DEV parent 1: classid 1:1 htb rate 100mbit burst 15k
tc class add dev $DEV parent 1:1 classid 1:10 htb rate 10mbit ceil 10mbit burst 15k
tc class add dev $DEV parent 1:1 classid 1:20 htb rate 20mbit ceil 20mbit burst 15k
tc class add dev $DEV parent 1:1 classid 1:30 htb rate 30mbit ceil 30mbit burst 15k
#
tc qdisc add dev $DEV parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $DEV parent 1:20 handle 20: sfq perturb 10
tc qdisc add dev $DEV parent 1:30 handle 30: sfq perturb 10
#
# Same classes as on venet0, but matched on the VE's source address.
if [ -n "$VE_IP1" ]; then
tc filter add dev $DEV protocol ip parent 1:0 prio 1 u32 match ip src "$VE_IP1" flowid 1:20
fi
if [ -n "$VE_IP2" ]; then
tc filter add dev $DEV protocol ip parent 1:0 prio 1 u32 match ip src "$VE_IP2" flowid 1:30
fi
#
echo;echo "tc configuration for $DEV:"
tc qdisc show dev $DEV
tc class show dev $DEV
tc filter show dev $DEV
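The script below is an added example written for this page; it is not the page's or OpenVZ's own script. It generalises both the per-VE CBQ rules in the outgoing and incoming sections and the two-VE HTB script above: any number of VEs are given as "IP RATE" pairs, each gets its own class with its own SFQ leaf in both directions, a small default class catches anything no filter matches, and the configuration is rebuilt from scratch each time so the script can be re-run safely. The 100mbit link rate, the 1mbit default class, the class numbering from 1:20 upwards and the DRY_RUN switch are this example's assumptions.

```shell
#!/bin/sh
# Added example, not the page's script: per-VE HTB shaping in both directions
# for any number of VEs. Assumed: a 100mbit link, a 1mbit class for traffic
# that matches no VE filter, classids 1:20, 1:21, ... and a DRY_RUN switch.

run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

LINK_RATE=100mbit     # assumed physical link rate of the HN
DEFAULT_RATE=1mbit    # assumed ceiling for traffic matched by no filter

# build_root DEV: fresh HTB root. "default 10" sends unclassified packets to
# class 1:10; without it they would bypass the shaper, so an address with no
# filter of its own (including a spoofed one) is still capped at DEFAULT_RATE.
build_root() {
    dev=$1
    run tc qdisc del dev "$dev" root 2>/dev/null || true
    run tc qdisc add dev "$dev" root handle 1: htb default 10
    run tc class add dev "$dev" parent 1: classid 1:1 htb rate "$LINK_RATE" burst 15k
    run tc class add dev "$dev" parent 1:1 classid 1:10 htb rate "$DEFAULT_RATE" ceil "$DEFAULT_RATE" burst 15k
    run tc qdisc add dev "$dev" parent 1:10 handle 10: sfq perturb 10
}

# add_ve_class DEV MATCH VE_IP RATE IDX: one class, one sfq leaf and one filter
# for a VE. MATCH is "src" on eth0 (packets the VE sends) and "dst" on venet0
# (packets the VE receives). rate equals ceil, so a VE cannot borrow from others.
add_ve_class() {
    dev=$1; match=$2; ve_ip=$3; rate=$4; idx=$5
    # minor ids are hex: 32 -> 0x20, 33 -> 0x21, ... and never collide with 1:10
    minor=$(printf '%x' $((32 + idx)))
    run tc class add dev "$dev" parent 1:1 classid "1:$minor" htb rate "$rate" ceil "$rate" burst 15k
    run tc qdisc add dev "$dev" parent "1:$minor" handle "$minor:" sfq perturb 10
    run tc filter add dev "$dev" protocol ip parent 1:0 prio 1 u32 match ip "$match" "$ve_ip" flowid "1:$minor"
}

# shape_ves "VE_IP RATE" ...    e.g.  shape_ves "10.0.0.5 20mbit" "10.0.0.6 30mbit"
shape_ves() {
    build_root eth0
    build_root venet0
    idx=0
    for pair in "$@"; do
        ve_ip=${pair%% *}; rate=${pair#* }
        add_ve_class eth0   src "$ve_ip" "$rate" "$idx"
        add_ve_class venet0 dst "$ve_ip" "$rate" "$idx"
        idx=$((idx + 1))
    done
}

# Per-class byte and drop counters show whether a VE's traffic really lands in
# its own class rather than in the default 1:10.
show_status() {
    for dev in eth0 venet0; do
        echo "== $dev"
        tc -s class show dev "$dev"
    done
}
```

On the HN, `shape_ves "X.X.X.X 20mbit" "Y.Y.Y.Y 30mbit"` reproduces the two-VE layout of the script above, and `show_status` afterwards lets you confirm from the counters that traffic is being classified as intended; `DRY_RUN=1` prints the tc commands instead of running them.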