Sometimes it's necessary to limit the traffic bandwidth from and to a VPS.
You can do it using the ordinary <tt>tc</tt> tool.
== Packet routes ==
First, a few words about how packets travel from and to a VE.
Suppose we have a Hardware Node (HN) with a VE in it, and this VE talks
to some Remote Host (RH). The HN has one "real" network interface, <tt>eth0</tt>, and,
thanks to OpenVZ, there is also a "virtual" network interface, <tt>venet0</tt>.
Inside the VPS we have the interface venet0:0.
<pre>
    venet0:0               venet0      eth0
VE >------------->-------------> HN >--------->--------> RH

    venet0:0               venet0      eth0
VE <-------------<-------------< HN <---------<--------< RH
</pre>
== Limiting outgoing bandwidth ==
We can limit a VE's outgoing bandwidth by setting a <tt>tc</tt> filter on <tt>eth0</tt>.
<pre>
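DEV=eth0
# Remove any existing root qdisc (reports an error if none is set)
tc qdisc del dev $DEV root
# Root CBQ qdisc for a 100mbit link, average packet size 1000 bytes
tc qdisc add dev $DEV root handle 1: cbq avpkt 1000 bandwidth 100mbit
# Class 1:1 is capped at 256kbit; bounded/isolated = no borrowing, no lending
tc class add dev $DEV parent 1: classid 1:1 cbq rate 256kbit allot 1500 prio 5 bounded isolated
# Packets whose source address is the VE go to class 1:1
tc filter add dev $DEV parent 1: protocol ip prio 16 u32 match ip src X.X.X.X flowid 1:1
# SFQ shares the class fairly between flows, re-hashing every 10 seconds
tc qdisc add dev $DEV parent 1:1 sfq perturb 10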
</pre>
X.X.X.X is the IP address of the VE.
== Limiting incoming bandwidth ==
It can be done by setting a <tt>tc</tt> filter on <tt>venet0</tt>:
<pre>
DEV=venet0
# Same CBQ setup as for eth0, but attached to venet0
tc qdisc del dev $DEV root
tc qdisc add dev $DEV root handle 1: cbq avpkt 1000 bandwidth 100mbit
tc class add dev $DEV parent 1: classid 1:1 cbq rate 256kbit allot 1500 prio 5 bounded isolated
# Packets whose destination address is the VE go to class 1:1
tc filter add dev $DEV parent 1: protocol ip prio 16 u32 match ip dst X.X.X.X flowid 1:1
tc qdisc add dev $DEV parent 1:1 sfq perturb 10
</pre>
X.X.X.X is the IP address of the VE.
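The two sections above shape a single VE. The following added example (not part of the original article) goes one step further and generates the same <tt>tc</tt> commands with one class per VE, validating every argument before it reaches a command line. The names <tt>valid_ip</tt>, <tt>shape_cmds</tt> and <tt>shape.sh</tt> and the 192.0.2.x addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): print the tc commands for the
# article's CBQ setup with one class per VE. Nothing is applied by this script.
LINK=100mbit    # link bandwidth handed to cbq, as in the article

# valid_ip ADDR: succeed only for a dotted-quad IPv4 address, so nothing else
# can end up inside a generated command line.
valid_ip() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# shape_cmds DEV DIR RATE IP...
#   DIR is "src" (outgoing, on eth0) or "dst" (incoming, on venet0).
shape_cmds() {
    dev=$1 dir=$2 rate=$3
    shift 3
    case "$dev" in ''|*[!A-Za-z0-9_.:-]*) echo "bad device: $dev" >&2; return 1 ;; esac
    case "$dir" in src|dst) ;; *) echo "bad direction: $dir" >&2; return 1 ;; esac
    case "$rate" in ''|*[!0-9a-z]*) echo "bad rate: $rate" >&2; return 1 ;; esac
    for ip in "$@"; do
        valid_ip "$ip" || { echo "bad address: $ip" >&2; return 1; }
    done
    echo "tc qdisc del dev $dev root"
    echo "tc qdisc add dev $dev root handle 1: cbq avpkt 1000 bandwidth $LINK"
    n=0
    for ip in "$@"; do
        n=$((n + 1))    # class minor; tc reads it as hex in classid and flowid alike
        echo "tc class add dev $dev parent 1: classid 1:$n cbq rate $rate allot 1500 prio 5 bounded isolated"
        echo "tc filter add dev $dev parent 1: protocol ip prio 16 u32 match ip $dir $ip flowid 1:$n"
        echo "tc qdisc add dev $dev parent 1:$n sfq perturb 10"
    done
}

# Run as: sh shape.sh eth0 src 256kbit 192.0.2.10 192.0.2.11   (constructed addresses)
if [ $# -ge 4 ]; then shape_cmds "$@"; fi
```

Review the printed commands first, then pipe them to <tt>sh</tt> as root on the HN to apply them.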
== Limiting VE to HN talks ==
As you can see, the two filters above don't limit VE to HN talks.
I mean that the VE can emit as much traffic as it wishes. To impose such a limit from the HN,
it's necessary to use a <tt>tc</tt> policer on <tt>venet0</tt>:
<pre>
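DEV=venet0
# Attaches to qdisc 1: on venet0, so the root qdisc from the previous section must exist.
# The zero mask makes the u32 match hit every packet; traffic above 2kbit is dropped.
tc filter add dev $DEV parent 1: protocol ip prio 20 u32 match u32 1 0x0000 police rate 2kbit buffer 10k drop flowid :1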
</pre>
[[Category: HOWTO]]
[[Category: Networking]]