Changes

Sometimes it's necessary to limit traffic bandwidth from and to a [[VEcontainer]].

First of all, a few words about how packets travel from and to a [[VEcontainer]].Suppose we have [[Hardware Node]] (HN) with a VE container (CT) on it, and this VE container talksto some Remote Host (RH). HN has one "real" network interface <tt>eth0</tt> and,

Inside the VE container we have interface <tt>venet0:0</tt>.

VE CT >------------->-------------> HN >--------->--------> RH

VE CT <-------------<-------------< HN <---------<--------< RH

We can limit VE container outgoing bandwidth by setting the <tt>tc</tt> filter on <tt>eth0</tt>.

X.X.X.X is an IP address of VEcontainer.

Note that <code>X.X.X.X</code> is an IP address of VEcontainer.

== Limiting VE CT to HN talks ==As you can see, two filters above don't limit [[VEcontainer]] to [[HN]] talks.I mean a [[VEcontainer]] can emit as much traffic as it wishes. To make such a limitation from the [[HN]],

== Limiting packets per second rate from VE container ==To prevent dos atacks from the VE container you can limit packets per second rate using iptables.

Here <code>X.X.X.X</code> is an IP address of VEcontainer.

VE_IP1CT_IP1=$1VE_IP2CT_IP2=$2

if [ ! -z $VE_IP1 CT_IP1 ]; then tc filter add dev $DEV protocol ip parent 1:0 prio 1 u32 match ip dst "$VE_IP1CT_IP1" flowid 1:20

if [ ! -z $VE_IP2 CT_IP2 ]; then tc filter add dev $DEV protocol ip parent 1:0 prio 1 u32 match ip dst "$VE_IP2CT_IP2" flowid 1:30

if [ ! -z $VE_IP1 CT_IP1 ]; then tc filter add dev $DEV protocol ip parent 1:0 prio 1 u32 match ip src "$VE_IP1CT_IP1" flowid 1:20

if [ ! -z $VE_IP2 CT_IP2 ]; then tc filter add dev $DEV protocol ip parent 1:0 prio 1 u32 match ip src "$VE_IP2CT_IP2" flowid 1:30