Difference between revisions of "Traffic shaping with tc"

From OpenVZ Virtuozzo Containers Wiki
Jump to: navigation, search
(Minor English fixes in Limiting incoming bandwidth)
Line 49: Line 49:
 
tc filter add dev $DEV parent 1: protocol ip prio 20 u32 match u32 1 0x0000 police rate 2kbit buffer 10k drop flowid :1
 
tc filter add dev $DEV parent 1: protocol ip prio 20 u32 match u32 1 0x0000 police rate 2kbit buffer 10k drop flowid :1
 
</pre>
 
</pre>
 +
 +
== Limiting packages per second rate from VE ==
 +
To prevent dos atacks from the VE you can limit packages per second rate using iptables.
 +
<pre>
 +
DEV=eth0
 +
iptables -I FORWARD 1 -o $DEV -s X.X.X.X -m limit --limit 200/sec -j ACCEPT
 +
iptables -I FORWARD 2 -o $DEV -s X.X.X.X -j DROP
 +
</pre>
 +
X.X.X.X is an IP address of VE
  
 
== External links ==
 
== External links ==

Revision as of 13:10, 16 June 2006

Sometimes it's necessary to limit traffic bandwidth from and to the VPS. You can do it using ordinary tc tool.

Packet routes

First of all, a few words about how packets travel from and to a VE. Suppose we have Hardware Node (HN) with a VE on it, and this VE talks to some Remote Host (RH). HN has one "real" network interface eth0 and, thanks to OpenVZ, there is also "virtual" network interface venet0. Inside VPS we have interface venet0:0.

    venet0:0               venet0    eth0
VE >------------->-------------> HN >--------->--------> RH

    venet0:0               venet0    eth0
VE <-------------<-------------< HN <---------<--------< RH

Limiting outgoing bandwidth

We can limit VE outgoing bandwidth by setting the tc filter on eth0.

DEV=eth0
tc qdisc del dev $DEV root
tc qdisc add dev $DEV root handle 1: cbq avpkt 1000 bandwidth 100mbit
tc class add dev $DEV parent 1: classid 1:1 cbq rate 256kbit allot 1500 prio 5 bounded isolated
tc filter add dev $DEV parent 1: protocol ip prio 16 u32 match ip src X.X.X.X flowid 1:1
tc qdisc add dev $DEV parent 1:1 sfq perturb 10

X.X.X.X is an IP address of VE.

Limiting incoming bandwidth

This can be done by setting the tc filter on venet0:

DEV=venet0
tc qdisc del dev $DEV root
tc qdisc add dev $DEV root handle 1: cbq avpkt 1000 bandwidth 100mbit
tc class add dev $DEV parent 1: classid 1:1 cbq rate 256kbit allot 1500 prio 5 bounded isolated
tc filter add dev $DEV parent 1: protocol ip prio 16 u32 match ip dst X.X.X.X flowid 1:1
tc qdisc add dev $DEV parent 1:1 sfq perturb 10

Note that X.X.X.X is an IP address of VE.

Limiting VE to HN talks

As you can see, two filters above don't limit VE to HN talks. I mean a VE can emit as much traffic as it wishes. To make such a limitation from the HN, it is necessary to use tc police on venet0:

DEV=venet0
tc filter add dev $DEV parent 1: protocol ip prio 20 u32 match u32 1 0x0000 police rate 2kbit buffer 10k drop flowid :1

Limiting packages per second rate from VE

To prevent dos atacks from the VE you can limit packages per second rate using iptables.

DEV=eth0
iptables -I FORWARD 1 -o $DEV -s X.X.X.X -m limit --limit 200/sec -j ACCEPT
iptables -I FORWARD 2 -o $DEV -s X.X.X.X -j DROP

X.X.X.X is an IP address of VE

External links