Ingress Policing with Linux and tc
I am simply amazed at the things GNU/Linux can now do, especially with regard to IP networking. I use pf under OpenBSD, a Unix-like operating system that is not Linux, to keep untrusted wireless access traffic from my trusted wired network at home. Lately, I have been working with Linux operating systems in a corporate environment and needed packet policing. It feels good to be able to get similar features to a Cisco device without the need to make a 4500USD purchase.
An ingress policy can decrease the amount of incoming traffic, but it depends on well-behaved TCP/IP stacks and a transport protocol that supports throttling on the sending hosts. The following commands install an ingress qdisc on eth0 and apply a filter that polices traffic at a rate of 512kbit.
tc qdisc add dev eth0 handle ffff: ingress
tc filter add dev eth0 parent ffff: protocol ip prio 50 \
u32 match ip src 0.0.0.0/0 police rate 256kbit \
burst 10k drop flowid :1
tc qdisc add dev eth0 root tbf \
rate 256kbit latency 25ms burst 10k
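The police action in the filter above is a token bucket: tokens refill at the configured rate up to the burst size, and a packet that finds too few tokens is dropped rather than queued. The Python sketch below is an added example, not code from the original post and not the kernel's implementation; it is a simplified single-rate model, and the traffic pattern (trains of ten 1500-byte packets arriving at 100 Mbit/s every 0.5 s) is constructed for illustration.

```python
# Added illustration: simplified single-rate token-bucket model of a policer.
# Not the kernel's code; the traffic pattern below is constructed.

def police(packets, rate_bit, burst_bytes):
    """Apply a drop policer to (arrival_time_s, size_bytes) tuples sorted by time.

    Returns (passed_bytes, dropped_bytes).
    """
    fill = rate_bit / 8.0          # token refill in bytes per second
    tokens = float(burst_bytes)    # bucket starts full
    last = 0.0
    passed = dropped = 0
    for t, size in packets:
        # Refill for the time elapsed since the previous packet, capped at burst.
        tokens = min(burst_bytes, tokens + (t - last) * fill)
        last = t
        if size <= tokens:
            tokens -= size
            passed += size
        else:
            dropped += size        # policing drops; it never queues
    return passed, dropped


def packet_trains(trains, per_train, size, line_rate_bit, period_s):
    """Constructed input: back-to-back packet trains sent at line rate."""
    gap = size * 8.0 / line_rate_bit
    return [(k * period_s + i * gap, size)
            for k in range(trains) for i in range(per_train)]


def goodput_bit(passed_bytes, duration_s):
    """Average delivered rate in bit/s over the given duration."""
    return passed_bytes * 8 / duration_s


# 20 trains of ten 1500-byte packets, one train every 0.5 s: 240 kbit/s offered.
TRAFFIC = packet_trains(20, 10, 1500, 100_000_000, 0.5)
RATE = 256_000                     # "256kbit" from the commands above

if __name__ == "__main__":
    for burst in (10 * 1024, 16 * 1024):   # "10k" from the post, then a larger bucket
        ok, lost = police(TRAFFIC, RATE, burst)
        print(f"burst={burst:6d}B passed={ok} dropped={lost} "
              f"goodput={goodput_bit(ok, 10.0) / 1000:.0f} kbit/s")
```

With the 10k bucket, four packets of every train are dropped and goodput settles at 144 kbit/s even though the offered load is below the policed rate; the 16k bucket passes every packet. This is the effect behind raising the burst when throughput stays under the configured rate.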
November 12th, 2016 at 9:50 am
This blog post is almost 10 years old, but I am trying it now. I tried it on my router but it is not working for me. Can anyone suggest why it is not working?
October 28th, 2012 at 3:14 am
Thanks for this example, it is simple and effective.
Do you know if it is possible to add classes for ingress QoS?
I want to add an IPv4 and an IPv6 block to a single ingress filter, which doesn’t seem possible without a class.
April 16th, 2010 at 7:07 pm
Thanks. Works for me too.
March 18th, 2010 at 10:33 pm
I know this blog is old but it helped me out so I just wanted to add a little to it.
I found that setting the burst to 10% of the rate works for me. So for example, to have it limit incoming traffic to 4mbit, I set the burst to 0.4mbit:
tc filter add dev bond0 parent ffff: protocol ip prio 50 \
u32 match ip src 0.0.0.0/0 police rate 4mbit \
burst .4m drop flowid :1
Thanks for posting this!
August 3rd, 2009 at 2:29 pm
After hours of working with this thing, it turned out that I needed to increase the burst in order to get it to behave correctly. If you find that you raise the rate but the throughput kB/s doesn’t go up, then increase the burst. I have mine at 50 and my kbit at 2000.
I did not use the tbf line, which one doc I found said was the preferred method for doing this due to it being network friendly. The tbf line may apply to outbound traffic and the ingress to inbound traffic.
July 29th, 2009 at 2:25 pm
Damn, that sounds so easy if you think about it.
January 26th, 2009 at 6:04 am
Save the commands in an executable script, and add a link to this script in your /etc/rc.local file.
December 10th, 2008 at 4:57 pm
Thanks for this. Just one question. How can I make these settings permanent so that they will survive a reboot?
August 26th, 2008 at 11:09 pm
Thanks, I'm gonna try this. How can I give each user an equal amount of BW? I've got some docs, but the ones I tried really slow down the server. Dunno if this is the norm. It is a mid to low level spec machine tho.
August 22nd, 2008 at 8:02 am
Hi,
This doesn't work for me.
I want to limit incoming traffic too, but in this case, the link goes slower and slower, but doesn't stay at a specific speed.
At the filter, there is a “flowid :1”, but where is this class? There isn't any class called “:1”, right?
I did read the lartc, but it's getting confusing.
If someone can help me, please send me an email.
lucasmocellin@gmail.com
Lucas.