Ingress Policing with Linux and tc

I am simply amazed at the things GNU/Linux can now do, especially with regard to IP networking. I use pf under OpenBSD, a Unix-like operating system that is not Linux, to keep untrusted wireless access traffic away from my trusted wired network at home. Lately, I have been working with Linux operating systems in a corporate environment and needed packet policing. It feels good to be able to get features similar to those of a Cisco device without having to make a 4500USD purchase.

An ingress policer can decrease the amount of incoming traffic, but it depends on well-behaved TCP/IP stacks on the sending hosts and a transport protocol that backs off when packets are dropped. The following commands install an ingress qdisc on eth0 and apply a filter that polices traffic at a rate of 512kbit.

tc qdisc add dev eth0 handle ffff: ingress
tc filter add dev eth0 parent ffff: protocol ip prio 50 \
   u32 match ip src 0.0.0.0/0 police rate 256kbit \
   burst 10k drop flowid :1

tc qdisc add dev eth0 root tbf \
   rate 256kbit latency 25ms burst 10k
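The same setup as a re-runnable script is shown below. This is an added example, not code from the original post: it derives the burst as 10% of one second's worth of traffic (the rule of thumb from the comments), prints the tc commands by default and only executes them when DRY_RUN=0 is set, and assumes integer rates with a kbit or mbit suffix and iproute2's tc.

```shell
#!/bin/sh
# Added example, not part of the original post: generate (and optionally
# apply) an ingress policer for one interface, deriving burst as 10% of one
# second's worth of traffic in bytes. Assumes integer rates with a
# kbit/mbit suffix and iproute2's tc.

# Convert a tc rate string to bits per second (tc: kbit = 1000, mbit = 1000000).
rate_to_bps() {
  case "$1" in
    *mbit) echo $(( ${1%mbit} * 1000000 )) ;;
    *kbit) echo $(( ${1%kbit} * 1000 )) ;;
    *)     echo "unsupported rate: $1" >&2; return 1 ;;
  esac
}

# Burst in bytes: 10% of the rate (rate_bps / 10 bits), divided by 8 for bytes.
burst_for_rate() {
  bps=$(rate_to_bps "$1") || return 1
  echo $(( bps / 80 ))
}

# Print the tc command lines for DEV and RATE, one per line. The first line
# removes any existing ingress qdisc so the script can be re-run safely.
ingress_police_cmds() {
  dev=$1; rate=$2
  burst=$(burst_for_rate "$rate") || return 1
  printf '%s\n' \
    "tc qdisc del dev $dev ingress 2>/dev/null || true" \
    "tc qdisc add dev $dev handle ffff: ingress" \
    "tc filter add dev $dev parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate $rate burst $burst drop flowid :1"
}

# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 runs them (needs root).
apply_ingress_policy() {
  ingress_police_cmds "$1" "$2" | while IFS= read -r cmd; do
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$cmd"; else eval "$cmd"; fi
  done
}

# Policer counters (packets matched and dropped) to confirm the policy bites.
show_ingress_stats() {
  tc -s filter show dev "$1" parent ffff:
}

apply_ingress_policy "${1:-eth0}" "${2:-512kbit}"
```

Run it as `DRY_RUN=0 ./ingress.sh eth0 4mbit` to apply, then `show_ingress_stats eth0` to watch the drop counter climb while a download is running.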

16 Responses to “Ingress Policing with Linux and tc”

  1. Manjunath Says:

    Almost a 10-year-old blog, but trying it now. I tried it in my router but it is not working for me. Can anyone suggest why it is not working?

  2. congelli501 Says:

    Thanks for this example, it is simple and effective.

    Do you know if it is possible to add classes for ingress QoS?
    I want to add an IPv4 and an IPv6 block to a single ingress filter, which doesn’t seem possible without a class.

  3. z Says:

    Thanks. Works for me too.

  4. Francois Says:

    I know this blog is old but it helped me out so I just wanted to add a little to it.

    I found that setting the burst to 10% of the rate works for me. So for example to have it limit incoming traffic to 4mbit, I set the burst to 0.4mbit:

    tc filter add dev bond0 parent ffff: protocol ip prio 50 \
    u32 match ip src 0.0.0.0/0 police rate 4mbit \
    burst .4m drop flowid :1

    Thanks for posting this!

  5. Kohai Says:

    After hours of working with this thing, it turned out that I needed to increase the burst in order to get it to behave correctly. If you find that you raise the rate but the throughput kB/s doesn’t go up, then increase the burst. I have mine at 50 and my kbit at 2000.

    I did not use the tbf line, which one doc I found said was the preferred method for doing this because it is network friendly. The tbf line may apply to outbound traffic and the ingress to inbound traffic.
