Ingress Policing with Linux and tc
I am simply amazed at the things GNU/Linux can now do, especially with regard to IP networking. I use pf under OpenBSD, a Unix-like operating system that is not Linux, to keep untrusted wireless access traffic away from my trusted wired network at home. Lately, I have been working with Linux operating systems in a corporate environment and needed packet policing. It feels good to be able to get features similar to a Cisco device's without having to make a 4500 USD purchase.
An ingress policer can reduce the amount of incoming traffic, but it depends on well-behaved TCP/IP stacks on the sending hosts and on a transport protocol that backs off when its packets are dropped. The following commands install an ingress queue on eth0 and apply a filter that enforces a policing rate of 512kbit.
# Attach the ingress qdisc to eth0; ffff: is the fixed handle for ingress
tc qdisc add dev eth0 handle ffff: ingress
# Police all incoming IPv4 traffic to 256kbit with a 10 kB token bucket;
# packets that find the bucket empty are dropped
tc filter add dev eth0 parent ffff: protocol ip prio 50 \
    u32 match ip src 0.0.0.0/0 police rate 256kbit \
    burst 10k drop flowid :1
# Shape outgoing traffic on eth0 with a token bucket filter at the same rate
tc qdisc add dev eth0 root tbf \
    rate 256kbit latency 25ms burst 10k
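As an added illustration (not code from the post or from iproute2), the following Python models the token bucket behind `police rate 256kbit burst 10k drop`, using tc's unit conventions (kbit is 1000 bit/s, k is 1024 bytes); the packet trace is constructed. It shows why a line-rate burst from the sender is cut off once the bucket empties, while a stream already paced at 256kbit passes untouched.

```python
# Token-bucket model of tc's `police rate 256kbit burst 10k drop` action.
# Constructed illustration, not code from the original post or from iproute2.

RATE_BPS = 256 * 1000        # tc reads "256kbit" as 256,000 bit/s
BURST_BYTES = 10 * 1024      # tc reads "10k" as 10,240 bytes


class Policer:
    def __init__(self, rate_bps: int, burst_bytes: int) -> None:
        self.rate_bps = rate_bps
        self.burst_bytes = burst_bytes
        self.tokens = float(burst_bytes)   # bucket (in bytes) starts full
        self.last_t = 0.0                  # time of the previous arrival (s)

    def admit(self, t: float, size: int) -> bool:
        """True if a packet of `size` bytes arriving at time t conforms.

        Tokens refill at rate_bps/8 bytes per second, capped at the burst;
        a packet that finds too few tokens is dropped (the `drop` action)
        and consumes nothing, so a later, smaller packet may still pass.
        """
        self.tokens = min(self.burst_bytes,
                          self.tokens + (t - self.last_t) * self.rate_bps / 8)
        self.last_t = t
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


def police(trace, rate_bps=RATE_BPS, burst_bytes=BURST_BYTES):
    """Run a (time_s, size_bytes) trace through the policer; return pass flags."""
    p = Policer(rate_bps, burst_bytes)
    return [p.admit(t, size) for t, size in trace]


# Constructed trace: 20 full-size packets arriving near line rate (0.1 ms
# apart), then after a 1 s pause 10 packets paced at exactly 256 kbit/s
# (1500 B every 46.875 ms).
LINE_RATE_BURST = [(i * 0.0001, 1500) for i in range(20)]
CONFORMANT_STREAM = [(1.0 + i * 0.046875, 1500) for i in range(10)]

if __name__ == "__main__":
    flags = police(LINE_RATE_BURST + CONFORMANT_STREAM)
    burst, paced = flags[:20], flags[20:]
    print("burst: %d passed, %d dropped" % (sum(burst), len(burst) - sum(burst)))
    print("paced: %d passed, %d dropped" % (sum(paced), len(paced) - sum(paced)))
```

Only the first six line-rate packets fit in the 10 kB bucket; the rest are dropped until the sender slows down, which is the behaviour the post relies on.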
May 9th, 2008 at 1:10 pm
The idea is that you slow down the TCP ACKs to the local computer so that it can’t eat up all the incoming bandwidth in the future (not for packets that have already arrived). So instead of a steady stream of packets coming at full speed, you get intervals of silence where the server is waiting for the previous packet to be acknowledged. In those intervals of silence things of higher priority can get a chance to come in.
January 15th, 2008 at 10:59 pm
Albert, how can you ‘shape’ packets which have already been sent? There is no way to shape incoming packets.
May 1st, 2007 at 7:48 am
Hi there!! There is something that I still don’t get. Is there a possibility to enqueue incoming traffic, and how?
I can see that the example limits the incoming traffic to a fixed rate. But how could I use a hierarchy of queues to do the job? I read the “Linux Advanced Routing & Traffic Control HOWTO” but I couldn’t figure out how I can enqueue the incoming traffic.
Thanks for the time.
June 19th, 2006 at 3:31 am
That’s a good approach as it allows people to get some actual results quickly. If someone wants to get deeper into details and get more control, they can always read the papers.
May 17th, 2006 at 7:41 pm
It took me a while to sit down and wade through documentation, which tended to go through too much theory and background information. The folks that support the Linux Documentation Project are great, and it is through their work that I learned the differences between packet policing and packet shaping. I simply intended this post to serve as a quick howto on setting it up. I’m glad it helped.
May 17th, 2006 at 3:00 pm
Excellent! Works flawlessly. I’d also like to report that this works fine throttling NAT’ed traffic from an ethernet interface to a VLAN interface. *VERY* useful considering I’ve found using tc to limit outgoing traffic on a VLAN interface does *not* work (unless my tests were wrong!).