Classless qdisc example
Requirement: limit the egress bandwidth of the eth1 NIC to 100 Mbit.
This can be done with a classless qdisc.
tc -s qdisc ls dev eth1
tc qdisc add dev eth1 root tbf rate 200kbit latency 50ms burst 1540
This limits the bandwidth to 200 kbit, with a latency of 50 ms and a buffer (burst) of 1540 bytes.
This is mostly used for simple rate-limiting rules.
Here is an example of a classful qdisc.
1. Suppose I want to limit the eth1 egress traffic of the local machine to the destination IP address 10.1.1.1.
1. tc -s qdisc ls dev eth1
2. tc qdisc del dev eth1 root
3. tc qdisc add dev eth1 root handle 1: htb
4. tc class add dev eth1 parent 1:0 classid 1:1 htb rate 1000mbit ceil 1000mbit
5. tc class add dev eth1 parent 1:1 classid 1:10 htb rate 500mbit ceil 5mbit
6. tc filter add dev eth1 parent 1: protocol ip prio 1 u32 match ip dst 10.1.1.1/32 flowid 1:10
The class IDs 1:1 and 1:10 are assumed here (the original listing lost them); the filter's flowid must name an existing class.
Speaking of ceil, we need to talk about the concept of tokens. In tc, I personally understand it this way: if the defined bandwidth is insufficient, as in the rules above, and the local machine's eth1 egress traffic to the destination IP address 10.1.1.1 exceeds 500 Mbit, then because it is an htb rule it will borrow bandwidth from the parent class. The borrowed bandwidth is called a token, and ceil is the limit: if the bandwidth limit is exceeded, the parent class can lend only 5 Mbit of bandwidth.
Test
Run the following command on 10.1.1.1:
iperf -s
Run on the local machine:
iperf -c 10.1.1.1
Result:
[ 3] local 10.13.144.228 port 22988 connected with 10.13.144.229 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-10.3 sec 6.65 MBytes 5.40 Mbits/sec
The maximum bandwidth is 5 Mbit.
2. Suppose I want to limit the outbound traffic of ports 80 and 22 on the local machine: port 80 is limited to 500 Mbit and port 22 to 400 Mbit.
tc qdisc add dev eth1 root handle 1: htb
tc class add dev eth1 parent 1: classid 1:1 htb rate 1000mbit
tc class add dev eth1 parent 1:1 classid 1:10 htb rate 500mbit ceil 600mbit prio 1
tc class add dev eth1 parent 1:1 classid 1:20 htb rate 400mbit ceil 500mbit prio 0
tc filter add dev eth1 parent 1:0 prio 1 protocol ip handle 5 fw flowid 1:10
tc filter add dev eth1 parent 1:0 prio 0 protocol ip handle 6 fw flowid 1:20
iptables -A OUTPUT -t mangle -p tcp --sport 80 -j MARK --set-mark 5
iptables -A OUTPUT -t mangle -p tcp --sport 22 -j MARK --set-mark 6
(The class IDs 1:1, 1:10 and 1:20 are assumed; the original listing lost them.)
This involves the concept of marks. tc can be used together with iptables and cgroups.
In other words, iptables marks the packets generated by the local machine from ports 80 and 22 with the marks 5 and 6 respectively.
The tc filter (the fw classifier) then matches on the mark number that iptables applied. This is the combined use of iptables + tc.
3. Suppose I want to restrict the outbound traffic of several processes on the local machine.
tc qdisc add dev eth1 root handle 1: htb
tc class add dev eth1 parent 1: classid 1:1 htb rate 1000mbit
tc class add dev eth1 parent 1:1 classid 1:10 htb rate 500mbit ceil 600mbit prio 1
tc class add dev eth1 parent 1:1 classid 1:20 htb rate 400mbit ceil 500mbit prio 0
tc filter add dev eth1 parent 1:0 prio 1 protocol ip handle 1: cgroup
(The class IDs are assumed as above.)
From the above we can see that when the cgroup filter is used, handle is written instead of the flowid used earlier. Filter rules come in several forms: u32, the fw form used together with iptables, and cgroup, and the three syntaxes differ. If you use the cgroup classifier and change handle to flowid, an error is returned.
mount -t cgroup net_cls -o net_cls /cgroup/net_cls/
vim /cgroup/net_cls/tasks
Add the process number (PID) to this file.
4. If you want to restrict a specific command:
tc qdisc add dev eth1 root handle 1: htb
tc class add dev eth1 parent 1: classid 1:1 htb rate 1000mbit
tc class add dev eth1 parent 1:1 classid 1:10 htb rate 500mbit ceil 600mbit prio 1
tc class add dev eth1 parent 1:1 classid 1:20 htb rate 400mbit ceil 500mbit prio 0
tc filter add dev eth1 parent 1:0 prio 1 protocol ip handle 1: cgroup
mount -t cgroup net_cls -o net_cls /cgroup/net_cls/
cgexec -g net_cls:<group> <command>
Example of tc usage
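The cgroup-based limits in examples 3 and 4 only take effect once the cgroup's net_cls.classid carries the HTB class ID in its packed hex form. The script below is an added example, not part of the original post: it computes that value, checks that ceil is not below rate, and prints the tc and cgroup commands as a dry run (the interface, class ID, rates and the cgroup name "web" are assumed values; the mount point /cgroup/net_cls follows the post).

```shell
#!/bin/sh
# Added example (not from the original post). Builds the commands for one
# HTB class selected by the cgroup classifier and prints them instead of
# running them, so it can be checked without root or a real NIC.

# tc class IDs are hexadecimal: "1:10" is major 0x1, minor 0x10.
# net_cls.classid wants the same value packed as 0xMMMMmmmm (4 hex digits
# each), so 1:10 must become 0x00010010, not 0x0000000a.
classid_to_netcls() {
    major=${1%%:*}
    minor=${1#*:}
    printf '0x%04x%04x' "0x$major" "0x$minor"
}

# Convert a tc rate with a kbit/mbit suffix to a plain kbit number.
to_kbit() {
    case $1 in
        *mbit) echo $(( ${1%mbit} * 1000 )) ;;
        *kbit) echo "${1%kbit}" ;;
        *) return 1 ;;
    esac
}

# HTB ceil is the most a class may borrow up to; a ceil below rate means
# the class can never reach its own guaranteed rate, so reject it.
ceil_ok() {
    [ "$(to_kbit "$2")" -ge "$(to_kbit "$1")" ]
}

# Emit the tc tree, the cgroup filter and the cgroup setup for one class.
# The cgroup filter carries no flowid: the class comes from the classid
# written into the cgroup, which is why the tc line uses "handle 1:".
emit_cgroup_limit() {
    iface=$1; classid=$2; rate=$3; ceil=$4; group=$5
    ceil_ok "$rate" "$ceil" || { echo "ceil $ceil is below rate $rate" >&2; return 1; }
    echo "tc qdisc add dev $iface root handle 1: htb"
    echo "tc class add dev $iface parent 1: classid 1:1 htb rate 1000mbit"
    echo "tc class add dev $iface parent 1:1 classid $classid htb rate $rate ceil $ceil"
    echo "tc filter add dev $iface parent 1: protocol ip prio 1 handle 1: cgroup"
    echo "mkdir -p /cgroup/net_cls/$group"
    echo "echo $(classid_to_netcls "$classid") > /cgroup/net_cls/$group/net_cls.classid"
}

# Dry run: the assumed class 1:10 at 500mbit/600mbit for a cgroup named "web".
emit_cgroup_limit eth1 1:10 500mbit 600mbit web
```

Pipe the output into sh as root once it looks right; processes are then placed in the cgroup via its tasks file or cgexec, exactly as in the post.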