There is a server on Debian that distributes Internet access to clients. The server's tasks include shaping and NAT. Because of the NAT it is impossible to do full-fledged shaping (NAT on the outgoing interface runs earlier and changes src_ip, so the packet cannot be sent to the desired tc class). Therefore we do shaping for incoming traffic, and for outgoing traffic we have to use policing.

Actually the question is: how can I limit the speed for several IPs using policing? For example, a contract has 3 IP addresses and the speed must be shared between this group of IP addresses. Naturally, all this needs to be implemented with hash tables.

What I have now: a small but complete piece of config limiting traffic for one IP.

    # (the root htb qdisc 1: with class 1:1 and the ingress qdisc ffff: on eth2 are created elsewhere)
    # 256-bucket u32 hash tables: one on egress (download to clients), one on ingress (upload from clients)
    tc filter add dev eth2 parent 1:0 prio 30 handle 2: protocol ip u32 divisor 256
    tc filter add dev eth2 parent ffff: prio 30 handle 2: protocol ip u32 divisor 256
    # hash on the last octet of ip dst (offset 16) / ip src (offset 12) and jump into table 2:
    tc filter add dev eth2 protocol ip parent 1:0 prio 30 u32 ht 800:: match ip dst 192.168.222.0/24 hashkey mask 0x000000ff at 16 link 2:
    tc filter add dev eth2 protocol ip parent ffff: prio 30 u32 ht 800:: match ip src 192.168.222.0/24 hashkey mask 0x000000ff at 12 link 2:
    # 192.168.222.199 lands in bucket 2:c7 (0xc7 = 199): download is shaped in class 1:a03, upload is policed at ingress
    tc filter add dev eth2 parent 1: protocol ip prio 30 u32 ht 2:c7 match ip dst 192.168.222.199 flowid 1:a03
    tc filter add dev eth2 parent ffff: protocol ip prio 30 u32 ht 2:c7 match ip src 192.168.222.199 police rate 4096000 burst 409600b drop flowid ffff:
    tc class add dev eth2 parent 1:1 classid 1:a03 htb rate 4096000
  • It seems to me that it won't work that way. It's easier to give up and let each IP of the contract have the full rate for outgoing traffic. - Kotkov Evgeny

1 answer

On this occasion, I would add Netfilter for marking packets, with subsequent processing of the marks in tc, or move the entire traffic selection into Netfilter, where there are an order of magnitude more possibilities for this. The logic is simple: Netfilter puts a mark on whatever it wants, and tc only has to apply the correct policy based on the mark. The advantage is that this way packets can be caught at any stage of processing (and by any criteria), including before NAT. The downside is a more complicated configuration and an additional throughput penalty due to Netfilter.

Examples of this configuration can be found .
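The fwmark approach the answer describes, as an added example (this is not code from the question or the answer): the mark is set in the mangle table's PREROUTING chain, which runs before SNAT in POSTROUTING, so the client's original source address is still visible; the mark stays on the skb through NAT and the egress HTB on the uplink classifies on it with a fw filter, so several IPs of one contract share one class. The interface names (uplink eth0, LAN side eth2), the contract's three addresses and its 4096 kbit rate are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example, not the original poster's or the answerer's configuration.
# Assumptions (not from the page): uplink eth0, LAN-side interface eth2,
# contract 3 has 192.168.222.199-.201 and a 4096 kbit upload rate.
set -e

UPLINK=${UPLINK:-eth0}
LAN=${LAN:-eth2}

# run CMD...: execute the command, or only print it when DRY_RUN is set
# (lets the generated tc/iptables commands be reviewed without root)
run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

# Contract N -> fwmark 0x(256+N) and HTB class 1:(256+N); the offset keeps
# contract classes clear of the parent class 1:1.
contract_mark()  { printf '0x%x' $((256 + $1)); }
contract_class() { printf '1:%x' $((256 + $1)); }

setup_root() {
  run tc qdisc add dev "$UPLINK" root handle 1: htb default 1
  run tc class add dev "$UPLINK" parent 1: classid 1:1 htb rate 1000mbit
}

# add_contract N RATE IP...: one shared HTB class for every IP of contract N.
add_contract() {
  n=$1; rate=$2; shift 2
  mark=$(contract_mark "$n"); cls=$(contract_class "$n")
  run tc class add dev "$UPLINK" parent 1:1 classid "$cls" htb rate "$rate" burst 15k
  # sfq leaf so the contract's IPs share the class fairly among themselves
  run tc qdisc add dev "$UPLINK" parent "$cls" handle "$(printf '%x:' $((4096 + n)))" sfq perturb 10
  # egress classification by fwmark, independent of the NATed source address
  run tc filter add dev "$UPLINK" parent 1: protocol ip prio 10 handle "$mark" fw flowid "$cls"
  for ip in "$@"; do
    # mangle/PREROUTING runs before nat/POSTROUTING, so -s still sees the client IP
    run iptables -t mangle -A PREROUTING -i "$LAN" -s "$ip" -j MARK --set-mark "$mark"
  done
}

case "${1:-}" in
  apply) setup_root; add_contract 3 4096kbit 192.168.222.199 192.168.222.200 192.168.222.201 ;;
esac
```

Run it as `./shape.sh apply` on the router, or `DRY_RUN=1 ./shape.sh apply` to print the commands first. Download toward the clients is not affected by NAT and can stay on the u32 hash tables on eth2 as in the question; only the upload direction needs the mark.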

  • The issue was resolved long ago. Policing was abandoned. A virtual ifb0 interface is used to limit the speed of outgoing traffic from clients; shaping is done on the virtual interface. To limit the speed of incoming traffic to clients, shaping is done on the physical interface facing the internal network. - Kotkov Evgeny
  • This is also an option, yes. - Roman Khimov
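The ifb variant the final comment mentions, as an added example (not the commenter's configuration): everything arriving on the LAN interface is redirected with mirred to ifb0 and shaped there with HTB, so policing is not needed. Because ingress on eth2 runs before the NAT hooks, the u32 hash tables from the question can be reused on ifb0 with `match ip src`, and the three IPs of a contract are simply pointed at the same class. Interface names, the contract's addresses, the class id 1:a03 and the 4096 kbit rate are assumptions, not from the page.

```shell
#!/bin/sh
# Added example, not the commenter's configuration. Assumptions (not from
# the page): LAN-side interface eth2, clients in 192.168.222.0/24, contract
# 192.168.222.199-.201 shaped together in class 1:a03 at 4096 kbit.
set -e

LAN=${LAN:-eth2}
IFB=${IFB:-ifb0}

# run CMD...: execute, or only print when DRY_RUN is set
run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

# last_octet_hex IP: the u32 bucket this source address hashes into with
# "hashkey mask 0x000000ff at 12" (192.168.222.199 -> c7)
last_octet_hex() { printf '%x' "${1##*.}"; }

setup_ifb() {
  run modprobe ifb numifbs=1
  run ip link set dev "$IFB" up
  # client upload enters the box on eth2, still un-NATed; send it all to ifb0
  run tc qdisc add dev "$LAN" handle ffff: ingress
  run tc filter add dev "$LAN" parent ffff: protocol ip prio 10 u32 match u32 0 0 action mirred egress redirect dev "$IFB"
  # HTB on the virtual interface is where the shaping actually happens
  run tc qdisc add dev "$IFB" root handle 1: htb default 1
  run tc class add dev "$IFB" parent 1: classid 1:1 htb rate 1000mbit
  # 256-bucket hash table keyed by the last octet of ip src, as in the question
  run tc filter add dev "$IFB" parent 1:0 prio 30 handle 2: protocol ip u32 divisor 256
  run tc filter add dev "$IFB" protocol ip parent 1:0 prio 30 u32 ht 800:: match ip src 192.168.222.0/24 hashkey mask 0x000000ff at 12 link 2:
}

# add_contract CLASSID RATE IP...: one HTB class; every IP of the contract
# gets a filter in its own hash bucket that points at that class.
add_contract() {
  cls=$1; rate=$2; shift 2
  run tc class add dev "$IFB" parent 1:1 classid "$cls" htb rate "$rate" burst 15k
  for ip in "$@"; do
    run tc filter add dev "$IFB" parent 1: protocol ip prio 30 u32 ht "2:$(last_octet_hex "$ip")" match ip src "$ip" flowid "$cls"
  done
}

case "${1:-}" in
  apply) setup_ifb; add_contract 1:a03 4096kbit 192.168.222.199 192.168.222.200 192.168.222.201 ;;
esac
```

Run with `apply` on the router (`DRY_RUN=1` prints the commands instead). Unlike the policing filter in the question, which drops everything above the rate, the HTB class on ifb0 queues the excess, so the three addresses borrow from each other within the contract's rate rather than each being dropped independently.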