
Problem

I've searched the internet like anything but couldn't find much about limiting upload. The solutions given do not limit on a per-IP basis like this one, but limit the LAN as a whole.

```
             +-----+
+--------+   |  S  |
| User A |---+  W  |
+--------+   |  I  |
+--------+   |  T  |     +--------+        +----------+
| User B |---+  C  +-----| Router |--------| Internet |
+--------+   |  H  |     +--------+        +----------+
   ....     ... / ...
+--------+   |  H  |
| User N |---+  U  |
+--------+   |  B  |
             +-----+
```

UserA:172.16.10.2

UserB:172.16.10.3 RouterPrivate:172.16.0.1

UserC:172.16.10.4

I want to limit only the upload of 172.16.10.3 & 172.16.10.4 using tc htb and iptables.

What I've already tried

I altered the script as per my requirement:

```bash
IF_INET=external

# upload bandwidth limit for interface
BW_MAX=2000

# upload bandwidth limit for 172.16.16.11
BW_CLIENT=900


# first, clear previous settings
tc qdisc del dev ${IF_INET} root

# top-level htb queue discipline; send unclassified data into class 1:10
tc qdisc add dev ${IF_INET} root handle 1: htb default 10

# parent class (wrap everything in this class to allow bandwidth borrowing)
tc class add dev ${IF_INET} parent 1: classid 1:1 htb \
  rate ${BW_MAX}kbit ceil ${BW_MAX}kbit

# two child classes
#

# the default child class
tc class add dev ${IF_INET} parent 1:1 \
  classid 1:10 htb rate $((${BW_MAX} - ${BW_CLIENT}))kbit ceil ${BW_MAX}kbit

# the child class for traffic from 172.16.16.11
tc class add dev ${IF_INET} parent 1:1 \
  classid 1:20 htb rate ${BW_CLIENT}kbit ceil ${BW_MAX}kbit

# classify traffic
tc filter add dev ${IF_INET} parent 1:0 protocol ip prio 1 u32 \
  match ip src 172.16.16.11/32 flowid 1:20
```

but this will not work for limiting upload. So what's the solution?

Adi
  • Your [referenced link](http://www.linuxquestions.org/questions/linux-networking-3/limiting-upload-with-tc-4175470860/) already does what you want. It limits by (source) LAN IP address. In your case you need to limit two IP addresses. In the example it limits one. – roaima Jun 11 '15 at 17:20
  • No! It will not work, it will take the default class's limitation speed, just give it a try by altering the rate and ceil of classes. **So my question remains the same!** – Adi Jun 12 '15 at 05:33

1 Answer

Why did you use 172.16.16.11 as the source IP instead of .10.3 and/or .10.4?!

I used local VMs (running "nc -klvp 42 >/dev/null") connected to a local open-vswitch interface. To demonstrate traffic shaping for some src IPs, I removed the "ceil" parameter at "class 1:20".

My tc script:

```bash
#!/bin/bash
export IF_INET=ovs-br0
# tc reads "kbps" as kilobytes per second ("kbit" would be kilobits per second)
export UNIT=kbps

export BW_MAX=2048
export BW_CLIENT=128

# clear previous settings, then send unclassified traffic into class 1:10
tc qdisc del dev ${IF_INET} root &>/dev/null
tc qdisc add dev ${IF_INET} root handle 1: htb default 10

# parent class, default class 1:10, and limited class 1:20
# (1:20 has no "ceil", so its ceiling equals its rate)
tc class add dev ${IF_INET} parent 1: classid 1:1 htb rate ${BW_MAX}$UNIT
tc class add dev ${IF_INET} parent 1:1 classid 1:10 htb rate $((${BW_MAX} - ${BW_CLIENT}))$UNIT ceil ${BW_MAX}$UNIT
tc class add dev ${IF_INET} parent 1:1 classid 1:20 htb rate ${BW_CLIENT}$UNIT

# both limited source IPs share class 1:20
tc filter add dev ${IF_INET} parent 1:0 protocol ip prio 1 u32 match ip src 172.16.10.3/32 flowid 1:20
tc filter add dev ${IF_INET} parent 1:0 protocol ip prio 1 u32 match ip src 172.16.10.4/32 flowid 1:20
```

Local IP addresses/routes with different src IPs:

```
section61:~ # ip a s dev ovs-br0 | grep 172.16.1
inet 172.16.10.4/24 scope global ovs-br0
inet 172.16.10.3/24 scope global secondary ovs-br0
inet 172.16.10.5/24 scope global secondary ovs-br0
inet 172.16.10.6/24 scope global secondary ovs-br0

section61:~ # ip route get 172.16.10.13 | grep -v cache
172.16.10.13 dev ovs-br0 src 172.16.10.3 uid 0
section61:~ # ip route get 172.16.10.14 | grep -v cache
172.16.10.14 dev ovs-br0 src 172.16.10.4 uid 0
section61:~ # ip route get 172.16.10.15 | grep -v cache
172.16.10.15 dev ovs-br0 src 172.16.10.5 uid 0
section61:~ # ip route get 172.16.10.16 | grep -v cache
172.16.10.16 dev ovs-br0 src 172.16.10.6 uid 0
```

Two data streams using different source IPs:

```
section61:~ # dd if=/dev/zero of=/dev/stdout count=$((1*1024*1024)) bs=1024 | pv | nc 172.16.10.13 42
7.03MiB 0:00:58 [ 120KiB/s] [                                                                          <=>               ]

section61:~ # dd if=/dev/zero of=/dev/stdout count=$((4*1024*1024)) bs=1024 | pv | nc 172.16.10.15 42
 135MiB 0:01:17 [1.76MiB/s] [                                        <=>                                                 ]
```

To check the traffic shaping of qdisc classes I strongly recommend running bmon.

Hints:

  • If you use "ceil" at class 1:20, then you have to create two data streams at the same time to fully saturate 1:10! Otherwise 1:20 will get the unused remainder of 1:10.
  • Using "iptables mangle .. match-set" to classify packets should be working too.

HTH
Regards!

Stefan K.

openSUSE Leap 15.1 - Linux 4.12.14-lp151.28.75-default

StefanKaerst
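
The answer's last hint (classifying with iptables mangle instead of u32), as an added example that is not part of the original answer: a shell function that prints one HTB class, one MARK rule and one `fw` filter per client IP, generalized to any number of clients. It assumes the router forwards and NATs LAN traffic out of its WAN-facing interface, where the egress qdisc runs after POSTROUTING and so no longer sees the LAN source address. The function name `shape_uploads` is hypothetical, and plain `-s` rules stand in for the `match-set` variant.

```bash
# Added example, not from the thread. It prints the commands so they can be
# reviewed first. Assumed: rates in kbit, marks and class ids counted up from 20.
# usage: shape_uploads WAN_IF BW_MAX_KBIT BW_CLIENT_KBIT IP [IP...]
shape_uploads() {
  local ifc=$1 max=$2 per=$3 id=20 ip
  shift 3
  [ "$#" -gt 0 ] || { echo "no client IPs given" >&2; return 1; }
  # HTB guarantees only hold when the child rates fit inside the parent rate,
  # and the default class needs a rate above zero.
  [ $((per * $#)) -lt "$max" ] || { echo "client rates exceed BW_MAX" >&2; return 1; }
  for ip in "$@"; do
    echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
      || { echo "bad IPv4 address: $ip" >&2; return 1; }
  done

  echo "tc qdisc del dev $ifc root 2>/dev/null"
  echo "tc qdisc add dev $ifc root handle 1: htb default 10"
  echo "tc class add dev $ifc parent 1: classid 1:1 htb rate ${max}kbit ceil ${max}kbit"
  # Default class for unmarked traffic; it may borrow up to the full link.
  echo "tc class add dev $ifc parent 1:1 classid 1:10 htb rate $((max - per * $#))kbit ceil ${max}kbit"

  for ip in "$@"; do
    # ceil equals rate, so this client never borrows beyond its own limit.
    echo "tc class add dev $ifc parent 1:1 classid 1:$id htb rate ${per}kbit ceil ${per}kbit"
    # Mark in FORWARD, where the LAN source address is still untranslated.
    echo "iptables -t mangle -A FORWARD -s $ip/32 -o $ifc -j MARK --set-mark $id"
    # The fw classifier selects on the firewall mark instead of the IP header.
    echo "tc filter add dev $ifc parent 1: protocol ip prio 1 handle $id fw flowid 1:$id"
    id=$((id + 1))
  done
}
```

For example, `shape_uploads eth1 2000 400 172.16.10.3 172.16.10.4 | sh` run as root applies the rules (`eth1` is a placeholder interface name). Re-running appends duplicate MARK rules, so remove the ones from a previous run first.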