3

I am happily limiting upload speed by port - but really want to limit download by process.

It seems iptables did have functionality for matching and marking packets by process in the form of --pid-owner or --cmd-owner - but both have now been removed?

```
$ iptables -m owner --help
...
owner match options:
[!] --uid-owner userid[-userid]      Match local UID
[!] --gid-owner groupid[-groupid]    Match local GID
[!] --socket-exists                  Match if socket exists
```

It seems there are options to match by user or group, but not process.

I am aware of trickle and wondershaper, but neither allows shaping of an already running process.

Chozabu
  • one end of the connection will probably have a "random" port number, perhaps you can use that port-number for shaping. – Jasen Dec 06 '16 at 04:07
  • [Related (and maybe duplicate?)](http://unix.stackexchange.com/questions/34116/how-can-i-limit-the-bandwidth-used-by-a-process) – Ikaros Dec 06 '16 at 09:13
  • @Ikaros nope - the accepted answer --pid-owner or --cwd-owner has been removed from iptables, followed by trickle, which cannot limit an already running process – Chozabu Dec 09 '16 at 03:47
  • You are right, no problem then :) – Ikaros Dec 09 '16 at 10:48
  • @Ikaros I'd seen it before writing this question, and intended to limit it - but somehow did not (will do next time) – Chozabu Dec 09 '16 at 11:57
  • I'm interested too. Did you find a solution? – rraallvv Nov 10 '18 at 21:40
  • @rraallvv Not exactly. I started writing a solution. https://github.com/chozabu/LinNetLim IIRC I got it working to limit upload, but not download reliably – Chozabu Nov 11 '18 at 22:24
  • From what I've found in random posts, it seems there is no reliable way to limit downloads. Maybe because packages have already arrived, but I'm not sure. – rraallvv Nov 12 '18 at 00:19
  • @rraallvv I think there is - netlimiter on windows seems to manage fairly well, as does "trickle" on Linux (but the limited process must be launched via trickle). With TCP discarding some incoming packets may be enough to slow down the send rate. Not sure though, and very unsure about UDP! – Chozabu Nov 13 '18 at 21:17
  • Seems this is indeed the case with TCP https://serverfault.com/a/336292/389774 – Chozabu Nov 13 '18 at 21:19

1 Answer

5

Put the process into a net_cls cgroup, use the cgroup to set the class of the packets, and then use a classful filter in tc to rate limit packets in that class. For example:

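```
# Create a net_cls cgroup named "slow"
cgcreate -g net_cls:slow
# Tag packets from this cgroup with classid 0x10001, i.e. tc class 1:1
echo 0x10001 > /sys/fs/cgroup/net_cls/slow/net_cls.classid
# Move the target process into the cgroup
cgclassify -g net_cls:slow <pid of the process you want to limit>
# Attach an HTB qdisc with handle 1: as the root qdisc on eth0
tc qdisc add dev eth0 root handle 1: htb
# Classify packets by the classid of their cgroup
tc filter add dev eth0 parent 1: handle 1: cgroup
# Create class 1:1 carrying the rate limit
tc class add dev eth0 parent 1: classid 1:1 htb rate 1mbps
```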

That should then mean that the process you specify (and any of its child processes) is limited to 1 megabyte per second of bandwidth - tweak the parameter to the last command to whatever bandwidth you want.

Philip Kendall
  • Hmm, this does not seem to work for me: `cgcreate -g net_cls:slow`, `echo 0x10001 > /sys/fs/cgroup/net_cls/slow/net_cls.classid`, `cgclassify -g net_cls:slow 25775`, `tc qdisc add dev wlp3s0 root handle 1: htb`, `tc filter add dev wlp3s0 parent 1: handle 1: cgroup`, `tc class add dev wlp3s0 parent 1: classid 1:1 htb rate 10kbit` – Chozabu Dec 09 '16 at 03:54
  • gawd, sorry about comment formatting! I should say, not sure how this would limit download speed, there is no mention of "ingress"? – Chozabu Dec 09 '16 at 03:54
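
An added example (not from the answer or its author): shell helpers that decode the `net_cls.classid` value used in the answer into the tc `major:minor` handle and check that a matching class appears in `tc class show` output, which is the first thing to verify when the limit seems to have no effect. The function names and the sample tc output line are constructed for illustration.

```shell
#!/bin/sh
# Added example. net_cls.classid has the layout 0xAAAABBBB, where AAAA is the
# tc major number and BBBB the tc minor number (tc handles are hexadecimal).

# handle_to_classid "1:1" prints 0x00010001, the value to write to net_cls.classid
handle_to_classid() {
    major=${1%%:*}
    minor=${1#*:}
    printf '0x%04x%04x\n' "$((0x${major:-0}))" "$((0x${minor:-0}))"
}

# classid_to_handle accepts the classid as decimal or 0x-prefixed hex and
# prints the tc handle, e.g. 65537 or 0x10001 gives 1:1
classid_to_handle() {
    id=$(($1))
    printf '%x:%x\n' "$((id >> 16))" "$((id & 0xffff))"
}

# class_exists HANDLE TC_OUTPUT succeeds if the `tc class show` text lists HANDLE.
# The trailing space in the pattern stops 1:1 from matching 1:10.
class_exists() {
    printf '%s\n' "$2" | grep -Eq "^class [a-z_]+ $1 "
}

# diagnose CLASSID TC_OUTPUT prints one of:
#   unclassified      classid is 0, so the cgroup does not tag packets
#   no-class MAJ:MIN  packets are tagged but tc has no class with that handle
#   ok MAJ:MIN        tag and class line up
diagnose() {
    handle=$(classid_to_handle "$1")
    if [ "$handle" = "0:0" ]; then
        echo "unclassified"
    elif class_exists "$handle" "$2"; then
        echo "ok $handle"
    else
        echo "no-class $handle"
    fi
}

# Constructed sample of `tc class show dev eth0` output (1mbps shown as 8Mbit).
SAMPLE_TC_OUTPUT='class htb 1:1 root prio 0 rate 8Mbit ceil 8Mbit burst 1600b cburst 1600b'

# On a live system, with the paths from the answer:
#   diagnose "$(cat /sys/fs/cgroup/net_cls/slow/net_cls.classid)" \
#            "$(tc class show dev eth0)"
```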