Tobias DiPasquale on 15 Sep 2004 17:17:02 -0000


Re: [PLUG] per process bandwidth limitation?


On Sep 15, 2004, at 12:51 PM, Malcolm wrote:
> I'm trying to work out if it's possible to limit bandwidth usage on a per
> process level under Linux, but haven't found anything in my searches so I
> figured I'd ask here.

OK, well, there are two ways to go:

If you're planning on running this on an SMP machine, you're out of luck, because the particular iptables module you need has a known race and will likely hang the box on occasion.

If not, read on.

What you want to do is to determine the PIDs of the processes you need to limit bandwidth to. Once you have those, you will install iptables rules using the owner match, specifying the PID in question for a particular process for each rule, and then target the rule to a MARK specifying a unique fwmark number (unique for a rule).

Then, install a class under the egress device using tc and install an associated filter keyed to the mark above (the one that you are setting with -j MARK) that will send all traffic with that fwmark to the class you just created.

Here's an example:

# bring up the IMQ device and give it an HTB root qdisc
ip link set imq0 up
tc qdisc add dev imq0 root handle 1: htb
# the limited class: 50kbit guaranteed, 100kbit ceiling
tc class add dev imq0 parent 1: classid 1:2 htb rate 50kbit ceil 100kbit burst 1590 cburst 1590 quantum 1590
# send packets carrying fwmark 2 into class 1:2
tc filter add dev imq0 protocol ip parent 1: prio 1 handle 2 fw classid 1:2
# tag the process's packets with fwmark 2, then divert everything to imq0
iptables -t mangle -A PREROUTING -m owner --pid-owner <PID of process> -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -j IMQ --todev 0

This will mark all traffic destined for the PID in question with a fwmark of 2, which will filter it into the traffic shaping class 1:1 which has a rate of 50kbit and a ceiling rate of 100kbit. You will need variations of rules 3, 4 and 5 for each PID you wish to limit traffic into.

Make sure you still have a base class that has the full bandwidth of the interface as the rate and mark any traffic you DON'T want limited with a mark that will filter into that class.

To do this, you will need IMQ support in your kernel, as well as the iptables (>= 1.2.7a) and iproute (>= 2.4.7) packages installed. Try to use a 2.6.x kernel if you can.

Without IMQ, you can't really effectively limit bandwidth to the local machine (the standard netfilter ingress policer is not great). With IMQ, you can attach regular egress tc qdiscs, classes and filters to the IMQ devices and shunt traffic to them via iptables rules in the pre- and postrouting mangle chains. You can limit bandwidth on the way in _and_ out by using both IMQ devices and some more iptables rules. And, as I said, don't try using the owner match on an SMP machine.

You will definitely want to check out LARTC for more information on this and other topics. Good luck! :)

--
Tobias DiPasquale
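A script that builds the full layout the reply describes (one HTB leaf, fw filter and owner-match MARK rule per PID, plus the unlimited base class); this is an added example, not code from the original post. It assumes hypothetical values (imq0, a 100mbit link, marks starting at 11) and places the owner rules in OUTPUT and the IMQ target in POSTROUTING, because the owner match only sees locally generated packets and the IMQ target is only accepted in mangle PREROUTING/POSTROUTING; with DRY_RUN=1 it prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the layout the reply
# describes: an HTB parent class at the link rate, an unlimited default leaf,
# and one leaf + fw filter + owner-match MARK rule per PID. Hypothetical
# values: imq0, 100mbit link, marks start at 11 (mark == minor class id).
DEV="${DEV:-imq0}"
LINK_RATE="${LINK_RATE:-100mbit}"

# With DRY_RUN=1 print each command instead of executing it (real runs need
# root plus tc, iptables and an IMQ-enabled kernel).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

setup_base() {
    run ip link set "$DEV" up
    # Unmarked traffic falls into leaf 1:10, which gets the full link rate.
    run tc qdisc add dev "$DEV" root handle 1: htb default 10
    run tc class add dev "$DEV" parent 1: classid 1:1 htb rate "$LINK_RATE"
    run tc class add dev "$DEV" parent 1:1 classid 1:10 htb rate "$LINK_RATE"
}

# add_limited_pid PID MARK RATE CEIL: the per-PID "rules 3, 4 and 5".
# The leaf hangs under 1:1 so it can borrow up to CEIL when the link is idle.
add_limited_pid() {
    pid="$1"; mark="$2"; rate="$3"; ceil="$4"
    run tc class add dev "$DEV" parent 1:1 classid "1:$mark" htb rate "$rate" ceil "$ceil"
    run tc filter add dev "$DEV" protocol ip parent 1: prio 1 handle "$mark" fw classid "1:$mark"
    # The owner match only sees locally generated packets, hence OUTPUT.
    run iptables -t mangle -A OUTPUT -m owner --pid-owner "$pid" -j MARK --set-mark "$mark"
}

# The IMQ target is only valid in mangle PREROUTING/POSTROUTING; the mark set
# in OUTPUT is still on the packet when it reaches POSTROUTING.
attach_imq() {
    run iptables -t mangle -A POSTROUTING -j IMQ --todev 0
}

# shape_pids RATE CEIL PID...: allocate marks 11, 12, ... in argument order.
shape_pids() {
    rate="$1"; ceil="$2"; shift 2
    mark=11
    setup_base
    for pid in "$@"; do
        add_limited_pid "$pid" "$mark" "$rate" "$ceil"
        mark=$((mark + 1))
    done
    attach_imq
}
```

Source the file and call, for example, `shape_pids 50kbit 100kbit 1234 5678` to limit two processes to 50kbit each with a 100kbit ceiling.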


Philadelphia Linux Users Group