|Tobias DiPasquale on 15 Sep 2004 17:17:02 -0000|
On Sep 15, 2004, at 12:51 PM, Malcolm wrote:
I'm trying to work out if it's possible to limit bandwidth usage on a per
If you're planning on running this on an SMP machine, you're out of luck, because the particular iptables module you need has a known race and will likely hang the box on occasion.
If not, read on.
What you want to do is to determine the PIDs of the processes you need to limit bandwidth to. Once you have those, you will install iptables rules using the owner match, specifying the PID in question for a particular process for each rule, and then target the rule to a MARK specifying a unique fwmark number (unique for a rule).
Then, install a class under the egress device using tc and install an associated filter keyed to the mark above (the one that you are setting with -j MARK) that will send all traffic with that fwmark to the class you just created.
Here's an example:
ip link set imq0 up
tc qdisc add dev imq0 root handle 1: htb
tc class add dev imq0 parent 1: classid 1:2 htb rate 50kbit ceil 100kbit burst 1590 cburst 1590 quantum 1590
tc filter add dev imq0 protocol ip parent 1: prio 1 handle 2 fw classid 1:2
iptables -t mangle -A PREROUTING -m owner --pid-owner <PID of process> -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -j IMQ --todev 0
This will mark all traffic destined for the PID in question with a fwmark of 2, which will filter it into the traffic shaping class 1:1 which has a rate of 50kbit and a ceiling rate of 100kbit. You will need variations of rules 3, 4 and 5 for each PID you wish to limit traffic into.
Make sure you still have a base class that has the full bandwidth of the interface as the rate and mark any traffic you DON'T want limited with a mark that will filter into that class.
To do this, you will need IMQ support in your kernel (http://www.linuximq.net), as well as the iptables (>= 1.2.7a) and iproute (>= 2.4.7) packages installed. Try to use a 2.6.x kernel if you can.
Without IMQ, you can't really effectively limit bandwidth to the local machine (the standard netfilter ingress policer is not great). With IMQ, you can attach regular egress tc qdiscs, classes and filters to the IMQ devices and shunt traffic to them via iptables rules in the pre- and postrouting mangle chains. You can limit bandwidth on the way in _and_ out by using both IMQ devices and some more iptables rules. And, as I said, don't try using the owner match on an SMP machine.
You will definitely want to check out LARTC (http://lartc.org/) for more information on this and other topics. Good luck! :)
-- Tobias DiPasquale 202A 04C4 2CE6 B985 8520 88D6 CD25 1A6C B9B5 1595
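The per-PID repetition described in the message, as an added example that is not part of the original post: a shell function that prints (does not run) one class, filter and MARK rule per PID, plus the base class for unmarked traffic. The function name, LINK_RATE and the use of the OUTPUT and POSTROUTING chains are assumptions of this example; it covers outbound traffic only, since the iptables documentation describes the owner match as valid only for locally generated packets.

```shell
#!/bin/sh
# Added example (not from the original post): generate the tc/iptables
# commands for several PIDs. Commands are printed for review, not executed.
# Assumed names: gen_shaping_rules, LINK_RATE. Mark/class 1 is the base class;
# limited processes get marks 2, 3, ... in argument order.

LINK_RATE="${LINK_RATE:-100mbit}"   # assumed full rate of the interface

gen_shaping_rules() {
    # usage: gen_shaping_rules RATE CEIL PID...
    rate=$1; ceil=$2; shift 2
    [ $# -gt 0 ] || { echo "no PIDs given" >&2; return 1; }
    # Validate all arguments before emitting anything, so a malformed value
    # never ends up inside a generated command line.
    case $rate$ceil in
        ''|*[!0-9a-z]*) echo "invalid rate/ceil" >&2; return 1 ;;
    esac
    for pid in "$@"; do
        case $pid in
            ''|*[!0-9]*) echo "invalid PID: $pid" >&2; return 1 ;;
        esac
    done
    echo "ip link set imq0 up"
    echo "tc qdisc add dev imq0 root handle 1: htb"
    # Base class 1:1 keeps the full link rate for traffic that is not limited.
    echo "tc class add dev imq0 parent 1: classid 1:1 htb rate $LINK_RATE"
    echo "tc filter add dev imq0 protocol ip parent 1: prio 1 handle 1 fw classid 1:1"
    mark=2
    for pid in "$@"; do
        echo "tc class add dev imq0 parent 1: classid 1:$mark htb rate $rate ceil $ceil"
        echo "tc filter add dev imq0 protocol ip parent 1: prio 1 handle $mark fw classid 1:$mark"
        echo "iptables -t mangle -A OUTPUT -m owner --pid-owner $pid -j MARK --set-mark $mark"
        mark=$((mark + 1))
    done
    # Anything still unmarked goes to the base class; then everything is
    # handed to imq0 on the way out.
    echo "iptables -t mangle -A OUTPUT -m mark --mark 0 -j MARK --set-mark 1"
    echo "iptables -t mangle -A POSTROUTING -j IMQ --todev 0"
}
```

Calling `gen_shaping_rules 50kbit 100kbit 1234 5678` prints the command list for two processes; review it before piping it to a root shell.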
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug