linux – tc policing and multiple ip

Question:

There is a Debian server that distributes the Internet to clients. The server's tasks include shaping and NAT. Because of the NAT, full-fledged shaping is impossible (NAT on the output interface fires earlier and changes src_ip, so the packet cannot be sent to the desired tc class). Therefore we shape incoming traffic, and for outgoing traffic we have to use policing.

Actually, the question: how can policing be used to set the speed for several IPs, for example when a contract has 3 IP addresses and the speed must be shared between this group of addresses? Naturally, all this needs to be implemented in the context of hash tables.

What there is now: a small but complete piece of config limiting traffic for one IP

# Hash table 2: with 256 buckets, once on the egress root 1:0 and once on the ingress qdisc ffff:
tc filter add dev eth2 parent 1:0   prio 30 handle 2: protocol ip u32 divisor 256
tc filter add dev eth2 parent ffff: prio 30 handle 2: protocol ip u32 divisor 256
# Hash on the last octet of the address: dst (offset 16) on egress, src (offset 12) on ingress
tc filter add dev eth2 protocol ip parent 1:0   prio 30 u32 ht 800:: match ip dst 192.168.222.0/24 hashkey mask 0x000000ff at 16 link 2:
tc filter add dev eth2 protocol ip parent ffff: prio 30 u32 ht 800:: match ip src 192.168.222.0/24 hashkey mask 0x000000ff at 12 link 2:
# Bucket 0xc7 = host .199: traffic to the client goes to HTB class 1:a03, traffic from the client is policed at ingress
tc filter add dev eth2 parent 1:    protocol ip prio 30 u32 ht 2:c7 match ip dst 192.168.222.199 flowid 1:a03
tc filter add dev eth2 parent ffff: protocol ip prio 30 u32 ht 2:c7 match ip src 192.168.222.199 police rate 4096000 burst 409600b drop flowid ffff:
tc class add dev eth2 parent 1:1 classid 1:a03 htb rate 4096000

Answer:

In this case, I would add Netfilter to mark packets and then process the marks in tc, or even move the whole traffic selection into Netfilter, where there are an order of magnitude more possibilities for this. The logic is simple – Netfilter puts a mark on whatever it wants, and tc then only needs to apply the correct policy to the mark. The plus is that this way you can catch packets at any stage of processing (and by any criterion), even before NAT. The downside is that it complicates the configuration and costs some extra throughput because of Netfilter.

Examples of such a configuration can be found .
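The mark-based approach from the answer, applied to the question's case of one rate shared by a group of client IPs, as an added example (not code from the original question or answer). It assumes a LAN interface eth2, a WAN interface eth0 that already has an HTB qdisc 1: with parent class 1:1, and mark 0x10 for the group; none of these are given in the original. With DRY_RUN set, the commands are printed instead of executed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed (not in the original):
# LAN interface eth2, WAN interface eth0 with HTB qdisc 1: and class 1:1
# already present, group mark 0x10. DRY_RUN=1 prints commands instead of
# running them, so the logic can be checked without root.

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Mark every packet from each IP of the group. mangle PREROUTING runs before
# NAT, so the client's real source address is still visible here, and the
# mark stays on the packet after SNAT rewrites the address on the way out.
mark_group() {
    mark="$1"; shift
    for ip in "$@"; do
        run iptables -t mangle -A PREROUTING -i eth2 -s "$ip" -j MARK --set-mark "$mark"
    done
}

# One HTB class plus one fw filter keyed on the mark: tc never looks at the
# (already translated) source address, and every marked packet lands in the
# same class, so the group shares a single rate instead of one rate per IP.
shape_group() {
    mark="$1"; classid="$2"; rate="$3"
    run tc class add dev eth0 parent 1:1 classid "1:$classid" htb rate "$rate"
    run tc filter add dev eth0 parent 1: protocol ip prio 30 handle "$mark" fw flowid "1:$classid"
}

# usage: limit_group MARK CLASSID RATE IP...
limit_group() {
    mark="$1"; classid="$2"; rate="$3"; shift 3
    mark_group "$mark" "$@"
    shape_group "$mark" "$classid" "$rate"
}

# Caveat: the ingress qdisc (ffff:) classifies before Netfilter runs, so a fw
# filter on eth2's ingress would never see these marks. That is why the shared
# limit is applied on eth0 egress, where real shaping (not just policing) works.
#
# Example call, three contract addresses sharing rate 4096000 (as in the question):
# limit_group 0x10 a03 4096000 192.168.222.199 192.168.222.200 192.168.222.201
```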
