SeaRiver Blog

Ïà¹Ø×ÊÁÏ:

 Limiting outgoing bandwidth

We can limit VE outgoing bandwidth by setting the tc filter on eth0.

DEV=eth0  tc qdisc del dev $DEV root  tc qdisc add dev $DEV root handle 1: cbq avpkt 1000 bandwidth 100mbit  tc class add dev $DEV parent 1: classid 1:1 cbq rate 256kbit allot 1500 prio 5 bounded isolated  tc filter add dev $DEV parent 1: protocol ip prio 16 u32 match ip src X.X.X.X flowid 1:1  tc qdisc add dev $DEV parent 1:1 sfq perturb 10  

X.X.X.X is an IP address of VE.

Limiting incoming bandwidth

This can be done by setting the tc filter on venet0:

DEV=venet0  tc qdisc del dev $DEV root  tc qdisc add dev $DEV root handle 1: cbq avpkt 1000 bandwidth 100mbit  tc class add dev $DEV parent 1: classid 1:1 cbq rate 256kbit allot 1500 prio 5 bounded isolated  tc filter add dev $DEV parent 1: protocol ip prio 16 u32 match ip dst X.X.X.X flowid 1:1  tc qdisc add dev $DEV parent 1:1 sfq perturb 10  

Note that X.X.X.X is an IP address of VE.

 Limiting VE to HN talks

As you can see, two filters above don't limit VE to HN talks. I mean a VE can emit as much traffic as it wishes. To make such a limitation from the HN, it is necessary to use tc police on venet0:

DEV=venet0:1  

Limiting packets per second rate from VE

To prevent dos atacks from the VE you can limit packets per second rate using iptables.

DEV=eth0  iptables -I FORWARD 1 -o $DEV -s X.X.X.X -m limit --limit 200/sec -j ACCEPT  iptables -I FORWARD 2 -o $DEV -s X.X.X.X -j DROP  

Here X.X.X.X is an IP address of VE

 External links