Master Linux TC: Control Bandwidth with HTB, Classes, and Filters
This guide explains Linux traffic control (TC), covering its core components—qdisc, classes, and filters—along with HTB hierarchy, queue disciplines, iptables marking, and step‑by‑step command examples for limiting bandwidth per interface, IP or application.
TC Overview
Linux TC (traffic control) provides two primary shaping methods: CBQ and HTB. HTB is designed to replace CBQ and implements a hierarchical filtering framework for managing outbound traffic.
Core Components
TC consists of three building blocks:
qdisc (queueing discipline) – buffers packets and controls send‑rate without interrupting TCP connections. Linux only reliably controls the sending queue, not the receive queue.
class – defines a bandwidth policy (rate, ceil, priority) that can be applied to specific IPs or services.
filter – assigns packets to a class based on criteria such as fwmark or u32 matches, often using iptables marks.
Queue Disciplines
Common qdisc types include:
pfifo – simple FIFO queue.
FIFO, RED, SFQ, Token Bucket, CBQ – various algorithms for fairness and congestion control.
Filters and Marking
Filters can use fwmark (netfilter marks) or u32 matches. A typical flow is:
packet → iptables (set mark) → TC class → TC qdisc
Practical Example: Limiting Bandwidth on eth0
Add a root HTB qdisc on the external interface.
tc qdisc add dev eth0 root handle 1: htb default 1
Create top‑level classes that define the maximum outbound rate.
tc class add dev eth0 parent 1:0 classid 1:30 htb rate 2mbit ceil 4mbit prio 2
Parameters:
rate – guaranteed bandwidth for the class.
ceil – maximum bandwidth the class may reach by borrowing.
prio – lower numbers mean higher priority.
Define sub‑classes for individual applications or IPs.
tc class add dev eth0 parent 1:30 classid 1:31 htb rate 0.5mbit ceil 2mbit prio 3
Attach a stochastic fairness queue (SFQ) to avoid a single flow monopolising the link:
tc qdisc add dev eth0 parent 1:31 handle 31: sfq perturb 10
Add a filter that maps marked packets to the appropriate class.
tc filter add dev eth0 parent 1: protocol ip prio 31 handle 31 fw flowid 1:31
Mark packets with iptables (or use u32 directly).
iptables -t mangle -I FORWARD ! -i eth1 -p tcp --sport 80 -s 192.0.2.10 -j MARK --set-mark 31
Rate, Ceil, Burst and Cburst
rate guarantees a minimum bandwidth; ceil caps the maximum a class can borrow. burst and cburst define how much data may be sent at the interface’s physical peak before the average rate limits apply. Both values must be at least as large as those of any child class.
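An added example, not from the original article: a small Python linter that reads tc add commands as text (here the eth0 commands above) and flags an HTB default that names no defined class, filter flowids without a class, ceil below rate, and child rates that exceed the parent's rate. The names lint_htb, to_bps and opt and the choice of checks are this example's own; when the default class does not exist, HTB passes unclassified packets through unshaped.

```python
import re
# tc rate suffixes in bits per second (tc treats kbit/mbit/gbit as powers of 1000)
UNITS = {"bit": 1, "kbit": 10**3, "mbit": 10**6, "gbit": 10**9}

def to_bps(text):
    """Convert a tc rate such as '0.5mbit' or '3000kbit' to bits per second."""
    m = re.fullmatch(r"([0-9.]+)([a-z]+)", text.lower())
    if not m or m.group(2) not in UNITS:
        raise ValueError(f"unsupported rate: {text!r}")
    return float(m.group(1)) * UNITS[m.group(2)]

def opt(tokens, key, default=None):
    """Return the word that follows `key` on a tc command line."""
    return tokens[tokens.index(key) + 1] if key in tokens else default

def lint_htb(script):
    """Return a list of findings for the `tc ... add` commands of one device."""
    classes, flows, default, findings = {}, [], None, []
    for line in script.splitlines():
        t = line.split()
        if t[:3] == ["tc", "qdisc", "add"] and "default" in t:
            # `default N` on qdisc `handle M:` names class M:N
            default = opt(t, "handle").split(":")[0] + ":" + opt(t, "default")
        elif t[:3] == ["tc", "class", "add"]:
            rate = to_bps(opt(t, "rate"))
            ceil = to_bps(opt(t, "ceil", opt(t, "rate")))  # tc defaults ceil to rate
            classes[opt(t, "classid")] = (opt(t, "parent"), rate, ceil)
        elif t[:3] == ["tc", "filter", "add"]:
            flows.append(opt(t, "flowid"))
    if default and default not in classes:
        findings.append(f"default class {default} is not defined: unclassified traffic is not shaped")
    findings += [f"filter flowid {c} is not a defined class" for c in flows if c not in classes]
    for cid, (_, rate, ceil) in classes.items():
        if ceil < rate:
            findings.append(f"class {cid}: ceil is below rate")
        if sum(r for p, r, _ in classes.values() if p == cid) > rate:
            findings.append(f"class {cid}: child rates exceed its rate")
    return findings

# The tc commands of the eth0 example on this page, unchanged.
PAGE_EXAMPLE = """\
tc qdisc add dev eth0 root handle 1: htb default 1
tc class add dev eth0 parent 1:0 classid 1:30 htb rate 2mbit ceil 4mbit prio 2
tc class add dev eth0 parent 1:30 classid 1:31 htb rate 0.5mbit ceil 2mbit prio 3
tc qdisc add dev eth0 parent 1:31 handle 31: sfq perturb 10
tc filter add dev eth0 parent 1: protocol ip prio 31 handle 31 fw flowid 1:31
"""
print("\n".join(lint_htb(PAGE_EXAMPLE)))
```

On the page's commands the only finding is the default class: `default 1` points at 1:1, while the classes created are 1:30 and 1:31.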
TC Command Reference
tc qdisc [add|change|replace|link] dev DEV [parent qdisc-id|root] [handle qdisc-id] qdisc [parameters]
tc class [add|change|replace] dev DEV parent qdisc-id classid CLASSID htb rate RATE ceil CEIL prio PRIO
tc filter [add|change|replace] dev DEV parent qdisc-id protocol PROTO prio PRIORITY filtertype [options] flowid FLOWID
# Show configuration
tc -s -d qdisc show dev eth0
tc -s -d class show dev eth0
Sample Configurations
Limit a single IP (192.168.1.2) to 30 Mbit guaranteed and 60 Mbit peak:
tc qdisc add dev eth0 root handle 1: htb r2q 1
tc class add dev eth0 parent 1: classid 1:1 htb rate 30mbit ceil 60mbit
tc filter add dev eth0 parent 1: protocol ip prio 16 u32 match ip dst 192.168.1.2 flowid 1:1
Limit an entire subnet (192.168.111.0/24) to 3000 kbit with a burst of 10 k:
tc class add dev eth0 parent 1: classid 1:2 htb rate 3000kbit ceil 3000kbit burst 10k
tc filter add dev eth0 parent 1: protocol ip prio 16 u32 match ip dst 192.168.111.0/24 flowid 1:2
Adding an SFQ qdisc under a class prevents a single IP from hogging the whole bandwidth:
tc qdisc add dev eth0 parent 1:2 handle 2: sfq perturb 10
ITPUB
