Master Linux TC: Shape Bandwidth and Control Traffic with HTB, Qdisc, and Filters
This guide explains Linux traffic control (TC), covering its core components—queueing disciplines, classes, and filters—along with HTB configuration, step‑by‑step command examples, burst handling, and practical use cases for limiting bandwidth per IP or subnet.
TC Overview
In Linux, the Traffic Control (TC) subsystem offers two shaping methods, CBQ and HTB, with HTB designed to replace CBQ. TC is built from three basic blocks: queueing disciplines (qdisc), classes, and filters.
Queueing Discipline (qdisc)
A qdisc controls the rate of packet transmission. Linux typically uses only the egress (sending) queue because inbound queue control is limited. The kernel places packets into the configured qdisc for an interface, then dequeues them for the network driver.
The simplest qdisc is pfifo, which processes packets FIFO without modification. Other qdisc types include FIFO, RED, SFQ, Token Bucket, CBQ, and hierarchical structures.
Classes
Classes represent traffic‑shaping policies. Different IPs or services can be assigned to distinct classes to enforce separate bandwidth limits.
Filters
Filters map packets to the appropriate class. They can use marks set by iptables (e.g., MARK) or the u32 classifier to match IP addresses.
Typical filter chain: packet → iptables (set mark) → TC class → TC qdisc.
Configuration Steps
Add a root qdisc on the outbound interface (e.g., eth0) using HTB:
tc qdisc add dev eth0 root handle 1: htb default 1
Create a top‑level class to define the overall rate limit:
tc class add dev eth0 parent 1: classid 1:1 htb rate 2mbit ceil 4mbit prio 2
Here rate is the guaranteed bandwidth, ceil the maximum, and prio the priority (lower value = higher priority).
Define child classes for specific applications or IP groups:
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 0.5mbit ceil 2mbit prio 3
Optionally attach an SFQ qdisc to the class to prevent a single flow from monopolising bandwidth:
tc qdisc add dev eth0 parent 1:10 handle 10: sfq perturb 10
Add filters to direct traffic into the appropriate class, for example by matching destination IP:
tc filter add dev eth0 parent 1: protocol ip prio 16 u32 match ip dst 192.168.1.2 flowid 1:10
Mark packets with iptables (or use u32) so TC can classify them:
iptables -t mangle -I FORWARD ! -i eth1 -p tcp --sport 80 -s xxx.xxx.xxx.xxx -j MARK --set-mark 31
Burst and Cburst Parameters
Network hardware can send packets at its line rate, but software can burst above the configured rate for short periods. The burst and cburst parameters define how much data may be sent at the hardware's maximum speed before the rate limit (or ceil) takes effect. A parent class's burst and cburst must be at least as large as those of any of its child classes.
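The configuration steps above, assembled into one script as an added example (not code from the original article): it prints the tc commands for a table of hosts, rejects tables that over-commit the parent class, and emits the fw filter that consumes the iptables mark. The interface name, all rates, the table rows and the 1:99 default leaf class are assumptions.

```bash
#!/usr/bin/env bash
# Added example: print (or apply) an HTB tree built from a small table.
# DEV, all rates, the table and the 1:99 default class are assumptions.
DEV=${DEV:-eth0}
PARENT_RATE=2000   # kbit, guaranteed rate of top-level class 1:1
PARENT_CEIL=4000   # kbit, ceiling of top-level class 1:1
DEFAULT_MINOR=99   # leaf class that receives traffic no filter matches
# Constructed sample rows: minor-id, selector (dst IP/subnet or mark=N), rate, ceil
TABLE='10 192.168.1.2 500 2000
20 192.168.111.0/24 500 4000
30 mark=31 500 4000'

# Print the tc commands; return 1 if a row breaks rate <= ceil <= parent
# ceil, or if the child rates leave nothing for the default class.
gen_tc() {
  sum=0
  echo "tc qdisc add dev $DEV root handle 1: htb default $DEFAULT_MINOR"
  echo "tc class add dev $DEV parent 1: classid 1:1 htb rate ${PARENT_RATE}kbit ceil ${PARENT_CEIL}kbit"
  while read -r minor sel rate ceil; do
    if [ "$rate" -gt "$ceil" ] || [ "$ceil" -gt "$PARENT_CEIL" ]; then
      echo "class 1:$minor: need rate <= ceil <= parent ceil" >&2; return 1
    fi
    sum=$((sum + rate))
    echo "tc class add dev $DEV parent 1:1 classid 1:$minor htb rate ${rate}kbit ceil ${ceil}kbit prio 3"
    echo "tc qdisc add dev $DEV parent 1:$minor handle $minor: sfq perturb 10"
    case $sel in   # fw matches an iptables mark, u32 matches the destination
      mark=*) echo "tc filter add dev $DEV parent 1: protocol ip prio 17 handle ${sel#mark=} fw flowid 1:$minor" ;;
      *) echo "tc filter add dev $DEV parent 1: protocol ip prio 16 u32 match ip dst $sel flowid 1:$minor" ;;
    esac
  done <<EOF
$TABLE
EOF
  if [ "$sum" -ge "$PARENT_RATE" ]; then
    echo "child rates total ${sum}kbit, parent has ${PARENT_RATE}kbit" >&2; return 1
  fi
  echo "tc class add dev $DEV parent 1:1 classid 1:$DEFAULT_MINOR htb rate $((PARENT_RATE - sum))kbit ceil ${PARENT_CEIL}kbit prio 7"
}

# Dry run by default; APPLY=1 (as root) replaces the root qdisc on $DEV.
apply_tc() {
  plan=$(gen_tc) || return 1
  if [ "${APPLY:-0}" = 1 ]; then
    tc qdisc del dev "$DEV" root 2>/dev/null || true
    printf '%s\n' "$plan" | sh -e
  else
    printf '%s\n' "$plan"
  fi
}
apply_tc
```

The fw filter uses a different prio from the u32 filters because a single priority on one parent holds only one classifier type.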
TC Command Reference
tc qdisc [add|change|replace|link] dev DEV [parent qdisc-id|root] [handle qdisc-id] qdisc [qdisc‑specific parameters]
tc class [add|change|replace] dev DEV parent qdisc-id [classid class-id] qdisc [qdisc‑specific parameters]
tc filter [add|change|replace] dev DEV [parent qdisc-id|root] protocol PROTO prio PRIORITY filtertype [filtertype‑specific parameters] flowid FLOW-ID
tc -s -d qdisc show dev DEV
tc -s -d class show dev DEV
tc qdisc del dev DEV root
Practical Examples
Limit a single IP's download speed:
tc qdisc add dev eth0 root handle 1: htb r2q 1
tc class add dev eth0 parent 1: classid 1:1 htb rate 30mbit ceil 60mbit
tc filter add dev eth0 parent 1: protocol ip prio 16 u32 match ip dst 192.168.1.2 flowid 1:1
This caps the IP 192.168.1.2 at 30 Mbit/s (up to 60 Mbit/s burst).
Limit an entire subnet:
tc qdisc add dev eth0 root handle 1: htb r2q 1
tc class add dev eth0 parent 1: classid 1:1 htb rate 50mbit ceil 1000mbit
tc filter add dev eth0 parent 1: protocol ip prio 16 u32 match ip dst 192.168.111.0/24 flowid 1:1
All hosts in 192.168.111.0/24 share roughly 200 kbit/s.
Add SFQ to prevent a single host from hogging bandwidth:
tc qdisc add dev eth0 root handle 1: htb r2q 1
tc class add dev eth0 parent 1: classid 1:1 htb rate 3000kbit burst 10k
tc qdisc add dev eth0 parent 1:1 handle 10: sfq perturb 10
tc filter add dev eth0 parent 1: protocol ip prio 16 u32 match ip dst 192.168.111.168 flowid 1:1
SFQ ensures fair distribution among IPs within the class.
ITPUB
Official ITPUB account sharing technical insights, community news, and exciting events.
