Master Linux Traffic Shaping: Limit Bandwidth per IP and Port with TC

1. Linux Traffic Control Overview

Traffic shaping in Linux is performed by queuing packets. The tc utility manipulates a hierarchy of qdisc (queueing discipline), class , and filter objects. The typical workflow is:

Create a root qdisc on the target network interface.

Create one or more classes that define rate limits (rate, ceil, burst).

Create filters that match traffic (IP address, port, protocol) and bind it to a class.

TC is the foundation for many eBPF‑based networking solutions.

2. Shaping Egress Traffic for a Specific Destination

2.1 Identify the interface

ifconfig eth0
# Example output
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
    inet 1.1.1.1  netmask 255.255.254.0  broadcast 1.1.1.1
    inet6 1::1:1:1:1  prefixlen 64  scopeid 0x20<link>
    ether 1:1:1:1:1:1  txqueuelen 1000  (Ethernet)

2.2 Build the qdisc/class/filter tree

Root qdisc (HTB, handle 1:)

tc qdisc add dev eth0 root handle 1: htb default 1

Parent class that reserves the total bandwidth of the interface. In this example the interface is limited to 6 MBps (≈48 Mbit/s).

tc class add dev eth0 parent 1:0 classid 1:1 htb rate 6MBps burst 15k

Child class for the specific destination. The ceil parameter defines the absolute upper bound; normal traffic is limited to rate, but bursts may reach ceil.

tc class add dev eth0 parent 1:1 classid 1:10 htb rate 6MBps ceil 10MBps burst 15k

Filter that matches the destination IP (or subnet) and directs the packets to the child class.

tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 \
    match ip dst 1.2.3.4/32 flowid 1:10

Replace 1.2.3.4 with any IPv4 address or CIDR block (e.g., 1.2.0.0/16) to apply the same limit to a larger range.

2.3 Verify and clean up

Show class configuration tc class show dev eth0 Show filter configuration tc filter show dev eth0 Delete the entire hierarchy

tc qdisc del dev eth0 root

3. Shaping Ingress Traffic (Outbound from the host) to a Specific Destination

TC can only shape traffic on egress. To limit inbound traffic destined for the host, the packets are redirected to an ifb (Intermediate Functional Block) device, which then treats the redirected traffic as egress.

3.1 Load and enable the ifb module

modprobe ifb numifbs=1
ip link set dev ifb0 up

3.2 Configure ingress redirection and shaping on ifb0

Add an ingress qdisc on the physical interface. tc qdisc add dev eth0 handle ffff: ingress Redirect all inbound packets to ifb0.

tc filter add dev eth0 parent ffff: protocol ip u32 \
    match u32 0 0 action mirred egress redirect dev ifb0

Attach an HTB root qdisc to ifb0 and create the same class hierarchy as in section 2.

tc qdisc add dev ifb0 root handle 1: htb default 10
tc class add dev ifb0 parent 1:0 classid 1:1 htb rate 6MBps burst 15k
tc class add dev ifb0 parent 1:1 classid 1:10 htb rate 6MBps ceil 10MBps burst 15k
tc filter add dev ifb0 parent 1:0 protocol ip prio 16 u32 \
    match ip dst 1.2.3.4/32 flowid 1:10

3.3 Verify and clean up

Show class configuration on

ifb0

tc class show dev ifb0

Show filter configuration on

ifb0

tc filter show dev ifb0

Remove all rules

tc qdisc del dev eth0 ingress
tc qdisc del dev ifb0 root
modprobe -r ifb

4. References

https://arthurchiao.art/blog/lartc-qdisc-zh/

https://serverfault.com/questions/350023/tc-ingress-policing-and-ifb-mirroring