
Master Linux Traffic Shaping: Limit IP/Port Bandwidth with TC and IFB

Learn how to control Linux network traffic by creating qdisc, class, and filter rules with tc, set bandwidth limits for specific IPs or ports, and use an ifb virtual interface to shape inbound traffic, including step-by-step commands, configuration examples, and cleanup procedures.

Liangxu Linux

1. Linux Traffic Control Principles

Linux shapes traffic by queuing packets, a process known as data shaping. The main actions include:

Increasing latency

Dropping packets

Reordering packets

Duplicating or corrupting packets

Rate limiting

Under the qdisc‑class‑filter architecture, shaping requires three steps:

Create a qdisc queue

Create class classifications that define bandwidth policies

Create filters that bind specific IPs/Ports to the classes

The tc tool is the standard Linux traffic‑control utility and forms the basis for many eBPF‑based networking components.

2. Limiting Outbound Speed for Specific IP/Port

2.1 View Network Interface

ifconfig

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 1.1.1.1  netmask 255.255.254.0  broadcast 1.1.1.1
        inet6 1::1:1:1:1  prefixlen 64  scopeid 0x20<link>
        ether 1:1:1:1:1:1  txqueuelen 1000  (Ethernet)
        RX packets 2980910  bytes 2662352343 (2.4 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1475969  bytes 122254809 (116.5 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

2.2 Configuration

Create the root qdisc

tc qdisc add dev eth0 root handle 1: htb default 1

Create the first‑level class that holds the total bandwidth

The rate is given in megabytes per second: 6 MBps (≈ 48 Mbps).

tc class add dev eth0 parent 1:0 classid 1:1 htb rate 6MBps burst 15k

Create a child class for finer control

tc class add dev eth0 parent 1:1 classid 1:10 htb rate 6MBps ceil 10MBps burst 15k

The ceil value sets the upper bound; normal traffic is limited to 6 MBps, but bursts can reach 10 MBps when the link is idle.

Create a filter that binds a destination IP to the child class

tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip dst 1.2.3.3 flowid 1:10

This assigns traffic destined for 1.2.3.3 to class 1:10 (flowid 1:10), which limits it to 6 MBps. The same rule can be applied to an entire subnet, e.g., 1.2.0.0/16.

2.3 View and Clean Up

Show class configuration

tc class show dev eth0

class htb 1:10 parent 1:1 leaf 10: prio 0 rate 48Mbit ceil 80Mbit burst 15Kb cburst 1600b
class htb 1:1 root rate 48Mbit ceil 48Mbit burst 15Kb cburst 1590b

Show filter configuration

tc filter show dev eth0

filter parent 1: protocol ip pref 1 u32 chain 0
filter parent 1: protocol ip pref 1 u32 chain 0 fh 800: ht divisor 1
filter parent 1: protocol ip pref 1 u32 chain 0 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:10 not_in_hw
  match 01020303/ffffffff at 16
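
The hex "match" line in that listing is how u32 stores the rule, and it is the only record of what is actually being shaped. The following added example (not part of the original article; the function names are assumptions) decodes such lines back into addresses and ports, going beyond the single destination match shown to cover source addresses (offset 12) and ports (offset 20, valid only for IPv4 headers without options).

```shell
#!/bin/sh
# Decode u32 "match VALUE/MASK at OFFSET" lines printed by `tc filter show`.

hex2ip() {      # 01020303 -> 1.2.3.3
    v=$((0x$1))
    echo "$(( (v >> 24) & 255 )).$(( (v >> 16) & 255 )).$(( (v >> 8) & 255 )).$(( v & 255 ))"
}

mask2len() {    # ffff0000 -> 16 (assumes a contiguous netmask)
    m=$((0x$1)); n=0
    while [ $(( m & 0x80000000 )) -ne 0 ]; do
        n=$(( n + 1 )); m=$(( (m << 1) & 0xffffffff ))
    done
    echo "$n"
}

decode_match() {    # "match 01020303/ffffffff at 16" -> "dst 1.2.3.3/32"
    set -- $1       # split into words: match VALUE/MASK at OFFSET
    val=${2%/*}; mask=${2#*/}
    case $4 in
        12) echo "src $(hex2ip "$val")/$(mask2len "$mask")" ;;
        16) echo "dst $(hex2ip "$val")/$(mask2len "$mask")" ;;
        20) # word after a 20-byte IPv4 header: sport (high 16 bits), dport (low)
            v=$((0x$val)); m=$((0x$mask))
            if [ $(( m >> 16 )) -ne 0 ]; then echo "sport $(( (v & m) >> 16 ))"; fi
            if [ $(( m & 0xffff )) -ne 0 ]; then echo "dport $(( v & m & 0xffff ))"; fi ;;
        *)  echo "offset $4: $val/$mask" ;;
    esac
}

decode_filters() {  # reads `tc filter show` output, prints "FLOWID MATCH"
    flow=
    while read -r line; do
        case $line in
            *flowid*) flow=${line#*flowid }; flow=${flow%% *} ;;
            match*)   echo "$flow $(decode_match "$line")" ;;
        esac
    done
}

sample_output() {   # two lines copied from the filter listing above
    cat <<'EOF'
filter parent 1: protocol ip pref 1 u32 chain 0 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:10 not_in_hw
  match 01020303/ffffffff at 16
EOF
}

sample_output | decode_filters
```

On a live host, pipe `tc filter show dev eth0` into `decode_filters` instead of the embedded sample.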

Delete all configurations

tc qdisc del dev eth0 root

3. Limiting Inbound Speed for Specific IP/Port

Ingress traffic cannot be directly shaped, so it must be redirected to an ifb (Intermediate Functional Block) device and then shaped on its egress side.

3.1 Enable Virtual Interface

modprobe ifb numifbs=1
ip link set dev ifb0 up

3.2 Configuration

Add an ingress qdisc to the physical NIC

tc qdisc add dev eth0 handle ffff: ingress

Redirect incoming traffic to ifb0

tc filter add dev eth0 parent ffff: protocol ip u32 match u32 0 0 action mirred egress redirect dev ifb0

Add qdisc, class, and filter on ifb0

tc qdisc add dev ifb0 root handle 1: htb default 10
tc class add dev ifb0 parent 1:0 classid 1:1 htb rate 6Mbps
tc class add dev ifb0 parent 1:1 classid 1:10 htb rate 6Mbps
tc filter add dev ifb0 parent 1:0 protocol ip prio 16 u32 match ip dst 1.2.3.4 flowid 1:10
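
The ingress steps above, adapted to limit one local TCP port instead of one address, as an added example that is not part of the original article. Port 443, the function names and the APPLY switch are assumptions; the script prints the commands by default and runs them only when APPLY=1.

```shell
#!/bin/sh
# Constructed example: print (default) or run (APPLY=1) the tc commands that
# cap inbound IPv4/TCP traffic to one local port through an ifb redirect.

# tc reads "mbps" as megaBYTES per second (case-insensitive), so convert to
# an explicit mbit value instead of passing an ambiguous suffix through.
to_mbit() {
    case $1 in ''|0*|*[!0-9]*) echo "bad rate: $1" >&2; return 1 ;; esac
    case $2 in
        [Mm][Bb]ps) echo "$(( $1 * 8 ))mbit" ;;
        [Mm]bit)    echo "${1}mbit" ;;
        *) echo "unsupported unit: $2" >&2; return 1 ;;
    esac
}

run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

# ingress_port_limit DEV IFB PORT RATE UNIT
ingress_port_limit() {
    dev=$1; ifb=$2; port=$3
    case $port in
        ''|0*|*[!0-9]*|??????*) echo "bad port: $port" >&2; return 1 ;;
    esac
    [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
    rate=$(to_mbit "$4" "$5") || return 1
    # Notes on the rules below:
    #  - "protocol ip" is IPv4 only; IPv6 is not redirected and stays unshaped.
    #  - htb has no "default" class here, so unmatched traffic is not limited.
    #  - "ip dport" reads a fixed offset and assumes an IPv4 header w/o options.
    run modprobe ifb numifbs=1 &&
    run ip link set dev "$ifb" up &&
    run tc qdisc add dev "$dev" handle ffff: ingress &&
    run tc filter add dev "$dev" parent ffff: protocol ip u32 match u32 0 0 \
        action mirred egress redirect dev "$ifb" &&
    run tc qdisc add dev "$ifb" root handle 1: htb &&
    run tc class add dev "$ifb" parent 1:0 classid 1:1 htb rate "$rate" &&
    run tc class add dev "$ifb" parent 1:1 classid 1:10 htb rate "$rate" &&
    run tc filter add dev "$ifb" parent 1:0 protocol ip prio 16 u32 \
        match ip protocol 6 0xff match ip dport "$port" 0xffff flowid 1:10
}

ingress_port_limit eth0 ifb0 443 6 MBps   # dry run: prints the eight commands
```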

3.3 View and Clean Up

Monitoring graph (inbound traffic limited to 6 MBps, outbound unrestricted)

Show class configuration on ifb0

tc class show dev ifb0

class htb 1:10 parent 1:1 prio 0 rate 48Mbit ceil 48Mbit burst 1590b cburst 1590b
class htb 1:1 root rate 48Mbit ceil 48Mbit burst 1590b cburst 1590b

Show filter configuration on ifb0

tc filter show dev ifb0

filter parent 1: protocol ip pref 16 u32 chain 0
filter parent 1: protocol ip pref 16 u32 chain 0 fh 800: ht divisor 1
filter parent 1: protocol ip pref 16 u32 chain 0 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:10 not_in_hw
  match 01020304/ffffffff at 16

Delete all configurations

tc qdisc del dev eth0 ingress
tc qdisc del dev ifb0 root
modprobe -r ifb
