Master Linux Traffic Shaping with TC: Limit Bandwidth per IP and Port
This guide explains how to use Linux's TC tool to shape traffic by creating qdisc, class, and filter rules, allowing you to limit outbound and inbound bandwidth for specific IP addresses or ports, with step‑by‑step commands and practical examples.
1. Linux Traffic Shaping Principles
Linux controls packet transmission by queuing packets, a technique known as traffic shaping. Shaping can add delay, drop packets, reorder them, duplicate or corrupt data, and enforce rate limits. Implementing rate control with the qdisc‑class‑filter hierarchy requires three steps: create a qdisc queue, define classes for different bandwidth policies, and add filters that bind IP/Port criteria to those classes.
2. Limiting Outbound Traffic for Specific IP/Port
2.1 View Network Interface
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 1.1.1.1 netmask 255.255.254.0 broadcast 1.1.1.1
inet6 1::1:1:1:1 prefixlen 64 scopeid 0x20<link>
ether 1:1:1:1:1:1 txqueuelen 1000 (Ethernet)
RX packets 2980910 bytes 2662352343 (2.4 GiB)
TX packets 1475969 bytes 122254809 (116.5 MiB)
2.2 Configure qdisc‑class‑filter
Create the root qdisc
tc qdisc add dev eth0 root handle 1: htb default 1
Create the first‑level class allocating the total bandwidth (6 MBps ≈ 48 Mbps)
tc class add dev eth0 parent 1:0 classid 1:1 htb rate 6MBps burst 15k
Create a child class for finer control (rate 6 MBps, ceiling 10 MBps)
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 6MBps ceil 10MBps burst 15k
The ceil value defines the maximum speed the class may burst to; normal traffic is limited to 6 MBps, but during idle periods it may reach up to 10 MBps.
Add a filter to bind a destination IP to the child class
tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip dst 1.2.3.3 flowid 1:10
This rule limits traffic destined for 1.2.3.3 to the 6 MBps rate of class 1:10. The same approach works for entire subnets such as 1.2.0.0/16.
2.3 View and Clean Up Configuration
Show class settings
tc class show dev eth0
class htb 1:10 parent 1:1 leaf 10: prio 0 rate 48Mbit ceil 80Mbit burst 15Kb cburst 1600b
class htb 1:1 root rate 48Mbit ceil 48Mbit burst 15Kb cburst 1590b
Show filter settings
tc filter show dev eth0
filter parent 1: protocol ip pref 1 u32 chain 0
filter parent 1: protocol ip pref 1 u32 chain 0 fh 800: ht divisor 1
filter parent 1: protocol ip pref 1 u32 chain 0 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:10 not_in_hw
match 01020303/ffffffff at 16
Delete all qdisc rules
tc qdisc del dev eth0 root
3. Limiting Inbound Traffic (Ingress) Using an IFB Device
Ingress traffic cannot be shaped directly, so it is redirected to a virtual IFB interface, where egress shaping can be applied.
3.1 Enable the IFB Virtual Interface
modprobe ifb numifbs=1
ip link set dev ifb0 up
3.2 Configure qdisc‑class‑filter on IFB
Add an ingress qdisc on the physical NIC
tc qdisc add dev eth0 handle ffff: ingress
Redirect incoming packets to ifb0
tc filter add dev eth0 parent ffff: protocol ip u32 match u32 0 0 action mirred egress redirect dev ifb0
Add shaping rules on the IFB device
tc qdisc add dev ifb0 root handle 1: htb default 10
tc class add dev ifb0 parent 1:0 classid 1:1 htb rate 6Mbps
tc class add dev ifb0 parent 1:1 classid 1:10 htb rate 6Mbps
tc filter add dev ifb0 parent 1:0 protocol ip prio 16 u32 match ip dst 1.2.3.4 flowid 1:10
3.3 View and Clean Up IFB Configuration
Monitoring diagram (traffic limited to 6 MBps inbound)
Show class configuration on IFB
tc class show dev ifb0
class htb 1:10 parent 1:1 prio 0 rate 48Mbit ceil 48Mbit burst 1590b cburst 1590b
class htb 1:1 root rate 48Mbit ceil 48Mbit burst 1590b cburst 1590b
Show filter configuration on IFB
tc filter show dev ifb0
filter parent 1: protocol ip pref 16 u32 chain 0
filter parent 1: protocol ip pref 16 u32 chain 0 fh 800: ht divisor 1
filter parent 1: protocol ip pref 16 u32 chain 0 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:10 not_in_hw
match 01020304/ffffffff at 16
Remove all shaping rules
tc qdisc del dev eth0 ingress
tc qdisc del dev ifb0 root
modprobe -r ifb
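The tc filter show output in sections 2.3 and 3.3 prints each u32 rule as a hex value/mask at a byte offset (for example "match 01020303/ffffffff at 16"), which is hard to audit by eye. The following is an added example, not part of the original article: a small Python decoder that turns those lines back into readable conditions per flowid. It assumes IPv4 filters, where offset 12 is the source address, 16 the destination address and 20 the TCP/UDP port pair (valid only when the IP header carries no options); the second filter in the sample is constructed to cover the subnet and port cases.

```python
import ipaddress
import re

# First filter copied from section 2.3; the second (fh 800::801) is a
# constructed sample covering the subnet and port cases.
SAMPLE = """\
filter parent 1: protocol ip pref 1 u32 chain 0 fh 800: ht divisor 1
filter parent 1: protocol ip pref 1 u32 chain 0 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:10 not_in_hw
  match 01020303/ffffffff at 16
filter parent 1: protocol ip pref 1 u32 chain 0 fh 800::801 order 2049 key ht 800 bkt 0 flowid 1:10 not_in_hw
  match 01020000/ffff0000 at 16
  match 00000050/0000ffff at 20
"""

FLOWID = re.compile(r"\bflowid (\S+)")
MATCH = re.compile(r"^\s*match ([0-9a-f]{8})/([0-9a-f]{8}) at (\d+)\s*$")

def decode_match(value, mask, offset):
    """Translate one u32 key (32-bit value/mask at a byte offset in the IPv4 header)."""
    raw = f"raw {value:08x}/{mask:08x} at {offset}"
    if mask == 0:
        return "any"                      # e.g. `match u32 0 0`
    if offset in (12, 16):                # source / destination address words
        prefix = bin(mask).count("1")
        if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
            return raw                    # non-contiguous mask is not a CIDR block
        net = ipaddress.ip_network((value & mask, prefix))
        return f"{'src' if offset == 12 else 'dst'} {net}"
    if offset == 20:                      # port pair, assuming no IP options
        if mask == 0xFFFF0000:
            return f"sport {value >> 16}"
        if mask == 0x0000FFFF:
            return f"dport {value & 0xFFFF}"
    return raw                            # anything else is reported undecoded

def audit(text):
    """Return [(flowid, [decoded condition, ...]), ...], one entry per u32 filter."""
    rules = []
    for line in text.splitlines():
        found = FLOWID.search(line)
        if found:                         # a filter line that binds to a class
            rules.append((found.group(1), []))
            continue
        found = MATCH.match(line)
        if found and rules:               # a key belonging to the last filter
            value, mask = int(found.group(1), 16), int(found.group(2), 16)
            rules[-1][1].append(decode_match(value, mask, int(found.group(3))))
    return rules
```

Feeding the saved output of tc filter show dev eth0 (or ifb0) to audit() lists which addresses and ports are bound to each class, so an unexpected or overly broad match stands out before the rules are relied on.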
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
