Re: [PLUG] per process bandwidth limitation?
On Sep 15, 2004, at 12:51 PM, Malcolm wrote:
> I'm trying to work out if it's possible to limit bandwidth usage on a per
> process level under linux, but haven't found anything in my searches so I
> figured I'd ask here.
Ok well there's two ways to go:
If you're planning on running this on an SMP machine, you're out of
luck, because the particular iptables module you need has a known race
and will likely hang the box on occasion.
If not, read on.
What you want to do is to determine the PIDs of the processes you need
to limit bandwidth to. Once you have those, you will install iptables
rules using the owner match, specifying the PID in question for a
particular process for each rule, and then target the rule to a MARK
specifying a unique fwmark number (unique for a rule).
Then, install a class under the egress device using tc and install an
associated filter keyed to the mark above (the one that you are setting
with -j MARK) that will send all traffic with that fwmark to the class
you just created.
Here's an example:
ip link set imq0 up
tc qdisc add dev imq0 root handle 1: htb
tc class add dev imq0 parent 1: classid 1:2 htb rate 50kbit ceil 100kbit burst 1590 cburst 1590 quantum 1590
tc filter add dev imq0 protocol ip parent 1: prio 1 handle 2 fw classid 1:2
iptables -t mangle -A PREROUTING -m owner --pid-owner <PID of process> -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -j IMQ --todev 0
This will mark all traffic destined for the PID in question with a
fwmark of 2, which will filter it into the traffic shaping class 1:1
which has a rate of 50kbit and a ceiling rate of 100kbit. You will need
variations of rules 3, 4 and 5 for each PID you wish to limit traffic
into.
Make sure you still have a base class that has the full bandwidth of the
interface as the rate and mark any traffic you DON'T want limited with
a mark that will filter into that class.
To do this, you will need IMQ support in your kernel
(http://www.linuximq.net), as well as the iptables (>= 1.2.7a) and
iproute (>= 2.4.7) packages installed. Try to use a 2.6.x kernel if you
can.
Without IMQ, you can't really effectively limit bandwidth to the local
machine (the standard netfilter ingress policer is not great). With
IMQ, you can attach regular egress tc qdiscs, classes and filters to
the IMQ devices and shunt traffic to them via iptables rules in the
pre- and postrouting mangle chains. You can limit bandwidth on the way
in _and_ out by using both IMQ devices and some more iptables rules.
And, as I said, don't try using the owner match on an SMP machine.
You will definitely want to check out LARTC (http://lartc.org/) for
more information on this and other topics. Good luck! :)
--
Tobias DiPasquale
202A 04C4 2CE6 B985 8520 88D6 CD25 1A6C B9B5 1595
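
The per-PID variations and the base class described in the message above can be generated rather than typed by hand; the script below is an added example, not part of the original post. It only prints the commands, shapes egress through an IMQ device, and sets the marks in the mangle OUTPUT chain instead of PREROUTING (an assumption made here because the owner match only applies to locally generated packets); the function names and sample PIDs are hypothetical.

```shell
#!/bin/sh
# Added example: print (never execute) tc/iptables commands for several PIDs.
# Layout follows the message above: fwmark N -> fw filter handle N -> class 1:N.
# Assumptions: egress shaping via imqN, marks set in mangle OUTPUT (the owner
# match only sees locally generated packets), --pid-owner is available.

is_pid()  { case $1 in ''|*[!0-9]*|0*) return 1 ;; esac; }
is_rate() { case $1 in ''|*[!0-9a-z]*|[!1-9]*) return 1 ;; esac; }

# usage: gen_shaping IMQ_INDEX LINK_RATE PID:RATE:CEIL [PID:RATE:CEIL ...]
gen_shaping() {
    idx=$1 link=$2; shift 2
    dev=imq$idx
    case $idx in ''|*[!0-9]*) echo "bad IMQ index: $idx" >&2; return 1 ;; esac
    is_rate "$link" || { echo "bad link rate: $link" >&2; return 1; }
    # Validate every spec before printing, so the output is all-or-nothing.
    for spec in "$@"; do
        pid=${spec%%:*} rest=${spec#*:}
        rate=${rest%%:*} ceil=${rest#*:}
        case $spec in *:*:*) ;; *) rate= ;; esac   # fewer than 3 fields
        if ! is_pid "$pid" || ! is_rate "$rate" || ! is_rate "$ceil"; then
            echo "bad spec: $spec" >&2; return 1
        fi
    done
    echo "ip link set $dev up"
    echo "tc qdisc add dev $dev root handle 1: htb"
    # Base class 1:1 keeps the full link rate for traffic that is not limited.
    echo "tc class add dev $dev parent 1: classid 1:1 htb rate $link"
    echo "tc filter add dev $dev protocol ip parent 1: prio 1 handle 1 fw classid 1:1"
    # MARK does not stop rule traversal: the catch-all goes first and the
    # per-PID rules appended after it overwrite the mark for their process.
    echo "iptables -t mangle -A OUTPUT -j MARK --set-mark 1"
    mark=2
    for spec in "$@"; do
        pid=${spec%%:*} rest=${spec#*:}
        echo "tc class add dev $dev parent 1: classid 1:$mark htb rate ${rest%%:*} ceil ${rest#*:}"
        echo "tc filter add dev $dev protocol ip parent 1: prio 1 handle $mark fw classid 1:$mark"
        echo "iptables -t mangle -A OUTPUT -m owner --pid-owner $pid -j MARK --set-mark $mark"
        mark=$((mark + 1))
    done
    # Hand packets to the IMQ device last, once every mark has been set.
    echo "iptables -t mangle -A POSTROUTING -j IMQ --todev $idx"
}

# Constructed sample: two made-up PIDs on a 10mbit link.
gen_shaping 0 10mbit 4321:50kbit:100kbit 4400:200kbit:400kbit
```

Because a PID belongs to a different process after a restart, the rules have to be regenerated whenever the limited processes are restarted.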
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug