Using tc to delay packets to only a single IP address

linux traffic-shaping tc

I am new to using tc and netem. I want to delay packets being sent to a specific IP address. However, the commands below cause all packets on the system to be delayed, instead of just to the IP address 1.2.3.4:

tc qdisc del dev eth0 root
tc qdisc add dev eth0 root handle 1: prio
tc qdisc add dev eth0 parent 1:1 handle 2: netem delay 500ms
tc filter add dev eth0 parent 1:0 protocol ip pref 55 handle ::55 u32 match ip dst 1.2.3.4 flowid 2:1

My guess is that I need some kind of catch-all filter at the end to specify that all remaining traffic should not go through netem. But I can't get anything to work. How would I get this to work?


Solution 1:

The chosen answer is incorrect/incomplete. I faced a similar issue, the chosen answer gave some help, but not enough.

First, the following command is not really needed.

tc qdisc del dev eth0 root

It will 'delete' the root qdisc, but inmediately gets substituted by a pfifo_fast one (so you don't lose connectivity).

The second command:

tc qdisc add dev eth0 root handle 1: prio

Will substitute the pfifo_fast qdisc with the prio one. By default, the prio queue has 3 bands (0, 1, 2) each managed by one class (1:1, 1:2 and 1:3).

The packets will be sent to one of those bands using the TOS field of the IP package. This configuration is shown when you execute:

tc qdisc ls

looking at the 'priomap' values.

Then, you add a netem qdisc:

tc qdisc add dev eth0 parent 1:1 handle 2: netem delay 500ms

With this command you delay all traffic going to the 1:1 band (until the filter is in place).

But there are two caveats:

  • Your traffic can have a different TOS value and then being sent to another band.
  • The prio qdisc can be configured so the traffic goes to another band.

The following solved my issue to not be affected by the netem while the filter is not applied. Instead of the above steps, I did:

tc qdisc add dev eth0 root handle 1: prio priomap 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2

This will send all traffic by default to the band 1:3.

Then, I added the rule to delay traffic:

tc qdisc add dev eth0 parent 1:1 handle 10: netem delay 100ms 10ms

This creates the qdisc in the band 0, but since all traffic goes to band 3, it didn't affect me.

Afterwards, I added the filter:

tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip dst 10.0.0.1/32 match ip dport 80 0xffff flowid 1:1

Now with the filter, only the chosen IP/port will be affected, since we redirect the chosen traffic to the band 0.

All the other traffic continues unaffected since it continues to flow to band 3.

Solution 2:

Ok, I solved my own problem. It turns out that if you execute the first 3 lines above (the "tc qdisc" ones), it will delay all packets because there are no filters yet. The 4th line changes it to only delay packets from that single IP address. Additional filter lines can be added to add additional IP addresses to the "delayed" list. So: don't create a "netem delay" line without a filter pointing to it.

Solution 3:

Simple example from https://wiki.linuxfoundation.org/networking/netem that lets you delay packets to a given IP without affecting any other traffic, even during configuration:

tc qdisc del dev eth0 root # Ensure you start from a clean slate
tc qdisc add dev eth0 root handle 1: prio
tc qdisc add dev eth0 parent 1:3 handle 30: netem delay 500ms
tc filter add dev eth0 protocol ip parent 1:0 prio 3 u32 \
   match ip dst 192.168.1.2 flowid 1:3

Related

how to connect to mongodb server via ssh tunnel
Iptables: "-p udp --state ESTABLISHED"
apt-get update getting 404 on debian lenny
Turning a log file into a sort of circular buffer
Is it possible to get OpenSSH to log the public key that was used in authentication?
What is the network address (x.x.x.0) used for? [duplicate]
Restrict access to IIS site to an AD Group
What does %st mean in top?
logrotate not rotating the logs
Avoid to keep command in history
Serve http (port 80) and https (port 443) on same VirtualHost
Hidden Features of Solaris/OpenSolaris