I've had the need to implement bandwidth throttling on a debian router at a colo. We are connected to a 100Mbit pipe, and we are charged for anything over 1Mbit/sec in or out. (95th percentile). I found all kinds of helpful hints for throttling outbound bandwidth, but I found throttling inbound traffic a bit more touchy. I also needed to be able to throttle from traffic behind the router as well as traffic initiated from the router itself. Here's what I came up with. (Works very well, btw).

Anybody have any suggestions or better solutions?

#!/bin/bash
tc qdisc del dev eth1 ingress
tc qdisc add dev eth1 ingress
tc filter add dev eth1 parent ffff: protocol ip prio 10 u32 match ip dst 0/0 \
   police rate 1024kbit burst 10kb drop flowid :1
tc qdisc del dev eth1 root
tc qdisc add dev eth1 root tbf rate 1024kbit burst 10kb latency 25ms


The colo is connected to our main office via an ipsec tunnel. the only issues I have with this is some ugly error logs, I assume complaining about the packet police dropping packets to get speed down to an acceptable rate.


Aug  6 12:11:48 fw-rich kernel: klips_error:ipsec_xmit_send: ip_send() failed, err=-1
Aug  6 12:11:48 fw-rich kernel: klips_error:ipsec_xmit_send: ip_send() failed, err=-1
Aug  6 12:11:49 fw-rich kernel: klips_error:ipsec_xmit_send: ip_send() failed, err=-1
Aug  6 12:11:49 fw-rich kernel: klips_error:ipsec_xmit_send: ip_send() failed, err=-1
Aug  6 12:11:49 fw-rich kernel: klips_error:ipsec_xmit_send: ip_send() failed, err=-1