Page MenuHomeVyOS Platform
Create Task
Maniphest T6338

Ability to use per-user traffic shaper or policy limits based on the network
Open, WishlistPublicFEATURE REQUEST
Actions

Description

Ability to use per-user traffic shaper or policy limits based on the network prefix.
For example, we have the network 100.64.0.0/24 and want to limit each IP address in the network to 10mbit.

Nftables support limits in bytes or mbytes/second, It probably will be better to create the batch file with limits instead of doing tc
https://wiki.nftables.org/wiki-nftables/index.php/Rate_limiting_matchings

The example of nft rules in https://vyos.dev/T5929

An example of a basic CLI (should be improved):

set qos per-user-limits shaper <myshaper> speed 10mbit
set qos per-user-limits shaper <myshaper> interface eth1
set qos per-user-limits shaper <myshaper> network 100.64.0.0/24

Mikrotik uses PCQ for it, which most likely is not present in the Linux TC

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)

Related Objects

Event Timeline

Viacheslav created this task.May 15 2024, 8:00 AM
Viacheslav triaged this task as Wishlist priority.
pasik subscribed.May 15 2024, 8:10 AM
Thunderstorm subscribed.May 21 2024, 8:48 PM
L0crian subscribed.Jun 2 2024, 1:41 PM

NFT rate-limiting is effectively a policer instead of a shaper, so I don't think it'd be a good way to accomplish this. All drops would be aggressive and not tail-drops.

It also doesn't have a good way to scale to individual IPs, just like tc. I think it might be best to stick with tc to accomplish this.

This wouldn't be a "good" way to solve it, but I don't know there's any better way. I think you'd just have to iterate over the subnet, and generate a class and filter for each IP in the given subnet. So 100.64.0.0/24 would have classes like 1:0 to 1:ff, with 256 individual filters calling each class individually.

NOTE: The NFT rate-limiting could actually make a pretty good CoPP feature though.
dongjunbo subscribed.Jun 2 2024, 2:41 PM
Viacheslav added a comment.Jun 3 2024, 7:31 AM

@L0crian Some TC combinations are affected by locks, so they are impossible to use with, for example, /16 networks.

It is not a problem for NFT with hash maps.