1

I want to reduce the priority of specific network traffic using tc in particular tc-u32 in my Linux server. In other words all other traffic must have higher priority than traffic with specified IP-proto.

I'm trying to apply this tc filter rule to make outgoing ICMP traffic lower priority:

tc f a dev eno1 parent 1: prio 2 u32 match ip protocol 1 0xff

But it returns this error:

RTNETLINK answers: Invalid argument
We have an error talking to the kernel

Here are some things are still unclear to me about tc in this context:

  1. How to make this rule work properly?
  2. Do I need some another rule to tell Linux something like "all other traffic goes with 1 priority" or this is done by default?
  3. What is the basic logic behind such naming - 1:, 2:, etc.? What does 0xff mean? Should I explicitly specify classid field?
red0ct
  • 374
  • 2
  • 10

1 Answers1

3

This could be done the way I describing below.

First we should change the root discipline of interface (usually pfifo_fast) with the prio one:

tc q a dev eno1 root handle 1: prio

This command creates qdisc on eno1 with 3 classes by default (1:1 - the highest priority, 1:2 - middle, 1:3 - the lowest priority). Normally all the regular traffic goes to 1:2, the traffic with the highest priority (e.g. through ToS/DSCP) goes to 1:1.
We can check the result via:

tc -d -s class show dev eno1

Then we can add filter rule to direct all the traffic with IP protocol = 1 to 3rd (lower priority) class:

tc f a dev eno1 parent 1: prio 1 u32 match ip protocol 1 0xff flowid 1:3

parent 1: - this filter is attached to qdisc. Based on filter result qdisc decides to which class this traffic should be directed.
prio 1 - this filter's priority (filters with a lower prio are used first - specifically in this case doesn't matter, because there is only one filter)
u32 - traffic classifier
match ip protocol 1 0xff - triggering the filter when packets with IP-proto 1 arrive. 0xff - is a bitmask for IP protocol match.
flowid 1:3 - the class to be used.

You can initiate some ICMP traffic and watch the Sent results via:

watch -d -n1 'tc -d -s class show dev eno1'
red0ct
  • 374
  • 2
  • 10