Linux – Limit packets per second

linux

I am using kvm with bridge networking and I want to limit packets per second for all virtual machines.

I know how to do that with iptables, but it's not working. None of the iptables rules apply to the routed VM IPs, although net.bridge.bridge-nf-call-iptables = 1.

Best Answer

You need to tell the kernel to pass packets passing through the bridge to netfilter/iptables:

/proc/sys/net/bridge/bridge-nf-call-iptables => pass (1) or don't pass (0) bridged IPv4 traffic to iptables' chains.
/proc/sys/net/bridge/bridge-nf-call-ip6tables => pass (1) or don't pass (0) bridged IPv6 traffic to ip6tables' chains.
/proc/sys/net/bridge/bridge-nf-filter-vlan-tagged => pass (1) or don't pass (0) bridged vlan-tagged ARP/IP traffic to arptables/iptables.

So to filter IPv4 traffic, you need to set:

echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables

If you're using VLANs, you'll probably need to enable the filter-vlan-tagged option too.
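As an added example (not part of the original answer), a POSIX shell script that first checks the sysctl named above and then builds the iptables/ip6tables rules that cap forwarded packets per second per source address, which is what the question was after. The function names, the bridge name br0, the hashlimit table names and the note about the br_netfilter module are this example's own assumptions.

```shell
#!/bin/sh
# Added example: verify bridge-nf is on, then rate-limit bridged VM traffic.
# Sysctl paths quoted in the answer; a different file can be passed for testing.
BRIDGE_NF_SYSCTL="/proc/sys/net/bridge/bridge-nf-call-iptables"
BRIDGE_NF_SYSCTL6="/proc/sys/net/bridge/bridge-nf-call-ip6tables"

# bridge_nf_enabled [FILE]: succeed only if FILE exists and holds "1".
# Returns 2 when the file is absent, which on current kernels usually means
# the br_netfilter module is not loaded (assumption: mainline module name).
bridge_nf_enabled() {
    file="${1:-$BRIDGE_NF_SYSCTL}"
    [ -r "$file" ] || return 2
    [ "$(cat "$file")" = "1" ]
}

# pps_limit_rules BRIDGE PPS BURST: print (do not run) one iptables and one
# ip6tables rule that drop packets forwarded across BRIDGE once a single
# source address exceeds PPS packets/second, after a burst of BURST packets.
# With bridge-nf enabled, bridged frames traverse the FORWARD chain with the
# bridge device as in-interface, so "-i BRIDGE" selects the VMs' traffic.
# hashlimit table names must stay under 16 characters (vm_pps4 / vm_pps6).
pps_limit_rules() {
    br="$1"; pps="$2"; burst="$3"
    for fam in 4 6; do
        tool=iptables
        [ "$fam" = 6 ] && tool=ip6tables
        printf '%s -A FORWARD -i %s -m hashlimit --hashlimit-mode srcip' "$tool" "$br"
        printf ' --hashlimit-above %s/second --hashlimit-burst %s' "$pps" "$burst"
        printf ' --hashlimit-name vm_pps%s -j DROP\n' "$fam"
    done
}

# apply_pps_limit BRIDGE PPS BURST: refuse to install rules that would
# silently never match while bridge-nf is off; otherwise run them (root).
apply_pps_limit() {
    for f in "$BRIDGE_NF_SYSCTL" "$BRIDGE_NF_SYSCTL6"; do
        bridge_nf_enabled "$f" || {
            echo "$f is not 1: set it (echo 1 > $f) before adding rules" >&2
            return 1
        }
    done
    pps_limit_rules "$@" | sh -e
}
# Usage on the KVM host: apply_pps_limit br0 1000 2000
```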