使用tc ingress来限速接收方向

Linux中的QoS分为入口(Ingress)部分和出口(Egress)部分，入口部分主要用于进行入口流量限速(policing)，出口部分主要用于队列调度(queuing scheduling)。大多数排队规则(qdisc)都是用于输出方向的，输入方向只有一个排队规则，即ingress qdisc。ingress qdisc本身的功能很有限，如下;

Ingress qdisc 
The ingress qdisc itself does not require any parameters. It differs from other qdiscs in that it does not occupy the root of a device. Attach it like this:
# tc qdisc add dev eth0 ingress
This allows you to have other, sending qdiscs on your device besides the ingress qdisc. 

About the ingress qdisc
Ingress qdisc (known as ffff:) can't have any children classes. (hence the existence of IMQ)
The only thing you can do with the ingress qdisc is attach filters. 

About filtering on the ingress qdisc
Since there are no classes to which to direct the packets, the only reasonable option is to drop the packets.
With clever use of filtering, you can limit particular traffic signatures to particular uses of your bandwidth.

具体使用如下命令，进行限速：

tc qdisc add dev vnet1 handle ffff: ingress
tc filter add dev vnet1 parent ffff: protocol all prio 49 basic police rate 10mbit burst 1mb mtu 65535 drop

根据tc相关文档描述，使用tc ingress限速，功能有限，似乎只能选择丢弃，并且也不支持分类。实际应用中，我们可以将业务流重定向到ifb设备上，业务流从这个ifb设备中出去，再又相应的端口接收，那我们就可以像正常使用tc对egress限速一样，来对ifb设备进行egress限速，就可以达到对接收方向的限速了。具体原理可以参考最下面列出的文档。

ifb模块需要手动加载。
# modprobe ifb

启用虚拟设备ifb0
# ip link set dev ifb0 up

接下来配置ifb0的过滤规则

tc qdisc add dev ens3f3 handle ffff: ingress
tc filter add dev ens3f3 parent ffff: protocol ip u32 match u32 0 0 action mirred egress redirect dev ifb0
tc qdisc add dev ifb0 root handle 1: htb default 10
tc class add dev ifb0 parent 1: classid 1:1 htb rate 10000mbit
tc class add dev ifb0 parent 1:1 classid 1:10 htb rate 1000mbit ceil 1000mbit

注：上述配置可以针对端口来限速配置，但是不能与cgroup配合完成对某些进程组限速。

本来是想用cgroup，像限速egress侧一样，限速ingress侧，但是实践后发现不生效，查过了相关的网络资料，很多人讲在ingress侧，是无法达到像cgroup一样限制带宽的，具体是与cgroup标记的先后有关系。

be aware that if you use iptable to mark your packet and then filters them, you can't use ifb since all ingress trafic will be forwarded BEFORE any marking. so you will se your class stay at 0 and all forwarded to the default. IMQ seem the rigth solution for iptables users.

来自 <https://serverfault.com/questions/350023/tc-ingress-policing-and-ifb-mirroring

但可以通过报文中的源ip进行限速控制，如下配置：

tc qdisc add dev ifb0 root handle 1: htb default 20
tc class add dev ifb0 parent 1: classid 1:1 htb rate 10000mbit
tc class add dev ifb0 parent 1:1 classid 1:10 htb rate 2000mbit
tc class add dev ifb0 parent 1:1 classid 1:20 htb rate 1000mbit
tc class add dev ifb0 parent 1:1 classid 1:30 htb rate 500mbit
tc filter add dev ifb0 protocol ip parent 1:0 prio 1 u32 match ip src 129.9.123.85 flowid 1:10
tc filter add dev ifb0 protocol ip parent 1:0 prio 1 u32 match ip src 129.9.123.89 flowid 1:20 
tc filter add dev ifb0 protocol ip parent 1:0 prio 1 u32 match ip src 129.9.123.88 flowid 1:20 

当然我们也可以通过源端口和目的端口来限速，如下配置：

tc filter add dev ifb0 protocol ip parent 1:0 prio 1 u32 match ip dport 50051 0xffff flowid 1:30
tc filter add dev ifb0 protocol ip parent 1:0 prio 1 u32 match ip sport 45678 0xffff flowid 1:30

参考文档：

https://blog.csdn.net/zhangskd/article/details/8240290 
https://www.cnblogs.com/CasonChan/p/4919921.html