🔨Dropping Packets Using tc | Advanced Traffic Control Techniques 🏗️

Ronald BartelsRonald Bartels
4 min read

In the realm of network management, tc (Traffic Control) is often associated with Quality of Service (QoS) and traffic shaping. However, its capabilities extend beyond these traditional uses. tc can also be employed as a powerful tool for packet filtration at layer 3 (IP) and layer 4 (transport protocols). This article delves into using tc to drop packets and simulate network conditions such as packet loss, jitter, and reordering with Netem.

Packet Filtration with tc

The tc filter command allows for traffic classification and can be configured to drop specific types of traffic. The following example demonstrates how to use tc to drop GRE traffic (protocol 47) arriving at the eth0 interface:

Example: Dropping GRE Traffic

# tc qdisc add dev eth0 ingress
# tc filter add dev eth0 parent ffff: protocol ip prio 1 u32 match ip protocol 47 0x47 action drop

Explanation:

  1. qdisc add dev eth0 ingress:

    • Adds an ingress queuing discipline to the eth0 interface. Ingress filters allow you to process traffic entering the interface.

  2. filter add dev eth0 parent ffff::

    • Specifies the parent queuing discipline. ffff: is a special handle for ingress filtering.

  3. protocol ip:

    • Indicates that the rule applies to IP traffic.

  4. prio 1:

    • Sets the priority of the rule. Lower numbers have higher priority.

  5. u32 match ip protocol 47 0x47:

    • Matches packets where the IP protocol field equals 47 (GRE).

  6. action drop:

    • Specifies the action to take on matching packets, in this case, dropping them.

This approach is stateless, lightweight, and highly efficient, making it ideal for scenarios where high throughput is required.

Simulating Network Issues with Netem

In addition to packet filtering, tc offers Netem, a queuing discipline designed to simulate network conditions such as packet loss, latency, jitter, and reordering. These features are invaluable for testing and troubleshooting network-dependent applications under various conditions.

Example: Introducing Packet Loss

To simulate a 3% packet loss rate on the outgoing traffic of the eth0 interface:

# tc qdisc add dev eth0 root netem loss 3%

Explanation:

  1. qdisc add dev eth0 root:

    • Adds a queuing discipline to the root of the traffic control tree for eth0.

  2. netem loss 3%:

    • Specifies a packet loss rate of 3%.

Handling Incoming Traffic with IFB

By default, Netem operates on outgoing traffic. To apply Netem to incoming traffic, you can use an Intermediate Functional Block (IFB), a pseudo-device that allows traffic redirection.

Steps for Simulating Packet Loss on Incoming Traffic:

  1. Load the IFB kernel module:

     # modprobe ifb

  2. Create an IFB device (e.g., ifb0):

     # ip link add ifb0 type ifb
 # ip link set dev ifb0 up

  3. Redirect ingress traffic from eth0 to ifb0:

     # tc qdisc add dev eth0 ingress
 # tc filter add dev eth0 parent ffff: protocol ip u32 match u32 0 0 action mirred egress redirect dev ifb0

  4. Apply Netem to the IFB device:

     # tc qdisc add dev ifb0 root netem loss 3%

This setup allows you to simulate packet loss, jitter, and other network issues for incoming traffic.

Additional Netem Features

Netem provides several other options for simulating complex network conditions:

  1. Jitter (Variable Latency): Add 100ms latency with ±20ms variation:

     # tc qdisc add dev eth0 root netem delay 100ms 20ms

  2. Reordering Packets: Reorder 25% of packets:

     # tc qdisc add dev eth0 root netem reorder 25%

  3. Corrupting Packets: Corrupt 1% of packets:

     # tc qdisc add dev eth0 root netem corrupt 1%

Advantages of Using tc

  1. Granularity: Fine-grained control over traffic based on specific protocols, IP ranges, or ports.

  2. Efficiency: Stateless filtering ensures minimal performance overhead.

  3. Simulation Capabilities: Netem enables comprehensive testing of network-dependent applications.

  4. Ingress and Egress: Can handle both incoming and outgoing traffic when combined with IFB.

Limitations

  1. Layer 3 and 4 Only: Like other stateless filters, tc cannot inspect application-layer data.

  2. Complexity: Advanced configurations can become intricate, especially when using IFB devices.

  3. Limited Protocol Matching: Protocol matching in tc requires explicit values and does not support broader pattern matching.

Wrap

The tc command is a versatile tool that goes beyond traditional QoS management to include packet filtration and network condition simulation. Whether you're looking to drop unwanted traffic, mitigate attacks, or test application resilience under adverse conditions, tc offers a lightweight and flexible solution.

For advanced scenarios, the combination of Netem and IFB expands the capabilities to include incoming traffic and complex simulations. By mastering tc, network administrators can add a powerful tool to their arsenal for managing and troubleshooting modern networks.

https://hubandspoke.amastelek.com/linux-traffic-control-tc-the-backbone-of-qos-in-sd-wan
5
Subscribe to my newsletter

Read articles from Ronald Bartels directly inside your inbox. Subscribe to the newsletter, and don't miss out.

LinuxDropping packetstc

Written by

Ronald Bartels
Ronald Bartels

Driving SD-WAN Adoption in South Africa