Traffic Control (tc)

The Linux traffic control subsystem (tc) sits between the routing layer and the NIC driver. It lets you limit bandwidth, shape bursts, prioritize certain traffic, and simulate bad network conditions. Container runtimes, Kubernetes, and cloud providers all use tc under the hood for network QoS and isolation.

Qdiscs — Queuing Disciplines

What is a qdisc? A qdisc (queuing discipline) is an algorithm that decides the order and rate at which packets leave an interface. Every network interface has at least one qdisc. The default is pfifo_fast (a simple priority FIFO). More sophisticated qdiscs can rate-limit traffic, enforce fairness, simulate packet loss/delay, or prioritize video over file downloads.

    # View current qdiscs on all interfaces
    tc qdisc show
    # qdisc noqueue 0: dev lo root refcnt 2
    # qdisc fq_codel 0: dev eth0 root refcnt 2 limit 10240p flows 1024 ...

    # tc hierarchy:
    # Interface
    # └── Root qdisc (e.g., HTB, TBF, fq_codel)
    #     ├── Classes (e.g., 1:1, 1:10, 1:20)
    #     │   └── Leaf qdisc (e.g., fq_codel, sfq)
    #     └── Filters (classify packets into classes)

Simple Rate Limiting with TBF

    # TBF (Token Bucket Filter) — classic rate limiter
    # Limit outbound traffic on eth0 to 10Mbit/s

    # Add TBF qdisc
    tc qdisc add dev eth0 root tbf rate 10mbit burst 32kbit latency 400ms

    # Parameters:
    #   rate    = sustained rate (10mbit = 10 Mbit/s)
    #   burst   = bucket size — how much can burst above rate
    #   latency = max time a packet waits in the bucket

    # View it:
    tc qdisc show dev eth0
    # qdisc tbf 8001: root refcnt 2 rate 10Mbit burst 32Kb lat 400.0ms

    # Remove:
    tc qdisc del dev eth0 root

    # Rate limit upload AND download (download = limit on ingress — tricky):
    # Use IFB (Intermediate Functional Block) device for ingress shaping
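
The IFB approach named in the last comment, written out as an added example (not code from the original page). It assumes the interface names eth0 and ifb0 and a hypothetical DRY_RUN switch that prints the commands instead of running them; the filter uses "protocol all" because a "protocol ip" filter would leave IPv6 traffic unlimited.

```sh
#!/bin/sh
# Added example: ingress (download) rate limiting through an IFB device.
# IFB name is an assumption; modprobe ifb creates ifb0 by default.
IFB=${IFB:-ifb0}

# run CMD...: execute CMD, or only print it when DRY_RUN=1 (hypothetical switch).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# limit_ingress DEV RATE: cap traffic arriving on DEV at RATE (e.g. 10mbit).
limit_ingress() {
    dev=$1 rate=$2

    # Load the IFB driver and bring the virtual device up.
    run modprobe ifb
    run ip link set dev "$IFB" up

    # Attach the ingress qdisc (fixed handle ffff:) to the real interface.
    run tc qdisc add dev "$dev" handle ffff: ingress

    # Redirect every incoming packet, IPv4 and IPv6, to the IFB device.
    run tc filter add dev "$dev" parent ffff: protocol all u32 \
        match u32 0 0 action mirred egress redirect dev "$IFB"

    # On the IFB device the packets are egress traffic, so TBF can shape them.
    run tc qdisc add dev "$IFB" root tbf rate "$rate" burst 32kbit latency 400ms
}

# unlimit_ingress DEV: undo limit_ingress.
unlimit_ingress() {
    dev=$1
    run tc qdisc del dev "$dev" ingress
    run tc qdisc del dev "$IFB" root
    run ip link set dev "$IFB" down
}
```

Running "DRY_RUN=1 limit_ingress eth0 10mbit" lists the five commands without needing root.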

HTB — Hierarchical Token Bucket

HTB lets you create classes with different rates and priorities, then classify packets into them using filters. It is used for complex QoS, for example guaranteeing bandwidth for VoIP while limiting file downloads.

    # Setup: 100Mbit total, VoIP gets 10Mbit guaranteed, HTTP gets rest

    # Root qdisc (unclassified traffic falls into class 1:20)
    tc qdisc add dev eth0 root handle 1: htb default 20

    # Root class — total bandwidth
    tc class add dev eth0 parent 1: classid 1:1 htb rate 100mbit

    # VoIP class — 10Mbit guaranteed, can burst to 20Mbit
    tc class add dev eth0 parent 1:1 classid 1:10 htb rate 10mbit ceil 20mbit prio 1

    # HTTP class — 5Mbit guaranteed, can use whatever's left
    tc class add dev eth0 parent 1:1 classid 1:20 htb rate 5mbit ceil 100mbit prio 2

    # Add fair queuing inside each class
    tc qdisc add dev eth0 parent 1:10 handle 10: fq_codel
    tc qdisc add dev eth0 parent 1:20 handle 20: fq_codel

    # Filters — classify packets into classes
    # VoIP traffic (UDP port 5060 = SIP; RTP on 10000-20000 needs its own filters)
    tc filter add dev eth0 protocol ip parent 1: u32 \
        match ip protocol 17 0xff \
        match ip dport 5060 0xffff \
        flowid 1:10

    # HTTP traffic to class 1:20 (default handles rest)
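
A guarantee such as the 10Mbit VoIP class only holds while the rates of the classes under a parent add up to no more than the parent's own rate. The following added example (not code from the original page) checks that from the text printed by tc class show; the function names and the embedded sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag HTB parents whose children are promised more than
# the parent can deliver.

# Constructed sample of "tc class show dev eth0" for the setup above.
sample_classes() {
cat <<'EOF'
class htb 1:1 root rate 100Mbit ceil 100Mbit burst 1600b cburst 1600b
class htb 1:10 parent 1:1 leaf 10: prio 1 rate 10Mbit ceil 20Mbit burst 1600b cburst 1600b
class htb 1:20 parent 1:1 leaf 20: prio 2 rate 5Mbit ceil 100Mbit burst 1600b cburst 1600b
EOF
}

# audit_htb: reads "tc class show" text on stdin and prints, per parent class,
#   <classid> <parent_rate_bps> <sum_of_child_rates_bps> OK|OVERSUBSCRIBED
audit_htb() {
    awk '
    # Convert a tc rate string such as "10Mbit" or "500Kbit" to bits/s.
    function bps(s,   n) {
        n = s + 0
        if (s ~ /Gbit$/) return n * 1000000000
        if (s ~ /Mbit$/) return n * 1000000
        if (s ~ /Kbit$/) return n * 1000
        return n
    }
    $1 == "class" && $2 == "htb" {
        id = $3; parent = ""
        for (i = 4; i < NF; i++) {
            if ($i == "parent") parent = $(i + 1)
            if ($i == "rate")   rate[id] = bps($(i + 1))
        }
        # Only the guaranteed rate counts; ceil is borrowed, not promised.
        if (parent != "") sum[parent] += rate[id]
    }
    END {
        for (p in sum)
            printf "%s %.0f %.0f %s\n", p, rate[p], sum[p],
                   (sum[p] > rate[p] ? "OVERSUBSCRIBED" : "OK")
    }' | sort
}
```

On a live host the input would come from "tc class show dev eth0 | audit_htb".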

netem — Simulate Bad Networks

How do you test how your app handles packet loss, delays, or jitter? The netem (Network Emulator) qdisc simulates adverse network conditions on any interface: it can add delay, jitter, packet loss, duplication, and reordering. That makes it essential for testing how your application handles real-world network conditions before deploying.

    # Each netem example below is an alternative: an interface has one root
    # qdisc, so remove the previous one (see the end) before adding the next.

    # Add 100ms delay to outgoing packets on eth0
    tc qdisc add dev eth0 root netem delay 100ms

    # Add delay with jitter (100ms ± 20ms, normally distributed)
    tc qdisc add dev eth0 root netem delay 100ms 20ms distribution normal

    # Simulate 5% packet loss
    tc qdisc add dev eth0 root netem loss 5%

    # Combine: 100ms delay + 1% loss + 0.1% corruption
    tc qdisc add dev eth0 root netem delay 100ms loss 1% corrupt 0.1%

    # Simulate slow 3G mobile (2Mbit, 100ms delay, 1% loss)
    # TBF is the root qdisc; netem is attached below it as a child
    tc qdisc add dev eth0 root handle 1: tbf rate 2mbit burst 32kbit latency 400ms
    tc qdisc add dev eth0 parent 1:1 netem delay 100ms loss 1%

    # Remove simulation:
    tc qdisc del dev eth0 root
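
A netem qdisc that is left behind after a test keeps degrading the interface until someone deletes it. The wrapper below is an added example (not code from the original page) that applies an impairment only for the duration of one command and always removes it; with_netem and the TC override variable are hypothetical names.

```sh
#!/bin/sh
# Added example: run one command under a netem impairment, then clean up.
# TC can be overridden (for instance with a stub in tests); default is tc.
TC=${TC:-tc}

# with_netem DEV "NETEM ARGS" CMD [ARGS...]
# Returns CMD's exit status, or 2 if the impairment could not be applied.
with_netem() {
    dev=$1 impair=$2
    shift 2

    # "add" (not "replace") fails when a root qdisc is already configured,
    # so existing shaping on DEV is never overwritten and later deleted.
    # $impair is left unquoted on purpose: it holds several netem arguments.
    $TC qdisc add dev "$dev" root netem $impair || return 2

    # An interrupted run must not leave the impairment in place.
    trap '$TC qdisc del dev "$dev" root; trap - INT TERM; exit 130' INT TERM

    # Capture the status without tripping "set -e" in the calling script.
    status=0
    "$@" || status=$?

    $TC qdisc del dev "$dev" root
    trap - INT TERM
    return "$status"
}

# Example (needs root and a real interface):
#   with_netem eth0 "delay 100ms loss 1%" curl -sS https://example.com/
```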

CAKE — Modern All-in-One Solution

CAKE (Common Applications Kept Enhanced) is a modern qdisc that combines bandwidth shaping, fair queuing, and bufferbloat mitigation in a single qdisc. It is recommended over TBF + fq_codel for home routers and ISP equipment.

    # CAKE — simple and effective
    tc qdisc add dev eth0 root cake bandwidth 100mbit

    # For a home router (set to your actual upload speed):
    tc qdisc add dev pppoe-wan root cake bandwidth 20mbit

    # With options (an alternative to the first command, not an addition):
    #   diffserv4    = DSCP-based flow classification
    #   dual-srchost = fairness per source host
    #   nat          = works behind NAT
    #   wash         = clear DSCP markings after classification
    tc qdisc add dev eth0 root cake bandwidth 100mbit \
        diffserv4 \
        dual-srchost \
        nat \
        wash
