nixos/estuary: Implement bandwidth limiting

2022-07-10 19:12:16 +01:00 · 2022-07-10 19:12:16 +01:00 · e240b9a54e
commit e240b9a54e
parent ee7b79c686
1 changed files with 57 additions and 0 deletions
--- a/nixos/boxes/colony/vms/estuary/default.nix
+++ b/nixos/boxes/colony/vms/estuary/default.nix
@ -80,6 +80,7 @@
                  waitOnline = "systemd-networkd-wait-online@wan.service";
                in
                {
+                  description = "Frequent ICMP6 neighbour solicitations";
                  enable = true;
                  requires = [ waitOnline ];
                  after = [ waitOnline ];
@ -91,6 +92,29 @@
                  '';
                  wantedBy = [ "multi-user.target" ];
                };
+
+                # systemd-networkd doesn't support tc filtering
+                wan-filter-to-ifb =
+                let
+                  waitOnline = [
+                    "systemd-networkd-wait-online@wan.service"
+                    "systemd-networkd-wait-online@ifb-wan.service"
+                  ];
+                in
+                {
+                  description = "Install tc filter to pass WAN traffic to IFB";
+                  enable = true;
+                  bindsTo = waitOnline;
+                  after = waitOnline;
+                  serviceConfig = {
+                    Type = "oneshot";
+                    RemainAfterExit = true;
+                  };
+                  script = ''
+                    ${pkgs.iproute2}/bin/tc filter add dev wan parent ffff: u32 match u32 0 0 action mirred egress redirect dev ifb-wan
+                  '';
+                  wantedBy = [ "multi-user.target" ];
+                };
              };
            };

@ -111,6 +135,13 @@
                };
              };

+              netdevs = {
+                "25-ifb-wan".netdevConfig = {
+                  Name = "ifb-wan";
+                  Kind = "ifb";
+                };
+              };
+
              networks = {
                "80-wan" = {
                  matchConfig.Name = "wan";
@ -129,7 +160,33 @@
                    LinkLocalAddressing = "no";
                    IPv6AcceptRA = false;
                  };
+                  extraConfig = ''
+                    [QDisc]
+                    Parent=ingress
+                    Handle=ffff
+
+                    # Outbound traffic limiting
+                    [TokenBucketFilter]
+                    Parent=root
+                    LatencySec=0.3
+                    BurstBytes=512K
+                    # *bits
+                    Rate=245M
+                  '';
                };
+                "80-ifb-wan" = {
+                  matchConfig.Name = "ifb-wan";
+                  extraConfig = ''
+                    # Inbound traffic limiting
+                    [TokenBucketFilter]
+                    Parent=root
+                    LatencySec=0.3
+                    BurstBytes=512K
+                    # *bits
+                    Rate=245M
+                  '';
+                };
+
                "80-base" = mkMerge [
                  (networkdAssignment "base" assignments.base)
                  {