How to manage traffic with tc


WHAT TO EXPECT

In this article, users will learn how to manage network traffic in Linux using tc.

Managing Multicast Traffic

The following tc (Traffic Control) commands can be used to allow or deny incoming or outgoing multicast traffic on producer and consumer pods. Run these commands inside the target producer or consumer pod so that the correct interface name (eth0 in the examples) is used.

By default, ALL multicast traffic is allowed on every pod.

For Outgoing (Traffic leaving the Pod)

Deny ALL outgoing multicast

To deny all outgoing multicast, use the following commands:

Specific syntax:

# DENY ALL OUTGOING
tc qdisc add dev eth0 root handle 1: prio
tc filter add dev eth0 parent 1: protocol ip u32 match ip dst 224.0.0.0/4 action drop

Alternatively, users can deny outgoing multicast to specific groups:

General syntax:

# DENY OUTGOING TO SPECIFIC GROUP(S)
tc qdisc add dev eth0 root handle 1: prio
tc filter add dev eth0 parent 1: protocol ip u32 match ip dst <multicast_group_0> action drop
...
tc filter add dev eth0 parent 1: protocol ip u32 match ip dst <multicast_group_n> action drop

Example: denying outgoing traffic to the multicast group 239.0.0.1:

tc qdisc add dev eth0 root handle 1: prio
tc filter add dev eth0 parent 1: protocol ip u32 match ip dst 239.0.0.1/32 action drop

Allow outgoing multicast to specific group(s) - Deny all others

# DENY ALL OUTGOING
tc qdisc add dev eth0 root handle 1: prio
tc filter add dev eth0 parent 1: protocol ip u32 match ip dst 224.0.0.0/4 action drop
# ALLOW SPECIFIC GROUP(S)
tc filter add dev eth0 parent 1: protocol ip u32 match ip dst <multicast_group_0> action ok
...
tc filter add dev eth0 parent 1: protocol ip u32 match ip dst <multicast_group_n> action ok

Example: allowing outgoing traffic ONLY to the multicast group 239.0.0.1:

tc qdisc add dev eth0 root handle 1: prio
tc filter add dev eth0 parent 1: protocol ip u32 match ip dst 224.0.0.0/4 action drop
tc filter add dev eth0 parent 1: protocol ip u32 match ip dst 239.0.0.1/32 action ok

For Incoming (Traffic entering the Pod)

Deny ALL incoming multicast

To deny all incoming multicast, use the following commands:

Specific syntax:

# DENY ALL INCOMING
tc qdisc add dev eth0 ingress
tc filter add dev eth0 parent ffff: protocol ip u32 match ip dst 224.0.0.0/4 action drop

Alternatively, users can deny incoming multicast for specific group(s):

General syntax:

# DENY INCOMING TO SPECIFIC GROUP(S)
tc qdisc add dev eth0 ingress
tc filter add dev eth0 parent ffff: protocol ip u32 match ip dst <multicast_group_0> action drop
...
tc filter add dev eth0 parent ffff: protocol ip u32 match ip dst <multicast_group_n> action drop

Example: denying incoming multicast traffic for the multicast group 239.0.0.1:

tc qdisc add dev eth0 ingress
tc filter add dev eth0 parent ffff: protocol ip u32 match ip dst 239.0.0.1/32 action drop

Users can also allow incoming multicast for specific group(s) while denying all others:

General syntax:

# DENY ALL INCOMING
tc qdisc add dev eth0 ingress
tc filter add dev eth0 parent ffff: protocol ip u32 match ip dst 224.0.0.0/4 action drop
# ALLOW SPECIFIC GROUP(S)
tc filter add dev eth0 parent ffff: protocol ip u32 match ip dst <multicast_group_0> action ok
...
tc filter add dev eth0 parent ffff: protocol ip u32 match ip dst <multicast_group_n> action ok

Example: allowing incoming traffic ONLY to the multicast group 239.0.0.1:

tc qdisc add dev eth0 ingress
tc filter add dev eth0 parent ffff: protocol ip u32 match ip dst 224.0.0.0/4 action drop
tc filter add dev eth0 parent ffff: protocol ip u32 match ip dst 239.0.0.1/32 action ok
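As an added example that is not part of the original article, the following POSIX shell helper generates the "deny all, allow specific group(s)" rule set described above for either direction, and refuses any address outside 224.0.0.0/4 before emitting anything. Unlike the article's commands it attaches explicit pref values (10 for the allow filters, 20 for the catch-all drop); that is my addition, chosen so the evaluation order does not depend on the order in which the filters were added.

```shell
#!/bin/sh
# gen_mcast_allowlist <egress|ingress> <dev> <group>...
# Prints the tc commands that allow multicast only to the listed groups
# and drop every other multicast packet travelling in that direction.

# is_multicast_group: succeed only if $1 is a dotted quad inside 224.0.0.0/4
is_multicast_group() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    (
        IFS=.; set -- $1              # split on dots; the subshell keeps IFS local
        [ $# -eq 4 ] || exit 1
        for o in "$@"; do [ "$o" -le 255 ] || exit 1; done
        [ "$1" -ge 224 ] && [ "$1" -le 239 ]
    )
}

gen_mcast_allowlist() {
    dir=$1; dev=$2; shift 2
    case $dir in
        # egress filters hang off a root prio qdisc, ingress filters off ffff:
        egress)  qdisc="tc qdisc add dev $dev root handle 1: prio"; parent="1:" ;;
        ingress) qdisc="tc qdisc add dev $dev ingress";            parent="ffff:" ;;
        *) echo "direction must be egress or ingress" >&2; return 1 ;;
    esac
    [ $# -ge 1 ] || { echo "at least one multicast group is required" >&2; return 1; }
    for g in "$@"; do
        is_multicast_group "$g" || { echo "not a multicast group: $g" >&2; return 1; }
    done
    filter="tc filter add dev $dev parent $parent protocol ip"
    echo "$qdisc"
    # Allow filters at pref 10 are evaluated before the catch-all drop at
    # pref 20 (explicit prefs are an addition; the article relies on defaults).
    for g in "$@"; do
        echo "$filter pref 10 u32 match ip dst $g/32 action ok"
    done
    echo "$filter pref 20 u32 match ip dst 224.0.0.0/4 action drop"
}

# Example: print the rules for review; pipe the output to sh inside the pod to apply.
gen_mcast_allowlist egress eth0 239.0.0.1 239.0.0.2
```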