--- title: "How to manage traffic with tc" slug: "how-to-manage-traffic-with-qdisc" updated: 2025-12-23T14:59:03Z published: 2025-12-23T14:59:03Z canonical: "docs.swxtch.io/how-to-manage-traffic-with-qdisc" stale: true --- > ## Documentation Index > Fetch the complete documentation index at: https://docs.swxtch.io/llms.txt > Use this file to discover all available pages before exploring further. # How to manage traffic with tc **WHAT TO EXPECT** **In this article**, users will learn how to manage network traffic in Linux using `tc`. ## Managing Multicast Traffic The following are some `tc` commands (Traffic Control) that can be useful when it comes to allowing/denying either incoming or outgoing multicast traffic on producer and consumer pods. You **must** run these commands **inside** the target producer/consumer pods so that the correct interface name (eth0 in the examples) is picked up. By default, **ALL** multicast traffic is **allowed** on every pod. > [!NOTE] > **PLEASE NOTE** > > The tc man page is available [here](https://man7.org/linux/man-pages/man8/tc.8.html). ### Outgoing (Traffic leaving the Pod) #### **Deny ALL outgoing multicast** To deny all outgoing multicast, use the following commands: **Specific syntax:** ```shell # DENY ALL OUTGOING tc qdisc add dev eth0 root handle 1: prio tc filter add dev eth0 parent 1: protocol ip u32 match ip dst 224.0.0.0/4 action drop ``` Alternatively, users can deny outgoing multicast to specific groups: **General Syntax:** ```shell # DENY OUTGOING TO SPECIFIC GROUP(S) tc qdisc add dev eth0 root handle 1: prio tc filter add dev eth0 parent 1: protocol ip u32 match ip dst action drop ... tc filter add dev eth0 parent 1: protocol ip u32 match ip dst action drop ``` Example: denying outgoing traffic to a multicast group `239.0.0.1`: ```shell tc qdisc add dev eth0 root handle 1: prio tc filter add dev eth0 parent 1: protocol ip u32 match ip dst 239.0.0.1/32 action drop ``` #### **Allow outgoing multicast to a specific group(s) - Deny any other** ```shell # DENY ALL OUTGOING tc qdisc add dev eth0 root handle 1: prio tc filter add dev eth0 parent 1: protocol ip u32 match ip dst 224.0.0.0/4 action drop # ALLOW SPECIFIC GROUP(S) tc filter add dev eth0 parent 1: protocol ip u32 match ip dst action ok ... tc filter add dev eth0 parent 1: protocol ip u32 match ip dst action ok ``` **Example**: allowing outgoing traffic ONLY to the multicast group `239.0.0.1`: ```shell tc qdisc add dev eth0 root handle 1: prio tc filter add dev eth0 parent 1: protocol ip u32 match ip dst 224.0.0.0/4 action drop tc filter add dev eth0 parent 1: protocol ip u32 match ip dst 239.0.0.1/32 action ok ``` ### Incoming (Traffic entering the Pod) #### **Deny ALL incoming multicast** To deny ALL incoming multicast, use the following command: **Specific syntax:** ```shell # DENY ALL INCOMING tc qdisc add dev eth0 ingress tc qdisc add dev eth0 parent ffff: protocol ip u32 match ip dst 224.0.0.0/4 action drop ``` **Alternatively, users can deny incoming multicast for a specific group(s)** **General syntax:** ```shell # DENY INCOMING TO SPECIFIC GROUP(S) tc qdisc add dev eth0 ingress tc filter add dev eth0 parent ffff: protocol ip u32 match ip dst action drop ... tc filter add dev eth0 parent ffff: protocol ip u32 match ip dst action drop ``` **Example**: denying incoming multicast traffic to a multicast group `239.0.0.1`: ```shell tc qdisc add dev eth0 ingress tc filter add dev eth0 parent ffff: protocol ip u32 match ip dst 239.0.0.1/32 action drop ``` #### **Allow incoming multicast to a specific group(s) - Deny any other** In addition, users can specify allowing incoming multicast by a specific group(s) while denying any other: **General syntax:** ```shell # DENY ALL INCOMING tc qdisc add dev eth0 ingress tc qdisc add dev eth0 parent ffff: protocol ip u32 match ip dst 224.0.0.0/4 action drop # ALLOW SPECIFIC GROUP(S) tc filter add dev eth0 parent ffff: protocol ip u32 match ip dst action ok ... tc filter add dev eth0 parent ffff: protocol ip u32 match ip dst action ok ``` **Example**: allowing incoming traffic **ONLY** to the multicast group `239.0.0.1`: ```shell tc qdisc add dev eth0 ingress tc qdisc add dev eth0 parent ffff: protocol ip u32 match ip dst 224.0.0.0/4 action drop tc filter add dev eth0 parent ffff: protocol ip u32 match ip dst 239.0.0.1/32 action ok ```