bandwidth: possibility to exclude some subnets from traffic shaping

what changed:

we had to refactor the bandwidth plugin and switch from a classless qdisc (tbf)
to a classful qdisc (htb).

subnets are to be provided in config or runtimeconfig just like other parameters

unit and integration tests were also adapted in consequence

unrelated changes:

test fixes: the most important tests were just silently skipped due to ginkgo Measure deprecation
(the ones actually checking the effectiveness of the traffic control)

Signed-off-by: Raphael <oOraph@users.noreply.github.com>

integration/integration_linux_test.go

@@ -17,6 +17,7 @@ import (
 	"bytes"
 	"fmt"
 	"io"
+	"log"
 	"math/rand"
 	"net"
 	"os"
@@ -60,6 +61,13 @@ var _ = Describe("Basic PTP using cnitool", func() {
 			netConfPath, err := filepath.Abs("./testdata")
 			Expect(err).NotTo(HaveOccurred())
 
+			// Flush ipam stores to avoid conflicts
+			err = os.RemoveAll("/tmp/chained-ptp-bandwidth-test")
+			Expect(err).NotTo(HaveOccurred())
+
+			err = os.RemoveAll("/tmp/basic-ptp-test")
+			Expect(err).NotTo(HaveOccurred())
+
 			env = TestEnv([]string{
 				"CNI_PATH=" + cniPath,
 				"NETCONFPATH=" + netConfPath,
@@ -82,6 +90,7 @@ var _ = Describe("Basic PTP using cnitool", func() {
 			env.runInNS(hostNS, cnitoolBin, "add", netName, contNS.LongName())
 
 			addrOutput := env.runInNS(contNS, "ip", "addr")
+
 			Expect(addrOutput).To(ContainSubstring(expectedIPPrefix))
 
 			env.runInNS(hostNS, cnitoolBin, "del", netName, contNS.LongName())
@@ -145,9 +154,13 @@ var _ = Describe("Basic PTP using cnitool", func() {
 
 			chainedBridgeBandwidthEnv.runInNS(hostNS, cnitoolBin, "del", "network-chain-test", contNS1.LongName())
 			basicBridgeEnv.runInNS(hostNS, cnitoolBin, "del", "network-chain-test", contNS2.LongName())
+
+			contNS1.Del()
+			contNS2.Del()
+			hostNS.Del()
 		})
 
-		Measure("limits traffic only on the restricted bandwidth veth device", func(b Benchmarker) {
+		It("limits traffic only on the restricted bandwidth veth device", func() {
 			ipRegexp := regexp.MustCompile(`10\.1[12]\.2\.\d{1,3}`)
 
 			By(fmt.Sprintf("adding %s to %s\n\n", "chained-bridge-bandwidth", contNS1.ShortName()))
@@ -168,21 +181,23 @@ var _ = Describe("Basic PTP using cnitool", func() {
 			By(fmt.Sprintf("starting echo server in %s\n\n", contNS2.ShortName()))
 			basicBridgePort, basicBridgeSession = startEchoServerInNamespace(contNS2)
 
-			packetInBytes := 20000 // The shaper needs to 'warm'. Send enough to cause it to throttle,
-			// balanced by run time.
+			packetInBytes := 3000
 
 			By(fmt.Sprintf("sending tcp traffic to the chained, bridged, traffic shaped container on ip address '%s:%d'\n\n", chainedBridgeIP, chainedBridgeBandwidthPort))
-			runtimeWithLimit := b.Time("with chained bridge and bandwidth plugins", func() {
-				makeTCPClientInNS(hostNS.ShortName(), chainedBridgeIP, chainedBridgeBandwidthPort, packetInBytes)
-			})
+			start := time.Now()
+			makeTCPClientInNS(hostNS.ShortName(), chainedBridgeIP, chainedBridgeBandwidthPort, packetInBytes)
+			runtimeWithLimit := time.Since(start)
+
+			log.Printf("Runtime with qos limit %.2f seconds", runtimeWithLimit.Seconds())
 
 			By(fmt.Sprintf("sending tcp traffic to the basic bridged container on ip address '%s:%d'\n\n", basicBridgeIP, basicBridgePort))
-			runtimeWithoutLimit := b.Time("with basic bridged plugin", func() {
-				makeTCPClientInNS(hostNS.ShortName(), basicBridgeIP, basicBridgePort, packetInBytes)
-			})
+			start = time.Now()
+			makeTCPClientInNS(hostNS.ShortName(), basicBridgeIP, basicBridgePort, packetInBytes)
+			runtimeWithoutLimit := time.Since(start)
+			log.Printf("Runtime without qos limit %.2f seconds", runtimeWithLimit.Seconds())
 
 			Expect(runtimeWithLimit).To(BeNumerically(">", runtimeWithoutLimit+1000*time.Millisecond))
-		}, 1)
+		})
 	})
 })
 

integration/testdata/basic-ptp.json

@@ -6,6 +6,7 @@
     "mtu": 512,
     "ipam": {
         "type": "host-local",
-        "subnet": "10.1.2.0/24"
+        "subnet": "10.1.2.0/24",
+        "dataDir": "/tmp/basic-ptp-test"
     }
 }

integration/testdata/chained-ptp-bandwidth.conflist

@@ -8,7 +8,8 @@
             "mtu": 512,
             "ipam": {
                 "type": "host-local",
-                "subnet": "10.9.2.0/24"
+                "subnet": "10.9.2.0/24",
+                "dataDir": "/tmp/chained-ptp-bandwidth-test"
             }
         },
         {

plugins/meta/bandwidth/bandwidth_suite_test.go

@@ -33,7 +33,7 @@ import (
 	"github.com/containernetworking/plugins/pkg/ns"
 )
 
-func TestTBF(t *testing.T) {
+func TestHTB(t *testing.T) {
 	RegisterFailHandler(Fail)
 	RunSpecs(t, "plugins/meta/bandwidth")
 }

plugins/meta/bandwidth/ifb_creator.go

@@ -15,6 +15,8 @@
 package main
 
 import (
+	"bytes"
+	"encoding/binary"
 	"fmt"
 	"net"
 	"syscall"
@@ -24,14 +26,23 @@ import (
 	"github.com/containernetworking/plugins/pkg/ip"
 )
 
-const latencyInMillis = 25
+const (
+	latencyInMillis            = 25
+	UncappedRate        uint64 = 100_000_000_000
+	DefaultClassMinorID        = 48
+)
+
+func CreateIfb(ifbDeviceName string, mtu int, qlen int) error {
+	if qlen < 1000 {
+		qlen = 1000
+	}
 
-func CreateIfb(ifbDeviceName string, mtu int) error {
 	err := netlink.LinkAdd(&netlink.Ifb{
 		LinkAttrs: netlink.LinkAttrs{
-			Name:  ifbDeviceName,
-			Flags: net.FlagUp,
-			MTU:   mtu,
+			Name:   ifbDeviceName,
+			Flags:  net.FlagUp,
+			MTU:    mtu,
+			TxQLen: qlen,
 		},
 	})
 	if err != nil {
@@ -49,15 +60,15 @@ func TeardownIfb(deviceName string) error {
 	return err
 }
 
-func CreateIngressQdisc(rateInBits, burstInBits uint64, hostDeviceName string) error {
+func CreateIngressQdisc(rateInBits, burstInBits uint64, excludeSubnets []string, hostDeviceName string) error {
 	hostDevice, err := netlink.LinkByName(hostDeviceName)
 	if err != nil {
 		return fmt.Errorf("get host device: %s", err)
 	}
-	return createTBF(rateInBits, burstInBits, hostDevice.Attrs().Index)
+	return createHTB(rateInBits, burstInBits, hostDevice.Attrs().Index, excludeSubnets)
 }
 
-func CreateEgressQdisc(rateInBits, burstInBits uint64, hostDeviceName string, ifbDeviceName string) error {
+func CreateEgressQdisc(rateInBits, burstInBits uint64, excludeSubnets []string, hostDeviceName string, ifbDeviceName string) error {
 	ifbDevice, err := netlink.LinkByName(ifbDeviceName)
 	if err != nil {
 		return fmt.Errorf("get ifb device: %s", err)
@@ -105,43 +116,201 @@ func CreateEgressQdisc(rateInBits, burstInBits uint64, hostDeviceName string, if
 	}
 
 	// throttle traffic on ifb device
-	err = createTBF(rateInBits, burstInBits, ifbDevice.Attrs().Index)
+	err = createHTB(rateInBits, burstInBits, ifbDevice.Attrs().Index, excludeSubnets)
 	if err != nil {
-		return fmt.Errorf("create ifb qdisc: %s", err)
+		// egress from the container/netns pov = ingress from the main netns/host pov
+		return fmt.Errorf("create htb container egress qos rules: %s", err)
 	}
 	return nil
 }
 
-func createTBF(rateInBits, burstInBits uint64, linkIndex int) error {
-	// Equivalent to
-	// tc qdisc add dev link root tbf
-	//		rate netConf.BandwidthLimits.Rate
-	//		burst netConf.BandwidthLimits.Burst
-	if rateInBits <= 0 {
-		return fmt.Errorf("invalid rate: %d", rateInBits)
-	}
-	if burstInBits <= 0 {
-		return fmt.Errorf("invalid burst: %d", burstInBits)
-	}
-	rateInBytes := rateInBits / 8
-	burstInBytes := burstInBits / 8
-	bufferInBytes := buffer(rateInBytes, uint32(burstInBytes))
-	latency := latencyInUsec(latencyInMillis)
-	limitInBytes := limit(rateInBytes, latency, uint32(burstInBytes))
+func createHTB(rateInBits, burstInBits uint64, linkIndex int, excludeSubnets []string) error {
+	// Netlink struct fields are not clear, let's use shell
 
-	qdisc := &netlink.Tbf{
+	// Step 1 qdisc
+	// cmd := exec.Command("/usr/sbin/tc", "qdisc", "add", "dev", interfaceName, "root", "handle", "1:", "htb", "default", "30")
+	qdisc := &netlink.Htb{
 		QdiscAttrs: netlink.QdiscAttrs{
 			LinkIndex: linkIndex,
 			Handle:    netlink.MakeHandle(1, 0),
 			Parent:    netlink.HANDLE_ROOT,
 		},
-		Limit:  limitInBytes,
-		Rate:   rateInBytes,
-		Buffer: bufferInBytes,
+		Defcls: DefaultClassMinorID,
+		// No idea what these are so let's keep the default values from source code...
+		Version:      3,
+		Rate2Quantum: 10,
 	}
 	err := netlink.QdiscAdd(qdisc)
 	if err != nil {
-		return fmt.Errorf("create qdisc: %s", err)
+		return fmt.Errorf("error while creating qdisc: %s", err)
+	}
+
+	// Step 2 classes
+
+	rateInBytes := rateInBits / 8
+	burstInBytes := burstInBits / 8
+	bufferInBytes := buffer(rateInBytes, uint32(burstInBytes))
+
+	// The capped class for all but excluded subnets
+	// cmd = exec.Command("/usr/sbin/tc", "class", "add", "dev", interfaceName, "parent", "1:", "classid", "1:30", "htb", "rate",
+	//       fmt.Sprintf("%d", rateInBits), "burst", fmt.Sprintf("%d", burstInBits))
+	defClass := &netlink.HtbClass{
+		ClassAttrs: netlink.ClassAttrs{
+			LinkIndex: linkIndex,
+			Handle:    netlink.MakeHandle(1, DefaultClassMinorID),
+			Parent:    netlink.MakeHandle(1, 0),
+		},
+		Rate:   rateInBytes,
+		Buffer: bufferInBytes,
+		// Let's set up the "burst" rate to twice the specified rate
+		Ceil:    2 * rateInBytes,
+		Cbuffer: bufferInBytes,
+	}
+
+	err = netlink.ClassAdd(defClass)
+	if err != nil {
+		return fmt.Errorf("error while creating htb default class: %s", err)
+	}
+
+	// The uncapped class for the excluded subnets
+	// cmd = exec.Command("/usr/sbin/tc", "class", "add", "dev", interfaceName, "parent", "1:", "classid", "1:1", "htb",
+	// 	"rate", "100000000000")
+	bigRate := UncappedRate
+	uncappedClass := &netlink.HtbClass{
+		ClassAttrs: netlink.ClassAttrs{
+			LinkIndex: linkIndex,
+			Handle:    netlink.MakeHandle(1, 1),
+			Parent:    qdisc.Handle,
+		},
+		Rate: bigRate,
+		Ceil: bigRate,
+		// No need for any burst, the minimum buffer size in q_htb.c should be enough to handle the rate which
+		// is already more than enough
+	}
+	err = netlink.ClassAdd(uncappedClass)
+	if err != nil {
+		return fmt.Errorf("error while creating htb uncapped class: %s", err)
+	}
+
+	// Now add filters to redirect excluded subnets to the class 1 instead of the default one (30)
+
+	for _, subnet := range excludeSubnets {
+
+		// cmd = exec.Command("/usr/sbin/tc", "filter", "add", "dev", interfaceName, "parent", "1:", "protocol", protocol,
+		// "prio", "16", "u32", "match", "ip", "dst", subnet, "flowid", "1:1")
+
+		_, nw, err := net.ParseCIDR(subnet)
+		if err != nil {
+			return fmt.Errorf("bad subnet %s: %s", subnet, err)
+		}
+		var maskBytes []byte = nw.Mask
+		var subnetBytes []byte = nw.IP
+
+		if len(maskBytes) != len(subnetBytes) {
+			return fmt.Errorf("error using net lib for subnet %s len(maskBytes) != len(subnetBytes) "+
+				"(%d != %d) should not happen", subnet, len(maskBytes), len(subnetBytes))
+		}
+
+		isIpv4 := nw.IP.To4() != nil
+		protocol := syscall.ETH_P_IPV6
+		var prio uint16 = 15
+		var offset int32 = 24
+		keepBytes := 16
+		if isIpv4 {
+			protocol = syscall.ETH_P_IP
+			offset = 16
+			keepBytes = 4
+			// prio/pref needs to be changed if we change the protocol, looks like we cannot mix protocols with the same pref
+			prio = 16
+
+		}
+
+		// protocol := syscall.ETH_P_ALL
+
+		if len(maskBytes) < keepBytes {
+			return fmt.Errorf("error with net lib, unexpected count of bytes for ipv4 mask (%d < %d)",
+				len(maskBytes), keepBytes)
+		}
+		if len(subnetBytes) < keepBytes {
+			return fmt.Errorf("error with net lib, unexpected count of bytes for ipv4 subnet (%d < %d)",
+				len(subnetBytes), keepBytes)
+		}
+		maskBytes = maskBytes[len(maskBytes)-keepBytes:]
+		subnetBytes = subnetBytes[len(subnetBytes)-keepBytes:]
+
+		// For ipv4 we should have at most 1 key, for ipv6 at most 4
+		keys := make([]netlink.TcU32Key, 0, 4)
+
+		for i := 0; i < len(maskBytes); i += 4 {
+			var mask, subnetI uint32
+			buf := bytes.NewReader(maskBytes[i : i+4])
+			err = binary.Read(buf, binary.BigEndian, &mask)
+			if err != nil {
+				return fmt.Errorf("error, htb filter, unable to build mask match filter, iter %d for subnet %s",
+					i, subnet)
+			}
+
+			if mask != 0 {
+				// If mask == 0, any value on this section will be a match and we do not need a filter for this
+				buf = bytes.NewReader(subnetBytes[i : i+4])
+				err = binary.Read(buf, binary.BigEndian, &subnetI)
+				if err != nil {
+					return fmt.Errorf("error, htb filter, unable to build subnet match filter, iter %d for subnet %s",
+						i, subnet)
+				}
+				keys = append(keys, netlink.TcU32Key{
+					Mask:    mask,
+					Val:     subnetI,
+					Off:     offset,
+					OffMask: 0,
+				})
+			}
+
+			offset += 4
+		}
+
+		if len(keys) != cap(keys) {
+			shrinkedKeys := make([]netlink.TcU32Key, len(keys))
+			copied := copy(shrinkedKeys, keys)
+			if copied != len(keys) {
+				return fmt.Errorf("copy tc u32 keys error, for subnet %s copied %d != keys %d", subnet, copied, len(keys))
+			}
+			keys = shrinkedKeys
+		}
+
+		if isIpv4 && len(keys) > 1 {
+			return fmt.Errorf("error, htb ipv4 filter, unexpected rule length (%d > 1), for subnet %s",
+				len(keys), subnet)
+		} else if len(keys) > 4 {
+			return fmt.Errorf("error, htb ipv6 filter, unexpected rule length (%d > 4), for subnet %s",
+				len(keys), subnet)
+		}
+
+		// If len(keys) == 0, it means that we want to wildcard all traffic on the non default/uncapped class
+		var selector *netlink.TcU32Sel
+		if len(keys) > 0 {
+			selector = &netlink.TcU32Sel{
+				Nkeys: uint8(len(keys)),
+				Flags: netlink.TC_U32_TERMINAL,
+				Keys:  keys,
+			}
+		}
+
+		tcFilter := netlink.U32{
+			FilterAttrs: netlink.FilterAttrs{
+				LinkIndex: linkIndex,
+				Parent:    qdisc.Handle,
+				Priority:  prio,
+				Protocol:  uint16(protocol),
+			},
+			ClassId: uncappedClass.Handle,
+			Sel:     selector,
+		}
+
+		err = netlink.FilterAdd(&tcFilter)
+		if err != nil {
+			return fmt.Errorf("error, unable to create htb filter, details %s", err)
+		}
 	}
 	return nil
 }
@@ -153,11 +322,3 @@ func time2Tick(time uint32) uint32 {
 func buffer(rate uint64, burst uint32) uint32 {
 	return time2Tick(uint32(float64(burst) * float64(netlink.TIME_UNITS_PER_SEC) / float64(rate)))
 }
-
-func limit(rate uint64, latency float64, buffer uint32) uint32 {
-	return uint32(float64(rate)*latency/float64(netlink.TIME_UNITS_PER_SEC)) + buffer
-}
-
-func latencyInUsec(latencyInMillis float64) float64 {
-	return float64(netlink.TIME_UNITS_PER_SEC) * (latencyInMillis / 1000.0)
-}

plugins/meta/bandwidth/main.go

@@ -18,6 +18,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"math"
+	"net"
 
 	"github.com/vishvananda/netlink"
 
@@ -39,8 +40,9 @@ const (
 // BandwidthEntry corresponds to a single entry in the bandwidth argument,
 // see CONVENTIONS.md
 type BandwidthEntry struct {
-	IngressRate  uint64 `json:"ingressRate"`  // Bandwidth rate in bps for traffic through container. 0 for no limit. If ingressRate is set, ingressBurst must also be set
-	IngressBurst uint64 `json:"ingressBurst"` // Bandwidth burst in bits for traffic through container. 0 for no limit. If ingressBurst is set, ingressRate must also be set
+	NonShapedSubnets []string `json:"nonShapedSubnets"` // Ipv4/ipv6 subnets to be excluded from traffic shaping
+	IngressRate      uint64   `json:"ingressRate"`      // Bandwidth rate in bps for traffic through container. 0 for no limit. If ingressRate is set, ingressBurst must also be set
+	IngressBurst     uint64   `json:"ingressBurst"`     // Bandwidth burst in bits for traffic through container. 0 for no limit. If ingressBurst is set, ingressRate must also be set
 
 	EgressRate  uint64 `json:"egressRate"`  // Bandwidth rate in bps for traffic through container. 0 for no limit. If egressRate is set, egressBurst must also be set
 	EgressBurst uint64 `json:"egressBurst"` // Bandwidth burst in bits for traffic through container. 0 for no limit. If egressBurst is set, egressRate must also be set
@@ -96,10 +98,16 @@ func parseConfig(stdin []byte) (*PluginConf, error) {
 }
 
 func getBandwidth(conf *PluginConf) *BandwidthEntry {
-	if conf.BandwidthEntry == nil && conf.RuntimeConfig.Bandwidth != nil {
-		return conf.RuntimeConfig.Bandwidth
+	bw := conf.BandwidthEntry
+	if bw == nil && conf.RuntimeConfig.Bandwidth != nil {
+		bw = conf.RuntimeConfig.Bandwidth
 	}
-	return conf.BandwidthEntry
+
+	if bw != nil && bw.NonShapedSubnets == nil {
+		bw.NonShapedSubnets = make([]string, 0)
+	}
+
+	return bw
 }
 
 func validateRateAndBurst(rate, burst uint64) error {
@@ -119,13 +127,13 @@ func getIfbDeviceName(networkName string, containerID string) string {
 	return utils.MustFormatHashWithPrefix(maxIfbDeviceLength, ifbDevicePrefix, networkName+containerID)
 }
 
-func getMTU(deviceName string) (int, error) {
+func getMTUAndQLen(deviceName string) (int, int, error) {
 	link, err := netlink.LinkByName(deviceName)
 	if err != nil {
-		return -1, err
+		return -1, -1, err
 	}
 
-	return link.Attrs().MTU, nil
+	return link.Attrs().MTU, link.Attrs().TxQLen, nil
 }
 
 // get the veth peer of container interface in host namespace
@@ -159,6 +167,16 @@ func getHostInterface(interfaces []*current.Interface, containerIfName string, n
 	return nil, fmt.Errorf("no veth peer of container interface found in host ns")
 }
 
+func validateSubnets(subnets []string) error {
+	for _, subnet := range subnets {
+		_, _, err := net.ParseCIDR(subnet)
+		if err != nil {
+			return fmt.Errorf("bad subnet %q provided, details %s", subnet, err)
+		}
+	}
+	return nil
+}
+
 func cmdAdd(args *skel.CmdArgs) error {
 	conf, err := parseConfig(args.StdinData)
 	if err != nil {
@@ -170,6 +188,10 @@ func cmdAdd(args *skel.CmdArgs) error {
 		return types.PrintResult(conf.PrevResult, conf.CNIVersion)
 	}
 
+	if err = validateSubnets(bandwidth.NonShapedSubnets); err != nil {
+		return err
+	}
+
 	if conf.PrevResult == nil {
 		return fmt.Errorf("must be called as chained plugin")
 	}
@@ -191,21 +213,22 @@ func cmdAdd(args *skel.CmdArgs) error {
 	}
 
 	if bandwidth.IngressRate > 0 && bandwidth.IngressBurst > 0 {
-		err = CreateIngressQdisc(bandwidth.IngressRate, bandwidth.IngressBurst, hostInterface.Name)
+		err = CreateIngressQdisc(bandwidth.IngressRate, bandwidth.IngressBurst,
+			bandwidth.NonShapedSubnets, hostInterface.Name)
 		if err != nil {
 			return err
 		}
 	}
 
 	if bandwidth.EgressRate > 0 && bandwidth.EgressBurst > 0 {
-		mtu, err := getMTU(hostInterface.Name)
+		mtu, qlen, err := getMTUAndQLen(hostInterface.Name)
 		if err != nil {
 			return err
 		}
 
 		ifbDeviceName := getIfbDeviceName(conf.Name, args.ContainerID)
 
-		err = CreateIfb(ifbDeviceName, mtu)
+		err = CreateIfb(ifbDeviceName, mtu, qlen)
 		if err != nil {
 			return err
 		}
@@ -219,7 +242,8 @@ func cmdAdd(args *skel.CmdArgs) error {
 			Name: ifbDeviceName,
 			Mac:  ifbDevice.Attrs().HardwareAddr.String(),
 		})
-		err = CreateEgressQdisc(bandwidth.EgressRate, bandwidth.EgressBurst, hostInterface.Name, ifbDeviceName)
+		err = CreateEgressQdisc(bandwidth.EgressRate, bandwidth.EgressBurst,
+			bandwidth.NonShapedSubnets, hostInterface.Name, ifbDeviceName)
 		if err != nil {
 			return err
 		}
@@ -292,75 +316,98 @@ func cmdCheck(args *skel.CmdArgs) error {
 
 	bandwidth := getBandwidth(bwConf)
 
+	err = validateSubnets(bandwidth.NonShapedSubnets)
+	if err != nil {
+		return fmt.Errorf("failed to check subnets, details %s", err)
+	}
+
 	if bandwidth.IngressRate > 0 && bandwidth.IngressBurst > 0 {
 		rateInBytes := bandwidth.IngressRate / 8
 		burstInBytes := bandwidth.IngressBurst / 8
 		bufferInBytes := buffer(rateInBytes, uint32(burstInBytes))
-		latency := latencyInUsec(latencyInMillis)
-		limitInBytes := limit(rateInBytes, latency, uint32(burstInBytes))
-
-		qdiscs, err := SafeQdiscList(link)
+		err = checkHTB(link, rateInBytes, bufferInBytes)
 		if err != nil {
 			return err
 		}
-		if len(qdiscs) == 0 {
-			return fmt.Errorf("Failed to find qdisc")
-		}
-
-		for _, qdisc := range qdiscs {
-			tbf, isTbf := qdisc.(*netlink.Tbf)
-			if !isTbf {
-				break
-			}
-			if tbf.Rate != rateInBytes {
-				return fmt.Errorf("Rate doesn't match")
-			}
-			if tbf.Limit != limitInBytes {
-				return fmt.Errorf("Limit doesn't match")
-			}
-			if tbf.Buffer != bufferInBytes {
-				return fmt.Errorf("Buffer doesn't match")
-			}
-		}
 	}
-
 	if bandwidth.EgressRate > 0 && bandwidth.EgressBurst > 0 {
 		rateInBytes := bandwidth.EgressRate / 8
 		burstInBytes := bandwidth.EgressBurst / 8
 		bufferInBytes := buffer(rateInBytes, uint32(burstInBytes))
-		latency := latencyInUsec(latencyInMillis)
-		limitInBytes := limit(rateInBytes, latency, uint32(burstInBytes))
-
 		ifbDeviceName := getIfbDeviceName(bwConf.Name, args.ContainerID)
-
 		ifbDevice, err := netlink.LinkByName(ifbDeviceName)
 		if err != nil {
 			return fmt.Errorf("get ifb device: %s", err)
 		}
-
-		qdiscs, err := SafeQdiscList(ifbDevice)
+		err = checkHTB(ifbDevice, rateInBytes, bufferInBytes)
 		if err != nil {
 			return err
 		}
-		if len(qdiscs) == 0 {
-			return fmt.Errorf("Failed to find qdisc")
+	}
+	return nil
+}
+
+func checkHTB(link netlink.Link, rateInBytes uint64, bufferInBytes uint32) error {
+	qdiscs, err := SafeQdiscList(link)
+	if err != nil {
+		return err
+	}
+	if len(qdiscs) == 0 {
+		return fmt.Errorf("Failed to find qdisc")
+	}
+	foundHTB := false
+	for _, qdisc := range qdiscs {
+		htb, isHtb := qdisc.(*netlink.Htb)
+		if !isHtb {
+			continue
 		}
 
-		for _, qdisc := range qdiscs {
-			tbf, isTbf := qdisc.(*netlink.Tbf)
-			if !isTbf {
-				break
+		if foundHTB {
+			return fmt.Errorf("Several htb qdisc found for device %s", link.Attrs().Name)
+		}
+
+		foundHTB = true
+		if htb.Defcls != DefaultClassMinorID {
+			return fmt.Errorf("Default class does not match")
+		}
+
+		classes, err := netlink.ClassList(link, htb.Handle)
+		if err != nil {
+			return fmt.Errorf("Unable to list classes bound to htb qdisc for device %s. Details %s",
+				link.Attrs().Name, err)
+		}
+		if len(classes) != 2 {
+			return fmt.Errorf("Number of htb classes does not match for device %s (%d != 2)",
+				link.Attrs().Name, len(classes))
+		}
+
+		for _, c := range classes {
+			htbClass, isHtb := c.(*netlink.HtbClass)
+			if !isHtb {
+				return fmt.Errorf("Unexpected class for parent htb qdisc bound to device %s", link.Attrs().Name)
 			}
-			if tbf.Rate != rateInBytes {
-				return fmt.Errorf("Rate doesn't match")
-			}
-			if tbf.Limit != limitInBytes {
-				return fmt.Errorf("Limit doesn't match")
-			}
-			if tbf.Buffer != bufferInBytes {
-				return fmt.Errorf("Buffer doesn't match")
+			if htbClass.Handle == htb.Defcls {
+				if htbClass.Rate != rateInBytes {
+					return fmt.Errorf("Rate does not match for the default class for device %s (%d != %d)",
+						link.Attrs().Name, htbClass.Rate, rateInBytes)
+				}
+
+				if htbClass.Buffer != bufferInBytes {
+					return fmt.Errorf("Burst buffer size does not match for the default class for device %s (%d != %d)",
+						link.Attrs().Name, htbClass.Buffer, bufferInBytes)
+				}
+			} else if htbClass.Handle == netlink.MakeHandle(1, 1) {
+				if htbClass.Rate != UncappedRate {
+					return fmt.Errorf("Rate does not match for the uncapped class for device %s (%d != %d)",
+						link.Attrs().Name, htbClass.Rate, UncappedRate)
+				}
 			}
 		}
+
+		// TODO: check non shaped subnet filters
+		// if bandwidth.NonShapedSubnets {
+		// 	filters, err := netlink.FilterList(link, htb.Handle)
+		// }
 	}
 
 	return nil