How can I rate limit network traffic on a docker container

I'm surprised at how difficult it was to find the answer to this question. Most answers on the various forums are incorrect (I tested them with two iperf3 nodes and found that the solutions didn't work or only limited one direction of traffic, i.e. only incoming or only outgoing). A P2P application has much more symmetric data usage than traditional client/server applications, so traffic must be limited in both directions.

The best way I've found to limit network bandwidth (both incoming and outgoing) for a Docker container is to use Linux's own traffic control settings within the running container. Execute the tc commands inside the container before you start your P2P application.

For example, you could create a start-up script like the following, copy it into your docker image and invoke it as the ENTRYPOINT.

Dockerfile (snippet):

COPY /
RUN chmod +x /
ENTRYPOINT /

Put something like this in your start-up script (the tc command lines are probably what you've been searching the Internet for):

#!/bin/sh
# Limit all incoming and outgoing network traffic to 1mbit/s.
# Incoming: police on the ingress qdisc. Its handle is always ffff:, so the
# filter must be attached with "parent ffff:"; 0.0.0.0/0 matches every source.
tc qdisc add dev eth0 handle ffff: ingress
tc filter add dev eth0 parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate 1mbit burst 10k drop flowid :1
# Outgoing: shape with a token bucket filter as the root qdisc.
tc qdisc add dev eth0 root tbf rate 1mbit latency 25ms burst 10k
# Now start your p2p application (exec so it becomes PID 1 and receives
# docker stop's SIGTERM directly).
exec myp2pservice -d

IMPORTANT: When starting the container you'll need to use --cap-add=NET_ADMIN:

docker run --rm -it --cap-add=NET_ADMIN -p 6969:6969 myimage
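A host-side variant of the same tc approach, added here as an example and not part of the answer above: apply the ingress police and the tbf qdisc to the veth peer that Docker creates on the host for the container, so the container itself never needs CAP_NET_ADMIN. The `veth_for_container`, `shape` and `unshape` helpers, the `DRY_RUN` switch and the container name are this example's own; it assumes a Docker bridge network and that the container image provides `cat` (used to read eth0's iflink). Because the host end of a veth pair is mirrored, the container's upload arrives as ingress on the host-side device and its download leaves as egress, so the two qdiscs swap roles relative to the in-container script.

```shell
#!/bin/sh
# Added example (not from the original answer): shape a container's traffic
# from the HOST, on the veth peer Docker created for it, so the container
# needs no CAP_NET_ADMIN. Names (veth_for_container, shape, unshape, DRY_RUN)
# are this script's own; the container image is assumed to provide `cat`.
set -eu

# Resolve the host-side veth of a running container. Inside the container,
# /sys/class/net/eth0/iflink holds the ifindex of eth0's peer on the host.
veth_for_container() {
  peer_idx=$(docker exec "$1" cat /sys/class/net/eth0/iflink)
  for dev in /sys/class/net/*; do
    if [ "$(cat "$dev/ifindex" 2>/dev/null)" = "$peer_idx" ]; then
      basename "$dev"
      return 0
    fi
  done
  echo "no host interface with ifindex $peer_idx" >&2
  return 1
}

# Execute a command, or just print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# shape <host-veth> <rate> <burst>: limit both directions.
# The host end of a veth pair is mirrored: what the container sends shows
# up as INGRESS on the host-side device, what it receives is EGRESS there.
shape() {
  dev=$1; rate=$2; burst=$3
  # Container -> world (upload): police host-side ingress. The ingress
  # qdisc's handle is always ffff:, so the filter hangs off ffff:.
  run tc qdisc add dev "$dev" handle ffff: ingress
  run tc filter add dev "$dev" parent ffff: protocol ip prio 50 u32 \
      match ip src 0.0.0.0/0 police rate "$rate" burst "$burst" drop flowid :1
  # World -> container (download): shape host-side egress with tbf.
  run tc qdisc add dev "$dev" root tbf rate "$rate" latency 25ms burst "$burst"
}

# unshape <host-veth>: remove both qdiscs (and with them the filter).
unshape() {
  run tc qdisc del dev "$1" ingress
  run tc qdisc del dev "$1" root
}

# Usage (as root on the host):
#   shape "$(veth_for_container mycontainer)" 1mbit 10k
#   DRY_RUN=1 shape veth0abc 1mbit 10k   # print the tc commands only
```

Run `shape "$(veth_for_container mycontainer)" 1mbit 10k` as root on the host and `unshape` with the same device to undo it; `DRY_RUN=1` prints the tc commands instead of executing them. The veth (and its qdiscs) disappears when the container is removed, so the shaping has to be reapplied whenever the container is recreated.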

You could use the iptables limits module. For example, you could add a rule to the PREROUTING table using the options "-m limit --limit 10/s" to limit a particular port to receive only 10 connections per second.
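Added example, not part of the answer above: a rule pair using the iptables `limit` match to cap new TCP connection attempts to a container port. Two details matter in the Docker case. First, the `limit` match counts packets, so it is combined with `--syn` to count connection attempts rather than every data segment, and a lone limit rule enforces nothing until a DROP rule follows it. Second, traffic forwarded to a container does not traverse INPUT; Docker documents the filter table's DOCKER-USER chain for user rules, and that chain is evaluated after Docker's DNAT, so the port to match is the container-side port (the same as the published one for a `-p 6969:6969` mapping). The `limit_new_conns` helper and the `DRY_RUN` switch are this example's own.

```shell
#!/bin/sh
# Added example (not from the original answer): cap NEW TCP connection
# attempts to a container port with the iptables "limit" match.
# limit_new_conns and DRY_RUN are this script's own names.
set -eu

# Execute a command, or just print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# limit_new_conns <container-port> <rate> <burst>
# - "-m limit" counts packets, so restrict it to SYN packets; otherwise it
#   would throttle every data segment of established connections too.
# - A lone limit rule changes nothing: packets above the rate simply fail to
#   match and fall through. The DROP rule right behind it is what enforces it.
# - Forwarded container traffic never hits INPUT; Docker documents the
#   filter table's DOCKER-USER chain for user rules. It runs after Docker's
#   DNAT, so <container-port> is the port inside the container (identical to
#   the published one for a "-p 6969:6969" mapping).
limit_new_conns() {
  port=$1; rate=$2; burst=$3
  run iptables -I DOCKER-USER 1 -p tcp --syn --dport "$port" \
      -m limit --limit "$rate" --limit-burst "$burst" -j RETURN
  run iptables -I DOCKER-USER 2 -p tcp --syn --dport "$port" -j DROP
}

# Usage (as root on the host): limit_new_conns 6969 10/s 20
```

The `limit` match is a single aggregate bucket shared by all clients, so one noisy peer can exhaust it for everyone; if the goal is a per-client cap, the `hashlimit` match keyed on source address is the usual replacement.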