• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1
2gact <ACTION> [RAND] [INDEX]
3
4Where:
5	ACTION := reclassify | drop | continue | pass | ok
6	RAND := random <RANDTYPE> <ACTION> <VAL>
7	RANDTYPE := netrand | determ
8        VAL : = value not exceeding 10000
9        INDEX := index value used
10
11ACTION semantics
12- pass and ok are equivalent to accept
13- continue allows to restart classification lookup
14- drop drops packets
15- reclassify implies continue classification where we left off
16
17randomization
18--------------
19
20At the moment there are only two algorithms. One is deterministic
21and the other uses internal kernel netrand.
22
23Examples:
24
25Rules can be installed on both ingress and egress - this shows ingress
26only
27
28tc qdisc add dev eth0 ingress
29
30# example 1
31tc filter add dev eth0 parent ffff: protocol ip prio 6 u32 match ip src \
3210.0.0.9/32 flowid 1:16 action drop
33
34ping -c 20 10.0.0.9
35
36--
37filter u32
38filter u32 fh 800: ht divisor 1
39filter u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:16  (rule hit 32 success 20)
40  match 0a000009/ffffffff at 12 (success 20 )
41        action order 1: gact action drop
42         random type none pass val 0
43         index 1 ref 1 bind 1 installed 59 sec used 35 sec
44         Sent 1680 bytes 20 pkts (dropped 20, overlimits 0 )
45
46----
47
48# example 2
49#allow 1 out 10 randomly using the netrand generator
50tc filter add dev eth0 parent ffff: protocol ip prio 6 u32 match ip src \
5110.0.0.9/32 flowid 1:16 action drop random netrand ok 10
52
53ping -c 20 10.0.0.9
54
55----
56filter protocol ip pref 6 u32 filter protocol ip pref 6 u32 fh 800: ht divisor 1filter protocol ip pref 6 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:16  (rule hit 20 success 20)
57  match 0a000009/ffffffff at 12 (success 20 )
58        action order 1: gact action drop
59         random type netrand pass val 10
60         index 5 ref 1 bind 1 installed 49 sec used 25 sec
61         Sent 1680 bytes 20 pkts (dropped 16, overlimits 0 )
62
63--------
64#alternative: deterministically accept every second packet
65tc filter add dev eth0 parent ffff: protocol ip prio 6 u32 match ip src \
6610.0.0.9/32 flowid 1:16 action drop random determ ok 2
67
68ping -c 20 10.0.0.9
69
70tc -s filter show parent ffff: dev eth0
71-----
72filter protocol ip pref 6 u32 filter protocol ip pref 6 u32 fh 800: ht divisor 1filter protocol ip pref 6 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:16  (rule hit 20 success 20)
73  match 0a000009/ffffffff at 12 (success 20 )
74        action order 1: gact action drop
75         random type determ pass val 2
76         index 4 ref 1 bind 1 installed 118 sec used 82 sec
77         Sent 1680 bytes 20 pkts (dropped 10, overlimits 0 )
78-----
79
80