Blame doc/actions/gact-usage

gact <ACTION> [RAND] [INDEX]

Where:
	ACTION := reclassify | drop | continue | pass | ok
	RAND := random <RANDTYPE> <ACTION> <VAL>
	RANDTYPE := netrand | determ
	VAL := value not exceeding 10000
	INDEX := index value used

ACTION semantics
- pass and ok are equivalent to accept
- continue allows restarting the classification lookup
- drop drops packets
- reclassify implies continuing classification where we left off

randomization
--------------

At the moment there are only two algorithms. One is deterministic
and the other uses the kernel's internal netrand.

Examples:

Rules can be installed on both ingress and egress - this shows ingress
only

tc qdisc add dev eth0 ingress

# example 1
tc filter add dev eth0 parent ffff: protocol ip prio 6 u32 match ip src \
10.0.0.9/32 flowid 1:16 action drop

ping -c 20 10.0.0.9

--
filter u32
filter u32 fh 800: ht divisor 1
filter u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:16  (rule hit 32 success 20)
  match 0a000009/ffffffff at 12 (success 20 )
        action order 1: gact action drop
         random type none pass val 0
         index 1 ref 1 bind 1 installed 59 sec used 35 sec
         Sent 1680 bytes 20 pkts (dropped 20, overlimits 0 )

----

# example 2
# allow 1 out of 10 randomly using the netrand generator
tc filter add dev eth0 parent ffff: protocol ip prio 6 u32 match ip src \
10.0.0.9/32 flowid 1:16 action drop random netrand ok 10

ping -c 20 10.0.0.9

----
filter protocol ip pref 6 u32
filter protocol ip pref 6 u32 fh 800: ht divisor 1
filter protocol ip pref 6 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:16  (rule hit 20 success 20)
  match 0a000009/ffffffff at 12 (success 20 )
        action order 1: gact action drop
         random type netrand pass val 10
         index 5 ref 1 bind 1 installed 49 sec used 25 sec
         Sent 1680 bytes 20 pkts (dropped 16, overlimits 0 )

--------
# alternative: deterministically accept every second packet
tc filter add dev eth0 parent ffff: protocol ip prio 6 u32 match ip src \
10.0.0.9/32 flowid 1:16 action drop random determ ok 2

ping -c 20 10.0.0.9

tc -s filter show parent ffff: dev eth0
-----
filter protocol ip pref 6 u32
filter protocol ip pref 6 u32 fh 800: ht divisor 1
filter protocol ip pref 6 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:16  (rule hit 20 success 20)
  match 0a000009/ffffffff at 12 (success 20 )
        action order 1: gact action drop
         random type determ pass val 2
         index 4 ref 1 bind 1 installed 118 sec used 82 sec
         Sent 1680 bytes 20 pkts (dropped 10, overlimits 0 )
-----
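
Checking an installed rule against its counters (an added example, not part of
the original gact-usage file): the script reads "tc -s filter show" output and
prints, per gact action, how many packets escaped the drop next to the number
the VAL setting predicts. The names gact_summary and sample_output are made up
here; it assumes the main action is drop and the RAND action is ok, and takes
the expected figure as pkts/VAL ("1 out of 10", "every second packet").

```shell
#!/bin/sh
# Added example: summarise gact counters from `tc -s filter show` output.
# Assumption: main action is drop, RAND action is ok/pass, as in the listings above.

gact_summary() {
    awk '
    /gact action/            { in_gact = 1; rtype = "none"; val = 0; idx = "?" }
    in_gact && /random type/ { rtype = $3; val = $NF + 0 }
    in_gact && $1 == "index" { idx = $2 }
    in_gact && $1 == "Sent"  {
        pkts = $4 + 0
        dropped = $7 + 0        # the field is "16," and coerces to 16
        # VAL 0 means no randomization, so nothing is expected to pass
        expected = (val > 0) ? int(pkts / val) : 0
        printf "index=%s type=%s val=%d pkts=%d dropped=%d passed=%d expected=%d\n",
               idx, rtype, val, pkts, dropped, pkts - dropped, expected
        in_gact = 0
    }'
}

# Counter lines copied from the three listings on this page.
sample_output() {
    cat <<'EOF'
        action order 1: gact action drop
         random type none pass val 0
         index 1 ref 1 bind 1 installed 59 sec used 35 sec
         Sent 1680 bytes 20 pkts (dropped 20, overlimits 0 )
        action order 1: gact action drop
         random type netrand pass val 10
         index 5 ref 1 bind 1 installed 49 sec used 25 sec
         Sent 1680 bytes 20 pkts (dropped 16, overlimits 0 )
        action order 1: gact action drop
         random type determ pass val 2
         index 4 ref 1 bind 1 installed 118 sec used 82 sec
         Sent 1680 bytes 20 pkts (dropped 10, overlimits 0 )
EOF
}

# On a live system: tc -s filter show parent ffff: dev eth0 | gact_summary
sample_output | gact_summary
```

With determ the passed and expected columns agree exactly; with netrand they
only converge over many packets, so a 20-packet ping can show 4 passed against
an expected 2.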