1 2gact <ACTION> [RAND] [INDEX] 3 4Where: 5 ACTION := reclassify | drop | continue | pass | ok 6 RAND := random <RANDTYPE> <ACTION> <VAL> 7 RANDTYPE := netrand | determ 8 VAL : = value not exceeding 10000 9 INDEX := index value used 10 11ACTION semantics 12- pass and ok are equivalent to accept 13- continue allows to restart classification lookup 14- drop drops packets 15- reclassify implies continue classification where we left off 16 17randomization 18-------------- 19 20At the moment there are only two algorithms. One is deterministic 21and the other uses internal kernel netrand. 22 23Examples: 24 25Rules can be installed on both ingress and egress - this shows ingress 26only 27 28tc qdisc add dev eth0 ingress 29 30# example 1 31tc filter add dev eth0 parent ffff: protocol ip prio 6 u32 match ip src \ 3210.0.0.9/32 flowid 1:16 action drop 33 34ping -c 20 10.0.0.9 35 36-- 37filter u32 38filter u32 fh 800: ht divisor 1 39filter u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:16 (rule hit 32 success 20) 40 match 0a000009/ffffffff at 12 (success 20 ) 41 action order 1: gact action drop 42 random type none pass val 0 43 index 1 ref 1 bind 1 installed 59 sec used 35 sec 44 Sent 1680 bytes 20 pkts (dropped 20, overlimits 0 ) 45 46---- 47 48# example 2 49#allow 1 out 10 randomly using the netrand generator 50tc filter add dev eth0 parent ffff: protocol ip prio 6 u32 match ip src \ 5110.0.0.9/32 flowid 1:16 action drop random netrand ok 10 52 53ping -c 20 10.0.0.9 54 55---- 56filter protocol ip pref 6 u32 filter protocol ip pref 6 u32 fh 800: ht divisor 1filter protocol ip pref 6 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:16 (rule hit 20 success 20) 57 match 0a000009/ffffffff at 12 (success 20 ) 58 action order 1: gact action drop 59 random type netrand pass val 10 60 index 5 ref 1 bind 1 installed 49 sec used 25 sec 61 Sent 1680 bytes 20 pkts (dropped 16, overlimits 0 ) 62 63-------- 64#alternative: deterministically accept every second packet 65tc filter add dev eth0 parent ffff: protocol ip prio 6 u32 match ip src \ 6610.0.0.9/32 flowid 1:16 action drop random determ ok 2 67 68ping -c 20 10.0.0.9 69 70tc -s filter show parent ffff: dev eth0 71----- 72filter protocol ip pref 6 u32 filter protocol ip pref 6 u32 fh 800: ht divisor 1filter protocol ip pref 6 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:16 (rule hit 20 success 20) 73 match 0a000009/ffffffff at 12 (success 20 ) 74 action order 1: gact action drop 75 random type determ pass val 2 76 index 4 ref 1 bind 1 installed 118 sec used 82 sec 77 Sent 1680 bytes 20 pkts (dropped 10, overlimits 0 ) 78----- 79 80