From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Subject: [PATCH v2,nf-next 07/11] netfilter: nft_quota: dump consumed quota
Date: Fri, 2 Dec 2016 19:08:37 +0100
Message-ID: <1480702121-1782-8-git-send-email-pablo@netfilter.org>
In-Reply-To: <1480702121-1782-1-git-send-email-pablo@netfilter.org>
Add a new attribute NFTA_QUOTA_CONSUMED that displays the amount of
quota that has been already consumed. This allows us to restore the
internal state of the quota object between reboots as well as to monitor
how wasted it is.
This patch changes the logic to account for the consumed bytes, instead
of the bytes that remain to be consumed.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
v2: Fix dump logic, nft_quota_do_dump() should include consumed bytes
larger than the total quota.
include/uapi/linux/netfilter/nf_tables.h | 2 ++
net/netfilter/nft_quota.c | 20 +++++++++++++++-----
2 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index e1b11aa777f2..d4b0b652e76f 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -984,12 +984,14 @@ enum nft_quota_flags {
*
* @NFTA_QUOTA_BYTES: quota in bytes (NLA_U16)
* @NFTA_QUOTA_FLAGS: flags (NLA_U32)
+ * @NFTA_QUOTA_CONSUMED: quota already consumed in bytes (NLA_U64)
*/
enum nft_quota_attributes {
NFTA_QUOTA_UNSPEC,
NFTA_QUOTA_BYTES,
NFTA_QUOTA_FLAGS,
NFTA_QUOTA_PAD,
+ NFTA_QUOTA_CONSUMED,
__NFTA_QUOTA_MAX
};
#define NFTA_QUOTA_MAX (__NFTA_QUOTA_MAX - 1)
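Review bot: the kerneldoc line for NFTA_QUOTA_BYTES still says (NLA_U16) while nft_quota_do_dump() emits that attribute with nla_put_be64() and NFTA_QUOTA_PAD, and the new NFTA_QUOTA_CONSUMED line correctly says (NLA_U64); since this hunk already touches the comment block, change the NFTA_QUOTA_BYTES line to `(NLA_U64)` as well so userspace implementers are not told to read a 16-bit attribute. Appending NFTA_QUOTA_CONSUMED after NFTA_QUOTA_PAD keeps the existing enum values stable, which is the right way to extend a UAPI enum.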
diff --git a/net/netfilter/nft_quota.c b/net/netfilter/nft_quota.c
index 6fcd41b1a251..e98c0c70f40a 100644
--- a/net/netfilter/nft_quota.c
+++ b/net/netfilter/nft_quota.c
@@ -18,20 +18,20 @@
struct nft_quota {
u64 quota;
bool invert;
- atomic64_t remain;
+ atomic64_t consumed;
};
static inline bool nft_overquota(struct nft_quota *priv,
- const struct nft_pktinfo *pkt)
+ const struct sk_buff *skb)
{
- return atomic64_sub_return(pkt->skb->len, &priv->remain) < 0;
+ return atomic64_add_return(skb->len, &priv->consumed) >= priv->quota;
}
static inline void nft_quota_do_eval(struct nft_quota *priv,
struct nft_regs *regs,
const struct nft_pktinfo *pkt)
{
- if (nft_overquota(priv, pkt) ^ priv->invert)
+ if (nft_overquota(priv, pkt->skb) ^ priv->invert)
regs->verdict.code = NFT_BREAK;
}
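Review bot: the over-quota boundary shifts by one byte in nft_overquota(): the old test `atomic64_sub_return(pkt->skb->len, &priv->remain) < 0` only fired once more than `quota` bytes had been seen, whereas `atomic64_add_return(skb->len, &priv->consumed) >= priv->quota` fires as soon as the consumed count reaches `quota`, so a packet that exactly fills the quota is now treated as over quota. If that is intended, say so in the changelog; otherwise use `>` to keep the previous semantics. Also note that atomic64_add_return() returns a signed value that is compared against the u64 `quota`; this is fine while the counter stays below 2^63, which it will in practice, but the counter is never clamped and keeps growing by skb->len for every packet after the quota is exhausted.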
@@ -70,7 +70,7 @@ static int nft_quota_do_init(const struct nlattr * const tb[],
priv->quota = quota;
priv->invert = (flags & NFT_QUOTA_F_INV) ? true : false;
- atomic64_set(&priv->remain, quota);
+ atomic64_set(&priv->consumed, 0);
return 0;
}
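Review bot: the changelog says the new attribute allows restoring the quota object's internal state between reboots, but nft_quota_do_init() still does `atomic64_set(&priv->consumed, 0)` unconditionally and nothing in this patch parses NFTA_QUOTA_CONSUMED on input (no policy entry for it is added either). Either accept an optional NFTA_QUOTA_CONSUMED in init, with an NLA_U64 policy entry and a check that the restored value does not exceed `quota`, or reword the changelog to say the attribute is dump-only for now.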
@@ -87,9 +87,19 @@ static int nft_quota_do_dump(struct sk_buff *skb, struct nft_quota *priv,
bool reset)
{
u32 flags = priv->invert ? NFT_QUOTA_F_INV : 0;
+ u64 consumed;
+
+ consumed = atomic64_read(&priv->consumed);
+ /* Since we inconditionally increment the quota for each packet that we
+ * see, don't puzzle userspace with a number going over the quota.
+ */
+ if (consumed > priv->quota)
+ consumed = priv->quota;
if (nla_put_be64(skb, NFTA_QUOTA_BYTES, cpu_to_be64(priv->quota),
NFTA_QUOTA_PAD) ||
+ nla_put_be64(skb, NFTA_QUOTA_CONSUMED, cpu_to_be64(consumed),
+ NFTA_QUOTA_PAD) ||
nla_put_be32(skb, NFTA_QUOTA_FLAGS, htonl(flags)))
goto nla_put_failure;
return 0;
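Review bot: the new comment in nft_quota_do_dump() has a typo, "inconditionally" should be "unconditionally". More substantively, the function takes a `reset` argument but this hunk only does `atomic64_read(&priv->consumed)` and nothing visible acts on `reset`; if reset is meant to zero the counter, use `atomic64_xchg(&priv->consumed, 0)` when `reset` is set so the value reported and the value cleared are the same and no bytes counted between a separate read and set are lost. The clamp to `priv->quota` is reasonable for the dump, but combined with the `>=` test in nft_overquota() it means userspace sees `consumed == quota` both when the quota was exactly reached and when it was exceeded; that is acceptable if the only consumer is the over-quota decision, but worth a sentence in the changelog.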
--
2.1.4
Thread overview: 12+ messages
2016-12-02 18:08 [PATCH v2,nf-next 00/11] nf_tables: add stateful objects Pablo Neira Ayuso
2016-12-02 18:08 ` [PATCH v2,nf-next 01/11] netfilter: " Pablo Neira Ayuso
2016-12-02 18:08 ` [PATCH v2,nf-next 02/11] netfilter: nft_counter: add stateful object type Pablo Neira Ayuso
2016-12-02 18:08 ` [PATCH v2,nf-next 03/11] netfilter: nft_quota: " Pablo Neira Ayuso
2016-12-02 18:08 ` [PATCH v2,nf-next 04/11] netfilter: nf_tables: add stateful object reference expression Pablo Neira Ayuso
2016-12-02 18:08 ` [PATCH v2,nf-next 05/11] netfilter: nf_tables: atomic dump and reset for stateful objects Pablo Neira Ayuso
2016-12-02 18:08 ` [PATCH v2,nf-next 06/11] netfilter: nf_tables: notify internal updates of " Pablo Neira Ayuso
2016-12-02 18:08 ` Pablo Neira Ayuso [this message]
2016-12-02 18:08 ` [PATCH v2,nf-next 08/11] netfilter: nft_quota: add depleted flag for objects Pablo Neira Ayuso
2016-12-02 18:08 ` [PATCH v2,nf-next 09/11] netfilter: nf_tables: add stateful object reference to set elements Pablo Neira Ayuso
2016-12-02 18:08 ` [PATCH v2,nf-next 10/11] netfilter: nft_objref: support for stateful object maps Pablo Neira Ayuso
2016-12-02 18:08 ` [PATCH nf-next 11/11] netfilter: nf_tables: allow to filter stateful object dumps by type Pablo Neira Ayuso