From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Mathieu Poirier <mathieu.poirier@linaro.org>
Cc: netfilter-devel@vger.kernel.org, netfilter@vger.kernel.org,
John Stultz <john.stultz@linaro.org>, JP Abgrall <jpa@google.com>
Subject: Re: [PATCH 1/1] netfilter: xtables: add quota support to nfacct
Date: Thu, 19 Dec 2013 20:43:39 +0100
Message-ID: <20131219194339.GA4561@localhost>
In-Reply-To: <CANLsYkxMzdFCpJ3456PPd8KsEPi-U70kJDqGv8c3BhCsKY8RiQ@mail.gmail.com>
On Thu, Dec 19, 2013 at 10:20:56AM -0700, Mathieu Poirier wrote:
> > NFNLGRP_CONNTRACK_EXP_DESTROY,
> > #define NFNLGRP_CONNTRACK_EXP_DESTROY
> NFNLGRP_CONNTRACK_EXP_DESTROY
> > + NFNLGRP_CONNTRACK_QUOTA,
> > +#define NFNLGRP_CONNTRACK_QUOTA
> NFNLGRP_CONNTRACK_QUOTA
> Use NFNLGRP_ACCT_QUOTA, this has nothing to do with conntrack.
>
> Please confirm that you suggest to create a
> "enum nfnl_acct_groups{}"
> in include/uapi/linux/netfilter/nfnetlink_acct.h, the same way as
> above?
No. I just mean that you rename that since this has nothing to do
with conntrack.
> > __NFNLGRP_MAX,
> > };
> > #define NFNLGRP_MAX (__NFNLGRP_MAX - 1)
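Review bot: the new multicast group in `+ NFNLGRP_CONNTRACK_QUOTA,` and its `#define` sit in the conntrack block under a NFNLGRP_CONNTRACK_ name although they carry accounting events; rename them to NFNLGRP_ACCT_QUOTA as the review above asks, before the name becomes permanent UAPI. Appending the entry just before `__NFNLGRP_MAX` is the right placement, since the existing group numbers must not shift for current userspace.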
> > diff --git a/include/uapi/linux/netfilter/nfnetlink_acct.h
> b/include/uapi/linux/netfilter/nfnetlink_acct.h
> > index c7b6269..ae8ea0a 100644
> > --- a/include/uapi/linux/netfilter/nfnetlink_acct.h
> > +++ b/include/uapi/linux/netfilter/nfnetlink_acct.h
> > @@ -19,6 +19,7 @@ enum nfnl_acct_type {
> > NFACCT_PKTS,
> > NFACCT_BYTES,
> > NFACCT_USE,
> > + NFACCT_QUOTA,
> > __NFACCT_MAX
> > };
> > #define NFACCT_MAX (__NFACCT_MAX - 1)
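Review bot: `+ NFACCT_QUOTA,` says nothing about its payload, while the xt side of this patch distinguishes a packet quota from a byte quota; in a UAPI header the attribute needs a comment stating its width and whether it is a packet or byte limit, or a way to carry that unit, so nfacct userspace can interpret it. Placing it before `__NFACCT_MAX` keeps the NFACCT_PKTS, NFACCT_BYTES and NFACCT_USE values stable, which is correct.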
> > diff --git a/include/uapi/linux/netfilter/xt_nfacct.h
> b/include/uapi/linux/netfilter/xt_nfacct.h
> > index 3e19c8a..c2e49a6 100644
> > --- a/include/uapi/linux/netfilter/xt_nfacct.h
> > +++ b/include/uapi/linux/netfilter/xt_nfacct.h
> > @@ -3,11 +3,22 @@
> >
> > #include <linux/netfilter/nfnetlink_acct.h>
> >
> > +enum xt_quota_flags {
> > + XT_QUOTA_INVERT = 1 << 0,
> I don't understand the interaction of invert and the event delivery.
>
> It was added for flexibility [...]
I mean: This is currently broken in your patch, it is always
delivering an event when the quota is reached, no matter if invert is
set or not.
> > + XT_QUOTA_PACKET = 1 << 1,
> > + XT_QUOTA_QUOTA = 1 << 2,
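Review bot: the enum name `xt_quota_flags` and the XT_QUOTA_ prefix of `+ XT_QUOTA_INVERT = 1 << 0,` and the two values after it collide with the separate xt_quota match, and since this is a UAPI header the names cannot be changed later; use an XT_NFACCT_ prefix (the rename given below). `XT_QUOTA_PACKET` versus `XT_QUOTA_QUOTA` also does not say which one is the byte limit; name the unit explicitly, and document how XT_QUOTA_INVERT is meant to affect the one-shot event, which the header leaves undefined.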
> XT_QUOTA_QUOTA ? :-)
>
> Yes - quotas are not mandatory [...]
I'm just proposing a plain rename:
s/XT_QUOTA_PACKET/XT_NFACCT_QUOTA_PKTS
s/XT_QUOTA_QUOTA/XT_NFACCT_QUOTA_BYTES
XT_QUOTA refers to the xt_quota match, which is a different iptables
match extension.
Thinking again on the event delivery, I think it's better if the
nfacct match using the new --quota does not deliver the event itself.
You can use libnetfilter_queue instead, e.g.
iptables -I INPUT -p icmp \
-m nfacct icmp --quota 12345 --mode bytes --match-once \
-j NFLOG --nflog-prefix "icmp: " --nflog-group 34
The --once parameter tells it to match only if you just crossed the quota
limit (so the event is sent once). The idea is to use nflog to deliver
the event, which is way more flexible as it includes useful
information.
P.S: please disable HTML in your emails. Thanks.
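As an added illustration of the two review points in this message (the invert/event interaction and the --match-once crossing semantic), here is a userspace model of the match decision; it is not code from the patch or from the kernel. The flag names follow the rename proposed above, while the bit values, the ONCE flag, the struct layout, broken_event() and the 60-byte sample packets are assumptions constructed for this model.

```c
#include <stdbool.h>
#include <stdint.h>

/* Names follow the rename proposed above; the bit values and the ONCE flag
 * (--match-once) are assumptions of this model, not the patch's UAPI. */
enum { XT_NFACCT_QUOTA_INVERT = 1 << 0, XT_NFACCT_QUOTA_PKTS = 1 << 1,
       XT_NFACCT_QUOTA_BYTES = 1 << 2, XT_NFACCT_QUOTA_ONCE = 1 << 3 };
struct nfacct_quota {
	uint64_t quota;		/* limit, in packets or bytes */
	uint64_t pkts, bytes;	/* running counters */
	unsigned int flags;
};

static uint64_t counter(const struct nfacct_quota *q)
{
	return (q->flags & XT_NFACCT_QUOTA_PKTS) ? q->pkts : q->bytes;
}

/* Match decision: true when the rule's target (e.g. NFLOG) runs. With ONCE only
 * the packet that crosses the limit is "over"; invert applies to that result. */
bool nfacct_quota_mt(struct nfacct_quota *q, uint64_t pktlen)
{
	uint64_t before = counter(q);
	q->pkts++;
	q->bytes += pktlen;
	uint64_t after = counter(q);
	bool over = (q->flags & XT_NFACCT_QUOTA_ONCE)
		    ? (before <= q->quota && after > q->quota) : after > q->quota;
	return over != !!(q->flags & XT_NFACCT_QUOTA_INVERT);
}

/* The behaviour objected to in the review: the event is derived from the
 * counter alone, so setting invert changes nothing. */
bool broken_event(const struct nfacct_quota *q)
{
	return counter(q) > q->quota;
}

/* Feed three constructed 60-byte packets through a 100-byte quota. Bits 0..2
 * record which packets matched; bits 4..6 record when broken_event() fired. */
unsigned int run_demo(unsigned int flags)
{
	struct nfacct_quota q = { .quota = 100, .flags = flags };
	unsigned int res = 0;
	for (int i = 0; i < 3; i++) {
		res |= (unsigned int)nfacct_quota_mt(&q, 60) << i;
		res |= (unsigned int)broken_event(&q) << (4 + i);
	}
	return res;
}
```

With invert set, the model's match result and broken_event() diverge from the second packet on, which is the inconsistency described above; with ONCE only the crossing packet matches, so an NFLOG target fires once.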