netfilter-devel.vger.kernel.org archive mirror
* nfacct: setting quotas does not seem to work.
@ 2016-08-11 14:00 Josue Alvarez
  2016-08-17 22:44 ` Pablo Neira Ayuso
  0 siblings, 1 reply; 4+ messages in thread
From: Josue Alvarez @ 2016-08-11 14:00 UTC (permalink / raw)
  To: netfilter-devel

Hi,

I tried to play a little bit with the quota features of the extended 
accounting infrastructure.
However, it seemed that the quotas were not registered when creating the 
accounting objects.

Example :
# nfacct add testquota packet 5
# iptables -I OUTPUT -p icmp -m nfacct --nfacct-name testquota
# nfacct get testquota
{ pkts = 00000000000000000000, bytes = 00000000000000000000 } = testquota;

When I ping the machine, I see the counters go above 5 packets, however 
I get no output when running :
# nfacct monitor

After a little bit of investigation in the code of nfacct, I checked 
that the NFACCT_ATTR_FLAGS and NFACCT_ATTR_QUOTA attributes were set. (I 
managed to call _nfacct_cmd_add with flags=NFACCT_F_QUOTA_PKTS).

However, the kernel code in netfilter/net/nfnetlink_acct.c somehow did 
not "get" the flags : the execution didn't enter in the  "if 
(tb[NFACCT_FLAGS]) { ... }" in nfnl_acct_new(). (checked that using printk).

Any idea how this could happen ?

Thanks :)

* Re: nfacct: setting quotas does not seem to work.
  2016-08-11 14:00 nfacct: setting quotas does not seem to work Josue Alvarez
@ 2016-08-17 22:44 ` Pablo Neira Ayuso
  2016-08-18  7:34   ` Josue Alvarez
  0 siblings, 1 reply; 4+ messages in thread
From: Pablo Neira Ayuso @ 2016-08-17 22:44 UTC (permalink / raw)
  To: Josue Alvarez; +Cc: netfilter-devel

On Thu, Aug 11, 2016 at 04:00:37PM +0200, Josue Alvarez wrote:
> Hi,
> 
> I tried to play a little bit with the quota features of the extended
> accounting infrastructure.
> However, it seemed that the quotas were not registered when creating the
> accounting objects.
> 
> Example :
> # nfacct add testquota packet 5
> # iptables -I OUTPUT -p icmp -m nfacct --nfacct-name testquota
> # nfacct get testquota
> { pkts = 00000000000000000000, bytes = 00000000000000000000 } = testquota;
> 
> When I ping the machine, I see the counters go above 5 packets, however I
> get no output when running :
> # nfacct monitor

I get this here:

{ pkts = 00000000000000000005, bytes = 00000000000000000420, quota = 00000000000000000005, mode = packet, overquota = yes } = testquota;

> After a little bit of investigation in the code of nfacct, I checked that
> the NFACCT_ATTR_FLAGS and NFACCT_ATTR_QUOTA attributes were set. (I managed
> to call _nfacct_cmd_add with flags=NFACCT_F_QUOTA_PKTS).
> 
> However, the kernel code in netfilter/net/nfnetlink_acct.c somehow did not
> "get" the flags : the execution didn't enter in the  "if (tb[NFACCT_FLAGS])
> { ... }" in nfnl_acct_new(). (checked that using printk).
> 
> Any idea how this could happen ?

Probably using an old kernel version with no quota support?

* Re: nfacct: setting quotas does not seem to work.
  2016-08-17 22:44 ` Pablo Neira Ayuso
@ 2016-08-18  7:34   ` Josue Alvarez
  2016-08-18 14:54     ` Pablo Neira Ayuso
  0 siblings, 1 reply; 4+ messages in thread
From: Josue Alvarez @ 2016-08-18  7:34 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

On 18/08/2016 00:44, Pablo Neira Ayuso wrote:
> Probably using an old kernel version with no quota support? 

I found out that the issue came from libnetfilter_acct, from which I had 
one package installed (1.0.2) and some binaries from the git version 
installed with 'make install' from the sources. The linking happened on 
the 1.0.2, which does not seem to support quotas (nfacct_attr_set and 
nfacct_attr_get do not handle the cases NFACCT_ATTR_QUOTA and 
NFACCT_ATTR_FLAGS).
After removing that package it worked well.

By the way, there's actually no release of libnetfilter_acct with quota 
support, am I wrong ?
That's not a problem for me, but it could be for other users.

* Re: nfacct: setting quotas does not seem to work.
  2016-08-18  7:34   ` Josue Alvarez
@ 2016-08-18 14:54     ` Pablo Neira Ayuso
  0 siblings, 0 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2016-08-18 14:54 UTC (permalink / raw)
  To: Josue Alvarez; +Cc: netfilter-devel

On Thu, Aug 18, 2016 at 09:34:04AM +0200, Josue Alvarez wrote:
> On 18/08/2016 00:44, Pablo Neira Ayuso wrote:
> >Probably using an old kernel version with no quota support?
> 
> I found out that the issue came from libnetfilter_acct, from which I had one
> package installed (1.0.2) and some binaries from the git version installed
> with 'make install' from the sources. The linking happened on the 1.0.2,
> which does not seem to support quotas (nfacct_attr_set and nfacct_attr_get
> do not handle the cases NFACCT_ATTR_QUOTA and NFACCT_ATTR_FLAGS).
> After removing that package it worked well.
> 
> By the way, there's actually no release of libnetfilter_acct with quota
> support, am I wrong ?
> That's not a problem for me, but it could be for other users.

Will include this in the scheduled release of libnetfilter_conntrack
and conntrack-tools.
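
The diagnosis reached in this thread, written as a repeatable check: an added example, not part of the original messages or of the nfacct sources. It tests whether `nfacct get` output carries a quota field and which libnetfilter_acct copy the binary resolves to; the function names, the ldd/ldconfig sample lines and the library paths are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Functions read captured tool output on stdin so they run offline.

# Succeeds only if `nfacct get <name>` output has a quota field, i.e. the
# quota reached the kernel. "overquota = yes" alone does not match.
quota_registered() {
    tr '\n' ' ' | grep -Eq '(^|[ ,{])quota = *[0-9]+'
}

# Prints the path the dynamic linker resolved for libnetfilter_acct, given
# `ldd "$(command -v nfacct)"` output on stdin.
resolved_acct_lib() {
    awk '$1 ~ /^libnetfilter_acct\.so/ && $2 == "=>" { print $3; exit }'
}

# Prints each distinct libnetfilter_acct path in `ldconfig -p` output; more
# than one line means a packaged and a source-built copy coexist.
acct_lib_copies() {
    awk '$1 ~ /^libnetfilter_acct\.so\.[0-9]+$/ { print $NF }' | sort -u
}

# $1 = `nfacct get` output, $2 = ldd output.
diagnose() {
    lib=$(printf '%s\n' "$2" | resolved_acct_lib)
    if printf '%s\n' "$1" | quota_registered; then
        echo "ok: quota registered (library: ${lib:-unknown})"
    else
        echo "no quota on object; nfacct is linked against ${lib:-unknown}"
    fi
}

# The two `nfacct get` outputs quoted in the thread.
NO_QUOTA='{ pkts = 00000000000000000000, bytes = 00000000000000000000 } = testquota;'
WITH_QUOTA='{ pkts = 00000000000000000005, bytes = 00000000000000000420, quota =
00000000000000000005, mode = packet, overquota = yes } = testquota;'
# Constructed samples; the paths are assumptions.
LDD_SAMPLE='    libnetfilter_acct.so.1 => /usr/lib/libnetfilter_acct.so.1 (0x00007f0000000000)'
LDCONFIG_SAMPLE='    libnetfilter_acct.so.1 (libc6,x86-64) => /usr/local/lib/libnetfilter_acct.so.1
    libnetfilter_acct.so.1 (libc6,x86-64) => /usr/lib/libnetfilter_acct.so.1'

diagnose "$NO_QUOTA" "$LDD_SAMPLE"
diagnose "$WITH_QUOTA" "$LDD_SAMPLE"
printf '%s\n' "$LDCONFIG_SAMPLE" | acct_lib_copies
```

On a live host, replace the samples with the output of `nfacct get testquota`, `ldd "$(command -v nfacct)"` and `ldconfig -p`.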
