From: Michael Zintakis <michael.zintakis@googlemail.com>
To: netfilter-devel@vger.kernel.org
Cc: pablo@netfilter.org
Subject: [PATCH 1/3 nfnetlink_acct] numerous changes and improvements to the kernel code
Date: Sat, 23 Mar 2013 12:17:09 +0000 [thread overview]
Message-ID: <514D9D45.6090804@googlemail.com> (raw)
The following is a first patch of a series of 3 patches dealing with the
following kernel changes to nfnetlink_acct:
* fmt and bthr (format and bytes threshold) properties have been added to
the nfacct object.
* ability to change all nfacct object properties (with the exception of
name) has been added.
* as a result of the above, a full save/restore is now possible, even if
the accounting object is in use by iptables.
Signed-off-by: Michael Zintakis <michael.zintakis@googlemail.com>
---
include/uapi/linux/netfilter/nfnetlink_acct.h | 2 +
net/netfilter/nfnetlink_acct.c | 63 ++++++++++++++++++++++++-
2 files changed, 64 insertions(+), 1 deletion(-)
diff --git a/include/uapi/linux/netfilter/nfnetlink_acct.h b/include/uapi/linux/netfilter/nfnetlink_acct.h
index c7b6269..f07e825 100644
--- a/include/uapi/linux/netfilter/nfnetlink_acct.h
+++ b/include/uapi/linux/netfilter/nfnetlink_acct.h
@@ -18,6 +18,8 @@ enum nfnl_acct_type {
NFACCT_NAME,
NFACCT_PKTS,
NFACCT_BYTES,
+ NFACCT_BTHR,
+ NFACCT_FMT,
NFACCT_USE,
__NFACCT_MAX
};
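Review bot: Placing `NFACCT_BTHR` and `NFACCT_FMT` ahead of `NFACCT_USE` renumbers `NFACCT_USE` in a uapi enum, so the attribute number that already-built userspace treats as the 32-bit use count will now carry the 64-bit bytes threshold. Netlink attribute numbers are ABI and should not be changed once they have been exported. The two new entries should be appended after `NFACCT_USE`, immediately before `__NFACCT_MAX`, so every existing value stays put. The enum begins outside this hunk.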
diff --git a/net/netfilter/nfnetlink_acct.c b/net/netfilter/nfnetlink_acct.c
index 589d686..bcd4ae8 100644
--- a/net/netfilter/nfnetlink_acct.c
+++ b/net/netfilter/nfnetlink_acct.c
@@ -32,6 +32,8 @@ static LIST_HEAD(nfnl_acct_list);
struct nf_acct {
atomic64_t pkts;
atomic64_t bytes;
+ atomic64_t bthr;
+ atomic_t fmt;
struct list_head head;
atomic_t refcnt;
char name[NFACCT_NAME_MAX];
@@ -63,9 +65,55 @@ nfnl_acct_new(struct sock *nfnl, struct sk_buff *skb,
if (matching) {
if (nlh->nlmsg_flags & NLM_F_REPLACE) {
- /* reset counters if you request a replacement. */
+ /* reset counters if you request a replacement */
+ if (!tb[NFACCT_PKTS]) {
+ /*
+ * Prevent resetting the packets counter if
+ * either fmt or bthr are specified.
+ *
+ * This is done for backward compatibility,
+ * otherwise resetting these counters should
+ * only be allowed when tb[NFACCT_PKTS] is
+ * explicitly specified and == 0.
+ *
+ */
+ if (!tb[NFACCT_FMT] &&
+ !tb[NFACCT_BTHR]) {
atomic64_set(&matching->pkts, 0);
+ }
+ } else {
+ atomic64_set(&matching->pkts,
+ be64_to_cpu(nla_get_be64(tb[NFACCT_PKTS])));
+ }
+ if (!tb[NFACCT_BYTES]) {
+ /*
+ * Prevent resetting the packets counter if
+ * either fmt or bthr are specified.
+ *
+ * This is done for backward compatibility,
+ * otherwise resetting these counters should
+ * only be allowed when tb[NFACCT_BYTES] is
+ * explicitly specified and == 0.
+ *
+ */
+ if (!tb[NFACCT_FMT] &&
+ !tb[NFACCT_BTHR]) {
atomic64_set(&matching->bytes, 0);
+ }
+ } else {
+ atomic64_set(&matching->bytes,
+ be64_to_cpu(nla_get_be64(tb[NFACCT_BYTES])));
+ }
+ /* ...and change the format... */
+ if (tb[NFACCT_FMT]) {
+ atomic_set(&matching->fmt,
+ be32_to_cpu(nla_get_be32(tb[NFACCT_FMT])));
+ }
+ /* ... as well as the bytes threshold */
+ if (tb[NFACCT_BTHR]) {
+ atomic64_set(&matching->bthr,
+ be64_to_cpu(nla_get_be64(tb[NFACCT_BTHR])));
+ }
return 0;
}
return -EBUSY;
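Review bot: Whether `NLM_F_REPLACE` zeroes a counter now depends on unrelated attributes: in the `!tb[NFACCT_PKTS]` and `!tb[NFACCT_BYTES]` branches the reset is skipped only when `NFACCT_FMT` or `NFACCT_BTHR` is also present. A replace that carries none of the four attributes therefore still silently clears the accounting data of an object that may be in use. That rule is worth stating once above the block instead of in two copies, and the copy in the bytes branch is wrong; it should read `* Prevent resetting the bytes counter if`. The four values are also written by separate atomic stores, so a concurrent dump or the packet path can presumably observe a mix of old and new state; if restore relies on a consistent snapshot, the comment should say this is not guaranteed. `nfnl_acct_new` starts and ends outside the hunk.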
@@ -85,6 +133,14 @@ nfnl_acct_new(struct sock *nfnl, struct sk_buff *skb,
atomic64_set(&nfacct->pkts,
be64_to_cpu(nla_get_be64(tb[NFACCT_PKTS])));
}
+ if (tb[NFACCT_FMT]) {
+ atomic_set(&nfacct->fmt,
+ be32_to_cpu(nla_get_be32(tb[NFACCT_FMT])));
+ }
+ if (tb[NFACCT_BTHR]) {
+ atomic64_set(&nfacct->bthr,
+ be64_to_cpu(nla_get_be64(tb[NFACCT_BTHR])));
+ }
atomic_set(&nfacct->refcnt, 1);
list_add_tail_rcu(&nfacct->head, &nfnl_acct_list);
return 0;
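Review bot: `NFACCT_FMT` is stored exactly as received, both here in `atomic_set(&nfacct->fmt, ...)` and in the replace path in the previous hunk. The `NLA_U32` policy entry added later only checks the attribute length, so any 32-bit value is accepted and later echoed to every listener by `nfnl_acct_fill_info`. If the field encodes a fixed set of formats, which is inferred from the description because the kernel never interprets it in the visible hunks, values outside that set should be rejected with `-EINVAL` before the object is updated or linked into `nfnl_acct_list`. On the create path that check belongs before the allocation, or the error path must free `nfacct`. A one-line comment on the struct field stating that `fmt` is opaque to the kernel would also help. The enclosing function starts outside the hunk.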
@@ -121,6 +177,9 @@ nfnl_acct_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
}
if (nla_put_be64(skb, NFACCT_PKTS, cpu_to_be64(pkts)) ||
nla_put_be64(skb, NFACCT_BYTES, cpu_to_be64(bytes)) ||
+ nla_put_be64(skb, NFACCT_BTHR,
+ cpu_to_be64(atomic64_read(&acct->bthr))) ||
+ nla_put_be32(skb, NFACCT_FMT, htonl(atomic_read(&acct->fmt))) ||
nla_put_be32(skb, NFACCT_USE, htonl(atomic_read(&acct->refcnt))))
goto nla_put_failure;
@@ -265,6 +324,8 @@ static const struct nla_policy nfnl_acct_policy[NFACCT_MAX+1] = {
[NFACCT_NAME] = { .type = NLA_NUL_STRING, .len = NFACCT_NAME_MAX-1 },
[NFACCT_BYTES] = { .type = NLA_U64 },
[NFACCT_PKTS] = { .type = NLA_U64 },
+ [NFACCT_BTHR] = { .type = NLA_U64 },
+ [NFACCT_FMT] = { .type = NLA_U32 },
};
static const struct nfnl_callback nfnl_acct_cb[NFNL_MSG_ACCT_MAX] = {