* [PATCH] nfacct: add filter in to the list operation
@ 2014-08-06 10:53 Alexey Perevalov
  2014-08-06 10:53 ` Alexey Perevalov
  0 siblings, 1 reply; 5+ messages in thread
From: Alexey Perevalov @ 2014-08-06 10:53 UTC (permalink / raw)
  To: pablo
  Cc: Alexey Perevalov, alexey.perevalov, mathieu.poirier,
	netfilter-devel, kyungmin.park, hs81.go

This is the client-side implementation of the filtering support introduced in
the "netfilter: nfnetlink_acct: add filter support to nfacct" patch.

The patch adds the byte_quota, packet_quotas, counters and overquota arguments
to the list (list reset) command. nfacct has no help/usage function, so
on a mistyped argument the end user gets only a general message.

BR,
Alexey

Alexey Perevalov (1):
  nfacct: add filter in to the list operation

 include/linux/netfilter/nfnetlink_acct.h |    8 ++++
 src/nfacct.c                             |   62 ++++++++++++++++++++++++++++++
 2 files changed, 70 insertions(+)

-- 
1.7.9.5



* [PATCH] nfacct: add filter in to the list operation
  2014-08-06 10:53 [PATCH] nfacct: add filter in to the list operation Alexey Perevalov
@ 2014-08-06 10:53 ` Alexey Perevalov
  2014-08-26 19:45   ` Pablo Neira Ayuso
  0 siblings, 1 reply; 5+ messages in thread
From: Alexey Perevalov @ 2014-08-06 10:53 UTC (permalink / raw)
  To: pablo
  Cc: Alexey Perevalov, alexey.perevalov, mathieu.poirier,
	netfilter-devel, kyungmin.park, hs81.go

Filter feature is working through NFACCT_FILTER netlink attribute.
If kernel doesn't support it, client will not get an error
and silently will work as before.

Signed-off-by: Alexey Perevalov <a.perevalov@samsung.com>
---
 include/linux/netfilter/nfnetlink_acct.h |    8 ++++
 src/nfacct.c                             |   62 ++++++++++++++++++++++++++++++
 2 files changed, 70 insertions(+)

diff --git a/include/linux/netfilter/nfnetlink_acct.h b/include/linux/netfilter/nfnetlink_acct.h
index 44dcd17..7542c70 100644
--- a/include/linux/netfilter/nfnetlink_acct.h
+++ b/include/linux/netfilter/nfnetlink_acct.h
@@ -28,10 +28,18 @@ enum nfnl_acct_type {
 	NFACCT_USE,
 	NFACCT_FLAGS,
 	NFACCT_QUOTA,
+	NFACCT_FILTER,
 	__NFACCT_MAX
 };
 #define NFACCT_MAX (__NFACCT_MAX - 1)
 
+enum nfnl_attr_filter_type {
+	NFACCT_FILTER_ATTR_UNSPEC,
+	NFACCT_FILTER_ATTR_MASK,
+	NFACCT_FILTER_ATTR_VALUE,
+	__NFACCT_FILTER_ATTR_MAX
+};
+
 #ifdef __KERNEL__
 
 struct nf_acct;
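Review bot: The new `enum nfnl_attr_filter_type` ends at `__NFACCT_FILTER_ATTR_MAX` but, unlike `enum nfnl_acct_type` just above it, gets no companion maximum macro. Code that later parses the nested attribute would need that bound; adding `#define NFACCT_FILTER_ATTR_MAX (__NFACCT_FILTER_ATTR_MAX - 1)` after the enum keeps the two enums consistent. The V2 header hunk later in the thread renames the members to `NFACCT_FILTER_*` and has the same gap.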
diff --git a/src/nfacct.c b/src/nfacct.c
index 091a5c9..860436d 100644
--- a/src/nfacct.c
+++ b/src/nfacct.c
@@ -166,6 +166,49 @@ err:
 	return MNL_CB_OK;
 }
 
+enum filter_selection {
+	NFACCT_FILTER_UNSPEC,
+	NFACCT_FILTER_COUNTERS,
+	NFACCT_FILTER_QUOTA_BYTES,
+	NFACCT_FILTER_QUOTA_PACKETS,
+	NFACCT_FILTER_OVERQUOTA,
+};
+
+#define NFACCT_F_QUOTAS (NFACCT_F_QUOTA_BYTES | NFACCT_F_QUOTA_PKTS)
+
+static void nlmsg_build_filter_payload(enum filter_selection *selection,
+					 struct nlmsghdr *nlh)
+{
+	struct nlattr *nest;
+	uint32_t mask = 0, value = 0;
+
+	if (!selection || *selection == NFACCT_FILTER_UNSPEC)
+		return;
+
+	nest = mnl_attr_nest_start(nlh, NFACCT_FILTER);
+	if (nest == NULL)
+		return;
+
+	if (*selection == NFACCT_FILTER_QUOTA_BYTES) {
+		mask = NFACCT_F_QUOTA_BYTES;
+		value = NFACCT_F_QUOTA_BYTES;
+	} else if (*selection == NFACCT_FILTER_QUOTA_PACKETS) {
+		mask = NFACCT_F_QUOTA_PKTS;
+		value = NFACCT_F_QUOTA_PKTS;
+	} else if (*selection == NFACCT_FILTER_COUNTERS) {
+		mask = NFACCT_F_QUOTAS;
+		value = 0; /* counters isn't quotas */
+	} else if (*selection == NFACCT_FILTER_OVERQUOTA) {
+		mask = NFACCT_F_OVERQUOTA;
+		value = NFACCT_F_OVERQUOTA;
+	}
+
+	mnl_attr_put_u32(nlh, NFACCT_FILTER_ATTR_MASK, mask);
+	mnl_attr_put_u32(nlh, NFACCT_FILTER_ATTR_VALUE, value);
+
+	mnl_attr_nest_end(nlh, nest);
+}
+
 static int nfacct_cmd_list(int argc, char *argv[])
 {
 	bool zeroctr = false, xml = false;
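Review bot: The `nest == NULL` test after `mnl_attr_nest_start()` looks like dead code: as far as I know that libmnl call does not check the remaining buffer space and never returns NULL, so the early return cannot guard against an overfull message. If a bound check is wanted here, libmnl's `mnl_attr_nest_start_check()` and `mnl_attr_put_u32_check()` take the buffer size and report failure; otherwise drop the test. The same check is repeated in the V2 version of `nlmsg_build_filter_payload()` further down the thread. Separately, `mask` and `value` go out in host byte order here, whereas V2 wraps both in `htonl()`.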
@@ -174,12 +217,30 @@ static int nfacct_cmd_list(int argc, char *argv[])
 	struct nlmsghdr *nlh;
 	unsigned int seq, portid;
 	int ret, i;
+	enum filter_selection selection = NFACCT_FILTER_UNSPEC;
+	struct nfacct *nfacct = nfacct_alloc();
+
+	if (nfacct == NULL) {
+		nfacct_perror("OOM");
+		return -1;
+	}
 
 	for (i=2; i<argc; i++) {
 		if (strncmp(argv[i], "reset", strlen(argv[i])) == 0) {
 			zeroctr = true;
 		} else if (strncmp(argv[i], "xml", strlen(argv[i])) == 0) {
 			xml = true;
+		} else if (strncmp(argv[i], "counters", strlen(argv[i])) == 0) {
+			selection = NFACCT_FILTER_COUNTERS;
+		} else if (strncmp(argv[i], "byte_quotas", strlen(argv[i]))
+			   == 0) {
+			selection = NFACCT_FILTER_QUOTA_BYTES;
+		} else if (strncmp(argv[i], "packet_quotas", strlen(argv[i]))
+			   == 0) {
+			selection = NFACCT_FILTER_QUOTA_PACKETS;
+		} else if (strncmp(argv[i], "overquota", strlen(argv[i]))
+			   == 0) {
+			selection = NFACCT_FILTER_OVERQUOTA;
 		} else {
 			nfacct_perror("unknown argument");
 			return -1;
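Review bot: `struct nfacct *nfacct = nfacct_alloc();` is added at the top of `nfacct_cmd_list()`, but none of the visible hunks use the object, and the `return -1` in the `unknown argument` branch leaves without releasing it. If the listing path does not need it, drop the allocation and its OOM check; if it does, free it on every exit, e.g. `nfacct_free(nfacct);` before that `return -1;`. The function body continues outside the hunk, so a later use may exist that is not shown. The V2 hunk for this function carries the same allocation.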
@@ -192,6 +253,7 @@ static int nfacct_cmd_list(int argc, char *argv[])
 					NFNL_MSG_ACCT_GET,
 				     NLM_F_DUMP, seq);
 
+	nlmsg_build_filter_payload(&selection, nlh);
 	nl = mnl_socket_open(NETLINK_NETFILTER);
 	if (nl == NULL) {
 		nfacct_perror("mnl_socket_open");
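Review bot: Attaching the filter unconditionally means `reset` combined with a filter depends on the kernel honouring `NFACCT_FILTER`; the commit message says an older kernel returns no error and works as before, so `nfacct list reset overquota` there would presumably zero every object rather than only the matching ones. For an accounting tool that is silent data loss. Consider refusing a filter together with `reset` unless filter support has been confirmed, or at minimum document it at the call, e.g. `/* older kernels ignore NFACCT_FILTER: with reset this zeroes all objects */`. The call sits in the middle of `nfacct_cmd_list()`, which starts and ends outside this hunk; the V2 call site is the same.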
-- 
1.7.9.5



* Re: [PATCH] nfacct: add filter in to the list operation
  2014-08-06 10:53 ` Alexey Perevalov
@ 2014-08-26 19:45   ` Pablo Neira Ayuso
  2014-09-07  6:32     ` Alexey Perevalov
  2014-09-07  6:33     ` [PATCH V2] " Alexey Perevalov
  0 siblings, 2 replies; 5+ messages in thread
From: Pablo Neira Ayuso @ 2014-08-26 19:45 UTC (permalink / raw)
  To: Alexey Perevalov
  Cc: alexey.perevalov, mathieu.poirier, netfilter-devel,
	kyungmin.park, hs81.go

Hi Alexey,

I need some minor cosmetic changes, please address them and resubmit.
See below.

On Wed, Aug 06, 2014 at 02:53:04PM +0400, Alexey Perevalov wrote:
> Filter feature is working through NFACCT_FILTER netlink attribute.
> If kernel doesn't support it, client will not get an error
> and silently will work as before.

Could you add some example usage to the description? Users google for
this, it will be helpful to them.

> Signed-off-by: Alexey Perevalov <a.perevalov@samsung.com>
> ---
>  include/linux/netfilter/nfnetlink_acct.h |    8 ++++
>  src/nfacct.c                             |   62 ++++++++++++++++++++++++++++++
>  2 files changed, 70 insertions(+)
> 
> diff --git a/include/linux/netfilter/nfnetlink_acct.h b/include/linux/netfilter/nfnetlink_acct.h
> index 44dcd17..7542c70 100644
> --- a/include/linux/netfilter/nfnetlink_acct.h
> +++ b/include/linux/netfilter/nfnetlink_acct.h
> @@ -28,10 +28,18 @@ enum nfnl_acct_type {
>  	NFACCT_USE,
>  	NFACCT_FLAGS,
>  	NFACCT_QUOTA,
> +	NFACCT_FILTER,
>  	__NFACCT_MAX
>  };
>  #define NFACCT_MAX (__NFACCT_MAX - 1)
>  
> +enum nfnl_attr_filter_type {
> +	NFACCT_FILTER_ATTR_UNSPEC,
> +	NFACCT_FILTER_ATTR_MASK,
> +	NFACCT_FILTER_ATTR_VALUE,
> +	__NFACCT_FILTER_ATTR_MAX
> +};
> +
>  #ifdef __KERNEL__
>  
>  struct nf_acct;
> diff --git a/src/nfacct.c b/src/nfacct.c
> index 091a5c9..860436d 100644
> --- a/src/nfacct.c
> +++ b/src/nfacct.c
> @@ -166,6 +166,49 @@ err:
>  	return MNL_CB_OK;
>  }
>  
> +enum filter_selection {
> +	NFACCT_FILTER_UNSPEC,
> +	NFACCT_FILTER_COUNTERS,
> +	NFACCT_FILTER_QUOTA_BYTES,
> +	NFACCT_FILTER_QUOTA_PACKETS,
> +	NFACCT_FILTER_OVERQUOTA,
> +};
> +
> +#define NFACCT_F_QUOTAS (NFACCT_F_QUOTA_BYTES | NFACCT_F_QUOTA_PKTS)
> +
> +static void nlmsg_build_filter_payload(enum filter_selection *selection,
> +					 struct nlmsghdr *nlh)
> +{
> +	struct nlattr *nest;
> +	uint32_t mask = 0, value = 0;
> +
> +	if (!selection || *selection == NFACCT_FILTER_UNSPEC)
> +		return;

You can use selection == NFACCT_FILTER_UNSPEC instead of !selection,
so you can skip the use of the pointer.

> +
> +	nest = mnl_attr_nest_start(nlh, NFACCT_FILTER);
> +	if (nest == NULL)
> +		return;
> +
> +	if (*selection == NFACCT_FILTER_QUOTA_BYTES) {
> +		mask = NFACCT_F_QUOTA_BYTES;
> +		value = NFACCT_F_QUOTA_BYTES;
> +	} else if (*selection == NFACCT_FILTER_QUOTA_PACKETS) {
> +		mask = NFACCT_F_QUOTA_PKTS;
> +		value = NFACCT_F_QUOTA_PKTS;
> +	} else if (*selection == NFACCT_FILTER_COUNTERS) {
> +		mask = NFACCT_F_QUOTAS;
> +		value = 0; /* counters isn't quotas */
> +	} else if (*selection == NFACCT_FILTER_OVERQUOTA) {
> +		mask = NFACCT_F_OVERQUOTA;
> +		value = NFACCT_F_OVERQUOTA;
> +	}
> +
> +	mnl_attr_put_u32(nlh, NFACCT_FILTER_ATTR_MASK, mask);
> +	mnl_attr_put_u32(nlh, NFACCT_FILTER_ATTR_VALUE, value);
> +
> +	mnl_attr_nest_end(nlh, nest);
> +}
> +
>  static int nfacct_cmd_list(int argc, char *argv[])
>  {
>  	bool zeroctr = false, xml = false;
> @@ -174,12 +217,30 @@ static int nfacct_cmd_list(int argc, char *argv[])
>  	struct nlmsghdr *nlh;
>  	unsigned int seq, portid;
>  	int ret, i;
> +	enum filter_selection selection = NFACCT_FILTER_UNSPEC;
> +	struct nfacct *nfacct = nfacct_alloc();
> +
> +	if (nfacct == NULL) {
> +		nfacct_perror("OOM");
> +		return -1;
> +	}
>  
>  	for (i=2; i<argc; i++) {
>  		if (strncmp(argv[i], "reset", strlen(argv[i])) == 0) {
>  			zeroctr = true;
>  		} else if (strncmp(argv[i], "xml", strlen(argv[i])) == 0) {
>  			xml = true;
> +		} else if (strncmp(argv[i], "counters", strlen(argv[i])) == 0) {
> +			selection = NFACCT_FILTER_COUNTERS;
> +		} else if (strncmp(argv[i], "byte_quotas", strlen(argv[i]))

quota-byte instead of byte_quotas.

> +			   == 0) {
> +			selection = NFACCT_FILTER_QUOTA_BYTES;
> +		} else if (strncmp(argv[i], "packet_quotas", strlen(argv[i]))

quota-packet instead.

> +			   == 0) {
> +			selection = NFACCT_FILTER_QUOTA_PACKETS;
> +		} else if (strncmp(argv[i], "overquota", strlen(argv[i]))
> +			   == 0) {
> +			selection = NFACCT_FILTER_OVERQUOTA;
>  		} else {
>  			nfacct_perror("unknown argument");
>  			return -1;
> @@ -192,6 +253,7 @@ static int nfacct_cmd_list(int argc, char *argv[])
>  					NFNL_MSG_ACCT_GET,
>  				     NLM_F_DUMP, seq);
>  
> +	nlmsg_build_filter_payload(&selection, nlh);
>  	nl = mnl_socket_open(NETLINK_NETFILTER);
>  	if (nl == NULL) {
>  		nfacct_perror("mnl_socket_open");
> -- 
> 1.7.9.5
> 


* Re: nfacct: add filter in to the list operation
  2014-08-26 19:45   ` Pablo Neira Ayuso
@ 2014-09-07  6:32     ` Alexey Perevalov
  2014-09-07  6:33     ` [PATCH V2] " Alexey Perevalov
  1 sibling, 0 replies; 5+ messages in thread
From: Alexey Perevalov @ 2014-09-07  6:32 UTC (permalink / raw)
  To: pablo; +Cc: Alexey Perevalov, kyungmin.park, hs81.go, netfilter-devel

Hello Pablo,

I also have several remarks about the command line parsing of the nfacct tool
 in general.
1. reset and the other options, including the new ones, are position insensitive,
e.g. reset could follow counters.
2. Option occurrences, e.g. #nfacct list reset reset reset.
Maybe it wasn't so important before, but now it matters for the filter options.
For example, #nfacct list counters overquota
will show overquoted counters only, and the end user will not get any
error in this case.

So, do you think it worth to fix?
Also do you plan to include nfacct functionality into nft tool?

ps. Sorry I forgot in previous mail to cc netfilter-devel.

Alexey Perevalov (1):
  nfacct: add filter in to the list operation

 include/linux/netfilter/nfnetlink_acct.h |    8 ++++
 src/nfacct.c                             |   63 ++++++++++++++++++++++++++++++
 2 files changed, 71 insertions(+)

-- 
1.7.9.5



* [PATCH V2] nfacct: add filter in to the list operation
  2014-08-26 19:45   ` Pablo Neira Ayuso
  2014-09-07  6:32     ` Alexey Perevalov
@ 2014-09-07  6:33     ` Alexey Perevalov
  1 sibling, 0 replies; 5+ messages in thread
From: Alexey Perevalov @ 2014-09-07  6:33 UTC (permalink / raw)
  To: pablo; +Cc: Alexey Perevalov, kyungmin.park, hs81.go, netfilter-devel

Filter feature is working through NFACCT_FILTER netlink attribute.
If kernel doesn't support it, client will not get an error
and silently will work as before.

This patch adds the following command line arguments, which can be used with
the list operation: counters, overquota, quota-byte, quota-packet.
Combining these command line options isn't allowed. In the current
implementation, if the user specifies several filter options, the last of the
options mentioned above is chosen.

For example.
#nfacct list counters
will show counters without byte/packet based quota
#nfacct list reset overquota
will reset value for overquoted counters only

Signed-off-by: Alexey Perevalov <a.perevalov@samsung.com>
---
 include/linux/netfilter/nfnetlink_acct.h |    8 ++++
 src/nfacct.c                             |   63 ++++++++++++++++++++++++++++++
 2 files changed, 71 insertions(+)

diff --git a/include/linux/netfilter/nfnetlink_acct.h b/include/linux/netfilter/nfnetlink_acct.h
index 44dcd17..6c99213 100644
--- a/include/linux/netfilter/nfnetlink_acct.h
+++ b/include/linux/netfilter/nfnetlink_acct.h
@@ -28,10 +28,18 @@ enum nfnl_acct_type {
 	NFACCT_USE,
 	NFACCT_FLAGS,
 	NFACCT_QUOTA,
+	NFACCT_FILTER,
 	__NFACCT_MAX
 };
 #define NFACCT_MAX (__NFACCT_MAX - 1)
 
+enum nfnl_attr_filter_type {
+	NFACCT_FILTER_UNSPEC,
+	NFACCT_FILTER_MASK,
+	NFACCT_FILTER_VALUE,
+	__NFACCT_FILTER_MAX
+};
+
 #ifdef __KERNEL__
 
 struct nf_acct;
diff --git a/src/nfacct.c b/src/nfacct.c
index 091a5c9..344a88b 100644
--- a/src/nfacct.c
+++ b/src/nfacct.c
@@ -19,6 +19,7 @@
 #include <unistd.h>
 #include <time.h>
 #include <errno.h>
+#include <arpa/inet.h>
 
 #include <libmnl/libmnl.h>
 #include <libnetfilter_acct/libnetfilter_acct.h>
@@ -166,6 +167,49 @@ err:
 	return MNL_CB_OK;
 }
 
+enum filter_selection {
+	NFACCT_SELECTION_UNSPEC,
+	NFACCT_SELECTION_COUNTERS,
+	NFACCT_SELECTION_QUOTA_BYTES,
+	NFACCT_SELECTION_QUOTA_PACKETS,
+	NFACCT_SELECTION_OVERQUOTA,
+};
+
+#define NFACCT_F_QUOTAS (NFACCT_F_QUOTA_BYTES | NFACCT_F_QUOTA_PKTS)
+
+static void nlmsg_build_filter_payload(enum filter_selection selection,
+					 struct nlmsghdr *nlh)
+{
+	struct nlattr *nest;
+	uint32_t mask = 0, value = 0;
+
+	if (selection == NFACCT_SELECTION_UNSPEC)
+		return;
+
+	nest = mnl_attr_nest_start(nlh, NFACCT_FILTER);
+	if (nest == NULL)
+		return;
+
+	if (selection == NFACCT_SELECTION_QUOTA_BYTES) {
+		mask = NFACCT_F_QUOTA_BYTES;
+		value = NFACCT_F_QUOTA_BYTES;
+	} else if (selection == NFACCT_SELECTION_QUOTA_PACKETS) {
+		mask = NFACCT_F_QUOTA_PKTS;
+		value = NFACCT_F_QUOTA_PKTS;
+	} else if (selection == NFACCT_SELECTION_COUNTERS) {
+		mask = NFACCT_F_QUOTAS;
+		value = 0; /* counters isn't quotas */
+	} else if (selection == NFACCT_SELECTION_OVERQUOTA) {
+		mask = NFACCT_F_OVERQUOTA;
+		value = NFACCT_F_OVERQUOTA;
+	}
+
+	mnl_attr_put_u32(nlh, NFACCT_FILTER_MASK, htonl(mask));
+	mnl_attr_put_u32(nlh, NFACCT_FILTER_VALUE, htonl(value));
+
+	mnl_attr_nest_end(nlh, nest);
+}
+
 static int nfacct_cmd_list(int argc, char *argv[])
 {
 	bool zeroctr = false, xml = false;
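Review bot: `nlmsg_build_filter_payload()` has no comment explaining how `mask` and `value` are meant to be read, and the only hint is `/* counters isn't quotas */`. A short header comment would help, e.g. `/* Build the nested NFACCT_FILTER attribute: the kernel is expected to return objects whose (flags & mask) == value. */`; the matching rule is inferred from the `COUNTERS` case (`mask = NFACCT_F_QUOTAS`, `value = 0`), so confirm it against the kernel patch. The `if`/`else if` chain over the enum would also read better as a `switch` with a `default:`, which lets the compiler flag a selection added later without a mapping.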
@@ -174,12 +218,30 @@ static int nfacct_cmd_list(int argc, char *argv[])
 	struct nlmsghdr *nlh;
 	unsigned int seq, portid;
 	int ret, i;
+	enum filter_selection selection = NFACCT_SELECTION_UNSPEC;
+	struct nfacct *nfacct = nfacct_alloc();
+
+	if (nfacct == NULL) {
+		nfacct_perror("OOM");
+		return -1;
+	}
 
 	for (i=2; i<argc; i++) {
 		if (strncmp(argv[i], "reset", strlen(argv[i])) == 0) {
 			zeroctr = true;
 		} else if (strncmp(argv[i], "xml", strlen(argv[i])) == 0) {
 			xml = true;
+		} else if (strncmp(argv[i], "counters", strlen(argv[i])) == 0) {
+			selection = NFACCT_SELECTION_COUNTERS;
+		} else if (strncmp(argv[i], "quota-byte", strlen(argv[i]))
+			   == 0) {
+			selection = NFACCT_SELECTION_QUOTA_BYTES;
+		} else if (strncmp(argv[i], "quota-packet", strlen(argv[i]))
+			   == 0) {
+			selection = NFACCT_SELECTION_QUOTA_PACKETS;
+		} else if (strncmp(argv[i], "overquota", strlen(argv[i]))
+			   == 0) {
+			selection = NFACCT_SELECTION_OVERQUOTA;
 		} else {
 			nfacct_perror("unknown argument");
 			return -1;
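Review bot: The new keywords are matched with `strncmp(argv[i], "quota-byte", strlen(argv[i]))`, which accepts any prefix of the keyword, so `quota-` or `q` silently selects `quota-byte` even though `quota-packet` shares that prefix, and an empty argument already matches `reset` in the context line above. With filters now deciding which objects a `reset` touches, an ambiguous abbreviation should be rejected rather than resolved by branch order. Exact comparison for the new keywords avoids it: `} else if (strcmp(argv[i], "quota-byte") == 0) {`. The loop and function continue outside the hunk.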
@@ -192,6 +254,7 @@ static int nfacct_cmd_list(int argc, char *argv[])
 					NFNL_MSG_ACCT_GET,
 				     NLM_F_DUMP, seq);
 
+	nlmsg_build_filter_payload(selection, nlh);
 	nl = mnl_socket_open(NETLINK_NETFILTER);
 	if (nl == NULL) {
 		nfacct_perror("mnl_socket_open");
-- 
1.7.9.5


