[PATCH v3 0/2] nfacct: add filter in to the list operation

[PATCH v3 0/2] nfacct: add filter in to the list operation

[Alexey Perevalov]

Hello Pablo,

It's third version of patch for filtering, but also with fix for argument
singleness.

Changes since v2.
	selection enum/variable was removed according to comment

I thought about singleness of one category's options. It's possibe to do without
refactoring, but code looks like overloaded by lines, so I would prefer to use some
general approach. Where we could use some special parser, but I feel you have one
in nft. So this serie includes straightforward approach.

Alexey Perevalov (2):
  nfacct: check cmd line argument for singleness
  nfacct: add filter in to the list operation

 include/linux/netfilter/nfnetlink_acct.h |    8 ++++
 src/nfacct.c                             |   60 +++++++++++++++++++++++++++++-
 2 files changed, 67 insertions(+), 1 deletion(-)

-- 
1.7.9.5

[PATCH v3 1/2] nfacct: check cmd line argument for singleness

[Alexey Perevalov]

It was possible to specify several equal options for list operation.

Signed-off-by: Alexey Perevalov <a.perevalov@samsung.com>
---
 src/nfacct.c |   16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/src/nfacct.c b/src/nfacct.c
index 091a5c9..d77a57e 100644
--- a/src/nfacct.c
+++ b/src/nfacct.c
@@ -25,6 +25,13 @@
 #include <linux/netfilter/nfnetlink_acct.h>
 #include <linux/netfilter/nfnetlink.h>
 
+#define CHECK_OPT_PLURARITY(opt_name, msg) \
+	opt_name += 1; \
+	if (opt_name > 1) { \
+		nfacct_perror(msg); \
+		return -1; \
+	}
+
 enum {
 	NFACCT_CMD_NONE = 0,
 	NFACCT_CMD_LIST,
@@ -166,6 +173,8 @@ err:
 	return MNL_CB_OK;
 }
 
+#define NFACCT_F_QUOTAS (NFACCT_F_QUOTA_BYTES | NFACCT_F_QUOTA_PKTS)
+
 static int nfacct_cmd_list(int argc, char *argv[])
 {
 	bool zeroctr = false, xml = false;
@@ -177,8 +186,14 @@ static int nfacct_cmd_list(int argc, char *argv[])
 
 	for (i=2; i<argc; i++) {
 		if (strncmp(argv[i], "reset", strlen(argv[i])) == 0) {
+			static int opt_reset;
+			CHECK_OPT_PLURARITY(opt_reset, "reset couldn't be "
+				            "defined more than once");
 			zeroctr = true;
 		} else if (strncmp(argv[i], "xml", strlen(argv[i])) == 0) {
+			static int opt_xml;
+			CHECK_OPT_PLURARITY(opt_xml, "xml couldn't be defined "
+					    "more than once");
 			xml = true;
 		} else {
 			nfacct_perror("unknown argument");
@@ -191,7 +206,6 @@ static int nfacct_cmd_list(int argc, char *argv[])
 					NFNL_MSG_ACCT_GET_CTRZERO :
 					NFNL_MSG_ACCT_GET,
 				     NLM_F_DUMP, seq);
-
 	nl = mnl_socket_open(NETLINK_NETFILTER);
 	if (nl == NULL) {
 		nfacct_perror("mnl_socket_open");
-- 
1.7.9.5

[PATCH v3 2/2] nfacct: add filter in to the list operation

[Alexey Perevalov]

Filter feature is working through NFACCT_FILTER netlink attribute.
If kernel doesn't support it, client will not get an error
and silently will work as before.

This patch adds following command line arguments: counters, overquota,
quota-byte, quota-packet. Which could be used with list operation.
Combination of these command line options isn't allowed.

For example.
will show counters without byte/packet based quota
will reset value for overquoted counters only

Signed-off-by: Alexey Perevalov <a.perevalov@samsung.com>
---
 include/linux/netfilter/nfnetlink_acct.h |    8 ++++++
 src/nfacct.c                             |   44 ++++++++++++++++++++++++++++++
 2 files changed, 52 insertions(+)

diff --git a/include/linux/netfilter/nfnetlink_acct.h b/include/linux/netfilter/nfnetlink_acct.h
index 44dcd17..6c99213 100644
--- a/include/linux/netfilter/nfnetlink_acct.h
+++ b/include/linux/netfilter/nfnetlink_acct.h
@@ -28,10 +28,18 @@ enum nfnl_acct_type {
 	NFACCT_USE,
 	NFACCT_FLAGS,
 	NFACCT_QUOTA,
+	NFACCT_FILTER,
 	__NFACCT_MAX
 };
 #define NFACCT_MAX (__NFACCT_MAX - 1)
 
+enum nfnl_attr_filter_type {
+	NFACCT_FILTER_UNSPEC,
+	NFACCT_FILTER_MASK,
+	NFACCT_FILTER_VALUE,
+	__NFACCT_FILTER_MAX
+};
+
 #ifdef __KERNEL__
 
 struct nf_acct;
diff --git a/src/nfacct.c b/src/nfacct.c
index d77a57e..fbbd189 100644
--- a/src/nfacct.c
+++ b/src/nfacct.c
@@ -19,6 +19,7 @@
 #include <unistd.h>
 #include <time.h>
 #include <errno.h>
+#include <arpa/inet.h>
 
 #include <libmnl/libmnl.h>
 #include <libnetfilter_acct/libnetfilter_acct.h>
@@ -183,6 +184,8 @@ static int nfacct_cmd_list(int argc, char *argv[])
 	struct nlmsghdr *nlh;
 	unsigned int seq, portid;
 	int ret, i;
+	uint32_t mask = 0, value = 0;
+	int opt_quota_cat = 0;
 
 	for (i=2; i<argc; i++) {
 		if (strncmp(argv[i], "reset", strlen(argv[i])) == 0) {
@@ -195,6 +198,41 @@ static int nfacct_cmd_list(int argc, char *argv[])
 			CHECK_OPT_PLURARITY(opt_xml, "xml couldn't be defined "
 					    "more than once");
 			xml = true;
+		} else if (strncmp(argv[i], "counters", strlen(argv[i])) == 0) {
+			static int opt_counters;
+			CHECK_OPT_PLURARITY(opt_counters, "counters couldn't be"
+					    " defined more than once");
+			CHECK_OPT_PLURARITY(opt_quota_cat, "only one option is"
+			" allowed: counters, quota-byte, quota-packet, overquota");
+			mask = NFACCT_F_QUOTAS;
+			value = 0; /* counters isn't quotas */
+		} else if (strncmp(argv[i], "quota-byte", strlen(argv[i]))
+			   == 0) {
+			static int opt_quota_byte;
+			CHECK_OPT_PLURARITY(opt_quota_byte, "quota-byte "
+					    " couldn't be defined more than once");
+			CHECK_OPT_PLURARITY(opt_quota_cat, "only one option is"
+			" allowed: counters, quota-byte, quota-packet, overquota");
+			mask = NFACCT_F_QUOTA_BYTES;
+			value = NFACCT_F_QUOTA_BYTES;
+		} else if (strncmp(argv[i], "quota-packet", strlen(argv[i]))
+			   == 0) {
+			static int opt_quota_packet;
+			CHECK_OPT_PLURARITY(opt_quota_packet, "quota-packet "
+					    " couldn't be defined more than once");
+			CHECK_OPT_PLURARITY(opt_quota_cat, "only one option is"
+			" allowed: counters, quota-byte, quota-packet, overquota");
+			mask = NFACCT_F_QUOTA_PKTS;
+			value = NFACCT_F_QUOTA_PKTS;
+		} else if (strncmp(argv[i], "overquota", strlen(argv[i]))
+			   == 0) {
+			static int opt_overquota;
+			CHECK_OPT_PLURARITY(opt_overquota, "overquota couldn't"
+					    " be defined more than once");
+			CHECK_OPT_PLURARITY(opt_quota_cat, "only one option is"
+			" allowed: counters, quota-byte, quota-packet, overquota");
+			mask = NFACCT_F_OVERQUOTA;
+			value = NFACCT_F_OVERQUOTA;
 		} else {
 			nfacct_perror("unknown argument");
 			return -1;
@@ -206,6 +244,12 @@ static int nfacct_cmd_list(int argc, char *argv[])
 					NFNL_MSG_ACCT_GET_CTRZERO :
 					NFNL_MSG_ACCT_GET,
 				     NLM_F_DUMP, seq);
+	if (mask || value) {
+		struct nlattr *nest = mnl_attr_nest_start(nlh, NFACCT_FILTER);
+		mnl_attr_put_u32(nlh, NFACCT_FILTER_MASK, htonl(mask));
+		mnl_attr_put_u32(nlh, NFACCT_FILTER_VALUE, htonl(value));
+		mnl_attr_nest_end(nlh, nest);
+	}
 	nl = mnl_socket_open(NETLINK_NETFILTER);
 	if (nl == NULL) {
 		nfacct_perror("mnl_socket_open");
-- 
1.7.9.5

Re: [PATCH v3 1/2] nfacct: check cmd line argument for singleness

[Pablo Neira Ayuso]

On Thu, Sep 11, 2014 at 07:50:39PM +0400, Alexey Perevalov wrote:
> It was possible to specify several equal options for list operation.
> 
> Signed-off-by: Alexey Perevalov <a.perevalov@samsung.com>
> ---
>  src/nfacct.c |   16 +++++++++++++++-
>  1 file changed, 15 insertions(+), 1 deletion(-)
> 
> diff --git a/src/nfacct.c b/src/nfacct.c
> index 091a5c9..d77a57e 100644
> --- a/src/nfacct.c
> +++ b/src/nfacct.c
> @@ -25,6 +25,13 @@
>  #include <linux/netfilter/nfnetlink_acct.h>
>  #include <linux/netfilter/nfnetlink.h>
>  
> +#define CHECK_OPT_PLURARITY(opt_name, msg) \
> +	opt_name += 1; \
> +	if (opt_name > 1) { \
> +		nfacct_perror(msg); \
> +		return -1; \
> +	}
> +
>  enum {
>  	NFACCT_CMD_NONE = 0,
>  	NFACCT_CMD_LIST,
> @@ -166,6 +173,8 @@ err:
>  	return MNL_CB_OK;
>  }
>  
> +#define NFACCT_F_QUOTAS (NFACCT_F_QUOTA_BYTES | NFACCT_F_QUOTA_PKTS)
> +
>  static int nfacct_cmd_list(int argc, char *argv[])
>  {
>  	bool zeroctr = false, xml = false;
> @@ -177,8 +186,14 @@ static int nfacct_cmd_list(int argc, char *argv[])
>  
>  	for (i=2; i<argc; i++) {
>  		if (strncmp(argv[i], "reset", strlen(argv[i])) == 0) {
> +			static int opt_reset;
> +			CHECK_OPT_PLURARITY(opt_reset, "reset couldn't be "
> +				            "defined more than once");

I prefer if you add something similar to what iproute2 provides:

void duparg2(const char *key, const char *arg)
{
        fprintf(stderr, "Error: either \"%s\" is duplicate, or \"%s\" is a garbage.\n", key, arg);
        exit(-1);
}

You can probably check:

                        if (zeroctr)
                                duparg2("reset", argv[i]);

>  			zeroctr = true;
>  		} else if (strncmp(argv[i], "xml", strlen(argv[i])) == 0) {
> +			static int opt_xml;
> +			CHECK_OPT_PLURARITY(opt_xml, "xml couldn't be defined "
> +					    "more than once");

Similar thing here.

I always wanted to get this code more in line iproute2, but failed to
find the time, later.

So please, do it the way I'm proposing so we start looking into
converging to iproute2.

Thanks.

Re: [PATCH v3 1/2] nfacct: check cmd line argument for singleness

[Alexey Perevalov]

On 09/11/2014 08:55 PM, Pablo Neira Ayuso wrote:
> On Thu, Sep 11, 2014 at 07:50:39PM +0400, Alexey Perevalov wrote:
>> It was possible to specify several equal options for list operation.
>>
>> Signed-off-by: Alexey Perevalov <a.perevalov@samsung.com>
>> ---
>>   src/nfacct.c |   16 +++++++++++++++-
>>   1 file changed, 15 insertions(+), 1 deletion(-)
>>
>> diff --git a/src/nfacct.c b/src/nfacct.c
>> index 091a5c9..d77a57e 100644
>> --- a/src/nfacct.c
>> +++ b/src/nfacct.c
>> @@ -25,6 +25,13 @@
>>   #include <linux/netfilter/nfnetlink_acct.h>
>>   #include <linux/netfilter/nfnetlink.h>
>>   
>> +#define CHECK_OPT_PLURARITY(opt_name, msg) \
>> +	opt_name += 1; \
>> +	if (opt_name > 1) { \
>> +		nfacct_perror(msg); \
>> +		return -1; \
>> +	}
>> +
>>   enum {
>>   	NFACCT_CMD_NONE = 0,
>>   	NFACCT_CMD_LIST,
>> @@ -166,6 +173,8 @@ err:
>>   	return MNL_CB_OK;
>>   }
>>   
>> +#define NFACCT_F_QUOTAS (NFACCT_F_QUOTA_BYTES | NFACCT_F_QUOTA_PKTS)
>> +
>>   static int nfacct_cmd_list(int argc, char *argv[])
>>   {
>>   	bool zeroctr = false, xml = false;
>> @@ -177,8 +186,14 @@ static int nfacct_cmd_list(int argc, char *argv[])
>>   
>>   	for (i=2; i<argc; i++) {
>>   		if (strncmp(argv[i], "reset", strlen(argv[i])) == 0) {
>> +			static int opt_reset;
>> +			CHECK_OPT_PLURARITY(opt_reset, "reset couldn't be "
>> +				            "defined more than once");
> I prefer if you add something similar to what iproute2 provides:
>
> void duparg2(const char *key, const char *arg)
> {
>          fprintf(stderr, "Error: either \"%s\" is duplicate, or \"%s\" is a garbage.\n", key, arg);
>          exit(-1);
> }
>
> You can probably check:
>
>                          if (zeroctr)
>                                  duparg2("reset", argv[i]);
>
>>   			zeroctr = true;
>>   		} else if (strncmp(argv[i], "xml", strlen(argv[i])) == 0) {
>> +			static int opt_xml;
>> +			CHECK_OPT_PLURARITY(opt_xml, "xml couldn't be defined "
>> +					    "more than once");
> Similar thing here.
>
> I always wanted to get this code more in line iproute2, but failed to
> find the time, later.
>
> So please, do it the way I'm proposing so we start looking into
> converging to iproute2.
ok, but now nfacct doesn't use iprout2, so suggested function should by 
copy-pasted, maybe with modification,
because "is a garbage" I think no necessary.
Do you want to make nfacct code more similar with iproute2 code, to 
merge it in future?

>
> Thanks.
>


-- 
Best regards,
Alexey Perevalov,
Tizen Developer,
phone: +7 (495) 797 25 00 ext 3969
e-mail: a.perevalov@samsung.com <mailto:a.perevalov@samsumng.com>

Mobile group, Samsung R&D Institute Rus
12 Dvintsev street, building 1
127018, Moscow, Russian Federation

Re: [PATCH v3 1/2] nfacct: check cmd line argument for singleness

[Pablo Neira Ayuso]

On Fri, Sep 12, 2014 at 12:24:51PM +0400, Alexey Perevalov wrote:
> On 09/11/2014 08:55 PM, Pablo Neira Ayuso wrote:
> >On Thu, Sep 11, 2014 at 07:50:39PM +0400, Alexey Perevalov wrote:
> >>It was possible to specify several equal options for list operation.
> >>
> >>Signed-off-by: Alexey Perevalov <a.perevalov@samsung.com>
> >>---
> >>  src/nfacct.c |   16 +++++++++++++++-
> >>  1 file changed, 15 insertions(+), 1 deletion(-)
> >>
> >>diff --git a/src/nfacct.c b/src/nfacct.c
> >>index 091a5c9..d77a57e 100644
> >>--- a/src/nfacct.c
> >>+++ b/src/nfacct.c
> >>@@ -25,6 +25,13 @@
> >>  #include <linux/netfilter/nfnetlink_acct.h>
> >>  #include <linux/netfilter/nfnetlink.h>
> >>+#define CHECK_OPT_PLURARITY(opt_name, msg) \
> >>+	opt_name += 1; \
> >>+	if (opt_name > 1) { \
> >>+		nfacct_perror(msg); \
> >>+		return -1; \
> >>+	}
> >>+
> >>  enum {
> >>  	NFACCT_CMD_NONE = 0,
> >>  	NFACCT_CMD_LIST,
> >>@@ -166,6 +173,8 @@ err:
> >>  	return MNL_CB_OK;
> >>  }
> >>+#define NFACCT_F_QUOTAS (NFACCT_F_QUOTA_BYTES | NFACCT_F_QUOTA_PKTS)
> >>+
> >>  static int nfacct_cmd_list(int argc, char *argv[])
> >>  {
> >>  	bool zeroctr = false, xml = false;
> >>@@ -177,8 +186,14 @@ static int nfacct_cmd_list(int argc, char *argv[])
> >>  	for (i=2; i<argc; i++) {
> >>  		if (strncmp(argv[i], "reset", strlen(argv[i])) == 0) {
> >>+			static int opt_reset;
> >>+			CHECK_OPT_PLURARITY(opt_reset, "reset couldn't be "
> >>+				            "defined more than once");
> >I prefer if you add something similar to what iproute2 provides:
> >
> >void duparg2(const char *key, const char *arg)
> >{
> >         fprintf(stderr, "Error: either \"%s\" is duplicate, or \"%s\" is a garbage.\n", key, arg);
> >         exit(-1);
> >}
> >
> >You can probably check:
> >
> >                         if (zeroctr)
> >                                 duparg2("reset", argv[i]);
> >
> >>  			zeroctr = true;
> >>  		} else if (strncmp(argv[i], "xml", strlen(argv[i])) == 0) {
> >>+			static int opt_xml;
> >>+			CHECK_OPT_PLURARITY(opt_xml, "xml couldn't be defined "
> >>+					    "more than once");
> >Similar thing here.
> >
> >I always wanted to get this code more in line iproute2, but failed to
> >find the time, later.
> >
> >So please, do it the way I'm proposing so we start looking into
> >converging to iproute2.
> ok, but now nfacct doesn't use iprout2, so suggested function should
> by copy-pasted, maybe with modification,
> because "is a garbage" I think no necessary.

Right, that was just an example. Actually, duparg (instead of duparg2)
should better fit that.

> Do you want to make nfacct code more similar with iproute2 code, to
> merge it in future?

No for merge, I'm just pointing to it as a coding style reference. The
parser is very simple, error reporting and so on is rather simple, and
it matches with what we have in nfacct.