* [PATCH v4 1/2] nfacct: check cmd line argument for singleness
From: Alexey Perevalov @ 2014-09-12 10:56 UTC (permalink / raw)
To: pablo
Cc: Alexey Perevalov, alexey.perevalov, netfilter-devel,
kyungmin.park, hs81.go
It was possible to specify the same option several times for the list operation.
Signed-off-by: Alexey Perevalov <a.perevalov@samsung.com>
---
src/nfacct.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/src/nfacct.c b/src/nfacct.c
index 091a5c9..e58b9af 100644
--- a/src/nfacct.c
+++ b/src/nfacct.c
@@ -63,6 +63,13 @@ static void nfacct_perror(const char *msg)
}
}
+static void duparg(const char *key)
+{
+ fprintf(stderr, "Error: duplicate \"%s\" or collision with another "
+ "option \n", key);
+ exit(EXIT_FAILURE);
+}
+
int main(int argc, char *argv[])
{
int cmd = NFACCT_CMD_NONE, ret = 0;
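Review bot: The message literal in `duparg()` ends with a stray space before the newline (`"option \n"`) and is split across two source lines, which makes it harder to grep for; `"Error: duplicate \"%s\" or collision with another option\n"` on one line reads better. The helper also calls `exit()` directly, while the unknown-argument path visible in the next hunk reports through `nfacct_perror()` and returns -1, so the two error paths leave the program differently. A short comment above `duparg()` such as `/* Report a repeated or conflicting option and exit; does not return. */` would make that explicit.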
@@ -177,8 +184,12 @@ static int nfacct_cmd_list(int argc, char *argv[])
for (i=2; i<argc; i++) {
if (strncmp(argv[i], "reset", strlen(argv[i])) == 0) {
+ if (zeroctr)
+ duparg(argv[i]);
zeroctr = true;
} else if (strncmp(argv[i], "xml", strlen(argv[i])) == 0) {
+ if (xml)
+ duparg(argv[i]);
xml = true;
} else {
nfacct_perror("unknown argument");
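Review bot: The new duplicate guards sit behind a match that accepts an empty argument: `strncmp(argv[i], "reset", strlen(argv[i]))` compares zero bytes when `argv[i]` is `""` and returns 0, so `nfacct list ""` takes the `reset` branch and sets `zeroctr`. That flag appears to select the counter-zeroing request later in the function, so a blank argument (for example a quoted, unset shell variable in a script) should be rejected before any comparison, e.g. `if (argv[i][0] == '\0') { nfacct_perror("unknown argument"); return -1; }` at the top of the loop body. The loop and the rest of `nfacct_cmd_list()` continue outside this hunk.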
--
1.7.9.5
* [PATCH v4 2/2] nfacct: add filter in to the list operation
From: Alexey Perevalov @ 2014-09-12 10:56 UTC (permalink / raw)
To: pablo
Cc: Alexey Perevalov, alexey.perevalov, netfilter-devel,
kyungmin.park, hs81.go
Filter feature is working through NFACCT_FILTER netlink attribute.
If kernel doesn't support it, client will not get an error
and silently will work as before.
This patch adds the following command line arguments: counters, overquota,
quota-byte, quota-packet, which can be used with the list operation.
Combining these command line options is not allowed.
For example.
user@root:/#nfacct list counters
will show counters without byte/packet based quota
user@root:/#nfacct list reset overquota
will reset value for overquoted counters only
Signed-off-by: Alexey Perevalov <a.perevalov@samsung.com>
---
include/linux/netfilter/nfnetlink_acct.h | 8 ++++++++
src/nfacct.c | 33 ++++++++++++++++++++++++++++++
2 files changed, 41 insertions(+)
diff --git a/include/linux/netfilter/nfnetlink_acct.h b/include/linux/netfilter/nfnetlink_acct.h
index 44dcd17..6c99213 100644
--- a/include/linux/netfilter/nfnetlink_acct.h
+++ b/include/linux/netfilter/nfnetlink_acct.h
@@ -28,10 +28,18 @@ enum nfnl_acct_type {
NFACCT_USE,
NFACCT_FLAGS,
NFACCT_QUOTA,
+ NFACCT_FILTER,
__NFACCT_MAX
};
#define NFACCT_MAX (__NFACCT_MAX - 1)
+enum nfnl_attr_filter_type {
+ NFACCT_FILTER_UNSPEC,
+ NFACCT_FILTER_MASK,
+ NFACCT_FILTER_VALUE,
+ __NFACCT_FILTER_MAX
+};
+
#ifdef __KERNEL__
struct nf_acct;
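Review bot: `enum nfnl_attr_filter_type` ends with `__NFACCT_FILTER_MAX` but, unlike `nfnl_acct_type` just above it, gets no public maximum. Adding `#define NFACCT_FILTER_MAX (__NFACCT_FILTER_MAX - 1)` after the enum keeps the two attribute sets parallel and gives any parser of the nested attribute a bound for its attribute table. A one-line comment on `NFACCT_FILTER` saying that it is a nested attribute carrying `NFACCT_FILTER_MASK` and `NFACCT_FILTER_VALUE` would also help, since the nesting is only visible in src/nfacct.c.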
diff --git a/src/nfacct.c b/src/nfacct.c
index e58b9af..014aa6f 100644
--- a/src/nfacct.c
+++ b/src/nfacct.c
@@ -19,6 +19,7 @@
#include <unistd.h>
#include <time.h>
#include <errno.h>
+#include <arpa/inet.h>
#include <libmnl/libmnl.h>
#include <libnetfilter_acct/libnetfilter_acct.h>
@@ -173,6 +174,8 @@ err:
return MNL_CB_OK;
}
+#define NFACCT_F_QUOTAS (NFACCT_F_QUOTA_BYTES | NFACCT_F_QUOTA_PKTS)
+
static int nfacct_cmd_list(int argc, char *argv[])
{
bool zeroctr = false, xml = false;
@@ -181,6 +184,7 @@ static int nfacct_cmd_list(int argc, char *argv[])
struct nlmsghdr *nlh;
unsigned int seq, portid;
int ret, i;
+ uint32_t mask = 0, value = 0;
for (i=2; i<argc; i++) {
if (strncmp(argv[i], "reset", strlen(argv[i])) == 0) {
@@ -191,6 +195,29 @@ static int nfacct_cmd_list(int argc, char *argv[])
if (xml)
duparg(argv[i]);
xml = true;
+ } else if (strncmp(argv[i], "counters", strlen(argv[i])) == 0) {
+ if (mask || value)
+ duparg(argv[i]);
+ mask = NFACCT_F_QUOTAS;
+ value = 0; /* counters isn't quotas */
+ } else if (strncmp(argv[i], "quota-byte", strlen(argv[i]))
+ == 0) {
+ if (mask || value)
+ duparg(argv[i]);
+ mask = NFACCT_F_QUOTA_BYTES;
+ value = NFACCT_F_QUOTA_BYTES;
+ } else if (strncmp(argv[i], "quota-packet", strlen(argv[i]))
+ == 0) {
+ if (mask || value)
+ duparg(argv[i]);
+ mask = NFACCT_F_QUOTA_PKTS;
+ value = NFACCT_F_QUOTA_PKTS;
+ } else if (strncmp(argv[i], "overquota", strlen(argv[i]))
+ == 0) {
+ if (mask || value)
+ duparg(argv[i]);
+ mask = NFACCT_F_OVERQUOTA;
+ value = NFACCT_F_OVERQUOTA;
} else {
nfacct_perror("unknown argument");
return -1;
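Review bot: The four new branches never say how `mask` and `value` are interpreted, and the only comment (`/* counters isn't quotas */`) does not explain why `value` is 0 in the `counters` case. Presumably the kernel lists an object when `(flags & mask) == value`; if that is confirmed, a comment above the branches such as `/* filter: an object is listed when (flags & mask) == value */` would make each assignment readable. Every branch sets `mask` to a flag constant (assuming the NFACCT_F_* values are non-zero), so the guard could be `if (mask)` rather than `if (mask || value)`. The enclosing loop starts and ends outside this hunk.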
@@ -202,6 +229,12 @@ static int nfacct_cmd_list(int argc, char *argv[])
NFNL_MSG_ACCT_GET_CTRZERO :
NFNL_MSG_ACCT_GET,
NLM_F_DUMP, seq);
+ if (mask || value) {
+ struct nlattr *nest = mnl_attr_nest_start(nlh, NFACCT_FILTER);
+ mnl_attr_put_u32(nlh, NFACCT_FILTER_MASK, htonl(mask));
+ mnl_attr_put_u32(nlh, NFACCT_FILTER_VALUE, htonl(value));
+ mnl_attr_nest_end(nlh, nest);
+ }
nl = mnl_socket_open(NETLINK_NETFILTER);
if (nl == NULL) {
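Review bot: When the filter block here is combined with `reset`, a kernel that ignores `NFACCT_FILTER` will zero every counter instead of the filtered subset. The commit description itself says such a kernel returns no error and works as before, and the request type just above is still `NFNL_MSG_ACCT_GET_CTRZERO`, so `nfacct list reset overquota` would silently discard accounting data the user meant to keep. At minimum the block deserves a comment such as `/* kernels without NFACCT_FILTER ignore this attribute: "list reset <filter>" then resets all objects */`. It would be safer to refuse `zeroctr` together with a filter unless kernel support can be confirmed, or to print a warning on stderr before sending. `nfacct_cmd_list()` continues outside this hunk.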
--
1.7.9.5
* Re: [PATCH v4 0/2] nfacct: add filter in to the list operation
From: Pablo Neira Ayuso @ 2014-09-15 16:45 UTC (permalink / raw)
To: Alexey Perevalov
Cc: alexey.perevalov, netfilter-devel, kyungmin.park, hs81.go
On Fri, Sep 12, 2014 at 02:56:56PM +0400, Alexey Perevalov wrote:
> Hello Pablo,
>
> It's fourth version of patch for filtering, but also with fix for argument
> singleness.
Applied, thanks Alexey.
I have also made some mostly cosmetic changes to it:
- Avoid line break at 80 chars in strncmp(). We can replace strncmp by
a new function that takes only two parameters, then avoid the line
break.
- Removed NFACCT_F_QUOTAS, it's only used once. We can introduce this
later if we have more spots where we can use it.
- Rename quota-bytes to bytes-quota and quota-packets to pkts-quota.
The reason for this is that nfacct allows shortened syntax, eg.
nfacct l r
which is actually 'list reset'. By swapping the words, we can now use:
nfacct l r p
which only resets packet-based quotas.