On 07/25/2014 08:01 PM, Pablo Neira Ayuso wrote:
Hi Alexey,
On Fri, Jul 25, 2014 at 12:05:12PM +0400, Alexey Perevalov wrote:
Hello Pablo and Mathieu.
I would like to thank you for quota with notification implementation
in nfacct.
But also I want to discuss about resetting counters value. Right now
nfacct has 2 way to get counter
NFNL_MSG_ACCT_GET and NFNL_MSG_ACCT_GET_CTRZERO, last one is
intended to nullify accumulated counter.
It resets counters with and without populated quota value. After
commit 683399eddb nfacct really operates
with 2 different entities: pure counter and quota based counter. If
so, why not to operate with it separately,
maybe by some filter (flag).
Also it was strange for me, why reset is not a command of command
line tool nfacct, like get? Ok, if it's an argument of get, why not
it's a flag (attribute) in netlink serialization?
Why I'm asking such questions. My use case requires periodic reset
of the counters, also I have quota based counters and I don't want
to reset them.
I could work around it from user space, for example, I could get
quota based counter before I'm going to reset counters, delete it
and key it in after counters reset. As you could see too much
operations. Or I could could avoid reseting, but in this case I need
to operates with deltas in user space and it's not robust in
situation when my daemon is restarting. Every variant in user space
leads to more run time complexity.
And my final question, will you accept a patch, which will move
CTRZERO to netlink attribute and CTRZERO will be expanded to
CTRZERO_OVERAL, CTRZERO_COUNTER and CTRZERO_QUOTA? For both kernel
side and user space part (nfacct tool with libraries).
You can make a patch that uses NFACCT_FLAGS in the nfnl_acct_get()
path to specify the filtering criteria. In the nfnl_acct_get() path,
you can use c->data in struct netlink_dump_control to attach the
filter, which needs to be allocated before the dump_start() call and
released through the dump_done() callback. If no NFACCT_FLAGS are
specified, no filter is specified and all counters should be cleared
as it happens now.
Thank you Pablo for such detailed advice, I hope I'll send patches next
week.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
