RE: [PATCH] netfilter: nfnetlink_acct: use flag to reset counters

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




----------------------------------------
> Date: Tue, 29 Jul 2014 18:32:09 +0200
> From: pablo@xxxxxxxxxxxxx
> To: a.perevalov@xxxxxxxxxxx
> CC: kyungmin.park@xxxxxxxxxxx; hs81.go@xxxxxxxxxxx; netfilter-devel@xxxxxxxxxxxxxxx; alexey.perevalov@xxxxxxxxxxx; mathieu.poirier@xxxxxxxxxx
> Subject: Re: [PATCH] netfilter: nfnetlink_acct: use flag to reset counters
>
> On Tue, Jul 29, 2014 at 03:46:00PM +0400, Alexey Perevalov wrote:
> [...]
>>>>@@ -143,7 +157,9 @@ nfnl_acct_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
>>>> if (nla_put_string(skb, NFACCT_NAME, acct->name))
>>>> goto nla_put_failure;
>>>>- if (type == NFNL_MSG_ACCT_GET_CTRZERO) {
>>>>+ if (type == NFNL_MSG_ACCT_GET_CTRZERO &&
>>>>+ (!nfacct_flags || is_counters_reset(nfacct_flags, acct->flags) ||
>>>>+ is_quotas_reset(nfacct_flags, acct->flags))) {
>>>Replacing this:
>>>
>>> acct->flags & nfacct_flags == nfacct_flags
>>>
>>>I think it should be enough.
>>>
>> Yes, agree, but how to be with just counters without a quota,
>> at first look it should be
>> #define NFACCT_F_COUNTER ~(NFACCT_F_QUOTA_PKTS |
>> NFACCT_F_QUOTA_BYTES | NFACCT_F_OVERQUOTA)
>
> Right. I get the problem, what I proposed is not enough.
>
> We can extend this in a more flexible way to allow better filtering
> from userspace, eg.
>
> NFACCT_FLAGS_FILTER (nest)
> NFACCT_VALUE (u32)
> NFACCT_MASK (u32)
>
> The use the value and the mask to perform:
>
> value & filter->mask == filter->data
>
> Where filter comes from netlink cb->data.
>
> Please, see this thread:
>
> http://www.spinics.net/lists/netfilter-devel/msg32173.html
>
> The idea is very similar. We should only have one single key after
> your patch to filter by flags.
>
> Is this OK for your needs?
I think yes, due filter mechanism should be extendible. As an example,
also I don't want to  receive not yet touched counters (which has 0 bytes).

>
>> Also I decided to put such condition not into nfnl_acct_fill_info,
>> but directly into nfnl_acct_dump, it will make this feature more
>> general,
>> client will get ability to filter it not only for reset command, but
>> also for list command, also nfnl_acct_fill_info is using in many
>> places, e.g.
>> just get command or nfnl_overquota_report.
>
> Right, the filtering should be generic for both list and reset
> commands.
>
>> And finally, I found strange approach for working with
>> NFACCT_F_OVERQUOTA (value 1 << 2, 4), in nfnl_acct_overquota the
>> test_and_set_bit function is used, which wants
>> Nth bit, and that Nth bit is 4, but not 2. Clearing is fine
>> clear_bit accept Nth bit as well,
>> but nfnl_acct_new gets from netlink attribute NFACCT_F_OVERQUOTA not
>> as offset value.
>
> That's a bug. Would you also send a separated patch for that, please?
Ok, but I need to know you opinion. My opinion is following:
if you have 1st, 2nd, 3rd bit for flags, you should use 1st,  2nd, 3rd, and using power of 2
not robust, I think bug was hidden due it was the latest bit. But on other hand, usage of set_bit and clear_bit looks
really perfect. So right now user/kernel space serialization is using NFACCT_F_QUOTA_PKTS|BYTES their values are 1 and 2, I think it's not too late to change the value of enum nfnl_acct_flags to sequential number, but not power of 2 and then use bit helper functions.
But you could stay on old used approach, power of 2 in enum and no bit helpers.

>
>> I took a look at it because of:
>> 1. It's not convenient to keep combined bit set for
>> NFACCT_F_COUNTER, because NFACCT_F_OVERQUOTA not what we have in
>> acct->flags. Of course if you not against such bit set.
>> 2. nlnf_overquata_report sends to user space _forth_ activated bit,
>> but not _second_ for NFACCT_F_OVERQUOTA, but
>> NFACCT_F_QUOTA_[BYTES|PKTS] was being sent as is. Output of the
>> nfacct, after overquota event occurred, not so clear, in case of
>> bytes quota it's just changing to package. It's not a big deal to
>> fix it to print "overquoted", but I feel it's better to use some
>> unified method to set bits.
>
> That's inconsistent and this of course needs a fix. Patch? Thanks
No problem. 
 		 	   		  --
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux