Re: [iptables] extensions: Add tests and description for xt_quota module

On Tue, Oct 09, 2018 at 04:47:20PM -0700, Maciej Żenczykowski wrote:
> Ah, yes, the (2**64 - 1) + 1 problem.
> 
> The fact max allowed remaining is (2**64 - 2) is perhaps surprising...
> should we clamp? or warn?
> 
> userspace has:
>   if (cb->entry->id == O_REMAIN)  info->remain++;
> should this error out in userspace if we end up at zero?
> 
> +-m quota --quota 18446744073709551615 --remain 18446744073709551614;;FAIL
> 
> this one really should also pass...

:-)

> kernel has:
>   if (atomic64_read(&q->counter) > q->quota + 1)
> this should probably be:
>   if (atomic64_read(&q->counter) && atomic64_read(&q->counter) - 1 > q->quota)
> 
> Also I think there's something ugly with
>  -m quota --quota 18446744073709551614
> vs
>  -m quota --quota 18446744073709551615
> 
> and thus possibly:
>   if (current_count <= skb->len) {
> should actually be
>   if (current_count && current_count <= skb->len) {
> 
> Maybe all of this would actually be easier if we were counting bytes
> used instead of bytes remaining.

I think so. This is still net-next, so no one is using it yet apart
from developers? Probably we can still change this to become
--consumed rather than --remain. I would take patches for nf-next if
you follow that path, no problem.

Thanks.
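The arithmetic behind the thread, as an added example that is not part of the original messages and not the xt_quota code itself: a small userspace model in C (the language of the module) of the two counting schemes being compared. It assumes the "remaining" scheme stores --remain as remain + 1 in a 64-bit counter, as the quoted `info->remain++` line suggests, and it models the proposed "consumed" scheme as a counter that starts at zero and grows toward the quota. The packet trace is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model (not kernel or iptables code) of the two ways of
 * counting a byte quota that the thread compares.
 */

/* "Remaining" encoding: --remain is stored as remain + 1 (assumption from
 * the quoted remain++ line).  Returns false when that increment wraps,
 * i.e. when remain == 2**64 - 1, which is why the largest value this
 * encoding can hold is 2**64 - 2. */
bool encode_remain(uint64_t remain, uint64_t *stored)
{
    uint64_t v = remain + 1;        /* unsigned wrap is well defined in C */
    if (v == 0)
        return false;               /* 2**64 - 1 is not representable */
    *stored = v;
    return true;
}

/* "Consumed" counting: the counter starts at 0 and grows toward quota.
 * A packet matches iff it still fits; non-matching packets consume nothing.
 * Since consumed never exceeds quota, quota - consumed cannot underflow,
 * no +1 trick is needed, and quota = 2**64 - 1 is a valid setting. */
bool consumed_match(uint64_t quota, uint64_t *consumed, uint64_t pkt_len)
{
    if (pkt_len > quota - *consumed)
        return false;
    *consumed += pkt_len;
    return true;
}

/* Run a packet trace through the consumed scheme and return how many
 * packets matched (were charged against the quota). */
size_t count_matched(uint64_t quota, const uint64_t *lens, size_t n)
{
    uint64_t consumed = 0;
    size_t matched = 0;
    for (size_t i = 0; i < n; i++)
        if (consumed_match(quota, &consumed, lens[i]))
            matched++;
    return matched;
}

int main(void)
{
    uint64_t stored;
    printf("remain 2**64-2 encodable: %d\n",
           encode_remain(UINT64_MAX - 1, &stored));
    printf("remain 2**64-1 encodable: %d\n",
           encode_remain(UINT64_MAX, &stored));

    /* constructed trace: three full-size packets and one small one */
    const uint64_t trace[] = { 1500, 1500, 1500, 100 };
    printf("matched with quota 4000: %zu\n", count_matched(4000, trace, 4));

    uint64_t consumed = 0;
    printf("quota 2**64-1 accepts first packet: %d\n",
           consumed_match(UINT64_MAX, &consumed, 1500));
    return 0;
}
```

With a 4000-byte quota the trace matches the first two packets (3000 bytes), rejects the third without charging it, and then accepts the 100-byte packet, so three packets match; the consumed scheme also accepts a quota of 2**64 - 1 outright, which the remain + 1 encoding cannot represent.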
