netfilter: nfnetlink_acct: Adding quota support to accounting framework

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

nfacct objects already support accounting at the byte and packet
level. As such it is a natural extension to add the possiblity to
define a ceiling limit for both metrics.

All the support for quotas itself is added to nfnetlink acctounting
framework to stay coherent with current accounting object management.
Quota limit checks are implemented in xt_nfacct filter where
statistic collection is already done.

Pablo Neira Ayuso has also contributed to this feature.

Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

authored by

Mathieu Poirier and committed by

Pablo Neira Ayuso 12 years ago 683399ed 1404c3ab

+107 -2

5 changed files

expand all

include

linux

netfilter

nfnetlink_acct.h

uapi

linux

netfilter

nfnetlink.h

nfnetlink_acct.h

net

netfilter

nfnetlink_acct.c

xt_nfacct.c

+7 -1

include/linux/netfilter/nfnetlink_acct.h

··· 3 3 4 4 #include <uapi/linux/netfilter/nfnetlink_acct.h> 5 5 6 + enum { 7 + NFACCT_NO_QUOTA = -1, 8 + NFACCT_UNDERQUOTA, 9 + NFACCT_OVERQUOTA, 10 + }; 6 11 7 12 struct nf_acct; 8 13 9 14 struct nf_acct *nfnl_acct_find_get(const char *filter_name); 10 15 void nfnl_acct_put(struct nf_acct *acct); 11 16 void nfnl_acct_update(const struct sk_buff *skb, struct nf_acct *nfacct); 12 - 17 + extern int nfnl_acct_overquota(const struct sk_buff *skb, 18 + struct nf_acct *nfacct); 13 19 #endif /* _NFNL_ACCT_H */

include/uapi/linux/netfilter/nfnetlink.h

··· 20 20 #define NFNLGRP_CONNTRACK_EXP_DESTROY NFNLGRP_CONNTRACK_EXP_DESTROY 21 21 NFNLGRP_NFTABLES, 22 22 #define NFNLGRP_NFTABLES NFNLGRP_NFTABLES 23 + NFNLGRP_ACCT_QUOTA, 24 + #define NFNLGRP_ACCT_QUOTA NFNLGRP_ACCT_QUOTA 23 25 __NFNLGRP_MAX, 24 26 }; 25 27 #define NFNLGRP_MAX (__NFNLGRP_MAX - 1)

include/uapi/linux/netfilter/nfnetlink_acct.h

··· 10 10 NFNL_MSG_ACCT_GET, 11 11 NFNL_MSG_ACCT_GET_CTRZERO, 12 12 NFNL_MSG_ACCT_DEL, 13 + NFNL_MSG_ACCT_OVERQUOTA, 13 14 NFNL_MSG_ACCT_MAX 15 + }; 16 + 17 + enum nfnl_acct_flags { 18 + NFACCT_F_QUOTA_PKTS = (1 << 0), 19 + NFACCT_F_QUOTA_BYTES = (1 << 1), 20 + NFACCT_F_OVERQUOTA = (1 << 2), /* can't be set from userspace */ 14 21 }; 15 22 16 23 enum nfnl_acct_type { ··· 26 19 NFACCT_PKTS, 27 20 NFACCT_BYTES, 28 21 NFACCT_USE, 22 + NFACCT_FLAGS, 23 + NFACCT_QUOTA, 29 24 __NFACCT_MAX 30 25 }; 31 26 #define NFACCT_MAX (__NFACCT_MAX - 1)

+85

net/netfilter/nfnetlink_acct.c

··· 32 32 struct nf_acct { 33 33 atomic64_t pkts; 34 34 atomic64_t bytes; 35 + unsigned long flags; 35 36 struct list_head head; 36 37 atomic_t refcnt; 37 38 char name[NFACCT_NAME_MAX]; 38 39 struct rcu_head rcu_head; 40 + char data[0]; 39 41 }; 42 + 43 + #define NFACCT_F_QUOTA (NFACCT_F_QUOTA_PKTS | NFACCT_F_QUOTA_BYTES) 40 44 41 45 static int 42 46 nfnl_acct_new(struct sock *nfnl, struct sk_buff *skb, ··· 48 44 { 49 45 struct nf_acct *nfacct, *matching = NULL; 50 46 char *acct_name; 47 + unsigned int size = 0; 48 + u32 flags = 0; 51 49 52 50 if (!tb[NFACCT_NAME]) 53 51 return -EINVAL; ··· 74 68 /* reset counters if you request a replacement. */ 75 69 atomic64_set(&matching->pkts, 0); 76 70 atomic64_set(&matching->bytes, 0); 71 + smp_mb__before_clear_bit(); 72 + /* reset overquota flag if quota is enabled. */ 73 + if ((matching->flags & NFACCT_F_QUOTA)) 74 + clear_bit(NFACCT_F_OVERQUOTA, &matching->flags); 77 75 return 0; 78 76 } 79 77 return -EBUSY; 80 78 } 81 79 82 80 nfacct = kzalloc(sizeof(struct nf_acct), GFP_KERNEL); 81 + if (tb[NFACCT_FLAGS]) { 82 + flags = ntohl(nla_get_be32(tb[NFACCT_FLAGS])); 83 + if (flags & ~NFACCT_F_QUOTA) 84 + return -EOPNOTSUPP; 85 + if ((flags & NFACCT_F_QUOTA) == NFACCT_F_QUOTA) 86 + return -EINVAL; 87 + if (flags & NFACCT_F_OVERQUOTA) 88 + return -EINVAL; 89 + 90 + size += sizeof(u64); 91 + } 92 + 93 + nfacct = kzalloc(sizeof(struct nf_acct) + size, GFP_KERNEL); 83 94 if (nfacct == NULL) 84 95 return -ENOMEM; 96 + 97 + if (flags & NFACCT_F_QUOTA) { 98 + u64 *quota = (u64 *)nfacct->data; 99 + 100 + *quota = be64_to_cpu(nla_get_be64(tb[NFACCT_QUOTA])); 101 + nfacct->flags = flags; 102 + } 85 103 86 104 strncpy(nfacct->name, nla_data(tb[NFACCT_NAME]), NFACCT_NAME_MAX); 87 105 ··· 147 117 if (type == NFNL_MSG_ACCT_GET_CTRZERO) { 148 118 pkts = atomic64_xchg(&acct->pkts, 0); 149 119 bytes = atomic64_xchg(&acct->bytes, 0); 120 + smp_mb__before_clear_bit(); 121 + if (acct->flags & NFACCT_F_QUOTA) 122 + clear_bit(NFACCT_F_OVERQUOTA, &acct->flags); 150 123 } else { 151 124 pkts = atomic64_read(&acct->pkts); 152 125 bytes = atomic64_read(&acct->bytes); ··· 158 125 nla_put_be64(skb, NFACCT_BYTES, cpu_to_be64(bytes)) || 159 126 nla_put_be32(skb, NFACCT_USE, htonl(atomic_read(&acct->refcnt)))) 160 127 goto nla_put_failure; 128 + if (acct->flags & NFACCT_F_QUOTA) { 129 + u64 *quota = (u64 *)acct->data; 161 130 131 + if (nla_put_be32(skb, NFACCT_FLAGS, htonl(acct->flags)) || 132 + nla_put_be64(skb, NFACCT_QUOTA, cpu_to_be64(*quota))) 133 + goto nla_put_failure; 134 + } 162 135 nlmsg_end(skb, nlh); 163 136 return skb->len; 164 137 ··· 309 270 [NFACCT_NAME] = { .type = NLA_NUL_STRING, .len = NFACCT_NAME_MAX-1 }, 310 271 [NFACCT_BYTES] = { .type = NLA_U64 }, 311 272 [NFACCT_PKTS] = { .type = NLA_U64 }, 273 + [NFACCT_FLAGS] = { .type = NLA_U32 }, 274 + [NFACCT_QUOTA] = { .type = NLA_U64 }, 312 275 }; 313 276 314 277 static const struct nfnl_callback nfnl_acct_cb[NFNL_MSG_ACCT_MAX] = { ··· 376 335 atomic64_add(skb->len, &nfacct->bytes); 377 336 } 378 337 EXPORT_SYMBOL_GPL(nfnl_acct_update); 338 + 339 + static void nfnl_overquota_report(struct nf_acct *nfacct) 340 + { 341 + int ret; 342 + struct sk_buff *skb; 343 + 344 + skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC); 345 + if (skb == NULL) 346 + return; 347 + 348 + ret = nfnl_acct_fill_info(skb, 0, 0, NFNL_MSG_ACCT_OVERQUOTA, 0, 349 + nfacct); 350 + if (ret <= 0) { 351 + kfree_skb(skb); 352 + return; 353 + } 354 + netlink_broadcast(init_net.nfnl, skb, 0, NFNLGRP_ACCT_QUOTA, 355 + GFP_ATOMIC); 356 + } 357 + 358 + int nfnl_acct_overquota(const struct sk_buff *skb, struct nf_acct *nfacct) 359 + { 360 + u64 now; 361 + u64 *quota; 362 + int ret = NFACCT_UNDERQUOTA; 363 + 364 + /* no place here if we don't have a quota */ 365 + if (!(nfacct->flags & NFACCT_F_QUOTA)) 366 + return NFACCT_NO_QUOTA; 367 + 368 + quota = (u64 *)nfacct->data; 369 + now = (nfacct->flags & NFACCT_F_QUOTA_PKTS) ? 370 + atomic64_read(&nfacct->pkts) : atomic64_read(&nfacct->bytes); 371 + 372 + ret = now > *quota; 373 + 374 + if (now >= *quota && 375 + !test_and_set_bit(NFACCT_F_OVERQUOTA, &nfacct->flags)) { 376 + nfnl_overquota_report(nfacct); 377 + } 378 + 379 + return ret; 380 + } 381 + EXPORT_SYMBOL_GPL(nfnl_acct_overquota); 379 382 380 383 static int __init nfnl_acct_init(void) 381 384 {

+4 -1

net/netfilter/xt_nfacct.c

··· 21 21 22 22 static bool nfacct_mt(const struct sk_buff *skb, struct xt_action_param *par) 23 23 { 24 + int overquota; 24 25 const struct xt_nfacct_match_info *info = par->targinfo; 25 26 26 27 nfnl_acct_update(skb, info->nfacct); 27 28 28 - return true; 29 + overquota = nfnl_acct_overquota(skb, info->nfacct); 30 + 31 + return overquota == NFACCT_UNDERQUOTA ? false : true; 29 32 } 30 33 31 34 static int