summaryrefslogtreecommitdiffstats
path: root/include
diff options
context:
space:
mode:
authorMathieu Poirier <mathieu.poirier@linaro.org>2014-04-20 18:58:16 -0600
committerPablo Neira Ayuso <pablo@netfilter.org>2014-04-24 12:46:17 +0200
commitba16753ccb2c72041fb33678ddbafeecde3996e3 (patch)
treeb375556c4153da90cf8a6fe81104ece2f860760a /include
parent1199b76dd09a07c87446894f762f1cddd8c07fbf (diff)
nfacct: adding quota capabilities
The accounting framework now supports quota at the packet and byte level. The tool is simply enhanced with two optional arguments to specify the whether accounting for byte of packet and the limit associated with each. Also adding a monitor mode that listens for quota attainment notification. Examples: /* create an accounting object that isn't associated to a quota */ $ nfacct add first_no_quota /* create a quota object with byte count limited to 50 byte */ $ nfacct add second_quota byte 50 /* create a quota object with packet count limited to 5 */ $ nfacct add third_quota packet 5 From there the accounting objects can be used in iptables the same way as they did before: /* limit the number of icmp packets allowed through the OUTPUT chain */ $ iptables -I OUTPUT -p icmp -m nfacct --nfacct-name third_quota -j REJECT /* listening for quota attainment notification */ $ nfacct monitor Everything else works the same way. Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include')
-rw-r--r--include/linux/netfilter/nfnetlink.h4
-rw-r--r--include/linux/netfilter/nfnetlink_acct.h9
2 files changed, 13 insertions, 0 deletions
diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h
index b64454c..ea27bb6 100644
--- a/include/linux/netfilter/nfnetlink.h
+++ b/include/linux/netfilter/nfnetlink.h
@@ -18,6 +18,10 @@ enum nfnetlink_groups {
#define NFNLGRP_CONNTRACK_EXP_UPDATE NFNLGRP_CONNTRACK_EXP_UPDATE
NFNLGRP_CONNTRACK_EXP_DESTROY,
#define NFNLGRP_CONNTRACK_EXP_DESTROY NFNLGRP_CONNTRACK_EXP_DESTROY
+ NFNLGRP_NFTABLES,
+#define NFNLGRP_NFTABLES NFNLGRP_NFTABLES
+ NFNLGRP_ACCT_QUOTA,
+#define NFNLGRP_ACCT_QUOTA NFNLGRP_ACCT_QUOTA
__NFNLGRP_MAX,
};
#define NFNLGRP_MAX (__NFNLGRP_MAX - 1)
diff --git a/include/linux/netfilter/nfnetlink_acct.h b/include/linux/netfilter/nfnetlink_acct.h
index 7c4279b..44dcd17 100644
--- a/include/linux/netfilter/nfnetlink_acct.h
+++ b/include/linux/netfilter/nfnetlink_acct.h
@@ -10,15 +10,24 @@ enum nfnl_acct_msg_types {
NFNL_MSG_ACCT_GET,
NFNL_MSG_ACCT_GET_CTRZERO,
NFNL_MSG_ACCT_DEL,
+ NFNL_MSG_ACCT_OVERQUOTA,
NFNL_MSG_ACCT_MAX
};
+enum nfnl_acct_flags {
+ NFACCT_F_QUOTA_PKTS = (1 << 0),
+ NFACCT_F_QUOTA_BYTES = (1 << 1),
+ NFACCT_F_OVERQUOTA = (1 << 2), /* can't be set from userspace */
+};
+
enum nfnl_acct_type {
NFACCT_UNSPEC,
NFACCT_NAME,
NFACCT_PKTS,
NFACCT_BYTES,
NFACCT_USE,
+ NFACCT_FLAGS,
+ NFACCT_QUOTA,
__NFACCT_MAX
};
#define NFACCT_MAX (__NFACCT_MAX - 1)