Closed ProjectIcarusX closed 10 months ago
Hi @ProjectIcarusX,
from the following output:
$ nft add table inet quota_demo
$ nft --debug=mnl add quota inet quota_demo q_test { over 100 mbytes \; comment "test" }
---------------- ------------------
| 0000000020 | | message length |
| 02576 | R--- | | type | flags |
| 0000000000 | | sequence number|
| 0000000000 | | port ID |
---------------- ------------------
| 00 00 00 00 | | extra header |
---------------- ------------------
---------------- ------------------
| 0000000020 | | message length |
| 02561 | R--- | | type | flags |
| 0000000000 | | sequence number|
| 0000000000 | | port ID |
---------------- ------------------
| 00 00 00 00 | | extra header |
---------------- ------------------
---------------- ------------------
| 0000000020 | | message length |
| 02576 | R--- | | type | flags |
| 0000000000 | | sequence number|
| 0000000000 | | port ID |
---------------- ------------------
| 00 00 00 00 | | extra header |
---------------- ------------------
---------------- ------------------
| 0000000020 | | message length |
| 00016 | R--- | | type | flags |
| 0000000000 | | sequence number|
| 0000000000 | | port ID |
---------------- ------------------
| 00 00 00 0a | | extra header |
---------------- ------------------
---------------- ------------------
| 0000000104 | | message length |
| 02578 | R--- | | type | flags |
| 0000000001 | | sequence number|
| 0000000000 | | port ID |
---------------- ------------------
| 01 00 00 00 | | extra header |
|00015|--|00001| |len |flags| type|
| 71 75 6f 74 | | data | q u o t
| 61 5f 64 65 | | data | a _ d e
| 6d 6f 00 00 | | data | m o
|00011|--|00002| |len |flags| type|
| 71 5f 74 65 | | data | q _ t e
| 73 74 00 00 | | data | s t
|00008|--|00003| |len |flags| type|
| 00 00 00 02 | | data |
|00011|--|00008| |len |flags| type|
| 00 05 74 65 | | data | t e
| 73 74 00 00 | | data | s t
|00036|N-|00004| |len |flags| type|
|00012|--|00001| |len |flags| type|
| 00 00 00 00 | | data |
| 06 40 00 00 | | data | @
|00012|--|00004| |len |flags| type|
| 00 00 00 00 | | data |
| 00 00 00 00 | | data |
|00008|--|00002| |len |flags| type|
| 00 00 00 01 | | data |
---------------- ------------------
---------------- ------------------
| 0000000020 | | message length |
| 00017 | R--- | | type | flags |
| 0000000002 | | sequence number|
| 0000000000 | | port ID |
---------------- ------------------
| 00 00 00 0a | | extra header |
---------------- ------------------
The netlink message corresponds to nft_object_attributes
as specified here:
https://git.netfilter.org/libnftnl/tree/include/linux/netfilter/nf_tables.h?id=3eaa940bc33a3186dc7ba1e30640ec79b5f261b9#n1637
Dissection of the netlink message:
|00015|--|00001| quota_demo\x00\x00 --> NFTA_OBJ_TABLE
|00011|--|00002| q_test\x00\x00 --> NFTA_OBJ_NAME
|00008|--|00003| \x00\x00\x00\x02 --> NFTA_OBJ_TYPE (value 2 = NFT_OBJECT_QUOTA)
|00011|--|00008| \x00\x05test\x00\x00 --> NFTA_OBJ_USERDATA (TLV struct for quota name)
|00036|N-|00004| --> NFTA_OBJ_DATA (NLA_NESTED, holds nft_quota_attributes struct)
|00012|--|00001| \x00\x00\x00\x00\x06\x40\x00\x00 --> NFTA_QUOTA_BYTES (0x06400000 = 104857600 B = 100 MB)
|00012|--|00004| \x00\x00\x00\x00\x00\x00\x00\x00 --> NFTA_QUOTA_CONSUMED (0)
|00008|--|00002| \x00\x00\x00\x01 --> NFTA_QUOTA_FLAGS (1 = NFT_QUOTA_F_INV)
---------------- ------------------
As far as I can see in the nftables Go code, this expression is not currently implemented. You can implement it and send a PR if you want; otherwise I can look into it in the next few weeks.
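The dissection above, carried out in code, as an added example that is not part of the original comment or of the nftables Go library. `Quota`, `attrs` and `ParseQuota` are hypothetical names, and the payload is the attribute bytes retyped from the dump, assuming a little-endian host.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// Constructed input: the message's attribute bytes from the dump (little-endian host).
var payload = []byte("\x0f\x00\x01\x00quota_demo\x00\x00" + "\x0b\x00\x02\x00q_test\x00\x00" +
	"\x08\x00\x03\x00\x00\x00\x00\x02" + "\x0b\x00\x08\x00\x00\x05test\x00\x00" +
	"\x24\x00\x04\x80" + "\x0c\x00\x01\x00\x00\x00\x00\x00\x06\x40\x00\x00" +
	"\x0c\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x08\x00\x02\x00\x00\x00\x00\x01")

// Quota is a hypothetical result type, not part of the nftables Go library.
type Quota struct {
	Table, Name            string
	Bytes, Consumed, Flags uint64
}

// attrs splits b into attributes keyed by type; malformed lengths are rejected.
func attrs(b []byte) (map[uint16][]byte, error) {
	m := map[uint16][]byte{}
	for off, l := 0, 0; off+4 <= len(b); off += (l + 3) &^ 3 { // values pad to 4 bytes
		l = int(binary.LittleEndian.Uint16(b[off:]))
		if l < 4 || off+l > len(b) {
			return nil, fmt.Errorf("bad attribute length %d at offset %d", l, off)
		}
		m[binary.LittleEndian.Uint16(b[off+2:])&0x3fff] = b[off+4 : off+l] // drop NLA_F_NESTED
	}
	return m, nil
}

// ParseQuota decodes the object and its nested NFTA_OBJ_DATA, as dissected above.
func ParseQuota(b []byte) (q Quota, err error) {
	be := binary.BigEndian // nf_tables attribute values are big-endian
	obj, err := attrs(b)
	d, derr := attrs(obj[4]) // NFTA_OBJ_DATA; if attrs(b) failed, obj[4] is simply nil
	if err != nil || derr != nil || len(obj[3]) != 4 || be.Uint32(obj[3]) != 2 ||
		len(d[1]) != 8 || len(d[4]) != 8 || len(d[2]) != 4 {
		return q, fmt.Errorf("not a well-formed NFT_OBJECT_QUOTA message")
	}
	q.Table = string(bytes.TrimRight(obj[1], "\x00")) // NFTA_OBJ_TABLE
	q.Name = string(bytes.TrimRight(obj[2], "\x00"))  // NFTA_OBJ_NAME
	q.Bytes, q.Consumed, q.Flags = be.Uint64(d[1]), be.Uint64(d[4]), uint64(be.Uint32(d[2]))
	return q, nil
}

func main() { fmt.Println(ParseQuota(payload)) }
```

This sketch insists on all three nested attributes because that is what nft sent in this dump; it also rejects a truncated buffer or a non-quota object type instead of reading past the end.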
Hi,
Is it possible to add/create/list/delete named quotas through the library? Also, is it possible to use them as map values? NFTables supports them and they can be added through the CLI. The library currently lists maps with quota values as normal sets with value undefined.