Re: [libvirt] [PATCH V4] nwfilter: Add support for ipset
On 05/14/2012 07:00 PM, Stefan Berger wrote:
This patch adds support for the recent ipset iptables extension
to libvirt's nwfilter subsystem. Ipset allows to maintain 'sets'
of IP addresses, ports and other packet parameters and allows for
faster lookup (in the order of O(1) vs. O(n)) and rule evaluation
to achieve higher throughput than what can be achieved with
individual iptables rules.
FYI: Here is the man page for ipset:
https://ipset.netfilter.org/ipset.man.html
s/https/http/
+static bool
+ipsetValidator(enum attrDatatype datatype ATTRIBUTE_UNUSED, union data
*val,
Not sure why this line wrapped in my reply, but I don't think it is a
problem in the real patch.
+static bool
+ipsetFlagsFormatter(virBufferPtr buf,
+ virNWFilterRuleDefPtr nwf ATTRIBUTE_UNUSED,
+ nwItemDesc *item)
+{
+ uint8_t ctr;
+
+ for (ctr = 0; ctr < item->u.ipset.numFlags; ctr++) {
+ if (ctr != 0)
+ virBufferAddLit(buf, ",");
I would have used this, but I don't think it makes any difference in speed:
virBufferAddChar(buf, ',')
+ case DATATYPE_IPSETFLAGS:
+
+ flags = virBufferContentAndReset(&vb);
+
+ if (snprintf(buf, bufsize, "%s", flags) >= bufsize) {
+ virNWFilterReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("Buffer too small for IPSETFLAGS
type"));
Missed an instance of virStrncpy being nicer than snprintf.
Other than that, you hit all my review points, so you have my:
ACK.
If by Tuesday, no one speaks up with a counter-argument against this
patch as-is, then I say go ahead and apply with the nits fixed.
--
Eric Blake eblake(a)redhat.com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
Attachments:
- signature.asc (application/pgp-signature — 620 bytes)