
On 05/14/2012 07:00 PM, Stefan Berger wrote:
This patch adds support for the recent ipset iptables extension to libvirt's nwfilter subsystem. Ipset allows maintaining 'sets' of IP addresses, ports and other packet parameters and allows for faster lookup (on the order of O(1) vs. O(n)) and rule evaluation to achieve higher throughput than what can be achieved with individual iptables rules.
FYI: Here is the man page for ipset:
s/https/http/
+static bool +ipsetValidator(enum attrDatatype datatype ATTRIBUTE_UNUSED, union data *val,
Not sure why this line wrapped in my reply, but I don't think it is a problem in the real patch.
+static bool +ipsetFlagsFormatter(virBufferPtr buf, + virNWFilterRuleDefPtr nwf ATTRIBUTE_UNUSED, + nwItemDesc *item) +{ + uint8_t ctr; + + for (ctr = 0; ctr < item->u.ipset.numFlags; ctr++) { + if (ctr != 0) + virBufferAddLit(buf, ",");
I would have used this, but I don't think it makes any difference in speed: virBufferAddChar(buf, ',')
+ case DATATYPE_IPSETFLAGS:
+ + flags = virBufferContentAndReset(&vb); + + if (snprintf(buf, bufsize, "%s", flags) >= bufsize) { + virNWFilterReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("Buffer too small for IPSETFLAGS type"));
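Review bot: in the DATATYPE_IPSETFLAGS case, the result of virBufferContentAndReset(&vb) is passed straight to snprintf as the "%s" argument, and no NULL check is visible in these lines. virBufferContentAndReset returns NULL when the buffer is in an error state (for example after an allocation failure), so check the buffer with virBufferError(&vb), or test flags for NULL, before formatting. Also make sure flags is released with VIR_FREE on both the success path and the "Buffer too small" error path, since the caller now owns that string.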
Missed an instance of virStrncpy being nicer than snprintf.

Other than that, you hit all my review points, so you have my: ACK. If by Tuesday, no one speaks up with a counter-argument against this patch as-is, then I say go ahead and apply with the nits fixed.

-- 
Eric Blake eblake@redhat.com +1-919-301-3266
Libvirt virtualization library http://libvirt.org