On Mon, Oct 24, 2011 at 12:07:28PM -0400, Stefan Berger wrote:
This patch extends the NWFilter driver for Linux (ebiptables) to create rules for each member of a previously introduced list. If for example an attribute value (internally) looks like this:
IP = [10.0.0.1, 10.0.0.2, 10.0.0.3]
then 3 rules will be generated for a rule accessing the variable 'IP', one for each member of the list. The effect of this is that this now allows for filtering for multiple values in one field. This can then be used to support for filtering/allowing of multiple IP addresses per interface.
An interator is introduced that extracts each member of a list and puts it into a hash table which then is passed to the function creating a rule. For the above example the iterator would cause 3 loops.
v2: - pass the iterator all the way to the function that accesses the hash table and provide a function to pick the value of a variable that is reflected by the current state of the iterator
Signed-off-by: Stefan Berger<stefanb@linux.vnet.ibm.com>
--- src/conf/nwfilter_params.c | 129 ++++++++++++++++++++++++++++++ src/conf/nwfilter_params.h | 25 +++++ src/libvirt_private.syms | 4 src/nwfilter/nwfilter_ebiptables_driver.c | 84 +++++++++++++------ 4 files changed, 215 insertions(+), 27 deletions(-) ACK I now modified the iterator to NOT create every combination of the items of multiple lists, but have all lists processed in parallel. I think
On 10/27/2011 06:14 AM, Daniel P. Berrange wrote: this is for now the needed behaviour. So if someone has a rule containing $IP and $MAC, then both lists have to have the same size and their elements will be accessed $IP[m] and $MAC[m] to instantiate the rule. To have them independently processed we'll need to go through how the variables are accessed and then maybe a notation of $IP[@1] and $MAC[@2] will create all possible combinations. Sorry for the confusion. Stefan
Daniel