On 10/27/2011 06:14 AM, Daniel P. Berrange wrote:
> On Mon, Oct 24, 2011 at 12:07:28PM -0400, Stefan Berger wrote:
> > This patch extends the NWFilter driver for Linux (ebiptables) to create
> > rules for each member of a previously introduced list. If for example
> > an attribute value (internally) looks like this:
> >
> > IP = [10.0.0.1, 10.0.0.2, 10.0.0.3]
> >
> > then 3 rules will be generated for a rule accessing the variable 'IP',
> > one for each member of the list. The effect of this is that this now
> > allows for filtering for multiple values in one field. This can then be
> > used to support filtering/allowing of multiple IP addresses per
> > interface.
> >
> > An iterator is introduced that extracts each member of a list and
> > puts it into a hash table which then is passed to the function creating
> > a rule. For the above example the iterator would cause 3 loops.
> >
> > v2:
> > - pass the iterator all the way to the function that accesses the
> > hash table and provide a function to pick the value of a variable
> > that is reflected by the current state of the iterator
> >
> > Signed-off-by: Stefan Berger <stefanb(a)linux.vnet.ibm.com>
> >
> > ---
> > src/conf/nwfilter_params.c | 129 ++++++++++++++++++++++++++++++
> > src/conf/nwfilter_params.h | 25 +++++
> > src/libvirt_private.syms | 4
> > src/nwfilter/nwfilter_ebiptables_driver.c | 84 +++++++++++++------
> > 4 files changed, 215 insertions(+), 27 deletions(-)
>
> ACK

I now modified the iterator to NOT create every combination of the items
of multiple lists, but have all lists processed in parallel. I think
this is for now the needed behaviour. So if someone has a rule
containing $IP and $MAC, then both lists have to have the same size and
their elements will be accessed $IP[m] and $MAC[m] to instantiate the
rule. To have them independently processed we'll need to go through how
the variables are accessed and then maybe a notation of $IP[@1] and
$MAC[@2] will create all possible combinations. Sorry for the confusion.
Stefan
> Daniel
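The parallel list iteration Stefan describes above (all lists referenced by one rule must have the same length, and step m binds element m of each of them), as an added Python example that is not libvirt's own code; the variable store, the `$NAME` reference syntax and the iptables-style rule template are constructed here for illustration:

```python
import re

VAR_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")

# Constructed variable store: two equal-length lists plus one scalar.
VARIABLES = {
    "IP": ["10.0.0.1", "10.0.0.2", "10.0.0.3"],
    "MAC": ["52:54:00:00:00:01", "52:54:00:00:00:02", "52:54:00:00:00:03"],
    "DHCPSERVER": "10.0.0.254",
}


def referenced_variables(template):
    """Names used as $NAME in a rule template, in order of first use."""
    seen = []
    for name in VAR_RE.findall(template):
        if name not in seen:
            seen.append(name)
    return seen


def iterate_parallel(template, variables):
    """Yield one {name: value} table per iterator step.

    Lists referenced by the template are walked in parallel: step m binds
    element m of every list, so all referenced lists must have the same
    length. Scalars are bound unchanged at every step."""
    names = referenced_variables(template)
    missing = [n for n in names if n not in variables]
    if missing:
        raise KeyError("undefined variable(s): %s" % ", ".join(missing))
    lengths = {len(variables[n]) for n in names if isinstance(variables[n], list)}
    if len(lengths) > 1:
        raise ValueError("lists referenced together must have equal length")
    for m in range(lengths.pop() if lengths else 1):
        yield {n: variables[n][m] if isinstance(variables[n], list) else variables[n]
               for n in names}


def instantiate_rule(template, variables):
    """Expand one rule template into one concrete rule per iterator step."""
    return [VAR_RE.sub(lambda mo: step[mo.group(1)], template)
            for step in iterate_parallel(template, variables)]


if __name__ == "__main__":
    for rule in instantiate_rule("-s $IP -m mac --mac-source $MAC -j ACCEPT", VARIABLES):
        print(rule)
```

A template that references only `$IP` yields the three rules from the patch description; one referencing `$IP` and `$MAC` pairs the lists element by element rather than forming every combination.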