[libvirt] [PATCH V4] nwfilter: Add support for ipset
Eric Blake
eblake at redhat.com
Fri May 18 20:19:43 UTC 2012
On 05/14/2012 07:00 PM, Stefan Berger wrote:
> This patch adds support for the recent ipset iptables extension
> to libvirt's nwfilter subsystem. Ipset allows to maintain 'sets'
> of IP addresses, ports and other packet parameters and allows for
> faster lookup (in the order of O(1) vs. O(n)) and rule evaluation
> to achieve higher throughput than what can be achieved with
> individual iptables rules.
>
>
> FYI: Here is the man page for ipset:
>
> https://ipset.netfilter.org/ipset.man.html
s/https/http/
>
> +static bool
> +ipsetValidator(enum attrDatatype datatype ATTRIBUTE_UNUSED, union data
> *val,
Not sure why this line wrapped in my reply, but I don't think it is a
problem in the real patch.
> +static bool
> +ipsetFlagsFormatter(virBufferPtr buf,
> + virNWFilterRuleDefPtr nwf ATTRIBUTE_UNUSED,
> + nwItemDesc *item)
> +{
> + uint8_t ctr;
> +
> + for (ctr = 0; ctr < item->u.ipset.numFlags; ctr++) {
> + if (ctr != 0)
> + virBufferAddLit(buf, ",");
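Review bot: In the loop of ipsetFlagsFormatter, ctr is declared uint8_t but is compared against item->u.ipset.numFlags, whose type is not visible here. If numFlags is wider than 8 bits and ever exceeds 255, ctr wraps to 0 before the condition can fail and the loop never terminates. Declare ctr with the same type as numFlags (or size_t) so the bound is always reachable.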
I would have used this, but I don't think it makes any difference in speed:
virBufferAddChar(buf, ',')
> + case DATATYPE_IPSETFLAGS:
> +
> + flags = virBufferContentAndReset(&vb);
> +
> + if (snprintf(buf, bufsize, "%s", flags) >= bufsize) {
> + virNWFilterReportError(VIR_ERR_INTERNAL_ERROR, "%s",
> + _("Buffer too small for IPSETFLAGS
> type"));
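Review bot: In the DATATYPE_IPSETFLAGS case, flags goes straight from virBufferContentAndReset(&vb) into snprintf's "%s" with no NULL check. virBufferContentAndReset returns NULL when the buffer recorded an allocation error, so test the result (or virBufferError(&vb)) and report out-of-memory before formatting. The visible lines also do not show flags being released, so confirm VIR_FREE(flags) runs on both the "Buffer too small" path and the success path.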
Missed an instance of virStrncpy being nicer than snprintf.
Other than that, you hit all my review points, so you have my:
ACK.
If by Tuesday, no one speaks up with a counter-argument against this
patch as-is, then I say go ahead and apply with the nits fixed.
--
Eric Blake eblake at redhat.com +1-919-301-3266
Libvirt virtualization library http://libvirt.org