From faf36cd8d75442ce8e19e426e86456f9a844dd8d Mon Sep 17 00:00:00 2001
From: Henri DF <henridf@gmail.com>
Date: Thu, 24 Mar 2016 13:53:49 -0700
Subject: [PATCH] Use new sysdig support for fast processing of in-exprs

---
 userspace/digwatch/lua/compiler.lua    |  4 ++--
 userspace/digwatch/lua/rule_loader.lua | 16 +++++++++++++++-
 2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/userspace/digwatch/lua/compiler.lua b/userspace/digwatch/lua/compiler.lua
index ca12f7f1..f2cc3555 100644
--- a/userspace/digwatch/lua/compiler.lua
+++ b/userspace/digwatch/lua/compiler.lua
@@ -529,7 +529,7 @@ function compiler.compile_line(line, macro_defs)
    check_macros(ast)
 
    if (ast.type == "MacroDef") then
-      expand_in(ast.value)
+      --expand_in(ast.value)
 
       -- Parsed line is a macro definition, so update our dictionary of macros and
       -- return
@@ -540,7 +540,7 @@ function compiler.compile_line(line, macro_defs)
       -- Line is a filter, so expand in-clauses and macro references, then
       -- stitch it into global ast
 
-      expand_in(ast.filter)
+      --expand_in(ast.filter)
 
       repeat
 	 expanded  = expand_macros(ast, macro_defs, false)
diff --git a/userspace/digwatch/lua/rule_loader.lua b/userspace/digwatch/lua/rule_loader.lua
index d5fc2619..21799203 100644
--- a/userspace/digwatch/lua/rule_loader.lua
+++ b/userspace/digwatch/lua/rule_loader.lua
@@ -33,6 +33,15 @@ local function mark_relational_nodes(ast, index)
    end
 end
 
+function map(f, arr)
+   local res = {}
+   for i,v in ipairs(arr) do
+      res[i] = f(v)
+   end
+   return res
+end
+
+
 --[[
    Take a filter AST and set it up in the libsinsp runtime, using the filter API.
 --]]
@@ -63,7 +72,12 @@ local function install_filter(node, parent_bool_op)
       filter.unnest() -- io.write(")")
 
    elseif t == "BinaryRelOp" then
-      filter.rel_expr(node.left.value, node.operator, node.right.value, node.index)
+      if (node.operator == "in") then
+	 elements = map(function (el) return el.value end, node.right.elements)
+	 filter.rel_expr(node.left.value, node.operator, elements, node.index)
+      else
+	 filter.rel_expr(node.left.value, node.operator, node.right.value, node.index)
+      end
       -- io.write(node.left.value.." "..node.operator.." "..node.right.value)
 
    elseif t == "UnaryRelOp"  then