Function expansion

[lvh]

Right now, we have a lot of sample queries like:

(= (:ip x) "10.0.0.1")

... but (:ip x) can mean a lot of things. Specifically, that probably means either source or destination IP. However, you don't necessarily want to duplicate all of the data that we might be querying for, for two reasons:

• Your segments/events will grow excruciatingly large.
• In the case of {:src-ip a :dst-ip b} and querying for :ip, you can't make both of those work because you have two objects but are comparing against 1; unless you want to implement a type that implements IEquiv and makes that set membership under the hood; which is obviously a gross no-good hack.

So,

(= (:ip x) "10.0.0.1")

should probably expand to

(or (= (:src-ip x) "10.0.0.1")
     (= (:dst-ip x) "10.0.0.1"))

(although the level at which that expansion happens, logic-program level or dsl->dsl level, is up to the implementor)