Hi! On 5/23/17, å¼ æ”€ <zhang...@yunshan.net.cn> wrote: > Hi guys, > > > I looked into the source code of vpp/src/plugin/acl/fa_node.c, > in function full_acl_match_5tuple(), it seems that every ingress packet is > matching against each ACL rule stored in acl_main->acls in a for-loop > manner. This seems not fairly effective.
You're absolutely right on both counts. First make it work, then make it right, then make it fast :-) I have some ideas that I wanted to experiment with there, would you be interested to help ? ACL matching is a fairly distinct function operation to not affect much else. > > > Besides, I notice that in vpp/src/plugin/acl/acl.c,when you call the > function acl_hook_l2_input_classify(), you will create a > vnet_classify_table, but I didn't see any code which adds classify_session > to it, why? I had used classify table for storing the sessions in the pre-1704 version of the ACL plugin. in 1704 as I was adding the L3, I moved to the new data path while keeping the old one still around, and potentially switchable (not terribly gracefully, but still). In the current master the classifier is used merely as a hook to get into the packet processing within the L2 packet path - that's why you see no sessions added. > > > Is there any document/idea could basically explain the relationships between > acl/fa_node and vnet_classify? In a gerrit draft that I am working now on, which aims to provide the multicore support, there is text file with the history and the description of operation. If you like, I can add you to the reviewers list so you can have a look at that - just send me your email that you use in gerrit. --a > > > Any help will be much appreciated. > > > Best Regards, > > > Pan _______________________________________________ vpp-dev mailing list vpp-dev@lists.fd.io https://lists.fd.io/mailman/listinfo/vpp-dev
