Hi Andrew!
------------------ Original ------------------
From: "Andrew 👽 Yourtchenko"<ayour...@gmail.com>;
Date: Tue, May 23, 2017 07:56 PM
To: "张攀"<zhang...@yunshan.net.cn>;
Cc: "vpp-dev"<vpp-dev@lists.fd.io>;
Subject: Re: [vpp-dev] ACL Match in fa_node.c
Hi!
On 5/23/17, 张攀 <zhang...@yunshan.net.cn> wrote:
> Hi guys,
>
>
> I looked into the source code of vpp/src/plugin/acl/fa_node.c,
> in function full_acl_match_5tuple(), it seems that every ingress packet is
> matching against each ACL rule stored in acl_main->acls in a for-loop
> manner. This seems not fairly effective.
You're absolutely right on both counts. First make it work, then make
it right, then make it fast :-) I have some ideas that I wanted to
experiment with there, would you be interested to help ? ACL matching
is a fairly distinct function operation to not affect much else.
[PAN]: I would be very pleased to help as I am also a addicted person to high
performance programming :D
>
>
> Besides, I notice that in vpp/src/plugin/acl/acl.c,when you call the
> function acl_hook_l2_input_classify(), you will create a
> vnet_classify_table, but I didn't see any code which adds classify_session
> to it, why?
I had used classify table for storing the sessions in the pre-1704
version of the ACL plugin.
in 1704 as I was adding the L3, I moved to the new data path while
keeping the old one still around, and potentially switchable (not
terribly gracefully, but still).
In the current master the classifier is used merely as a hook to get
into the packet processing within the L2 packet path - that's why you
see no sessions added.
[PAN]: Cool. Correct me if I am wrong: ingress packet will first check against
if there is matched session existing
in fa_node.c and if not, the packet will check against ACL then to decide
whether to create a new session or drop.
Is there any 'match then action' alike behavior existing in fa_node? And a
long standing mystery question for me: what
does "fa" stand for :p
>
>
> Is there any document/idea could basically explain the relationships between
> acl/fa_node and vnet_classify?
In a gerrit draft that I am working now on, which aims to provide the
multicore support, there is text file with the history and the
description of operation. If you like, I can add you to the reviewers
list so you can have a look at that - just send me your email that you
use in gerrit.
[PAN]: Thank you Andrew, I believe this will help a lot. My email is
dazhang...@gmail.com
--a
>
>
> Any help will be much appreciated.
>
>
> Best Regards,
>
>
> Pan
_______________________________________________
vpp-dev mailing list
vpp-dev@lists.fd.io
https://lists.fd.io/mailman/listinfo/vpp-dev
