When I get a chance later tonight, I will take a look at your gerrit changes and also the ACL code and get back. I have yet to implement the Varghese paper.
Thanks. Hemant From: Andrew 👽 Yourtchenko <ayour...@gmail.com> Sent: Friday, March 05, 2021 3:21 PM To: hem...@mnkcg.com Cc: bga...@cisco.com; vpp-dev@lists.fd.io Subject: Re: [vpp-dev] IP subnet and port range match? Yeah trade offs is the name of the game... I’d say it’s worth implementing the code to see how it fares, wanna take a shot? I am working on https://gerrit.fd.io/r/c/vpp/+/30342 which eventually should make it possible to plug in both your own session management gearing and the policy based gearing... so you could grab one of the revs there as a basis, rip out the existing ACL match algorithm and see how this paper fares... Later then we could combine them as interchangeable modules... Squeezing those remaining 3-4% of the performance loss due to making it multistage is hard, so I am not progressing as fast as I want to... The gerrit stuff is a squash of about 20+ local commits that I can share it you’re game to hack on it. (We can do it via GitHub branch, for example). Thoughts ? —a On 5 Mar 2021, at 17:56, hem...@mnkcg.com <mailto:hem...@mnkcg.com> wrote: Thanks, Andrew. I want to avoid any algorithms that support specific data. This is why I pointed to a general algorithm in a Varghese paper: http://cseweb.ucsd.edu/~susingh/papers/hyp-sigcomm03.pdf This paper creates rules, e.g., Rule1 to match IP prefix, Rule2 to match range, Rule3 to exact match, etc. Even ACLs create such rules. However, how does one implement matching all rules using least memory, using how many cpu cycles, and support, say, 50k entries, is tricky. Hemant -----Original Message----- From: Andrew 👽 Yourtchenko <ayour...@gmail.com <mailto:ayour...@gmail.com> > Sent: Friday, March 05, 2021 11:05 AM To: bga...@cisco.com <mailto:bga...@cisco.com> Cc: hem...@mnkcg.com <mailto:hem...@mnkcg.com> ; vpp-dev@lists.fd.io <mailto:vpp-dev@lists.fd.io> Subject: Re: [vpp-dev] IP subnet and port range match? Buyer beware :-) ACL plugin handles the ranges more as an exception case, based on the real-world config data analysis back in the day... --a On 5 Mar 2021, at 13:58, Benoit Ganne (bganne) via lists.fd.io <bganne=cisco....@lists.fd.io <mailto:bganne=cisco....@lists.fd.io> > wrote:  Am I correct that VPP classifier does not support matching both an IP subnet and layer-4 port range? The classifier matches IP subnet and then another function matches range. The VPP classifier matches bitmasks, so technically you can match ranges as long as they can be expressed as bitmasks. If your port range does not (usual case) you can use VPP ACL plugin which does support this kind of match. ben
smime.p7s
Description: S/MIME cryptographic signature
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#18871): https://lists.fd.io/g/vpp-dev/message/18871 Mute This Topic: https://lists.fd.io/mt/81084196/21656 Group Owner: vpp-dev+ow...@lists.fd.io Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
