Cool, would be really nice to get bigger company hacking on this stuff! :-)
So what I am really after is to have a mergeable implementation of this sketch:

https://gerrit.fd.io/r/c/vpp/+/28083

Which in turn enables things like this for example:

https://gerrit.fd.io/r/c/vpp/+/28513

So in the combo of these two changes above we are using the existing “connection” infra, but replace the policy lookup completely. This was the initial trigger.

But I would like to be able to decouple things more, since it would allow much more flexibility for everyone to plug their own stuff - whether open source or not, without redoing all the boring jobs of packet parsing and plumbing.

The other point of usefulness is the above pipeline is currently unified for v4/v6, l2/l3, in/out, so you get 8 nodes for the price of maintenance of one.

--a

> On 5 Mar 2021, at 22:04, hem...@mnkcg.com wrote:
>
> When I get a chance later tonight, I will take a look at your gerrit changes and also the ACL code and get back. I have yet to implement the Varghese paper.
>
> Thanks.
>
> Hemant
>
> From: Andrew 👽 Yourtchenko <ayour...@gmail.com>
> Sent: Friday, March 05, 2021 3:21 PM
> To: hem...@mnkcg.com
> Cc: bga...@cisco.com; vpp-dev@lists.fd.io
> Subject: Re: [vpp-dev] IP subnet and port range match?
>
> Yeah trade offs is the name of the game... I’d say it’s worth implementing the code to see how it fares, wanna take a shot?
>
> I am working on https://gerrit.fd.io/r/c/vpp/+/30342 which eventually should make it possible to plug in both your own session management gearing and the policy based gearing... so you could grab one of the revs there as a basis, rip out the existing ACL match algorithm and see how this paper fares...
>
> Later then we could combine them as interchangeable modules...
>
> Squeezing those remaining 3-4% of the performance loss due to making it multistage is hard, so I am not progressing as fast as I want to...
>
> The gerrit stuff is a squash of about 20+ local commits that I can share if you’re game to hack on it. (We can do it via GitHub branch, for example).
>
> Thoughts ?
>
> —a
>
> On 5 Mar 2021, at 17:56, hem...@mnkcg.com wrote:
>
> Thanks, Andrew. I want to avoid any algorithms that support specific data. This is why I pointed to a general algorithm in a Varghese paper:
>
> http://cseweb.ucsd.edu/~susingh/papers/hyp-sigcomm03.pdf
>
> This paper creates rules, e.g., Rule1 to match IP prefix, Rule2 to match range, Rule3 to exact match, etc. Even ACLs create such rules. However, how does one implement matching all rules using least memory, using how many cpu cycles, and support, say, 50k entries, is tricky.
>
> Hemant
>
> -----Original Message-----
> From: Andrew 👽 Yourtchenko <ayour...@gmail.com>
> Sent: Friday, March 05, 2021 11:05 AM
> To: bga...@cisco.com
> Cc: hem...@mnkcg.com; vpp-dev@lists.fd.io
> Subject: Re: [vpp-dev] IP subnet and port range match?
>
> Buyer beware :-)
>
> ACL plugin handles the ranges more as an exception case, based on the real-world config data analysis back in the day...
>
> --a
>
> On 5 Mar 2021, at 13:58, Benoit Ganne (bganne) via lists.fd.io <bganne=cisco....@lists.fd.io> wrote:
>
> > Am I correct that VPP classifier does not support matching both an IP subnet and layer-4 port range? The classifier matches IP subnet and then another function matches range.
>
> The VPP classifier matches bitmasks, so technically you can match ranges as long as they can be expressed as bitmasks.
> If your port range does not (usual case) you can use VPP ACL plugin which does support this kind of match.
>
> ben
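The thread's point that a bitmask classifier can match a port range only when the range is expressed as bitmasks, shown as an added example (not code from the thread, from VPP, or from the ACL plugin). It splits an arbitrary range into value/mask pairs; `port_mask_t` and both function names are hypothetical, and the sample range is constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical type for this example: a port matches when (port & mask) == value. */
typedef struct { uint16_t value, mask; } port_mask_t;

/* Split the inclusive range [lo, hi] into the fewest aligned power-of-two
 * blocks, one value/mask pair each. Returns the pair count, or -1 if lo > hi
 * or out[] is too small. A 16-bit range needs at most 30 pairs (1-65534). */
int port_range_to_masks(uint16_t lo, uint16_t hi, port_mask_t *out, size_t max_out)
{
    uint32_t cur = lo;               /* 32-bit so cur can step past 65535 */
    int n = 0;
    if (lo > hi)
        return -1;
    while (cur <= hi) {
        /* Largest block that can start at cur: its lowest set bit (64K for 0). */
        uint32_t size = cur ? (cur & (~cur + 1)) : 0x10000u;
        while (cur + size - 1 > hi)  /* shrink until the block ends inside the range */
            size >>= 1;
        if ((size_t)n >= max_out)
            return -1;
        out[n].value = (uint16_t)cur;
        out[n].mask = (uint16_t)~(size - 1);
        n++;
        cur += size;
    }
    return n;
}

/* Exhaustive check: 1 if the pairs accept exactly the ports in [lo, hi]. */
int masks_cover_exactly(const port_mask_t *m, int n, uint16_t lo, uint16_t hi)
{
    for (uint32_t p = 0; p <= 0xFFFFu; p++) {
        int hit = 0;
        for (int i = 0; i < n; i++)
            hit |= ((p & m[i].mask) == m[i].value);
        if (hit != (p >= lo && p <= hi))
            return 0;
    }
    return 1;
}

int main(void)
{
    port_mask_t m[30];
    int n = port_range_to_masks(1024, 65535, m, 30);  /* constructed sample range */
    for (int i = 0; i < n; i++)
        printf("value=0x%04x mask=0x%04x\n", m[i].value, m[i].mask);
    return masks_cover_exactly(m, n, 1024, 65535) ? 0 : 1;
}
```

A range that is not a single aligned power-of-two block expands into several mask entries per rule, which is the memory cost weighed against a match function that handles ranges directly.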