2021-11-24 11:06 (UTC+0100), Steffen Weise:
> > Hi folks!
> >
> > I'm using DPDK's ACL library to classify incoming packets by IPv4 5 tuple
> > match (src address, dst address, src port, dst port, protocol). Right now
> > it is possible to find only the best match based on the rule's priority.
> > Is there any way (maybe a custom patch for the ACL library exists?) to
> > find all matches in a single request? Decreased performance and even some
> > false-positive matches are acceptable.
> > It could be a big number of matches so using categories is not an option.
> >
> > Thanks,
> > Dmitriy Stepanov
> > 
>
> Hi,
>
> I have the very same question. Such a mechanism would help me in my
> applications. Currently I go for lookup on multiple separate tables.
>
> Cheers,
> Steffen Weise

Hi,

I wonder what is the original problem you're solving.

A set of IPv4 5-tuple rules can be viewed as a set of regular expressions:

ACL:    src 1.1.1.0/24 dst 2.2.2.2/32 sport any dport 0x0035 proto tcp
Regex:  ^\x01\x01\x01.\x02\x02\x02\x02..\x00\x35\x06$

Here, "." stands for "any byte".
For masks/ranges not aligned on 8 bits regex ranges can be used, e.g.:

ACL:    sport 100-200
        # this one is easy, just one byte varies
Regex:  \x00[\x64-\xC8]

ACL:    sport 200-300
        # this one is hard, needs an algorithm to transform
        # 200-300 => 200-255,256-300 => 0xC8-0xFF,0x0100-0x012C
Regex:  (?:\x00[\xC8-xFF]|\x01[\x00-\x2C])

ACL:    src 192.0.2.64/26
        # this one is easy, there are also hard examples like above
Regex:  \xC0\x00\x02[\x40-\x7F]

IIUC, you need all matching expressions for every packet,
which is represented as a 4+4+2+2+1 byte "string".
This is exactly what Hyperscan library does, for example:
http://intel.github.io/hyperscan/dev-reference/runtime.html

There is now regexdev in DPDK,
take a look at it, maybe it will suit your needs and HW.