DPDK usage discussions
 help / color / mirror / Atom feed
From: Дмитрий Степанов <stepanov.dmit@gmail.com>
To: Dmitry Kozlyuk <dmitry.kozliuk@gmail.com>
Cc: Steffen Weise <stweise.linux@gmail.com>, users@dpdk.org
Subject: Re: Find all matches with DPDK ACL
Date: Fri, 26 Nov 2021 17:56:27 +0300
Message-ID: <CA+-SuJ3pYHcsNn_4ZhVDERe8FdWM8Qaia+My+Qx8OEkA90kLuQ@mail.gmail.com> (raw)
In-Reply-To: <20211126171232.401fefca@sovereign>

[-- Attachment #1: Type: text/plain, Size: 1653 bytes --]

I have approx 5K-10K (5 000 - 10 000) rules.
On average I have 10-20 matches (60 max).
I don't need to insert/delete/update rules frequently - you can consider
rules being permanent which are loaded once on startup.

пт, 26 нояб. 2021 г. в 17:12, Dmitry Kozlyuk <dmitry.kozliuk@gmail.com>:

> 2021-11-26 16:53 (UTC+0300), Дмитрий Степанов:
> > Hi!
> > I have a big number of IPv4 5-tuple rules, every rule corresponds to some
> > action. I need to find all matched rules and perform all tied actions.
> I rather meant the subject field,
> like splitting the flows or access control is a typical application of ACL.
> I'm asking partially out of curiosity,
> but also because there may be a better solution then DPDK ACL.
> > The search time greatly affects overall system performance, so I can't
> just
> > scan all rules. ACL is based on multi-bit tries and provides great
> > performance, so I'm looking for nearly the same performance with the
> > ability to find all matches within a single request.
> Some regex libraries, Hyperscan or DPDK regexdev in particular,
> take a database of rules, compile it to an efficient form
> (Hyperscan generates vector instructions, regexdev may use HW
> acceleration),
> and then allow to match input to the entire database in a single request,
> yielding every match for every expression.
> From my experience, performance is decent,
> but of course it depends on the number or rules and their complexity.
> How many rules do you have?
> How many rules are expected to match (avg/max)?
> How often do you need to insert/delete/update rules?

[-- Attachment #2: Type: text/html, Size: 2040 bytes --]

  reply	other threads:[~2021-11-28 12:57 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-11-18 16:55 Дмитрий Степанов
2021-11-24 10:06 ` Steffen Weise
2021-11-24 15:19   ` Dmitry Kozlyuk
2021-11-26 13:53     ` Дмитрий Степанов
2021-11-26 14:12       ` Dmitry Kozlyuk
2021-11-26 14:56         ` Дмитрий Степанов [this message]
2021-11-26 23:56           ` Dmitry Kozlyuk

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CA+-SuJ3pYHcsNn_4ZhVDERe8FdWM8Qaia+My+Qx8OEkA90kLuQ@mail.gmail.com \
    --to=stepanov.dmit@gmail.com \
    --cc=dmitry.kozliuk@gmail.com \
    --cc=stweise.linux@gmail.com \
    --cc=users@dpdk.org \


* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

DPDK usage discussions

This inbox may be cloned and mirrored by anyone:

	git clone --mirror http://inbox.dpdk.org/users/0 users/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 users users/ http://inbox.dpdk.org/users \
	public-inbox-index users

Example config snippet for mirrors.
Newsgroup available over NNTP:

AGPL code for this site: git clone https://public-inbox.org/public-inbox.git