From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 3C7B5A0548 for ; Sun, 28 Nov 2021 13:57:31 +0100 (CET) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id B361F4276F; Sun, 28 Nov 2021 13:57:17 +0100 (CET) Received: from mail-lj1-f180.google.com (mail-lj1-f180.google.com [209.85.208.180]) by mails.dpdk.org (Postfix) with ESMTP id 1108A42752 for ; Fri, 26 Nov 2021 15:56:39 +0100 (CET) Received: by mail-lj1-f180.google.com with SMTP id k2so19305210lji.4 for ; Fri, 26 Nov 2021 06:56:39 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=zbtMC1kmYjIXPjU3QSoaW9+FFo+y92ent961IuOAtnw=; b=KwdEiWMBRDMNFKNo2ypaBUSG/ljZ088My0uJscqeMQypxMrJYA0S9meEOl6eEFGGTz qsMGH3a/nyhXBokK3LTCWXp1963JKDZg090rm4cvkBKWEy6t3BGr07B/6DZ4V1idOZIZ iMTKGvFuZXzHV2B/v61fCwoNtrFToU4kFapItmaH78g9rkw7TnK0Gl0AW/8TNZ+7Jbso gazEVEsMPBt4Qw3ndE7yZDnuOpIHYE8abij0nyaNVlGh3wvvrOHKY7KmD/6MT6H77ezW ihMqVfxhNirBv+XEODsuft/2ExHtZ4Og2xthZucCEupQVpekSfJcRw75qbnX6B0ma5zX WIaw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=zbtMC1kmYjIXPjU3QSoaW9+FFo+y92ent961IuOAtnw=; b=WgtKk/TMu/UyWwIv2GJKiDQ4SwYRFQ018wD0VBA2Y+BpmGPd+uzFO1FQlKLIcRvIrq bMzpZO4lG2EkUTErMhJI49Hu323LaJV+lewF54IA5vqs8ELtGaAhMZ4MnrCv3xNsvy+G T6vk7ySwhUhYejeq0imT3riNHxDPIUvqWcRqEETn9jKdw9nKBllcldNqzXjZRZDAErXV pxfL8O6wPvq6VpPjC899TrqmGYb5tBodIEdRk+BJAhxNTT8VaRFJk0r2FpVlcRRLMqq9 xaFlXArwxr6YMDnMQ86K2q4xIf1+HdxcI6LP5qZ7e3kaVDpmjBdC9e/e0w3//dCjHlyW WMkA== X-Gm-Message-State: AOAM532d2GrCrg+PO2lPXcxoq2Ixx4IvRTQkgL0s/eFZY/VvIjwgveKo GMvyluQHZyM63aWi6O9UngG7m8WtBa4GUyHS7+s= X-Google-Smtp-Source: ABdhPJzSbgbSxcMg1WBQXJVWnX3RHGQhDMGzjLnNLsfC647x2WlSlHDunC5HuH/sAQVVrdHWcp23rs1HFRZZBHdU5kw= X-Received: by 2002:a2e:9843:: with SMTP id e3mr31092635ljj.358.1637938598600; Fri, 26 Nov 2021 06:56:38 -0800 (PST) MIME-Version: 1.0 References: <20211124181958.212f1179@sovereign> <20211126171232.401fefca@sovereign> In-Reply-To: <20211126171232.401fefca@sovereign> From: =?UTF-8?B?0JTQvNC40YLRgNC40Lkg0KHRgtC10L/QsNC90L7Qsg==?= Date: Fri, 26 Nov 2021 17:56:27 +0300 Message-ID: Subject: Re: Find all matches with DPDK ACL To: Dmitry Kozlyuk Cc: Steffen Weise , users@dpdk.org Content-Type: multipart/alternative; boundary="0000000000005562c805d1b24c22" X-Mailman-Approved-At: Sun, 28 Nov 2021 13:57:15 +0100 X-BeenThere: users@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK usage discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: users-bounces@dpdk.org --0000000000005562c805d1b24c22 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable I have approx 5K-10K (5 000 - 10 000) rules. On average I have 10-20 matches (60 max). I don't need to insert/delete/update rules frequently - you can consider rules being permanent which are loaded once on startup. =D0=BF=D1=82, 26 =D0=BD=D0=BE=D1=8F=D0=B1. 2021 =D0=B3. =D0=B2 17:12, Dmitr= y Kozlyuk : > 2021-11-26 16:53 (UTC+0300), =D0=94=D0=BC=D0=B8=D1=82=D1=80=D0=B8=D0=B9 = =D0=A1=D1=82=D0=B5=D0=BF=D0=B0=D0=BD=D0=BE=D0=B2: > > Hi! > > I have a big number of IPv4 5-tuple rules, every rule corresponds to so= me > > action. I need to find all matched rules and perform all tied actions. > > I rather meant the subject field, > like splitting the flows or access control is a typical application of AC= L. > I'm asking partially out of curiosity, > but also because there may be a better solution then DPDK ACL. > > > The search time greatly affects overall system performance, so I can't > just > > scan all rules. ACL is based on multi-bit tries and provides great > > performance, so I'm looking for nearly the same performance with the > > ability to find all matches within a single request. > > Some regex libraries, Hyperscan or DPDK regexdev in particular, > take a database of rules, compile it to an efficient form > (Hyperscan generates vector instructions, regexdev may use HW > acceleration), > and then allow to match input to the entire database in a single request, > yielding every match for every expression. > > From my experience, performance is decent, > but of course it depends on the number or rules and their complexity. > How many rules do you have? > How many rules are expected to match (avg/max)? > How often do you need to insert/delete/update rules? > --0000000000005562c805d1b24c22 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
I have approx 5K-10K (5 000 - 10 000) rules.=C2=A0
On = average I have 10-20 matches (60 max).=C2=A0
I don't need to = insert/delete/update rules frequently - you can consider rules being perman= ent which are loaded once on startup.=C2=A0

=D0=BF=D1=82, 26 =D0=BD=D0= =BE=D1=8F=D0=B1. 2021 =D0=B3. =D0=B2 17:12, Dmitry Kozlyuk <dmitry.kozliuk@gmail.com>:
=
2021-11-26 16:53 (UTC+030= 0), =D0=94=D0=BC=D0=B8=D1=82=D1=80=D0=B8=D0=B9 =D0=A1=D1=82=D0=B5=D0=BF=D0= =B0=D0=BD=D0=BE=D0=B2:
> Hi!
> I have a big number of IPv4 5-tuple rules, every rule corresponds to s= ome
> action. I need to find all matched rules and perform all tied actions.=

I rather meant the subject field,
like splitting the flows or access control is a typical application of ACL.=
I'm asking partially out of curiosity,
but also because there may be a better solution then DPDK ACL.

> The search time greatly affects overall system performance, so I can&#= 39;t just
> scan all rules. ACL is based on multi-bit tries and provides great
> performance, so I'm looking for nearly the same performance with t= he
> ability to find all matches within a single request.

Some regex libraries, Hyperscan or DPDK regexdev in particular,
take a database of rules, compile it to an efficient form
(Hyperscan generates vector instructions, regexdev may use HW acceleration)= ,
and then allow to match input to the entire database in a single request, yielding every match for every expression.

>From my experience, performance is decent,
but of course it depends on the number or rules and their complexity.
How many rules do you have?
How many rules are expected to match (avg/max)?
How often do you need to insert/delete/update rules?
--0000000000005562c805d1b24c22--