acl: combine ACL types #515

Merged. AltraMayor merged 1 commit into master from acl_compact on Jul 30, 2021.

@AltraMayor
Owner

Combining ACL types reduces effort while classifying packets, and increases the number of packets passed to callback functions.

While the impact of this pull request varies with what the NICs support, it's expected to affect IPv6 more than IPv4 ACL rules. For example, consider the ACLs for IPv4 and IPv6 for front and back interfaces on our XIA1 server before this pull request:

(gdb) p config.front.ipv4_acls
$1 = {acls = {0x17044d140, 0x227da60640, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  funcs = {0x5555556e8f7f <drop_unmatched_pkts>, 0x55555569d389 <submit_icmp>, 0x5555556221ab <cps_submit_direct>, 0x0 <repeats 13 times>},
  ext_funcs = {0x0, 0x55555569e8cf <match_icmp>, 0x555555627067 <match_tcp4>, 0x0 <repeats 13 times>},
  func_count = 3, enabled = true}

(gdb) p config.front.ipv6_acls
$2 = {acls = {0x17044aa80, 0x227da5e1c0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  funcs = {0x5555556e8f7f <drop_unmatched_pkts>, 0x55555569ea43 <submit_icmp6>, 0x55555569ea43 <submit_icmp6>, 0x55555569ea43 <submit_icmp6>, 0x55555569ea43 <submit_icmp6>, 0x55555569ea43 <submit_icmp6>, 0x5555556221ab <cps_submit_direct>, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
  ext_funcs = {0x0, 0x55555569ff89 <match_icmp6>, 0x0, 0x0, 0x0, 0x0, 0x555555627160 <match_tcp6>, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
  func_count = 7, enabled = true}

(gdb) p config.back.ipv4_acls
$3 = {acls = {0x17044c240, 0x227da5f800, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  funcs = {0x5555556e8f7f <drop_unmatched_pkts>, 0x55555569d389 <submit_icmp>, 0x555555648ddb <submit_ggu>, 0x5555556221ab <cps_submit_direct>, 0x0 <repeats 12 times>},
  ext_funcs = {0x0, 0x55555569e8cf <match_icmp>, 0x0, 0x555555627067 <match_tcp4>, 0x0 <repeats 12 times>},
  func_count = 4, enabled = true}

(gdb) p config.back.ipv6_acls
$4 = {acls = {0x1704492c0, 0x227da5cb80, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  funcs = {0x5555556e8f7f <drop_unmatched_pkts>, 0x55555569ea43 <submit_icmp6>, 0x55555569ea43 <submit_icmp6>, 0x55555569ea43 <submit_icmp6>, 0x55555569ea43 <submit_icmp6>, 0x55555569ea43 <submit_icmp6>, 0x555555648ddb <submit_ggu>, 0x5555556221ab <cps_submit_direct>, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
  ext_funcs = {0x0, 0x55555569ff89 <match_icmp6>, 0x0, 0x0, 0x0, 0x0, 0x0, 0x555555627160 <match_tcp6>, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
  func_count = 8, enabled = true}

The output above was obtained with a breakpoint at finalize_stage2(), so the ACLs were complete. Below is the same output after this pull request:

(gdb) p config.front.ipv4_acls
$1 = {acls = {0x17044d140, 0x227da60640, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  funcs = {0x5555556e8f7f <drop_unmatched_pkts>, 0x55555569d389 <submit_icmp>, 0x5555556221ab <cps_submit_direct>, 0x0 <repeats 13 times>},
  ext_funcs = {0x0, 0x55555569e8cf <match_icmp>, 0x555555627067 <match_tcp4>, 0x0 <repeats 13 times>},
  func_count = 3, enabled = true}

(gdb) p config.front.ipv6_acls
$2 = {acls = {0x17044aa80, 0x227da5e1c0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  funcs = {0x5555556e8f7f <drop_unmatched_pkts>, 0x55555569ea43 <submit_icmp6>, 0x5555556221ab <cps_submit_direct>, 
    0x0 <repeats 13 times>},
  ext_funcs = {0x0, 0x55555569ff89 <match_icmp6>, 0x555555627160 <match_tcp6>, 0x0 <repeats 13 times>},
  func_count = 3, enabled = true}

(gdb) p config.back.ipv4_acls
$3 = {acls = {0x17044c240, 0x227da5f800, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  funcs = {0x5555556e8f7f <drop_unmatched_pkts>, 0x55555569d389 <submit_icmp>, 0x555555648ddb <submit_ggu>, 0x5555556221ab <cps_submit_direct>, 0x0 <repeats 12 times>},
  ext_funcs = {0x0, 0x55555569e8cf <match_icmp>, 0x0, 0x555555627067 <match_tcp4>, 0x0 <repeats 12 times>},
  func_count = 4, enabled = true}

(gdb) p config.back.ipv6_acls
$4 = {acls = {0x1704492c0, 0x227da5cb80, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  funcs = {0x5555556e8f7f <drop_unmatched_pkts>, 0x55555569ea43 <submit_icmp6>, 0x555555648ddb <submit_ggu>, 
    0x5555556221ab <cps_submit_direct>, 0x0 <repeats 12 times>},
  ext_funcs = {0x0, 0x55555569ff89 <match_icmp6>, 0x0, 0x555555627160 <match_tcp6>, 0x0 <repeats 12 times>},
  func_count = 4, enabled = true}

Combining ACL types reduces effort while classifying packets, and
increases the number of packets passed to callback functions.

AltraMayor added this to the First deployment milestone on Jul 30, 2021

@AltraMayor
Owner Author

Tested on our XIA1 server.

AltraMayor merged commit dfca2aa into master on Jul 30, 2021
AltraMayor deleted the acl_compact branch on July 30, 2021 16:01
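
Added example, not part of the pull request or the project's code: a small model of the `funcs` / `ext_funcs` / `func_count` table from the gdb output, replaying `config.front.ipv6_acls` with and without combining so the drop from 7 ACL types to 3 can be checked. The function `register_acl_type()`, its `combine` flag, the merge rule (reuse a slot when the callback is the same and the ext functions do not conflict), the registration order and the simplified callback signatures are assumptions inferred from the output.

```c
#include <stddef.h>
#define MAX_ACL_TYPES 16	/* slots per table in the gdb output */
typedef int (*cb_f)(void);	/* simplified signature (assumption) */

struct acl_table {
	cb_f funcs[MAX_ACL_TYPES];
	cb_f ext_funcs[MAX_ACL_TYPES];
	unsigned int func_count;
};

/* Constructed stand-ins named after the callbacks in the output. */
static int drop_unmatched_pkts(void) { return 0; }
static int submit_icmp6(void) { return 1; }
static int cps_submit_direct(void) { return 2; }
static int match_icmp6(void) { return 3; }
static int match_tcp6(void) { return 4; }

/* Hypothetical registration: returns the ACL type index, or -1 when full.
 * With combine set, a slot with the same callback is reused (assumed rule). */
static int register_acl_type(struct acl_table *t, cb_f cb, cb_f ext,
	int combine)
{
	for (unsigned int i = 0; combine && i < t->func_count; i++) {
		/* Skip other callbacks and conflicting non-NULL ext functions. */
		if (t->funcs[i] != cb ||
		    (t->ext_funcs[i] && ext && t->ext_funcs[i] != ext))
			continue;
		if (t->ext_funcs[i] == NULL)
			t->ext_funcs[i] = ext;	/* keep the one ext function */
		return (int)i;
	}
	if (t->func_count >= MAX_ACL_TYPES)
		return -1;
	t->funcs[t->func_count] = cb;
	t->ext_funcs[t->func_count] = ext;
	return (int)t->func_count++;
}

/* Replay the registrations implied by front.ipv6_acls (assumed order). */
static unsigned int replay_front_ipv6(struct acl_table *t, int combine)
{
	*t = (struct acl_table){ .func_count = 0 };
	register_acl_type(t, drop_unmatched_pkts, NULL, combine);
	register_acl_type(t, submit_icmp6, match_icmp6, combine);
	for (int i = 0; i < 4; i++)	/* four more submit_icmp6 entries */
		register_acl_type(t, submit_icmp6, NULL, combine);
	register_acl_type(t, cps_submit_direct, match_tcp6, combine);
	return t->func_count;
}

int main(void) { struct acl_table t; return replay_front_ipv6(&t, 1) != 3; }
```

Each slot that disappears is one fewer ACL type for the classifier to distinguish, and packets that used to be split across five `submit_icmp6` types now arrive at the callback under a single type.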