| author | Jon Loeliger <jdl@netgate.com> | 2017-10-30 15:04:26 -0500 |
|---|---|---|
| committer | Jon Loeliger <jdl@netgate.com> | 2017-10-30 15:04:26 -0500 |
| commit | 5611ca711cd37058177078eb4591bb9e7338675d (patch) | |
| tree | 2a7ed7299781e0640c7e0741ec23eef9456b9947 /src/plugins/acl | |
| parent | 310518e522aff7ab6f4c5799765d39ecf0c7fb4c (diff) | |
Minor copyedit fixes to ACL Hash doc.
Change-Id: I7fe34e99f566dd2e0a36a9ba38f894973989ca8a
Signed-off-by: Jon Loeliger <jdl@netgate.com>
Diffstat (limited to 'src/plugins/acl')
| -rw-r--r-- | src/plugins/acl/acl_hash_lookup_doc.md | 13 |
1 files changed, 6 insertions, 7 deletions
diff --git a/src/plugins/acl/acl_hash_lookup_doc.md b/src/plugins/acl/acl_hash_lookup_doc.md index cb93df04bff..6b08e1bc953 100644 --- a/src/plugins/acl/acl_hash_lookup_doc.md +++ b/src/plugins/acl/acl_hash_lookup_doc.md @@ -24,20 +24,19 @@ parts of information related to that ACL, primarily the array of *hash_ace_info_t* structures - each of the members of that array corresponding to one of the rules (ACEs) in the original ACL, for this they have a pair of *(acl_index, ace_index)* to keep track, -predominantly for the debugging. +predominantly for debugging. Why do we need a whole separate structure, and are not adding new fields -to the existing rile structure ? First, encapsulation, to minimize +to the existing rule structure? First, encapsulation, to minimize the pollution of the main ACL code with the hash-based lookup artifacts. - Second, one rule may correspond to more than one "hash-based" ACE. In fact, most of the rules do correspond to two of those. Why ? Consider that the current ACL lookup logic is that if a packet is not the initial fragment, and there is an L4 entry acting on the packet, the comparison will be made only on the L4 protocol field value rather -than on the protocol and port values. This beaviour is governed by -*l4_match_nonfirst_fragment* flag in the *acl_main*, and was needed to +than on the protocol and port values. This behavior is governed by +*l4_match_nonfirst_fragment* flag in the *acl_main*, and is needed to maintain the compatibility with the existing software switch implementation. While for the sequential check in *single_acl_match_5tuple()* 
@@ -108,7 +107,7 @@ The future optimized per-packet lookup may be batched in three phases: 2. Lookup the keys in the bihash in a batch manner, collecting the result with lowest u64 (acl index within vector, ACE index) from the hash lookup value, and performing the list walk if necessary - (for portranges) + (for portranges). 3. Take the action from the ACL record as defined by (ACL#, ACE#) from the resulting lookup winner, or, if no match found, then perform default deny. @@ -183,7 +182,7 @@ to have an effect, but for for the terminology sake we do not care). The more formal definition: ``` -shadowed(aceA, aceB) := !redundante(aceA, aceB) && +shadowed(aceA, aceB) := !redundant(aceA, aceB) && !independent(aceA, aceB) && is_after(aceA, aceB) ``` |
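Review bot: in the first hunk (@@ -24,20 +24,19 @@) the context line "In fact, most of the rules do correspond to two of those. Why ? Consider" keeps a space before the question mark, while the hunk fixes exactly that spacing a few lines earlier ("to the existing rule structure?"); for consistency change "Why ? Consider" to "Why? Consider" in the same pass. Note also that "was needed to" becoming "is needed to" is a tense change rather than a spelling fix; it reads correctly if the compatibility requirement still holds, but it goes slightly beyond what the commit message describes as copyedit fixes.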
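Review bot: in the second hunk (@@ -108,7 +107,7 @@) the line being touched, "(for portranges).", could also split "portranges" into "port ranges" since it is already being edited, and the trailing context "or, if no match found, then perform default deny." would read better as "if no match is found".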
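Review bot: in the third hunk (@@ -183,7 +182,7 @@) the hunk-header context "but for for the terminology sake we do not care" carries a doubled "for" (and "for the terminology sake" would read better as "for the sake of terminology"); that line sits just above the fenced definition whose "redundante" is fixed here, so the same copyedit pass should pick it up.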