author Jon Loeliger <jdl@netgate.com> 2017-10-30 15:04:26 -0500
committer Jon Loeliger <jdl@netgate.com> 2017-10-30 15:04:26 -0500
commit 5611ca711cd37058177078eb4591bb9e7338675d
tree 2a7ed7299781e0640c7e0741ec23eef9456b9947 /src/plugins/acl
parent 310518e522aff7ab6f4c5799765d39ecf0c7fb4c
Minor copyedit fixes to ACL Hash doc.

Change-Id: I7fe34e99f566dd2e0a36a9ba38f894973989ca8a
Signed-off-by: Jon Loeliger <jdl@netgate.com>
Diffstat (limited to 'src/plugins/acl')
-rw-r--r-- src/plugins/acl/acl_hash_lookup_doc.md 13
1 files changed, 6 insertions, 7 deletions
diff --git a/src/plugins/acl/acl_hash_lookup_doc.md b/src/plugins/acl/acl_hash_lookup_doc.md
index cb93df04bff..6b08e1bc953 100644
--- a/src/plugins/acl/acl_hash_lookup_doc.md
+++ b/src/plugins/acl/acl_hash_lookup_doc.md
@@ -24,20 +24,19 @@ parts of information related to that ACL, primarily the array of
*hash_ace_info_t* structures - each of the members of that array
corresponding to one of the rules (ACEs) in the original ACL,
for this they have a pair of *(acl_index, ace_index)* to keep track,
-predominantly for the debugging.
+predominantly for debugging.
Why do we need a whole separate structure, and are not adding new fields
-to the existing rile structure ? First, encapsulation, to minimize
+to the existing rule structure? First, encapsulation, to minimize
the pollution of the main ACL code with the hash-based lookup artifacts.
-
Second, one rule may correspond to more than one "hash-based" ACE.
In fact, most of the rules do correspond to two of those. Why ?
Consider that the current ACL lookup logic is that if a packet
is not the initial fragment, and there is an L4 entry acting on the packet,
the comparison will be made only on the L4 protocol field value rather
-than on the protocol and port values. This beaviour is governed by
-*l4_match_nonfirst_fragment* flag in the *acl_main*, and was needed to
+than on the protocol and port values. This behavior is governed by
+*l4_match_nonfirst_fragment* flag in the *acl_main*, and is needed to
maintain the compatibility with the existing software switch implementation.
While for the sequential check in *single_acl_match_5tuple()*
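Review bot: The "Why ?" on the context line after "Second, one rule may correspond..." still has the space before the question mark that this hunk removes from "rule structure?", so the paragraph is now inconsistent; drop the space there as well. In the reworded sentence, "governed by *l4_match_nonfirst_fragment* flag" is still missing its article ("governed by the *l4_match_nonfirst_fragment* flag"). Deleting the blank line also joins the "First" and "Second" reasons into a single Markdown paragraph; keep the blank line if they are meant to render separately.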
@@ -108,7 +107,7 @@ The future optimized per-packet lookup may be batched in three phases:
2. Lookup the keys in the bihash in a batch manner, collecting the
result with lowest u64 (acl index within vector, ACE index) from
the hash lookup value, and performing the list walk if necessary
- (for portranges)
+ (for portranges).
3. Take the action from the ACL record as defined by (ACL#, ACE#) from the
resulting lookup winner, or, if no match found, then perform default deny.
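Review bot: In step 2, "portranges" is left as one word on the line being edited, and the context line above writes "acl index" in lowercase next to "ACE index" and the "(ACL#, ACE#)" used in step 3. Since the line is touched anyway, consider "(for port ranges)." and "ACL index" so the terms match across the three steps.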
@@ -183,7 +182,7 @@ to have an effect, but for for the terminology sake we do not care).
The more formal definition:
```
-shadowed(aceA, aceB) := !redundante(aceA, aceB) &&
+shadowed(aceA, aceB) := !redundant(aceA, aceB) &&
!independent(aceA, aceB) &&
is_after(aceA, aceB)
```
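Review bot: The hunk header context still shows the doubled word in "but for for the terminology sake we do not care", which this copyedit pass leaves in place; suggest "but for the sake of terminology we do not care". For the corrected `redundant(aceA, aceB)`, please confirm the spelling matches the predicate name as it is defined elsewhere in the document, since that definition is not visible in this hunk.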