From 5611ca711cd37058177078eb4591bb9e7338675d Mon Sep 17 00:00:00 2001 From: Jon Loeliger Date: Mon, 30 Oct 2017 15:04:26 -0500 Subject: Minor copyedit fixes to ACL Hash doc. Change-Id: I7fe34e99f566dd2e0a36a9ba38f894973989ca8a Signed-off-by: Jon Loeliger --- src/plugins/acl/acl_hash_lookup_doc.md | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) (limited to 'src/plugins/acl/acl_hash_lookup_doc.md') diff --git a/src/plugins/acl/acl_hash_lookup_doc.md b/src/plugins/acl/acl_hash_lookup_doc.md index cb93df04bff..6b08e1bc953 100644 --- a/src/plugins/acl/acl_hash_lookup_doc.md +++ b/src/plugins/acl/acl_hash_lookup_doc.md @@ -24,20 +24,19 @@ parts of information related to that ACL, primarily the array of *hash_ace_info_t* structures - each of the members of that array corresponding to one of the rules (ACEs) in the original ACL, for this they have a pair of *(acl_index, ace_index)* to keep track, -predominantly for the debugging. +predominantly for debugging. Why do we need a whole separate structure, and are not adding new fields -to the existing rile structure ? First, encapsulation, to minimize +to the existing rule structure? First, encapsulation, to minimize the pollution of the main ACL code with the hash-based lookup artifacts. - Second, one rule may correspond to more than one "hash-based" ACE. In fact, most of the rules do correspond to two of those. Why ? Consider that the current ACL lookup logic is that if a packet is not the initial fragment, and there is an L4 entry acting on the packet, the comparison will be made only on the L4 protocol field value rather -than on the protocol and port values. This beaviour is governed by -*l4_match_nonfirst_fragment* flag in the *acl_main*, and was needed to +than on the protocol and port values. This behavior is governed by +*l4_match_nonfirst_fragment* flag in the *acl_main*, and is needed to maintain the compatibility with the existing software switch implementation. While for the sequential check in *single_acl_match_5tuple()* @@ -108,7 +107,7 @@ The future optimized per-packet lookup may be batched in three phases: 2. Lookup the keys in the bihash in a batch manner, collecting the result with lowest u64 (acl index within vector, ACE index) from the hash lookup value, and performing the list walk if necessary - (for portranges) + (for portranges). 3. Take the action from the ACL record as defined by (ACL#, ACE#) from the resulting lookup winner, or, if no match found, then perform default deny. @@ -183,7 +182,7 @@ to have an effect, but for for the terminology sake we do not care). The more formal definition: ``` -shadowed(aceA, aceB) := !redundante(aceA, aceB) && +shadowed(aceA, aceB) := !redundant(aceA, aceB) && !independent(aceA, aceB) && is_after(aceA, aceB) ``` -- cgit 1.2.3-korg