I have approx 5K-10K (5 000 - 10 000) rules.
On average I have 10-20 matches (60 max).
I don't need to insert/delete/update rules frequently - you can consider
rules being permanent which are loaded once on startup.

Fri, 26 Nov 2021 at 17:12, Dmitry Kozlyuk <dmitry.kozl...@gmail.com>:

> 2021-11-26 16:53 (UTC+0300), Дмитрий Степанов:
> > Hi!
> > I have a big number of IPv4 5-tuple rules, every rule corresponds to some
> > action. I need to find all matched rules and perform all tied actions.
>
> I rather meant the subject field,
> like splitting the flows or access control is a typical application of ACL.
> I'm asking partially out of curiosity,
> but also because there may be a better solution than DPDK ACL.
>
> > The search time greatly affects overall system performance, so I can't just
> > scan all rules. ACL is based on multi-bit tries and provides great
> > performance, so I'm looking for nearly the same performance with the
> > ability to find all matches within a single request.
>
> Some regex libraries, Hyperscan or DPDK regexdev in particular,
> take a database of rules, compile it to an efficient form
> (Hyperscan generates vector instructions, regexdev may use HW acceleration),
> and then allow matching input to the entire database in a single request,
> yielding every match for every expression.
>
> From my experience, performance is decent,
> but of course it depends on the number of rules and their complexity.
> How many rules do you have?
> How many rules are expected to match (avg/max)?
> How often do you need to insert/delete/update rules?
>
