d8/dec/hash__lookup_8c_source.html

/*

 *------------------------------------------------------------------

 * Copyright (c) 2017 Cisco and/or its affiliates.

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at:

 *

 *     http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 *------------------------------------------------------------------

 */


#include <stddef.h>

#include <netinet/in.h>


#include <vlibapi/api.h>

#include <vlibmemory/api.h>


#include <vlib/vlib.h>

#include <vnet/vnet.h>

#include <vppinfra/error.h>

#include <vnet/plugin/plugin.h>

#include <acl/acl.h>

#include <vppinfra/bihash_48_8.h>


#include "hash_lookup.h"

#include "hash_lookup_private.h"


always_inline applied_hash_ace_entry_t **get_applied_hash_aces(acl_main_t *am, u32 lc_index)

{

  applied_hash_ace_entry_t **applied_hash_aces = vec_elt_at_index(am->hash_entry_vec_by_lc_index, lc_index);


/*is_input ? vec_elt_at_index(am->input_hash_entry_vec_by_sw_if_index, sw_if_index)

                                                          : vec_elt_at_index(am->output_hash_entry_vec_by_sw_if_index, sw_if_index);

*/

  return applied_hash_aces;

}


static void

hashtable_add_del(acl_main_t *am, clib_bihash_kv_48_8_t *kv, int is_add)

{

    DBG("HASH ADD/DEL: %016llx %016llx %016llx %016llx %016llx %016llx %016llx add %d",

                        kv->key[0], kv->key[1], kv->key[2],

                        kv->key[3], kv->key[4], kv->key[5], kv->value, is_add);

    BV (clib_bihash_add_del) (&am->acl_lookup_hash, kv, is_add);

}


/*

 * TupleMerge

 *

 * Initial adaptation by Valerio Bruschi (valerio.bruschi@telecom-paristech.fr)

 * based on the TupleMerge [1] simulator kindly made available

 * by  James Daly (dalyjamese@gmail.com) and  Eric Torng (torng@cse.msu.edu)

 * ( http://www.cse.msu.edu/~dalyjame/ or http://www.cse.msu.edu/~torng/ ),

 * refactoring by Andrew Yourtchenko.

 *

 * [1] James Daly, Eric Torng "TupleMerge: Building Online Packet Classifiers

 * by Omitting Bits", In Proc. IEEE ICCCN 2017, pp. 1-10

 *

 */


static int

count_bits (u64 word)

{

  int counter = 0;

  while (word)

    {

      counter += word & 1;

      word >>= 1;

    }

  return counter;

}


/* check if mask2 can be contained by mask1 */

static u8

first_mask_contains_second_mask(int is_ip6, fa_5tuple_t * mask1, fa_5tuple_t * mask2)

{

  int i;

  if (is_ip6)

    {

      for (i = 0; i < 2; i++)

        {

          if ((mask1->ip6_addr[0].as_u64[i] & mask2->ip6_addr[0].as_u64[i]) !=

              mask1->ip6_addr[0].as_u64[i])

            return 0;

          if ((mask1->ip6_addr[1].as_u64[i] & mask2->ip6_addr[1].as_u64[i]) !=

              mask1->ip6_addr[1].as_u64[i])

            return 0;

        }

    }

  else

    {

      /* check the pads, both masks must have it 0 */

      u32 padcheck = 0;

      int i;

      for (i=0; i<6; i++) {

        padcheck |= mask1->l3_zero_pad[i];

        padcheck |= mask2->l3_zero_pad[i];

      }

      if (padcheck != 0)

        return 0;

      if ((mask1->ip4_addr[0].as_u32 & mask2->ip4_addr[0].as_u32) !=

          mask1->ip4_addr[0].as_u32)

        return 0;

      if ((mask1->ip4_addr[1].as_u32 & mask2->ip4_addr[1].as_u32) !=

          mask1->ip4_addr[1].as_u32)

        return 0;

    }


  /* take care if port are not exact-match  */

  if ((mask1->l4.as_u64 & mask2->l4.as_u64) != mask1->l4.as_u64)

    return 0;


  if ((mask1->pkt.as_u64 & mask2->pkt.as_u64) != mask1->pkt.as_u64)

    return 0;


  return 1;

}


/*

 * TupleMerge:

 *

 * Consider the situation when we have to create a new table

 * T for a given rule R. This occurs for the first rule inserted and

 * for later rules if it is incompatible with all existing tables.

 * In this event, we need to determine mT for a new table.

 * Setting mT = mR is not a good strategy; if another similar,

 * but slightly less specific, rule appears we will be unable to

 * add it to T and will thus have to create another new table. We

 * thus consider two factors: is the rule more strongly aligned

 * with source or destination addresses (usually the two most

 * important fields) and how much slack needs to be given to

 * allow for other rules. If the source and destination addresses

 * are close together (within 4 bits for our experiments), we use

 * both of them. Otherwise, we drop the smaller (less specific)

 * address and its associated port field from consideration; R is

 * predominantly aligned with one of the two fields and should

 * be grouped with other similar rules. This is similar to TSS

 * dropping port fields, but since it is based on observable rule

 * characteristics it is more likely to keep important fields and

 * discard less useful ones.

 * We then look at the absolute lengths of the addresses. If

 * the address is long, we are more likely to try to add shorter

 * lengths and likewise the reverse. We thus remove a few bits

 * from both address fields with more bits removed from longer

 * addresses. For 32 bit addresses, we remove 4 bits, 3 for more

 * than 24, 2 for more than 16, and so on (so 8 and fewer bits

 * don’t have any removed). We only do this for prefix fields like

 * addresses; both range fields (like ports) and exact match fields

 * (like protocol) should remain as they are.

 */


static u32

shift_ip4_if(u32 mask, u32 thresh, int numshifts, u32 else_val)

{

  if (mask > thresh)

     return clib_host_to_net_u32((clib_net_to_host_u32(mask) << numshifts) & 0xFFFFFFFF);

  else

     return else_val;

}


static void

relax_ip4_addr(ip4_address_t *ip4_mask, int relax2) {

  int shifts_per_relax[2][4] = { { 6, 5, 4, 2 }, { 3, 2, 1, 1 } };


  int *shifts = shifts_per_relax[relax2];

  if(ip4_mask->as_u32 == 0xffffffff)

    ip4_mask->as_u32 = clib_host_to_net_u32((clib_net_to_host_u32(ip4_mask->as_u32) << shifts[0])&0xFFFFFFFF);

  else

    ip4_mask->as_u32 = shift_ip4_if(ip4_mask->as_u32, 0xffffff00, shifts[1],

                        shift_ip4_if(ip4_mask->as_u32, 0xffff0000, shifts[2],

                          shift_ip4_if(ip4_mask->as_u32, 0xff000000, shifts[3], ip4_mask->as_u32)));

}


static void

relax_ip6_addr(ip6_address_t *ip6_mask, int relax2) {

  /*

   * This "better than nothing" relax logic is based on heuristics

   * from IPv6 knowledge, and may not be optimal.

   * Some further tuning may be needed in the future.

   */

  if (ip6_mask->as_u64[0] == 0xffffffffffffffffULL) {

    if (ip6_mask->as_u64[1] == 0xffffffffffffffffULL) {

      /* relax a /128 down to /64  - likely to have more hosts */

      ip6_mask->as_u64[1] = 0;

    } else if (ip6_mask->as_u64[1] == 0) {

      /* relax a /64 down to /56 - likely to have more subnets */

      ip6_mask->as_u64[0] = clib_host_to_net_u64(0xffffffffffffff00ULL);

    }

  }

}


static void

relax_tuple(fa_5tuple_t *mask, int is_ip6, int relax2){

        fa_5tuple_t save_mask = *mask;


        int counter_s = 0, counter_d = 0;

        if (is_ip6) {

          int i;

          for(i=0; i<2; i++){

                counter_s += count_bits(mask->ip6_addr[0].as_u64[i]);

                counter_d += count_bits(mask->ip6_addr[1].as_u64[i]);

          }

        } else {

                counter_s += count_bits(mask->ip4_addr[0].as_u32);

                counter_d += count_bits(mask->ip4_addr[1].as_u32);

        }


/*

 * is the rule more strongly aligned with source or destination addresses

 * (usually the two most important fields) and how much slack needs to be

 * given to allow for other rules. If the source and destination addresses

 * are close together (within 4 bits for our experiments), we use both of them.

 * Otherwise, we drop the smaller (less specific) address and its associated

 * port field from consideration

 */

        const int deltaThreshold = 4;

        /* const int deltaThreshold = 8; if IPV6? */

        int delta = counter_s - counter_d;

        if (-delta > deltaThreshold) {

                if (is_ip6)

                  mask->ip6_addr[0].as_u64[1] = mask->ip6_addr[0].as_u64[0] = 0;

                else

                  mask->ip4_addr[0].as_u32 = 0;

                mask->l4.port[0] = 0;

        } else if (delta > deltaThreshold) {

                if (is_ip6)

                  mask->ip6_addr[1].as_u64[1] = mask->ip6_addr[1].as_u64[0] = 0;

                else

                  mask->ip4_addr[1].as_u32 = 0;

                mask->l4.port[1] = 0;

        }


        if (is_ip6) {

          relax_ip6_addr(&mask->ip6_addr[0], relax2);

          relax_ip6_addr(&mask->ip6_addr[1], relax2);

        } else {

          relax_ip4_addr(&mask->ip4_addr[0], relax2);

          relax_ip4_addr(&mask->ip4_addr[1], relax2);

        }

        mask->pkt.is_nonfirst_fragment = 0;

        mask->pkt.l4_valid = 0;

        if(!first_mask_contains_second_mask(is_ip6, mask, &save_mask)){

                DBG( "TM-relaxing-ERROR");

                *mask = save_mask;

        }

        DBG( "TM-relaxing-end");

}


static u32

find_mask_type_index(acl_main_t *am, fa_5tuple_t *mask)

{

  ace_mask_type_entry_t *mte;

  /* *INDENT-OFF* */

  pool_foreach (mte, am->ace_mask_type_pool)

   {

    if(memcmp(&mte->mask, mask, sizeof(*mask)) == 0)

      return (mte - am->ace_mask_type_pool);

  }

  /* *INDENT-ON* */

  return ~0;

}


static u32

assign_mask_type_index(acl_main_t *am, fa_5tuple_t *mask)

{

  u32 mask_type_index = find_mask_type_index(am, mask);

  ace_mask_type_entry_t *mte;

  if(~0 == mask_type_index) {

    pool_get_aligned (am->ace_mask_type_pool, mte, CLIB_CACHE_LINE_BYTES);

    mask_type_index = mte - am->ace_mask_type_pool;

    clib_memcpy_fast(&mte->mask, mask, sizeof(mte->mask));

    mte->refcount = 0;


    /*

     * We can use only 16 bits, since in the match there is only u16 field.

     * Realistically, once you go to 64K of mask types, it is a huge

     * problem anyway, so we might as well stop half way.

     */

    ASSERT(mask_type_index < 32768);

  }

  mte = am->ace_mask_type_pool + mask_type_index;

  mte->refcount++;

  DBG0("ASSIGN MTE index %d new refcount %d", mask_type_index, mte->refcount);

  return mask_type_index;

}


static void

lock_mask_type_index(acl_main_t *am, u32 mask_type_index)

{

  DBG0("LOCK MTE index %d", mask_type_index);

  ace_mask_type_entry_t *mte = pool_elt_at_index(am->ace_mask_type_pool, mask_type_index);

  mte->refcount++;

  DBG0("LOCK MTE index %d new refcount %d", mask_type_index, mte->refcount);

}


static void

release_mask_type_index(acl_main_t *am, u32 mask_type_index)

{

  DBG0("RELEAS MTE index %d", mask_type_index);

  ace_mask_type_entry_t *mte = pool_elt_at_index(am->ace_mask_type_pool, mask_type_index);

  mte->refcount--;

  DBG0("RELEAS MTE index %d new refcount %d", mask_type_index, mte->refcount);

  if (mte->refcount == 0) {

    /* we are not using this entry anymore */

    clib_memset(mte, 0xae, sizeof(*mte));

    pool_put(am->ace_mask_type_pool, mte);

  }

}


static u32

tm_assign_mask_type_index(acl_main_t *am, fa_5tuple_t *mask, int is_ip6, u32 lc_index)

{

        u32 mask_type_index = ~0;

        u32 for_mask_type_index = ~0;

        ace_mask_type_entry_t *mte = 0;

        int order_index;

        /* look for existing mask comparable with the one in input */


        hash_applied_mask_info_t **hash_applied_mask_info_vec = vec_elt_at_index(am->hash_applied_mask_info_vec_by_lc_index, lc_index);

        hash_applied_mask_info_t *minfo;


        if (vec_len(*hash_applied_mask_info_vec) > 0) {

            for(order_index = vec_len((*hash_applied_mask_info_vec)) -1; order_index >= 0; order_index--) {

                minfo = vec_elt_at_index((*hash_applied_mask_info_vec), order_index);

                for_mask_type_index = minfo->mask_type_index;

                mte = vec_elt_at_index(am->ace_mask_type_pool, for_mask_type_index);

                if(first_mask_contains_second_mask(is_ip6, &mte->mask, mask)){

                        mask_type_index = (mte - am->ace_mask_type_pool);

                        lock_mask_type_index(am, mask_type_index);

                        break;

                }

            }

        }


        if(~0 == mask_type_index) {

                /* if no mask is found, then let's use a relaxed version of the original one, in order to be used by new ace_entries */

                DBG( "TM-assigning mask type index-new one");

                fa_5tuple_t relaxed_mask = *mask;

                relax_tuple(&relaxed_mask, is_ip6, 0);

                mask_type_index = assign_mask_type_index(am, &relaxed_mask);


                hash_applied_mask_info_t **hash_applied_mask_info_vec = vec_elt_at_index(am->hash_applied_mask_info_vec_by_lc_index, lc_index);


                int spot = vec_len((*hash_applied_mask_info_vec));

                vec_validate((*hash_applied_mask_info_vec), spot);

                minfo = vec_elt_at_index((*hash_applied_mask_info_vec), spot);

                minfo->mask_type_index = mask_type_index;

                minfo->num_entries = 0;

                minfo->max_collisions = 0;

                minfo->first_rule_index = ~0;


                /*

                 * We can use only 16 bits, since in the match there is only u16 field.

                 * Realistically, once you go to 64K of mask types, it is a huge

                 * problem anyway, so we might as well stop half way.

                 */

                ASSERT(mask_type_index < 32768);

        }

        mte = am->ace_mask_type_pool + mask_type_index;

        DBG0("TM-ASSIGN MTE index %d new refcount %d", mask_type_index, mte->refcount);

        return mask_type_index;

}


static void

fill_applied_hash_ace_kv(acl_main_t *am,

                            applied_hash_ace_entry_t **applied_hash_aces,

                            u32 lc_index,

                            u32 new_index, clib_bihash_kv_48_8_t *kv)

{

  fa_5tuple_t *kv_key = (fa_5tuple_t *)kv->key;

  hash_acl_lookup_value_t *kv_val = (hash_acl_lookup_value_t *)&kv->value;

  applied_hash_ace_entry_t *pae = vec_elt_at_index((*applied_hash_aces), new_index);

  hash_acl_info_t *ha = vec_elt_at_index(am->hash_acl_infos, pae->acl_index);


  /* apply the mask to ace key */

  hash_ace_info_t *ace_info = vec_elt_at_index(ha->rules, pae->hash_ace_info_index);

  ace_mask_type_entry_t *mte = vec_elt_at_index(am->ace_mask_type_pool, pae->mask_type_index);


  u64 *pmatch = (u64 *) &ace_info->match;

  u64 *pmask = (u64 *)&mte->mask;

  u64 *pkey = (u64 *)kv->key;


  *pkey++ = *pmatch++ & *pmask++;

  *pkey++ = *pmatch++ & *pmask++;

  *pkey++ = *pmatch++ & *pmask++;

  *pkey++ = *pmatch++ & *pmask++;

  *pkey++ = *pmatch++ & *pmask++;

  *pkey++ = *pmatch++ & *pmask++;


  kv_key->pkt.mask_type_index_lsb = pae->mask_type_index;

  kv_key->pkt.lc_index = lc_index;

  kv_val->as_u64 = 0;

  kv_val->applied_entry_index = new_index;

}


static void

add_del_hashtable_entry(acl_main_t *am,

                            u32 lc_index,

                            applied_hash_ace_entry_t **applied_hash_aces,

                            u32 index, int is_add)

{

  clib_bihash_kv_48_8_t kv;


  fill_applied_hash_ace_kv(am, applied_hash_aces, lc_index, index, &kv);

  hashtable_add_del(am, &kv, is_add);

}


static void

remake_hash_applied_mask_info_vec (acl_main_t * am,

                                   applied_hash_ace_entry_t **

                                   applied_hash_aces, u32 lc_index)

{

  DBG0("remake applied hash mask info lc_index %d", lc_index);

  hash_applied_mask_info_t *new_hash_applied_mask_info_vec =

    vec_new (hash_applied_mask_info_t, 0);


  hash_applied_mask_info_t *minfo;

  int i;

  for (i = 0; i < vec_len ((*applied_hash_aces)); i++)

    {

      applied_hash_ace_entry_t *pae =

        vec_elt_at_index ((*applied_hash_aces), i);


      /* check if mask_type_index is already there */

      u32 new_pointer = vec_len (new_hash_applied_mask_info_vec);

      int search;

      for (search = 0; search < vec_len (new_hash_applied_mask_info_vec);

           search++)

        {

          minfo = vec_elt_at_index (new_hash_applied_mask_info_vec, search);

          if (minfo->mask_type_index == pae->mask_type_index)

            break;

        }


      vec_validate ((new_hash_applied_mask_info_vec), search);

      minfo = vec_elt_at_index ((new_hash_applied_mask_info_vec), search);

      if (search == new_pointer)

        {

          DBG0("remaking index %d", search);

          minfo->mask_type_index = pae->mask_type_index;

          minfo->num_entries = 0;

          minfo->max_collisions = 0;

          minfo->first_rule_index = ~0;

        }


      minfo->num_entries = minfo->num_entries + 1;


      if (vec_len (pae->colliding_rules) > minfo->max_collisions)

        minfo->max_collisions = vec_len (pae->colliding_rules);


      if (minfo->first_rule_index > i)

        minfo->first_rule_index = i;

    }


  hash_applied_mask_info_t **hash_applied_mask_info_vec =

    vec_elt_at_index (am->hash_applied_mask_info_vec_by_lc_index, lc_index);


  vec_free ((*hash_applied_mask_info_vec));

  (*hash_applied_mask_info_vec) = new_hash_applied_mask_info_vec;

}


static void

vec_del_collision_rule (collision_match_rule_t ** pvec,

                        u32 applied_entry_index)

{

  u32 i = 0;

  u32 deleted = 0;

  while (i < _vec_len ((*pvec)))

    {

      collision_match_rule_t *cr = vec_elt_at_index ((*pvec), i);

      if (cr->applied_entry_index == applied_entry_index)

        {

          /* vec_del1 ((*pvec), i) would be more efficient but would reorder the elements. */

          vec_delete((*pvec), 1, i);

          deleted++;

          DBG0("vec_del_collision_rule deleting one at index %d", i);

        }

      else

        {

          i++;

        }

    }

  ASSERT(deleted > 0);

}


static void

acl_plugin_print_pae (vlib_main_t * vm, int j, applied_hash_ace_entry_t * pae);


static void

del_colliding_rule (applied_hash_ace_entry_t ** applied_hash_aces,

                    u32 head_index, u32 applied_entry_index)

{

  DBG0("DEL COLLIDING RULE: head_index %d applied index %d", head_index, applied_entry_index);


  applied_hash_ace_entry_t *head_pae =

    vec_elt_at_index ((*applied_hash_aces), head_index);

  if (ACL_HASH_LOOKUP_DEBUG > 0)

    acl_plugin_print_pae(acl_main.vlib_main, head_index, head_pae);

  vec_del_collision_rule (&head_pae->colliding_rules, applied_entry_index);

  if (vec_len(head_pae->colliding_rules) == 0) {

    vec_free(head_pae->colliding_rules);

  }

  if (ACL_HASH_LOOKUP_DEBUG > 0)

    acl_plugin_print_pae(acl_main.vlib_main, head_index, head_pae);

}


static void

add_colliding_rule (acl_main_t * am,

                    applied_hash_ace_entry_t ** applied_hash_aces,

                    u32 head_index, u32 applied_entry_index)

{

  applied_hash_ace_entry_t *head_pae =

    vec_elt_at_index ((*applied_hash_aces), head_index);

  applied_hash_ace_entry_t *pae =

    vec_elt_at_index ((*applied_hash_aces), applied_entry_index);

  DBG0("ADD COLLIDING RULE: head_index %d applied index %d", head_index, applied_entry_index);

  if (ACL_HASH_LOOKUP_DEBUG > 0)

    acl_plugin_print_pae(acl_main.vlib_main, head_index, head_pae);


  collision_match_rule_t cr;


  cr.acl_index = pae->acl_index;

  cr.ace_index = pae->ace_index;

  cr.acl_position = pae->acl_position;

  cr.applied_entry_index = applied_entry_index;

  cr.rule = am->acls[pae->acl_index].rules[pae->ace_index];

  pae->collision_head_ae_index = head_index;

  vec_add1 (head_pae->colliding_rules, cr);

  if (ACL_HASH_LOOKUP_DEBUG > 0)

    acl_plugin_print_pae(acl_main.vlib_main, head_index, head_pae);

}


static u32

activate_applied_ace_hash_entry(acl_main_t *am,

                            u32 lc_index,

                            applied_hash_ace_entry_t **applied_hash_aces,

                            u32 new_index)

{

  clib_bihash_kv_48_8_t kv;

  ASSERT(new_index != ~0);

  DBG("activate_applied_ace_hash_entry lc_index %d new_index %d", lc_index, new_index);


  fill_applied_hash_ace_kv(am, applied_hash_aces, lc_index, new_index, &kv);


  DBG("APPLY ADD KY: %016llx %016llx %016llx %016llx %016llx %016llx",

                        kv.key[0], kv.key[1], kv.key[2],

                        kv.key[3], kv.key[4], kv.key[5]);


  clib_bihash_kv_48_8_t result;

  hash_acl_lookup_value_t *result_val = (hash_acl_lookup_value_t *)&result.value;

  int res = BV (clib_bihash_search) (&am->acl_lookup_hash, &kv, &result);

  ASSERT(new_index != ~0);

  ASSERT(new_index < vec_len((*applied_hash_aces)));

  if (res == 0) {

    u32 first_index = result_val->applied_entry_index;

    ASSERT(first_index != ~0);

    ASSERT(first_index < vec_len((*applied_hash_aces)));

    /* There already exists an entry or more. Append at the end. */

    DBG("A key already exists, with applied entry index: %d", first_index);

    add_colliding_rule(am, applied_hash_aces, first_index, new_index);

    return first_index;

  } else {

    /* It's the very first entry */

    hashtable_add_del(am, &kv, 1);

    ASSERT(new_index != ~0);

    add_colliding_rule(am, applied_hash_aces, new_index, new_index);

    return new_index;

  }

}


static void

assign_mask_type_index_to_pae(acl_main_t *am, u32 lc_index, int is_ip6, applied_hash_ace_entry_t *pae)

{

  hash_acl_info_t *ha = vec_elt_at_index(am->hash_acl_infos, pae->acl_index);

  hash_ace_info_t *ace_info = vec_elt_at_index(ha->rules, pae->hash_ace_info_index);


  ace_mask_type_entry_t *mte;

  fa_5tuple_t mask;

  /*

   * Start taking base_mask associated to ace, and essentially copy it.

   * With TupleMerge we will assign a relaxed mask here.

   */

  mte = vec_elt_at_index(am->ace_mask_type_pool, ace_info->base_mask_type_index);

  mask = mte->mask;

  if (am->use_tuple_merge)

    pae->mask_type_index = tm_assign_mask_type_index(am, &mask, is_ip6, lc_index);

  else

    pae->mask_type_index = assign_mask_type_index(am, &mask);

}


static void

split_partition(acl_main_t *am, u32 first_index,

                            u32 lc_index, int is_ip6);


static void

check_collision_count_and_maybe_split(acl_main_t *am, u32 lc_index, int is_ip6, u32 first_index)

{

  applied_hash_ace_entry_t **applied_hash_aces = get_applied_hash_aces(am, lc_index);

  applied_hash_ace_entry_t *first_pae = vec_elt_at_index((*applied_hash_aces), first_index);

  if (vec_len(first_pae->colliding_rules) > am->tuple_merge_split_threshold) {

    split_partition(am, first_index, lc_index, is_ip6);

  }

}


void

hash_acl_apply(acl_main_t *am, u32 lc_index, int acl_index, u32 acl_position)

{

  int i;


  DBG0("HASH ACL apply: lc_index %d acl %d", lc_index, acl_index);

  if (!am->acl_lookup_hash_initialized) {

    BV (clib_bihash_init) (&am->acl_lookup_hash, "ACL plugin rule lookup bihash",

                           am->hash_lookup_hash_buckets, am->hash_lookup_hash_memory);

    am->acl_lookup_hash_initialized = 1;

  }


  vec_validate(am->hash_entry_vec_by_lc_index, lc_index);

  vec_validate(am->hash_acl_infos, acl_index);

  applied_hash_ace_entry_t **applied_hash_aces = get_applied_hash_aces(am, lc_index);


  hash_acl_info_t *ha = vec_elt_at_index(am->hash_acl_infos, acl_index);

  u32 **hash_acl_applied_lc_index = &ha->lc_index_list;


  int base_offset = vec_len(*applied_hash_aces);


  /* Update the bitmap of the mask types with which the lookup

     needs to happen for the ACLs applied to this lc_index */

  applied_hash_acl_info_t **applied_hash_acls = &am->applied_hash_acl_info_by_lc_index;

  vec_validate((*applied_hash_acls), lc_index);

  applied_hash_acl_info_t *pal = vec_elt_at_index((*applied_hash_acls), lc_index);


  /* ensure the list of applied hash acls is initialized and add this acl# to it */

  u32 index = vec_search(pal->applied_acls, acl_index);

  if (index != ~0) {

    clib_warning("BUG: trying to apply twice acl_index %d on lc_index %d, according to lc",

                 acl_index, lc_index);

    ASSERT(0);

    return;

  }

  vec_add1(pal->applied_acls, acl_index);

  u32 index2 = vec_search((*hash_acl_applied_lc_index), lc_index);

  if (index2 != ~0) {

    clib_warning("BUG: trying to apply twice acl_index %d on lc_index %d, according to hash h-acl info",

                 acl_index, lc_index);

    ASSERT(0);

    return;

  }

  vec_add1((*hash_acl_applied_lc_index), lc_index);


  /*

   * if the applied ACL is empty, the current code will cause a

   * different behavior compared to current linear search: an empty ACL will

   * simply fallthrough to the next ACL, or the default deny in the end.

   *

   * This is not a problem, because after vpp-dev discussion,

   * the consensus was it should not be possible to apply the non-existent

   * ACL, so the change adding this code also takes care of that.

   */


  vec_validate(am->hash_applied_mask_info_vec_by_lc_index, lc_index);


  /* since we know (in case of no split) how much we expand, preallocate that space */

  if (vec_len(ha->rules) > 0) {

    int old_vec_len = vec_len(*applied_hash_aces);

    vec_validate((*applied_hash_aces), old_vec_len + vec_len(ha->rules) - 1);

    _vec_len((*applied_hash_aces)) = old_vec_len;

  }


  /* add the rules from the ACL to the hash table for lookup and append to the vector*/

  for(i=0; i < vec_len(ha->rules); i++) {

    /*

     * Expand the applied aces vector to fit a new entry.

     * One by one not to upset split_partition() if it is called.

     */

    vec_resize((*applied_hash_aces), 1);


    int is_ip6 = ha->rules[i].match.pkt.is_ip6;

    u32 new_index = base_offset + i;

    applied_hash_ace_entry_t *pae = vec_elt_at_index((*applied_hash_aces), new_index);

    pae->acl_index = acl_index;

    pae->ace_index = ha->rules[i].ace_index;

    pae->acl_position = acl_position;

    pae->action = ha->rules[i].action;

    pae->hitcount = 0;

    pae->hash_ace_info_index = i;

    /* we might link it in later */

    pae->collision_head_ae_index = ~0;

    pae->colliding_rules = NULL;

    pae->mask_type_index = ~0;

    assign_mask_type_index_to_pae(am, lc_index, is_ip6, pae);

    u32 first_index = activate_applied_ace_hash_entry(am, lc_index, applied_hash_aces, new_index);

    if (am->use_tuple_merge)

      check_collision_count_and_maybe_split(am, lc_index, is_ip6, first_index);

  }

  remake_hash_applied_mask_info_vec(am, applied_hash_aces, lc_index);

}


static u32

find_head_applied_ace_index(applied_hash_ace_entry_t **applied_hash_aces, u32 curr_index)

{

  ASSERT(curr_index != ~0);

  applied_hash_ace_entry_t *pae = vec_elt_at_index((*applied_hash_aces), curr_index);

  ASSERT(pae);

  ASSERT(pae->collision_head_ae_index != ~0);

  return pae->collision_head_ae_index;

}


static void

set_collision_head_ae_index(applied_hash_ace_entry_t **applied_hash_aces, collision_match_rule_t *colliding_rules, u32 new_index)

{

        collision_match_rule_t *cr;

        vec_foreach(cr, colliding_rules) {

            applied_hash_ace_entry_t *pae = vec_elt_at_index((*applied_hash_aces), cr->applied_entry_index);

            pae->collision_head_ae_index = new_index;

        }

}


static void

move_applied_ace_hash_entry(acl_main_t *am,

                            u32 lc_index,

                            applied_hash_ace_entry_t **applied_hash_aces,

                            u32 old_index, u32 new_index)

{

  ASSERT(old_index != ~0);

  ASSERT(new_index != ~0);

  /* move the entry */

  *vec_elt_at_index((*applied_hash_aces), new_index) = *vec_elt_at_index((*applied_hash_aces), old_index);


  /* update the linkage and hash table if necessary */

  applied_hash_ace_entry_t *pae = vec_elt_at_index((*applied_hash_aces), old_index);

  applied_hash_ace_entry_t *new_pae = vec_elt_at_index((*applied_hash_aces), new_index);


  if (ACL_HASH_LOOKUP_DEBUG > 0) {

    clib_warning("Moving pae from %d to %d", old_index, new_index);

    acl_plugin_print_pae(am->vlib_main, old_index, pae);

  }


  if (pae->collision_head_ae_index == old_index) {

    /* first entry - so the hash points to it, update */

    add_del_hashtable_entry(am, lc_index,

                            applied_hash_aces, new_index, 1);

  }

  if (new_pae->colliding_rules) {

    /* update the information within the collision rule entry */

    ASSERT(vec_len(new_pae->colliding_rules) > 0);

    collision_match_rule_t *cr = vec_elt_at_index (new_pae->colliding_rules, 0);

    ASSERT(cr->applied_entry_index == old_index);

    cr->applied_entry_index = new_index;

    set_collision_head_ae_index(applied_hash_aces, new_pae->colliding_rules, new_index);

  } else {

    /* find the index in the collision rule entry on the head element */

    u32 head_index = find_head_applied_ace_index(applied_hash_aces, new_index);

    ASSERT(head_index != ~0);

    applied_hash_ace_entry_t *head_pae = vec_elt_at_index((*applied_hash_aces), head_index);

    ASSERT(vec_len(head_pae->colliding_rules) > 0);

    u32 i;

    for (i=0; i<vec_len(head_pae->colliding_rules); i++) {

      collision_match_rule_t *cr = vec_elt_at_index (head_pae->colliding_rules, i);

      if (cr->applied_entry_index == old_index) {

        cr->applied_entry_index = new_index;

      }

    }

    if (ACL_HASH_LOOKUP_DEBUG > 0) {

      clib_warning("Head pae at index %d after adjustment", head_index);

      acl_plugin_print_pae(am->vlib_main, head_index, head_pae);

    }

  }

  /* invalidate the old entry */

  pae->collision_head_ae_index = ~0;

  pae->colliding_rules = NULL;

}


static void

deactivate_applied_ace_hash_entry(acl_main_t *am,

                            u32 lc_index,

                            applied_hash_ace_entry_t **applied_hash_aces,

                            u32 old_index)

{

  applied_hash_ace_entry_t *pae = vec_elt_at_index((*applied_hash_aces), old_index);

  DBG("UNAPPLY DEACTIVATE: lc_index %d applied index %d", lc_index, old_index);

  if (ACL_HASH_LOOKUP_DEBUG > 0) {

    clib_warning("Deactivating pae at index %d", old_index);

    acl_plugin_print_pae(am->vlib_main, old_index, pae);

  }


  if (pae->collision_head_ae_index != old_index) {

    DBG("UNAPPLY = index %d has collision head %d", old_index, pae->collision_head_ae_index);


    u32 head_index = find_head_applied_ace_index(applied_hash_aces, old_index);

    ASSERT(head_index != ~0);

    del_colliding_rule(applied_hash_aces, head_index, old_index);


  } else {

    /* It was the first entry. We need either to reset the hash entry or delete it */

    /* delete our entry from the collision vector first */

    del_colliding_rule(applied_hash_aces, old_index, old_index);

    if (vec_len(pae->colliding_rules) > 0) {

      u32 next_pae_index = pae->colliding_rules[0].applied_entry_index;

      applied_hash_ace_entry_t *next_pae = vec_elt_at_index((*applied_hash_aces), next_pae_index);

      /* Remove ourselves and transfer the ownership of the colliding rules vector */

      next_pae->colliding_rules = pae->colliding_rules;

      set_collision_head_ae_index(applied_hash_aces, next_pae->colliding_rules, next_pae_index);

      add_del_hashtable_entry(am, lc_index,

                              applied_hash_aces, next_pae_index, 1);

    } else {

      /* no next entry, so just delete the entry in the hash table */

      add_del_hashtable_entry(am, lc_index,

                              applied_hash_aces, old_index, 0);

    }

  }

  DBG0("Releasing mask type index %d for pae index %d on lc_index %d", pae->mask_type_index, old_index, lc_index);

  release_mask_type_index(am, pae->mask_type_index);

  /* invalidate the old entry */

  pae->mask_type_index = ~0;

  pae->collision_head_ae_index = ~0;

  /* always has to be 0 */

  pae->colliding_rules = NULL;

}


void

hash_acl_unapply(acl_main_t *am, u32 lc_index, int acl_index)

{

  int i;


  DBG0("HASH ACL unapply: lc_index %d acl %d", lc_index, acl_index);

  applied_hash_acl_info_t **applied_hash_acls = &am->applied_hash_acl_info_by_lc_index;

  applied_hash_acl_info_t *pal = vec_elt_at_index((*applied_hash_acls), lc_index);


  hash_acl_info_t *ha = vec_elt_at_index(am->hash_acl_infos, acl_index);

  u32 **hash_acl_applied_lc_index = &ha->lc_index_list;


  if (ACL_HASH_LOOKUP_DEBUG > 0) {

    clib_warning("unapplying acl %d", acl_index);

    acl_plugin_show_tables_mask_type();

    acl_plugin_show_tables_acl_hash_info(acl_index);

    acl_plugin_show_tables_applied_info(lc_index);

  }


  /* remove this acl# from the list of applied hash acls */

  u32 index = vec_search(pal->applied_acls, acl_index);

  if (index == ~0) {

    clib_warning("BUG: trying to unapply unapplied acl_index %d on lc_index %d, according to lc",

                 acl_index, lc_index);

    return;

  }

  vec_del1(pal->applied_acls, index);


  u32 index2 = vec_search((*hash_acl_applied_lc_index), lc_index);

  if (index2 == ~0) {

    clib_warning("BUG: trying to unapply twice acl_index %d on lc_index %d, according to h-acl info",

                 acl_index, lc_index);

    return;

  }

  vec_del1((*hash_acl_applied_lc_index), index2);


  applied_hash_ace_entry_t **applied_hash_aces = get_applied_hash_aces(am, lc_index);


  for(i=0; i < vec_len((*applied_hash_aces)); i++) {

    if (vec_elt_at_index(*applied_hash_aces,i)->acl_index == acl_index) {

      DBG("Found applied ACL#%d at applied index %d", acl_index, i);

      break;

    }

  }

  if (vec_len((*applied_hash_aces)) <= i) {

    DBG("Did not find applied ACL#%d at lc_index %d", acl_index, lc_index);

    /* we went all the way without finding any entries. Probably a list was empty. */

    return;

  }


  int base_offset = i;

  int tail_offset = base_offset + vec_len(ha->rules);

  int tail_len = vec_len((*applied_hash_aces)) - tail_offset;

  DBG("base_offset: %d, tail_offset: %d, tail_len: %d", base_offset, tail_offset, tail_len);


  for(i=0; i < vec_len(ha->rules); i ++) {

    deactivate_applied_ace_hash_entry(am, lc_index,

                                      applied_hash_aces, base_offset + i);

  }

  for(i=0; i < tail_len; i ++) {

    /* move the entry at tail offset to base offset */

    /* that is, from (tail_offset+i) -> (base_offset+i) */

    DBG0("UNAPPLY MOVE: lc_index %d, applied index %d -> %d", lc_index, tail_offset+i, base_offset + i);

    move_applied_ace_hash_entry(am, lc_index, applied_hash_aces, tail_offset + i, base_offset + i);

  }

  /* trim the end of the vector */

  _vec_len((*applied_hash_aces)) -= vec_len(ha->rules);


  remake_hash_applied_mask_info_vec(am, applied_hash_aces, lc_index);


  if (vec_len((*applied_hash_aces)) == 0) {

    vec_free((*applied_hash_aces));

  }

}


/*

 * Create the applied ACEs and update the hash table,

 * taking into account that the ACL may not be the last

 * in the vector of applied ACLs.

 *

 * For now, walk from the end of the vector and unapply the ACLs,

 * then apply the one in question and reapply the rest.

 */


void

hash_acl_reapply(acl_main_t *am, u32 lc_index, int acl_index)

{

  acl_lookup_context_t *acontext = pool_elt_at_index(am->acl_lookup_contexts, lc_index);

  u32 **applied_acls = &acontext->acl_indices;

  int i;

  int start_index = vec_search((*applied_acls), acl_index);


  DBG0("Start index for acl %d in lc_index %d is %d", acl_index, lc_index, start_index);

  /*

   * This function is called after we find out the lc_index where ACL is applied.

   * If the by-lc_index vector does not have the ACL#, then it's a bug.

   */

  ASSERT(start_index < vec_len(*applied_acls));


  /* unapply all the ACLs at the tail side, up to the current one */

  for(i = vec_len(*applied_acls) - 1; i > start_index; i--) {

    hash_acl_unapply(am, lc_index, *vec_elt_at_index(*applied_acls, i));

  }

  for(i = start_index; i < vec_len(*applied_acls); i++) {

    hash_acl_apply(am, lc_index, *vec_elt_at_index(*applied_acls, i), i);

  }

}


static void

make_ip6_address_mask(ip6_address_t *addr, u8 prefix_len)

{

  ip6_address_mask_from_width(addr, prefix_len);

}


/* Maybe should be moved into the core somewhere */

always_inline void

ip4_address_mask_from_width (ip4_address_t * a, u32 width)

{

  int i, byte, bit, bitnum;

  ASSERT (width <= 32);

  clib_memset (a, 0, sizeof (a[0]));

  for (i = 0; i < width; i++)

    {

      bitnum = (7 - (i & 7));

      byte = i / 8;

      bit = 1 << bitnum;

      a->as_u8[byte] |= bit;

    }

}


static void

make_ip4_address_mask(ip4_address_t *addr, u8 prefix_len)

{

  ip4_address_mask_from_width(addr, prefix_len);

}


static void

make_port_mask(u16 *portmask, u16 port_first, u16 port_last)

{

  if (port_first == port_last) {

    *portmask = 0xffff;

    /* single port is representable by masked value */

    return;

  }


  *portmask = 0;

  return;

}


static void

make_mask_and_match_from_rule(fa_5tuple_t *mask, acl_rule_t *r, hash_ace_info_t *hi)

{

  clib_memset(mask, 0, sizeof(*mask));

  clib_memset(&hi->match, 0, sizeof(hi->match));

  hi->action = r->is_permit;


  /* we will need to be matching based on lc_index and mask_type_index when applied */

  mask->pkt.lc_index = ~0;

  /* we will assign the match of mask_type_index later when we find it*/

  mask->pkt.mask_type_index_lsb = ~0;


  mask->pkt.is_ip6 = 1;

  hi->match.pkt.is_ip6 = r->is_ipv6;

  if (r->is_ipv6) {

    make_ip6_address_mask(&mask->ip6_addr[0], r->src_prefixlen);

    hi->match.ip6_addr[0] = r->src.ip6;

    make_ip6_address_mask(&mask->ip6_addr[1], r->dst_prefixlen);

    hi->match.ip6_addr[1] = r->dst.ip6;

  } else {

    clib_memset(hi->match.l3_zero_pad, 0, sizeof(hi->match.l3_zero_pad));

    make_ip4_address_mask(&mask->ip4_addr[0], r->src_prefixlen);

    hi->match.ip4_addr[0] = r->src.ip4;

    make_ip4_address_mask(&mask->ip4_addr[1], r->dst_prefixlen);

    hi->match.ip4_addr[1] = r->dst.ip4;

  }


  if (r->proto != 0) {

    mask->l4.proto = ~0; /* L4 proto needs to be matched */

    hi->match.l4.proto = r->proto;


    /* Calculate the src/dst port masks and make the src/dst port matches accordingly */

    make_port_mask(&mask->l4.port[0], r->src_port_or_type_first, r->src_port_or_type_last);

    hi->match.l4.port[0] = r->src_port_or_type_first & mask->l4.port[0];


    make_port_mask(&mask->l4.port[1], r->dst_port_or_code_first, r->dst_port_or_code_last);

    hi->match.l4.port[1] = r->dst_port_or_code_first & mask->l4.port[1];

    /* L4 info must be valid in order to match */

    mask->pkt.l4_valid = 1;

    hi->match.pkt.l4_valid = 1;

    /* And we must set the mask to check that it is an initial fragment */

    mask->pkt.is_nonfirst_fragment = 1;

    hi->match.pkt.is_nonfirst_fragment = 0;

    if ((r->proto == IPPROTO_TCP) && (r->tcp_flags_mask != 0)) {

      /* if we want to match on TCP flags, they must be masked off as well */

      mask->pkt.tcp_flags = r->tcp_flags_mask;

      hi->match.pkt.tcp_flags = r->tcp_flags_value;

      /* and the flags need to be present within the packet being matched */

      mask->pkt.tcp_flags_valid = 1;

      hi->match.pkt.tcp_flags_valid = 1;

    }

  }

  /* Sanitize the mask and the match */

  u64 *pmask = (u64 *)mask;

  u64 *pmatch = (u64 *)&hi->match;

  int j;

  for(j=0; j<6; j++) {

    pmatch[j] = pmatch[j] & pmask[j];

  }

}


int hash_acl_exists(acl_main_t *am, int acl_index)

{

  if (acl_index >= vec_len(am->hash_acl_infos))

    return 0;


  hash_acl_info_t *ha = vec_elt_at_index(am->hash_acl_infos, acl_index);

  return ha->hash_acl_exists;

}


void hash_acl_add(acl_main_t *am, int acl_index)

{

  DBG("HASH ACL add : %d", acl_index);

  int i;

  acl_rule_t *acl_rules = am->acls[acl_index].rules;

  vec_validate(am->hash_acl_infos, acl_index);

  hash_acl_info_t *ha = vec_elt_at_index(am->hash_acl_infos, acl_index);

  clib_memset(ha, 0, sizeof(*ha));

  ha->hash_acl_exists = 1;


  /* walk the newly added ACL entries and ensure that for each of them there

     is a mask type, increment a reference count for that mask type */


  /* avoid small requests by preallocating the entire vector before running the additions */

  if (vec_len(acl_rules) > 0) {

    vec_validate(ha->rules, vec_len(acl_rules)-1);

    vec_reset_length(ha->rules);

  }


  for(i=0; i < vec_len(acl_rules); i++) {

    hash_ace_info_t ace_info;

    fa_5tuple_t mask;

    clib_memset(&ace_info, 0, sizeof(ace_info));

    ace_info.acl_index = acl_index;

    ace_info.ace_index = i;


    make_mask_and_match_from_rule(&mask, &acl_rules[i], &ace_info);

    mask.pkt.flags_reserved = 0b000;

    ace_info.base_mask_type_index = assign_mask_type_index(am, &mask);

    /* assign the mask type index for matching itself */

    ace_info.match.pkt.mask_type_index_lsb = ace_info.base_mask_type_index;

    DBG("ACE: %d mask_type_index: %d", i, ace_info.base_mask_type_index);

    vec_add1(ha->rules, ace_info);

  }

  /*

   * if an ACL is applied somewhere, fill the corresponding lookup data structures.

   * We need to take care if the ACL is not the last one in the vector of ACLs applied to the interface.

   */

  if (acl_index < vec_len(am->lc_index_vec_by_acl)) {

    u32 *lc_index;

    vec_foreach(lc_index, am->lc_index_vec_by_acl[acl_index]) {

      hash_acl_reapply(am, *lc_index, acl_index);

    }

  }

}


void hash_acl_delete(acl_main_t *am, int acl_index)

{

  DBG0("HASH ACL delete : %d", acl_index);

  /*

   * If the ACL is applied somewhere, remove the references of it (call hash_acl_unapply)

   * this is a different behavior from the linear lookup where an empty ACL is "deny all",

   *

   * However, following vpp-dev discussion the ACL that is referenced elsewhere

   * should not be possible to delete, and the change adding this also adds

   * the safeguards to that respect, so this is not a problem.

   *

   * The part to remember is that this routine is called in process of reapplication

   * during the acl_add_replace() API call - the old acl ruleset is deleted, then

   * the new one is added, without the change in the applied ACLs - so this case

   * has to be handled.

   */

  hash_acl_info_t *ha = vec_elt_at_index(am->hash_acl_infos, acl_index);

  u32 *lc_list_copy = 0;

  {

    u32 *lc_index;

    lc_list_copy = vec_dup(ha->lc_index_list);

    vec_foreach(lc_index, lc_list_copy) {

      hash_acl_unapply(am, *lc_index, acl_index);

    }

    vec_free(lc_list_copy);

  }

  vec_free(ha->lc_index_list);


  /* walk the mask types for the ACL about-to-be-deleted, and decrease

   * the reference count, possibly freeing up some of them */

  int i;

  for(i=0; i < vec_len(ha->rules); i++) {

    release_mask_type_index(am, ha->rules[i].base_mask_type_index);

  }

  ha->hash_acl_exists = 0;

  vec_free(ha->rules);

}


void

show_hash_acl_hash (vlib_main_t * vm, acl_main_t *am, u32 verbose)

{

  vlib_cli_output(vm, "\nACL lookup hash table:\n%U\n",

                  BV (format_bihash), &am->acl_lookup_hash, verbose);

}


void

acl_plugin_show_tables_mask_type (void)

{

  acl_main_t *am = &acl_main;

  vlib_main_t *vm = am->vlib_main;

  ace_mask_type_entry_t *mte;


  vlib_cli_output (vm, "Mask-type entries:");

    /* *INDENT-OFF* */

    pool_foreach (mte, am->ace_mask_type_pool)

     {

      vlib_cli_output(vm, "     %3d: %016llx %016llx %016llx %016llx %016llx %016llx  refcount %d",

                    mte - am->ace_mask_type_pool,

                    mte->mask.kv_40_8.key[0], mte->mask.kv_40_8.key[1], mte->mask.kv_40_8.key[2],

                    mte->mask.kv_40_8.key[3], mte->mask.kv_40_8.key[4], mte->mask.kv_40_8.value, mte->refcount);

    }

    /* *INDENT-ON* */

}


void

acl_plugin_show_tables_acl_hash_info (u32 acl_index)

{

  acl_main_t *am = &acl_main;

  vlib_main_t *vm = am->vlib_main;

  u32 i, j;

  u64 *m;

  vlib_cli_output (vm, "Mask-ready ACL representations\n");

  for (i = 0; i < vec_len (am->hash_acl_infos); i++)

    {

      if ((acl_index != ~0) && (acl_index != i))

        {

          continue;

        }

      hash_acl_info_t *ha = &am->hash_acl_infos[i];

      vlib_cli_output (vm, "acl-index %u bitmask-ready layout\n", i);

      vlib_cli_output (vm, "  applied lc_index list: %U\n",

                       format_vec32, ha->lc_index_list, "%d");

      for (j = 0; j < vec_len (ha->rules); j++)

        {

          hash_ace_info_t *pa = &ha->rules[j];

          m = (u64 *) & pa->match;

          vlib_cli_output (vm,

                           "    %4d: %016llx %016llx %016llx %016llx %016llx %016llx base mask index %d acl %d rule %d action %d\n",

                           j, m[0], m[1], m[2], m[3], m[4], m[5],

                           pa->base_mask_type_index, pa->acl_index, pa->ace_index,

                           pa->action);

        }

    }

}


static void

acl_plugin_print_colliding_rule (vlib_main_t * vm, int j, collision_match_rule_t *cr) {

  vlib_cli_output(vm,

                  "        %4d: acl %d ace %d acl pos %d pae index: %d",

                  j, cr->acl_index, cr->ace_index, cr->acl_position, cr->applied_entry_index);

}


static void

acl_plugin_print_pae (vlib_main_t * vm, int j, applied_hash_ace_entry_t * pae)

{

  vlib_cli_output (vm,

                   "    %4d: acl %d rule %d action %d bitmask-ready rule %d mask type index: %d colliding_rules: %d collision_head_ae_idx %d hitcount %lld acl_pos: %d",

                   j, pae->acl_index, pae->ace_index, pae->action,

                   pae->hash_ace_info_index, pae->mask_type_index, vec_len(pae->colliding_rules), pae->collision_head_ae_index,

                   pae->hitcount, pae->acl_position);

  int jj;

  for(jj=0; jj<vec_len(pae->colliding_rules); jj++)

    acl_plugin_print_colliding_rule(vm, jj, vec_elt_at_index(pae->colliding_rules, jj));

}


static void

acl_plugin_print_applied_mask_info (vlib_main_t * vm, int j, hash_applied_mask_info_t *mi)

{

  vlib_cli_output (vm,

                   "    %4d: mask type index %d first rule index %d num_entries %d max_collisions %d",

                   j, mi->mask_type_index, mi->first_rule_index, mi->num_entries, mi->max_collisions);

}


void

acl_plugin_show_tables_applied_info (u32 lc_index)

{

  acl_main_t *am = &acl_main;

  vlib_main_t *vm = am->vlib_main;

  u32 lci, j;

  vlib_cli_output (vm, "Applied lookup entries for lookup contexts");


  for (lci = 0;

       (lci < vec_len(am->applied_hash_acl_info_by_lc_index)); lci++)

    {

      if ((lc_index != ~0) && (lc_index != lci))

        {

          continue;

        }

      vlib_cli_output (vm, "lc_index %d:", lci);

      if (lci < vec_len (am->applied_hash_acl_info_by_lc_index))

        {

          applied_hash_acl_info_t *pal =

            &am->applied_hash_acl_info_by_lc_index[lci];

          vlib_cli_output (vm, "  applied acls: %U", format_vec32,

                           pal->applied_acls, "%d");

        }

      if (lci < vec_len (am->hash_applied_mask_info_vec_by_lc_index))

        {

          vlib_cli_output (vm, "  applied mask info entries:");

          for (j = 0;

               j < vec_len (am->hash_applied_mask_info_vec_by_lc_index[lci]);

               j++)

            {

              acl_plugin_print_applied_mask_info (vm, j,

                                    &am->hash_applied_mask_info_vec_by_lc_index

                                    [lci][j]);

            }

        }

      if (lci < vec_len (am->hash_entry_vec_by_lc_index))

        {

          vlib_cli_output (vm, "  lookup applied entries:");

          for (j = 0;

               j < vec_len (am->hash_entry_vec_by_lc_index[lci]);

               j++)

            {

              acl_plugin_print_pae (vm, j,

                                    &am->hash_entry_vec_by_lc_index

                                    [lci][j]);

            }

        }

    }

}


void

acl_plugin_show_tables_bihash (u32 show_bihash_verbose)

{

  acl_main_t *am = &acl_main;

  vlib_main_t *vm = am->vlib_main;

  show_hash_acl_hash (vm, am, show_bihash_verbose);

}


/*

 * Split of the partition needs to happen when the collision count

 * goes over a specified threshold.

 *

 * This is a signal that we ignored too many bits in

 * mT and we need to split the table into two tables. We select

 * all of the colliding rules L and find their maximum common

 * tuple mL. Normally mL is specific enough to hash L with few

 * or no collisions. We then create a new table T2 with tuple mL

 * and transfer all compatible rules from T to T2. If mL is not

 * specific enough, we find the field with the biggest difference

 * between the minimum and maximum tuple lengths for all of

 * the rules in L and set that field to be the average of those two

 * values. We then transfer all compatible rules as before. This

 * guarantees that some rules from L will move and that T2 will

 * have a smaller number of collisions than T did.

 */


static void

ensure_ip6_min_addr (ip6_address_t * min_addr, ip6_address_t * mask_addr)

{

  int update =

    (clib_net_to_host_u64 (mask_addr->as_u64[0]) <

     clib_net_to_host_u64 (min_addr->as_u64[0]))

    ||

    ((clib_net_to_host_u64 (mask_addr->as_u64[0]) ==

      clib_net_to_host_u64 (min_addr->as_u64[0]))

     && (clib_net_to_host_u64 (mask_addr->as_u64[1]) <

         clib_net_to_host_u64 (min_addr->as_u64[1])));

  if (update)

    {

      min_addr->as_u64[0] = mask_addr->as_u64[0];

      min_addr->as_u64[1] = mask_addr->as_u64[1];

    }

}


static void

ensure_ip6_max_addr (ip6_address_t * max_addr, ip6_address_t * mask_addr)

{

  int update =

    (clib_net_to_host_u64 (mask_addr->as_u64[0]) >

     clib_net_to_host_u64 (max_addr->as_u64[0]))

    ||

    ((clib_net_to_host_u64 (mask_addr->as_u64[0]) ==

      clib_net_to_host_u64 (max_addr->as_u64[0]))

     && (clib_net_to_host_u64 (mask_addr->as_u64[1]) >

         clib_net_to_host_u64 (max_addr->as_u64[1])));

  if (update)

    {

      max_addr->as_u64[0] = mask_addr->as_u64[0];

      max_addr->as_u64[1] = mask_addr->as_u64[1];

    }

}


static void

ensure_ip4_min_addr (ip4_address_t * min_addr, ip4_address_t * mask_addr)

{

  int update =

    (clib_net_to_host_u32 (mask_addr->as_u32) <

     clib_net_to_host_u32 (min_addr->as_u32));

  if (update)

    min_addr->as_u32 = mask_addr->as_u32;

}


static void

ensure_ip4_max_addr (ip4_address_t * max_addr, ip4_address_t * mask_addr)

{

  int update =

    (clib_net_to_host_u32 (mask_addr->as_u32) >

     clib_net_to_host_u32 (max_addr->as_u32));

  if (update)

    max_addr->as_u32 = mask_addr->as_u32;

}


enum {

  DIM_SRC_ADDR = 0,

  DIM_DST_ADDR,

  DIM_SRC_PORT,

  DIM_DST_PORT,

  DIM_PROTO,

};


static void

split_partition(acl_main_t *am, u32 first_index,

                            u32 lc_index, int is_ip6){

        DBG( "TM-split_partition - first_entry:%d", first_index);

        applied_hash_ace_entry_t **applied_hash_aces = get_applied_hash_aces(am, lc_index);

        ace_mask_type_entry_t *mte;

        fa_5tuple_t the_min_tuple, *min_tuple = &the_min_tuple;

        fa_5tuple_t the_max_tuple, *max_tuple = &the_max_tuple;

        applied_hash_ace_entry_t *pae = vec_elt_at_index((*applied_hash_aces), first_index);

        hash_acl_info_t *ha = vec_elt_at_index(am->hash_acl_infos, pae->acl_index);

        hash_ace_info_t *ace_info;

        u32 coll_mask_type_index = pae->mask_type_index;

        clib_memset(&the_min_tuple, 0, sizeof(the_min_tuple));

        clib_memset(&the_max_tuple, 0, sizeof(the_max_tuple));


        int i=0;

        collision_match_rule_t *colliding_rules = pae->colliding_rules;

        u64 collisions = vec_len(pae->colliding_rules);

        for(i=0; i<collisions; i++){

                /* reload the hash acl info as it might be a different ACL# */

                pae = vec_elt_at_index((*applied_hash_aces), colliding_rules[i].applied_entry_index);

                ha = vec_elt_at_index(am->hash_acl_infos, pae->acl_index);


                DBG( "TM-collision: base_ace:%d (ace_mask:%d, first_collision_mask:%d)",

                                pae->ace_index, pae->mask_type_index, coll_mask_type_index);


                ace_info = vec_elt_at_index(ha->rules, pae->hash_ace_info_index);

                mte = vec_elt_at_index(am->ace_mask_type_pool, ace_info->base_mask_type_index);

                fa_5tuple_t *mask = &mte->mask;


                if(pae->mask_type_index != coll_mask_type_index) continue;

                /* Computing min_mask and max_mask for colliding rules */

                if(i==0){

                        clib_memcpy_fast(min_tuple, mask, sizeof(fa_5tuple_t));

                        clib_memcpy_fast(max_tuple, mask, sizeof(fa_5tuple_t));

                }else{

                        int j;

                        for(j=0; j<2; j++){

                                if (is_ip6)

                                  ensure_ip6_min_addr(&min_tuple->ip6_addr[j], &mask->ip6_addr[j]);

                                else

                                  ensure_ip4_min_addr(&min_tuple->ip4_addr[j], &mask->ip4_addr[j]);


                                if ((mask->l4.port[j] < min_tuple->l4.port[j]))

                                        min_tuple->l4.port[j] = mask->l4.port[j];

                        }


                        if ((mask->l4.proto < min_tuple->l4.proto))

                                min_tuple->l4.proto = mask->l4.proto;


                        if(mask->pkt.as_u64 < min_tuple->pkt.as_u64)

                                min_tuple->pkt.as_u64 = mask->pkt.as_u64;


                        for(j=0; j<2; j++){

                                if (is_ip6)

                                  ensure_ip6_max_addr(&max_tuple->ip6_addr[j], &mask->ip6_addr[j]);

                                else

                                  ensure_ip4_max_addr(&max_tuple->ip4_addr[j], &mask->ip4_addr[j]);


                                if ((mask->l4.port[j] > max_tuple->l4.port[j]))

                                        max_tuple->l4.port[j] = mask->l4.port[j];

                        }


                        if ((mask->l4.proto < max_tuple->l4.proto))

                                max_tuple->l4.proto = mask->l4.proto;


                        if(mask->pkt.as_u64 > max_tuple->pkt.as_u64)

                                max_tuple->pkt.as_u64 = mask->pkt.as_u64;

                }

        }


        /* Computing field with max difference between (min/max)_mask */

        int best_dim=-1, best_delta=0, delta=0;


        /* SRC_addr dimension */

        if (is_ip6) {

          int i;

          for(i=0; i<2; i++){

                delta += count_bits(max_tuple->ip6_addr[0].as_u64[i]) - count_bits(min_tuple->ip6_addr[0].as_u64[i]);

          }

        } else {

                delta += count_bits(max_tuple->ip4_addr[0].as_u32) - count_bits(min_tuple->ip4_addr[0].as_u32);

        }

        if(delta > best_delta){

                best_delta = delta;

                best_dim = DIM_SRC_ADDR;

        }


        /* DST_addr dimension */

        delta = 0;

        if (is_ip6) {

          int i;

          for(i=0; i<2; i++){

                delta += count_bits(max_tuple->ip6_addr[1].as_u64[i]) - count_bits(min_tuple->ip6_addr[1].as_u64[i]);

          }

        } else {

                delta += count_bits(max_tuple->ip4_addr[1].as_u32) - count_bits(min_tuple->ip4_addr[1].as_u32);

        }

        if(delta > best_delta){

                best_delta = delta;

                best_dim = DIM_DST_ADDR;

        }


        /* SRC_port dimension */

        delta = count_bits(max_tuple->l4.port[0]) - count_bits(min_tuple->l4.port[0]);

        if(delta > best_delta){

                best_delta = delta;

                best_dim = DIM_SRC_PORT;

        }


        /* DST_port dimension */

        delta = count_bits(max_tuple->l4.port[1]) - count_bits(min_tuple->l4.port[1]);

        if(delta > best_delta){

                best_delta = delta;

                best_dim = DIM_DST_PORT;

        }


        /* Proto dimension */

        delta = count_bits(max_tuple->l4.proto) - count_bits(min_tuple->l4.proto);

        if(delta > best_delta){

                best_delta = delta;

                best_dim = DIM_PROTO;

        }


        int shifting = 0; //, ipv4_block = 0;

        switch(best_dim){

                case DIM_SRC_ADDR:

                        shifting = (best_delta)/2; // FIXME IPV4-only

                        // ipv4_block = count_bits(max_tuple->ip4_addr[0].as_u32);

                        min_tuple->ip4_addr[0].as_u32 =

                                        clib_host_to_net_u32((clib_net_to_host_u32(max_tuple->ip4_addr[0].as_u32) << (shifting))&0xFFFFFFFF);


                        break;

                case DIM_DST_ADDR:

                        shifting = (best_delta)/2;

/*

                        ipv4_block = count_bits(max_tuple->addr[1].as_u64[1]);

                        if(ipv4_block > shifting)

                                min_tuple->addr[1].as_u64[1] =

                                        clib_host_to_net_u64((clib_net_to_host_u64(max_tuple->addr[1].as_u64[1]) << (shifting))&0xFFFFFFFF);

                        else{

                                shifting = shifting - ipv4_block;

                                min_tuple->addr[1].as_u64[1] = 0;

                                min_tuple->addr[1].as_u64[0] =

                                        clib_host_to_net_u64((clib_net_to_host_u64(max_tuple->addr[1].as_u64[0]) << (shifting))&0xFFFFFFFF);

                        }

*/

                        min_tuple->ip4_addr[1].as_u32 =

                                        clib_host_to_net_u32((clib_net_to_host_u32(max_tuple->ip4_addr[1].as_u32) << (shifting))&0xFFFFFFFF);


                        break;

                case DIM_SRC_PORT: min_tuple->l4.port[0] = max_tuple->l4.port[0]  << (best_delta)/2;

                        break;

                case DIM_DST_PORT: min_tuple->l4.port[1] = max_tuple->l4.port[1] << (best_delta)/2;

                        break;

                case DIM_PROTO: min_tuple->l4.proto = max_tuple->l4.proto << (best_delta)/2;

                        break;

                default: relax_tuple(min_tuple, is_ip6, 1);

                        break;

        }


        min_tuple->pkt.is_nonfirst_fragment = 0;

        u32 new_mask_type_index = assign_mask_type_index(am, min_tuple);


        hash_applied_mask_info_t **hash_applied_mask_info_vec = vec_elt_at_index(am->hash_applied_mask_info_vec_by_lc_index, lc_index);


        hash_applied_mask_info_t *minfo;

        //search in order pool if mask_type_index is already there

        int search;

        for (search=0; search < vec_len((*hash_applied_mask_info_vec)); search++){

                minfo = vec_elt_at_index((*hash_applied_mask_info_vec), search);

                if(minfo->mask_type_index == new_mask_type_index)

                        break;

        }


        vec_validate((*hash_applied_mask_info_vec), search);

        minfo = vec_elt_at_index((*hash_applied_mask_info_vec), search);

        minfo->mask_type_index = new_mask_type_index;

        minfo->num_entries = 0;

        minfo->max_collisions = 0;

        minfo->first_rule_index = ~0;


        DBG( "TM-split_partition - mask type index-assigned!! -> %d", new_mask_type_index);


        if(coll_mask_type_index == new_mask_type_index){

                //vlib_cli_output(vm, "TM-There are collisions over threshold, but i'm not able to split! %d %d", coll_mask_type_index, new_mask_type_index);

                return;

        }


        /* populate new partition */

        DBG( "TM-Populate new partition");

        u32 r_ace_index = first_index;

        int repopulate_count = 0;


        collision_match_rule_t *temp_colliding_rules = vec_dup(colliding_rules);

        collisions = vec_len(temp_colliding_rules);


        for(i=0; i<collisions; i++){


                r_ace_index = temp_colliding_rules[i].applied_entry_index;


                applied_hash_ace_entry_t *pop_pae = vec_elt_at_index((*applied_hash_aces), r_ace_index);

                ha = vec_elt_at_index(am->hash_acl_infos, pop_pae->acl_index);

                DBG( "TM-Population-collision: base_ace:%d (ace_mask:%d, first_collision_mask:%d)",

                                pop_pae->ace_index, pop_pae->mask_type_index, coll_mask_type_index);


                ASSERT(pop_pae->mask_type_index == coll_mask_type_index);


                ace_info = vec_elt_at_index(ha->rules, pop_pae->hash_ace_info_index);

                mte = vec_elt_at_index(am->ace_mask_type_pool, ace_info->base_mask_type_index);

                //can insert rule?

                //mte = vec_elt_at_index(am->ace_mask_type_pool, pop_pae->mask_type_index);

                fa_5tuple_t *pop_mask = &mte->mask;


                if(!first_mask_contains_second_mask(is_ip6, min_tuple, pop_mask)) continue;

                DBG( "TM-new partition can insert -> applied_ace:%d", r_ace_index);


                //delete and insert in new format

                deactivate_applied_ace_hash_entry(am, lc_index, applied_hash_aces, r_ace_index);


                /* insert the new entry */

                pop_pae->mask_type_index = new_mask_type_index;

                /* The very first repopulation gets the lock by virtue of a new mask being created above */

                if (++repopulate_count > 1)

                  lock_mask_type_index(am, new_mask_type_index);


                activate_applied_ace_hash_entry(am, lc_index, applied_hash_aces, r_ace_index);


        }

        vec_free(temp_colliding_rules);


        DBG( "TM-Populate new partition-END");

        DBG( "TM-split_partition - END");


}