
acl core (DON'T REVIEW ME YET)#1471

Draft
daniel-noland wants to merge 3 commits into main from pr/daniel-noland/acl-core

Conversation

@daniel-noland
Collaborator

🚧 DON'T REVIEW ME YET I'M IN MAJOR FLUX 🚧

daniel-noland and others added 3 commits April 15, 2026 16:44
Add the dataplane-acl crate providing a type-safe ACL rule builder,
compiled classifier, and match-action classification engine.

Core types:
- AclRuleBuilder<T, M> with typestate enforcement of protocol layer
  ordering via Within<T>/Install<T>/Blank traits
- FieldMatch<T> {Ignore, Select} with matches(predicate) combinator
  and as_option() for Option interop
- ActionSequence (Vec<Step> + Fate) with metadata accessors
  (mark, meta, tag, flag)
- Classifier<M> with unified Linear/Cascade dispatch
- ClassifyOutcome: Matched(&ActionSequence) | Default(Fate)
- Metadata trait with associated Values type

Match types:
- ExactMatch<T>, MaskedMatch<T> with private fields (immutability
  for hash table safety) and const fn accessors
- Uses lpm crate's Ipv4Prefix/Ipv6Prefix (no duplication)
- Uses std::ops::RangeInclusive for port ranges (80..=443 syntax)

Compiler passes:
- FieldSignature bitset and rule grouping by signature
- Pairwise overlap analysis using lpm's IpPrefixColliding
- Cascade compiler with BackendCapabilities and trap rule insertion
- Category-based rule organization
- Two-phase update planning (Reitblatt delta+base cascade)

Testing:
- 63 unit tests across all modules
- 3 bolero property tests (deterministic classification, update
  consistency, large table)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Add dpdk/src/acl/ providing safe Rust wrappers around the DPDK ACL
library:

- AclContext<N, State> -- typestate context (Configuring -> Built)
- Rule<N> -- #[repr(C)] rule with compile-time field count
- AclClassifierBuilder / AclClassifier -- runtime-sized alternative
  that avoids const-generic N at the API boundary
- AclField, FieldDef, AclBuildConfig, ClassifyAlgorithm
- Comprehensive error types

Also enables the DPDK ACL library in the nix build and adds
rte_acl.h to the dpdk-wrapper header for bindgen.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

User-facing API:
  let classifier = DpdkAclClassifier::compile(&table)?;
  let outcome = classifier.classify(&headers);

Internals:
- Field mapping from ACL signatures to DPDK FieldDef arrays
- Rule translation with 2-byte field promotion (lone 2B fields
  promoted to 4B for DPDK's 4-byte trie traversal)
- Category-aware compilation merging signature groups into a
  single DPDK context via RTE_ACL categories
- Compact input buffer assembly from parsed headers
- Cross-category priority resolution

Tests (41 total):
- 3 bolero fuzz tests
- 11 boundary tests (priority limits, scale, edge cases)
- 5 signature grouping E2E tests
- 6 property tests against linear classifier
- 3 facade tests with ClassifyOutcome output
- 10 unit tests + 3 integration tests

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
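An added illustration of the design the commit messages above describe (FieldMatch {Ignore, Select} with a matches(predicate) combinator, priority-ordered linear dispatch, and a Matched/Default ClassifyOutcome); this is not the dataplane-acl crate's code, and the Rule and Headers shapes, the (network, prefix length) tuple standing in for lpm's Ipv4Prefix, and the Fate variants are assumptions:

```rust
use std::net::Ipv4Addr;
use std::ops::RangeInclusive;

/// Illustrative sketch, not the dataplane-acl crate: a field is either
/// ignored (wildcard) or selected by a value.
pub enum FieldMatch<T> { Ignore, Select(T) }

impl<T> FieldMatch<T> {
    /// Ignore always matches; Select matches only if the predicate holds.
    pub fn matches(&self, pred: impl FnOnce(&T) -> bool) -> bool {
        match self { FieldMatch::Ignore => true, FieldMatch::Select(v) => pred(v) }
    }
}

#[derive(Clone, Copy, PartialEq, Debug)]
pub enum Fate { Permit, Deny }

/// Assumed parsed-header shape (constructed for this example).
pub struct Headers { pub src: Ipv4Addr, pub dst_port: u16 }

/// One rule: a source prefix as (network, length) standing in for
/// lpm's Ipv4Prefix, plus a destination port range and a final fate.
pub struct Rule {
    pub priority: u32,
    pub src: FieldMatch<(Ipv4Addr, u8)>,
    pub dst_port: FieldMatch<RangeInclusive<u16>>,
    pub fate: Fate,
}

fn in_prefix(addr: Ipv4Addr, net: Ipv4Addr, len: u8) -> bool {
    // len == 0 is the wildcard prefix; avoid the overflowing 32-bit shift.
    let mask = if len == 0 { 0 } else { u32::MAX << (32 - len) };
    (u32::from(addr) & mask) == (u32::from(net) & mask)
}

pub enum ClassifyOutcome<'a> { Matched(&'a Rule), Default(Fate) }

pub struct Classifier { rules: Vec<Rule>, default: Fate }

impl Classifier {
    /// Linear dispatch: sort by descending priority once at build time,
    /// so the first hit in scan order is the highest-priority match.
    pub fn new(mut rules: Vec<Rule>, default: Fate) -> Self {
        rules.sort_by(|a, b| b.priority.cmp(&a.priority));
        Classifier { rules, default }
    }
    pub fn classify(&self, h: &Headers) -> ClassifyOutcome<'_> {
        let hit = self.rules.iter().find(|r| {
            r.src.matches(|&(net, len)| in_prefix(h.src, net, len))
                && r.dst_port.matches(|range| range.contains(&h.dst_port))
        });
        hit.map_or(ClassifyOutcome::Default(self.default), ClassifyOutcome::Matched)
    }
}
```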
@daniel-noland daniel-noland added the dont-merge Do not merge this Pull Request label Apr 15, 2026
@daniel-noland daniel-noland self-assigned this Apr 15, 2026