Search process of the HiPAC high-performance rule matching algorithm

Source: Internet
Author: User

After I received an email, a friend thought I had misunderstood nf-HiPAC: how could such a high-performance algorithm be outdone by traditional hash and tree algorithms? Yes, HiPAC is a very powerful algorithm, and there are few documents about it. This adds to the mystery of HiPAC, but it does not mean that it is incomprehensible. On the contrary, it rests on a very simple idea.
In essence, HiPAC is a priority-based interval matching algorithm. How does it work? When we define a matching domain as a continuous interval, each Rule defines a subinterval of that interval. If multiple rules cover the same subinterval, priority comes into play. This is useful in a firewall's access control list: when there are multiple Rule entries, the first Rule has the highest priority. It is easier to show this with a picture:




Five rules are defined. Rule1 has the highest priority and Rule5 the lowest, so priority decreases gradually from bottom to top. As shown in the figure, the rules matching each interval are as follows:
Range 1: Match Rule5;
Range 2: Match Rule3 and Rule5;
Range 3: Match Rule2, Rule3, and Rule5;
Range 4: Match Rule2, Rule3, Rule4, and Rule5;
Range 5: Match Rule1, Rule2, Rule3, Rule4, and Rule5;
Range 6: Match Rule1, Rule3, Rule4, and Rule5;
Range 7: Match Rule1, Rule4, and Rule5;
Range 8: Match Rule1 and Rule4;
Range 9: Match Rule4;
Range 10: no Rule matches!
If a match falls in range 5, which Rule does it match? In range 5, run a line from bottom to top. The first line it meets is Rule1; because Rule1 has the highest priority, Rule1 is matched. If a match falls into range 2, the line from bottom to top first runs through Rule3, so it matches Rule3. If a match falls into range 1, it matches Rule5, because the line only runs through Rule5. If it falls into range 10, sorry, the line passes through none of the rules, so no rule is matched!
That is basically all there is to it. You may then ask: what if a rule has multiple matches? As an example I will of course use iptables, which we are most familiar with (porting HiPAC to iptables may take several weekends):
iptables -A FORWARD -s $ip1 -d $ip2 -p udp -j DROP
This rule has three explicit matches: ip1, ip2, and udp. So do we need three figures like the one above? Yes! This is the so-called multi-dimensional HiPAC matching. It is just a term; I don't like elaborate definitions. Since the first figure has already excluded several Rule entries in some intervals, many Rule entries do not need to be drawn in the subsequent figures.
In order to show the search process, I drew a relatively simple figure with a total of three matches. The specific matching process is in the figure and I will not elaborate on it in words:



The HiPAC algorithm focuses on priority matching. If matching needs to continue, we say that a dimension is extended, and the search continues down the tree. If matching does not need to continue, a line is run through the current interval from the bottom up, and the first Rule it touches is the matching Rule. Many Rules are drawn as dotted lines because they have already been excluded at a previous level or dimension, so the dotted lines should be ignored when running the line.
If you understand this process, you will find that it is extremely efficient and needs no backtracking. It does not rely on complicated hash algorithms, does not depend on the degree of hash dispersion, and has nothing to do with the input data: the number of matches is the number of layers. How to maintain the structure is an implementation problem. In essence, this is a tree-like data structure, and its cleverness lies in its structure.
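The single-dimension interval lookup and its multi-dimensional extension described above can be sketched as follows. This is an added illustration, not nf-HiPAC's code or the author's; the rule set, the integer field ranges and the function names are constructed assumptions, and the sketch covers only building and searching a static tree, not HiPAC's insertion and deletion.

```python
from bisect import bisect_right

# Constructed rule set (not from the page). List order is priority: first wins.
# Each rule is (name, [(lo, hi) per dimension]) with inclusive integer ranges;
# the dimensions stand for source address, destination address and protocol.
RULES = [
    ("Rule1", [(50, 80), (0, 255), (17, 17)]),
    ("Rule2", [(30, 60), (100, 200), (0, 255)]),
    ("Rule3", [(20, 70), (0, 255), (6, 6)]),
    ("Rule4", [(0, 255), (150, 255), (0, 255)]),
]

def build(rules, dim=0):
    """Build one tree level for dimension `dim` from priority-ordered rules."""
    ndims = len(rules[0][1])
    # Every lo and hi+1 starts a new elementary interval; 0 anchors the first.
    points = sorted({0} | {p for _, r in rules for p in (r[dim][0], r[dim][1] + 1)})
    children = []
    for start in points:
        # Rules covering this interval, still in priority order.
        covering = [r for r in rules if r[1][dim][0] <= start <= r[1][dim][1]]
        if not covering:
            children.append(None)                      # no rule matches here
        elif dim + 1 == ndims:
            children.append(covering[0][0])            # highest priority wins
        else:
            children.append(build(covering, dim + 1))  # extend one dimension
    return points, children

def lookup(tree, packet):
    """One binary search per dimension, no backtracking."""
    node = tree
    for value in packet:
        if node is None:
            return None
        points, children = node
        node = children[bisect_right(points, value) - 1]
    return node

def linear_first_match(rules, packet):
    """Reference: the ordered first-match scan the tree must agree with."""
    for name, ranges in rules:
        if all(lo <= v <= hi for v, (lo, hi) in zip(packet, ranges)):
            return name
    return None

TREE = build(RULES)
```

Rules excluded at one level are never passed to the next, which corresponds to the dotted lines in the author's figure; packet field values are assumed to be non-negative integers.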
This article only provides an overview. There are complex mathematical principles behind insertion, deletion, and search in HiPAC. For an engineer, understanding these mathematical principles is necessary; although there are not many HOWTO articles on HiPAC, there are still a lot of related papers.
In order to reply to an email, I wrote another article. My wife and mother-in-law were watching the finale of "Red Sorghum" while I was playing with the iPad, and I drew the complicated figure on the table; this is the benefit of not drinking alcohol. Otherwise, I guess the cloud game will be in my dream again .... I have been busy all day. I still respond to requests from forums and distant friends, so I should learn. However, I still hope that I don't have any technical problems when I get home at night. At first, forcing myself to stop drinking at night was not for network technology or code writing; instead, I wanted to recharge myself, enrich myself, read history, and cleanse my soul. For example, I can also learn cooking, decorating design, and so on.