The lookup process of the HIPAC high-performance rule matching algorithm


I received an e-mail from a friend who thought I had misunderstood nf-hipac: how could such a high-performance algorithm be something like a traditional hash or tree? Oh, yes, HIPAC is a very fierce algorithm. There is little documentation, which adds to its sense of wonder, but that does not mean it is incomprehensible. On the contrary, it is very easy to think of.


The HIPAC algorithm is essentially a priority-based interval matching algorithm. How should you understand that? We define the match field as a continuous interval, and each rule defines a sub-interval of it. When multiple rules cover the same sub-range, the question of priority arises. This is very useful for firewall access control lists, where, when several rules apply, the rule that is defined first has the highest precedence. A picture shows this best:




In the figure there are 5 rule definitions, of which Rule1 has the highest priority and Rule5 the lowest. On the graph, priority decreases from bottom to top. As you can see, the intervals match as follows:
Interval 1: matches Rule5;
Interval 2: matches Rule3, Rule5;
Interval 3: matches Rule2, Rule3, Rule5;
Interval 4: matches Rule2, Rule3, Rule4, Rule5;
Interval 5: matches Rule1, Rule2, Rule3, Rule4, Rule5;
Interval 6: matches Rule1, Rule3, Rule4, Rule5;
Interval 7: matches Rule1, Rule4, Rule5;
Interval 8: matches Rule1, Rule4;
Interval 9: matches Rule4;
Interval 10: matches no rule!
Suppose the value being matched falls in interval 5. Which rule does it match? Draw a line through interval 5 from bottom to top: the first rule it crosses is Rule1, which has the highest priority, so it matches Rule1. Suppose the value falls in interval 2: the first rule crossed is Rule3, so it matches Rule3. Suppose it falls in interval 1: the line crosses only Rule5, so it matches Rule5. If it falls in interval 10, sorry, no rule is crossed, which means no rule is matched.
That is basically it. You may then ask: what if there is more than one match? Take the following rule as an example. I use iptables, the example we are most familiar with, although porting HIPAC to iptables would still take me a few weekends:
iptables -A FORWARD -s $ip1 -d $ip2 -p udp -j DROP
This rule has 3 matches in total: ip1, ip2 and udp. So do I need 3 of the figures above? Yes. This is the so-called multidimensional HIPAC match; it is just a term, and I do not like to expand on the definition.

Since the first figure has already ruled out some of the rules in some intervals, many of the rules do not have to be drawn in the later figures.


To demonstrate the lookup process, I drew a relatively simple figure with 3 matches in total. The detailed matching process is in the diagram, so I will not elaborate on it in text:



The key point of the HIPAC algorithm is priority matching. If further matches still have to be checked, we call that a dimension extension, and the lookup continues down the tree. If no further match has to be checked, draw a line through the current interval from the bottom up; the first rule it touches is the matching rule.

Many rules are drawn as dashed lines because they were excluded at a previous level or dimension, so dashed lines should be ignored when drawing the line through.
Once you understand the process, you will find that it is super efficient: no backtracking, no reliance on complex hash algorithms or on how well the hash distributes, and it is independent of the input data. There are as many layers as there are matches. How to maintain the structure is an implementation problem. This is essentially a tree-type data structure; the clever point is in how it is constructed.
This article only gives an overview. Behind the insertion, deletion and lookup of the HIPAC algorithm there are very complex mathematical principles, and as an engineer it is necessary to understand this mathematics. Although there are not many how-tos about HIPAC, there are still a lot of related papers.
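The lookup described above, as an added Python sketch (not part of the original article and not nf-hipac's code): each tree level splits one match field into elementary intervals and keeps only the rules covering each interval, and the last level stores the highest-priority survivor. The interval coordinates and the 3-field rules are constructed for illustration.

```python
from bisect import bisect_right

def build(rules, ids=None, dim=0):
    """Build the lookup tree. rules[i] is a tuple of inclusive (lo, hi) ranges,
    one per match dimension; a rule listed earlier has higher priority."""
    if ids is None:
        ids = list(range(len(rules)))
    # Boundaries of the elementary intervals formed by the surviving rules.
    cuts = sorted({b for i in ids
                   for b in (rules[i][dim][0], rules[i][dim][1] + 1)})
    last = dim == len(rules[0]) - 1
    children = []
    for start in cuts:
        # Rules covering this interval; the rest are the "dashed" ones.
        alive = [i for i in ids if rules[i][dim][0] <= start <= rules[i][dim][1]]
        if not alive:
            children.append(None)            # no rule covers this interval
        elif last:
            children.append(min(alive) + 1)  # highest priority wins (1-based)
        else:
            children.append(build(rules, alive, dim + 1))  # dimension extension
    return cuts, children

def lookup(node, packet):
    """One binary search per dimension, no backtracking.
    Returns the 1-based rule number, or None when nothing matches."""
    for value in packet:
        if node is None:
            return None
        cuts, children = node
        k = bisect_right(cuts, value) - 1
        if k < 0:
            return None
        node = children[k]
    return node

# Constructed coordinates that reproduce the 10-interval list above (Rule1 first).
RULES_1D = [((5, 8),), ((3, 5),), ((2, 6),), ((4, 9),), ((1, 7),)]
# Constructed 3-field rules (src, dst, protocol number), highest priority first.
RULES_3D = [((10, 20), (0, 255), (17, 17)),
            ((0, 255), (100, 110), (0, 255)),
            ((15, 30), (100, 200), (6, 6))]

if __name__ == "__main__":
    tree = build(RULES_1D)
    print([lookup(tree, (x,)) for x in range(1, 11)])
    print(lookup(build(RULES_3D), (15, 105, 17)))
```

This sketch precomputes every level eagerly and does not attempt the insertion and deletion maintenance that the article leaves to the implementation.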
In order to reply to an e-mail, I wrote an article. My wife and mother were watching the "Red Sorghum" finale and the little one was playing with the iPad, while I drew that complex picture at the table, which is the advantage of not drinking; otherwise I expect I would be wandering in my dreams again .... Day busy day, for the forum and friends from afar, I still Bing, it is learning.

Still, I hope to get home at night no matter what technical problems. At first I forced myself not to drink at night, not in order to engage in network technology or to write code, but to recharge myself, enrich myself, read history and cleanse the heart. For example, one can learn cooking, decorating design and so on.

