(11) feat(acl): crate scaffolding + software reference backend#1575
Open
daniel-noland wants to merge 1 commit into
Open
(11) feat(acl): crate scaffolding + software reference backend#1575daniel-noland wants to merge 1 commit into
daniel-noland wants to merge 1 commit into
Conversation
Introduces the dataplane-acl crate with the software reference classifier. The DPDK rte_acl backend lands behind a feature gate in a follow-up PR. The reference backend is a linear-scan software classifier built on the canonical FieldPredicate form from match-action (rule.into_backend_fields::<Erased>()), so it speaks the same four predicate kinds (Prefix / Mask / Range / Exact) as every other backend. Two roles: 1. Differential-testing oracle against rte_acl (a future PR's differential property tests pit both backends against the same random rule + packet draws). 2. Non-lossy substrate for a small-delta cascade front over a slow tail backend. Layout: - src/lib.rs declares the crate-level docs and re-exports the reference module. The dpdk feature gate and dpdk_table_alias! macro land alongside the rte_acl backend itself in the next PR. - src/reference/table.rs is the typed surface: ReferenceTable<K, A> parameterised by a MatchKey and an action; RefRule wraps the lowered Erased predicates plus an action. Inline unit tests cover positional precedence (first match wins) and the four predicate kinds. - src/reference/dyn_table.rs is the runtime-shape twin: DynReferenceTable carries its FieldSpec layout at runtime so property tests can fuzz the schema itself. Returns DynShapeError on shape mismatch. just fmt; cargo check --workspace --all-targets passes.
This was referenced May 31, 2026
daniel-noland
changed the title
Contributor
There was a problem hiding this comment.
Pull request overview
Adds a new dataplane-acl workspace crate that defines the ACL public API surface and implements a pure-software “reference/oracle” backend (typed and dynamic) behind the lookup::Lookup interface.
Changes:
- Add
aclas a workspace member and workspace dependency, plus package metadata for miri/wasm selection. - Introduce
dataplane-aclcrate scaffolding with strict linting and areferencemodule. - Implement
ReferenceTable(typedMatchKey) andDynReferenceTable(runtimeFieldSpec) linear-scan classifiers with unit tests.
Reviewed changes
Copilot reviewed 6 out of 7 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
Cargo.toml |
Adds acl to workspace + workspace deps; introduces miri/wasm metadata entry. |
Cargo.lock |
Locks the new dataplane-acl crate and its dependencies. |
acl/Cargo.toml |
Defines the new dataplane-acl package and dependencies. |
acl/src/lib.rs |
Crate-level lint policy and top-level documentation; exports reference module. |
acl/src/reference/mod.rs |
Wires up reference backend modules + re-exports. |
acl/src/reference/table.rs |
Implements typed ReferenceTable/RefRule and Lookup<K, A> integration. |
acl/src/reference/dyn_table.rs |
Implements runtime-shaped DynReferenceTable with validation and byte-slice lookup. |
Comment on lines
+29
to
+35
| pub(crate) fn matches_packed(&self, specs: &[FieldSpec], buf: &[u8]) -> bool { | ||
| debug_assert_eq!(self.fields.len(), specs.len()); | ||
| self.fields | ||
| .iter() | ||
| .zip(specs) | ||
| .all(|(pred, spec)| pred.matches(&buf[spec.offset..spec.offset + spec.size])) | ||
| } |
Comment on lines
+66
to
+73
| fn pack(key: &K) -> Option<[u8; MAX_KEY_BYTES]> { | ||
| if K::KEY_SIZE > MAX_KEY_BYTES { | ||
| return None; | ||
| } | ||
| let mut buf = [0u8; MAX_KEY_BYTES]; | ||
| key.as_key_into(&mut buf[..K::KEY_SIZE]); | ||
| Some(buf) | ||
| } |
Comment on lines
+88
to
+103
| #[must_use] | ||
| pub fn lookup_bytes(&self, key: &[u8]) -> Option<&A> { | ||
| assert_eq!(key.len(), self.key_size, "key length must equal key_size"); | ||
| self.rules | ||
| .iter() | ||
| .find(|rule| rule.matches_packed(&self.specs, key)) | ||
| .map(RefRule::action) | ||
| } | ||
| #[must_use] | ||
| pub fn matches_bytes(&self, key: &[u8]) -> Vec<&RefRule<A>> { | ||
| assert_eq!(key.len(), self.key_size, "key length must equal key_size"); | ||
| self.rules | ||
| .iter() | ||
| .filter(|rule| rule.matches_packed(&self.specs, key)) | ||
| .collect() | ||
| } |
Comment on lines
+265
to
+272
| [workspace.metadata.package.acl] | ||
| package = "dataplane-acl" | ||
| # Default features enable the DPDK `rte_acl` backend, which pulls in | ||
| # `dpdk-sys` (bindgen against the system DPDK headers). miri can't | ||
| # build that path on the cross target, and the reference backend's | ||
| # unit tests run fine outside the miri profile. | ||
| miri = false # hopeless + pointless | ||
| wasm = false # hopeless + pointless |
Comment on lines
+17
to
+18
| //! - [`reference`](mod@reference): linear-scan software classifier; | ||
| //! differential oracle and a mutable cascade front. Always built. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Stack (11). Base:
pr/daniel-noland/match-action.The ACL crate scaffolding and the software reference backend -- the readable
oracle that defines ACL semantics and the public API surface.
feat(acl): crate scaffolding + software reference backend.The DPDK backend (proven equivalent to this oracle via a differential test)
lands in the next PR.
Review stack (merge bottom -> top):