Rare project developers

[mc36 <>]

hi,
yesterday i had a nice chat with a guy and he asked the right questions and 
then he allowed to use him as rubber-duck-debugger,
so i got the idea, what if we introduce a new ace mode called 'punt' (while 
keeping the existing deny/permit)...
then we'll have reflexive acls, but this punt functionality, later could be 
used (if programmed automatically) to do inspection...
then, we can delay the programming of the inspect rules until we saw the 
tlc.sni to do domain based filtering, if needed...
here is the proof-of-concept on dpdk, plus the export capability to 
freerouter:
https://github.com/mc36/freeRouter/commit/8399d4e0c629b792f7e27f07945786ee6a4b90d5
and the fixes needed to pass the testcase for racl:
https://github.com/mc36/freeRouter/commit/71131ac28dff19289d8edbaebe3085e62175a2db
it's racl so it'll go to tcam (and linearly searched in dpdk) but the concept 
seems to work,
and the inspect sessions will be all-exact matches, that is, they'll consume 
sram (and binary search in dpdk) like the nat rules...
next steps will be the bmv2 and tofino codebase to have the 'punt' 
functionality, then i'll proceed with the inspection....
until that, try to imagine the wedge as a stateful firewall... :))
regards,
cs