classify: add pcap/trace classfier mgmt API calls

Add lookup/get/set API calls to manage both PCAP and Trace
filtering Classifier tables.

The "lookup" call may be used to identify a Classifier table
within a chain of tables taht matches a particular mask vector.
For efficiency, this call should be used to determine to which
table a match vector should be added.

The "get" calls return the first table within a chain (either
a PCAP or the Trace) set of tables.  The "set" call may be
used to add a new table to one such chain.  If the "sort_masks"
flag is set, the tables within the chain are ordered such that
the most-specific mask is first, and the least-specific mask
is last.  A call that "sets" a chain to ~0 will delete and free
all the tables with a chain.

The PCAP filters are per-interface, with "local0", (that is,
sw_if_index == 0) holding the system-wide PCAP filter.

The Classifier used a reference-counted "set" for each PCAP
or trace filter that it stored.  The ref counts were not used,
and the vector of tables was only used temporarily to establish
a sorted order for tables based on masks.  None of that
complexity was actually warranted, and where it was used,
the same could be achieved more simply.

Type: refactor

Signed-off-by: Jon Loeliger <jdl@netgate.com>
Change-Id: Icc56116cca91b91c631ca0628e814fb53f3677d2
diff --git a/src/vnet/classify/classify.api b/src/vnet/classify/classify.api
index 38c7343..c569fe6 100644
--- a/src/vnet/classify/classify.api
+++ b/src/vnet/classify/classify.api
@@ -13,7 +13,7 @@
  * limitations under the License.
  */
 
-option version = "3.0.0";
+option version = "3.1.0";
 
 import "vnet/interface_types.api";
 
@@ -442,6 +442,175 @@
   bool is_add;
 };
 
+
+
+/** \brief Find a compatible Classify table in a PCAP chain
+    @param client_index - opaque cookie to identify the sender
+    @param context - sender context, to match reply w/ request
+    @param sw_if_index - interface whose chain will be searched, 0==system-wide
+    @param skip_n_vectors - number of u32x4 skip vectors
+    @param match_n_vectors - number of u32x4 vectors, 1..5
+    @param mask_len - length of mask, match_n_vectors * sizeof(u32x4)
+    @param mask - match mask
+*/
+define classify_pcap_lookup_table
+{
+  u32 client_index;
+  u32 context;
+  vl_api_interface_index_t sw_if_index [default=0xffffffff];
+  u32 skip_n_vectors [default=0];
+  u32 match_n_vectors [default=1];
+  u32 mask_len;
+  u8 mask[mask_len];
+};
+
+/** \brief Classify pcap table lookup response
+    @param context - sender context, to match reply w/ request
+    @param retval - return code for the table lookup request
+    @param table_index - returned index of the found table, or ~0
+ */
+define classify_pcap_lookup_table_reply
+{
+  u32 context;
+  i32 retval;
+  u32 table_index;
+};
+
+/** \brief Add a Classify table into a PCAP chain on an interface
+    @param client_index - opaque cookie to identify the sender
+    @param context - sender context, to match reply w/ request
+    @param sw_if_index - interface whose chain will be searched, 0==system-wide
+    @param table_index - Classify table to be added
+    @param sort_masks - 1=sort masks into most-to-least specific order
+ */
+define classify_pcap_set_table
+{
+  u32 client_index;
+  u32 context;
+  vl_api_interface_index_t sw_if_index;
+  u32 table_index [default=0xffffffff];
+  bool sort_masks [default=0];
+};
+
+/** \brief Classify pcap table lookup response
+    @param context - sender context which was passed in the request
+    @param retval - return code for the table lookup request
+    @param table_index - returned index of the sorted table chain
+ */
+define classify_pcap_set_table_reply
+{
+  u32 context;
+  i32 retval;
+  u32 table_index;
+};
+
+/** \brief Classify get the PCAP table indices for an interface
+    @param client_index - opaque cookie to identify the sender
+    @param context - sender context, to match reply w/ request
+ */
+define classify_pcap_get_tables
+{
+  u32 client_index;
+  u32 context;
+  vl_api_interface_index_t sw_if_index;
+};
+
+/** \brief Classify get a PCAP tables response
+    @param context - sender context which was passed in the request
+    @param retval - return code for the request
+    @param count - number of ids returned in response
+    @param indices - array of classify table indices
+ */
+define classify_pcap_get_tables_reply
+{
+  u32 context;
+  i32 retval;
+  u32 count;
+  u32 indices[count];
+};
+
+
+
+/** \brief Find a mask-compatible Classify table in the Trace chain
+    @param client_index - opaque cookie to identify the sender
+    @param context - sender context, to match reply w/ request
+    @param skip_n_vectors - number of u32x4 skip vectors
+    @param match_n_vectors - number of u32x4 vectors, 1..5
+    @param mask_len - length of mask, match_n_vectors * sizeof(u32x4)
+    @param mask - match mask
+*/
+define classify_trace_lookup_table
+{
+  u32 client_index;
+  u32 context;
+  u32 skip_n_vectors [default=0];
+  u32 match_n_vectors [default=1];
+  u32 mask_len;
+  u8 mask[mask_len];
+};
+
+/** \brief Classify trace table lookup response
+    @param context - sender context which was passed in the request
+    @param retval - return code for the table lookup request
+    @param table_index - returned index of the found table, or ~0
+ */
+define classify_trace_lookup_table_reply
+{
+  u32 context;
+  i32 retval;
+  u32 table_index;
+};
+
+/** \brief Add a Classify table into the Trace chain
+    @param client_index - opaque cookie to identify the sender
+    @param context - sender context, to match reply w/ request
+    @param table_index - Classify table to be added
+    @param sort_masks - 1=sort masks into most-to-least specific order
+ */
+define classify_trace_set_table
+{
+  u32 client_index;
+  u32 context;
+  u32 table_index [default=0xffffffff];
+  bool sort_masks [default=0];
+};
+
+/** \brief Classify Trace table lookup response
+    @param context - sender context which was passed in the request
+    @param retval - return code for the table lookup request
+    @param table_index - returned index of the sorted table chain
+ */
+define classify_trace_set_table_reply
+{
+  u32 context;
+  i32 retval;
+  u32 table_index;
+};
+
+/** \brief Classify get the Trace table indices
+    @param client_index - opaque cookie to identify the sender
+    @param context - sender context, to match reply w/ request
+ */
+define classify_trace_get_tables
+{
+  u32 client_index;
+  u32 context;
+};
+
+/** \brief Classify get the Trace tables response
+    @param context - sender context which was passed in the request
+    @param retval - return code for the request
+    @param count - number of ids returned in response
+    @param indices - array of classify table indices
+ */
+define classify_trace_get_tables_reply
+{
+  u32 context;
+  i32 retval;
+  u32 count;
+  u32 indices[count];
+};
+
 /*
  * Local Variables:
  * eval: (c-set-style "gnu")
diff --git a/src/vnet/classify/classify_api.c b/src/vnet/classify/classify_api.c
index f489928..4b182ca 100644
--- a/src/vnet/classify/classify_api.c
+++ b/src/vnet/classify/classify_api.c
@@ -52,10 +52,10 @@
 #define foreach_vpe_api_msg                                             \
 _(CLASSIFY_ADD_DEL_TABLE, classify_add_del_table)                       \
 _(CLASSIFY_ADD_DEL_SESSION, classify_add_del_session)                   \
-_(CLASSIFY_TABLE_IDS,classify_table_ids)                                \
+_(CLASSIFY_TABLE_IDS, classify_table_ids)                               \
 _(CLASSIFY_TABLE_BY_INTERFACE, classify_table_by_interface)             \
-_(CLASSIFY_TABLE_INFO,classify_table_info)                              \
-_(CLASSIFY_SESSION_DUMP,classify_session_dump)                          \
+_(CLASSIFY_TABLE_INFO, classify_table_info)                             \
+_(CLASSIFY_SESSION_DUMP, classify_session_dump)                         \
 _(POLICER_CLASSIFY_SET_INTERFACE, policer_classify_set_interface)       \
 _(POLICER_CLASSIFY_DUMP, policer_classify_dump)                         \
 _(FLOW_CLASSIFY_SET_INTERFACE, flow_classify_set_interface)             \
@@ -63,7 +63,14 @@
 _(INPUT_ACL_SET_INTERFACE, input_acl_set_interface)                     \
 _(CLASSIFY_SET_INTERFACE_IP_TABLE, classify_set_interface_ip_table)     \
 _(CLASSIFY_SET_INTERFACE_L2_TABLES, classify_set_interface_l2_tables)   \
-_(OUTPUT_ACL_SET_INTERFACE, output_acl_set_interface)
+_(OUTPUT_ACL_SET_INTERFACE, output_acl_set_interface)			\
+_(CLASSIFY_PCAP_LOOKUP_TABLE, classify_pcap_lookup_table)		\
+_(CLASSIFY_PCAP_SET_TABLE, classify_pcap_set_table)			\
+_(CLASSIFY_PCAP_GET_TABLES, classify_pcap_get_tables)			\
+_(CLASSIFY_TRACE_LOOKUP_TABLE, classify_trace_lookup_table)		\
+_(CLASSIFY_TRACE_SET_TABLE, classify_trace_set_table)			\
+_(CLASSIFY_TRACE_GET_TABLES, classify_trace_get_tables)			\
+
 
 #define foreach_classify_add_del_table_field    \
 _(table_index)                                  \
@@ -75,6 +82,286 @@
 _(miss_next_index)                              \
 _(mask_len)
 
+
+static void vl_api_classify_pcap_lookup_table_t_handler
+  (vl_api_classify_pcap_lookup_table_t * mp)
+{
+  vnet_classify_main_t *cm = &vnet_classify_main;
+  vl_api_registration_t *reg;
+  vl_api_classify_pcap_lookup_table_reply_t *rmp;
+  int rv = 0;
+  u32 table_index = ~0;
+
+  reg = vl_api_client_index_to_registration (mp->client_index);
+  if (!reg)
+    return;
+
+  u32 n_skip = ntohl (mp->skip_n_vectors);
+  u32 n_match = ntohl (mp->match_n_vectors);
+  u32 mask_len = ntohl (mp->mask_len);
+  u32 sw_if_index = ntohl (mp->sw_if_index);
+
+  if (n_skip > 5
+      || 0 <= n_match || n_match > 5
+      || mask_len != n_match * sizeof (u32x4)
+      || sw_if_index == ~0
+      || sw_if_index >= vec_len (cm->classify_table_index_by_sw_if_index))
+    {
+      rv = VNET_API_ERROR_INVALID_VALUE;
+      goto out;
+    }
+
+  u32 table_chain;
+  table_chain = classify_get_pcap_chain (cm, sw_if_index);
+
+  u8 *mask_vec = 0;
+  vec_validate (mask_vec, mask_len - 1);
+  clib_memcpy (mask_vec, mp->mask, mask_len);
+
+  if (table_chain != ~0)
+    table_index = classify_lookup_chain (table_chain,
+					 mask_vec, n_skip, n_match);
+
+  vec_free (mask_vec);
+
+out:
+  rmp = vl_msg_api_alloc (sizeof (*rmp));
+  rmp->_vl_msg_id = ntohs (VL_API_CLASSIFY_PCAP_LOOKUP_TABLE_REPLY);
+  rmp->context = mp->context;
+  rmp->retval = ntohl (rv);
+  rmp->table_index = htonl (table_index);
+
+  vl_api_send_msg (reg, (u8 *) rmp);
+}
+
+static void vl_api_classify_pcap_set_table_t_handler
+  (vl_api_classify_pcap_set_table_t * mp)
+{
+  vnet_classify_main_t *cm = &vnet_classify_main;
+  vl_api_classify_pcap_set_table_reply_t *rmp;
+  vl_api_registration_t *reg;
+  int rv = 0;
+
+  reg = vl_api_client_index_to_registration (mp->client_index);
+  if (!reg)
+    return;
+
+  u32 table_index = ntohl (mp->table_index);
+  u32 sw_if_index = ntohl (mp->sw_if_index);
+
+  if (sw_if_index == ~0
+      || sw_if_index >= vec_len (cm->classify_table_index_by_sw_if_index)
+      || (table_index != ~0 && pool_is_free_index (cm->tables, table_index)))
+    {
+      rv = VNET_API_ERROR_INVALID_VALUE;
+      goto out;
+    }
+
+  /*
+   * Maybe reorder tables such that masks are most-specify to least-specific.
+   */
+  if (table_index != ~0 && mp->sort_masks)
+    table_index = classify_sort_table_chain (cm, table_index);
+
+  classify_set_pcap_chain (cm, sw_if_index, table_index);
+
+out:
+  rmp = vl_msg_api_alloc (sizeof (*rmp));
+  rmp->_vl_msg_id = ntohs (VL_API_CLASSIFY_PCAP_SET_TABLE_REPLY);
+  rmp->context = mp->context;
+  rmp->retval = ntohl (rv);
+  rmp->table_index = htonl (table_index);
+
+  vl_api_send_msg (reg, (u8 *) rmp);
+}
+
+static void vl_api_classify_pcap_get_tables_t_handler
+  (vl_api_classify_pcap_get_tables_t * mp)
+{
+  vnet_classify_main_t *cm = &vnet_classify_main;
+  vl_api_classify_pcap_get_tables_reply_t *rmp;
+  vl_api_registration_t *reg;
+  int rv = 0;
+  u32 *tables = 0;
+  u32 count;
+
+  reg = vl_api_client_index_to_registration (mp->client_index);
+  if (!reg)
+    return;
+
+  u32 sw_if_index = ntohl (mp->sw_if_index);
+  if (sw_if_index == ~0
+      || sw_if_index >= vec_len (cm->classify_table_index_by_sw_if_index))
+    {
+      rv = VNET_API_ERROR_INVALID_VALUE;
+      goto out;
+    }
+
+  u32 table_index = classify_get_pcap_chain (cm, sw_if_index);
+  if (table_index == ~0)
+    goto out;
+
+  /*
+   * Form a vector of all classifier tables in this chain.
+   */
+  vnet_classify_table_t *t;
+  u32 i;
+
+  for (i = table_index; i != ~0; i = t->next_table_index)
+    {
+      vec_add1 (tables, i);
+      t = pool_elt_at_index (cm->tables, i);
+    }
+
+out:
+  count = vec_len (tables);
+  rmp = vl_msg_api_alloc_as_if_client (sizeof (*rmp) + count * sizeof (u32));
+  rmp->_vl_msg_id = ntohs (VL_API_CLASSIFY_PCAP_GET_TABLES_REPLY);
+  rmp->context = mp->context;
+  rmp->retval = ntohl (rv);
+  rmp->count = htonl (count);
+
+  for (i = 0; i < count; ++i)
+    {
+      rmp->indices[i] = htonl (tables[i]);
+    }
+
+  vec_free (tables);
+
+  vl_api_send_msg (reg, (u8 *) rmp);
+}
+
+
+static void vl_api_classify_trace_lookup_table_t_handler
+  (vl_api_classify_trace_lookup_table_t * mp)
+{
+  vl_api_classify_trace_lookup_table_reply_t *rmp;
+  vl_api_registration_t *reg;
+  int rv = 0;
+  u32 table_index = ~0;
+
+  reg = vl_api_client_index_to_registration (mp->client_index);
+  if (!reg)
+    return;
+
+  u32 n_skip = ntohl (mp->skip_n_vectors);
+  u32 n_match = ntohl (mp->match_n_vectors);
+  u32 mask_len = ntohl (mp->mask_len);
+  if (n_skip > 5
+      || n_match == 0 || n_match > 5 || mask_len != n_match * sizeof (u32x4))
+    {
+      rv = VNET_API_ERROR_INVALID_VALUE;
+      goto out;
+    }
+
+  u32 table_chain;
+  table_chain = classify_get_trace_chain ();
+
+  u8 *mask_vec = 0;
+  vec_validate (mask_vec, mask_len - 1);
+  clib_memcpy (mask_vec, mp->mask, mask_len);
+
+  if (table_chain != ~0)
+    table_index = classify_lookup_chain (table_chain,
+					 mask_vec, n_skip, n_match);
+  vec_free (mask_vec);
+
+out:
+  rmp = vl_msg_api_alloc (sizeof (*rmp));
+  rmp->_vl_msg_id = ntohs ((VL_API_CLASSIFY_TRACE_LOOKUP_TABLE_REPLY));
+  rmp->context = mp->context;
+  rmp->retval = ntohl (rv);
+  rmp->table_index = htonl (table_index);
+
+  vl_api_send_msg (reg, (u8 *) rmp);
+}
+
+static void vl_api_classify_trace_set_table_t_handler
+  (vl_api_classify_trace_set_table_t * mp)
+{
+  vnet_classify_main_t *cm = &vnet_classify_main;
+  vl_api_classify_trace_set_table_reply_t *rmp;
+  vl_api_registration_t *reg;
+  int rv = 0;
+
+  reg = vl_api_client_index_to_registration (mp->client_index);
+  if (!reg)
+    return;
+
+  u32 table_index = ntohl (mp->table_index);
+  if (table_index != ~0 && pool_is_free_index (cm->tables, table_index))
+    {
+      rv = VNET_API_ERROR_INVALID_VALUE;
+      goto out;
+    }
+
+  /*
+   * Maybe reorder tables such that masks are most-specific to least-specific.
+   */
+  if (table_index != ~0 && mp->sort_masks)
+    table_index = classify_sort_table_chain (cm, table_index);
+
+  classify_set_trace_chain (cm, table_index);
+
+out:
+  rmp = vl_msg_api_alloc (sizeof (*rmp));
+  rmp->_vl_msg_id = ntohs ((VL_API_CLASSIFY_TRACE_SET_TABLE_REPLY));
+  rmp->context = mp->context;
+  rmp->retval = ntohl (rv);
+  rmp->table_index = htonl (table_index);
+
+  vl_api_send_msg (reg, (u8 *) rmp);
+}
+
+static void vl_api_classify_trace_get_tables_t_handler
+  (vl_api_classify_trace_get_tables_t * mp)
+{
+  vnet_classify_main_t *cm = &vnet_classify_main;
+  vl_api_classify_trace_get_tables_reply_t *rmp;
+  vl_api_registration_t *reg;
+  int rv = 0;
+  u32 *tables = 0;
+  u32 count;
+
+  reg = vl_api_client_index_to_registration (mp->client_index);
+  if (!reg)
+    return;
+
+  u32 table_index = classify_get_trace_chain ();
+  if (table_index == ~0)
+    goto out;
+
+  /*
+   * Form a vector of all classifier tables in this chain.
+   */
+  vnet_classify_table_t *t;
+  u32 i;
+
+  for (i = table_index; i != ~0; i = t->next_table_index)
+    {
+      vec_add1 (tables, i);
+      t = pool_elt_at_index (cm->tables, i);
+    }
+
+out:
+  count = vec_len (tables);
+  rmp = vl_msg_api_alloc_as_if_client (sizeof (*rmp) + count * sizeof (u32));
+  rmp->_vl_msg_id = ntohs (VL_API_CLASSIFY_TRACE_GET_TABLES_REPLY);
+  rmp->context = mp->context;
+  rmp->retval = ntohl (rv);
+  rmp->count = htonl (count);
+
+  for (i = 0; i < count; ++i)
+    {
+      rmp->indices[i] = htonl (tables[i]);
+    }
+
+  vec_free (tables);
+
+  vl_api_send_msg (reg, (u8 *) rmp);
+}
+
+
 static void vl_api_classify_add_del_table_t_handler
   (vl_api_classify_add_del_table_t * mp)
 {
@@ -391,7 +678,7 @@
   if (rmp == 0)
     {
       rmp = vl_msg_api_alloc (sizeof (*rmp));
-      rmp->_vl_msg_id = ntohs ((VL_API_CLASSIFY_TABLE_INFO_REPLY));
+      rmp->_vl_msg_id = ntohs (VL_API_CLASSIFY_TABLE_INFO_REPLY);
       rmp->context = mp->context;
       rmp->retval = ntohl (VNET_API_ERROR_CLASSIFY_TABLE_NOT_FOUND);
     }
diff --git a/src/vnet/classify/vnet_classify.c b/src/vnet/classify/vnet_classify.c
index 088890a..7e239cc 100644
--- a/src/vnet/classify/vnet_classify.c
+++ b/src/vnet/classify/vnet_classify.c
@@ -12,6 +12,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
+
 #include <vnet/classify/vnet_classify.h>
 #include <vnet/classify/in_out_acl.h>
 #include <vnet/ip/ip.h>
@@ -21,6 +22,8 @@
 #include <vppinfra/lock.h>
 #include <vnet/classify/trace_classify.h>
 
+
+
 /**
  * @file
  * @brief N-tuple classifier
@@ -1671,6 +1674,165 @@
     return 0;
 }
 
+
+/*
+ * Reorder the chain of tables starting with table_index such
+ * that more more-specific masks come before less-specific masks.
+ * Return the new head of the table chain.
+ */
+u32
+classify_sort_table_chain (vnet_classify_main_t * cm, u32 table_index)
+{
+  /*
+   * Form a vector of all classifier tables in this chain.
+   */
+  u32 *tables = 0;
+  vnet_classify_table_t *t;
+  u32 cti;
+  for (cti = table_index; cti != ~0; cti = t->next_table_index)
+    {
+      vec_add1 (tables, cti);
+      t = pool_elt_at_index (cm->tables, cti);
+    }
+
+  /*
+   * Sort filter tables from most-specific mask to least-specific mask.
+   */
+  vec_sort_with_function (tables, filter_table_mask_compare);
+
+  /*
+   * Relink tables via next_table_index fields.
+   */
+  int i;
+  for (i = 0; i < vec_len (tables); i++)
+    {
+      t = pool_elt_at_index (cm->tables, tables[i]);
+
+      if ((i + 1) < vec_len (tables))
+	t->next_table_index = tables[i + 1];
+      else
+	t->next_table_index = ~0;
+    }
+
+  table_index = tables[0];
+  vec_free (tables);
+
+  return table_index;
+}
+
+
+u32
+classify_get_trace_chain (void)
+{
+  u32 table_index;
+
+  table_index = vlib_global_main.trace_filter.classify_table_index;
+
+  return table_index;
+}
+
+/*
+ * Seting the Trace chain to ~0 is a request to delete and clear it.
+ */
+void
+classify_set_trace_chain (vnet_classify_main_t * cm, u32 table_index)
+{
+  if (table_index == ~0)
+    {
+      u32 old_table_index;
+
+      old_table_index = vlib_global_main.trace_filter.classify_table_index;
+      vnet_classify_delete_table_index (cm, old_table_index, 1);
+    }
+
+  vlib_global_main.trace_filter.classify_table_index = table_index;
+}
+
+
+u32
+classify_get_pcap_chain (vnet_classify_main_t * cm, u32 sw_if_index)
+{
+  u32 table_index = ~0;
+
+  if (sw_if_index != ~0
+      && (sw_if_index < vec_len (cm->classify_table_index_by_sw_if_index)))
+    table_index = cm->classify_table_index_by_sw_if_index[sw_if_index];
+
+  return table_index;
+}
+
+void
+classify_set_pcap_chain (vnet_classify_main_t * cm,
+			 u32 sw_if_index, u32 table_index)
+{
+  vnet_main_t *vnm = vnet_get_main ();
+
+  if (sw_if_index != ~0 && table_index != ~0)
+    vec_validate_init_empty (cm->classify_table_index_by_sw_if_index,
+			     sw_if_index, ~0);
+
+  if (table_index == ~0)
+    {
+      u32 old_table_index = ~0;
+
+      if (sw_if_index < vec_len (cm->classify_table_index_by_sw_if_index))
+	old_table_index =
+	  cm->classify_table_index_by_sw_if_index[sw_if_index];
+
+      vnet_classify_delete_table_index (cm, old_table_index, 1);
+    }
+
+  /*
+   * Put the table index where device drivers can find them.
+   * This table index will be either a valid table or a ~0 to clear it.
+   */
+  cm->classify_table_index_by_sw_if_index[sw_if_index] = table_index;
+  if (sw_if_index > 0)
+    {
+      vnet_hw_interface_t *hi;
+      hi = vnet_get_sup_hw_interface (vnm, sw_if_index);
+      hi->trace_classify_table_index = table_index;
+    }
+}
+
+
+/*
+ * Search for a mask-compatible Classify table within the given table chain.
+ */
+u32
+classify_lookup_chain (u32 table_index, u8 * mask, u32 n_skip, u32 n_match)
+{
+  vnet_classify_main_t *cm = &vnet_classify_main;
+  vnet_classify_table_t *t;
+  u32 cti;
+
+  if (table_index == ~0)
+    return ~0;
+
+  for (cti = table_index; cti != ~0; cti = t->next_table_index)
+    {
+      t = pool_elt_at_index (cm->tables, cti);
+
+      /* Classifier geometry mismatch, can't use this table. */
+      if (t->match_n_vectors != n_match || t->skip_n_vectors != n_skip)
+	continue;
+
+      /* Masks aren't congruent, can't use this table. */
+      if (vec_len (t->mask) * sizeof (u32x4) != vec_len (mask))
+	continue;
+
+      /* Masks aren't bit-for-bit identical, can't use this table. */
+      if (memcmp (t->mask, mask, vec_len (mask)))
+	continue;
+
+      /* Winner... */
+      return cti;
+    }
+
+  return ~0;
+}
+
+
 static clib_error_t *
 classify_filter_command_fn (vlib_main_t * vm,
 			    unformat_input_t * input,
@@ -1683,7 +1845,6 @@
   u32 match = ~0;
   u8 *match_vector;
   int is_add = 1;
-  int del_chain = 0;
   u32 table_index = ~0;
   u32 next_table_index = ~0;
   u32 miss_next_index = ~0;
@@ -1692,13 +1853,9 @@
   u32 sw_if_index = ~0;
   int pkt_trace = 0;
   int pcap = 0;
-  int i;
-  vnet_classify_table_t *t;
   u8 *mask = 0;
   vnet_classify_main_t *cm = &vnet_classify_main;
   int rv = 0;
-  vnet_classify_filter_set_t *set = 0;
-  u32 set_index = ~0;
   clib_error_t *err = 0;
 
   unformat_input_t _line_input, *line_input = &_line_input;
@@ -1760,149 +1917,78 @@
 
   if (!is_add)
     {
+      /*
+       * Delete an existing PCAP or trace classify table.
+       */
       if (pkt_trace)
-	set_index = vlib_global_main.trace_filter.trace_filter_set_index;
-      else if (sw_if_index < vec_len (cm->filter_set_by_sw_if_index))
-	set_index = cm->filter_set_by_sw_if_index[sw_if_index];
-
-      if (set_index == ~0)
-	{
-	  if (pkt_trace)
-	    err =
-	      clib_error_return (0, "No pkt trace classify filter set...");
-	  else if (sw_if_index == 0)
-	    err = clib_error_return (0, "No pcap classify filter set...");
-	  else
-	    err = clib_error_return (0, "No classify filter set for %U...",
-				     format_vnet_sw_if_index_name, vnm,
-				     sw_if_index);
-	  unformat_free (line_input);
-	  return err;
-	}
-
-      set = pool_elt_at_index (cm->filter_sets, set_index);
-
-      set->refcnt--;
-      ASSERT (set->refcnt >= 0);
-      if (set->refcnt == 0)
-	{
-	  del_chain = 1;
-	  table_index = set->table_indices[0];
-	  vec_reset_length (set->table_indices);
-	  pool_put (cm->filter_sets, set);
-	  if (pkt_trace)
-	    {
-	      vlib_global_main.trace_filter.trace_filter_set_index = ~0;
-	      vlib_global_main.trace_filter.trace_classify_table_index = ~0;
-	    }
-	  else
-	    {
-	      cm->filter_set_by_sw_if_index[sw_if_index] = ~0;
-	      if (sw_if_index > 0)
-		{
-		  vnet_hw_interface_t *hi =
-		    vnet_get_sup_hw_interface (vnm, sw_if_index);
-		  hi->trace_classify_table_index = ~0;
-		}
-	    }
-	}
-    }
-
-  if (is_add)
-    {
-      if (pkt_trace)
-	set_index = vlib_global_main.trace_filter.trace_filter_set_index;
-      else if (sw_if_index < vec_len (cm->filter_set_by_sw_if_index))
-	set_index = cm->filter_set_by_sw_if_index[sw_if_index];
-
-      /* Do we have a filter set for this intfc / pcap yet? */
-      if (set_index == ~0)
-	{
-	  pool_get (cm->filter_sets, set);
-	  set_index = set - cm->filter_sets;
-	  set->refcnt = 1;
-	}
+	classify_set_trace_chain (cm, ~0);
       else
-	set = pool_elt_at_index (cm->filter_sets, set_index);
+	classify_set_pcap_chain (cm, sw_if_index, ~0);
 
-      ASSERT (set);
-
-      for (i = 0; i < vec_len (set->table_indices); i++)
-	{
-	  t = pool_elt_at_index (cm->tables, set->table_indices[i]);
-	  /* classifier geometry mismatch, can't use this table */
-	  if (t->match_n_vectors != match || t->skip_n_vectors != skip)
-	    continue;
-	  /* Masks aren't congruent, can't use this table */
-	  if (vec_len (t->mask) * sizeof (u32x4) != vec_len (mask))
-	    continue;
-	  /* Masks aren't bit-for-bit identical, can't use this table */
-	  if (memcmp (t->mask, mask, vec_len (mask)))
-	    continue;
-
-	  /* Winner... */
-	  table_index = set->table_indices[i];
-	  goto found_table;
-	}
-    }
-
-  rv = vnet_classify_add_del_table (cm, mask, nbuckets, memory_size,
-				    skip, match, next_table_index,
-				    miss_next_index, &table_index,
-				    current_data_flag, current_data_offset,
-				    is_add, del_chain);
-  vec_free (mask);
-
-  if (rv != 0)
-    {
+      vec_free (mask);
       unformat_free (line_input);
-      return clib_error_return (0, "vnet_classify_add_del_table returned %d",
-				rv);
-    }
 
-  if (is_add == 0)
-    {
-      unformat_free (line_input);
       return 0;
     }
 
-  /* Remember the table */
-  vec_add1 (set->table_indices, table_index);
-
+  /*
+   * Find an existing compatible table or else make a new one.
+   */
   if (pkt_trace)
-    vlib_global_main.trace_filter.trace_filter_set_index = set_index;
+    table_index = classify_get_trace_chain ();
   else
+    table_index = classify_get_pcap_chain (cm, sw_if_index);
+
+  if (table_index != ~0)
+    table_index = classify_lookup_chain (table_index, mask, skip, match);
+
+  /*
+   * When no table is found, make one.
+   */
+  if (table_index == ~0)
     {
-      vec_validate_init_empty (cm->filter_set_by_sw_if_index, sw_if_index,
-			       ~0);
-      cm->filter_set_by_sw_if_index[sw_if_index] = set - cm->filter_sets;
-    }
+      /*
+       * Matching table wasn't found, so create a new one at the
+       * head of the next_table_index chain.
+       */
+      next_table_index = table_index;
+      table_index = ~0;
 
-  /* Sort filter tables from most-specific mask to least-specific mask */
-  vec_sort_with_function (set->table_indices, filter_table_mask_compare);
+      rv = vnet_classify_add_del_table (cm, mask, nbuckets, memory_size,
+					skip, match, next_table_index,
+					miss_next_index, &table_index,
+					current_data_flag,
+					current_data_offset, 1, 0);
 
-  /* Setup next_table_index fields */
-  for (i = 0; i < vec_len (set->table_indices); i++)
-    {
-      t = pool_elt_at_index (cm->tables, set->table_indices[i]);
+      if (rv != 0)
+	{
+	  vec_free (mask);
+	  unformat_free (line_input);
+	  return clib_error_return (0,
+				    "vnet_classify_add_del_table returned %d",
+				    rv);
+	}
 
-      if ((i + 1) < vec_len (set->table_indices))
-	t->next_table_index = set->table_indices[i + 1];
+      /*
+       * Reorder tables such that masks are most-specify to least-specific.
+       */
+      table_index = classify_sort_table_chain (cm, table_index);
+
+      /*
+       * Put first classifier table in chain in a place where
+       * other data structures expect to find and use it.
+       */
+      if (pkt_trace)
+	classify_set_trace_chain (cm, table_index);
       else
-	t->next_table_index = ~0;
+	classify_set_pcap_chain (cm, sw_if_index, table_index);
     }
 
-  /* Put top table index where device drivers can find them */
-  if (sw_if_index > 0 && pkt_trace == 0)
-    {
-      vnet_hw_interface_t *hi = vnet_get_sup_hw_interface (vnm, sw_if_index);
-      ASSERT (vec_len (set->table_indices) > 0);
-      hi->trace_classify_table_index = set->table_indices[0];
-    }
+  vec_free (mask);
 
-found_table:
-
-  /* Now try to parse a session */
+  /*
+   * Now try to parse a and add a filter-match session.
+   */
   if (unformat (line_input, "match %U", unformat_classify_match,
 		cm, &match_vector, table_index) == 0)
     return 0;
@@ -1930,16 +2016,6 @@
 {
   if (enable)
     {
-      vnet_classify_main_t *cm = &vnet_classify_main;
-      vnet_classify_filter_set_t *set;
-      u32 set_index = vlib_global_main.trace_filter.trace_filter_set_index;
-
-      if (set_index == ~0)
-	return -1;
-
-      set = pool_elt_at_index (cm->filter_sets, set_index);
-      vlib_global_main.trace_filter.trace_classify_table_index =
-	set->table_indices[0];
       vlib_global_main.trace_filter.trace_filter_enable = 1;
     }
   else
@@ -2040,10 +2116,8 @@
 {
   vnet_classify_main_t *cm = &vnet_classify_main;
   vnet_main_t *vnm = vnet_get_main ();
-  vnet_classify_filter_set_t *set;
   u8 *name = 0;
   u8 *s = 0;
-  u32 set_index;
   u32 table_index;
   int verbose = 0;
   int i, j, limit;
@@ -2053,53 +2127,50 @@
   vlib_cli_output (vm, "%-30s%s", "Filter Used By", " Table(s)");
   vlib_cli_output (vm, "%-30s%s", "--------------", " --------");
 
-  limit = vec_len (cm->filter_set_by_sw_if_index);
+  limit = vec_len (cm->classify_table_index_by_sw_if_index);
 
   for (i = -1; i < limit; i++)
     {
-      if (i < 0)
-	set_index = vlib_global_main.trace_filter.trace_filter_set_index;
-      else
-	set_index = cm->filter_set_by_sw_if_index[i];
-
-      if (set_index == ~0)
-	continue;
-
-      set = pool_elt_at_index (cm->filter_sets, set_index);
-
       switch (i)
 	{
 	case -1:
+	  table_index = vlib_global_main.trace_filter.classify_table_index;
 	  name = format (0, "packet tracer:");
 	  break;
+
 	case 0:
+	  table_index = cm->classify_table_index_by_sw_if_index[i];
 	  name = format (0, "pcap rx/tx/drop:");
 	  break;
+
 	default:
+	  table_index = cm->classify_table_index_by_sw_if_index[i];
 	  name = format (0, "%U:", format_vnet_sw_if_index_name, vnm, i);
 	  break;
 	}
 
       if (verbose)
 	{
-	  u32 table_index;
-
-	  for (j = 0; j < vec_len (set->table_indices); j++)
+	  vnet_classify_table_t *t;
+	  j = table_index;
+	  do
 	    {
-	      table_index = set->table_indices[j];
-	      if (table_index != ~0)
-		s = format (s, " %u", table_index);
-	      else
+	      if (j == ~0)
 		s = format (s, " none");
+	      else
+		{
+		  s = format (s, " %u", j);
+		  t = pool_elt_at_index (cm->tables, j);
+		  j = t->next_table_index;
+		}
 	    }
+	  while (j != ~0);
 
 	  vlib_cli_output (vm, "%-30v table(s)%v", name, s);
 	  vec_reset_length (s);
 	}
       else
 	{
-	  table_index = set->table_indices ? set->table_indices[0] : ~0;
-
 	  if (table_index != ~0)
 	    s = format (s, " %u", table_index);
 	  else
@@ -2942,7 +3013,6 @@
 vnet_classify_init (vlib_main_t * vm)
 {
   vnet_classify_main_t *cm = &vnet_classify_main;
-  vnet_classify_filter_set_t *set;
 
   cm->vlib_main = vm;
   cm->vnet_main = vnet_get_main ();
@@ -2960,14 +3030,7 @@
 
   vnet_classify_register_unformat_acl_next_index_fn (unformat_acl_next_node);
 
-  /* Filter set 0 is grounded... */
-  pool_get_zero (cm->filter_sets, set);
-  set->refcnt = 0x7FFFFFFF;
-  /* Initialize the pcap filter set */
-  vec_validate (cm->filter_set_by_sw_if_index, 0);
-  cm->filter_set_by_sw_if_index[0] = 0;
-  /* Initialize the packet tracer filter set */
-  vlib_global_main.trace_filter.trace_filter_set_index = ~0;
+  vlib_global_main.trace_filter.classify_table_index = ~0;
 
   return 0;
 }
diff --git a/src/vnet/classify/vnet_classify.h b/src/vnet/classify/vnet_classify.h
index f0c8124..1ce29df 100644
--- a/src/vnet/classify/vnet_classify.h
+++ b/src/vnet/classify/vnet_classify.h
@@ -180,12 +180,6 @@
 
 } vnet_classify_table_t;
 
-typedef struct
-{
-  int refcnt;
-  u32 *table_indices;
-} vnet_classify_filter_set_t;
-
 struct _vnet_classify_main
 {
   /* Table pool */
@@ -198,11 +192,8 @@
   unformat_function_t **unformat_policer_next_index_fns;
   unformat_function_t **unformat_opaque_index_fns;
 
-  /* Pool of filter sets */
-  vnet_classify_filter_set_t *filter_sets;
-
-  /* Per-interface filter set map. [0] is used for pcap */
-  u32 *filter_set_by_sw_if_index;
+  /* Per-interface filter table.  [0] is used for pcap */
+  u32 *classify_table_index_by_sw_if_index;
 
   /* convenience variables */
   vlib_main_t *vlib_main;
@@ -554,6 +545,17 @@
 void vnet_classify_register_unformat_opaque_index_fn (unformat_function_t *
 						      fn);
 
+u32 classify_get_pcap_chain (vnet_classify_main_t * cm, u32 sw_if_index);
+void classify_set_pcap_chain (vnet_classify_main_t * cm,
+			      u32 sw_if_index, u32 table_index);
+
+u32 classify_get_trace_chain (void);
+void classify_set_trace_chain (vnet_classify_main_t * cm, u32 table_index);
+
+u32 classify_sort_table_chain (vnet_classify_main_t * cm, u32 table_index);
+u32 classify_lookup_chain (u32 table_index,
+			   u8 * mask, u32 n_skip, u32 n_match);
+
 #endif /* __included_vnet_classify_h__ */
 
 /*