perf: 优化策略扫描

2023-11-03 10:02:50 +08:00
parent 0753e8018c
commit 3627addb85
5 changed files with 1456 additions and 332 deletions
--- a/common/include/utarray.h
+++ b/common/include/utarray.h
@@ -0,0 +1,353 @@
+/*
+Copyright (c) 2008-2022, Troy D. Hanson  https://troydhanson.github.io/uthash/
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+    * Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
+OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+/* a dynamic array implementation using macros
+ */
+#ifndef UTARRAY_H
+#define UTARRAY_H
+
+#define UTARRAY_VERSION 2.3.0
+
+#include <stddef.h> /* size_t */
+#include <string.h> /* memset, etc */
+#include <stdlib.h> /* exit */
+
+#ifdef __GNUC__
+#define UTARRAY_UNUSED __attribute__((__unused__))
+#else
+#define UTARRAY_UNUSED
+#endif
+
+#ifndef utarray_oom
+#define utarray_oom() exit(-1)
+#endif
+
+typedef void(ctor_f)(void *dst, const void *src);
+typedef void(dtor_f)(void *elt);
+typedef void(init_f)(void *elt);
+typedef struct
+{
+  size_t sz;
+  init_f *init;
+  ctor_f *copy;
+  dtor_f *dtor;
+} UT_icd;
+
+typedef struct
+{
+  unsigned i, n; /* i: index of next available slot, n: num slots */
+  UT_icd icd;    /* initializer, copy and destructor functions */
+  char *d;       /* n slots of size icd->sz*/
+} UT_array;
+
+#define utarray_init(a, _icd)       \
+  do                                \
+  {                                 \
+    memset(a, 0, sizeof(UT_array)); \
+    (a)->icd = *(_icd);             \
+  } while (0)
+
+#define utarray_done(a)                            \
+  do                                               \
+  {                                                \
+    if ((a)->n)                                    \
+    {                                              \
+      if ((a)->icd.dtor)                           \
+      {                                            \
+        unsigned _ut_i;                            \
+        for (_ut_i = 0; _ut_i < (a)->i; _ut_i++)   \
+        {                                          \
+          (a)->icd.dtor(utarray_eltptr(a, _ut_i)); \
+        }                                          \
+      }                                            \
+      free((a)->d);                                \
+    }                                              \
+    (a)->n = 0;                                    \
+  } while (0)
+
+#define utarray_new(a, _icd)                    \
+  do                                            \
+  {                                             \
+    (a) = (UT_array *)malloc(sizeof(UT_array)); \
+    if ((a) == NULL)                            \
+    {                                           \
+      utarray_oom();                            \
+    }                                           \
+    utarray_init(a, _icd);                      \
+  } while (0)
+
+#define utarray_free(a) \
+  do                    \
+  {                     \
+    utarray_done(a);    \
+    free(a);            \
+  } while (0)
+
+#define utarray_reserve(a, by)                                     \
+  do                                                               \
+  {                                                                \
+    if (((a)->i + (by)) > (a)->n)                                  \
+    {                                                              \
+      char *utarray_tmp;                                           \
+      while (((a)->i + (by)) > (a)->n)                             \
+      {                                                            \
+        (a)->n = ((a)->n ? (2 * (a)->n) : 8);                      \
+      }                                                            \
+      utarray_tmp = (char *)realloc((a)->d, (a)->n * (a)->icd.sz); \
+      if (utarray_tmp == NULL)                                     \
+      {                                                            \
+        utarray_oom();                                             \
+      }                                                            \
+      (a)->d = utarray_tmp;                                        \
+    }                                                              \
+  } while (0)
+
+#define utarray_push_back(a, p)                             \
+  do                                                        \
+  {                                                         \
+    utarray_reserve(a, 1);                                  \
+    if ((a)->icd.copy)                                      \
+    {                                                       \
+      (a)->icd.copy(_utarray_eltptr(a, (a)->i++), p);       \
+    }                                                       \
+    else                                                    \
+    {                                                       \
+      memcpy(_utarray_eltptr(a, (a)->i++), p, (a)->icd.sz); \
+    };                                                      \
+  } while (0)
+
+#define utarray_pop_back(a)                          \
+  do                                                 \
+  {                                                  \
+    if ((a)->icd.dtor)                               \
+    {                                                \
+      (a)->icd.dtor(_utarray_eltptr(a, --((a)->i))); \
+    }                                                \
+    else                                             \
+    {                                                \
+      (a)->i--;                                      \
+    }                                                \
+  } while (0)
+
+#define utarray_extend_back(a)                            \
+  do                                                      \
+  {                                                       \
+    utarray_reserve(a, 1);                                \
+    if ((a)->icd.init)                                    \
+    {                                                     \
+      (a)->icd.init(_utarray_eltptr(a, (a)->i));          \
+    }                                                     \
+    else                                                  \
+    {                                                     \
+      memset(_utarray_eltptr(a, (a)->i), 0, (a)->icd.sz); \
+    }                                                     \
+    (a)->i++;                                             \
+  } while (0)
+
+#define utarray_len(a) ((a)->i)
+
+#define utarray_eltptr(a, j) (((j) < (a)->i) ? _utarray_eltptr(a, j) : NULL)
+#define _utarray_eltptr(a, j) ((void *)((a)->d + ((a)->icd.sz * (j))))
+
+#define utarray_insert(a, p, j)                                   \
+  do                                                              \
+  {                                                               \
+    if ((j) > (a)->i)                                             \
+      utarray_resize(a, j);                                       \
+    utarray_reserve(a, 1);                                        \
+    if ((j) < (a)->i)                                             \
+    {                                                             \
+      memmove(_utarray_eltptr(a, (j) + 1), _utarray_eltptr(a, j), \
+              ((a)->i - (j)) * ((a)->icd.sz));                    \
+    }                                                             \
+    if ((a)->icd.copy)                                            \
+    {                                                             \
+      (a)->icd.copy(_utarray_eltptr(a, j), p);                    \
+    }                                                             \
+    else                                                          \
+    {                                                             \
+      memcpy(_utarray_eltptr(a, j), p, (a)->icd.sz);              \
+    };                                                            \
+    (a)->i++;                                                     \
+  } while (0)
+
+#define utarray_inserta(a, w, j)                                                   \
+  do                                                                               \
+  {                                                                                \
+    if (utarray_len(w) == 0)                                                       \
+      break;                                                                       \
+    if ((j) > (a)->i)                                                              \
+      utarray_resize(a, j);                                                        \
+    utarray_reserve(a, utarray_len(w));                                            \
+    if ((j) < (a)->i)                                                              \
+    {                                                                              \
+      memmove(_utarray_eltptr(a, (j) + utarray_len(w)),                            \
+              _utarray_eltptr(a, j),                                               \
+              ((a)->i - (j)) * ((a)->icd.sz));                                     \
+    }                                                                              \
+    if ((a)->icd.copy)                                                             \
+    {                                                                              \
+      unsigned _ut_i;                                                              \
+      for (_ut_i = 0; _ut_i < (w)->i; _ut_i++)                                     \
+      {                                                                            \
+        (a)->icd.copy(_utarray_eltptr(a, (j) + _ut_i), _utarray_eltptr(w, _ut_i)); \
+      }                                                                            \
+    }                                                                              \
+    else                                                                           \
+    {                                                                              \
+      memcpy(_utarray_eltptr(a, j), _utarray_eltptr(w, 0),                         \
+             utarray_len(w) * ((a)->icd.sz));                                      \
+    }                                                                              \
+    (a)->i += utarray_len(w);                                                      \
+  } while (0)
+
+#define utarray_resize(dst, num)                                                      \
+  do                                                                                  \
+  {                                                                                   \
+    unsigned _ut_i;                                                                   \
+    if ((dst)->i > (unsigned)(num))                                                   \
+    {                                                                                 \
+      if ((dst)->icd.dtor)                                                            \
+      {                                                                               \
+        for (_ut_i = (num); _ut_i < (dst)->i; ++_ut_i)                                \
+        {                                                                             \
+          (dst)->icd.dtor(_utarray_eltptr(dst, _ut_i));                               \
+        }                                                                             \
+      }                                                                               \
+    }                                                                                 \
+    else if ((dst)->i < (unsigned)(num))                                              \
+    {                                                                                 \
+      utarray_reserve(dst, (num) - (dst)->i);                                         \
+      if ((dst)->icd.init)                                                            \
+      {                                                                               \
+        for (_ut_i = (dst)->i; _ut_i < (unsigned)(num); ++_ut_i)                      \
+        {                                                                             \
+          (dst)->icd.init(_utarray_eltptr(dst, _ut_i));                               \
+        }                                                                             \
+      }                                                                               \
+      else                                                                            \
+      {                                                                               \
+        memset(_utarray_eltptr(dst, (dst)->i), 0, (dst)->icd.sz *((num) - (dst)->i)); \
+      }                                                                               \
+    }                                                                                 \
+    (dst)->i = (num);                                                                 \
+  } while (0)
+
+#define utarray_concat(dst, src)                 \
+  do                                             \
+  {                                              \
+    utarray_inserta(dst, src, utarray_len(dst)); \
+  } while (0)
+
+#define utarray_erase(a, pos, len)                                        \
+  do                                                                      \
+  {                                                                       \
+    if ((a)->icd.dtor)                                                    \
+    {                                                                     \
+      unsigned _ut_i;                                                     \
+      for (_ut_i = 0; _ut_i < (len); _ut_i++)                             \
+      {                                                                   \
+        (a)->icd.dtor(utarray_eltptr(a, (pos) + _ut_i));                  \
+      }                                                                   \
+    }                                                                     \
+    if ((a)->i > ((pos) + (len)))                                         \
+    {                                                                     \
+      memmove(_utarray_eltptr(a, pos), _utarray_eltptr(a, (pos) + (len)), \
+              ((a)->i - ((pos) + (len))) * (a)->icd.sz);                  \
+    }                                                                     \
+    (a)->i -= (len);                                                      \
+  } while (0)
+
+#define utarray_renew(a, u) \
+  do                        \
+  {                         \
+    if (a)                  \
+      utarray_clear(a);     \
+    else                    \
+      utarray_new(a, u);    \
+  } while (0)
+
+#define utarray_clear(a)                            \
+  do                                                \
+  {                                                 \
+    if ((a)->i > 0)                                 \
+    {                                               \
+      if ((a)->icd.dtor)                            \
+      {                                             \
+        unsigned _ut_i;                             \
+        for (_ut_i = 0; _ut_i < (a)->i; _ut_i++)    \
+        {                                           \
+          (a)->icd.dtor(_utarray_eltptr(a, _ut_i)); \
+        }                                           \
+      }                                             \
+      (a)->i = 0;                                   \
+    }                                               \
+  } while (0)
+
+#define utarray_sort(a, cmp)                 \
+  do                                         \
+  {                                          \
+    qsort((a)->d, (a)->i, (a)->icd.sz, cmp); \
+  } while (0)
+
+#define utarray_find(a, v, cmp) bsearch((v), (a)->d, (a)->i, (a)->icd.sz, cmp)
+
+#define utarray_front(a) (((a)->i) ? (_utarray_eltptr(a, 0)) : NULL)
+#define utarray_next(a, e) (((e) == NULL) ? utarray_front(a) : (((a)->i != utarray_eltidx(a, e) + 1) ? _utarray_eltptr(a, utarray_eltidx(a, e) + 1) : NULL))
+#define utarray_prev(a, e) (((e) == NULL) ? utarray_back(a) : ((utarray_eltidx(a, e) != 0) ? _utarray_eltptr(a, utarray_eltidx(a, e) - 1) : NULL))
+#define utarray_back(a) (((a)->i) ? (_utarray_eltptr(a, (a)->i - 1)) : NULL)
+#define utarray_eltidx(a, e) (((char *)(e) - (a)->d) / (a)->icd.sz)
+
+/* last we pre-define a few icd for common utarrays of ints and strings */
+static void utarray_str_cpy(void *dst, const void *src)
+{
+  char *const *srcc = (char *const *)src;
+  char **dstc = (char **)dst;
+  if (*srcc == NULL)
+  {
+    *dstc = NULL;
+  }
+  else
+  {
+    *dstc = (char *)malloc(strlen(*srcc) + 1);
+    if (*dstc == NULL)
+    {
+      utarray_oom();
+    }
+    else
+    {
+      strcpy(*dstc, *srcc);
+    }
+  }
+}
+static void utarray_str_dtor(void *elt)
+{
+  char **eltc = (char **)elt;
+  if (*eltc != NULL)
+    free(*eltc);
+}
+static const UT_icd ut_str_icd UTARRAY_UNUSED = {sizeof(char *), NULL, utarray_str_cpy, utarray_str_dtor};
+static const UT_icd ut_int_icd UTARRAY_UNUSED = {sizeof(int), NULL, NULL, NULL};
+static const UT_icd ut_ptr_icd UTARRAY_UNUSED = {sizeof(void *), NULL, NULL, NULL};
+
+#endif /* UTARRAY_H */
--- a/platform/include/policy.h
+++ b/platform/include/policy.h
@@ -31,7 +31,7 @@ enum session_action
 	SESSION_ACTION_BLOCK = 2,
 };

-enum action_reason
+enum action_desc
 {
 	ACTION_BYPASS_DUE_DEFAULT = 0x00,
 	ACTION_BYPASS_DUE_INVALID_POLICY = 0x01,
@@ -88,11 +88,10 @@ struct selected_sf
 	int sff_profile_id;
 	enum forward_type sff_forward_type;

-	int sf_need_skip;
 	int sf_vsys_id;
 	int sf_profile_id;
 	enum session_action sf_action;
-	enum action_reason sf_action_reason;
+	enum action_desc sf_action_desc;
 	struct connectivity sf_connectivity;

 	struct throughput_metrics rx;
@@ -121,8 +120,7 @@ struct selected_chainings

 const char *traffic_type_to_string(enum traffic_type traffic_type);
 const char *forward_type_to_string(enum forward_type forward_type);
-const char *session_action_to_string(enum session_action session_action);
-const char *action_reason_to_string(enum action_reason action_reason);
+const char *action_desc_to_string(enum action_desc action_desc);
 const char *encapsulate_method_to_string(enum encapsulate_method encap_method);

 struct selected_chaining *selected_chaining_create(int chaining_size, uint64_t session_id, char *session_addr);
--- a/platform/src/packet_io.cpp
+++ b/platform/src/packet_io.cpp
@@ -662,15 +662,11 @@ static void action_sf_chaining(struct thread_ctx *thread_ctx, struct session_ctx
    for (sf_index = next_sf_index; sf_index < chaining->chaining_used; sf_index++)
    {
        struct selected_sf *sf = &(chaining->chaining[sf_index]);
-        LOG_INFO("%s: session: %lu %s execute chaining [%d/%d] rule_id: %lu, sff_profile_id: %d, sf_profile_id: %d, sf_need_skip: %d, sf_action_reason: %s, is_e2i: %d, is_decrypted: %d",
-                 LOG_TAG_POLICY, session_ctx->session_id, session_ctx->session_addr, sf_index, chaining->chaining_used,
-                 sf->rule_id, sf->sff_profile_id, sf->sf_profile_id, sf->sf_need_skip, action_reason_to_string(sf->sf_action_reason),
-                 meta->is_e2i_dir, meta->is_decrypted);
-
-        if (sf->sf_need_skip)
-        {
-            continue;
-        }
+        LOG_INFO("%s: session: %lu %s execute chaining [%d/%d]: policy %lu->%d->%d, action %s->%s->%s->%s",
+                 LOG_TAG_POLICY, session_ctx->session_id, session_ctx->session_addr,
+                 sf_index, chaining->chaining_used,
+                 sf->rule_id, sf->sff_profile_id, sf->sf_profile_id,
+                 (meta->is_decrypted == 1 ? "decrypted" : "raw"), (meta->is_e2i_dir ? "E2I" : "I2E"), forward_type_to_string(sf->sff_forward_type), action_desc_to_string(sf->sf_action_desc));

        switch (sf->sf_action)
        {
@@ -775,7 +771,7 @@ static int send_ctrl_packet(struct session_ctx *session_ctx, struct selected_cha
            for (int i = 0; i < chaining->chaining_used; i++)
            {
                struct selected_sf *sf = &(chaining->chaining[i]);
-                if (sf->sf_need_skip == 0 && sf->sf_action == SESSION_ACTION_FORWARD)
+                if (sf->sf_action == SESSION_ACTION_FORWARD)
                {
                    mpack_write_u32(&writer, sf->sf_profile_id);
                }
@@ -858,7 +854,7 @@ static void send_event_log(struct session_ctx *session_ctx, struct thread_ctx *t
    }
 }

-static void dump_sf_metrics(struct session_ctx *session_ctx, struct selected_chaining *chaining, const char *tag)
+static void dump_sf_metrics(struct session_ctx *session_ctx, struct selected_chaining *chaining)
 {
    if (chaining == NULL)
    {
@@ -868,8 +864,11 @@ static void dump_sf_metrics(struct session_ctx *session_ctx, struct selected_cha
    for (int i = 0; i < chaining->chaining_used; i++)
    {
        struct selected_sf *sf = &(chaining->chaining[i]);
-        LOG_INFO("%s: session %lu %s %s metrics: rule_id %lu sff_profile_id %d sf_profile_id %d sf_need_skip %d sf_action_reason %s rx_pkts %lu rx_bytes %lu tx_pkts %lu tx_bytes %lu",
-                 LOG_TAG_METRICS, session_ctx->session_id, session_ctx->session_addr, tag, sf->rule_id, sf->sff_profile_id, sf->sf_profile_id, sf->sf_need_skip, action_reason_to_string(sf->sf_action_reason), sf->rx.n_pkts, sf->rx.n_bytes, sf->tx.n_pkts, sf->tx.n_bytes);
+        LOG_INFO("%s: session %lu %s metrics: policy %lu->%d->%d action %s->%s->%s rx_pkts %lu rx_bytes %lu tx_pkts %lu tx_bytes %lu",
+                 LOG_TAG_METRICS, session_ctx->session_id, session_ctx->session_addr,
+                 sf->rule_id, sf->sff_profile_id, sf->sf_profile_id,
+                 traffic_type_to_string(sf->traffic_type), forward_type_to_string(sf->sff_forward_type), action_desc_to_string(sf->sf_action_desc),
+                 sf->rx.n_pkts, sf->rx.n_bytes, sf->tx.n_pkts, sf->tx.n_bytes);
    }
 }

@@ -955,10 +954,10 @@ static void handle_session_closing(struct metadata *meta, struct control_packet
        LOG_INFO("%s: session %lu %s closing", LOG_TAG_PKTIO, s_ctx->session_id, s_ctx->session_addr);

        struct selected_chaining *chaining_raw = s_ctx->chainings.chaining_raw;
-        dump_sf_metrics(s_ctx, chaining_raw, "raw_traffic");
+        dump_sf_metrics(s_ctx, chaining_raw);

        struct selected_chaining *chaining_decrypted = s_ctx->chainings.chaining_decrypted;
-        dump_sf_metrics(s_ctx, chaining_decrypted, "decrypted_traffic");
+        dump_sf_metrics(s_ctx, chaining_decrypted);

        session_table_delete_by_id(session_table, meta->session_id);
        ATOMIC_DEC(&(thread_metrics->sf_session.num));
@@ -1264,16 +1263,13 @@ static int packet_io_config(const char *profile, struct config *config)
    LOG_DEBUG("%s: PACKET_IO->min_timeout_ms                            : %d", LOG_TAG_PKTIO, config->min_timeout_ms);
    LOG_DEBUG("%s: PACKET_IO->app_symbol                                : %s", LOG_TAG_PKTIO, config->app_symbol);
    LOG_DEBUG("%s: PACKET_IO->dev_nf_name                               : %s", LOG_TAG_PKTIO, config->dev_nf_name);
+
    LOG_DEBUG("%s: PACKET_IO->dev_endpoint_l3_name                      : %s", LOG_TAG_PKTIO, config->dev_endpoint_l3_name);
    LOG_DEBUG("%s: PACKET_IO->dev_endpoint_l3_ip                        : %s", LOG_TAG_PKTIO, config->dev_endpoint_l3_ip_str);
+
    LOG_DEBUG("%s: PACKET_IO->dev_endpoint_l2_name                      : %s", LOG_TAG_PKTIO, config->dev_endpoint_l2_name);
    LOG_DEBUG("%s: PACKET_IO->vlan_encapsulate_replace_orig_vlan_header : %d", LOG_TAG_PKTIO, config->vlan_encapsulate_replace_orig_vlan_header);

-    if (strlen(config->dev_endpoint_l3_mac_str))
-    {
-        LOG_DEBUG("%s: PACKET_IO->dev_endpoint_l3_mac : %s (get from configuration file)", LOG_TAG_PKTIO, config->dev_endpoint_l3_mac_str);
-    }
-
    return 0;
 }

@@ -1342,6 +1338,14 @@ struct packet_io *packet_io_create(const char *profile, int thread_num, cpu_set_
        goto error_out;
    }

+    if (strlen(handle->config.dev_endpoint_l3_mac_str) == 0)
+    {
+        marsio_get_device_ether_addr(handle->dev_endpoint_l3.mr_dev, handle->config.dev_endpoint_l3_mac_str, sizeof(handle->config.dev_endpoint_l3_mac_str));
+        LOG_DEBUG("%s: PACKET_IO->dev_endpoint_l3_mac : %s (get from marsio api)", LOG_TAG_PKTIO, handle->config.dev_endpoint_l3_mac_str);
+    }
+    str_to_mac(handle->config.dev_endpoint_l3_mac_str, handle->config.dev_endpoint_l3_mac);
+    handle->config.dev_endpoint_l3_ip = inet_addr(handle->config.dev_endpoint_l3_ip_str);
+
    handle->dev_endpoint_l2.mr_dev = marsio_open_device(handle->instance, handle->config.dev_endpoint_l2_name, handle->thread_num, handle->thread_num);
    if (handle->dev_endpoint_l2.mr_dev == NULL)
    {
@@ -1356,14 +1360,6 @@ struct packet_io *packet_io_create(const char *profile, int thread_num, cpu_set_
        goto error_out;
    }

-    if (strlen(handle->config.dev_endpoint_l3_mac_str) == 0)
-    {
-        marsio_get_device_ether_addr(handle->dev_endpoint_l3.mr_dev, handle->config.dev_endpoint_l3_mac_str, sizeof(handle->config.dev_endpoint_l3_mac_str));
-        LOG_DEBUG("%s: PACKET_IO->dev_endpoint_l3_mac : %s (get from marsio api)", LOG_TAG_PKTIO, handle->config.dev_endpoint_l3_mac_str);
-    }
-    str_to_mac(handle->config.dev_endpoint_l3_mac_str, handle->config.dev_endpoint_l3_mac);
-    handle->config.dev_endpoint_l3_ip = inet_addr(handle->config.dev_endpoint_l3_ip_str);
-
    return handle;

 error_out:
@@ -1435,7 +1431,7 @@ int packet_io_thread_init(struct packet_io *handle, struct thread_ctx *thread_ct

 void packet_io_thread_wait(struct packet_io *handle, struct thread_ctx *thread_ctx, int timeout_ms)
 {
-    static __thread struct mr_vdev *vdevs[] = {
+    struct mr_vdev *vdevs[3] = {
        handle->dev_nf.mr_dev,
        handle->dev_endpoint_l3.mr_dev,
        handle->dev_endpoint_l2.mr_dev,
--- a/platform/src/policy.cpp
+++ b/platform/src/policy.cpp
@@ -12,6 +12,7 @@
 #include "utils.h"
 #include "log.h"
 #include "sce.h"
+#include "utarray.h"

 /******************************************************************************
 * Struct policy_enforcer
@@ -165,7 +166,7 @@ struct sf_param
 };

 /******************************************************************************
- * Private API
+ * Private API -- Utils
 ******************************************************************************/

 static const char *effective_type_to_string(enum effective_type type)
@@ -310,6 +311,10 @@ static void policy_enforcer_config(const char *profile, struct policy_config *co
    LOG_DEBUG("%s: MAAT->max_chaining_size  : %d", LOG_TAG_POLICY, config->max_chaining_size);
 }

+/******************************************************************************
+ * Private API -- MAAT Callback
+ ******************************************************************************/
+
 static void chaining_param_new_cb(const char *table_name, int table_id, const char *key, const char *table_line, void **ad, long argl, void *argp)
 {
    int iter = 0;
@@ -1003,199 +1008,261 @@ static void sf_param_free(struct sf_param *param)
    sf_param_free_cb(0, (void **)&param, 0, NULL);
 }

-// After return must check array elem nums
-static void select_sf_by_nearby_and_adminstatus(struct policy_enforcer *enforcer, struct sff_param *sff_param, struct mutable_array *array)
+/******************************************************************************
+ * Private API -- Selected SF
+ ******************************************************************************/
+
+static void selected_sf_init(struct selected_sf *selected_sf)
 {
-    char buffer[16];
-    struct sf_param *sf = NULL;
+    if (selected_sf)
+    {
+        memset(selected_sf, 0, sizeof(struct selected_sf));
+        selected_sf->rule_vsys_id = 0;
+        selected_sf->rule_id = 0;
+        selected_sf->traffic_type = TRAFFIC_TYPE_NONE;
+        selected_sf->sff_profile_id = -1;
+        selected_sf->sff_forward_type = FORWARD_TYPE_NONE;
+        selected_sf->sf_profile_id = -1;
+        selected_sf->sf_action = SESSION_ACTION_BYPASS;
+        selected_sf->sf_action_desc = ACTION_BYPASS_DUE_DEFAULT;
+    }
+}
+
+static void selected_sf_set_info(struct selected_sf *selected_sf, struct sf_param *sf_param)
+{
+    selected_sf->sf_vsys_id = sf_param->sf_vsys_id;
+    selected_sf->sf_profile_id = sf_param->sf_profile_id;
+    selected_sf->sf_connectivity = sf_param->sf_connectivity;
+
+    if (selected_sf->sf_connectivity.method == ENCAPSULATE_METHOD_VXLAN_G)
+    {
+        selected_sf->sf_dst_ip = inet_addr(selected_sf->sf_connectivity.dest_ip);
+    }
+}
+
+static void selected_sf_set_action(struct selected_sf *selected_sf, enum action_desc action_desc)
+{
+    selected_sf->sf_action_desc = action_desc;
+
+    switch (action_desc)
+    {
+    case ACTION_BYPASS_DUE_DEFAULT:
+    case ACTION_BYPASS_DUE_INVALID_POLICY:
+    case ACTION_BYPASS_DUE_FAILURE_ACTION:
+    case ACTION_BYPASS_DUE_UNAVAILABLE_ACTION:
+    case ACTION_BYPASS_DUE_HEALTH_SF_LIMIT:
+        selected_sf->sf_action = SESSION_ACTION_BYPASS;
+        break;
+    case ACTION_BLOCK_DUE_FAILURE_ACTION:
+    case ACTION_BLOCK_DUE_UNAVAILABLE_ACTION:
+        selected_sf->sf_action = SESSION_ACTION_BLOCK;
+        break;
+    case ACTION_FORWAED_DUE_SELECTED_SF:
+        selected_sf->sf_action = SESSION_ACTION_FORWARD;
+        break;
+    }
+}
+
+// return  1 : current sf can   be selected
+// return  0 : current sf can't be selected
+static int select_sf_by_admin_status(struct sf_param *sf)
+{
+    if (sf->sf_admin_status == ADMMIN_STATUS_ACTIVE)
+    {
+        return 1;
+    }
+    else
+    {
+        return 0;
+    }
+}
+
+// return  1 : current sf can   be selected
+// return  0 : current sf can't be selected
+static int select_sf_by_device_group(struct policy_enforcer *enforcer, struct sf_param *sf)
+{
+    if (strcasecmp(enforcer->config.device_group, sf->sf_effective_range.value) == 0)
+    {
+        return 1;
+    }
+    else
+    {
+        return 0;
+    }
+}
+
+// return  1 : current sf can   be selected
+// return  0 : current sf can't be selected
+static int select_sf_by_data_center(struct policy_enforcer *enforcer, struct sf_param *sf)
+{
+    if (strcasecmp(enforcer->config.data_center, sf->sf_effective_range.value) == 0)
+    {
+        return 1;
+    }
+    else
+    {
+        return 0;
+    }
+}
+
+// return  1 : current sf can   be selected
+// return  0 : current sf can't be selected
+static int select_sf_by_localization(struct policy_enforcer *enforcer, struct sff_param *sff_param, struct sf_param *sf)
+{
+    if (sff_param->sff_ldbc.localiza == LDBC_LOCALIZATION_NEARBY)
+    {
+        if (sf->sf_effective_range.type == EFFECTIVE_TYPE_DEVICE_GROUP)
+        {
+            return select_sf_by_device_group(enforcer, sf);
+        }
+        else
+        {
+            return select_sf_by_data_center(enforcer, sf);
+        }
+    }
+    else
+    {
+        return 1;
+    }
+}
+
+// return  1 : current sf can   be selected
+// return  0 : current sf can't be selected
+static int handle_fail_action(struct exception *sff_exception, struct selected_sf *selected_sf, int sf_num)
+{
+    if (sff_exception->fail_action == FAILURE_ACTION_RE_DISPATCH)
+    {
+        if (sff_exception->health_service_func_lt > 0 && sf_num < sff_exception->health_service_func_lt)
+        {
+            selected_sf_set_action(selected_sf, ACTION_BYPASS_DUE_HEALTH_SF_LIMIT);
+            return 1;
+        }
+        else
+        {
+            if (sf_num == 0)
+            {
+                if (sff_exception->unavail_action == UNAVAILABLE_ACTION_BYPASSS)
+                {
+                    selected_sf_set_action(selected_sf, ACTION_BYPASS_DUE_UNAVAILABLE_ACTION);
+                    return 1;
+                }
+                else
+                {
+                    selected_sf_set_action(selected_sf, ACTION_BLOCK_DUE_UNAVAILABLE_ACTION);
+                    return 1;
+                }
+            }
+            else
+            {
+                return 0;
+            }
+        }
+    }
+    else if (sff_exception->fail_action == FAILURE_ACTION_BYPASS)
+    {
+        selected_sf_set_action(selected_sf, ACTION_BYPASS_DUE_FAILURE_ACTION);
+        return 1;
+    }
+    else if (sff_exception->fail_action == FAILURE_ACTION_BLOCK)
+    {
+        selected_sf_set_action(selected_sf, ACTION_BLOCK_DUE_FAILURE_ACTION);
+        return 1;
+    }
+    else
+    {
+        return 0;
+    }
+}
+
+static void select_sf_by_ldbc(struct sff_param *sff_param, struct selected_sf *selected_sf, struct session_ctx *s_ctx, UT_array *sf_array, uint64_t hash)
+{
+    struct thread_metrics *thread_metrics = &s_ctx->ref_thread_ctx->thread_metrics;
+
+    while (utarray_len(sf_array))
+    {
+        unsigned int sf_index = (unsigned int)(hash % utarray_len(sf_array));
+        struct sf_param *sf_param = (struct sf_param *)utarray_eltptr(sf_array, sf_index);
+
+        if (sf_param->sf_connectivity.method == ENCAPSULATE_METHOD_LAYER2_SWITCH)
+        {
+            LOG_INFO("%s: session %lu %s select sf by ldbc, sf_profile_id %d to be selected", LOG_TAG_POLICY, s_ctx->session_id, s_ctx->session_addr, sf_param->sf_profile_id);
+            selected_sf_set_action(selected_sf, ACTION_FORWAED_DUE_SELECTED_SF);
+            selected_sf_set_info(selected_sf, sf_param);
+            return;
+        }
+
+        memset(selected_sf->sf_dst_mac, 0, sizeof(selected_sf->sf_dst_mac));
+        if (health_check_session_get_mac(sf_param->health_check_session_id, selected_sf->sf_dst_mac) == 0)
+        {
+            ATOMIC_INC(&(thread_metrics->sf_status.active));
+            LOG_INFO("%s: session %lu %s select sf by ldbc, sf_profile_id %d to be selected", LOG_TAG_POLICY, s_ctx->session_id, s_ctx->session_addr, sf_param->sf_profile_id);
+            selected_sf_set_action(selected_sf, ACTION_FORWAED_DUE_SELECTED_SF);
+            selected_sf_set_info(selected_sf, sf_param);
+            return;
+        }
+        else
+        {
+            ATOMIC_INC(&(thread_metrics->sf_status.inactive));
+            if (handle_fail_action(&sff_param->sff_exception, selected_sf, utarray_len(sf_array) - 1) == 0)
+            {
+                LOG_INFO("%s: session %lu %s select sf by re-dispatch, sf_profile_id %d to be excluded", LOG_TAG_POLICY, s_ctx->session_id, s_ctx->session_addr, sf_param->sf_profile_id);
+                utarray_erase(sf_array, sf_index, 1);
+                continue;
+            }
+            else
+            {
+                LOG_INFO("%s: session %lu %s select sf by fail-action, sf_profile_id %d to be selected", LOG_TAG_POLICY, s_ctx->session_id, s_ctx->session_addr, sf_param->sf_profile_id);
+                selected_sf_set_info(selected_sf, sf_param);
+                return;
+            }
+        }
+    }
+
+    handle_fail_action(&sff_param->sff_exception, selected_sf, 0);
+}
+
+static void select_sf_from_sff(struct policy_enforcer *enforcer, struct sff_param *sff_param, struct selected_sf *selected_sf, struct session_ctx *s_ctx, uint64_t packet_hash)
+{
+    UT_array *sf_array;
+    UT_icd sf_icd = {sizeof(struct sf_param), NULL, NULL, NULL};
+    utarray_new(sf_array, &sf_icd);

    for (int i = 0; i < sff_param->sf_profile_ids_num; i++)
    {
-        memset(&buffer, 0, sizeof(buffer));
-        snprintf(buffer, sizeof(buffer), "%u", sff_param->sf_profile_ids[i]);
-        sf = (struct sf_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->sf_table_id, buffer, strlen(buffer));
+        char profile_id[16] = {0};
+        snprintf(profile_id, sizeof(profile_id), "%u", sff_param->sf_profile_ids[i]);
+
+        struct sf_param *sf = (struct sf_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->sf_table_id, profile_id, strlen(profile_id));
        if (sf == NULL)
        {
            LOG_ERROR("%s: failed to get sf parameter of profile %d", LOG_TAG_POLICY, sff_param->sf_profile_ids[i]);
            continue;
        }

-        if (sff_param->sff_ldbc.localiza == LDBC_LOCALIZATION_NEARBY)
+        if (select_sf_by_admin_status(sf) == 0)
        {
-            if (sf->sf_effective_range.type == EFFECTIVE_TYPE_DEVICE_GROUP)
-            {
-                if (strcasecmp(enforcer->config.device_group, sf->sf_effective_range.value) == 0)
-                {
-                    if (sf->sf_admin_status == ADMMIN_STATUS_ACTIVE)
-                    {
-                        mutable_array_add_elem(array, sff_param->sf_profile_ids[i]);
-                    }
-                }
-            }
-            else
-            {
-                if (strcasecmp(enforcer->config.data_center, sf->sf_effective_range.value) == 0)
-                {
-                    if (sf->sf_admin_status == ADMMIN_STATUS_ACTIVE)
-                    {
-                        mutable_array_add_elem(array, sff_param->sf_profile_ids[i]);
-                    }
-                }
-            }
-        }
-        else
-        {
-            if (sf->sf_admin_status == ADMMIN_STATUS_ACTIVE)
-            {
-                mutable_array_add_elem(array, sff_param->sf_profile_ids[i]);
-            }
-        }
-        sf_param_free(sf);
-    }
-}
-
-// return : SESSION_ACTION_BYPASS, not care selected_sf_profile_id
-// return : SESSION_ACTION_BLOCK,  not care selected_sf_profile_id
-// return : SESSION_ACTION_FORWARD,    care selected_sf_profile_id
-static enum session_action select_sf_by_ldbc(struct policy_enforcer *enforcer, struct session_ctx *s_ctx, struct sff_param *sff_param, struct selected_sf *sf, struct mutable_array *array, uint64_t hash)
-{
-    struct thread_ctx *thread = (struct thread_ctx *)s_ctx->ref_thread_ctx;
-    struct thread_metrics *thread_metrics = &thread->thread_metrics;
-    struct sf_param *sf_param = NULL;
-    char buffer[16];
-
-    sf->sf_profile_id = -1;
-    int sf_profile_id = 0;
-    int sf_profile_index = 0;
-    int sf_profile_num = 0;
-    uint64_t health_check_session_id = 0;
-    enum encapsulate_method encap_method;
-
-    sf_profile_num = mutable_array_count_elem(array);
-
-    while (sf_profile_num)
-    {
-        sf_profile_index = (int)(hash % sf_profile_num);
-        sf_profile_id = mutable_array_index_elem(array, sf_profile_index);
-
-        memset(&buffer, 0, sizeof(buffer));
-        snprintf(buffer, sizeof(buffer), "%u", sf_profile_id);
-        sf_param = (struct sf_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->sf_table_id, buffer, strlen(buffer));
-        if (sf_param == NULL)
-        {
-            LOG_ERROR("%s: failed to get sf parameter of profile %d", LOG_TAG_POLICY, sf_profile_id);
-            mutable_array_del_elem(array, sf_profile_id);
+            LOG_INFO("%s: session %lu %s select sf by admin-status, sf_profile_id %d to be excluded", LOG_TAG_POLICY, s_ctx->session_id, s_ctx->session_addr, sf->sf_profile_id);
+            sf_param_free(sf);
            continue;
        }
-        health_check_session_id = sf_param->health_check_session_id;
-        encap_method = sf_param->sf_connectivity.method;
-        sf_param_free(sf_param);

-        memset(sf->sf_dst_mac, 0, sizeof(sf->sf_dst_mac));
-
-        // VLAN encapsulation not require health check
-        if (encap_method == ENCAPSULATE_METHOD_LAYER2_SWITCH)
+        if (select_sf_by_localization(enforcer, sff_param, sf) == 0)
        {
-            ATOMIC_INC(&(thread_metrics->sf_status.active));
-
-            sf->sf_profile_id = sf_profile_id;
-            sf->sf_action_reason = ACTION_FORWAED_DUE_SELECTED_SF;
-            return SESSION_ACTION_FORWARD;
+            LOG_INFO("%s: session %lu %s select sf by localization, sf_profile_id %d to be excluded", LOG_TAG_POLICY, s_ctx->session_id, s_ctx->session_addr, sf->sf_profile_id);
+            sf_param_free(sf);
+            continue;
        }

-        // VXLAN encapsulation require health check
-        if (health_check_session_get_mac(health_check_session_id, sf->sf_dst_mac) == 0)
-        {
-            ATOMIC_INC(&(thread_metrics->sf_status.active));
-
-            sf->sf_profile_id = sf_profile_id;
-            sf->sf_action_reason = ACTION_FORWAED_DUE_SELECTED_SF;
-            return SESSION_ACTION_FORWARD;
-        }
-        else
-        {
-            ATOMIC_INC(&(thread_metrics->sf_status.inactive));
-
-            if (sff_param->sff_exception.fail_action == FAILURE_ACTION_RE_DISPATCH)
-            {
-                mutable_array_del_elem(array, sf_profile_id);
-                sf_profile_num = mutable_array_count_elem(array);
-
-                if (sff_param->sff_exception.health_service_func_lt > 0 && sf_profile_num < sff_param->sff_exception.health_service_func_lt)
-                {
-                    sf->sf_action_reason = ACTION_BYPASS_DUE_HEALTH_SF_LIMIT;
-                    return SESSION_ACTION_BYPASS;
-                }
-                else
-                {
-                    if (sf_profile_num == 0)
-                    {
-                        if (sff_param->sff_exception.unavail_action == UNAVAILABLE_ACTION_BYPASSS)
-                        {
-                            sf->sf_action_reason = ACTION_BYPASS_DUE_UNAVAILABLE_ACTION;
-                            return SESSION_ACTION_BYPASS;
-                        }
-                        else
-                        {
-                            sf->sf_action_reason = ACTION_BLOCK_DUE_UNAVAILABLE_ACTION;
-                            return SESSION_ACTION_BLOCK;
-                        }
-                    }
-                    else
-                    {
-                        continue;
-                    }
-                }
-            }
-            else if (sff_param->sff_exception.fail_action == FAILURE_ACTION_BYPASS)
-            {
-                sf->sf_profile_id = sf_profile_id;
-                sf->sf_action_reason = ACTION_BYPASS_DUE_FAILURE_ACTION;
-                return SESSION_ACTION_BYPASS;
-            }
-            else if (sff_param->sff_exception.fail_action == FAILURE_ACTION_BLOCK)
-            {
-                sf->sf_profile_id = sf_profile_id;
-                sf->sf_action_reason = ACTION_BLOCK_DUE_FAILURE_ACTION;
-                return SESSION_ACTION_BLOCK;
-            }
-        }
-    };
-
-    sf->sf_action_reason = ACTION_BYPASS_DUE_INVALID_POLICY;
-    return SESSION_ACTION_BYPASS;
-}
-
-static void selected_sf_init(struct selected_sf *item)
-{
-    if (item)
-    {
-        memset(item, 0, sizeof(struct selected_sf));
-        item->rule_vsys_id = 0;
-        item->rule_id = 0;
-        item->traffic_type = TRAFFIC_TYPE_NONE;
-        item->sff_profile_id = -1;
-        item->sff_forward_type = FORWARD_TYPE_NONE;
-        item->sf_need_skip = 0;
-        item->sf_profile_id = -1;
-        item->sf_action = SESSION_ACTION_BYPASS;
-        item->sf_action_reason = ACTION_BYPASS_DUE_DEFAULT;
+        utarray_push_back(sf_array, sf);
+        sf_param_free(sf);
    }
-}

-static void connectivity_copy(struct connectivity *dst, struct connectivity *src)
-{
-    if (dst && src)
-    {
-        dst->method = src->method;
-        dst->int_vlan_tag = src->int_vlan_tag;
-        dst->ext_vlan_tag = src->ext_vlan_tag;
-        memcpy(dst->dest_ip, src->dest_ip, sizeof(dst->dest_ip));
-    }
+    select_sf_by_ldbc(sff_param, selected_sf, s_ctx, sf_array, packet_hash);
+    utarray_free(sf_array);
 }

 /******************************************************************************
- * Public API
+ * Public API -- Utils
 ******************************************************************************/

 const char *traffic_type_to_string(enum traffic_type traffic_type)
@@ -1228,41 +1295,26 @@ const char *forward_type_to_string(enum forward_type forward_type)
    }
 }

-const char *session_action_to_string(enum session_action session_action)
+const char *action_desc_to_string(enum action_desc action_desc)
 {
-    switch (session_action)
-    {
-    case SESSION_ACTION_BYPASS:
-        return "bypass";
-    case SESSION_ACTION_FORWARD:
-        return "forward";
-    case SESSION_ACTION_BLOCK:
-        return "block";
-    default:
-        return "unknown";
-    }
-}
-
-const char *action_reason_to_string(enum action_reason action_reason)
-{
-    switch (action_reason)
+    switch (action_desc)
    {
    case ACTION_BYPASS_DUE_DEFAULT:
-        return "bypass_due_default";
+        return "bypass(default)";
    case ACTION_BYPASS_DUE_HEALTH_SF_LIMIT:
-        return "bypass_due_health_sf_limit";
+        return "bypass(health_sf_limit)";
    case ACTION_BYPASS_DUE_UNAVAILABLE_ACTION:
-        return "bypass_due_unavailable_action";
+        return "bypass(unavailable_action)";
    case ACTION_BYPASS_DUE_FAILURE_ACTION:
-        return "bypass_due_failure_action";
+        return "bypass(failure_action)";
    case ACTION_BYPASS_DUE_INVALID_POLICY:
-        return "bypass_due_invalid_policy";
+        return "bypass(invalid_policy)";
    case ACTION_BLOCK_DUE_UNAVAILABLE_ACTION:
-        return "block_due_unavailable_action";
+        return "block(unavailable_action)";
    case ACTION_BLOCK_DUE_FAILURE_ACTION:
-        return "block_due_failure_action";
+        return "block(failure_action)";
    case ACTION_FORWAED_DUE_SELECTED_SF:
-        return "forward_due_selected_sf";
+        return "forward(selected_sf)";
    default:
        return "unknown";
    }
@@ -1285,6 +1337,10 @@ const char *encapsulate_method_to_string(enum encapsulate_method encap_method)
    }
 }

+/******************************************************************************
+ * Public API -- Selected Chaining
+ ******************************************************************************/
+
 // return  NULL : error
 // return !NULL : success
 struct selected_chaining *selected_chaining_create(int chaining_size, uint64_t session_id, char *session_addr)
@@ -1342,9 +1398,7 @@ void selected_chaining_dump(struct selected_chaining *chaining)
        LOG_DEBUG("%s: session %lu %s selected_chaining->node[%d]->sff_forward_type                    : %s", LOG_TAG_POLICY, chaining->session_id, chaining->session_addr, i, forward_type_to_string(node->sff_forward_type));
        // sf
        LOG_DEBUG("%s: session %lu %s selected_chaining->node[%d]->sf_profile_id                       : %d", LOG_TAG_POLICY, chaining->session_id, chaining->session_addr, i, node->sf_profile_id);
-        LOG_DEBUG("%s: session %lu %s selected_chaining->node[%d]->sf_need_skip                        : %d", LOG_TAG_POLICY, chaining->session_id, chaining->session_addr, i, node->sf_need_skip);
-        LOG_DEBUG("%s: session %lu %s selected_chaining->node[%d]->sf_action                           : %s", LOG_TAG_POLICY, chaining->session_id, chaining->session_addr, i, session_action_to_string(node->sf_action));
-        LOG_DEBUG("%s: session %lu %s selected_chaining->node[%d]->sf_action_reason                    : %s", LOG_TAG_POLICY, chaining->session_id, chaining->session_addr, i, action_reason_to_string(node->sf_action_reason));
+        LOG_DEBUG("%s: session %lu %s selected_chaining->node[%d]->sf_action_desc                      : %s", LOG_TAG_POLICY, chaining->session_id, chaining->session_addr, i, action_desc_to_string(node->sf_action_desc));
        LOG_DEBUG("%s: session %lu %s selected_chaining->node[%d]->sf_connectivity->encapsulate_method : %s", LOG_TAG_POLICY, chaining->session_id, chaining->session_addr, i, encapsulate_method_to_string(node->sf_connectivity.method));
        LOG_DEBUG("%s: session %lu %s selected_chaining->node[%d]->sf_connectivity->int_vlan_tag       : %d", LOG_TAG_POLICY, chaining->session_id, chaining->session_addr, i, node->sf_connectivity.int_vlan_tag);
        LOG_DEBUG("%s: session %lu %s selected_chaining->node[%d]->sf_connectivity->ext_vlan_tag       : %d", LOG_TAG_POLICY, chaining->session_id, chaining->session_addr, i, node->sf_connectivity.ext_vlan_tag);
@@ -1373,9 +1427,9 @@ void selected_chaining_bref(struct selected_chaining *chaining)
                buff_used += snprintf(buff + buff_used, buff_size - buff_used, ",");
            }
            buff_used += snprintf(buff + buff_used, buff_size - buff_used,
-                                  "\"node[%d]\":{\"skip\":%d,\"rule_id\":%lu,\"sff_profile_id\":%d,\"sf_profile_id\":%d,\"traffic_type\":\"%s\",\"sff_forward_type\":\"%s\",\"sf_action\":\"%s\",\"reason\":\"%s\"}",
-                                  i, node->sf_need_skip, node->rule_id, node->sff_profile_id, node->sf_profile_id,
-                                  traffic_type_to_string(node->traffic_type), forward_type_to_string(node->sff_forward_type), session_action_to_string(node->sf_action), action_reason_to_string(node->sf_action_reason));
+                                  "\"node[%d]\":{\"policy\":\"%lu->%d->%d\",\"action\":\"%s->%s->%s\"}",
+                                  i, node->rule_id, node->sff_profile_id, node->sf_profile_id,
+                                  traffic_type_to_string(node->traffic_type), forward_type_to_string(node->sff_forward_type), action_desc_to_string(node->sf_action_desc));
        }
    }
    LOG_INFO("%s: session %lu %s selected_chaining_bref: %s}", LOG_TAG_POLICY, chaining->session_id, chaining->session_addr, buff);
@@ -1390,21 +1444,44 @@ void selected_chaining_uniq(struct selected_chaining *chaining)

    // Selected Service Chaining Before Unique : [1,2,3,1,2]
    // Selected Service Chaining After Unique : [1,2,3]
-    for (int i = 0; i < chaining->chaining_used; i++)
+
+    int i = 0;
+    int j = 0;
+    int k = 0;
+    int is_exist = 0;
+    for (i = 0; i < chaining->chaining_used; i++)
    {
-        struct selected_sf *node_i = &(chaining->chaining[i]);
-        for (int j = 0; j < i; j++)
+        is_exist = 0;
+        for (j = 0; j < i; j++)
        {
-            struct selected_sf *node_j = &(chaining->chaining[j]);
-            if (node_i->sf_profile_id == node_j->sf_profile_id)
+            if (chaining->chaining[i].sf_profile_id == chaining->chaining[j].sf_profile_id && chaining->chaining[i].sf_action == chaining->chaining[j].sf_action)
            {
-                node_i->sf_need_skip = 1;
+                is_exist = 1;
                break;
            }
        }
+        if (is_exist == 0)
+        {
+            if (i != k)
+            {
+                memcpy(&(chaining->chaining[k]), &(chaining->chaining[i]), sizeof(struct selected_sf));
+            }
+            k++;
+        }
+    }
+
+    chaining->chaining_used = k;
+    // Selected Service Chaining After Unique : [1,2,3,1,2] -> [1,2,3,0,0]
+    for (i = chaining->chaining_used; i < chaining->chaining_size; i++)
+    {
+        selected_sf_init(&(chaining->chaining[i]));
    }
 }

+/******************************************************************************
+ * Public API -- Policy Enforcer
+ ******************************************************************************/
+
 // return  NULL : error
 // return !NULL : success
 struct policy_enforcer *policy_enforcer_create(const char *instance, const char *profile, int thread_num, void *logger)
@@ -1607,16 +1684,11 @@ int policy_enforce_chaining_size(struct policy_enforcer *enforcer)

 void policy_enforce_select_chainings(struct policy_enforcer *enforcer, struct selected_chainings *chainings, struct session_ctx *s_ctx, struct data_packet *data_pkt, uint64_t rule_id, int dir_is_i2e)
 {
-    uint64_t hash_value = 0;
    char buffer[16] = {0};
-    struct sf_param *sf_param = NULL;
-    struct sff_param *sff_param = NULL;
-    struct mutable_array array = {0};
-    struct chaining_param *chaining_param = NULL;
    struct selected_chaining *chaining = NULL;

    snprintf(buffer, sizeof(buffer), "%lu", rule_id);
-    chaining_param = (struct chaining_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->compile_table_id, buffer, strlen(buffer));
+    struct chaining_param *chaining_param = (struct chaining_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->compile_table_id, buffer, strlen(buffer));
    if (chaining_param == NULL)
    {
        LOG_ERROR("%s: session %lu %s failed to get chaining parameter of policy %lu", LOG_TAG_POLICY, s_ctx->session_id, s_ctx->session_addr, rule_id);
@@ -1631,95 +1703,44 @@ void policy_enforce_select_chainings(struct policy_enforcer *enforcer, struct se
    {
        chaining = chainings->chaining_decrypted;
    }
-    LOG_INFO("%s: session %lu %s enforce %s chaining rule %lu", LOG_TAG_POLICY, chaining->session_id, chaining->session_addr, traffic_type_to_string(chaining_param->traffic_type), rule_id);
+    LOG_INFO("%s: session %lu %s enforce %s chaining: rule_id %lu", LOG_TAG_POLICY, chaining->session_id, chaining->session_addr, traffic_type_to_string(chaining_param->traffic_type), rule_id);

    for (int i = 0; i < chaining_param->sff_profile_ids_num && chaining->chaining_used < chaining->chaining_size; i++)
    {
-        struct selected_sf *item = &(chaining->chaining[chaining->chaining_used]);
-        selected_sf_init(item);
-
-        item->rule_id = rule_id;
-        item->rule_vsys_id = chaining_param->vsys_id;
-        item->traffic_type = chaining_param->traffic_type;
-        item->sff_profile_id = chaining_param->sff_profile_ids[i];
-        item->sf_index = chaining->chaining_used;
+        struct selected_sf *selected_sf = &(chaining->chaining[chaining->chaining_used]);
+        selected_sf_init(selected_sf);

        memset(buffer, 0, sizeof(buffer));
-        snprintf(buffer, sizeof(buffer), "%u", item->sff_profile_id);
-        sff_param = (struct sff_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->sff_table_id, buffer, strlen(buffer));
+        snprintf(buffer, sizeof(buffer), "%u", chaining_param->sff_profile_ids[i]);
+        struct sff_param *sff_param = (struct sff_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->sff_table_id, buffer, strlen(buffer));
        if (sff_param == NULL)
        {
-            LOG_ERROR("%s: session %lu %s failed to get sff parameter of profile %d, bypass current sff !!!", LOG_TAG_POLICY, chaining->session_id, chaining->session_addr, item->sff_profile_id);
-            item->sf_action = SESSION_ACTION_BYPASS;
-            item->sf_action_reason = ACTION_BYPASS_DUE_INVALID_POLICY;
-            chaining->chaining_used++;
-            continue;
-        }
-        item->sff_forward_type = sff_param->sff_forward_type;
-
-        memset(&array, 0, sizeof(array));
-        mutable_array_init(&array);
-        select_sf_by_nearby_and_adminstatus(enforcer, sff_param, &array);
-        LOG_DEBUG("%s: session %lu %s select sf from chaining rule %lu sff_profile %d, sf_profile_num (before filter: %d -> filter nearby/admin_status: %d)", LOG_TAG_POLICY, chaining->session_id, chaining->session_addr, rule_id, item->sff_profile_id, sff_param->sf_profile_ids_num, mutable_array_count_elem(&array));
-        if (mutable_array_count_elem(&array) == 0)
-        {
-            switch (sff_param->sff_exception.fail_action)
-            {
-            case FAILURE_ACTION_BYPASS:
-                item->sf_action = SESSION_ACTION_BYPASS;
-                item->sf_action_reason = ACTION_BYPASS_DUE_FAILURE_ACTION;
-                break;
-            case FAILURE_ACTION_BLOCK:
-                item->sf_action = SESSION_ACTION_BLOCK;
-                item->sf_action_reason = ACTION_BLOCK_DUE_FAILURE_ACTION;
-                break;
-            case FAILURE_ACTION_RE_DISPATCH:
-                if (sff_param->sff_exception.unavail_action == UNAVAILABLE_ACTION_BYPASSS)
-                {
-                    item->sf_action = SESSION_ACTION_BYPASS;
-                    item->sf_action_reason = ACTION_BYPASS_DUE_UNAVAILABLE_ACTION;
-                }
-                else // UNAVAILABLE_ACTION_BLOCK
-                {
-                    item->sf_action = SESSION_ACTION_BLOCK;
-                    item->sf_action_reason = ACTION_BLOCK_DUE_UNAVAILABLE_ACTION;
-                }
-                break;
-            }
-            LOG_DEBUG("%s: session %lu %s rule_id %lu sff_profile_id %d, no sf available after filtering by 'nearby & admin_status', %s", LOG_TAG_POLICY, chaining->session_id, chaining->session_addr, rule_id, item->sff_profile_id, action_reason_to_string(item->sf_action_reason));
-            chaining->chaining_used++;
-            sff_param_free(sff_param);
+            LOG_ERROR("%s: session %lu %s failed to get sff parameter of profile %d, bypass current sff !!!", LOG_TAG_POLICY, chaining->session_id, chaining->session_addr, chaining_param->sff_profile_ids[i]);
            continue;
        }

-        hash_value = data_packet_get_hash(data_pkt, sff_param->sff_ldbc.method, dir_is_i2e);
-        item->sf_action = select_sf_by_ldbc(enforcer, s_ctx, sff_param, item, &array, hash_value);
-        if (item->sf_action != SESSION_ACTION_FORWARD)
-        {
-            chaining->chaining_used++;
-            sff_param_free(sff_param);
-            continue;
-        }
+        // sc info
+        selected_sf->rule_id = rule_id;
+        selected_sf->rule_vsys_id = chaining_param->vsys_id;
+        selected_sf->traffic_type = chaining_param->traffic_type;

-        memset(&buffer, 0, sizeof(buffer));
-        snprintf(buffer, sizeof(buffer), "%u", item->sf_profile_id);
-        sf_param = (struct sf_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->sf_table_id, buffer, strlen(buffer));
-        if (sf_param == NULL)
-        {
-            LOG_ERROR("%s: session %lu %s failed to get sf parameter of profile %d, bypass current sff !!!", LOG_TAG_POLICY, chaining->session_id, chaining->session_addr, item->sf_profile_id);
-            item->sf_action = SESSION_ACTION_BYPASS;
-            item->sf_action_reason = ACTION_BYPASS_DUE_INVALID_POLICY;
-            chaining->chaining_used++;
-            sff_param_free(sff_param);
-            continue;
-        }
+        // sff info
+        selected_sf->sff_profile_id = chaining_param->sff_profile_ids[i];
+        selected_sf->sff_forward_type = sff_param->sff_forward_type;
+
+        // sf_index
+        selected_sf->sf_index = chaining->chaining_used;
+
+        uint64_t packet_hash = data_packet_get_hash(data_pkt, sff_param->sff_ldbc.method, dir_is_i2e);
+        select_sf_from_sff(enforcer, sff_param, selected_sf, s_ctx, packet_hash);
+
+        LOG_INFO("%s: session %lu %s enforce chaining [%d/%d]: policy: %lu->%d->%d, action: %s->%s->%s",
+                 LOG_TAG_POLICY, chaining->session_id, chaining->session_addr,
+                 selected_sf->sf_index, chaining->chaining_size,
+                 selected_sf->rule_id, selected_sf->sff_profile_id, selected_sf->sf_profile_id,
+                 traffic_type_to_string(chaining_param->traffic_type), forward_type_to_string(selected_sf->sff_forward_type), action_desc_to_string(selected_sf->sf_action_desc));

-        item->sf_vsys_id = sf_param->sf_vsys_id;
-        connectivity_copy(&item->sf_connectivity, &sf_param->sf_connectivity);
-        item->sf_dst_ip = inet_addr(sf_param->sf_connectivity.dest_ip);
        chaining->chaining_used++;
-
-        sf_param_free(sf_param);
        sff_param_free(sff_param);
    }

--- a/platform/test/gtest_policy.cpp
+++ b/platform/test/gtest_policy.cpp
@@ -14,17 +14,647 @@ unsigned char data1[] = {
 	0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd,
 	0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd};

-TEST(POLICY, SELECTED_CHAINING_LIFE_CYCLE)
+// 都不同
+TEST(POLICY, SELECTED_CHAINING1)
 {
-	struct selected_chaining *chaining = NULL;
+	struct selected_chaining *chainings = NULL;

-	chaining = selected_chaining_create(128, 1, (char *)"1.1.1.1 11 2.2.2.2 22");
-	EXPECT_TRUE(chaining != nullptr);
+	chainings = selected_chaining_create(3, 1, (char *)"1.1.1.1 11 2.2.2.2 22");
+	EXPECT_TRUE(chainings != nullptr);

-	selected_chaining_destory(chaining);
+	chainings->chaining[chainings->chaining_used++].sf_profile_id = 1;
+	chainings->chaining[chainings->chaining_used++].sf_profile_id = 2;
+	chainings->chaining[chainings->chaining_used++].sf_profile_id = 3;
+
+	selected_chaining_uniq(chainings);
+	selected_chaining_dump(chainings);
+
+	EXPECT_TRUE(chainings->chaining_used == 3);
+	EXPECT_TRUE(chainings->chaining[0].sf_profile_id == 1);
+	EXPECT_TRUE(chainings->chaining[1].sf_profile_id == 2);
+	EXPECT_TRUE(chainings->chaining[2].sf_profile_id == 3);
+
+	selected_chaining_destory(chainings);
 }

-TEST(POLICY, POLICY_ENFORCER_LIFE_CYCLE)
+// 都相同
+TEST(POLICY, SELECTED_CHAINING2)
+{
+	struct selected_chaining *chainings = NULL;
+
+	chainings = selected_chaining_create(3, 1, (char *)"1.1.1.1 11 2.2.2.2 22");
+	EXPECT_TRUE(chainings != nullptr);
+
+	chainings->chaining[chainings->chaining_used++].sf_profile_id = 1;
+	chainings->chaining[chainings->chaining_used++].sf_profile_id = 1;
+	chainings->chaining[chainings->chaining_used++].sf_profile_id = 1;
+
+	selected_chaining_uniq(chainings);
+	selected_chaining_dump(chainings);
+
+	EXPECT_TRUE(chainings->chaining_used == 1);
+	EXPECT_TRUE(chainings->chaining[0].sf_profile_id == 1);
+
+	selected_chaining_destory(chainings);
+}
+
+// 两个相同 (1,2相同)
+TEST(POLICY, SELECTED_CHAINING3)
+{
+	struct selected_chaining *chainings = NULL;
+
+	chainings = selected_chaining_create(3, 1, (char *)"1.1.1.1 11 2.2.2.2 22");
+	EXPECT_TRUE(chainings != nullptr);
+
+	chainings->chaining[chainings->chaining_used++].sf_profile_id = 1;
+	chainings->chaining[chainings->chaining_used++].sf_profile_id = 1;
+	chainings->chaining[chainings->chaining_used++].sf_profile_id = 2;
+
+	selected_chaining_uniq(chainings);
+	selected_chaining_dump(chainings);
+
+	EXPECT_TRUE(chainings->chaining_used == 2);
+	EXPECT_TRUE(chainings->chaining[0].sf_profile_id == 1);
+	EXPECT_TRUE(chainings->chaining[1].sf_profile_id == 2);
+
+	selected_chaining_destory(chainings);
+}
+
+// 两个相同 (1,3相同)
+TEST(POLICY, SELECTED_CHAINING4)
+{
+	struct selected_chaining *chainings = NULL;
+
+	chainings = selected_chaining_create(3, 1, (char *)"1.1.1.1 11 2.2.2.2 22");
+	EXPECT_TRUE(chainings != nullptr);
+
+	chainings->chaining[chainings->chaining_used++].sf_profile_id = 1;
+	chainings->chaining[chainings->chaining_used++].sf_profile_id = 2;
+	chainings->chaining[chainings->chaining_used++].sf_profile_id = 1;
+
+	selected_chaining_uniq(chainings);
+	selected_chaining_dump(chainings);
+
+	EXPECT_TRUE(chainings->chaining_used == 2);
+	EXPECT_TRUE(chainings->chaining[0].sf_profile_id == 1);
+	EXPECT_TRUE(chainings->chaining[1].sf_profile_id == 2);
+
+	selected_chaining_destory(chainings);
+}
+
+// 两个相同 (2，3相同)
+TEST(POLICY, SELECTED_CHAINING5)
+{
+	struct selected_chaining *chainings = NULL;
+
+	chainings = selected_chaining_create(3, 1, (char *)"1.1.1.1 11 2.2.2.2 22");
+	EXPECT_TRUE(chainings != nullptr);
+
+	chainings->chaining[chainings->chaining_used++].sf_profile_id = 2;
+	chainings->chaining[chainings->chaining_used++].sf_profile_id = 1;
+	chainings->chaining[chainings->chaining_used++].sf_profile_id = 1;
+
+	selected_chaining_uniq(chainings);
+	selected_chaining_dump(chainings);
+
+	EXPECT_TRUE(chainings->chaining_used == 2);
+	EXPECT_TRUE(chainings->chaining[0].sf_profile_id == 2);
+	EXPECT_TRUE(chainings->chaining[1].sf_profile_id == 1);
+
+	selected_chaining_destory(chainings);
+}
+
+// 没有数据
+TEST(POLICY, SELECTED_CHAINING6)
+{
+	struct selected_chaining *chainings = NULL;
+
+	chainings = selected_chaining_create(3, 1, (char *)"1.1.1.1 11 2.2.2.2 22");
+	EXPECT_TRUE(chainings != nullptr);
+
+	selected_chaining_uniq(chainings);
+	selected_chaining_dump(chainings);
+
+	EXPECT_TRUE(chainings->chaining_used == 0);
+
+	selected_chaining_destory(chainings);
+}
+
+// 只有一个
+TEST(POLICY, SELECTED_CHAINING7)
+{
+	struct selected_chaining *chainings = NULL;
+
+	chainings = selected_chaining_create(3, 1, (char *)"1.1.1.1 11 2.2.2.2 22");
+	EXPECT_TRUE(chainings != nullptr);
+
+	chainings->chaining[chainings->chaining_used++].sf_profile_id = 1;
+
+	selected_chaining_uniq(chainings);
+	selected_chaining_dump(chainings);
+
+	EXPECT_TRUE(chainings->chaining_used == 1);
+	EXPECT_TRUE(chainings->chaining[0].sf_profile_id == 1);
+
+	selected_chaining_destory(chainings);
+}
+
+#if 1
+TEST(POLICY, POLICY_ENFORCER_RAW_TRAFFIC1)
+{
+	struct global_metrics global_metrics;
+	struct thread_ctx t_ctx;
+	struct session_ctx s_ctx;
+
+	t_ctx.ref_global_metrics = &global_metrics;
+	s_ctx.ref_thread_ctx = &t_ctx;
+	s_ctx.session_id = 1;
+	s_ctx.session_addr = (char *)"1.1.1.1 11 2.2.2.2 22";
+
+	struct data_packet handler;
+
+	const void *payload = data_packet_parse(&handler, (const void *)data1, sizeof(data1), 0);
+	EXPECT_TRUE(payload != nullptr);
+	EXPECT_TRUE((char *)payload - (char *)&data1 == 70);
+
+	const char *profile = "./test_resource/sce.conf";
+	struct policy_enforcer *enforcer = policy_enforcer_create("SCE", profile, 8, NULL);
+	EXPECT_TRUE(enforcer != nullptr);
+	EXPECT_TRUE(policy_enforcer_register(enforcer) == 0);
+
+	int dir_is_i2e = 1;
+	struct selected_chainings chainings;
+	chainings.chaining_raw = selected_chaining_create(64, s_ctx.session_id, s_ctx.session_addr);
+	policy_enforce_select_chainings(enforcer, &chainings, &s_ctx, &handler, 1, dir_is_i2e);
+
+	/*
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 1, sff_profile_id 1, sf_profile_id -1, sf_action bypass, sf_action_desc bypass_due_failure_action
+	*/
+
+	EXPECT_TRUE(chainings.chaining_raw->chaining_used == 1);
+
+	EXPECT_TRUE(chainings.chaining_raw->chaining[0].rule_id == 1);
+	EXPECT_TRUE(chainings.chaining_raw->chaining[0].sff_profile_id == 1);
+	EXPECT_TRUE(chainings.chaining_raw->chaining[0].sf_profile_id == -1);
+	EXPECT_TRUE(chainings.chaining_raw->chaining[0].sf_action == SESSION_ACTION_BYPASS);
+	EXPECT_TRUE(chainings.chaining_raw->chaining[0].sf_action_desc == ACTION_BYPASS_DUE_FAILURE_ACTION);
+
+	selected_chaining_dump(chainings.chaining_raw);
+	selected_chaining_bref(chainings.chaining_raw);
+	selected_chaining_destory(chainings.chaining_raw);
+
+	printf("Before Sleep\n");
+	sleep(1);
+	printf("After Sleep\n");
+
+	policy_enforcer_destory(enforcer);
+}
+#endif
+
+#if 1
+TEST(POLICY, POLICY_ENFORCER_RAW_TRAFFIC2)
+{
+	struct global_metrics global_metrics;
+	struct thread_ctx t_ctx;
+	struct session_ctx s_ctx;
+
+	t_ctx.ref_global_metrics = &global_metrics;
+	s_ctx.ref_thread_ctx = &t_ctx;
+	s_ctx.session_id = 1;
+	s_ctx.session_addr = (char *)"1.1.1.1 11 2.2.2.2 22";
+
+	struct data_packet handler;
+
+	const void *payload = data_packet_parse(&handler, (const void *)data1, sizeof(data1), 0);
+	EXPECT_TRUE(payload != nullptr);
+	EXPECT_TRUE((char *)payload - (char *)&data1 == 70);
+
+	const char *profile = "./test_resource/sce.conf";
+	struct policy_enforcer *enforcer = policy_enforcer_create("SCE", profile, 8, NULL);
+	EXPECT_TRUE(enforcer != nullptr);
+	EXPECT_TRUE(policy_enforcer_register(enforcer) == 0);
+
+	int dir_is_i2e = 1;
+	struct selected_chainings chainings;
+	chainings.chaining_raw = selected_chaining_create(64, s_ctx.session_id, s_ctx.session_addr);
+	policy_enforce_select_chainings(enforcer, &chainings, &s_ctx, &handler, 2, dir_is_i2e);
+
+	/*
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 1, sf_profile_id -1, sf_action bypass, sf_action_desc bypass_due_failure_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 2 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 3 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 4 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 5 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 6 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by admin-status, sf_profile_id 7 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by admin-status, sf_profile_id 8 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 2, sf_profile_id -1, sf_action bypass, sf_action_desc bypass_due_failure_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 3, sf_profile_id -1, sf_action block, sf_action_desc block_due_failure_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 2 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 3 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 4, sf_profile_id -1, sf_action bypass, sf_action_desc bypass_due_health_sf_limit
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 2 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 3 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 5, sf_profile_id -1, sf_action block, sf_action_desc block_due_unavailable_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 6, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 7, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 8, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 9, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 10, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
+	*/
+
+	EXPECT_TRUE(chainings.chaining_raw->chaining_used == 3);
+
+	EXPECT_TRUE(chainings.chaining_raw->chaining[0].rule_id == 2);
+	EXPECT_TRUE(chainings.chaining_raw->chaining[0].sff_profile_id == 1);
+	EXPECT_TRUE(chainings.chaining_raw->chaining[0].sf_profile_id == -1);
+	EXPECT_TRUE(chainings.chaining_raw->chaining[0].sf_action == SESSION_ACTION_BYPASS);
+	EXPECT_TRUE(chainings.chaining_raw->chaining[0].sf_action_desc == ACTION_BYPASS_DUE_FAILURE_ACTION);
+
+	EXPECT_TRUE(chainings.chaining_raw->chaining[1].rule_id == 2);
+	EXPECT_TRUE(chainings.chaining_raw->chaining[1].sff_profile_id == 3);
+	EXPECT_TRUE(chainings.chaining_raw->chaining[1].sf_profile_id == -1);
+	EXPECT_TRUE(chainings.chaining_raw->chaining[1].sf_action == SESSION_ACTION_BLOCK);
+	EXPECT_TRUE(chainings.chaining_raw->chaining[1].sf_action_desc == ACTION_BLOCK_DUE_FAILURE_ACTION);
+
+	EXPECT_TRUE(chainings.chaining_raw->chaining[2].rule_id == 2);
+	EXPECT_TRUE(chainings.chaining_raw->chaining[2].sff_profile_id == 6);
+	EXPECT_TRUE(chainings.chaining_raw->chaining[2].sf_profile_id == 1);
+	EXPECT_TRUE(chainings.chaining_raw->chaining[2].sf_action == SESSION_ACTION_BLOCK);
+	EXPECT_TRUE(chainings.chaining_raw->chaining[2].sf_action_desc == ACTION_BLOCK_DUE_FAILURE_ACTION);
+
+	selected_chaining_dump(chainings.chaining_raw);
+	selected_chaining_bref(chainings.chaining_raw);
+	selected_chaining_destory(chainings.chaining_raw);
+
+	printf("Before Sleep\n");
+	sleep(1);
+	printf("After Sleep\n");
+
+	policy_enforcer_destory(enforcer);
+}
+#endif
+
+#if 1
+TEST(POLICY, POLICY_ENFORCER_RAW_TRAFFIC_MUTIL_HITS)
+{
+	struct global_metrics global_metrics;
+	struct thread_ctx t_ctx;
+	struct session_ctx s_ctx;
+
+	t_ctx.ref_global_metrics = &global_metrics;
+	s_ctx.ref_thread_ctx = &t_ctx;
+	s_ctx.session_id = 1;
+	s_ctx.session_addr = (char *)"1.1.1.1 11 2.2.2.2 22";
+
+	struct data_packet handler;
+
+	const void *payload = data_packet_parse(&handler, (const void *)data1, sizeof(data1), 0);
+	EXPECT_TRUE(payload != nullptr);
+	EXPECT_TRUE((char *)payload - (char *)&data1 == 70);
+
+	const char *profile = "./test_resource/sce.conf";
+	struct policy_enforcer *enforcer = policy_enforcer_create("SCE", profile, 8, NULL);
+	EXPECT_TRUE(enforcer != nullptr);
+	EXPECT_TRUE(policy_enforcer_register(enforcer) == 0);
+
+	int dir_is_i2e = 1;
+	struct selected_chainings chainings;
+	chainings.chaining_raw = selected_chaining_create(64, s_ctx.session_id, s_ctx.session_addr);
+	policy_enforce_select_chainings(enforcer, &chainings, &s_ctx, &handler, 1, dir_is_i2e);
+	policy_enforce_select_chainings(enforcer, &chainings, &s_ctx, &handler, 2, dir_is_i2e);
+
+	/*
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 1
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 1, sff_profile_id 1, sf_profile_id -1, sf_action bypass, sf_action_desc bypass_due_failure_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 1, sf_profile_id -1, sf_action bypass, sf_action_desc bypass_due_failure_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 2 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 3 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 4 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 5 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 6 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by admin-status, sf_profile_id 7 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by admin-status, sf_profile_id 8 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 2, sf_profile_id -1, sf_action bypass, sf_action_desc bypass_due_failure_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 3, sf_profile_id -1, sf_action block, sf_action_desc block_due_failure_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 2 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 3 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 4, sf_profile_id -1, sf_action bypass, sf_action_desc bypass_due_health_sf_limit
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 2 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 3 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 5, sf_profile_id -1, sf_action block, sf_action_desc block_due_unavailable_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 6, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 7, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 8, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 9, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 10, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
+	*/
+
+	EXPECT_TRUE(chainings.chaining_raw->chaining_used == 3);
+
+	EXPECT_TRUE(chainings.chaining_raw->chaining[0].rule_id == 1);
+	EXPECT_TRUE(chainings.chaining_raw->chaining[0].sff_profile_id == 1);
+	EXPECT_TRUE(chainings.chaining_raw->chaining[0].sf_profile_id == -1);
+	EXPECT_TRUE(chainings.chaining_raw->chaining[0].sf_action == SESSION_ACTION_BYPASS);
+	EXPECT_TRUE(chainings.chaining_raw->chaining[0].sf_action_desc == ACTION_BYPASS_DUE_FAILURE_ACTION);
+
+	EXPECT_TRUE(chainings.chaining_raw->chaining[1].rule_id == 2);
+	EXPECT_TRUE(chainings.chaining_raw->chaining[1].sff_profile_id == 3);
+	EXPECT_TRUE(chainings.chaining_raw->chaining[1].sf_profile_id == -1);
+	EXPECT_TRUE(chainings.chaining_raw->chaining[1].sf_action == SESSION_ACTION_BLOCK);
+	EXPECT_TRUE(chainings.chaining_raw->chaining[1].sf_action_desc == ACTION_BLOCK_DUE_FAILURE_ACTION);
+
+	EXPECT_TRUE(chainings.chaining_raw->chaining[2].rule_id == 2);
+	EXPECT_TRUE(chainings.chaining_raw->chaining[2].sff_profile_id == 6);
+	EXPECT_TRUE(chainings.chaining_raw->chaining[2].sf_profile_id == 1);
+	EXPECT_TRUE(chainings.chaining_raw->chaining[2].sf_action == SESSION_ACTION_BLOCK);
+	EXPECT_TRUE(chainings.chaining_raw->chaining[2].sf_action_desc == ACTION_BLOCK_DUE_FAILURE_ACTION);
+
+	selected_chaining_dump(chainings.chaining_raw);
+	selected_chaining_bref(chainings.chaining_raw);
+	selected_chaining_destory(chainings.chaining_raw);
+
+	printf("Before Sleep\n");
+	sleep(1);
+	printf("After Sleep\n");
+
+	policy_enforcer_destory(enforcer);
+}
+#endif
+
+#if 1
+TEST(POLICY, POLICY_ENFORCER_DECRYPTED_TRAFFIC1)
+{
+	struct global_metrics global_metrics;
+	struct thread_ctx t_ctx;
+	struct session_ctx s_ctx;
+
+	t_ctx.ref_global_metrics = &global_metrics;
+	s_ctx.ref_thread_ctx = &t_ctx;
+	s_ctx.session_id = 1;
+	s_ctx.session_addr = (char *)"1.1.1.1 11 2.2.2.2 22";
+
+	struct data_packet handler;
+
+	const void *payload = data_packet_parse(&handler, (const void *)data1, sizeof(data1), 0);
+	EXPECT_TRUE(payload != nullptr);
+	EXPECT_TRUE((char *)payload - (char *)&data1 == 70);
+
+	const char *profile = "./test_resource/sce.conf";
+	struct policy_enforcer *enforcer = policy_enforcer_create("SCE", profile, 8, NULL);
+	EXPECT_TRUE(enforcer != nullptr);
+	EXPECT_TRUE(policy_enforcer_register(enforcer) == 0);
+
+	int dir_is_i2e = 1;
+	struct selected_chainings chainings;
+	chainings.chaining_decrypted = selected_chaining_create(64, s_ctx.session_id, s_ctx.session_addr);
+	policy_enforce_select_chainings(enforcer, &chainings, &s_ctx, &handler, 11, dir_is_i2e);
+
+	/*
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 11
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 11, sff_profile_id 1, sf_profile_id -1, sf_action bypass, sf_action_desc bypass_due_failure_action
+	*/
+
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining_used == 1);
+
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining[0].rule_id == 11);
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining[0].sff_profile_id == 1);
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining[0].sf_profile_id == -1);
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining[0].sf_action == SESSION_ACTION_BYPASS);
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining[0].sf_action_desc == ACTION_BYPASS_DUE_FAILURE_ACTION);
+
+	selected_chaining_dump(chainings.chaining_decrypted);
+	selected_chaining_bref(chainings.chaining_decrypted);
+	selected_chaining_destory(chainings.chaining_decrypted);
+
+	printf("Before Sleep\n");
+	sleep(1);
+	printf("After Sleep\n");
+
+	policy_enforcer_destory(enforcer);
+}
+#endif
+
+#if 1
+TEST(POLICY, POLICY_ENFORCER_DECRYPTED_TRAFFIC2)
+{
+	struct global_metrics global_metrics;
+	struct thread_ctx t_ctx;
+	struct session_ctx s_ctx;
+
+	t_ctx.ref_global_metrics = &global_metrics;
+	s_ctx.ref_thread_ctx = &t_ctx;
+	s_ctx.session_id = 1;
+	s_ctx.session_addr = (char *)"1.1.1.1 11 2.2.2.2 22";
+
+	struct data_packet handler;
+
+	const void *payload = data_packet_parse(&handler, (const void *)data1, sizeof(data1), 0);
+	EXPECT_TRUE(payload != nullptr);
+	EXPECT_TRUE((char *)payload - (char *)&data1 == 70);
+
+	const char *profile = "./test_resource/sce.conf";
+	struct policy_enforcer *enforcer = policy_enforcer_create("SCE", profile, 8, NULL);
+	EXPECT_TRUE(enforcer != nullptr);
+	EXPECT_TRUE(policy_enforcer_register(enforcer) == 0);
+
+	int dir_is_i2e = 1;
+	struct selected_chainings chainings;
+	chainings.chaining_decrypted = selected_chaining_create(64, s_ctx.session_id, s_ctx.session_addr);
+	policy_enforce_select_chainings(enforcer, &chainings, &s_ctx, &handler, 12, dir_is_i2e);
+
+	/*
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 1, sf_profile_id -1, sf_action bypass, sf_action_desc bypass_due_failure_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 2 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 3 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 4 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 5 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 6 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by admin-status, sf_profile_id 7 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by admin-status, sf_profile_id 8 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 2, sf_profile_id -1, sf_action bypass, sf_action_desc bypass_due_failure_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 3, sf_profile_id -1, sf_action block, sf_action_desc block_due_failure_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 2 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 3 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 4, sf_profile_id -1, sf_action bypass, sf_action_desc bypass_due_health_sf_limit
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 2 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 3 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 5, sf_profile_id -1, sf_action block, sf_action_desc block_due_unavailable_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 6, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 7, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 8, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 9, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 10, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
+	*/
+
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining_used == 3);
+
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining[0].rule_id == 12);
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining[0].sff_profile_id == 1);
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining[0].sf_profile_id == -1);
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining[0].sf_action == SESSION_ACTION_BYPASS);
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining[0].sf_action_desc == ACTION_BYPASS_DUE_FAILURE_ACTION);
+
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining[1].rule_id == 12);
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining[1].sff_profile_id == 3);
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining[1].sf_profile_id == -1);
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining[1].sf_action == SESSION_ACTION_BLOCK);
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining[1].sf_action_desc == ACTION_BLOCK_DUE_FAILURE_ACTION);
+
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining[2].rule_id == 12);
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining[2].sff_profile_id == 6);
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining[2].sf_profile_id == 1);
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining[2].sf_action == SESSION_ACTION_BLOCK);
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining[2].sf_action_desc == ACTION_BLOCK_DUE_FAILURE_ACTION);
+
+	selected_chaining_dump(chainings.chaining_decrypted);
+	selected_chaining_bref(chainings.chaining_decrypted);
+	selected_chaining_destory(chainings.chaining_decrypted);
+
+	printf("Before Sleep\n");
+	sleep(1);
+	printf("After Sleep\n");
+
+	policy_enforcer_destory(enforcer);
+}
+#endif
+
+#if 1
+TEST(POLICY, POLICY_ENFORCER_DECRYPTED_TRAFFIC_MUTIL_HITS)
+{
+	struct global_metrics global_metrics;
+	struct thread_ctx t_ctx;
+	struct session_ctx s_ctx;
+
+	t_ctx.ref_global_metrics = &global_metrics;
+	s_ctx.ref_thread_ctx = &t_ctx;
+	s_ctx.session_id = 1;
+	s_ctx.session_addr = (char *)"1.1.1.1 11 2.2.2.2 22";
+
+	struct data_packet handler;
+
+	const void *payload = data_packet_parse(&handler, (const void *)data1, sizeof(data1), 0);
+	EXPECT_TRUE(payload != nullptr);
+	EXPECT_TRUE((char *)payload - (char *)&data1 == 70);
+
+	const char *profile = "./test_resource/sce.conf";
+	struct policy_enforcer *enforcer = policy_enforcer_create("SCE", profile, 8, NULL);
+	EXPECT_TRUE(enforcer != nullptr);
+	EXPECT_TRUE(policy_enforcer_register(enforcer) == 0);
+
+	int dir_is_i2e = 1;
+	struct selected_chainings chainings;
+	chainings.chaining_decrypted = selected_chaining_create(64, s_ctx.session_id, s_ctx.session_addr);
+	policy_enforce_select_chainings(enforcer, &chainings, &s_ctx, &handler, 11, dir_is_i2e);
+	policy_enforce_select_chainings(enforcer, &chainings, &s_ctx, &handler, 12, dir_is_i2e);
+
+	/*
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 11
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 11, sff_profile_id 1, sf_profile_id -1, sf_action bypass, sf_action_desc bypass_due_failure_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 1, sf_profile_id -1, sf_action bypass, sf_action_desc bypass_due_failure_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 2 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 3 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 4 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 5 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 6 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by admin-status, sf_profile_id 7 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by admin-status, sf_profile_id 8 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 2, sf_profile_id -1, sf_action bypass, sf_action_desc bypass_due_failure_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 3, sf_profile_id -1, sf_action block, sf_action_desc block_due_failure_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 2 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 3 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 4, sf_profile_id -1, sf_action bypass, sf_action_desc bypass_due_health_sf_limit
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 2 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 3 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 5, sf_profile_id -1, sf_action block, sf_action_desc block_due_unavailable_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 6, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 7, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 8, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 9, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 10, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
+	*/
+
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining_used == 3);
+
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining[0].rule_id == 11);
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining[0].sff_profile_id == 1);
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining[0].sf_profile_id == -1);
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining[0].sf_action == SESSION_ACTION_BYPASS);
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining[0].sf_action_desc == ACTION_BYPASS_DUE_FAILURE_ACTION);
+
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining[1].rule_id == 12);
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining[1].sff_profile_id == 3);
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining[1].sf_profile_id == -1);
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining[1].sf_action == SESSION_ACTION_BLOCK);
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining[1].sf_action_desc == ACTION_BLOCK_DUE_FAILURE_ACTION);
+
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining[2].rule_id == 12);
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining[2].sff_profile_id == 6);
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining[2].sf_profile_id == 1);
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining[2].sf_action == SESSION_ACTION_BLOCK);
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining[2].sf_action_desc == ACTION_BLOCK_DUE_FAILURE_ACTION);
+
+	selected_chaining_dump(chainings.chaining_decrypted);
+	selected_chaining_bref(chainings.chaining_decrypted);
+	selected_chaining_destory(chainings.chaining_decrypted);
+
+	printf("Before Sleep\n");
+	sleep(1);
+	printf("After Sleep\n");
+
+	policy_enforcer_destory(enforcer);
+}
+#endif
+
+#if 1
+TEST(POLICY, POLICY_ENFORCER_MIX_TRAFFIC_MUTIL_HITS)
 {
 	struct global_metrics global_metrics;
 	struct thread_ctx t_ctx;
@@ -50,25 +680,151 @@ TEST(POLICY, POLICY_ENFORCER_LIFE_CYCLE)
 	struct selected_chainings chainings;
 	chainings.chaining_raw = selected_chaining_create(64, s_ctx.session_id, s_ctx.session_addr);
 	chainings.chaining_decrypted = selected_chaining_create(64, s_ctx.session_id, s_ctx.session_addr);
+	// raw traffic multi hits
 	policy_enforce_select_chainings(enforcer, &chainings, &s_ctx, &handler, 1, dir_is_i2e);
 	policy_enforce_select_chainings(enforcer, &chainings, &s_ctx, &handler, 2, dir_is_i2e);
+	// decrypted traffic multi hits
 	policy_enforce_select_chainings(enforcer, &chainings, &s_ctx, &handler, 11, dir_is_i2e);
 	policy_enforce_select_chainings(enforcer, &chainings, &s_ctx, &handler, 12, dir_is_i2e);

+	/*
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 1
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 1, sff_profile_id 1, sf_profile_id -1, sf_action bypass, sf_action_desc bypass_due_failure_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 1, sf_profile_id -1, sf_action bypass, sf_action_desc bypass_due_failure_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 2 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 3 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 4 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 5 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 6 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by admin-status, sf_profile_id 7 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by admin-status, sf_profile_id 8 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 2, sf_profile_id -1, sf_action bypass, sf_action_desc bypass_due_failure_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 3, sf_profile_id -1, sf_action block, sf_action_desc block_due_failure_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 2 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 3 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 4, sf_profile_id -1, sf_action bypass, sf_action_desc bypass_due_health_sf_limit
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 2 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 3 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 5, sf_profile_id -1, sf_action block, sf_action_desc block_due_unavailable_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 6, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 7, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 8, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 9, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 10, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 11
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 11, sff_profile_id 1, sf_profile_id -1, sf_action bypass, sf_action_desc bypass_due_failure_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 1, sf_profile_id -1, sf_action bypass, sf_action_desc bypass_due_failure_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 2 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 3 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 4 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 5 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 6 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by admin-status, sf_profile_id 7 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by admin-status, sf_profile_id 8 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 2, sf_profile_id -1, sf_action bypass, sf_action_desc bypass_due_failure_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 3, sf_profile_id -1, sf_action block, sf_action_desc block_due_failure_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 2 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 3 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 4, sf_profile_id -1, sf_action bypass, sf_action_desc bypass_due_health_sf_limit
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 2 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 3 to be excluded
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 5, sf_profile_id -1, sf_action block, sf_action_desc block_due_unavailable_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 6, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 7, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 8, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 9, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 10, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 selected_chaining_bref: chaining_size:64, chaining_used:3, {
+		"node[0]":{"rule_id":1,"sff_profile_id":1,"sf_profile_id":-1,"traffic_type":"raw","sff_forward_type":"steering","sf_action":"bypass","reason":"bypass_due_failure_action"},
+		"node[1]":{"rule_id":2,"sff_profile_id":3,"sf_profile_id":-1,"traffic_type":"raw","sff_forward_type":"steering","sf_action":"block","reason":"block_due_failure_action"},
+		"node[2]":{"rule_id":2,"sff_profile_id":6,"sf_profile_id":1,"traffic_type":"raw","sff_forward_type":"steering","sf_action":"block","reason":"block_due_failure_action"}}
+	POLICY: session 1 1.1.1.1 11 2.2.2.2 22 selected_chaining_bref: chaining_size:64, chaining_used:3, {
+		"node[0]":{"rule_id":11,"sff_profile_id":1,"sf_profile_id":-1,"traffic_type":"decrypted","sff_forward_type":"steering","sf_action":"bypass","reason":"bypass_due_failure_action"},
+		"node[1]":{"rule_id":12,"sff_profile_id":3,"sf_profile_id":-1,"traffic_type":"decrypted","sff_forward_type":"steering","sf_action":"block","reason":"block_due_failure_action"},
+		"node[2]":{"rule_id":12,"sff_profile_id":6,"sf_profile_id":1,"traffic_type":"decrypted","sff_forward_type":"steering","sf_action":"block","reason":"block_due_failure_action"}}
+	*/
+
+	// raw traffic
+	EXPECT_TRUE(chainings.chaining_raw->chaining_used == 3);
+
+	EXPECT_TRUE(chainings.chaining_raw->chaining[0].rule_id == 1);
+	EXPECT_TRUE(chainings.chaining_raw->chaining[0].sff_profile_id == 1);
+	EXPECT_TRUE(chainings.chaining_raw->chaining[0].sf_profile_id == -1);
+	EXPECT_TRUE(chainings.chaining_raw->chaining[0].sf_action == SESSION_ACTION_BYPASS);
+	EXPECT_TRUE(chainings.chaining_raw->chaining[0].sf_action_desc == ACTION_BYPASS_DUE_FAILURE_ACTION);
+
+	EXPECT_TRUE(chainings.chaining_raw->chaining[1].rule_id == 2);
+	EXPECT_TRUE(chainings.chaining_raw->chaining[1].sff_profile_id == 3);
+	EXPECT_TRUE(chainings.chaining_raw->chaining[1].sf_profile_id == -1);
+	EXPECT_TRUE(chainings.chaining_raw->chaining[1].sf_action == SESSION_ACTION_BLOCK);
+	EXPECT_TRUE(chainings.chaining_raw->chaining[1].sf_action_desc == ACTION_BLOCK_DUE_FAILURE_ACTION);
+
+	EXPECT_TRUE(chainings.chaining_raw->chaining[2].rule_id == 2);
+	EXPECT_TRUE(chainings.chaining_raw->chaining[2].sff_profile_id == 6);
+	EXPECT_TRUE(chainings.chaining_raw->chaining[2].sf_profile_id == 1);
+	EXPECT_TRUE(chainings.chaining_raw->chaining[2].sf_action == SESSION_ACTION_BLOCK);
+	EXPECT_TRUE(chainings.chaining_raw->chaining[2].sf_action_desc == ACTION_BLOCK_DUE_FAILURE_ACTION);
+
 	selected_chaining_dump(chainings.chaining_raw);
 	selected_chaining_bref(chainings.chaining_raw);
 	selected_chaining_destory(chainings.chaining_raw);

+	// decrypted traffic
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining_used == 3);
+
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining[0].rule_id == 11);
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining[0].sff_profile_id == 1);
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining[0].sf_profile_id == -1);
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining[0].sf_action == SESSION_ACTION_BYPASS);
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining[0].sf_action_desc == ACTION_BYPASS_DUE_FAILURE_ACTION);
+
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining[1].rule_id == 12);
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining[1].sff_profile_id == 3);
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining[1].sf_profile_id == -1);
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining[1].sf_action == SESSION_ACTION_BLOCK);
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining[1].sf_action_desc == ACTION_BLOCK_DUE_FAILURE_ACTION);
+
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining[2].rule_id == 12);
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining[2].sff_profile_id == 6);
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining[2].sf_profile_id == 1);
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining[2].sf_action == SESSION_ACTION_BLOCK);
+	EXPECT_TRUE(chainings.chaining_decrypted->chaining[2].sf_action_desc == ACTION_BLOCK_DUE_FAILURE_ACTION);
+
 	selected_chaining_dump(chainings.chaining_decrypted);
 	selected_chaining_bref(chainings.chaining_decrypted);
 	selected_chaining_destory(chainings.chaining_decrypted);

 	printf("Before Sleep\n");
-	sleep(3);
+	sleep(1);
 	printf("After Sleep\n");

 	policy_enforcer_destory(enforcer);
 }
+#endif

 int main(int argc, char **argv)
 {