Sorry for the "dump and run" yesterday, I was a bit under the pump. Thanks for expanding on the explanation Dave and yes I agree the documentation is not very clear. Once you "click" to what it is doing though it is very powerful and, as Dave also points out, negligible impact on throughput or CPU.
To re-construct with zcamero net parameters and some random ports to illustrate the flexibility I get ...
filter acl 222 create inPort act 4092 name "Special-NH"
filter acl 222 port add 3/1,4/4-4/12
filter acl 222 ace 22 create name "Ten2Five"
filter acl 222 ace 22 action permit redirect-next-hop 10.2.7.2 stop-on-match true
filter acl 222 ace 22 debug count enable
filter acl 222 ace 22 ip src-ip eq 10.2.5.1-10.2.5.254
filter acl 222 ace 22 ip dst-ip ne 10.2.0.0-10.2.255.255
filter acl 222 ace 22 enable
When you play around with this, probably the most important bit is making sure the correct template is selected. In the first line when the ACL is initially declared, a template is specified. In the above I use "act 4092". The template specifies which "fields" of the frame will be presented to the filter for processing. There are a number of these templates out-of-the-box with combinations that suit most requirements ... src-ip, dst-ip, src-mac etc ... or you can make your own.
Just make sure that the template you specify has all the fields your filter requires. Template 4092 only gives the filter src and dst ip, no point in setting an ACE entry to look at, say, DSCP because it won't see it. Would have to change the template to one that includes srcIp/dstIp/dscp ... I have embarrassed myself more than once with this.
Cheers
Ian
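
The template pitfall described in the post above can be caught before a config is loaded. The following is an added example, not part of the original post or any vendor tooling: a small Python lint that reads `filter acl` lines and flags any ACE that matches on a field its ACL's template does not present. The template table holds only what the post states (4092 gives src and dst ip); the `dscp` line in the second sample is constructed and its syntax is an assumption.

```python
import re

# Fields each template presents to the filter. The 4092 entry is taken from
# the post; any other template id has to be filled in by the operator.
TEMPLATE_FIELDS = {4092: {"src-ip", "dst-ip"}}

ACL_CREATE = re.compile(r"^filter acl (\d+) create \S+ act (\d+)")
ACE_IP_MATCH = re.compile(r"^filter acl (\d+) ace (\d+) ip (\S+) \S+ \S+")

def lint(config, templates=TEMPLATE_FIELDS):
    """Return (acl, ace, field, act) for each ACE match the template cannot see."""
    acl_act = {}      # acl id -> template id from the "create" line
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_CREATE.match(line)
        if m:
            acl_act[int(m.group(1))] = int(m.group(2))
            continue
        m = ACE_IP_MATCH.match(line)
        if not m:
            continue  # action, debug, enable, port lines carry no match field
        acl, ace, field = int(m.group(1)), int(m.group(2)), m.group(3)
        act = acl_act.get(acl)  # None if the ACL was never declared
        # Undeclared ACL or unknown template: treat every field as unseen.
        if field not in templates.get(act, set()):
            findings.append((acl, ace, field, act))
    return findings

# The ACL from the post, unchanged.
POST_CONFIG = """\
filter acl 222 create inPort act 4092 name "Special-NH"
filter acl 222 port add 3/1,4/4-4/12
filter acl 222 ace 22 create name "Ten2Five"
filter acl 222 ace 22 action permit redirect-next-hop 10.2.7.2 stop-on-match true
filter acl 222 ace 22 debug count enable
filter acl 222 ace 22 ip src-ip eq 10.2.5.1-10.2.5.254
filter acl 222 ace 22 ip dst-ip ne 10.2.0.0-10.2.255.255
filter acl 222 ace 22 enable
"""

# Constructed: same ACL plus a DSCP match (line syntax assumed for illustration).
DSCP_CONFIG = POST_CONFIG + "filter acl 222 ace 22 ip dscp eq 46\n"

if __name__ == "__main__":
    for acl, ace, field, act in lint(DSCP_CONFIG):
        print(f"acl {acl} ace {ace}: template {act} does not present '{field}'")
```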