git.ipfire.org Git - thirdparty/suricata.git/commit

author	Victor Julien <victor@inliniac.net>
	Wed, 22 Jul 2020 11:50:14 +0000 (13:50 +0200)
committer	Victor Julien <victor@inliniac.net>
	Thu, 30 Jul 2020 11:22:54 +0000 (13:22 +0200)
commit	611c991f27598b8498d34fb18262de2f280a841a
tree	2383226959a7b2ff6809e6c6ccf956a879fa7cf6
parent	0da4dc0deab8ae40f2f4476f68faa62a692a0350

flow: improve performance in emergency mode

When the flow engine enters emergency mode, 3 things happen:

1. a different set of (lower) timeout values is applied
2. the flow manager runs more often
3. worker threads get a flow directly from the hash table

Testing showed that performance went down significantly due to concurrency
issues:

1. worker threads would fight each other over the hash access
2. flow manager would get in the way of workers

This patch changes the behavior in 2 ways:

1. It makes the flow manager slightly less aggressive. It will still
   try to run ~3 times per second, but no longer 10 times.

   This should reduce contention. At the same time, flows do not
   time out any faster just because they are checked many times per
   second.

2. The 'get a used flow' logic optimizes the use of atomics by only
   doing an atomic operation once, and while doing so reserving
   a slice of the hash per worker.

   The worker will also give up much quicker, to avoid the overhead
   of hash walking and taking and releasing locks.
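
The slice reservation in point 2 can be illustrated with a minimal
sketch. This is not the code from the patch: HASH_SIZE, SLICE_SIZE,
prune_cursor, ReserveSlice, GetUsedFlowSketch and CountRows are all
hypothetical names, and the real per-row work (trylock, timeout check,
eviction) is reduced to a callback. It assumes C11 atomics and a hash
size that is a multiple of the slice size.

```c
#include <stdatomic.h>
#include <stdint.h>

#define HASH_SIZE  65536u /* hypothetical number of hash rows */
#define SLICE_SIZE 32u    /* hypothetical rows scanned before giving up */

/* Shared cursor into the hash: the only shared state touched per attempt. */
static atomic_uint_fast32_t prune_cursor;

typedef struct {
    uint32_t start; /* first row of the reserved slice */
    uint32_t count; /* number of rows in the slice */
} HashSlice;

/* Reserve a slice with a single atomic fetch-add. Concurrent callers
 * receive disjoint ranges until the cursor wraps around the table. */
static HashSlice ReserveSlice(void)
{
    uint_fast32_t pos = atomic_fetch_add_explicit(
            &prune_cursor, SLICE_SIZE, memory_order_relaxed);
    HashSlice s = { (uint32_t)(pos % HASH_SIZE), SLICE_SIZE };
    return s;
}

/* Hypothetical per-row callback: returns 1 if a flow was taken from the
 * row, 0 otherwise (row busy, empty, or nothing evictable). */
typedef int (*TryRowFunc)(uint32_t row, void *ctx);

/* Walk only the reserved slice, then give up instead of walking the
 * rest of the hash. Returns 1 if a flow was obtained, 0 if not. */
static int GetUsedFlowSketch(TryRowFunc try_row, void *ctx)
{
    HashSlice s = ReserveSlice();
    for (uint32_t i = 0; i < s.count; i++) {
        if (try_row(s.start + i, ctx))
            return 1;
    }
    return 0;
}

/* Example callback for illustration: counts visited rows, never
 * succeeds in taking a flow. */
static int CountRows(uint32_t row, void *ctx)
{
    (void)row;
    (*(uint32_t *)ctx)++;
    return 0;
}
```

In this sketch each worker pays for one atomic operation per attempt
and then works on rows that no other worker was handed at the same
time, which is the property the commit message describes. The bounded
slice is what makes the worker give up quickly.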

These combined changes show much better 'under stress' behavior,
especially on multi-NUMA systems.

src/flow-hash.c
src/flow-manager.c