git.ipfire.org Git - thirdparty/suricata.git/commit

author	Victor Julien <vjulien@oisf.net>
	Mon, 11 Sep 2023 19:17:36 +0000 (21:17 +0200)
committer	Victor Julien <vjulien@oisf.net>
	Fri, 28 Jun 2024 07:44:10 +0000 (09:44 +0200)
commit	c08c81cacf9a0ef9e4e38f1e57e9a6dc18846fe4
tree	7a41bf3c2a8fddee3bcc513665bcad8a5bfd5c1c	tree
parent	c9631584434e33ed5fc20f19c66c5420a8d94f7a	commit \| diff

detect/threshold: implement per thread cache

Thresholding often has 2 stages:

1. recording matches
2. appling an action, like suppress

E.g. with something like:
threshold:type limit, count 10, seconds 3600, track by_src;
the recording state is about counting 10 first hits for an IP,
then followed by the "suppress" state that might last an hour.

By_src/by_dst are expensive, as they do a host table lookup and lock
the host. If many threads require this access, lock contention becomes
a serious problem.

This patch adds a thread local cache to avoid the synchronization
overhead. When the threshold for a host enters the "apply" stage,
a thread local hash entry is added. This entry knows the expiry
time and the action to apply. This way the action can be applied
w/o the synchronization overhead.

A rbtree is used to handle expiration.

Implemented for IPv4.

src/detect-engine-threshold.c		diff \| blob \| blame \| history
src/detect-engine-threshold.h		diff \| blob \| blame \| history
src/detect-engine.c		diff \| blob \| blame \| history