From: Jeff Lucovsky <jeff@lucovsky.org>
Date: Mon, 29 Mar 2021 12:30:59 +0000 (-0400)
Subject: detect/threshold: Improve threshold.config perf
X-Git-Tag: suricata-5.0.7~22
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e8de11ea08cd4bc1af952ea6e4927510911459fa;p=thirdparty%2Fsuricata.git

detect/threshold: Improve threshold.config perf

This commit improves performance when parsing threshold.config by
removing a loop-invariant to create a one-time object with the parsed
address(es).

Then, as needed, copies of this object are made as the suppression
rule(s) are processed.

(cherry picked from commit 02ceac8b8d4473de5f373a4785a1c143778b06e1)
---

diff --git a/src/util-threshold-config.c b/src/util-threshold-config.c
index d47eebbaf9..2f4a5fae53 100644
--- a/src/util-threshold-config.c
+++ b/src/util-threshold-config.c
@@ -295,6 +295,25 @@ static int SetupSuppressRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid,
 
     BUG_ON(parsed_type != TYPE_SUPPRESS);
 
+    DetectThresholdData *orig_de = NULL;
+    if (parsed_track != TRACK_RULE) {
+        orig_de = SCCalloc(1, sizeof(DetectThresholdData));
+        if (unlikely(orig_de == NULL))
+            goto error;
+
+        orig_de->type = TYPE_SUPPRESS;
+        orig_de->track = parsed_track;
+        orig_de->count = parsed_count;
+        orig_de->seconds = parsed_seconds;
+        orig_de->new_action = parsed_new_action;
+        orig_de->timeout = parsed_timeout;
+        if (DetectAddressParse((const DetectEngineCtx *)de_ctx, &orig_de->addrs, (char *)th_ip) <
+                0) {
+            SCLogError(SC_ERR_INVALID_IP_NETBLOCK, "failed to parse %s", th_ip);
+            goto error;
+        }
+    }
+
     /* Install it */
     if (id == 0 && gid == 0) {
         if (parsed_track == TRACK_RULE) {
@@ -309,24 +328,9 @@ static int SetupSuppressRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid,
                 continue;
             }
 
-            de = SCMalloc(sizeof(DetectThresholdData));
+            de = DetectThresholdDataCopy(orig_de);
             if (unlikely(de == NULL))
                 goto error;
-            memset(de,0,sizeof(DetectThresholdData));
-
-            de->type = TYPE_SUPPRESS;
-            de->track = parsed_track;
-            de->count = parsed_count;
-            de->seconds = parsed_seconds;
-            de->new_action = parsed_new_action;
-            de->timeout = parsed_timeout;
-
-            if (parsed_track != TRACK_RULE) {
-                if (DetectAddressParse((const DetectEngineCtx *)de_ctx, &de->addrs, (char *)th_ip) < 0) {
-                    SCLogError(SC_ERR_INVALID_IP_NETBLOCK, "failed to parse %s", th_ip);
-                    goto error;
-                }
-            }
 
             sm = SigMatchAlloc();
             if (sm == NULL) {
@@ -353,26 +357,10 @@ static int SetupSuppressRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid,
                 continue;
             }
 
-            de = SCMalloc(sizeof(DetectThresholdData));
+            de = DetectThresholdDataCopy(orig_de);
             if (unlikely(de == NULL))
                 goto error;
 
-            memset(de,0,sizeof(DetectThresholdData));
-
-            de->type = TYPE_SUPPRESS;
-            de->track = parsed_track;
-            de->count = parsed_count;
-            de->seconds = parsed_seconds;
-            de->new_action = parsed_new_action;
-            de->timeout = parsed_timeout;
-
-            if (parsed_track != TRACK_RULE) {
-                if (DetectAddressParse((const DetectEngineCtx *)de_ctx, &de->addrs, (char *)th_ip) < 0) {
-                    SCLogError(SC_ERR_INVALID_IP_NETBLOCK, "failed to parse %s", th_ip);
-                    goto error;
-                }
-            }
-
             sm = SigMatchAlloc();
             if (sm == NULL) {
                 SCLogError(SC_ERR_MEM_ALLOC, "Error allocating SigMatch");
@@ -400,22 +388,9 @@ static int SetupSuppressRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid,
                 goto end;
             }
 
-            de = SCMalloc(sizeof(DetectThresholdData));
+            de = DetectThresholdDataCopy(orig_de);
             if (unlikely(de == NULL))
                 goto error;
-            memset(de,0,sizeof(DetectThresholdData));
-
-            de->type = TYPE_SUPPRESS;
-            de->track = parsed_track;
-            de->count = parsed_count;
-            de->seconds = parsed_seconds;
-            de->new_action = parsed_new_action;
-            de->timeout = parsed_timeout;
-
-            if (DetectAddressParse((const DetectEngineCtx *)de_ctx, &de->addrs, (char *)th_ip) < 0) {
-                SCLogError(SC_ERR_INVALID_IP_NETBLOCK, "failed to parse %s", th_ip);
-                goto error;
-            }
 
             sm = SigMatchAlloc();
             if (sm == NULL) {
@@ -431,8 +406,16 @@ static int SetupSuppressRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid,
     }
 
 end:
+    if (orig_de != NULL) {
+        DetectAddressHeadCleanup(&orig_de->addrs);
+        SCFree(orig_de);
+    }
     return 0;
 error:
+    if (orig_de != NULL) {
+        DetectAddressHeadCleanup(&orig_de->addrs);
+        SCFree(orig_de);
+    }
     if (de != NULL) {
         DetectAddressHeadCleanup(&de->addrs);
         SCFree(de);