From: Victor Julien Date: Wed, 11 Jun 2025 20:15:24 +0000 (+0200) Subject: detect/alert: optimize context cleanup X-Git-Tag: suricata-8.0.0-rc1~3 X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=36ecda3ea2510268da8deb5850b553f5668234da;p=thirdparty%2Fsuricata.git detect/alert: optimize context cleanup Don't always loop over each alert, but only do so if context was used.
---
diff --git a/src/decode.h b/src/decode.h
index 397f4ca970..bd0fdb4cd9 100644
--- a/src/decode.h
+++ b/src/decode.h
@@ -1248,7 +1248,9 @@ void DecodeUnregisterCounters(void);
 /** Flag to indicate that packet contents should not be inspected */
 #define PKT_NOPAYLOAD_INSPECTION BIT_U32(2)
-// vacancy
+
+/** set if PacketAlerts may contain json context data */
+#define PKT_ALERT_CTX_USED BIT_U32(3)
 /** Packet has matched a tag */
 #define PKT_HAS_TAG BIT_U32(4)
diff --git a/src/detect-engine-alert.c b/src/detect-engine-alert.c
index 4e697978a3..709e41c2ef 100644
--- a/src/detect-engine-alert.c
+++ b/src/detect-engine-alert.c
@@ -570,6 +570,8 @@ void PacketAlertFinalize(const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *d
 if (det_ctx->alert_queue_size > 0) {
 PacketAlertFinalizeProcessQueue(de_ctx, det_ctx, p);
+ if (det_ctx->json_content_len)
+ p->flags |= PKT_ALERT_CTX_USED;
 }
 /* At this point, we should have all the new alerts. Now check the tag
diff --git a/src/packet.c b/src/packet.c
index 80ecfb166d..0be394d76d 100644
--- a/src/packet.c
+++ b/src/packet.c
@@ -99,6 +99,7 @@ void PacketReinit(Packet *p)
 p->app_update_direction = 0;
 p->sig_mask = 0;
 p->pkt_hooks = 0;
+ const uint32_t pflags = p->flags;
 p->flags = 0;
 p->flowflags = 0;
 p->pkt_src = 0;
@@ -127,7 +128,8 @@ void PacketReinit(Packet *p)
 p->alerts.suppressed = 0;
 p->alerts.drop.action = 0;
 if (p->alerts.cnt > 0) {
- PacketAlertRecycle(p->alerts.alerts, p->alerts.cnt);
+ if (pflags & PKT_ALERT_CTX_USED)
+ PacketAlertRecycle(p->alerts.alerts, p->alerts.cnt);
 p->alerts.cnt = 0;
 }
 p->pcap_cnt = 0;
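Review bot: The flag is raised only here, inside the `det_ctx->alert_queue_size > 0` branch of PacketAlertFinalize, while the second src/packet.c hunk now skips PacketAlertRecycle whenever the flag is clear. If any other path can leave context data on an entry of p->alerts.alerts (none is visible in this diff, so this needs checking against the other writers), that data would no longer be released when the Packet is reused, which would show up as a leak or as stale context attached to a later packet's alert. I would document the invariant at the set site, for example `/* PacketReinit only recycles alert context when this flag is set; every path that attaches context must set it */`. The function body continues outside the hunk.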
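Review bot: `pflags` is declared here without a comment, and its only use is about thirty lines further down in the second hunk of this file, after `p->flags` has already been zeroed. A one-line comment would keep a later cleanup from removing or reordering it: `/* keep the old flags: PKT_ALERT_CTX_USED is tested below, after p->flags is cleared */`. PacketReinit starts and ends outside this hunk.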
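Review bot: The added guard `if (pflags & PKT_ALERT_CTX_USED)` is unbraced and sits directly above `p->alerts.cnt = 0;`, so the reader has to rely on indentation to see that the count reset stays unconditional. Bracing the guard makes that explicit: `if (pflags & PKT_ALERT_CTX_USED) {`, `PacketAlertRecycle(p->alerts.alerts, p->alerts.cnt);`, `}`. The same applies to the unbraced `if (det_ctx->json_content_len)` added in src/detect-engine-alert.c. PacketReinit's body continues outside the hunk.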