
#20 layer7 caching

open
None
1
2006-09-10
2006-07-13
No

The original layer7 code caches compiled regexes and
does a linear search per-packet-per-iptables-rule to
find the cached regex to do the match.

If you have a lot of layer7 rules, this is not good use
of cpu cycles.

This patch stores (caches) the location of the compiled
regex in the matchinfo struct (if there is room),
avoiding the need to search the cache for each packet.

Discussion

  • Sam Liddicott - 2006-07-13

  • Matthew Strait - 2006-07-15
    • assigned_to: nobody --> quadong

  • Matthew Strait - 2006-09-10
    • priority: 5 --> 1

  • Matthew Strait - 2006-09-10

    This patch seems fine, but I am not convinced that the added
    complexity is worth it. I strongly suspect that regexec
    itself uses vastly more CPU time than this linear search.
    Do you have any evidence that this significantly improves
    performance?

  • Sam Liddicott - 2006-09-11

    Don't apply the patch, as it stands.
    It stops deletion of the rule by specification (rather than
    index) from working, as it changes the match struct and
    prevents the rule from being recognized in user-space.

    I don't have evidence of how much is saved. I wrote it for a
    system that had more than a hundred layer7 rules. That
    linear speed approaches the regex time for many packets
    which fail many matches very quickly.

    We either need to do a user-space mod to go with it or wait
    till iptables adds private per-rule pointers, which is under
    discussion/progress right now.
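The two points this thread turns on, the per-packet linear search through the compiled-regex cache that the patch summary describes and the delete-by-specification breakage Sam raises in the comment above, as an added example that is not part of this tracker entry or of l7-filter's own code. It uses POSIX regex_t in place of the module's regex engine, an assumed struct l7_match in place of the real matchinfo layout (the real struct's fields are not reproduced here), a constructed workload of eight rules and a hundred payloads, and a hypothetical "user-visible prefix" comparison (spec_matches_userpart) standing in for the private per-rule area Sam says iptables was discussing:

```c
#define _POSIX_C_SOURCE 200809L
#include <regex.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_PATTERN 64
#define CACHE_SLOTS 8

/* Assumed per-rule match data, not the real ipt_layer7_info layout.
 * Userspace fills pattern/invert; `cached` is the kernel-only slot the
 * patch uses to remember where this rule's compiled regex lives. */
struct l7_match {
    char pattern[MAX_PATTERN];
    unsigned char invert;
    void *cached;            /* kernel-only: pointer into regex_cache */
};

/* Stand-in for layer7's compiled-regex cache (POSIX regex_t, not the
 * module's own engine). */
struct cache_entry {
    char pattern[MAX_PATTERN];
    regex_t re;
};

static struct cache_entry regex_cache[CACHE_SLOTS];
static int cache_len;
static long strcmp_count;    /* cost of the linear search, for measurement */

/* The original per-packet lookup: walk the cache comparing pattern strings. */
static struct cache_entry *cache_lookup(const char *pattern)
{
    for (int i = 0; i < cache_len; i++) {
        strcmp_count++;
        if (strcmp(regex_cache[i].pattern, pattern) == 0)
            return &regex_cache[i];
    }
    return NULL;
}

static void cache_reset(void)
{
    for (int i = 0; i < cache_len; i++)
        regfree(&regex_cache[i].re);
    cache_len = 0;
}

static struct cache_entry *cache_add(const char *pattern)
{
    struct cache_entry *e = cache_lookup(pattern);
    if (e) return e;
    if (cache_len == CACHE_SLOTS) return NULL;
    e = &regex_cache[cache_len];
    snprintf(e->pattern, MAX_PATTERN, "%s", pattern);
    if (regcomp(&e->re, pattern, REG_EXTENDED | REG_NOSUB) != 0) return NULL;
    cache_len++;
    return e;
}

static int run_regex(struct cache_entry *e, const struct l7_match *m, const char *payload)
{
    int hit = regexec(&e->re, payload, 0, NULL, 0) == 0;
    return m->invert ? !hit : hit;
}

/* Unpatched: search the cache on every packet for every rule. */
static int match_uncached(struct l7_match *m, const char *payload)
{
    struct cache_entry *e = cache_lookup(m->pattern);
    return e ? run_regex(e, m, payload) : 0;
}

/* Patched: search once, then keep the pointer in the rule's matchinfo. */
static int match_cached(struct l7_match *m, const char *payload)
{
    if (!m->cached)
        m->cached = cache_lookup(m->pattern);
    return m->cached ? run_regex(m->cached, m, payload) : 0;
}

/* Delete-by-spec as a whole-struct compare: fails once the kernel has
 * written into `cached`, which is the breakage Sam describes. */
static int spec_matches_whole(const struct l7_match *user, const struct l7_match *kern)
{
    return memcmp(user, kern, sizeof *user) == 0;
}

/* Hypothetical fix: compare only the bytes userspace actually set. */
static int spec_matches_userpart(const struct l7_match *user, const struct l7_match *kern)
{
    return memcmp(user, kern, offsetof(struct l7_match, cached)) == 0;
}

/* Run npackets constructed payloads through nrules rules (pattern "^rN$",
 * payload "rN", so each packet hits exactly one rule); return the strcmp
 * cost of the lookups and the number of rule hits. */
static long workload(int nrules, int npackets, int use_cache, long *hits)
{
    struct l7_match rules[CACHE_SLOTS];
    char payload[32];
    cache_reset();
    if (nrules > CACHE_SLOTS) nrules = CACHE_SLOTS;
    for (int i = 0; i < nrules; i++) {
        memset(&rules[i], 0, sizeof rules[i]);
        snprintf(rules[i].pattern, MAX_PATTERN, "^r%d$", i);
        cache_add(rules[i].pattern);
    }
    strcmp_count = 0;
    *hits = 0;
    for (int p = 0; p < npackets; p++) {
        snprintf(payload, sizeof payload, "r%d", p % nrules);
        for (int i = 0; i < nrules; i++)
            *hits += use_cache ? match_cached(&rules[i], payload)
                               : match_uncached(&rules[i], payload);
    }
    return strcmp_count;
}

/* Userspace builds `user`, the kernel keeps a copy `kern`; after the first
 * packet the copies differ only in the kernel-only slot. */
static void delete_by_spec_demo(int *whole_ok, int *userpart_ok)
{
    struct l7_match user, kern;
    cache_reset();
    memset(&user, 0, sizeof user);
    snprintf(user.pattern, MAX_PATTERN, "%s", "^GET ");
    cache_add(user.pattern);
    memcpy(&kern, &user, sizeof kern);
    match_cached(&kern, "GET /index.html");
    *whole_ok = spec_matches_whole(&user, &kern);
    *userpart_ok = spec_matches_userpart(&user, &kern);
}

int main(void)
{
    long hits;
    int whole, userpart;
    printf("linear search : %ld strcmp calls\n", workload(8, 100, 0, &hits));
    printf("cached pointer: %ld strcmp calls\n", workload(8, 100, 1, &hits));
    delete_by_spec_demo(&whole, &userpart);
    printf("delete-by-spec whole struct: %s, user part only: %s\n",
           whole ? "ok" : "BROKEN", userpart ? "ok" : "BROKEN");
    return 0;
}
```

With eight rules the unpatched path pays the cache walk for every rule on every packet, the patched path pays it once per rule; the whole-struct comparison then fails exactly as the comment describes, while comparing only the user-set prefix still recognizes the rule.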
