github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-09-05 16:50:34 +00:00
Code Issues Projects Releases Wiki Activity

Use the same falco_rule struct for every call to filter_ruleset

Browse Source 
Instead of using a falco_rule struct on the stack, use a single value
inside the falco_source struct. It's mutable as find_source returns a
const struct.

At very high event volumes (> 1M syscalls/second), even the tiny time
it takes to create/destroy the struct starts to add up, and this
switch has some small cpu savings.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
This commit is contained in:
Mark Stemm
2022-09-13 15:02:25 -07:00
committed by poiana
parent e5cd5eacf5
commit 2d5fc0b647
2 changed files with 11 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
userspace/engine/falco_source.h
View File

@@ -32,6 +32,10 @@ struct falco_source
std::shared_ptr<gen_event_filter_factory> filter_factory;
std::shared_ptr<gen_event_formatter_factory> formatter_factory;
// Used by the filter_ruleset interface. Filled in when a rule
// matches an event.
mutable falco_rule m_rule;
inline bool is_field_defined(std::string field) const
{
auto *chk = filter_factory->new_filtercheck(field.c_str());