github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-18 00:31:30 +00:00
Code Issues Projects Releases Wiki Activity

Use the same falco_rule struct for every call to filter_ruleset

Browse Source 
Instead of using a falco_rule struct on the stack, use a single value
inside the falco_source struct. It's mutable as find_source returns a
const struct.

At very high event volumes (> 1M syscalls/second), even the tiny time
it takes to create/destroy the struct starts to add up, and this
switch has some small cpu savings.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
This commit is contained in:
Mark Stemm 2022-09-13 15:02:25 -07:00 committed by poiana
parent e5cd5eacf5
commit 2d5fc0b647
2 changed files with 11 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
userspace/engine/falco_engine.cpp
View File

@ -333,8 +333,6 @@ std::shared_ptr<gen_event_formatter> falco_engine::create_formatter(const std::s
unique_ptr<falco_engine::rule_result> falco_engine::process_event(std::size_t source_idx, gen_event *ev, uint16_t ruleset_id) unique_ptr<falco_engine::rule_result> falco_engine::process_event(std::size_t source_idx, gen_event *ev, uint16_t ruleset_id)
{ {
falco_rule rule;
// note: there are no thread-safety guarantees on the filter_ruleset::run() // note: there are no thread-safety guarantees on the filter_ruleset::run()
// method, but the thread-safety assumptions of falco_engine::process_event() // method, but the thread-safety assumptions of falco_engine::process_event()
// imply that concurrent invokers use different and non-switchable values of // imply that concurrent invokers use different and non-switchable values of
@ -359,13 +357,13 @@ unique_ptr<falco_engine::rule_result> falco_engine::process_event(std::size_t so
unique_ptr<struct rule_result> res(new rule_result()); unique_ptr<struct rule_result> res(new rule_result());
res->evt = ev; res->evt = ev;
res->rule = rule.name; res->rule = source->m_rule.name;
res->source = rule.source; res->source = source->m_rule.source;
res->format = rule.output; res->format = source->m_rule.output;
res->priority_num = rule.priority; res->priority_num = source->m_rule.priority;
res->tags = rule.tags; res->tags = source->m_rule.tags;
res->exception_fields = rule.exception_fields; res->exception_fields = source->m_rule.exception_fields;
m_rule_stats_manager.on_event(rule); m_rule_stats_manager.on_event(source->m_rule);
return res; return res;
} }

4
userspace/engine/falco_source.h
View File

@ -32,6 +32,10 @@ struct falco_source
std::shared_ptr<gen_event_filter_factory> filter_factory; std::shared_ptr<gen_event_filter_factory> filter_factory;
std::shared_ptr<gen_event_formatter_factory> formatter_factory; std::shared_ptr<gen_event_formatter_factory> formatter_factory;
// Used by the filter_ruleset interface. Filled in when a rule
// matches an event.
mutable falco_rule m_rule;
inline bool is_field_defined(std::string field) const inline bool is_field_defined(std::string field) const
{ {
auto *chk = filter_factory->new_filtercheck(field.c_str()); auto *chk = filter_factory->new_filtercheck(field.c_str());