Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-09 01:58:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Do not lookup ignore_checksums_nets for every packet

Browse source 
This could lead to a noticeable (single-percent) performance
improvement.

Most of the functionality for this is in the packet analyzers that now
cache ignore_chesksums_nets.

Based on a patch by Arne Welzel (Corelight).
This commit is contained in:
Johanna Amann 2021-08-06 10:32:53 +01:00
parent d24cecf268
commit 8192ad581d
13 changed files with 101 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

11
src/packet_analysis/packet_analysis.bif
View file

@ -4,6 +4,7 @@ module PacketAnalyzer;
#include "zeek/packet_analysis/Analyzer.h"
#include "zeek/packet_analysis/Manager.h"
#include "zeek/packet_analysis/protocol/ip/IPBasedAnalyzer.h"
%%}
@ -47,3 +48,13 @@ function try_register_packet_analyzer_by_name%(parent: string, identifier: count
parent_analyzer->RegisterProtocol(identifier, child_analyzer);
return zeek::val_mgr->True();
%}
## Internal function that is used to update the core-mirror of the script-level `ignore_checksums_nets` variable.
function PacketAnalyzer::__set_ignore_checksums_nets%(v: subnet_set%) : bool
%{
if ( v->GetType()->Tag() != zeek::TYPE_TABLE )
zeek::emit_builtin_error("update_ignore_checksums_net() requires a table/set argument");
zeek::packet_analysis::IP::IPBasedAnalyzer::SetIgnoreChecksumsNets(zeek::IntrusivePtr{zeek::NewRef{}, v->AsTableVal()});
return zeek::val_mgr->True();
%}

2
src/packet_analysis/protocol/icmp/ICMP.cc
View file

@ -77,7 +77,7 @@ void ICMPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int rema
const std::unique_ptr<IP_Hdr>& ip = pkt->ip_hdr;
if ( ! zeek::detail::ignore_checksums &&
! zeek::id::find_val<TableVal>("ignore_checksums_nets")->Contains(ip->IPHeaderSrcAddr()) &&
! GetIgnoreChecksumsNets()->Contains(ip->IPHeaderSrcAddr()) &&
remaining >= len )
{
int chksum = 0;

3
src/packet_analysis/protocol/ip/IP.cc
View file

@ -1,6 +1,7 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "zeek/packet_analysis/protocol/ip/IP.h"
#include "zeek/packet_analysis/protocol/ip/IPBasedAnalyzer.h"
#include "zeek/NetVar.h"
#include "zeek/IP.h"
#include "zeek/Discard.h"
@ -128,7 +129,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
return false;
if ( ! packet->l2_checksummed && ! detail::ignore_checksums && ip4 &&
! zeek::id::find_val<TableVal>("ignore_checksums_nets")->Contains(packet->ip_hdr->IPHeaderSrcAddr()) &&
! IPBasedAnalyzer::GetIgnoreChecksumsNets()->Contains(packet->ip_hdr->IPHeaderSrcAddr()) &&
detail::in_cksum(reinterpret_cast<const uint8_t*>(ip4), ip_hdr_len) != 0xffff )
{
Weird("bad_IP_checksum", packet);

15
src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc
View file

@ -282,3 +282,18 @@ void IPBasedAnalyzer::DumpPortDebug()
DBG_LOG(DBG_ANALYZER, " %d/%s: %s", mapping.first, transport_proto_string(transport), s.c_str());
}
}
TableValPtr IPBasedAnalyzer::ignore_checksums_nets_table = nullptr;
void IPBasedAnalyzer::SetIgnoreChecksumsNets(TableValPtr t)
{
IPBasedAnalyzer::ignore_checksums_nets_table = t;
}
TableValPtr IPBasedAnalyzer::GetIgnoreChecksumsNets()
{
if ( ! IPBasedAnalyzer::ignore_checksums_nets_table )
IPBasedAnalyzer::ignore_checksums_nets_table = zeek::id::find_val<TableVal>("ignore_checksums_nets");
return IPBasedAnalyzer::ignore_checksums_nets_table;
}

21
src/packet_analysis/protocol/ip/IPBasedAnalyzer.h
View file

@ -7,6 +7,7 @@
#include "zeek/packet_analysis/Analyzer.h"
#include "zeek/analyzer/Tag.h"
#include "zeek/ID.h"
namespace zeek::analyzer::pia { class PIA; }
@ -61,6 +62,25 @@ public:
*/
void DumpPortDebug();
/**
* Updates the internal pointer to the script-level variable `ignore_checksums_nets`.
* This is used to prevent repeated (costly) lookup of the script-level variable
* by IP-based analyzers.
*
* @param t New value of ignore_checksums_nets
*/
static void SetIgnoreChecksumsNets(TableValPtr t);
/**
* Gets the interpal pointer to the script-level variable `ignore_checksums_nets`.
* This is used to prevent repeated (costly) lookup of the script-level variable
* by IP-based analyzers.
*
* @return Current value of `ignore_checksums_nets`.
*/
static TableValPtr GetIgnoreChecksumsNets();
protected:
/**
@ -178,6 +198,7 @@ private:
TransportProto transport;
uint32_t server_port_mask;
static TableValPtr ignore_checksums_nets_table;
};
}

3
src/packet_analysis/protocol/tcp/TCP.cc
View file

@ -18,7 +18,6 @@ TCPAnalyzer::TCPAnalyzer() : IPBasedAnalyzer("TCP", TRANSPORT_TCP, TCP_PORT_MASK
void TCPAnalyzer::Initialize()
{
ignored_nets = zeek::id::find_val<TableVal>("ignore_checksums_nets");
}
SessionAdapter* TCPAnalyzer::MakeSessionAdapter(Connection* conn)
@ -164,7 +163,7 @@ bool TCPAnalyzer::ValidateChecksum(const IP_Hdr* ip, const struct tcphdr* tp,
{
if ( ! run_state::current_pkt->l3_checksummed &&
! detail::ignore_checksums &&
! ignored_nets->Contains(ip->IPHeaderSrcAddr()) &&
! GetIgnoreChecksumsNets()->Contains(ip->IPHeaderSrcAddr()) &&
caplen >= len && ! endpoint->ValidChecksum(tp, len, ip->IP4_Hdr()) )
{
adapter->Weird("bad_TCP_checksum");

2
src/packet_analysis/protocol/tcp/TCP.h
View file

@ -86,8 +86,6 @@ private:
bool ValidateChecksum(const IP_Hdr* ip, const struct tcphdr* tp,
analyzer::tcp::TCP_Endpoint* endpoint,
int len, int caplen, TCPSessionAdapter* adapter);
TableValPtr ignored_nets;
};
}

2
src/packet_analysis/protocol/udp/UDP.cc
View file

@ -108,7 +108,7 @@ void UDPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai
auto validate_checksum =
! run_state::current_pkt->l3_checksummed &&
! zeek::detail::ignore_checksums &&
! zeek::id::find_val<TableVal>("ignore_checksums_nets")->Contains(ip->IPHeaderSrcAddr()) &&
! GetIgnoreChecksumsNets()->Contains(ip->IPHeaderSrcAddr()) &&
remaining >=len;
constexpr auto vxlan_len = 8;