app-layer: reduce app cleanup and output-tx calls

Track packets that updated the app-layer, and for those run
the transaction housekeeping and output-tx logging loops.

Do the same for end of flow packets.

This skips needless iterations over the transaction stores.
pull/7957/head
Victor Julien 2 years ago
parent 4bb7f827e0
commit 23323a961f

@ -507,6 +507,7 @@ static int TCPProtoDetect(ThreadVars *tv,
int r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
flags, data, data_len);
PACKET_PROFILING_APP_END(app_tctx, f->alproto);
p->flags |= PKT_APPLAYER_UPDATE;
if (r != 1) {
StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
}
@ -580,6 +581,7 @@ static int TCPProtoDetect(ThreadVars *tv,
f->alproto, flags,
data, data_len);
PACKET_PROFILING_APP_END(app_tctx, f->alproto);
p->flags |= PKT_APPLAYER_UPDATE;
if (r != 1) {
StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
}
@ -684,6 +686,7 @@ int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
flags, data, data_len);
PACKET_PROFILING_APP_END(app_tctx, f->alproto);
p->flags |= PKT_APPLAYER_UPDATE;
/* ignore parser result for gap */
StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
if (r < 0) {
@ -767,6 +770,7 @@ int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
r = AppLayerParserParse(tv, app_tctx->alp_tctx, f, f->alproto,
flags, data, data_len);
PACKET_PROFILING_APP_END(app_tctx, f->alproto);
p->flags |= PKT_APPLAYER_UPDATE;
if (r != 1) {
StreamTcpUpdateAppLayerProgress(ssn, direction, data_len);
if (r < 0) {
@ -891,6 +895,7 @@ int AppLayerHandleUdp(ThreadVars *tv, AppLayerThreadCtx *tctx, Packet *p, Flow *
r = AppLayerParserParse(tv, tctx->alp_tctx, f, f->alproto,
flags, p->payload, p->payload_len);
PACKET_PROFILING_APP_END(tctx, f->alproto);
p->flags |= PKT_APPLAYER_UPDATE;
}
PACKET_PROFILING_APP_STORE(tctx, p);
/* we do only inspection in one direction, so flag both
@ -907,6 +912,7 @@ int AppLayerHandleUdp(ThreadVars *tv, AppLayerThreadCtx *tctx, Packet *p, Flow *
flags, p->payload, p->payload_len);
PACKET_PROFILING_APP_END(tctx, f->alproto);
PACKET_PROFILING_APP_STORE(tctx, p);
p->flags |= PKT_APPLAYER_UPDATE;
}
if (r < 0) {
ExceptionPolicyApply(p, g_applayerparser_error_policy, PKT_DROP_REASON_APPLAYER_ERROR);
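Review bot: The flag is set by hand after each of the six AppLayerParserParse() calls in these hunks, so a parser call site not touched here, or one added later, would leave PKT_APPLAYER_UPDATE clear. For a non-pseudo packet, the tx cleanup and tx logging gated on the flag would then be skipped without any error. As called in these hunks the parser is not passed the packet, so a small static helper that takes `p`, forwards to AppLayerParserParse() and sets the flag would keep the two steps together. Failing that, each site deserves a comment such as `/* parser ran: tx cleanup and tx logging must run for this packet */`. The bodies of TCPProtoDetect, AppLayerHandleTCPData and AppLayerHandleUdp extend beyond the hunks, so other parser calls in them cannot be checked from here.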

@ -1102,6 +1102,9 @@ void DecodeUnregisterCounters(void);
#define PKT_FIRST_ALERTS BIT_U32(29)
#define PKT_FIRST_TAG BIT_U32(30)
/** Packet updated the app-layer. */
#define PKT_APPLAYER_UPDATE BIT_U32(31)
/** \brief return 1 if the packet is a pseudo packet */
#define PKT_IS_PSEUDOPKT(p) \
((p)->flags & (PKT_PSEUDO_STREAM_END|PKT_PSEUDO_DETECTLOG_FLUSH))
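Review bot: The doc comment on PKT_APPLAYER_UPDATE says what sets the flag but not what depends on it, so a reader of the flag list cannot tell that leaving it clear suppresses work elsewhere. I would expand it to something like `/** Packet updated the app-layer. Non-pseudo packets without this flag skip tx cleanup and tx logging. */`. BIT_U32(31) also looks like the last free bit if the flags field is 32 bits wide (its declaration is not in the hunk), which is worth a remark for whoever adds the next flag.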

@ -574,9 +574,13 @@ static TmEcode FlowWorker(ThreadVars *tv, Packet *p, void *data)
FramesPrune(p->flow, p);
}
/* run tx cleanup last */
AppLayerParserTransactionsCleanup(p->flow, STREAM_FLAGS_FOR_PACKET(p));
if ((PKT_IS_PSEUDOPKT(p)) || ((p->flags & PKT_APPLAYER_UPDATE) != 0)) {
SCLogDebug("pseudo or app update: run cleanup");
/* run tx cleanup last */
AppLayerParserTransactionsCleanup(p->flow, STREAM_FLAGS_FOR_PACKET(p));
} else {
SCLogDebug("not pseudo, no app update: skip");
}
Flow *f = p->flow;
FlowDeReference(&p->flow);
FLOWLOCK_UNLOCK(f);
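Review bot: The test `(PKT_IS_PSEUDOPKT(p)) || ((p->flags & PKT_APPLAYER_UPDATE) != 0)` is written out here and again, negated and parenthesised differently, in the OutputTxLog hunk. If one copy is changed later, the cleanup and the logger will disagree about which packets to process. A single macro next to the flag definition, used in both places, would prevent that, e.g. `#define PKT_NEEDS_TX_WORK(p) (PKT_IS_PSEUDOPKT(p) || ((p)->flags & PKT_APPLAYER_UPDATE))` (the name is only a suggestion). The `else` branch exists only to emit a debug message and could be dropped. FlowWorker starts and ends outside the hunk.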

@ -335,6 +335,11 @@ static TmEcode OutputTxLog(ThreadVars *tv, Packet *p, void *thread_data)
DEBUG_VALIDATE_BUG_ON(thread_data == NULL);
if (p->flow == NULL)
return TM_ECODE_OK;
if (!((PKT_IS_PSEUDOPKT(p)) || (p->flags & PKT_APPLAYER_UPDATE) != 0)) {
SCLogDebug("not pseudo, no app update: skip");
return TM_ECODE_OK;
}
SCLogDebug("pseudo, or app update: run output");
OutputTxLoggerThreadData *op_thread_data = (OutputTxLoggerThreadData *)thread_data;
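Review bot: The early return stops transaction logging for every non-pseudo packet that did not itself run the parser, and nothing in the hunk documents why that cannot delay or lose a record. If a transaction can become ready to log for a reason other than a parser call on the same packet (for example detection finishing on a later packet, which is not visible here), its record would wait for the next app-layer update or the flow-end pseudo packet. For an IDS these records are the audit trail, so I would add a comment stating the assumption, e.g. `/* tx state only changes on app-layer updates or at flow end; other packets have nothing new to log */`. A test covering a flow that ends by timeout would back that up. OutputTxLog continues past the hunk.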

@ -734,6 +734,7 @@ int StreamTcpReassembleHandleSegmentHandleData(ThreadVars *tv, TcpReassemblyThre
StreamTcpSetEvent(p, STREAM_REASSEMBLY_DEPTH_REACHED);
/* increment stream depth counter */
StatsIncr(tv, ra_ctx->counter_tcp_stream_depth);
p->flags |= PKT_APPLAYER_UPDATE;
}
if (size == 0) {
SCLogDebug("ssn %p: depth reached, not reassembling", ssn);
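Review bot: The depth-reached branch is the only place on this page where PKT_APPLAYER_UPDATE is raised without a parser call next to it, and it has no comment saying why. A line such as `/* depth reached: no more data will reach the parser, let tx cleanup and logging run for this packet */` would record the intent, if that is indeed the reason. The enclosing block opens before the hunk, so the exact condition guarding this branch cannot be checked from here.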
