Transform rust 7229 v9 #12068

Closed
wants to merge 8 commits into from


catenacyber
Contributor

Link to ticket: https://redmine.openinfosecfoundation.org/issues/7229

Describe changes:

  • transforms: move many transforms to rust

#12065 with rust fixes and clean history

Only base64 and pcrexform left in C

Benchmark
./src/suricata -r bigf.pcapng -S bigf.rules -c bigf.yaml -k none -l log --runmode single
with big.rules being alert tcp any any -> any any (file.data; strip_whitespace; content:"hasxspace"; sid:1;) and bigf.pcapng being a capture of http1 download of 28 Mbyte file SV datasets-1m-StringSets/datasets.csv and bigf.yaml having all kinds of options for profiling

with PR

  Date: 10/10/2024 -- 11:10:46
  --------------------------------------------------------------------------------------------------------------------------------
  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Prefilter                        Ticks           Called          Max Ticks       Avg             Bytes           Called          Max Bytes       Avg Bytes       Ticks/Byte     
  -------------------------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  file_data#179 (strip_whitespace  77389980        119             2075940         650335.00       28534678        116             266949          245988.00       2.00      

With master

  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Prefilter                        Ticks           Called          Max Ticks       Avg             Bytes           Called          Max Bytes       Avg Bytes       Ticks/Byte     
  -------------------------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- --------------- 
  file_data#179 (strip_whitespace  81533120        119             1905360         685152.00       28499770        116             266647          245687.00       2.00           

So 77389980 vs 81533120 does not seem significant for a difference
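
What the benchmarked rule exercises, as an added example rather than code from this PR or from Suricata: a slice-based `strip_whitespace` core that refuses an undersized output buffer, followed by the `content:"hasxspace"` search. The function names, the C `isspace()` whitespace set and the sample bytes are assumptions made for the illustration.

```rust
// Added illustration, not Suricata source. All names here are hypothetical.

/// Bytes the C isspace() call treats as whitespace in the default locale
/// (assumed to be the set the transform strips).
fn is_c_space(b: u8) -> bool {
    matches!(b, b' ' | b'\t' | b'\n' | 0x0b | 0x0c | b'\r')
}

/// Copy `input` into `output` without whitespace and return the bytes written.
/// The transform can never emit more than `input.len()` bytes, so that is the
/// size the caller must reserve; a smaller buffer is rejected, not overrun.
fn strip_whitespace(input: &[u8], output: &mut [u8]) -> Option<usize> {
    if output.len() < input.len() {
        return None;
    }
    let mut written = 0;
    for &b in input {
        if !is_c_space(b) {
            output[written] = b;
            written += 1;
        }
    }
    Some(written)
}

/// Models `file.data; strip_whitespace; content:"hasxspace";` on one buffer:
/// reserve the worst case, transform, truncate to the real length, search.
fn rule_matches(file_data: &[u8]) -> bool {
    const CONTENT: &[u8] = b"hasxspace";
    let mut out = vec![0u8; file_data.len()];
    let n = match strip_whitespace(file_data, &mut out) {
        Some(n) => n,
        None => return false,
    };
    out.truncate(n);
    out.windows(CONTENT.len()).any(|w| w == CONTENT)
}

fn main() {
    // Constructed sample: a CSV fragment whose match only appears once
    // the space, tab and CRLF bytes are removed.
    let sample = b"id,text\r\n1,has x\tspace\r\n";
    println!("rule matches: {}", rule_matches(sample));
}
```
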


codecov bot commented Oct 30, 2024

Codecov Report

Attention: Patch coverage is 86.51832% with 103 lines in your changes missing coverage. Please review.

Project coverage is 79.80%. Comparing base (3a7eef8) to head (d70b86e).
Report is 33 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #12068      +/-   ##
==========================================
- Coverage   83.42%   79.80%   -3.63%     
==========================================
  Files         910      906       -4     
  Lines      257642   257512     -130     
==========================================
- Hits       214949   205513    -9436     
- Misses      42693    51999    +9306     
Flag Coverage Δ
fuzzcorpus 61.60% <76.66%> (-0.05%) ⬇️
livemode 19.42% <30.14%> (+0.01%) ⬆️
pcap 43.91% <35.65%> (-0.57%) ⬇️
suricata-verify ?
unittests 59.30% <59.29%> (-0.08%) ⬇️


@suricata-qa

WARNING:

field baseline test %
SURI_TLPW2_autofp_stats_chk
.flow.end.tcp_state.established 8 9 112.5%

Pipeline 23225

@victorjulien
Member

Passed my QA. Ran this PR with SV master. Local pipeline 5130, run 626.

Comment on lines +31 to +56
#[repr(C)]
#[allow(non_snake_case)]
pub struct SCTransformTableElmt {
pub name: *const c_char,
pub desc: *const c_char,
pub url: *const c_char,
pub flags: u16,
pub Setup: unsafe extern "C" fn(de: *mut c_void, s: *mut c_void, raw: *const c_char) -> c_int,
pub Free: Option<unsafe extern "C" fn(de: *mut c_void, ptr: *mut c_void)>,
pub Transform: unsafe extern "C" fn(inspect_buf: *mut c_void, options: *mut c_void),
pub TransformValidate:
Option<unsafe extern "C" fn(content: *const u8, len: u16, context: *mut c_void) -> bool>,
}

/// cbindgen:ignore
extern "C" {
pub fn DetectSignatureAddTransform(
s: *mut c_void, transform_id: c_int, ctx: *mut c_void,
) -> c_int;
pub fn InspectionBufferPtr(buf: *const c_void) -> *const u8;
pub fn InspectionBufferLength(buf: *const c_void) -> u32;
pub fn InspectionBufferCopy(ibuf: *const c_void, buf: *const u8, buf_len: u32);
pub fn DetectHelperTransformRegister(kw: *const SCTransformTableElmt) -> c_int;
pub fn InspectionBufferCheckAndExpand(ibuf: *const c_void, buf_len: u32) -> *mut u8;
pub fn InspectionBufferTruncate(ibuf: *const c_void, buf_len: u32);
}
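Review bot: `InspectionBufferCopy`, `InspectionBufferCheckAndExpand` and `InspectionBufferTruncate` in the `extern "C"` block take `ibuf: *const c_void`, yet their names say they modify the buffer, and `InspectionBufferCheckAndExpand` hands back a `*mut u8` obtained through that const pointer. Declaring `ibuf` as `*mut c_void`, as the `Transform` callback already does for `inspect_buf`, would keep callers from passing a pointer derived from a shared reference. A short safety comment on each declaration, stating how long the returned pointer stays valid and how many bytes may be written through it, would also help.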
Member

Unrelated to this PR, but with respect to bindgen (#12062) these are the type of structs we'd move back to C, and let bindgen generate them to avoid the circular dependency issue.

pub fn InspectionBufferLength(buf: *const c_void) -> u32;
pub fn InspectionBufferCopy(ibuf: *const c_void, buf: *const u8, buf_len: u32);
pub fn DetectHelperTransformRegister(kw: *const SCTransformTableElmt) -> c_int;
pub fn InspectionBufferCheckAndExpand(ibuf: *const c_void, buf_len: u32) -> *mut u8;
Member

Shouldn't matter, but on the C side this returns void *. But they're the same size so FFI should be OK.

@victorjulien victorjulien added this to the 8.0 milestone Nov 6, 2024
@victorjulien
Member

Merged in #12094, thanks!
