From 2a68561557b55126e1899c4528708d3f8137c4e7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gustavo=20I=C3=B1iguez=20Goia?=
Date: Sat, 8 Feb 2025 15:12:11 +0100
Subject: [PATCH] exclude disabled rules from the active rules
Disabled rules were part of the active rules. The fields were not evaluated, but we still went through the entire list. Not adding them to the list of active rules improves matching time, especially when there're a lot of disabled rules. It mainly affected when matching rules that were non-priority or ordered alphabetically, with action Allow.
---
 daemon/rule/loader.go | 21 +++++++++++----------
 daemon/rule/loader_test.go | 24 ++++++++++++------------
 2 files changed, 23 insertions(+), 22 deletions(-)
diff --git a/daemon/rule/loader.go b/daemon/rule/loader.go
index 210e3568..54923ff9 100644
--- a/daemon/rule/loader.go
+++ b/daemon/rule/loader.go
@@ -25,7 +25,7 @@ import (
 type Loader struct {
 watcher *fsnotify.Watcher
 rules map[string]*Rule
- rulesKeys []string
+ activeRules []string
 Path string
 liveReload bool
 liveReloadRunning bool
@@ -111,7 +111,7 @@ func (l *Loader) Reload(path string) error {
 // then delete the rules, and reload everything
 l.Lock()
- l.rulesKeys = make([]string, 0)
+ l.activeRules = make([]string, 0)
 l.rules = make(map[string]*Rule)
 l.Unlock()
 return l.Load(path)
@@ -354,11 +354,15 @@ func (l *Loader) unmarshalOperatorList(op *Operator) error {
 }
 func (l *Loader) sortRules() {
- l.rulesKeys = make([]string, 0, len(l.rules))
- for k := range l.rules {
- l.rulesKeys = append(l.rulesKeys, k)
+ l.activeRules = make([]string, 0, len(l.rules))
+ for k, r := range l.rules {
+ // exclude not enabled rules from the list of active rules
+ if !r.Enabled {
+ continue
+ }
+ l.activeRules = append(l.activeRules, k)
 }
- sort.Strings(l.rulesKeys)
+ sort.Strings(l.activeRules)
 }
 func (l *Loader) addUserRule(rule *Rule) {
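Review bot: sortRules() in daemon/rule/loader.go now filters as well as sorts, so l.activeRules becomes a cached view of each rule's Enabled flag, and nothing in the hunk documents that it must be rebuilt whenever that flag changes. If any path flips Enabled on a rule already in l.rules without calling sortRules() (not visible from this patch), a disabled allow rule would keep matching and a newly enabled deny rule would be skipped, since FindFirstMatch no longer checks the flag itself. I would add a doc comment such as `// sortRules rebuilds activeRules: the sorted names of enabled rules only. Call it, with the write lock held, after any change to l.rules or to a rule's Enabled flag.` The lock requirement is an assumption, as no locking is visible inside the function. The loader_test.go changes only rename the field; a case with one disabled rule asserting that its name is absent from activeRules would pin the new behaviour.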
@@ -483,11 +487,8 @@ func (l *Loader) FindFirstMatch(con *conman.Connection) (match *Rule) {
 l.RLock()
 defer l.RUnlock()
- for _, idx := range l.rulesKeys {
+ for _, idx := range l.activeRules {
 rule, _ := l.rules[idx]
- if rule.Enabled == false {
- continue
- }
 if rule.Match(con, l.checkSums) {
 // We have a match.
 // Save the rule in order to don't ask the user to take action,
diff --git a/daemon/rule/loader_test.go b/daemon/rule/loader_test.go
index 37d958da..262f2315 100644
--- a/daemon/rule/loader_test.go
+++ b/daemon/rule/loader_test.go
@@ -222,26 +222,26 @@ func testNumRules(t *testing.T, l *Loader, num int) {
 }
 func testRulesOrder(t *testing.T, l *Loader) {
- if l.rulesKeys[0] != "000-aaa-name" {
- t.Error("Rules not in order (0): ", l.rulesKeys)
+ if l.activeRules[0] != "000-aaa-name" {
+ t.Error("Rules not in order (0): ", l.activeRules)
 }
- if l.rulesKeys[1] != "000-allow-chrome" {
- t.Error("Rules not in order (1): ", l.rulesKeys)
+ if l.activeRules[1] != "000-allow-chrome" {
+ t.Error("Rules not in order (1): ", l.activeRules)
 }
- if l.rulesKeys[2] != "001-deny-chrome" {
- t.Error("Rules not in order (2): ", l.rulesKeys)
+ if l.activeRules[2] != "001-deny-chrome" {
+ t.Error("Rules not in order (2): ", l.activeRules)
 }
 }
 func testSortRules(t *testing.T, l *Loader) {
- l.rulesKeys[1] = "001-deny-chrome"
- l.rulesKeys[2] = "000-allow-chrome"
+ l.activeRules[1] = "001-deny-chrome"
+ l.activeRules[2] = "000-allow-chrome"
 l.sortRules()
- if l.rulesKeys[1] != "000-allow-chrome" {
- t.Error("Rules not in order (1): ", l.rulesKeys)
+ if l.activeRules[1] != "000-allow-chrome" {
+ t.Error("Rules not in order (1): ", l.activeRules)
 }
- if l.rulesKeys[2] != "001-deny-chrome" {
- t.Error("Rules not in order (2): ", l.rulesKeys)
+ if l.activeRules[2] != "001-deny-chrome" {
+ t.Error("Rules not in order (2): ", l.activeRules)
 }
 }
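Review bot: In the FindFirstMatch hunk of daemon/rule/loader.go, `rule, _ := l.rules[idx]` still discards the lookup result, and with the Enabled check removed the next use of the value is `rule.Match(con, l.checkSums)` directly. If activeRules ever holds a name that is no longer in l.rules, rule is nil at that call; whether Match tolerates a nil receiver is not visible from the patch. A guard removes the need for the two structures to be perfectly in sync: `rule, ok := l.rules[idx]` followed by `if !ok || rule == nil { continue }`. The function body continues past the end of the hunk.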