exclude disabled rules from the active rules

Disabled rules were part of the active rules. The fields were not evaluated, but we still went through the entire list. Not adding them to the list of active rules improves matching time, especially when there're a lot of disabled rules. It mainly affected when matching rules that were non-priority or ordered alphabetically, with action Allow.
2025-03-04 08:34:40 +01:00 · 2025-02-08 15:12:11 +01:00 · 2025-02-08 15:12:11 +01:00 · 2a68561557
commit 2a68561557
parent 07a4077a6a
2 changed files with 23 additions and 22 deletions
--- a/daemon/rule/loader.go
+++ b/daemon/rule/loader.go
@ -25,7 +25,7 @@ import (
 type Loader struct {
 	watcher           *fsnotify.Watcher
 	rules             map[string]*Rule
-	rulesKeys         []string
+	activeRules       []string
 	Path              string
 	liveReload        bool
 	liveReloadRunning bool
@ -111,7 +111,7 @@ func (l *Loader) Reload(path string) error {
 	// then delete the rules, and reload everything
 	l.Lock()
-	l.rulesKeys = make([]string, 0)
+	l.activeRules = make([]string, 0)
 	l.rules = make(map[string]*Rule)
 	l.Unlock()
 	return l.Load(path)
@ -354,11 +354,15 @@ func (l *Loader) unmarshalOperatorList(op *Operator) error {
 }
 func (l *Loader) sortRules() {
-	l.rulesKeys = make([]string, 0, len(l.rules))
+	l.activeRules = make([]string, 0, len(l.rules))
-	for k := range l.rules {
+	for k, r := range l.rules {
-		l.rulesKeys = append(l.rulesKeys, k)
+		// exclude not enabled rules from the list of active rules
 		if !r.Enabled {
 			continue
 		}
-	sort.Strings(l.rulesKeys)
+		l.activeRules = append(l.activeRules, k)
 	}
 	sort.Strings(l.activeRules)
 }
 func (l *Loader) addUserRule(rule *Rule) {
@ -483,11 +487,8 @@ func (l *Loader) FindFirstMatch(con *conman.Connection) (match *Rule) {
 	l.RLock()
 	defer l.RUnlock()
-	for _, idx := range l.rulesKeys {
+	for _, idx := range l.activeRules {
 		rule, _ := l.rules[idx]
 		if rule.Enabled == false {
 			continue
 		}
 		if rule.Match(con, l.checkSums) {
 			// We have a match.
 			// Save the rule in order to don't ask the user to take action,
--- a/daemon/rule/loader_test.go
+++ b/daemon/rule/loader_test.go
@ -222,26 +222,26 @@ func testNumRules(t *testing.T, l *Loader, num int) {
 }
 func testRulesOrder(t *testing.T, l *Loader) {
-	if l.rulesKeys[0] != "000-aaa-name" {
+	if l.activeRules[0] != "000-aaa-name" {
-		t.Error("Rules not in order (0): ", l.rulesKeys)
+		t.Error("Rules not in order (0): ", l.activeRules)
 	}
-	if l.rulesKeys[1] != "000-allow-chrome" {
+	if l.activeRules[1] != "000-allow-chrome" {
-		t.Error("Rules not in order (1): ", l.rulesKeys)
+		t.Error("Rules not in order (1): ", l.activeRules)
 	}
-	if l.rulesKeys[2] != "001-deny-chrome" {
+	if l.activeRules[2] != "001-deny-chrome" {
-		t.Error("Rules not in order (2): ", l.rulesKeys)
+		t.Error("Rules not in order (2): ", l.activeRules)
 	}
 }
 func testSortRules(t *testing.T, l *Loader) {
-	l.rulesKeys[1] = "001-deny-chrome"
+	l.activeRules[1] = "001-deny-chrome"
-	l.rulesKeys[2] = "000-allow-chrome"
+	l.activeRules[2] = "000-allow-chrome"
 	l.sortRules()
-	if l.rulesKeys[1] != "000-allow-chrome" {
+	if l.activeRules[1] != "000-allow-chrome" {
-		t.Error("Rules not in order (1): ", l.rulesKeys)
+		t.Error("Rules not in order (1): ", l.activeRules)
 	}
-	if l.rulesKeys[2] != "001-deny-chrome" {
+	if l.activeRules[2] != "001-deny-chrome" {
-		t.Error("Rules not in order (2): ", l.rulesKeys)
+		t.Error("Rules not in order (2): ", l.activeRules)
 	}
 }