undo some of that
This commit is contained in:
parent
9a3400cdf0
commit
1cdc7b4149
2 changed files with 7 additions and 31 deletions
25
firewall.go
25
firewall.go
|
|
@ -77,7 +77,7 @@ type firewallMetrics struct {
|
|||
}
|
||||
|
||||
type FirewallConntrack struct {
|
||||
sync.RWMutex
|
||||
sync.Mutex
|
||||
|
||||
Conns map[firewall.Packet]*conn
|
||||
TimerWheel *TimerWheel[firewall.Packet]
|
||||
|
|
@ -481,9 +481,9 @@ func (f *Firewall) Destroy() {
|
|||
|
||||
func (f *Firewall) EmitStats() {
|
||||
conntrack := f.Conntrack
|
||||
conntrack.RLock()
|
||||
conntrack.Lock()
|
||||
conntrackCount := len(conntrack.Conns)
|
||||
conntrack.RUnlock()
|
||||
conntrack.Unlock()
|
||||
metrics.GetOrRegisterGauge("firewall.conntrack.count", nil).Update(int64(conntrackCount))
|
||||
metrics.GetOrRegisterGauge("firewall.rules.version", nil).Update(int64(f.rulesVersion))
|
||||
metrics.GetOrRegisterGauge("firewall.rules.hash", nil).Update(int64(f.GetRuleHashFNV()))
|
||||
|
|
@ -496,20 +496,6 @@ func (f *Firewall) inConns(fp firewall.Packet, h *HostInfo, caPool *cert.CAPool,
|
|||
}
|
||||
}
|
||||
conntrack := f.Conntrack
|
||||
|
||||
// Fast path: RLock for lookup only
|
||||
conntrack.RLock()
|
||||
c, ok := conntrack.Conns[fp]
|
||||
if !ok {
|
||||
conntrack.RUnlock()
|
||||
return false
|
||||
}
|
||||
|
||||
// Check if we need to validate against new rules (requires write lock)
|
||||
needsRulesCheck := c.rulesVersion != f.rulesVersion
|
||||
conntrack.RUnlock()
|
||||
|
||||
// Slow path: need write lock for expiry update and possibly rules check
|
||||
conntrack.Lock()
|
||||
|
||||
// Periodic purge instead of every lookup (major CPU savings)
|
||||
|
|
@ -522,14 +508,13 @@ func (f *Firewall) inConns(fp firewall.Packet, h *HostInfo, caPool *cert.CAPool,
|
|||
}
|
||||
}
|
||||
|
||||
// Re-check after acquiring write lock (entry may have been deleted)
|
||||
c, ok = conntrack.Conns[fp]
|
||||
c, ok := conntrack.Conns[fp]
|
||||
if !ok {
|
||||
conntrack.Unlock()
|
||||
return false
|
||||
}
|
||||
|
||||
if needsRulesCheck && c.rulesVersion != f.rulesVersion {
|
||||
if c.rulesVersion != f.rulesVersion {
|
||||
// This conntrack entry was for an older rule set, validate
|
||||
// it still passes with the current rule set
|
||||
table := f.OutRules
|
||||
|
|
|
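Review bot: The comment `// Re-check after acquiring write lock (entry may have been deleted)` kept above the new `c, ok := conntrack.Conns[fp]` in the fourth hunk is now stale, because the RLock fast-path lookup it referred to is removed in the third hunk and this is the first and only lookup. Replace it with `// Look up the entry under the write lock` or drop it. In the same way, deleting `// Slow path: ...` leaves `conntrack.Lock()` uncommented while the surviving `// Periodic purge instead of every lookup (major CPU savings)` still reads as part of the old fast/slow split; a one-line `// One lock covers lookup, expiry update and rules re-validation` above the Lock would document that the check is now atomic again. inConns begins before the third hunk and continues past the fourth, and EmitStats's closing brace is not shown in the second hunk.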
|||
13
inside.go
13
inside.go
|
|
@ -47,17 +47,8 @@ func (f *Interface) consumeInsidePackets(packets [][]byte, sizes []int, count in
|
|||
*batchPackets = (*batchPackets)[:0]
|
||||
*batchAddrs = (*batchAddrs)[:0]
|
||||
|
||||
// Get pooled slice for batched encryption (reduces allocations)
|
||||
preEncryptionBatchPtr := preEncryptionBatchPool.Get().(*[]preEncryptionPacket)
|
||||
preEncryptionBatch := (*preEncryptionBatchPtr)[:0]
|
||||
defer func() {
|
||||
// Clear references to allow GC and return to pool
|
||||
for i := range preEncryptionBatch {
|
||||
preEncryptionBatch[i] = preEncryptionPacket{}
|
||||
}
|
||||
*preEncryptionBatchPtr = preEncryptionBatch[:0]
|
||||
preEncryptionBatchPool.Put(preEncryptionBatchPtr)
|
||||
}()
|
||||
// Collect packets for batched encryption
|
||||
preEncryptionBatch := make([]preEncryptionPacket, 0, count)
|
||||
|
||||
// Process each packet in the batch
|
||||
for i := 0; i < count; i++ {
|
||||
|
|
|
|||
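Review bot: `preEncryptionBatch := make([]preEncryptionPacket, 0, count)` panics if count is negative, and the `for i := 0; i < count; i++` loop below presumably indexes packets and sizes by i, yet nothing in the hunk bounds count by their lengths and whether the caller guarantees this is not visible here. If callers already establish 0 <= count <= len(packets), record it in consumeInsidePackets's doc comment, e.g. `// count is the number of leading entries of packets and sizes to process and must not exceed their length.`; otherwise clamp with `count = min(count, len(packets), len(sizes))` before the allocation. Since the slice is now per-call rather than pooled, the explicit zeroing the removed defer did is no longer needed, but `// Collect packets for batched encryption` could say why the pool was dropped, as the commit message "undo some of that" does not. consumeInsidePackets starts before this hunk and continues after it.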