** Changed in: hipl
       Status: Fix Committed => Fix Released

--
firewall: inefficient port to LSI mapping
https://bugs.launchpad.net/bugs/647006
You received this bug notification because you are a member of HIPL core team, which is subscribed to HIPL.

Status in Host Identity Protocol for Linux: Fix Released

Bug description:
(It seems to me that) the firewall needs to map ports with incoming traffic to LSIs. This mapping is implemented via a hash table in the file firewall/cache_port.c. This implementation is inefficient in several ways:

1) The hash table key is a 20-byte string that consists of the ASCII-converted port and an ASCII-representation of the protocol (e.g. "6415_tcp"). The binary representation would be much more efficient in space and time because these ASCII-representations need to be calculated for every lookup. The conversion from protocol to ASCII uses an unnecessary memcpy(). The binary representation of { port, protocol } takes up 3 bytes and could be supplied directly to the hash table, which internally uses hashes of sizeof(long) bytes. An optimization would be to arrange the key as { protocol, port } so that the bits that can be expected to differ the most form the low order bits of the hash value.

2) The current hash function hip_firewall_port_hash_key() performs a SHA1 hash over the ASCII-representation of { port, protocol }. This is only necessary to convert the ASCII-representation from 1) back into a binary format, adding another step of wasted computation.

3) The current hash function hip_firewall_port_hash_key() performs the SHA1 hash not over the full ASCII-representation of { port, protocol } but only over the first byte of it, leading to at most 10 distinct hash values.
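The effect described in points 1) and 3), as an added example that is not part of the bug report and is not HIPL code: it compares how many buckets get used when only the first byte of the ASCII key reaches the hash versus when a binary { protocol, port } key is used directly. The function names, the table size of 1024 and the use of the raw first byte as a stand-in for its SHA1 digest are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROTO_TCP 6     /* IANA protocol numbers */
#define PROTO_UDP 17
#define NBUCKETS  1024  /* constructed table size for this demo */

typedef unsigned long (*hash_fn)(uint8_t proto, uint16_t port);

/* Proposed key: protocol in the high bits, port in the low bits, no ASCII step. */
static unsigned long binary_key(uint8_t proto, uint16_t port)
{
    return ((unsigned long) proto << 16) | port;
}

/* Model of points 1) and 3): build "<port>_<proto>" and let only its first
 * byte reach the hash. The byte itself stands in for SHA1 of that byte,
 * since no function of one decimal digit can yield more distinct values. */
static unsigned long first_byte_key(uint8_t proto, uint16_t port)
{
    char key[20];
    snprintf(key, sizeof(key), "%u_%s", (unsigned) port,
             proto == PROTO_TCP ? "tcp" : "udp");
    return (unsigned char) key[0];
}

/* Count how many buckets are occupied after inserting every port once. */
static unsigned buckets_used(hash_fn h, uint8_t proto)
{
    static unsigned char seen[NBUCKETS];
    unsigned used = 0;
    memset(seen, 0, sizeof(seen));
    for (unsigned port = 0; port <= 0xFFFF; port++) {
        unsigned long b = h(proto, (uint16_t) port) % NBUCKETS;
        if (!seen[b]) { seen[b] = 1; used++; }
    }
    return used;
}

int main(void)
{
    printf("first-byte hash: %u of %d buckets used\n",
           buckets_used(first_byte_key, PROTO_TCP), NBUCKETS);
    printf("binary key:      %u of %d buckets used\n",
           buckets_used(binary_key, PROTO_TCP), NBUCKETS);
    return 0;
}
```

With only 10 occupied buckets, the 65536 TCP ports pile into chains of thousands of entries each, so every lookup degrades toward a linear scan.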