[hipl-dev] [Bug 647006] Re: firewall: inefficient port to LSI mapping

  • From: Stefan Götz <647006@xxxxxxxxxxxxxxxxxx>
  • To: hipl-dev@xxxxxxxxxxxxx
  • Date: Sat, 13 Nov 2010 09:14:24 -0000

** Changed in: hipl
       Status: Fix Committed => Fix Released

-- 
firewall: inefficient port to LSI mapping
https://bugs.launchpad.net/bugs/647006
You received this bug notification because you are a member of HIPL core
team, which is subscribed to HIPL.

Status in Host Identity Protocol for Linux: Fix Released

Bug description:
(It seems to me that) the firewall needs to map ports with incoming traffic to 
LSIs. This mapping is implemented via a hash table in the file 
firewall/cache_port.c. This implementation is inefficient in several ways:

1) The hash table key is a 20-byte string that consists of the ASCII-converted 
port and an ASCII-representation of the protocol (e.g. "6415_tcp"). The binary 
representation would be much more efficient in space and time because these 
ASCII-representations need to be calculated for every lookup. The conversion 
from protocol to ASCII uses an unnecessary memcpy().
The binary representation of { port, protocol } takes up 3 bytes and could be 
supplied directly to the hash table, which internally uses hashes of 
sizeof(long) bytes. An optimization would be to arrange the key as { protocol, 
port } so that the bits that can be expected to differ the most form the 
low order bits of the hash value.

2) The current hash function hip_firewall_port_hash_key() performs a SHA1 hash 
over the ASCII-representation of { port, protocol }. This is only necessary to 
convert the ASCII-representation from 1) back into a binary format, adding 
another step of wasted computation.

3) The current hash function hip_firewall_port_hash_key() performs the SHA1 
hash not over the full ASCII-representation of { port, protocol } but only over 
the first byte of it, leading to at most 10 distinct hash values.
