Hello, I'm currently testing a code implementing AF_PACKET bypass for Suricata. The idea is that Suricata is updating a hash table containing a list of flows it does not want to see anymore.
I want to check flow timeout from the userspace, so my current algorithm is doing:

    while (bpf_get_next_key(mapfd, &key, &next_key) == 0) {
        bpf_lookup_elem(mapfd, &next_key, &value);
        FlowCallback(mapfd, &next_key, &value, data);
        key = next_key;
    }

In the FlowCallback, I check the timing in the flow entry and I remove the key if the flow has timed out. This is currently working well when there are only a few flows, but on a real system with a lot of insertions in the table, the loop never returns because we dequeue slower than we enqueue.

Is there a better algorithm or another way to do it?

BR,
--
Eric Leblond <e...@regit.org>
Blog: https://home.regit.org/
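Added illustration, not code from the thread or from Suricata: a constructed in-memory stand-in for the flow map (the `flow_map`, `slot_of` and `map_*` names are mine, not the bpf() API) that models the hash-map rule that a cursor key which no longer exists restarts the walk from the first entry, plus a two-phase sweep that only records expired keys while walking and deletes them afterwards, so the key handed back to get_next_key is never one that was just removed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Constructed stand-in for a BPF hash map (not the bpf() API): a flat table
 * of slots walked in slot order, the way the kernel walks its buckets. */
#define MAP_SIZE 8
struct flow_entry { bool live; uint32_t key; uint64_t last_seen; };
static struct flow_entry flow_map[MAP_SIZE];
static int slot_of(uint32_t key) {             /* -1 if key is not in the map */
    for (int i = 0; i < MAP_SIZE; i++)
        if (flow_map[i].live && flow_map[i].key == key) return i;
    return -1;
}
/* Like BPF_MAP_GET_NEXT_KEY on a hash map: a cursor key that no longer exists
 * (slot_of() == -1) restarts the walk from the first live entry. */
static int map_get_next_key(const uint32_t *key, uint32_t *next_key) {
    for (int i = key ? slot_of(*key) + 1 : 0; i < MAP_SIZE; i++)
        if (flow_map[i].live) { *next_key = flow_map[i].key; return 0; }
    return -1;                                 /* no further key (ENOENT) */
}
static int map_update_elem(uint32_t key, uint64_t last_seen) {
    int i = slot_of(key);
    if (i < 0) for (i = 0; i < MAP_SIZE && flow_map[i].live; i++) {}
    if (i >= MAP_SIZE) return -1;              /* table full */
    flow_map[i] = (struct flow_entry){ true, key, last_seen };
    return 0;
}
static void map_delete_elem(uint32_t key) {
    int i = slot_of(key);
    if (i >= 0) flow_map[i].live = false;
}
/* Two phases: walk the map recording expired keys, then delete them. The cursor
 * is never a deleted key, so the walk is never reset and ends after one pass. */
static int sweep_expired(uint64_t now, uint64_t timeout) {
    uint32_t cur, next, expired[MAP_SIZE];
    const uint32_t *cursor = NULL;
    int n = 0;
    while (map_get_next_key(cursor, &next) == 0) {
        int i = slot_of(next);
        if (i >= 0 && now - flow_map[i].last_seen > timeout) expired[n++] = next;
        cur = next; cursor = &cur;
    }
    for (int i = 0; i < n; i++) map_delete_elem(expired[i]);
    return n;
}
int main(void) {                               /* constructed sample: 3 flows, 2 stale */
    map_update_elem(10, 100); map_update_elem(20, 950); map_update_elem(30, 200);
    return printf("expired %d flows\n", sweep_expired(1000, 300)) < 0;
}
```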