[24.10] - backport changes to snort3, vectorscan, and gperftools #27692
Conversation
|
I am closing your previous PR - #27667 , there was no need to open a new one. You just need to rebase your branch. :) Never mind, though. |
graysky2
force-pushed
the
snort3-backport
branch
from
2f9935c to
e6902f0
Compare
|
Thanks. I wanted to the the other one for diffing purposes. Seems like some of the CI failures are unrelated (failure to download Packages.gz or a bad signature) but one failure for x86/64 is due to a missing |
|
While looking at it, I am not sure how did you end up with this, because most of those gperftools commits are already in OpenWrt 24.10. |
graysky2
force-pushed
the
snort3-backport
branch
from
e6902f0 to
f9fb9b9
Compare
|
On my branch which was branched from Then to see the commits: I had to manually inspect each commit with |
BKPepe
force-pushed
the
snort3-backport
branch
from
f9fb9b9 to
df72186
Compare
Vectorscan is fork of Hyperscan, a high-performance multiple regex matching library. It follows the regular expression syntax of the commonly-used libpcre library, but is a standalone library with its own C API. Currently ARM NEON/ASIMD and Power VSX are 100% functional. ARM SVE2 support is in ongoing with access to hardware now. More platforms will follow in the future. The performance difference of snort3 compiled against this is sizable for aarch64 confirmed on two different SoCs: Test SoC #1 flogic/glinet_gl-mt6000 IDS mode: Download speed wo/ vectorscan: 91.2 ±0.21 Mbit/s (n=3) Download speed using vectorscan: 331.0 ±27.34 Mbit/s (n=3) Gain of 3.6x IPS mode: Download speed wo/ vectorscan: 30.0 ±0.06 Mbit/s (n=3) Download speed using vectorscan: 52.9 ±0.78 Mbit/s (n=3) Gain of 1.8x Notes: * Data generated on snapshot build on 12-Apr-2024 using kernel 6.6.26, snort 3.1.84.0, vectorscan 5.4.11. * Speedtest script hitting the same server. * Snort rules file of was 37,917 lines/22 MB. * In all cases, single core CPU saturation occurred which speaks to the efficiency gains supplied by vectorscan. Test Soc #2 bcm2712/RPi5B IPS mode: Download speed wo/ vectorscan: 164.3 ±0.64 Mbit/s (n=3) Download speed using vectorscan: 232.8 ±0.26 Mbit/s (n=3) Gain of 1.4x Notes: * Data generated on snapshot build on 13-Apr-2024 using kernel 6.1.86, snort 3.1.84.0, vectorscan 5.4.11. * Google fiber speedtest (https://fiber.google.com/speedtest/) hitting the same server. * Snort rules contained 39,801 rules/22 MB. * In all cases, single core CPU saturation occurred which speaks to the efficiency gains supplied by vectorscan. Build system: x86/64 Build-tested: flogic/glinet_gl-mt6000, bcm2712/RPi5B, x86/64-glibc Run-tested: flogic/glinet_gl-mt6000, bcm2712/RPi5B, x86/64-glibc (Intel N150 based box) Co-authored-by: Tianling Shen <[email protected]> Co-authored-by: Jeffery To <[email protected]> Signed-off-by: John Audia <[email protected]> (cherry picked from commit b6b2d1e)
There is no reason to have custom specific DEPENDS_COMMON, I dropped it and added it to DEPENDS. Simplified, easier to read and understand. Signed-off-by: Josef Schlehofer <[email protected]> (cherry picked from commit 3a6f31c)
The vectorscan-headers package installed headers to the target device, but headers are only needed during the build process (via Build/InstallDev). - Rename vectorscan-runtime to vectorscan to simplify things - Add ABI_VERSION:=5 to track library soname versioning Signed-off-by: Josef Schlehofer <[email protected]> (cherry picked from commit 8a3c7a6)
BKPepe
force-pushed
the
snort3-backport
branch
from
df72186 to
00450d3
Compare
|
Yes, there are definitely other and much more efficient ways to solve this, but we can't duplicate commits in the branch. Then we really won't be able to make sense of it anymore. And at the same time, we definitely can't bring breaking changes into the stable branch. You want to add vectorscan to the stable branch and simultaneously remove hyperscan. We can't do that without adding PROVIDES to hyperscan. The question is, what about the header packages. I'd gladly remove them, but again it's about breaking changes, but fortunately very few people use those headers/runtime packages. I wouldn't be worried about that. But I can't solve almost every pull request for you, that's not possible. |
3 participants
📦 Package Details
Maintainer: me
(You can find this by checking the history of the package
Makefile.)Description:
This PR is a backport of recent changes to
net/snort3/libs/gperftoolslibs/vectorscan. It also includes removinglibs/hyperscanand brings openwrt-24.10 into parity with main.Supersedes: #27667
🧪 Run Testing Details
I have not run tested on 24.10
✅ Formalities
If your PR contains a patch:
git am(e.g., subject line, commit description, etc.)
We must try to upstream patches to reduce maintenance burden.