Add some meaningless benchmark tests (reporting under 74 ns?)

NHAS · May 4, 2023 · e19d348 · e19d348
1 parent c248f2c
commit e19d348
Show file tree

Hide file tree

Showing 5 changed files with 52 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -422,7 +422,7 @@ For example:
 ```
 All users will be able to access `22/tcp` on the `10.0.1.1/32` host, but users in the `group:users` will be able to access `443/tcp` on that host as well, along with `22/tcp` when authorized.  
 
-It is **important to note** that this will not compose subnet matches, i.e rules that apply to `10.0.0.0/16` will not apply to `10.0.1.1/32` as the more specific route rule takes preference. 
+It is **important to note** that this will not compose subnet matches, i.e rules that apply to `10.0.0.0/16` will not apply to `10.0.1.1/32` as the more specific route rule takes preference.   
 
 It is possible to define what services a user can access by defining port and protocol rules.  
 Currently 3 types of port and protocol rules are supported:  

diff --git a/internal/router/bpf_bpfeb.o b/internal/router/bpf_bpfeb.o
diff --git a/internal/router/bpf_bpfel.o b/internal/router/bpf_bpfel.o
diff --git a/internal/router/ebpf_test.go b/internal/router/ebpf_test.go
@@ -1290,6 +1290,54 @@ func TestLookupDifferentKeyTypesInMap(t *testing.T) {
 
 }
 
+func BenchmarkGeneralRun(b *testing.B) {
+
+	if err := setup("../config/test_port_based_rules.json"); err != nil {
+		b.Fatal(err)
+	}
+	defer xdpObjects.Close()
+
+	out, err := addDevices()
+	if err != nil {
+		b.Fatal(err)
+	}
+
+	packet := createPacket(net.ParseIP(out[0].Address), net.ParseIP("10.10.10.10"), routetypes.TCP, 8082)
+
+	b.ResetTimer()
+	_, duration, err := xdpObjects.bpfPrograms.XdpWagFirewall.Benchmark(packet, b.N, nil)
+	if err != nil {
+		b.Fatalf("program failed %s", err)
+	}
+
+	b.ReportMetric(float64(duration), "ns/op")
+
+}
+
+func BenchmarkGeneralDenyRun(b *testing.B) {
+
+	if err := setup("../config/test_port_based_rules.json"); err != nil {
+		b.Fatal(err)
+	}
+	defer xdpObjects.Close()
+
+	out, err := addDevices()
+	if err != nil {
+		b.Fatal(err)
+	}
+
+	packet := createPacket(net.ParseIP(out[0].Address), net.ParseIP("10.10.10.10"), routetypes.TCP, 9999)
+
+	b.ResetTimer()
+	_, duration, err := xdpObjects.bpfPrograms.XdpWagFirewall.Benchmark(packet, b.N, nil)
+	if err != nil {
+		b.Fatalf("program failed %s", err)
+	}
+
+	b.ReportMetric(float64(duration), "ns/op")
+
+}
+
 func getInnerMap(username string, m *ebpf.Map) (*ebpf.Map, error) {
 	var innerMapID ebpf.MapID
 	userid := sha1.Sum([]byte(username))

diff --git a/internal/router/xdp.c b/internal/router/xdp.c
@@ -477,7 +477,7 @@ static __always_inline int conntrack(struct ip *ip_info)
         return 0;
     }
 
-    // Our userland defined inactivity timeout
+    // // Our userland defined inactivity timeout
     __u32 index = 0;
     __u64 *inactivity_timeout = bpf_map_lookup_elem(&inactivity_timeout_minutes, &index);
     if (inactivity_timeout == NULL)
@@ -544,7 +544,8 @@ static __always_inline int conntrack(struct ip *ip_info)
             {
                 // MFA restrictions take precedence, so if we match an MFA policy under this route
                 // Then we can fail/succeed fast
-                // If device does not belong to a locked account and the device itself isnt locked and if it isnt timed out
+
+                // If device does not belong to a locked account, the device itself isnt locked and if it isnt timed out
                 return (!*isAccountLocked && !isTimedOut && current_device->sessionExpiry != 0 &&
                         // If either max session lifetime is disabled, or it is before the max lifetime of the session
                         (current_device->sessionExpiry == __UINT64_MAX__ || currentTime < current_device->sessionExpiry));