From 21ba0eeb1138f63c829db111815dad3ce8d287a4 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Thu, 30 May 2019 18:31:31 -0700 Subject: [PATCH] Set dropping mode after open so it is effective (#635) For a while, falco has set the inspector drop mode to 1, which should discard several classes of events that weren't necessary to use most falco rules. However, it was mistakenly being called before the inspector was opened, which meant it wasn't actually doing anything. Fix this by setting the dropping mode after the inspector open. On some spot testing on a moderately loaded environment, this results in a 30-40% drop in the number of system calls processed per second, and should result in a nice boost in performance. --- userspace/falco/falco.cpp | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/userspace/falco/falco.cpp b/userspace/falco/falco.cpp index fd1bc5ab5ff..6f2312efc55 100644 --- a/userspace/falco/falco.cpp +++ b/userspace/falco/falco.cpp @@ -856,7 +856,6 @@ int falco_init(int argc, char **argv) if(!all_events) { inspector->set_drop_event_flags(EF_DROP_FALCO); - inspector->start_dropping_mode(1); } if (describe_all_rules) @@ -964,6 +963,12 @@ int falco_init(int argc, char **argv) } } + // This must be done after the open + if(!all_events) + { + inspector->start_dropping_mode(1); + } + // If daemonizing, do it here so any init errors will // be returned in the foreground process. if (daemon && !g_daemonized) {