Multi-pattern regular expressions #496
Comments
krizhanovsky
modified the milestones:
1.2 TBD,
0.8 - Beta: TDBv0.2 & web cache eviction
|
Let's just integrate with hyperscan for now - hyperscan should be good for simple patterns. Also need to extend the tests for HTTPtables to use the regular expressions. |
|
I forked the repo https://github.com/tempesta-tech/linux-regex-module . The discussed TODO is
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Tempesta FW core must implement multi-pattern regular expressions to efficiently handle HTTP matching rules for filtering and configuration (see for example #471, #495, #530, #1544 with many ignored headers matching in #1550 for caching). Intel HyperScan can be used as reference or foundation for the feature.
ReDoS must be considered by the implementation. It seems limited or fully prohibited back and forward referencing and resource consumption in sense of #488 .
Should be done close or together with #732, since simple multi-pattern is a sub-task of multi-pattern regexps.
Since Tempesta FW deals with fields of parsed HTTP messages, in general we need (1) relatively simple regular expressions for (2) relatively short strings. E.g.
In most cases simple multipattern prefix/suffix is enough. Definitely no need for PCRE. However, there could be tens of
locationrules with simple regexps, so multi-pattern regexps still make sense.The only functionality requiring relatively large input data (up to tens kilobytes and hundreds bytes in average) and complex regexps is WAF filtering rules against User-Agent, URI, Cookie or other headers values.
These two cases must be separated:
The text was updated successfully, but these errors were encountered: