speed up


This topic contains 0 replies, has 1 voice, and was last updated by  ulli-um 10 years, 8 months ago.


    ulli-um
    Participant

    hi,

    can anybody help me to increase the speed of my function, because it is too slow… some packets are queued by the driver, and that causes me some management problems

    the function should decide whether the packet will be passed or denied


    // CPkgTunnel::isAllowed -- classifies one captured Ethernet frame against the
    // adapter's security level and then against the user-defined rule list.
    //
    // Parameters:
    //   Buffer    - the frame as delivered by the driver (m_IBuffer holds the raw
    //               Ethernet frame, m_dwDeviceFlags the direction it travels in)
    //   AdapterNr - index into Spec_Adapter_Rule for the adapter the frame belongs to
    //
    // Returns: the id of the deciding rule. A positive id means "allow", the
    // negated id means "deny" (see the RULE_ONLY_LOKAL and user-rule paths
    // below). If no user rule matches and the adapter is not in
    // SECURITY_LEVEL_GENERALY_BLOCK the function falls through to `ret`, which
    // is 0 on that path -- NOTE(review): how the caller reads 0 (allow? deny?)
    // is not visible here.
    //
    // NOTE(review): the listing is reproduced as extracted from the forum post:
    // the `for` header of the user-rule loop is truncated, and every
    // `SecurityRules` that is followed by a line starting with `.` was
    // presumably `SecurityRules[i]` (the `[i]` appears to have been swallowed
    // as a formatting tag).
    int CPkgTunnel::isAllowed(INTERMEDIATE_BUFFER *Buffer, unsigned char AdapterNr) { // returns the deciding rule id; negative ids mean the packet is denied

    bool failed=0;
    int ret=0;  // also the value returned when nothing below decides (see end)

    // Header pointers are derived purely from packet-controlled data.
    // NOTE(review): nothing here checks that the frame is long enough to hold
    // an Ethernet + IP + transport header before the fields are dereferenced,
    // and ip_hl (read from the packet) is used as an offset without checking
    // that it is >= 5 and stays inside the frame. A truncated or malformed
    // frame therefore reads beyond the valid data. Validate the buffer's frame
    // length and ip_hl before this point and return a deny code if the frame
    // is too short.
    ether_header* pEthHeader = (ether_header*)Buffer->m_IBuffer;
    iphdr* pIpHeader = (iphdr*)&Buffer->m_IBuffer[sizeof(ether_header)]; ;
    // NOTE(review): the trailing `+4` in the transport-header offset is not
    // explained anywhere in this listing. With a 14-byte ether_header and
    // ip_hl*4 bytes of IP header it would point 4 bytes INTO the TCP/UDP
    // header, so th_sport/th_dport below would not be the real ports -- confirm
    // against the ether_header/DWORD definitions actually in use.
    tcphdr* pTcpHeader = (tcphdr*)&Buffer->m_IBuffer[sizeof(ether_header)+sizeof(DWORD)*pIpHeader->ip_hl+4];;

    // Ethernet type dispatch: ARP/RARP get their own rule ids, only IPv4 is
    // examined further, anything else is reported as "no common packet".
    if(pEthHeader->h_proto==htons(ETH_P_ARP))
    return RULE_ARP_PACKET;

    else if(pEthHeader->h_proto==htons(ETH_P_RARP))
    return RULE_RARP_PACKET;

    else if(pEthHeader->h_proto==htons(ETH_P_IP))
    ;   // IPv4: fall through to the rule checks below
    else
    return RULE_NO_COMMON_PACKET;

    // Generally Security Level -- per-adapter policy, evaluated before any
    // user rule. BLOCK_ALL / ALLOW_ALL short-circuit; ONLY_LOKAL allows only
    // traffic whose source AND destination are both local addresses.
    if(Spec_Adapter_Rule[AdapterNr].SecurityLevel == SECURITY_LEVEL_BLOCK_ALL) return RULE_BLOCK_ALL;
    if(Spec_Adapter_Rule[AdapterNr].SecurityLevel == SECURITY_LEVEL_ALLOW_ALL) return RULE_ALLOW_ALL;
    if(Spec_Adapter_Rule[AdapterNr].SecurityLevel == SECURITY_LEVEL_ONLY_LOKAL) {
    if(isLocalIp((S_un_b*)&pIpHeader->ip_src.S_un.S_un_b) && isLocalIp((S_un_b*)&pIpHeader->ip_dst.S_un.S_un_b) )
    return RULE_ONLY_LOKAL;
    else
    return -1*RULE_ONLY_LOKAL;  // negated id == deny
    }

    // ICMP Security Rules -- delegated entirely to isICMPAllow().
    // NOTE(review): when isICMPAllow() returns 0 the deny branch returns
    // -1*0 == 0, so the sign convention used everywhere else is lost and the
    // caller cannot distinguish "ICMP denied" from the 0 that `return ret`
    // yields at the end of the function. The else branch returns the positive
    // id unchanged.
    if(pIpHeader->ip_p==IPPROTO_ICMP) {
    if(!(ret=isICMPAllow(Buffer, AdapterNr)))
    return -1*ret;
    else
    return ret;
    }

    // User defined Security Rules -- the first rule that matches decides.
    // NOTE(review): the loop header was cut off in the forum listing; the
    // condition after `i` (presumably an upper bound on the rule count) is
    // missing here.
    // Performance: this is a linear scan over every rule for every packet, and
    // the field comparisons themselves are cheap. Hashing does not fit rules
    // that use wildcards (ANY_*) and port ranges. What usually helps instead is
    // pre-filtering: keep the enabled rules bucketed per adapter / direction /
    // protocol so most packets only scan a short list, and keep the process
    // lookup (TDI->isAssociatedProcessCertificated, below) as the last, rarest
    // step -- it is likely the costliest thing in this loop.
    for(unsigned int i=0; i
    // a rule that does not match the packet is skipped with `continue`
    // NOTE(review): every `SecurityRules` below was presumably `SecurityRules[i]`.

    // Enabled ?
    if(!SecurityRules.status) continue;

    // right Adapter ?
    if(SecurityRules
    .interface_index != ANY_INTERFACE) // any
    if(SecurityRules
    .interface_index!=AdapterNr) continue;

    // right Direction?
    if(SecurityRules
    .direction != ANY_DIRECTION) // any
    if(Buffer->m_dwDeviceFlags!=SecurityRules
    .direction) continue;

    // right Protocol?
    if(SecurityRules
    .protocol != ANY_PROTOCOL) // any
    if(SecurityRules
    .protocol!=pIpHeader->ip_p) continue;

    // right ip?
    // NOTE(review): the sense of these memcmp tests looks inverted. memcmp()
    // returns 0 when the two addresses are EQUAL, so `if(!memcmp(...)) continue;`
    // skips the rule exactly when the packet's address matches the rule's
    // address -- the opposite of the port checks further down, which `continue`
    // when the port lies OUTSIDE the rule's range. Unless src_ip_addr /
    // dest_ip_addr are meant as exclusions, each test should read
    // `if(memcmp(...) != 0)`; the same applies to the `failed=1` assignments in
    // the both-directions branch.
    failed=0;
    if(SecurityRules
    .direction != ANY_DIRECTION) {
    if(SecurityRules
    .src_ip_addr != ANY_IP)
    if(!memcmp(SecurityRules
    .src_ip_addr,&pIpHeader->ip_src.S_un.S_un_b,sizeof(S_un_b))) continue;
    if(SecurityRules
    .dest_ip_addr!=ANY_IP)
    if(!memcmp(SecurityRules
    .dest_ip_addr,&pIpHeader->ip_dst.S_un.S_un_b,sizeof(S_un_b))) continue;

    } else { // check both directions: try the straight src/dest pairing first, then the swapped one

    if(SecurityRules
    .src_ip_addr != ANY_IP)
    if(!memcmp(SecurityRules
    .src_ip_addr,&pIpHeader->ip_src.S_un.S_un_b,sizeof(S_un_b))) failed=1;
    if(SecurityRules
    .dest_ip_addr!=ANY_IP)
    if(!memcmp(SecurityRules
    .dest_ip_addr,&pIpHeader->ip_dst.S_un.S_un_b,sizeof(S_un_b))) failed=1;

    if(failed) {
    failed=0;
    // swapped pairing: rule src against packet dst, rule dest against packet src
    if(SecurityRules
    .src_ip_addr != ANY_IP)
    if(!memcmp(SecurityRules
    .src_ip_addr,&pIpHeader->ip_dst.S_un.S_un_b,sizeof(S_un_b))) failed=1;
    if(SecurityRules
    .dest_ip_addr!=ANY_IP)
    if(!memcmp(SecurityRules
    .dest_ip_addr,&pIpHeader->ip_src.S_un.S_un_b,sizeof(S_un_b))) failed=1;

    if(failed) continue;
    }
    }


    //right Ports?
    // NOTE(review): th_sport/th_dport are read for every IPv4 packet whatever
    // ip_p is. For UDP the ports sit at the same offsets so this happens to
    // work, but for other protocols (and for non-first IP fragments, which
    // carry no transport header at all) a rule with a port range compares
    // against whatever bytes happen to be there. Guard with
    // `pIpHeader->ip_p == IPPROTO_TCP || pIpHeader->ip_p == IPPROTO_UDP` and a
    // zero fragment offset before trusting these fields.
    failed=0;

    if(SecurityRules
    .direction != ANY_DIRECTION) {
    if(SecurityRules
    .src_port_from != ANY_PORT)
    if(SecurityRules
    .src_port_from > ntohs(pTcpHeader->th_sport) ||
    SecurityRules
    .src_port_to < ntohs(pTcpHeader->th_sport)) continue;
    if(SecurityRules
    .dest_port_from != ANY_PORT)
    if(SecurityRules
    .dest_port_from > ntohs(pTcpHeader->th_dport) ||
    SecurityRules
    .dest_port_to < ntohs(pTcpHeader->th_dport)) continue;

    } else { // check both directions: straight pairing first, then swapped
    if(SecurityRules
    .src_port_from != ANY_PORT)
    if(SecurityRules
    .src_port_from > ntohs(pTcpHeader->th_sport) ||
    SecurityRules
    .src_port_to < ntohs(pTcpHeader->th_sport)) failed=1;
    if(SecurityRules
    .dest_port_from != ANY_PORT)
    if(SecurityRules
    .dest_port_from > ntohs(pTcpHeader->th_dport) ||
    SecurityRules
    .dest_port_to < ntohs(pTcpHeader->th_dport)) failed=1;

    if(failed) {
    failed=0;
    // swapped pairing: rule src range against packet dport, rule dest range against packet sport
    if(SecurityRules
    .src_port_from != ANY_PORT)
    if(SecurityRules
    .src_port_from > ntohs(pTcpHeader->th_dport) ||
    SecurityRules
    .src_port_to < ntohs(pTcpHeader->th_dport)) failed=1;
    if(SecurityRules
    .dest_port_from != ANY_PORT)
    if(SecurityRules
    .dest_port_from > ntohs(pTcpHeader->th_sport) ||
    SecurityRules
    .dest_port_to < ntohs(pTcpHeader->th_sport)) failed=1;

    if(failed) continue;
    }
    }


    // Port identifying the local endpoint: destination port for incoming
    // frames, source port otherwise.
    unsigned short localPort = Buffer->m_dwDeviceFlags==RULE_INCOMING ? ntohs(pTcpHeader->th_dport) : ntohs(pTcpHeader->th_sport);

    // Rules bound to a specific program (hash != ANY_HASH) additionally require
    // the process owning the local port to be the certified one; otherwise the
    // rule does not apply to this packet.
    // NOTE(review): this lookup runs for every hash-bound rule that survives
    // the cheap checks above, before the packet is decided -- a likely hot
    // spot when the rule list is long.
    if(strcmp(SecurityRules
    .hash,ANY_HASH) != 0)
    if(!TDI->isAssociatedProcessCertificated((_PROTOCOL)pIpHeader->ip_p,(unsigned int)localPort))
    continue;


    // allow or deny: ruleType 0 denies (negated id), anything else allows
    if(!SecurityRules
    .ruleType)
    return -1*(SecurityRules
    .id); // forbidden
    else
    return SecurityRules
    .id; // allow
    }

    // No user rule matched: deny if the adapter's default policy is "block",
    // otherwise fall through with ret (0 on this path).
    if(Spec_Adapter_Rule[AdapterNr].SecurityLevel == SECURITY_LEVEL_GENERALY_BLOCK)
    return RULE_GENERALY_BLOCK;

    return ret;

    }

    is it possible to compare the rule and the packet by creating a hash and comparing that?? would it be faster?

    how would you do it??

    THANKS
    ulli

