On 03/19/2009 08:54 PM, Amos Jeffries wrote:
> At present dstdomain handles a raw-IP hostname by performing rDNS and
> testing against the domains list.
>
> This causes major performance loss on systems with multiple dstdomain
> ACLs. Since each one does its own rDNS lookup :(
>
>
> I'd like some opinions please on how we can change this:
>
> 1) additional field in HttpRequest for the rDNS name. Set at first need.
rDNS does not seem related to HttpRequest so it is better to keep
HttpRequest out of this if possible.
> 2) change raw-IP hostname to rDNS when we get that info.
rDNS name may not resolve back to the same raw IP so it seems like
replacing is dangerous/wrong. Besides, some ACLs may match raw IPs so it
is probably bad to remove that information from ACL point of view as well.
> 3) add rDNS as additional field to Checklist data, set at first need.
Modifying something in ACL world sounds like the right solution because
that's where the performance bug is. I do not know if it is sufficient
to cache rDNS lookup in ACLFilledChecklist but it sounds like it should
be enough.
> 4) drop rDNS and match on raw-IP string directly.
rDNS checks are probably too valuable for many users to drop them.
In summary, unless you hear otherwise from ACL experts, let's do #3 if
we can and #1 if we must.
HTH,
Alex.
Received on Fri Mar 20 2009 - 20:37:49 MDT
This archive was generated by hypermail 2.2.0 : Sat Mar 21 2009 - 12:00:03 MDT