krizhanovsky
commented
4 months ago Let's just integrate with hyperscan for now - hyperscan should be good for simple patterns.
Also need to extend the tests for HTTPtables to use the regular expressions.
Open krizhanovsky opened 8 years ago
krizhanovsky
commented
4 months ago Let's just integrate with hyperscan for now - hyperscan should be good for simple patterns.
Also need to extend the tests for HTTPtables to use the regular expressions.
krizhanovsky
commented
2 months ago I forked the repo https://github.com/tempesta-tech/linux-regex-module . The discussed TODO is
biathlon3
commented
1 month ago
Tempesta FW core must implement multi-pattern regular expressions to efficiently handle HTTP matching rules for filtering and configuration (see for example #471, #495, #530, #1544 with many ignored headers matching in #1550 for caching). Intel HyperScan can be used as reference or foundation for the feature.
ReDoS must be considered by the implementation. It seems limited or fully prohibited back and forward referencing and resource consumption in sense of #488 .
Should be done close or together with #732, since simple multi-pattern is a sub-task of multi-pattern regexps.
Since Tempesta FW deals with fields of parsed HTTP messages, in general we need (1) relatively simple regular expressions for (2) relatively short strings. E.g.
In most cases simple multipattern prefix/suffix is enough. Definitely no need for PCRE. However, there could be tens of
locationrules with simple regexps, so multi-pattern regexps still make sense.The only functionality requiring relatively large input data (up to tens kilobytes and hundreds bytes in average) and complex regexps is WAF filtering rules against User-Agent, URI, Cookie or other headers values.
These two cases must be separated: