On Mon, 7 Nov 2011, Murphy, Brandon wrote:
I have noticed that using the omudpspoof action with the omudpspoof module enabled results in very slow forwards. I suspect this is due to the action of creating new sockets for each message being spoofed.
Yes, that would be the bottleneck.
I have noticed, that even if all the messages being forwarded via a omudpspoof action are from a single ip address, it creates new sockets for each message being forwarded. This results in very slow forwarding times. I believe it would be much quicker, if instead, a single socket is created for each unique source ip address, send all messages via the open socket, keep that session open for a given timeout (perhaps configurable), and if it remains idle for that timeframe, close it.
This approach would solve the problem, however the code to manage the open sockets would be significant. A large number of open, but idle sockets could cause grief for other processes trying to grab ephermeral ports.
The other approach, which would be faster and safer, would be to craft the raw packet directly rather than opening a socket and writing to it. This is probably simpler than managing (including expiring) a large population of sockets, but is far from trivial.
The current 'bind to a socket for every message' approach was implemented because it was the easiest one to do.
I attempted to speed up the forwarding process by limiting the spoof port start and end configuration options to a single port, but there was no noticeable increase in speed.
This would not make any difference (and would actually risk slowing things down if it can't re-use a port already in use)
David Lang _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com
