[Snort-devel] THREAD_LOCAL

Russ Combs (rucombs) rucombs at ...3461...
Fri Jan 23 11:04:56 EST 2015

From: Sancho Panza [sancho at ...3553...]
Sent: Friday, January 23, 2015 10:26 AM
To: snort-devel at lists.sourceforge.net
Subject: [Snort-devel] THREAD_LOCAL

I am currently working myself through the source code of Snort++
I saw that there are quite a few variables are declared to be
"THREAD_LOCAL", for example

THREAD_LOCAL SnortConfig* snort_conf = nullptr;

Alas, this is only just a pointer, and I believe, that as soon as space
is allocated for that variable during parsing and initialisation, the
assignments made thereto are made with memory allocated on a per-process
level, not on a per-thread level.
Is this correct or am I missing something?
If I'm right, then what's the point of declaring snort_conf

* Fortunately, no, that is not correct.  Thread local is exactly that and set when the packet thread starts.  Generally, Snort++ uses thread local for state and process global for configuration.  snort_conf is a special case in that there is one instance of that struct shared by all threads but, because we can reload the configuration during run time, each thread has a pointer to the config so a simple pointer swap can be done between packets.

Suppose I want to write my own rule detection option MyOption (inhering
from IpsOption), is it safe to declare member variables inside MyOption
and modify those during eval() without having to fear the threads might
get in each others way, i.e. does every thread have its own instances of
every IpsOption?

* No, IpsOptions are instantiated as rules are parsed and should only hold configuration.  What kind of state information are you trying to update?  Is it per thread or per session?  If you really want global, you will need to synchronize access (which impacts performance).

Many thanks


New Year. New Location. New Benefits. New Data Center in Ashburn, VA.
GigeNET is offering a free month of service with a new server in Ashburn.
Choose from 2 high performing configs, both with 100TB of bandwidth.
Higher redundancy.Lower latency.Increased capacity.Completely compliant.
Snort-devel mailing list
Snort-devel at lists.sourceforge.net

Please visit http://blog.snort.org for the latest news about Snort!

More information about the Snort-devel mailing list