Skip to content

Support for JIT option for PCRE2 #2840

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Dec 8, 2022
Merged

Support for JIT option for PCRE2 #2840

merged 1 commit into from
Dec 8, 2022

Conversation

martinhsv
Copy link
Contributor

As with legacy PCRE, you need to include --enable-pcre-jit during the configure step to use this functionality.

@S0obi
Copy link

S0obi commented Dec 7, 2022
edited
Loading

Hey @martinhsv, thanks for this PR. Are you advising to use this flag in Modsec installations ? Did you notice any interesting gains in term of performance ? Any downsides ? Thanks in advance.

@airween
Copy link
Member

airween commented Dec 7, 2022

Did you notice any interesting gains in term of performance ?

There is a small project which emulates the behavior of @rx operator, both for mod_security2 and libmodsecurity3: msc_retest (please note, that this link points to a not-merged separated branch).

With this, you can try the performance (actually only in case of libmodsecurity3 - but I'm sure you will be able to compare the performance, and want to use the flag 😃). For more information see the attached README, or this article.

@martinhsv
Copy link
Contributor Author

Hi @S0obi ,

I did not attempt to quantify the performance gains here -- much depends on the regular expressions that are being used and the strings that are matched against them. However, most installations would see some benefit (or at worst no performance reduction) in using the jit option.

(One exception to this could be if most of the regular expressions being used for matching are generated at runtime (for example by including "%{}" variables in the pattern). Since the extra up-front processing would not happen only once at startup, there is at least a chance that the any efficiency improvement during the match might be exceeded by the compile costs.)

@martinhsv
Copy link
Contributor Author

I am likely to merge this is soon, as is.

One extra thing to note is that actually making use of the PCRE2 JIT functionality depends not only on setting this option during the ModSecurity configure step, but that PCRE2 itself was built with the JIT option specified (it is not the default).

If you specify --with-pcre2 --enable-pcre-jit while configuring ModSecurity but your build of PCRE2 does not support JIT, nothing bad will happen. Processing in ModSecurity will fall back to non-JIT matching.

But, ModSecurity's configure step will not currently warn you that what you have asked for is not available. That would be a good enhancement that I will try to take a look at.

@martinhsv martinhsv merged commit 76ce55a into owasp-modsecurity:v2/master Dec 8, 2022
@martinhsv martinhsv added the 2.x Related to ModSecurity version 2.x label Dec 14, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
2.x Related to ModSecurity version 2.x
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@martinhsv @S0obi @airween