Cloudflare gave everyone a 30-minute break from a chunk of the internet yesterday: Here's how they did it

theblackhand

Re: This is an important lesson in the testability of regular expressions

My guess is the pipeline is something along the lines of:

- write a rule

- validate rule and add to rulebase

- check rulebase in monitor mode against pre-canned test traffic

- check rulebase in enforce mode against pre-canned test traffic

- check rulebase in monitor mode against sample traffic containing items to block

- check rulebase in enforce mode against sample traffic containing items to block

- check rulebase in monitor mode against production traffic for select customers

- check rulebase in enforce mode against production test traffic for select customers

- deploy to production

This is based largely on (historical?) Google checks for firewall rule changes. As long as the hit counts/device health stats don't show anything scary, everything should be good.

I wonder if the canned/sample traffic didn't trigger CPU usage in quite the same way (i.e. in small doses the checks remain in CPU caches but as traffic rises above X it starts to cause high latency with memory reads and the CPU is left waiting) or resulted in additional CPU to fully process the rule with some production traffic (repeated calls to a script possibly?) that wasn't fully considered.
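The monitor/enforce staging described in the comment above, written out as an added example harness (not Cloudflare's or The Register's code, and not the rule from the outage, which the comment does not quote). The rulebase, rule names, traffic corpora and the 5 ms per-rule budget are all constructed for the example. The point it shows is the one the commenter raises: a rule with a pathological regex passes a short pre-canned corpus in both modes, and only a stage whose traffic contains the backtracking-inducing shape makes the time budget trip.

```python
import re
import time
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical rule-pipeline harness (added example). It runs a rulebase in
# "monitor" mode (log only) or "enforce" mode (block) over a corpus of request
# payloads and records the worst evaluation time per rule, so a rule that
# backtracks badly is flagged before it reaches production traffic.


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: str  # Python regex syntax; the rules below are constructed


@dataclass(frozen=True)
class Verdict:
    rule: str
    payload: str
    action: str  # "log" in monitor mode, "block" in enforce mode
    elapsed_ms: float


def run_rulebase(rules: List[Rule], traffic: List[str], mode: str) -> Tuple[List[Verdict], Dict[str, float]]:
    """Evaluate every payload against the rulebase.

    Returns the verdicts and a map of rule name -> worst observed search time (ms).
    In monitor mode every rule runs so hit counts are complete; in enforce mode the
    first matching rule blocks the payload and later rules are skipped.
    """
    if mode not in ("monitor", "enforce"):
        raise ValueError(f"unknown mode {mode!r}")
    compiled = [(rule, re.compile(rule.pattern)) for rule in rules]
    verdicts: List[Verdict] = []
    worst_ms: Dict[str, float] = {rule.name: 0.0 for rule in rules}
    for payload in traffic:
        for rule, rx in compiled:
            t0 = time.perf_counter()
            hit = rx.search(payload) is not None
            elapsed = (time.perf_counter() - t0) * 1000.0
            worst_ms[rule.name] = max(worst_ms[rule.name], elapsed)
            if hit:
                action = "log" if mode == "monitor" else "block"
                verdicts.append(Verdict(rule.name, payload, action, elapsed))
                if mode == "enforce":
                    break
    return verdicts, worst_ms


def rules_over_budget(worst_ms: Dict[str, float], budget_ms: float) -> List[str]:
    """Names of rules whose worst observed search time exceeded the budget."""
    return sorted(name for name, ms in worst_ms.items() if ms > budget_ms)


def pipeline_check(rules: List[Rule], traffic: List[str], budget_ms: float = 5.0) -> List[str]:
    """One pipeline stage: run monitor then enforce over the same corpus and
    report the rules that blew the per-rule time budget in either mode."""
    _, worst_monitor = run_rulebase(rules, traffic, "monitor")
    _, worst_enforce = run_rulebase(rules, traffic, "enforce")
    merged = {name: max(worst_monitor[name], worst_enforce[name]) for name in worst_monitor}
    return rules_over_budget(merged, budget_ms)


# Constructed rulebase. "sqli_union" is a plain linear-time pattern. "slow_nested"
# is a deliberately pathological nested quantifier used only to show what the
# budget check catches; it stands in for any rule whose cost explodes on the
# wrong input shape.
RULES = [
    Rule("sqli_union", r"(?i)union\s+select"),
    Rule("slow_nested", r"^(a+)+$"),
]

# Constructed traffic. The pre-canned corpus is short, so the slow rule fails on
# its first character every time and looks cheap. The stress corpus adds one
# payload of the shape that forces it to backtrack exponentially.
CANNED_TRAFFIC = [
    "GET /index.html HTTP/1.1",
    "q=1 UNION SELECT password FROM users",
    "user=alice&theme=dark",
]
STRESS_TRAFFIC = CANNED_TRAFFIC + ["a" * 22 + "!"]


if __name__ == "__main__":
    for mode in ("monitor", "enforce"):
        verdicts, _ = run_rulebase(RULES, CANNED_TRAFFIC, mode)
        print(mode, [(v.rule, v.action) for v in verdicts])
    print("over budget on canned traffic:", pipeline_check(RULES, CANNED_TRAFFIC))
    print("over budget on stress traffic:", pipeline_check(RULES, STRESS_TRAFFIC))
```

The harness times each `search` call rather than the whole request so the offending rule is named in the report; a stage that only watches aggregate hit counts and host CPU, as the comment's pipeline does, sees the cost only once enough of the bad shape is in the traffic mix. Note also that monitor mode costs more CPU per request than enforce mode here, because nothing short-circuits, so a monitor-stage pass on canned traffic is no evidence that the enforce stage is safe on different traffic.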
