Date: Fri, 29 Dec 2006 09:21:18 +0800 (CST) From: Tai-hwa Liang <avatar@mmlab.cse.yzu.edu.tw> To: Max Laier <max@love2party.net> Cc: csjp@freebsd.org, freebsd-pf@freebsd.org Subject: Re: debug.mpsafenet=1 vs. user/group rules [Re: kern/106805: ...] Message-ID: <061229091759A.42827@www.mmlab.cse.yzu.edu.tw> In-Reply-To: <200612161709.48875.max@love2party.net> References: <200612161335.kBGDZkMj012022@freefall.freebsd.org> <200612161709.48875.max@love2party.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, 16 Dec 2006, Max Laier wrote: [...] > The attached diff circumvents the problem by **always** doing the > credential lookup *before* walking the pf rules. This has the benefit, > that it works (at least I think it should), but there is a price to pay. > Now we have to pay for the socket lookup for *every* tcp and udp packet > instead of just for those that really hit uid/gid rules. That's why I > decided to make is a config option "PF_MPFSAFE_UGID" which you can turn > on if you are running a setup that will benefit. The patch turns it on > for the module-built by default. > > A possible scenario that should benefit is a big iron SMP box running lot > of services that you want to filter using *stateful* uid/gid rules. For > this setup where a huge percentage of the packets that are not captured > by states eventually match a uid/gid rule, you will even get added > parallelism with this patch. > > On every other typical setup, it should be better to avoid user/group > rules or to disable mpsafenet. > > In order for this to hit the tree, I need tests confirming that it really > helps and possibly benchmarks that qualify the impact of it. Thanks. Your patch works great here. The box in question never ran into a single lockup in the last 7 days. -- Thanks, Tai-hwa Liang
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?061229091759A.42827>