Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 25 Sep 2004 00:07:06 +0000
From:      "Christian S.J. Peron" <csjp@freebsd.org>
To:        current@freebsd.org
Subject:   [csjp@freebsd.org: fixes for ipfw and pf lock ordering issues]
Message-ID:  <20040925000705.GA3281@freefall.freebsd.org>

next in thread | raw e-mail | index | archive | help
----- Forwarded message from "Christian S.J. Peron" <csjp@freebsd.org> -----

From: "Christian S.J. Peron" <csjp@freebsd.org>
To: hackers@freebsd.org
Cc: max@love2party.net, freebsd-pf@freebsd.org, ipfw@freebsd.org
Date: Fri, 24 Sep 2004 22:37:54 +0000
Subject: fixes for ipfw and pf lock ordering issues

Good day folks, we need some beta testers

Currently, those who utilize ucred based firewalling, i.e. firewall
rules which match based on UID, GID or JAIL ID are subject to lock order
problems which often results in the system hard locking. (when giant
is not present ... debug.mpsafenet=1).

This problem affects all FreeBSD firewalls which implement ucred based
matching, namely ipfw and pf. The lock order problem exists due to a
layering violation which occurs when the IP stack attempts to acquire
locks within lower level stacks such as UDP and TCP.

Max Laier (mlaier@) and myself have been working together to solve this
problem. Together we have generated a set of diffs which do the following:

 o Add a pointer to a PCB to pfil_hooks
 o Modify existing pfil_hooks API to handle this extra argument
 o Modify the pf and ipfw firewalls to utilize this extra argument
   so that lookups on local outbound TCP and UDP traffic can
   be deactivated (removing the requirement for holding INP locks,
   which was a primary suspect for these lock ordering issues).
 o Implement a shared locking mechanism for firewall rule chain protection

The intended results of these changes are:

1) Remove the lock ordering issues which result in system hard locks
2) Avoid redundant PCB lookup overhead improving the overall performance
   of ucred based rule sets
3) Improving network and firewall parallelism, shared locks give the OS
   the ability to run multiple evaluation or rule check activations
   concurrently, which should increase the overall network throughput
   on devices which have ipfw or pf firewalls enabled (regardless
   of whether or not these rules contain ucred based constraints).

If anyone could help us test these changes that would be great:

download:
http://people.freebsd.org/~csjp/inp_pfil_fw_lor_fixes_shared_locks.1096053274.diff

cd /usr/src/sys
fetch http://people.freebsd.org/~csjp/inp_pfil_fw_lor_fixes_shared_locks.1096053274.diff
patch < inp_pfil_fw_lor_fixes_shared_locks.1096053274.diff

Recompile your kernel and any related pf or ipfw modules
add some user/group/jail based firewall rules

Remember, these are pretty beta so ... be gentle :)

-- 
Christian S.J. Peron
csjp@FreeBSD.ORG
FreeBSD Committer

----- End forwarded message -----

-- 
Christian S.J. Peron
csjp@FreeBSD.ORG
FreeBSD Committer



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040925000705.GA3281>