Date: Sat, 25 Sep 2004 00:07:06 +0000
From: "Christian S.J. Peron" <csjp@freebsd.org>
To: current@freebsd.org
Subject: [csjp@freebsd.org: fixes for ipfw and pf lock ordering issues]
Message-ID: <20040925000705.GA3281@freefall.freebsd.org>
----- Forwarded message from "Christian S.J. Peron" <csjp@freebsd.org> -----

From: "Christian S.J. Peron" <csjp@freebsd.org>
To: hackers@freebsd.org
Cc: max@love2party.net, freebsd-pf@freebsd.org, ipfw@freebsd.org
Date: Fri, 24 Sep 2004 22:37:54 +0000
Subject: fixes for ipfw and pf lock ordering issues

Good day folks, we need some beta testers.

Currently, those who utilize ucred based firewalling, i.e. firewall rules which match based on UID, GID or JAIL ID, are subject to lock order problems which often result in the system hard locking (when Giant is not present ... debug.mpsafenet=1). This problem affects all FreeBSD firewalls which implement ucred based matching, namely ipfw and pf.

The lock order problem exists due to a layering violation which occurs when the IP stack attempts to acquire locks within lower level stacks such as UDP and TCP.

Max Laier (mlaier@) and I have been working together to solve this problem. Together we have generated a set of diffs which do the following:

o Add a pointer to a PCB to pfil_hooks
o Modify the existing pfil_hooks API to handle this extra argument
o Modify the pf and ipfw firewalls to utilize this extra argument so that lookups on local outbound TCP and UDP traffic can be deactivated (removing the requirement for holding INP locks, which was a primary suspect for these lock ordering issues).
o Implement a shared locking mechanism for firewall rule chain protection

The intended results of these changes are:

1) Remove the lock ordering issues which result in system hard locks
2) Avoid redundant PCB lookup overhead, improving the overall performance of ucred based rule sets
3) Improve network and firewall parallelism: shared locks give the OS the ability to run multiple evaluation or rule check activations concurrently, which should increase the overall network throughput on devices which have ipfw or pf firewalls enabled (regardless of whether or not these rules contain ucred based constraints).
If anyone could help us test these changes, that would be great:

download: http://people.freebsd.org/~csjp/inp_pfil_fw_lor_fixes_shared_locks.1096053274.diff

cd /usr/src/sys
fetch http://people.freebsd.org/~csjp/inp_pfil_fw_lor_fixes_shared_locks.1096053274.diff
patch < inp_pfil_fw_lor_fixes_shared_locks.1096053274.diff

Recompile your kernel and any related pf or ipfw modules, then add some user/group/jail based firewall rules.

Remember, these are pretty beta so ... be gentle :)

-- 
Christian S.J. Peron
csjp@FreeBSD.ORG
FreeBSD Committer

----- End forwarded message -----

-- 
Christian S.J. Peron
csjp@FreeBSD.ORG
FreeBSD Committer