From owner-freebsd-pf@FreeBSD.ORG Fri Dec 29 12:57:41 2006
Date: Fri, 29 Dec 2006 09:21:18 +0800 (CST)
From: Tai-hwa Liang
To: Max Laier
Cc: csjp@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: debug.mpsafenet=1 vs. user/group rules [Re: kern/106805: ...]
In-Reply-To: <200612161709.48875.max@love2party.net>
Message-ID: <061229091759A.42827@www.mmlab.cse.yzu.edu.tw>
References: <200612161335.kBGDZkMj012022@freefall.freebsd.org> <200612161709.48875.max@love2party.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Sat, 16 Dec 2006, Max Laier wrote:

[...]

> The attached diff circumvents the problem by **always** doing the
> credential lookup *before* walking the pf rules. This has the benefit
> that it works (at least I think it should), but there is a price to pay.
> Now we have to pay for the socket lookup for *every* tcp and udp packet
> instead of just for those that really hit uid/gid rules. That's why I
> decided to make it a config option "PF_MPFSAFE_UGID" which you can turn
> on if you are running a setup that will benefit. The patch turns it on
> for the module build by default.
>
> A possible scenario that should benefit is a big iron SMP box running a lot
> of services that you want to filter using *stateful* uid/gid rules. For
> this setup, where a huge percentage of the packets that are not captured
> by states eventually match a uid/gid rule, you will even get added
> parallelism with this patch.
>
> On every other typical setup, it should be better to avoid user/group
> rules or to disable mpsafenet.
>
> In order for this to hit the tree, I need tests confirming that it really
> helps and possibly benchmarks that qualify the impact of it.

Thanks. Your patch works great here. The box in question never ran into a
single lockup in the last 7 days.

--
Thanks,
Tai-hwa Liang
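The thread's advice for a typical (unpatched) setup is to avoid user/group rules or to turn off mpsafenet. The script below is an added example, not code from the thread or from the pf project: it audits a ruleset for that combination. It runs on constructed `pfctl -sr`-style lines embedded inline; on a live box you would feed it the output of `pfctl -sr` and `sysctl -n debug.mpsafenet`. The keyword regex is an assumption about how pfctl prints user/group matches, not a parser of the full grammar.

```shell
#!/bin/sh
# Added example (not from the thread): flag rulesets that combine user/group
# rules with debug.mpsafenet=1, the setup the thread describes as risky
# without the PF_MPFSAFE_UGID patch.

# Constructed sample of `pfctl -sr` output; not taken from any real box.
SAMPLE_RULES='pass in quick on lo0 all
block drop in on em0 all
pass out on em0 proto tcp from any to any user 80 flags S/SA keep state
pass out on em0 proto udp from any to any group 5353 keep state
pass out on em0 proto tcp from any to any port = 22 user != 0'

# Count rules that carry a user or group match. Heuristic: the keyword must
# stand alone (start of line or after whitespace) and be followed by whitespace.
count_ugid_rules() {
    printf '%s\n' "$1" | grep -Ec '(^|[[:space:]])(user|group)[[:space:]]' || true
}

# Of those, count the stateful ones (the case the patch is meant to speed up).
count_stateful_ugid_rules() {
    printf '%s\n' "$1" | grep -E '(^|[[:space:]])(user|group)[[:space:]]' \
        | grep -Ec '(keep|modulate|synproxy) state' || true
}

# Verdict for a ruleset ($1) given the debug.mpsafenet value ($2).
# Assumes the kernel does not carry the PF_MPFSAFE_UGID change.
ugid_verdict() {
    rules=$1
    mpsafenet=$2
    n=$(count_ugid_rules "$rules")
    if [ "$n" -eq 0 ]; then
        echo "ok: no user/group rules"
    elif [ "$mpsafenet" = "1" ]; then
        echo "at-risk: $n user/group rule(s) with debug.mpsafenet=1"
    else
        echo "ok: $n user/group rule(s) with debug.mpsafenet=0"
    fi
}

# Stand-alone run over the constructed sample with mpsafenet enabled.
ugid_verdict "$SAMPLE_RULES" 1
echo "stateful user/group rules: $(count_stateful_ugid_rules "$SAMPLE_RULES")"
```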