Message-ID: <48DF2010.6030309@micom.mng.net>
Date: Sun, 28 Sep 2008 14:11:28 +0800
From: Ganbold
To: Robert Watson
References: <200809271014.m8RAENka041457@repoman.freebsd.org> <48DE5C4F.8040807@micom.mng.net>
Cc: cvs-src@FreeBSD.org, src-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/netinet ip_fw2.c

Robert Watson wrote:
>
> On Sat, 27 Sep 2008, Robert Watson wrote:
>
>>>> Rather than shadowing global variable 'lookup' in
>>>> check_uidgid(), rename
>>>> it to ugid_lookupp. This should make debugging issues with ipfw uid
>>>> rules easier.
>>>
>>> Still panics:
>>
>> Something seems odd here, we may be looking at an ipfw bug. The goal
>> of passing down the inpcb is that ipfw doesn't have to look it up
>> (and hence avoids acquiring locks in ipfw on the outbound path) --
>> the stack arguments clearly show it held in ipfw, but locks are
>> acquired anyway. This particular change was purely cosmetic, but
>> I'll review the ipfw code more closely and see about a fix...
>
> Indeed -- when an inpcb doesn't have a socket, ipfw will go ahead and
> do a lookup for an inpcb even though one is passed down. I've
> committed a change that short-circuits that and marks the credential
> lookup as failed. Give it a try now?

Thanks a lot, Robert, it was indeed a simple, effective fix. So far no crash :)
With loads like pkg_adding emacs (which adds a bunch of other packages) on
plain CURRENT, downloading a FreeBSD ISO with axel (20 simultaneous
connections) through http works fine here.

test# ipfw show
00040 1184006 673239338 allow ip from any to any uid root
00100       0         0 allow ip from any to any via lo0
00200       0         0 deny ip from any to 127.0.0.0/8
00300       0         0 deny ip from 127.0.0.0/8 to any
65000      60      7426 allow ip from any to any
65535       0         0 deny ip from any to any
test#

Ganbold

>
> Robert N M Watson
> Computer Laboratory
> University of Cambridge

--
If it ain't broke, don't fix it.