Date: Sun, 28 Sep 2008 14:11:28 +0800
From: Ganbold <ganbold@micom.mng.net>
To: Robert Watson <rwatson@FreeBSD.org>
Cc: cvs-src@FreeBSD.org, src-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/netinet ip_fw2.c
Message-ID: <48DF2010.6030309@micom.mng.net>
In-Reply-To: <alpine.BSF.1.10.0809272032440.20117@fledge.watson.org>
References: <200809271014.m8RAENka041457@repoman.freebsd.org> <48DE5C4F.8040807@micom.mng.net> <alpine.BSF.1.10.0809272013380.20117@fledge.watson.org> <alpine.BSF.1.10.0809272032440.20117@fledge.watson.org>

Robert Watson wrote:
>
> On Sat, 27 Sep 2008, Robert Watson wrote:
>
>>>> Rather than shadowing global variable 'lookup' in
>>>> check_uidgid(), rename
>>>> it to ugid_lookupp. This should make debugging issues with ipfw uid
>>>> rules easier.
>>>
>>> Still panics:
>>
>> Something seems odd here, we may be looking at an ipfw bug. The goal
>> of passing down the inpcb is that ipfw doesn't have to look it up
>> (and hence avoids acquiring locks in ipfw on the outbound path) --
>> the stack arguments clearly show it held in ipfw, but locks are
>> acquired anyway. This particular change was purely cosmetic, but
>> I'll review the ipfw code more closely and see about a fix...
>
> Indeed -- when an inpcb doesn't have a socket, ipfw will go ahead and
> do a lookup for an inpcb even though one is passed down. I've
> committed a change that short-circuits that and marks the credential
> lookup as failed. Give it a try now?

Thanks a lot, Robert, it was indeed a simple, effective fix. So far no crash :)
With loads like pkg_adding emacs (which adds a bunch of other packages) on
plain CURRENT, downloading a FreeBSD ISO with axel (20 simultaneous
connections) through HTTP works fine here.

test# ipfw show
00040 1184006 673239338 allow ip from any to any uid root
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
65000 60 7426 allow ip from any to any
65535 0 0 deny ip from any to any
test#

Ganbold

>
> Robert N M Watson
> Computer Laboratory
> University of Cambridge

-- 
If it ain't broke, don't fix it.