Site Navigation

Date:      Fri, 29 Dec 2006 15:18:33 +0100
From:      Max Laier <max@love2party.net>
To:        freebsd-pf@freebsd.org
Cc:        Tai-hwa Liang <avatar@mmlab.cse.yzu.edu.tw>, csjp@freebsd.org
Subject:   Re: debug.mpsafenet=1 vs. user/group rules [Re: kern/106805: ...]
Message-ID:  <200612291518.39222.max@love2party.net>
In-Reply-To: <061229091759A.42827@www.mmlab.cse.yzu.edu.tw>
References:  <200612161335.kBGDZkMj012022@freefall.freebsd.org> <200612161709.48875.max@love2party.net> <061229091759A.42827@www.mmlab.cse.yzu.edu.tw>

---

next in thread | previous in thread | raw e-mail | index | archive | help

---

--nextPart4615191.fWbHb7xN1E
Content-Type: multipart/mixed;
  boundary="Boundary-01=_7OSlF3KQwzAfXmE"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

--Boundary-01=_7OSlF3KQwzAfXmE
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

Everybody,

I just put this in HEAD, a diff to RELENG_6 is attached.  Please follow=20
avatar's example and test and report back!

Just apply and put "options PF_MPSAFE_UGID" in your kernconf or=20
append "-DPF_MPSAFE_UGID" to your CFLAGS in make.conf.  The latter works=20
for the module build as well.  Don't forgot to turn debug.mpsafenet back=20
on.

I'd also be interested in the output of "pfctl -si", in particular the=20
match counter and the State searches in order to get a picture of your=20
traffic pattern and how the patch might impact on it.

On Friday 29 December 2006 02:21, Tai-hwa Liang wrote:
> On Sat, 16 Dec 2006, Max Laier wrote:
> [...]
>
> > The attached diff circumvents the problem by **always** doing the
> > credential lookup *before* walking the pf rules.  This has the
> > benefit, that it works (at least I think it should), but there is a
> > price to pay. Now we have to pay for the socket lookup for *every*
> > tcp and udp packet instead of just for those that really hit uid/gid
> > rules.  That's why I decided to make is a config option
> > "PF_MPFSAFE_UGID" which you can turn on if you are running a setup
> > that will benefit.  The patch turns it on for the module-built by
> > default.
> >
> > A possible scenario that should benefit is a big iron SMP box running
> > lot of services that you want to filter using *stateful* uid/gid
> > rules.  For this setup where a huge percentage of the packets that
> > are not captured by states eventually match a uid/gid rule, you will
> > even get added parallelism with this patch.
> >
> > On every other typical setup, it should be better to avoid user/group
> > rules or to disable mpsafenet.
> >
> > In order for this to hit the tree, I need tests confirming that it
> > really helps and possibly benchmarks that qualify the impact of it.=20
> > Thanks.
>
>    Your patch works great here.  The box in question never ran into a
> single lockup in the last 7 days.

Great - Thanks for the report!

=2D-=20
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

--Boundary-01=_7OSlF3KQwzAfXmE
Content-Type: text/x-diff; charset="iso-8859-1"; name="pf.ugid.RELENG_6.diff"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
	filename="pf.ugid.RELENG_6.diff"

Index: conf/NOTES
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /usr/store/mlaier/fcvs/src/sys/conf/NOTES,v
retrieving revision 1.1325.2.24
diff -u -r1.1325.2.24 NOTES
=2D-- conf/NOTES	21 Oct 2006 05:28:50 -0000	1.1325.2.24
+++ conf/NOTES	29 Dec 2006 14:08:48 -0000
@@ -626,6 +626,9 @@
 #  The `pflog' device provides the pflog0 interface which logs packets.
 #  The `pfsync' device provides the pfsync0 interface used for
 #   synchronization of firewall state tables (over the net).
+#  The PF_MPSAFE_UGID option enables a special workaround for a LOR with
+#   user/group rules that would otherwise lead to a deadlock.  This has
+#   performance implications and should be used with care.
 #
 # The PPP_BSDCOMP option enables support for compress(1) style entire
 # packet compression, the PPP_DEFLATE is for zlib/gzip style compression.
@@ -656,6 +659,7 @@
 device		pf			#PF OpenBSD packet-filter firewall
 device		pflog			#logging support interface for PF
 device		pfsync			#synchronization interface for PF
+options 	PF_MPSAFE_UGID		#Workaround LOR with user/group rules
 device		carp			#Common Address Redundancy Protocol
 device		ppp			#Point-to-point protocol
 options 	PPP_BSDCOMP		#PPP BSD-compress support
Index: conf/options
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /usr/store/mlaier/fcvs/src/sys/conf/options,v
retrieving revision 1.510.2.19
diff -u -r1.510.2.19 options
=2D-- conf/options	2 Sep 2006 13:12:08 -0000	1.510.2.19
+++ conf/options	29 Dec 2006 14:09:29 -0000
@@ -342,6 +342,7 @@
 DEV_PF			opt_pf.h
 DEV_PFLOG		opt_pf.h
 DEV_PFSYNC		opt_pf.h
+PF_MPSAFE_UGID		opt_pf.h
 ETHER_II		opt_ef.h
 ETHER_8023		opt_ef.h
 ETHER_8022		opt_ef.h
Index: contrib/pf/net/pf.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf.c,v
retrieving revision 1.34.2.4
diff -u -r1.34.2.4 pf.c
=2D-- contrib/pf/net/pf.c	19 Sep 2006 15:45:20 -0000	1.34.2.4
+++ contrib/pf/net/pf.c	29 Dec 2006 14:09:52 -0000
@@ -3016,6 +3016,12 @@
 		return (PF_DROP);
 	}
=20
+#if defined(__FreeBSD__) && defined(PF_MPSAFE_UGID)
+	PF_UNLOCK();
+	lookup =3D pf_socket_lookup(&uid, &gid, direction, pd, inp);
+	PF_LOCK();
+#endif
+
 	r =3D TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
=20
 	if (direction =3D=3D PF_OUT) {
@@ -3412,6 +3418,12 @@
 		return (PF_DROP);
 	}
=20
+#if defined(__FreeBSD__) && defined(PF_MPSAFE_UGID)
+	PF_UNLOCK();
+	lookup =3D pf_socket_lookup(&uid, &gid, direction, pd, inp);
+	PF_LOCK();
+#endif
+
 	r =3D TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
=20
 	if (direction =3D=3D PF_OUT) {

--Boundary-01=_7OSlF3KQwzAfXmE--

--nextPart4615191.fWbHb7xN1E
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (FreeBSD)

iD8DBQBFlSO/XyyEoT62BG0RAkzzAJ9BySU+aI0LmplSweBLEUYAQV4QmgCeN6ri
rw629AcquWT5EhsjCaLJ6Ic=
=14FC
-----END PGP SIGNATURE-----

--nextPart4615191.fWbHb7xN1E--

---

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200612291518.39222.max>

Legal Notices | © 1995-2024 The FreeBSD Project. All rights reserved.

Contact