From owner-freebsd-pf@FreeBSD.ORG Fri Dec 29 14:18:45 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 762A616A412 for ; Fri, 29 Dec 2006 14:18:45 +0000 (UTC) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.179]) by mx1.freebsd.org (Postfix) with ESMTP id DBFA913C455 for ; Fri, 29 Dec 2006 14:18:44 +0000 (UTC) (envelope-from max@love2party.net) Received: from [88.64.182.75] (helo=amd64.laiers.local) by mrelayeu.kundenserver.de (node=mrelayeu6) with ESMTP (Nemesis), id 0ML29c-1H0IZD441y-0007uW; Fri, 29 Dec 2006 15:18:43 +0100 From: Max Laier Organization: FreeBSD To: freebsd-pf@freebsd.org Date: Fri, 29 Dec 2006 15:18:33 +0100 User-Agent: KMail/1.9.4 References: <200612161335.kBGDZkMj012022@freefall.freebsd.org> <200612161709.48875.max@love2party.net> <061229091759A.42827@www.mmlab.cse.yzu.edu.tw> In-Reply-To: <061229091759A.42827@www.mmlab.cse.yzu.edu.tw> X-Face: ,,8R(x[kmU]tKN@>gtH1yQE4aslGdu+2]; R]*pL,U>^H?)gW@49@wdJ`H<=?utf-8?q?=25=7D*=5FBD=0A=09U=5For=3D=5CmOZf764=26nYj=3DJYbR1PW0ud?=>|!~,,CPC.1-D$FG@0h3#'5"k{V]a~.<=?utf-8?q?mZ=7D44=23Se=7Em=0A=09Fe=7E=5C=5DX5B=5D=5Fxj?=(ykz9QKMw_l0C2AQ]}Ym8)fU MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart4615191.fWbHb7xN1E"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200612291518.39222.max@love2party.net> X-Provags-ID: kundenserver.de abuse@kundenserver.de login:61c499deaeeba3ba5be80f48ecc83056 Cc: Tai-hwa Liang , csjp@freebsd.org Subject: Re: debug.mpsafenet=1 vs. user/group rules [Re: kern/106805: ...] X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Dec 2006 14:18:45 -0000 --nextPart4615191.fWbHb7xN1E Content-Type: multipart/mixed; boundary="Boundary-01=_7OSlF3KQwzAfXmE" Content-Transfer-Encoding: 7bit Content-Disposition: inline --Boundary-01=_7OSlF3KQwzAfXmE Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline Everybody, I just put this in HEAD, a diff to RELENG_6 is attached. Please follow=20 avatar's example and test and report back! Just apply and put "options PF_MPSAFE_UGID" in your kernconf or=20 append "-DPF_MPSAFE_UGID" to your CFLAGS in make.conf. The latter works=20 for the module build as well. Don't forgot to turn debug.mpsafenet back=20 on. I'd also be interested in the output of "pfctl -si", in particular the=20 match counter and the State searches in order to get a picture of your=20 traffic pattern and how the patch might impact on it. On Friday 29 December 2006 02:21, Tai-hwa Liang wrote: > On Sat, 16 Dec 2006, Max Laier wrote: > [...] > > > The attached diff circumvents the problem by **always** doing the > > credential lookup *before* walking the pf rules. This has the > > benefit, that it works (at least I think it should), but there is a > > price to pay. Now we have to pay for the socket lookup for *every* > > tcp and udp packet instead of just for those that really hit uid/gid > > rules. That's why I decided to make is a config option > > "PF_MPFSAFE_UGID" which you can turn on if you are running a setup > > that will benefit. The patch turns it on for the module-built by > > default. > > > > A possible scenario that should benefit is a big iron SMP box running > > lot of services that you want to filter using *stateful* uid/gid > > rules. For this setup where a huge percentage of the packets that > > are not captured by states eventually match a uid/gid rule, you will > > even get added parallelism with this patch. > > > > On every other typical setup, it should be better to avoid user/group > > rules or to disable mpsafenet. > > > > In order for this to hit the tree, I need tests confirming that it > > really helps and possibly benchmarks that qualify the impact of it.=20 > > Thanks. > > Your patch works great here. The box in question never ran into a > single lockup in the last 7 days. Great - Thanks for the report! =2D-=20 /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News --Boundary-01=_7OSlF3KQwzAfXmE Content-Type: text/x-diff; charset="iso-8859-1"; name="pf.ugid.RELENG_6.diff" Content-Transfer-Encoding: quoted-printable Content-Disposition: attachment; filename="pf.ugid.RELENG_6.diff" Index: conf/NOTES =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/conf/NOTES,v retrieving revision 1.1325.2.24 diff -u -r1.1325.2.24 NOTES =2D-- conf/NOTES 21 Oct 2006 05:28:50 -0000 1.1325.2.24 +++ conf/NOTES 29 Dec 2006 14:08:48 -0000 @@ -626,6 +626,9 @@ # The `pflog' device provides the pflog0 interface which logs packets. # The `pfsync' device provides the pfsync0 interface used for # synchronization of firewall state tables (over the net). +# The PF_MPSAFE_UGID option enables a special workaround for a LOR with +# user/group rules that would otherwise lead to a deadlock. This has +# performance implications and should be used with care. # # The PPP_BSDCOMP option enables support for compress(1) style entire # packet compression, the PPP_DEFLATE is for zlib/gzip style compression. @@ -656,6 +659,7 @@ device pf #PF OpenBSD packet-filter firewall device pflog #logging support interface for PF device pfsync #synchronization interface for PF +options PF_MPSAFE_UGID #Workaround LOR with user/group rules device carp #Common Address Redundancy Protocol device ppp #Point-to-point protocol options PPP_BSDCOMP #PPP BSD-compress support Index: conf/options =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/conf/options,v retrieving revision 1.510.2.19 diff -u -r1.510.2.19 options =2D-- conf/options 2 Sep 2006 13:12:08 -0000 1.510.2.19 +++ conf/options 29 Dec 2006 14:09:29 -0000 @@ -342,6 +342,7 @@ DEV_PF opt_pf.h DEV_PFLOG opt_pf.h DEV_PFSYNC opt_pf.h +PF_MPSAFE_UGID opt_pf.h ETHER_II opt_ef.h ETHER_8023 opt_ef.h ETHER_8022 opt_ef.h Index: contrib/pf/net/pf.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf.c,v retrieving revision 1.34.2.4 diff -u -r1.34.2.4 pf.c =2D-- contrib/pf/net/pf.c 19 Sep 2006 15:45:20 -0000 1.34.2.4 +++ contrib/pf/net/pf.c 29 Dec 2006 14:09:52 -0000 @@ -3016,6 +3016,12 @@ return (PF_DROP); } =20 +#if defined(__FreeBSD__) && defined(PF_MPSAFE_UGID) + PF_UNLOCK(); + lookup =3D pf_socket_lookup(&uid, &gid, direction, pd, inp); + PF_LOCK(); +#endif + r =3D TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); =20 if (direction =3D=3D PF_OUT) { @@ -3412,6 +3418,12 @@ return (PF_DROP); } =20 +#if defined(__FreeBSD__) && defined(PF_MPSAFE_UGID) + PF_UNLOCK(); + lookup =3D pf_socket_lookup(&uid, &gid, direction, pd, inp); + PF_LOCK(); +#endif + r =3D TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); =20 if (direction =3D=3D PF_OUT) { --Boundary-01=_7OSlF3KQwzAfXmE-- --nextPart4615191.fWbHb7xN1E Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (FreeBSD) iD8DBQBFlSO/XyyEoT62BG0RAkzzAJ9BySU+aI0LmplSweBLEUYAQV4QmgCeN6ri rw629AcquWT5EhsjCaLJ6Ic= =14FC -----END PGP SIGNATURE----- --nextPart4615191.fWbHb7xN1E--