From: Paul Allen
To: Julian Elischer
Cc: freebsd-net@freebsd.org, freebsd-arch@freebsd.org, freebsd-current@freebsd.org, Robert Watson, freebsd-pf@freebsd.org
Date: Fri, 20 Jul 2007 12:12:01 -0700
Subject: Re: Attention pf/ipfw users with uid/gid/jail rules (Re: Reminder: NET_NEEDS_GIANT, debug.mpsafenet going away in 7.0)
Message-ID: <20070720191201.GE5504@regurgitate.ugcs.caltech.edu>
In-Reply-To: <46A100C2.1030606@elischer.org>
References: <20070717131518.G1177@fledge.watson.org> <200707172342.39082.max@love2party.net> <20070720111539.U1096@fledge.watson.org> <46A100C2.1030606@elischer.org>

From Julian Elischer, Fri, Jul 20, 2007 at 11:36:50AM -0700:
> Robert Watson wrote:
> >
> > On Tue, 17 Jul 2007, Max Laier wrote:
> >
> > So far I have had 0 (zero) reports of problems since this thread began.
> > Could people using uid/gid/jail rules with ipfw or pf on 7.x *please*
> > try running their firewalls without debug.mpsafenet -- ignore the
> > witness warnings and/or disable witness, and let us know if you
> > experience deadlocks. We're reaching the very end of the merge cycle
> > for 7.0, and I would really like to remove the Giant crutches (now
> > effectively unused) from the network stack so it's not part of the
> > ABI/API, the code is simplified and cleaned up, etc.

Wasn't there a clear solution to the uid/gid problem involving flip-pages:
eliminate the pf lock by forcing reconfigurations to build a parallel
data structure and then perform an atomic operation to exchange the
pointers. AFAIK, Max's patch was just an ugly hack and it isn't really
suitable for performance reasons.

What's the state of MAC for the networking stack? Are we able to restrict
particular uids to listening only on particular ports?
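The "flip-pages" scheme Paul describes (build a complete parallel table on reconfiguration, then publish it with a single atomic pointer exchange so the packet path never takes the rule lock) is sketched below as an added, user-space C11 illustration. It is not pf code and not anything from this thread: the rule struct, the fixed-size table, and the function names `ruleset_install`, `ruleset_lookup` and `ruleset_retire` are all assumptions made for the example. The one part the pattern does not solve by itself is reclamation of the old table, which is flagged in the comments rather than implemented.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RULES 8

/* Hypothetical uid-based rule: shape chosen for this example, not pf's. */
typedef struct rule {
    unsigned int   uid;    /* socket owner uid the rule applies to */
    unsigned short port;   /* local port the rule covers */
    bool           allow;  /* verdict when uid and port both match */
} rule_t;

/* A ruleset is immutable once published; updates build a new one. */
typedef struct ruleset {
    size_t nrules;
    rule_t rules[MAX_RULES];
} ruleset_t;

/* The single pointer the packet path reads. No lock is ever taken around it. */
static _Atomic(ruleset_t *) active_ruleset = NULL;

/*
 * Reconfiguration path: copy the rules into a freshly allocated table and
 * swap it in with one atomic exchange. The previous table is handed back via
 * *old so the caller can retire it. Returns 0 on success, -1 on failure (the
 * active ruleset is left untouched on failure).
 */
int ruleset_install(const rule_t *rules, size_t n, ruleset_t **old)
{
    if (n > MAX_RULES)
        return -1;
    ruleset_t *fresh = calloc(1, sizeof *fresh);
    if (fresh == NULL)
        return -1;
    memcpy(fresh->rules, rules, n * sizeof *rules);
    fresh->nrules = n;
    /* Release ordering: readers that see the new pointer see a complete table. */
    *old = atomic_exchange_explicit(&active_ruleset, fresh, memory_order_acq_rel);
    return 0;
}

/*
 * Packet path: one acquire load gives a consistent snapshot; the whole match
 * runs against that snapshot even if a reconfiguration lands meanwhile.
 * dflt is returned when no rule matches (or no ruleset is loaded yet).
 */
bool ruleset_lookup(unsigned int uid, unsigned short port, bool dflt)
{
    ruleset_t *rs = atomic_load_explicit(&active_ruleset, memory_order_acquire);
    if (rs == NULL)
        return dflt;
    for (size_t i = 0; i < rs->nrules; i++) {
        if (rs->rules[i].uid == uid && rs->rules[i].port == port)
            return rs->rules[i].allow;
    }
    return dflt;
}

/*
 * Retiring the old table is the hard part the exchange does not cover: a
 * reader may still be walking it. In-kernel this needs a grace period
 * (epoch/RCU-style quiescence) before free(); this single-threaded demo
 * frees immediately, which is only safe because no reader is concurrent.
 */
void ruleset_retire(ruleset_t *old)
{
    free(old);
}

int main(void)
{
    /* Constructed sample rules: uid 1001 may use port 80 but not port 22. */
    const rule_t v1[] = { { 1001, 80, true }, { 1001, 22, false } };
    ruleset_t *old = NULL;

    if (ruleset_install(v1, 2, &old) != 0)
        return 1;
    printf("uid 1001 port 80: %s\n", ruleset_lookup(1001, 80, false) ? "allow" : "deny");
    printf("uid 1001 port 22: %s\n", ruleset_lookup(1001, 22, true) ? "allow" : "deny");

    /* Reconfigure: the new table replaces the old one in a single exchange. */
    const rule_t v2[] = { { 1001, 80, false } };
    if (ruleset_install(v2, 1, &old) != 0)
        return 1;
    ruleset_retire(old);
    printf("uid 1001 port 80 after reload: %s\n",
           ruleset_lookup(1001, 80, true) ? "allow" : "deny");
    return 0;
}
```

The point the demo makes is that the exchange itself is cheap and lock-free for readers; the cost of the scheme is deferred reclamation of the retired table, which is where a real implementation inside the network stack has to do the careful work.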