From: Andrew Thompson <thompsa@freebsd.org>
To: Max Laier
Cc: avatar@mmlab.cse.yzu.edu.tw, csjp@freebsd.org, freebsd-pf@freebsd.org
Date: Sun, 17 Dec 2006 08:58:49 +1300
Subject: Re: debug.mpsafenet=1 vs. user/group rules [Re: kern/106805: ...]
Message-ID: <20061216195849.GA52916@heff.fud.org.nz>
In-Reply-To: <200612161709.48875.max@love2party.net>
References: <200612161335.kBGDZkMj012022@freefall.freebsd.org> <200612161709.48875.max@love2party.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Sat, Dec 16, 2006 at 05:09:42PM +0100, Max Laier wrote:
> Okay, spoken too quick ... I just had an idea (enlightenment you might say,
> given the time of year), that might finally rid us of this symptom
> (not of the problem though).
>
> The attached diff circumvents the problem by **always** doing the
> credential lookup *before* walking the pf rules. This has the benefit
> that it works (at least I think it should), but there is a price to pay.
> Now we have to pay for the socket lookup for *every* tcp and udp packet
> instead of just for those that really hit uid/gid rules. That's why I
> decided to make it a config option "PF_MPFSAFE_UGID" which you can turn
> on if you are running a setup that will benefit. The patch turns it on
> for the module build by default.

Is it possible to keep a reference count of the number of uid/gid rules and
perform the lookup early if it is non-zero?

Andrew
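The two strategies under discussion, the always-lookup option Max describes and the rule-count gate Andrew suggests, side by side as an added example. This is a user-space model written for this page, not FreeBSD pf code; every name in it (`ugid_rule_count`, `filter_always_lookup`, `filter_counted_lookup`, the `rule` and `packet` structs) is invented, the socket lookup is a stub that only records that it was called, and the rule walk keeps pf's last-matching-rule-wins semantics in simplified form. The point it makes concrete is the cost Max mentions: with no uid/gid rules loaded, the always strategy still performs one lookup per TCP/UDP packet, while the counted strategy performs none until such a rule is loaded, and the count is maintained on the rule-load path rather than the packet path.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical user-space model; not FreeBSD pf code. All names are invented. */

#define NO_ID (-1)

struct rule {
    int proto;   /* 6 = TCP, 17 = UDP, 0 = any protocol */
    int uid;     /* NO_ID when the rule does not match on uid */
    int gid;     /* NO_ID when the rule does not match on gid */
    bool pass;   /* true = pass, false = block */
};

struct packet {
    int proto;
    int sock_uid;   /* what a socket lookup would return for this packet */
    int sock_gid;
};

/* Number of loaded rules that match on uid or gid. Maintained on the
 * rule-load path so the packet path can skip the lookup when it is 0. */
static int ugid_rule_count;
/* Instrumentation: how many socket lookups the packet path performed. */
static int socket_lookups;

static bool rule_needs_ugid(const struct rule *r)
{
    return r->uid != NO_ID || r->gid != NO_ID;
}

/* Rule-load path: recompute the count whenever a ruleset is installed. */
void ruleset_load(const struct rule *rules, size_t n)
{
    ugid_rule_count = 0;
    for (size_t i = 0; i < n; i++)
        if (rule_needs_ugid(&rules[i]))
            ugid_rule_count++;
}

/* Stand-in for the credential lookup; it only records that it ran. */
static void socket_lookup(const struct packet *p, int *uid, int *gid)
{
    socket_lookups++;
    *uid = p->sock_uid;
    *gid = p->sock_gid;
}

/* Walk the rules with credentials already resolved (NO_ID if they were not).
 * Last matching rule wins, as in pf. */
static bool walk(const struct rule *rules, size_t n, const struct packet *p,
                 int uid, int gid)
{
    bool verdict = false;
    for (size_t i = 0; i < n; i++) {
        const struct rule *r = &rules[i];
        if (r->proto != 0 && r->proto != p->proto) continue;
        if (r->uid != NO_ID && r->uid != uid) continue;
        if (r->gid != NO_ID && r->gid != gid) continue;
        verdict = r->pass;
    }
    return verdict;
}

/* Strategy A (always lookup): resolve credentials for every TCP/UDP packet
 * before the walk, whether or not any rule can use them. */
bool filter_always_lookup(const struct rule *rules, size_t n, const struct packet *p)
{
    int uid = NO_ID, gid = NO_ID;
    if (p->proto == 6 || p->proto == 17)
        socket_lookup(p, &uid, &gid);
    return walk(rules, n, p, uid, gid);
}

/* Strategy B (counted lookup): only pay for the lookup when at least one
 * loaded rule matches on uid or gid. */
bool filter_counted_lookup(const struct rule *rules, size_t n, const struct packet *p)
{
    int uid = NO_ID, gid = NO_ID;
    if (ugid_rule_count > 0 && (p->proto == 6 || p->proto == 17))
        socket_lookup(p, &uid, &gid);
    return walk(rules, n, p, uid, gid);
}

int lookups_so_far(void) { return socket_lookups; }
void reset_lookups(void) { socket_lookups = 0; }
int ugid_rules_loaded(void) { return ugid_rule_count; }

int main(void)
{
    /* Constructed sample ruleset with no uid/gid rules and three packets. */
    struct rule plain[] = { {6, NO_ID, NO_ID, true}, {17, NO_ID, NO_ID, false} };
    struct packet tcp = {6, 0, 0}, udp = {17, 1000, 1000}, icmp = {1, 0, 0};
    ruleset_load(plain, 2);
    reset_lookups();
    filter_always_lookup(plain, 2, &tcp);
    filter_always_lookup(plain, 2, &udp);
    filter_always_lookup(plain, 2, &icmp);
    printf("always:  %d lookups with %d uid/gid rules\n", lookups_so_far(), ugid_rules_loaded());
    reset_lookups();
    filter_counted_lookup(plain, 2, &tcp);
    filter_counted_lookup(plain, 2, &udp);
    filter_counted_lookup(plain, 2, &icmp);
    printf("counted: %d lookups with %d uid/gid rules\n", lookups_so_far(), ugid_rules_loaded());
    return 0;
}
```

The count is updated where rules are installed, not per packet, which is what makes the gate cheap: the packet path reads one integer before deciding whether to do the lookup, and the lookup still happens before the rule walk in the case that needs it, so the ordering property the patch relies on is preserved.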