Date: Sun, 17 Dec 2006 08:58:49 +1300
From: Andrew Thompson <thompsa@freebsd.org>
To: Max Laier <max@love2party.net>
Cc: avatar@mmlab.cse.yzu.edu.tw, csjp@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: debug.mpsafenet=1 vs. user/group rules [Re: kern/106805: ...]
Message-ID: <20061216195849.GA52916@heff.fud.org.nz>
In-Reply-To: <200612161709.48875.max@love2party.net>
References: <200612161335.kBGDZkMj012022@freefall.freebsd.org> <200612161709.48875.max@love2party.net>
On Sat, Dec 16, 2006 at 05:09:42PM +0100, Max Laier wrote:
> Okay, spoken too quick ... I just had an idea (enlightenment you might say,
> given the time of year) that might finally rid us of this symptom (not of
> the problem though).
>
> The attached diff circumvents the problem by **always** doing the
> credential lookup *before* walking the pf rules. This has the benefit
> that it works (at least I think it should), but there is a price to pay.
> Now we have to pay for the socket lookup for *every* tcp and udp packet
> instead of just for those that really hit uid/gid rules. That's why I
> decided to make it a config option "PF_MPFSAFE_UGID" which you can turn
> on if you are running a setup that will benefit. The patch turns it on
> for the module build by default.

Is it possible to keep a reference count of the number of uid/gid rules and
perform the lookup early if it is non-zero?

Andrew
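The counter Andrew proposes, worked out as an added illustration (this is not pf code and not from either poster): a ruleset keeps a running count of loaded rules that carry a user/group clause, the count is maintained on every rule add and remove, and the per-packet socket lookup is done up front only while the count is non-zero. All type, field and function names, the toy socket table and the "last matching rule wins" semantics are assumptions made for the example.

```c
/* Added illustration, not FreeBSD pf code: count the loaded rules that test
 * socket credentials so the expensive lookup runs only when it can matter.
 * Every name here is an assumption for the example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define MAX_RULES 16
#define NO_CRED UINT32_MAX            /* "this rule does not test the field" */

struct rule {
    uint16_t dport;                   /* destination port to match, 0 = any */
    uint32_t uid, gid;                /* NO_CRED = not tested */
    bool     pass;
};

struct ruleset {
    struct rule rules[MAX_RULES];
    size_t   nrules;
    unsigned ugid_rules;              /* rules with a uid or gid clause */
};

/* Constructed stand-in for the kernel's socket (inpcb) table. */
struct sock { uint16_t lport; uint32_t uid, gid; };
static const struct sock socktab[] = { { 22, 0, 0 }, { 8080, 1001, 1001 } };
static unsigned lookups;              /* how often the costly lookup ran */

static bool rule_uses_cred(const struct rule *r)
{
    return r->uid != NO_CRED || r->gid != NO_CRED;
}

bool ruleset_add(struct ruleset *rs, struct rule r)
{
    if (rs->nrules == MAX_RULES)
        return false;
    rs->rules[rs->nrules++] = r;
    if (rule_uses_cred(&r))
        rs->ugid_rules++;             /* maintained on every load ... */
    return true;
}

bool ruleset_remove(struct ruleset *rs, size_t idx)
{
    if (idx >= rs->nrules)
        return false;
    if (rule_uses_cred(&rs->rules[idx]))
        rs->ugid_rules--;             /* ... and on every unload */
    for (size_t i = idx + 1; i < rs->nrules; i++)
        rs->rules[i - 1] = rs->rules[i];
    rs->nrules--;
    return true;
}

/* Recount from scratch; lets a consistency check catch a drifted counter. */
unsigned ruleset_recount_ugid(const struct ruleset *rs)
{
    unsigned n = 0;
    for (size_t i = 0; i < rs->nrules; i++)
        n += rule_uses_cred(&rs->rules[i]);
    return n;
}

static bool socket_lookup(uint16_t lport, uint32_t *uid, uint32_t *gid)
{
    lookups++;
    for (size_t i = 0; i < sizeof socktab / sizeof socktab[0]; i++)
        if (socktab[i].lport == lport) {
            *uid = socktab[i].uid;
            *gid = socktab[i].gid;
            return true;
        }
    return false;
}

/* Verdict for one inbound packet to local port dport (default deny). */
bool ruleset_test(const struct ruleset *rs, uint16_t dport)
{
    uint32_t uid = NO_CRED, gid = NO_CRED;
    bool have_cred = false, pass = false;

    /* Look the socket up before walking the rules, but only when some
     * loaded rule can actually consume the result. */
    if (rs->ugid_rules > 0)
        have_cred = socket_lookup(dport, &uid, &gid);

    for (size_t i = 0; i < rs->nrules; i++) {
        const struct rule *r = &rs->rules[i];
        if (r->dport && r->dport != dport)
            continue;
        if (r->uid != NO_CRED && (!have_cred || r->uid != uid))
            continue;
        if (r->gid != NO_CRED && (!have_cred || r->gid != gid))
            continue;
        pass = r->pass;               /* last matching rule wins */
    }
    return pass;
}

/* Run npkts packets through the ruleset and report the lookups they cost. */
unsigned count_lookups(struct ruleset *rs, unsigned npkts)
{
    lookups = 0;
    for (unsigned i = 0; i < npkts; i++)
        ruleset_test(rs, i % 2 ? 22 : 8080);
    return lookups;
}
```

With no uid/gid rule loaded, `count_lookups` stays at zero however many packets pass; the moment one such rule is added every packet pays for exactly one lookup, and removing it drops the cost back to zero. In a real kernel the add and remove paths would run under the ruleset lock, so the counter would only need to be read, not locked, on the packet path.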
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20061216195849.GA52916>