Date: Sat, 16 Dec 2006 22:23:30 +0100
From: Max Laier <max@love2party.net>
To: Andrew Thompson <thompsa@freebsd.org>
Cc: avatar@mmlab.cse.yzu.edu.tw, csjp@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: debug.mpsafenet=1 vs. user/group rules [Re: kern/106805: ...]
Message-ID: <200612162223.37089.max@love2party.net>
In-Reply-To: <20061216195849.GA52916@heff.fud.org.nz>
References: <200612161335.kBGDZkMj012022@freefall.freebsd.org> <200612161709.48875.max@love2party.net> <20061216195849.GA52916@heff.fud.org.nz>
On Saturday 16 December 2006 20:58, Andrew Thompson wrote:
> On Sat, Dec 16, 2006 at 05:09:42PM +0100, Max Laier wrote:
> > Okay, spoken too quick ... I just had an idea (enlightenment you might
> > say - given the time of year), that might finally rid us of this
> > symptom (not of the problem though).
> >
> > The attached diff circumvents the problem by **always** doing the
> > credential lookup *before* walking the pf rules. This has the
> > benefit that it works (at least I think it should), but there is a
> > price to pay. Now we have to pay for the socket lookup for *every*
> > tcp and udp packet instead of just for those that really hit uid/gid
> > rules. That's why I decided to make it a config option
> > "PF_MPFSAFE_UGID" which you can turn on if you are running a setup
> > that will benefit. The patch turns it on for the module build by
> > default.
>
> Is it possible to keep a reference count of the number of uid/gid rules
> and perform the lookup early if it is non-zero?

Possible, but not trivial. If we see that this static version works we
can still look at making it more dynamic. A middle ground might be a
sysctl you have to set in order to safely use uid/gid rules with
mpsafenet.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News