From: Max Laier
Organization: FreeBSD
To: Andrew Thompson
Cc: avatar@mmlab.cse.yzu.edu.tw, csjp@freebsd.org, freebsd-pf@freebsd.org
Date: Sat, 16 Dec 2006 22:23:30 +0100
Subject: Re: debug.mpsafenet=1 vs. user/group rules [Re: kern/106805: ...]
Message-Id: <200612162223.37089.max@love2party.net>
In-Reply-To: <20061216195849.GA52916@heff.fud.org.nz>
On Saturday 16 December 2006 20:58, Andrew Thompson wrote:
> On Sat, Dec 16, 2006 at 05:09:42PM +0100, Max Laier wrote:
> > Okay, spoken too quick ... I just had an idea (enlightenment you might
> > say - given the time of year), that might finally get us rid of this
> > symptom (not of the problem though).
> >
> > The attached diff circumvents the problem by **always** doing the
> > credential lookup *before* walking the pf rules. This has the
> > benefit that it works (at least I think it should), but there is a
> > price to pay. Now we have to pay for the socket lookup for *every*
> > tcp and udp packet instead of just for those that really hit uid/gid
> > rules. That's why I decided to make it a config option
> > "PF_MPFSAFE_UGID" which you can turn on if you are running a setup
> > that will benefit. The patch turns it on for the module build by
> > default.
>
> Is it possible to keep a reference count of the number of uid/gid rules
> and perform the lookup early if it is non-zero?

Possible, but not trivial. If we see that this static version works we
can still look at making it more dynamic. A middle ground might be a
sysctl you have to set in order to safely use uid/gid rules with
mpsafenet.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
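The reference-count idea Andrew raises in the thread, modelled in C as an added example (hypothetical code, neither pf's nor the patch under discussion): the ruleset counts rules carrying a user/group clause and the credential lookup is done once before the rule walk only while that count is non-zero, instead of for every TCP/UDP packet. The rule and packet structs, the `lookup_owner_uid` stand-in and the `cred_lookups` counter are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical model, not pf's code: the ruleset counts rules with a
 * user/group clause, so the costly socket credential lookup is done once,
 * before the rule walk, and only when some rule can use the result. */
enum { PROTO_ANY = 0, PROTO_TCP = 6, PROTO_UDP = 17 };

struct rule {
    int proto;      /* PROTO_ANY, PROTO_TCP or PROTO_UDP */
    bool match_uid; /* rule carries a "user" clause */
    int uid;        /* uid required when match_uid is set */
    bool pass;      /* verdict if this rule matches */
};
struct ruleset { struct rule rules[16]; size_t nrules; unsigned ugid_refs; };
struct pkt { int proto; int owner_uid; };

static int cred_lookups; /* how many expensive lookups happened */

/* Stand-in for the socket/credential lookup (constructed). */
static int lookup_owner_uid(const struct pkt *p) { cred_lookups++; return p->owner_uid; }

/* Adding and removing rules keeps ugid_refs in step with the ruleset. */
static void add_rule(struct ruleset *rs, struct rule r) {
    rs->rules[rs->nrules++] = r;
    if (r.match_uid) rs->ugid_refs++;
}
static void remove_last_rule(struct ruleset *rs) {
    if (rs->nrules && rs->rules[--rs->nrules].match_uid) rs->ugid_refs--;
}

/* Last matching rule wins, as in pf. The lookup runs before the walk,
 * but only for TCP/UDP and only while ugid_refs is non-zero. */
static bool filter(const struct ruleset *rs, const struct pkt *p) {
    bool have_uid = false, verdict = false;
    int uid = -1;
    if (rs->ugid_refs > 0 && (p->proto == PROTO_TCP || p->proto == PROTO_UDP)) {
        uid = lookup_owner_uid(p);
        have_uid = true;
    }
    for (size_t i = 0; i < rs->nrules; i++) {
        const struct rule *r = &rs->rules[i];
        if (r->proto != PROTO_ANY && r->proto != p->proto) continue;
        if (r->match_uid && (!have_uid || r->uid != uid)) continue;
        verdict = r->pass;
    }
    return verdict;
}
```

With no uid/gid rules loaded the lookup never runs, which is the cost the static `PF_MPFSAFE_UGID` build pays on every TCP/UDP packet.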