From owner-freebsd-current@FreeBSD.ORG Wed Apr 18 15:49:52 2007
Return-Path:
X-Original-To: current@freebsd.org
Delivered-To: freebsd-current@FreeBSD.ORG
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 47CB316A406 for ; Wed, 18 Apr 2007 15:49:52 +0000 (UTC) (envelope-from tillman@seekingfire.com)
Received: from mail.seekingfire.com (thoth.seekingfire.com [24.89.83.9]) by mx1.freebsd.org (Postfix) with ESMTP id 0FD9713C448 for ; Wed, 18 Apr 2007 15:49:51 +0000 (UTC) (envelope-from tillman@seekingfire.com)
Received: by mail.seekingfire.com (Postfix, from userid 500) id EC23439829; Wed, 18 Apr 2007 09:49:50 -0600 (CST)
Date: Wed, 18 Apr 2007 09:49:50 -0600
From: Tillman Hodgson
To: current@freebsd.org
Message-ID: <20070418154950.GM1225@seekingfire.com>
References: <20070417153357.GA1335@seekingfire.com> <20070417173005.O42234@fledge.watson.org> <20070417181627.GA1225@seekingfire.com> <20070417220339.E2913@fledge.watson.org> <20070418084345.H2913@fledge.watson.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20070418084345.H2913@fledge.watson.org>
X-Habeas-SWE-1: winter into spring
X-Habeas-SWE-2: brightly anticipated
X-Habeas-SWE-3: like Habeas SWE (tm)
X-Habeas-SWE-4: Copyright 2002 Habeas (tm)
X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this
X-Habeas-SWE-6: email in exchange for a license for this Habeas
X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant
X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this
X-Habeas-SWE-9: mark in spam to .
X-GPG-Key-ID: 828AFC7B
X-GPG-Fingerprint: 5584 14BA C9EB 1524 0E68 F543 0F0A 7FBC 828A FC7B
X-GPG-Key: http://www.seekingfire.com/personal/gpg_key.asc
X-Urban-Legend: There is lots of hidden information in headers
X-Tillman-rules: yes he does
User-Agent: Mutt/1.5.14 (2007-02-12)
Cc:
Subject: Re: Panic on boot with April 16 src (lengthy info attached)
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 18 Apr 2007 15:49:52 -0000

On Wed, Apr 18, 2007 at 08:54:00AM +0100, Robert Watson wrote:
> Things get sticky deep in the firewall code because our firewalls
> include credential-aware rules, which essentially "peek up the stack"
> in order to decide what user is associated with a packet before
> delivery to the connection is done. The firewall rule lock is held
> over this lookup and inspection of TCP-layer state. In the out-bound
> path, we pass down the TCP state reference (PCB pointer) and guarantee
> the lock is already held. However, in the in-bound direction, the
> firewall has to do the full lookup and lock acquisition. Which
> reverses the lock order, and can lead to deadlocks.

Thanks for the explanation :-)

Previously you pointed out the ipfw man page, which seems to say the same
thing (albeit with much less detail):

     gid group
             Matches all TCP or UDP packets sent by or received for a group.
             A group may be specified by name or number. This option should
             be used only if debug.mpsafenet=0 to avoid possible deadlocks
             due to layering violations in its implementation.

Setting debug.mpsafenet=0 worked for me until the TCP timer change.

Is the LOR situation always true for every inbound packet, or only with
certain firewall rules in place? That question has me wondering if I can
avoid the issue by avoiding certain PF features.

My current ruleset is pretty simple.
If I drop the variable definitions and comments, the whole thing is 13 lines:

    nat on $ext_if from $internal_net to any -> ($ext_if)
    rdr on $int_if proto tcp from $internal_net to any port ftp -> 127.0.0.1 port 8021
    block log all
    pass quick on lo0 all
    pass quick on $int_if proto ospf all
    pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
    pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_services keep state
    pass in on $ext_if inet proto icmp all icmp-type $icmp_types keep state
    pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state
    pass in on $int_if from $metanetwork to any
    pass out on $int_if from any to $metanetwork
    pass out on $ext_if proto tcp all modulate state flags S/SA
    pass out on $ext_if proto { udp, icmp } all keep state

-T

--
"There is a time in the life of every problem when it is big enough to
see, yet small enough to solve." -- Mike Leavitt
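The lock-order reversal Robert Watson describes in the quoted paragraph (outbound: PCB lock held, then firewall rule lock; inbound with a credential-aware rule: firewall rule lock held, then PCB lookup and lock) can be made concrete with a small witness-style order tracker. The program below is an added illustration written for this archive page; it is not FreeBSD code and not the kernel's witness(4). The lock names, the `simulate()` driver and the two path functions are constructed for the example, and the credential-aware rule is modelled as a flag rather than as a real firewall.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Two locks modelled on the mailing-list explanation (constructed names,
 * not the kernel's): the TCP PCB lock and the firewall rule lock. */
enum lock_id { LOCK_PCB = 0, LOCK_FW = 1, NLOCKS = 2 };
static const char *lock_name[NLOCKS] = { "pcb", "fwrule" };

/* order[a][b] != 0 records that lock a was held while lock b was acquired.
 * A later acquisition of a while b is held is then an order reversal. */
static int order[NLOCKS][NLOCKS];
static int reversals;

/* Per-thread record of locks currently held, in acquisition order. */
struct held {
    int ids[NLOCKS];
    int n;
};

/* Record an acquisition. Returns 1 if it reverses a previously observed
 * order (the witness-style LOR check), 0 otherwise. */
static int lock_acquire(struct held *h, enum lock_id id)
{
    int lor = 0;
    for (int i = 0; i < h->n; i++) {
        int prev = h->ids[i];
        if (order[id][prev]) {
            /* id was seen acquired before prev; now prev is held while
             * acquiring id: the two paths disagree on the order. */
            printf("lock order reversal: %s -> %s, but previously saw %s -> %s\n",
                   lock_name[prev], lock_name[id], lock_name[id], lock_name[prev]);
            lor = 1;
            reversals++;
        }
        order[prev][id] = 1;
    }
    assert(h->n < NLOCKS);
    h->ids[h->n++] = id;
    return lor;
}

/* Release the most recently acquired lock (LIFO is enough for this model). */
static void lock_release(struct held *h, enum lock_id id)
{
    assert(h->n > 0 && h->ids[h->n - 1] == id);
    h->n--;
}

/* Outbound path: the PCB pointer is passed down with its lock already held,
 * then the firewall rule lock is taken to evaluate rules. */
static int outbound_path(void)
{
    struct held h = { .n = 0 };
    int lor = 0;
    lor |= lock_acquire(&h, LOCK_PCB);
    lor |= lock_acquire(&h, LOCK_FW);
    lock_release(&h, LOCK_FW);
    lock_release(&h, LOCK_PCB);
    return lor;
}

/* Inbound path: the firewall rule lock is held first. Only a credential-aware
 * rule forces the "peek up the stack": a full PCB lookup and lock while the
 * rule lock is still held. */
static int inbound_path(int credential_rule)
{
    struct held h = { .n = 0 };
    int lor = 0;
    lor |= lock_acquire(&h, LOCK_FW);
    if (credential_rule) {
        lor |= lock_acquire(&h, LOCK_PCB);
        lock_release(&h, LOCK_PCB);
    }
    lock_release(&h, LOCK_FW);
    return lor;
}

/* Run one outbound and one inbound packet through the model and return how
 * many reversals the tracker flagged: 1 with a credential-aware rule, 0 without. */
int simulate(int credential_rule)
{
    memset(order, 0, sizeof order);
    reversals = 0;
    outbound_path();
    inbound_path(credential_rule);
    return reversals;
}

int main(void)
{
    printf("with credential-aware rule: %d reversal(s)\n", simulate(1));
    printf("without credential-aware rule: %d reversal(s)\n", simulate(0));
    return 0;
}
```

The model answers the narrower form of the question in the message: in this abstraction the reversal is only recorded when the inbound path has a rule that needs the PCB, which is the uid/gid/user style of rule the ipfw man page excerpt warns about; whether pf's `user` option behaves the same way on the kernel in question is not something this toy establishes.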