Date:      Sat, 10 Feb 2007 16:20:54 +0100
From:      Max Laier <max@love2party.net>
To:        freebsd-pf@freebsd.org
Cc:        Tai-hwa Liang <avatar@mmlab.cse.yzu.edu.tw>
Subject:   Re: debug.mpsafenet=1 vs. user/group rules [Re: kern/106805: ...]
Message-ID:  <200702101621.00430.max@love2party.net>
In-Reply-To: <200612291518.39222.max@love2party.net>
References:  <200612161335.kBGDZkMj012022@freefall.freebsd.org> <061229091759A.42827@www.mmlab.cse.yzu.edu.tw> <200612291518.39222.max@love2party.net>


Hello,

after 6 weeks in HEAD I have received ZERO additional feedback!  Does
anyone (other than avatar) care?

On Friday 29 December 2006 15:18, Max Laier wrote:
> I just put this in HEAD, a diff to RELENG_6 is attached.  Please follow
> avatar's example and test and report back!
>
> Just apply and put "options PF_MPSAFE_UGID" in your kernconf or
> append "-DPF_MPSAFE_UGID" to your CFLAGS in make.conf.  The latter
> works for the module build as well.  Don't forget to turn
> debug.mpsafenet back on.
>
> I'd also be interested in the output of "pfctl -si", in particular the
> match counter and the State searches in order to get a picture of your
> traffic pattern and how the patch might impact on it.
>
> On Friday 29 December 2006 02:21, Tai-hwa Liang wrote:
> > On Sat, 16 Dec 2006, Max Laier wrote:
> > [...]
> >
> > > The attached diff circumvents the problem by **always** doing the
> > > credential lookup *before* walking the pf rules.  This has the
> > > benefit that it works (at least I think it should), but there is a
> > > price to pay. Now we have to pay for the socket lookup for *every*
> > > tcp and udp packet instead of just for those that really hit
> > > uid/gid rules.  That's why I decided to make it a config option
> > > "PF_MPSAFE_UGID" which you can turn on if you are running a setup
> > > that will benefit.  The patch turns it on for the module-built by
> > > default.
> > >
> > > A possible scenario that should benefit is a big iron SMP box
> > > running a lot of services that you want to filter using *stateful*
> > > uid/gid rules.  For this setup where a huge percentage of the
> > > packets that are not captured by states eventually match a uid/gid
> > > rule, you will even get added parallelism with this patch.
> > >
> > > On every other typical setup, it should be better to avoid
> > > user/group rules or to disable mpsafenet.
> > >
> > > In order for this to hit the tree, I need tests confirming that it
> > > really helps and possibly benchmarks that qualify the impact of it.
> > > Thanks.
> >
> >    Your patch works great here.  The box in question never ran into a
> > single lockup in the last 7 days.
>
> Great - Thanks for the report!

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
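
The message asks testers for the "pfctl -si" match counter and state searches to judge how much of their traffic misses the state table and walks the ruleset (where the per-packet credential lookup costs). The following added script is not from the thread; it assumes the FreeBSD 6-era "pfctl -si" layout and uses a constructed sample, and the match/searches ratio is only a rough proxy since pfctl -si does not break out uid/gid rule matches.

```sh
#!/bin/sh
# Constructed sample of 'pfctl -si' output (FreeBSD 6 era layout); not real data.
SAMPLE_PFCTL_SI='Status: Enabled for 7 days 02:11:09           Debug: Urgent

Interface Stats for em0               IPv4             IPv6
  Bytes In                     123456789012                0
  Bytes Out                     98765432100                0
  Packets In
    Passed                        140000000                0
    Blocked                          120000                0
  Packets Out
    Passed                        120000000                0
    Blocked                            3000                0

State Table                          Total             Rate
  current entries                      1842
  searches                        260123456        426.1/s
  inserts                           9012345         14.8/s
  removals                          9010503         14.8/s
Counters
  match                            10500000         17.2/s
  bad-offset                              0          0.0/s
  fragment                               12          0.0/s
  short                                   0          0.0/s
  normalize                               0          0.0/s
  memory                                  0          0.0/s'

# Print the "Total" column of the named counter row from pfctl -si text on stdin.
pf_counter() {
    awk -v key="$1" '$1 == key { print $2; exit }'
}

# Integer percentage of state-table searches that ended in a ruleset match,
# i.e. packets that missed the state table and walked the rules.
# Prints "n/a" when no searches were recorded (fresh box, or pf just enabled).
rule_walk_percent() {
    searches=$(printf '%s\n' "$1" | pf_counter searches)
    match=$(printf '%s\n' "$1" | pf_counter match)
    if [ -z "$searches" ] || [ "$searches" -eq 0 ]; then
        echo "n/a"
        return 0
    fi
    echo $(( ${match:-0} * 100 / searches ))
}

# Usage on a live box: rule_walk_percent "$(pfctl -si)"
rule_walk_percent "$SAMPLE_PFCTL_SI"
```

A low percentage means most packets are handled by state and the always-on socket lookup is pure overhead; a high one is the setup the patch is meant for.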
