On Saturday 16 December 2006 20:58, Andrew Thompson wrote:
> On Sat, Dec 16, 2006 at 05:09:42PM +0100, Max Laier wrote:
> > Okay, spoke too quick ... I just had an idea (enlightenment you might
> > say - given the time of year), that might finally get us rid of this
> > symptom (not of the problem though).
> >
> > The attached diff circumvents the problem by **always** doing the
> > credential lookup *before* walking the pf rules. This has the
> > benefit that it works (at least I think it should), but there is a
> > price to pay. Now we have to pay for the socket lookup for *every*
> > tcp and udp packet instead of just for those that really hit uid/gid
> > rules. That's why I decided to make it a config option
> > "PF_MPFSAFE_UGID" which you can turn on if you are running a setup
> > that will benefit. The patch turns it on for the module build by
> > default.
>
> Is it possible to keep a reference count of the number of uid/gid rules
> and perform the lookup early if it is non-zero?
Possible, but not trivial. If we see that this static version works we can still look at making it more dynamic. A middle ground might be a sysctl you have to set in order to safely use uid/gid rules with mpsafenet.

-- 
/"\  Best regards,                      | [EMAIL PROTECTED]
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | [EMAIL PROTECTED]
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
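The following is an added toy model in C of the reference-count idea discussed in this thread; it is constructed for illustration and is not pf code or the attached diff. All structures (`struct rule`, `struct ruleset`, `struct pkt`, `struct cred`), the function names (`ruleset_add`, `lookup_socket_cred`, `pf_test_model`) and the sample port-to-uid mapping are assumptions of the example. The ruleset keeps a count of rules that carry a uid constraint; the packet path performs the socket credential lookup before the rule walk, but only when that count is non-zero, so rulesets without uid/gid rules pay nothing. The lookup counter makes that cost visible.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy model of a pf-like rule; not pf's real structures. */
struct rule {
    bool     match_uid; /* rule carries a "user" constraint */
    uint32_t uid;       /* uid the rule matches when match_uid is set */
    uint16_t dport;     /* destination port to match, 0 = any */
    bool     block;     /* true = block, false = pass */
};

struct pkt {
    uint16_t dport;
    bool     tcp_or_udp; /* only TCP/UDP can have a local socket */
};

/* Result of the (simulated) socket credential lookup. */
struct cred {
    bool     found;
    uint32_t uid;
};

#define MAX_RULES 8

struct ruleset {
    struct rule rules[MAX_RULES];
    size_t      nrules;
    size_t      ugid_rules; /* reference count of rules needing credentials */
};

/* Instrumentation: how many socket lookups the packet path performed. */
static int lookups_done;

int  lookups_count(void) { return lookups_done; }
void lookups_reset(void) { lookups_done = 0; }

/* Loading a rule into the set maintains the uid/gid rule count. */
bool ruleset_add(struct ruleset *rs, struct rule r)
{
    if (rs->nrules >= MAX_RULES)
        return false;
    rs->rules[rs->nrules++] = r;
    if (r.match_uid)
        rs->ugid_rules++;
    return true;
}

/* Simulated socket lookup. In the real stack this is the inpcb lookup
 * that takes socket locks, which is why the thread wants it done before
 * pf's own lock is held rather than from inside the rule walk.
 * Constructed mapping: port 22 -> uid 0, port 8080 -> uid 1000, else none. */
struct cred lookup_socket_cred(const struct pkt *p)
{
    struct cred c = { .found = false, .uid = 0 };
    lookups_done++;
    if (p->dport == 22)   { c.found = true; c.uid = 0; }
    if (p->dport == 8080) { c.found = true; c.uid = 1000; }
    return c;
}

/* Packet path: optional early lookup, then a last-match-wins rule walk.
 * Returns true when the packet passes. */
bool pf_test_model(const struct ruleset *rs, const struct pkt *p)
{
    struct cred c = { .found = false, .uid = 0 };

    /* Early lookup only when some rule needs credentials (the suggestion
     * in the thread); a ruleset without uid/gid rules never pays for it. */
    if (p->tcp_or_udp && rs->ugid_rules > 0)
        c = lookup_socket_cred(p);

    bool pass = true; /* default policy of this toy: pass */
    for (size_t i = 0; i < rs->nrules; i++) {
        const struct rule *r = &rs->rules[i];
        if (r->dport != 0 && r->dport != p->dport)
            continue;
        if (r->match_uid && (!c.found || c.uid != r->uid))
            continue;
        pass = !r->block; /* last matching rule decides */
    }
    return pass;
}

int main(void)
{
    struct ruleset rs = { 0 };
    struct pkt p = { .dport = 8080, .tcp_or_udp = true };

    ruleset_add(&rs, (struct rule){ .match_uid = false, .dport = 0, .block = false });
    printf("no uid rules: pass=%d lookups=%d\n", pf_test_model(&rs, &p), lookups_count());

    ruleset_add(&rs, (struct rule){ .match_uid = true, .uid = 1000, .dport = 8080, .block = true });
    printf("uid rule loaded: pass=%d lookups=%d\n", pf_test_model(&rs, &p), lookups_count());
    return 0;
}
```

The counter is the point of the model: with the static `PF_MPFSAFE_UGID` approach every TCP/UDP packet would increment it, while the counted approach increments it only once a uid/gid rule is loaded, at the cost of keeping `ugid_rules` accurate across ruleset changes.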