On Sat, 16 Dec 2006, Max Laier wrote:
> [...]
> The attached diff circumvents the problem by **always** doing the
> credential lookup *before* walking the pf rules. This has the benefit
> that it works (at least I think it should), but there is a price to pay.
> Now we have to pay for the socket lookup for *every* tcp and udp packet
> instead of just for those that really hit uid/gid rules. That's why I
> decided to make it a config option "PF_MPFSAFE_UGID" which you can turn
> on if you are running a setup that will benefit. The patch turns it on
> for the module build by default.
> A possible scenario that should benefit is a big iron SMP box running lots
> of services that you want to filter using *stateful* uid/gid rules. For
> this setup, where a huge percentage of the packets that are not captured
> by states eventually match a uid/gid rule, you will even get added
> parallelism with this patch.
> On every other typical setup, it should be better to avoid user/group
> rules or to disable mpsafenet.
> In order for this to hit the tree, I need tests confirming that it really
> helps and possibly benchmarks that qualify the impact of it. Thanks.
Your patch works great here. The box in question never ran into a single
lockup in the last 7 days.
--
Thanks,
Tai-hwa Liang