On Wednesday 18 April 2007 21:28, Tillman Hodgson wrote: > On Wed, Apr 18, 2007 at 08:18:27PM +0200, Max Laier wrote: > > Running Current you can try to include "options PF_MPSAFE_UGID". > > This is a hack that allows the use of user/group rules in a > > debug.mpsafe=1 environment. Unfortunately, I never got any feedback > > on this albeit throwing it after everybody with these symptoms. > > Please report back! > > Oh, interesting! I'm rebuilding right now with that option :-) > I'll report back in a few days how it goes.
Actually, could you test this? It should enable the hack on the fly as a user/group rule is added. See "sysctl debug.pfugidhack" or "pfctl -x misc" to confirm it's on. -- /"\ Best regards, | [EMAIL PROTECTED] \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | [EMAIL PROTECTED] / \ ASCII Ribbon Campaign | Against HTML Mail and News
Index: pf.c
===================================================================
RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf.c,v
retrieving revision 1.43
diff -u -r1.43 pf.c
--- pf.c 29 Dec 2006 13:59:03 -0000 1.43
+++ pf.c 18 Apr 2007 19:55:19 -0000
@@ -134,6 +134,7 @@
#include <security/mac/mac_framework.h>
extern int ip_optcopy(struct ip *, struct ip *);
+extern int debug_pfugidhack;
#endif
#define DPFPRINTF(n, x) if (pf_status.debug >= (n)) printf x
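Review bot: The `extern int debug_pfugidhack;` declaration is placed in pf.c itself rather than in a header shared with pf_ioctl.c, where the definition is added later in this patch, so the two translation units are never type-checked against each other. Moving the declaration into the FreeBSD-only section of net/pfvar.h, next to the other cross-file globals pf.c already relies on, keeps a single authoritative declaration and lets the compiler catch a future type change in either file.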
@@ -3032,10 +3033,12 @@
return (PF_DROP);
}
-#if defined(__FreeBSD__) && defined(PF_MPSAFE_UGID)
- PF_UNLOCK();
- lookup = pf_socket_lookup(&uid, &gid, direction, pd, inp);
- PF_LOCK();
+#ifdef __FreeBSD__
+ if (debug_pfugidhack) {
+ PF_UNLOCK();
+ lookup = pf_socket_lookup(&uid, &gid, direction, pd, inp);
+ PF_LOCK();
+ }
#endif
r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
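Review bot: Once `debug_pfugidhack` has been set by a rule load, nothing in this patch ever clears it, so after the last uid/gid rule is flushed every packet through this path (and the identical block in the `@@ -3434` hunk below) still pays the PF_UNLOCK()/pf_socket_lookup()/PF_LOCK() round trip for a lookup no rule will consume. Dropping PF_LOCK mid-evaluation also allows the ruleset to be replaced underneath the caller between the two calls; re-fetching `r` after PF_LOCK() on the next line covers the rule list, but any pf state read before the unlock should be treated as stale afterwards, which deserves a comment such as `/* PF_LOCK is dropped here: pf state read above may be stale once re-locked */`. The enclosing function begins before and ends after this hunk.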
@@ -3434,10 +3437,12 @@
return (PF_DROP);
}
-#if defined(__FreeBSD__) && defined(PF_MPSAFE_UGID)
- PF_UNLOCK();
- lookup = pf_socket_lookup(&uid, &gid, direction, pd, inp);
- PF_LOCK();
+#ifdef __FreeBSD__
+ if (debug_pfugidhack) {
+ PF_UNLOCK();
+ lookup = pf_socket_lookup(&uid, &gid, direction, pd, inp);
+ PF_LOCK();
+ }
#endif
r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
Index: pf_ioctl.c
===================================================================
RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf_ioctl.c,v
retrieving revision 1.27
diff -u -r1.27 pf_ioctl.c
--- pf_ioctl.c 1 Jan 2007 16:51:11 -0000 1.27
+++ pf_ioctl.c 18 Apr 2007 20:04:57 -0000
@@ -84,6 +84,7 @@
#include <sys/module.h>
#include <sys/conf.h>
#include <sys/proc.h>
+#include <sys/sysctl.h>
#else
#include <sys/timeout.h>
#include <sys/pool.h>
@@ -237,6 +238,10 @@
struct mtx pf_task_mtx;
pflog_packet_t *pflog_packet_ptr = NULL;
+int debug_pfugidhack = 0;
+SYSCTL_INT(_debug, OID_AUTO, pfugidhack, CTLFLAG_RW, &debug_pfugidhack, 0,
+ "Enable/disable pf user/group rules mpsafe hack");
+
void
init_pf_mutex(void)
{
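Review bot: The sysctl is CTLFLAG_RW with no handler, so an operator can write 0 while uid/gid rules are loaded; the rule-add hunks below only ever turn the flag on, so nothing restores it, and the packet path presumably falls back to whatever in-loop lookup the hack was introduced to avoid. Either make the knob CTLFLAG_RD (the rule loader is the only intended writer) or attach a handler that refuses to clear it while uid/gid rules exist. The new global also needs a comment naming what it gates, e.g. `/* Nonzero once a uid/gid rule is loaded: pf_test drops PF_LOCK around pf_socket_lookup() */`.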
@@ -1603,6 +1608,13 @@
rule->evaluations = rule->packets = rule->bytes = 0;
TAILQ_INSERT_TAIL(ruleset->rules[rs_num].inactive.ptr,
rule, entries);
+#ifdef __FreeBSD__
+ if (!debug_pfugidhack && (rule->uid.op || rule->gid.op)) {
+ DPFPRINTF(PF_DEBUG_MISC,
+ ("pf: debug.pfugidhack enabled\n"));
+ debug_pfugidhack = 1;
+ }
+#endif
break;
}
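Review bot: The block that tests `rule->uid.op || rule->gid.op` and sets `debug_pfugidhack` is duplicated verbatim in the DIOCCHANGERULE hunk below; hoisting it into one static helper and calling it from both sites means a future third rule-insertion path cannot silently miss it. Note also that the flag flips when the rule enters the inactive ruleset, before the commit that activates it, so a transaction that is later rolled back still leaves the hack enabled; harmless for correctness, but worth stating in the helper's comment. The enclosing switch case starts before this hunk.
```c
#ifdef __FreeBSD__
/*
 * Enable the uid/gid mpsafe hack the first time a rule that needs a
 * socket lookup is loaded.  Called at insertion into the inactive
 * ruleset, so the flag is set even if the transaction is rolled back.
 */
static void
pf_ugidhack_check(struct pf_rule *r)
{
	if (!debug_pfugidhack && (r->uid.op || r->gid.op)) {
		DPFPRINTF(PF_DEBUG_MISC,
		    ("pf: debug.pfugidhack enabled\n"));
		debug_pfugidhack = 1;
	}
}
#endif
/* … unchanged: DIOCADDRULE body up to TAILQ_INSERT_TAIL … */
#ifdef __FreeBSD__
		pf_ugidhack_check(rule);
#endif
```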
@@ -1828,6 +1840,14 @@
newrule->rpool.cur = TAILQ_FIRST(&newrule->rpool.list);
newrule->evaluations = newrule->packets = 0;
newrule->bytes = 0;
+#ifdef __FreeBSD__
+ if (!debug_pfugidhack &&
+ (newrule->uid.op || newrule->gid.op)) {
+ DPFPRINTF(PF_DEBUG_MISC,
+ ("pf: debug.pfugidhack enabled\n"));
+ debug_pfugidhack = 1;
+ }
+#endif
}
pf_empty_pool(&pf_pabuf);
