cvs commit: src/sys/netinet ip_fw2.c
Robert Watson
rwatson at FreeBSD.org
Sat Sep 27 19:33:50 UTC 2008
On Sat, 27 Sep 2008, Robert Watson wrote:
>>> Rather than shadowing global variable 'lookup' in check_uidgid(), rename
>>> it to ugid_lookupp. This should make debugging issues with ipfw uid
>>> rules easier.
>>
>> Still panics:
>
> Something seems odd here, we may be looking at an ipfw bug. The goal of
> passing down the inpcb is that ipfw doesn't have to look it up (and hence
> avoids acquiring locks in ipfw on the outbound path) -- the stack arguments
> clearly show it held in ipfw, but locks are acquired anyway. This
> particular change was purely cosmetic, but I'll review the ipfw code more
> closely and see about a fix...
Indeed -- when an inpcb doesn't have a socket, ipfw will go ahead and do a
lookup for an inpcb even though one is passed down. I've committed a change
that short-circuits that and marks the credential lookup as failed. Give it a
try now?
Robert N M Watson
Computer Laboratory
University of Cambridge
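The behaviour described in the message above, as an added example that is not the committed ip_fw2.c change: a user-space C model of a uid rule check that receives a passed-down pcb, comparing the old fall-through lookup with the short-circuit that records the credential lookup as failed. Every name, the three lookup states and the lock counter are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
/* User-space model; every name here is hypothetical, not a FreeBSD symbol. */
struct sock { unsigned uid; };
struct pcb  { const struct sock *so; };            /* so == NULL: no socket */
enum { UGID_FAILED = -1, UGID_UNKNOWN = 0, UGID_CACHED = 1 };
struct ugid_cache { int state; unsigned uid; };
static int pcb_locks;                              /* lock acquisitions seen */

/* Stand-in for a PCB table lookup, which has to take the table lock. */
static const struct pcb *locked_lookup(const struct pcb *table_hit)
{
    pcb_locks++;
    return table_hit;
}

/* short_circuit = 0 models the old behaviour, 1 models the fix. */
static int uid_match(const struct pcb *inp, const struct pcb *table_hit,
                     unsigned want, struct ugid_cache *c, int short_circuit)
{
    if (c->state == UGID_UNKNOWN) {
        const struct pcb *src = inp;
        if (src == NULL || (src->so == NULL && !short_circuit))
            src = locked_lookup(table_hit);        /* takes the table lock */
        if (src == NULL || src->so == NULL) {
            c->state = UGID_FAILED;                /* remembered for later rules */
        } else {
            c->uid = src->so->uid;
            c->state = UGID_CACHED;
        }
    }
    return c->state == UGID_CACHED && c->uid == want;
}

/* Evaluate two uid rules for one packet whose passed-down pcb has no socket. */
static int locks_for_socketless(int short_circuit)
{
    struct pcb inp = { NULL };
    struct ugid_cache c = { UGID_UNKNOWN, 0 };
    pcb_locks = 0;
    uid_match(&inp, NULL, 1001, &c, short_circuit);
    uid_match(&inp, NULL, 0, &c, short_circuit);
    return pcb_locks;
}

int main(void)
{
    printf("old=%d fixed=%d\n", locks_for_socketless(0), locks_for_socketless(1));
    return 0;
}
```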