debug.mpsafenet=1 vs. user/group rules [Re: kern/106805: ...]
Andrew Thompson
thompsa at freebsd.org
Sat Dec 16 12:02:37 PST 2006
On Sat, Dec 16, 2006 at 05:09:42PM +0100, Max Laier wrote:
> Okay, spoke too soon ... I just had an idea (enlightenment, you might say,
> given the time of year) that might finally rid us of this symptom
> (not of the problem, though).
>
> The attached diff circumvents the problem by **always** doing the
> credential lookup *before* walking the pf rules. This has the benefit
> that it works (at least I think it should), but there is a price to pay.
> Now we have to pay for the socket lookup for *every* tcp and udp packet
> instead of just for those that really hit uid/gid rules. That's why I
> decided to make it a config option "PF_MPFSAFE_UGID" which you can turn
> on if you are running a setup that will benefit. The patch turns it on
> for the module build by default.
Is it possible to keep a reference count of the number of uid/gid rules
and perform the lookup early if it is non-zero?
Andrew
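The trade-off in this exchange is between an unconditional socket lookup for every TCP/UDP packet (Max's patch) and a lookup gated on whether any loaded rule actually needs credentials (Andrew's suggestion). The following is an added illustration of the gated variant, written for this archive page; it is not pf code and not anything from the thread's patch. The rule and ruleset structures, the `ugid_rule_count` counter, the `lookup_credentials` stand-in and the sample rules are all constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of a ruleset that tracks how many active rules carry
 * user/group constraints, so the credential lookup can be done once, before
 * the rule walk, and only when some rule can use the result. */

#define MAX_RULES 16

struct rule {
    bool active;
    bool match_uid;      /* rule constrains the socket owner's uid */
    bool match_gid;      /* rule constrains the socket owner's gid */
    uint32_t uid, gid;
    int action;          /* constructed: 0 = pass, 1 = block */
};

struct ruleset {
    struct rule rules[MAX_RULES];
    unsigned ugid_rule_count;   /* active rules that need credentials */
};

struct packet { int proto; uint16_t dport; };

/* Constructed stand-in for the socket/credential lookup; counts calls so the
 * cost of each strategy can be observed. */
static unsigned lookups_performed;

static bool lookup_credentials(const struct packet *p, uint32_t *uid, uint32_t *gid) {
    lookups_performed++;
    /* constructed mapping: port 22 owned by root, anything else by uid/gid 1000 */
    if (p->dport == 22) { *uid = 0; *gid = 0; } else { *uid = 1000; *gid = 1000; }
    return true;
}

static bool rule_needs_ugid(const struct rule *r) { return r->match_uid || r->match_gid; }

/* Insert a rule; the counter moves with every add/remove so it is always
 * exact, which is the invariant the gating depends on. Returns slot or -1. */
int ruleset_add(struct ruleset *rs, const struct rule *r) {
    for (size_t i = 0; i < MAX_RULES; i++) {
        if (!rs->rules[i].active) {
            rs->rules[i] = *r;
            rs->rules[i].active = true;
            if (rule_needs_ugid(r)) rs->ugid_rule_count++;
            return (int)i;
        }
    }
    return -1;
}

void ruleset_remove(struct ruleset *rs, int idx) {
    struct rule *r = &rs->rules[idx];
    if (idx < 0 || idx >= MAX_RULES || !r->active) return;
    if (rule_needs_ugid(r)) rs->ugid_rule_count--;
    r->active = false;
}

/* Evaluate a packet: one lookup before the walk, skipped entirely when no
 * rule needs credentials. Last matching rule wins, as in pf. */
int ruleset_evaluate(struct ruleset *rs, const struct packet *p) {
    uint32_t uid = 0, gid = 0;
    bool have_cred = false;
    if (rs->ugid_rule_count > 0)
        have_cred = lookup_credentials(p, &uid, &gid);
    int action = 0;
    for (size_t i = 0; i < MAX_RULES; i++) {
        const struct rule *r = &rs->rules[i];
        if (!r->active) continue;
        if (r->match_uid && (!have_cred || r->uid != uid)) continue;
        if (r->match_gid && (!have_cred || r->gid != gid)) continue;
        action = r->action;
    }
    return action;
}

/* Scripted scenario: evaluate with no uid rule, add one, evaluate, remove it,
 * evaluate again. Returns how many credential lookups were performed. */
unsigned demo_lookups(void) {
    struct ruleset rs = {0};
    struct packet p = { 6, 80 };
    lookups_performed = 0;
    ruleset_evaluate(&rs, &p);                          /* no lookup */
    struct rule block_uid = { .match_uid = true, .uid = 1000, .action = 1 };
    int idx = ruleset_add(&rs, &block_uid);
    ruleset_evaluate(&rs, &p);                          /* one lookup */
    ruleset_remove(&rs, idx);
    ruleset_evaluate(&rs, &p);                          /* no lookup */
    return lookups_performed;
}

/* Action produced while the uid rule is loaded (expected: block). */
int demo_action(void) {
    struct ruleset rs = {0};
    struct packet p = { 6, 80 };
    struct rule block_uid = { .match_uid = true, .uid = 1000, .action = 1 };
    ruleset_add(&rs, &block_uid);
    return ruleset_evaluate(&rs, &p);
}

int main(void) {
    printf("lookups in scenario: %u\n", demo_lookups());
    printf("action with uid rule loaded: %d\n", demo_action());
    return 0;
}
```

The point the model makes concrete is that the counter has to be maintained on every rule insertion and removal (including ruleset reloads) or the gate is wrong in the unsafe direction: a stale zero skips the lookup and a uid/gid rule silently stops matching.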