debug.mpsafenet=1 vs. user/group rules [Re: kern/106805: ...]

Max Laier max at love2party.net
Sat Dec 16 13:24:20 PST 2006


On Saturday 16 December 2006 20:58, Andrew Thompson wrote:
> On Sat, Dec 16, 2006 at 05:09:42PM +0100, Max Laier wrote:
> > Okay, spoken too quick ... I just had an idea (enlightenment you might
> > say - given the time of year), that might finally get us rid of this
> > symptom (not of the problem though).
> >
> > The attached diff circumvents the problem by **always** doing the
> > credential lookup *before* walking the pf rules.  This has the
> > benefit, that it works (at least I think it should), but there is a
> > price to pay. Now we have to pay for the socket lookup for *every*
> > tcp and udp packet instead of just for those that really hit uid/gid
> > rules.  That's why I decided to make it a config option
> > "PF_MPFSAFE_UGID" which you can turn on if you are running a setup
> > that will benefit.  The patch turns it on for the module build by
> > default.
>
> Is it possible to keep a reference count of the number of uid/gid rules
> and perform the lookup early if it is non-zero?

Possible, but not trivial.  If we see that this static version works we 
can still look at making it more dynamical.  A middle ground might be a 
sysctl you have to set in order to safely use uid/gid rules with 
mpsafenet.

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
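A toy model of the trade-off discussed in the thread, added here as an example (it is neither pf code nor the attached diff): the rule set keeps a count of uid/gid rules so the credential lookup runs before the rule walk only when such rules are loaded, or unconditionally when the static option is set. `ugid_rule_count`, `filter`, `lookup_uid` and the rule layout are hypothetical.

```c
#include <stdbool.h>

/* Hypothetical rule: optionally match on uid, then pass or block. */
struct rule { bool match_uid; int uid; bool pass; };

static struct rule ruleset[8];
static int nrules = 0;
/* Count of loaded rules that need credentials (Andrew's suggestion);
   maintained on rule add/clear so the packet path only tests it. */
static int ugid_rule_count = 0;
/* How many expensive socket/credential lookups were performed. */
static int cred_lookups = 0;

void rule_clear(void) { nrules = 0; ugid_rule_count = 0; }

void rule_add(struct rule r) {
    ruleset[nrules++] = r;
    if (r.match_uid)
        ugid_rule_count++;
}

/* Stand-in for the socket lookup; in the toy, the uid equals the socket id.
   Must run before the rule walk under mpsafenet, so it is done up front. */
static int lookup_uid(int sock) { cred_lookups++; return sock; }

/* force_early models PF_MPFSAFE_UGID (always look up); otherwise the lookup
   happens early only when at least one uid/gid rule is loaded.
   Returns true when the packet is passed (last matching rule wins). */
bool filter(int sock, bool force_early) {
    bool have_cred = false;
    int uid = -1;
    if (force_early || ugid_rule_count > 0) {
        uid = lookup_uid(sock);
        have_cred = true;
    }
    bool pass = true;
    for (int i = 0; i < nrules; i++) {
        if (ruleset[i].match_uid) {
            if (!have_cred)            /* no in-walk lookup allowed: fail closed */
                return false;
            if (ruleset[i].uid != uid)
                continue;
        }
        pass = ruleset[i].pass;
    }
    return pass;
}

int lookups(void) { return cred_lookups; }
```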