debug.mpsafenet=1 vs. user/group rules [Re: kern/106805: ...]
Max Laier
max at love2party.net
Sat Feb 10 15:21:24 UTC 2007
Hello,
after 6 weeks in HEAD I have received ZERO additional feedback! Does
anyone (other than avatar) care?
On Friday 29 December 2006 15:18, Max Laier wrote:
> I just put this in HEAD, a diff to RELENG_6 is attached. Please follow
> avatar's example and test and report back!
>
> Just apply and put "options PF_MPSAFE_UGID" in your kernconf or
> append "-DPF_MPSAFE_UGID" to your CFLAGS in make.conf. The latter
> works for the module build as well. Don't forget to turn
> debug.mpsafenet back on.
>
> I'd also be interested in the output of "pfctl -si", in particular the
> match counter and the State searches in order to get a picture of your
> traffic pattern and how the patch might impact on it.
>
> On Friday 29 December 2006 02:21, Tai-hwa Liang wrote:
> > On Sat, 16 Dec 2006, Max Laier wrote:
> > [...]
> >
> > > The attached diff circumvents the problem by **always** doing the
> > > credential lookup *before* walking the pf rules. This has the
> > > benefit that it works (at least I think it should), but there is a
> > > price to pay. Now we have to pay for the socket lookup for *every*
> > > tcp and udp packet instead of just for those that really hit
> > > uid/gid rules. That's why I decided to make it a config option
> > > "PF_MPSAFE_UGID" which you can turn on if you are running a setup
> > > that will benefit. The patch turns it on for the module build by
> > > default.
> > >
> > > A possible scenario that should benefit is a big iron SMP box
> > > running a lot of services that you want to filter using *stateful*
> > > uid/gid rules. For this setup where a huge percentage of the
> > > packets that are not captured by states eventually match a uid/gid
> > > rule, you will even get added parallelism with this patch.
> > >
> > > On every other typical setup, it should be better to avoid
> > > user/group rules or to disable mpsafenet.
> > >
> > > In order for this to hit the tree, I need tests confirming that it
> > > really helps and possibly benchmarks that qualify the impact of it.
> > > Thanks.
> >
> > Your patch works great here. The box in question never ran into a
> > single lockup in the last 7 days.
>
> Great - Thanks for the report!
--
/"\ Best regards, | mlaier at freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier at EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
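As an added example (not code from the thread or from pf itself): a small sh/awk helper that pulls the "searches" and "match" counters Max asks for out of "pfctl -si" output and reports what share of state-table searches ended in a rule match, a rough indicator of how many packets fall through the state table and walk the ruleset, which is where the extra per-packet socket lookup of the patch matters. The sample output is constructed; the column layout follows pfctl -si, and reading match/searches as "fraction of packets reaching the ruleset" is an assumption, not a measurement pf itself reports.

```sh
#!/bin/sh
# Added example: summarise the two "pfctl -si" counters asked for in the
# thread. Every packet costs one state-table search; a rule "match" is
# counted only for packets that missed a state and were evaluated against
# the ruleset (assumption: this approximates the share of packets that
# would hit uid/gid rules, where the patch's socket lookup pays off).

# Usage: pf_rule_ratio "$(pfctl -si)"  -> prints "searches matches pct"
pf_rule_ratio() {
    printf '%s\n' "$1" | awk '
        # State Table section: "searches <total> <rate>"
        $1 == "searches" { searches = $2 }
        # Counters section: "match <total> <rate>" ("state-mismatch" is a
        # different first field and is not picked up here)
        $1 == "match"    { match_cnt = $2 }
        END {
            if (searches + 0 == 0) { print "0 0 0.0"; exit }
            printf "%d %d %.1f\n", searches, match_cnt,
                   (100 * match_cnt) / searches
        }'
}

# Constructed sample of "pfctl -si" output (not from a real box).
SAMPLE_PFCTL_SI='Status: Enabled for 0 days 01:02:03           Debug: Urgent

State Table                          Total             Rate
  current entries                      120
  searches                           20000            5.4/s
  inserts                              300            0.1/s
  removals                             180            0.0/s
Counters
  match                                500            0.1/s
  bad-offset                             0            0.0/s
  state-mismatch                         5            0.0/s'

# Prints "20000 500 2.5": 2.5% of searches ended in a rule match, so on
# this sample most packets are handled by states and the patch would add
# a socket lookup to many packets that never reach a uid/gid rule.
pf_rule_ratio "$SAMPLE_PFCTL_SI"
```

On a live system replace the sample with `pf_rule_ratio "$(pfctl -si)"`; a high percentage is the "ruleset-heavy" pattern the thread describes as the one that benefits.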