USER/GROUP rules on the chopping Block
Volker
volker at vwsoft.com
Sat Jun 9 19:26:31 UTC 2007
On 06/06/07 16:29, Max Laier wrote:
> After several attempts to fix user/group rules which ended like the most
> recent one - cited below - with *ZERO* feedback, I won't waste any more
> effort. Either somebody steps up, does proper testing and reports back,
> or user/group rules go! End of story!
Max,
I've upgraded my -STABLE standby desktop system into a -CURRENT system
(just for you... *s*) to test your patch.
Before trying to check your fixes, I've set up a plain (recently
csup'ed) -CURRENT system w/o your patch. Unfortunately, while trying
hard to get that box into an LOR, I'm unable to do so easily. As I need
to verify an unpatched against a patched system, I need to find a
_reliable_ way to get the box LORing.
I've added two pf rules which should (AFAIK) get this into an LOR:
pass out log quick on $if_lan all user volker keep state
pass in log on $if_lan proto {tcp udp} from any to \
any port 49152:65535 user avahi keep state
After having that box running for a while (3-4 hours) and generating
some icmp, tcp and udp traffic, I was able to get just one single LOR,
which was caused by a DHCPd response (but even 1 out of 5 bootp udp
packets caused that LOR):
lock order reversal:
1st 0xc34e7d84 pf task mtx (pf task mtx) @ /usr/src/sys/modules/pf/../../contrib/pf/net/pf.c:6414
2nd 0xc0a6456c udp (udp) @ /usr/src/sys/modules/pf/../../contrib/pf/net/pf.c:2760
KDB: stack backtrace:
db_trace_self_wrapper(c092a516,d404d888,c06ab8fe,c092c9c0,c0a6456c,...) at db_trace_self_wrapper+0x26
kdb_backtrace(c092c9c0,c0a6456c,c092ca6d,c092ca6d,c34e4da8,...) at kdb_backtrace+0x29
witness_checkorder(c0a6456c,9,c34e4da8,ac8,0,...) at witness_checkorder+0x6de
_mtx_lock_flags(c0a6456c,0,c34e4da8,ac8,1,...) at _mtx_lock_flags+0xbc
pf_socket_lookup(d404d984,d404d980,1,d404d9f0,0,...) at pf_socket_lookup+0x25b
pf_test_udp(d404da74,d404da70,1,c3481300,c3259c00,...) at pf_test_udp+0x1099
pf_test(1,c3160c00,d404dad0,0,0,...) at pf_test+0xf32
pf_check_in(0,d404dad0,c3160c00,1,0,...) at pf_check_in+0x39
pfil_run_hooks(c0a63d60,d404db24,c3160c00,1,0,...) at pfil_run_hooks+0x88
ip_input(c3259c00,14e,800,c3160c00,800,...) at ip_input+0x27d
netisr_dispatch(2,c3259c00,10,3,0,...) at netisr_dispatch+0x73
ether_demux(c3160c00,c3259c00,3,0,3,...) at ether_demux+0x1f1
ether_input(c3160c00,c3259c00,c094ce2d,647,c32516d8,...) at ether_input+0x41f
nve_ospacketrx(c3251600,d404dc04,1,0,0,...) at nve_ospacketrx+0xfa
UpdateReceiveDescRingData(c088a950,c088aa80,c088a980,c088ab20,c088a930,...) at UpdateReceiveDescRingData+0x2f8
nve_osalloc(c3249a40,d4306010,c3251600,c088a9b0,c088a950,...) at nve_osalloc
_end(c32c9c00,c3102c08,3065766e,0,0,...) at 0xc30f8540
_end(c3249a40,d4306010,c3251600,c088a9b0,c088a950,...) at 0xc32423c0
What am I doing wrong? How do I get the (unpatched) system reliably
into an LOR and be able to verify that with a patched system?
My pf.c (w/o your patch):
src/sys/contrib/pf/net/pf.c,v 1.44 2007/05/21 20:08:59 dhartmei
pf.c commit rev 1.43 already states LORs as being fixed. Reading
your patches, you're just wrapping the 1.43 fixes in a sysctl setting.
Next story... what does your patch really do? I've analyzed it and
you're just wrapping pf_socket_lookup in an if(debug_pfugidhack)
statement. Your patch also auto-sets debug.pfugidhack=1 if a uid/gid
rule has been parsed. It can manually be set to zero by sysctl, but
that would just cause pf_socket_lookup() to be skipped completely at
runtime (which disables uid/gid rule parsing?).
So I'm wondering if the LOR has really been fixed or if the patch is
just a cosmetic one?
Can you help me to find a reliable way to get that LOR and prove your
patch? Anybody else having any comments on this?
Thx
Volker
epeios# uname -v
FreeBSD 7.0-CURRENT #15: Sat Jun 9 08:19:03 CEST 2007
dmesg:
Copyright (c) 1992-2007 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 7.0-CURRENT #15: Sat Jun 9 08:19:03 CEST 2007
root at epeios.sz.vwsoft.com:/usr/obj/usr/src/sys/EPEIOS
WARNING: WITNESS option enabled, expect reduced performance.
ACPI APIC Table: <A M I OEMAPIC >
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: AMD Athlon(tm) 64 Processor 3200+ (2009.16-MHz 686-class CPU)
Origin = "AuthenticAMD" Id = 0x20ff2 Stepping = 2
Features=0x78bfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,MMX,FXSR,SSE,SSE2>
Features2=0x1<SSE3>
AMD Features=0xe2500800<SYSCALL,NX,MMX+,FFXSR,LM,3DNow!+,3DNow!>
AMD Features2=0x1<LAHF>
real memory = 503054336 (479 MB)
avail memory = 474140672 (452 MB)
ioapic0 <Version 1.1> irqs 0-23 on motherboard
kbd1 at kbdmux0
ath_hal: 0.9.20.3 (AR5210, AR5211, AR5212, RF5111, RF5112, RF2413, RF5413)
cryptosoft0: <software crypto> on motherboard
acpi0: <A M I OEMXSDT> on motherboard
acpi0: [ITHREAD]
acpi0: Power Button (fixed)
acpi0: reservation of 0, a0000 (3) failed
acpi0: reservation of 100000, 1ff00000 (3) failed
Timecounter "ACPI-fast" frequency 3579545 Hz quality 1000
acpi_timer0: <24-bit timer at 3.579545MHz> port 0x508-0x50b on acpi0
cpu0: <ACPI CPU> on acpi0
pcib0: <ACPI Host-PCI bridge> port 0xcf8-0xcff on acpi0
pci0: <ACPI PCI bus> on pcib0
pci0: <memory, RAM> at device 0.0 (no driver attached)
pci0: <memory, RAM> at device 0.1 (no driver attached)
pci0: <memory, RAM> at device 0.2 (no driver attached)
pci0: <memory, RAM> at device 0.3 (no driver attached)
pci0: <memory, RAM> at device 0.4 (no driver attached)
pci0: <memory, RAM> at device 0.5 (no driver attached)
pci0: <memory, RAM> at device 0.6 (no driver attached)
pci0: <memory, RAM> at device 0.7 (no driver attached)
pcib1: <ACPI PCI-PCI bridge> at device 2.0 on pci0
pci1: <ACPI PCI bus> on pcib1
pcib2: <ACPI PCI-PCI bridge> at device 3.0 on pci0
pci2: <ACPI PCI bus> on pcib2
pcib3: <ACPI PCI-PCI bridge> at device 4.0 on pci0
pci3: <ACPI PCI bus> on pcib3
nvidia0: <GeForce 6150> mem 0xfd000000-0xfdffffff,0xd0000000-0xdfffffff,0xfc000000-0xfcffffff at device 5.0 on pci0
nvidia0: [GIANT-LOCKED]
nvidia0: [ITHREAD]
pci0: <memory, RAM> at device 9.0 (no driver attached)
isab0: <PCI-ISA bridge> at device 10.0 on pci0
isa0: <ISA bus> on isab0
pci0: <serial bus, SMBus> at device 10.1 (no driver attached)
ohci0: <OHCI (generic) USB controller> mem 0xfebde000-0xfebdefff irq 21 at device 11.0 on pci0
ohci0: [GIANT-LOCKED]
ohci0: [ITHREAD]
usb0: OHCI version 1.0, legacy support
usb0: <OHCI (generic) USB controller> on ohci0
usb0: USB revision 1.0
uhub0: <nVidia OHCI root hub, class 9/0, rev 1.00/1.00, addr 1> on usb0
uhub0: 8 ports with 8 removable, self powered
ehci0: <EHCI (generic) USB 2.0 controller> mem 0xfebdfc00-0xfebdfcff irq 22 at device 11.1 on pci0
ehci0: [GIANT-LOCKED]
ehci0: [ITHREAD]
usb1: EHCI version 1.0
usb1: companion controller, 8 ports each: usb0
usb1: <EHCI (generic) USB 2.0 controller> on ehci0
usb1: USB revision 2.0
uhub1: <nVidia EHCI root hub, class 9/0, rev 2.00/1.00, addr 1> on usb1
uhub1: 8 ports with 8 removable, self powered
atapci0: <nVidia nForce MCP51 UDMA133 controller> port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xffa0-0xffaf at device 13.0 on pci0
ata0: <ATA channel 0> on atapci0
ata0: [ITHREAD]
ata1: <ATA channel 1> on atapci0
ata1: [ITHREAD]
atapci1: <nVidia nForce MCP51 SATA300 controller> port 0xe800-0xe807,0xe480-0xe483,0xe400-0xe407,0xe080-0xe083,0xe000-0xe00f mem 0xfebdd000-0xfebddfff irq 23 at device 14.0 on pci0
atapci1: [ITHREAD]
ata2: <ATA channel 0> on atapci1
ata2: [ITHREAD]
ata3: <ATA channel 1> on atapci1
ata3: [ITHREAD]
atapci2: <nVidia nForce MCP51 SATA300 controller> port 0xdc00-0xdc07,0xd880-0xd883,0xd800-0xd807,0xd480-0xd483,0xd400-0xd40f mem 0xfebdc000-0xfebdcfff irq 20 at device 15.0 on pci0
atapci2: [ITHREAD]
ata4: <ATA channel 0> on atapci2
ata4: [ITHREAD]
ata5: <ATA channel 1> on atapci2
ata5: [ITHREAD]
pcib4: <ACPI PCI-PCI bridge> at device 16.0 on pci0
pci4: <ACPI PCI bus> on pcib4
fwohci0: <VIA Fire II (VT6306)> port 0xcc00-0xcc7f mem 0xfaaff800-0xfaafffff irq 17 at device 5.0 on pci4
fwohci0: [FILTER]
fwohci0: OHCI version 1.0 (ROM=1)
fwohci0: No. of Isochronous channels is 4.
fwohci0: EUI64 00:11:d8:00:00:67:ed:4b
fwohci0: Phy 1394a available S400, 2 ports.
fwohci0: Link S400, max_rec 2048 bytes.
firewire0: <IEEE1394(FireWire) bus> on fwohci0
fwe0: <Ethernet over FireWire> on firewire0
if_fwe0: Fake Ethernet address: 02:11:d8:67:ed:4b
fwe0: Ethernet address: 02:11:d8:67:ed:4b
fwip0: <IP over FireWire> on firewire0
fwip0: Firewire address: 00:11:d8:00:00:67:ed:4b @ 0xfffe00000000, S400, maxrec 2048
sbp0: <SBP-2/SCSI over FireWire> on firewire0
dcons_crom0: <dcons configuration ROM> on firewire0
dcons_crom0: bus_addr 0x1d500000
fwohci0: Initiate bus reset
fwohci0: BUS reset
fwohci0: node_id=0xc800ffc0, gen=1, CYCLEMASTER mode
pci0: <multimedia> at device 16.1 (no driver attached)
nve0: <NVIDIA nForce MCP13 Networking Adapter> port 0xd080-0xd087 mem 0xfebd7000-0xfebd7fff irq 22 at device 20.0 on pci0
nve0: Ethernet address 00:15:f2:02:df:f5
miibus0: <MII bus> on nve0
e1000phy0: <Marvell 88E1111 Gigabit PHY> PHY 1 on miibus0
e1000phy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseTX-FDX, auto
nve0: using obsoleted if_watchdog interface
nve0: Ethernet address: 00:15:f2:02:df:f5
nve0: [ITHREAD]
acpi_button0: <Power Button> on acpi0
fdc0: <floppy drive controller (FDE)> port 0x3f0-0x3f5,0x3f7 irq 6 drq 2 on acpi0
fdc0: [FILTER]
atkbdc0: <Keyboard controller (i8042)> port 0x60,0x64 irq 1 on acpi0
atkbd0: <AT Keyboard> irq 1 on atkbdc0
kbd0 at atkbd0
atkbd0: [GIANT-LOCKED]
atkbd0: [ITHREAD]
psm0: <PS/2 Mouse> irq 12 on atkbdc0
psm0: [GIANT-LOCKED]
psm0: [ITHREAD]
psm0: model MouseMan+, device ID 0
pmtimer0 on isa0
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
ppc0: <Parallel port> at port 0x378-0x37f irq 7 on isa0
ppc0: SMC-like chipset (ECP/EPP/PS2/NIBBLE) in COMPATIBLE mode
ppc0: FIFO with 16/16/9 bytes threshold
ppbus0: <Parallel port bus> on ppc0
lpt0: <Printer> on ppbus0
lpt0: Interrupt-driven port
ppi0: <Parallel I/O> on ppbus0
ppc0: [GIANT-LOCKED]
ppc0: [ITHREAD]
Timecounter "TSC" frequency 2009159850 Hz quality 800
Timecounters tick every 1.000 msec
Fast IPsec: Initialized Security Association Processing.
firewire0: 1 nodes, maxhop <= 0, cable IRM = 0 (me)
firewire0: bus manager 0 (me)
ad4: 76319MB <SAMSUNG HD080HJ WT100-33> at ata2-master SATA300
WARNING: WITNESS option enabled, expect reduced performance.
Trying to mount root from ufs:/dev/ad4s1a
KERNCONF:
machine i386
cpu I686_CPU
ident EPEIOS
# To statically compile in device wiring instead of /boot/device.hints
#hints "GENERIC.hints" # Default places to look for devices.
makeoptions DEBUG=-g # Build kernel with gdb(1) debug symbols
options SCHED_4BSD # 4BSD scheduler
options PREEMPTION # Enable kernel thread preemption
options INET # InterNETworking
options INET6 # IPv6 communications protocols
options FAST_IPSEC
options FFS # Berkeley Fast Filesystem
options SOFTUPDATES # Enable FFS soft updates support
options UFS_ACL # Support for access control lists
options UFS_DIRHASH # Improve performance on big directories
options UFS_GJOURNAL # Enable gjournal-based UFS journaling
options MD_ROOT # MD is a potential root device
options NFSCLIENT # Network Filesystem Client
options NFSSERVER # Network Filesystem Server
options NFS_ROOT # NFS usable as /, requires NFSCLIENT
options MSDOSFS # MSDOS Filesystem
options CD9660 # ISO 9660 Filesystem
options PROCFS # Process filesystem (requires PSEUDOFS)
options PSEUDOFS # Pseudo-filesystem framework
#options GEOM_GPT # GUID Partition Tables.
options GEOM_PART_GPT # GUID Partition Tables.
options COMPAT_43 # Compatible with BSD 4.3 [KEEP THIS!]
options COMPAT_43TTY # BSD 4.3 TTY compat [KEEP THIS!]
options COMPAT_FREEBSD4 # Compatible with FreeBSD4
options COMPAT_FREEBSD5 # Compatible with FreeBSD5
options SCSI_DELAY=5000 # Delay (in ms) before probing SCSI
options KTRACE # ktrace(1) support
options SYSVSHM # SYSV-style shared memory
options SYSVMSG # SYSV-style message queues
options SYSVSEM # SYSV-style semaphores
options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
options ADAPTIVE_GIANT # Giant mutex is adaptive.
options STOP_NMI # Stop CPUS using NMI instead of IPI
options HZ=1000
options SMP
device apic # I/O APIC
# Debugging for use in -current
options KDB # Enable kernel debugger support.
options DDB # Support DDB.
options GDB # Support remote GDB.
options INVARIANTS # Enable calls of extra sanity checking
options INVARIANT_SUPPORT # Extra sanity checks of internal structures, required by INVARIANTS
options WITNESS # Enable checks to detect deadlocks and cycles
options WITNESS_SKIPSPIN # Don't run witness on spinlocks for speed
# Bus support.
#device eisa
device pci
# Floppy drives
device fdc
# ATA and ATAPI devices
device ata
device atadisk # ATA disk drives
device ataraid # ATA RAID drives
device atapicd # ATAPI CDROM drives
device atapifd # ATAPI floppy drives
device atapist # ATAPI tape drives
options ATA_STATIC_ID # Static device numbering
device atapicam
# SCSI Controllers
device ahc # AHA2940 and onboard AIC7xxx devices
options AHC_REG_PRETTY_PRINT # Print register bitfields in debug
# output. Adds ~128k to driver.
device ahd # AHA39320/29320 and onboard AIC79xx devices
options AHD_REG_PRETTY_PRINT # Print register bitfields in debug
# output. Adds ~215k to driver.
device ncv # NCR 53C500
device nsp # Workbit Ninja SCSI-3
device stg # TMC 18C30/18C50
# SCSI peripherals
device scbus # SCSI bus (required for SCSI)
device ch # SCSI media changers
device da # Direct Access (disks)
device sa # Sequential Access (tape etc)
device cd # CD
device pass # Passthrough device (direct SCSI access)
device ses # SCSI Environmental Services (and SAF-TE)
# atkbdc0 controls both the keyboard and the PS/2 mouse
device atkbdc # AT keyboard controller
device atkbd # AT keyboard
device psm # PS/2 mouse
device kbdmux # keyboard multiplexer
device vga # VGA video card driver
device splash # Splash screen and screen saver support
# syscons is the default console driver, resembling an SCO console
device sc
# Enable this for the pcvt (VT220 compatible) console driver
#device vt
#options XSERVER # support for X server on a vt console
#options FAT_CURSOR # start with block cursor
device agp # support several AGP chipsets
# Power management support (see NOTES for more options)
#device apm
# Add suspend/resume support for the i8254.
device pmtimer
# Serial (COM) ports
#device sio # 8250, 16[45]50 based serial ports
#device uart
# Parallel port
device ppc
device ppbus # Parallel port bus (required)
device lpt # Printer
device ppi # Parallel port interface device
#device vpo # Requires scbus and da
# If you've got a "dumb" serial or parallel PCI card that is
# supported by the puc(4) glue driver, uncomment the following
# line to enable it (connects to the sio and/or ppc drivers):
#device puc
# PCI Ethernet NICs.
device de # DEC/Intel DC21x4x (``Tulip'')
device em # Intel PRO/1000 adapter Gigabit Ethernet Card
device ixgb # Intel PRO/10GbE Ethernet Card
device txp # 3Com 3cR990 (``Typhoon'')
device vx # 3Com 3c590, 3c595 (``Vortex'')
# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device miibus # MII bus support
device bce # Broadcom BCM5706/BCM5708 Gigabit Ethernet
device bfe # Broadcom BCM440x 10/100 Ethernet
device bge # Broadcom BCM570xx Gigabit Ethernet
device dc # DEC/Intel 21143 and various workalikes
device fxp # Intel EtherExpress PRO/100B (82557, 82558)
device lge # Level 1 LXT1001 gigabit Ethernet
device nge # NatSemi DP83820 gigabit Ethernet
device nve # nVidia nForce MCP on-board Ethernet Networking
device pcn # AMD Am79C97x PCI 10/100(precedence over 'lnc')
device re # RealTek 8139C+/8169/8169S/8110S
device rl # RealTek 8129/8139
device sf # Adaptec AIC-6915 (``Starfire'')
device sis # Silicon Integrated Systems SiS 900/SiS 7016
device sk # SysKonnect SK-984x & SK-982x gigabit Ethernet
device ste # Sundance ST201 (D-Link DFE-550TX)
device stge # Sundance/Tamarack TC9021 gigabit Ethernet
device ti # Alteon Networks Tigon I/II gigabit Ethernet
device tl # Texas Instruments ThunderLAN
device tx # SMC EtherPower II (83c170 ``EPIC'')
device vge # VIA VT612x gigabit Ethernet
device vr # VIA Rhine, Rhine II
device wb # Winbond W89C840F
device xl # 3Com 3c90x (``Boomerang'', ``Cyclone'')
# Wireless NIC cards
device wlan # 802.11 support
device wlan_wep # 802.11 WEP support
device wlan_ccmp # 802.11 CCMP support
device wlan_tkip # 802.11 TKIP support
device wlan_amrr
device an # Aironet 4500/4800 802.11 wireless NICs.
device ath # Atheros pci/cardbus NIC's
device ath_hal # Atheros HAL (Hardware Access Layer)
device ath_rate_sample # SampleRate tx rate control for ath
device awi # BayStack 660 and others
device ral # Ralink Technology RT2500 wireless NICs.
device wi # WaveLAN/Intersil/Symbol 802.11 wireless NICs.
#device wl # Older non 802.11 Wavelan wireless NIC.
# Pseudo devices.
device mem
device io
device loop # Network loopback
device random # Entropy device
device ether # Ethernet support
device ppp # Kernel PPP
device tun # Packet tunnel.
device pty # Pseudo-ttys (telnet etc)
device md # Memory "disks"
device gif # IPv6 and IPv4 tunneling
device faith # IPv6-to-IPv4 relaying (translation)
# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
# Note that 'bpf' is required for DHCP.
device bpf # Berkeley packet filter
# USB support
device uhci # UHCI PCI->USB interface
device ohci # OHCI PCI->USB interface
device ehci # EHCI PCI->USB interface (USB 2.0)
device usb # USB Bus (required)
#device udbp # USB Double Bulk Pipe devices
device ugen # Generic
device uhid # "Human Interface Devices"
device ukbd # Keyboard
device ulpt # Printer
device umass # Disks/Mass storage - Requires scbus and da
device ums # Mouse
device ural # Ralink Technology RT2500USB wireless NICs
device rum
device urio # Diamond Rio 500 MP3 player
device uscanner # Scanners
# USB Ethernet, requires miibus
device aue # ADMtek USB Ethernet
device axe # ASIX Electronics USB Ethernet
device cdce # Generic USB over Ethernet
device cue # CATC USB Ethernet
device kue # Kawasaki LSI USB Ethernet
device rue # RealTek RTL8150 USB Ethernet
options ALTQ
options ALTQ_CBQ # Class Bases Queueing
options ALTQ_RED # Random Early Detection
options ALTQ_RIO # RED In/Out
options ALTQ_HFSC # Hierarchical Packet Scheduler
options ALTQ_CDNR # Traffic conditioner
options ALTQ_PRIQ # Priority Queueing
options ALTQ_NOPCC # Required if the TSC is unusable
#options ALTQ_DEBUG
# FireWire support
device firewire # FireWire bus code
device sbp # SCSI over FireWire (Requires scbus and da)
device fwe # Ethernet over FireWire (non-standard!)
device fwip
device dcons
device dcons_crom
device crypto
device enc
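An added example, not from Volker's post or from the pf project: a small sh audit script that lists which loaded pf rules carry a user or group match (the rules that send pf_test_udp() into pf_socket_lookup(), the path the backtrace above shows taking the udp lock) and reports the debug.pfugidhack sysctl that the discussed patch introduces. The sample rule set is constructed (the two rules from the post plus two without user/group); the interface name em0 and the --live flag are my own assumptions. On a host without that sysctl the state prints as "unavailable".

```shell
#!/bin/sh
# Added example, not from the original post: audit a pf rule set for rules
# that depend on the user/group socket lookup, and report the sysctl that
# the discussed patch uses to gate pf_socket_lookup().

# Constructed sample in "pfctl -sr" style: the two rules from the post
# (interface name em0 is an assumption) plus two rules without user/group.
SAMPLE_RULES='pass out log quick on em0 all user volker keep state
pass in log on em0 proto { tcp udp } from any to any port 49152:65535 user avahi keep state
pass in on em0 proto tcp from any to any port 22 keep state
block in log all'

# Print the rules (one per line) that carry a "user" or "group" match.
# Word-bounded, so e.g. a table named "users" is not a false positive.
ugid_rules() {
    printf '%s\n' "$1" | grep -E '(^|[[:space:]])(user|group)[[:space:]]' || true
}

# Number of such rules; prints 0 when there are none.
ugid_rule_count() {
    ugid_rules "$1" | wc -l | tr -d ' '
}

# State of the debug.pfugidhack sysctl from the patch: "1" or "0" on a
# patched FreeBSD kernel, "unavailable" elsewhere (Linux, unpatched kernel).
pfugidhack_state() {
    if v=$(sysctl -n debug.pfugidhack 2>/dev/null) && [ -n "$v" ]; then
        echo "$v"
    else
        echo unavailable
    fi
}

# Classify the combination of loaded rules and sysctl state:
#   none    - no user/group rules, socket lookup path not exercised
#   skipped - rules present but the sysctl is 0, so pf_socket_lookup()
#             is skipped at runtime (as the post reads the patch)
#   active  - rules present and pf_socket_lookup() will run
audit_verdict() {
    n=$(ugid_rule_count "$1")
    state=$2
    if [ "$n" -eq 0 ]; then
        echo none
    elif [ "$state" = 0 ]; then
        echo skipped
    else
        echo active
    fi
}

# Human-readable report for one rule set.
audit() {
    state=$(pfugidhack_state)
    n=$(ugid_rule_count "$1")
    echo "user/group rules: $n"
    echo "debug.pfugidhack: $state"
    echo "socket lookup:    $(audit_verdict "$1" "$state")"
    ugid_rules "$1" | sed 's/^/  /'
}

# Run against the constructed sample, or the live rule set with --live
# (assumed flag; needs pfctl and root).
if [ "${1:-}" = "--live" ]; then
    audit "$(pfctl -sr 2>/dev/null)"
else
    audit "$SAMPLE_RULES"
fi
```

The verdict function is kept separate from the sysctl read so the same classification can be applied to a saved pfctl -sr dump from another box, which is the comparison the post is after (unpatched versus patched system, same rule set).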