From owner-freebsd-hackers@FreeBSD.ORG Wed Jun 2 14:35:15 2004 Return-Path: Delivered-To: freebsd-hackers@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D477D16A4CE; Wed, 2 Jun 2004 14:35:15 -0700 (PDT) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8549843D3F; Wed, 2 Jun 2004 14:35:15 -0700 (PDT) (envelope-from csjp@freebsd.org) Received: from freefall.freebsd.org (csjp@localhost [127.0.0.1]) i52LZFEK091522; Wed, 2 Jun 2004 14:35:15 -0700 (PDT) (envelope-from csjp@freebsd.org) Received: (from csjp@localhost) by freefall.freebsd.org (8.12.11/8.12.11/Submit) id i52LZFJr091521; Wed, 2 Jun 2004 14:35:15 -0700 (PDT) (envelope-from csjp@freebsd.org) X-Authentication-Warning: freefall.freebsd.org: csjp set sender to csjp@freebsd.org using -f Date: Wed, 2 Jun 2004 14:35:15 -0700 From: "Christian S.J. Peron" To: Andre Oppermann Message-ID: <20040602213515.GA90619@freefall.freebsd.org> References: <20040602043537.GA42327@freefall.freebsd.org> <40BD9D3F.7090100@freebsd.org> <20040602135155.GA31642@freefall.freebsd.org> <40BE4536.4050905@freebsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <40BE4536.4050905@freebsd.org> User-Agent: Mutt/1.4.1i cc: hackers@freebsd.org cc: ipfw@freebsd.org Subject: Re: ipfw cached ucred patch X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Jun 2004 21:35:16 -0000 Agreed, This was a concern for me as well, I was pretty carefull about managing the reference counts, I am currently testing this patch with a variety of rule types to check for ucred leaks. If/before this patch gets committed, I plan on doing another carefull scrutinization of the ipfw code to make sure there are no return, continues or breaks etc which could cause the ucred to be leaked. On 2 Jun 2004 Andre Oppermann wrote: > Christian S.J. Peron wrote: > >On 2 Jun 2004 Andre Oppermann wrote: > > > >>Christian S.J. Peron wrote: > >> > >>>All, > >>> > >>>Currently, when you have any rules which contain UID/GID > >>>constraints, ipfw will lock the pcb hash and do a lookup > >>>to find the pcb associated with that packet -- > >>>One for each constraint. > >>> > >>>I have written a patch in attempt to minimize the impact > >>>of PCB related lookups for these type of firewall rules. > >>> > >>>This patch will have the following effects on firewalls which > >>>contain UID/GID constraints: > >>> > >>>o Greatly reduce the locking contention associated > >>> with PCB lookups. > >>> > >>>o Increase the performance of firewall in general by making > >>> PCB lookups O(1) rather than O(n) (where n represents > >>> number of UID/GID constraints in the ruleset) > >>> > >>>It would be greatly appriciated if people who are running ipfw > >>>rules sets containing UID/GID constraints tested this patch > >>>and reported any success or failures. > >>> > >>>The patch can be downloaded from: > >>> > >>>http://people.freebsd.org/~csjp/ip_fw2_cached_ucred.patch > >> > >>You can optimize it even further by directly copying the uid/gid > >>from the ucred while you hold the INP_LOCK. There is no need to > >>hold on to the entire ucred. It should be sufficient to do the > >>ucred lookup only once per packet in the ipfw code. If you don't > >>find an INPCB for the packet you'll do a negative lookup for every > >>uid/gid rule. > > > >I thought about this to, however in order to implement GID contraints > >properly, we need to use groupmember(9) which requires the > >entire cr_groups[16] located in the ucred. I thought it was more > >elegant and cheaper to avoid the memcpy(sizeof(gid_t) * NGROUPS) > >and stick with the mutex. > > I see. Hmmm... Actually I'm only concerned that someone later > misses a crfree() call and starts to leak ucred structures. ipfw > is not the first place you are going to look for it. The more you > can keep together in one place the better it is. This kind > of error has already happend once with the initial implementation > of verrevpath in ifpw. The fuction did not correctly do the ref- > counting leading to a hefty rtentry leak. > > -- > Andre > -- Christian S.J. Peron csjp@FreeBSD.ORG FreeBSD Committer