Date:      Wed, 6 Jun 2007 16:29:12 +0200
From:      Max Laier <max@love2party.net>
To:        freebsd-pf@freebsd.org
Cc:        Tillman Hodgson <tillman@seekingfire.com>, freebsd-current@freebsd.org, Tai-hwa Liang <avatar@mmlab.cse.yzu.edu.tw>
Subject:   USER/GROUP rules on the chopping Block [ Re: Panic on boot with April 16 src (lengthy info attached) ]
Message-ID:  <200706061629.21923.max@love2party.net>
In-Reply-To: <20070418214855.GQ1225@seekingfire.com>
References:  <20070417153357.GA1335@seekingfire.com> <200704182213.50663.max@love2party.net> <20070418214855.GQ1225@seekingfire.com>


After several attempts to fix user/group rules which ended like the most
recent one - cited below - with *ZERO* feedback, I won't waste any more
effort.  Either somebody steps up, does proper testing and reports back,
or user/group rules go!  End of story!

This is not personal against Tillman - he just happened to be the most
recent one to hit the problem.

On Wednesday 18 April 2007, Tillman Hodgson wrote:
> On Wed, Apr 18, 2007 at 10:13:42PM +0200, Max Laier wrote:
> > On Wednesday 18 April 2007 21:28, Tillman Hodgson wrote:
> > > Oh, interesting! I'm rebuilding right now with that option :-)
> > > I'll report back in a few days how it goes.
> >
> > Actually, could you test this?  It should enable the hack on the fly
> > as a user/group rule is added.  See "sysctl debug.pfugidhack" or
> > "pfctl -x misc" to confirm it's on.
>
> Sure, I've restarted the build with this patch.

and again ... the thread ends here - zero feedback received :-(  Does
anyone care about user/group rules at all?  If so - speak up now or I'll
just disable them with the upcoming update!!!

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

[Attachment: auto_ugid_hack.diff]

Index: pf.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf.c,v
retrieving revision 1.43
diff -u -r1.43 pf.c
=2D-- pf.c	29 Dec 2006 13:59:03 -0000	1.43
+++ pf.c	18 Apr 2007 19:55:19 -0000
@@ -134,6 +134,7 @@
 #include <security/mac/mac_framework.h>
=20
 extern int ip_optcopy(struct ip *, struct ip *);
+extern int debug_pfugidhack;
 #endif
=20
 #define DPFPRINTF(n, x)	if (pf_status.debug >=3D (n)) printf x
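Review bot: The `extern int debug_pfugidhack;` added here is a private declaration in pf.c of a variable defined in pf_ioctl.c, so nothing checks the two sides against each other; a shared header (pfvar.h, under the same `#ifdef __FreeBSD__`) is where a cross-file flag like this belongs. Moving it there also gives the flag a single place for a comment on what it arms, which this patch does not provide anywhere.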
@@ -3032,10 +3033,12 @@
 		return (PF_DROP);
 	}
=20
=2D#if defined(__FreeBSD__) && defined(PF_MPSAFE_UGID)
=2D	PF_UNLOCK();
=2D	lookup =3D pf_socket_lookup(&uid, &gid, direction, pd, inp);
=2D	PF_LOCK();
+#ifdef __FreeBSD__
+	if (debug_pfugidhack) {
+		PF_UNLOCK();
+		lookup =3D pf_socket_lookup(&uid, &gid, direction, pd, inp);
+		PF_LOCK();
+	}
 #endif
=20
 	r =3D TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
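Review bot: When `debug_pfugidhack` is 0 the new `if` leaves `lookup` at whatever value it had before this hunk, and the rule loop starting at the next line must then obtain the socket itself while PF_LOCK is held — which, as far as the mail explains it, is the path that causes the panic this hack works around. Since the flag is a plain global that the administrator can clear through the sysctl at any time, that fallback is reachable with user/group rules still active, so the `if` deserves a comment making the contract explicit: `/* Armed by pf_ioctl when a uid/gid rule is loaded; if it is off the rule loop below does the lookup under PF_LOCK, which is the case this hack avoids. */`. The enclosing function starts and ends outside the hunk.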
@@ -3434,10 +3437,12 @@
 		return (PF_DROP);
 	}
=20
=2D#if defined(__FreeBSD__) && defined(PF_MPSAFE_UGID)
=2D	PF_UNLOCK();
=2D	lookup =3D pf_socket_lookup(&uid, &gid, direction, pd, inp);
=2D	PF_LOCK();
+#ifdef __FreeBSD__
+	if (debug_pfugidhack) {
+		PF_UNLOCK();
+		lookup =3D pf_socket_lookup(&uid, &gid, direction, pd, inp);
+		PF_LOCK();
+	}
 #endif
=20
 	r =3D TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
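Review bot: Nothing in this patch ever clears `debug_pfugidhack` once a rule sets it, so after the first uid/gid rule is loaded every packet through this path and the identical one earlier in the file pays the PF_UNLOCK/lookup/PF_LOCK round trip for the lifetime of the kernel, even after all such rules are flushed. Dropping and retaking the lock mid-evaluation also widens the window in which the ruleset may be swapped under this function, which is presumably why `r` is re-read from `active.ptr` only after the relock. If clearing the flag on ruleset commit is not wanted, the cost should at least be documented at the `if`: `/* Sticky once armed: costs an unlock/relock per packet until reboot. */`. The enclosing function starts and ends outside the hunk.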
Index: pf_ioctl.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf_ioctl.c,v
retrieving revision 1.27
diff -u -r1.27 pf_ioctl.c
=2D-- pf_ioctl.c	1 Jan 2007 16:51:11 -0000	1.27
+++ pf_ioctl.c	18 Apr 2007 20:04:57 -0000
@@ -84,6 +84,7 @@
 #include <sys/module.h>
 #include <sys/conf.h>
 #include <sys/proc.h>
+#include <sys/sysctl.h>
 #else
 #include <sys/timeout.h>
 #include <sys/pool.h>
@@ -237,6 +238,10 @@
 struct mtx pf_task_mtx;
 pflog_packet_t *pflog_packet_ptr =3D NULL;
=20
+int debug_pfugidhack =3D 0;
+SYSCTL_INT(_debug, OID_AUTO, pfugidhack, CTLFLAG_RW, &debug_pfugidhack, 0,
+    "Enable/disable pf user/group rules mpsafe hack");
+
 void
 init_pf_mutex(void)
 {
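Review bot: `CTLFLAG_RW` lets root clear `debug.pfugidhack` while uid/gid rules are in the active ruleset, which silently puts packet processing back on the in-lock lookup path this flag exists to avoid; the ioctl hunks already arm the flag automatically, and the mail only needs the sysctl to confirm it is on, so `CTLFLAG_RD` covers that use: `SYSCTL_INT(_debug, OID_AUTO, pfugidhack, CTLFLAG_RD, &debug_pfugidhack, 0,`. If manual enabling for testing is wanted, a `SYSCTL_PROC` handler that returns EBUSY when asked to clear it while any active rule has `uid.op` or `gid.op` set is the safe form. Separately, the other globals in this block carry a `pf`/`pflog` prefix (`pf_task_mtx`, `pflog_packet_ptr`); `pf_ugidhack` would match.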
@@ -1603,6 +1608,13 @@
 		rule->evaluations =3D rule->packets =3D rule->bytes =3D 0;
 		TAILQ_INSERT_TAIL(ruleset->rules[rs_num].inactive.ptr,
 		    rule, entries);
+#ifdef __FreeBSD__
+		if (!debug_pfugidhack && (rule->uid.op || rule->gid.op)) {
+			DPFPRINTF(PF_DEBUG_MISC,
+			    ("pf: debug.pfugidhack enabled\n"));
+			debug_pfugidhack =3D 1;
+		}
+#endif
 		break;
 	}
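Review bot: The flag is raised when the rule enters the inactive ruleset, i.e. before any commit can make it active, which is the right order, but the line deserves a comment saying so and stating that the flag survives a later DIOCXROLLBACK or flush because nothing in this patch lowers it: `/* Arm before the rule can become active; sticky, not reset on rollback or flush. */`. The `DPFPRINTF` only fires when `pf_status.debug` reaches PF_DEBUG_MISC, so operators relying on the mail's `pfctl -x misc` advice should know the message is otherwise silent. The enclosing `switch` and function extend beyond the hunk.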
=20
@@ -1828,6 +1840,14 @@
 			newrule->rpool.cur =3D TAILQ_FIRST(&newrule->rpool.list);
 			newrule->evaluations =3D newrule->packets =3D 0;
 			newrule->bytes =3D 0;
+#ifdef __FreeBSD__
+			if (!debug_pfugidhack &&
+			    (newrule->uid.op || newrule->gid.op)) {
+				DPFPRINTF(PF_DEBUG_MISC,
+				    ("pf: debug.pfugidhack enabled\n"));
+				debug_pfugidhack =3D 1;
+			}
+#endif
 		}
 		pf_empty_pool(&pf_pabuf);
=20
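Review bot: This block is a character-for-character copy of the one added in the DIOCADDRULE hunk above, and both will need the same edit when the flag gets a prefix, a comment, or a clear path; a small static helper keeps the two sites in step. `DPFPRINTF` is already used in this file, and the argument type is assumed to be the `struct pf_rule` the `rule`/`newrule` pointers here point at — worth confirming against the local declarations, which are outside the hunk.

```c
/* Arm the out-of-lock uid/gid socket lookup once a rule needs it. */
static void
pf_ugidhack_arm(const struct pf_rule *rule)
{
	if (!debug_pfugidhack && (rule->uid.op || rule->gid.op)) {
		DPFPRINTF(PF_DEBUG_MISC,
		    ("pf: debug.pfugidhack enabled\n"));
		debug_pfugidhack = 1;
	}
}

/* … unchanged: DIOCCHANGERULE up to newrule->bytes = 0; … */
#ifdef __FreeBSD__
			pf_ugidhack_arm(newrule);
#endif
```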



