From owner-freebsd-current@FreeBSD.ORG Wed Jun 6 14:31:50 2007
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Wed, 6 Jun 2007 16:29:12 +0200
References: <20070417153357.GA1335@seekingfire.com> <200704182213.50663.max@love2party.net> <20070418214855.GQ1225@seekingfire.com>
In-Reply-To: <20070418214855.GQ1225@seekingfire.com>
Message-Id: <200706061629.21923.max@love2party.net>
Cc: Tillman Hodgson, freebsd-current@freebsd.org, Tai-hwa Liang
Subject: USER/GROUP rules on the chopping Block [ Re: Panic on boot with April 16 src (lengthy info attached) ]

After several attempts to fix user/group rules which ended like the most
recent one - cited below - with *ZERO* feedback, I won't waste any more
effort. Either somebody steps up, does proper testing and reports back,
or user/group rules go! End of story!
This is not personal against Tillman - he just happened to be the most
recent one to hit the problem.

On Wednesday 18 April 2007, Tillman Hodgson wrote:
> On Wed, Apr 18, 2007 at 10:13:42PM +0200, Max Laier wrote:
> > On Wednesday 18 April 2007 21:28, Tillman Hodgson wrote:
> > > Oh, interesting! I'm rebuilding right now with that option :-)
> > > I'll report back in a few days how it goes.
> >
> > Actually, could you test this? It should enable the hack on the fly
> > as a user/group rule is added. See "sysctl debug.pfugidhack" or
> > "pfctl -x misc" to confirm it's on.
>
> Sure, I've restarted the build with this patch.

and again ... the thread ends here - zero feedback received :-( Does
anyone care about user/group rules at all? If so - speak up now or I'll
just disable them with the upcoming update!!!

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

[Attachment: auto_ugid_hack.diff (text/x-diff)]

Index: pf.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf.c,v retrieving revision 1.43 diff -u -r1.43 pf.c =2D-- pf.c 29 Dec 2006 13:59:03 -0000 1.43 +++ pf.c 18 Apr 2007 19:55:19 -0000 @@ -134,6 +134,7 @@ #include =20 extern int ip_optcopy(struct ip *, struct ip *); +extern int debug_pfugidhack; #endif =20 #define DPFPRINTF(n, x) if (pf_status.debug >=3D (n)) printf x
@@ -3032,10 +3033,12 @@ return (PF_DROP); } =20 =2D#if defined(__FreeBSD__) && defined(PF_MPSAFE_UGID) =2D PF_UNLOCK(); =2D lookup =3D pf_socket_lookup(&uid, &gid, direction, pd, inp); =2D PF_LOCK(); +#ifdef __FreeBSD__ + if (debug_pfugidhack) { + PF_UNLOCK(); + lookup =3D pf_socket_lookup(&uid, &gid, direction, pd, inp); + PF_LOCK(); + } #endif =20 r =3D TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); @@ -3434,10 +3437,12 @@ return (PF_DROP); } =20 =2D#if defined(__FreeBSD__) && defined(PF_MPSAFE_UGID) =2D PF_UNLOCK(); =2D lookup =3D pf_socket_lookup(&uid, &gid, direction, pd, inp); =2D PF_LOCK(); +#ifdef __FreeBSD__ + if (debug_pfugidhack) { + PF_UNLOCK(); + lookup =3D pf_socket_lookup(&uid, &gid, direction, pd, inp); + PF_LOCK(); + } #endif =20 r =3D TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); Index: pf_ioctl.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf_ioctl.c,v retrieving revision 1.27 diff -u -r1.27 pf_ioctl.c =2D-- pf_ioctl.c 1 Jan 2007 16:51:11 -0000 1.27 +++ pf_ioctl.c 18 Apr 2007 20:04:57 -0000 @@ -84,6 +84,7 @@ #include #include #include +#include #else #include #include @@ -237,6 +238,10 @@ struct mtx pf_task_mtx; pflog_packet_t *pflog_packet_ptr =3D NULL; =20 +int debug_pfugidhack =3D 0; +SYSCTL_INT(_debug, OID_AUTO, pfugidhack, CTLFLAG_RW, &debug_pfugidhack, 0, + "Enable/disable pf user/group rules mpsafe hack"); + void init_pf_mutex(void) { @@ -1603,6 +1608,13 @@ rule->evaluations =3D rule->packets =3D rule->bytes =3D 0; TAILQ_INSERT_TAIL(ruleset->rules[rs_num].inactive.ptr, rule, entries); +#ifdef __FreeBSD__ + if (!debug_pfugidhack && (rule->uid.op || rule->gid.op)) { + DPFPRINTF(PF_DEBUG_MISC, + ("pf: debug.pfugidhack enabled\n")); + debug_pfugidhack =3D 1; + } +#endif break; } =20 
@@ -1828,6 +1840,14 @@ newrule->rpool.cur =3D TAILQ_FIRST(&newrule->rpool.list); newrule->evaluations =3D newrule->packets =3D 0; newrule->bytes =3D 0; +#ifdef __FreeBSD__ + if (!debug_pfugidhack && + (newrule->uid.op || newrule->gid.op)) { + DPFPRINTF(PF_DEBUG_MISC, + ("pf: debug.pfugidhack enabled\n")); + debug_pfugidhack =3D 1; + } +#endif } pf_empty_pool(&pf_pabuf); =20
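Review bot: the `+extern int debug_pfugidhack;` added in the pf.c `@@ -134` hunk is an ad-hoc extern for a variable that is defined over in pf_ioctl.c; like the `extern int ip_optcopy(...)` right above it, a later change to the name or type in one file will not be caught by the compiler in the other. Declare it once in a header both pf.c and pf_ioctl.c already include, inside the same `__FreeBSD__` section, and drop the local extern.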
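Review bot: in both pf.c hunks (`@@ -3032` and `@@ -3434`) the compile-time `defined(PF_MPSAFE_UGID)` guard becomes a runtime `if (debug_pfugidhack)`, so when the flag is 0 the unlocked `pf_socket_lookup()` call and the assignment to `lookup` are skipped entirely and the function carries on with whatever `lookup` held before; that is the pre-hack code path, and nothing at either site records that it is only safe while no uid/gid rule is active. Add a comment saying so, and since the two blocks are identical, move the `PF_UNLOCK(); lookup = pf_socket_lookup(...); PF_LOCK();` sequence into one small static helper so the lock pairing lives in a single place.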
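Review bot: `SYSCTL_INT(_debug, OID_AUTO, pfugidhack, CTLFLAG_RW, ...)` in the `@@ -237` hunk lets an operator write 0 while uid/gid rules are already loaded, and nothing in the patch re-checks the ruleset when that happens, so the lookup sites in pf.c silently fall back to the locked path the hack exists to avoid. Either make the node CTLFLAG_RD so only the DIOCADDRULE/DIOCCHANGERULE paths can raise it, or register it through a SYSCTL_PROC handler that refuses to clear the flag while such rules are present; the description string "Enable/disable pf user/group rules mpsafe hack" should then say which of the two it is.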
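Review bot: the auto-enable block added after `TAILQ_INSERT_TAIL(ruleset->rules[rs_num].inactive.ptr, rule, entries);` in the `@@ -1603` hunk is duplicated verbatim in the `@@ -1828` hunk; factor the `!debug_pfugidhack && (rule->uid.op || rule->gid.op)` test and the DPFPRINTF into one static helper so the condition cannot drift between the two ioctls. Note also that it fires on insertion into the inactive ruleset, before the transaction is committed, so a load that is later rolled back still leaves the flag on; that is the safe direction (enabled early, never late), but a one-line comment should say it is intentional, and the "pf: debug.pfugidhack enabled" message only appears when `pf_status.debug >= PF_DEBUG_MISC`, which matches the "pfctl -x misc" advice in the thread.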
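Review bot: between this `@@ -1828` hunk and the DIOCADDRULE one the flag is only ever set to 1; no path clears it, so once a single uid/gid rule has been loaded every later ruleset, even one without such rules, keeps paying the PF_UNLOCK/pf_socket_lookup/PF_LOCK round trip at both lookup sites in pf.c. If that is intentional for simplicity, document it next to the DPFPRINTF; otherwise recompute the flag at commit time (DIOCXCOMMIT) by scanning the new active filter ruleset instead of raising it per rule at add/change time.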