Date: Sat, 27 Sep 2008 20:33:49 +0100 (BST)
From: Robert Watson <rwatson@FreeBSD.org>
To: Ganbold <ganbold@micom.mng.net>
Cc: cvs-src@FreeBSD.org, src-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/netinet ip_fw2.c
Message-ID: <alpine.BSF.1.10.0809272032440.20117@fledge.watson.org>
In-Reply-To: <alpine.BSF.1.10.0809272013380.20117@fledge.watson.org>
References: <200809271014.m8RAENka041457@repoman.freebsd.org> <48DE5C4F.8040807@micom.mng.net> <alpine.BSF.1.10.0809272013380.20117@fledge.watson.org>

On Sat, 27 Sep 2008, Robert Watson wrote:

>>> Rather than shadowing global variable 'lookup' in check_uidgid(), rename
>>> it to ugid_lookupp.  This should make debugging issues with ipfw uid
>>> rules easier.
>>
>> Still panics:
>
> Something seems odd here, we may be looking at an ipfw bug.  The goal of
> passing down the inpcb is that ipfw doesn't have to look it up (and hence
> avoids acquiring locks in ipfw on the outbound path) -- the stack arguments
> clearly show it held in ipfw, but locks are acquired anyway.  This
> particular change was purely cosmetic, but I'll review the ipfw code more
> closely and see about a fix...

Indeed -- when an inpcb doesn't have a socket, ipfw will go ahead and do a
lookup for an inpcb even though one is passed down.  I've committed a change
that short-circuits that and marks the credential lookup as failed.  Give it a
try now?

Robert N M Watson
Computer Laboratory
University of Cambridge