After several attempts to fix user/group rules which ended like the most recent one - cited below - with *ZERO* feedback, I won't waste anymore effort. Either somebody steps up, does proper testing and reports back, or user/group rules go! End of story!
This is not personal against Tillman - he just happend to be the most recent one to hit the problem. On Wednesday 18 April 2007, Tillman Hodgson wrote: > On Wed, Apr 18, 2007 at 10:13:42PM +0200, Max Laier wrote: > > On Wednesday 18 April 2007 21:28, Tillman Hodgson wrote: > > > Oh, interesting! I'm rebuilding right now with that option :-) > > > I'll report back in a few days how it goes. > > > > Actually, could you test this? It should enable the hack on the fly > > as a user/group rule is added. See "sysctl debug.pfugidhack" or > > "pfctl -x misc" to confirm it's on. > > Sure, I've restarted the build with this patch. and again ... the thread ends here - zero feedback received :-( Does anyone care about user/group rules at all? If so - speak up now or I'll just disable them with the upcoming update!!! -- /"\ Best regards, | [EMAIL PROTECTED] \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | [EMAIL PROTECTED] / \ ASCII Ribbon Campaign | Against HTML Mail and News
Index: pf.c
===================================================================
RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf.c,v
retrieving revision 1.43
diff -u -r1.43 pf.c
--- pf.c 29 Dec 2006 13:59:03 -0000 1.43
+++ pf.c 18 Apr 2007 19:55:19 -0000
@@ -134,6 +134,7 @@
#include <security/mac/mac_framework.h>
extern int ip_optcopy(struct ip *, struct ip *);
+extern int debug_pfugidhack;
#endif
#define DPFPRINTF(n, x) if (pf_status.debug >= (n)) printf x
@@ -3032,10 +3033,12 @@
return (PF_DROP);
}
-#if defined(__FreeBSD__) && defined(PF_MPSAFE_UGID)
- PF_UNLOCK();
- lookup = pf_socket_lookup(&uid, &gid, direction, pd, inp);
- PF_LOCK();
+#ifdef __FreeBSD__
+ if (debug_pfugidhack) {
+ PF_UNLOCK();
+ lookup = pf_socket_lookup(&uid, &gid, direction, pd, inp);
+ PF_LOCK();
+ }
#endif
r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
@@ -3434,10 +3437,12 @@
return (PF_DROP);
}
-#if defined(__FreeBSD__) && defined(PF_MPSAFE_UGID)
- PF_UNLOCK();
- lookup = pf_socket_lookup(&uid, &gid, direction, pd, inp);
- PF_LOCK();
+#ifdef __FreeBSD__
+ if (debug_pfugidhack) {
+ PF_UNLOCK();
+ lookup = pf_socket_lookup(&uid, &gid, direction, pd, inp);
+ PF_LOCK();
+ }
#endif
r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
Index: pf_ioctl.c
===================================================================
RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf_ioctl.c,v
retrieving revision 1.27
diff -u -r1.27 pf_ioctl.c
--- pf_ioctl.c 1 Jan 2007 16:51:11 -0000 1.27
+++ pf_ioctl.c 18 Apr 2007 20:04:57 -0000
@@ -84,6 +84,7 @@
#include <sys/module.h>
#include <sys/conf.h>
#include <sys/proc.h>
+#include <sys/sysctl.h>
#else
#include <sys/timeout.h>
#include <sys/pool.h>
@@ -237,6 +238,10 @@
struct mtx pf_task_mtx;
pflog_packet_t *pflog_packet_ptr = NULL;
+int debug_pfugidhack = 0;
+SYSCTL_INT(_debug, OID_AUTO, pfugidhack, CTLFLAG_RW, &debug_pfugidhack, 0,
+ "Enable/disable pf user/group rules mpsafe hack");
+
void
init_pf_mutex(void)
{
@@ -1603,6 +1608,13 @@
rule->evaluations = rule->packets = rule->bytes = 0;
TAILQ_INSERT_TAIL(ruleset->rules[rs_num].inactive.ptr,
rule, entries);
+#ifdef __FreeBSD__
+ if (!debug_pfugidhack && (rule->uid.op || rule->gid.op)) {
+ DPFPRINTF(PF_DEBUG_MISC,
+ ("pf: debug.pfugidhack enabled\n"));
+ debug_pfugidhack = 1;
+ }
+#endif
break;
}
@@ -1828,6 +1840,14 @@
newrule->rpool.cur = TAILQ_FIRST(&newrule->rpool.list);
newrule->evaluations = newrule->packets = 0;
newrule->bytes = 0;
+#ifdef __FreeBSD__
+ if (!debug_pfugidhack &&
+ (newrule->uid.op || newrule->gid.op)) {
+ DPFPRINTF(PF_DEBUG_MISC,
+ ("pf: debug.pfugidhack enabled\n"));
+ debug_pfugidhack = 1;
+ }
+#endif
}
pf_empty_pool(&pf_pabuf);
pgpwpN2y1QI11.pgp
Description: PGP signature
