cvs commit: src/sys/netinet ip_fw2.c
ganbold at micom.mng.net
Sun Sep 28 06:13:32 UTC 2008
Robert Watson wrote:
> On Sat, 27 Sep 2008, Robert Watson wrote:
>>>> Rather than shadowing global variable 'lookup' in
>>>> check_uidgid(), rename
>>>> it to ugid_lookupp. This should make debugging issues with ipfw uid
>>>> rules easier.
>>> Still panics:
>> Something seems odd here, we may be looking at an ipfw bug. The goal
>> of passing down the inpcb is that ipfw doesn't have to look it up
>> (and hence avoids acquiring locks in ipfw on the outbound path) --
>> the stack arguments clearly show it held in ipfw, but locks are
>> acquired anyway. This particular change was purely cosmetic, but
>> I'll review the ipfw code more closely and see about a fix...
> Indeed -- when an inpcb doesn't have a socket, ipfw will go ahead and
> do a lookup for an inpcb even though one is passed down. I've
> committed a change that short-circuits that and marks the credential
> lookup as failed. Give it a try now?
Thanks a lot, Robert, it was indeed simple effective fix. So far no crash :)
With loads like pkg_adding emacs (which adds bunch of other packages) on
plain CURRENT, downloading
FreeBSD ISO with axel (20 simultaneous connection) through http works
test# ipfw show
00040 1184006 673239338 allow ip from any to any uid root
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
65000 60 7426 allow ip from any to any
65535 0 0 deny ip from any to any
> Robert N M Watson
> Computer Laboratory
> University of Cambridge
> cvs-all at freebsd.org mailing list
> To unsubscribe, send any mail to "cvs-all-unsubscribe at freebsd.org"
If it ain't broke, don't fix it.
More information about the cvs-all