LOR with divert sockets
Andrea Venturoli
ml.diespammer at netfence.it
Wed Feb 28 09:45:42 UTC 2007
Bjoern A. Zeeb wrote:
> I am unsure but this should still be true for at least RELENG_6. I
> can only remember that there was work in progress but cannot remember
> things were patched and where or not...
>
> %man ipfw | col -b | grep -5 'Rules which use uid' | tail -7 | head -5
>
> Rules which use uid, gid or jail based matching should be used only if
> debug.mpsafenet=0 to avoid possible deadlocks due to layering
> violations
> in its implementation.
>
>
Thanks, this is very interesting.
I see this paragraph was added in 6.x, and I admit I never saw it.
In fact I had been using uid rules in 5.x without any trouble.
Shouldn't this be mentioned in the ERRATA document? I guess no one
really reads *all* the man pages again, after an upgrade.
First off, I searched for what debug.mpsafe does and came up with some
vague description. Is there any reason not to disable this?
Second. I grasped the idea that this is important in SMP boxes, but I'm
not sure. Does it affect UP boxes too?
I'm currently having:
_ 1 SMP box *with* one uid rule which occasionally hangs (running
INVARIANTS&Co and from which my report was taken);
_ 1 SMP box *without* uid rules which occasionally hangs (running
INVARIANTS&Co);
_ 1 UP box *with* one uid rule which frequently hangs (I'm turning
INVARIANTS&Co on this afternoon on this one);
_ 1 UP box *with* one uid rule which frequently hangs (I'm turning SMP
and INVARIANTS&Co on this afternoon on this one);
_ 2 UP boxes *with* one uid rule which never ever hung.
IMHO the uid rule problems could explain half of the data above, but
then again, I guess it can also depend on network load, hardware type or
other combinations of things.
If there are no bigger drawbacks (I don't care for speed as much as I do
for stability), I might disable debug.mpsafenet today.
Comments?
bye & Thanks
av.