pf: unlocked lookup

Maxim Dounin mdounin at
Thu Dec 10 19:13:24 UTC 2009


On Thu, Dec 10, 2009 at 10:22:09AM -0800, Derek Kulinski wrote:

> Hello Max,
> Thursday, December 10, 2009, 9:38:41 AM, you wrote:
> > this is a generic informational message that was put into the code to figure
> > out if the hack that is "debug.pfugidhack" is actually required.  You can get
> > rid of the message by setting the debug level of pf to something below "misc"
> > (e.g. pfctl -x urgent).
> Well, the hack actually is required, my system crashes when I disable
> it.

Please note that depending on workload and actual rules the hack 
may do more harm than good.  We had some machines which were 
deadlocking[1] in minutes with hack enabled but were almost stable 
without it.

Anyway, the only safe solution right now is to avoid uid/gid rules.


Maxim Dounin

More information about the freebsd-stable mailing list