USER/GROUP rules on the chopping Block

Volker volker at
Sat Jun 9 19:26:31 UTC 2007

On 06/06/07 16:29, Max Laier wrote:
> After several attempts to fix user/group rules which ended like the most 
> recent one - cited below - with *ZERO* feedback, I won't waste any more 
> effort.  Either somebody steps up, does proper testing and reports back, 
> or user/group rules go!  End of story!

I've upgraded my -STABLE standby desktop system into a -CURRENT system
(just for you... *s*) to test your patch.

Before trying to check your fixes, I've set up a plain (recently
csup'ed) -CURRENT system w/o your patch. Unfortunately, while trying
hard to get that box into an LOR, I'm unable to do so easily. As I need
to verify an unpatched against a patched system, I need to find a
_reliable_ way to get the box LORing.

I've added two pf rules which should (AFAIK) get this into an LOR:

pass out log quick on $if_lan all user volker keep state
pass in log on $if_lan proto {tcp udp} from any to \
 any port 49152:65535 user avahi keep state

After having that box running for a while (3-4 hours) and generating some
icmp, tcp and udp traffic, I was able to get just one single LOR, which
was caused by a DHCPd response (but even 1 out of 5 bootp udp
packets caused that LOR):

lock order reversal:
 1st 0xc34e7d84 pf task mtx (pf task mtx) @
 2nd 0xc0a6456c udp (udp) @
KDB: stack backtrace:
at db_trace_self_wrapper+0x26
kdb_backtrace(c092c9c0,c0a6456c,c092ca6d,c092ca6d,c34e4da8,...) at
witness_checkorder(c0a6456c,9,c34e4da8,ac8,0,...) at
_mtx_lock_flags(c0a6456c,0,c34e4da8,ac8,1,...) at _mtx_lock_flags+0xbc
pf_socket_lookup(d404d984,d404d980,1,d404d9f0,0,...) at
pf_test_udp(d404da74,d404da70,1,c3481300,c3259c00,...) at
pf_test(1,c3160c00,d404dad0,0,0,...) at pf_test+0xf32
pf_check_in(0,d404dad0,c3160c00,1,0,...) at pf_check_in+0x39
pfil_run_hooks(c0a63d60,d404db24,c3160c00,1,0,...) at pfil_run_hooks+0x88
ip_input(c3259c00,14e,800,c3160c00,800,...) at ip_input+0x27d
netisr_dispatch(2,c3259c00,10,3,0,...) at netisr_dispatch+0x73
ether_demux(c3160c00,c3259c00,3,0,3,...) at ether_demux+0x1f1
ether_input(c3160c00,c3259c00,c094ce2d,647,c32516d8,...) at
nve_ospacketrx(c3251600,d404dc04,1,0,0,...) at nve_ospacketrx+0xfa
at UpdateReceiveDescRingData+0x2f8
nve_osalloc(c3249a40,d4306010,c3251600,c088a9b0,c088a950,...) at
_end(c32c9c00,c3102c08,3065766e,0,0,...) at 0xc30f8540
_end(c3249a40,d4306010,c3251600,c088a9b0,c088a950,...) at 0xc32423c0

What am I doing wrong? How do I get the (unpatched) system reliably
into an LOR so that I am able to verify that against a patched system?

My pf.c (w/o your patch):
src/sys/contrib/pf/net/pf.c,v 1.44 2007/05/21 20:08:59 dhartmei

pf.c commit rev 1.43 already states the LORs as being fixed. From reading
your patches, you're just wrapping the 1.43 fixes in a sysctl setting.

Next story... what does your patch really do? I've analyzed it and
you're just wrapping pf_socket_lookup() in an if (debug_pfugidhack)
statement. Your patch also auto-sets debug.pfugidhack=1 if a uid/gid
rule has been parsed. It can manually be set to zero by sysctl, but
that would just cause pf_socket_lookup() to be skipped completely at
runtime (which disables uid/gid rule parsing?).

So I'm wondering if the LOR has really been fixed or if the patch is
just a cosmetic one?

Can you help me find a reliable way to get that LOR and prove your
patch? Anybody else having any comments on this?

epeios# uname -v
FreeBSD 7.0-CURRENT #15: Sat Jun  9 08:19:03 CEST 2007

Copyright (c) 1992-2007 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
	The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 7.0-CURRENT #15: Sat Jun  9 08:19:03 CEST 2007
    root at
WARNING: WITNESS option enabled, expect reduced performance.
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: AMD Athlon(tm) 64 Processor 3200+ (2009.16-MHz 686-class CPU)
  Origin = "AuthenticAMD"  Id = 0x20ff2  Stepping = 2

  AMD Features=0xe2500800<SYSCALL,NX,MMX+,FFXSR,LM,3DNow!+,3DNow!>
  AMD Features2=0x1<LAHF>
real memory  = 503054336 (479 MB)
avail memory = 474140672 (452 MB)
ioapic0 <Version 1.1> irqs 0-23 on motherboard
kbd1 at kbdmux0
ath_hal: (AR5210, AR5211, AR5212, RF5111, RF5112, RF2413, RF5413)
cryptosoft0: <software crypto> on motherboard
acpi0: <A M I OEMXSDT> on motherboard
acpi0: [ITHREAD]
acpi0: Power Button (fixed)
acpi0: reservation of 0, a0000 (3) failed
acpi0: reservation of 100000, 1ff00000 (3) failed
Timecounter "ACPI-fast" frequency 3579545 Hz quality 1000
acpi_timer0: <24-bit timer at 3.579545MHz> port 0x508-0x50b on acpi0
cpu0: <ACPI CPU> on acpi0
pcib0: <ACPI Host-PCI bridge> port 0xcf8-0xcff on acpi0
pci0: <ACPI PCI bus> on pcib0
pci0: <memory, RAM> at device 0.0 (no driver attached)
pci0: <memory, RAM> at device 0.1 (no driver attached)
pci0: <memory, RAM> at device 0.2 (no driver attached)
pci0: <memory, RAM> at device 0.3 (no driver attached)
pci0: <memory, RAM> at device 0.4 (no driver attached)
pci0: <memory, RAM> at device 0.5 (no driver attached)
pci0: <memory, RAM> at device 0.6 (no driver attached)
pci0: <memory, RAM> at device 0.7 (no driver attached)
pcib1: <ACPI PCI-PCI bridge> at device 2.0 on pci0
pci1: <ACPI PCI bus> on pcib1
pcib2: <ACPI PCI-PCI bridge> at device 3.0 on pci0
pci2: <ACPI PCI bus> on pcib2
pcib3: <ACPI PCI-PCI bridge> at device 4.0 on pci0
pci3: <ACPI PCI bus> on pcib3
nvidia0: <GeForce 6150> mem
0xfd000000-0xfdffffff,0xd0000000-0xdfffffff,0xfc000000-0xfcffffff at
device 5.0 on pci0
nvidia0: [GIANT-LOCKED]
nvidia0: [ITHREAD]
pci0: <memory, RAM> at device 9.0 (no driver attached)
isab0: <PCI-ISA bridge> at device 10.0 on pci0
isa0: <ISA bus> on isab0
pci0: <serial bus, SMBus> at device 10.1 (no driver attached)
ohci0: <OHCI (generic) USB controller> mem 0xfebde000-0xfebdefff irq
21 at device 11.0 on pci0
ohci0: [ITHREAD]
usb0: OHCI version 1.0, legacy support
usb0: <OHCI (generic) USB controller> on ohci0
usb0: USB revision 1.0
uhub0: <nVidia OHCI root hub, class 9/0, rev 1.00/1.00, addr 1> on usb0
uhub0: 8 ports with 8 removable, self powered
ehci0: <EHCI (generic) USB 2.0 controller> mem 0xfebdfc00-0xfebdfcff
irq 22 at device 11.1 on pci0
ehci0: [ITHREAD]
usb1: EHCI version 1.0
usb1: companion controller, 8 ports each: usb0
usb1: <EHCI (generic) USB 2.0 controller> on ehci0
usb1: USB revision 2.0
uhub1: <nVidia EHCI root hub, class 9/0, rev 2.00/1.00, addr 1> on usb1
uhub1: 8 ports with 8 removable, self powered
atapci0: <nVidia nForce MCP51 UDMA133 controller> port
0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xffa0-0xffaf at device 13.0 on pci0
ata0: <ATA channel 0> on atapci0
ata0: [ITHREAD]
ata1: <ATA channel 1> on atapci0
ata1: [ITHREAD]
atapci1: <nVidia nForce MCP51 SATA300 controller> port
mem 0xfebdd000-0xfebddfff irq 23 at device 14.0 on pci0
atapci1: [ITHREAD]
ata2: <ATA channel 0> on atapci1
ata2: [ITHREAD]
ata3: <ATA channel 1> on atapci1
ata3: [ITHREAD]
atapci2: <nVidia nForce MCP51 SATA300 controller> port
mem 0xfebdc000-0xfebdcfff irq 20 at device 15.0 on pci0
atapci2: [ITHREAD]
ata4: <ATA channel 0> on atapci2
ata4: [ITHREAD]
ata5: <ATA channel 1> on atapci2
ata5: [ITHREAD]
pcib4: <ACPI PCI-PCI bridge> at device 16.0 on pci0
pci4: <ACPI PCI bus> on pcib4
fwohci0: <VIA Fire II (VT6306)> port 0xcc00-0xcc7f mem
0xfaaff800-0xfaafffff irq 17 at device 5.0 on pci4
fwohci0: [FILTER]
fwohci0: OHCI version 1.0 (ROM=1)
fwohci0: No. of Isochronous channels is 4.
fwohci0: EUI64 00:11:d8:00:00:67:ed:4b
fwohci0: Phy 1394a available S400, 2 ports.
fwohci0: Link S400, max_rec 2048 bytes.
firewire0: <IEEE1394(FireWire) bus> on fwohci0
fwe0: <Ethernet over FireWire> on firewire0
if_fwe0: Fake Ethernet address: 02:11:d8:67:ed:4b
fwe0: Ethernet address: 02:11:d8:67:ed:4b
fwip0: <IP over FireWire> on firewire0
fwip0: Firewire address: 00:11:d8:00:00:67:ed:4b @ 0xfffe00000000,
S400, maxrec 2048
sbp0: <SBP-2/SCSI over FireWire> on firewire0
dcons_crom0: <dcons configuration ROM> on firewire0
dcons_crom0: bus_addr 0x1d500000
fwohci0: Initiate bus reset
fwohci0: BUS reset
fwohci0: node_id=0xc800ffc0, gen=1, CYCLEMASTER mode
pci0: <multimedia> at device 16.1 (no driver attached)
nve0: <NVIDIA nForce MCP13 Networking Adapter> port 0xd080-0xd087 mem
0xfebd7000-0xfebd7fff irq 22 at device 20.0 on pci0
nve0: Ethernet address 00:15:f2:02:df:f5
miibus0: <MII bus> on nve0
e1000phy0: <Marvell 88E1111 Gigabit PHY> PHY 1 on miibus0
e1000phy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX,
1000baseTX-FDX, auto
nve0: using obsoleted if_watchdog interface
nve0: Ethernet address: 00:15:f2:02:df:f5
nve0: [ITHREAD]
acpi_button0: <Power Button> on acpi0
fdc0: <floppy drive controller (FDE)> port 0x3f0-0x3f5,0x3f7 irq 6 drq
2 on acpi0
fdc0: [FILTER]
atkbdc0: <Keyboard controller (i8042)> port 0x60,0x64 irq 1 on acpi0
atkbd0: <AT Keyboard> irq 1 on atkbdc0
kbd0 at atkbd0
atkbd0: [GIANT-LOCKED]
atkbd0: [ITHREAD]
psm0: <PS/2 Mouse> irq 12 on atkbdc0
psm0: [ITHREAD]
psm0: model MouseMan+, device ID 0
pmtimer0 on isa0
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
ppc0: <Parallel port> at port 0x378-0x37f irq 7 on isa0
ppc0: SMC-like chipset (ECP/EPP/PS2/NIBBLE) in COMPATIBLE mode
ppc0: FIFO with 16/16/9 bytes threshold
ppbus0: <Parallel port bus> on ppc0
lpt0: <Printer> on ppbus0
lpt0: Interrupt-driven port
ppi0: <Parallel I/O> on ppbus0
ppc0: [ITHREAD]
Timecounter "TSC" frequency 2009159850 Hz quality 800
Timecounters tick every 1.000 msec
Fast IPsec: Initialized Security Association Processing.
firewire0: 1 nodes, maxhop <= 0, cable IRM = 0 (me)
firewire0: bus manager 0 (me)
ad4: 76319MB <SAMSUNG HD080HJ WT100-33> at ata2-master SATA300
WARNING: WITNESS option enabled, expect reduced performance.
Trying to mount root from ufs:/dev/ad4s1a

machine         i386
cpu             I686_CPU
ident           EPEIOS

# To statically compile in device wiring instead of /boot/device.hints
#hints          "GENERIC.hints"         # Default places to look for

makeoptions     DEBUG=-g                # Build kernel with gdb(1) debug symbols

options         SCHED_4BSD              # 4BSD scheduler
options         PREEMPTION              # Enable kernel thread preemption
options         INET                    # InterNETworking
options         INET6                   # IPv6 communications protocols
options         FAST_IPSEC
options         FFS                     # Berkeley Fast Filesystem
options         SOFTUPDATES             # Enable FFS soft updates support
options         UFS_ACL                 # Support for access control lists
options         UFS_DIRHASH             # Improve performance on big
options         UFS_GJOURNAL            # Enable gjournal-based UFS
options         MD_ROOT                 # MD is a potential root device
options         NFSCLIENT               # Network Filesystem Client
options         NFSSERVER               # Network Filesystem Server
options         NFS_ROOT                # NFS usable as /, requires
options         MSDOSFS                 # MSDOS Filesystem
options         CD9660                  # ISO 9660 Filesystem
options         PROCFS                  # Process filesystem (requires
options         PSEUDOFS                # Pseudo-filesystem framework
#options        GEOM_GPT                # GUID Partition Tables.
options         GEOM_PART_GPT           # GUID Partition Tables.
options         COMPAT_43               # Compatible with BSD 4.3
options         COMPAT_43TTY            # BSD 4.3 TTY compat [KEEP THIS!]
options         COMPAT_FREEBSD4         # Compatible with FreeBSD4
options         COMPAT_FREEBSD5         # Compatible with FreeBSD5
options         SCSI_DELAY=5000         # Delay (in ms) before probing
options         KTRACE                  # ktrace(1) support
options         SYSVSHM                 # SYSV-style shared memory
options         SYSVMSG                 # SYSV-style message queues
options         SYSVSEM                 # SYSV-style semaphores
options         _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time
options         KBD_INSTALL_CDEV        # install a CDEV entry in /dev
options         ADAPTIVE_GIANT          # Giant mutex is adaptive.
options         STOP_NMI                # Stop CPUS using NMI instead of IPI

options         HZ=1000

options         SMP
device          apic                    # I/O APIC

# Debugging for use in -current
options         KDB                     # Enable kernel debugger support.
options         DDB                     # Support DDB.
options         GDB                     # Support remote GDB.
options         INVARIANTS              # Enable calls of extra sanity
options         INVARIANT_SUPPORT       # Extra sanity checks of internal structures, required by INVARIANTS
options         WITNESS                 # Enable checks to detect deadlocks and cycles
options         WITNESS_SKIPSPIN        # Don't run witness on spinlocks for speed

# Bus support.
#device         eisa
device          pci

# Floppy drives
device          fdc

# ATA and ATAPI devices
device          ata
device          atadisk         # ATA disk drives
device          ataraid         # ATA RAID drives
device          atapicd         # ATAPI CDROM drives
device          atapifd         # ATAPI floppy drives
device          atapist         # ATAPI tape drives
options         ATA_STATIC_ID   # Static device numbering
device          atapicam

# SCSI Controllers
device          ahc             # AHA2940 and onboard AIC7xxx devices
options         AHC_REG_PRETTY_PRINT    # Print register bitfields in
                                        # output.  Adds ~128k to driver.
device          ahd             # AHA39320/29320 and onboard AIC79xx
options         AHD_REG_PRETTY_PRINT    # Print register bitfields in
                                        # output.  Adds ~215k to driver.

device          ncv             # NCR 53C500
device          nsp             # Workbit Ninja SCSI-3
device          stg             # TMC 18C30/18C50

# SCSI peripherals
device          scbus           # SCSI bus (required for SCSI)
device          ch              # SCSI media changers
device          da              # Direct Access (disks)
device          sa              # Sequential Access (tape etc)
device          cd              # CD
device          pass            # Passthrough device (direct SCSI access)
device          ses             # SCSI Environmental Services (and SAF-TE)

# atkbdc0 controls both the keyboard and the PS/2 mouse
device          atkbdc          # AT keyboard controller
device          atkbd           # AT keyboard
device          psm             # PS/2 mouse

device          kbdmux          # keyboard multiplexer

device          vga             # VGA video card driver

device          splash          # Splash screen and screen saver support

# syscons is the default console driver, resembling an SCO console
device          sc

# Enable this for the pcvt (VT220 compatible) console driver
#device         vt
#options        XSERVER         # support for X server on a vt console
#options        FAT_CURSOR      # start with block cursor

device          agp             # support several AGP chipsets

# Power management support (see NOTES for more options)
#device         apm
# Add suspend/resume support for the i8254.
device          pmtimer

# Serial (COM) ports
#device         sio             # 8250, 16[45]50 based serial ports
#device         uart

# Parallel port
device          ppc
device          ppbus           # Parallel port bus (required)
device          lpt             # Printer
device          ppi             # Parallel port interface device
#device         vpo             # Requires scbus and da

# If you've got a "dumb" serial or parallel PCI card that is
# supported by the puc(4) glue driver, uncomment the following
# line to enable it (connects to the sio and/or ppc drivers):
#device         puc

# PCI Ethernet NICs.
device          de              # DEC/Intel DC21x4x (``Tulip'')
device          em              # Intel PRO/1000 adapter Gigabit Ethernet Card
device          ixgb            # Intel PRO/10GbE Ethernet Card
device          txp             # 3Com 3cR990 (``Typhoon'')
device          vx              # 3Com 3c590, 3c595 (``Vortex'')

# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these
device          miibus          # MII bus support
device          bce             # Broadcom BCM5706/BCM5708 Gigabit
device          bfe             # Broadcom BCM440x 10/100 Ethernet
device          bge             # Broadcom BCM570xx Gigabit Ethernet
device          dc              # DEC/Intel 21143 and various workalikes
device          fxp             # Intel EtherExpress PRO/100B (82557,
device          lge             # Level 1 LXT1001 gigabit Ethernet
device          nge             # NatSemi DP83820 gigabit Ethernet
device          nve             # nVidia nForce MCP on-board Ethernet
device          pcn             # AMD Am79C97x PCI 10/100 (precedence over 'lnc')
device          re              # RealTek 8139C+/8169/8169S/8110S
device          rl              # RealTek 8129/8139
device          sf              # Adaptec AIC-6915 (``Starfire'')
device          sis             # Silicon Integrated Systems SiS 900/SiS 7016
device          sk              # SysKonnect SK-984x & SK-982x gigabit
device          ste             # Sundance ST201 (D-Link DFE-550TX)
device          stge            # Sundance/Tamarack TC9021 gigabit
device          ti              # Alteon Networks Tigon I/II gigabit
device          tl              # Texas Instruments ThunderLAN
device          tx              # SMC EtherPower II (83c170 ``EPIC'')
device          vge             # VIA VT612x gigabit Ethernet
device          vr              # VIA Rhine, Rhine II
device          wb              # Winbond W89C840F
device          xl              # 3Com 3c90x (``Boomerang'', ``Cyclone'')

# Wireless NIC cards
device          wlan            # 802.11 support
device          wlan_wep        # 802.11 WEP support
device          wlan_ccmp       # 802.11 CCMP support
device          wlan_tkip       # 802.11 TKIP support
device          wlan_amrr
device          an              # Aironet 4500/4800 802.11 wireless NICs.
device          ath             # Atheros pci/cardbus NIC's
device          ath_hal         # Atheros HAL (Hardware Access Layer)
device          ath_rate_sample # SampleRate tx rate control for ath
device          awi             # BayStack 660 and others
device          ral             # Ralink Technology RT2500 wireless NICs.
device          wi              # WaveLAN/Intersil/Symbol 802.11 wireless NICs.
#device         wl              # Older non 802.11 Wavelan wireless NIC.

# Pseudo devices.
device          mem
device          io
device          loop            # Network loopback
device          random          # Entropy device
device          ether           # Ethernet support
device          ppp             # Kernel PPP
device          tun             # Packet tunnel.
device          pty             # Pseudo-ttys (telnet etc)
device          md              # Memory "disks"
device          gif             # IPv6 and IPv4 tunneling
device          faith           # IPv6-to-IPv4 relaying (translation)

# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
# Note that 'bpf' is required for DHCP.
device          bpf             # Berkeley packet filter

# USB support
device          uhci            # UHCI PCI->USB interface
device          ohci            # OHCI PCI->USB interface
device          ehci            # EHCI PCI->USB interface (USB 2.0)
device          usb             # USB Bus (required)
#device         udbp            # USB Double Bulk Pipe devices
device          ugen            # Generic
device          uhid            # "Human Interface Devices"
device          ukbd            # Keyboard
device          ulpt            # Printer
device          umass           # Disks/Mass storage - Requires scbus and da
device          ums             # Mouse
device          ural            # Ralink Technology RT2500USB wireless
device          rum
device          urio            # Diamond Rio 500 MP3 player
device          uscanner        # Scanners
# USB Ethernet, requires miibus
device          aue             # ADMtek USB Ethernet
device          axe             # ASIX Electronics USB Ethernet
device          cdce            # Generic USB over Ethernet
device          cue             # CATC USB Ethernet
device          kue             # Kawasaki LSI USB Ethernet
device          rue             # RealTek RTL8150 USB Ethernet

options         ALTQ
options         ALTQ_CBQ        # Class Bases Queueing
options         ALTQ_RED        # Random Early Detection
options         ALTQ_RIO        # RED In/Out
options         ALTQ_HFSC       # Hierarchical Packet Scheduler
options         ALTQ_CDNR       # Traffic conditioner
options         ALTQ_PRIQ       # Priority Queueing
options         ALTQ_NOPCC      # Required if the TSC is unusable
#options        ALTQ_DEBUG

# FireWire support
device          firewire        # FireWire bus code
device          sbp             # SCSI over FireWire (Requires scbus and da)
device          fwe             # Ethernet over FireWire (non-standard!)
device          fwip
device          dcons
device          dcons_crom

device          crypto
device          enc
