debug.mpsafenet=1 vs. user/group rules [Re: kern/106805: ...]
Tai-hwa Liang
avatar at mmlab.cse.yzu.edu.tw
Fri Dec 29 04:57:42 PST 2006
On Sat, 16 Dec 2006, Max Laier wrote:
[...]
> The attached diff circumvents the problem by **always** doing the
> credential lookup *before* walking the pf rules. This has the benefit,
> that it works (at least I think it should), but there is a price to pay.
> Now we have to pay for the socket lookup for *every* tcp and udp packet
> instead of just for those that really hit uid/gid rules. That's why I
> decided to make is a config option "PF_MPFSAFE_UGID" which you can turn
> on if you are running a setup that will benefit. The patch turns it on
> for the module-built by default.
>
> A possible scenario that should benefit is a big iron SMP box running lot
> of services that you want to filter using *stateful* uid/gid rules. For
> this setup where a huge percentage of the packets that are not captured
> by states eventually match a uid/gid rule, you will even get added
> parallelism with this patch.
>
> On every other typical setup, it should be better to avoid user/group
> rules or to disable mpsafenet.
>
> In order for this to hit the tree, I need tests confirming that it really
> helps and possibly benchmarks that qualify the impact of it. Thanks.
Your patch works great here. The box in question never ran into a single
lockup in the last 7 days.
--
Thanks,
Tai-hwa Liang
More information about the freebsd-pf
mailing list