Attention pf/ipfw users with uid/gid/jail rules (Re: Reminder: NET_NEEDS_GIANT, debug.mpsafenet going away in 7.0)

Paul Allen nospam at ugcs.caltech.edu
Fri Jul 20 19:35:05 UTC 2007


From Julian Elischer <julian at elischer.org>, Fri, Jul 20, 2007 at 11:36:50AM -0700:
> Robert Watson wrote:
> >
> >On Tue, 17 Jul 2007, Max Laier wrote:
> >
> >So far I have had 0 (zero) reports of problems since this thread began. 
> >Could people using uid/gid/jail rules with ipfw or pf on 7.x *please* 
> >try running their firewalls without debug.mpsafenet -- ignore the 
> >witness warnings and/or disable witness, and let us know if you 
> >experience deadlocks.  We're reaching the very end of the merge cycle 
> >for 7.0, and I would really like to remove the Giant crutches (now 
> >effectively unused) from the network stack so it's not part of the 
> >ABI/API, the code is simplified and cleaned up, etc.
Wasn't there a clear solution to the uid/gid problem involving flip-pages:
eliminate the pf lock by forcing reconfigurations to build a parallel 
data-structure and then perform an atomic operation to exchange the pointers.

AFAIK, Max's patch was just an ugly hack and it isn't really suitable
for performance reasons.

What's the state of MAC for the networking stack?  Are we able to restrict
particular uid's to listening only on particular ports?
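The "flip-page" scheme described above (build a parallel data structure while reconfiguring, then atomically exchange one pointer so the packet path never takes the lock), as an added example that is not part of this message or of pf/ipfw's own code. The `uid_rule`, `ruleset_build`, `ruleset_install` and `ruleset_lookup` names and the sample rules are constructed for illustration; the real pf/ipfw structures differ.

```c
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a uid/port rule: allow or deny a uid on a port. */
struct uid_rule {
    unsigned uid;
    unsigned short port;
    int allow;
};

/* An immutable snapshot of the whole rule table. Readers never mutate it. */
struct ruleset {
    size_t nrules;
    struct uid_rule *rules;
};

/* The single published pointer. Readers load it; reconfiguration swaps it. */
static _Atomic(struct ruleset *) active_ruleset;

/* Reconfiguration side: build the new table in private memory first. */
struct ruleset *ruleset_build(const struct uid_rule *src, size_t n)
{
    struct ruleset *rs = malloc(sizeof *rs);
    if (rs == NULL)
        return NULL;
    rs->rules = malloc(n * sizeof *src);
    if (rs->rules == NULL) {
        free(rs);
        return NULL;
    }
    memcpy(rs->rules, src, n * sizeof *src);
    rs->nrules = n;
    return rs;
}

void ruleset_free(struct ruleset *rs)
{
    if (rs != NULL) {
        free(rs->rules);
        free(rs);
    }
}

/* Publish the new snapshot with one atomic exchange and hand back the old one.
 * The caller must not free the old snapshot until no reader can still be
 * walking it (a grace period in the kernel); this single-threaded example
 * frees it right away only because there are no concurrent readers. */
struct ruleset *ruleset_install(struct ruleset *rs)
{
    return atomic_exchange_explicit(&active_ruleset, rs, memory_order_acq_rel);
}

/* Packet path: one acquire load, then lookups against an immutable snapshot.
 * No lock is taken, so a reconfiguration cannot deadlock against it. */
int ruleset_lookup(unsigned uid, unsigned short port)
{
    struct ruleset *rs = atomic_load_explicit(&active_ruleset, memory_order_acquire);
    if (rs == NULL)
        return 0; /* nothing installed yet: default deny (constructed policy) */
    for (size_t i = 0; i < rs->nrules; i++) {
        if (rs->rules[i].uid == uid && rs->rules[i].port == port)
            return rs->rules[i].allow;
    }
    return 0; /* no matching rule: default deny */
}

/* Walk through one reconfiguration; returns 0 when every step behaved. */
int run_demo(void)
{
    const struct uid_rule first[] = { { 1001, 22, 1 } };
    const struct uid_rule second[] = { { 1001, 22, 0 }, { 1002, 443, 1 } };
    struct ruleset *old;

    old = ruleset_install(ruleset_build(first, 1));
    if (old != NULL || ruleset_lookup(1001, 22) != 1 || ruleset_lookup(1002, 443) != 0)
        return 1;

    /* Reconfigure: the new table is fully built before the pointer flips. */
    old = ruleset_install(ruleset_build(second, 2));
    if (old == NULL || ruleset_lookup(1001, 22) != 0 || ruleset_lookup(1002, 443) != 1)
        return 2;
    ruleset_free(old); /* safe here only because no reader is concurrent */
    return 0;
}

int main(void)
{
    printf("flip-page reconfiguration %s\n", run_demo() == 0 ? "ok" : "failed");
    return 0;
}
```

The exchange itself is the easy half; the part that decides whether this approach is sound is retiring the old snapshot, since a reader that loaded the previous pointer may still be iterating it when the swap happens. That retirement needs a grace-period or reference-counting mechanism, which is the piece a production version has to supply.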


More information about the freebsd-pf mailing list