pf: unlocked lookup

Max Laier max at love2party.net
Thu Dec 10 17:38:45 UTC 2009


Hello Derek,

On Thursday 10 December 2009 04:45:12 Derek Kulinski wrote:
> My console gets flooded by "pf: unlocked lookup" messages. Does anyone
> know what circumstances cause this message, so I could figure out which
> pf rule is causing it?

this is a generic informational message that was put into the code to figure 
out if the hack that is "debug.pfugidhack" is actually required.  You can get 
rid of the message by setting the debug level of pf to something below "misc" 
(e.g. pfctl -x urgent).

> After searching on google I found few people asking about it, though no
> real answer. The first result talks about debug.pfugidhack being set to
> 1.
> 
> It is set to 1 on my system, though I don't have anything in
> /etc/sysctl.conf, also when I switched it to 0, the system crashed within
> an hour or so.
>
> Is this somehow related to rules that have rules with attached to a
> specific user?

The pfugidhack is automatically enabled when you use rules with user or group 
filters.  These rules are a layering violation and the hack is required to 
make them work.  I'd rather get rid of them altogether, but since it is a much 
demanded functionality we introduced the workaround instead.

Just lower the debugging level (s.a.), ignore the messages, or rebuild your 
kernel/pf module with the respective DPRINTF lines (sys/contrib/pf/net/pf.c) 
commented out.  I might just move them to the loud level in the main tree, 
though.

Regards,

--
  Max
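
Added example, not part of the original message or of the pf sources: a small sh/awk helper that answers the "which rule" question by listing the pass/block rules in a ruleset file that carry a user or group filter, the rule type that switches debug.pfugidhack on. The function name pf_ugid_rules and the sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message): list the pass/block rules
# in a pf ruleset that carry a "user" or "group" filter.
# pf_ugid_rules is a hypothetical helper name.
pf_ugid_rules() {
    awk '
    {
        line = $0
        if (start == 0) start = NR
        # Join backslash-continued lines into one logical rule.
        if (line ~ /\\$/) { sub(/\\$/, " ", line); buf = buf line; next }
        rule = buf line; buf = ""; first = start; start = 0
        text = rule
        gsub(/"[^"]*"/, " ", text)   # drop quoted strings such as labels
        sub(/#.*/, "", text)         # drop comments
        gsub(/[{},]/, " ", text)     # braces and commas only separate tokens
        n = split(text, tok, /[ \t]+/)
        i = (tok[1] == "") ? 2 : 1   # leading blanks leave an empty first field
        if (tok[i] != "pass" && tok[i] != "block") next
        for (; i <= n; i++)
            if (tok[i] == "user" || tok[i] == "group") {
                sub(/^[ \t]+/, "", rule); gsub(/[ \t]+/, " ", rule)
                print first ": " rule
                break
            }
    }' "$1"
}

# Constructed sample ruleset, written to a temporary file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample ruleset
ext_if = "em0"
block in all
pass in on $ext_if proto tcp to port 22 label "user-ssh"
pass out on $ext_if proto tcp all user { root, www } \
    keep state
block out proto { tcp, udp } all group != wheel
# pass out all user nobody
EOF

found=$(pf_ugid_rules "$sample")
printf '%s\n' "$found"
rm -f "$sample"
```

The label containing "user" and the commented-out rule are not reported; only the rules starting on lines 5 and 7 of the sample are.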


More information about the freebsd-stable mailing list