pf: unlocked lookup
Maxim Dounin
mdounin at mdounin.ru
Thu Dec 10 19:13:24 UTC 2009
Hello!

On Thu, Dec 10, 2009 at 10:22:09AM -0800, Derek Kulinski wrote:
> Hello Max,
>
> Thursday, December 10, 2009, 9:38:41 AM, you wrote:
>
> > this is a generic informational message that was put into the code to figure
> > out if the hack that is "debug.pfugidhack" is actually required. You can get
> > rid of the message by setting the debug level of pf to something below "misc"
> > (e.g. pfctl -x urgent).
>
> Well, the hack actually is required, my system crashes when I disable
> it.

Please note that depending on workload and actual rules the hack
may do more harm than good. We had some machines which were
deadlocking[1] in minutes with the hack enabled but were almost stable
without it.

Anyway, the only safe solution right now is to avoid uid/gid rules.

[1] http://lists.freebsd.org/pipermail/freebsd-net/2009-October/023350.html

Maxim Dounin