Restore the documentation about uid, gid or prison based rules requiring

that debug.mpsafenet be set to 0. It is still possible for dead locks to occur while these filtering options are used due to the layering violation inherent in their implementation. Discussed: -current, rwatson, glebius
svn path=/head/; revision=151587
2005-10-23 16:15:02 +00:00 · 2005-10-23 16:15:02 +00:00 · cd5f2f95b6 · 2020-12-20 02:59:44 +00:00
commit cd5f2f95b6
parent 180e996dfc
1 changed files with 10 additions and 0 deletions
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@ -1074,10 +1074,14 @@ Matches all TCP or UDP packets sent by or received for a
 A
 .Ar group
 may be specified by name or number.
+This option should be used only if debug.mpsafenet=0 to avoid possible
+deadlocks due to layering violations in its implementation.
 .It Cm jail Ar prisonID
 Matches all TCP or UDP packets sent by or received for the
 jail whos prison ID is
 .Ar prisonID .
+This option should be used only if debug.mpsafenet=0 to avoid possible
+deadlocks due to layering violations in its implementation.
 .It Cm icmptypes Ar types
 Matches ICMP packets whose ICMP type is in the list
 .Ar types .
@ -1413,6 +1417,8 @@ Match all TCP or UDP packets sent by or received for a
 A
 .Ar user
 may be matched by name or identification number.
+This option should be used only if debug.mpsafenet=0 to avoid possible
+deadlocks due to layering violations in its implementation.
 .It Cm verrevpath
 For incoming packets,
 a routing table lookup is done on the packet's source address.
@ -2517,3 +2523,7 @@ to a TCP connection, and the uid/gid associated with a packet may not
 be as expected if the associated process calls
 .Xr setuid 2
 or similar system calls.
+.Pp
+Rules which use uid, gid or jail based matching should be used only
+if debug.mpsafenet=0 to avoid possible deadlocks due to layering
+violations in its implementation.