From cd5f2f95b6196826c3927b546e90ee0b3ff09cb0 Mon Sep 17 00:00:00 2001 From: "Christian S.J. Peron" Date: Sun, 23 Oct 2005 16:15:02 +0000 Subject: [PATCH] Restore the documentation about uid, gid or prison based rules requiring that debug.mpsafenet be set to 0. It is still possible for dead locks to occur while these filtering options are used due to the layering violation inherent in their implementation. Discussed: -current, rwatson, glebius --- sbin/ipfw/ipfw.8 | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8 index 5737aa921971..d53612098c40 100644 --- a/sbin/ipfw/ipfw.8 +++ b/sbin/ipfw/ipfw.8 @@ -1074,10 +1074,14 @@ Matches all TCP or UDP packets sent by or received for a A .Ar group may be specified by name or number. +This option should be used only if debug.mpsafenet=0 to avoid possible +deadlocks due to layering violations in its implementation. .It Cm jail Ar prisonID Matches all TCP or UDP packets sent by or received for the jail whos prison ID is .Ar prisonID . +This option should be used only if debug.mpsafenet=0 to avoid possible +deadlocks due to layering violations in its implementation. .It Cm icmptypes Ar types Matches ICMP packets whose ICMP type is in the list .Ar types . @@ -1413,6 +1417,8 @@ Match all TCP or UDP packets sent by or received for a A .Ar user may be matched by name or identification number. +This option should be used only if debug.mpsafenet=0 to avoid possible +deadlocks due to layering violations in its implementation. .It Cm verrevpath For incoming packets, a routing table lookup is done on the packet's source address. @@ -2517,3 +2523,7 @@ to a TCP connection, and the uid/gid associated with a packet may not be as expected if the associated process calls .Xr setuid 2 or similar system calls. +.Pp +Rules which use uid, gid or jail based matching should be used only +if debug.mpsafenet=0 to avoid possible deadlocks due to layering +violations in its implementation.
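Review bot: in the gid hunk (@@ -1074), the sysctl name `debug.mpsafenet=0` is embedded as plain roff text; the rest of this page marks up names with mdoc macros (`.Ar`, `.Cm`, `.Xr`), so a variable macro such as `.Va debug.mpsafenet` would be consistent and keep the name from wrapping oddly. The same two-line sentence is repeated verbatim in the jail and uid hunks below; one marked-up sentence per option pointing at the BUGS paragraph would be easier to keep in sync.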
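Review bot: the jail hunk inserts its sentence directly after the unchanged context line "Matches all TCP or UDP packets sent by or received for the jail whos prison ID is", which carries a typo ("whos" should be "whose"); since this hunk already edits that paragraph, fixing it in the same change would be cheap.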
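Review bot: in the uid hunk (@@ -1413), "deadlocks due to layering violations in its implementation" leaves "its" pointing at the nearest noun, `debug.mpsafenet`, rather than at the `uid` option; "in the implementation of this option" would be unambiguous. This is also the third verbatim copy of the sentence, so a short cross-reference to the BUGS section would say the same thing once.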
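Review bot: in the BUGS hunk (@@ -2517) the subject is plural ("Rules which use uid, gid or jail based matching") but the sentence closes with "violations in its implementation"; it should read "their implementation", as the commit message itself puts it. Minor style point: "uid-, gid- or jail-based matching" is the usual hyphenation for compound modifiers.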