Work around a long-standing LOR with user/group rules by doing the socket
lookup early.  This has some performance implications and should not be
enabled by default, but might help greatly in certain setups.  After some
more testing this could be turned into a sysctl.

Tested by:	avatar
LOR ids:	17, 24, 32, 46, 191 (conceptual)
MFC after:	6 weeks
Max Laier 2006-12-29 13:59:03 +00:00
parent 7e4277e591
commit 240589a9fe
3 changed files with 17 additions and 0 deletions

@ -750,6 +750,9 @@ device mn # Munich32x/Falc54 Nx64kbit/sec cards.
# The `pflog' device provides the pflog0 interface which logs packets.
# The `pfsync' device provides the pfsync0 interface used for
# synchronization of firewall state tables (over the net).
# The PF_MPSAFE_UGID option enables a special workaround for a LOR with
# user/group rules that would otherwise lead to a deadlock. This has
# performance implications and should be used with care.
#
# The PPP_BSDCOMP option enables support for compress(1) style entire
# packet compression, the PPP_DEFLATE is for zlib/gzip style compression.
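Review bot: the NOTES comment stops at "should be used with care" without saying what the cost actually is; per the commit message the option is not meant to be on by default, and as added to pf_test_tcp()/pf_test_udp() the socket lookup runs for every TCP and UDP packet that reaches rule evaluation, whether or not the active ruleset contains any user/group rules. Suggest spelling that out so a reader of NOTES can weigh the trade-off, e.g. "# It performs a socket lookup for every TCP/UDP packet and is off by default."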
@ -780,6 +783,7 @@ device if_bridge #Bridge interface
device pf #PF OpenBSD packet-filter firewall
device pflog #logging support interface for PF
device pfsync #synchronization interface for PF
options PF_MPSAFE_UGID #Workaround LOR with user/group rules
device carp #Common Address Redundancy Protocol
device enc #IPSec interface (needs FAST_IPSEC)
device ppp #Point-to-point protocol

@ -349,6 +349,7 @@ DEV_ENC opt_enc.h
DEV_PF opt_pf.h
DEV_PFLOG opt_pf.h
DEV_PFSYNC opt_pf.h
PF_MPSAFE_UGID opt_pf.h
ETHER_II opt_ef.h
ETHER_8023 opt_ef.h
ETHER_8022 opt_ef.h

@ -3032,6 +3032,12 @@ pf_test_tcp(struct pf_rule **rm, struct pf_state **sm, int direction,
return (PF_DROP);
}
#if defined(__FreeBSD__) && defined(PF_MPSAFE_UGID)
PF_UNLOCK();
lookup = pf_socket_lookup(&uid, &gid, direction, pd, inp);
PF_LOCK();
#endif
r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
if (direction == PF_OUT) {
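Review bot: the early `pf_socket_lookup()` is unconditional, so every packet pays for the inpcb lookup even when no rule in the active ruleset tests user or group; consider gating it on a per-ruleset indicator that such rules exist (set when the ruleset is loaded), which would confine the cost to the setups that need the workaround. The lock discipline itself looks right, since `r` is only fetched from `pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr` after `PF_LOCK()` is re-acquired, but a one-line comment at `PF_UNLOCK()` saying that nothing pf-owned may be held across the gap would protect whoever later adds code above this block.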
@ -3428,6 +3434,12 @@ pf_test_udp(struct pf_rule **rm, struct pf_state **sm, int direction,
return (PF_DROP);
}
#if defined(__FreeBSD__) && defined(PF_MPSAFE_UGID)
PF_UNLOCK();
lookup = pf_socket_lookup(&uid, &gid, direction, pd, inp);
PF_LOCK();
#endif
r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
if (direction == PF_OUT) {
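Review bot: this block is a verbatim copy of the one added to `pf_test_tcp()`, guard included; a small static inline helper or macro (say `PF_MPSAFE_UGID_LOOKUP()`, name hypothetical) would keep the two call sites from diverging if the unlock/lookup/lock sequence ever needs adjusting. As in the TCP path, the lookup runs for every UDP packet regardless of whether any user/group rule is loaded, so the same gating on the presence of such rules would apply here.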