Re: Attention pf/ipfw users with uid/gid/jail rules (Re: Reminder: NET_NEEDS_GIANT, debug.mpsafenet going away in 7.0)



From Julian Elischer <julian@xxxxxxxxxxxx>, Fri, Jul 20, 2007 at 11:36:50AM -0700:
Robert Watson wrote:

On Tue, 17 Jul 2007, Max Laier wrote:

So far I have had 0 (zero) reports of problems since this thread began.
Could people using uid/gid/jail rules with ipfw or pf on 7.x *please*
try running their firewalls without debug.mpsafenet -- ignore the
witness warnings and/or disable witness, and let us know if you
experience deadlocks. We're reaching the very end of the merge cycle
for 7.0, and I would really like to remove the Giant crutches (now
effectively unused) from the network stack so it's not part of the
ABI/API, the code is simplified and cleaned up, etc.
Wasn't there a clear solution to the uid/gid problem involving flip-pages:
eliminate the pf lock by forcing reconfigurations to build a parallel
data-structure and then perform an atomic operation to exchange the pointers.

AFAIK, Max's patch was just an ugly hack and it isn't really suitable
for performance reasons.

What's the state of MAC for the networking stack? Are we able to restrict
particular uids to listening only on particular ports?
_______________________________________________
freebsd-arch@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-arch
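The pointer-flip idea raised above, sketched as an added C example (not FreeBSD, pf or ipfw code): the reload path builds a complete replacement ruleset off to the side and publishes it with one atomic exchange, so the packet path reads a consistent snapshot without taking a lock. The `struct ruleset`, `lookup_verdict` and `install_rules` names and the uid-to-verdict table are assumptions; retiring the old ruleset safely still needs a grace period, which the example leaves to the caller.

```c
#include <stdatomic.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical ruleset: a uid -> verdict table, immutable once published. */
struct rule { uint32_t uid; int block; };
struct ruleset {
    size_t nrules;
    struct rule rules[8];
};

/* The published pointer. Readers load it; the reload path exchanges it. */
static _Atomic(struct ruleset *) active_rules;

/* Packet path: take one snapshot of the ruleset and evaluate only against it.
 * No lock is taken, and a concurrent reload cannot be observed mid-lookup. */
int lookup_verdict(uint32_t uid)
{
    struct ruleset *rs = atomic_load_explicit(&active_rules, memory_order_acquire);
    if (rs == NULL)
        return 0; /* no ruleset installed: pass */
    for (size_t i = 0; i < rs->nrules; i++)
        if (rs->rules[i].uid == uid)
            return rs->rules[i].block;
    return 0; /* default: pass */
}

/* Reload path: build the whole replacement first, then flip the pointer once.
 * Returns the previous ruleset (NULL on first install) so the caller can
 * retire it after a grace period, once in-flight readers have drained. */
struct ruleset *install_rules(const struct rule *rules, size_t n)
{
    if (n > 8)
        return NULL;
    struct ruleset *nrs = calloc(1, sizeof *nrs);
    if (nrs == NULL)
        return NULL;
    nrs->nrules = n;
    memcpy(nrs->rules, rules, n * sizeof *rules);
    /* acq_rel: any reader that sees nrs also sees its fully built contents */
    return atomic_exchange_explicit(&active_rules, nrs, memory_order_acq_rel);
}
```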