author | mlaier <mlaier@FreeBSD.org> | 2006-12-29 13:59:03 +0000 |
---|---|---|
committer | mlaier <mlaier@FreeBSD.org> | 2006-12-29 13:59:03 +0000 |
commit | 89e0ae76db000800f893d800de9dcbf15519ff50 (patch) | |
tree | 450bece21275271ddebaac52f810c4d0c53088e3 /sys/contrib | |
parent | 6a28e42eadcd4634375ae8043202f375212bd6cb (diff) | |
Work around a long standing LOR with user/group rules by doing the socket
lookup early. This has some performance implications and should not be
enabled by default, but might help greatly in certain setups. After some
more testing this could be turned into a sysctl.
Tested by: avatar
LOR ids: 17, 24, 32, 46, 191 (conceptual)
MFC after: 6 weeks
Diffstat (limited to 'sys/contrib')
-rw-r--r-- | sys/contrib/pf/net/pf.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/sys/contrib/pf/net/pf.c b/sys/contrib/pf/net/pf.c index f2be6e5..15cff43 100644 --- a/sys/contrib/pf/net/pf.c +++ b/sys/contrib/pf/net/pf.c @@ -3032,6 +3032,12 @@ pf_test_tcp(struct pf_rule **rm, struct pf_state **sm, int direction, return (PF_DROP); } +#if defined(__FreeBSD__) && defined(PF_MPSAFE_UGID) + PF_UNLOCK(); + lookup = pf_socket_lookup(&uid, &gid, direction, pd, inp); + PF_LOCK(); +#endif + r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); if (direction == PF_OUT) { @@ -3428,6 +3434,12 @@ pf_test_udp(struct pf_rule **rm, struct pf_state **sm, int direction, return (PF_DROP); } +#if defined(__FreeBSD__) && defined(PF_MPSAFE_UGID) + PF_UNLOCK(); + lookup = pf_socket_lookup(&uid, &gid, direction, pd, inp); + PF_LOCK(); +#endif + r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); if (direction == PF_OUT) { |
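Review bot: In the pf_test_tcp hunk (@@ -3032), the PF_UNLOCK()/PF_LOCK() pair opens a window in which pf data can change, and nothing in the added lines says why dropping the lock at this point is safe. The ruleset head is fetched with TAILQ_FIRST only after PF_LOCK(), which is the right order, but anything computed under the lock before this block lies outside the visible context and would need to be revalidated after the relock. Suggest a short comment above the #if naming the lock order reversal this avoids and stating what is assumed to remain valid across the unlocked pf_socket_lookup() call.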
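Review bot: In the pf_test_udp hunk (@@ -3428), the same #if block is repeated verbatim from pf_test_tcp, and pf_socket_lookup() is called unconditionally once PF_MPSAFE_UGID is defined, so every packet reaching this point pays for the lookup and the lock round trip. Consider moving the block into one macro or inline helper so the two copies cannot drift apart, and add a comment next to the PF_MPSAFE_UGID test noting the per-packet cost the commit message mentions. The value stored in `lookup` is not checked in the visible lines; it is worth confirming that a failed early lookup is handled consistently by the code that later consumes `lookup`, `uid` and `gid`.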