Index: pf.c
===================================================================
RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf.c,v
retrieving revision 1.43
diff -u -r1.43 pf.c
--- pf.c 29 Dec 2006 13:59:03 -0000 1.43
+++ pf.c 18 Apr 2007 19:55:19 -0000
@@ -134,6 +134,7 @@
 #include
 extern int ip_optcopy(struct ip *, struct ip *);
+extern int debug_pfugidhack;
 #endif
 #define DPFPRINTF(n, x) if (pf_status.debug >= (n)) printf x
@@ -3032,10 +3033,12 @@
 return (PF_DROP);
 }
-#if defined(__FreeBSD__) && defined(PF_MPSAFE_UGID)
- PF_UNLOCK();
- lookup = pf_socket_lookup(&uid, &gid, direction, pd, inp);
- PF_LOCK();
+#ifdef __FreeBSD__
+ if (debug_pfugidhack) {
+ PF_UNLOCK();
+ lookup = pf_socket_lookup(&uid, &gid, direction, pd, inp);
+ PF_LOCK();
+ }
 #endif
 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
@@ -3434,10 +3437,12 @@
 return (PF_DROP);
 }
-#if defined(__FreeBSD__) && defined(PF_MPSAFE_UGID)
- PF_UNLOCK();
- lookup = pf_socket_lookup(&uid, &gid, direction, pd, inp);
- PF_LOCK();
+#ifdef __FreeBSD__
+ if (debug_pfugidhack) {
+ PF_UNLOCK();
+ lookup = pf_socket_lookup(&uid, &gid, direction, pd, inp);
+ PF_LOCK();
+ }
 #endif
 r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
Index: pf_ioctl.c
===================================================================
RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf_ioctl.c,v
retrieving revision 1.27
diff -u -r1.27 pf_ioctl.c
--- pf_ioctl.c 1 Jan 2007 16:51:11 -0000 1.27
+++ pf_ioctl.c 18 Apr 2007 20:04:57 -0000
@@ -84,6 +84,7 @@
 #include
 #include
 #include
+#include
 #else
 #include
 #include
@@ -237,6 +238,10 @@
 struct mtx pf_task_mtx;
 pflog_packet_t *pflog_packet_ptr = NULL;
+int debug_pfugidhack = 0;
+SYSCTL_INT(_debug, OID_AUTO, pfugidhack, CTLFLAG_RW, &debug_pfugidhack, 0,
+ "Enable/disable pf user/group rules mpsafe hack");
+
 void init_pf_mutex(void) {
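Review bot: The `extern int debug_pfugidhack;` added in the pf.c hunk at -134 is a private declaration inside a .c file, so the compiler cannot check it against the definition in pf_ioctl.c if either side's type changes. Declaring it once in a header that both files include would turn such a mismatch into a build error.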
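Review bot: In the pf.c hunk at -3032, and identically at -3434, the PF lock is released and retaken around `pf_socket_lookup()` with no comment telling the next maintainer that pf state read before `PF_UNLOCK()` may be stale once `PF_LOCK()` returns. The visible `r = TAILQ_FIRST(...)` is fetched after the relock, which is correct, but the enclosing functions start outside the hunks, so earlier cached pointers cannot be checked from here. The gate is also now the runtime flag `debug_pfugidhack`, read with no visible synchronisation. When it is 0, `lookup` keeps whatever it was initialised to above the hunk, and how uid/gid rules are then evaluated is not shown. I would add `/* PF lock is dropped across the socket lookup: do not reuse pf state read above this point */` at both sites and document what happens to uid/gid matching when the flag is off.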
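Review bot: In the pf_ioctl.c hunk at -237, `debug_pfugidhack` is exported as `CTLFLAG_RW`, so it can be written back to 0 while rules with uid/gid matches are still loaded. The auto-enable code in this patch runs only when a rule is added, and nothing visible turns the flag back on. Since pf.c skips the unlocked socket lookup when the flag is 0, evaluation of user/group rules then depends on code that is not on this page. A knob under `debug` that filtering policy relies on should at least say so in its description, e.g. `"pf user/group rules mpsafe hack; set automatically when uid/gid rules are loaded, do not clear while such rules are active"`. A stricter option is a handler that rejects clearing the flag while such rules exist.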
@@ -1603,6 +1608,13 @@
 rule->evaluations = rule->packets = rule->bytes = 0;
 TAILQ_INSERT_TAIL(ruleset->rules[rs_num].inactive.ptr, rule, entries);
+#ifdef __FreeBSD__
+ if (!debug_pfugidhack && (rule->uid.op || rule->gid.op)) {
+ DPFPRINTF(PF_DEBUG_MISC,
+ ("pf: debug.pfugidhack enabled\n"));
+ debug_pfugidhack = 1;
+ }
+#endif
 break;
 }
@@ -1828,6 +1840,14 @@
 newrule->rpool.cur = TAILQ_FIRST(&newrule->rpool.list);
 newrule->evaluations = newrule->packets = 0;
 newrule->bytes = 0;
+#ifdef __FreeBSD__
+ if (!debug_pfugidhack &&
+ (newrule->uid.op || newrule->gid.op)) {
+ DPFPRINTF(PF_DEBUG_MISC,
+ ("pf: debug.pfugidhack enabled\n"));
+ debug_pfugidhack = 1;
+ }
+#endif
 }
 pf_empty_pool(&pf_pabuf);
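Review bot: The block added at -1603 sets `debug_pfugidhack = 1` as soon as a uid/gid rule is queued on the inactive list, and nothing in this patch clears it again. The flag therefore appears to stay on after such rules are gone, and every packet reaching the two pf.c call sites keeps paying for the unlock, lookup and relock. The same test-and-set is repeated at -1828 for `newrule`, so one static helper taking the rule pointer would keep the two copies from drifting. The only trace of the switch is a `DPFPRINTF` that prints when pf's debug level is at least `PF_DEBUG_MISC`, so a plain `printf("pf: debug.pfugidhack enabled\n");` may be more appropriate for a change in locking behaviour. Whether the PF lock is held at these writes is outside both hunks and should be stated in a comment.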