Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 3 Aug 2002 19:05:08 +0300
From:      "Valentine Zaretsky" <>
To:        <>
Cc:        "Luigi Rizzo" <>
Subject:   ipfw2 & dummynet
Message-ID:  <007601c23b07$8c667550$226e03d4@zhome>

Next in thread | Raw E-Mail | Index | Archive | Help
This is a multi-part message in MIME format.

Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable


Playing with ipfw2 in -stable (last time cvsup'ed yesterday), I found a =
bug when using dummynet pipes and queues

Here is the simplest example to repeat it:

ipfw pipe 1 config bw 20KBytes/s
ipfw add 400 pipe 1 ip from any to me

The first packet matching rule 400 leads to kernel panic caused by =
"division by zero"

Analyzing crashdump with gdb, I found that it happens in the following =
code in /usr/src/sys/netinet/ip_dummynet.c:
(lines 1198-1205)
        if (DN_KEY_GT(q->S, q->F)) { /* means timestamps are invalid */
            q->S =3D pipe->V ;
            pipe->sum +=3D fs->weight ; /* add weight of new queue */
        } else {
            heap_extract(&(pipe->idle_heap), q);
            q->S =3D MAX64(q->F, pipe->V ) ;
        q->F =3D q->S + ( len<<MY_M )/(u_int64_t) fs->weight;     =20

So the weight is 0 when it should be 1.=20
And it's not quite understood why should this code execute at all? There =
is no queues (only simple pipe, so "is_pipe" should be 1)

Adding dumb "if(fs->weight=3D=3D0) fs->weight=3D1;" before the code =
above, fixes this kernel panic.

I think it could/should be fixed a little smarter ;)

With best regards, Valentine Zaretsky

Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<META http-equiv=3DContent-Type content=3D"text/html; =
<META content=3D"MSHTML 6.00.2713.1100" name=3DGENERATOR>
<BODY bgColor=3D#ffffff>
<DIV><FONT size=3D2>Hi,</FONT></DIV>
<DIV><FONT size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT size=3D2>Playing with ipfw2 in -stable (last time cvsup'ed =
I found a bug when using dummynet pipes and queues</FONT></DIV>
<DIV><FONT size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT size=3D2>Here is the simplest example to repeat =
<DIV><FONT size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT size=3D2>ipfw pipe 1 config bw 20KBytes/s</FONT></DIV>
<DIV><FONT size=3D2>ipfw add 400 pipe 1 ip from any to me</FONT></DIV>
<DIV><FONT size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT size=3D2>The first packet matching&nbsp;rule 400 leads to =
panic&nbsp;caused by "division&nbsp;by zero"</FONT></DIV>
<DIV><FONT size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT size=3D2>Analyzing crashdump with gdb, I found that it =
happens in the=20
following code in /usr/src/sys/netinet/ip_dummynet.c:</FONT></DIV>
<DIV><FONT size=3D2>(lines 1198-1205)</FONT></DIV>
<DIV><FONT size=3D2>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if=20
(DN_KEY_GT(q-&gt;S, q-&gt;F)) { /* means timestamps are invalid=20
*/<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
=3D pipe-&gt;V=20
pipe-&gt;sum +=3D fs-&gt;weight ; /* add weight of new queue=20
*/<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; } else=20
q-&gt;S =3D MAX64(q-&gt;F, pipe-&gt;V )=20
}<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; q-&gt;F =3D q-&gt;S + (=20
len&lt;&lt;MY_M )/(u_int64_t) =
<DIV><FONT size=3D2>
<DIV><FONT size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT size=3D2>So the weight is 0 when it should be 1. =
<DIV><FONT size=3D2>And it's not quite understood why should this=20
code&nbsp;execute at all?&nbsp;There is no queues (only simple =
"is_pipe" should be 1)</FONT></DIV>
<DIV><FONT size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT size=3D2>Adding&nbsp;dumb "if(fs-&gt;weight=3D=3D0) =
before&nbsp;the code&nbsp;above, fixes this kernel panic.</FONT></DIV>
<DIV><FONT size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT size=3D2>I&nbsp;think&nbsp;it could/should be fixed&nbsp;a =
<DIV><FONT size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT size=3D2>--</FONT></DIV>
<DIV><FONT size=3D2>With best regards, Valentine Zaretsky</FONT></DIV>
<DIV><FONT size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT size=3D2></FONT>&nbsp;</DIV></BODY></HTML>


To Unsubscribe: send mail to
with "unsubscribe freebsd-ipfw" in the body of the message

Want to link to this message? Use this URL: <$8c667550$226e03d4>