Age | Commit message (Collapse) | Author |
|
Allowing this namespace makes way for a lot of GetXattr RPCs to the gofer
process when the gofer filesystem is the lower layer of an overlay.
The overlay filesystem aggressively queries for "trusted.overlay.opaque" which
in practice is never found in the lower layer gofer. But leads to a lot of
wasted work.
A consequence is that mutable gofer upper layer is not supported anymore but
that is still consistent with VFS1. We can revisit when need arises.
PiperOrigin-RevId: 401860585
|
|
The same create/write/read pattern is copied around several places. It's easier
to understand in a package with names and comments, and we can reuse the smart
blocking code in package rawfile.
PiperOrigin-RevId: 401647108
|
|
- Implements RFC 3522 (Eifel detection algorithm) to detect if the connection
entered loss recovery unnecessarily.
- Added a new metric to count the total number of spurious loss recoveries.
- Added tests to verify the new metric.
PiperOrigin-RevId: 401637359
|
|
A libpcap change broke tcpdump support in gvisor. As a result tcpdump
w/ libpcap> 1.10 fails with gvisor.
Updates #6664, #6699
PiperOrigin-RevId: 401633061
|
|
PiperOrigin-RevId: 401624134
|
|
PiperOrigin-RevId: 401620449
|
|
TestRACKWithWindowFull was sending ACK for the last packet to avoid TLP. But,
sometimes the ACK is delayed and the sender sends the re-transmitted packet
before receiving ACK.
The test is now modified to expect the re-transmitted packet always and then
send a DSACK to avoid entering recovery.
Before: http://sponge2/6473db18-137a-4afb-9d60-c3eafd236ea9
After: http://sponge2/6a0f744c-7ea3-40fa-8f76-68503bf142ca
PiperOrigin-RevId: 401606848
|
|
Rather than boiling down to an integer eagerly, do it as late as possible.
PiperOrigin-RevId: 401599308
|
|
Go1.18 is changing the signature of testing.MainStart. To ensure compatibility,
we wrap MainStart and different implementations for versions before/after
Go1.18.
PiperOrigin-RevId: 401362668
|
|
...all connections should be tracked by ConnTrack, so create a no-op
connection entry on the first hook into IPTables (Prerouting or
Output) and let NAT targets modify the connection entry if they
need to instead of letting the NAT target create their own connection
entry.
This also prepares for "twice-NAT" where a packet may have both DNAT and
SNAT performed on it (which requires the ability to update ConnTrack
entries).
Updates #5696.
PiperOrigin-RevId: 401360377
|
|
PiperOrigin-RevId: 401296116
|
|
PiperOrigin-RevId: 401278851
|
|
Linux prevents setting `IP_MULTICAST_IF` to a device when
`SO_BINDTODEVICE` is set to another device. gVsior allows this.
PiperOrigin-RevId: 401267471
|
|
gVisor is a strong host, preventing packets from being sent from a
device using the another device's address as the source. Linux is a weak
host which allows this.
Updates #6686.
PiperOrigin-RevId: 401260128
|
|
PiperOrigin-RevId: 401251635
|
|
PiperOrigin-RevId: 401152818
|
|
- Inline `IfAddrHelper` into its sole user
- Implement pretty-printing `sockaddr_ll`
- Make test class members private, add const accessors
- Log all interface addresses on SetUp for b/137899561
Simplify some things while I'm here.
PiperOrigin-RevId: 401112402
|
|
Fixes #6387
|
|
PiperOrigin-RevId: 401088040
|
|
PiperOrigin-RevId: 401053179
|
|
PiperOrigin-RevId: 400952164
|
|
|
|
Before checking if there is space in the accept queue, the listener
should verify that the cookie is valid. If it is not, instead of
silently dropping the packet, reply with an RST.
Fixes #6683
PiperOrigin-RevId: 400807346
|
|
Updates #6683
PiperOrigin-RevId: 400745768
|
|
Signed-off-by: Koichi Shiraishi <zchee.io@gmail.com>
|
|
We should avoid taking the write lock to avoid contention when looking
for a packet's tracked connection.
No need to reap timed out connections when looking for connections
as the reaper (which runs periodically) will handle that.
PiperOrigin-RevId: 400322514
|
|
Move the hook specific logic to the IPTables hook functions.
This lets us avoid having to perform checks on the hook to determine
what action to take.
Later changes will drop the need for handlePacket's return value,
reducing the value of this function that all hooks call into.
PiperOrigin-RevId: 400298023
|
|
...as the packet's direction gives us the information that tcbHook is
used to derive.
PiperOrigin-RevId: 400280102
|
|
...to catch lock-related bugs in nogo tests.
Updates #6566.
PiperOrigin-RevId: 400265818
|
|
PiperOrigin-RevId: 400258924
|
|
...and have `CheckOutputPackets`, `CheckPostroutingPackets` call their
equivalent methods that operate on a single packet buffer directly.
This is so that the `Check{Output, Postrouting}Packets` methods may
leverage any hook-specific work that `Check{Output, Postrouting}`
may perform.
Note: Later changes will add hook-specific logic to the
`Check{Output, Postrouting}` methods.
PiperOrigin-RevId: 400255651
|
|
...to save a call to `ConnTrack.connFor` when callers already have a
reference to the ConnTrack entry.
PiperOrigin-RevId: 400244955
|
|
Note: this code is auto generated using npm update.
PiperOrigin-RevId: 400227038
|
|
Fixes #6643
PiperOrigin-RevId: 400218778
|
|
This obsoletes the need for the pendingMu and pending, since they are redundant
with acceptMu and pendingAccepted.
Fixes #6671.
PiperOrigin-RevId: 400162391
|
|
Enhance the backlog test to exercise the syn queue.
Updates #6671.
PiperOrigin-RevId: 400094530
|
|
For multithreads processes, it is hard to read logs without knowing task pids.
And let's print a decimal return codeo for syscalls. A hex return code are
usefull for system calls that return addresses. For other syscalls, the decimal
form is more readable.
PiperOrigin-RevId: 400035449
|
|
The upstream analysis packages we depend on do not yet support analysis of code
using Go 1.18 type parameter features, making analysis of the Go tip standard
library choke and crash. Skip these packages for now.
PiperOrigin-RevId: 400030256
|
|
Go 1.18 (as of golang.org/cl/324129) uses per-thread timers created and set
with timer_create/timer_settime for more accurate CPU pprof profiling.
Add these syscalls to the allowed syscall filters.
PiperOrigin-RevId: 399941561
|
|
This prevents an iptables failure from deadlocking the test.
PiperOrigin-RevId: 399822238
|
|
PiperOrigin-RevId: 399765414
|
|
Rename cap -> capacity to avoid collision with the builtin.
PiperOrigin-RevId: 399753630
|
|
This is redundant with listenContext.pendingEndpoints
PiperOrigin-RevId: 399722472
|
|
PiperOrigin-RevId: 399560357
|
|
This function has only one caller.
Remove segment reference count manipulation since it is only used
synchronously.
PiperOrigin-RevId: 399525343
|
|
* Does not accept a port range (Issue #5772).
* Does not support checking for tuple conflits (Issue #5773).
PiperOrigin-RevId: 399524088
|
|
PiperOrigin-RevId: 399295737
|
|
PiperOrigin-RevId: 399276940
|
|
PacketData should not be modified and should be treated readonly because it
represents packet payload. The old DeleteFront method allowed callers to modify
the underlying buffer which should not be allowed.
Added a way to consume from the PacketData instead of deleting from it.
Updated call points to use that instead.
Reported-by: syzbot+faee5cb350f769a52d1b@syzkaller.appspotmail.com
PiperOrigin-RevId: 399268473
|
|
There's no need for synthetic keys here.
PiperOrigin-RevId: 399263134
|