summaryrefslogtreecommitdiffhomepage
AgeCommit message (Collapse)Author
2021-10-08Disallow "trusted" namespace xattr in VFS2 gofer client.Ayush Ranjan
Allowing this namespace makes way for a lot of GetXattr RPCs to the gofer process when the gofer filesystem is the lower layer of an overlay. The overlay filesystem aggressively queries for "trusted.overlay.opaque" which in practice is never found in the lower layer gofer. But leads to a lot of wasted work. A consequence is that mutable gofer upper layer is not supported anymore but that is still consistent with VFS1. We can revisit when need arises. PiperOrigin-RevId: 401860585
2021-10-07add convenient wrapper for eventfdKevin Krakauer
The same create/write/read pattern is copied around several places. It's easier to understand in a package with names and comments, and we can reuse the smart blocking code in package rawfile. PiperOrigin-RevId: 401647108
2021-10-07Add a new metric to detect the number of spurious loss recoveries.Nayana Bidari
- Implements RFC 3522 (Eifel detection algorithm) to detect if the connection entered loss recovery unnecessarily. - Added a new metric to count the total number of spurious loss recoveries. - Added tests to verify the new metric. PiperOrigin-RevId: 401637359
2021-10-07Update compat list for tcpdump.Bhasker Hariharan
A libpcap change broke tcpdump support in gvisor. As a result tcpdump w/ libpcap> 1.10 fails with gvisor. Updates #6664, #6699 PiperOrigin-RevId: 401633061
2021-10-07tests: use a proper path to the kvm deviceAndrei Vagin
PiperOrigin-RevId: 401624134
2021-10-07Track UDP packets performing REDIRECT NATGhanan Gowripalan
PiperOrigin-RevId: 401620449
2021-10-07Modify the TCP test to receive re-transmitted packet before sending ACK.Nayana Bidari
TestRACKWithWindowFull was sending ACK for the last packet to avoid TLP. But, sometimes the ACK is delayed and the sender sends the re-transmitted packet before receiving ACK. The test is now modified to expect the re-transmitted packet always and then send a DSACK to avoid entering recovery. Before: http://sponge2/6473db18-137a-4afb-9d60-c3eafd236ea9 After: http://sponge2/6a0f744c-7ea3-40fa-8f76-68503bf142ca PiperOrigin-RevId: 401606848
2021-10-07Store timestamps as time.TimeTamir Duberstein
Rather than boiling down to an integer eagerly, do it as late as possible. PiperOrigin-RevId: 401599308
2021-10-06Wrap testing.MainStart to work around upcoming signature change.Nicolas Lacasse
Go1.18 is changing the signature of testing.MainStart. To ensure compatibility, we wrap MainStart and different implementations for versions before/after Go1.18. PiperOrigin-RevId: 401362668
2021-10-06Create null entry connection on first IPTables hookGhanan Gowripalan
...all connections should be tracked by ConnTrack, so create a no-op connection entry on the first hook into IPTables (Prerouting or Output) and let NAT targets modify the connection entry if they need to instead of letting the NAT target create their own connection entry. This also prepares for "twice-NAT" where a packet may have both DNAT and SNAT performed on it (which requires the ability to update ConnTrack entries). Updates #5696. PiperOrigin-RevId: 401360377
2021-10-06Add global lisafs kernel flag.Ayush Ranjan
PiperOrigin-RevId: 401296116
2021-10-06Merge pull request #6700 from avagin:readme-installgVisor bot
PiperOrigin-RevId: 401278851
2021-10-06Clarify incorrect behavior on gVisorTamir Duberstein
Linux prevents setting `IP_MULTICAST_IF` to a device when `SO_BINDTODEVICE` is set to another device. gVsior allows this. PiperOrigin-RevId: 401267471
2021-10-06Clarify incorrect behavior on gVisorTamir Duberstein
gVisor is a strong host, preventing packets from being sent from a device using the another device's address as the source. Linux is a weak host which allows this. Updates #6686. PiperOrigin-RevId: 401260128
2021-10-06Do not skip IPv6 tests when we don't have IPv4Tamir Duberstein
PiperOrigin-RevId: 401251635
2021-10-05Merge pull request #6687 from zchee:atomicbitops-nosplitgVisor bot
PiperOrigin-RevId: 401152818
2021-10-05Centralize skip logicTamir Duberstein
- Inline `IfAddrHelper` into its sole user - Implement pretty-printing `sockaddr_ll` - Make test class members private, add const accessors - Log all interface addresses on SetUp for b/137899561 Simplify some things while I'm here. PiperOrigin-RevId: 401112402
2021-10-05Fix "Installing from source" instructionsAndrei Vagin
Fixes #6387
2021-10-05Add server implementation for sharedmem endpoints.Bhasker Hariharan
PiperOrigin-RevId: 401088040
2021-10-05Merge pull request #6689 from avagin:bazel-updategVisor bot
PiperOrigin-RevId: 401053179
2021-10-05Enable passing syscall testsTamir Duberstein
PiperOrigin-RevId: 400952164
2021-10-04Update bazel packagesAndrei Vagin
2021-10-04Reply to invalid ACKs even when accept queue is fullArthur Sfez
Before checking if there is space in the accept queue, the listener should verify that the cookie is valid. If it is not, instead of silently dropping the packet, reply with an RST. Fixes #6683 PiperOrigin-RevId: 400807346
2021-10-04Test listener receiving an invalid ACK while the accept queue is fullArthur Sfez
Updates #6683 PiperOrigin-RevId: 400745768
2021-10-04No split to assembly and noasm functions on atomicbitops packageKoichi Shiraishi
Signed-off-by: Koichi Shiraishi <zchee.io@gmail.com>
2021-10-01Read lock when getting connectionsGhanan Gowripalan
We should avoid taking the write lock to avoid contention when looking for a packet's tracked connection. No need to reap timed out connections when looking for connections as the reaper (which runs periodically) will handle that. PiperOrigin-RevId: 400322514
2021-10-01Drop ConnTrack.handlePacketGhanan Gowripalan
Move the hook specific logic to the IPTables hook functions. This lets us avoid having to perform checks on the hook to determine what action to take. Later changes will drop the need for handlePacket's return value, reducing the value of this function that all hooks call into. PiperOrigin-RevId: 400298023
2021-10-01Drop conn.tcbHookGhanan Gowripalan
...as the packet's direction gives us the information that tcbHook is used to derive. PiperOrigin-RevId: 400280102
2021-10-01Annotate checklocks on mutex protected fieldsGhanan Gowripalan
...to catch lock-related bugs in nogo tests. Updates #6566. PiperOrigin-RevId: 400265818
2021-10-01Merge pull request #6551 from sudo-sturbia:msgqueue/procfsgVisor bot
PiperOrigin-RevId: 400258924
2021-10-01Drop IPTables.checkPacketsGhanan Gowripalan
...and have `CheckOutputPackets`, `CheckPostroutingPackets` call their equivalent methods that operate on a single packet buffer directly. This is so that the `Check{Output, Postrouting}Packets` methods may leverage any hook-specific work that `Check{Output, Postrouting}` may perform. Note: Later changes will add hook-specific logic to the `Check{Output, Postrouting}` methods. PiperOrigin-RevId: 400255651
2021-10-01Let connection handle tracked packetsGhanan Gowripalan
...to save a call to `ConnTrack.connFor` when callers already have a reference to the ConnTrack entry. PiperOrigin-RevId: 400244955
2021-10-01[bm-dashboard] Upgrade vulnerable node packages.Zach Koopmans
Note: this code is auto generated using npm update. PiperOrigin-RevId: 400227038
2021-10-01Use root context to mount volumesFabricio Voznika
Fixes #6643 PiperOrigin-RevId: 400218778
2021-10-01Move pendingEndpoints to acceptQueueTamir Duberstein
This obsoletes the need for the pendingMu and pending, since they are redundant with acceptMu and pendingAccepted. Fixes #6671. PiperOrigin-RevId: 400162391
2021-09-30Test syn and accept queue behavior on shutdownTamir Duberstein
Enhance the backlog test to exercise the syn queue. Updates #6671. PiperOrigin-RevId: 400094530
2021-09-30kernel: print PID in addition to TID in task log messagesAndrei Vagin
For multithreads processes, it is hard to read logs without knowing task pids. And let's print a decimal return codeo for syscalls. A hex return code are usefull for system calls that return addresses. For other syscalls, the decimal form is more readable. PiperOrigin-RevId: 400035449
2021-09-30Skip analysis of standard library packages using genericsMichael Pratt
The upstream analysis packages we depend on do not yet support analysis of code using Go 1.18 type parameter features, making analysis of the Go tip standard library choke and crash. Skip these packages for now. PiperOrigin-RevId: 400030256
2021-09-30Add timer_create and timer_settime to filtersMichael Pratt
Go 1.18 (as of golang.org/cl/324129) uses per-thread timers created and set with timer_create/timer_settime for more accurate CPU pprof profiling. Add these syscalls to the allowed syscall filters. PiperOrigin-RevId: 399941561
2021-09-29Setup sniffer teardown earlierTamir Duberstein
This prevents an iptables failure from deadlocking the test. PiperOrigin-RevId: 399822238
2021-09-29Avoid comparisons to zero value of acceptQueueTamir Duberstein
PiperOrigin-RevId: 399765414
2021-09-29Rename accepted -> acceptQueueTamir Duberstein
Rename cap -> capacity to avoid collision with the builtin. PiperOrigin-RevId: 399753630
2021-09-29Remove syncRcvdCountTamir Duberstein
This is redundant with listenContext.pendingEndpoints PiperOrigin-RevId: 399722472
2021-09-28Move `safecopy.ReplaceSignalHandler` into `sighandling` package.Etienne Perot
PiperOrigin-RevId: 399560357
2021-09-28Inline handleSynSegmentTamir Duberstein
This function has only one caller. Remove segment reference count manipulation since it is only used synchronously. PiperOrigin-RevId: 399525343
2021-09-28Support naive Masquerade NAT targetGhanan Gowripalan
* Does not accept a port range (Issue #5772). * Does not support checking for tuple conflits (Issue #5773). PiperOrigin-RevId: 399524088
2021-09-27Move `sighandling` package out of `sentry`.Etienne Perot
PiperOrigin-RevId: 399295737
2021-09-27Implement S/R for StatsTamir Duberstein
PiperOrigin-RevId: 399276940
2021-09-27Prevent PacketData from being modified.Ayush Ranjan
PacketData should not be modified and should be treated readonly because it represents packet payload. The old DeleteFront method allowed callers to modify the underlying buffer which should not be allowed. Added a way to consume from the PacketData instead of deleting from it. Updated call points to use that instead. Reported-by: syzbot+faee5cb350f769a52d1b@syzkaller.appspotmail.com PiperOrigin-RevId: 399268473
2021-09-27Store pending endpoints in a setTamir Duberstein
There's no need for synthetic keys here. PiperOrigin-RevId: 399263134