path: root/pkg/sentry/socket
Age         Commit message                                                                 Author

2019-11-07  Merge release-20190806.1-382-g66ebb65 (automated)                              (gVisor bot)

2019-11-07  Add support for TIME_WAIT timeout.                                             (Bhasker Hariharan)

    This change adds explicit support for honoring the 2MSL timeout for sockets in TIME_WAIT state. It also adds support for the TCP_LINGER2 option that allows modification of the FIN_WAIT2 state timeout duration for a given socket. It also adds an option to modify the Stack wide TIME_WAIT timeout, but this is only for testing. On Linux this is fixed at 60s.

    Further, we also now correctly process RSTs in CLOSE_WAIT and close the socket similar to Linux without moving it to error state. We also now handle SYN in ESTABLISHED state as per RFC5961#section-4.1. Earlier we would just drop these SYNs, which can result in some tests that pass on Linux failing on gVisor.

    Netstack now honors TIME_WAIT correctly as well as handles the following cases correctly.

    - TCP RSTs in TIME_WAIT are ignored.
    - A duplicate TCP FIN during TIME_WAIT extends the TIME_WAIT and a dup ACK is sent in response to the FIN as the dup FIN indicates potential loss of the original final ACK.
    - An out of order segment during TIME_WAIT generates a dup ACK.
    - A new SYN w/ a sequence number > the highest sequence number in the previous connection closes the TIME_WAIT early and opens a new connection.

    Further, to make the SYN case work correctly the ISN (Initial Sequence Number) generation for Netstack has been updated to be as per RFC. It's not a pure random number anymore and follows the recommendation in https://tools.ietf.org/html/rfc6528#page-3. The current hash used is not a cryptographically secure hash function. A separate change will update the hash function used to Siphash similar to what is used in Linux.

    PiperOrigin-RevId: 279106406

2019-11-04  Merge release-20190806.1-367-gb23b36e (automated)                              (gVisor bot)

2019-11-04  Add NETLINK_KOBJECT_UEVENT socket support                                      (Michael Pratt)

    NETLINK_KOBJECT_UEVENT sockets send udev-style messages for device events. gVisor doesn't have any device events, so our sockets don't need to do anything once created.

    systemd's device manager needs to be able to create one of these sockets. It also wants to install a BPF filter on the socket. Since we'll never send any messages, the filter would never be invoked, thus we just fake it out.

    Fixes #1117
    Updates #1119

    PiperOrigin-RevId: 278405893

2019-11-01  Merge release-20190806.1-363-g515fee5 (automated)                              (gVisor bot)

2019-11-01  Add SO_PASSCRED support to netlink sockets                                     (Michael Pratt)

    Since we only support sending messages from the kernel, the peer is always the kernel, simplifying handling.

    There are currently no known users of SO_PASSCRED that would actually receive messages from gVisor, but adding full support is barely more work than stubbing out fake support.

    Updates #1117
    Fixes #1119

    PiperOrigin-RevId: 277981465

2019-10-29  Merge release-20190806.1-343-ga2c51ef (automated)                              (gVisor bot)

2019-10-29  Add endpoint tracking to the stack.                                            (Ian Gudger)

    In the future this will replace DanglingEndpoints. DanglingEndpoints must be kept for now due to issues with save/restore.

    This is arguably a cleaner design and allows the stack to know which transport endpoints might still be using its link endpoints.

    Updates #837

    PiperOrigin-RevId: 277386633

2019-10-25  Merge release-20190806.1-327-g8f029b3 (automated)                              (gVisor bot)

2019-10-25  Convert DelayOption to the newer/faster SockOpt int type.                      (Ian Gudger)

    DelayOption is set on all new endpoints in gVisor.

    PiperOrigin-RevId: 276746791

2019-10-23  Merge release-20190806.1-315-g6d4d956 (automated)                              (gVisor bot)

2019-10-23  Merge pull request #641 from tanjianfeng:master                                (gVisor bot)

    PiperOrigin-RevId: 276380008

2019-10-21  Merge release-20190806.1-295-g12235d5 (automated)                              (gVisor bot)

2019-10-21  AF_PACKET support for netstack (aka epsocket).                                 (Kevin Krakauer)

    Like (AF_INET, SOCK_RAW) sockets, AF_PACKET sockets require CAP_NET_RAW. With runsc, you'll need to pass `--net-raw=true` to enable them.

    Binding isn't supported yet.

    PiperOrigin-RevId: 275909366

2019-10-16  Reorder BUILD license and load functions in gvisor.                            (Kevin Krakauer)

    PiperOrigin-RevId: 275139066

2019-10-16  Merge release-20190806.1-278-gd22f053 (automated)                              (gVisor bot)

2019-10-16  Merge pull request #736 from tanjianfeng:fix-unix                              (gVisor bot)

    PiperOrigin-RevId: 275114157

2019-10-15  epsocket: support /proc/net/snmp                                               (Jianfeng Tan)

    Netstack has its own stats; we use this to fill /proc/net/snmp. Note that some metrics are not recorded in Netstack, which will be shown as 0 in the proc file.

    Signed-off-by: Jianfeng Tan <henry.tjf@antfin.com>
    Change-Id: Ie0089184507d16f49bc0057b4b0482094417ebe1

2019-10-15  netstack: add counters for tcp CurrEstab and EstabResets                       (Jianfeng Tan)

    Signed-off-by: Jianfeng Tan <henry.tjf@antfin.com>

2019-10-15  hostinet: support /proc/net/snmp and /proc/net/dev                             (Jianfeng Tan)

    For hostinet, we inherit the data from host procfs. To do that, we cache the fds for these files for later reads.

    Fixes #506

    Signed-off-by: Jianfeng Tan <henry.tjf@antfin.com>
    Change-Id: I2f81215477455b9c59acf67e33f5b9af28ee0165

2019-10-15  Merge release-20190806.1-270-gbfa0bb2 (automated)                              (gVisor bot)

2019-10-14  Internal change.                                                               (gVisor bot)

    PiperOrigin-RevId: 274700093

2019-10-10  Merge release-20190806.1-263-g470997c (automated)                              (gVisor bot)

2019-10-10  Allow for zero byte iovec with MSG_PEEK | MSG_TRUNC in recvmsg.                (Ian Lewis)

    This allows for peeking at the length of the next message on a netlink socket without pulling it off the socket's buffer/queue, allowing tools like 'ip' to work.

    This CL also fixes an issue where dump_done_errno was not included in the NLMSG_DONE message's payload.

    Issue #769

    PiperOrigin-RevId: 274068637

2019-10-10  Merge release-20190806.1-262-gc7e901f (automated)                              (gVisor bot)

2019-10-10  Fix bugs in fragment handling.                                                 (Bhasker Hariharan)

    Strengthen the header.IPv4.IsValid check to correctly check for IHL/TotalLength fields. Also add a check to make sure fragmentOffsets + size of the fragment do not cause a wrap around for the end of the fragment.

    PiperOrigin-RevId: 274049313

2019-10-10  Merge release-20190806.1-256-gbf870c1 (automated)                              (gVisor bot)

2019-10-09  Internal change.                                                               (gVisor bot)

    PiperOrigin-RevId: 273861936

2019-10-08  Merge release-20190806.1-247-g7c1587e (automated)                              (gVisor bot)

2019-10-07  Implement IP_TTL.                                                              (Ian Gudger)

    Also change the default TTL to 64 to match Linux.

    PiperOrigin-RevId: 273430341

2019-10-07  Merge release-20190806.1-244-g6a98237 (automated)                              (gVisor bot)

2019-10-07  Rename epsocket to netstack.                                                   (Kevin Krakauer)

    PiperOrigin-RevId: 273365058

2019-09-27  Merge release-20190806.1-201-gabbee56 (automated)                              (gVisor bot)

2019-09-27  Implement SO_BINDTODEVICE sockopt                                              (gVisor bot)

    PiperOrigin-RevId: 271644926

2019-09-26  Merge release-20190806.1-197-g5434926 (automated)                              (gVisor bot)

2019-09-26  Make raw socket tests pass in environments with or without CAP_NET_RAW.        (Kevin Krakauer)

    PiperOrigin-RevId: 271442321

2019-09-23  Merge release-20190806.1-168-g03ee55c (automated)                              (gVisor bot)

2019-09-23  netstack: convert more socket options to {Set,Get}SockOptInt                   (Andrei Vagin)

    PiperOrigin-RevId: 270763208

2019-09-23  internal BUILD file cleanup.                                                   (gVisor bot)

    PiperOrigin-RevId: 270680704

2019-09-19  Merge release-20190806.1-162-g75781ab (automated)                              (gVisor bot)

2019-09-19  Remove defer from hot path and ensure Atomic is applied consistently.          (Adin Scannell)

    PiperOrigin-RevId: 270114317

2019-09-13  Merge release-20190806.1-142-g7c6ab6a (automated)                              (gVisor bot)

2019-09-12  Implement splice methods for pipes and sockets.                                (Adin Scannell)

    This also allows the tee(2) implementation to be enabled, since dup can now be properly supported via WriteTo.

    Note that this change necessitated some minor restructuring with the fs.FileOperations splice methods. If the *fs.File is passed through directly, then only public API methods are accessible, which will deadlock immediately since the locking is already done by fs.Splice. Instead, we pass through an abstract io.Reader or io.Writer, which elide locks and use the underlying fs.FileOperations directly.

    PiperOrigin-RevId: 268805207

2019-09-12  Remove go_test from go_stateify and go_marshal                                 (Michael Pratt)

    They are no-ops, so the standard rule works fine.

    PiperOrigin-RevId: 268776264

2019-08-31  Merge 502c47f7 (automated)                                                     (gVisor bot)

2019-08-30  Return correct buffer size for ioctl(socket, FIONREAD)                         (Fabricio Voznika)

    Ioctl was returning just the buffer size from epsocket.endpoint and it was not considering data from epsocket.SocketOperations that was read from the endpoint, but not yet sent to the caller.

    PiperOrigin-RevId: 266485461

2019-08-29  Merge 863e11ac (automated)                                                     (gVisor bot)

2019-08-29  Implement /proc/net/udp.                                                       (Rahat Mahmood)

    PiperOrigin-RevId: 266229756

2019-08-22  unix: return ECONNRESET if peer closed with data not read                      (Jianfeng Tan)

    For SOCK_STREAM type unix socket, we shall return ECONNRESET if peer is closed with data not read. We explicitly set a flag when closing one end, to differentiate from just shutdown (where zero shall be returned).

    Fixes: #735

    Signed-off-by: Jianfeng Tan <henry.tjf@antfin.com>

2019-08-22  unix: return zero if peer is closed                                            (Jianfeng Tan)

    Previously, recvmsg() on a unix stream socket with its peer closed would never return, with a goroutine call trace like this:

        ...
        2 in gvisor.dev/gvisor/pkg/sentry/kernel.(*Task).block at pkg/sentry/kernel/task_block.go:124
        3 in gvisor.dev/gvisor/pkg/sentry/kernel.(*Task).BlockWithDeadline at pkg/sentry/kernel/task_block.go:69
        4 in gvisor.dev/gvisor/pkg/sentry/socket/unix.(*SocketOperations).RecvMsg at pkg/sentry/socket/unix/unix.go:612
        5 in gvisor.dev/gvisor/pkg/sentry/syscalls/linux.recvFrom at pkg/sentry/syscalls/linux/sys_socket.go:885
        6 in gvisor.dev/gvisor/pkg/sentry/syscalls/linux.RecvFrom at pkg/sentry/syscalls/linux/sys_socket.go:910
        ...

    The issue is caused by ErrClosedForReceive, returned by unix/transport.queue, being turned into nil in unix.(*EndpointReader).ReadToBlocks():

        err.ToError()

    As a result, in unix.(*SocketOperations).RecvMsg():

        n == 0 and err == nil

    We shall differentiate it from another case (no data to read, where ErrWouldBlock shall be returned) and return 0 immediately.

    Fixes: #734

    Reported-by: chenglang.hy <chenglang.hy@antfin.com>
    Signed-off-by: Jianfeng Tan <henry.tjf@antfin.com>