Age | Commit message (Collapse) | Author |
|
The netfilter package uses logs to make debugging the (de)serialization of
structs easier. This generates a lot of (usually irrelevant) logs. Logging is
now hidden behind a debug flag.
PiperOrigin-RevId: 309087115
|
|
Enforce write permission checks in BoundEndpointAt, which corresponds to the
permission checks in Linux (net/unix/af_unix.c:unix_find_other).
Also, create bound socket files with the correct permissions in VFS2.
Fixes #2324.
PiperOrigin-RevId: 308949084
|
|
PiperOrigin-RevId: 308932254
|
|
Named pipes and sockets can be represented in two ways in gofer fs:
1. As a file on the remote filesystem. In this case, all file operations are
passed through 9p.
2. As a synthetic file that is internal to the sandbox. In this case, the
dentry stores an endpoint or VFSPipe for sockets and pipes respectively,
which replaces interactions with the remote fs through the gofer.
In gofer.filesystem.MknodAt, we attempt to call mknod(2) through 9p,
and if it fails, fall back to the synthetic version.
Updates #1200.
PiperOrigin-RevId: 308828161
|
|
The FileDescription implementation for hostfs sockets uses the standard Unix
socket implementation (unix.SocketVFS2), but is also tied to a hostfs dentry.
Updates #1672, #1476
PiperOrigin-RevId: 308716426
|
|
PiperOrigin-RevId: 308674219
|
|
Fixes #1477.
PiperOrigin-RevId: 308317511
|
|
These methods let users eaily break the VectorisedView abstraction, and
allowed netstack to slip into pseudo-enforcement of the "all headers are
in the first View" invariant. Removing them and replacing with PullUp(n)
breaks this reliance and will make it easier to add iptables support and
rework network buffer management.
The new View.PullUp(n) method is low cost in the common case, when when
all the headers fit in the first View.
PiperOrigin-RevId: 308163542
|
|
Sentry metrics with nanoseconds units are labeled as such, and non-cumulative
sentry metrics are supported.
PiperOrigin-RevId: 307621080
|
|
PiperOrigin-RevId: 307598974
|
|
These methods let users eaily break the VectorisedView abstraction, and
allowed netstack to slip into pseudo-enforcement of the "all headers are
in the first View" invariant. Removing them and replacing with PullUp(n)
breaks this reliance and will make it easier to add iptables support and
rework network buffer management.
The new View.PullUp(n) method is low cost in the common case, when when
all the headers fit in the first View.
|
|
This previously changed in 305699233, but this behaviour turned out to
be load bearing.
PiperOrigin-RevId: 307033802
|
|
This should fix panic at aio callback.
PiperOrigin-RevId: 305798549
|
|
PiperOrigin-RevId: 305699233
|
|
We already have network namespace for netstack.
PiperOrigin-RevId: 305341954
|
|
Updates #1476, #1478, #1484, #1485.
PiperOrigin-RevId: 304845354
|
|
This change involves several steps:
- Refactor the VFS1 unix socket implementation to share methods between VFS1
and VFS2 where possible. Re-implement the rest.
- Override the default PRead, Read, PWrite, Write, Ioctl, Release methods in
FileDescriptionDefaultImpl.
- Add functions to create and initialize a new Dentry/Inode and FileDescription
for a Unix socket file.
Updates #1476
PiperOrigin-RevId: 304689796
|
|
PiperOrigin-RevId: 304508083
|
|
Refactor the existing socket interface to share methods between VFS1 and VFS2.
The method signatures do not contain anything filesystem-related, so they don't
need to be re-defined for VFS2.
Updates #1476, #1478, #1484, #1485.
PiperOrigin-RevId: 304184545
|
|
This feature will match UID and GID of the packet creator, for locally
generated packets. This match is only valid in the OUTPUT and POSTROUTING
chains. Forwarded packets do not have any socket associated with them.
Packets from kernel threads do have a socket, but usually no owner.
|
|
PiperOrigin-RevId: 302891559
|
|
This is a precursor to be being able to build an intrusive list
of PacketBuffers for use in queuing disciplines being implemented.
Updates #2214
PiperOrigin-RevId: 302677662
|
|
Fixes #506
PiperOrigin-RevId: 302540404
|
|
PiperOrigin-RevId: 302539171
|
|
Also get rid of the readViewHasData as it's not required anymore.
Updates #231, #357
PiperOrigin-RevId: 301837227
|
|
workMu is removed and e.mu is now a mutex that supports TryLock. The packet
processing path tries to lock the mutex and if its locked it will just queue the
packet and move on. The endpoint.UnlockUser() will process any backlog of
packets before unlocking the socket.
This simplifies the locking inside tcp endpoints a lot. Further the
endpoint.LockUser() implements spinning as long as the lock is not held by
another syscall goroutine. This ensures low latency as not spinning leads to the
task thread being put to sleep if the lock is held by the packet dispatch
path. This is suboptimal as the lower layer rarely holds the lock for long so
implementing spinning here helps.
If the lock is held by another task goroutine then we just proceed to call
LockUser() and the task could be put to sleep.
The protocol goroutines themselves just call e.mu.Lock() and block if the
lock is currently not available.
Updates #231, #357
PiperOrigin-RevId: 301808349
|
|
PiperOrigin-RevId: 301197007
|
|
PiperOrigin-RevId: 300362789
|
|
PiperOrigin-RevId: 298476533
|
|
DATA RACE in netstack.(*SocketOperations).fetchReadView
Write at 0x00c001dca138 by goroutine 1001:
gvisor.dev/gvisor/pkg/sentry/socket/netstack.(*SocketOperations).fetchReadView()
pkg/sentry/socket/netstack/netstack.go:418 +0x85
gvisor.dev/gvisor/pkg/sentry/socket/netstack.(*SocketOperations).coalescingRead()
pkg/sentry/socket/netstack/netstack.go:2309 +0x67
gvisor.dev/gvisor/pkg/sentry/socket/netstack.(*SocketOperations).nonBlockingRead()
pkg/sentry/socket/netstack/netstack.go:2378 +0x183d
Previous read at 0x00c001dca138 by goroutine 1111:
gvisor.dev/gvisor/pkg/sentry/socket/netstack.(*SocketOperations).Ioctl()
pkg/sentry/socket/netstack/netstack.go:2666 +0x533
gvisor.dev/gvisor/pkg/sentry/syscalls/linux.Ioctl()
Reported-by: syzbot+d4c3885fcc346f08deb6@syzkaller.appspotmail.com
PiperOrigin-RevId: 298387377
|
|
- Fix review comments.
|
|
PiperOrigin-RevId: 297638665
|
|
Enables commands such as:
$ iptables -A INPUT -d 127.0.0.1 -j ACCEPT
$ iptables -t nat -A PREROUTING ! -d 127.0.0.1 -j REDIRECT
Also adds a bunch of REDIRECT+destination tests.
|
|
|
|
- commit the changes for the comments.
|
|
PiperOrigin-RevId: 296088213
|
|
Added the ability to get/set the IP_RECVTCLASS socket option on UDP endpoints.
If enabled, traffic class from the incoming Network Header passed as ancillary
data in the ControlMessages.
Adding Get/SetSockOptBool to decrease the overhead of getting/setting simple
options. (This was absorbed in a CL that will be landing before this one).
Test:
* Added unit test to udp_test.go that tests getting/setting as well as
verifying that we receive expected TOS from incoming packet.
* Added a syscall test for verifying getting/setting
* Removed test skip for existing syscall test to enable end to end test.
PiperOrigin-RevId: 295840218
|
|
PiperOrigin-RevId: 295785052
|
|
Add nat table support for Prerouting hook with Redirect option.
Add tests to check redirect of ports.
|
|
$ iptables -N foochain
$ iptables -A INPUT -j foochain
|
|
PiperOrigin-RevId: 294957297
|
|
PiperOrigin-RevId: 294952610
|
|
- Adds creation of user chains via `-N <chainname>`
- Adds `-j RETURN` support for built-in chains, which triggers the
chain's underflow rule (usually the default policy).
- Adds tests for chain creation, default policies, and `-j RETURN' from
built-in chains.
|
|
PiperOrigin-RevId: 294477647
|
|
PiperOrigin-RevId: 294340468
|
|
|
|
|
|
These were out-of-band notes that can help provide additional context
and simplify automated imports.
PiperOrigin-RevId: 293525915
|
|
From RFC 793 s3.9 p58 Event Processing:
If RECEIVE Call arrives in CLOSED state and the user has access to such a
connection, the return should be "error: connection does not exist"
Fixes #1598
PiperOrigin-RevId: 293494287
|
|
|