summaryrefslogtreecommitdiffhomepage
path: root/pkg/sentry/socket
AgeCommit message (Collapse)Author
2020-01-21Merge branch 'master' into iptables-write-filter-protoKevin Krakauer
2020-01-21Merge release-20200115.0-48-g5f82f09 (automated)gVisor bot
2020-01-21Merge pull request #1558 from kevinGC:iptables-write-input-dropgVisor bot
PiperOrigin-RevId: 290793754
2020-01-18Merge release-20200115.0-33-g47d8525 (automated)gVisor bot
2020-01-17Filter out received packets with a local source IP address.Eyal Soha
CERT Advisory CA-96.21 III. Solution advises that devices drop packets which could not have correctly arrived on the wire, such as receiving a packet where the source IP address is owned by the device that sent it. Fixes #1507 PiperOrigin-RevId: 290378240
2020-01-17Merge release-20200115.0-17-g19b4653 (automated)gVisor bot
2020-01-16Remove unused rpcinet.Adin Scannell
PiperOrigin-RevId: 290198756
2020-01-14Merge release-20191213.0-115-g50625ce (automated)gVisor bot
2020-01-14Implement {g,s}etsockopt(IP_RECVTOS) for UDP socketsTamir Duberstein
PiperOrigin-RevId: 289718534
2020-01-13Merge branch 'iptables-write-input-drop' into iptables-write-filter-protoKevin Krakauer
2020-01-13Merge release-20191213.0-113-gdebd213 (automated)gVisor bot
2020-01-13Allow dual stack sockets to operate on AF_INETTamir Duberstein
Fixes #1490 Fixes #1495 PiperOrigin-RevId: 289523250
2020-01-13Only allow INPUT modifications.Kevin Krakauer
2020-01-13Merge branch 'master' into iptables-write-input-dropKevin Krakauer
2020-01-13Merge release-20191213.0-111-gb30cfb1 (automated)gVisor bot
2020-01-13Merge pull request #1528 from kevinGC:iptables-writegVisor bot
PiperOrigin-RevId: 289479774
2020-01-10I think INPUT works with protocolKevin Krakauer
2020-01-10Merge release-20191213.0-96-g27500d5 (automated)gVisor bot
2020-01-09New sync package.Ian Gudger
* Rename syncutil to sync. * Add aliases to sync types. * Replace existing usage of standard library sync package. This will make it easier to swap out synchronization primitives. For example, this will allow us to use primitives from github.com/sasha-s/go-deadlock to check for lock ordering violations. Updates #1472 PiperOrigin-RevId: 289033387
2020-01-09Added a test that we don't pass yetKevin Krakauer
2020-01-09Merge release-20191213.0-86-g8643933 (automated)gVisor bot
2020-01-09Change BindToDeviceOption to store NICIDEyal Soha
This makes it possible to call the sockopt from go even when the NIC has no name. PiperOrigin-RevId: 288955236
2020-01-08It works! It drops some packets.Kevin Krakauer
2020-01-08Merge branch 'iptables-write' into iptables-write-input-dropKevin Krakauer
2020-01-09Merge release-20191213.0-82-gfbb2c00 (automated)gVisor bot
2020-01-08More GH comments.Kevin Krakauer
2020-01-08Return correct length with MSG_TRUNC for unix sockets.Ian Lewis
This change calls a new Truncate method on the EndpointReader in RecvMsg for both netlink and unix sockets. This allows readers such as sockets to peek at the length of data without actually reading it to a buffer. Fixes #993 #1240 PiperOrigin-RevId: 288800167
2020-01-09Merge release-20191213.0-80-gb3ae8a6 (automated)gVisor bot
2020-01-08Addressed GH commentsKevin Krakauer
2020-01-08Fix slice bounds out of range panic in parsing socket control message.Ting-Yu Wang
Panic found by syzakller. PiperOrigin-RevId: 288799046
2020-01-08Getting a panic when running tests. For some reason the filter table isKevin Krakauer
ending up with the wrong chains and is indexing -1 into rules.
2020-01-08Merge release-20191213.0-78-gd530df2 (automated)gVisor bot
2020-01-08Introduce tcpip.SockOptBoolTamir Duberstein
...and port V6OnlyOption to it. PiperOrigin-RevId: 288789451
2020-01-08Built dead-simple traversal, but now getting depedency cycle error :'(Kevin Krakauer
2020-01-08Merge release-20191213.0-76-ga271bcc (automated)gVisor bot
2020-01-08Rename tcpip.SockOpt{,Int}Tamir Duberstein
PiperOrigin-RevId: 288772878
2020-01-08First commit -- re-adding DROPKevin Krakauer
2020-01-08Comment cleanup.Kevin Krakauer
2020-01-08Minor fixes to comments and loggingKevin Krakauer
2020-01-08Write simple ACCEPT rules to the filter table.Kevin Krakauer
This gets us closer to passing the iptables tests and opens up iptables so it can be worked on by multiple people. A few restrictions are enforced for security (i.e. we don't want to let users write a bunch of iptables rules and then just not enforce them): - Only the filter table is writable. - Only ACCEPT rules with no matching criteria can be added.
2019-12-26Merge release-20191213.0-49-g87e4d03 (automated)gVisor bot
2019-12-26Automated rollback of changelist 287029703gVisor bot
PiperOrigin-RevId: 287217899
2019-12-24Merge release-20191213.0-48-ge013c48 (automated)gVisor bot
2019-12-24Enable IP_RECVTOS socket option for datagram socketsRyan Heacock
Added the ability to get/set the IP_RECVTOS socket option on UDP endpoints. If enabled, TOS from the incoming Network Header passed as ancillary data in the ControlMessages. Test: * Added unit test to udp_test.go that tests getting/setting as well as verifying that we receive expected TOS from incoming packet. * Added a syscall test PiperOrigin-RevId: 287029703
2019-12-12Merge release-20191210.0-25-g378d6c1 (automated)gVisor bot
2019-12-12unix: allow to bind unix sockets only to AF_UNIX addressesAndrei Vagin
Reported-by: syzbot+2c0bcfd87fb4e8b7b009@syzkaller.appspotmail.com PiperOrigin-RevId: 285228312
2019-12-12Merge release-20191210.0-23-g6fc9f0a (automated)gVisor bot
2019-12-11Add support for TCP_USER_TIMEOUT option.Bhasker Hariharan
The implementation follows the linux behavior where specifying a TCP_USER_TIMEOUT will cause the resend timer to honor the user specified timeout rather than the default rto based timeout. Further it alters when connections are timedout due to keepalive failures. It does not alter the behavior of when keepalives are sent. This is as per the linux behavior. PiperOrigin-RevId: 285099795
2019-12-11Merge release-20191129.0-43-g2e3b9b0 (automated)gVisor bot
2019-12-10Deduplicate and simplify control message processing for recvmsg and sendmsg.Dean Deng
Also, improve performance by calculating how much space is needed before making an allocation for sendmsg in hostinet. PiperOrigin-RevId: 284898581