| Age | Commit message (Collapse) | Author |
|---|
|
Before this change, we would silently drop packets when link resolution
failed. This change brings us into line with RFC 792 (IPv4) and RFC 4443 (IPv6),
both of which specify that gateways should return an ICMP error to the sender
when link resolution fails.
PiperOrigin-RevId: 374699789
|
|
Previously, we named domain objects using numbers (e.g. "e1", "e2" etc). This
change renames objects to clarify whether they are part of the incoming or
outgoing path.
PiperOrigin-RevId: 374226859
|
|
Make sure that the initial configurations used by the DAD state is
valid.
Before this change, an invalid DAD configuration (with a zero-valued
retransmit timer) was used so the DAD state would attempt to resolve
DAD immediately.
This lead to a deadlock in TestDADResolve as when DAD resolves, the
stack notifies the NDP dispatcher which would attempt to write to an
unbuffered channel while holding a lock. The test goroutine also
attempts to obtain a stack.Route (before receiving from the channel)
which ends up attempting to take the same lock.
Test: stack_test.TestDADResolve
PiperOrigin-RevId: 373888540
|
|
...instead of per NetworkProtocol to better conform with linux
(https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt):
```
conf/interface/*
forwarding - BOOLEAN
Enable IP forwarding on this interface. This controls whether packets
received _on_ this interface can be forwarded.
```
Fixes #5932.
PiperOrigin-RevId: 373888000
|
|
This change updates the forwarding path to perform the forwarding hook
with iptables so that the filter table is consulted before a packet is
forwarded
Updates #170.
Test: iptables_test.TestForwardingHook
PiperOrigin-RevId: 373702359
|
|
Benchmark iperf3:
Before After
native->runsc 5.14 5.01 (Gbps)
runsc->native 4.15 4.07 (Gbps)
It did introduce overhead, mainly at the bridge between pkg/buffer and
VectorisedView, the ExtractVV method. Once endpoints start migrating away from
VV, this overhead will be gone.
Updates #2404
PiperOrigin-RevId: 373651666
|
|
...to make it clear to callers that all interfaces are updated with the
forwarding flag and that future NICs will be created with the new
forwarding state.
PiperOrigin-RevId: 373618435
|
|
Before this change, we would silently drop packets when the packet was too
big to be sent out through the NIC (and, for IPv4 packets, if DF was set).
This change brings us into line with RFC 792 (IPv4) and RFC 4443 (IPv6),
both of which specify that gateways should return an ICMP error to the sender
when the packet can't be fragmented.
PiperOrigin-RevId: 373480078
|
|
This is a hot path for all incoming packets and we don't
need an exclusive lock here as we are not modifying any
of the fields protected by mu here.
PiperOrigin-RevId: 373181254
|
|
This is in preparation of having aggregated NIC stats at the stack
level. These validation functions will be needed outside of the
network layer packages to test aggregated NIC stats.
PiperOrigin-RevId: 373180565
|
|
Currently, we process IPv6 extension headers when receiving packets
but not when forwarding them. This is fine for the most part, with
with one exception: RFC 8200 requires that we process the
Hop-by-Hop headers even while forwarding packets.
This CL adds that support by invoking the Hop-by-hop logic performed
when receiving packets during forwarding as well.
PiperOrigin-RevId: 373145478
|
|
...to conform with Linux's `accept_ra` sysctl option.
```
accept_ra - INTEGER
Accept Router Advertisements; autoconfigure using them.
It also determines whether or not to transmit Router
Solicitations. If and only if the functional setting is to
accept Router Advertisements, Router Solicitations will be
transmitted.
Possible values are:
0 Do not accept Router Advertisements.
1 Accept Router Advertisements if forwarding is disabled.
2 Overrule forwarding behaviour. Accept Router Advertisements
even if forwarding is enabled.
Functional default: enabled if local forwarding is disabled.
disabled if local forwarding is enabled.
```
With this change, routers may be solicited even if the stack is has
forwarding enabled, as long as the interface is configured to handle
RAs when forwarding is enabled.
PiperOrigin-RevId: 372406501
|
|
...to conform with Linux's `accept_ra` sysctl option.
```
accept_ra - INTEGER
Accept Router Advertisements; autoconfigure using them.
It also determines whether or not to transmit Router
Solicitations. If and only if the functional setting is to
accept Router Advertisements, Router Solicitations will be
transmitted.
Possible values are:
0 Do not accept Router Advertisements.
1 Accept Router Advertisements if forwarding is disabled.
2 Overrule forwarding behaviour. Accept Router Advertisements
even if forwarding is enabled.
Functional default: enabled if local forwarding is disabled.
disabled if local forwarding is enabled.
```
PiperOrigin-RevId: 372214640
|
|
Before this change, we would silently drop packets when unable to determine a
route to the destination host. This change brings us into line with RFC 792
(IPv4) and RFC 4443 (IPv6), both of which specify that gateways should return
an ICMP error to the sender when unable to reach the destination.
Startblock:
has LGTM from asfez
and then
add reviewer ghanan
PiperOrigin-RevId: 372214051
|
|
...to match linux behaviour:
```
$ sudo sysctl net.ipv6.conf.eno1.forwarding
net.ipv6.conf.eno1.forwarding = 0
$ ip addr list dev eno1
2: eno1: <...> ...
inet6 PREFIX:TEMP_IID/64 scope global temporary dynamic
valid_lft 209363sec preferred_lft 64024sec
inet6 PREFIX:GLOBAL_STABLE_IID/64 scope global dynamic mngtmpaddr ...
valid_lft 209363sec preferred_lft 209363sec
inet6 fe80::LINKLOCAL_STABLE_IID/64 scope link
valid_lft forever preferred_lft forever
$ sudo sysctl -w "net.ipv6.conf.all.forwarding=1"
net.ipv6.conf.all.forwarding = 1
$ sudo sysctl net.ipv6.conf.eno1.forwarding
net.ipv6.conf.eno1.forwarding = 1
$ ip addr list dev eno1
2: eno1: <...> ...
inet6 PREFIX:TEMP_IID/64 scope global temporary dynamic
valid_lft 209339sec preferred_lft 64000sec
inet6 PREFIX:GLOBAL_STABLE_IID/64 scope global dynamic mngtmpaddr ...
valid_lft 209339sec preferred_lft 209339sec
inet6 fe80::LINKLOCAL_STABLE_IID/64 scope link
valid_lft forever preferred_lft forever
$ ip -6 route list
...
PREFIX::/64 dev eno1 proto ra metric 100 expires 209241sec pref medium
default via fe80::ROUTER_IID dev eno1 proto ra ...
```
PiperOrigin-RevId: 372146689
|
|
Fixes the below linting error:
```
From Golint:
> Package ip has package comment defined in multiple places:
> duplicate_address_detection.go
> generic_multicast_protocol.go
```
PiperOrigin-RevId: 371430486
|
|
... it may now invalidate backing slice references
This is currently safe because TrimFront() in VectorisedView only shrinks the
view. This may not hold under the a different buffer implementation.
Reordering method calls order to allow this.
PiperOrigin-RevId: 371167610
|
|
With this change, GSO options no longer needs to be passed around as
a function argument in the write path.
This change is done in preparation for a later change that defers
segmentation, and may change GSO options for a packet as it flows
down the stack.
Updates #170.
PiperOrigin-RevId: 369774872
|
|
This is done for IPv4, UDP and TCP headers.
This also changes the packet checkers used in tests to error on
zero-checksum, not sure why it was allowed before.
And while I'm here, make comments' case consistent.
RELNOTES: n/a
Fixes #5049
PiperOrigin-RevId: 369383862
|
|
This was semi-automated -- there are many addresses that were not replaced.
Future commits should clean those up.
Parse4 and Parse6 were given their own package because //pkg/test can introduce
dependency cycles, as it depends transitively on //pkg/tcpip and some other
netstack packages.
PiperOrigin-RevId: 368726528
|
|
The current SNAT implementation has several limitations:
- SNAT source port has to be specified. It is not optional.
- SNAT source port range is not supported.
- SNAT for UDP is a one-way translation. No response packets
are handled (because conntrack doesn't support UDP currently).
- SNAT and REDIRECT can't work on the same connection.
Fixes #5489
PiperOrigin-RevId: 367750325
|
|
To match the V4 variant.
PiperOrigin-RevId: 367691981
|
|
As per RFC 3927 section 7 and RFC 4291 section 2.5.6.
Test: forward_test.TestMulticastForwarding
PiperOrigin-RevId: 367519336
|
|
See comments inline code for rationale.
Test: ip_test.TestJoinLeaveAllRoutersGroup
PiperOrigin-RevId: 367449434
|
|
...as per RFC 2710 section 5 page 10.
Test: ipv6_test.TestMLDSkipProtocol
PiperOrigin-RevId: 367031126
|
|
On Linux these are meant to be equivalent to POLLIN/POLLOUT. Rather
than hack these on in sys_poll etc it felt cleaner to just cleanup
the call sites to notify for both events. This is what linux does
as well.
Fixes #5544
PiperOrigin-RevId: 364859977
|
|
This change sets the inner `routeInfo` struct to be a named private member
and replaces direct access with access through getters. Note that direct
access to the fields of `routeInfo` is still possible through the `RouteInfo`
struct.
Fixes #4902
PiperOrigin-RevId: 364822872
|
|
...instead of opting out of them.
Loopback traffic should be stack-local but gVisor has some clients
that depend on the ability to receive loopback traffic that originated
from outside of the stack. Because of this, we guard this change behind
IP protocol options.
A previous change provided the facility to deny these martian loopback
packets but this change requires client to opt-in to accepting martian
loopback packets as accepting martian loopback packets are not meant
to be accepted, as per RFC 1122 section 3.2.1.3.g:
(g) { 127, <any> }
Internal host loopback address. Addresses of this form
MUST NOT appear outside a host.
PiperOrigin-RevId: 364581174
|
|
PiperOrigin-RevId: 364381970
|
|
Loopback traffic should be stack-local but gVisor has some clients
that depend on the ability to receive loopback traffic that originated
from outside of the stack. Because of this, we guard this change behind
IP protocol options.
Test: integration_test.TestExternalLoopbackTraffic
PiperOrigin-RevId: 363461242
|
|
...as per RFC 7527.
If a looped-back DAD message is received, do not fail DAD since our own
DAD message does not indicate that a neighbor has the address assigned.
Test: ndp_test.TestDADResolveLoopback
PiperOrigin-RevId: 363224288
|
|
Calling into the stack from LinkAddressRequest is not needed as we
already have a reference to the network endpoint (IPv6) or network
interface (IPv4/ARP).
PiperOrigin-RevId: 363213973
|
|
IPv4 would violate the lock ordering of protocol > endpoint when closing
network endpoints by calling `ipv4.protocol.forgetEndpoint` while
holding the network endpoint lock.
PiperOrigin-RevId: 361232817
|
|
The integrator may be interested in who owns a duplicate address so
pass this information (if available) along.
Fixes #5605.
PiperOrigin-RevId: 361213556
|
|
While I'm here, update NDPDispatcher.OnDuplicateAddressDetectionStatus to
take a DADResult and rename it to OnDuplicateAddressDetectionResult.
Fixes #5606.
PiperOrigin-RevId: 360965416
|
|
One of the preparation to decouple underlying buffer implementation.
There are still some methods that tie to VectorisedView, and they will be
changed gradually in later CLs.
This CL also introduce a new ICMPv6ChecksumParams to replace long list of
parameters when calling ICMPv6Checksum, aiming to be more descriptive.
PiperOrigin-RevId: 360778149
|
|
While I'm here, simplify the comments and unify naming of certain stats
across protocols.
PiperOrigin-RevId: 360728849
|
|
Fixes #5490
PiperOrigin-RevId: 359401532
|
|
Previously, when DAD would detect a conflict for a temporary address,
the address would be removed but its timers would not be stopped,
resulting in a panic when the removed address's invalidation timer
fired.
While I'm here, remove the check for unicast-ness on removed address
endpoints since multicast addresses are no longer stored in the same
structure as unicast addresses as of 27ee4fe76ad586ac8751951a842b3681f93.
Test: stack_test.TestMixedSLAACAddrConflictRegen
PiperOrigin-RevId: 359344849
|
|
This change also adds support for Router Alert option processing on
incoming packets, a new stat for Router Alert option, and exports
all the IP-option related stats.
Fixes #5491
PiperOrigin-RevId: 358238123
|
|
Utilities written to be common across IPv4/IPv6 are not planned to be
available for public use.
https://golang.org/doc/go1.4#internalpackages
PiperOrigin-RevId: 356554862
|
|
IPv4 forwarding and reassembly needs support for option processing
and regular processing also needs options to be processed before
being passed to the transport layer. This patch extends option processing
to those cases and provides additional testing. A small change to the ICMP
error generation API code was required to allow it to know when a packet was
being forwarded or not.
Updates #4586
PiperOrigin-RevId: 356446681
|
|
The thing the lock protects will never be accessed concurrently.
PiperOrigin-RevId: 356423331
|
|
...as long as the network protocol supports duplicate address detection.
This CL provides the facilities for a netstack integrator to perform
DAD.
DHCP recommends that clients effectively perform DAD before accepting an
offer. As per RFC 2131 section 4.4.1 pg 38,
The client SHOULD perform a check on the suggested address to ensure
that the address is not already in use. For example, if the client
is on a network that supports ARP, the client may issue an ARP request
for the suggested request.
The implementation of ARP-based IPv4 DAD effectively operates the same
as IPv6's NDP DAD - using ARP requests and responses in place of
NDP neighbour solicitations and advertisements, respectively.
DAD performed by calls to (*Stack).CheckDuplicateAddress don't interfere
with DAD performed when a new IPv6 address is added. This is so that
integrator requests to check for duplicate addresses aren't unexpectedly
aborted when addresses are removed.
A network package internal package provides protocol agnostic DAD state
management that specific protocols that provide DAD can use.
Fixes #4550.
Tests:
- internal/ip_test.*
- integration_test.TestDAD
- arp_test.TestDADARPRequestPacket
- ipv6.TestCheckDuplicateAddress
PiperOrigin-RevId: 356405593
|
|
It was replaced by NUD/neighborCache.
Fixes #4658.
PiperOrigin-RevId: 356085221
|
|
Previously when sending NDP DAD or RS messages, we would hold a shared
lock which lead to deadlocks (due to synchronous packet loooping
(e.g. pipe and loopback link endpoints)) and lock contention.
Writing packets may be an expensive operation which could prevent other
goroutines from doing meaningful work if a shared lock is held while
writing packets.
This change upates the NDP DAD/RS timers to not hold shared locks while
sending packets.
PiperOrigin-RevId: 356053146
|
|
The network endpoints only look for other network endpoints of the
same kind. Since the network protocols keeps track of all endpoints,
go through the protocol to find an endpoint with an address instead
of the stack.
PiperOrigin-RevId: 356051498
|
|
Network endpoints that wish to check addresses on another NIC-local
network endpoint may now do so through the NetworkInterface.
This fixes a lock ordering issue between NIC removal and link
resolution. Before this change:
NIC Removal takes the stack lock, neighbor cache lock then neighbor
entries' locks.
When performing IPv4 link resolution, we take the entry lock then ARP
would try check IPv4 local addresses through the stack which tries to
obtain the stack's lock.
Now that ARP can check IPv4 addreses through the NIC, we avoid the lock
ordering issue, while also removing the need for stack to lookup the
NIC.
PiperOrigin-RevId: 356034245
|
|
After IPTables checks a batch of packets, we can write packets that are
not dropped or locally destined as a batch instead of individually.
This previously caused a bug since WritePacket* functions expect to take
ownership of passed PacketBuffer{List}. WritePackets assumed the list of
PacketBuffers will not be invalidated when calling WritePacket for each
PacketBuffer in the list, but this is not true. WritePacket may add the
passed PacketBuffer into a different list which would modify the
PacketBuffer in such a way that it no longer points to the next
PacketBuffer to write.
Example: Given a PB list of
PB_a -> PB_b -> PB_c
WritePackets may be iterating over the list and calling WritePacket for
each PB. When WritePacket takes PB_a, it may add it to a new list which
would update pointers such that PB_a no longer points to PB_b.
Test: integration_test.TestIPTableWritePackets
PiperOrigin-RevId: 355969560
|
|
Make it clear that failing to parse a looped back is not a packet
sending error but a malformed received packet error.
FindNetworkEndpoint returns nil when no network endpoint is found
instead of an error.
PiperOrigin-RevId: 355954946
|
