summaryrefslogtreecommitdiffhomepage
path: root/pkg/tcpip/network
AgeCommit message (Collapse)Author
2020-05-08Merge release-20200422.0-61-gcfd3066 (automated)gVisor bot
2020-05-08iptables - filter packets using outgoing interface.gVisor bot
Enables commands with -o (--out-interface) for iptables rules. $ iptables -A OUTPUT -o eth0 -j ACCEPT PiperOrigin-RevId: 310642286
2020-05-06Add basic incoming ipv4 fragment testsKevin Krakauer
Based on ipv6's TestReceiveIPv6Fragments.
2020-05-04Merge release-20200422.0-18-g711439b (automated)gVisor bot
2020-05-01Support for connection tracking of TCP packets.Nayana Bidari
Connection tracking is used to track packets in prerouting and output hooks of iptables. The NAT rules modify the tuples in connections. The connection tracking code modifies the packets by looking at the modified tuples.
2020-05-01Merge release-20200422.0-11-g5e1e61f (automated)gVisor bot
2020-05-01Automated rollback of changelist 308674219Kevin Krakauer
PiperOrigin-RevId: 309491861
2020-04-30Merge release-20200422.0-7-gae15d90 (automated)gVisor bot
2020-04-30FIFO QDisc implementationBhasker Hariharan
Updates #231 PiperOrigin-RevId: 309323808
2020-04-27Merge release-20200323.0-253-g55f0c33 (automated)gVisor bot
2020-04-27Automated rollback of changelist 308163542gVisor bot
PiperOrigin-RevId: 308674219
2020-04-24Merge release-20200323.0-227-geccae0f (automated)gVisor bot
2020-04-23Remove View.First() and View.RemoveFirst()Kevin Krakauer
These methods let users eaily break the VectorisedView abstraction, and allowed netstack to slip into pseudo-enforcement of the "all headers are in the first View" invariant. Removing them and replacing with PullUp(n) breaks this reliance and will make it easier to add iptables support and rework network buffer management. The new View.PullUp(n) method is low cost in the common case, when when all the headers fit in the first View. PiperOrigin-RevId: 308163542
2020-04-21Merge release-20200323.0-199-g120d3b5 (automated)gVisor bot
2020-04-21Automated rollback of changelist 307477185gVisor bot
PiperOrigin-RevId: 307598974
2020-04-20Merge release-20200323.0-195-g07b1b4c (automated)gVisor bot
2020-04-17Remove View.First() and View.RemoveFirst()Kevin Krakauer
These methods let users eaily break the VectorisedView abstraction, and allowed netstack to slip into pseudo-enforcement of the "all headers are in the first View" invariant. Removing them and replacing with PullUp(n) breaks this reliance and will make it easier to add iptables support and rework network buffer management. The new View.PullUp(n) method is low cost in the common case, when when all the headers fit in the first View.
2020-04-17Merge release-20200323.0-172-gf367cf8 (automated)gVisor bot
2020-04-16Drop invalid NDP NA messagesGhanan Gowripalan
Better validate NDP NAs options before updating the link address cache. Test: stack_test.TestNeighorAdvertisementWithTargetLinkLayerOption PiperOrigin-RevId: 306962924
2020-04-14Attempt SLAAC address regeneration on DAD conflictsGhanan Gowripalan
As per RFC 7217 section 6, attempt to regenerate IPv6 SLAAC address in response to a DAD conflict if the address was generated with an opaque IID as outlined in RFC 7217 section 5. Test: - stack_test.TestAutoGenAddrWithOpaqueIIDDADRetries - stack_test.TestAutoGenAddrWithEUI64IIDNoDADRetries - stack_test.TestAutoGenAddrContinuesLifetimesAfterRetry PiperOrigin-RevId: 306555645
2020-04-09Merge pull request #2253 from amscanne:nogogVisor bot
PiperOrigin-RevId: 305807868
2020-04-10Merge release-20200323.0-114-gc560bfd (automated)gVisor bot
2020-04-09Drop invalid NDP NS messagesGhanan Gowripalan
Better validate NDP NS messages and their options before doing work in response to them. Also make sure that NA messages sent in response to an NS use the correct IPv6 and link-layer addresses so they are routed properly and received by the right node. Test: stack_test.TestNeighorSolicitationResponse PiperOrigin-RevId: 305799054
2020-04-08Remove lostcancel warnings.Adin Scannell
Updates #2243
2020-04-07Merge release-20200323.0-80-g6db55a5 (automated)gVisor bot
2020-04-07Require that IPv6 headers be in the first fragmentGhanan Gowripalan
Test: - header_test.TestIPv6ExtHdrIter - ipv6_test.TestReceiveIPv6Fragments Updates #2197, #2333 PiperOrigin-RevId: 305330178
2020-04-04Merge release-20200323.0-69-gfc99a7e (automated)gVisor bot
2020-04-03Refactor software GSO code.Bhasker Hariharan
Software GSO implementation currently has a complicated code path with implicit assumptions that all packets to WritePackets carry same Data and it does this to avoid allocations on the path etc. But this makes it hard to reuse the WritePackets API. This change breaks all such assumptions by introducing a new Vectorised View API ReadToVV which can be used to cleanly split a VV into multiple independent VVs. Further this change also makes packet buffers linkable to form an intrusive list. This allows us to get rid of the array of packet buffers that are passed in the WritePackets API call and replace it with a list of packet buffers. While this code does introduce some more allocations in the benchmarks it doesn't cause any degradation. Updates #231 PiperOrigin-RevId: 304731742
2020-04-03Merge release-20200323.0-61-g4582a2f (automated)gVisor bot
2020-04-02Drop NDP messages with fragment extension headerGhanan Gowripalan
As per RFC 6980 section 5, nodes MUST silently ignore NDP messages if the packet carrying them include an IPv6 Fragmentation Header. Test: ipv6_test.TestNDPValidation PiperOrigin-RevId: 304519379
2020-04-02Merge release-20200323.0-58-gecc3d01 (automated)gVisor bot
2020-04-02Increment NDP message RX stats before validationGhanan Gowripalan
Tests: - ipv6_test.TestHopLimitValidation - ipv6_test.TestRouterAdvertValidation PiperOrigin-RevId: 304495723
2020-03-27Merge release-20200219.0-253-g2a4aff7 (automated)gVisor bot
2020-03-27Support Hop By Hop and Destination Options ext hdrGhanan Gowripalan
Enables handling the Hop by Hop and Destination Options extension headers, but options are not yet supported. All options will be treated as unknown and their respective action will be followed. Note, the stack does not yet support sending ICMPv6 error messages in response to options that cannot be handled/parsed. That will come in a later change (Issue #2211). Tests: - header_test.TestIPv6UnknownExtHdrOption - header_test.TestIPv6OptionsExtHdrIterErr - header_test.TestIPv6OptionsExtHdrIter - ipv6_test.TestReceiveIPv6ExtHdrs PiperOrigin-RevId: 303433085
2020-03-26Merge release-20200219.0-250-gedc3c04 (automated)gVisor bot
2020-03-26Use panic instead of log.FatalfGhanan Gowripalan
PiperOrigin-RevId: 303212189
2020-03-26Merge release-20200219.0-249-g0e62a54 (automated)gVisor bot
2020-03-26Merge pull request #2130 from nybidari:iptablesgVisor bot
PiperOrigin-RevId: 303208407
2020-03-26Merge release-20200219.0-247-gfbe8046 (automated)gVisor bot
2020-03-26Handle IPv6 Fragment & Routing extension headersGhanan Gowripalan
Enables the reassembly of fragmented IPv6 packets and handling of the Routing extension header with a Segments Left value of 0. Atomic fragments are handled as described in RFC 6946 to not interfere with "normal" fragment traffic. No specific routing header type is supported. Note, the stack does not yet support sending ICMPv6 error messages in response to IPv6 packets that cannot be handled/parsed. That will come in a later change (Issue #2211). Test: - header_test.TestIPv6RoutingExtHdr - header_test.TestIPv6FragmentExtHdr - header_test.TestIPv6ExtHdrIterErr - header_test.TestIPv6ExtHdrIter - ipv6_test.TestReceiveIPv6ExtHdrs - ipv6_test.TestReceiveIPv6Fragments RELNOTES: n/a PiperOrigin-RevId: 303189584
2020-03-26Support owner matching for iptables.Nayana Bidari
This feature will match UID and GID of the packet creator, for locally generated packets. This match is only valid in the OUTPUT and POSTROUTING chains. Forwarded packets do not have any socket associated with them. Packets from kernel threads do have a socket, but usually no owner.
2020-03-24Merge release-20200219.0-220-g7e4073a (automated)gVisor bot
2020-03-24Move tcpip.PacketBuffer and IPTables to stack package.Bhasker Hariharan
This is a precursor to be being able to build an intrusive list of PacketBuffers for use in queuing disciplines being implemented. Updates #2214 PiperOrigin-RevId: 302677662
2020-03-06Merge release-20200219.0-122-g6fa5cee (automated)gVisor bot
2020-03-06Prevent memory leaks in ilistTamir Duberstein
When list elements are removed from a list but not discarded, it becomes important to invalidate the references they hold to their former neighbors to prevent memory leaks. PiperOrigin-RevId: 299412421
2020-03-03Merge release-20200219.0-91-g844e4d2 (automated)gVisor bot
2020-02-24Merge release-20200219.0-27-gc37b196 (automated)gVisor bot
2020-02-24Add support for tearing down protocol dispatchers and TIME_WAIT endpoints.Ian Gudger
Protocol dispatchers were previously leaked. Bypassing TIME_WAIT is required to test this change. Also fix a race when a socket in SYN-RCVD is closed. This is also required to test this change. PiperOrigin-RevId: 296922548
2020-02-11Merge release-20200127.0-130-g9be46e5 (automated)gVisor bot
2020-02-06Merge release-20200127.0-88-g6bd59b4 (automated)gVisor bot