| Age | Commit message (Collapse) | Author |
|---|
|
Turns out certain features of iptables (e.g. NAT) will not perform
any checks/work unless both the Network and Transport headers are
populated.
With this change, provide the packet directly to the outgoing
network endpoint's `writePacket` method instead of going
through `WriteHeaderIncludedPacket` which expected the headers
to not be set.
PiperOrigin-RevId: 398304004
|
|
PiperOrigin-RevId: 397496920
|
|
...even protocols the stack is unaware of.
While I am here, annotate checklocks on stack.packetEndpointList.
PiperOrigin-RevId: 397226754
|
|
...to catch lock-related bugs in nogo tests.
Checklocks also pointed out a locking violation which is fixed
in this change.
Updates #6566.
PiperOrigin-RevId: 397225322
|
|
Replaced the current AddAddressWithOptions method with
AddAddressWithProperties which passes all address properties in
a single AddressProperties type. More properties that need to be
configured in the future are expected, so adding a type makes adding
them easier.
PiperOrigin-RevId: 396930729
|
|
Fixes #6558
PiperOrigin-RevId: 396393293
|
|
This change removes NetworkDispatcher.DeliverOutboundPacket.
Since all packet writes go through the NIC (the only NetworkDispatcher),
we can deliver outgoing packets to interested packet endpoints before
writing the packet to the link endpoint as the stack expects that all
packets that get delivered to a link endpoint are transmitted on the
wire. That is, link endpoints no longer need to let the stack know when
it writes a packet as the stack already knows about the packet it writes
through a link endpoint.
PiperOrigin-RevId: 395761629
|
|
...through the loopback interface, only.
This change only supports sending on packet sockets through the loopback
interface as the loopback interface is the only interface used in packet
socket syscall tests - the other link endpoints are not excercised with
the existing test infrastructure.
Support for sending on packet sockets through the other interfaces will
be added as needed.
BUG: https://fxbug.dev/81592
PiperOrigin-RevId: 394368899
|
|
PiperOrigin-RevId: 393808461
|
|
...returning unsupported errors.
PiperOrigin-RevId: 393388991
|
|
... because it is still used by fuchsia.
PiperOrigin-RevId: 393246904
|
|
Also fix an option parsing error in checker.TCPTimestampChecker while I am here.
PiperOrigin-RevId: 391828329
|
|
Use different secrets for different purposes (port picking,
ISN generation, tsOffset generation) and moved the secrets
from stack.Stack to tcp.protocol.
PiperOrigin-RevId: 391641238
|
|
Send buffer size in TCP indicates the amount of bytes available for the sender
to transmit. This change will allow TCP to update the send buffer size when
- TCP enters established state.
- ACK is received.
The auto tuning is disabled when the send buffer size is set with the
SO_SNDBUF option.
PiperOrigin-RevId: 390312274
|
|
Earlier PacketBuffer.Clone() would do a shallow top level copy of the packet
buffer - which involved sharing the *buffer.Buffer between packets. Reading
or writing to the buffer in one packet would impact the other.
This caused modifications in one packet to affect the other's pkt.Views() which
is not desired. Change the clone to do a deeper copy of the underlying buffer
list and buffer pointers. The payload buffers (which are immutable) are still
shared. This change makes the Clone() operation more expensive as we now need to
allocate the entire buffer list.
Added unit test to test integrity of packet data after cloning.
Reported-by: syzbot+7ffff9a82a227b8f2e31@syzkaller.appspotmail.com
Reported-by: syzbot+7d241de0d9072b2b6075@syzkaller.appspotmail.com
Reported-by: syzbot+212bc4d75802fa461521@syzkaller.appspotmail.com
PiperOrigin-RevId: 390277713
|
|
This change will allow us to remove the default link in a packetimpact test so
we can reduce indeterministic behaviors as required in https://fxbug.dev/78430.
This will also help with testing #1388.
Updates #578, #1388.
PiperOrigin-RevId: 387896847
|
|
Before this change, transmission of the first router solicitation races
with the adding of an IPv6 link-local address. This change creates the
NIC in the disabled state and is only enabled after the address is added
(if required) to avoid this race.
PiperOrigin-RevId: 384493553
|
|
More-specific route discovery allows hosts to pick a more appropriate
router for off-link destinations.
Fixes #6172.
PiperOrigin-RevId: 382779880
|
|
This change makes the checklocks analyzer considerable more powerful, adding:
* The ability to traverse complex structures, e.g. to have multiple nested
fields as part of the annotation.
* The ability to resolve simple anonymous functions and closures, and perform
lock analysis across these invocations. This does not apply to closures that
are passed elsewhere, since it is not possible to know the context in which
they might be invoked.
* The ability to annotate return values in addition to receivers and other
parameters, with the same complex structures noted above.
* Ignoring locking semantics for "fresh" objects, i.e. objects that are
allocated in the local frame (typically a new-style function).
* Sanity checking of locking state across block transitions and returns, to
ensure that no unexpected locks are held.
Note that initially, most of these findings are excluded by a comprehensive
nogo.yaml. The findings that are included are fundamental lock violations.
The changes here should be relatively low risk, minor refactorings to either
include necessary annotations to simplify the code structure (in general
removing closures in favor of methods) so that the analyzer can be easily
track the lock state.
This change additional includes two changes to nogo itself:
* Sanity checking of all types to ensure that the binary and ast-derived
types have a consistent objectpath, to prevent the bug above from occurring
silently (and causing much confusion). This also requires a trick in
order to ensure that serialized facts are consumable downstream. This can
be removed with https://go-review.googlesource.com/c/tools/+/331789 merged.
* A minor refactoring to isolation the objdump settings in its own package.
This was originally used to implement the sanity check above, but this
information is now being passed another way. The minor refactor is preserved
however, since it cleans up the code slightly and is minimal risk.
PiperOrigin-RevId: 382613300
|
|
sndQueue made sense when the worker goroutine and the syscall context held
different locks. Now both lock the endpoint lock before doing anything which
means adding to sndQueue is pointless as we move it to writeList immediately
after that in endpoint.Write() by calling e.drainSendQueue.
PiperOrigin-RevId: 381523177
|
|
...instead of calculating a fresh checksum to avoid re-calcalculating
a checksum on unchanged bytes.
Fixes #5340.
PiperOrigin-RevId: 381403888
|
|
This change prepares for a later change which supports the NDP
Route Information option to discover more-specific routes, as
per RFC 4191.
The newly introduced off-link route state will be used to hold
both the state for default routers (which is a default (off-link)
route through the router, and more-specific routes (which are
routes through some router to some destination subnet more specific
than the IPv6 empty subnet).
Updates #6172.
PiperOrigin-RevId: 381403761
|
|
Updates #5940.
PiperOrigin-RevId: 380668609
|
|
epsByNIC.registerEndpoint can add a multiportEndpoint to its map of
nic->multiportEndpoint even if multiport.Endpoint.singleRegisterEndpoint
failed. Same for transportDemuxer.singleRegisterEndpoint which ends up adding an
entry to nic->epsByNIC even if epsByNIC.registerEndpoint fails.
These breaks an invariant which the code assumes that a
multiportEndpoint/endpointsByNIC always have at least one valid entry.
PiperOrigin-RevId: 380310115
|
|
RFC 4191 supports the notion of a preference value for default routers
and more-specific routes, so update the OffLinkRouteUpdate event to
include this preference value so integrators may prioritize routes
based on a route's advertised preference value.
Note, more-specific route discovery is not supported yet, but will be in
a later change.
Updates #6172.
Test: ndp_test.TestRouterDiscovery
PiperOrigin-RevId: 380243716
|
|
Also makes the behavior of raw sockets WRT fragmentation clearer, and makes the
ICMPv4 header-length check explicit.
Fixes #3160.
PiperOrigin-RevId: 380033450
|
|
This change prepares for a later change which supports the NDP
Route Information option to discover more-specific routes, as
per RFC 4191.
Updates #6172.
PiperOrigin-RevId: 379361330
|
|
There are many references to unimplemented iptables features that link to #170,
but that bug is about Istio support specifically. Istio is supported, so the
references should change.
Some TODOs are addressed, some removed because they are not features requested
by users, and some are left as implementation notes.
Fixes #170.
PiperOrigin-RevId: 379328488
|
|
Before this change, the NDPDispatcher was allowed to "cancel" the
discovery of default routers/prefixes and auto-generate addresses.
No use case exists for this today so we drop this for now. If a
use case comes up in the future, we should instead invalidate the
discovered configuration through the stack instead of during
discovery.
PiperOrigin-RevId: 379327009
|
|
As per https://linux.die.net/man/8/iptables,
```
Parameters
-i, --in-interface [!] name
Name of an interface via which a packet was received (only for
packets entering the INPUT, FORWARD and PREROUTING chains).
```
Before this change, iptables would use the NIC that a packet was
delivered to after forwarding a packet locally (when forwarding is
enabled) instead of the NIC the packet arrived at.
Updates #170, #3549.
Test: iptables_test.TestInputHookWithLocalForwarding
PiperOrigin-RevId: 377714971
|
|
- Typos
- Unused arguments
- Useless conversions
PiperOrigin-RevId: 376362730
|
|
Testing only TestBindToDeviceDistribution decreased from 24s to 11s, and with
TSAN from 186s to 21s.
Note: using `t.Parallel()` actually slows the test down.
PiperOrigin-RevId: 376251420
|
|
...except TCP tests and NDP tests that mutate globals. These will be
undertaken later.
Updates #5940.
PiperOrigin-RevId: 376145608
|
|
- Don't shadow package name
- Don't defer in a loop
- Remove unnecessary type conversion
PiperOrigin-RevId: 376137822
|
|
...except in tests.
Note this replaces some uses of a cryptographic RNG with a plain RNG.
PiperOrigin-RevId: 376070666
|
|
PiperOrigin-RevId: 376022495
|
|
PiperOrigin-RevId: 375977977
|
|
...and use manual clocks in forwarding and link resolution tests.
Fixes #5141.
Fixes #6012.
PiperOrigin-RevId: 375939167
|
|
Updates #5939.
Updates #6012.
RELNOTES: n/a
PiperOrigin-RevId: 375931554
|
|
Introduce tcpip.MonotonicTime; replace int64 in tcpip.Clock method
returns with time.Time and MonotonicTime to improve type safety and
ensure that monotonic clock readings are never compared to wall clock
readings.
PiperOrigin-RevId: 375775907
|
|
Remove redundant interface.
PiperOrigin-RevId: 375756254
|
|
PiperOrigin-RevId: 375728461
|
|
- Unused constants
- Unused functions
- Unused arguments
- Unkeyed literals
- Unnecessary conversions
PiperOrigin-RevId: 375253464
|
|
This change also includes miscellaneous improvements:
* UnknownProtocolRcvdPackets has been separated into two stats, to
specify at which layer the unknown protocol was found (L3 or L4)
* MalformedRcvdPacket is not aggregated across every endpoint anymore.
Doing it this way did not add useful information, and it was also error-prone
(example: ipv6 forgot to increment this aggregated stat, it only
incremented its own ipv6.MalformedPacketsReceived). It is now only incremented
the NIC.
* Removed TestStatsString test which was outdated and had no real
utility.
PiperOrigin-RevId: 375057472
|
|
Before this change, we would silently drop packets when link resolution
failed. This change brings us into line with RFC 792 (IPv4) and RFC 4443 (IPv6),
both of which specify that gateways should return an ICMP error to the sender
when link resolution fails.
PiperOrigin-RevId: 374699789
|
|
PiperOrigin-RevId: 374464969
|
|
Make sure that the initial configurations used by the DAD state is
valid.
Before this change, an invalid DAD configuration (with a zero-valued
retransmit timer) was used so the DAD state would attempt to resolve
DAD immediately.
This lead to a deadlock in TestDADResolve as when DAD resolves, the
stack notifies the NDP dispatcher which would attempt to write to an
unbuffered channel while holding a lock. The test goroutine also
attempts to obtain a stack.Route (before receiving from the channel)
which ends up attempting to take the same lock.
Test: stack_test.TestDADResolve
PiperOrigin-RevId: 373888540
|
|
...instead of per NetworkProtocol to better conform with linux
(https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt):
```
conf/interface/*
forwarding - BOOLEAN
Enable IP forwarding on this interface. This controls whether packets
received _on_ this interface can be forwarded.
```
Fixes #5932.
PiperOrigin-RevId: 373888000
|
|
headerOffset() is incorrectly taking account of previous push(), so it thinks
there is more data to consume. This change switches to use pk.reserved as
pivot point.
Reported-by: syzbot+64fef9acd509976f9ce7@syzkaller.appspotmail.com
PiperOrigin-RevId: 373846283
|
|
This change updates the forwarding path to perform the forwarding hook
with iptables so that the filter table is consulted before a packet is
forwarded
Updates #170.
Test: iptables_test.TestForwardingHook
PiperOrigin-RevId: 373702359
|
