Age | Commit message (Collapse) | Author |
|
Users that never set iptables rules shouldn't incur the iptables performance
cost. Suggested by Ian (@iangudger).
PiperOrigin-RevId: 317232921
|
|
Metadata was useful for debugging and safety, but enough tests exist that we
should see failures when (de)serialization is broken. It made stack
initialization more cumbersome and it's also getting in the way of ip6tables.
PiperOrigin-RevId: 317210653
|
|
When a tcp.timer or tcpip.Route is no longer used, clean up its
resources so that unused memory may be released.
PiperOrigin-RevId: 317046582
|
|
... to help reduce flakes.
When waiting for an event to occur, use a timeout of 10s. When waiting
for an event to not occur, use a timeout of 1s.
Test: Ran test locally w/ run count of 1000 with and without gotsan.
PiperOrigin-RevId: 316998128
|
|
Tentative addresses should not be used when finding a route. This change
fixes a bug where a tentative address may have been used.
Test: stack_test.TestDADResolve
PiperOrigin-RevId: 315997624
|
|
On UDP sockets, SO_REUSEADDR allows multiple sockets to bind to the same
address, but only delivers packets to the most recently bound socket. This
differs from the behavior of SO_REUSEADDR on TCP sockets. SO_REUSEADDR for TCP
sockets will likely need an almost completely independent implementation.
SO_REUSEADDR has some odd interactions with the similar SO_REUSEPORT. These
interactions are tested fairly extensively and all but one particularly odd
one (that honestly seems like a bug) behave the same on gVisor and Linux.
PiperOrigin-RevId: 315844832
|
|
NDP packets are sent periodically from NDP timers. These timers do not
hold the NIC lock when sending packets as the packet write operation
may take some time. While the lock is not held, the NIC may be removed
by some other goroutine. This change handles that scenario gracefully.
Test: stack_test.TestRemoveNICWhileHandlingRSTimer
PiperOrigin-RevId: 315524143
|
|
Netstack has traditionally parsed headers on-demand as a packet moves up the
stack. This is conceptually simple and convenient, but incompatible with
iptables, where headers can be inspected and mangled before even a routing
decision is made.
This changes header parsing to happen early in the incoming packet path, as soon
as the NIC gets the packet from a link endpoint. Even if an invalid packet is
found (e.g. a TCP header of insufficient length), the packet is passed up the
stack for proper stats bookkeeping.
PiperOrigin-RevId: 315179302
|
|
PiperOrigin-RevId: 315041419
|
|
Loopback traffic is not affected by rules in the PREROUTING chain.
This change is also necessary for istio's envoy to talk to other
components in the same pod.
|
|
IPTables.connections contains a sync.RWMutex. Copying it will trigger copylocks
analysis. Tested by manually enabling nogo tests.
sync.RWMutex is added to IPTables for the additional race condition discovered.
PiperOrigin-RevId: 314817019
|
|
Historically we've been passing PacketBuffer by shallow copying through out
the stack. Right now, this is only correct as the caller would not use
PacketBuffer after passing into the next layer in netstack.
With new buffer management effort in gVisor/netstack, PacketBuffer will
own a Buffer (to be added). Internally, both PacketBuffer and Buffer may
have pointers and shallow copying shouldn't be used.
Updates #2404.
PiperOrigin-RevId: 314610879
|
|
PiperOrigin-RevId: 313842690
|
|
Updates #2404.
PiperOrigin-RevId: 313834784
|
|
|
|
The specified LinkEndpoint is not being used in a significant way.
No behavior change, existing tests pass.
This change is a breaking change.
PiperOrigin-RevId: 313496602
|
|
* Aggregate architecture Overview in "What is gVisor?" as it makes more sense
in one place.
* Drop "user-space kernel" and use "application kernel". The term "user-space
kernel" is confusing when some platform implementation do not run in
user-space (instead running in guest ring zero).
* Clear up the relationship between the Platform page in the user guide and the
Platform page in the architecture guide, and ensure they are cross-linked.
* Restore the call-to-action quick start link in the main page, and drop the
GitHub link (which also appears in the top-right).
* Improve image formatting by centering all doc and blog images, and move the
image captions to the alt text.
PiperOrigin-RevId: 311845158
|
|
Enables commands with -o (--out-interface) for iptables rules.
$ iptables -A OUTPUT -o eth0 -j ACCEPT
PiperOrigin-RevId: 310642286
|
|
Do not assume that networks need any DHCPv6 configurations. Instead,
notify the NDP dispatcher in response to the first NDP RA's DHCPv6
flags, even if the flags indicate no DHCPv6 configurations are
available.
PiperOrigin-RevId: 310245068
|
|
Connection tracking is used to track packets in prerouting and
output hooks of iptables. The NAT rules modify the tuples in
connections. The connection tracking code modifies the packets by
looking at the modified tuples.
|
|
If the NIC already has a generated SLAAC address, regenerate a new SLAAC
address until one is generated that does not conflict with the NIC's
existing addresses, up to a maximum of 10 attempts.
This applies to both stable and temporary SLAAC addresses.
Test: stack_test.TestMixedSLAACAddrConflictRegen
PiperOrigin-RevId: 309495628
|
|
PiperOrigin-RevId: 309491861
|
|
Updates #231
PiperOrigin-RevId: 309323808
|
|
Implement rule 7 of Source Address Selection RFC 6724 section 5. This
makes temporary (short-lived) addresses preferred over non-temporary
addresses when earlier rules are equal.
Test: stack_test.TestIPv6SourceAddressSelectionScopeAndSameAddress
PiperOrigin-RevId: 309250975
|
|
Support generating temporary (short-lived) IPv6 SLAAC addresses to
address privacy concerns outlined in RFC 4941.
Tests:
- stack_test.TestAutoGenTempAddr
- stack_test.TestNoAutoGenTempAddrForLinkLocal
- stack_test.TestAutoGenTempAddrRegen
- stack_test.TestAutoGenTempAddrRegenTimerUpdates
- stack_test.TestNoAutoGenTempAddrWithoutStableAddr
- stack_test.TestAutoGenAddrInResponseToDADConflicts
PiperOrigin-RevId: 308915566
|
|
PiperOrigin-RevId: 308674219
|
|
A CancellableTimer's AfterFunc timer instance creates a closure over the
CancellableTimer's address. This closure makes a CancellableTimer unsafe
to copy.
No behaviour change, existing tests pass.
PiperOrigin-RevId: 308306664
|
|
These methods let users eaily break the VectorisedView abstraction, and
allowed netstack to slip into pseudo-enforcement of the "all headers are
in the first View" invariant. Removing them and replacing with PullUp(n)
breaks this reliance and will make it easier to add iptables support and
rework network buffer management.
The new View.PullUp(n) method is low cost in the common case, when when
all the headers fit in the first View.
PiperOrigin-RevId: 308163542
|
|
PiperOrigin-RevId: 307598974
|
|
PiperOrigin-RevId: 307477185
|
|
Inform the netstack integrator when the netstack receives an NDP Router
Advertisement message with the NDP DNS Search List option with at least
one domain name. The stack will not maintain any state related to the
search list - the integrator is expected to maintain any required state
and invalidate domain names after their lifetime expires, or refresh the
lifetime when a new one is received for a known domain name.
Test:
- header_test.TestNDPDNSSearchListOption
- header_test.TestNDPDNSSearchListOptionSerialize
- header_test.TestNDPSearchListOptionDomainNameLabelInvalidSymbols
- header_test.TestNDPOptionsIterCheck
- stack_test.TestNDPDNSSearchListDispatch
PiperOrigin-RevId: 307109375
|
|
These methods let users eaily break the VectorisedView abstraction, and
allowed netstack to slip into pseudo-enforcement of the "all headers are
in the first View" invariant. Removing them and replacing with PullUp(n)
breaks this reliance and will make it easier to add iptables support and
rework network buffer management.
The new View.PullUp(n) method is low cost in the common case, when when
all the headers fit in the first View.
|
|
Test: header_test.TestNDPOptionsIterCheck
PiperOrigin-RevId: 306953867
|
|
As per RFC 7217 section 6, attempt to regenerate IPv6 SLAAC address in response
to a DAD conflict if the address was generated with an opaque IID as outlined in
RFC 7217 section 5.
Test:
- stack_test.TestAutoGenAddrWithOpaqueIIDDADRetries
- stack_test.TestAutoGenAddrWithEUI64IIDNoDADRetries
- stack_test.TestAutoGenAddrContinuesLifetimesAfterRetry
PiperOrigin-RevId: 306555645
|
|
PiperOrigin-RevId: 305807868
|
|
PiperOrigin-RevId: 305699233
|
|
Updates #2243
|
|
Updates #2243
|
|
Software GSO implementation currently has a complicated code path with
implicit assumptions that all packets to WritePackets carry same Data
and it does this to avoid allocations on the path etc. But this makes it
hard to reuse the WritePackets API.
This change breaks all such assumptions by introducing a new Vectorised
View API ReadToVV which can be used to cleanly split a VV into multiple
independent VVs. Further this change also makes packet buffers linkable
to form an intrusive list. This allows us to get rid of the array of
packet buffers that are passed in the WritePackets API call and replace
it with a list of packet buffers.
While this code does introduce some more allocations in the benchmarks
it doesn't cause any degradation.
Updates #231
PiperOrigin-RevId: 304731742
|
|
Timeouts were increased to deflake pkg/tcpip/stack:stack_x_test tests
that depend on timers. Some timeouts used previously were intended for
tests that do not depend on timers, so this change updates those
timeouts to give more time for a timer-based event to occur. This
change also de-parallelizes non-subtests to reduce the number of active
timers.
Test: bazel test //pkg/tcpip/stack:stack_x_test --runs_per_test=500
PiperOrigin-RevId: 304287622
|
|
PiperOrigin-RevId: 303212189
|
|
This feature will match UID and GID of the packet creator, for locally
generated packets. This match is only valid in the OUTPUT and POSTROUTING
chains. Forwarded packets do not have any socket associated with them.
Packets from kernel threads do have a socket, but usually no owner.
|
|
PiperOrigin-RevId: 303156734
|
|
- Change receiver of endpoint lookup functions
- Remove unused struct fields and functions in test
- s/%v/%s/ for errors
- Capitalize NIC
https://github.com/golang/go/wiki/CodeReviewComments#initialisms
PiperOrigin-RevId: 303119580
|
|
This allows the link layer endpoints to consistenly hash a TCP
segment to a single underlying queue in case a link layer endpoint
does support multiple underlying queues.
Updates #231
PiperOrigin-RevId: 302760664
|
|
This is a precursor to be being able to build an intrusive list
of PacketBuffers for use in queuing disciplines being implemented.
Updates #2214
PiperOrigin-RevId: 302677662
|
|
Previously, SLAAC related state was stored on a per-address basis. This was
sufficient for the simple case of a single SLAAC address per prefix, but
future CLs will introduce temporary addresses which will result in multiple
SLAAC addresses for a prefix. This refactor allows storing multiple addresses
for a prefix in a single SLAAC prefix state.
No behaviour changes - existing tests continue to pass.
PiperOrigin-RevId: 300832812
|
|
When a NIC is removed, attempt to disable the NIC first to cleanup
dynamic state and stop ongoing periodic tasks (e.g. IPv6 router
solicitations, DAD) so that a removed NIC does not attempt to send
packets.
Tests:
- stack_test.TestRemoveUnknownNIC
- stack_test.TestRemoveNIC
- stack_test.TestDADStop
- stack_test.TestCleanupNDPState
- stack_test.TestRouteWithDownNIC
- stack_test.TestStopStartSolicitingRouters
PiperOrigin-RevId: 300805857
|
|
- Don't allocate []*endpointsByNic in transportDemuxer.deliverPacket() unless
actually needed for UDP broadcast/multicast.
- Don't allocate []*endpointsByNic via transportDemuxer.findEndpointLocked()
=> transportDemuxer.findAllEndpointsLocked().
- Skip unnecessary map lookups in transportDemuxer.findEndpointLocked() =>
transportDemuxer.findAllEndpointsLocked() (now iterEndpointsLocked).
For most deliverable packets other than UDP broadcast/multicast packets, this
saves two slice allocations and three map lookups per packet.
PiperOrigin-RevId: 300804135
|
|
LinkEndpoints may expect/assume that the a tcpip.PacketBuffer's Header
has enough capacity for its own headers, as per documentation for
LinkEndpoint.MaxHeaderLength.
Test: stack_test.TestNICForwarding
PiperOrigin-RevId: 300784192
|