| Age | Commit message (Collapse) | Author |
|---|
|
|
|
Use the static method instead; these methods encourage callers to retain
a pointer to the entire stack rather than only its clock which they
require.
PiperOrigin-RevId: 408651956
|
|
|
|
PiperOrigin-RevId: 408426639
|
|
|
|
These fields do not need to synchronize reads/writes with the rest of
the connection.
PiperOrigin-RevId: 407183693
|
|
|
|
This change fixes a bug when reaping tuples of NAT-ed connections.
Previously when reaping a tuple, the other direction's tuple ID was
calculated by taking the reaping tuple's ID and inverting it. This
works when a connection is not NATed but doesn't work when NAT is
performed as the other direction's tuple may use different
addresses.
PiperOrigin-RevId: 407160930
|
|
|
|
An ICMP error may not hold the full packet that triggered the ICMP
response. As long as the IP header and the transport header is
parsable, we should be able to successfully NAT as that is all that
we need to identify the connection.
PiperOrigin-RevId: 406966048
|
|
|
|
...so a NAT-ed connection's socket can handle ICMP errors.
Updates #5916.
PiperOrigin-RevId: 406270868
|
|
|
|
Connection tracking is agnostic to whether the packet is inbound or outbound. It
cares who initiated the connection. The naming can get confusing as conntrack
can track connections originating from any host.
Part of resolving #6736.
PiperOrigin-RevId: 405997540
|
|
|
|
...so a NAT-ed connection's socket can handle ICMP errors.
Updates #5916.
PiperOrigin-RevId: 405970089
|
|
|
|
Previously, we recorded a single aggregated count. These per-protocol counts
can help us debug field issues when frames are dropped for this reason.
PiperOrigin-RevId: 405913911
|
|
|
|
..including ICMP headers before delivering them to the
TransportDispatcher.
Updates #3810.
PiperOrigin-RevId: 404404002
|
|
|
|
Reaping an expired tuple removes it from its bucket so we need to grab
the succeeding tuple in the bucket before reaping the expired tuple.
Before this change, only the first expired tuple in a bucket was reaped
per reaper run on the bucket. This change just allows more connections
to be reaped.
PiperOrigin-RevId: 404392925
|
|
|
|
This prevents reaping connections unnecessarily early. This change both moves
the state update to the beginning of handlePacket and fixes a bug where
un-finalized connections could become un-reapable.
Fixes #6748
PiperOrigin-RevId: 404141012
|
|
|
|
- We should be using a monotonic clock
- This will make future testing easier
Updates #6748.
PiperOrigin-RevId: 404072318
|
|
|
|
Fixes #6590
PiperOrigin-RevId: 404007524
|
|
|
|
...since direction can only hold one of two possible values.
PiperOrigin-RevId: 402855698
|
|
|
|
This CL allows both SNAT and DNAT targets to be performed on the same
packet.
Fixes #5696.
PiperOrigin-RevId: 402714738
|
|
|
|
This change also refactors the conntrack packet handling code
to not perform the actual rewriting of the packet while holding
the lock.
This change prepares for a followup CL that adds support for twice-NAT.
Updates #5696.
PiperOrigin-RevId: 402671685
|
|
|
|
PiperOrigin-RevId: 402468096
|
|
|
|
- Implements RFC 3522 (Eifel detection algorithm) to detect if the connection
entered loss recovery unnecessarily.
- Added a new metric to count the total number of spurious loss recoveries.
- Added tests to verify the new metric.
PiperOrigin-RevId: 401637359
|
|
|
|
PiperOrigin-RevId: 401620449
|
|
|
|
...all connections should be tracked by ConnTrack, so create a no-op
connection entry on the first hook into IPTables (Prerouting or
Output) and let NAT targets modify the connection entry if they
need to instead of letting the NAT target create their own connection
entry.
This also prepares for "twice-NAT" where a packet may have both DNAT and
SNAT performed on it (which requires the ability to update ConnTrack
entries).
Updates #5696.
PiperOrigin-RevId: 401360377
|
|
|
|
We should avoid taking the write lock to avoid contention when looking
for a packet's tracked connection.
No need to reap timed out connections when looking for connections
as the reaper (which runs periodically) will handle that.
PiperOrigin-RevId: 400322514
|
|
|
|
Move the hook specific logic to the IPTables hook functions.
This lets us avoid having to perform checks on the hook to determine
what action to take.
Later changes will drop the need for handlePacket's return value,
reducing the value of this function that all hooks call into.
PiperOrigin-RevId: 400298023
|
|
|
|
...as the packet's direction gives us the information that tcbHook is
used to derive.
PiperOrigin-RevId: 400280102
|
|
|
|
...to catch lock-related bugs in nogo tests.
Updates #6566.
PiperOrigin-RevId: 400265818
|
