| Age | Commit message (Collapse) | Author |
|---|
|
Updates #5940.
PiperOrigin-RevId: 380668609
|
|
epsByNIC.registerEndpoint can add a multiportEndpoint to its map of
nic->multiportEndpoint even if multiport.Endpoint.singleRegisterEndpoint
failed. Same for transportDemuxer.singleRegisterEndpoint which ends up adding an
entry to nic->epsByNIC even if epsByNIC.registerEndpoint fails.
These breaks an invariant which the code assumes that a
multiportEndpoint/endpointsByNIC always have at least one valid entry.
PiperOrigin-RevId: 380310115
|
|
RFC 4191 supports the notion of a preference value for default routers
and more-specific routes, so update the OffLinkRouteUpdate event to
include this preference value so integrators may prioritize routes
based on a route's advertised preference value.
Note, more-specific route discovery is not supported yet, but will be in
a later change.
Updates #6172.
Test: ndp_test.TestRouterDiscovery
PiperOrigin-RevId: 380243716
|
|
Also makes the behavior of raw sockets WRT fragmentation clearer, and makes the
ICMPv4 header-length check explicit.
Fixes #3160.
PiperOrigin-RevId: 380033450
|
|
This change prepares for a later change which supports the NDP
Route Information option to discover more-specific routes, as
per RFC 4191.
Updates #6172.
PiperOrigin-RevId: 379361330
|
|
There are many references to unimplemented iptables features that link to #170,
but that bug is about Istio support specifically. Istio is supported, so the
references should change.
Some TODOs are addressed, some removed because they are not features requested
by users, and some are left as implementation notes.
Fixes #170.
PiperOrigin-RevId: 379328488
|
|
Before this change, the NDPDispatcher was allowed to "cancel" the
discovery of default routers/prefixes and auto-generate addresses.
No use case exists for this today so we drop this for now. If a
use case comes up in the future, we should instead invalidate the
discovered configuration through the stack instead of during
discovery.
PiperOrigin-RevId: 379327009
|
|
As per https://linux.die.net/man/8/iptables,
```
Parameters
-i, --in-interface [!] name
Name of an interface via which a packet was received (only for
packets entering the INPUT, FORWARD and PREROUTING chains).
```
Before this change, iptables would use the NIC that a packet was
delivered to after forwarding a packet locally (when forwarding is
enabled) instead of the NIC the packet arrived at.
Updates #170, #3549.
Test: iptables_test.TestInputHookWithLocalForwarding
PiperOrigin-RevId: 377714971
|
|
- Typos
- Unused arguments
- Useless conversions
PiperOrigin-RevId: 376362730
|
|
Testing only TestBindToDeviceDistribution decreased from 24s to 11s, and with
TSAN from 186s to 21s.
Note: using `t.Parallel()` actually slows the test down.
PiperOrigin-RevId: 376251420
|
|
...except TCP tests and NDP tests that mutate globals. These will be
undertaken later.
Updates #5940.
PiperOrigin-RevId: 376145608
|
|
- Don't shadow package name
- Don't defer in a loop
- Remove unnecessary type conversion
PiperOrigin-RevId: 376137822
|
|
...except in tests.
Note this replaces some uses of a cryptographic RNG with a plain RNG.
PiperOrigin-RevId: 376070666
|
|
PiperOrigin-RevId: 376022495
|
|
PiperOrigin-RevId: 375977977
|
|
...and use manual clocks in forwarding and link resolution tests.
Fixes #5141.
Fixes #6012.
PiperOrigin-RevId: 375939167
|
|
Updates #5939.
Updates #6012.
RELNOTES: n/a
PiperOrigin-RevId: 375931554
|
|
Introduce tcpip.MonotonicTime; replace int64 in tcpip.Clock method
returns with time.Time and MonotonicTime to improve type safety and
ensure that monotonic clock readings are never compared to wall clock
readings.
PiperOrigin-RevId: 375775907
|
|
Remove redundant interface.
PiperOrigin-RevId: 375756254
|
|
PiperOrigin-RevId: 375728461
|
|
- Unused constants
- Unused functions
- Unused arguments
- Unkeyed literals
- Unnecessary conversions
PiperOrigin-RevId: 375253464
|
|
This change also includes miscellaneous improvements:
* UnknownProtocolRcvdPackets has been separated into two stats, to
specify at which layer the unknown protocol was found (L3 or L4)
* MalformedRcvdPacket is not aggregated across every endpoint anymore.
Doing it this way did not add useful information, and it was also error-prone
(example: ipv6 forgot to increment this aggregated stat, it only
incremented its own ipv6.MalformedPacketsReceived). It is now only incremented
the NIC.
* Removed TestStatsString test which was outdated and had no real
utility.
PiperOrigin-RevId: 375057472
|
|
Before this change, we would silently drop packets when link resolution
failed. This change brings us into line with RFC 792 (IPv4) and RFC 4443 (IPv6),
both of which specify that gateways should return an ICMP error to the sender
when link resolution fails.
PiperOrigin-RevId: 374699789
|
|
PiperOrigin-RevId: 374464969
|
|
Make sure that the initial configurations used by the DAD state is
valid.
Before this change, an invalid DAD configuration (with a zero-valued
retransmit timer) was used so the DAD state would attempt to resolve
DAD immediately.
This lead to a deadlock in TestDADResolve as when DAD resolves, the
stack notifies the NDP dispatcher which would attempt to write to an
unbuffered channel while holding a lock. The test goroutine also
attempts to obtain a stack.Route (before receiving from the channel)
which ends up attempting to take the same lock.
Test: stack_test.TestDADResolve
PiperOrigin-RevId: 373888540
|
|
...instead of per NetworkProtocol to better conform with linux
(https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt):
```
conf/interface/*
forwarding - BOOLEAN
Enable IP forwarding on this interface. This controls whether packets
received _on_ this interface can be forwarded.
```
Fixes #5932.
PiperOrigin-RevId: 373888000
|
|
headerOffset() is incorrectly taking account of previous push(), so it thinks
there is more data to consume. This change switches to use pk.reserved as
pivot point.
Reported-by: syzbot+64fef9acd509976f9ce7@syzkaller.appspotmail.com
PiperOrigin-RevId: 373846283
|
|
This change updates the forwarding path to perform the forwarding hook
with iptables so that the filter table is consulted before a packet is
forwarded
Updates #170.
Test: iptables_test.TestForwardingHook
PiperOrigin-RevId: 373702359
|
|
Benchmark iperf3:
Before After
native->runsc 5.14 5.01 (Gbps)
runsc->native 4.15 4.07 (Gbps)
It did introduce overhead, mainly at the bridge between pkg/buffer and
VectorisedView, the ExtractVV method. Once endpoints start migrating away from
VV, this overhead will be gone.
Updates #2404
PiperOrigin-RevId: 373651666
|
|
...to make it clear to callers that all interfaces are updated with the
forwarding flag and that future NICs will be created with the new
forwarding state.
PiperOrigin-RevId: 373618435
|
|
Before this change, we would silently drop packets when the packet was too
big to be sent out through the NIC (and, for IPv4 packets, if DF was set).
This change brings us into line with RFC 792 (IPv4) and RFC 4443 (IPv6),
both of which specify that gateways should return an ICMP error to the sender
when the packet can't be fragmented.
PiperOrigin-RevId: 373480078
|
|
PiperOrigin-RevId: 373271579
|
|
This is a hot path for all incoming packets and we don't
need an exclusive lock here as we are not modifying any
of the fields protected by mu here.
PiperOrigin-RevId: 373181254
|
|
|
|
...to conform with Linux's `accept_ra` sysctl option.
```
accept_ra - INTEGER
Accept Router Advertisements; autoconfigure using them.
It also determines whether or not to transmit Router
Solicitations. If and only if the functional setting is to
accept Router Advertisements, Router Solicitations will be
transmitted.
Possible values are:
0 Do not accept Router Advertisements.
1 Accept Router Advertisements if forwarding is disabled.
2 Overrule forwarding behaviour. Accept Router Advertisements
even if forwarding is enabled.
Functional default: enabled if local forwarding is disabled.
disabled if local forwarding is enabled.
```
With this change, routers may be solicited even if the stack is has
forwarding enabled, as long as the interface is configured to handle
RAs when forwarding is enabled.
PiperOrigin-RevId: 372406501
|
|
...to conform with Linux's `accept_ra` sysctl option.
```
accept_ra - INTEGER
Accept Router Advertisements; autoconfigure using them.
It also determines whether or not to transmit Router
Solicitations. If and only if the functional setting is to
accept Router Advertisements, Router Solicitations will be
transmitted.
Possible values are:
0 Do not accept Router Advertisements.
1 Accept Router Advertisements if forwarding is disabled.
2 Overrule forwarding behaviour. Accept Router Advertisements
even if forwarding is enabled.
Functional default: enabled if local forwarding is disabled.
disabled if local forwarding is enabled.
```
PiperOrigin-RevId: 372214640
|
|
...to match linux behaviour:
```
$ sudo sysctl net.ipv6.conf.eno1.forwarding
net.ipv6.conf.eno1.forwarding = 0
$ ip addr list dev eno1
2: eno1: <...> ...
inet6 PREFIX:TEMP_IID/64 scope global temporary dynamic
valid_lft 209363sec preferred_lft 64024sec
inet6 PREFIX:GLOBAL_STABLE_IID/64 scope global dynamic mngtmpaddr ...
valid_lft 209363sec preferred_lft 209363sec
inet6 fe80::LINKLOCAL_STABLE_IID/64 scope link
valid_lft forever preferred_lft forever
$ sudo sysctl -w "net.ipv6.conf.all.forwarding=1"
net.ipv6.conf.all.forwarding = 1
$ sudo sysctl net.ipv6.conf.eno1.forwarding
net.ipv6.conf.eno1.forwarding = 1
$ ip addr list dev eno1
2: eno1: <...> ...
inet6 PREFIX:TEMP_IID/64 scope global temporary dynamic
valid_lft 209339sec preferred_lft 64000sec
inet6 PREFIX:GLOBAL_STABLE_IID/64 scope global dynamic mngtmpaddr ...
valid_lft 209339sec preferred_lft 209339sec
inet6 fe80::LINKLOCAL_STABLE_IID/64 scope link
valid_lft forever preferred_lft forever
$ ip -6 route list
...
PREFIX::/64 dev eno1 proto ra metric 100 expires 209241sec pref medium
default via fe80::ROUTER_IID dev eno1 proto ra ...
```
PiperOrigin-RevId: 372146689
|
|
Previously, tcpip.StdClock depended on linking with the unexposed method
time.now to implement tcpip.Clock using the time package. This change
updates the standard clock to not require manually linking to this
unexported method and use publicly documented functions from the time
package.
PiperOrigin-RevId: 371805101
|
|
...as all GSO capable endpoints must implement GSOEndpoint.
PiperOrigin-RevId: 371804175
|
|
Not really designed to be used this way, but it works and it's been relied
upon. Add a test.
PiperOrigin-RevId: 371802756
|
|
PiperOrigin-RevId: 371231148
|
|
... it may now invalidate backing slice references
This is currently safe because TrimFront() in VectorisedView only shrinks the
view. This may not hold under the a different buffer implementation.
Reordering method calls order to allow this.
PiperOrigin-RevId: 371167610
|
|
With this change, GSO options no longer needs to be passed around as
a function argument in the write path.
This change is done in preparation for a later change that defers
segmentation, and may change GSO options for a packet as it flows
down the stack.
Updates #170.
PiperOrigin-RevId: 369774872
|
|
Fixes #2926, #674
PiperOrigin-RevId: 369457123
|
|
This change replaces individual private members in tcp.endpoint with a single
private TCPEndpointState member.
Some internal substructures within endpoint (receiver, sender) have been broken
into a public substructure (which is then copied into the TCPEndpointState
returned from completeState()) alongside other private fields.
Fixes #4466
PiperOrigin-RevId: 369329514
|
|
This fixes a race that occurs while the endpoint is being unregistered
and the transport demuxer attempts to match the incoming packet to any
endpoint. The race specifically occurs when the unregistration (and
deletion of the endpoint) occurs, after a successful endpointsByNIC
lookup and before the endpoints map is further looked up with ingress
NICID of the packet.
The fix is to notify the caller of lookup-with-NICID failure, so that
the logic falls through to handling unknown destination packets.
For TCP this can mean replying back with RST.
The syscall test in this CL catches this race as the ACK completing the
handshake could get silently dropped on a listener close, causing no
RST sent to the peer and timing out the poll waiting for POLLHUP.
Fixes #5850
PiperOrigin-RevId: 369023779
|
|
This was semi-automated -- there are many addresses that were not replaced.
Future commits should clean those up.
Parse4 and Parse6 were given their own package because //pkg/test can introduce
dependency cycles, as it depends transitively on //pkg/tcpip and some other
netstack packages.
PiperOrigin-RevId: 368726528
|
|
The current SNAT implementation has several limitations:
- SNAT source port has to be specified. It is not optional.
- SNAT source port range is not supported.
- SNAT for UDP is a one-way translation. No response packets
are handled (because conntrack doesn't support UDP currently).
- SNAT and REDIRECT can't work on the same connection.
Fixes #5489
PiperOrigin-RevId: 367750325
|
|
To match the V4 variant.
PiperOrigin-RevId: 367691981
|
|
See comments inline code for rationale.
Test: ip_test.TestJoinLeaveAllRoutersGroup
PiperOrigin-RevId: 367449434
|
