| Age | Commit message (Collapse) | Author |
|---|
|
...and have `CheckOutputPackets`, `CheckPostroutingPackets` call their
equivalent methods that operate on a single packet buffer directly.
This is so that the `Check{Output, Postrouting}Packets` methods may
leverage any hook-specific work that `Check{Output, Postrouting}`
may perform.
Note: Later changes will add hook-specific logic to the
`Check{Output, Postrouting}` methods.
PiperOrigin-RevId: 400255651
|
|
|
|
...to save a call to `ConnTrack.connFor` when callers already have a
reference to the ConnTrack entry.
PiperOrigin-RevId: 400244955
|
|
|
|
This obsoletes the need for the pendingMu and pending, since they are redundant
with acceptMu and pendingAccepted.
Fixes #6671.
PiperOrigin-RevId: 400162391
|
|
|
|
PiperOrigin-RevId: 399765414
|
|
|
|
Rename cap -> capacity to avoid collision with the builtin.
PiperOrigin-RevId: 399753630
|
|
|
|
This is redundant with listenContext.pendingEndpoints
PiperOrigin-RevId: 399722472
|
|
|
|
This function has only one caller.
Remove segment reference count manipulation since it is only used
synchronously.
PiperOrigin-RevId: 399525343
|
|
|
|
* Does not accept a port range (Issue #5772).
* Does not support checking for tuple conflits (Issue #5773).
PiperOrigin-RevId: 399524088
|
|
|
|
PiperOrigin-RevId: 399276940
|
|
|
|
PacketData should not be modified and should be treated readonly because it
represents packet payload. The old DeleteFront method allowed callers to modify
the underlying buffer which should not be allowed.
Added a way to consume from the PacketData instead of deleting from it.
Updated call points to use that instead.
Reported-by: syzbot+faee5cb350f769a52d1b@syzkaller.appspotmail.com
PiperOrigin-RevId: 399268473
|
|
|
|
There's no need for synthetic keys here.
PiperOrigin-RevId: 399263134
|
|
|
|
...instead of an address.
This allows a later change to more precisely select an address
based on the NAT type (source vs. destination NAT).
PiperOrigin-RevId: 398559901
|
|
|
|
PiperOrigin-RevId: 398559780
|
|
|
|
An ICMP endpoint's write path can use the datagram-based endpoint.
Updates #6565.
Test: Datagram-based generic socket + ICMP/ping syscall tests.
PiperOrigin-RevId: 398539844
|
|
|
|
...to make it clear what arguments are needed per hook.
PiperOrigin-RevId: 398538776
|
|
|
|
This circular reference is misleading at best, and the various code and
commentary that claim `listenEP` can be nil are impossible by
definition.
Add checklocks annotations to enforce preconditions.
PiperOrigin-RevId: 398517574
|
|
|
|
This will enable NAT to be performed on UDP packets that are sent
in response to packets sent by the stack.
This will also enable ICMP errors to be properly NAT-ed in response
to UDP packets (#5916).
Updates #5915.
PiperOrigin-RevId: 398373251
|
|
This prevents go module errors of the form
found packages tcp (accept.go) and rcv (rcv_test.go) in ...
PiperOrigin-RevId: 398370042
|
|
|
|
As per https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
linux does not limit ICMP Echos by default.
icmp_ratemask - INTEGER
Mask made of ICMP types for which rates are being limited.
Significant bits: IHGFEDCBA9876543210
Default mask: 0000001100000011000 (6168)
Bit definitions (see include/linux/icmp.h):
0 Echo Reply
3 Destination Unreachable *
4 Source Quench *
5 Redirect
8 Echo Request
B Time Exceeded *
C Parameter Problem *
D Timestamp Request
E Timestamp Reply
F Info Request
G Info Reply
H Address Mask Request
I Address Mask Reply
* These are rate limited by default (see default mask above)
Equivalently for ICMPv6.
Lay out foundation for ICMP rate masks, exposing that configuration will be
addressed later when the need arises (#6521).
Fixes #6519
PiperOrigin-RevId: 398337963
|
|
|
|
Turns out certain features of iptables (e.g. NAT) will not perform
any checks/work unless both the Network and Transport headers are
populated.
With this change, provide the packet directly to the outgoing
network endpoint's `writePacket` method instead of going
through `WriteHeaderIncludedPacket` which expected the headers
to not be set.
PiperOrigin-RevId: 398304004
|
|
|
|
Fixes #6495
PiperOrigin-RevId: 398121921
|
|
|
|
Before this change, when a new connection was created after receiving
an ACK that matched a SYN-cookie, it was always delivered asynchronously
to the accept queue. There was a chance that the listening endpoint
would process a SYN from another client before the delivery happened,
and the listening endpoint would not know yet that the queue was about
to be full, once the delivery happened.
Now, when an ACK matching a SYN-cookie is received, the new endpoint is
created and moved to the accept queue synchronously, while holding the
accept lock.
Fixes #6545
PiperOrigin-RevId: 398107254
|
|
|
|
Updates #6621
PiperOrigin-RevId: 397898852
|
|
|
|
Once a packet socket is bound to a network protocol, it cannot be
unbound from that protocol; the network protocol binding may only be
updated to a different network protocol.
To comply with Linux.
PiperOrigin-RevId: 397810878
|
|
|
|
PiperOrigin-RevId: 397631833
|
|
|
|
PiperOrigin-RevId: 397496920
|
