Age | Commit message (Collapse) | Author |
|
Fixes #5490
PiperOrigin-RevId: 359401532
|
|
Previously, when DAD would detect a conflict for a temporary address,
the address would be removed but its timers would not be stopped,
resulting in a panic when the removed address's invalidation timer
fired.
While I'm here, remove the check for unicast-ness on removed address
endpoints since multicast addresses are no longer stored in the same
structure as unicast addresses as of 27ee4fe76ad586ac8751951a842b3681f93.
Test: stack_test.TestMixedSLAACAddrConflictRegen
PiperOrigin-RevId: 359344849
|
|
- Use atomic add rather than CAS in every Gate method, which is slightly
faster in most cases.
- Implement Close wakeup using gopark/goready to avoid channel allocation.
New benchmarks:
name old time/op new time/op delta
GateEnterLeave-12 16.7ns ± 1% 10.3ns ± 1% -38.44% (p=0.000 n=9+8)
GateClose-12 50.2ns ± 8% 42.4ns ± 6% -15.44% (p=0.000 n=10+10)
GateEnterLeaveAsyncClose-12 972ns ± 2% 640ns ± 7% -34.15% (p=0.000 n=9+10)
PiperOrigin-RevId: 359336344
|
|
These are bumped to allow early testing of Go 1.17. Use will be audited closer
to the 1.17 release.
PiperOrigin-RevId: 358278615
|
|
This change also adds support for Router Alert option processing on
incoming packets, a new stat for Router Alert option, and exports
all the IP-option related stats.
Fixes #5491
PiperOrigin-RevId: 358238123
|
|
Completes the soft migration to Unreachable state by removing the Failed state
and the the FailedEntryLookups StatCounter.
Fixes #4667
PiperOrigin-RevId: 358226380
|
|
PiperOrigin-RevId: 358078157
|
|
tcpip integration tests have been flaky lately. They usually run in 20 seconds
and have a 60 seconds timeout. Sometimes they timeout which could be due to
a bug or deadlock. To further investigate it might be helpful to split the
targets and see which test is causing the flake.
Added a new tcpip/tests/utils package to hold all common utilities across all
tests.
PiperOrigin-RevId: 358012936
|
|
This change implements TLP details enumerated in
https://tools.ietf.org/html/draft-ietf-tcpm-rack-08#section-7.5.3
Fixes #5085
PiperOrigin-RevId: 357125037
|
|
Entry check:
- Earlier implementation was preventing us from entering recovery even if
SND.UNA is lost but dupAckCount is still below threshold. Fixed that.
- We should only enter recovery when at least one more byte of data beyond the
highest byte that was outstanding when fast retransmit was last entered is
acked. Added that check.
Exit check:
- Earlier we were checking if SEG.ACK is in range [SND.UNA, SND.NXT]. The
intention was to check if any unacknowledged data was ACKed. Note that
(SEG.ACK - 1) is actually the sequence number which was ACKed. So we were
incorrectly including (SND.UNA - 1) in the range. Fixed the check to now be
(SEG.ACK - 1) in range [SND.UNA, SND.NXT).
Additionally, moved a RACK specific test to the rack tests file.
Added tests for the changes I made.
PiperOrigin-RevId: 357091322
|
|
Added a LINT IfChange/ThenChange check to catch this in the future.
PiperOrigin-RevId: 357077564
|
|
TestRACKWithDuplicateACK is flaky as the reorder window can expire before
receiving three duplicate ACKs which will result in sending the first
unacknowledged segment twice: when reorder timer expired and again after
receiving the third duplicate ACK.
This CL will fix this behavior and will not resend the segment again if it was
already re-transmittted when reorder timer expired.
Update the TestRACKWithDuplicateACK to test that the first segment is
considered as lost and is re-transmitted.
PiperOrigin-RevId: 356855168
|
|
PiperOrigin-RevId: 356852625
|
|
The limits for snd/rcv buffers for unix domain socket is controlled by the
following sysctls on linux
- net.core.rmem_default
- net.core.rmem_max
- net.core.wmem_default
- net.core.wmem_max
Today in gVisor we do not expose these sysctls but we do support setting the
equivalent in netstack via stack.Options() method. But AF_UNIX sockets in gVisor
can be used without netstack, with hostinet or even without any networking stack
at all. Which means ideally these sysctls need to live as globals in gVisor.
But rather than make this a big change for now we hardcode the limits in the
AF_UNIX implementation itself (which in itself is better than where we were
before) where it SO_SNDBUF was hardcoded to 16KiB. Further we bump the initial
limit to a default value of 208 KiB to match linux from the paltry 16 KiB we use
today.
Updates #5132
PiperOrigin-RevId: 356665498
|
|
Utilities written to be common across IPv4/IPv6 are not planned to be
available for public use.
https://golang.org/doc/go1.4#internalpackages
PiperOrigin-RevId: 356554862
|
|
... as per RFC 7048. The Failed state is an internal state that is not
specified by any RFC; replacing it with the Unreachable state enables us to
expose this state while keeping our terminology consistent with RFC 4861 and
RFC 7048.
Unreachable state replaces all internal references for Failed state. However
unlike the Failed state, change events are dispatched when moving into
Unreachable state. This gives developers insight into whether a neighbor entry
failed address resolution or whether it was explicitly removed.
The Failed state will be removed entirely once all references to it are
removed. This is done to avoid a Fuchsia roll failure.
Updates #4667
PiperOrigin-RevId: 356554104
|
|
IPv4 forwarding and reassembly needs support for option processing
and regular processing also needs options to be processed before
being passed to the transport layer. This patch extends option processing
to those cases and provides additional testing. A small change to the ICMP
error generation API code was required to allow it to know when a packet was
being forwarded or not.
Updates #4586
PiperOrigin-RevId: 356446681
|
|
The thing the lock protects will never be accessed concurrently.
PiperOrigin-RevId: 356423331
|
|
We previously return EINVAL when connecting to port 0, however this is not the
observed behavior on Linux. One of the observable effects after connecting to
port 0 on Linux is that getpeername() will fail with ENOTCONN.
PiperOrigin-RevId: 356413451
|
|
...as long as the network protocol supports duplicate address detection.
This CL provides the facilities for a netstack integrator to perform
DAD.
DHCP recommends that clients effectively perform DAD before accepting an
offer. As per RFC 2131 section 4.4.1 pg 38,
The client SHOULD perform a check on the suggested address to ensure
that the address is not already in use. For example, if the client
is on a network that supports ARP, the client may issue an ARP request
for the suggested request.
The implementation of ARP-based IPv4 DAD effectively operates the same
as IPv6's NDP DAD - using ARP requests and responses in place of
NDP neighbour solicitations and advertisements, respectively.
DAD performed by calls to (*Stack).CheckDuplicateAddress don't interfere
with DAD performed when a new IPv6 address is added. This is so that
integrator requests to check for duplicate addresses aren't unexpectedly
aborted when addresses are removed.
A network package internal package provides protocol agnostic DAD state
management that specific protocols that provide DAD can use.
Fixes #4550.
Tests:
- internal/ip_test.*
- integration_test.TestDAD
- arp_test.TestDADARPRequestPacket
- ipv6.TestCheckDuplicateAddress
PiperOrigin-RevId: 356405593
|
|
Detect packet loss using reorder window and re-transmit them after the reorder
timer expires.
PiperOrigin-RevId: 356321786
|
|
It was replaced by NUD/neighborCache.
Fixes #4658.
PiperOrigin-RevId: 356085221
|
|
Before this change, packets were delivered asynchronously to the remote
end of a pipe. This was to avoid a deadlock during link resolution where
the stack would attempt to double-lock a mutex (see removed comments in
the parent commit for details).
As of https://github.com/google/gvisor/commit/4943347137, we do not hold
locks while sending link resolution probes so the deadlock will no
longer occur.
PiperOrigin-RevId: 356066224
|
|
Previously when sending NDP DAD or RS messages, we would hold a shared
lock which lead to deadlocks (due to synchronous packet loooping
(e.g. pipe and loopback link endpoints)) and lock contention.
Writing packets may be an expensive operation which could prevent other
goroutines from doing meaningful work if a shared lock is held while
writing packets.
This change upates the NDP DAD/RS timers to not hold shared locks while
sending packets.
PiperOrigin-RevId: 356053146
|
|
The network endpoints only look for other network endpoints of the
same kind. Since the network protocols keeps track of all endpoints,
go through the protocol to find an endpoint with an address instead
of the stack.
PiperOrigin-RevId: 356051498
|
|
Previously when sending probe messages, we would hold a shared lock
which lead to deadlocks (due to synchronous packet loooping (e.g. pipe
and loopback link endpoints)) and lock contention.
Writing packets may be an expensive operation which could prevent other
goroutines from doing meaningful work if a shared lock is held while
writing packets.
This change upates the NUD timers to not hold shared locks while
sending packets.
PiperOrigin-RevId: 356048697
|
|
Also while I'm here, update neighbor cahce/entry tests to use the
stack's RNG instead of creating a neigbor cache/entry specific one.
PiperOrigin-RevId: 356040581
|
|
The NIC structure is not to be used outside of the stack package
directly.
PiperOrigin-RevId: 356036737
|
|
Network endpoints that wish to check addresses on another NIC-local
network endpoint may now do so through the NetworkInterface.
This fixes a lock ordering issue between NIC removal and link
resolution. Before this change:
NIC Removal takes the stack lock, neighbor cache lock then neighbor
entries' locks.
When performing IPv4 link resolution, we take the entry lock then ARP
would try check IPv4 local addresses through the stack which tries to
obtain the stack's lock.
Now that ARP can check IPv4 addreses through the NIC, we avoid the lock
ordering issue, while also removing the need for stack to lookup the
NIC.
PiperOrigin-RevId: 356034245
|
|
After IPTables checks a batch of packets, we can write packets that are
not dropped or locally destined as a batch instead of individually.
This previously caused a bug since WritePacket* functions expect to take
ownership of passed PacketBuffer{List}. WritePackets assumed the list of
PacketBuffers will not be invalidated when calling WritePacket for each
PacketBuffer in the list, but this is not true. WritePacket may add the
passed PacketBuffer into a different list which would modify the
PacketBuffer in such a way that it no longer points to the next
PacketBuffer to write.
Example: Given a PB list of
PB_a -> PB_b -> PB_c
WritePackets may be iterating over the list and calling WritePacket for
each PB. When WritePacket takes PB_a, it may add it to a new list which
would update pointers such that PB_a no longer points to PB_b.
Test: integration_test.TestIPTableWritePackets
PiperOrigin-RevId: 355969560
|
|
Make it clear that failing to parse a looped back is not a packet
sending error but a malformed received packet error.
FindNetworkEndpoint returns nil when no network endpoint is found
instead of an error.
PiperOrigin-RevId: 355954946
|
|
PiperOrigin-RevId: 355751801
|
|
- Adds a function to enable RACK in tests.
- RACK update functions are guarded behind the flag tcpRecovery.
PiperOrigin-RevId: 355435973
|
|
Rename HandleNDupAcks() to HandleLossDetected() as it will enter this when
is detected after:
- reorder window expires and TLP (in case of RACK)
- dupAckCount >= 3
PiperOrigin-RevId: 355237858
|
|
Netstack today will send dupACK's with no rate limit for incoming out of
window segments. This can result in ACK loops for example if a TCP socket
connects to itself (actually permitted by TCP). Where the ACK sent in
response to packets being out of order itself gets considered as an out
of window segment resulting in another ACK being generated.
PiperOrigin-RevId: 355206877
|
|
...to remove the need for the transport layer to deduce the type of
error it received.
Rename HandleControlPacket to HandleError as HandleControlPacket only
handles errors.
tcpip.SockError now holds a tcpip.SockErrorCause interface that
different errors can implement.
PiperOrigin-RevId: 354994306
|
|
This change flips gvisor to use Neighbor unreachability detection by
default to populate the neighbor table as defined by RFC 4861 section 7.
Although RFC 4861 is targeted at IPv6, the same algorithm is used for
link resolution on IPv4 networks using ARP.
Integrators may still use the legacy link address cache by setting
stack.Options.UseLinkAddrCache to true; stack.Options.UseNeighborCache
is now unused and will be removed.
A later change will remove linkAddrCache and associated code.
Updates #4658.
PiperOrigin-RevId: 354850531
|
|
PiperOrigin-RevId: 354827491
|
|
...in IPv6 ICMP tests.
A channel link endpoint's channel is closed when the link endpoint is
closed.
When the stack tries to send packets through a NIC with a closed channel
endpoint, a panic will occur when attempting to write to a closed
channel (https://golang.org/ref/spec#Close). To make sure the stack does
not try to send packets through a NIC, we remove it.
PiperOrigin-RevId: 354822085
|
|
This stores each protocol's neighbor state separately.
This change also removes the need for each neighbor entry to keep
track of their own link address resolver now that all the entries
in a cache will use the same resolver.
PiperOrigin-RevId: 354818155
|
|
The network endpoint should not need to have logic to handle different
kinds of neighbor tables. Network endpoints can let the NIC know about
differnt neighbor discovery messages and let the NIC decide which table
to update.
This allows us to remove the LinkAddressCache interface.
PiperOrigin-RevId: 354812584
|
|
PiperOrigin-RevId: 354746864
|
|
This removes the need to provide the link address request with the NIC
the request is being performed on since the NetworkEndpoints already
have a reference to the NIC.
PiperOrigin-RevId: 354721940
|
|
This allows later decoupling of the backing network buffer implementation.
PiperOrigin-RevId: 354643297
|
|
This is dynamic state that can be re-learned when the NIC comes
back up.
Test: ipv4_test.TestIgmpV1Present
PiperOrigin-RevId: 354630921
|
|
...as per As per RFC 2236 section 3 page 3 (for IGMPv2) and
RFC 2710 section 4 page 5 (for MLDv1).
See comments in code for more details.
Test: ip_test.TestHandleQuery
PiperOrigin-RevId: 354603068
|
|
...per RFC 4861 s7.1.2.
Startblock:
has LGTM from sbalana
and then
add reviewer ghanan
PiperOrigin-RevId: 354539026
|
|
When a route does not need to resolve a remote link address to send a
packet, avoid having to obtain the pending packets queue's lock.
PiperOrigin-RevId: 354456280
|
|
After receiving an ACK(cumulative or selective), RACK will update the reorder
window which is used as a settling time before marking the packet as lost.
This change will add an init function to initialize the variables in RACK and
also store the reference to sender in rackControl.
The reorder window is calculated as per rfc:
https://tools.ietf.org/html/draft-ietf-tcpm-rack-08#section-7.2 Step 4.
PiperOrigin-RevId: 354453528
|
|
Avoid a race condition in which an entry is acquired while it is being
evicted by overlapping the entry lock with the cache lock.
PiperOrigin-RevId: 354452639
|