Age | Commit message (Collapse) | Author |
|
After IPTables checks a batch of packets, we can write packets that are
not dropped or locally destined as a batch instead of individually.
This previously caused a bug since WritePacket* functions expect to take
ownership of passed PacketBuffer{List}. WritePackets assumed the list of
PacketBuffers will not be invalidated when calling WritePacket for each
PacketBuffer in the list, but this is not true. WritePacket may add the
passed PacketBuffer into a different list which would modify the
PacketBuffer in such a way that it no longer points to the next
PacketBuffer to write.
Example: Given a PB list of
PB_a -> PB_b -> PB_c
WritePackets may be iterating over the list and calling WritePacket for
each PB. When WritePacket takes PB_a, it may add it to a new list which
would update pointers such that PB_a no longer points to PB_b.
Test: integration_test.TestIPTableWritePackets
PiperOrigin-RevId: 355969560
|
|
Panic seen at some code path like control.ExecAsync where
ctx does not have a Task.
Reported-by: syzbot+55ce727161cf94a7b7d6@syzkaller.appspotmail.com
PiperOrigin-RevId: 355960596
|
|
According to vfs.FilesystemImpl.RenameAt documentation:
- If the last path component in rp is "." or "..", and opts.Flags contains
RENAME_NOREPLACE, RenameAt returns EEXIST.
- If the last path component in rp is "." or "..", and opts.Flags does not
contain RENAME_NOREPLACE, RenameAt returns EBUSY.
Reported-by: syzbot+6189786e64fe13fe43f8@syzkaller.appspotmail.com
PiperOrigin-RevId: 355959266
|
|
Make it clear that failing to parse a looped back is not a packet
sending error but a malformed received packet error.
FindNetworkEndpoint returns nil when no network endpoint is found
instead of an error.
PiperOrigin-RevId: 355954946
|
|
PiperOrigin-RevId: 355751801
|
|
Some versions of the Go runtime call getcpu(), so add it for compatibility. The
hostcpu package already uses getcpu() on arm64.
PiperOrigin-RevId: 355717757
|
|
PiperOrigin-RevId: 355675900
|
|
Our implementation of vfs.CheckDeleteSticky was not consistent with Linux,
specifically not consistent with fs/linux.h:check_sticky().
One of the biggest differences was that the vfs implementation did not
allow the owner of the sticky directory to delete files inside it that belonged
to other users.
This change makes our implementation consistent with Linux.
Also adds an integration test to check for this. This bug is also present in
VFS1.
Updates #3027
PiperOrigin-RevId: 355557425
|
|
- Adds a function to enable RACK in tests.
- RACK update functions are guarded behind the flag tcpRecovery.
PiperOrigin-RevId: 355435973
|
|
This was missed in cl/351911375; pipe.VFSPipeFD.SpliceFromNonPipe already calls
Notify.
PiperOrigin-RevId: 355246655
|
|
Rename HandleNDupAcks() to HandleLossDetected() as it will enter this when
is detected after:
- reorder window expires and TLP (in case of RACK)
- dupAckCount >= 3
PiperOrigin-RevId: 355237858
|
|
Because we lack gVisor-internal cgroups, we take the CPU usage of the entire pod
and divide it proportionally according to sentry-internal usage stats.
This fixes `kubectl top pods`, which gets a pod's CPU usage by summing the usage
of its containers.
Addresses #172.
PiperOrigin-RevId: 355229833
|
|
This allows the package to serve as a general purpose ring0 support package, as
opposed to being bound to specific sentry platforms.
Updates #5039
PiperOrigin-RevId: 355220044
|
|
Reported-by: syzbot+db8d83f93b84fcb84374@syzkaller.appspotmail.com
PiperOrigin-RevId: 355213994
|
|
Netstack today will send dupACK's with no rate limit for incoming out of
window segments. This can result in ACK loops for example if a TCP socket
connects to itself (actually permitted by TCP). Where the ACK sent in
response to packets being out of order itself gets considered as an out
of window segment resulting in another ACK being generated.
PiperOrigin-RevId: 355206877
|
|
* Make split safe.
* Enable looking up next valid address.
* Support mappings with !accessType.Any(), distinct from unmap.
These changes allow for the use of pagetables in low-level OS packages, such
as ring0, and allow for the use of pagetables for more generic address space
reservation (by writing entries with no access specified).
Updates #5039
PiperOrigin-RevId: 355109016
|
|
...to remove the need for the transport layer to deduce the type of
error it received.
Rename HandleControlPacket to HandleError as HandleControlPacket only
handles errors.
tcpip.SockError now holds a tcpip.SockErrorCause interface that
different errors can implement.
PiperOrigin-RevId: 354994306
|
|
This change flips gvisor to use Neighbor unreachability detection by
default to populate the neighbor table as defined by RFC 4861 section 7.
Although RFC 4861 is targeted at IPv6, the same algorithm is used for
link resolution on IPv4 networks using ARP.
Integrators may still use the legacy link address cache by setting
stack.Options.UseLinkAddrCache to true; stack.Options.UseNeighborCache
is now unused and will be removed.
A later change will remove linkAddrCache and associated code.
Updates #4658.
PiperOrigin-RevId: 354850531
|
|
PiperOrigin-RevId: 354827491
|
|
...in IPv6 ICMP tests.
A channel link endpoint's channel is closed when the link endpoint is
closed.
When the stack tries to send packets through a NIC with a closed channel
endpoint, a panic will occur when attempting to write to a closed
channel (https://golang.org/ref/spec#Close). To make sure the stack does
not try to send packets through a NIC, we remove it.
PiperOrigin-RevId: 354822085
|
|
This stores each protocol's neighbor state separately.
This change also removes the need for each neighbor entry to keep
track of their own link address resolver now that all the entries
in a cache will use the same resolver.
PiperOrigin-RevId: 354818155
|
|
The network endpoint should not need to have logic to handle different
kinds of neighbor tables. Network endpoints can let the NIC know about
differnt neighbor discovery messages and let the NIC decide which table
to update.
This allows us to remove the LinkAddressCache interface.
PiperOrigin-RevId: 354812584
|
|
PiperOrigin-RevId: 354746864
|
|
This removes the need to provide the link address request with the NIC
the request is being performed on since the NetworkEndpoints already
have a reference to the NIC.
PiperOrigin-RevId: 354721940
|
|
This allows later decoupling of the backing network buffer implementation.
PiperOrigin-RevId: 354643297
|
|
This is dynamic state that can be re-learned when the NIC comes
back up.
Test: ipv4_test.TestIgmpV1Present
PiperOrigin-RevId: 354630921
|
|
...as per As per RFC 2236 section 3 page 3 (for IGMPv2) and
RFC 2710 section 4 page 5 (for MLDv1).
See comments in code for more details.
Test: ip_test.TestHandleQuery
PiperOrigin-RevId: 354603068
|
|
PiperOrigin-RevId: 354595623
|
|
When file is regular and metadata cache is authoritative, metadata lock
is taken. The code deadlocks trying to acquire the metadata lock
again to update time stampts.
PiperOrigin-RevId: 354584594
|
|
...per RFC 4861 s7.1.2.
Startblock:
has LGTM from sbalana
and then
add reviewer ghanan
PiperOrigin-RevId: 354539026
|
|
When a route does not need to resolve a remote link address to send a
packet, avoid having to obtain the pending packets queue's lock.
PiperOrigin-RevId: 354456280
|
|
After receiving an ACK(cumulative or selective), RACK will update the reorder
window which is used as a settling time before marking the packet as lost.
This change will add an init function to initialize the variables in RACK and
also store the reference to sender in rackControl.
The reorder window is calculated as per rfc:
https://tools.ietf.org/html/draft-ietf-tcpm-rack-08#section-7.2 Step 4.
PiperOrigin-RevId: 354453528
|
|
Avoid a race condition in which an entry is acquired while it is being
evicted by overlapping the entry lock with the cache lock.
PiperOrigin-RevId: 354452639
|
|
This makes it possible to add data to types that implement tcpip.Error.
ErrBadLinkEndpoint is removed as it is unused.
PiperOrigin-RevId: 354437314
|
|
This was removed in 6c0e1d9cfe6adbfbb32e7020d6426608ac63ad37 but turns
out to be crucial to prevent flaky behaviour in sendfile.
PiperOrigin-RevId: 354434144
|
|
Clockwork does not support timers being reset/stopped from different
goroutines. Our current use of clockwork causes data races and
gotsan complains about clockwork.
This change uses our own implementation of faketime, avoiding data
races.
PiperOrigin-RevId: 354428208
|
|
Fixes #3027 as there is just 1 writable user using OrderedChildren's rename,
unlink and rmdir (kernfs.syntheticDirectory) but it doesn't support the sticky
bit yet.
Fuse which is the other writable user implements its own Inode operations.
PiperOrigin-RevId: 354386522
|
|
PiperOrigin-RevId: 354367665
|
|
PiperOrigin-RevId: 354327882
|
|
Previously, sending on an unconnected UDP socket would ignore the
SO_BINDTODEVICE option. Send on the configured interface when an UDP socket
is bound to an interface through setsockop SO_BINDTODEVICE.
Add packetimpact tests exercising UDP reads and writes with every combination
of bound/unbound, broadcast/multicast/unicast destination, and bound/not-bound
to device.
PiperOrigin-RevId: 354299670
|
|
As per RFC 4861 section 7.3.1,
A neighbor is considered reachable if the node has recently received
a confirmation that packets sent recently to the neighbor were
received by its IP layer. Positive confirmation can be gathered in
two ways: hints from upper-layer protocols that indicate a connection
is making "forward progress", or receipt of a Neighbor Advertisement
message that is a response to a Neighbor Solicitation message.
This change adds support for TCP to let the IP/link layers know that a
neighbor is reachable.
Test: integration_test.TestTCPConfirmNeighborReachability
PiperOrigin-RevId: 354222833
|
|
This clarifies that there is a lock involved.
PiperOrigin-RevId: 354213848
|
|
This CL adds support for the following fields:
- RTT, RTTVar, RTO
- send congestion window (sndCwnd) and send slow start threshold (sndSsthresh)
- congestion control state(CaState)
- ReorderSeen
PiperOrigin-RevId: 354195361
|
|
Fixes #5150.
PiperOrigin-RevId: 354194385
|
|
PiperOrigin-RevId: 354187603
|
|
- This CL will initialize the function handler used for getting the send
buffer size limits during endpoint creation and does not require the caller of
SetSendBufferSize(..) to know the endpoint type(tcp/udp/..)
PiperOrigin-RevId: 353992634
|
|
When sending packets through a stack.Route, we attempt to perform
link resolution. Neighbor Solicitation messages do not need link
resolution to be performed so send the packets out the interface
directly instead.
PiperOrigin-RevId: 353967435
|
|
This improves type-assertion safety.
PiperOrigin-RevId: 353931228
|
|
connect() can be invoked multiple times on UDP/RAW sockets and in such
a case we should release the cached route from the previous connect.
Fixes #5359
PiperOrigin-RevId: 353919891
|
|
Contrary to the comment on the socket test, the failure was due to an issue
with goferfs rather than kernfs.
PiperOrigin-RevId: 353918021
|