Age | Commit message (Collapse) | Author |
|
The current SNAT implementation has several limitations:
- SNAT source port has to be specified. It is not optional.
- SNAT source port range is not supported.
- SNAT for UDP is a one-way translation. No response packets
are handled (because conntrack doesn't support UDP currently).
- SNAT and REDIRECT can't work on the same connection.
Fixes #5489
PiperOrigin-RevId: 367750325
|
|
PiperOrigin-RevId: 367730917
|
|
Move maxListenBacklog check to the caller of endpoint Listen so that it
is applicable to Unix domain sockets as well.
This was changed in cl/366935921.
Reported-by: syzbot+a35ae7cdfdde0c41cf7a@syzkaller.appspotmail.com
PiperOrigin-RevId: 367728052
|
|
This is the most often pattern of calling system calls in real applications.
PiperOrigin-RevId: 367320048
|
|
- Change the accept queue full condition for a listening endpoint
to only honor completed (and delivered) connections.
- Use syncookies if the number of incomplete connections is beyond
listen backlog. This also cleans up the SynThreshold option code
as that is no longer used with this change.
- Added a new stack option to unconditionally generate syncookies.
Similar to sysctl -w net.ipv4.tcp_syncookies=2 on Linux.
- Enable keeping of incomplete connections beyond listen backlog.
- Drop incoming SYNs only if the accept queue is filled up.
- Drop incoming ACKs that complete handshakes when accept queue is full
- Enable the stack to accept one more connection than programmed by
listen backlog.
- Handle backlog argument being zero, negative for listen, as Linux.
- Add syscall and packetimpact tests to reflect the changes above.
- Remove TCPConnectBacklog test which is polling for completed
connections on the client side which is not reflective of whether
the accept queue is filled up by the test. The modified syscall test
in this CL addresses testing of connecting sockets.
Fixes #3153
PiperOrigin-RevId: 366935921
|
|
PiperOrigin-RevId: 366923274
|
|
PiperOrigin-RevId: 366907152
|
|
Closes #3373
PiperOrigin-RevId: 366903991
|
|
Updates #5273
PiperOrigin-RevId: 366902314
|
|
This benchmark currently takes > 15 minutes to run in that case.
PiperOrigin-RevId: 366891726
|
|
There's no reason to actually increment the semaphore, it just introduces the
chance of a race.
PiperOrigin-RevId: 366851795
|
|
Allow user mounting a verity fs on an existing mount by specifying mount
flags root_hash and lower_path.
PiperOrigin-RevId: 366843846
|
|
PiperOrigin-RevId: 366839955
|
|
This benchmark currently takes > 15 minutes to run in that case.
PiperOrigin-RevId: 366817185
|
|
PiperOrigin-RevId: 366573366
|
|
A skeleton implementation of cgroupfs. It supports trivial cpu and
memory controllers with no support for hierarchies.
PiperOrigin-RevId: 366561126
|
|
PiperOrigin-RevId: 366344222
|
|
PiperOrigin-RevId: 366292533
|
|
VFS1 skips over mounts that overrides files in /dev because the list of
files is hardcoded. This is not needed for VFS2 and a recent change
lifted this restriction. However, parts of the code were still skipping
/dev mounts even in VFS2, causing the loader to panic when it ran short
of FDs to connect to the gofer.
PiperOrigin-RevId: 365858436
|
|
Split usermem package to help remove syserror dependency in go_marshal.
New hostarch package contains code not dependent on syserror.
PiperOrigin-RevId: 365651233
|
|
PiperOrigin-RevId: 365092320
|
|
On Linux these are meant to be equivalent to POLLIN/POLLOUT. Rather
than hack these on in sys_poll etc it felt cleaner to just cleanup
the call sites to notify for both events. This is what linux does
as well.
Fixes #5544
PiperOrigin-RevId: 364859977
|
|
Also adds support for clearing the setuid bit when appropriate (writing,
truncating, changing size, changing UID, or changing GID).
VFS2 only.
PiperOrigin-RevId: 364661835
|
|
- Don't cleanup containers in Network.Cleanup, otherwise containers will
be killed and removed several times.
- Don't set AutoRemove for containers. This will prevent the confusing
'removal already in progress' messages.
Fixes #3795
PiperOrigin-RevId: 364404414
|
|
The tests were not using the correct windowSize so the testing segments were
actually within the window for seqNumOffset=0 tests. The issue is already fixed
by #5674.
PiperOrigin-RevId: 364252630
|
|
syserror allows packages to register translators for errors. These
translators should be called prior to checking if the error is valid,
otherwise it may not account for possible errors that can be returned
from different packages, e.g. safecopy.BusError => syserror.EFAULT.
Second attempt, it passes tests now :-)
PiperOrigin-RevId: 363714508
|
|
Also, drop fio total reads/writes to 1GB as 10GB is
prohibitively slow.
PiperOrigin-RevId: 363714060
|
|
Netstack does not check ACK number for FIN-ACK packets and goes into TIMEWAIT
unconditionally. Fixing the state machine will give us back the retransmission
of FIN.
PiperOrigin-RevId: 363301883
|
|
There is a race in handling new incoming connections on a listening
endpoint that causes the endpoint to reply to more incoming SYNs than
what is permitted by the listen backlog.
The race occurs when there is a successful passive connection handshake
and the synRcvdCount counter is decremented, followed by the endpoint
delivered to the accept queue. In the window of time between
synRcvdCount decrementing and the endpoint being enqueued for accept,
new incoming SYNs can be handled without honoring the listen backlog
value, as the backlog could be perceived not full.
Fixes #5637
PiperOrigin-RevId: 363279372
|
|
PiperOrigin-RevId: 363276495
|
|
Terminating tasks from other tests can mess up with the task
list of the current test. Tests were changed to look for added/removed
tasks, ignoring other tasks that may exist while the test is running.
PiperOrigin-RevId: 363084261
|
|
TCP, in CLOSING state, MUST send an ACK with next expected SEQ number after
receiving any segment with OTW SEQ number and remain in the same state.
While I am here, I also changed shutdown to behave the same as other calls
in posix_server.
PiperOrigin-RevId: 362976955
|
|
The test queries for RTO via TCP_INFO and applies that to the
rest of the test. The RTO is estimated by processing incoming ACK.
There is a race in the test where we may query for RTO before the
incoming ACK was processed. Fix the race in the test by letting the
DUT complete a payload receive, thus estimating RTO before proceeding
to query the RTO. Bump up the time correction to reduce flakes.
PiperOrigin-RevId: 362865904
|
|
By default net.ipv4.ping_group_range is set to "1 0" and no one (even the root)
can create an ICMP socket. Setting it to "0 0" allows root, which we are inside
the container, to create ICMP sockets for packetimpact tests.
PiperOrigin-RevId: 362454201
|
|
With /proc/sys/net/ipv4/ip_local_port_range implemented, the socket stress
test runs in a more normal time and doesn't need to sacrifice coverage to
prevent timeouts.
PiperOrigin-RevId: 362443366
|
|
By default, fusefs defers node permission checks to the server. The
default_permissions mount option enables the usual unix permission
checks based on the node owner and mode bits. Previously fusefs was
incorrectly checking permissions unconditionally.
Additionally, fusefs should restrict filesystem access to processes
started by the mount owner to prevent the fuse daemon from gaining
priviledge over other processes. The allow_other mount option
overrides this behaviour. Previously fusefs was incorrectly skipping
this check.
Updates #3229
PiperOrigin-RevId: 362419092
|
|
The previous "bind" filesystem, already included in go/runsc-benchmarks
is a remote re-validate mount. However, the non-re-validate mount
was not present, and it has been added in the form of rootfs.
Also, fix the fio runs to reads/writes of 10GB as running
with --test.benchtime=Xs may scale beyond the memory available
to tmpfs mounts on buildkite VMs. Currently, our buildkite
pipelines are run on e2-standard-8 machines with 32GB of memory,
allowing tmpfs mounts to safely be at least 10GB.
PiperOrigin-RevId: 362143620
|
|
panic: interface conversion: interface {} is syscall.WaitStatus, not unix.WaitStatus
goroutine 1 [running]:
main.runTestCaseNative(0xc0001fc000, 0xe3, 0xc000119b60, 0x1, 0x1, 0x0, 0x0)
test/runner/runner.go:185 +0xa94
main.main()
test/runner/runner.go:118 +0x745
PiperOrigin-RevId: 361957796
|
|
- Implement Stringer for it so that we can improve error messages.
- Use TCPFlags through the code base. There used to be a mixed usage of byte,
uint8 and int as TCP flags.
PiperOrigin-RevId: 361940150
|
|
Kernels after 3b830a9c return EAGAIN in this case.
PiperOrigin-RevId: 361936327
|
|
Speeds up the socket stress tests by a couple orders of magnitude.
PiperOrigin-RevId: 361721050
|
|
Thread from earlier test can show up in `/proc/self/tasks` while the
thread tears down. Account for that when searching for procs for the
first time in the test.
PiperOrigin-RevId: 361689673
|
|
Run all tests (or a given test partition) in a single sandbox.
Previously, each individual unit test executed in a new
sandbox, which takes much longer to execute.
Before After
Syscall tests: 37m22.768s 14m5.272s
PiperOrigin-RevId: 361661726
|
|
Fix a race where the DUT could send out test data before it received the
peer window advertisement. Such a race results in the DUT taking longer
time to retransmit zero window probe, thus causing the test to fail
receiving the last expected probe.
To ensure this ordering, piggyback a non-zero payload with the zero
window advertisement and let the DUT receive that, before continuing
with the test.
PiperOrigin-RevId: 361640241
|
|
Remove part of test that was making it flaky. It runs for native only,
so not really important since it's not testing gVisor.
Before: http://sponge2/37557c41-298e-408d-9b54-50ba3d41e22f
After: http://sponge2/7bca72be-cb9b-42f8-8c54-af4956c39455
PiperOrigin-RevId: 361611512
|
|
The syscall package has been deprecated in favor of golang.org/x/sys.
Note that syscall is still used in some places because the following don't seem
to have an equivalent in unix package:
- syscall.SysProcIDMap
- syscall.Credential
Updates #214
PiperOrigin-RevId: 361332034
|
|
Some OSs behave slightly differently, but still within the RFC. It can be useful
to have access to uname information from the testbench.
PiperOrigin-RevId: 361193766
|
|
One of the preparation to decouple underlying buffer implementation.
There are still some methods that tie to VectorisedView, and they will be
changed gradually in later CLs.
This CL also introduce a new ICMPv6ChecksumParams to replace long list of
parameters when calling ICMPv6Checksum, aiming to be more descriptive.
PiperOrigin-RevId: 360778149
|
|
- Removed (*testbench.Connection)(&conn) like casts
- Removed redundant definition of Drain, Close and ExpectFrame
PiperOrigin-RevId: 360727788
|
|
PiperOrigin-RevId: 360491700
|