- Adds creation of user chains via `-N <chainname>`
- Adds `-j RETURN` support for built-in chains, which triggers the
chain's underflow rule (usually the default policy).
- Adds tests for chain creation, default policies, and `-j RETURN` from
built-in chains.
The readme didn't mention that users need to:
- `bazel build` when working on iptables tests
- enable raw sockets in /etc/docker/daemon.json.
PiperOrigin-RevId: 294260169
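The RETURN semantics the commit above describes, as an added example written for this page (a constructed model, not gVisor's iptables implementation and not code from the commit): a RETURN in a user chain resumes at the rule after the jump in the caller, while a RETURN in a built-in chain has nothing to return to and falls through to the underflow rule, i.e. the chain's default policy. The chain name `web`, the ports and the rule set are made up for the illustration.

```c
#include <stdio.h>

/* Constructed model of iptables chain traversal (added example, not gVisor
 * code). Only destination-port matching is modelled. */
enum verdict { V_ACCEPT, V_DROP, V_RETURN, V_JUMP };

#define MAX_RULES 8

struct rule {
    int match_dport;        /* 0 matches every packet, else match this dst port */
    enum verdict verdict;   /* rule target */
    int target_chain;       /* chain index, only meaningful for V_JUMP */
};

struct chain {
    const char *name;
    int builtin;            /* 1 for INPUT/OUTPUT/..., 0 for chains created with -N */
    struct rule rules[MAX_RULES];
    int nrules;
    enum verdict policy;    /* the underflow rule: default policy of a built-in chain */
};

static int add_rule(struct chain *c, int dport, enum verdict v, int target) {
    if (c->nrules >= MAX_RULES) return -1;
    c->rules[c->nrules].match_dport = dport;
    c->rules[c->nrules].verdict = v;
    c->rules[c->nrules].target_chain = target;
    c->nrules++;
    return 0;
}

/* Evaluate chain `idx` for a packet with destination port `dport`.
 * Returns V_ACCEPT or V_DROP as a final decision, or V_RETURN to hand
 * control back to the calling chain. `depth` is only a loop guard for the
 * model; real iptables rejects jump loops when the rule is inserted. */
static enum verdict walk(const struct chain *chains, int idx, int dport, int depth) {
    const struct chain *c = &chains[idx];
    if (depth > 16) return V_DROP;
    for (int i = 0; i < c->nrules; i++) {
        const struct rule *r = &c->rules[i];
        if (r->match_dport != 0 && r->match_dport != dport) continue;
        switch (r->verdict) {
        case V_ACCEPT:
        case V_DROP:
            return r->verdict;
        case V_RETURN:
            /* User chain: resume after the jump in the caller. Built-in
             * chain: nothing to return to, so the underflow rule decides. */
            return c->builtin ? c->policy : V_RETURN;
        case V_JUMP: {
            enum verdict v = walk(chains, r->target_chain, dport, depth + 1);
            if (v != V_RETURN) return v;    /* the user chain decided */
            break;                          /* RETURN: carry on with the next rule */
        }
        }
    }
    /* Fell off the end of the chain: behaves like an implicit RETURN. */
    return c->builtin ? c->policy : V_RETURN;
}

/* Equivalent of this (hypothetical) rule set:
 *   iptables -P INPUT DROP
 *   iptables -N web
 *   iptables -A web -p tcp --dport 80 -j ACCEPT
 *   iptables -A web -j RETURN
 *   iptables -A INPUT -p tcp --dport 80 -j web
 *   iptables -A INPUT -p tcp --dport 443 -j web
 *   iptables -A INPUT -p tcp --dport 22 -j ACCEPT
 *   iptables -A INPUT -j RETURN           <- triggers the underflow rule (DROP)
 */
static enum verdict classify(int dport) {
    struct chain chains[2];
    chains[0] = (struct chain){ "INPUT", 1, {{0, V_DROP, 0}}, 0, V_DROP };
    chains[1] = (struct chain){ "web", 0, {{0, V_DROP, 0}}, 0, V_RETURN };
    add_rule(&chains[1], 80, V_ACCEPT, 0);
    add_rule(&chains[1], 0, V_RETURN, 0);
    add_rule(&chains[0], 80, V_JUMP, 1);
    add_rule(&chains[0], 443, V_JUMP, 1);
    add_rule(&chains[0], 22, V_ACCEPT, 0);
    add_rule(&chains[0], 0, V_RETURN, 0);
    return walk(chains, 0, dport, 0);
}

int main(void) {
    const char *names[] = { "ACCEPT", "DROP", "RETURN", "JUMP" };
    int ports[] = { 22, 80, 443, 8080 };
    for (size_t i = 0; i < sizeof(ports) / sizeof(ports[0]); i++)
        printf("dport %4d -> %s\n", ports[i], names[classify(ports[i])]);
    return 0;
}
```

Port 443 is the interesting case: it jumps to `web`, `web` returns without a decision, INPUT continues past the jump, reaches its own `-j RETURN`, and the underflow rule drops it; a packet that matches nothing at all ends up in the same place.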
- Move shared helpers V4Multicast and V4Broadcast to socket_test_util
- Add unnamed namespace so socket_ipv4_tcp_unbound_external_networking_test.cc
and socket_ipv4_udp_unbound_external_networking_test.cc can be compiled
together
- Add test files to "exports_files" so they can be included by Fuchsia's syscall
test setup
PiperOrigin-RevId: 293880429
From RFC 793 s3.9 p58 Event Processing:
If RECEIVE Call arrives in CLOSED state and the user has access to such a
connection, the return should be "error: connection does not exist"
Fixes #1598
PiperOrigin-RevId: 293494287
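The check a conformance test for the RFC 793 rule above would make, as an added example (not the gVisor syscall test for the fix): a TCP socket that was never connected is in the CLOSED state, and Linux answers a RECEIVE on it with ENOTCONN, which is its spelling of "connection does not exist". The helper name is the example's own.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Added example, not from the gVisor test suite. Returns the errno from
 * recv() on a never-connected TCP socket, 0 if recv unexpectedly succeeded,
 * or -1 (errno set) if the socket could not be created. */
static int recv_errno_on_closed_tcp(int domain) {
    char buf[16];
    int fd = socket(domain, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    ssize_t n = recv(fd, buf, sizeof(buf), 0);   /* RECEIVE in CLOSED state */
    int err = (n < 0) ? errno : 0;
    close(fd);
    return err;
}

int main(void) {
    int families[] = { AF_INET, AF_INET6 };
    const char *names[] = { "AF_INET", "AF_INET6" };
    for (int i = 0; i < 2; i++) {
        int e = recv_errno_on_closed_tcp(families[i]);
        if (e < 0)
            printf("%-8s socket() failed: %s\n", names[i], strerror(errno));
        else
            printf("%-8s recv() on CLOSED socket -> %s\n", names[i],
                   e ? strerror(e) : "no error");
    }
    return 0;
}
```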
Tests 65k connection attempts on common types of sockets to check for port
leaks.
Also fixes a bug where dual-stack sockets wouldn't properly re-queue
segments received while closing.
PiperOrigin-RevId: 293241166
* Tests are picked for a shard differently. It now picks one test from each
block, instead of picking the whole block. This makes the same kind of tests
spread across different shards.
* Reduce the number of connect() calls in TCPListenClose.
PiperOrigin-RevId: 293019281
If the support is Ignored, then the call is still executed. We
simply rely on it to fall through to the int3. Therefore, we
must also bail on the vendor check.
PiperOrigin-RevId: 292620558
This avoids conflicting definitions of GetSocketPairs() in the outer namespace when
multiple such cc files are compiled for one binary.
PiperOrigin-RevId: 292420885
When sending a RST on shutdown we need to double check the
state after acquiring the work mutex as the endpoint could
have transitioned out of a connected state between the time
we checked it and the time we acquired the workMutex.
I added two tests but sadly neither reproduces the panic. I am
going to leave the tests in as they are good to have anyway.
PiperOrigin-RevId: 292393800
Splice must not allow negative offsets. Writes also must not allow offset +
size to overflow int64. Reads are similarly broken, but not just in splice
(b/148095030).
Reported-by: syzbot+0e1ff0b95fb2859b4190@syzkaller.appspotmail.com
PiperOrigin-RevId: 292361208
Special files can have additional requirements for granularity.
For example, a read from eventfd returns EINVAL if the size is less than 8 bytes.
Reported-by: syzbot+3905f5493bec08eb7b02@syzkaller.appspotmail.com
PiperOrigin-RevId: 292002926
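The two argument checks from the splice commit and the eventfd commit above, probed against the host kernel as an added example (not gVisor code and not its syscall tests): splice(2) must reject a negative offset and an offset plus length that overflows int64 with EINVAL, and eventfd(2) must reject reads and writes shorter than 8 bytes with EINVAL. The raw `SYS_splice` syscall is used only so the example does not depend on the glibc wrapper's feature macros; helper names are the example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/eventfd.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Added example, not gVisor code. Each helper returns the errno of the
 * syscall under test, 0 if it succeeded, or -1 if the setup itself failed. */

/* Same argument order as splice(2); raw syscall to avoid wrapper quirks. */
static long do_splice(int fd_in, int64_t *off_in, int fd_out, int64_t *off_out, size_t len) {
    return syscall(SYS_splice, fd_in, off_in, fd_out, off_out, len, 0);
}

/* file -> pipe with an explicit input offset. */
static int splice_file_to_pipe_errno(int64_t off_in) {
    int p[2];
    FILE *f = tmpfile();
    if (f == NULL || pipe(p) < 0) return -1;
    int fd = fileno(f);
    static const char payload[] = "constructed payload for the splice probe";
    if (write(fd, payload, sizeof(payload)) != (ssize_t)sizeof(payload)) return -1;
    long n = do_splice(fd, &off_in, p[1], NULL, 8);
    int err = (n < 0) ? errno : 0;
    close(p[0]); close(p[1]); fclose(f);
    return err;
}

/* pipe -> file with an explicit output offset and length. */
static int splice_pipe_to_file_errno(int64_t off_out, size_t len) {
    int p[2];
    FILE *f = tmpfile();
    if (f == NULL || pipe(p) < 0) return -1;
    if (write(p[1], "12345678", 8) != 8) return -1;
    long n = do_splice(p[0], NULL, fileno(f), &off_out, len);
    int err = (n < 0) ? errno : 0;
    close(p[0]); close(p[1]); fclose(f);
    return err;
}

/* read() of `len` bytes from a non-blocking eventfd with counter `initval`.
 * The size check comes before the "nothing to read" check, so a short read
 * on an empty eventfd is EINVAL, not EAGAIN. */
static int eventfd_read_errno(unsigned int initval, size_t len) {
    char buf[16] = {0};
    int fd = eventfd(initval, EFD_NONBLOCK);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, len > sizeof(buf) ? sizeof(buf) : len);
    int err = (n < 0) ? errno : 0;
    close(fd);
    return err;
}

/* write() of `len` bytes (value 1) to a non-blocking eventfd. */
static int eventfd_write_errno(size_t len) {
    uint64_t val = 1;
    int fd = eventfd(0, EFD_NONBLOCK);
    if (fd < 0) return -1;
    ssize_t n = write(fd, &val, len > sizeof(val) ? sizeof(val) : len);
    int err = (n < 0) ? errno : 0;
    close(fd);
    return err;
}

int main(void) {
    printf("splice file->pipe, off_in=0:          %s\n", strerror(splice_file_to_pipe_errno(0)));
    printf("splice file->pipe, off_in=-1:         %s\n", strerror(splice_file_to_pipe_errno(-1)));
    printf("splice pipe->file, off_out=-1:        %s\n", strerror(splice_pipe_to_file_errno(-1, 8)));
    printf("splice pipe->file, off_out+len wraps: %s\n", strerror(splice_pipe_to_file_errno(INT64_MAX - 4, 8)));
    printf("eventfd read of 4 bytes:              %s\n", strerror(eventfd_read_errno(3, 4)));
    printf("eventfd read of 8 bytes, empty:       %s\n", strerror(eventfd_read_errno(0, 8)));
    printf("eventfd write of 4 bytes:             %s\n", strerror(eventfd_write_errno(4)));
    return 0;
}
```

Running this on Linux gives the reference answers a sandbox has to match; the overflow case uses an offset of INT64_MAX - 4 with a length of 8 so the sum wraps negative without the length itself being unreasonable.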
Test command:
$ ip route get 1.1.1.1
Fixes: #1099
Signed-off-by: Jianfeng Tan <henry.tjf@antfin.com>
COPYBARA_INTEGRATE_REVIEW=https://github.com/google/gvisor/pull/1121 from tanjianfeng:fix-1099 e6919f3d4ede5aa51a48b3d2be0d7a4b482dd53d
PiperOrigin-RevId: 291990716
And Type* over Type *. This is basically a whitespace only change.
gVisor code already prefers left-alignment of pointers and references, but
clang-format formats for consistency with the majority of a file, and some
files leaned the wrong way. This is a one-time pass to make us completely
conforming.
Autogenerated with:
$ find . \( -name "*.cc" -or -name "*.c" -or -name "*.h" \) \
| xargs clang-format -i -style="{BasedOnStyle: Google, \
DerivePointerAlignment: false, PointerAlignment: Left}"
PiperOrigin-RevId: 291972421
Note that these simply will use the same logic as getxattr and setxattr, which
is not yet implemented for most filesystems.
PiperOrigin-RevId: 290800960
These can remain disabled until we actually support extended attributes.
The following modifications were also made:
1. Disable save/restore on tests that change file permissions. Restore will not
work properly for these tests, since it will try to open the file with
read-write after it has been read- or write-only.
2. Change user.abc to user.test.
PiperOrigin-RevId: 290123941
All inbound segments for connections in ESTABLISHED state are delivered to the
endpoint's queue but for every segment delivered we also queue the endpoint for
processing to a selected processor. This ensures that when there are a large
number of connections in ESTABLISHED state the inbound packets are all handled
by a small number of goroutines and significantly reduces the amount of work the
Go scheduler has to perform.
We let connections in other states follow the current path where the
endpoint's goroutine directly handles the segments.
Updates #231
PiperOrigin-RevId: 289728325
Added tests for the TCP protocol with input and output rules, including the sport and dport options.
Increased the timeout in iptables_test as TCP tests were timing out with the existing value.
This test fails on ubuntu 18.04 because preadv2 for some reason returns
EOPNOTSUPP instead of EINVAL. Instead of root-causing the failure, I'm dropping
the flag in the preadv2 call since it isn't under test in this scenario.
PiperOrigin-RevId: 289188358
Fix the indentation and print statements.
Moved the NAT redirect tests to new file.
Added a negative test to check the redirect rule on ports other than the
redirected port.
This change calls a new Truncate method on the EndpointReader in RecvMsg for
both netlink and unix sockets. This allows readers such as sockets to peek at
the length of data without actually reading it to a buffer.
Fixes #993 #1240
PiperOrigin-RevId: 288800167
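What "peek at the length of data without actually reading it" looks like from user space, as an added example (not gVisor code): a recvmsg with MSG_PEEK|MSG_TRUNC and a one-byte buffer reports the full datagram length, sets MSG_TRUNC in msg_flags, and leaves the datagram queued for the next read. A unix datagram socketpair stands in for a netlink socket here; the payload is constructed and the helper name is the example's own.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

/* Added example, not gVisor code. Returns the length reported by a
 * MSG_PEEK|MSG_TRUNC recvmsg if the kernel also set MSG_TRUNC and the
 * datagram was then read back intact; -1 on a setup error; -2 if the
 * observed semantics differ from that. Payload must fit in 512 bytes. */
static ssize_t peek_datagram_length(const char *payload) {
    size_t len = strlen(payload);
    int sv[2];
    if (len > 512 || socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0) return -1;
    if (send(sv[0], payload, len, 0) != (ssize_t)len) {
        close(sv[0]); close(sv[1]);
        return -1;
    }

    /* 1. Peek with a buffer far too small; MSG_TRUNC asks for the real length. */
    char tiny[1];
    struct iovec iov = { .iov_base = tiny, .iov_len = sizeof(tiny) };
    struct msghdr msg;
    memset(&msg, 0, sizeof(msg));
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    ssize_t peeked = recvmsg(sv[1], &msg, MSG_PEEK | MSG_TRUNC);
    int truncated = (msg.msg_flags & MSG_TRUNC) != 0;

    /* 2. The datagram is still queued: read it for real now. */
    char full[512];
    ssize_t got = recv(sv[1], full, sizeof(full), 0);
    close(sv[0]); close(sv[1]);

    if (peeked < 0 || got < 0) return -1;
    if (!truncated || (size_t)peeked != len || (size_t)got != len ||
        memcmp(full, payload, len) != 0)
        return -2;
    return peeked;
}

int main(void) {
    const char *sample = "constructed datagram whose length we want before allocating";
    printf("peeked length: %zd (strlen %zu)\n", peek_datagram_length(sample), strlen(sample));
    return 0;
}
```

A reader that wants to size its buffer exactly does the peek first and the real read second; the peek consumes nothing, which is exactly what the Truncate path in RecvMsg has to preserve.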
This gets us closer to passing the iptables tests and opens up iptables
so it can be worked on by multiple people.
A few restrictions are enforced for security (i.e. we don't want to let
users write a bunch of iptables rules and then just not enforce them):
- Only the filter table is writable.
- Only ACCEPT rules with no matching criteria can be added.
The write tests are fitted to Linux-specific behavior, but it is not
well-specified. Tweak the tests to allow for both acceptable outcomes.
PiperOrigin-RevId: 288606386
Added the ability to get/set the IP_RECVTOS socket option on UDP endpoints. If
enabled, the TOS from the incoming network header is passed as ancillary data in the
ControlMessages.
Test:
* Added unit test to udp_test.go that tests getting/setting as well as
verifying that we receive expected TOS from incoming packet.
* Added a syscall test
PiperOrigin-RevId: 287029703
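The user-space side of the option above, as an added example (not gVisor code or its unit/syscall tests): enable IP_RECVTOS on a UDP receiver, send a datagram marked with IP_TOS over loopback, and pull the TOS byte out of the control messages. The cmsg walker is kept separate so it can also be run on a hand-built control buffer (constructed input); helper names are the example's own, and the TOS value 0x28 is arbitrary.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

/* Added example, not gVisor code. */

/* Return the IP_TOS byte carried in msg's ancillary data, or -1 if none. */
static int tos_from_msghdr(struct msghdr *msg) {
    for (struct cmsghdr *c = CMSG_FIRSTHDR(msg); c != NULL; c = CMSG_NXTHDR(msg, c)) {
        if (c->cmsg_level == IPPROTO_IP && c->cmsg_type == IP_TOS) {
            unsigned char tos;                 /* Linux delivers exactly one byte */
            memcpy(&tos, CMSG_DATA(c), sizeof(tos));
            return tos;
        }
    }
    return -1;
}

/* Build a control buffer the way the kernel would (constructed input) and
 * parse it back with the walker above. No sockets involved. */
static int constructed_cmsg_roundtrip(unsigned char tos) {
    char ctrl[CMSG_SPACE(sizeof(unsigned char))];
    struct msghdr msg;
    memset(&msg, 0, sizeof(msg));
    memset(ctrl, 0, sizeof(ctrl));
    msg.msg_control = ctrl;
    msg.msg_controllen = sizeof(ctrl);
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (c == NULL) return -1;
    c->cmsg_level = IPPROTO_IP;
    c->cmsg_type = IP_TOS;
    c->cmsg_len = CMSG_LEN(sizeof(tos));
    memcpy(CMSG_DATA(c), &tos, sizeof(tos));
    return tos_from_msghdr(&msg);
}

/* Set IP_RECVTOS to `on` and return what getsockopt reports, or -1 on error. */
static int recvtos_roundtrip(int on) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    int got = -1;
    socklen_t len = sizeof(got);
    int rc = setsockopt(fd, IPPROTO_IP, IP_RECVTOS, &on, sizeof(on));
    if (rc == 0) rc = getsockopt(fd, IPPROTO_IP, IP_RECVTOS, &got, &len);
    close(fd);
    return rc == 0 ? got : -1;
}

/* Live check over loopback: sender marks its datagram with IP_TOS=tos, the
 * receiver has IP_RECVTOS on. Returns the TOS seen in the receiver's
 * ancillary data, or -1 on any error (e.g. no loopback in the sandbox). */
static int recv_tos_over_loopback(int tos) {
    int rx = socket(AF_INET, SOCK_DGRAM, 0), tx = socket(AF_INET, SOCK_DGRAM, 0);
    int result = -1, on = 1;
    char data[8], ctrl[64];
    struct iovec iov = { .iov_base = data, .iov_len = sizeof(data) };
    struct msghdr msg;
    struct sockaddr_in addr;
    socklen_t alen = sizeof(addr);
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = 0;                                    /* kernel picks a port */
    if (rx < 0 || tx < 0) goto out;
    if (setsockopt(rx, IPPROTO_IP, IP_RECVTOS, &on, sizeof(on)) < 0) goto out;
    if (bind(rx, (struct sockaddr *)&addr, sizeof(addr)) < 0) goto out;
    if (getsockname(rx, (struct sockaddr *)&addr, &alen) < 0) goto out;
    if (setsockopt(tx, IPPROTO_IP, IP_TOS, &tos, sizeof(tos)) < 0) goto out;
    if (sendto(tx, "x", 1, 0, (struct sockaddr *)&addr, sizeof(addr)) != 1) goto out;
    memset(&msg, 0, sizeof(msg));
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = ctrl;
    msg.msg_controllen = sizeof(ctrl);
    if (recvmsg(rx, &msg, 0) < 0) goto out;
    result = tos_from_msghdr(&msg);
out:
    if (rx >= 0) close(rx);
    if (tx >= 0) close(tx);
    return result;
}

int main(void) {
    printf("IP_RECVTOS reads back as:       %d\n", recvtos_roundtrip(1));
    printf("constructed cmsg round-trip:    0x%02x\n", constructed_cmsg_roundtrip(0x28));
    printf("TOS received over loopback:     0x%02x\n", recv_tos_over_loopback(0x28));
    return 0;
}
```

Without IP_RECVTOS the receiver gets the payload but no IP_TOS control message, so `tos_from_msghdr` returns -1; that is the difference the option makes.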
This change is needed to be compatible with the Linux kernel.
There is no glibc wrapper for the futex system call, so it is easy to
make a mistake and call syscall(__NR_futex, FUTEX_WAKE, addr) without
the fourth argument. This works on Linux, because it wakes one waiter
even if val is nonpositive.
PiperOrigin-RevId: 286494396
This test suite has existed for quite a while and has become kind of messy.
Various tests can be joined together by parameterizing.
PiperOrigin-RevId: 286482240
When listen(2) is called on an unbound socket, the socket is
automatically bound to a random free port with the local address
set to INADDR_ANY.
PiperOrigin-RevId: 286305906
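The behaviour above observed from user space, as an added example (not gVisor code or its tests): listen(2) on a TCP socket that was never bound, then getsockname(2) to read back the port the kernel picked and the INADDR_ANY local address. Helper names are the example's own.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Added example, not gVisor code. Listens on an unbound IPv4 TCP socket
 * and fills *sin with the address the kernel auto-bound. Returns 0 or -1. */
static int listen_unbound(struct sockaddr_in *sin) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    socklen_t len = sizeof(*sin);
    if (fd < 0) return -1;
    memset(sin, 0, sizeof(*sin));
    /* No bind(2) here: listen(2) has to pick a free port by itself. */
    if (listen(fd, 1) < 0 || getsockname(fd, (struct sockaddr *)sin, &len) < 0) {
        close(fd);
        return -1;
    }
    close(fd);
    return 0;
}

/* The port (host byte order) the kernel chose, or -1 on error. */
static int autobound_port(void) {
    struct sockaddr_in sin;
    if (listen_unbound(&sin) < 0) return -1;
    return ntohs(sin.sin_port);
}

/* 1 if the auto-bound local address is INADDR_ANY, 0 if not, -1 on error. */
static int autobound_addr_is_any(void) {
    struct sockaddr_in sin;
    if (listen_unbound(&sin) < 0) return -1;
    return sin.sin_addr.s_addr == htonl(INADDR_ANY);
}

int main(void) {
    struct sockaddr_in sin;
    char text[INET_ADDRSTRLEN];
    if (listen_unbound(&sin) < 0) {
        perror("listen on unbound socket");
        return 1;
    }
    inet_ntop(AF_INET, &sin.sin_addr, text, sizeof(text));
    printf("listen() auto-bound to %s:%u\n", text, ntohs(sin.sin_port));
    return 0;
}
```

The port is drawn from the same ephemeral range a bind to port 0 would use; a sandbox that does not auto-bind would report port 0 here, which is the case the commit fixes.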