diff options
author | Stefano Brivio <sbrivio@redhat.com> | 2023-03-08 18:07:42 +0100 |
---|---|---|
committer | Stefano Brivio <sbrivio@redhat.com> | 2023-03-09 03:44:21 +0100 |
commit | d7272f1df89c099a7e98ae43d1ef9b936c7e46f7 (patch) | |
tree | e8b9f5692361876f5cbfa3778358bde9eafd0be2 /contrib/selinux/passt.te | |
parent | bb2b67cb3549ea2509f5b7b88790e08d2e362351 (diff) | |
download | passt-d7272f1df89c099a7e98ae43d1ef9b936c7e46f7.tar passt-d7272f1df89c099a7e98ae43d1ef9b936c7e46f7.tar.gz passt-d7272f1df89c099a7e98ae43d1ef9b936c7e46f7.tar.bz2 passt-d7272f1df89c099a7e98ae43d1ef9b936c7e46f7.tar.lz passt-d7272f1df89c099a7e98ae43d1ef9b936c7e46f7.tar.xz passt-d7272f1df89c099a7e98ae43d1ef9b936c7e46f7.tar.zst passt-d7272f1df89c099a7e98ae43d1ef9b936c7e46f7.zip |
tcp: Clamp MSS value when queueing data to tap, also for pasta
Tom reports that a pattern of repated ~1 MiB chunks downloads over
NNTP over TLS, on Podman 4.4 using pasta as network back-end, results
in pasta taking one full CPU thread after a while, and the download
never succeeds.
On that setup, we end up re-sending the same frame over and over,
with a consistent 65 534 bytes size, and never get an
acknowledgement from the tap-side client. This only happens for the
default MTU value (65 520 bytes) or for values that are slightly
smaller than that (down to 64 499 bytes).
We hit this condition because the MSS value we use in
tcp_data_from_sock(), only in pasta mode, is simply clamped to
USHRT_MAX, and not to the actual size of the buffers we pre-cooked
for sending, which is a bit less than that.
It looks like we got away with it until commit 0fb7b2b9080a ("tap:
Use different io vector bases depending on tap type") fixed the
setting of iov_len.
Luckily, since it's pasta, we're queueing up to two frames at a time,
so the worst that can happen is a badly segmented TCP stream: we
always have some space at the tail of the buffer.
Clamp the MSS value to the appropriate maximum given by struct
tcp{4,6}_buf_data_t, no matter if we're running in pasta or passt
mode.
While at it, fix the comments to those structs to reflect the current
struct size. This is not really relevant for any further calculation
or consideration, but it's convenient to know while debugging this
kind of issues.
Thanks to Tom for reporting the issue in a very detailed way and for
providing a test setup.
Reported-by: Tom Mombourquette <tom@devnode.com>
Link: https://github.com/containers/podman/issues/17703
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Diffstat (limited to 'contrib/selinux/passt.te')
0 files changed, 0 insertions, 0 deletions