Commit log. Each entry lists the commit message, followed by author, date, number of files changed and lines removed/added.
* passt: Include linux/seccomp.h and linux/audit.h instead of seccomp.h
  [Stefano Brivio, 2021-10-19, 1 file, -1/+2]
  We don't use libseccomp.
  Reported-by: Martin Hauke <mardnh@gmx.de>
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* netlink, conf: Actually get prefix/mask length
  [Stefano Brivio, 2021-10-19, 4 files, -10/+24]
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* tcp: Arm tcp_data_noack on insufficient window too, don't reset if ACK doesn't match
  [Stefano Brivio, 2021-10-16, 1 file, -2/+4]
  ...and while at it, reverse the operands in the window equality comparison to detect the need for fast re-transmit: it's easier to read this way.
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* passt: Add clock_gettime to list of allowed syscalls
  [Stefano Brivio, 2021-10-16, 1 file, -0/+1]
  ...depending on the system clock source, glibc might use it to fetch the wall time.
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* passt: Static builds: don't redefine __vsyslog(), skip getpwnam() and initgroups()
  [Stefano Brivio, 2021-10-16, 5 files, -12/+21]
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* util, pasta: Don't read() and lseek() every single line in read_line()
  [Stefano Brivio, 2021-10-16, 2 files, -5/+24]
  ...periodically checking bound ports becomes quite expensive otherwise.
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* udp: drop bogus udp_tap_map ts assignment
  [Stefan Hajnoczi, 2021-10-15, 1 file, -1/+0]
  The 'ts' field is a timestamp so assigning the socket file descriptor is incorrect. There is no actual bug because the current time is assigned just a few lines later:

      udp_tap_map[V4][src].sock = s;
      udp_tap_map[V4][src].ts = s;
      ^^^^^^^^^^^ bogus ^^^^^^^^^^
      bitmap_set(udp_act[V4][UDP_ACT_TAP], src);
      }
      udp_tap_map[V4][src].ts = now->tv_sec;
      ^^^^^^^^^^^^^^^ correct ^^^^^^^^^^^^^^

  Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* demo/pasta: Swap init>ns and ns>init flows
  [Stefano Brivio, 2021-10-15, 1 file, -24/+24]
  ...make those short performance tests actually match table headers.
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* util: Don't duplicate debug messages, they're already on stderr
  [Stefano Brivio, 2021-10-15, 1 file, -4/+4]
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* tcp: ...and so I got a socket called zero
  [Stefano Brivio, 2021-10-15, 1 file, -35/+44]
  I thought I'd get away with it, but no, after some clean-ups, I finally got a socket with number 0. Fix up all the convenient, yet botched assumptions.
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* passt: Check if a PID file was actually requested before creating it
  [Stefano Brivio, 2021-10-15, 1 file, -1/+1]
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* util: Define ROUND_UP()
  [Stefano Brivio, 2021-10-15, 1 file, -0/+2]
  ...not actually used, just for completeness, as ROUND_DOWN() is defined.
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* tcp: Bump TCP_TAP_FRAMES back to 256
  [Stefano Brivio, 2021-10-15, 1 file, -1/+1]
  With a batched sendmsg(), this is now beneficial.
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* tcp: Get rid of iov with cached MSS, drop sendmmsg(), add deferred flush
  [Stefano Brivio, 2021-10-15, 1 file, -139/+130]
  Caching iov_len for messages from socket doesn't actually decrease overhead by the tiniest bit, and added a lot of complexity. Drop that.

  Also drop the sendmmsg(), we don't need to send multiple messages with TCP, as long as we make sure no messages with a length descriptor are sent partially, qemu is fine with it.

  Just like it's done for segments without data (flags), also defer the sendmsg() for sending data segments, to improve batching.
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* tcp: Clamp MSS depending on IP version, properly derive buffer sizes
  [Stefano Brivio, 2021-10-15, 1 file, -17/+19]
  It makes no sense to include an IPv6 header in the calculation for clamping MSS on IPv4.
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* conf, pasta: Create a new namespace also if probing netns options failed
  [Stefano Brivio, 2021-10-15, 1 file, -1/+1]
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* checksum: Stream load into four registers at a time with > 128 bytes
  [Stefano Brivio, 2021-10-15, 1 file, -3/+47]
  ...and further interleave register usage. This brings the csum() overhead reported by perf(1) for 30 seconds of 64KiB TCP IPv4 frames, host to guest, from 7.2% to 5.8%.
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* checksum: Interleave lo/hi sums while folding into 128-bit sums, drop TODO
  [Stefano Brivio, 2021-10-15, 1 file, -3/+3]
  I left a TODO and never checked -- this actually seems to slightly improve CPIs on AMD Naples (two 128-bit FMA units glued together).
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* pasta: Allow nanosleep(2) and clock_nanosleep(2) syscalls too
  [Stefano Brivio, 2021-10-14, 1 file, -1/+1]
  ...we need those to wait for terminating processes in the namespace.
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* netlink: Bring up interface even if neither MTU nor MAC address is configured
  [Stefano Brivio, 2021-10-14, 1 file, -0/+5]
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* passt: Don't refuse to run if UID is 0 in non-init namespace
  [Stefano Brivio, 2021-10-14, 1 file, -1/+14]
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* pasta: Push pasta.h header
  [Stefano Brivio, 2021-10-14, 1 file, -0/+3]
  ...I forgot to add this earlier.
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* slirp4netns.sh: Introduce compatibility wrapper behaving like slirp4netns(1)
  [Stefano Brivio, 2021-10-14, 1 file, -0/+227]
  Warning: draft quality, not really tested, --enable-sandbox not supported yet.

  Example:

      $ unshare -rUn
      # echo $$
      3130879

      $ ./slirp4netns.sh -m 65520 -c 3130879 tap0
      sent tapfd=5 for tap0
      received tapfd=5
      Starting slirp
      * MTU:             65520
      * Network:         10.0.2.0
      * Netmask:         255.255.255.0
      * Gateway:         10.0.2.2
      * DNS:             10.0.2.3
      * Recommended IP:  10.0.2.100
      WARNING: 127.0.0.1:* on the host is accessible as 10.0.2.2 (set --disable-host-loopback to prohibit connecting to 127.0.0.1:*)

      # ip li sh
      1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
          link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
      33: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65520 qdisc pfifo_fast state UNKNOWN mode DEFAULT group default qlen 1000
          link/ether 5e:9d:a0:c5:cf:67 brd ff:ff:ff:ff:ff:ff
      # ip ad sh
      1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
          link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
          inet 127.0.0.1/8 scope host lo
             valid_lft forever preferred_lft forever
          inet6 ::1/128 scope host
             valid_lft forever preferred_lft forever
      33: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65520 qdisc pfifo_fast state UNKNOWN group default qlen 1000
          link/ether 5e:9d:a0:c5:cf:67 brd ff:ff:ff:ff:ff:ff
          inet 10.0.2.0/24 scope global tap0
             valid_lft forever preferred_lft forever
          inet6 fe80::5c9d:a0ff:fec5:cf67/64 scope link
             valid_lft forever preferred_lft forever
      # ip ro sh
      default via 10.0.2.2 dev tap0
      10.0.2.0/24 dev tap0 proto kernel scope link src 10.0.2.0
      root@epycfail:~# ip -6 ro sh
      fe80::/64 dev tap0 proto kernel metric 256 pref medium
      # iperf3 -c 10.0.2.2 -l1M
      Connecting to host 10.0.2.2, port 5201
      [  5] local 10.0.2.0 port 43014 connected to 10.0.2.2 port 5201
      [ ID] Interval           Transfer     Bitrate         Retr  Cwnd
      [  5]   0.00-1.00   sec  1.38 GBytes  11.8 Gbits/sec    0   9.96 MBytes
      [  5]   1.00-2.00   sec  1.59 GBytes  13.6 Gbits/sec    0   13.3 MBytes
      [  5]   2.00-3.00   sec  1.63 GBytes  14.0 Gbits/sec    0   13.3 MBytes
      [  5]   3.00-4.00   sec  1.78 GBytes  15.3 Gbits/sec    0   13.3 MBytes
      [  5]   4.00-5.00   sec  1.80 GBytes  15.5 Gbits/sec    0   15.8 MBytes
      [  5]   5.00-6.00   sec  1.69 GBytes  14.5 Gbits/sec    0   15.8 MBytes
      [  5]   6.00-7.00   sec  1.65 GBytes  14.2 Gbits/sec    0   15.8 MBytes
      [  5]   7.00-8.00   sec  1.68 GBytes  14.4 Gbits/sec    0   15.8 MBytes
      [  5]   8.00-9.00   sec  1.60 GBytes  13.7 Gbits/sec    0   15.8 MBytes
      [  5]   9.00-10.00  sec  1.66 GBytes  14.3 Gbits/sec    0   15.8 MBytes
      - - - - - - - - - - - - - - - - - - - - - - - - -
      [ ID] Interval           Transfer     Bitrate         Retr
      [  5]   0.00-10.00  sec  16.5 GBytes  14.1 Gbits/sec    0             sender
      [  5]   0.00-10.01  sec  16.4 GBytes  14.1 Gbits/sec                  receiver

      iperf Done.

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* netlink, pasta: Configure MTU of tap interface on --config-net
  [Stefano Brivio, 2021-10-14, 4 files, -21/+33]
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* conf: Add -P, --pid, to specify a file where own PID is written to
  [Stefano Brivio, 2021-10-14, 4 files, -3/+48]
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* conf: Reset netns_only flag after probing
  [Stefano Brivio, 2021-10-14, 1 file, -1/+3]
  ...if we check whether an option might be a namespace specification, and it turns out not to be (e.g. with --pcap), we might set netns_only, but we don't reset it back to 0 if it wasn't set.
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* tcp: Explicitly align IP headers in tcp4_l2_{,flags}buf_t also in non-AVX2 build
  [Stefano Brivio, 2021-10-14, 1 file, -14/+12]
  Otherwise, tcp4_l2_flags_buf_t is not consistent with tcp4_l2_buf_t and header fields get all mixed up in tcp_l2_buf_fill_headers().
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* conf, tcp, udp: Add --no-map-gw to disable mapping gateway address to host
  [Stefano Brivio, 2021-10-14, 5 files, -5/+15]
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* passt: Warn if we're running as root, abort if we can't change to nobody:nobody
  [Stefano Brivio, 2021-10-14, 1 file, -0/+29]
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* conf: Reset errno before checking port specifier with strtol(3)
  [Stefano Brivio, 2021-10-14, 1 file, -0/+1]
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* passt: Drop all capabilities that we might have, except for CAP_NET_BIND_SERVICE
  [Stefano Brivio, 2021-10-14, 1 file, -0/+18]
  While it's not recommended to give passt any capability, drop all the ones we might have got by mistake, except for the only sensible one, CAP_NET_BIND_SERVICE.
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* passt, pasta: Completely avoid dynamic memory allocation
  [Stefano Brivio, 2021-10-14, 6 files, -28/+389]
  Replace libc functions that might dynamically allocate memory with own implementations or wrappers. Drop brk(2) from list of allowed syscalls in seccomp profile.
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* passt, pasta: Add seccomp support
  [Stefano Brivio, 2021-10-14, 10 files, -9/+259]
  List of allowed syscalls comes from comments in the form:

      #syscalls <list>

  for syscalls needed both in passt and pasta mode, and:

      #syscalls:pasta <list>
      #syscalls:passt <list>

  for syscalls specifically needed in pasta or passt mode only.

  seccomp.sh builds a list of BPF statements from those comments, prefixed by a binary search tree to keep lookup fast.

  While at it, clean up a bit the Makefile using wildcards.
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* test: Drop debugging left-overs in lib/util
  [Stefano Brivio, 2021-10-14, 1 file, -4/+0]
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* doc: Add to man page tip to grant passt the CAP_NET_BIND_SERVICE capability
  [Stefano Brivio, 2021-10-14, 1 file, -1/+6]
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* doc: Fix up note about missing tcpi_snd_wnd in man page
  [Stefano Brivio, 2021-10-14, 1 file, -7/+3]
  The behaviour without tcpi_snd_wnd changed: the only difference now is the advertised window, which corresponds to the queried sending buffer size.
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* tcp: Decrease pool size for pipes to 16
  [Stefano Brivio, 2021-10-14, 1 file, -1/+1]
  This should be a reasonable balance between quick connection establishment and a fast start-up.
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* util: Fix comment to bitmap_clear()
  [Stefano Brivio, 2021-10-14, 1 file, -1/+1]
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* conf, tap: Split netlink and pasta functions, allow interface configuration
  [Stefano Brivio, 2021-10-14, 11 files, -609/+703]
  Move netlink routines to their own file, and use netlink to configure or fetch all the information we need, except for the TUNSETIFF ioctl.

  Move pasta-specific functions to their own file as well, add parameters and calls to configure the tap interface in the namespace.
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* conf: Don't get IPv{4,6} DNS addresses if IPv{4,6} is disabled
  [Stefano Brivio, 2021-10-10, 1 file, -4/+6]
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* conf: Avoid getifaddrs(), split L2/L3 address fetching, get filtered dumps
  [Stefano Brivio, 2021-10-10, 2 files, -124/+170]
  getifaddrs() needs to allocate heap memory, and gets a ton of results we don't need. Use explicit netlink messages with "strict checking" instead.

  While at it, separate L2/L3 address handling, so that we don't fetch MAC addresses for IPv6, and also use netlink instead of ioctl() to get the MAC address.
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* README: Drop domain part in absolute links
  [Stefano Brivio, 2021-10-07, 1 file, -25/+25]
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* conf: Fix getopt_long() return value for --quiet
  [Stefano Brivio, 2021-10-07, 1 file, -1/+1]
  Only the short version actually worked.
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* pasta: Add second waitid() in pasta_child_handler()
  [Stefano Brivio, 2021-10-07, 1 file, -0/+1]
  We usually have up to one additional child exiting while we receive a SIGCHLD, instead of complicating this with tracking PIDs, just add a second waitid() call.
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* pasta: Allow specifying paths and names of namespaces
  [Giuseppe Scrivano, 2021-10-07, 12 files, -79/+240]
  Based on a patch from Giuseppe Scrivano, this adds the ability to:
  - specify paths and names of target namespaces to join, instead of a PID, also for user namespaces, with --userns
  - request to join or create a network namespace only, without entering or creating a user namespace, with --netns-only
  - specify the base directory for netns mountpoints, with --nsrun-dir
  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
  [sbrivio: reworked logic to actually join the given namespaces when they're not created, implemented --netns-only and --nsrun-dir, updated pasta demo script and man page]
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* git: Add pre-push hook
  [Stefano Brivio, 2021-10-06, 1 file, -0/+64]
  I've been using this for a while, now it's all "nice" and clean.
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* tcp: Check if timestamp is passed also while sending FIN to tap/guest
  [Stefano Brivio, 2021-10-05, 1 file, -1/+1]
  ...it's probably possible that we might need to reset a connection together with a FIN segment.
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* tcp: Drop EPOLLOUT for connections being established earlier
  [Stefano Brivio, 2021-10-05, 1 file, -3/+3]
  That's the first thing we have to do, before sending SYN, ACK: if tcp_send_to_tap() fails, we'll get a lot of useless events otherwise.
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* conf: Silence gcc -Os warning
  [Stefano Brivio, 2021-10-05, 1 file, -1/+1]
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* passt: Shrink binary size by dropping static initialisers
  [Stefano Brivio, 2021-10-05, 4 files, -53/+73]
  ...from 11MiB to 155KiB for 'make avx2', 95KiB with -Os and stripped.
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>