Commit log: commit message, then (author, date; files changed, lines removed/added)
* conf: Reset errno before checking port specifier with strtol(3)
  (Stefano Brivio, 2021-10-14; 1 file, -0/+1)

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* passt: Drop all capabilities that we might have, except for CAP_NET_BIND_SERVICE
  (Stefano Brivio, 2021-10-14; 1 file, -0/+18)

  While it's not recommended to give passt any capability, drop all the ones we might have got by mistake, except for the only sensible one, CAP_NET_BIND_SERVICE.

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* passt, pasta: Completely avoid dynamic memory allocation
  (Stefano Brivio, 2021-10-14; 6 files, -28/+389)

  Replace libc functions that might dynamically allocate memory with own implementations or wrappers. Drop brk(2) from list of allowed syscalls in seccomp profile.

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* passt, pasta: Add seccomp support
  (Stefano Brivio, 2021-10-14; 10 files, -9/+259)

  List of allowed syscalls comes from comments in the form:

      #syscalls <list>

  for syscalls needed both in passt and pasta mode, and:

      #syscalls:pasta <list>
      #syscalls:passt <list>

  for syscalls specifically needed in pasta or passt mode only.

  seccomp.sh builds a list of BPF statements from those comments, prefixed by a binary search tree to keep lookup fast.

  While at it, clean up a bit the Makefile using wildcards.

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* test: Drop debugging left-overs in lib/util
  (Stefano Brivio, 2021-10-14; 1 file, -4/+0)

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* doc: Add to man page tip to grant passt the CAP_NET_BIND_SERVICE capability
  (Stefano Brivio, 2021-10-14; 1 file, -1/+6)

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* doc: Fix up note about missing tcpi_snd_wnd in man page
  (Stefano Brivio, 2021-10-14; 1 file, -7/+3)

  The behaviour without tcpi_snd_wnd changed: the only difference now is the advertised window, which corresponds to the queried sending buffer size.

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* tcp: Decrease pool size for pipes to 16
  (Stefano Brivio, 2021-10-14; 1 file, -1/+1)

  This should be a reasonable balance between quick connection establishment and a fast start-up.

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* util: Fix comment to bitmap_clear()
  (Stefano Brivio, 2021-10-14; 1 file, -1/+1)

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* conf, tap: Split netlink and pasta functions, allow interface configuration
  (Stefano Brivio, 2021-10-14; 11 files, -609/+703)

  Move netlink routines to their own file, and use netlink to configure or fetch all the information we need, except for the TUNSETIFF ioctl.

  Move pasta-specific functions to their own file as well, add parameters and calls to configure the tap interface in the namespace.

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* conf: Don't get IPv{4,6} DNS addresses if IPv{4,6} is disabled
  (Stefano Brivio, 2021-10-10; 1 file, -4/+6)

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* conf: Avoid getifaddrs(), split L2/L3 address fetching, get filtered dumps
  (Stefano Brivio, 2021-10-10; 2 files, -124/+170)

  getifaddrs() needs to allocate heap memory, and gets a ton of results we don't need. Use explicit netlink messages with "strict checking" instead.

  While at it, separate L2/L3 address handling, so that we don't fetch MAC addresses for IPv6, and also use netlink instead of ioctl() to get the MAC address.

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* README: Drop domain part in absolute links
  (Stefano Brivio, 2021-10-07; 1 file, -25/+25)

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* conf: Fix getopt_long() return value for --quiet
  (Stefano Brivio, 2021-10-07; 1 file, -1/+1)

  Only the short version actually worked.

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* pasta: Add second waitid() in pasta_child_handler()
  (Stefano Brivio, 2021-10-07; 1 file, -0/+1)

  We usually have up to one additional child exiting while we receive a SIGCHLD, instead of complicating this with tracking PIDs, just add a second waitid() call.

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* pasta: Allow specifying paths and names of namespaces
  (Giuseppe Scrivano, 2021-10-07; 12 files, -79/+240)

  Based on a patch from Giuseppe Scrivano, this adds the ability to:

  - specify paths and names of target namespaces to join, instead of a PID, also for user namespaces, with --userns
  - request to join or create a network namespace only, without entering or creating a user namespace, with --netns-only
  - specify the base directory for netns mountpoints, with --nsrun-dir

  Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
  [sbrivio: reworked logic to actually join the given namespaces when they're not created, implemented --netns-only and --nsrun-dir, updated pasta demo script and man page]
  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* git: Add pre-push hook
  (Stefano Brivio, 2021-10-06; 1 file, -0/+64)

  I've been using this for a while, now it's all "nice" and clean.

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* tcp: Check if timestamp is passed also while sending FIN to tap/guest
  (Stefano Brivio, 2021-10-05; 1 file, -1/+1)

  ...it's probably possible that we might need to reset a connection together with a FIN segment.

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* tcp: Drop EPOLLOUT for connections being established earlier
  (Stefano Brivio, 2021-10-05; 1 file, -3/+3)

  That's the first thing we have to do, before sending SYN, ACK: if tcp_send_to_tap() fails, we'll get a lot of useless events otherwise.

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* conf: Silence gcc -Os warning
  (Stefano Brivio, 2021-10-05; 1 file, -1/+1)

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* passt: Shrink binary size by dropping static initialisers
  (Stefano Brivio, 2021-10-05; 4 files, -53/+73)

  ...from 11MiB to 155KiB for 'make avx2', 95KiB with -Os and stripped.

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* test/lib/term: Export PCAP and DEBUG variables for tmux sessions globally
  (Stefano Brivio, 2021-10-05; 1 file, -0/+1)

  Otherwise, this would depend on the local tmux configuration.

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* test/lib/setup: Increase --max-stackframe in commented-out valgrind command
  (Stefano Brivio, 2021-10-05; 1 file, -1/+1)

  ...so that I don't keep fighting with this for pasta clone() calls.

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* tcp: Simplify ACK-sending conditions in tcp_data_from_tap()
  (Stefano Brivio, 2021-10-05; 1 file, -20/+9)

  Now that we have a proper function checking when and how to send ACKs and window updates, we don't need to duplicate this logic in tcp_data_from_tap().

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* tcp: Always probe SO_SNDBUF, second attempt
  (Stefano Brivio, 2021-10-05; 1 file, -3/+0)

  I fell for this already: the sending buffer might shrink later!

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* tcp: Defer and coalesce all segments with no data (flags) to handler
  (Stefano Brivio, 2021-10-05; 2 files, -142/+377)

  ...using pre-cooked buffers, just like we do with other segments.

  While at it, remove some code duplication by having separate functions for updating ACK sequence and window, and for filling in buffer headers.

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* tcp: Increase LOW_RTT_THRESHOLD to 10us
  (Stefano Brivio, 2021-10-05; 1 file, -1/+1)

  Sometimes we can get up to 6-7us minimum RTT for local connections too.

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* tcp: Reduce size of socket pools
  (Stefano Brivio, 2021-10-05; 1 file, -2/+2)

  A large pool helps marginally with CRR latency, but has detrimental effects on TCP memory pressure.

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* tcp: Increase TCP_TAP_FRAMES once more
  (Stefano Brivio, 2021-10-05; 1 file, -1/+1)

  With an increased sending buffer size for the AF_UNIX socket, we can get slightly lower overhead.

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* tcp, tap: Turn tcp_probe_mem() into sock_probe_mem(), use for AF_UNIX socket too
  (Stefano Brivio, 2021-10-05; 7 files, -40/+49)

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* passt: Add handler for optional deferred tasks
  (Stefano Brivio, 2021-10-05; 1 file, -20/+26)

  We'll need this for TCP ACK coalescing on tap/guest-side. For convenience, allow _handler() functions to be undefined, courtesy of __attribute__((weak)).

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* demo/pasta: Enter the right directory before issuing perf report -g
  (Stefano Brivio, 2021-10-04; 1 file, -1/+1)

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* tcp: Fix botched timeout comparison
  (Stefano Brivio, 2021-10-04; 1 file, -2/+2)

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* tcp: Check pending ACK every two thirds of window, not every half
  (Stefano Brivio, 2021-10-04; 1 file, -1/+1)

  ...to spare some syscalls. If it's not enough, the timer will take care of it.

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* tcp: Don't set ACK flag while merely updating window value
  (Stefano Brivio, 2021-10-04; 1 file, -15/+19)

  The receiver might take this as a duplicate ACK otherwise.

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* tcp: Set TCP_TAP_FRAMES back to 32
  (Stefano Brivio, 2021-10-04; 1 file, -1/+1)

  Now that we fixed the issue with small receiving buffers, we can safely increase this back and get slightly lower syscall overhead.

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* tcp: Probe net.core.{r,w}mem_max, don't set SO_{RCV,SND}BUF if low
  (Stefano Brivio, 2021-10-04; 2 files, -16/+26)

  If net.core.rmem_max and net.core.wmem_max sysctls have low values, we can get bigger buffers by not trying to set them high -- the kernel would lock their values to what we get.

  Try, instead, to get bigger buffers by queueing as much as possible, and if maximum values in tcp_wmem and tcp_rmem are bigger than this, that will work.

  While at it, drop QUICKACK option for non-spliced sockets, I set that earlier by mistake.

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* tcp: Check if connection is local or low RTT was seen before using large MSS
  (Stefano Brivio, 2021-10-04; 1 file, -0/+59)

  If the connection is local or the RTT was comparable to the time it takes to queue a batch of messages, we can safely use a large MSS regardless of the sending buffer, but otherwise not.

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* tcp: Adjust usage of sending buffer depending on its size
  (Stefano Brivio, 2021-10-04; 1 file, -12/+63)

  If we start with a very small sending buffer, we can make the kernel expand it if we cause the congestion window to get bigger, but this won't reliably happen if we use just half (other half is accounted as overhead).

  Scale usage depending on its own size, we might eventually get some retransmissions because we can't queue messages the sender sends us in-window, but it's better than keeping that small buffer forever.

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* tcp: Derive MSS announced to guest/namespace from configured MTU if present
  (Stefano Brivio, 2021-09-29; 1 file, -1/+14)

  ...and from the sending socket only if the MTU is not configured.

  Otherwise, a connection to a host from a local guest, with a non-loopback destination address, will get its MSS from the MTU of the outbound interface with that address, which is unnecessary as we know the guest can send us larger segments.

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* test: Record CI and demo videos in Xvfb by default, fix demo setup sequence
  (Stefano Brivio, 2021-09-29; 6 files, -8/+54)

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* README: Fix pasta anchor in Try it section
  (Stefano Brivio, 2021-09-28; 1 file, -1/+1)

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* doc: Add source Excalidraw scene files for diagrams
  (Stefano Brivio, 2021-09-27; 2 files, -0/+7984)

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* test: Add CI/demo scripts
  (Stefano Brivio, 2021-09-27; 31 files, -0/+4816)

  Not really quick, definitely dirty.

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* README: Add demo section
  (Stefano Brivio, 2021-09-27; 1 file, -0/+15)

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* conf, tcp: Periodic detection of bound ports for pasta port forwarding
  (Stefano Brivio, 2021-09-27; 8 files, -97/+316)

  Detecting bound ports at start-up time isn't terribly useful: do this periodically instead, if configured.

  This is only implemented for TCP at the moment, UDP is somewhat more complicated: leave a TODO there.

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* util: Fix parsing of next option in ipv6_l4hdr()
  (Stefano Brivio, 2021-09-27; 1 file, -2/+1)

  We need to update next header and header length as soon as we meet a new option header.

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* tcp: Rework window handling, timers, add SO_RCVLOWAT and pools for sockets/pipes
  (Stefano Brivio, 2021-09-27; 2 files, -458/+727)

  This introduces a number of fundamental changes that would be quite messy to split. Summary:

  - advertised window scaling can be as big as we want, we just need to clamp window sizes to avoid exceeding the size of our "discard" buffer for unacknowledged data from socket
  - add macros to compare sequence numbers
  - force sending ACK to guest/tap on PSH segments, always in pasta mode, whenever we see an overlapping segment, or when we reach a given threshold compared to our window
  - we don't actually use recvmmsg() here, fix comments and label
  - introduce pools for pre-opened sockets and pipes, to decrease latency on new connections
  - set receiving and sending buffer sizes to the maximum allowed, kernel will clamp and round appropriately
  - defer clean-up of spliced and non-spliced connection to timer
  - in tcp_send_to_tap(), there's no need anymore to keep a large buffer, shrink it down to what we actually need
  - introduce SO_RCVLOWAT setting and activity tracking for spliced connections, to coalesce data moved by splice() calls as much as possible
  - as we now have a compacted connection table, there's no need to keep sparse bitmaps tracking connection activity -- simply go through active connections with a loop in the timer handler
  - always clamp the advertised window to half our sending buffer, too, to minimise retransmissions from the guest/tap
  - set TCP_QUICKACK for originating socket in spliced connections, there's no need to delay them
  - fix up timeout for unacknowledged data from socket

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* tcp: Drop TODO about sequence collision attacks
  (Stefano Brivio, 2021-09-27; 1 file, -1/+0)

  A random initial sequence number based on a secret has already been there for a while.

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

* tap: Don't leak file descriptor used to bring up loopback interface
  (Stefano Brivio, 2021-09-27; 1 file, -6/+11)

  ...and while at it, set the socket as non-blocking directly on open().

  Signed-off-by: Stefano Brivio <sbrivio@redhat.com>