aboutgitcodebugslistschat
Commit message (Collapse)AuthorAgeFilesLines
...
* passt: Don't refuse to run if UID is 0 in non-init namespaceStefano Brivio2021-10-141-1/+14
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* pasta: Push pasta.h headerStefano Brivio2021-10-141-0/+3
| | | | | | ...I forgot to add this earlier. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* slirp4netns.sh: Introduce compatibility wrapper behaving like slirp4netns(1)Stefano Brivio2021-10-141-0/+227
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Warning: draft quality, not really tested, --enable-sandbox not supported yet. Example: $ unshare -rUn # echo $$ 3130879 $ ./slirp4netns.sh -m 65520 -c 3130879 tap0 sent tapfd=5 for tap0 received tapfd=5 Starting slirp * MTU: 65520 * Network: 10.0.2.0 * Netmask: 255.255.255.0 * Gateway: 10.0.2.2 * DNS: 10.0.2.3 * Recommended IP: 10.0.2.100 WARNING: 127.0.0.1:* on the host is accessible as 10.0.2.2 (set --disable-host-loopback to prohibit connecting to 127.0.0.1:*) # ip li sh 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 33: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65520 qdisc pfifo_fast state UNKNOWN mode DEFAULT group default qlen 1000 link/ether 5e:9d:a0:c5:cf:67 brd ff:ff:ff:ff:ff:ff # ip ad sh 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 33: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65520 qdisc pfifo_fast state UNKNOWN group default qlen 1000 link/ether 5e:9d:a0:c5:cf:67 brd ff:ff:ff:ff:ff:ff inet 10.0.2.0/24 scope global tap0 valid_lft forever preferred_lft forever inet6 fe80::5c9d:a0ff:fec5:cf67/64 scope link valid_lft forever preferred_lft forever # ip ro sh default via 10.0.2.2 dev tap0 10.0.2.0/24 dev tap0 proto kernel scope link src 10.0.2.0 root@epycfail:~# ip -6 ro sh fe80::/64 dev tap0 proto kernel metric 256 pref medium # iperf3 -c 10.0.2.2 -l1M Connecting to host 10.0.2.2, port 5201 [ 5] local 10.0.2.0 port 43014 connected to 10.0.2.2 port 5201 [ ID] Interval Transfer Bitrate Retr Cwnd [ 5] 0.00-1.00 sec 1.38 GBytes 11.8 Gbits/sec 0 9.96 MBytes [ 5] 1.00-2.00 sec 1.59 GBytes 13.6 Gbits/sec 0 13.3 MBytes [ 5] 2.00-3.00 sec 1.63 GBytes 14.0 Gbits/sec 0 13.3 MBytes [ 5] 3.00-4.00 sec 1.78 GBytes 15.3 Gbits/sec 0 13.3 MBytes [ 5] 4.00-5.00 sec 1.80 GBytes 15.5 Gbits/sec 0 15.8 MBytes [ 5] 5.00-6.00 sec 1.69 GBytes 14.5 Gbits/sec 0 15.8 MBytes [ 5] 6.00-7.00 sec 1.65 GBytes 14.2 Gbits/sec 0 15.8 MBytes [ 5] 7.00-8.00 sec 1.68 GBytes 14.4 Gbits/sec 0 15.8 MBytes [ 5] 8.00-9.00 sec 1.60 GBytes 13.7 Gbits/sec 0 15.8 MBytes [ 5] 9.00-10.00 sec 1.66 GBytes 14.3 Gbits/sec 0 15.8 MBytes - - - - - - - - - - - - - - - - - - - - - - - - - [ ID] Interval Transfer Bitrate Retr [ 5] 0.00-10.00 sec 16.5 GBytes 14.1 Gbits/sec 0 sender [ 5] 0.00-10.01 sec 16.4 GBytes 14.1 Gbits/sec receiver iperf Done. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* netlink, pasta: Configure MTU of tap interface on --config-netStefano Brivio2021-10-144-21/+33
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* conf: Add -P, --pid, to specify a file where own PID is written toStefano Brivio2021-10-144-3/+48
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* conf: Reset netns_only flag after probingStefano Brivio2021-10-141-1/+3
| | | | | | | | ...if we check whether an option might be a namespace specification, and it turns out not to be (e.g. with --pcap), we might set netns_only, but we don't reset it back to 0 if it wasn't set. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* tcp: Explicitly align IP headers in tcp4_l2_{,flags}buf_t also in non-AVX2 buildStefano Brivio2021-10-141-14/+12
| | | | | | | Otherwise, tcp4_l2_flags_buf_t is not consistent with tcp4_l2_buf_t and header fields get all mixed up in tcp_l2_buf_fill_headers(). Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* conf, tcp, udp: Add --no-map-gw to disable mapping gateway address to hostStefano Brivio2021-10-145-5/+15
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* passt: Warn if we're running as root, abort if we can't change to nobody:nobodyStefano Brivio2021-10-141-0/+29
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* conf: Reset errno before checking port specifier with strtol(3)Stefano Brivio2021-10-141-0/+1
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* passt: Drop all capabilities that we might have, except for CAP_NET_BIND_SERVICEStefano Brivio2021-10-141-0/+18
| | | | | | | | While it's not recommended to give passt any capability, drop all the ones we might have got by mistake, except for the only sensible one, CAP_NET_BIND_SERVICE. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* passt, pasta: Completely avoid dynamic memory allocationStefano Brivio2021-10-146-28/+389
| | | | | | | | | Replace libc functions that might dynamically allocate memory with own implementations or wrappers. Drop brk(2) from list of allowed syscalls in seccomp profile. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* passt, pasta: Add seccomp supportStefano Brivio2021-10-1410-9/+259
| | | | | | | | | | | | | | | | | | List of allowed syscalls comes from comments in the form: #syscalls <list> for syscalls needed both in passt and pasta mode, and: #syscalls:pasta <list> #syscalls:passt <list> for syscalls specifically needed in pasta or passt mode only. seccomp.sh builds a list of BPF statements from those comments, prefixed by a binary search tree to keep lookup fast. While at it, clean up a bit the Makefile using wildcards. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* test: Drop debugging left-overs in lib/utilStefano Brivio2021-10-141-4/+0
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* doc: Add to man page tip to grant passt the CAP_NET_BIND_SERVICE capabilityStefano Brivio2021-10-141-1/+6
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* doc: Fix up note about missing tcpi_snd_wnd in man pageStefano Brivio2021-10-141-7/+3
| | | | | | | | The behaviour without tcpi_snd_wnd changed: the only difference now is the advertised window, which corresponds to the queried sending buffer size. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* tcp: Decrease pool size for pipes to 16Stefano Brivio2021-10-141-1/+1
| | | | | | | This should be a reasonable balance between quick connection establishment and a fast start-up. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* util: Fix comment to bitmap_clear()Stefano Brivio2021-10-141-1/+1
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* conf, tap: Split netlink and pasta functions, allow interface configurationStefano Brivio2021-10-1411-609/+703
| | | | | | | | | | Move netlink routines to their own file, and use netlink to configure or fetch all the information we need, except for the TUNSETIFF ioctl. Move pasta-specific functions to their own file as well, add parameters and calls to configure the tap interface in the namespace. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* conf: Don't get IPv{4,6} DNS addresses if IPv{4,6} is disabledStefano Brivio2021-10-101-4/+6
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* conf: Avoid getifaddrs(), split L2/L3 address fetching, get filtered dumpsStefano Brivio2021-10-102-124/+170
| | | | | | | | | | | | getifaddrs() needs to allocate heap memory, and gets a ton of results we don't need. Use explicit netlink messages with "strict checking" instead. While at it, separate L2/L3 address handling, so that we don't fetch MAC addresses for IPv6, and also use netlink instead of ioctl() to get the MAC address. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* README: Drop domain part in absolute linksStefano Brivio2021-10-071-25/+25
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* conf: Fix getopt_long() return value for --quietStefano Brivio2021-10-071-1/+1
| | | | | | Only the short version actually worked. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* pasta: Add second waitid() in pasta_child_handler()Stefano Brivio2021-10-071-0/+1
| | | | | | | | We usually have up to one additional child exiting while we receive a SIGCHLD, instead of complicating this with tracking PIDs, just add a second waitid() call. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* pasta: Allow specifying paths and names of namespacesGiuseppe Scrivano2021-10-0712-79/+240
| | | | | | | | | | | | | | | | | | Based on a patch from Giuseppe Scrivano, this adds the ability to: - specify paths and names of target namespaces to join, instead of a PID, also for user namespaces, with --userns - request to join or create a network namespace only, without entering or creating a user namespace, with --netns-only - specify the base directory for netns mountpoints, with --nsrun-dir Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> [sbrivio: reworked logic to actually join the given namespaces when they're not created, implemented --netns-only and --nsrun-dir, updated pasta demo script and man page] Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* git: Add pre-push hookStefano Brivio2021-10-061-0/+64
| | | | | | I've been using this for a while, now it's all "nice" and clean. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* tcp: Check if timestamp is passed also while sending FIN to tap/guestStefano Brivio2021-10-051-1/+1
| | | | | | | ...it's probably possible that we might need to reset a connection together with a FIN segment. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* tcp: Drop EPOLLOUT for connections being established earlierStefano Brivio2021-10-051-3/+3
| | | | | | | | That's the first thing we have to do, before sending SYN, ACK: if tcp_send_to_tap() fails, we'll get a lot of useless events otherwise. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* conf: Silence gcc -Os warningStefano Brivio2021-10-051-1/+1
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* passt: Shrink binary size by dropping static initialisersStefano Brivio2021-10-054-53/+73
| | | | | | ...from 11MiB to 155KiB for 'make avx2', 95KiB with -Os and stripped. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* test/lib/term: Export PCAP and DEBUG variables for tmux sessions globallyStefano Brivio2021-10-051-0/+1
| | | | | | Otherwise, this would depend on the local tmux configuration. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* test/lib/setup: Increase --max-stackframe in commented-out valgrind commandStefano Brivio2021-10-051-1/+1
| | | | | | ...so that I don't keep fighting with this for pasta clone() calls. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* tcp: Simplify ACK-sending conditions in tcp_data_from_tap()Stefano Brivio2021-10-051-20/+9
| | | | | | | | Now that we have a proper function checking when and how to send ACKs and window updates, we don't need to duplicate this logic in tcp_data_from_tap(). Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* tcp: Always probe SO_SNDBUF, second attemptStefano Brivio2021-10-051-3/+0
| | | | | | I fell for this already: the sending buffer might shrink later! Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* tcp: Defer and coalesce all segments with no data (flags) to handlerStefano Brivio2021-10-052-142/+377
| | | | | | | | | | ...using pre-cooked buffers, just like we do with other segments. While at it, remove some code duplication by having separate functions for updating ACK sequence and window, and for filling in buffer headers. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* tcp: Increase LOW_RTT_THRESHOLD to 10usStefano Brivio2021-10-051-1/+1
| | | | | | Sometimes we can get up to 6-7us minimum RTT for local connections too. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* tcp: Reduce size of socket poolsStefano Brivio2021-10-051-2/+2
| | | | | | | A large pool helps marginally with CRR latency, but has detrimental effects on TCP memory pressure. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* tcp: Increase TCP_TAP_FRAMES once moreStefano Brivio2021-10-051-1/+1
| | | | | | | With an increased sending buffer size for the AF_UNIX socket, we can get slightly lower overhead. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* tcp, tap: Turn tcp_probe_mem() into sock_probe_mem(), use for AF_UNIX socket tooStefano Brivio2021-10-057-40/+49
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* passt: Add handler for optional deferred tasksStefano Brivio2021-10-051-20/+26
| | | | | | | | We'll need this for TCP ACK coalescing on tap/guest-side. For convenience, allow _handler() functions to be undefined, courtesy of __attribute__((weak)). Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* demo/pasta: Enter the right directory before issuing perf report -gStefano Brivio2021-10-041-1/+1
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* tcp: Fix botched timeout comparisonStefano Brivio2021-10-041-2/+2
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* tcp: Check pending ACK every two thirds of window, not every halfStefano Brivio2021-10-041-1/+1
| | | | | | | ...to spare some syscalls. If it's not enough, the timer will take care of it. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* tcp: Don't set ACK flag while merely updating window valueStefano Brivio2021-10-041-15/+19
| | | | | | The receiver might take this as a duplicate ACK othewise. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* tcp: Set TCP_TAP_FRAMES back to 32Stefano Brivio2021-10-041-1/+1
| | | | | | | Now that we fixed the issue with small receiving buffers, we can safely increase this back and get slightly lower syscall overhead. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* tcp: Probe net.core.{r,w}mem_max, don't set SO_{RCV,SND}BUF if lowStefano Brivio2021-10-042-16/+26
| | | | | | | | | | | | | | | If net.core.rmem_max and net.core.wmem_max sysctls have low values, we can get bigger buffers by not trying to set them high -- the kernel would lock their values to what we get. Try, instead, to get bigger buffers by queueing as much as possible, and if maximum values in tcp_wmem and tcp_rmem are bigger than this, that will work. While at it, drop QUICKACK option for non-spliced sockets, I set that earlier by mistake. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* tcp: Check if connection is local or low RTT was seen before using large MSSStefano Brivio2021-10-041-0/+59
| | | | | | | | If the connection is local or the RTT was comparable to the time it takes to queue a batch of messages, we can safely use a large MSS regardless of the sending buffer, but otherwise not. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* tcp: Adjust usage of sending buffer depending on its sizeStefano Brivio2021-10-041-12/+63
| | | | | | | | | | | | | If we start with a very small sending buffer, we can make the kernel expand it if we cause the congestion window to get bigger, but this won't reliably happen if we use just half (other half is accounted as overhead). Scale usage depending on its own size, we might eventually get some retransmissions because we can't queue messages the sender sends us in-window, but it's better than keeping that small buffer forever. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* tcp: Derive MSS announced to guest/namespace from configured MTU if presentStefano Brivio2021-09-291-1/+14
| | | | | | | | | | | ...and from the sending socket only if the MTU is not configured. Otherwise, a connection to a host from a local guest, with a non-loopback destination address, will get its MSS from the MTU of the outbound interface with that address, which is unnecessary as we know the guest can send us larger segments. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
* test: Record CI and demo videos in Xvfb by default, fix demo setup sequenceStefano Brivio2021-09-296-8/+54
| | | | Signed-off-by: Stefano Brivio <sbrivio@redhat.com>