On Mon, Jul 17, 2017 at 11:47 PM, Rob Landley <r...@landley.net> wrote: > On 07/17/2017 09:55 AM, enh wrote: >> On Mon, Jul 17, 2017 at 3:33 AM, Rob Landley <r...@landley.net> wrote: >>> Over the weekend I started looking at ping.c again thinking "this seems >>> really easy, why haven't I already done it". And I figured out why (I >>> wanted the code to autodetect ipv4 or ipv6 without you having to >>> specify, but you could go "ping -I lo 127.0.0.1" and it could see ::1 as >>> the first address of lo so you have to defer the decision of which type >>> to use while detecting, AND I still wanted -4 and -6 to work to force >>> the decision meaning it fails if source or dest can't do that, except >>> supplying source address is optional.) >>> >>> So I finally untangled all that crap, and then I started in on the next >>> thing I wantedit to do, use the "unprivileged ping sockets" stuff Linux >>> merged back in 2011: >>> >>> https://lwn.net/Articles/422330/ >>> >>> It's almost been 7 years, no need to support the old "needs root" stuff >>> if this should be ubiquitously deployed. >>> >>> Yes that description's wrong, there's no such thing as PROT_ICMP, they >>> mean IPPROTO_ICMP but good luck finding example code using that because >>> nobody uses it. Why does nobody use it? Because the API is stupidly >>> disabled for no apparent reason. >> >> Android uses it all over the place. i even made it available to Java. >> >> in particular, external/iputils' ping/ping6 uses it. > > Did you patch the stupid out of the kernel, or does your init script > just "echo 0 65535 > /proc/sys/net/ipv4/ping_group_range"?
the latter. there's this line in the default init script: write /proc/sys/net/ipv4/ping_group_range "0 2147483647" > (Honestly, what's the point or creating a new API to do the same thing > without requiring root access, and then not even let ROOT use it by > default? I thought busybox was using this, but they yanked it back OUT > in 2014: https://git.busybox.net/busybox/commit/?id=f0058b1b1fe9 > because of this nonsense.) > > Right. The kernel patch to fix this is: > > --- a/net/ipv4/af_inet.c > +++ b/net/ipv4/af_inet.c > @@ -1712,12 +1712,8 @@ static __net_init int inet_init_net(struct net *net) > net->ipv4.ip_local_ports.range[1] = 60999; > > seqlock_init(&net->ipv4.ping_group_range.lock); > - /* > - * Sane defaults - nobody may create ping sockets. > - * Boot scripts should set this to distro-specific group. > - */ > - net->ipv4.ping_group_range.range[0] = make_kgid(&init_user_ns, 1); > - net->ipv4.ping_group_range.range[1] = make_kgid(&init_user_ns, 0); > + net->ipv4.ping_group_range.range[0] = make_kgid(&init_user_ns, 0); > + net->ipv4.ping_group_range.range[1] = make_kgid(&init_user_ns, 65535); > > /* Default values for sysctl-controlled parameters. > * We set them here, in case sysctl is not compiled. > > And I think I'll just put that patch in the toybox FAQ rather than > implementing two APIs to do the same darn thing. I've asked the kernel > guys what they were thinking (with my usual "I'm tracking down a bug > and I found PEOPLE at the end of it" diplomacy, ala > http://lkml.iu.edu/hypermail/linux/kernel/1707.2/01797.html ) and > I have no _idea_ what they'll say because this makes no sense to me. > > Rob -- Elliott Hughes - http://who/enh - http://jessies.org/~enh/ Android native code/tools questions? Mail me/drop by/add me as a reviewer. _______________________________________________ Toybox mailing list Toybox@lists.landley.net http://lists.landley.net/listinfo.cgi/toybox-landley.net