> Users have been able to send ICMP packets without the need for root > privileges or the CAP_NET_RAW capability since at least kernel 3.11. > > For some time now, if the kernel parameter net.ipv4.ping_group_range included > the gid of a user sending an icmp packet with the IPPROTO_ICMP protocol, then > the packet would> > It's important to note that the both the checksum and ident field are > overwritten by the kernel when this is done. > > Newer distributions are now setting the default value of > net.ipv4.ping_group_range to be open to all possible group ids (Fedora 31 and > Ubuntu 20.04 for example) so it can b> > > Also of note is the that this is also implemented in MacOS. > > This patch proposes attempting to use IPPROTO_ICMP first, and then fall back > to attempting a raw socket and ultimately failing over to tcp echo. > This patch also alters the logic for identifying icmp reply packets, since > the kernel overwrites id ident field when using the IPPROTO_ICMP protocol. > The method is similar to that used by the ping(8) utility in the iputils > package, where we compare data in the icmp_data member of the icmp struct > to identify the packet as our response. The ping utility compares the > timeval, whereas this patch proposes to compare both the timeval and the > user's pid.
Jamie Le Tual has updated the pull request incrementally with one additional commit since the last revision: Fixed formatting ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/1502/files - new: https://git.openjdk.java.net/jdk/pull/1502/files/923e3489..1c8a555f Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=1502&range=01 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=1502&range=00-01 Stats: 1 line in 1 file changed: 0 ins; 0 del; 1 mod Patch: https://git.openjdk.java.net/jdk/pull/1502.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/1502/head:pull/1502 PR: https://git.openjdk.java.net/jdk/pull/1502
