On Wed, 23 Dec 2020 14:06:12 GMT, Jamie Le Tual <github.com+55101029+jamielet...@openjdk.org> wrote:
>> Users have been able to send ICMP packets without the need for root >> privileges or the CAP_NET_RAW capability since at least kernel 3.11. >> >> For some time now, if the kernel parameter net.ipv4.ping_group_range >> included the gid of a user sending an icmp packet with the IPPROTO_ICMP >> protocol, then the packet would> >> It's important to note that the both the checksum and ident field are >> overwritten by the kernel when this is done. >> >> Newer distributions are now setting the default value of >> net.ipv4.ping_group_range to be open to all possible group ids (Fedora 31 >> and Ubuntu 20.04 for example) so it can b> >> >> Also of note is the that this is also implemented in MacOS. >> >> This patch proposes attempting to use IPPROTO_ICMP first, and then fall back >> to attempting a raw socket and ultimately failing over to tcp echo. >> This patch also alters the logic for identifying icmp reply packets, since >> the kernel overwrites id ident field when using the IPPROTO_ICMP protocol. >> The method is similar to that used by the ping(8) utility in the iputils >> package, where we compare data in the icmp_data member of the icmp struct >> to identify the packet as our response. The ping utility compares the >> timeval, whereas this patch proposes to compare both the timeval and the >> user's pid. > > Jamie Le Tual has updated the pull request incrementally with one additional > commit since the last revision: > > Fixed formatting I think that the changes are mostly good. I would like to try them out on my local system and our internal buildAndTest system. ------------- PR: https://git.openjdk.java.net/jdk/pull/1502
