On Sun, 29 Nov 2020 07:54:23 GMT, Jamie Le Tual <github.com+55101029+jamielet...@openjdk.org> wrote:
> Users have been able to send ICMP packets without the need for root > privileges or the CAP_NET_RAW capability since at least kernel 3.11. > > For some time now, if the kernel parameter net.ipv4.ping_group_range included > the gid of a user sending an icmp packet with the IPPROTO_ICMP protocol, then > the packet would> > It's important to note that the both the checksum and ident field are > overwritten by the kernel when this is done. > > Newer distributions are now setting the default value of > net.ipv4.ping_group_range to be open to all possible group ids (Fedora 31 and > Ubuntu 20.04 for example) so it can b> > > Also of note is the that this is also implemented in MacOS. > > This patch proposes attempting to use IPPROTO_ICMP first, and then fall back > to attempting a raw socket and ultimately failing over to tcp echo. > This patch also alters the logic for identifying icmp reply packets, since > the kernel overwrites id ident field when using the IPPROTO_ICMP protocol. > The method is similar to that used by the ping(8) utility in the iputils > package, where we compare data in the icmp_data member of the icmp struct > to identify the packet as our response. The ping utility compares the > timeval, whereas this patch proposes to compare both the timeval and the > user's pid. This pull request has been closed without being integrated. ------------- PR: https://git.openjdk.java.net/jdk/pull/1502
