author | Stefano Brivio <sbrivio@redhat.com> | 2021-07-26 15:26:36 +0200 |
---|---|---|
committer | Stefano Brivio <sbrivio@redhat.com> | 2021-07-26 17:43:10 +0200 |
commit | 9663378d6d6dcd8275d60b826356cc4be0538231 (patch) | |
tree | 510ca04c778d9f03033cd33688da7b58ccb65ce0 /tap.c | |
parent | 0279ec8eaebf0d0ae6d871f44c27db67904b8872 (diff) | |
icmp: Work around possible failure on bind() due to e.g. broken SELinux policy
If we can't bind() ping sockets, the echo identifier sent out from
the socket won't be the original one seen from the tap. Binding a
ping socket doesn't require any security capability, but it might
still fail due to a broken SELinux policy, see for example:
https://bugzilla.redhat.com/show_bug.cgi?id=1848929
Track the ICMP echo identifier as part of the epoll reference for
the socket and replace it in the reply on mismatch. We won't send
out the original identifier as sent from the guest, but still better
than missing replies.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
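The commit message describes substituting the guest's echo identifier into a reply whose identifier the kernel picked for an unbound ping socket, which then requires recomputing the ICMP checksum. The following is an added, self-contained example (not passt's code, and not the change in this commit) that shows both halves of that operation: a full RFC 1071 recompute, as done here in tap.c, and an RFC 1624 incremental update of the existing checksum. The `struct icmp_echo` layout, the `build_echo_reply()`, `icmp_fix_echo_id()`, `csum_update16()` and `demo()` helpers, and the sample identifiers 0x04d2 and 0x1234 are all assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <arpa/inet.h>

/* ICMP echo/echo-reply header (RFC 792), declared locally so the example
 * does not depend on <netinet/ip_icmp.h>. Hypothetical name. */
struct icmp_echo {
	uint8_t  type;
	uint8_t  code;
	uint16_t checksum;
	uint16_t id;
	uint16_t seq;
};
#define ICMP_ECHOREPLY 0
#define ICMP_ECHO      8

/* RFC 1071 one's-complement sum over an odd/even-length, unaligned buffer,
 * folded to 16 bits and complemented: the value to store in the header. */
uint16_t icmp_csum(const void *buf, size_t len)
{
	const uint8_t *p = buf;
	uint32_t sum = 0;

	for (; len > 1; len -= 2, p += 2)
		sum += (uint32_t)p[0] << 8 | p[1];
	if (len)				/* trailing odd byte is the high byte */
		sum += (uint32_t)p[0] << 8;
	while (sum >> 16)
		sum = (sum & 0xffff) + (sum >> 16);
	return htons((uint16_t)~sum);
}

/* A message with a valid checksum sums to all ones, so complemented it's 0. */
int icmp_csum_ok(const uint8_t *buf, size_t len)
{
	return icmp_csum(buf, len) == 0;
}

/* Build an echo reply with a constructed payload; returns its length. */
size_t build_echo_reply(uint8_t *buf, size_t cap, uint16_t id, uint16_t seq,
			const uint8_t *payload, size_t plen)
{
	struct icmp_echo ih = { ICMP_ECHOREPLY, 0, 0, htons(id), htons(seq) };
	size_t len = sizeof(ih) + plen;
	uint16_t c;

	if (cap < len)
		return 0;
	memcpy(buf, &ih, sizeof(ih));
	memcpy(buf + sizeof(ih), payload, plen);
	c = icmp_csum(buf, len);
	memcpy(buf + offsetof(struct icmp_echo, checksum), &c, sizeof(c));
	return len;
}

/* Full recompute, as tap.c does: on identifier mismatch, substitute the
 * guest's id, zero the checksum field and sum the whole message again.
 * Returns 1 if rewritten, 0 if already matching, -1 if too short/not echo. */
int icmp_fix_echo_id(uint8_t *buf, size_t len, uint16_t guest_id)
{
	struct icmp_echo ih;
	uint16_t c;

	if (len < sizeof(ih))		/* guard before touching header fields */
		return -1;
	memcpy(&ih, buf, sizeof(ih));
	if (ih.type != ICMP_ECHO && ih.type != ICMP_ECHOREPLY)
		return -1;
	if (ih.id == htons(guest_id))
		return 0;
	ih.id = htons(guest_id);
	ih.checksum = 0;
	memcpy(buf, &ih, sizeof(ih));
	c = icmp_csum(buf, len);
	memcpy(buf + offsetof(struct icmp_echo, checksum), &c, sizeof(c));
	return 1;
}

/* RFC 1624 eq. 3, HC' = ~(~HC + ~m + m'): update an existing checksum for a
 * single 16-bit word changing from old_word to new_word (network order). */
uint16_t csum_update16(uint16_t old_csum, uint16_t old_word, uint16_t new_word)
{
	uint32_t sum = (uint16_t)~ntohs(old_csum);

	sum += (uint16_t)~ntohs(old_word);
	sum += ntohs(new_word);
	while (sum >> 16)
		sum = (sum & 0xffff) + (sum >> 16);
	return htons((uint16_t)~sum);
}

/* Walk both paths on a constructed reply; returns 1 when both verify. */
int demo(void)
{
	const uint8_t payload[] = "passt";	/* constructed sample data */
	uint16_t guest_id = 0x1234;		/* assumed: id the guest sent */
	uint16_t kernel_id = 0x04d2;		/* assumed: id the socket chose */
	uint8_t pkt[64], full[64], incr[64];
	uint16_t id, old_csum, old_id, new_id = htons(guest_id), new_csum;
	size_t n = build_echo_reply(pkt, sizeof(pkt), kernel_id, 7, payload,
				    sizeof(payload) - 1);

	if (!n || !icmp_csum_ok(pkt, n))
		return 0;
	memcpy(full, pkt, n);			/* path 1: full recompute */
	if (icmp_fix_echo_id(full, n, guest_id) != 1 || !icmp_csum_ok(full, n))
		return 0;
	memcpy(&id, full + offsetof(struct icmp_echo, id), sizeof(id));
	if (ntohs(id) != guest_id)
		return 0;
	memcpy(incr, pkt, n);			/* path 2: incremental update */
	memcpy(&old_csum, incr + offsetof(struct icmp_echo, checksum), 2);
	memcpy(&old_id, incr + offsetof(struct icmp_echo, id), 2);
	new_csum = csum_update16(old_csum, old_id, new_id);
	memcpy(incr + offsetof(struct icmp_echo, id), &new_id, 2);
	memcpy(incr + offsetof(struct icmp_echo, checksum), &new_csum, 2);
	return icmp_csum_ok(incr, n);
}
```

The incremental path matters when the whole message is large or when only the header is touched; the full recompute is simpler and is what a single `csum_unaligned()` over the message gives. Either way, the checksum must be rewritten after the identifier is, or the guest's stack discards the reply.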
Diffstat (limited to 'tap.c')
-rw-r--r-- | tap.c | 5 |
1 files changed, 5 insertions, 0 deletions
@@ -134,6 +134,11 @@ void tap_ip_send(struct ctx *c, struct in6_addr *src, uint8_t proto, struct udphdr *uh = (struct udphdr *)(iph + 1); uh->check = 0; + } else if (iph->protocol == IPPROTO_ICMP) { + struct icmphdr *ih = (struct icmphdr *)(iph + 1); + + ih->checksum = 0; + ih->checksum = csum_unaligned(ih, len, 0); } tap_send(c, buf, len + sizeof(*iph) + sizeof(*eh), 1); |
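Review bot: the new `IPPROTO_ICMP` branch casts `iph + 1` to `struct icmphdr *` and writes `ih->checksum` before summing `len` bytes, with no check that `len >= sizeof(*ih)`; a short ICMP payload reaching `tap_ip_send()` would write the checksum past the copied data. Suggest guarding the branch, e.g. `} else if (iph->protocol == IPPROTO_ICMP && len >= sizeof(*ih)) {`, or dropping the message when it is too short. The commit message also never says that tap.c now recomputes the ICMP checksum; since the identifier substitution it describes is exactly what invalidates the checksum, a sentence to that effect would make the tap.c part of the change self-explanatory. Note that only the IPv4 case is handled here; if the identifier is substituted for ICMPv6 replies as well, that checksum (which covers a pseudo-header) is not recomputed by this hunk.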