author Stefano Brivio <sbrivio@redhat.com> 2021-07-26 15:26:36 +0200
committer Stefano Brivio <sbrivio@redhat.com> 2021-07-26 17:43:10 +0200
commit 9663378d6d6dcd8275d60b826356cc4be0538231
tree 510ca04c778d9f03033cd33688da7b58ccb65ce0 /tap.c
parent 0279ec8eaebf0d0ae6d871f44c27db67904b8872
icmp: Work around possible failure on bind() due to e.g. broken SELinux policy

If we can't bind() ping sockets, the echo identifier sent out from the socket won't be the original one seen from the tap. Binding a ping socket doesn't require any security capability, but it might still fail due to a broken SELinux policy, see for example:

https://bugzilla.redhat.com/show_bug.cgi?id=1848929

Track the ICMP echo identifier as part of the epoll reference for the socket and replace it in the reply on mismatch. We won't send out the original identifier as sent from the guest, but still better than missing replies.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

Diffstat (limited to 'tap.c')
-rw-r--r-- tap.c 5
1 files changed, 5 insertions, 0 deletions
diff --git a/tap.c b/tap.c
index e31a419..68d3633 100644
--- a/tap.c
+++ b/tap.c
@@ -134,6 +134,11 @@ void tap_ip_send(struct ctx *c, struct in6_addr *src, uint8_t proto,
struct udphdr *uh = (struct udphdr *)(iph + 1);
uh->check = 0;
+ } else if (iph->protocol == IPPROTO_ICMP) {
+ struct icmphdr *ih = (struct icmphdr *)(iph + 1);
+
+ ih->checksum = 0;
+ ih->checksum = csum_unaligned(ih, len, 0);
}
tap_send(c, buf, len + sizeof(*iph) + sizeof(*eh), 1);
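
Review bot: in the new `else if (iph->protocol == IPPROTO_ICMP)` branch, nothing visible in this hunk checks that len covers a full struct icmphdr before `ih->checksum = 0;` is written and `csum_unaligned(ih, len, 0)` reads len bytes starting at ih. If the callers of tap_ip_send() already guarantee that, a short comment saying so would help; otherwise guard the branch with a length check. The cast `(struct icmphdr *)(iph + 1)` relies on the IPv4 header carrying no options, as the UDP branch above it does, which is worth stating once in a comment. A one-line comment on why the checksum is recomputed here would also help: the commit message says the echo identifier may be replaced in the reply, but that replacement is not part of this file's diff, so the branch is hard to understand from tap.c alone.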