From 9663378d6d6dcd8275d60b826356cc4be0538231 Mon Sep 17 00:00:00 2001 From: Stefano Brivio Date: Mon, 26 Jul 2021 15:26:36 +0200 Subject: icmp: Work around possible failure on bind() due to e.g. broken SELinux policy If we can't bind() ping sockets, the echo identifier sent out from the socket won't be the original one seen from the tap. Binding a ping socket doesn't require any security capability, but it might still fail due to a broken SELinux policy, see for example: https://bugzilla.redhat.com/show_bug.cgi?id=1848929 Track the ICMP echo identifier as part of the epoll reference for the socket and replace it in the reply on mismatch. We won't send out the original identifier as sent from the guest, but still better than missing replies. Signed-off-by: Stefano Brivio --- icmp.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'icmp.h') diff --git a/icmp.h b/icmp.h index 12547b7..27f0a5c 100644 --- a/icmp.h +++ b/icmp.h @@ -15,10 +15,12 @@ void icmp_timer(struct ctx *c, struct timespec *ts); * union icmp_epoll_ref - epoll reference portion for ICMP tracking * @v6: Set for IPv6 sockets or connections * @u32: Opaque u32 value of reference + * @id: Associated echo identifier, needed if bind() fails */ union icmp_epoll_ref { struct { - uint32_t v6:1; + uint32_t v6:1, + id:16; }; uint32_t u32; }; -- cgit v1.2.3
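Review bot: the new `id:16` bitfield packed next to `v6:1` and overlaid on `u32` depends on implementation-defined bitfield ordering and packing, and consumes 16 of the 32 reference bits; the comment for `@id` should state that the value is the 16-bit echo identifier as seen from the tap and that it must fit in the reference alongside whatever other fields share the 32-bit word. Separately, the commit message describes tracking the identifier and replacing it in the reply on mismatch, but this view is limited to `icmp.h`, so the code that populates `id` at socket creation and performs the rewrite on the reply is not visible here; the companion change (presumably in `icmp.c`, an assumption not confirmed by this page) is what needs review for the mismatch-and-rewrite logic and for the case where bind() succeeds and `id` should be left untouched.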