From 9663378d6d6dcd8275d60b826356cc4be0538231 Mon Sep 17 00:00:00 2001
From: Stefano Brivio <sbrivio@redhat.com>
Date: Mon, 26 Jul 2021 15:26:36 +0200
Subject: icmp: Work around possible failure on bind() due to e.g. broken
 SELinux policy

If we can't bind() ping sockets, the echo identifier sent out from
the socket won't be the original one seen from the tap. Binding a
ping socket doesn't require any security capability, but it might
still fail due to a broken SELinux policy, see for example:
	https://bugzilla.redhat.com/show_bug.cgi?id=1848929

Track the ICMP echo identifier as part of the epoll reference for
the socket and replace it in the reply on mismatch. We won't send
out the original identifier as sent from the guest, but still better
than missing replies.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
 tap.c | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'tap.c')

diff --git a/tap.c b/tap.c
index e31a419..68d3633 100644
--- a/tap.c
+++ b/tap.c
@@ -134,6 +134,11 @@ void tap_ip_send(struct ctx *c, struct in6_addr *src, uint8_t proto,
 			struct udphdr *uh = (struct udphdr *)(iph + 1);
 
 			uh->check = 0;
+		} else if (iph->protocol == IPPROTO_ICMP) {
+			struct icmphdr *ih = (struct icmphdr *)(iph + 1);
+
+			ih->checksum = 0;
+			ih->checksum = csum_unaligned(ih, len, 0);
 		}
 
 		tap_send(c, buf, len + sizeof(*iph) + sizeof(*eh), 1);
-- 
cgit v1.2.3