icmp: Work around possible failure on bind() due to e.g. broken SELinux policy
If we can't bind() ping sockets, the echo identifier sent out from the socket won't be the original one seen from the tap. Binding a ping socket doesn't require any security capability, but it might still fail due to a broken SELinux policy, see for example: https://bugzilla.redhat.com/show_bug.cgi?id=1848929 Track the ICMP echo identifier as part of the epoll reference for the socket and replace it in the reply on mismatch. We won't send out the original identifier as sent from the guest, but still better than missing replies. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
This commit is contained in:
Stefano Brivio
4
icmp.h
4
icmp.h
@@ -15,10 +15,12 @@ void icmp_timer(struct ctx *c, struct timespec *ts);
|
||||
* union icmp_epoll_ref - epoll reference portion for ICMP tracking
|
||||
* @v6: Set for IPv6 sockets or connections
|
||||
* @u32: Opaque u32 value of reference
|
||||
* @id: Associated echo identifier, needed if bind() fails
|
||||
*/
|
||||
union icmp_epoll_ref {
|
||||
struct {
|
||||
uint32_t v6:1;
|
||||
uint32_t v6:1,
|
||||
id:16;
|
||||
};
|
||||
uint32_t u32;
|
||||
};
|
||||
|
||||
Reference in New Issue
Block a user