Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prefer SOCK_DGRAM #317

Closed
wants to merge 1 commit into from
Closed

Prefer SOCK_DGRAM #317

wants to merge 1 commit into from

Conversation

Yenya
Copy link

@Yenya Yenya commented May 3, 2024

ping(8) from iputils-20240117 prefers SOCK_DGRAM instead of SOCK_RAW, which has a bonus of using kernel-assigned Identification. Apart from unprivileged operations, this also avoids collisions caused by user-assigned Identification on busy monitoring hosts (see also: birthday paradox).

So let's try SOCK_DGRAM first, and only if that fails, fall back to SOCK_RAW.

@Yenya
Prefer SOCK_DGRAM
ee5db6c 
ping(8) from iputils-20240117 prefers SOCK_DGRAM instead of SOCK_RAW,
which has a bonus of using kernel-assigned Identification. Apart from
unprivileged operations, this also avoids collisions caused by
user-assigned Identification on busy monitoring hosts
(see also: birthday paradox).

So let's try SOCK_DGRAM first, and only if that fails, fall back to
SOCK_RAW.
@auerswal
Copy link
Collaborator

auerswal commented May 4, 2024

It seems as if SOCK_DGRAM does not work as well as SOCK_RAW for fping when using the kernel Linux, according to the test failures.

@auerswal
Copy link
Collaborator

Since this would introduce a regression (i.e., losing the functionality to ping IPv6 multicast groups), without introducing a clear improvement, I plan to close this pull request (no idea when, yet).

@auerswal
Copy link
Collaborator

auerswal commented Jul 7, 2024

At least in my tests on GNU/Linux, when fping 224.0.0.1 works, it does so for both privileged SOCK_RAW and unprivileged SOCK_DGRAM. The reply to an Echo request to a multicast IP address uses a unicast IP address as source, i.e., it comes from a different IP address. This also holds for the iputils ping program. Thus using SOCK_DGRAM does not necessarily solve the identification problem on busy monitoring hosts.

The iputils ping program shows the same problem as fping with your pull request, i.e., it cannot ping IPv6 multicast addresses, even with privileges (cap_net_raw+ep).

The ping program from GNU Inetutils prefers SOCK_RAW similar to fping. For IPv4 multicast, the observable results are comparable to those of fping and iputils ping. The ping6 program from GNU Inetutils does not fall back to SOCK_DGRAM and therefore does not show the multicast problem (but it does not work without privileges).

@auerswal
Copy link
Collaborator

According to a StackExchange answer, Apple's ping program uses a raw socket when started with root privileges, otherwise a datagram socket. This is supposedly done to allow extra functionality with root privileges.

I'd say that fping should prefer using a raw socket if possible (e.g., started by root, binary with set SUID bit, or binary with NET_CAP_RAW), and only fall back to a datagram socket if it cannot open a raw socket.

@auerswal auerswal closed this Jul 12, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Yenya @auerswal