
Feature request: unprivileged-icmp

Open mokeyish opened this issue 2 years ago • 12 comments

Linux kernel patch from 2010 which allows unprivileged users to create an ICMP datagram socket that is restricted to sending and receiving ICMP ECHO packets:

https://sturmflut.github.io/linux/ubuntu/2015/01/17/unprivileged-icmp-sockets-on-linux/

mokeyish avatar Nov 10 '22 09:11 mokeyish

Thanks for your feedback, I'll look into it~

kolapapa avatar Nov 11 '22 05:11 kolapapa

@mokeyish I released a new version 0.4.7, is it the effect you want?

kolapapa avatar Nov 11 '22 08:11 kolapapa

Thanks for your quick response. However, there is a small suggestion to make this library more robust.

There are two ways to use ping with unprivileged users.

  1. The Linux capability CAP_NET_RAW is set on the current program => raw socket is supported.
  2. The sysctl property net.ipv4.ping_group_range is enabled => unprivileged-icmp is supported.

Shall we check it?

The example code of smartdns that enables checking: https://github.com/pymumu/smartdns/blob/391ef310b47cdd93989a4d6d3a7f9024537739d9/src/dns_conf.c#L2625-L2642

mokeyish avatar Nov 11 '22 08:11 mokeyish
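The check proposed in the comment above, as an added example (not code from this thread, surge-ping or smartdns): it reads the effective capability mask, effective GID and supplementary groups from `/proc/self/status` and compares them with `net.ipv4.ping_group_range`. The names `IcmpSocket`, `detect`, `parse_range` and `field` are hypothetical, and preferring a raw socket when both are possible is an assumption.

```rust
// Added example: which ICMP socket type can this Linux process open?
use std::fs;

const CAP_NET_RAW: u64 = 1 << 13; // capability number 13 in linux/capability.h

#[derive(Debug, PartialEq)]
pub enum IcmpSocket { Raw, Dgram, Unavailable } // hypothetical names

/// Parse "low high" from net.ipv4.ping_group_range; both bounds are inclusive.
pub fn parse_range(s: &str) -> Option<(u32, u32)> {
    let mut it = s.split_whitespace().map(|v| v.parse::<u32>().ok());
    Some((it.next()??, it.next()??))
}

/// Whitespace-separated values of one "Key:" line of /proc/<pid>/status.
fn field<'a>(status: &'a str, key: &str) -> Vec<&'a str> {
    status.lines()
        .find_map(|l| l.strip_prefix(key))
        .map(|v| v.split_whitespace().collect::<Vec<_>>())
        .unwrap_or_default()
}

pub fn detect(status: &str, range: &str) -> IcmpSocket {
    // CapEff is the effective capability set as a hex bitmask.
    let cap_eff = field(status, "CapEff:").first()
        .and_then(|h| u64::from_str_radix(h, 16).ok())
        .unwrap_or(0);
    if cap_eff & CAP_NET_RAW != 0 {
        return IcmpSocket::Raw; // assumption: prefer raw when both are possible
    }
    let (lo, hi) = match parse_range(range) {
        Some(r) => r,
        None => return IcmpSocket::Unavailable,
    };
    // "Gid:" lists real, effective, saved, fs. The kernel tests the effective
    // GID and every supplementary group ("Groups:") against the range.
    let allowed = field(status, "Gid:").into_iter().skip(1).take(1)
        .chain(field(status, "Groups:"))
        .filter_map(|g| g.parse::<u32>().ok())
        .any(|g| lo <= g && g <= hi);
    if allowed { IcmpSocket::Dgram } else { IcmpSocket::Unavailable }
}

fn main() {
    let status = fs::read_to_string("/proc/self/status").unwrap_or_default();
    let range = fs::read_to_string("/proc/sys/net/ipv4/ping_group_range").unwrap_or_default();
    println!("{:?}", detect(&status, &range));
}
```

The kernel default for the range is `1 0`, an empty interval, which this function reports as `Unavailable` for a process without CAP_NET_RAW.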

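BTW: do you plan to support TCP ping (unprivileged)?

The test code of TCP ping I wrote yesterday.

    use std::net::{SocketAddr, TcpStream};
    use std::time::{Duration, Instant};

    /// Connects to `addr` `times` times; returns the total elapsed time,
    /// or None as soon as one connection attempt fails or times out.
    pub fn ping(addr: &SocketAddr, times: u8, timeout: u64) -> Option<Duration> {
        let start = Instant::now();
        for _ in 0..times {
            // `timeout` is in milliseconds; the stream is dropped (closed) right away.
            if TcpStream::connect_timeout(addr, Duration::from_millis(timeout)).is_err() {
                return None;
            }
        }
        Some(start.elapsed())
    }

I want to port smartdns (written in C) to smartdns-rs (written in Rust, which allows cross-platform 🤣). Thanks for your surge-ping, it made it easy for me to select the fastest IP when doing DNS queries.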

mokeyish avatar Nov 11 '22 09:11 mokeyish

> @mokeyish I released a new version 0.4.7, is it the effect you want?

Nice, I have tested it, it works for me after I run the command sudo sysctl -w net.ipv4.ping_group_range='0 10'

mokeyish avatar Nov 11 '22 09:11 mokeyish

smartdns-rs

> > @mokeyish I released a new version 0.4.7, is it the effect you want?
>
> Nice, I have tested it, it works for me after I run the command sudo sysctl -w net.ipv4.ping_group_range='0 10'

Are there any issues with permissions?

kolapapa avatar Nov 14 '22 10:11 kolapapa

> BTW: do you plan to support TCP ping (unprivileged)?
>
> The test code of TCP ping I wrote yesterday.
>
>     pub fn ping(addr: &SocketAddr, times: u8, timeout: u64) -> Option<Duration> {
>         let start = Instant::now();
>         for _ in 0..times {
>             if let Err(_) = std::net::TcpStream::connect_timeout(addr, Duration::from_millis(timeout)) {
>                 return None;
>             }
>         }
>         Some(start.elapsed())
>     }
>
> I want to port smartdns (written in C) to smartdns-rs (written in Rust, which allows cross-platform 🤣). Thanks for your surge-ping, it made it easy for me to select the fastest IP when doing DNS queries.

I don't have this plan yet. We have also tried the ping detection scheme of tcp before, and there are several good crates we have used: rnp/netdiag

kolapapa avatar Nov 14 '22 10:11 kolapapa

> > BTW: do you plan to support TCP ping (unprivileged)? The test code of TCP ping I wrote yesterday.
> >
> >     pub fn ping(addr: &SocketAddr, times: u8, timeout: u64) -> Option<Duration> {
> >         let start = Instant::now();
> >         for _ in 0..times {
> >             if let Err(_) = std::net::TcpStream::connect_timeout(addr, Duration::from_millis(timeout)) {
> >                 return None;
> >             }
> >         }
> >         Some(start.elapsed())
> >     }
> >
> > I want to port smartdns (written in C) to smartdns-rs (written in Rust, which allows cross-platform 🤣). Thanks for your surge-ping, it made it easy for me to select the fastest IP when doing DNS queries.
>
> I don't have this plan yet. We have also tried the ping detection scheme of tcp before, and there are several good crates we have used: rnp/netdiag

I also used rnp last week, but I think surge-ping has a better API. 👍

mokeyish avatar Nov 14 '22 11:11 mokeyish

> smartdns-rs
>
> > > @mokeyish I released a new version 0.4.7, is it the effect you want?
> >
> > Nice, I have tested it, it works for me after I run the command sudo sysctl -w net.ipv4.ping_group_range='0 10'
>
> Are there any issues with permissions?

I plan to submit a PR to detect permissions automatically this week.

mokeyish avatar Nov 14 '22 11:11 mokeyish

@kolapapa Hi, did you test unprivileged_icmp in linux? I didn't look carefully last week, and now I found that it's timed out.

    Running `target/debug/examples/multi_ping`
    No.0: 172.217.26.142 ping Request timeout for icmp_seq 0
    No.0: 8.8.8.8 ping Request timeout for icmp_seq 0
    No.0: 114.114.114.114 ping Request timeout for icmp_seq 0
    No.0: 39.156.69.79 ping Request timeout for icmp_seq 0
    No.0: 114.114.114.114 ping Request timeout for icmp_seq 0
    No.1: 114.114.114.114 ping Request timeout for icmp_seq 1

mokeyish avatar Nov 15 '22 02:11 mokeyish

I have written some detection code.

Currently:

  • windows(non-root user)

    • RAW => Success
    • DGRAM => code: 10043, kind: Uncategorized
  • macos(non-root user)

    • DGRAM => Success
    • RAW => code: 1, kind: PermissionDenied
  • linux(non-root user)

    • DGRAM => timeout 👈👈👈 (unprivileged_icmp enabled by sudo sysctl -w net.ipv4.ping_group_range='0 2147483647')
    • RAW => success (CAP_NET_RAW enabled by sudo setcap CAP_NET_RAW+eip /path/to/program)

https://github.com/mokeyish/surge-ping/blob/unpriviledged_ping/src/client.rs

@kolapapa Do you know how to solve the timeout in linux? I have no idea currently.

mokeyish avatar Nov 15 '22 03:11 mokeyish

> I have written some detection code.
>
> Currently:
>
>   • windows(non-root user)
>
>     • RAW => Success
>     • DGRAM => code: 10043, kind: Uncategorized
>   • macos(non-root user)
>
>     • DGRAM => Success
>     • RAW => code: 1, kind: PermissionDenied
>   • linux(non-root user)
>
>     • DGRAM => timeout 👈👈👈 (unprivileged_icmp enabled by sudo sysctl -w net.ipv4.ping_group_range='0 2147483647')
>     • RAW => success (CAP_NET_RAW enabled by sudo setcap CAP_NET_RAW+eip /path/to/program)
>
> https://github.com/mokeyish/surge-ping/blob/unpriviledged_ping/src/client.rs
>
> @kolapapa Do you know how to solve the timeout in linux? I have no idea currently.

It should be due to the use of datagram sockets, which is caused by an exception in parsing the return packet.

kolapapa avatar Nov 18 '22 11:11 kolapapa
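On Linux, a datagram ICMP socket hands the application the ICMP message without the IPv4 header that a raw IPv4 socket includes, and the kernel replaces the echo identifier with the socket's local port, so a parser written for raw sockets misreads or rejects the reply. An added example (not surge-ping's code or the fix made in that project) of a reply parser that accepts both framings; `EchoReply`, `icmp_offset`, `parse_echo_reply` and `matches_request` are hypothetical names, and the checksum is not verified here.

```rust
/// Fields a ping client needs to match an echo reply to its request.
#[derive(Debug, PartialEq)]
pub struct EchoReply { pub ident: u16, pub seq: u16, pub payload: Vec<u8> }

/// Offset of the ICMP message inside a received buffer. A raw IPv4 socket
/// delivers the IPv4 header first; a Linux datagram ICMP socket does not.
fn icmp_offset(buf: &[u8]) -> usize {
    match buf.first() {
        // An echo reply starts with type 0, so a version nibble of 4 in the
        // first byte can only be an IPv4 header. IHL counts 32-bit words.
        Some(&b) if b >> 4 == 4 => usize::from(b & 0x0f) * 4,
        _ => 0,
    }
}

pub fn parse_echo_reply(buf: &[u8]) -> Option<EchoReply> {
    let icmp = buf.get(icmp_offset(buf)..)?;
    // 8-byte ICMP header: type, code, checksum(2), identifier(2), sequence(2).
    if icmp.len() < 8 || icmp[0] != 0 || icmp[1] != 0 {
        return None; // truncated, or not an echo reply (type 0, code 0)
    }
    Some(EchoReply {
        ident: u16::from_be_bytes([icmp[4], icmp[5]]),
        seq: u16::from_be_bytes([icmp[6], icmp[7]]),
        payload: icmp[8..].to_vec(),
    })
}

/// On a datagram socket the kernel has rewritten the identifier and already
/// delivers only this socket's replies, so only the sequence number is compared.
pub fn matches_request(r: &EchoReply, sent_ident: u16, sent_seq: u16, dgram: bool) -> bool {
    r.seq == sent_seq && (dgram || r.ident == sent_ident)
}

fn main() {
    // Constructed sample: echo reply, identifier 0x1234, sequence 7, payload "hi".
    let icmp_only = [0u8, 0, 0xde, 0xad, 0x12, 0x34, 0x00, 0x07, b'h', b'i'];
    let mut with_ip = vec![0x45u8]; // version 4, IHL 5 => 20-byte header
    with_ip.extend_from_slice(&[0u8; 19]);
    with_ip.extend_from_slice(&icmp_only);
    println!("{:?}", parse_echo_reply(&icmp_only));
    println!("{:?}", parse_echo_reply(&with_ip));
}
```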