Propagate ICMP echo reply TTL when available #1658
Open
kurochan wants to merge 1 commit into
Respect TTL/HopLimit from origin ICMP echo replies when returning packets to the eyeball. Treat cloudflared as one hop by decrementing the received TTL/HopLimit and drop replies that would expire instead of emitting TTL=0. Keep the default TTL fallback when the reply TTL/HopLimit is unavailable.
Adds TTL/HopLimit propagation for ICMP Echo Reply packets returned from the origin.
cloudflared already behaves like one hop on the request path by decrementing the TTL/HopLimit before forwarding ICMP packets to the origin. This change applies the same behavior on the reply path when the origin reply TTL/HopLimit is available: cloudflared decrements it by 1 before returning the packet to the eyeball.
Replies whose received TTL/HopLimit is 1 or lower are dropped instead of returning a packet with TTL=0. When the reply TTL/HopLimit is unavailable, cloudflared keeps the existing default TTL fallback.
Fixes #1657
Supported paths
Linux now reads IPv4 TTL and IPv6 HopLimit from packet control messages, so both IPv4 and IPv6 Echo Replies can preserve the origin reply hop limit.
Windows IPv4 uses the TTL from the parsed IcmpSendEcho reply.
Partial and fallback behavior
Darwin keeps the existing default TTL fallback on the normal socket read path, where the reply is parsed as an ICMP message without IP header metadata. When Darwin returns a full IP packet and cloudflared can decode the IP header, the reply TTL from that header is preserved and decremented.
Windows IPv6 keeps the existing default TTL behavior because the current parsed Icmp6SendEcho2 reply path does not expose HopLimit.
Any other path where cloudflared cannot obtain the received TTL/HopLimit also keeps the default TTL fallback.
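The reply-path rule described in this PR (decrement the received TTL/HopLimit by one hop, drop replies that would expire, fall back to a default when the value is unavailable), written out as an added example; this is not cloudflared's code. The default value of 64, the function names and the raw IP header decoding used for the full-packet case are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Assumed default when the origin reply carried no TTL/HopLimit metadata
// (the actual value cloudflared uses is not stated on this page).
const defaultReplyTTL uint8 = 64

// ErrReplyExpired: the reply would reach the eyeball with TTL 0, so drop it.
var ErrReplyExpired = errors.New("icmp echo reply expired at cloudflared hop")

// ReplyTTL applies the PR's rule: nil means the received TTL/HopLimit was
// unavailable and the default is kept; otherwise cloudflared counts as one
// hop, decrementing by 1 and dropping values of 1 or lower.
func ReplyTTL(received *uint8) (uint8, error) {
	if received == nil {
		return defaultReplyTTL, nil
	}
	if *received <= 1 {
		return 0, ErrReplyExpired
	}
	return *received - 1, nil
}

// TTLFromIPHeader reads TTL (IPv4, offset 8) or HopLimit (IPv6, offset 7)
// from a raw IP packet; ok is false unless a complete fixed header is present.
func TTLFromIPHeader(pkt []byte) (ttl uint8, ok bool) {
	if len(pkt) >= 20 && pkt[0]>>4 == 4 {
		return pkt[8], true
	}
	if len(pkt) >= 40 && pkt[0]>>4 == 6 {
		return pkt[7], true
	}
	return 0, false
}

func main() {
	// Constructed minimal IPv4 header: version/IHL 0x45, TTL byte = 57.
	v4 := make([]byte, 20)
	v4[0], v4[8] = 0x45, 57
	t, _ := TTLFromIPHeader(v4)
	out, err := ReplyTTL(&t)
	fmt.Println(out, err) // 56 <nil>
	_, err = ReplyTTL(new(uint8)) // received TTL 0: would expire here
	fmt.Println(err)              // prints the ErrReplyExpired message
}
```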