Why is the ping failing on Debian 12?

[precisionpete]

The following code works fine on Windows, Ubuntu 22.04, MacOS, and some others. But it fails on Debian 12.

I've tried running it as root vs a user with the same result.

I've also tried SetPrivileges and the same result.

How to resolve this?

Thanks

ping -c 1 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=115 time=4.19 ms

--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 4.190/4.190/4.190/0.000 ms
$ ./testping 
socket: permission denied
false
$ sudo ./testping 
socket: permission denied
false
$ 
$ cat /etc/os-release 
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
$ 

package main

import (
	"fmt"
	"runtime"
	"time"

	probing "github.com/prometheus-community/pro-bing"
)

func main() {

	isup := Ping("8.8.8.8")

	fmt.Println(isup)

}

func Ping(ip string) bool {
	pinger, err := probing.NewPinger(ip)
	if err != nil {
		return false
	}
	pinger.Count = 1
	pinger.Timeout = 250 * time.Millisecond
	if runtime.GOOS == "windows" {
		pinger.SetPrivileged(true)
	}
	err = pinger.Run()
	if err != nil {
		fmt.Println(err)
		return false
	}

	stats := pinger.Statistics()

	return stats.PacketsRecv > 0
}

[unmurphy]

try about this, sudo sysctl -w net.ipv4.ping_group_range="0 2147483647"

[lrascao]

try about this, sudo sysctl -w net.ipv4.ping_group_range="0 2147483647"

this fixed it for me

[crazyoptimist]

Fixed it for me too. Thanks @unmurphy.
Would you mind explaining why it happens and how it solves the problem?

[dswarbrick]

@crazyoptimist The net.ipv4.ping_group_range sysctl setting defines the minimum and maximum group IDs which are allowed to create ICMP echo sockets (i.e. socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP)) as an alternative to the traditional socket(AF_INET, SOCK_RAW, IPPROTO_ICMP) used by /usr/bin/ping (which in turn requires that it grant CAP_NET_RAW, or (historically) be a setuid binary).

The default setting of 1 0 effectively means that no group is allowed to create ICMP echo sockets. Setting that value to something much more liberal like 0 2147483647 basically means that any group can create ICMP echo sockets.

[Tchoupinax]

Hello,
Very interesting to learn this!
I have a question because I met exactly the same but before using this library, I was doing it by executing a command:
cmd := exec.Command("ping", "-c", "2", ip)

I did not meet any issue with this command but I have one with library. However, it's the same process (golang binary) that performs both. So why with exec command it works while library needs allowance from system?

[dswarbrick]

@Tchoupinax Most modern Linux distros set capabilities on the /usr/bin/ping binary, so that it is permitted to create raw IP sockets.

$ getcap /usr/bin/ping
/usr/bin/ping cap_net_raw=ep

Prior to the capabilities feature, and on various other *nixes, ping would setuid root, which also allowed it to create raw IP sockets. The capabilities approach is more fine-grained however, since it restricts the privileges of the process to just creating raw sockets, rather than everything else that comes with being root.

You can of course set capabilities on Go applications which use the pro-bing library (e.g. setcap cap_net_raw=ep /usr/bin/foo), and this is indeed what Debian / Ubuntu do with the prometheus-blackbox-exporter and prometheus-smokeping-prober packages, via a debconf prompt during package installation.

[benok]

Hi, I found a blog post about the problem.

It also can be fixed by installing the linux-sysctl-defaults package, just FYI.

apt install linux-sysctl-defaults