| author | Andrey Konovalov <andreyknvl@google.com> | 2017-02-06 19:27:17 +0100 |
|---|---|---|
| committer | Andrey Konovalov <andreyknvl@google.com> | 2017-02-06 20:24:49 +0100 |
| commit | b4bdefbe9be8d3d502db5e775aa85cd5c38463db (patch) | |
| tree | 4cc87b8d0761a80a1796edccde72eda2584f6dab | |
| parent | 0fc888220a6b32ba7903f1907e8c2cc64d1df3a1 (diff) | |
prog, sys: add icmp descriptions and checksum
| -rw-r--r-- | prog/checksum.go | 40 | ||||
| -rw-r--r-- | prog/checksum_test.go | 2 | ||||
| -rw-r--r-- | sys/decl.go | 2 | ||||
| -rw-r--r-- | sys/socket.txt | 44 | ||||
| -rw-r--r-- | sys/test.txt | 2 | ||||
| -rw-r--r-- | sys/vnet.txt | 200 | ||||
| -rw-r--r-- | sys/vnet_amd64.const | 35 | ||||
| -rw-r--r-- | sys/vnet_arm64.const | 35 | ||||
| -rw-r--r-- | sys/vnet_ppc64le.const | 35 | ||||
| -rw-r--r-- | sysgen/sysgen.go | 4 | ||||
| -rw-r--r-- | syz-gce/generated.go | 2 | ||||
| -rwxr-xr-x | tools/create-gce-image.sh | 1 | ||||
| -rwxr-xr-x | tools/create-image.sh | 1 |
13 files changed, 362 insertions, 41 deletions
diff --git a/prog/checksum.go b/prog/checksum.go index fdc14a513..03eb81f7b 100644 --- a/prog/checksum.go +++ b/prog/checksum.go @@ -130,20 +130,7 @@ func getFieldByName(arg *Arg, name string) *Arg { panic(fmt.Sprintf("failed to find %v field in %v", name, arg.Type.Name())) } -func findCsumFieldIPv4(packet *Arg, pid int) *Arg { - csumField := getFieldByName(packet, "csum") - if typ, ok := csumField.Type.(*sys.CsumType); !ok { - panic(fmt.Sprintf("checksum field has bad type %v, arg: %+v", csumField.Type, csumField)) - } else if typ.Kind != sys.CsumIPv4 { - panic(fmt.Sprintf("checksum field has bad kind %v, arg: %+v", typ.Kind, csumField)) - } - if csumField.Value(pid) != 0 { - panic(fmt.Sprintf("checksum field has nonzero value %v, arg: %+v", csumField.Value(pid), csumField)) - } - return csumField -} - -func calcChecksumIPv4(packet, csumField *Arg, pid int) *Arg { +func calcChecksumInet(packet, csumField *Arg, pid int) *Arg { bytes := encodeArg(packet, pid) csum := ipChecksum(bytes) newCsumField := *csumField 
@@ -234,16 +221,29 @@ func calcChecksumsCall(c *Call, pid int) map[*Arg]*Arg { var ipSrcAddr *Arg var ipDstAddr *Arg tcp := false + + // Calculate inet checksums. + foreachArgArray(&c.Args, nil, func(arg, base *Arg, _ *[]*Arg) { + if _, ok := arg.Type.(*sys.StructType); ok { + for _, field := range arg.Inner { + if typ, ok1 := field.Type.(*sys.CsumType); ok1 { + if typ.Kind == sys.CsumInet { + newCsumField := calcChecksumInet(arg, field, pid) + if csumMap == nil { + csumMap = make(map[*Arg]*Arg) + } + csumMap[field] = newCsumField + } + } + } + } + }) + + // Calculate tcp and udp checksums. foreachArgArray(&c.Args, nil, func(arg, base *Arg, _ *[]*Arg) { // syz_csum_* structs are used in tests switch arg.Type.Name() { case "ipv4_header", "syz_csum_ipv4_header": - if csumMap == nil { - csumMap = make(map[*Arg]*Arg) - } - csumField := findCsumFieldIPv4(arg, pid) - newCsumField := calcChecksumIPv4(arg, csumField, pid) - csumMap[csumField] = newCsumField ipSrcAddr, ipDstAddr = extractHeaderParamsIPv4(arg) ipv4HeaderParsed = true case "ipv6_packet", "syz_csum_ipv6_header": diff --git a/prog/checksum_test.go b/prog/checksum_test.go index c956da509..cd16bb70b 100644 --- a/prog/checksum_test.go +++ b/prog/checksum_test.go @@ -143,7 +143,7 @@ func TestChecksumCalc(t *testing.T) { }{ { "syz_test$csum_ipv4(&(0x7f0000000000)={0x0, 0x1234, 0x5678})", - sys.CsumIPv4, + sys.CsumInet, 0x9753, }, { diff --git a/sys/decl.go b/sys/decl.go index 77fbfbc51..6b4d24f37 100644 --- a/sys/decl.go +++ b/sys/decl.go @@ -193,7 +193,7 @@ type ProcType struct { type CsumKind int const ( - CsumIPv4 CsumKind = iota + CsumInet CsumKind = iota CsumTCP CsumUDP ) diff --git a/sys/socket.txt b/sys/socket.txt index 075f0536c..afc25f3cd 100644 --- a/sys/socket.txt +++ b/sys/socket.txt 
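Review bot: The new inet-checksum loop in calcChecksumsCall no longer verifies that the checksum field is zero before calcChecksumInet encodes the struct, a check the removed findCsumFieldIPv4 enforced with a panic. Because calcChecksumInet runs ipChecksum over `encodeArg(packet, pid)`, a field that already holds a value would be folded into the sum and silently produce a wrong checksum. Consider keeping the guard inside the `typ.Kind == sys.CsumInet` branch: `if field.Value(pid) != 0 { panic(fmt.Sprintf("checksum field has nonzero value %v, arg: %+v", field.Value(pid), field)) }`. The loop also appears to sum each struct before csumMap is applied, so a struct nesting another csum[inet] struct would be summed over the inner field's unfilled value; none of the visible descriptions nest that way, but a short comment stating the assumption would help. calcChecksumsCall starts and ends outside the hunk.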
@@ -234,6 +234,28 @@ udp_pair { f1 sock_udp } +# AF_INET: ICMP support + +resource sock_icmp[sock] + +socket$icmp(domain const[AF_INET], type const[SOCK_DGRAM], proto const[IPPROTO_ICMP]) sock_icmp +socket$icmp_raw(domain const[AF_INET], type const[SOCK_RAW], proto const[IPPROTO_ICMP]) sock_icmp +socketpair$icmp(domain const[AF_INET], type const[SOCK_DGRAM], proto const[IPPROTO_ICMP], fds ptr[out, icmp_pair]) +socketpair$icmp_raw(domain const[AF_INET], type const[SOCK_RAW], proto const[IPPROTO_ICMP], fds ptr[out, icmp_pair]) +accept$icmp(fd sock_icmp, peer ptr[out, sockaddr_in, opt], peerlen ptr[inout, len[peer, int32]]) sock_icmp +accept4$icmp(fd sock_icmp, peer ptr[out, sockaddr_in, opt], peerlen ptr[inout, len[peer, int32]], flags flags[accept_flags]) sock_icmp +bind$icmp(fd sock_icmp, addr ptr[in, sockaddr_in], addrlen len[addr]) +connect$icmp(fd sock_icmp, addr ptr[in, sockaddr_in], addrlen len[addr]) +sendto$icmp(fd sock_icmp, buf buffer[in], len len[buf], f flags[send_flags], addr ptr[in, sockaddr_in, opt], addrlen len[addr]) +recvfrom$icmp(fd sock_icmp, buf buffer[out], len len[buf], f flags[recv_flags], addr ptr[in, sockaddr_in, opt], addrlen len[addr]) +getsockname$icmp(fd sock_icmp, addr ptr[out, sockaddr_in], addrlen ptr[inout, len[addr, int32]]) +getpeername$icmp(fd sock_icmp, peer ptr[out, sockaddr_in], peerlen ptr[inout, len[peer, int32]]) + +icmp_pair { + f0 sock_icmp + f1 sock_icmp +} + 
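Review bot: `recvfrom$icmp` declares `addr ptr[in, sockaddr_in, opt]` and `addrlen len[addr]`, but recvfrom(2) writes the source address and takes a pointer to the length, so the kernel would interpret the generated length value as a user address. The accept and getsockname lines in the same hunk already use the right shape; something like `addr ptr[out, sockaddr_in, opt], addrlen ptr[inout, len[addr, int32]]` would match. `recvfrom$icmp6` in the AF_INET6 hunk has the same issue. If this was copied from an existing recvfrom description elsewhere in the file, that one would presumably need the same correction.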
@@ -277,6 +299,28 @@ udp6_pair { f1 sock_udp6 } +# AF_INET6: ICMP support + +resource sock_icmp6[sock] + +socket$icmp6(domain const[AF_INET6], type const[SOCK_DGRAM], proto const[IPPROTO_ICMP]) sock_icmp6 +socket$icmp6_raw(domain const[AF_INET6], type const[SOCK_RAW], proto const[IPPROTO_ICMP]) sock_icmp6 +socketpair$icmp6(domain const[AF_INET6], type const[SOCK_DGRAM], proto const[IPPROTO_ICMP], fds ptr[out, icmp6_pair]) +socketpair$icmp6_raw(domain const[AF_INET6], type const[SOCK_RAW], proto const[IPPROTO_ICMP], fds ptr[out, icmp6_pair]) +accept$icmp6(fd sock_icmp6, peer ptr[out, sockaddr_in6, opt], peerlen ptr[inout, len[peer, int32]]) sock_icmp6 +accept4$icmp6(fd sock_icmp6, peer ptr[out, sockaddr_in6, opt], peerlen ptr[inout, len[peer, int32]], flags flags[accept_flags]) sock_icmp6 +bind$icmp6(fd sock_icmp6, addr ptr[in, sockaddr_in6], addrlen len[addr]) +connect$icmp6(fd sock_icmp6, addr ptr[in, sockaddr_in6], addrlen len[addr]) +sendto$icmp6(fd sock_icmp6, buf buffer[in], len len[buf], f flags[send_flags], addr ptr[in, sockaddr_in6, opt], addrlen len[addr]) +recvfrom$icmp6(fd sock_icmp6, buf buffer[out], len len[buf], f flags[recv_flags], addr ptr[in, sockaddr_in6, opt], addrlen len[addr]) +getsockname$icmp6(fd sock_icmp6, addr ptr[out, sockaddr_in6], addrlen ptr[inout, len[addr, int32]]) +getpeername$icmp6(fd sock_icmp6, peer ptr[out, sockaddr_in6], peerlen ptr[inout, len[peer, int32]]) + +icmp6_pair { + f0 sock_icmp6 + f1 sock_icmp6 +} + diff --git a/sys/test.txt b/sys/test.txt index ae7b0b7f3..9d4ac0ced 100644 --- a/sys/test.txt +++ b/sys/test.txt @@ -409,7 +409,7 @@ syz_csum_encode { } [packed] syz_csum_ipv4_header { - csum csum[ipv4, int16] + csum csum[inet, int16] src_ip int32be dst_ip int32be } [packed] diff --git a/sys/vnet.txt b/sys/vnet.txt index 794103282..eee1ece19 100644 --- a/sys/vnet.txt +++ b/sys/vnet.txt 
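Review bot: All four AF_INET6 socket and socketpair descriptions pass `proto const[IPPROTO_ICMP]`, which is the IPv4 protocol number; ICMPv6 sockets on Linux are created with IPPROTO_ICMPV6. With the current constant, `socket$icmp6` (SOCK_DGRAM) will most likely fail with a protocol error, and `socket$icmp6_raw` will yield a raw socket for protocol 1 rather than an ICMPv6 socket, so the sock_icmp6 resource would not exercise the ICMPv6 paths. Suggested change: `socket$icmp6(domain const[AF_INET6], type const[SOCK_DGRAM], proto const[IPPROTO_ICMPV6]) sock_icmp6`, and likewise for the raw and socketpair variants.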
@@ -247,7 +247,7 @@ ipv4_header { # TODO: frag_off is actually 13 bits, 3 bits are flags ttl int8 protocol flags[ipv4_types, int8] - csum csum[ipv4, int16be] + csum csum[inet, int16be] src_ip ipv4_addr dst_ip ipv4_addr options ipv4_options @@ -381,27 +381,14 @@ ipv6_packet_payload { ip_payload [ tcp tcp_packet udp udp_packet + icmp icmp_packet ] [varlen] ################################################################################ -###################################### UDP ##################################### -################################################################################ - -# https://tools.ietf.org/html/rfc768 -# https://en.wikipedia.org/wiki/User_Datagram_Protocol#Packet_structure - -udp_packet { - src_port proc[int16be, 20000, 4] - dst_port proc[int16be, 20000, 4] - length len[parent, int16be] - csum csum[udp, int16be] - data array[int8] -} [packed] - -################################################################################ ###################################### TCP ##################################### ################################################################################ +# https://tools.ietf.org/html/rfc793#section-3.1 # https://en.wikipedia.org/wiki/Transmission_Control_Protocol#TCP_segment_structure # http://www.iana.org/assignments/tcp-parameters/tcp-parameters.xhtml 
@@ -526,3 +513,184 @@ tcp_packet { tcp_payload { payload array[int8] } [packed] + +################################################################################ +###################################### UDP ##################################### +################################################################################ + +# https://tools.ietf.org/html/rfc768 +# https://en.wikipedia.org/wiki/User_Datagram_Protocol#Packet_structure + +udp_packet { + src_port proc[int16be, 20000, 4] + dst_port proc[int16be, 20000, 4] + length len[parent, int16be] + csum csum[udp, int16be] + data array[int8] +} [packed] + +################################################################################ +###################################### ICMP #################################### +################################################################################ + +# https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol#ICMP_datagram_structure +# https://tools.ietf.org/html/rfc792 + +include <uapi/linux/icmp.h> + +icmp_ipv4_header { + ihl bytesize4[parent, int8:4] + version const[4, int8:4] + ecn int8:2 + dscp int8:6 + total_len int16be + id int16be + frag_off int16be + ttl int8 + protocol flags[ipv4_types, int8] + csum int16be + src_ip ipv4_addr + dst_ip ipv4_addr + options ipv4_options +} [packed] + +icmp_echo_reply_packet { + type const[ICMP_ECHOREPLY, int8] + code const[0, int8] + csum csum[inet, int16be] + id int16be + seq_num int16be + data array[int8] +} [packed] + +icmp_dest_unreach_codes = ICMP_NET_UNREACH, ICMP_HOST_UNREACH, ICMP_PROT_UNREACH, ICMP_PORT_UNREACH, ICMP_FRAG_NEEDED, ICMP_SR_FAILED, ICMP_NET_UNKNOWN, ICMP_HOST_UNKNOWN, ICMP_HOST_ISOLATED, ICMP_NET_ANO, ICMP_HOST_ANO, ICMP_NET_UNR_TOS, ICMP_HOST_UNR_TOS, ICMP_PKT_FILTERED, ICMP_PREC_VIOLATION, ICMP_PREC_CUTOFF + +icmp_dest_unreach_packet { + type const[ICMP_DEST_UNREACH, int8] + code flags[icmp_dest_unreach_codes, int8] + csum csum[inet, int16be] + unused const[0, int16] + mtu int16be + iph 
icmp_ipv4_header + data array[int8, 0:8] +} [packed] + +icmp_source_quench_packet { + type const[ICMP_SOURCE_QUENCH, int8] + code const[0, int8] + csum csum[inet, int16be] + unused const[0, int32] + iph icmp_ipv4_header + data array[int8, 0:8] +} [packed] + +icmp_redirect_codes = ICMP_REDIR_NET, ICMP_REDIR_HOST, ICMP_REDIR_NETTOS, ICMP_REDIR_HOSTTOS + +icmp_redirect_packet { + type const[ICMP_REDIRECT, int8] + code flags[icmp_redirect_codes, int8] + csum csum[inet, int16be] + ip ipv4_addr + iph icmp_ipv4_header + data array[int8, 0:8] +} [packed] + +icmp_echo_packet { + type const[ICMP_ECHO, int8] + code const[0, int8] + csum csum[inet, int16be] + id int16be + seq_num int16be + data array[int8] +} [packed] + +icmp_time_exceeded_codes = ICMP_EXC_TTL, ICMP_EXC_FRAGTIME + +icmp_time_exceeded_packet { + type const[ICMP_TIME_EXCEEDED, int8] + code flags[icmp_time_exceeded_codes, int8] + csum csum[inet, int16be] + unsed const[0, int32] + iph icmp_ipv4_header + data array[int8, 0:8] +} [packed] + +icmp_parameter_prob_packet { + type const[ICMP_PARAMETERPROB, int8] + code const[0, int8] + csum csum[inet, int16be] + pointer int8 + unsed array[const[0, int8], 3] + iph icmp_ipv4_header + data array[int8, 0:8] +} [packed] + +icmp_timestamp_packet { + type const[ICMP_TIMESTAMP, int8] + code const[0, int8] + csum csum[inet, int16be] + id int16be + seq_num int16be + orig_ts int32be + recv_ts int32be + trans_ts int32be +} [packed] + +icmp_timestamp_reply_packet { + type const[ICMP_TIMESTAMPREPLY, int8] + code const[0, int8] + csum csum[inet, int16be] + id int16be + seq_num int16be + orig_ts int32be + recv_ts int32be + trans_ts int32be +} [packed] + +icmp_info_request_packet { + type const[ICMP_INFO_REQUEST, int8] + code const[0, int8] + csum csum[inet, int16be] + id int16be + seq_num int16be +} [packed] + +icmp_info_reply_packet { + type const[ICMP_INFO_REPLY, int8] + code const[0, int8] + csum csum[inet, int16be] + id int16be + seq_num int16be +} [packed] + 
+icmp_address_request_packet { + type const[ICMP_ADDRESS, int8] + code const[0, int8] + csum csum[inet, int16be] + mask int32be +} [packed] + +icmp_address_reply_packet { + type const[ICMP_ADDRESSREPLY, int8] + code const[0, int8] + csum csum[inet, int16be] + mask int32be +} [packed] + +icmp_types = ICMP_ECHOREPLY, ICMP_DEST_UNREACH, ICMP_SOURCE_QUENCH, ICMP_REDIRECT, ICMP_ECHO, ICMP_TIME_EXCEEDED, ICMP_PARAMETERPROB, ICMP_TIMESTAMP, ICMP_TIMESTAMPREPLY, ICMP_INFO_REQUEST, ICMP_INFO_REPLY, ICMP_ADDRESS, ICMP_ADDRESSREPLY + +icmp_packet [ + echo_reply icmp_echo_reply_packet + dest_unreach icmp_dest_unreach_packet + source_quench icmp_source_quench_packet + redirect icmp_redirect_packet + echo icmp_echo_packet + time_exceeded icmp_time_exceeded_packet + parameter_prob icmp_parameter_prob_packet + timestamp icmp_timestamp_packet + timestamp_reply icmp_timestamp_reply_packet + info_request icmp_info_request_packet + info_reply icmp_info_reply_packet + address_request icmp_address_request_packet + address_reply icmp_address_reply_packet +] [varlen] diff --git a/sys/vnet_amd64.const b/sys/vnet_amd64.const index b59f7a4f3..e9c262f0d 100644 --- a/sys/vnet_amd64.const +++ b/sys/vnet_amd64.const 
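Review bot: The reserved field is spelled `unsed` in icmp_time_exceeded_packet and icmp_parameter_prob_packet, while the other ICMP structs in this hunk use `unused`; renaming both to `unused` keeps the descriptions consistent and greppable. `icmp_ipv4_header` duplicates ipv4_header except that `csum` is a plain `int16be`, and nothing says why; if the intent is to keep the embedded header out of checksum calculation, a comment such as `# Embedded original header: csum is a plain int so it is not recomputed` would stop someone from "fixing" it later. `icmp_types` is defined at the end of the hunk but is not referenced by any description visible here.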
@@ -63,6 +63,41 @@ ETH_P_TIPC = 35018 ETH_P_TSN = 8944 ETH_P_WCCP = 34878 ETH_P_X25 = 2053 +ICMP_ADDRESS = 17 +ICMP_ADDRESSREPLY = 18 +ICMP_DEST_UNREACH = 3 +ICMP_ECHO = 8 +ICMP_ECHOREPLY = 0 +ICMP_EXC_FRAGTIME = 1 +ICMP_EXC_TTL = 0 +ICMP_FRAG_NEEDED = 4 +ICMP_HOST_ANO = 10 +ICMP_HOST_ISOLATED = 8 +ICMP_HOST_UNKNOWN = 7 +ICMP_HOST_UNREACH = 1 +ICMP_HOST_UNR_TOS = 12 +ICMP_INFO_REPLY = 16 +ICMP_INFO_REQUEST = 15 +ICMP_NET_ANO = 9 +ICMP_NET_UNKNOWN = 6 +ICMP_NET_UNREACH = 0 +ICMP_NET_UNR_TOS = 11 +ICMP_PARAMETERPROB = 12 +ICMP_PKT_FILTERED = 13 +ICMP_PORT_UNREACH = 3 +ICMP_PREC_CUTOFF = 15 +ICMP_PREC_VIOLATION = 14 +ICMP_PROT_UNREACH = 2 +ICMP_REDIRECT = 5 +ICMP_REDIR_HOST = 1 +ICMP_REDIR_HOSTTOS = 3 +ICMP_REDIR_NET = 0 +ICMP_REDIR_NETTOS = 2 +ICMP_SOURCE_QUENCH = 4 +ICMP_SR_FAILED = 5 +ICMP_TIMESTAMP = 13 +ICMP_TIMESTAMPREPLY = 14 +ICMP_TIME_EXCEEDED = 11 IPOPT_CIPSO = 134 IPOPT_END = 0 IPOPT_LSRR = 131 diff --git a/sys/vnet_arm64.const b/sys/vnet_arm64.const index b59f7a4f3..e9c262f0d 100644 --- a/sys/vnet_arm64.const +++ b/sys/vnet_arm64.const @@ -63,6 +63,41 @@ ETH_P_TIPC = 35018 ETH_P_TSN = 8944 ETH_P_WCCP = 34878 ETH_P_X25 = 2053 +ICMP_ADDRESS = 17 +ICMP_ADDRESSREPLY = 18 +ICMP_DEST_UNREACH = 3 +ICMP_ECHO = 8 +ICMP_ECHOREPLY = 0 +ICMP_EXC_FRAGTIME = 1 +ICMP_EXC_TTL = 0 +ICMP_FRAG_NEEDED = 4 +ICMP_HOST_ANO = 10 +ICMP_HOST_ISOLATED = 8 +ICMP_HOST_UNKNOWN = 7 +ICMP_HOST_UNREACH = 1 +ICMP_HOST_UNR_TOS = 12 +ICMP_INFO_REPLY = 16 +ICMP_INFO_REQUEST = 15 +ICMP_NET_ANO = 9 +ICMP_NET_UNKNOWN = 6 +ICMP_NET_UNREACH = 0 +ICMP_NET_UNR_TOS = 11 +ICMP_PARAMETERPROB = 12 +ICMP_PKT_FILTERED = 13 +ICMP_PORT_UNREACH = 3 +ICMP_PREC_CUTOFF = 15 +ICMP_PREC_VIOLATION = 14 +ICMP_PROT_UNREACH = 2 +ICMP_REDIRECT = 5 +ICMP_REDIR_HOST = 1 +ICMP_REDIR_HOSTTOS = 3 +ICMP_REDIR_NET = 0 +ICMP_REDIR_NETTOS = 2 +ICMP_SOURCE_QUENCH = 4 +ICMP_SR_FAILED = 5 +ICMP_TIMESTAMP = 13 +ICMP_TIMESTAMPREPLY = 14 +ICMP_TIME_EXCEEDED = 11 IPOPT_CIPSO = 134 IPOPT_END = 0 IPOPT_LSRR = 131 
diff --git a/sys/vnet_ppc64le.const b/sys/vnet_ppc64le.const index b59f7a4f3..e9c262f0d 100644 --- a/sys/vnet_ppc64le.const +++ b/sys/vnet_ppc64le.const @@ -63,6 +63,41 @@ ETH_P_TIPC = 35018 ETH_P_TSN = 8944 ETH_P_WCCP = 34878 ETH_P_X25 = 2053 +ICMP_ADDRESS = 17 +ICMP_ADDRESSREPLY = 18 +ICMP_DEST_UNREACH = 3 +ICMP_ECHO = 8 +ICMP_ECHOREPLY = 0 +ICMP_EXC_FRAGTIME = 1 +ICMP_EXC_TTL = 0 +ICMP_FRAG_NEEDED = 4 +ICMP_HOST_ANO = 10 +ICMP_HOST_ISOLATED = 8 +ICMP_HOST_UNKNOWN = 7 +ICMP_HOST_UNREACH = 1 +ICMP_HOST_UNR_TOS = 12 +ICMP_INFO_REPLY = 16 +ICMP_INFO_REQUEST = 15 +ICMP_NET_ANO = 9 +ICMP_NET_UNKNOWN = 6 +ICMP_NET_UNREACH = 0 +ICMP_NET_UNR_TOS = 11 +ICMP_PARAMETERPROB = 12 +ICMP_PKT_FILTERED = 13 +ICMP_PORT_UNREACH = 3 +ICMP_PREC_CUTOFF = 15 +ICMP_PREC_VIOLATION = 14 +ICMP_PROT_UNREACH = 2 +ICMP_REDIRECT = 5 +ICMP_REDIR_HOST = 1 +ICMP_REDIR_HOSTTOS = 3 +ICMP_REDIR_NET = 0 +ICMP_REDIR_NETTOS = 2 +ICMP_SOURCE_QUENCH = 4 +ICMP_SR_FAILED = 5 +ICMP_TIMESTAMP = 13 +ICMP_TIMESTAMPREPLY = 14 +ICMP_TIME_EXCEEDED = 11 IPOPT_CIPSO = 134 IPOPT_END = 0 IPOPT_LSRR = 131 diff --git a/sysgen/sysgen.go b/sysgen/sysgen.go index 918c6d847..e88710d56 100644 --- a/sysgen/sysgen.go +++ b/sysgen/sysgen.go @@ -507,8 +507,8 @@ func generateArg( size, bigEndian, bitfieldLen := decodeIntType(a[1]) var kind string switch a[0] { - case "ipv4": - kind = "CsumIPv4" + case "inet": + kind = "CsumInet" case "tcp": kind = "CsumTCP" case "udp": diff --git a/syz-gce/generated.go b/syz-gce/generated.go index 6b9f73ef7..364583808 100644 --- a/syz-gce/generated.go +++ b/syz-gce/generated.go 
@@ -327,6 +327,7 @@ echo "kernel.printk = 7 4 1 3" | sudo tee -a disk.mnt/etc/sysctl.conf echo "debug.exception-trace = 0" | sudo tee -a disk.mnt/etc/sysctl.conf echo "net.core.bpf_jit_enable = 1" | sudo tee -a disk.mnt/etc/sysctl.conf echo "net.core.bpf_jit_harden = 2" | sudo tee -a disk.mnt/etc/sysctl.conf +echo "net.ipv4.ping_group_range = 0 65535" | sudo tee -a disk.mnt/etc/sysctl.conf echo -en "127.0.0.1\tlocalhost\n" | sudo tee disk.mnt/etc/hosts echo "nameserver 8.8.8.8" | sudo tee -a disk.mnt/etc/resolve.conf echo "ClientAliveInterval 420" | sudo tee -a disk.mnt/etc/ssh/sshd_config @@ -364,3 +365,4 @@ echo -n "$4" > tag tar -czvf image.tar.gz disk.tar.gz key tag obj/vmlinux rm -rf tag obj ` + diff --git a/tools/create-gce-image.sh b/tools/create-gce-image.sh index 8be01c44b..59d7823fb 100755 --- a/tools/create-gce-image.sh +++ b/tools/create-gce-image.sh @@ -69,6 +69,7 @@ echo "kernel.printk = 7 4 1 3" | sudo tee -a disk.mnt/etc/sysctl.conf echo "debug.exception-trace = 0" | sudo tee -a disk.mnt/etc/sysctl.conf echo "net.core.bpf_jit_enable = 1" | sudo tee -a disk.mnt/etc/sysctl.conf echo "net.core.bpf_jit_harden = 2" | sudo tee -a disk.mnt/etc/sysctl.conf +echo "net.ipv4.ping_group_range = 0 65535" | sudo tee -a disk.mnt/etc/sysctl.conf echo -en "127.0.0.1\tlocalhost\n" | sudo tee disk.mnt/etc/hosts echo "nameserver 8.8.8.8" | sudo tee -a disk.mnt/etc/resolve.conf echo "ClientAliveInterval 420" | sudo tee -a disk.mnt/etc/ssh/sshd_config diff --git a/tools/create-image.sh b/tools/create-image.sh index b577a0f23..48fd7c068 100755 --- a/tools/create-image.sh +++ b/tools/create-image.sh 
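Review bot: The added `net.ipv4.ping_group_range = 0 65535` line in tools/create-gce-image.sh has no comment, although it changes a security-relevant default: it lets processes in any group within that range open unprivileged ICMP datagram sockets. That is presumably what the new `socket$icmp` SOCK_DGRAM descriptions need inside a disposable fuzzing guest, but the reason should be recorded so the setting is not carried over into a general-purpose image, e.g. `# Allow unprivileged ICMP ping sockets (SOCK_DGRAM/IPPROTO_ICMP) for the fuzzer.` above the echo. The same line is added in tools/create-image.sh and in the generated copy in syz-gce/generated.go.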
@@ -20,6 +20,7 @@ echo "kernel.printk = 7 4 1 3" | sudo tee -a wheezy/etc/sysctl.conf echo 'debug.exception-trace = 0' | sudo tee -a wheezy/etc/sysctl.conf echo "net.core.bpf_jit_enable = 1" | sudo tee -a wheezy/etc/sysctl.conf echo "net.core.bpf_jit_harden = 2" | sudo tee -a wheezy/etc/sysctl.conf +echo "net.ipv4.ping_group_range = 0 65535" | sudo tee -a wheezy/etc/sysctl.conf sudo mkdir -p wheezy/root/.ssh/ rm -rf ssh mkdir -p ssh |
