Re: Marking uncached packets with a netfilter mark value

2010-06-22 Thread Henrik Nordström
On Tue 2010-06-22 at 12:26 +0100, Andrew Beverley wrote:

> So, is the best way of implementing this to do the same as transparent
> proxying, and check whether the (proposed) marking option is enabled in
> squid.conf when executing restoreCapabilities?

Either that, or we always request to keep CAP_NET_ADMIN. Quite many
setups start to depend on it. But automatic detection is obviously
nice.

Regards
Henrik



Re: Marking uncached packets with a netfilter mark value

2010-06-22 Thread Andrew Beverley
> > I have done some initial scoping, but have discovered that in order to
> > mark a packet using setsockopt(), the process needs to be run as root.
> 
> Are you sure it needs root and not just a suitable capability flag? From
> what I can tell CAP_NET_ADMIN is sufficient.

You're right, it only needs CAP_NET_ADMIN. I've just hacked tools.cc to
add that capability and it worked.

So, is the best way of implementing this to do the same as transparent
proxying, and check whether the (proposed) marking option is enabled in
squid.conf when executing restoreCapabilities? If the user has asked for
packets to be marked, then CAP_NET_ADMIN will be retained. The mark
would then be applied in comm.cc in a similar way to the TOS settings.

Andy




Re: Marking uncached packets with a netfilter mark value

2010-06-22 Thread Henrik Nordström
On Mon 2010-06-21 at 21:52 +0100, Andrew Beverley wrote:

> I have done some initial scoping, but have discovered that in order to
> mark a packet using setsockopt(), the process needs to be run as root.

Are you sure it needs root and not just a suitable capability flag? From
what I can tell CAP_NET_ADMIN is sufficient.

Most things are protected by capability flags these days, not by uid==0.

Regards
Henrik



Re: Marking uncached packets with a netfilter mark value

2010-06-22 Thread Andrew Beverley
> > 1. Because the marking process needs to be run as root, can this only be
> > achieved by putting the mark function within the squid process that
> > originally starts up, and stipulate that this has to be run as root?
> 
> Consider a dedicated helper like the diskd helper - send it a fd using
> shm, and a mark to place, and have it make the call. This can be
> started up before squid drops privileges. Better still, to a patch to
> netfilter to allow non root capabilities here.

How about using enter_suid() and leave_suid() before and after the
marking (which someone on the netfilter list suggested)? I have just
tried it now and it seems to work okay.

My intention would be to add the marking function into comm.cc like the
current QOS/TOS functions are (comm_set_tos).

Thanks,

Andy
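The mechanism discussed throughout this thread, as an added example that is not Squid code and not from either poster: a process keeps only CAP_NET_ADMIN when the (hypothetical) packet-marking option is enabled, and then sets a netfilter mark on a socket with SO_MARK, the setsockopt() option the thread refers to. caps_to_keep(), apply_caps(), set_nf_mark() and the other names are this example's own, not Squid's restoreCapabilities() or comm_set_tos(); the 0x10 mark value and the config flags are made up. Linux only, raw capset/capget syscalls, no libcap dependency.

```c
/* Added example (not Squid code): retain CAP_NET_ADMIN across a uid drop
 * only when marking is configured, then mark a socket with SO_MARK.
 * Linux only. Without CAP_NET_ADMIN, SO_MARK fails with EPERM. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/capability.h>

#ifndef SO_MARK
#define SO_MARK 36 /* value on Linux; normally provided by <sys/socket.h> */
#endif

/* Bit for a capability number in the low 32-bit word (CAP_NET_ADMIN is 12). */
static uint32_t cap_bit(int cap) { return 1u << cap; }

/* Capability mask a daemon would keep after dropping root: nothing unless a
 * configured feature needs it. Both flags stand for hypothetical squid.conf
 * options (transparent proxying / packet marking). */
uint32_t caps_to_keep(int transparent_proxy, int mark_enabled)
{
    uint32_t keep = 0;
    if (transparent_proxy || mark_enabled)
        keep |= cap_bit(CAP_NET_ADMIN);
    return keep;
}

/* Install 'keep' as the effective and permitted set via raw capset(2).
 * Call while still privileged, after prctl(PR_SET_KEEPCAPS, 1) and setuid().
 * Returns 0 or -errno (-EPERM when the caller lacks the caps it asks for). */
int apply_caps(uint32_t keep)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    data[0].effective = keep;
    data[0].permitted = keep;
    data[0].inheritable = 0;
    if (syscall(SYS_capset, &hdr, data) != 0)
        return -errno;
    return 0;
}

/* 1 if CAP_NET_ADMIN is in the calling thread's effective set, 0 if not,
 * -errno if capget(2) itself failed. */
int have_cap_net_admin(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -errno;
    return (data[0].effective & cap_bit(CAP_NET_ADMIN)) != 0;
}

/* Set the netfilter mark on a socket. Set it before connect() so the SYN is
 * marked too. Returns 0, or -errno (-EPERM without CAP_NET_ADMIN). */
int set_nf_mark(int fd, uint32_t mark)
{
    if (setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof mark) != 0)
        return -errno;
    return 0;
}

/* Read the current mark back; no privilege needed. Returns 0 or -errno. */
int get_nf_mark(int fd, uint32_t *mark)
{
    socklen_t len = sizeof *mark;
    if (getsockopt(fd, SOL_SOCKET, SO_MARK, mark, &len) != 0)
        return -errno;
    return 0;
}

/* Open a TCP socket and try to mark it with the made-up value 0x10. */
int demo_mark(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;
    int rc = set_nf_mark(fd, 0x10);
    if (rc == 0) {
        uint32_t m = 0;
        get_nf_mark(fd, &m);
        printf("mark set, read back 0x%x\n", m);
    } else {
        printf("SO_MARK failed: %s (CAP_NET_ADMIN in effective set: %d)\n",
               strerror(-rc), have_cap_net_admin());
    }
    close(fd);
    return rc;
}

int main(void) { return demo_mark() == 0 ? 0 : 1; }
```

Run as an unprivileged user the program prints the EPERM failure and reports 0 for CAP_NET_ADMIN; run as root, or with CAP_NET_ADMIN granted (for instance via setcap on the binary), the mark is set and read back. The point of computing caps_to_keep() from configuration, as the thread proposes for restoreCapabilities(), is that CAP_NET_ADMIN also covers interface, routing and firewall changes, so a proxy should hold it only when a feature actually needs it rather than unconditionally.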