Re: Marking uncached packets with a netfilter mark value

From: Andrew Beverley <andy_at_andybev.com>
Date: Tue, 22 Jun 2010 09:31:34 +0100

> > 1. Because the marking process needs to be run as root, can this only be
> > achieved by putting the mark function within the squid process that
> > originally starts up, and stipulating that this has to be run as root?
>
> Consider a dedicated helper like the diskd helper - send it a fd using
> shm, and a mark to place, and have it make the call. This can be
> started up before squid drops privileges. Better still, do a patch to
> netfilter to allow non root capabilities here.

How about using enter_suid() and leave_suid() before and after the
marking (which someone on the netfilter list suggested)? I have just
tried it now and it seems to work okay.

My intention would be to add the marking function into comm.cc like the
current QOS/TOS functions are (comm_set_tos).

Thanks,

Andy
Received on Tue Jun 22 2010 - 08:31:49 MDT