iptables cannot be used with setuid

[cjc7373]

I've encountered iptables errors recently:

$ cproxy mpv xxxx
Error: Running ["iptables", "-t", "nat", "-N", "nozomi_redirect_out_23962"] exited with error; status code: 111

It may be related to a change introduced in iptables 1.8.8, that iptables cannot be called by a setuid executable. See https://git.netfilter.org/iptables/commit/?id=ef7781eb1437a2d6fd37eb3567c599e3ea682b96

I'm not sure how to deal with it, but I think Linux capabilities is an option.

[kauruus]

setting capabilities works for me:

sudo setcap cap_sys_admin+ep `which cproxy`

oops, sorry, i test with sudo. setting capabilities doesn't work.

[kauruus]

my temporary workaround:

0. disable seteuid check in cproxy https://github.com/NOBLES5E/cproxy/blob/master/src/main.rs#L155-L160
1. add all capabilities (no time to figure out the exact one) to both cproxy and iptables, setcap all+ep ...

it mostly works, except failing to clean up iptable rules. i have to remove it manually.

$ ./target/debug/cproxy --port 1081 -- curl https://www.ipconfig.io
xxx.xxx.xxx.xxx
thread 'main' panicked at 'drop iptables and cgroup failed: Custom { kind: Other, error: "Running [\"iptables\", \"-t\", \"nat\", \
"-D\", \"OUTPUT\", \"-j\", \"nozomi_redirect_out_11570\"] exited with error; status code: 111" }', src/guards.rs:108:14
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

[kauruus]

instead of setuid and capabilities, maybe it's easier to run cproxy with sudo, after setting up iptables, cproxy start the program as the original user and add it to the cgroup.