"IP_TRANSPARENT: Operation not permitted", but CAP_NET_ADMIN is enabled. #1252

Closed
enihcam opened this Issue Feb 14, 2017 · 12 comments

@enihcam

enihcam commented Feb 14, 2017

Please answer these questions before submitting your issue. Thanks!

(Please note that if the issue you filed is solved, you may wish to close it yourself. Thanks again.)

(PS, you can remove the 3 lines above, including this one, before posting your issue.)

What version of shadowsocks-libev are you using?

3.0.2

What operating system are you using?

Archlinux

What did you do?

- pacman update
- enable reuse_port

What did you expect to see?

- ss-redir starts in systemd

What did you see instead?

Feb 14 08:09:19 archnet ss-redir[900]: 2017-02-14 08:09:19 ERROR: [udp] setsockopt IP_TRANSPARENT:
Feb 14 08:09:19 archnet systemd[1]: shadowsocks-libev-redir@r0.service: Main process exited, code=ex
Feb 14 08:09:19 archnet systemd[1]: Failed to start Shadowsocks-Libev Client Service Redir Mode.

What is your config in detail (with all sensitive info masked)?

{
    "server":"____",
    "server_port":12345,
    "local_address":"0.0.0.0",
    "local_port":1234,
    "nameserver":"_____",
    "password":"",
    "timeout":60,
    "method":"chacha20-ietf",
    "fast_open":true,
    "reuse_port":true,
    "nofile":16384,
    "mode":"tcp_and_udp"
}

[Unit]
Description=Shadowsocks-Libev Client Service Redir Mode
After=network.target

[Service]
Type=simple
User=nobody
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
ExecStart=/usr/bin/ss-redir -c /etc/shadowsocks/%i.json

[Install]
WantedBy=multi-user.target

@enihcam


enihcam commented Feb 14, 2017

root can start the service, but that is not what we want, right?

@enihcam


enihcam commented Feb 14, 2017

Would it be more flexible to use socket-based activation?
e.g. shadowsocks-libev-redir.socket

@madeye


madeye commented Feb 14, 2017

ss-redir requires ROOT permission to access IP_TRANSPARENT. It's expected.

@rogers0


rogers0 commented Feb 14, 2017

@enihcam @madeye It seems it just needs a command to setcap CAP_NET_ADMIN for ss-redir.

@enihcam


enihcam commented Feb 14, 2017

@rogers0, are you saying 'CapabilityBoundingSet=CAP_NET_ADMIN' in the .service does not work?

@rogers0


rogers0 commented Feb 14, 2017

@enihcam It won't work if you just change that service file.
Please refer:


@enihcam


enihcam commented Feb 14, 2017

@rogers0 could you make the change? @madeye

@rogers0


rogers0 commented Feb 15, 2017

@enihcam I fixed it via the Debian postinst script.
It seems you're using Arch, where the problem is still there, but you can do it locally yourself after every install/upgrade:

sudo setcap cap_net_bind_service,cap_net_admin+ep /usr/bin/ss-redir

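The point the thread turns on is the difference between a capability being *bounded* and being *effective*: `CapabilityBoundingSet=` in the unit above only caps what the process may ever hold, while a non-root `User=` starts with empty permitted and effective sets, so `setsockopt(IP_TRANSPARENT)` still fails. File capabilities (`setcap ... +ep`) put the capability into the permitted and effective sets at exec. The following is an added example, not code from shadowsocks-libev or from anyone in this thread: it decodes the `Cap*` lines of `/proc/<pid>/status` so you can check what a running `ss-redir` actually holds. The two status dumps are constructed to mirror the two situations described above (bounding set only, versus after `setcap`); the bit numbers come from `<linux/capability.h>`.

```python
"""Decode Linux capability sets from /proc/<pid>/status (added example).

Answers the question behind the IP_TRANSPARENT error: is CAP_NET_ADMIN
merely *allowed* by the bounding set (CapBnd) or actually *usable* by the
process (CapEff)? A bounding set that contains a capability grants nothing
to a non-root process by itself.
"""
import re
import sys

# Capability bit numbers as defined in <linux/capability.h>.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]
CAP_BIT = {name: bit for bit, name in enumerate(CAP_NAMES)}

# Constructed sample: User=nobody with CapabilityBoundingSet=CAP_NET_ADMIN
# CAP_NET_BIND_SERVICE and no file/ambient capabilities. CapBnd has bits
# 10 and 12 set (0x1400) but CapEff is empty, so IP_TRANSPARENT fails.
SAMPLE_BOUNDED_ONLY = (
    "Name:\tss-redir\n"
    "Uid:\t65534\t65534\t65534\t65534\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\n"
    "CapBnd:\t0000000000001400\n"
    "CapAmb:\t0000000000000000\n"
)

# Constructed sample: same unit after `setcap cap_net_bind_service,cap_net_admin+ep`
# on the binary; the file capabilities land in CapPrm and CapEff at exec.
SAMPLE_FILE_CAPS = (
    "Name:\tss-redir\n"
    "Uid:\t65534\t65534\t65534\t65534\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000001400\n"
    "CapEff:\t0000000000001400\n"
    "CapBnd:\t0000000000001400\n"
    "CapAmb:\t0000000000000000\n"
)

_CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$")


def parse_cap_sets(status_text):
    """Return {'CapInh': mask, 'CapPrm': mask, ...} from a /proc/<pid>/status dump."""
    sets = {}
    for line in status_text.splitlines():
        m = _CAP_LINE.match(line)
        if m:
            sets[m.group(1)] = int(m.group(2), 16)
    return sets


def mask_to_names(mask):
    """Expand a capability bitmask into names, lowest bit first."""
    names = []
    bit = 0
    while mask >> bit:
        if mask & (1 << bit):
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"cap_{bit}")
        bit += 1
    return names


def has_cap(sets, set_name, cap_name):
    """True if `cap_name` is present in the named set (missing set counts as empty)."""
    return bool(sets.get(set_name, 0) & (1 << CAP_BIT[cap_name]))


def explain(status_text, cap_name="cap_net_admin"):
    """Classify a capability as 'usable', 'bounded-only' or 'absent' for this process."""
    sets = parse_cap_sets(status_text)
    if has_cap(sets, "CapEff", cap_name):
        return "usable"
    if has_cap(sets, "CapBnd", cap_name):
        return "bounded-only"
    return "absent"


def main(argv):
    # With a PID argument, inspect a live process; otherwise show the two samples.
    if len(argv) > 1:
        with open(f"/proc/{argv[1]}/status") as fh:
            dumps = {f"pid {argv[1]}": fh.read()}
    else:
        dumps = {"bounding set only": SAMPLE_BOUNDED_ONLY, "after setcap": SAMPLE_FILE_CAPS}
    for label, text in dumps.items():
        sets = parse_cap_sets(text)
        print(f"[{label}] cap_net_admin is {explain(text)}")
        for name in ("CapEff", "CapBnd", "CapAmb"):
            print(f"  {name}: {mask_to_names(sets.get(name, 0)) or '(none)'}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with the PID of the running `ss-redir` (`python3 capcheck.py "$(pidof ss-redir)"`) to see which sets the capability is in. A "bounded-only" result is exactly the state the original unit file produces. As a note not taken from this thread: besides file capabilities, systemd's `AmbientCapabilities=` (available since systemd 229) can grant capabilities to a non-root `User=` from the unit file alone, which shows up as a non-empty `CapAmb` line.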
@enihcam


enihcam commented Feb 15, 2017

Thank you @rogers0. I'm trying to contact the Arch package owner to update the post-install script.

Windendless added a commit to Windendless/shadowsocks-libev that referenced this issue Feb 16, 2017

@ky0nch3ng


ky0nch3ng commented May 19, 2018

echo 3 > /proc/sys/net/ipv4/tcp_fastopen

@ysy


ysy commented Oct 11, 2018

sudo setcap cap_net_bind_service,cap_net_admin+ep /usr/local/bin/ss-redir
