"IP_TRANSPARENT: Operation not permitted", but CAP_NET_ADMIN is enabled.

[enihcam]

Please answer these questions before submitting your issue. Thanks!

(Please mention that if the issue you filed is solved, you may wish to close it by yourself. Thanks again.)

(PS, you can remove 3 lines above, including this one, before post your issue.)

What version of shadowsocks-libev are you using?

3.0.2

What operating system are you using?

Archlinux

What did you do?

-pacman update
-enable reuse_port

What did you expect to see?

-ss-redir starts in systemd

What did you see instead?

Feb 14 08:09:19 archnet ss-redir[900]: 2017-02-14 08:09:19 ERROR: [udp] setsockopt IP_TRANSPARENT:
Feb 14 08:09:19 archnet systemd[1]: shadowsocks-libev-redir@r0.service: Main process exited, code=ex
Feb 14 08:09:19 archnet systemd[1]: Failed to start Shadowsocks-Libev Client Service Redir Mode.

What is your config in detail (with all sensitive info masked)?

{
"server":"____",
"server_port":12345,
"local_address":"0.0.0.0",
"local_port":1234,
"nameserver":"_____",
"password":"",
"timeout":60,
"method":"chacha20-ietf",
"fast_open":true,
"reuse_port":true,
"nofile":16384,
"mode":"tcp_and_udp"
}

[Unit]
Description=Shadowsocks-Libev Client Service Redir Mode
After=network.target

[Service]
Type=simple
User=nobody
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
ExecStart=/usr/bin/ss-redir -c /etc/shadowsocks/%i.json

[Install]
WantedBy=multi-user.target

[enihcam]

root can start the service, but that is not what we want, right?

[enihcam]

would it be more flexible to use socket-base activation?
e.g. shadowsocks-libev-redir.socket

[madeye]

ss-redir requires ROOT permission to access IP_TRANSPARENT. It's expected.

[rogers0]

@enihcam @madeye seems it just need to add a cmd to setcap CAP_NET_ADMIN for ss-redir.

[enihcam]

@rogers0, are you saying 'CapabilityBoundingSet=CAP_NET_ADMIN' in the .service does not work?

[rogers0]

@enihcam It won't work if you just change that service file.
Please refer:

• https://github.com/shadowsocks/shadowsocks-libev/blob/master/debian/shadowsocks-libev.postinst
  We need to change the setcap part of above postinst script.

[enihcam]

@rogers0 according to
https://git.archlinux.org/svntogit/community.git/tree/trunk/shadowsocks-libev.install?h=packages/shadowsocks-libev

the setcap step has run already.

[enihcam]

@rogers0 could you make the change? @madeye

[rogers0]

@enihcam I fixed it by debian postinst script.
seems you're using arch, problem is still there. but you can do it locally by yourself after every install/upgrade:

sudo setcap cap_net_bind_service,cap_net_admin+ep /usr/bin/ss-redir

[enihcam]

Thank you @rogers0 . I'm trying to contact the arch package owner to update the post-install script.

[1a57danc3]

echo 3 > /proc/sys/net/ipv4/tcp_fastopen

[ysy]

sudo setcap cap_net_bind_service,cap_net_admin+ep /usr/local/bin/ss-redir