"IP_TRANSPARENT: Operation not permitted", but CAP_NET_ADMIN is enabled. #1252

Closed
enihcam opened this issue Feb 14, 2017 · 12 comments

Comments

@enihcam enihcam commented Feb 14, 2017

Please answer these questions before submitting your issue. Thanks!

(Please mention that if the issue you filed is solved, you may wish to close it by yourself. Thanks again.)

(PS, you can remove the 3 lines above, including this one, before posting your issue.)

What version of shadowsocks-libev are you using?

3.0.2

What operating system are you using?

Archlinux

What did you do?

- pacman update
- enable reuse_port

What did you expect to see?

- ss-redir starts in systemd

What did you see instead?

Feb 14 08:09:19 archnet ss-redir[900]: 2017-02-14 08:09:19 ERROR: [udp] setsockopt IP_TRANSPARENT:
Feb 14 08:09:19 archnet systemd[1]: shadowsocks-libev-redir@r0.service: Main process exited, code=ex
Feb 14 08:09:19 archnet systemd[1]: Failed to start Shadowsocks-Libev Client Service Redir Mode.

What is your config in detail (with all sensitive info masked)?

{
"server":"____",
"server_port":12345,
"local_address":"0.0.0.0",
"local_port":1234,
"nameserver":"_____",
"password":"",
"timeout":60,
"method":"chacha20-ietf",
"fast_open":true,
"reuse_port":true,
"nofile":16384,
"mode":"tcp_and_udp"
}

[Unit]
Description=Shadowsocks-Libev Client Service Redir Mode
After=network.target

[Service]
Type=simple
User=nobody
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
ExecStart=/usr/bin/ss-redir -c /etc/shadowsocks/%i.json

[Install]
WantedBy=multi-user.target

@enihcam enihcam commented Feb 14, 2017

root can start the service, but that is not what we want, right?

@enihcam enihcam commented Feb 14, 2017

Would it be more flexible to use socket-based activation?
e.g. shadowsocks-libev-redir.socket

@madeye madeye commented Feb 14, 2017

ss-redir requires ROOT permission to access IP_TRANSPARENT. It's expected.

@rogers0 rogers0 commented Feb 14, 2017

@enihcam @madeye Seems it just needs a command to setcap CAP_NET_ADMIN for ss-redir.

@enihcam enihcam commented Feb 14, 2017

@rogers0, are you saying 'CapabilityBoundingSet=CAP_NET_ADMIN' in the .service does not work?

@rogers0 rogers0 commented Feb 14, 2017

@enihcam It won't work if you just change that service file.
Please refer to:

@enihcam enihcam commented Feb 14, 2017

@enihcam enihcam commented Feb 14, 2017

@rogers0 could you make the change? @madeye

@rogers0 rogers0 commented Feb 15, 2017

@enihcam I fixed it with the Debian postinst script.
It seems you're using Arch, so the problem is still there, but you can do it locally yourself after every install/upgrade:

sudo setcap cap_net_bind_service,cap_net_admin+ep /usr/bin/ss-redir

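Added diagnostic, not part of the thread or of shadowsocks-libev: it repeats the IP_TRANSPARENT setsockopt from the log and decodes CapEff from /proc/self/status, the effective set the kernel actually consults. Run it as the service user before and after the setcap above to confirm the file capability took effect.

```c
/* Added diagnostic, not shadowsocks-libev code: repeat the IP_TRANSPARENT setsockopt
 * from the log and show whether the effective capability set holds what the kernel checks. */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#define CAP_NET_ADMIN_BIT 12 /* numbers from linux/capability.h; the kernel */
#define CAP_NET_RAW_BIT   13 /* accepts either capability for IP_TRANSPARENT */
/* 1 if capability `cap` is set in a CapEff mask as printed in /proc/<pid>/status,
 * e.g. "0000000000001000" is CAP_NET_ADMIN alone; leading whitespace is skipped. */
int cap_in_mask(const char *hexmask, int cap)
{
    unsigned long long mask = strtoull(hexmask, NULL, 16);
    return (int)((mask >> cap) & 1ULL);
}

/* 1/0 whether this process's effective set holds `cap`; -1 if /proc is unavailable.
 * CapabilityBoundingSet= only limits this set; User=nobody leaves it empty unless
 * the binary has file capabilities (setcap) or the unit grants AmbientCapabilities=. */
int proc_has_cap(int cap)
{
    char line[256];
    int rc = -1;
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    while (fgets(line, sizeof line, f))
        if (strncmp(line, "CapEff:", 7) == 0) { rc = cap_in_mask(line + 7, cap); break; }
    fclose(f);
    return rc;
}

/* The call ss-redir makes on its UDP socket: 0 on success, errno from setsockopt
 * (EPERM when the capability is missing), or -1 if socket() itself fails. */
int try_ip_transparent(void)
{
    int one = 1, rc = 0, fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    if (setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof one) < 0) rc = errno;
    close(fd);
    return rc;
}

int main(void)
{
    int rc = try_ip_transparent();
    printf("CapEff: net_admin=%d net_raw=%d\n",
           proc_has_cap(CAP_NET_ADMIN_BIT), proc_has_cap(CAP_NET_RAW_BIT));
    printf("setsockopt IP_TRANSPARENT: %s\n",
           rc == 0 ? "ok" : rc < 0 ? "socket() failed" : strerror(rc));
    return rc != 0;
}
```
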
@enihcam enihcam commented Feb 15, 2017

Thank you @rogers0. I'm trying to contact the Arch package owner to update the post-install script.

Windendless added a commit to Windendless/shadowsocks-libev that referenced this issue Feb 16, 2017

@h0wardch3ng h0wardch3ng commented May 19, 2018

echo 3 > /proc/sys/net/ipv4/tcp_fastopen

@ysy ysy commented Oct 11, 2018

sudo setcap cap_net_bind_service,cap_net_admin+ep /usr/local/bin/ss-redir
