NFQ DAQ and unprivileged operation #11

Open
amishmm opened this issue Jan 23, 2021 · 0 comments
amishmm commented Jan 23, 2021

I am trying to migrate Snort from 2.9.17 to 3.1.0.0.

I run snort in inline mode with NFQ DAQ.

Till snort 2.9.17 snort used to work fine. But now that I am trying to run snort 3.1.0 it gives this error:

```
ERROR: Cannot drop privileges - at least one of the configured DAQ modules does not support unprivileged operation.
```

Looking at the NFQ module code, I see that the README file mentions this:

> Last I checked, the process cannot operate in unprivileged mode. This needs to be revalidated, but the module is marked as such in the meantime.

I think this comment indeed needs a re-validation based on how it worked in snort 2.9.17 (at least for me)?

There can be two reasons why it worked in snort 2.9.17:

  1. Snort 2.9.17 first bound to NFQ before dropping privilege and hence it worked (Just my guess. Not sure if it is so)
  2. NFQ DAQ actually works even after dropping privilege. In that case marking it as DAQ_TYPE_NO_UNPRIV is incorrect and needs to be changed.

I do not know about DAQ, NFQ and internals. But I do request a review on setting DAQ NFQ module as DAQ_TYPE_NO_UNPRIV.

I use Arch Linux and I run snort 3 using this:

```
snort -Q -u snort -g snort -c /etc/snort/snort.lua -l /var/log/snort --tweaks local
```
