From: Christos Tsantilas Date: Sat, 24 Jan 2015 05:08:58 +0000 (-0800) Subject: Set cap_net_admin capability when Squid sets TOS/Diffserv packet values. X-Git-Tag: SQUID_3_4_12~5 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7184e01c9c02448fa2651c5d1e335ee6b500ccaa;p=thirdparty%2Fsquid.git Set cap_net_admin capability when Squid sets TOS/Diffserv packet values. In capabilities-capable environments (e.g., Linux with libcap), CAP_NET_ADMIN capability is required to honor clientside_tos and tcp_outgoing_tos directives. The code was setting that capability when Netfilter marks or tproxy was enabled, but missed the clientside_tos and tcp_outgoing_tos cases. This is a Measurement Factory project --- diff --git a/src/tools.cc b/src/tools.cc index 076446ef42..21923a090d 100644 --- a/src/tools.cc +++ b/src/tools.cc @@ -1319,7 +1319,10 @@ restoreCapabilities(int keep) cap_value_t cap_list[10]; cap_list[ncaps] = CAP_NET_BIND_SERVICE; ++ncaps; - if (Ip::Interceptor.TransparentActive() || Ip::Qos::TheConfig.isHitNfmarkActive() || Ip::Qos::TheConfig.isAclNfmarkActive()) { + if (Ip::Interceptor.TransparentActive() || + Ip::Qos::TheConfig.isHitNfmarkActive() || + Ip::Qos::TheConfig.isAclNfmarkActive() || + Ip::Qos::TheConfig.isAclTosActive()) { cap_list[ncaps] = CAP_NET_ADMIN; ++ncaps; }
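Review bot: the new `Ip::Qos::TheConfig.isAclTosActive()` term in the `restoreCapabilities()` condition carries no comment tying it to the directives the commit message names (clientside_tos and tcp_outgoing_tos), and from this hunk alone a reader cannot tell that the one predicate covers both. Since CAP_NET_ADMIN is a broad capability and this `if` is the only gate on keeping it, I would add a short comment above the condition listing the feature each term stands for and why that feature needs CAP_NET_ADMIN, and confirm that `isAclTosActive()` returns true for each of the two directives on its own. Splitting the condition one term per line, as done here, is a good change for that reason: future additions to the list will show up as single-line diffs that are easy to audit.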