Open cjc7373 opened 2 years ago
setting capabilities works for me:
sudo setcap cap_sys_admin+ep `which cproxy`
oops, sorry, i test with sudo. setting capabilities doesn't work.
my temporary workaround:
cproxy
and iptables
, setcap all+ep ...
it mostly works, except failing to clean up iptable rules. i have to remove it manually.
$ ./target/debug/cproxy --port 1081 -- curl https://www.ipconfig.io
xxx.xxx.xxx.xxx
thread 'main' panicked at 'drop iptables and cgroup failed: Custom { kind: Other, error: "Running [\"iptables\", \"-t\", \"nat\", \
"-D\", \"OUTPUT\", \"-j\", \"nozomi_redirect_out_11570\"] exited with error; status code: 111" }', src/guards.rs:108:14
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
instead of setuid and capabilities, maybe it's easier to run cproxy with sudo, after setting up iptables, cproxy start the program as the original user and add it to the cgroup.
I've encountered iptables errors recently:
It may be related to a change introduced in iptables 1.8.8, that iptables cannot be called by a setuid executable. See https://git.netfilter.org/iptables/commit/?id=ef7781eb1437a2d6fd37eb3567c599e3ea682b96
I'm not sure how to deal with it, but I think Linux capabilities is an option.