Diffstat (limited to 'src')
-rw-r--r--src/capabilities.c8
-rw-r--r--src/types.h2
2 files changed, 8 insertions, 2 deletions
diff --git a/src/capabilities.c b/src/capabilities.c
index f72b7f9..5e02df3 100644
--- a/src/capabilities.c
+++ b/src/capabilities.c
@@ -76,7 +76,13 @@ static void try_cap(cap_value_t cap) {
/** Returns true if CAP_NET_ADMIN should be retained */
static bool need_cap_net_admin(void) {
- return !fastd_config_persistent_ifaces() && conf.drop_caps != DROP_CAPS_FORCE;
+ if (!fastd_config_persistent_ifaces() && conf.drop_caps != DROP_CAPS_FORCE)
+ return true;
+
+ if (!(ctx.sock_default_v4 || ctx.sock_default_v6) && conf.packet_mark)
+ return true;
+
+ return false;
}
/** Returns true if CAP_NET_RAW should be retained */
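Review bot: The second check in need_cap_net_admin() keeps CAP_NET_ADMIN even when conf.drop_caps is DROP_CAPS_FORCE, and nothing at that line says why the capability is needed. A why-comment above it would help, for example `/* No default socket is open: sockets are presumably created later and need CAP_NET_ADMIN to apply the packet mark */`; the wording should be confirmed against the socket code, which is outside this hunk. Because this widens what the process keeps in force mode, the DROP_CAPS_FORCE comment in src/types.h could name the packet-mark case explicitly instead of leaving it implied by "even when TUN/TAP interfaces need to be opened". The function's docstring could likewise list both retention conditions, so an operator auditing the privilege set does not have to read the body.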
diff --git a/src/types.h b/src/types.h
index 0792e1b..523efa2 100644
--- a/src/types.h
+++ b/src/types.h
@@ -74,7 +74,7 @@ typedef enum fastd_drop_caps {
DROP_CAPS_OFF, /**< The capabilities aren't dropped at all */
DROP_CAPS_ON, /**< The capabilities are dropped after executing the on-up command */
DROP_CAPS_EARLY, /**< The capabilities are dropped before executing the on-up command */
- DROP_CAPS_FORCE, /**< The capabilities are dropped before executing the on-up command; CAP_NET_ADMIN is always dropped */
+ DROP_CAPS_FORCE, /**< The capabilities are dropped before executing the on-up command; CAP_NET_ADMIN is dropped even when TUN/TAP interfaces need to be opened */
} fastd_drop_caps_t;
/** Types of file descriptors to poll on */