Message: 1 Date: Fri, 18 Jul 2008 20:35:47 -0700 From: Dave Platt <[EMAIL PROTECTED]>
I'm preparing for a client install of * by doing a fresh one in-house. Unlike my earlier installation that runs asterisk as superuser, my current experimental box runs without such privilege. This is causing it to moan that it can't set TOS. I absolutely don't want to install it on the client LAN without this capability. If need be, I'll set the binary to run setuid root.I've used LARTC and I'm aware of the capability, but keying on UID did not occur to me. Thank you - it's a good solution.But I'm looking for something more elegant. While googling, I found a suggestion to use iptables mangle rules to set TOS for all packets going out of the box on ports like 5060 and 10000:20000. Not a bad hack, but indiscriminate and this box will be handling other traffic besides the RTP. I'd like to do better.It is possible for an iptables filter/rule to match packets in the OUTPUT chain based on the UID or GID of the process which created them, if you have the "owner" module loaded. You should be able to add a rule to the OUTPUT chain of the mangle table which will set the TOS properly for any and all outbound packets generated locally by the non-root user ID which you're using to run Asterisk.
Come to think of it, I think I need to do this myself. I'm using the "ultimate Linux traffic conditioning" configuration (modified very slightly) to prioritize my system's outbound traffic into multiple queues by TOS, and it's probably mis-queueing the RTP traffic because my Debian install of Asterisk is running under a non-root UID.
Glad to be of assistance.
Traffic-shaping in the box would probably be overkill for my purpose because the nature of the routing in this box will limit the contention from this source. I think I just need to have the packets treated well once they hit the local network. But this is also a worthwhile consideration, and probably useful in other circumstances. Again, thanks for the reply - it's right on target and solves my problem nicely.I thought of using POSIX access control to enable asterisk to do TOS setting without being root (would this be CAP_NET_RAW?), which sounds perfect, but so far I'm operating with stock ubuntu hardy, and I would like to avoid a kernel build to add this capability.Any other ideas?Seems like "iptables -t mangle -A OUTPUT -m owner --uid-owner $ASTERISK" would be along the lines of what you want? Mark the packets with the TOS you want... and then consider using the Linux traffic-shaping system to make sure that they really do get transmitted ahead of non-urgent packets:
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- AstriCon 2008 - September 22 - 25 Phoenix, Arizona Register Now: http://www.astricon.net asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
