> > 1. Because the marking process needs to be run as root, can this only be
> > achieved by putting the mark function within the squid process that
> > originally starts up, and stipulate that this has to be run as root?
>
> Consider a dedicated helper like the diskd helper - send it a fd using
> shm, and a mark to place, and have it make the call. This can be
> started up before squid drops privileges. Better still, do a patch to
> netfilter to allow non root capabilities here.
How about using enter_suid() and leave_suid() before and after the marking
(which someone on the netfilter list suggested)? I have just tried it now and
it seems to work okay.

My intention would be to add the marking function into comm.cc like the
current QOS/TOS functions are (comm_set_tos).

Thanks,
Andy
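
The privilege dance Andy describes, as an added stand-alone example (this is not Squid's code and not from the thread's authors): a comm_set_tos-style function that raises the effective uid around the privileged setsockopt(SO_MARK) call and drops it again immediately afterwards, then reads the mark back so the caller can confirm it took. The names example_enter_suid(), example_leave_suid() and example_comm_set_mark() are assumptions standing in for Squid's enter_suid()/leave_suid() and the proposed marking function; the stand-ins only swap the effective uid with seteuid() and ignore the gid handling Squid's real helpers do. SO_MARK is Linux-specific and needs CAP_NET_ADMIN, so the call fails with EPERM when the process neither runs as root nor started as root and dropped to an unprivileged effective uid, which is exactly the case the thread is worried about.

```c
/* Added example, not Squid's code: set a netfilter mark on a socket,
 * toggling the effective uid around the privileged call the way
 * enter_suid()/leave_suid() do in Squid. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef SO_MARK
#define SO_MARK 36   /* Linux value; assumed when the headers lack it */
#endif

/* Hypothetical stand-ins for Squid's enter_suid()/leave_suid(). They only
 * swap the effective uid; Squid's real functions also deal with the gid.
 * seteuid(0) succeeds only if the saved set-uid is 0, i.e. the process
 * started as root and dropped privileges with seteuid(). */
static uid_t example_saved_euid;

static int example_enter_suid(void)
{
    example_saved_euid = geteuid();
    if (example_saved_euid == 0)
        return 0;                 /* already root, nothing to raise */
    return seteuid(0);            /* fails with EPERM if never root */
}

static int example_leave_suid(void)
{
    if (example_saved_euid == 0)
        return 0;
    return seteuid(example_saved_euid);
}

/* Sketch of the proposed comm_set_mark(): returns 0 on success or the
 * errno from setsockopt(). EPERM means no CAP_NET_ADMIN was available. */
int example_comm_set_mark(int fd, unsigned int mark)
{
    int rc = 0;
    (void)example_enter_suid();   /* best effort; checked via setsockopt */
    if (setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof mark) != 0)
        rc = errno;
    (void)example_leave_suid();   /* always drop again, even on failure */
    return rc;
}

/* Read the mark back so a caller can verify the kernel really applied it. */
int example_get_mark(int fd, unsigned int *mark)
{
    socklen_t len = sizeof *mark;
    if (getsockopt(fd, SOL_SOCKET, SO_MARK, mark, &len) != 0)
        return errno;
    return 0;
}

/* Open a TCP socket, try to mark it, and return 0 (with *got filled in)
 * or the errno that stopped us. */
int example_mark_demo(unsigned int wanted, unsigned int *got)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return errno;
    int rc = example_comm_set_mark(fd, wanted);
    if (rc == 0)
        rc = example_get_mark(fd, got);
    close(fd);
    return rc;
}

int main(void)
{
    unsigned int got = 0;
    int rc = example_mark_demo(0x10, &got);
    if (rc == 0)
        printf("mark set: 0x%x\n", got);
    else if (rc == EPERM)
        printf("no CAP_NET_ADMIN in this context: %s\n", strerror(rc));
    else
        printf("error: %s\n", strerror(rc));
    return 0;
}
```

Run it twice to see both outcomes: as an ordinary user it reports EPERM, and as root (or as a root-started process that has only dropped its effective uid) it reports the mark it read back. The same test of the return value is what a production comm_set_mark() should log, since a silent EPERM would leave traffic unmarked without any other symptom.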
