> > I have done some initial scoping, but have discovered that in order to
> > mark a packet using setsockopt(), the process needs to be run as root.
>
> Are you sure it needs root and not just a suitable capability flag? From
> what I can tell CAP_NET_ADMIN is sufficient.

You're right, it only needs CAP_NET_ADMIN. I've just hacked tools.cc to add that capability and it worked.

So, is the best way of implementing this to do the same as transparent proxying, and check whether the (proposed) marking option is enabled in squid.conf when executing restoreCapabilities? If the user has asked for packets to be marked, then CAP_NET_ADMIN will be retained. The mark would then be applied in comm.cc in a similar way to the TOS settings.

Andy
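
The approach discussed in this thread, sketched as an added example (not part of the original messages and not Squid's code): retain CAP_NET_ADMIN only when a feature that needs it is enabled, then set the mark with setsockopt(SO_MARK). The `cfg` struct, the function names and the mark value are hypothetical; it uses the raw Linux capget/capset syscalls so it builds without libcap.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Hypothetical config flags, not real squid.conf directive names. */
struct cfg { int transparent; int mark_packets; };

/* Least privilege: keep CAP_NET_ADMIN only if an enabled feature needs it. */
uint32_t caps_to_keep(const struct cfg *c)
{
    return (c->transparent || c->mark_packets) ? (1u << CAP_NET_ADMIN) : 0;
}

/* Narrow the permitted/effective sets to `keep`; returns 0 or -errno. */
int restrict_caps(uint32_t keep)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2];
    if (syscall(SYS_capget, &hdr, d) != 0) return -errno;
    d[0].effective &= keep; d[0].permitted &= keep; d[0].inheritable = 0;
    memset(&d[1], 0, sizeof d[1]);   /* capabilities 32..63: none needed */
    return syscall(SYS_capset, &hdr, d) == 0 ? 0 : -errno;
}

/* Apply a packet mark; -EPERM means the needed capability was not retained. */
int set_mark(int fd, uint32_t mark)
{
    return setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof mark) == 0 ? 0 : -errno;
}

int main(void)
{
    struct cfg c = { 0, 1 };              /* constructed: marking enabled */
    int rc = restrict_caps(caps_to_keep(&c));
    if (rc) { fprintf(stderr, "capset: %s\n", strerror(-rc)); return 1; }
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) { perror("socket"); return 1; }
    rc = set_mark(fd, 0x10);              /* constructed mark value */
    printf("SO_MARK: %s\n", rc ? strerror(-rc) : "ok");
    close(fd);
    return rc ? 1 : 0;
}
```

A process that changes from root to an unprivileged UID loses its permitted capabilities at that point unless it set prctl(PR_SET_KEEPCAPS) first, so the narrowing step only has something to keep if that was done before the UID switch.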
