DTLS patches

Vladimir Homutov vl at nginx.com
Wed Feb 21 15:34:50 UTC 2018


On Wed, Feb 21, 2018 at 10:44:00PM +0800, Wang Shanker wrote:
> Hi,
>
> I noticed that you have introduced `ngx_event_udp_accept()`, which can
> create a separate socket for receiving datagrams from a specific client.
> I understand that it is necessary for DTLS servers. However I wonder
> why it is also called for normal udp servers.

for normal udp server this is beneficial if you need to process
bidirectional stream, i.e. proxying DTLS or similar protocols without
offloading it. Probably this should be at least configurable.

> For udp servers listening on a port below 1024, such call will fail if
> the worker processes drop their privilege as a non-root user.
> The  following patch solves this problem by retaining CAP_NET_BIND_SERVICE
> after worker processes change UID.

yes, there is an issue in such case, and retaining (partial) permissions
is a possible (but ugly) solution.


More information about the nginx mailing list