DTLS patches

Wang Shanker shankerwangmiao at gmail.com
Wed Feb 21 15:49:37 UTC 2018



> On 21 Feb 2018, at 23:34, Vladimir Homutov <vl at nginx.com> wrote:
> 
>> On Wed, Feb 21, 2018 at 10:44:00PM +0800, Wang Shanker wrote:
>> Hi,
>> 
>> I noticed that you have introduced `ngx_event_udp_accept()`, which can
>> create a separate socket for receiving datagrams from a specific client.
>> I understand that it is necessary for DTLS servers. However I wonder
>> why it is also called for normal udp servers.
> 
> for a normal udp server this is beneficial if you need to process a
> bidirectional stream, i.e. proxying DTLS or similar protocols without
> offloading it. Probably this should be at least configurable.
> 
>> For udp servers listening on a port below 1024, such a call will fail if
>> the worker processes drop their privileges as a non-root user.
>> The following patch solves this problem by retaining CAP_NET_BIND_SERVICE
>> after the worker processes change UID.
> 
> yes, there is an issue in such case, and retaining (partial) permissions
> is a possible (but ugly) solution.

You can see from the code that this is not the first time that solution has been used. I wonder if there is a better solution for this issue.

Cheers,

Miao Wang


