DTLS patches

Wang Shanker shankerwangmiao at gmail.com
Wed Feb 21 14:44:00 UTC 2018


Hi,

I noticed that you have introduced `ngx_event_udp_accept()`, which can 
create a separate socket for receiving datagrams from a specific client. 
I understand that it is necessary for DTLS servers. However, I wonder 
why it is also called for normal UDP servers.

For UDP servers listening on a port below 1024, such a call will fail if
the worker processes drop privileges to a non-root user. The 
following patch solves this problem by retaining CAP_NET_BIND_SERVICE 
after the worker processes change UID.

Cheers,

Miao Wang
 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Retain-CAP_NET_BIND_SERVICE-capability-for-udp-privi.patch
Type: application/octet-stream
Size: 3605 bytes
Desc: not available
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20180221/01c29a98/attachment.obj>
-------------- next part --------------


> On 2018-02-21, at 22:30, Wang Shanker <shankerwangmiao at gmail.com> wrote:
> 
> Hi, of course. I'm implementing RFC8094, which is for transmitting DNS
> queries through DTLS. Nginx is used for offloading DTLS encryption and
> the software behind nginx is bind9.
> 
> Cheers,
> 
> Miao Wang
> 
>> On 2018-02-21, at 22:12, Vladimir Homutov <vl at nginx.com> wrote:
>> 
>> On Wed, Feb 21, 2018 at 08:47:37AM -0500, shankerwangmiao wrote:
>>> 
>>> I have tested this patch in my environment. Before the patch is applied,
>>> `tcp_nodelay off` needs to be placed in every `server` clause with DTLS
>>> enabled to work around the problem.
>>> 
>> 
>> Hello,
>> Can you please elaborate on your environment? Do you proxy the DTLS
>> stream directly to the backend, or do you perform DTLS offload?
>> What protocol are you using, and which server/client software is
>> before/behind nginx?
>> 
>> I'm attaching a refreshed patch against nginx-1.13.9 for those who are
>> interested in testing it.
>> <nginx-1.13.9-dtls-experimental.diff>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
> 
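The privilege-drop sequence referred to above, as an added example for readers of the thread; this is not the scrubbed patch and not nginx code. It shows the Linux order of operations a daemon needs to keep CAP_NET_BIND_SERVICE across the switch to an unprivileged UID (PR_SET_KEEPCAPS, then setgid/setuid, then capset() to re-raise exactly one bit), and a checker for the CapEff value from /proc/<pid>/status so the result can be verified on a live worker. The uid/gid 65534 in main() is assumed to be "nobody"; the hex strings used to exercise the checker are constructed.

```c
/*
 * Added example (not the patch from this thread, not nginx code): drop to an
 * unprivileged UID on Linux while keeping CAP_NET_BIND_SERVICE, so bind() to a
 * port below 1024 still works afterwards, plus a checker for the "CapEff:"
 * value of /proc/<pid>/status.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Bit for one capability inside its 32-bit capability word. */
static inline uint32_t cap_mask(int cap)
{
    return CAP_TO_MASK(cap);            /* 1U << (cap & 31) */
}

/*
 * Change to uid/gid but keep `cap` in the permitted and effective sets.
 * Order matters:
 *   1. PR_SET_KEEPCAPS=1: the kernel must not clear the permitted set when
 *      the effective UID changes from 0 to non-zero;
 *   2. setgid()/setuid() perform the drop; the effective set is still
 *      cleared by the UID change, only permitted survives;
 *   3. capset() shrinks permitted to the single bit and raises it into
 *      effective, so nothing else is carried over;
 *   4. PR_SET_KEEPCAPS=0 restores the default for any later UID change.
 * Inheritable is left empty, so programs exec()ed later get no capability.
 * Returns 0 on success, -1 with errno set on failure.
 */
int drop_privs_keep_cap(uid_t uid, gid_t gid, int cap)
{
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct   data[_LINUX_CAPABILITY_U32S_3];

    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1)
        return -1;

    if (setgid(gid) == -1 || setuid(uid) == -1)
        return -1;

    memset(&hdr, 0, sizeof(hdr));
    memset(data, 0, sizeof(data));
    hdr.version = _LINUX_CAPABILITY_VERSION_3;
    hdr.pid = 0;                        /* the calling thread */
    data[CAP_TO_INDEX(cap)].permitted = cap_mask(cap);
    data[CAP_TO_INDEX(cap)].effective = cap_mask(cap);

    if (syscall(SYS_capset, &hdr, data) == -1)
        return -1;

    prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0);
    return 0;
}

/*
 * Parse the hex value following "CapEff:" (or "CapPrm:") in
 * /proc/<pid>/status and report whether `cap` is set.
 * Returns 1 if set, 0 if clear, -1 if the value is malformed.
 */
int cap_set_in_hex(const char *hex, int cap)
{
    char *end;
    unsigned long long bits;

    if (hex == NULL || *hex == '\0' || cap < 0 || cap > 63)
        return -1;
    errno = 0;
    bits = strtoull(hex, &end, 16);     /* skips leading blanks/tabs */
    if (errno != 0 || end == hex)
        return -1;
    while (*end == ' ' || *end == '\n')
        end++;
    if (*end != '\0')
        return -1;
    return ((bits >> cap) & 1ULL) ? 1 : 0;
}

/* Read CapEff of the calling process; same return values as above. */
int self_has_effective_cap(int cap)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int rc = -1;

    if (f == NULL)
        return -1;
    while (fgets(line, sizeof(line), f) != NULL) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            rc = cap_set_in_hex(line + 7, cap);
            break;
        }
    }
    fclose(f);
    return rc;
}

int main(void)
{
    uid_t uid = 65534;                  /* assumed: "nobody" */
    gid_t gid = 65534;

    if (getuid() != 0) {
        fprintf(stderr, "run as root to exercise the privilege drop\n");
        return 1;
    }
    if (drop_privs_keep_cap(uid, gid, CAP_NET_BIND_SERVICE) == -1) {
        perror("drop_privs_keep_cap");
        return 1;
    }
    printf("uid=%u, CAP_NET_BIND_SERVICE effective: %d\n",
           (unsigned) getuid(), self_has_effective_cap(CAP_NET_BIND_SERVICE));
    return 0;
}
```

To check a running worker rather than this program, read its CapEff line (`grep CapEff /proc/<worker pid>/status`); CAP_NET_BIND_SERVICE is capability 10, so the 0x400 bit must be set for the per-client bind() in the UDP accept path to succeed on a port below 1024. The capability also has to be present in the bounding set of the master process, which is the default for a daemon started as root.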