DTLS patches
Wang Shanker
shankerwangmiao at gmail.com
Wed Feb 21 15:49:37 UTC 2018
> On Feb 21, 2018, at 23:34, Vladimir Homutov <vl at nginx.com> wrote:
>
>> On Wed, Feb 21, 2018 at 10:44:00PM +0800, Wang Shanker wrote:
>> Hi,
>>
>> I noticed that you have introduced `ngx_event_udp_accept()`, which can
>> create a separate socket for receiving datagrams from a specific client.
>> I understand that it is necessary for DTLS servers. However I wonder
>> why it is also called for normal udp servers.
>
> for normal udp server this is beneficial if you need to process
> bidirectional stream, i.e. proxying DTLS or similar protocols without
> offloading it. Probably this should be at least configurable.
>
>> For udp servers listening on a port below 1024, such call will fail if
>> the worker processes drop their privilege as a non-root user.
>> The following patch solves this problem by retaining CAP_NET_BIND_SERVICE
>> after worker processes change UID.
>
> yes, there is an issue in such case, and retaining (partial) permissions
> is a possible (but ugly) solution.
You can see from the code that it is not the first time that solution has been used. I wonder if there is a better solution for this issue.

Cheers,
Miao Wang
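An added illustration of the mechanism the patch discussed above relies on: keeping CAP_NET_BIND_SERVICE in the permitted set across a UID change, then raising it back into the effective set so a de-privileged worker can still bind() a port below 1024. This is example code written for this page, not the patch itself or any nginx source; it is Linux-only and uses the raw capget/capset syscalls (so it does not need libcap), with the capability number, version constant and struct layouts copied from the kernel UAPI values. The helper names (`port_is_privileged`, `build_single_cap`, `drop_privs_keep_bind`) are my own.

```c
/* Added example, not nginx code: keep CAP_NET_BIND_SERVICE across setuid().
 * Linux only; raw syscalls so no libcap dependency. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>

/* Values from <linux/capability.h>, defined here so the file stands alone. */
#define CAP_NET_BIND_SERVICE        10
#define LINUX_CAPABILITY_VERSION_3  0x20080522
#define LINUX_CAPABILITY_U32S_3     2

/* Kernel ABI structs for capget(2)/capset(2). */
struct cap_header { uint32_t version; int pid; };
struct cap_data   { uint32_t effective, permitted, inheritable; };

/* A capability lives in word (cap / 32), bit (cap % 32) of the 64-bit set. */
static int      cap_word(int cap) { return cap >> 5; }
static uint32_t cap_mask(int cap) { return 1u << (cap & 31); }

/* Ports 1..1023 need CAP_NET_BIND_SERVICE to bind() without root. */
int port_is_privileged(int port) { return port > 0 && port < 1024; }

/* Fill a capset payload containing only `cap` (effective + permitted,
 * nothing inheritable). Returns the index of the word holding `cap`. */
int build_single_cap(int cap, struct cap_data data[LINUX_CAPABILITY_U32S_3]) {
    memset(data, 0, sizeof(struct cap_data) * LINUX_CAPABILITY_U32S_3);
    data[cap_word(cap)].effective = cap_mask(cap);
    data[cap_word(cap)].permitted = cap_mask(cap);
    return cap_word(cap);
}

/* Switch to uid/gid while keeping CAP_NET_BIND_SERVICE effective.
 * Returns 0 on success, 1 if the capability is not in our permitted set
 * (process was never privileged, nothing to retain), -1 with errno set. */
int drop_privs_keep_bind(uid_t uid, gid_t gid) {
    struct cap_header hdr = { LINUX_CAPABILITY_VERSION_3, 0 };
    struct cap_data cur[LINUX_CAPABILITY_U32S_3];
    const int w = cap_word(CAP_NET_BIND_SERVICE);
    const uint32_t m = cap_mask(CAP_NET_BIND_SERVICE);

    if (syscall(SYS_capget, &hdr, cur) != 0) return -1;
    if (!(cur[w].permitted & m)) return 1;

    /* By default setuid() away from uid 0 clears every capability set.
     * PR_SET_KEEPCAPS preserves the permitted set; effective is still
     * cleared, so it must be raised again afterwards. */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;

    /* Shrink permitted to the single capability we need and make it
     * effective; raising effective from permitted needs no extra privilege. */
    struct cap_data want[LINUX_CAPABILITY_U32S_3];
    build_single_cap(CAP_NET_BIND_SERVICE, want);
    if (syscall(SYS_capset, &hdr, want) != 0) return -1;

    /* Verify rather than trust: re-read and check the effective bit. */
    if (syscall(SYS_capget, &hdr, cur) != 0) return -1;
    return (cur[w].effective & m) ? 0 : -1;
}

int main(void) {
    /* Demo only: "drop" to our own ids so it runs for any user. */
    int r = drop_privs_keep_bind(getuid(), getgid());
    if (r == 0)  printf("CAP_NET_BIND_SERVICE retained as uid %u\n", (unsigned)getuid());
    if (r == 1)  printf("not privileged to begin with; nothing retained\n");
    if (r == -1) printf("failed: %s\n", strerror(errno));
    return r == -1;
}
```

The order matters: prctl(PR_SET_KEEPCAPS) must precede setuid(), and capset() must follow it, because the kernel clears the effective set on the UID change regardless of the flag. Shrinking permitted to the one capability at the same time is what keeps this from being the "retain everything" variant that makes the approach look ugly.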