CAP_NET_ADMIN has been overkill to use setsockopt(IP_TRANSPARENT) since a discussion on LKML[1] and a patch[2] in 2011. All that is left to do is to let devs know they don't need CAP_NET_ADMIN. [1] <https://lore.kernel.org/netdev/20111020.182214.629562655202957174.davem@xxxxxxxxxxxxx/T/> [2] linux.git 6cc7a765c2987f03ba278dac03c7cc759ee198e7 ("IP_TRANSPARENT requires CAP_NET_ADMIN - why?") Signed-off-by: Matthieu Buffet <matthieu@xxxxxxxxx> --- man/man7/ip.7 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/man/man7/ip.7 b/man/man7/ip.7 index e75aa7ca40a4..00e5274c552a 100644 --- a/man/man7/ip.7 +++ b/man/man7/ip.7 @@ -1088,6 +1088,8 @@ socket option). Enabling this socket option requires superuser privileges (the .B CAP_NET_ADMIN +or +.B CAP_NET_RAW capability). .IP TProxy redirection with the iptables TPROXY target also requires that base-commit: 64199c5bf76806f13a78b9fd5792ccfcb28a5551 -- 2.39.5
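Review bot: the added "or" / ".B CAP_NET_RAW" lines in the @@ -1088,6 +1088,8 @@ hunk of man/man7/ip.7 carry no kernel version, so a reader targeting an older kernel cannot tell from the page whether CAP_NET_RAW alone is sufficient there. The commit message dates the kernel change to a 2011 patch (linux.git 6cc7a765c2987f03ba278dac03c7cc759ee198e7), so a "since Linux x.y" qualifier after CAP_NET_RAW, filled in with the first release containing that commit, would make the statement checkable. Separately, the unchanged context still reads "requires superuser privileges (the CAP_NET_ADMIN or CAP_NET_RAW capability)", which does not make it obvious that either capability on its own is enough. Since the stated goal is to tell developers they do not need CAP_NET_ADMIN, consider wording the sentence so it says explicitly that one of the two capabilities suffices, which also helps anyone writing a minimal capability set for a transparent-proxy service.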