Using NFQUEUE from userspace with seteuid

Hello,

I wrote a daemon to do packet filtering using libnetfilter-queue.

It works well except that I ran into problems trying to run it
seteuid/setegid to an unprivileged user.

Setup and teardown proceeds as root but when I try running the main loop
seteuid/setegid to a regular user (just processing IP addresses and
calling nfq_set_verdict really) everything slows to a crawl. I don't get
any software errors (packets are apparently received and accepted/denied
as usual) but all my connections time out or error out (not sure which
yet). Like I said, works fine as root.

I'm at a loss to explain this because as far as I can tell the
underlying netlink socket mechanism should not depend on root
privileges to send messages. It's strange enough that there's a
significant slowdown but no hard errors (and by that I mean
nfq_set_verdict returning a negative value).

Can anyone at least please confirm that it should work fine and it is
worth investigating or else just forget it and run the whole thing as
root?

Any comments would be greatly appreciated.

João

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
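As an added example (not part of the post above or of libnetfilter_queue): the kernel checks CAP_NET_ADMIN on the process that sends nfnetlink messages, verdicts included, and a plain seteuid() to a non-root user discards that capability. The routine below drops to an unprivileged uid/gid while keeping only CAP_NET_ADMIN, using raw capset(2) so no libcap is needed; the uid/gid and capability are whatever the caller passes in.

```c
/* Added example: switch a netfilter daemon to an unprivileged uid/gid
 * while keeping CAP_NET_ADMIN, which the kernel requires of the process
 * sending nfnetlink messages such as NFQUEUE verdicts.  Linux-only. */
#define _GNU_SOURCE
#include <grp.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Low/high 32-bit words of a capability set holding one capability. */
struct capmask { uint32_t lo, hi; };

struct capmask cap_bit(int cap)
{
    struct capmask m = { 0, 0 };
    if (cap < 32) m.lo = 1u << cap;
    else          m.hi = 1u << (cap - 32);
    return m;
}

/* Change to uid/gid but keep exactly one capability permitted+effective.
 * Must be called while still root.  Returns 0 on success, -1 with errno
 * set on failure. */
int drop_privs_keep_cap(uid_t uid, gid_t gid, int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = { { 0 } };
    struct capmask m = cap_bit(cap);

    /* Leaving uid 0 normally clears the permitted set; ask to keep it. */
    if (prctl(PR_SET_KEEPCAPS, 1L, 0L, 0L, 0L) < 0)
        return -1;
    if (setgroups(0, NULL) < 0 || setresgid(gid, gid, gid) < 0 ||
        setresuid(uid, uid, uid) < 0)
        return -1;
    /* The effective set was cleared by the uid change; re-enable only
     * the one capability and shrink permitted down to match it. */
    data[0].permitted = data[0].effective = m.lo;
    data[1].permitted = data[1].effective = m.hi;
    if (syscall(SYS_capset, &hdr, data) < 0)
        return -1;
    return prctl(PR_SET_KEEPCAPS, 0L, 0L, 0L, 0L);
}
```

Call `drop_privs_keep_cap(uid, gid, CAP_NET_ADMIN)` after nfq_open()/nfq_bind_pf() and before entering the verdict loop; a call made when not root fails with EPERM.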
