[asterisk-users] asterisk-users Digest, Vol 48, Issue 56

Bill Michaelson bill at cosi.com
Sat Jul 19 12:19:32 CDT 2008




> Message: 1
> Date: Fri, 18 Jul 2008 20:35:47 -0700
> From: Dave Platt <dplatt at radagast.org>

> I'm preparing for a client install of * by doing a fresh one in-house.  
> Unlike my earlier installation that runs asterisk as superuser, my 
> current experimental box runs without such privilege.  This is causing 
> it to moan that it can't set TOS.  I absolutely don't want to install it 
> on the client LAN without this capability.  If need be, I'll set the 
> binary to run setuid root.
>
> But I'm looking for something more elegant.  While googling, I found a 
> suggestion to use iptables mangle rules to set TOS for all packets going 
> out of the box on ports like 5060 and 10000:20000.  Not a bad hack, but 
> indiscriminate and this box will be handling other traffic besides the 
> RTP.  I'd like to do better.
>   
>
> It is possible for an iptables filter/rule to match packets in the
> OUTPUT chain based on the UID or GID of the process which created
> them, if you have the "owner" module loaded.  You should be able to
> add a rule to the OUTPUT chain of the mangle table which will set the
> TOS properly for any and all outbound packets generated locally by the
> non-root user ID which you're using to run Asterisk.
>   
I've used LARTC and I'm aware of the capability, but keying on UID did 
not occur to me. Thank you - it's a good solution.
> Come to think of it, I think I need to do this myself.  I'm using the
> "ultimate Linux traffic conditioning" configuration (modified very
> slightly) to prioritize my system's outbound traffic into multiple
> queues by TOS, and it's probably mis-queueing the RTP traffic because
> my Debian install of Asterisk is running under a non-root UID.
>   
Glad to be of assistance.
>   
>> I thought of using POSIX access control to enable asterisk to do TOS 
>> setting without being root (would this be CAP_NET_RAW?), which sounds 
>> perfect, but so far I'm operating with stock ubuntu hardy, and I would 
>> like to avoid a kernel build to add this capability.
>>
>> Any other ideas?
>>     
>
> Seems like "iptables -t mangle -A OUTPUT -m owner --uid-owner $ASTERISK"
> would be along the lines of what you want?  Mark the packets with the
> TOS you want... and then consider using the Linux traffic-shaping
> system to make sure that they really do get transmitted ahead of
> non-urgent packets:
>   
Traffic-shaping in the box would probably be overkill for my purpose 
because the nature of the routing in this box will limit the contention 
from this source. I think I just need to have the packets treated well 
once they hit the local network. But this is also a worthwhile 
consideration, and probably useful in other circumstances. Again, thanks 
for the reply - it's right on target and solves my problem nicely.
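The owner-match rule Dave suggests above, worked into a small script. This is an added example, not code from the thread or from Asterisk; the values it assumes (the service account `asterisk`, SIP on UDP 5060, RTP on UDP 10000:20000, DSCP EF for media and CS3 for signalling) are assumptions and are set as overridable variables. It uses the `DSCP` target rather than the older `TOS` target because `DSCP` accepts any class name; both write the same upper six bits of the IP TOS byte (EF is 0xb8 as a TOS value).

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): mark Asterisk's locally
# generated SIP and RTP packets by the UID of the process that created them,
# using the iptables "owner" match in the mangle table's OUTPUT chain.
# Assumed values, override via the environment if yours differ:
ASTERISK_USER="${ASTERISK_USER:-asterisk}"   # non-root account Asterisk runs as
SIP_PORT="${SIP_PORT:-5060}"                 # SIP signalling, UDP
RTP_PORTS="${RTP_PORTS:-10000:20000}"        # RTP media range, UDP
RTP_CLASS="EF"    # DSCP 46, TOS byte 0xb8: expedited forwarding for media
SIP_CLASS="CS3"   # DSCP 24, TOS byte 0x60: signalling

# Emit one iptables command per line. Keying on --uid-owner means only packets
# whose originating socket belongs to the given user are touched: other local
# processes using the same ports are left alone, and forwarded traffic never
# traverses the OUTPUT chain at all, so it cannot match here.
tos_rules() {
    user="$1"
    printf '%s\n' \
      "iptables -t mangle -A OUTPUT -m owner --uid-owner $user -p udp --dport $SIP_PORT -j DSCP --set-dscp-class $SIP_CLASS" \
      "iptables -t mangle -A OUTPUT -m owner --uid-owner $user -p udp --dport $RTP_PORTS -j DSCP --set-dscp-class $RTP_CLASS"
}

# Number of rules tos_rules would install for a user (two: SIP and RTP).
rule_count() {
    tos_rules "$1" | wc -l | tr -d ' '
}

# Install the rules (needs root), then list the chain with packet counters.
# During a test call the counters on these two rules should increase; if they
# stay at zero, the UID or the ports do not match what Asterisk actually uses.
apply_rules() {
    tos_rules "$ASTERISK_USER" | sh -e
    iptables -t mangle -L OUTPUT -v -n --line-numbers
}

# Only touch the firewall when explicitly asked; running the file with no
# argument just defines the functions.
case "${1-}" in
    apply) apply_rules ;;
    show)  tos_rules "$ASTERISK_USER" ;;
esac
```

Run with `show` to print the rules, `apply` as root to install them. The owner match covers IPv4 via `iptables`; an IPv6-enabled Asterisk would need the same rules in `ip6tables`. Because the match is on the socket owner rather than the port, a sanity check is to confirm that the counters on these rules move only while a call is in progress and that packets from other users on port 5060 leave with an unchanged DSCP.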
