<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=us-ascii" http-equiv="Content-Type">
</head>
<body bgcolor="#ffff99" text="#000000">
<br>
<br>
<br>
<blockquote
cite="mid:mailman.19.1216486810.31765.asterisk-users@lists.digium.com"
type="cite">
<pre wrap="">Message: 1
Date: Fri, 18 Jul 2008 20:35:47 -0700
From: Dave Platt <a class="moz-txt-link-rfc2396E" href="mailto:dplatt@radagast.org">&lt;dplatt@radagast.org&gt;</a></pre>
</blockquote>
<br>
<blockquote
cite="mid:mailman.19.1216486810.31765.asterisk-users@lists.digium.com"
type="cite">
<pre wrap="">I'm preparing for a client install of * by doing a fresh one in-house.
Unlike my earlier installation that runs asterisk as superuser, my
current experimental box runs without such privilege. This is causing
it to moan that it can't set TOS. I absolutely don't want to install it
on the client LAN without this capability. If need be, I'll set the
binary to run setuid root.
But I'm looking for something more elegant. While googling, I found a
suggestion to use iptables mangle rules to set TOS for all packets going
out of the box on ports like 5060 and 10000:20000. Not a bad hack, but
indiscriminate and this box will be handling other traffic besides the
RTP. I'd like to do better.
</pre>
<pre wrap=""><!---->
It is possible for an iptables filter/rule to match packets in the
OUTPUT chain based on the UID or GID of the process which created
them, if you have the "owner" module loaded. You should be able to
add a rule to the OUTPUT chain of the mangle table which will set the
TOS properly for any and all outbound packets generated locally by the
non-root user ID which you're using to run Asterisk.
</pre>
</blockquote>
I've used LARTC and I'm aware of the capability, but keying on UID did
not occur to me. Thank you - it's a good solution.<br>
<blockquote
cite="mid:mailman.19.1216486810.31765.asterisk-users@lists.digium.com"
type="cite">
<pre wrap="">
Come to think of it, I think I need to do this myself. I'm using the
"ultimate Linux traffic conditioning" configuration (modified very
slightly) to prioritize my system's outbound traffic into multiple
queues by TOS, and it's probably mis-queueing the RTP traffic because
my Debian install of Asterisk is running under a non-root UID.
</pre>
</blockquote>
Glad to be of assistance.<br>
<blockquote
cite="mid:mailman.19.1216486810.31765.asterisk-users@lists.digium.com"
type="cite">
<pre wrap="">
</pre>
<blockquote type="cite">
<pre wrap="">I thought of using POSIX access control to enable asterisk to do TOS
setting without being root (would this be CAP_NET_RAW?), which sounds
perfect, but so far I'm operating with stock Ubuntu Hardy, and I would
like to avoid a kernel build to add this capability.
Any other ideas?
</pre>
</blockquote>
<pre wrap=""><!---->
Seems like "iptables -t mangle -A OUTPUT -m owner --uid-owner $ASTERISK"
would be along the lines of what you want? Mark the packets with the
TOS you want... and then consider using the Linux traffic-shaping
system to make sure that they really do get transmitted ahead of
non-urgent packets:
</pre>
</blockquote>
Traffic-shaping in the box would probably be overkill for my purpose
because the nature of the routing in this box will limit the contention
from this source. I think I just need to have the packets treated well
once they hit the local network. But this is also a worthwhile
consideration, and probably useful in other circumstances. Again,
thanks for the reply - it's right on target and solves my problem
nicely.<br>
<br>
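The owner-match approach from the thread, written out as an added example (not code from either poster or from the Asterisk project): it marks only UDP packets created by one unprivileged account, so the daemon needs neither root nor a setuid binary. The source ports 5060 and 10000:20000, the DSCP classes CS3/EF, and the use of the DSCP target (which writes the upper six bits of the TOS byte) are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): DSCP-mark only the packets created by
# one unprivileged service account, via the owner match in mangle/OUTPUT.
# Assumed values: source ports 5060 (SIP) and 10000:20000 (RTP), classes CS3/EF.

# Print one rule spec per line (chain + matches + target) for a numeric UID.
tos_rule_specs() {
    spec_uid=$1
    case $spec_uid in
        ''|*[!0-9]*) echo "invalid uid: $spec_uid" >&2; return 2 ;;
    esac
    # Refuse UID 0: that would re-mark traffic from every root-owned process.
    if [ "$spec_uid" -eq 0 ]; then
        echo "refusing to match uid 0" >&2
        return 2
    fi
    m="OUTPUT -m owner --uid-owner $spec_uid -p udp"
    echo "$m --sport 5060 -j DSCP --set-dscp-class CS3"
    echo "$m --sport 10000:20000 -j DSCP --set-dscp-class EF"
}

# Resolve an account name to its UID, then print the commands (default) or,
# with mode "apply" and root privileges, install them without duplicates.
apply_tos_rules() {
    acct=$1
    mode=${2:-dry-run}
    acct_uid=$(id -u "$acct") || return 1
    specs=$(tos_rule_specs "$acct_uid") || return 2
    printf '%s\n' "$specs" | while read -r spec; do
        if [ "$mode" = apply ]; then
            # $spec is deliberately unquoted so it splits into arguments.
            # -C tests for an identical rule, so re-runs do not stack copies.
            iptables -t mangle -C $spec 2>/dev/null ||
                iptables -t mangle -A $spec
        else
            echo "iptables -t mangle -A $spec"
        fi
    done
}

# Usage: sh tos-by-owner.sh asterisk          (print rules)
#        sh tos-by-owner.sh asterisk apply    (install, as root)
if [ $# -gt 0 ]; then
    apply_tos_rules "$@"
fi
```

Review the dry-run output before applying it, and confirm with `iptables -t mangle -L OUTPUT -v -n` that the packet counters on both rules increase during a test call.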
</body>
</html>