From 905ac95ca1efa5935edcd600e1332ebc756620a3 Mon Sep 17 00:00:00 2001
From: yrutschle
Date: Sat, 8 May 2021 07:44:39 +0200
Subject: [PATCH] do not drop CAP_NET_ADMIN if any of the protocols require transparent proxying
---
 common.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/common.c b/common.c
index 6f5fd56..3698f86 100644
--- a/common.c
+++ b/common.c
@@ -785,6 +785,21 @@ void set_keepcaps(int val) {
 #endif
 }
+/* Returns true if anything requires transparent proxying. */
+#ifdef LIBCAP
+static int use_transparent(void)
+{
+ if (cfg.transparent)
+ return 1;
+
+ for (int i = 0; i < cfg.protocols_len; i++)
+ if (cfg.protocols[i].transparent)
+ return 1;
+
+ return 0;
+}
+#endif
+
 /* set needed capabilities for effective and permitted, clear rest */
 void set_capabilities(void) {
 #ifdef LIBCAP
@@ -793,7 +808,7 @@ void set_capabilities(void) {
 cap_value_t cap_list[10];
 int ncap = 0;
- if (cfg.transparent)
+ if (use_transparent())
 cap_list[ncap++] = CAP_NET_ADMIN;
 caps = cap_init();
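Review bot: The `for` loop in use_transparent() nests an `if` and a `return` without braces, and this function now decides whether the process keeps CAP_NET_ADMIN, so a later edit that adds a statement at the wrong level would silently change the retained privileges. I would brace it, `for (int i = 0; i < cfg.protocols_len; i++) { if (cfg.protocols[i].transparent) return 1; }`, and move the leading comment inside the `#ifdef LIBCAP` so it does not dangle in builds without libcap. The type of `cfg.protocols_len` is not visible in this hunk; if it is unsigned, `int i` makes the loop condition a signed/unsigned comparison.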
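Review bot: At `if (use_transparent())`, a single protocol entry marked transparent is now enough to keep CAP_NET_ADMIN in the process's effective and permitted sets, and nothing at the call site records that. CAP_NET_ADMIN covers much more than transparent sockets (interface, routing and firewall configuration), so any flaw in the process after the privilege drop inherits all of it. I would add a comment above the test such as `/* kept for the whole process as soon as one protocol is transparent; presumably needed for the transparent socket option */`, and consider logging when the capability is retained so operators can audit it. set_capabilities() continues past the end of the hunk, so how `cap_list` is applied and whether `cap_init()` is checked cannot be judged from here.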