From a163c63787f569931f36ac9201ffbdf9be210227 Mon Sep 17 00:00:00 2001
From: Simon Kelley
Date: Thu, 5 Aug 2021 23:40:04 +0100
Subject: [PATCH] CONNTRACK needs CAP_NET_ADMIN.

---
 CHANGELOG | 4 ++++
 src/dnsmasq.c | 9 +++++++--
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 0e5d05d..4016ab0 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -82,6 +82,10 @@ version 2.86
 Make domains generated by --synth-domain appear in replies when in authoritative mode.
+ Ensure CAP_NET_ADMIN capability is available when
+ conntrack is configured. Thanks to Yick Xie for spotting
+ the lack of this.
+
 version 2.85
 Fix problem with DNS retries in 2.83/2.84.
diff --git a/src/dnsmasq.c b/src/dnsmasq.c
index 4483bd5..f389871 100644
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
@@ -212,8 +212,13 @@ int main (int argc, char **argv)
 #endif
 #ifdef HAVE_CONNTRACK
- if (option_bool(OPT_CONNTRACK) && (daemon->query_port != 0 || daemon->osport))
- die (_("cannot use --conntrack AND --query-port"), NULL, EC_BADCONF);
+ if (option_bool(OPT_CONNTRACK))
+ {
+ if (daemon->query_port != 0 || daemon->osport)
+ die (_("cannot use --conntrack AND --query-port"), NULL, EC_BADCONF);
+
+ need_cap_net_admin = 1;
+ }
 #else
 if (option_bool(OPT_CONNTRACK))
 die(_("conntrack support not available: set HAVE_CONNTRACK in src/config.h"), NULL, EC_BADCONF);
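Review bot: The added `need_cap_net_admin = 1;` is guarded only by `#ifdef HAVE_CONNTRACK`, while the variable's declaration is not in the hunk; if that declaration lives under a different build guard (the Linux-networking one, presumably, since the flag is about Linux capabilities), a configuration that defines HAVE_CONNTRACK without it would fail to compile, so it is worth confirming that HAVE_CONNTRACK implies that guard or adding the same guard here. The new block also carries no explanation of why the flag is set, and since it is presumably consumed later when the capability set kept across the privilege drop is built, a reader of this line cannot tell that from the code; add `/* conntrack lookups need CAP_NET_ADMIN: make sure it survives the drop to the unprivileged user. */` above the assignment. Because keeping CAP_NET_ADMIN after dropping root is a meaningful widening of what the daemon retains, the --conntrack option documentation should state that the capability is kept whenever the option is configured. The enclosing main() begins and ends outside the hunk.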