On 12/16/25 13:15, Uwe Kleine-König wrote:
> Package: unbound
> Version: 1.22.0-2+deb13u1
> Severity: normal
> X-Debbugs-Cc: [email protected]
>
> Hello,
>
> when enabling ip-transparent, unbound emits a warning
>
>     unbound[1327:0] warning: setsockopt(.. IP_TRANSPARENT ..) failed: Operation not permitted
>
> (and doesn't use the socket option). This is fixed by doing:
>
>     echo capability net_admin, > /etc/apparmor.d/local/usr.sbin.unbound
>
> Would be nice if that would work with the default apparmor profile, or at least be documented.
Documented - probably yes, though it should be easy to spot, I guess. Default - definitely not, this is an extra permission which should not be enabled by default.
> (I need ip-transparent because unbound is started before networkd configured the network interface that unbound should serve.)
You can configure a systemd override with

    [Unit]
    Requires=systemd-networkd-wait-online@ETH:no-carrier.service
    After=systemd-networkd-wait-online@ETH:no-carrier.service

for that, where "ETH" is your network interface name. This way, it won't be necessary to enable ip-transparent.

FWIW,

/mjt

