Use nix crate instead of interacting with libc directly, drop privileges

src/main.rs

@@ -1,8 +1,10 @@
 use clap::Parser;
 use env_logger::Env;
+
 use std::net::IpAddr;
 use std::process::ExitCode;
 
+use tun2proxy::error::Error;
 use tun2proxy::setup::{get_default_cidrs, Setup};
 use tun2proxy::Options;
 use tun2proxy::{main_entry, Proxy};
@@ -63,27 +65,32 @@ fn main() -> ExitCode {
         options = options.with_virtual_dns();
     }
 
-    let mut setup: Setup;
-    if args.setup == Some(ArgSetup::Auto) {
-        let bypass_tun_ip = match args.setup_ip {
-            Some(addr) => addr,
-            None => args.proxy.addr.ip(),
-        };
-        setup = Setup::new(
-            &args.tun,
-            &bypass_tun_ip,
-            get_default_cidrs(),
-            args.setup_ip.is_some(),
-        );
-        if let Err(e) = setup.setup() {
-            log::error!("{e}");
-            return ExitCode::FAILURE;
-        }
-    }
+    if let Err(e) = (|| -> Result<(), Error> {
+        let mut setup: Setup;
+        if args.setup == Some(ArgSetup::Auto) {
+            let bypass_tun_ip = match args.setup_ip {
+                Some(addr) => addr,
+                None => args.proxy.addr.ip(),
+            };
+            setup = Setup::new(
+                &args.tun,
+                &bypass_tun_ip,
+                get_default_cidrs(),
+                args.setup_ip.is_some(),
+            );
 
-    if let Err(e) = main_entry(&args.tun, args.proxy, options) {
+            setup.configure()?;
+
+            setup.drop_privileges()?;
+        }
+
+        main_entry(&args.tun, &args.proxy, options)?;
+
+        Ok(())
+    })() {
         log::error!("{e}");
-        return ExitCode::FAILURE;
-    }
+        std::process::exit(1);
+    };
+
     ExitCode::SUCCESS
 }