bgpd: justify capabilities for TOS setting

To set the TOS bits on TCP connections, platforms that restrict
capabilities need the priv level to be raised before the sockopt
is set, and this requires the ZCAP_NET_ADMIN priv.

* bgp_main.c: update _caps_p to include ZCAP_NET_ADMIN
* bgp_network.c
  * bgp_connect(): request ZPRIVS_RAISE/ZPRIVS_LOWER
  * bgp_listener(): request ZPRIVS_RAISE earlier
diff --git a/bgpd/bgp_main.c b/bgpd/bgp_main.c
index 1a460c6..0e85d57 100644
--- a/bgpd/bgp_main.c
+++ b/bgpd/bgp_main.c
@@ -119,6 +119,7 @@
 {
     ZCAP_BIND, 
     ZCAP_NET_RAW,
+    ZCAP_NET_ADMIN,
 };
 
 struct zebra_privs_t bgpd_privs =
diff --git a/bgpd/bgp_network.c b/bgpd/bgp_network.c
index c8ff87a..52c72b6 100644
--- a/bgpd/bgp_network.c
+++ b/bgpd/bgp_network.c
@@ -328,12 +328,16 @@
   sockopt_reuseport (peer->fd);
   
 #ifdef IPTOS_PREC_INTERNETCONTROL
+  if (bgpd_privs.change (ZPRIVS_RAISE))
+    zlog_err ("%s: could not raise privs", __func__);
   if (sockunion_family (&peer->su) == AF_INET)
     setsockopt_ipv4_tos (peer->fd, IPTOS_PREC_INTERNETCONTROL);
 # ifdef HAVE_IPV6
   else if (sockunion_family (&peer->su) == AF_INET6)
     setsockopt_ipv6_tclass (peer->fd, IPTOS_PREC_INTERNETCONTROL);
 # endif
+  if (bgpd_privs.change (ZPRIVS_LOWER))
+    zlog_err ("%s: could not lower privs", __func__);
 #endif
 
   if (peer->password)
@@ -390,6 +394,9 @@
   sockopt_reuseaddr (sock);
   sockopt_reuseport (sock);
 
+  if (bgpd_privs.change (ZPRIVS_RAISE))
+    zlog_err ("%s: could not raise privs", __func__);
+
 #ifdef IPTOS_PREC_INTERNETCONTROL
   if (sa->sa_family == AF_INET)
     setsockopt_ipv4_tos (sock, IPTOS_PREC_INTERNETCONTROL);
@@ -408,13 +415,10 @@
   }
 #endif
 
-  if (bgpd_privs.change (ZPRIVS_RAISE) )
-    zlog_err ("bgp_socket: could not raise privs");
-
   ret = bind (sock, sa, salen);
   en = errno;
-  if (bgpd_privs.change (ZPRIVS_LOWER) )
-    zlog_err ("bgp_bind_address: could not lower privs");
+  if (bgpd_privs.change (ZPRIVS_LOWER))
+    zlog_err ("%s: could not lower privs", __func__);
 
   if (ret < 0)
     {