Page MenuHomeFreeBSD

dns/dnscrypt-proxy2: Add mac_portacl option in rc script
ClosedPublic

Authored by dbaio on Apr 21 2018, 2:24 PM.

Details

Summary
dns/dnscrypt-proxy2: Add mac_portacl option in rc script

Version 2 of dnscrypt-proxy is written in Go and therefore isn't capable
of dropping privileges after binding to a low port on FreeBSD.

By default, this port's daemon will listen on port 5353 (TCP/UDP).

With this option it's possible to bind it and listen on port 53 (TCP/UDP)
with mac_portacl(4) kernel module (network port access control policy).
For this add dnscrypt_proxy_mac_portacl_enable=YES in your rc.conf.
The dnscrypt-proxy startup script will load mac_portacl and add a rule
where %%USER%% user will be able to bind on port 53 (TCP/UDP). This port
can be changed by dnscrypt_proxy_mac_portacl_port variable in your rc.conf.
You also need to change dnscrypt-proxy config file to use port 53.

Suggested by:	feld
Approved by:	
Reviewed by:	
Differential Revision:	https://reviews.freebsd.org/D15151

Diff Detail

Repository
rP FreeBSD ports repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

dbaio edited the summary of this revision. (Show Details)

this revision was planned by @dbaio and me on IRC;
when it comes to maintainer approval, I give it thumbs up.

just a quick question regarding the module loading, and it should be good to land.

thank you very much @dbaio and @feld !

KR,

dns/dnscrypt-proxy2/files/dnscrypt-proxy.in
58 ↗(On Diff #41708)

should we use required_modules here?

#       required_modules n      If set, ensure the given kernel modules are
#                               loaded before running a (re)start command.
#                               The check and possible loads are actually
#                               done after start_precmd so that the modules
#                               aren't loaded in vain, should the precmd
#                               return a non-zero status to indicate a error.
#                               If a word in the list looks like "foo:bar",
#                               "foo" is the KLD file name and "bar" is the
#                               module name.  If a word looks like "foo~bar",
#                               "foo" is the KLD file name and "bar" is a
#                               egrep(1) pattern matching the module name.
#                               Otherwise the module name is assumed to be
#                               the same as the KLD file name, which is most
#                               common.  See load_kld().
dns/dnscrypt-proxy2/files/dnscrypt-proxy.in
58 ↗(On Diff #41708)

We need to load it here, otherwise we won't be able to insert sysctl security.mac.portacl.rules rules in this function.

OK

dns/dnscrypt-proxy2/files/dnscrypt-proxy.in
58 ↗(On Diff #41708)

you are right!

if we don't, than it should also have a new startcmd(), and we do not need/want that!

nice one, @dbaio. tyvm!

This revision was not accepted when it landed; it landed in state Needs Review.Apr 24 2018, 1:07 AM
This revision was automatically updated to reflect the committed changes.