
dns/dnscrypt-proxy2: Add mac_portacl option in rc script
ClosedPublic

Authored by dbaio on Apr 21 2018, 2:24 PM.

Details

Summary
dns/dnscrypt-proxy2: Add mac_portacl option in rc script

Version 2 of dnscrypt-proxy is written in Go and therefore isn't capable
of dropping privileges after binding to a low port on FreeBSD.

By default, this port's daemon will listen on port 5353 (TCP/UDP).

With this option it's possible to bind it and listen on port 53 (TCP/UDP)
with mac_portacl(4) kernel module (network port access control policy).
For this add dnscrypt_proxy_mac_portacl_enable=YES in your rc.conf.
The dnscrypt-proxy startup script will load mac_portacl and add a rule
where %%USER%% user will be able to bind on port 53 (TCP/UDP). This port
can be changed by dnscrypt_proxy_mac_portacl_port variable in your rc.conf.
You also need to change dnscrypt-proxy config file to use port 53.

Suggested by:	feld
Approved by:	
Reviewed by:	
Differential Revision:	https://reviews.freebsd.org/D15151

Diff Detail

Repository
rP FreeBSD ports repository

Event Timeline

dbaio edited the summary of this revision.

this revision was planned by @dbaio and me on IRC;
when it comes to maintainer approval, I give it thumbs up.

just a quick question regarding the module loading, and it should be good to land.

thank you very much @dbaio and @feld !

KR,

dns/dnscrypt-proxy2/files/dnscrypt-proxy.in, line 58 (On Diff #41708)

should we use required_modules here?

#       required_modules n      If set, ensure the given kernel modules are
#                               loaded before running a (re)start command.
#                               The check and possible loads are actually
#                               done after start_precmd so that the modules
#                               aren't loaded in vain, should the precmd
#                               return a non-zero status to indicate a error.
#                               If a word in the list looks like "foo:bar",
#                               "foo" is the KLD file name and "bar" is the
#                               module name.  If a word looks like "foo~bar",
#                               "foo" is the KLD file name and "bar" is a
#                               egrep(1) pattern matching the module name.
#                               Otherwise the module name is assumed to be
#                               the same as the KLD file name, which is most
#                               common.  See load_kld().
dns/dnscrypt-proxy2/files/dnscrypt-proxy.in, line 58 (On Diff #41708)

We need to load it here, otherwise we won't be able to insert sysctl security.mac.portacl.rules rules in this function.

OK

dns/dnscrypt-proxy2/files/dnscrypt-proxy.in, line 58 (On Diff #41708)

you are right!

if we don't, then it should also have a new startcmd(), and we do not need/want that!

nice one, @dbaio. tyvm!

This revision was not accepted when it landed; it landed in state Needs Review. Apr 24 2018, 1:07 AM
This revision was automatically updated to reflect the committed changes.
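The following is an added illustration, not the port's own rc script, of the mechanism described in the summary and settled in the required_modules exchange above: a start_precmd-style hook that loads mac_portacl(4), hands control of the low port range to the policy, and installs a rule letting one uid bind the configured port over TCP and UDP only. The variable dnscrypt_proxy_mac_portacl_port is from the page; dnscrypt_proxy_user (standing in for the port's %%USER%% substitution), its default value, and the helper names are assumptions. The hook stays a function so the block runs anywhere; only the pure rule-building helpers are exercised at top level.

```shell
#!/bin/sh
# Added example (not the port's rc script): wiring mac_portacl(4) into an
# rc.d(8) start_precmd for a daemon that cannot drop privileges itself.
# Assumed names: dnscrypt_proxy_user (the port's %%USER%% substitution),
# is_valid_port, portacl_rules_for. dnscrypt_proxy_mac_portacl_port is the
# rc.conf variable named in the review summary; 53 is its documented default.

: "${dnscrypt_proxy_user:=_dnscrypt-proxy}"      # assumed default user name
: "${dnscrypt_proxy_mac_portacl_port:=53}"

# Accept only an integer in 1..65535; reject empty or non-numeric values so a
# typo in rc.conf cannot produce a malformed (and silently rejected) rule.
is_valid_port() {
	case $1 in
		''|*[!0-9]*) return 1 ;;
	esac
	[ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build the security.mac.portacl.rules value: one "uid:ID:proto:PORT" entry
# per protocol, comma-separated. The rule is scoped to a single uid and a
# single port, so no other unprivileged user gains low-port binds.
portacl_rules_for() {
	printf 'uid:%s:tcp:%s,uid:%s:udp:%s' "$1" "$2" "$1" "$2"
}

# The start_precmd hook. required_modules would not do here: rc.subr(8) loads
# those only after start_precmd has run, and the sysctl below needs the
# module to be present already (the point made in the review thread).
dnscrypt_proxy_mac_portacl_start() {
	port=$dnscrypt_proxy_mac_portacl_port
	if ! is_valid_port "$port"; then
		echo "dnscrypt_proxy_mac_portacl_port=$port is not a valid port" >&2
		return 1
	fi
	uid=$(id -u "$dnscrypt_proxy_user") || return 1

	# Load the policy module unless it is already in the kernel.
	kldstat -q -m mac_portacl || kldload mac_portacl || return 1

	# Let mac_portacl, not the generic reserved-port check, decide who may
	# bind below 1024 (the setup documented in the FreeBSD Handbook's MAC
	# chapter). Binds in that range by uids without a rule are still denied.
	sysctl net.inet.ip.portrange.reservedlow=0 >/dev/null || return 1
	sysctl net.inet.ip.portrange.reservedhigh=0 >/dev/null || return 1
	sysctl security.mac.portacl.port_high=1023 >/dev/null || return 1

	# Install the rule for this uid and port only.
	sysctl security.mac.portacl.rules="$(portacl_rules_for "$uid" "$port")" >/dev/null
}

# Stand-alone demonstration with no kernel interaction: print the rule string
# that would be installed for a constructed uid (5353) and the default port.
portacl_rules_for 5353 "$dnscrypt_proxy_mac_portacl_port"
echo
```

Because the rule names a uid rather than a user name, the hook resolves the name with id(1) at start time; if the account is missing the start fails before any sysctl is touched, which is the failure mode an operator would want surfaced rather than a daemon silently left on port 5353.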