dns/dnscrypt-proxy2: Add mac_portacl option in rc script

Version 2 of dnscrypt-proxy is written in Go and therefore isn't capable of dropping privileges after binding to a low port on FreeBSD. By default, this port's daemon will listen on port 5353 (TCP/UDP). With this option it's possible to bind it and listen on port 53 (TCP/UDP) with the mac_portacl(4) kernel module (network port access control policy).

For this, add dnscrypt_proxy_mac_portacl_enable=YES in your rc.conf. The dnscrypt-proxy startup script will load mac_portacl and add a rule where the %%USER%% user will be able to bind on port 53 (TCP/UDP). This port can be changed by the dnscrypt_proxy_mac_portacl_port variable in your rc.conf. You also need to change the dnscrypt-proxy config file to use port 53.

Suggested by: feld
Approved by:
Reviewed by:
Differential Revision: https://reviews.freebsd.org/D15151
Repository: rP FreeBSD ports repository. Lint: No Lint Coverage. Unit: No Test Coverage. Build Status: Buildable 16245, Build 16195: arc lint + arc unit.
Inline comment on dns/dnscrypt-proxy2/files/dnscrypt-proxy.in, line 58:

should we use required_modules here?

    # required_modules n   If set, ensure the given kernel modules are
    #                      loaded before running a (re)start command.
    #                      The check and possible loads are actually
    #                      done after start_precmd so that the modules
    #                      aren't loaded in vain, should the precmd
    #                      return a non-zero status to indicate a error.
    #                      If a word in the list looks like "foo:bar",
    #                      "foo" is the KLD file name and "bar" is the
    #                      module name.  If a word looks like "foo~bar",
    #                      "foo" is the KLD file name and "bar" is a
    #                      egrep(1) pattern matching the module name.
    #                      Otherwise the module name is assumed to be
    #                      the same as the KLD file name, which is most
    #                      common.  See load_kld().
Inline comment on dns/dnscrypt-proxy2/files/dnscrypt-proxy.in, line 58:

We need to load it here, otherwise we won't be able to insert sysctl security.mac.portacl.rules rules in this function.
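The procedure the commit message and this second inline comment describe, as an added shell example that is not the port's own rc script: load mac_portacl before touching any security.mac.portacl sysctl (the tree does not exist until the module is loaded), build a uid:UID:PROTO:PORT rule string for the daemon user, set it, and then read it back to confirm it landed. The function names, the illustrative uid 953 and the decision to lower net.inet.ip.portrange.reservedhigh to one below the port are assumptions of this example; the rc.conf variable names are the ones from the commit message.

```shell
# Added example (not the port's rc script): build, check and apply a
# mac_portacl(4) rule set that lets an unprivileged daemon user bind a
# reserved port such as 53. Function names and uid 953 are assumptions.
#
# rc.conf settings from the commit message that this models:
#   dnscrypt_proxy_mac_portacl_enable="YES"
#   dnscrypt_proxy_mac_portacl_port="53"

# Build the value for security.mac.portacl.rules: one uid rule per
# protocol for each port, comma-separated (uid:<uid>:<tcp|udp>:<port>).
# Usage: portacl_rules <uid> <port> [<port> ...]
portacl_rules() {
    _uid=$1; shift
    _rules=""
    for _port in "$@"; do
        _rules="${_rules:+${_rules},}uid:${_uid}:tcp:${_port},uid:${_uid}:udp:${_port}"
    done
    printf '%s\n' "$_rules"
}

# Return 0 if <rules> already grants <uid> the <proto>/<port> bind, else 1.
# Delimiting with commas keeps "tcp:53" from matching "tcp:530".
# Usage: portacl_rule_present <rules> <uid> <proto> <port>
portacl_rule_present() {
    case ",$1," in
        *",uid:$2:$3:$4,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Apply on FreeBSD (needs root). The module must be loaded before the
# sysctl is set, which is the point of the inline comment above.
# reservedhigh is lowered to one below the port so the kernel's generic
# reserved-port check stops blocking the bind and mac_portacl becomes
# the deciding policy (assumed choice for this example).
# Usage: portacl_apply <uid> <port>
portacl_apply() {
    _uid=$1; _port=$2
    if ! kldstat -q -m mac_portacl; then
        kldload mac_portacl || return 1
    fi
    _rules=$(portacl_rules "$_uid" "$_port")
    sysctl security.mac.portacl.rules="$_rules" >/dev/null || return 1
    sysctl net.inet.ip.portrange.reservedhigh=$((_port - 1)) >/dev/null || return 1
    # Read the live value back and confirm both protocol rules are present.
    _live=$(sysctl -n security.mac.portacl.rules)
    portacl_rule_present "$_live" "$_uid" tcp "$_port" &&
        portacl_rule_present "$_live" "$_uid" udp "$_port"
}
```

portacl_apply replaces any rules already in security.mac.portacl.rules rather than appending, so a host that grants other users low ports through mac_portacl should merge its existing value into the string first. The daemon's own config still has to be switched from 5353 to 53, as the commit message notes; mac_portacl only permits the bind, it does not change what the daemon asks for.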