mirror of
https://git.freebsd.org/ports.git
synced 2025-05-07 03:16:44 -04:00
103 lines
3 KiB
Bash
103 lines
3 KiB
Bash
#!/bin/sh
|
|
|
|
# PROVIDE: dnscrypt_proxy
|
|
# REQUIRE: cleanvar SERVERS
|
|
# BEFORE: dnsmasq local_unbound named nsmasq pdns unbound
|
|
#
|
|
# Options to configure dnscrypt-proxy via /etc/rc.conf:
|
|
#
|
|
# dnscrypt_proxy_enable (bool) Enable service on boot
|
|
# Default: NO
|
|
#
|
|
# dnscrypt_proxy_conf (str) Config file to use
|
|
# Default: %%ETCDIR%%/dnscrypt-proxy.toml
|
|
#
|
|
# dnscrypt_proxy_suexec (bool) Run dnscrypt_proxy as root
|
|
# Default: NO
|
|
#
|
|
# dnscrypt_proxy_uid (str) User to run dnscrypt_proxy as
|
|
# Default: %%USER%%
|
|
#
|
|
# dnscrypt_proxy_mac_portacl_enable (bool)
|
|
# Load mac_portacl module (network port access control policy)
|
|
# Default: NO
|
|
#
|
|
# dnscrypt_proxy_mac_portacl_port (int)
|
|
# Port used in the mac_portacl rule
|
|
# Default: 53
|
|
|
|
. /etc/rc.subr
|
|
|
|
name="dnscrypt_proxy"
|
|
rcvar="dnscrypt_proxy_enable"
|
|
pidfile="/var/run/dnscrypt-proxy.pid"
|
|
procname="%%PREFIX%%/sbin/dnscrypt-proxy"
|
|
|
|
load_rc_config $name
|
|
|
|
: ${dnscrypt_proxy_enable:="NO"}
|
|
: ${dnscrypt_proxy_conf:="%%ETCDIR%%/dnscrypt-proxy.toml"}
|
|
: ${dnscrypt_proxy_suexec:="NO"}
|
|
: ${dnscrypt_proxy_uid:="%%USER%%"}
|
|
: ${dnscrypt_proxy_mac_portacl_enable:="NO"}
|
|
: ${dnscrypt_proxy_mac_portacl_port:="53"}
|
|
|
|
checkyesno dnscrypt_proxy_suexec && dnscrypt_proxy_uid="root"
|
|
|
|
command="/usr/sbin/daemon"
|
|
command_args="-p ${pidfile} -u ${dnscrypt_proxy_uid} -f ${procname} -config ${dnscrypt_proxy_conf}"
|
|
start_precmd="dnscrypt_proxy_precmd"
|
|
|
|
dnscrypt_proxy_precmd() {
|
|
local reservedlow reservedhigh rules_current rules_dnscrypt rport ruid
|
|
|
|
if checkyesno dnscrypt_proxy_mac_portacl_enable ; then
|
|
|
|
# Check and load mac_portacl module
|
|
if ! kldstat -m mac_portacl >/dev/null 2>&1 ; then
|
|
if ! kldload mac_portacl ; then
|
|
warn "Could not load mac_portacl module."
|
|
return 1
|
|
fi
|
|
fi
|
|
|
|
# Check and add mac_portacl rules
|
|
ruid=$(id -u $dnscrypt_proxy_uid)
|
|
rport=$dnscrypt_proxy_mac_portacl_port #smaller variable
|
|
rules_current=$(sysctl -n security.mac.portacl.rules)
|
|
rules_dnscrypt="uid:${ruid}:tcp:${rport},uid:${ruid}:udp:${rport}"
|
|
if [ ! $rules_current = "" ]; then
|
|
if ! echo $rules_current | grep "$rules_dnscrypt" >/dev/null 2>&1 ; then
|
|
rules_current="${rules_current},${rules_dnscrypt}"
|
|
if ! sysctl security.mac.portacl.rules="$rules_current" >/dev/null 2>&1 ; then
|
|
warn "Could not insert mac_portacl rules."
|
|
return 1
|
|
fi
|
|
fi
|
|
elif ! sysctl security.mac.portacl.rules=$rules_dnscrypt >/dev/null 2>&1 ; then
|
|
warn "Could not insert mac_portacl rules."
|
|
return 1
|
|
fi
|
|
|
|
# Check and disable net.inet.ip.portrange.* control
|
|
reservedlow=$(sysctl -n net.inet.ip.portrange.reservedlow)
|
|
reservedhigh=$(sysctl -n net.inet.ip.portrange.reservedhigh)
|
|
if [ ! $reservedlow -eq 0 ]; then
|
|
if ! sysctl net.inet.ip.portrange.reservedlow=0 >/dev/null 2>&1 ; then
|
|
warn "Could not change net.inet.ip.portrange.reservedlow."
|
|
return 1
|
|
fi
|
|
fi
|
|
if [ ! $reservedhigh -eq 0 ]; then
|
|
if ! sysctl net.inet.ip.portrange.reservedhigh=0 >/dev/null 2>&1 ; then
|
|
warn "Could not change net.inet.ip.portrange.reservedhigh."
|
|
return 1
|
|
fi
|
|
fi
|
|
|
|
fi # dnscrypt_proxy_mac_portacl_enable
|
|
|
|
return 0
|
|
}
|
|
|
|
run_rc_command "$1"
|