5 # PROVIDE: dnscrypt_proxy
6 # REQUIRE: cleanvar SERVERS
7 # BEFORE: dnsmasq local_unbound named nsmasq pdns unbound
9 # Options to configure dnscrypt-proxy via /etc/rc.conf:
11 # dnscrypt_proxy_enable (bool) Enable service on boot
14 # dnscrypt_proxy_conf (str) Config file to use
15 # Default: %%ETCDIR%%/dnscrypt-proxy.toml
17 # dnscrypt_proxy_suexec (bool) Run dnscrypt_proxy as root
20 # dnscrypt_proxy_uid (str) User to run dnscrypt_proxy as
23 # dnscrypt_proxy_mac_portacl_enable (bool)
24 # Load mac_portacl module (network port access control policy)
27 # dnscrypt_proxy_mac_portacl_port (int)
28 # Port used in the mac_portacl rule
# rc.subr wiring: the knob that enables the service, where daemon(8) writes
# the pid, and the real binary name rc.subr uses to find the running process.
rcvar="dnscrypt_proxy_enable"
pidfile="/var/run/dnscrypt-proxy.pid"
procname="%%PREFIX%%/sbin/dnscrypt-proxy"
# Defaults for the rc.conf knobs documented in the header above.
# ':' with '${var:=...}' assigns only when the variable is unset or empty,
# so anything the operator set in /etc/rc.conf takes precedence.
: ${dnscrypt_proxy_enable:="NO"}
: ${dnscrypt_proxy_conf:="%%ETCDIR%%/dnscrypt-proxy.toml"}
: ${dnscrypt_proxy_suexec:="NO"}
: ${dnscrypt_proxy_uid:="%%USER%%"}
: ${dnscrypt_proxy_mac_portacl_enable:="NO"}
# Port the precmd below puts into the uid-scoped mac_portacl rule (53 = DNS).
: ${dnscrypt_proxy_mac_portacl_port:="53"}
# suexec replaces the configured (unprivileged) uid with root, so the daemon
# then runs with full privileges; the mac_portacl rule is built from whatever
# uid ends up here.
checkyesno dnscrypt_proxy_suexec && dnscrypt_proxy_uid="root"
# The process is supervised by daemon(8): -p names the pidfile, -u the account
# to run as, -f detaches the child's stdio; everything after ${procname} is
# dnscrypt-proxy's own command line (its -config file).  command_args is a
# single string that rc.subr expands itself, hence no extra quoting here.
command="/usr/sbin/daemon"
command_args="-p ${pidfile} -u ${dnscrypt_proxy_uid} -f ${procname} -config ${dnscrypt_proxy_conf}"
# Runs before start: loads mac_portacl and relaxes the reserved port range
# when dnscrypt_proxy_mac_portacl_enable is YES (defined further down).
start_precmd="dnscrypt_proxy_precmd"
53 dnscrypt_proxy_precmd() {
54 local reservedlow reservedhigh rules_current rules_dnscrypt rport ruid
56 if checkyesno dnscrypt_proxy_mac_portacl_enable ; then
58 # Check and load mac_portacl module
59 if ! kldstat -m mac_portacl >/dev/null 2>&1 ; then
60 if ! kldload mac_portacl ; then
61 warn "Could not load mac_portacl module."
66 # Check and add mac_portacl rules
67 ruid=$(id -u $dnscrypt_proxy_uid)
68 rport=$dnscrypt_proxy_mac_portacl_port #smaller variable
69 rules_current=$(sysctl -n security.mac.portacl.rules)
70 rules_dnscrypt="uid:${ruid}:tcp:${rport},uid:${ruid}:udp:${rport}"
71 if [ ! $rules_current = "" ]; then
72 if ! echo $rules_current | grep "$rules_dnscrypt" >/dev/null 2>&1 ; then
73 rules_current="${rules_current},${rules_dnscrypt}"
74 if ! sysctl security.mac.portacl.rules="$rules_current" >/dev/null 2>&1 ; then
75 warn "Could not insert mac_portacl rules."
79 elif ! sysctl security.mac.portacl.rules=$rules_dnscrypt >/dev/null 2>&1 ; then
80 warn "Could not insert mac_portacl rules."
84 # Check and disable net.inet.ip.portrange.* control
85 reservedlow=$(sysctl -n net.inet.ip.portrange.reservedlow)
86 reservedhigh=$(sysctl -n net.inet.ip.portrange.reservedhigh)
87 if [ ! $reservedlow -eq 0 ]; then
88 if ! sysctl net.inet.ip.portrange.reservedlow=0 >/dev/null 2>&1 ; then
89 warn "Could not change net.inet.ip.portrange.reservedlow."
93 if [ ! $reservedhigh -eq 0 ]; then
94 if ! sysctl net.inet.ip.portrange.reservedhigh=0 >/dev/null 2>&1 ; then
95 warn "Could not change net.inet.ip.portrange.reservedhigh."
100 fi # dnscrypt_proxy_mac_portacl_enable