Update dns/dnscrypt-proxy2 to version 2.0.33
[dports.git] / dns / dnscrypt-proxy2 / files / dnscrypt-proxy.in
1 #!/bin/sh
2 #
3 # $FreeBSD$
4 #
5 # PROVIDE: dnscrypt_proxy
6 # REQUIRE: cleanvar SERVERS
7 # BEFORE:  dnsmasq local_unbound named nsmasq pdns unbound
8 #
9 # Options to configure dnscrypt-proxy via /etc/rc.conf:
10 #
11 # dnscrypt_proxy_enable (bool)  Enable service on boot
12 #                               Default: NO
13 #
14 # dnscrypt_proxy_conf (str)     Config file to use
15 #                               Default: %%ETCDIR%%/dnscrypt-proxy.toml
16 #
17 # dnscrypt_proxy_suexec (bool)  Run dnscrypt_proxy as root (overrides dnscrypt_proxy_uid)
18 #                               Default: NO
19 #
20 # dnscrypt_proxy_uid (str)      User to run dnscrypt_proxy as
21 #                               Default: %%USER%%
22 #
23 # dnscrypt_proxy_mac_portacl_enable (bool)
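24 #                               Load mac_portacl module (network port access control policy), add bind rules for the service uid on the port below, and set net.inet.ip.portrange.reservedlow/reservedhigh to 0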
25 #                               Default: NO
26 #
27 # dnscrypt_proxy_mac_portacl_port (int)
28 #                               Port used in the mac_portacl rule
29 #                               Default: 53
30
31 . /etc/rc.subr
32
# Identity of the service as rc.subr sees it. %%PREFIX%%, %%ETCDIR%% and
# %%USER%% are placeholders in this .in template.
name="dnscrypt_proxy"
rcvar="dnscrypt_proxy_enable"
pidfile="/var/run/dnscrypt-proxy.pid"
procname="%%PREFIX%%/sbin/dnscrypt-proxy"

# Pull in the administrator's rc.conf settings before applying defaults.
load_rc_config "$name"

# Defaults for every knob that rc.conf left unset or empty.
: "${dnscrypt_proxy_enable:=NO}"
: "${dnscrypt_proxy_conf:=%%ETCDIR%%/dnscrypt-proxy.toml}"
: "${dnscrypt_proxy_suexec:=NO}"
: "${dnscrypt_proxy_uid:=%%USER%%}"
: "${dnscrypt_proxy_mac_portacl_enable:=NO}"
: "${dnscrypt_proxy_mac_portacl_port:=53}"

# suexec=YES replaces whatever account was configured: daemon(8) is then
# started with "-u root", so no privilege drop happens at this layer and
# dnscrypt_proxy_uid from rc.conf is ignored.
if checkyesno dnscrypt_proxy_suexec; then
        dnscrypt_proxy_uid="root"
fi

# The proxy is supervised by daemon(8), which writes the pidfile and
# switches to the selected user before running ${procname}.
command="/usr/sbin/daemon"
command_args="-p ${pidfile} -u ${dnscrypt_proxy_uid} -f ${procname} -config ${dnscrypt_proxy_conf}"
start_precmd="dnscrypt_proxy_precmd"
52
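#######################################
# start_precmd hook: when dnscrypt_proxy_mac_portacl_enable is set, prepare
# mac_portacl so the (unprivileged) service account may bind the DNS port.
#
# Steps, each of which aborts the start with status 1 on failure:
#   1. load the mac_portacl kernel module if it is not loaded;
#   2. make sure security.mac.portacl.rules holds a tcp and a udp rule for
#      the service uid and the configured port;
#   3. set net.inet.ip.portrange.reservedlow/reservedhigh to 0.
#
# Security notes:
#   - Step 3 is system-wide: with both sysctls at 0 the kernel's own
#     "reserved ports need root" check no longer applies, and binding to
#     low ports is governed by the mac_portacl policy instead. If that
#     policy is later disabled or unloaded, low ports are left without
#     either check.
#   - Nothing in this script restores the sysctls or removes the rules when
#     the service stops; they stay in place until changed by hand or reboot.
#
# Globals:   dnscrypt_proxy_mac_portacl_enable, dnscrypt_proxy_uid,
#            dnscrypt_proxy_mac_portacl_port (all read)
# Returns:   0 on success or when the feature is disabled, 1 on error
#######################################
dnscrypt_proxy_precmd() {
        local oid rule rules_current rules_new rport ruid

        if ! checkyesno dnscrypt_proxy_mac_portacl_enable ; then
                return 0
        fi

        # Check and load mac_portacl module
        if ! kldstat -m mac_portacl >/dev/null 2>&1 ; then
                if ! kldload mac_portacl ; then
                        warn "Could not load mac_portacl module."
                        return 1
                fi
        fi

        # Resolve the service account to a numeric uid. Stop here if the
        # lookup fails: an empty uid would otherwise be spliced into the
        # rule string and written to the policy.
        if ! ruid=$(id -u "$dnscrypt_proxy_uid" 2>/dev/null) || [ -z "$ruid" ]; then
                warn "Could not resolve uid of ${dnscrypt_proxy_uid}."
                return 1
        fi

        # The port comes from rc.conf and ends up inside a comma/colon
        # separated rule list, so accept digits only.
        rport=$dnscrypt_proxy_mac_portacl_port
        case "$rport" in
        ''|*[!0-9]*)
                warn "Invalid dnscrypt_proxy_mac_portacl_port: ${rport}"
                return 1
                ;;
        esac

        # Check and add mac_portacl rules. Each rule is compared as a whole
        # comma-delimited element: a substring match would treat an existing
        # rule for port 5353 as if it already covered port 53.
        rules_current=$(sysctl -n security.mac.portacl.rules)
        rules_new=$rules_current
        for rule in "uid:${ruid}:tcp:${rport}" "uid:${ruid}:udp:${rport}"; do
                case ",${rules_new}," in
                *",${rule},"*)
                        ;;
                *)
                        rules_new="${rules_new:+${rules_new},}${rule}"
                        ;;
                esac
        done
        if [ "$rules_new" != "$rules_current" ]; then
                if ! sysctl security.mac.portacl.rules="$rules_new" >/dev/null 2>&1 ; then
                        warn "Could not insert mac_portacl rules."
                        return 1
                fi
        fi

        # Check and disable net.inet.ip.portrange.* control (see the
        # security notes in the header: this affects the whole system).
        for oid in net.inet.ip.portrange.reservedlow \
            net.inet.ip.portrange.reservedhigh; do
                if [ "$(sysctl -n "$oid" 2>/dev/null)" != "0" ]; then
                        if ! sysctl "${oid}=0" >/dev/null 2>&1 ; then
                                warn "Could not change ${oid}."
                                return 1
                        fi
                fi
        done

        return 0
}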
104
# Hand the action given as the first argument to rc.subr's dispatcher.
run_rc_command "${1}"