relayd: make icmp check engine optional because ICMP may be forbidden (feature request)

Andreas Sommer
Wanted to try relayd inside a FreeBSD jail which has raw socket support disabled (default of ezjail for security reasons [0]). By chance, the jail also has IPv6 disabled.

The hce program will fail to start in check_icmp.c:icmp_init because these two network features are not available. I don't actually need the host check engine at all for my use case (manually switch relayd redirection to a/b instance of my application for safe deployment of application upgrade without downtime). To me, it makes sense to add a configuration option to disable support for ICMP host checks altogether. Or to disable the HCE process completely, but that seems harder from a quick glance at the code.

Alternatively, I could enable raw socket support and IPv6 for the jail, but that's a security concern and the jail/application wouldn't make use of those features. It would also go against OpenBSD's security principles to force users to switch to an unsafe configuration just to make something work [1].

Would you favor such a patch to the config options? Any alternatives?

Best,
 Andreas Sommer

[0] https://www.freebsd.org/doc/handbook/jails-ezjail.html (search "Occasionally, a jail genuinely needs raw sockets [...]")
[1] http://www.openbsd.org/papers/hackfest2015-pledge/mgp00005.html
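As an added illustration of the failure mode described in the post (this is example code, not relayd's own icmp_init, and it does not reproduce relayd's internals): a host-check engine that needs raw ICMP sockets can probe each address family at startup and record which ones are usable, instead of treating the first failure as fatal. The probe below opens and immediately closes a raw socket per family; in a jail with raw sockets disabled the IPv4 attempt fails (typically EPERM), and with IPv6 disabled the IPv6 attempt fails (typically EAFNOSUPPORT). The struct and function names are the example's own, and the set of "expected" errnos is an assumption about what restricted environments return.

```c
/* Added example (not relayd code): probe raw ICMP socket availability per
 * address family so that ICMP host checks can be disabled selectively
 * instead of aborting the whole check engine. */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

struct icmp_caps {
    int v4_ok;     /* 1 if a raw IPv4 ICMP socket could be opened */
    int v6_ok;     /* 1 if a raw IPv6 ICMPv6 socket could be opened */
    int v4_errno;  /* errno from the IPv4 attempt, 0 on success */
    int v6_errno;  /* errno from the IPv6 attempt, 0 on success */
};

/* Try to open a raw ICMP socket for one family. Returns 0 on success,
 * -1 on failure with the errno stored in *err_out. The descriptor is
 * closed right away: this is only a capability probe. */
static int probe_raw_icmp(int family, int *err_out)
{
    int proto = (family == AF_INET6) ? IPPROTO_ICMPV6 : IPPROTO_ICMP;
    int fd = socket(family, SOCK_RAW, proto);

    if (fd == -1) {
        *err_out = errno;
        return -1;
    }
    close(fd);
    *err_out = 0;
    return 0;
}

/* Probe both families and report what is usable. */
struct icmp_caps icmp_probe(void)
{
    struct icmp_caps c;

    memset(&c, 0, sizeof(c));
    c.v4_ok = (probe_raw_icmp(AF_INET, &c.v4_errno) == 0);
    c.v6_ok = (probe_raw_icmp(AF_INET6, &c.v6_errno) == 0);
    return c;
}

/* ICMP checks can be offered if at least one family works; a daemon that
 * insisted on both would fail to start in exactly the jail the post
 * describes (raw sockets off, IPv6 off). */
int icmp_checks_available(const struct icmp_caps *c)
{
    return c->v4_ok || c->v6_ok;
}

/* Assumption: these are the errnos a restricted jail or container returns
 * for "raw sockets forbidden" or "address family not present". Anything
 * else is unexpected and should be logged loudly rather than silently
 * treated as "ICMP disabled". */
int is_expected_raw_socket_failure(int err)
{
    return err == EPERM || err == EACCES || err == EAFNOSUPPORT ||
           err == EPROTONOSUPPORT || err == ESOCKTNOSUPPORT || err == EINVAL;
}

int main(void)
{
    struct icmp_caps c = icmp_probe();

    printf("ICMPv4 raw socket: %s\n",
           c.v4_ok ? "available" : strerror(c.v4_errno));
    printf("ICMPv6 raw socket: %s\n",
           c.v6_ok ? "available" : strerror(c.v6_errno));
    printf("ICMP host checks: %s\n",
           icmp_checks_available(&c) ? "offered" : "disabled (use tcp/http checks or no check)");
    return 0;
}
```

Run it unprivileged, then as root, and then inside a jail with raw sockets disabled to see the three outcomes; the point is that the result is data the daemon can act on (refuse only ICMP-type checks in the configuration) rather than a reason to exit.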