relayd: make icmp check engine optional because ICMP may be forbidden (feature request)
Wanted to try relayd inside a FreeBSD jail which has raw socket support disabled (default of ezjail for security reasons). By chance, the jail also has IPv6 disabled.
The hce program will fail to start in check_icmp.c:icmp_init because these two network features are not available. I don't actually need the host check engine at all for my use case (manually switch relayd redirection to a/b instance of my application for safe deployment of application upgrade without downtime). To me, it makes sense to add a configuration option to disable support for ICMP host checks altogether. Or to disable the HCE process completely, but that seems harder from a quick glance at the code.
Alternatively, I could enable raw socket support and IPv6 for the jail, but that's a security concern and the jail/application wouldn't make use of those features. It would also go against OpenBSD's security principles to force users to switch to an unsafe configuration just to make something work.
Would you favor such a patch to the config options? Any alternatives?
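
Added example (not relayd code and not written by the poster): a sketch of the behaviour the request describes, where ICMP setup is skipped when switched off and a refused raw socket or missing IPv6 is reported instead of ending the process. The names `check_conf`, `icmp_enabled`, `icmp_init_optional` and `icmp_close` are hypothetical.

```c
/* Added illustration, not relayd source: ICMP setup that degrades instead of aborting. */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define ICMP_V4_OK 0x1
#define ICMP_V6_OK 0x2

/* Hypothetical knob standing in for the config option the request proposes. */
struct check_conf { int icmp_enabled; };

/* Open one raw socket; on failure log the reason and return -1. */
static int probe_raw(int af, int proto, const char *name)
{
	int s = socket(af, SOCK_RAW, proto);
	if (s == -1)
		fprintf(stderr, "%s checks disabled: %s\n", name, strerror(errno));
	return s;
}

/* Returns a bitmask of usable families; fds[0] = IPv4, fds[1] = IPv6, -1 if absent. */
int icmp_init_optional(const struct check_conf *conf, int fds[2])
{
	int mask = 0;
	fds[0] = fds[1] = -1;
	if (!conf->icmp_enabled)
		return 0;	/* operator opted out: no raw socket is requested */
	if ((fds[0] = probe_raw(AF_INET, IPPROTO_ICMP, "ICMP")) != -1)
		mask |= ICMP_V4_OK;
	if ((fds[1] = probe_raw(AF_INET6, IPPROTO_ICMPV6, "ICMPv6")) != -1)
		mask |= ICMP_V6_OK;
	return mask;
}

/* Close whatever was opened and mark both slots unused. */
void icmp_close(int fds[2])
{
	for (int i = 0; i < 2; i++)
		if (fds[i] != -1) { close(fds[i]); fds[i] = -1; }
}

int main(void)
{
	struct check_conf conf = { .icmp_enabled = 1 };
	int fds[2], mask = icmp_init_optional(&conf, fds);
	printf("ICMPv4 %s, ICMPv6 %s\n", (mask & ICMP_V4_OK) ? "usable" : "off",
	    (mask & ICMP_V6_OK) ? "usable" : "off");
	icmp_close(fds);
	return 0;
}
```

With a result of 0 the caller would reject or skip ICMP-based host checks and leave the other check types untouched.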