I wanted to try relayd inside a FreeBSD jail which has raw socket support 
disabled (the ezjail default, for security reasons [0]). By chance, the jail also 
has IPv6 disabled.

The hce program will fail to start in check_icmp.c:icmp_init because these two 
network features are not available. I don't actually need the host check engine 
at all for my use case (manually switching the relayd redirection to the a/b instance of 
my application for safe deployment of application upgrades without downtime). To 
me, it makes sense to add a configuration option to disable support for ICMP 
host checks altogether, or to disable the HCE process completely, but that 
seems harder from a quick glance at the code.

Alternatively, I could enable raw socket support and IPv6 for the jail, but 
that's a security concern and the jail/application wouldn't make use of those 
features. It would also go against OpenBSD's security principles to force users 
to switch to an unsafe configuration just to make something work [1].

Would you favor such a patch to the config options? Any alternatives?

Best,
 Andreas Sommer

[0] https://www.freebsd.org/doc/handbook/jails-ezjail.html (search 
"Occasionally, a jail genuinely needs raw sockets [...]")
[1] http://www.openbsd.org/papers/hackfest2015-pledge/mgp00005.html
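The probe-and-degrade behaviour this mail asks for, as an added example that is not relayd's own code and does not reproduce check_icmp.c: a start-up routine that tries the raw ICMP sockets the host check engine would need, treats "feature not available in this environment" (raw sockets disabled in the jail, no IPv6) as a reason to switch ICMP checks off rather than as a fatal error, and honours a hypothetical `icmp_checks_enabled` configuration flag. The function names and the flag are assumptions for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>

/* Outcome of probing for a raw ICMP socket on one address family. */
enum icmp_probe {
	ICMP_PROBE_OK = 0,          /* raw socket opened; ICMP checks usable */
	ICMP_PROBE_UNAVAILABLE = 1, /* feature absent here; disable ICMP checks quietly */
	ICMP_PROBE_ERROR = 2        /* unexpected failure; caller should report it */
};

/*
 * Classify the errno left by a failed socket(2) call. Raw sockets turned
 * off for a jail surface as EPERM/EACCES; a jail or kernel without IPv6
 * yields EAFNOSUPPORT or EPROTONOSUPPORT. Anything else is a real error.
 */
enum icmp_probe
icmp_classify_errno(int err)
{
	switch (err) {
	case EPERM:
	case EACCES:
	case EAFNOSUPPORT:
	case EPROTONOSUPPORT:
		return ICMP_PROBE_UNAVAILABLE;
	default:
		return ICMP_PROBE_ERROR;
	}
}

/* Try to open the raw socket a host check engine would use for one family. */
enum icmp_probe
icmp_probe_family(int af)
{
	int proto = (af == AF_INET6) ? IPPROTO_ICMPV6 : IPPROTO_ICMP;
	int s = socket(af, SOCK_RAW, proto);

	if (s == -1)
		return icmp_classify_errno(errno);
	close(s);
	return ICMP_PROBE_OK;
}

/*
 * Hypothetical lenient replacement for a fatal icmp_init: returns 0 when the
 * daemon may continue (possibly with ICMP checks disabled) and -1 only on an
 * unexpected error. *v4_ok and *v6_ok report which families are usable.
 * icmp_checks_enabled models the proposed configuration option; when it is
 * 0 no raw socket is ever requested, so the jail needs no extra privilege.
 */
int
icmp_init_lenient(int icmp_checks_enabled, int *v4_ok, int *v6_ok)
{
	enum icmp_probe r4, r6;

	*v4_ok = 0;
	*v6_ok = 0;
	if (!icmp_checks_enabled)
		return 0;	/* operator opted out; nothing to probe */

	r4 = icmp_probe_family(AF_INET);
	r6 = icmp_probe_family(AF_INET6);
	if (r4 == ICMP_PROBE_ERROR || r6 == ICMP_PROBE_ERROR)
		return -1;

	*v4_ok = (r4 == ICMP_PROBE_OK);
	*v6_ok = (r6 == ICMP_PROBE_OK);
	return 0;
}

int
main(void)
{
	int v4, v6;

	/* Run with the option enabled to see what this environment allows. */
	if (icmp_init_lenient(1, &v4, &v6) == -1) {
		fprintf(stderr, "icmp_init: unexpected error: %s\n", strerror(errno));
		return 1;
	}
	printf("ICMP checks: IPv4 %s, IPv6 %s\n",
	    v4 ? "available" : "disabled", v6 ? "available" : "disabled");
	return 0;
}
```

Run unprivileged, or inside a jail with raw sockets off, the program reports both families as disabled and still exits successfully, which is the behaviour a `disable ICMP host checks` option would guarantee without touching the jail's security settings.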
