Describe the feature you'd like
Add ICMP proxy support for FreeBSD and OpenBSD. Currently, cloudflared falls through to the generic stub (ingress/icmp_generic.go) on these platforms, which returns errICMPProxyNotImplemented — ICMP/ping traffic cannot be proxied through the tunnel, and an "ICMP proxy is not implemented" warning is logged at startup.
FreeBSD and OpenBSD have no unprivileged datagram ICMP (unlike Linux's ping_group_range and Darwin's native datagram sockets). They require a privileged raw socket (SOCK_RAW, network strings ip4:icmp / ip6:ipv6-icmp) and root. The proxy architecture is otherwise identical to Darwin's: a single shared socket with an echo-ID tracker to demux replies. The vendored golang.org/x/net/icmp already handles the raw-socket path on both platforms, so no new dependencies are needed.
This has raised concerns among users of the OPNsense (FreeBSD-based) cloudflared plugin, which I developed and maintain, where ICMP proxy support would be expected to work but falls back to the stub and throws a warning in the logs.
Describe alternatives you've considered
Unprivileged datagram sockets: neither OS supports them for ICMP (no ping_group_range equivalent, no native datagram ICMP). Not viable.
Additional context
I have a working initial implementation at: master...insanityinside:cloudflared:freebsd-icmp
The implementation reuses the Darwin single-socket proxy with minimal additions; Linux and Windows are completely unaffected. Tested on FreeBSD 14.3, FreeBSD 15.0, and OpenBSD 7.9 as root (ICMP proxied correctly). Non-root degrades gracefully: a "requires root privileges" warning is logged and cloudflared continues with ICMP disabled. go vet is clean for all five platforms.
Raising here before I set up a PR in case there are design concerns or a preferred approach. I used Claude to assist me with the development, and I've manually sanity-checked all the generated/modified code. It all looks reasonable, with the caveat that I've not got massive experience with Go (but years of experience developing in other languages and being a sysadmin).
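The single shared socket described in the issue needs an echo-ID tracker so that a reply read from the socket can be matched to the client that sent the request. The following is an added example, not code from cloudflared or from the linked branch, showing one way such a tracker can allocate, look up and recycle IDs. The names `flow`, `echoIDTracker` and `newEchoIDTracker`, the choice to key on source address plus original echo ID, and the sample address are assumptions; the type is not goroutine-safe, so a proxy with separate reader and writer goroutines would guard it with a mutex.

```go
package main

import "fmt"

type flow struct {
	src string // source address of the tunnelled client
	id  uint16 // echo ID that client chose
}

// echoIDTracker (hypothetical name) gives each flow an echo ID unique on the shared socket.
type echoIDTracker struct {
	byFlow map[flow]uint16
	byID   map[uint16]flow
	next   uint16 // moves past the last issued ID so a freed ID is not reissued at once
}

func newEchoIDTracker() *echoIDTracker { return &echoIDTracker{byFlow: map[flow]uint16{}, byID: map[uint16]flow{}} }

// assign returns the socket-side ID for f; false means all 65536 IDs are in use.
func (t *echoIDTracker) assign(f flow) (uint16, bool) {
	if id, ok := t.byFlow[f]; ok {
		return id, true
	}
	for n := 0; n < 1<<16; n++ {
		id := t.next + uint16(n) // uint16 arithmetic wraps past 65535 to 0
		if _, used := t.byID[id]; !used {
			t.byFlow[f], t.byID[id], t.next = id, f, id+1
			return id, true
		}
	}
	return 0, false
}

// lookup maps the echo ID carried in a reply back to the originating flow.
func (t *echoIDTracker) lookup(id uint16) (flow, bool) {
	f, ok := t.byID[id]
	return f, ok
}

// release frees f's ID once the flow is idle so the ID can be reused.
func (t *echoIDTracker) release(f flow) {
	if id, ok := t.byFlow[f]; ok {
		delete(t.byID, id)
		delete(t.byFlow, f)
	}
}

func main() {
	fmt.Println(newEchoIDTracker().assign(flow{"192.0.2.10", 7})) // constructed sample flow
}
```

A reply whose echo ID fails `lookup` belongs to no tracked flow and should be dropped rather than forwarded, since a raw ICMP socket also receives echo replies addressed to other processes on the host.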