From 554bf1f71199da5b3a353894abc7ac98cf0d5f5d Mon Sep 17 00:00:00 2001 From: Timotej Lazar Date: Sat, 9 Nov 2024 20:06:58 +0100 Subject: [PATCH] dnsmasq: drop dhcp-proxy option Instead add firewall rules to allow direct communication from client networks. --- roles/dnsmasq/tasks/main.yml | 6 ++++++ roles/dnsmasq/templates/00-options.conf.j2 | 1 - roles/dnsmasq/templates/dnsmasq.nft.j2 | 12 ++++++++++++ 3 files changed, 18 insertions(+), 1 deletion(-) create mode 100644 roles/dnsmasq/templates/dnsmasq.nft.j2 diff --git a/roles/dnsmasq/tasks/main.yml b/roles/dnsmasq/tasks/main.yml index 81a8c66..6cfcb84 100644 --- a/roles/dnsmasq/tasks/main.yml +++ b/roles/dnsmasq/tasks/main.yml @@ -38,4 +38,10 @@ - 10-ranges.conf notify: restart dnsmasq +- name: Configure nftables + template: + dest: '/etc/nftables.d/dnsmasq.nft' + src: 'dnsmasq.nft.j2' + notify: reload nftables + # TODO netboot config diff --git a/roles/dnsmasq/templates/00-options.conf.j2 b/roles/dnsmasq/templates/00-options.conf.j2 index 6e507e7..8c15522 100644 --- a/roles/dnsmasq/templates/00-options.conf.j2 +++ b/roles/dnsmasq/templates/00-options.conf.j2 @@ -5,7 +5,6 @@ bind-interfaces interface = {{ interfaces | map(attribute='name') | join(',') }} dhcp-authoritative -dhcp-proxy dhcp-option = option:dns-server,{{ dns | join(',') }} dhcp-option = option:ntp-server,{{ ntp | join(',') }} diff --git a/roles/dnsmasq/templates/dnsmasq.nft.j2 b/roles/dnsmasq/templates/dnsmasq.nft.j2 new file mode 100644 index 0000000..36c2089 --- /dev/null +++ b/roles/dnsmasq/templates/dnsmasq.nft.j2 @@ -0,0 +1,12 @@ +table inet filter { + chain input { + # networks using this DHCP server + ip saddr { +{% for prefix in prefixes | selectattr('custom_fields.dhcp_server') | sort(attribute='vlan.name') %} +{% if prefix.custom_fields.dhcp_server.address | ipaddr('address') == primary_ip4 %} + {{ prefix.prefix }}, # {{ prefix.vlan.name }} +{% endif %} +{% endfor %} + } udp dport { 67 } ct state new accept + } +}