dnsmasq: drop dhcp-proxy option

Instead add firewall rules to allow direct communication from client networks.

roles/dnsmasq/tasks/main.yml

@@ -38,4 +38,10 @@
   - 10-ranges.conf
   notify: restart dnsmasq
 
+- name: Configure nftables
+  template:
+    dest: '/etc/nftables.d/dnsmasq.nft'
+    src: 'dnsmasq.nft.j2'
+  notify: reload nftables
+
 # TODO netboot config

roles/dnsmasq/templates/00-options.conf.j2

@@ -5,7 +5,6 @@ bind-interfaces
 interface = {{ interfaces | map(attribute='name') | join(',') }}
 
 dhcp-authoritative
-dhcp-proxy
 
 dhcp-option = option:dns-server,{{ dns | join(',') }}
 dhcp-option = option:ntp-server,{{ ntp | join(',') }}

roles/dnsmasq/templates/dnsmasq.nft.j2

@@ -0,0 +1,12 @@
+table inet filter {
+    chain input {
+        # networks using this DHCP server
+        ip saddr {
+{% for prefix in prefixes | selectattr('custom_fields.dhcp_server') | sort(attribute='vlan.name') %}
+{% if prefix.custom_fields.dhcp_server.address | ipaddr('address') == primary_ip4 %}
+            {{ prefix.prefix }}, # {{ prefix.vlan.name }}
+{% endif %}
+{% endfor %}
+        } udp dport { 67 } ct state new accept
+    }
+}