From 7907b6f0e5e805b4a0e9c0ca96a1659bbb93e659 Mon Sep 17 00:00:00 2001
From: Timotej Lazar <timotej.lazar@fri.uni-lj.si>
Date: Wed, 19 Mar 2025 14:44:36 +0100
Subject: [PATCH] Revert "dnsmasq: drop dhcp-proxy option"

This reverts commit 554bf1f71199da5b3a353894abc7ac98cf0d5f5d.

Turns out ISC dhcrelay will relay even unicast packets from clients. So
the DHCP server got both the routed and the relayed query.

This makes dnsmasq instruct clients to send everything through the relay.
Since everything now comes from the relay we can drop access from client
networks.
---
 roles/dnsmasq/tasks/main.yml               |  6 ------
 roles/dnsmasq/templates/00-options.conf.j2 |  4 ++++
 roles/dnsmasq/templates/dnsmasq.nft.j2     | 12 ------------
 3 files changed, 4 insertions(+), 18 deletions(-)
 delete mode 100644 roles/dnsmasq/templates/dnsmasq.nft.j2

diff --git a/roles/dnsmasq/tasks/main.yml b/roles/dnsmasq/tasks/main.yml
index 6cfcb84..81a8c66 100644
--- a/roles/dnsmasq/tasks/main.yml
+++ b/roles/dnsmasq/tasks/main.yml
@@ -38,10 +38,4 @@
   - 10-ranges.conf
   notify: restart dnsmasq
 
-- name: Configure nftables
-  template:
-    dest: '/etc/nftables.d/dnsmasq.nft'
-    src: 'dnsmasq.nft.j2'
-  notify: reload nftables
-
 # TODO netboot config
diff --git a/roles/dnsmasq/templates/00-options.conf.j2 b/roles/dnsmasq/templates/00-options.conf.j2
index 1c2c3ac..3e505e9 100644
--- a/roles/dnsmasq/templates/00-options.conf.j2
+++ b/roles/dnsmasq/templates/00-options.conf.j2
@@ -4,6 +4,10 @@ port = 0
 # we are the only DHCP server
 dhcp-authoritative
 
+# instruct clients to also send unicast traffic through the relay
+# prevents duplicate queries because ISC dhcrelay forwards everything anyway
+dhcp-proxy
+
 # don’t try to ping clients for duplicate IP check
 # has 3 s timeout during which no other requests are processed
 no-ping
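Review bot: `dhcp-proxy` on the added line is given without an address list, so dnsmasq rewrites the server-id for every relay it hears from, not only the ISC dhcrelay this commit has in mind; if only specific relays should act as full proxies, restrict it to them with `dhcp-proxy=<relay-ip>` (placeholder). Clients that already hold a lease presumably still carry the server's real address and may keep unicasting renewals directly until they pick up the new server-id, so during that window the host sees, and with the accept rule removed in roles/dnsmasq/templates/dnsmasq.nft.j2 likely drops, some direct traffic; a comment such as `# existing leases switch to the relay only once they renew` would make that expected. Whether the relay's own traffic is still accepted on udp/67 once dnsmasq.nft.j2 is gone is not visible in this patch and depends on the remaining firewall rules.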
diff --git a/roles/dnsmasq/templates/dnsmasq.nft.j2 b/roles/dnsmasq/templates/dnsmasq.nft.j2
deleted file mode 100644
index 36c2089..0000000
--- a/roles/dnsmasq/templates/dnsmasq.nft.j2
+++ /dev/null
@@ -1,12 +0,0 @@
-table inet filter {
-    chain input {
-        # networks using this DHCP server
-        ip saddr {
-{% for prefix in prefixes | selectattr('custom_fields.dhcp_server') | sort(attribute='vlan.name') %}
-{% if prefix.custom_fields.dhcp_server.address | ipaddr('address') == primary_ip4 %}
-            {{ prefix.prefix }}, # {{ prefix.vlan.name }}
-{% endif %}
-{% endfor %}
-        } udp dport { 67 } ct state new accept
-    }
-}