Revert "dnsmasq: drop dhcp-proxy option"

This reverts commit 554bf1f711.

Turns out ISC dhcrelay will relay even unicast packets from clients. So
the DHCP server got both the routed and the relayed query.

This tells dnsmasq to tell clients to send everything through the relay.
Since everything now comes from the relay we can drop access from client
networks.

roles/dnsmasq/tasks/main.yml

@@ -38,10 +38,4 @@
   - 10-ranges.conf
   notify: restart dnsmasq
 
-- name: Configure nftables
-  template:
-    dest: '/etc/nftables.d/dnsmasq.nft'
-    src: 'dnsmasq.nft.j2'
-  notify: reload nftables
-
 # TODO netboot config

roles/dnsmasq/templates/00-options.conf.j2

@@ -4,6 +4,10 @@ port = 0
 # we are the only DHCP server
 dhcp-authoritative
 
+# instruct clients to also send unicast traffic through the relay
+# prevents duplicate queries because ISC dhcrelay forwards everything anyway
+dhcp-proxy
+
 # don’t try to ping clients for duplicate IP check
 # has 3 s timeout during which no other requests are processed
 no-ping

roles/dnsmasq/templates/dnsmasq.nft.j2

@@ -1,12 +0,0 @@
-table inet filter {
-    chain input {
-        # networks using this DHCP server
-        ip saddr {
-{% for prefix in prefixes | selectattr('custom_fields.dhcp_server') | sort(attribute='vlan.name') %}
-{% if prefix.custom_fields.dhcp_server.address | ipaddr('address') == primary_ip4 %}
-            {{ prefix.prefix }}, # {{ prefix.vlan.name }}
-{% endif %}
-{% endfor %}
-        } udp dport { 67 } ct state new accept
-    }
-}