1 files changed, 20 insertions, 65 deletions

diff --git a/src/conf_mode/dns_forwarding.py b/src/conf_mode/dns_forwarding.py
index 3ca77adee..38f3cb4de 100755
--- a/src/conf_mode/dns_forwarding.py
+++ b/src/conf_mode/dns_forwarding.py
@@ -24,6 +24,7 @@ import jinja2
 import netifaces
 
 import vyos.util
+import vyos.hostsd_client
 
 from vyos.config import Config
 from vyos import ConfigError
@@ -44,7 +45,7 @@ config_tmpl = """
 # Non-configurable defaults
 daemon=yes
 threads=1
-allow-from=0.0.0.0/0, ::/0
+allow-from={{ allow_from | join(',') }}
 log-common-errors=yes
 non-local-bind=yes
 query-local-address=0.0.0.0
@@ -83,10 +84,10 @@ dnssec={{ dnssec }}
 """
 
 default_config_data = {
+    'allow_from': [],
     'cache_size': 10000,
     'export_hosts_file': 'yes',
     'listen_on': [],
-    'interfaces': [],
     'name_servers': [],
     'negative_ttl': 3600,
     'domains': [],
@@ -94,19 +95,6 @@ default_config_data = {
 }
 
 
-# borrowed from: https://github.com/donjajo/py-world/blob/master/resolvconfReader.py, THX!
-def get_resolvers(file):
-    try:
-        with open(file, 'r') as resolvconf:
-            lines = [line.split('#', 1)[0].rstrip()
-                     for line in resolvconf.readlines()]
-            resolvers = [line.split()[1]
-                         for line in lines if 'nameserver' in line]
-        return resolvers
-    except IOError:
-        return []
-
-
 def get_config(arguments):
     dns = default_config_data
     conf = Config()
@@ -121,6 +109,9 @@ def get_config(arguments):
 
     conf.set_level('service dns forwarding')
 
+    if conf.exists('allow-from'):
+        dns['allow_from'] = conf.return_values('allow-from')
+
     if conf.exists('cache-size'):
         cache_size = conf.return_value('cache-size')
         dns['cache_size'] = cache_size
@@ -164,64 +155,27 @@ def get_config(arguments):
     if conf.exists('dnssec'):
         dns['dnssec'] = conf.return_value('dnssec')
 
-    ## Hacks and tricks
-
-    # The old VyOS syntax that comes from dnsmasq was "listen-on $interface".
-    # pdns wants addresses instead, so we emulate it by looking up all addresses
-    # of a given interface and writing them to the config
-    if conf.exists('listen-on'):
-        print("WARNING: since VyOS 1.2.0, \"service dns forwarding listen-on\" is a limited compatibility option.")
-        print("It will only make DNS forwarder listen on addresses assigned to the interface at the time of commit")
-        print("which means it will NOT work properly with VRRP/clustering or addresses received from DHCP.")
-        print("Please reconfigure your system with \"service dns forwarding listen-address\" instead.")
-
-        interfaces = conf.return_values('listen-on')
-
-        listen4 = []
-        listen6 = []
-        for interface in interfaces:
-            try:
-                addrs = netifaces.ifaddresses(interface)
-            except ValueError:
-                print(
-                    "WARNING: interface {0} does not exist".format(interface))
-                continue
-
-            if netifaces.AF_INET in addrs.keys():
-                for ip4 in addrs[netifaces.AF_INET]:
-                    listen4.append(ip4['addr'])
-
-            if netifaces.AF_INET6 in addrs.keys():
-                for ip6 in addrs[netifaces.AF_INET6]:
-                    listen6.append(ip6['addr'])
-
-            if (not listen4) and (not (listen6)):
-                print(
-                    "WARNING: interface {0} has no configured addresses".format(interface))
-
-        dns['listen_on'] = dns['listen_on'] + listen4 + listen6
-
-        # Save interfaces in the dict for the reference
-        dns['interfaces'] = interfaces
-
     # Add name servers received from DHCP
     if conf.exists('dhcp'):
         interfaces = []
         interfaces = conf.return_values('dhcp')
+        hc = vyos.hostsd_client.Client()
+
         for interface in interfaces:
-            dhcp_resolvers = get_resolvers(
-                "/etc/resolv.conf.dhclient-new-{0}".format(interface))
+            dhcp_resolvers = hc.get_name_servers("dhcp-{0}".format(interface))
+            dhcpv6_resolvers = hc.get_name_servers("dhcpv6-{0}".format(interface))
+
             if dhcp_resolvers:
                 dns['name_servers'] = dns['name_servers'] + dhcp_resolvers
+            if dhcpv6_resolvers:
+                dns['name_servers'] = dns['name_servers'] + dhcpv6_resolvers
 
     return dns
 
-
 def bracketize_ipv6_addrs(addrs):
     """Wraps each IPv6 addr in addrs in [], leaving IPv4 addrs untouched."""
     return ['[{0}]'.format(a) if a.count(':') > 1 else a for a in addrs]
 
-
 def verify(dns):
     # bail out early - looks like removal from running config
     if dns is None:
@@ -231,6 +185,10 @@ def verify(dns):
         raise ConfigError(
             "Error: DNS forwarding requires either a listen-address (preferred) or a listen-on option")
 
+    if not dns['allow_from']:
+        raise ConfigError(
+                "Error: DNS forwarding requires an allow-from network")
+
     if dns['domains']:
         for domain in dns['domains']:
             if not domain['servers']:
@@ -239,7 +197,6 @@ def verify(dns):
 
     return None
 
-
 def generate(dns):
     # bail out early - looks like removal from running config
     if dns is None:
@@ -251,16 +208,14 @@ def generate(dns):
         f.write(config_text)
     return None
 
-
 def apply(dns):
-    if dns is not None:
-        os.system("systemctl restart pdns-recursor")
-    else:
+    if dns is None:
         # DNS forwarding is removed in the commit
         os.system("systemctl stop pdns-recursor")
         if os.path.isfile(config_file):
             os.unlink(config_file)
-
+    else:
+        os.system("systemctl restart pdns-recursor")
 
 if __name__ == '__main__':
     args = parser.parse_args()