3 files changed, 79 insertions, 9 deletions

diff --git a/interface-definitions/dns-forwarding.xml b/interface-definitions/dns-forwarding.xml
index 56820608c..08a221ebe 100644
--- a/interface-definitions/dns-forwarding.xml
+++ b/interface-definitions/dns-forwarding.xml
@@ -97,6 +97,23 @@
                   <valueless/>
                 </properties>
               </leafNode>
+              <leafNode name="allow-from">
+                <properties>
+                  <help>Networks allowed to query this server</help>
+                  <valueHelp>
+                    <format>ipv4net</format>
+                    <description>IP address and prefix length</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>ipv6net</format>
+                    <description>IPv6 address and prefix length</description>
+                  </valueHelp>
+                  <multi/>
+                  <constraint>
+                    <validator name="ip-prefix"/>
+                  </constraint>
+                </properties>
+              </leafNode>
               <leafNode name="listen-address">
                 <properties>
                   <help>Addresses to listen for DNS queries [REQUIRED]</help>
diff --git a/src/conf_mode/dns_forwarding.py b/src/conf_mode/dns_forwarding.py
index 3ca77adee..86683e72c 100755
--- a/src/conf_mode/dns_forwarding.py
+++ b/src/conf_mode/dns_forwarding.py
@@ -44,7 +44,7 @@ config_tmpl = """
 # Non-configurable defaults
 daemon=yes
 threads=1
-allow-from=0.0.0.0/0, ::/0
+allow-from={{ allow_from | join(',') }}
 log-common-errors=yes
 non-local-bind=yes
 query-local-address=0.0.0.0
@@ -83,6 +83,7 @@ dnssec={{ dnssec }}
 """
 
 default_config_data = {
+    'allow_from': [],
     'cache_size': 10000,
     'export_hosts_file': 'yes',
     'listen_on': [],
@@ -121,6 +122,9 @@ def get_config(arguments):
 
     conf.set_level('service dns forwarding')
 
+    if conf.exists('allow-from'):
+        dns['allow_from'] = conf.return_values('allow-from')
+
     if conf.exists('cache-size'):
         cache_size = conf.return_value('cache-size')
         dns['cache_size'] = cache_size
@@ -216,12 +220,10 @@ def get_config(arguments):
 
     return dns
 
-
 def bracketize_ipv6_addrs(addrs):
     """Wraps each IPv6 addr in addrs in [], leaving IPv4 addrs untouched."""
     return ['[{0}]'.format(a) if a.count(':') > 1 else a for a in addrs]
 
-
 def verify(dns):
     # bail out early - looks like removal from running config
     if dns is None:
@@ -231,6 +233,10 @@ def verify(dns):
         raise ConfigError(
             "Error: DNS forwarding requires either a listen-address (preferred) or a listen-on option")
 
+    if not dns['allow_from']:
+        raise ConfigError(
+                "Error: DNS forwarding requires an allow-from network")
+
     if dns['domains']:
         for domain in dns['domains']:
             if not domain['servers']:
@@ -239,7 +245,6 @@ def verify(dns):
 
     return None
 
-
 def generate(dns):
     # bail out early - looks like removal from running config
     if dns is None:
@@ -251,16 +256,14 @@ def generate(dns):
         f.write(config_text)
     return None
 
-
 def apply(dns):
-    if dns is not None:
-        os.system("systemctl restart pdns-recursor")
-    else:
+    if dns is None:
         # DNS forwarding is removed in the commit
         os.system("systemctl stop pdns-recursor")
         if os.path.isfile(config_file):
             os.unlink(config_file)
-
+    else:
+        os.system("systemctl restart pdns-recursor")
 
 if __name__ == '__main__':
     args = parser.parse_args()
diff --git a/src/migration-scripts/dns-forwarding/0-to-1 b/src/migration-scripts/dns-forwarding/0-to-1
new file mode 100755
index 000000000..6e8720eef
--- /dev/null
+++ b/src/migration-scripts/dns-forwarding/0-to-1
@@ -0,0 +1,50 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2019 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+# This migration script will check if there is a allow-from directive configured
+# for the dns forwarding service - if not, the node will be created with the old
+# default values of 0.0.0.0/0 and ::/0
+
+import sys
+from vyos.configtree import ConfigTree
+
+if (len(sys.argv) < 1):
+    print("Must specify file name!")
+    sys.exit(1)
+
+file_name = sys.argv[1]
+
+with open(file_name, 'r') as f:
+    config_file = f.read()
+
+config = ConfigTree(config_file)
+
+base = ['service', 'dns', 'forwarding']
+if not config.exists(base):
+    # Nothing to do
+    sys.exit(0)
+else:
+    if not config.exists(base + ['allow-from']):
+        config.set(base + ['allow-from'], value='0.0.0.0/0', replace=False)
+        config.set(base + ['allow-from'], value='::/0', replace=False)
+
+    try:
+        with open(file_name, 'w') as f:
+            f.write(config.to_string())
+    except OSError as e:
+        print("Failed to save the modified config: {}".format(e))
+        sys.exit(1)