diff --git a/src/conf_mode/dns_forwarding.py b/src/conf_mode/dns_forwarding.py
index 7559a0af6..491bb0120 100755
--- a/src/conf_mode/dns_forwarding.py
+++ b/src/conf_mode/dns_forwarding.py
@@ -1,275 +1,283 @@
#!/usr/bin/env python3
#
# Copyright (C) 2018 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
#
import sys
import os
import argparse
import jinja2
import netifaces
+import vyos.util
+
from vyos.config import Config
from vyos import ConfigError
parser = argparse.ArgumentParser()
parser.add_argument("--dhclient", action="store_true",
help="Started from dhclient-script")
config_file = r'/etc/powerdns/recursor.conf'
# XXX: pdns recursor doesn't like whitespace near entry separators,
# especially in the semicolon-separated lists of name servers.
# Please be careful if you edit the template.
config_tmpl = """
### Autogenerated by dns_forwarding.py ###
# Non-configurable defaults
daemon=yes
threads=1
allow-from=0.0.0.0/0, ::/0
log-common-errors=yes
non-local-bind=yes
query-local-address=0.0.0.0
query-local-address6=::
# cache-size
max-cache-entries={{ cache_size }}
# negative TTL for NXDOMAIN
max-negative-ttl={{ negative_ttl }}
# ignore-hosts-file
export-etc-hosts={{ export_hosts_file }}
# listen-on
local-address={{ listen_on | join(',') }}
# domain ... server ...
{% if domains -%}
forward-zones={% for d in domains %}
{{ d.name }}={{ d.servers | join(";") }}
{{- "," if not loop.last -}}
{% endfor %}
{% endif %}
# dnssec
dnssec={{ dnssec }}
{% if name_servers -%}
# name-server
forward-zones-recurse=.={{ name_servers | join(';') }}
{% else %}
# no name-servers specified - start full recursor
{% endif %}
"""
default_config_data = {
'cache_size': 10000,
'export_hosts_file': 'yes',
'listen_on': [],
'interfaces': [],
'name_servers': [],
'negative_ttl': 3600,
'domains': [],
'dnssec': 'process-no-validate'
}
# borrowed from: https://github.com/donjajo/py-world/blob/master/resolvconfReader.py, THX!
def get_resolvers(file):
try:
with open(file, 'r') as resolvconf:
lines = [line.split('#', 1)[0].rstrip()
for line in resolvconf.readlines()]
resolvers = [line.split()[1]
for line in lines if 'nameserver' in line]
return resolvers
except IOError:
return []
def get_config(arguments):
dns = default_config_data
conf = Config()
if arguments.dhclient:
conf.exists = conf.exists_effective
conf.return_value = conf.return_effective_value
conf.return_values = conf.return_effective_values
if not conf.exists('service dns forwarding'):
return None
conf.set_level('service dns forwarding')
if conf.exists('cache-size'):
cache_size = conf.return_value('cache-size')
dns['cache_size'] = cache_size
if conf.exists('negative-ttl'):
negative_ttl = conf.return_value('negative-ttl')
dns['negative_ttl'] = negative_ttl
if conf.exists('domain'):
for node in conf.list_nodes('domain'):
servers = conf.return_values("domain {0} server".format(node))
domain = {
"name": node,
"servers": bracketize_ipv6_addrs(servers)
}
dns['domains'].append(domain)
if conf.exists('ignore-hosts-file'):
dns['export_hosts_file'] = "no"
if conf.exists('name-server'):
name_servers = conf.return_values('name-server')
dns['name_servers'] = dns['name_servers'] + name_servers
if conf.exists('system'):
conf.set_level('system')
system_name_servers = []
system_name_servers = conf.return_values('name-server')
if not system_name_servers:
print(
"DNS forwarding warning: No name-servers set under 'system name-server'\n")
else:
dns['name_servers'] = dns['name_servers'] + system_name_servers
conf.set_level('service dns forwarding')
dns['name_servers'] = bracketize_ipv6_addrs(dns['name_servers'])
if conf.exists('listen-address'):
dns['listen_on'] = conf.return_values('listen-address')
if conf.exists('dnssec'):
dns['dnssec'] = conf.return_value('dnssec')
## Hacks and tricks
# The old VyOS syntax that comes from dnsmasq was "listen-on $interface".
# pdns wants addresses instead, so we emulate it by looking up all addresses
# of a given interface and writing them to the config
if conf.exists('listen-on'):
print("WARNING: since VyOS 1.2.0, \"service dns forwarding listen-on\" is a limited compatibility option.")
print("It will only make DNS forwarder listen on addresses assigned to the interface at the time of commit")
print("which means it will NOT work properly with VRRP/clustering or addresses received from DHCP.")
print("Please reconfigure your system with \"service dns forwarding listen-address\" instead.")
interfaces = conf.return_values('listen-on')
listen4 = []
listen6 = []
for interface in interfaces:
try:
addrs = netifaces.ifaddresses(interface)
except ValueError:
print(
"WARNING: interface {0} does not exist".format(interface))
continue
if netifaces.AF_INET in addrs.keys():
for ip4 in addrs[netifaces.AF_INET]:
listen4.append(ip4['addr'])
if netifaces.AF_INET6 in addrs.keys():
for ip6 in addrs[netifaces.AF_INET6]:
listen6.append(ip6['addr'])
if (not listen4) and (not (listen6)):
print(
"WARNING: interface {0} has no configured addresses".format(interface))
dns['listen_on'] = dns['listen_on'] + listen4 + listen6
# Save interfaces in the dict for the reference
dns['interfaces'] = interfaces
# Add name servers received from DHCP
if conf.exists('dhcp'):
interfaces = []
interfaces = conf.return_values('dhcp')
for interface in interfaces:
dhcp_resolvers = get_resolvers(
"/etc/resolv.conf.dhclient-new-{0}".format(interface))
if dhcp_resolvers:
dns['name_servers'] = dns['name_servers'] + dhcp_resolvers
return dns
def bracketize_ipv6_addrs(addrs):
"""Wraps each IPv6 addr in addrs in [], leaving IPv4 addrs untouched."""
return ['[{0}]'.format(a) if a.count(':') > 1 else a for a in addrs]
def verify(dns):
# bail out early - looks like removal from running config
if dns is None:
return None
if not dns['listen_on']:
raise ConfigError(
"Error: DNS forwarding requires either a listen-address (preferred) or a listen-on option")
if dns['domains']:
for domain in dns['domains']:
if not domain['servers']:
raise ConfigError(
'Error: No server configured for domain {0}'.format(domain['name']))
return None
def generate(dns):
# bail out early - looks like removal from running config
if dns is None:
return None
tmpl = jinja2.Template(config_tmpl, trim_blocks=True)
config_text = tmpl.render(dns)
with open(config_file, 'w') as f:
f.write(config_text)
return None
def apply(dns):
if dns is not None:
os.system("systemctl restart pdns-recursor")
else:
# DNS forwarding is removed in the commit
os.system("systemctl stop pdns-recursor")
if os.path.isfile(config_file):
os.unlink(config_file)
if __name__ == '__main__':
args = parser.parse_args()
+
+ if args.dhclient:
+ # There's a big chance it was triggered by a commit still in progress
+ # so we need to wait until the new values are in the running config
+ vyos.util.wait_for_commit_lock()
+
try:
c = get_config(args)
verify(c)
generate(c)
apply(c)
except ConfigError as e:
print(e)
sys.exit(1)