mgrotke/linuxrouter
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Added dnsmasq DNS listening on container bridge interfaces; corrected ddns.json

Browse source
This commit is contained in:
Matthew Grotke 2026-04-14 21:50:55 -04:00
parent 9c043ae30c
commit 2d50a982b8
3 changed files with 56 additions and 34 deletions
Download patch file Download diff file Expand all files Collapse all files

1
README.md
View file

@ -41,6 +41,7 @@ The suite is organized into three independent but complementary scripts, each ma
- Enforces inter-VLAN isolation by default (forward chain policy drop); specific cross-VLAN traffic is permitted via `inter_vlan_exceptions` - Enforces inter-VLAN isolation by default (forward chain policy drop); specific cross-VLAN traffic is permitted via `inter_vlan_exceptions`
- Masquerades outbound traffic for all non-WireGuard VLANs automatically - Masquerades outbound traffic for all non-WireGuard VLANs automatically
- Auto-detects active container bridge interfaces (Docker, Podman, libvirt, etc.) and adds forward rules so VLAN clients can reach containerized services - Auto-detects active container bridge interfaces (Docker, Podman, libvirt, etc.) and adds forward rules so VLAN clients can reach containerized services
- Auto-detects active container bridge interfaces and adds DNS listening on each bridge IP, so containers can reach the local DNS resolver during builds and at runtime (container services, e.g. Docker, Podman, must be running at the time of `--apply`)
- Installs a `systemd` boot service (`core-nat.service`) to re-apply firewall rules on every boot - Installs a `systemd` boot service (`core-nat.service`) to re-apply firewall rules on every boot
- Co-exists with Docker (does not touch Docker-managed `nat`/`filter` tables) - Co-exists with Docker (does not touch Docker-managed `nat`/`filter` tables)
- Generates FreeRADIUS `clients.conf` and `users` files from `core.json` reservations, enabling dynamic VLAN assignment via MAC Authentication Bypass (MAB) for both wired (802.1X) and wireless clients - Generates FreeRADIUS `clients.conf` and `users` files from `core.json` reservations, enabling dynamic VLAN assignment via MAC Authentication Bypass (MAB) for both wired (802.1X) and wireless clients

32
core.py
View file

@ -983,6 +983,11 @@ def build_vlan_dnsmasq_conf(vlan, data):
line("bind-interfaces") line("bind-interfaces")
line(f"listen-address={gateway}") line(f"listen-address={gateway}")
line(f"interface={iface}") line(f"interface={iface}")
if is_physical(vlan):
bridge_ips = get_container_bridge_ips()
for bridge, ip in bridge_ips.items():
line(f"interface={bridge}")
line(f"listen-address={ip}")
line() line()
if not is_wg(vlan): if not is_wg(vlan):
@ -1320,6 +1325,33 @@ def get_container_bridges():
except Exception: except Exception:
return [] return []
def get_container_bridge_ips():
"""Return {ifname: ip} for all active container bridge interfaces.
Used to add listen-address directives to the physical VLAN's dnsmasq
instance so containers can reach the local DNS resolver.
Works universally for Docker, Podman, LXC, libvirt, etc.
"""
try:
result = subprocess.run(
["ip", "-j", "addr", "show", "type", "bridge"],
capture_output=True, text=True, timeout=5
)
if result.returncode != 0:
return {}
import json as _json
links = _json.loads(result.stdout)
out = {}
for l in links:
if l.get("operstate") != "UP":
continue
for addr in l.get("addr_info", []):
if addr.get("family") == "inet":
out[l["ifname"]] = addr["local"]
break
return out
except Exception:
return {}
def apply_dnsmasq_instances(data, dry_run=False, start_if_needed=True): def apply_dnsmasq_instances(data, dry_run=False, start_if_needed=True):
"""Write per-VLAN dnsmasq configs and service units. """Write per-VLAN dnsmasq configs and service units.

57
ddns.json
View file

@ -1,51 +1,40 @@
{ {
"general": { "general": {
"log_max_kb": 512, "log_max_kb": 1024,
"log_errors_only": false "log_errors_only": false,
"ip_check_services": [
"https://api.ipify.org",
"https://ifconfig.me/ip",
"https://icanhazip.com",
"https://api4.my-ip.io/ip",
"https://ipv4.icanhazip.com",
"https://checkip.amazonaws.com",
"https://ipinfo.io/ip",
"https://ipecho.net/plain",
"https://ident.me",
"https://myip.dnsomatic.com",
"https://wtfismyip.com/text"
],
"timer_interval": "10m"
}, },
"providers": [ "providers": [
{ {
"description": "No-IP Main Account", "description": "No-IP Main Account",
"provider": "noip",
"enabled": true, "enabled": true,
"type": "noip", "username": "your-username",
"username": "your-noip-username", "password": "your-password",
"password": "your-noip-password",
"hostnames": [ "hostnames": [
"myhome.ddns.net" "grotke.ddns.net"
],
"timer_interval": "5m",
"ip_check_services": [
"https://api.ipify.org",
"https://ipv4.icanhazip.com",
"https://checkip.amazonaws.com",
"https://myip.dnsomatic.com",
"https://api4.my-ip.io/ip",
"https://ipinfo.io/ip",
"https://ip4.seeip.org",
"https://ipv4bot.whatismyipaddress.com",
"http://checkip.dyndns.org/"
] ]
}, },
{ {
"description": "DuckDNS Account", "description": "DuckDNS Main Account",
"provider": "duckdns",
"enabled": false, "enabled": false,
"type": "duckdns",
"token": "your-duckdns-token", "token": "your-duckdns-token",
"subdomains": [ "subdomains": [
"myhome" "yoursubdomain"
],
"timer_interval": "5m",
"ip_check_services": [
"https://api.ipify.org",
"https://ipv4.icanhazip.com",
"https://checkip.amazonaws.com",
"https://myip.dnsomatic.com",
"https://api4.my-ip.io/ip",
"https://ipinfo.io/ip",
"https://ip4.seeip.org",
"https://ipv4bot.whatismyipaddress.com",
"http://checkip.dyndns.org/"
] ]
} }
] ]