Add routing management feature

New routing management feature allows dnsconfd to submit routes
to used DNS servers when necessary. This means situtation
when only one interface is able and allowed to contact the server.
Submitting of routes is done through Network Manager as it is
so far the default supported environment.
Feature can be turned off by setting handle-routing to no.

distribution/com.redhat.dnsconfd.conf

@@ -43,5 +43,11 @@
                send_member="RestartUnit"/>
         <allow receive_sender="org.freedesktop.systemd1"/>
 		<allow send_destination="org.freedesktop.systemd1" send_interface="org.freedesktop.DBus.Introspectable" />
+		<allow send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.DBus.Introspectable" />
+		<allow send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.NetworkManager" send_member="GetDeviceByIpIface"/>
+		<allow send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.NetworkManager.Device" send_member="GetAppliedConnection"/>
+		<allow send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.NetworkManager.Device" send_member="Reapply"/>
+		<allow send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.DBus.Properties" />
+		<allow receive_sender="org.freedesktop.NetworkManager"/>
 	</policy>
 </busconfig>

distribution/dnsconfd-config.8

@@ -1,4 +1,4 @@
-.TH "dnsconfd-config" "8" "10 Oct 2023" "dnsconfd-1.0.2" ""
+.TH "dnsconfd-config" "8" "10 Oct 2023" "dnsconfd-1.1.2" ""
 
 .SH NAME
 

distribution/dnsconfd-reload.8

@@ -1,4 +1,4 @@
-.TH "dnsconfd-reload" "8" "10 Oct 2023" "dnsconfd-1.0.2" ""
+.TH "dnsconfd-reload" "8" "10 Oct 2023" "dnsconfd-1.1.2" ""
 
 .SH NAME
 

distribution/dnsconfd-status.8

@@ -1,4 +1,4 @@
-.TH "dnsconfd-status" "8" "10 Oct 2023" "dnsconfd-1.0.2" ""
+.TH "dnsconfd-status" "8" "10 Oct 2023" "dnsconfd-1.1.2" ""
 
 .SH NAME
 

distribution/dnsconfd.8

@@ -1,4 +1,4 @@
-.TH "dnsconfd" "8" "10 Oct 2023" "dnsconfd-1.0.2" ""
+.TH "dnsconfd" "8" "10 Oct 2023" "dnsconfd-1.1.2" ""
 
 .SH NAME
 
@@ -33,6 +33,8 @@ Path where config file is located, default /etc/dnsconfd.conf
 Options to be used in resolv.conf for alteration of resolver, default "edns0 trust-ad"
 .IP "--dnssec-enabled options"
 Enable dnssec record validation, default no
+.IP "--handle-routing"
+Dnsconfd will submit necessary routes to routing manager, default yes
 
 .SH "EXIT STATUS"
 
@@ -46,6 +48,8 @@ Failed communication through DBUS.
 Failed interaction with resolv.conf
 .IP 4
 Failed to configure dns cache service
+.IP 5
+Failed to set up necessary routes
 
 .SH ENVIRONMENT
 Environment variables have lower priority than command line options but higher
@@ -67,11 +71,18 @@ Path where config file is located, default /etc/dnsconfd.conf
 Options to be used in resolv.conf for alteration of resolver, default "edns0 trust-ad"
 .IP DNSSEC_ENABLED
 Enable dnssec record validation, default no
+.IP HANDLE_ROUTING
+Dnsconfd will submit necessary routes to routing manager, default yes
 
 .SH FILES
 Dnsconfd manages resolv.conf to route domain name resolution to local cache service.
 Default location of the configuration file is /etc/dnsconfd.conf.
 
+.SH ROUTING
+Dnsconfd by default submits routes through NetworkManager, so system contacts
+DNS servers through the right interfaces. This behaviour can be turned off
+by setting handle_routing option to 'no'.
+
 .SH NOTES
 The only currently supported backend is Unbound.
 

distribution/dnsconfd.rules

@@ -6,3 +6,10 @@ polkit.addRule(function(action, subject) {
         return polkit.Result.YES;
     }
 })
+polkit.addRule(function(action, subject) {
+    if (action.id == "org.freedesktop.NetworkManager.network-control" &&
+        subject.user == "dnsconfd")
+    {
+            return polkit.Result.YES;
+    }
+});

distribution/dnsconfd.spec

@@ -2,7 +2,7 @@
 %global selinuxtype targeted
 
 Name:           dnsconfd
-Version:        1.0.2
+Version:        1.1.2
 Release:        1%{?dist}
 Summary:        Local DNS cache configuration daemon
 License:        MIT
@@ -168,6 +168,9 @@ fi
 %{_tmpfilesdir}/dnsconfd-unbound.conf
 
 %changelog
+* Mon Jul 22 2024 Tomas Korbar <[email protected]> - 1.1.2-1
+- Release 1.1.2
+
 * Thu Jun 27 2024 Tomas Korbar <[email protected]> - 1.0.2-1
 - Release 1.0.2
 

distribution/dnsconfd.te

@@ -30,6 +30,7 @@ require {
     type tmp_t;
     type tmpfs_t;
     type NetworkManager_var_run_t;
+    type NetworkManager_t;
 }
 
 type dnsconfd_t;
@@ -110,3 +111,5 @@ allow dnsconfd_t dnsconfd_var_run_t:file { open write getattr ioctl read };
 allow dnsconfd_t dnsconfd_var_run_t:dir search;
 
 allow dnsconfd_t dnsconfd_t:dbus send_msg;
+
+allow dnsconfd_t NetworkManager_t:dbus send_msg;

dnsconfd/argument_parser.py

@@ -40,7 +40,11 @@ def __init__(self, *args, **kwargs) -> None:
              "edns0 trust-ad"),
             ("dnssec_enabled",
              "Enable dnssec record validation, default no",
-             False)
+             False),
+            ("handle_routing",
+             "Dnsconfd will submit necessary routes to routing manager, "
+             "default yes",
+             True)
         ]
 
     def add_arguments(self):
@@ -162,5 +166,8 @@ def _read_config(self, path: str) -> dict:
             # when invalid config is provided
             self.lgr.warning("Bad config provided")
             return {arg: val for (arg, _, val) in self._config_values}
+        for key in config.keys():
+            if config[key] == "yes":
+                config[key] = True
 
         return config

dnsconfd/fsm/context_state.py

@@ -23,3 +23,5 @@ class ContextState(Enum):
     WAITING_RESTART_JOB = 17  # interrupt
     REVERT_RESOLV_ON_FAILED_RESTART = 18
     CONFIGURING_DNS_MANAGER = 19
+    UPDATING_ROUTES = 20
+    REMOVING_ROUTES = 21