add option to set router tproxy DNS IP range in generated config and env

openziti · Mar 22, 2024 · 8dfdae4 · 8dfdae4
1 parent 52dd696
commit 8dfdae4
Show file tree

Hide file tree

Showing 9 changed files with 20 additions and 2 deletions.
diff --git a/dist/dist-packages/linux/openziti-router/env b/dist/dist-packages/linux/openziti-router/env
@@ -31,6 +31,8 @@ ZITI_ROUTER_PORT=
 ZITI_ROUTER_MODE=
 # where to listen for DNS requests in tproxy mode (default: udp://127.0.0.1:53)
 ZITI_ROUTER_TPROXY_RESOLVER=
+# CIDR range of IP addresses to assign to DNS clients in tproxy mode (default: 100.64.0.1/10)
+ZITI_ROUTER_DNS_IP_RANGE=
 
 # the interface address on which to listen (default: 0.0.0.0)
 ZITI_ROUTER_BIND_ADDRESS=

diff --git a/dist/dist-packages/linux/openziti-router/ziti-router.service b/dist/dist-packages/linux/openziti-router/ziti-router.service
@@ -21,7 +21,7 @@ LoadCredential=ZITI_ENROLL_TOKEN:/opt/openziti/etc/router/.token
 ## extra permissions
 #
 
-# allow binding low ports, e.g., 443/tcp
+# allow binding low ports, e.g., 443/tcp; required when ZITI_ROUTER_MODE=tproxy or ZITI_ROUTER_PORT <= 1024
 # AmbientCapabilities=CAP_NET_BIND_SERVICE
 # allow adding IP routes and iptables rules; required when ZITI_ROUTER_MODE=tproxy
 # AmbientCapabilities=CAP_NET_ADMIN

diff --git a/ziti/cmd/create/config_templates/router.yml b/ziti/cmd/create/config_templates/router.yml
@@ -41,7 +41,12 @@ link:
 {{ if or .Router.IsFabric (eq .Router.TunnelerMode "none") }}#{{ end }}    options:
 {{ if or .Router.IsFabric (eq .Router.TunnelerMode "none") }}#      mode: host #tproxy|host{{ else }}      mode: {{ .Router.TunnelerMode }} #tproxy|host{{ end }}
 {{ if and (not .Router.IsFabric) (eq .Router.TunnelerMode "tproxy") }}      resolver: {{ .Router.Edge.Resolver }}{{ end }}
-{{ if and (not .Router.IsFabric) (eq .Router.TunnelerMode "tproxy") (.Router.Edge.LanInterface) }}      lanIf: {{ .Router.Edge.LanInterface }}{{ end }}
+{{- if and (not .Router.IsFabric) (eq .Router.TunnelerMode "tproxy") (.Router.Edge.LanInterface) }}
+      lanIf: {{ .Router.Edge.LanInterface }}
+{{- end }}
+{{- if and (not .Router.IsFabric) (eq .Router.TunnelerMode "tproxy") (.Router.Edge.DnsSvcIpRange ) }}
+      dnsSvcIpRange: {{ .Router.Edge.DnsSvcIpRange }}
+{{- end }}
 {{ if .Router.IsFabric -}}
 csr:
   country: US

diff --git a/ziti/cmd/create/create_config.go b/ziti/cmd/create/create_config.go
@@ -168,6 +168,7 @@ type EdgeRouterTemplateValues struct {
 	AdvertisedHost   string
 	LanInterface     string
 	Resolver         string
+	DnsSvcIpRange    string
 	ListenerBindPort string
 	CsrC             string
 	CsrST            string
@@ -284,6 +285,7 @@ func (data *ConfigTemplateValues) PopulateConfigValues() {
 	data.Router.Edge.Port = cmdHelper.GetZitiEdgeRouterPort()
 	data.Router.Edge.ListenerBindPort = cmdHelper.GetZitiEdgeRouterListenerBindPort()
 	data.Router.Edge.Resolver = cmdHelper.GetZitiEdgeRouterResolver()
+	data.Router.Edge.DnsSvcIpRange = cmdHelper.GetZitiEdgeRouterDnsSvcIpRange()
 	data.Router.Edge.CsrC = cmdHelper.GetZitiEdgeRouterC()
 	data.Router.Edge.CsrST = cmdHelper.GetZitiEdgeRouterST()
 	data.Router.Edge.CsrL = cmdHelper.GetZitiEdgeRouterL()

diff --git a/ziti/cmd/create/create_config_environment.go b/ziti/cmd/create/create_config_environment.go
@@ -135,6 +135,7 @@ func NewCmdCreateConfigEnvironment() *cobra.Command {
 				{constants.ZitiEdgeRouterIPOverrideVarName, constants.ZitiEdgeRouterIPOverrideVarDescription, data.Router.Edge.IPOverride},
 				{constants.ZitiEdgeRouterAdvertisedAddressVarName, constants.ZitiEdgeRouterAdvertisedAddressVarDescription, data.Router.Edge.AdvertisedHost},
 				{constants.ZitiEdgeRouterResolverVarName, constants.ZitiEdgeRouterResolverVarDescription, data.Router.Edge.Resolver},
+				{constants.ZitiEdgeRouterDnsSvcIpRangeVarName, constants.ZitiEdgeRouterDnsSvcIpRangeVarDescription, data.Router.Edge.DnsSvcIpRange},
 				{constants.ZitiEdgeRouterCsrCVarName, constants.ZitiEdgeRouterCsrCVarDescription, data.Router.Edge.CsrC},
 				{constants.ZitiEdgeRouterCsrSTVarName, constants.ZitiEdgeRouterCsrSTVarDescription, data.Router.Edge.CsrST},
 				{constants.ZitiEdgeRouterCsrLVarName, constants.ZitiEdgeRouterCsrLVarDescription, data.Router.Edge.CsrL},
@@ -220,6 +221,7 @@ func NewCmdCreateConfigEnvironment() *cobra.Command {
 	sb.WriteString(fmt.Sprintf("%-40s %-50s %s\n", constants.ZitiEdgeRouterIPOverrideVarName, constants.ZitiEdgeRouterIPOverrideVarDescription, data.Router.Edge.IPOverride))
 	sb.WriteString(fmt.Sprintf("%-40s %-50s %s\n", constants.ZitiEdgeRouterAdvertisedAddressVarName, constants.ZitiEdgeRouterAdvertisedAddressVarDescription, data.Router.Edge.AdvertisedHost))
 	sb.WriteString(fmt.Sprintf("%-40s %-50s %s\n", constants.ZitiEdgeRouterResolverVarName, constants.ZitiEdgeRouterResolverVarDescription, data.Router.Edge.Resolver))
+	sb.WriteString(fmt.Sprintf("%-40s %-50s %s\n", constants.ZitiEdgeRouterDnsSvcIpRangeVarName, constants.ZitiEdgeRouterDnsSvcIpRangeVarDescription, data.Router.Edge.DnsSvcIpRange))
 	sb.WriteString(fmt.Sprintf("%-40s %-50s %s\n", constants.ZitiEdgeRouterCsrCVarName, constants.ZitiEdgeRouterCsrCVarDescription, data.Router.Edge.CsrC))
 	sb.WriteString(fmt.Sprintf("%-40s %-50s %s\n", constants.ZitiEdgeRouterCsrSTVarName, constants.ZitiEdgeRouterCsrSTVarDescription, data.Router.Edge.CsrST))
 	sb.WriteString(fmt.Sprintf("%-40s %-50s %s\n", constants.ZitiEdgeRouterCsrLVarName, constants.ZitiEdgeRouterCsrLVarDescription, data.Router.Edge.CsrL))

diff --git a/ziti/cmd/create/create_config_router_edge.go b/ziti/cmd/create/create_config_router_edge.go
@@ -77,6 +77,7 @@ func NewCmdCreateConfigRouterEdge(routerOptions *CreateConfigRouterOptions, data
 			data.Router.TunnelerMode = routerOptions.TunnelerMode
 			data.Router.Edge.LanInterface = routerOptions.LanInterface
 			data.Router.Edge.Resolver = cmdhelper.GetZitiEdgeRouterResolver()
+			data.Router.Edge.DnsSvcIpRange = cmdhelper.GetZitiEdgeRouterDnsSvcIpRange()
 		},
 		Run: func(cmd *cobra.Command, args []string) {
 			routerOptions.Cmd = cmd

diff --git a/ziti/cmd/create/create_config_test.go b/ziti/cmd/create/create_config_test.go
@@ -59,6 +59,7 @@ func getZitiEnvironmentVariables() []string {
 		"ZITI_ROUTER_IDENTITY_CA",
 		"ZITI_ROUTER_IP_OVERRIDE",
 		"ZITI_ROUTER_TPROXY_RESOLVER",
+		"ZITI_ROUTER_DNS_IP_RANGE",
 		"ZITI_NETWORK_NAME",
 		"ZITI_EDGE_IDENTITY_ENROLLMENT_DURATION",
 		"ZITI_ROUTER_ENROLLMENT_DURATION",

diff --git a/ziti/cmd/helpers/env_helpers.go b/ziti/cmd/helpers/env_helpers.go
@@ -206,6 +206,9 @@ func GetRouterAdvertisedAddress() string {
 func GetZitiEdgeRouterResolver() string {
 	return getFromEnv(constants.ZitiEdgeRouterResolverVarName, defaultValue(xgress_edge_tunnel.DefaultDnsResolver))
 }
+func GetZitiEdgeRouterDnsSvcIpRange() string {
+	return getFromEnv(constants.ZitiEdgeRouterDnsSvcIpRangeVarName, defaultValue(xgress_edge_tunnel.DefaultDnsServiceIpRange))
+}
 func GetRouterSans() string {
 	return getFromEnv(constants.ZitiRouterCsrSansDnsVarName, GetRouterAdvertisedAddress)
 }
diff --git a/ziti/constants/constants.go b/ziti/constants/constants.go
@@ -129,6 +129,8 @@ const (
 	ZitiEdgeRouterListenerBindPortVarDescription     = "The port a public router will advertise on"
 	ZitiEdgeRouterResolverVarName                    = "ZITI_ROUTER_TPROXY_RESOLVER"
 	ZitiEdgeRouterResolverVarDescription             = "The bind URI to listen for DNS requests in tproxy mode"
+	ZitiEdgeRouterDnsSvcIpRangeVarName               = "ZITI_ROUTER_DNS_IP_RANGE"
+	ZitiEdgeRouterDnsSvcIpRangeVarDescription        = "The CIDR range to use for Ziti DNS in tproxy mode"
 	ZitiEdgeRouterCsrCVarName                        = "ZITI_ROUTER_CSR_C"
 	ZitiEdgeRouterCsrCVarDescription                 = "The country (C) to use for router CSRs"
 	ZitiEdgeRouterCsrSTVarName                       = "ZITI_ROUTER_CSR_ST"