From 39a4a950d62af21f410dc3469e3d4c13852766c2 Mon Sep 17 00:00:00 2001 From: Robin Schneider Date: Sat, 27 Aug 2016 19:57:33 +0200 Subject: [PATCH] Add `dnsmasq__external_dns` for limiting DNS by dnsmasq to localhost --- CHANGES.rst | 3 +++ defaults/main.yml | 12 ++++++++++-- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/CHANGES.rst b/CHANGES.rst index 7de006e..b216bec 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -28,6 +28,9 @@ Added - Add :envvar:`dnsmasq__group_options` and :envvar:`dnsmasq__host_options` with the same function as ``dnsmasq_options``. [ypid_] +- Add :envvar:`dnsmasq__external_dns` which can be used to only provided DNS + for localhost. [ypid_] + Changed ~~~~~~~ diff --git a/defaults/main.yml b/defaults/main.yml index dac2a51..c5b7949 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -22,6 +22,13 @@ dnsmasq_public_dns: False +# .. envvar:: dnsmasq__external_dns +# +# Enable or disable external DNS support. +# If set to ``False`` then only allow DNS queries from localhost. +dnsmasq__external_dns: True + + # .. envvar:: dnsmasq_dhcpv4 # # Enable or disable DHCPv4 support. @@ -245,6 +252,7 @@ dnsmasq__ferm__dependent_rules: protocol: [ 'udp', 'tcp' ] dport: [ 'domain' ] accept_any: True + rule_state: '{{ dnsmasq__external_dns|bool | ternary("present", "absent") }}' interface: '{{ [] if (dnsmasq_public_dns|bool) else (dnsmasq_interfaces | map(attribute="interface") | list) }}' @@ -255,7 +263,7 @@ dnsmasq__ferm__dependent_rules: weight: '40' protocol: [ 'udp', 'tcp' ] dport: [ 'bootps' ] - rule_state: '{{ "present" if (dnsmasq_dhcpv4|bool) else "absent" }}' + rule_state: '{{ dnsmasq_dhcpv4|bool | ternary("present", "absent") }}' interface: '{{ dnsmasq_interfaces | map(attribute="interface") | list | difference(dnsmasq_no_dhcp_interfaces) }}' 
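Review bot: The doc comment added for `dnsmasq__external_dns` in the first `defaults/main.yml` hunk promises more than this commit visibly enforces. The only consumer of the variable here is the `rule_state` of the ferm DNS rule, and the diffstat lists no template change, so dnsmasq itself presumably keeps listening on the configured interfaces. On a host where the firewall is disabled or its default policy accepts traffic, setting the variable to `False` would then leave the resolver reachable. I would state the mechanism in the comment, for example `# If set to ``False`` the firewall rule accepting DNS queries is removed;` followed by `# the interfaces dnsmasq listens on are not changed by this variable.`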
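Review bot: The `rule_state` added to the DNS rule in the second `defaults/main.yml` hunk silently takes precedence over `dnsmasq_public_dns`, and nothing documents that. With `dnsmasq_public_dns: True` and `dnsmasq__external_dns: False` the whole rule is absent, so the `interface` expression is never applied. The internal `dnsmasq_interfaces` lose their DNS accept rule as well, while the DHCP rules in the following hunks stay governed by `dnsmasq_dhcpv4` and `dnsmasq_dhcpv6`, so DHCP clients may be directed to a resolver they cannot reach. A comment above the new line would make this explicit, for example `# dnsmasq__external_dns=False removes this rule for all interfaces and overrides dnsmasq_public_dns`. The rule entry begins above this hunk, so its name and type are not visible here.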
@@ -267,7 +275,7 @@ dnsmasq__ferm__dependent_rules: daddr: [ 'ff02::1:2' ] protocol: [ 'udp', 'tcp' ] dport: [ 'dhcpv6-client', 'dhcpv6-server' ] - rule_state: '{{ "present" if (dnsmasq_dhcpv6|bool) else "absent" }}' + rule_state: '{{ dnsmasq_dhcpv6|bool | ternary("present", "absent") }}' interface: '{{ dnsmasq_interfaces | map(attribute="interface") | list | difference(dnsmasq_no_dhcp_interfaces) }}'