From 70af9ab692ec7cc4bc5b3c5f6204670ba37467a7 Mon Sep 17 00:00:00 2001 From: Valentin Knabel Date: Fri, 22 Mar 2024 13:40:27 +0100 Subject: [PATCH 1/9] fix: initial dns for proxy --- controllers/clusterwidenetworkpolicy_controller.go | 2 +- pkg/dns/dns_proxy_handler.go | 2 +- pkg/dns/dnscache.go | 4 ++-- pkg/dns/dnsproxy.go | 7 +++++-- 4 files changed, 9 insertions(+), 6 deletions(-) diff --git a/controllers/clusterwidenetworkpolicy_controller.go b/controllers/clusterwidenetworkpolicy_controller.go index b26bc738..73e49fc6 100644 --- a/controllers/clusterwidenetworkpolicy_controller.go +++ b/controllers/clusterwidenetworkpolicy_controller.go @@ -142,7 +142,7 @@ func (r *ClusterwideNetworkPolicyReconciler) manageDNSProxy( if enableDNS && r.DnsProxy == nil { r.Log.Info("DNS Proxy is initialized") - if r.DnsProxy, err = dns.NewDNSProxy(f.Spec.DNSPort, ctrl.Log.WithName("DNS proxy")); err != nil { + if r.DnsProxy, err = dns.NewDNSProxy(f.Spec.DNSServerAddress, f.Spec.DNSPort, ctrl.Log.WithName("DNS proxy")); err != nil { return fmt.Errorf("failed to init DNS proxy: %w", err) } go r.DnsProxy.Run(ctx) diff --git a/pkg/dns/dns_proxy_handler.go b/pkg/dns/dns_proxy_handler.go index 15ed6009..35543b26 100644 --- a/pkg/dns/dns_proxy_handler.go +++ b/pkg/dns/dns_proxy_handler.go @@ -38,7 +38,7 @@ func NewDNSProxyHandler(log logr.Logger, cache *DNSCache) *DNSProxyHandler { log: log.WithName("DNS handler"), udpClient: udpClient, tcpClient: tcpClient, - dnsServerAddr: defaultDNSServerAddr, + dnsServerAddr: cache.dnsServerAddr, updateCache: getUpdateCacheFunc(log, cache), } } diff --git a/pkg/dns/dnscache.go b/pkg/dns/dnscache.go index 3c5dbfc8..aa5be334 100644 --- a/pkg/dns/dnscache.go +++ b/pkg/dns/dnscache.go 
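Review bot: In `manageDNSProxy` (controllers/clusterwidenetworkpolicy_controller.go) the new first argument to `dns.NewDNSProxy` is the raw `f.Spec.DNSServerAddress`, and the dns_proxy_handler.go hunk then takes the handler's upstream from `cache.dnsServerAddr`. Nothing visible here checks that the spec value is a usable `host:port`, and PATCH 2/9 on this page appends a port only on the update path, so the start-up path and the update path can hand the resolver differently shaped addresses. I would build the address once, e.g. `addr := net.JoinHostPort(host, strconv.Itoa(port))`, and pass that same value to both `NewDNSProxy` and `UpdateDNSServerAddr`. The enclosing function starts and ends outside the hunk.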
@@ -115,12 +115,12 @@ type DNSCache struct { ipv6Enabled bool } -func newDNSCache(ipv4Enabled, ipv6Enabled bool, log logr.Logger) *DNSCache { +func newDNSCache(dns string, ipv4Enabled, ipv6Enabled bool, log logr.Logger) *DNSCache { return &DNSCache{ log: log, fqdnToEntry: map[string]cacheEntry{}, setNames: map[string]struct{}{}, - dnsServerAddr: defaultDNSServerAddr, + dnsServerAddr: dns, ipv4Enabled: ipv4Enabled, ipv6Enabled: ipv6Enabled, } diff --git a/pkg/dns/dnsproxy.go b/pkg/dns/dnsproxy.go index d5056de2..d7163677 100644 --- a/pkg/dns/dnsproxy.go +++ b/pkg/dns/dnsproxy.go @@ -36,8 +36,11 @@ type DNSProxy struct { handler DNSHandler } -func NewDNSProxy(port *uint, log logr.Logger) (*DNSProxy, error) { - cache := newDNSCache(true, false, log.WithName("DNS cache")) +func NewDNSProxy(dns string, port *uint, log logr.Logger) (*DNSProxy, error) { + if dns == "" { + dns = defaultDNSServerAddr + } + cache := newDNSCache(dns, true, false, log.WithName("DNS cache")) handler := NewDNSProxyHandler(log, cache) host, err := getHost() From ad2c4ccd5980693eac794cce66ecf8037eca5917 Mon Sep 17 00:00:00 2001 From: Valentin Knabel Date: Wed, 10 Apr 2024 10:06:35 +0200 Subject: [PATCH 2/9] fix(dns): add port if missing --- controllers/clusterwidenetworkpolicy_controller.go | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/controllers/clusterwidenetworkpolicy_controller.go b/controllers/clusterwidenetworkpolicy_controller.go index 73e49fc6..7f2fe8af 100644 --- a/controllers/clusterwidenetworkpolicy_controller.go +++ b/controllers/clusterwidenetworkpolicy_controller.go 
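Review bot: `NewDNSProxy` in pkg/dns/dnsproxy.go substitutes `defaultDNSServerAddr` only for the empty string and otherwise stores the caller's value unchecked through `newDNSCache`. Assuming the resolver client expects `host:port` (as PATCH 2/9 suggests), a bare address can be normalised here so every caller gets the same behaviour: `if _, _, err := net.SplitHostPort(dns); err != nil { dns = net.JoinHostPort(dns, "53") }`. The parameter name `dns` (also used in `newDNSCache`) is the package's own name and would shadow an imported `dns` package if the file has one; `dnsServerAddr` would match the field it fills. The exported constructor has no doc comment; one stating what `dns` and `port` mean and that an empty `dns` selects the default would help. The body continues past the end of the hunk.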
@@ -154,7 +154,12 @@ func (r *ClusterwideNetworkPolicyReconciler) manageDNSProxy( // If proxy is ON, update DNS address(if it's set in spec) if r.DnsProxy != nil && f.Spec.DNSServerAddress != "" { - if err = r.DnsProxy.UpdateDNSServerAddr(f.Spec.DNSServerAddress); err != nil { + port := 53 + if f.Spec.DNSPort != nil { + port = int(*f.Spec.DNSPort) + } + addr := fmt.Sprintf("%s:%d", f.Spec.DNSServerAddress, port) + if err = r.DnsProxy.UpdateDNSServerAddr(addr); err != nil { return fmt.Errorf("failed to update DNS server address: %w", err) } } From c990a4abba9917b2a39d7e0b77c5094bbfef6edf Mon Sep 17 00:00:00 2001 From: Valentin Knabel Date: Wed, 17 Apr 2024 10:20:01 +0200 Subject: [PATCH 3/9] feat: redirect dns and allow firewall proxy dns --- pkg/dns/dnsproxy.go | 4 ++++ pkg/nftables/firewall.go | 1 + pkg/nftables/mocks/mock_fqdncache.go | 15 +++++++++++++++ pkg/nftables/networkpolicy.go | 13 +++++++++++++ pkg/nftables/nftables.tpl | 14 ++++++++++++++ pkg/nftables/rendering.go | 15 ++++++++++++++- 6 files changed, 61 insertions(+), 1 deletion(-) diff --git a/pkg/dns/dnsproxy.go b/pkg/dns/dnsproxy.go index d7163677..7e5a13a3 100644 --- a/pkg/dns/dnsproxy.go +++ b/pkg/dns/dnsproxy.go @@ -124,6 +124,10 @@ func (p *DNSProxy) IsInitialized() bool { return p != nil } +func (p *DNSProxy) CacheAddr() (string, error) { + return getHost() +} + func getHost() (string, error) { c, err := netconf.New(network.GetLogger(), network.MetalNetworkerConfig) if err != nil || c == nil { diff --git a/pkg/nftables/firewall.go b/pkg/nftables/firewall.go index 19e4ac83..f8fa845e 100644 --- a/pkg/nftables/firewall.go +++ b/pkg/nftables/firewall.go @@ -40,6 +40,7 @@ type FQDNCache interface { GetSetsForRendering(fqdns []firewallv1.FQDNSelector) (result []dns.RenderIPSet) GetSetsForFQDN(fqdn firewallv1.FQDNSelector, fqdnSets []firewallv1.IPSet) (result []firewallv1.IPSet) IsInitialized() bool + CacheAddr() (string, error) } // Firewall assembles nftable rules based on k8s entities 
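Review bot: The new block in `manageDNSProxy` appends a port unconditionally although the commit subject says "add port if missing": a `DNSServerAddress` that already carries a port becomes `host:53:53`, and `fmt.Sprintf("%s:%d", …)` does not bracket an IPv6 literal. Either case gives `UpdateDNSServerAddr` an address the resolver presumably cannot dial, leaving the proxy without a working upstream. `f.Spec.DNSPort` is also what PATCH 1/9 passes to `dns.NewDNSProxy` as `port`; if that is the proxy's own listen port, reusing it as the upstream port deserves a second look. The sketch below checks for an existing port first and uses `net.JoinHostPort`; it needs `net` and `strconv` imported, and the function continues outside the hunk.

```go
addr := f.Spec.DNSServerAddress
if _, _, splitErr := net.SplitHostPort(addr); splitErr != nil {
	// No port in the spec value: append the configured one, else 53.
	port := 53
	if f.Spec.DNSPort != nil {
		port = int(*f.Spec.DNSPort)
	}
	addr = net.JoinHostPort(addr, strconv.Itoa(port))
}
if err = r.DnsProxy.UpdateDNSServerAddr(addr); err != nil {
	// … unchanged: error return …
```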
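Review bot: `CacheAddr` in pkg/dns/dnsproxy.go ignores its receiver and calls `getHost()`, which builds a new `netconf` reader on each call. Later hunks in this commit call it from `clusterwideNetworkPolicyEgressDNSCacheRules` whenever the firewall rendering data is built, so a transient read failure there aborts the whole ruleset render. `NewDNSProxy` already resolves `host` once via `getHost()`; keeping that value on the struct and returning it here would tie the accept rule to the address the proxy was presumably started with. A doc comment is missing as well, for example `// CacheAddr returns the host address used by the DNS proxy.`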
diff --git a/pkg/nftables/mocks/mock_fqdncache.go b/pkg/nftables/mocks/mock_fqdncache.go index 568cf1fc..cc5aa232 100644 --- a/pkg/nftables/mocks/mock_fqdncache.go +++ b/pkg/nftables/mocks/mock_fqdncache.go @@ -35,6 +35,21 @@ func (m *MockFQDNCache) EXPECT() *MockFQDNCacheMockRecorder { return m.recorder } +// CacheAddr mocks base method. +func (m *MockFQDNCache) CacheAddr() (string, error) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "CacheAddr") + ret0, _ := ret[0].(string) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// CacheAddr indicates an expected call of CacheAddr. +func (mr *MockFQDNCacheMockRecorder) CacheAddr() *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CacheAddr", reflect.TypeOf((*MockFQDNCache)(nil).CacheAddr)) +} + // GetSetsForFQDN mocks base method. func (m *MockFQDNCache) GetSetsForFQDN(arg0 v1.FQDNSelector, arg1 []v1.IPSet) []v1.IPSet { m.ctrl.T.Helper() diff --git a/pkg/nftables/networkpolicy.go b/pkg/nftables/networkpolicy.go index f6dfc3df..2b6cbba4 100644 --- a/pkg/nftables/networkpolicy.go +++ b/pkg/nftables/networkpolicy.go @@ -60,6 +60,19 @@ func clusterwideNetworkPolicyIngressRules(np firewallv1.ClusterwideNetworkPolicy return uniqueSorted(rules) } +func clusterwideNetworkPolicyEgressDNSCacheRules(cache FQDNCache, logAcceptedConnections bool) (nftablesRules, error) { + addr, err := cache.CacheAddr() + if err != nil { + return nil, err + } + base := []string{"ip saddr == @cluster_prefixes", fmt.Sprintf("ip daddr { %s }", addr)} + comment := fmt.Sprintf("accept traffic for dns cache") + return nftablesRules{ + assembleDestinationPortRule(base, "tcp", []string{"53"}, logAcceptedConnections, comment+" tcp"), + assembleDestinationPortRule(base, "udp", []string{"53"}, logAcceptedConnections, comment+" udp"), + }, nil +} + func clusterwideNetworkPolicyEgressRules( cache FQDNCache, np firewallv1.ClusterwideNetworkPolicy, 
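Review bot: `clusterwideNetworkPolicyEgressDNSCacheRules` in pkg/nftables/networkpolicy.go writes `addr` straight into `ip daddr { %s }` and hard-codes destination port 53. `ip daddr` matches IPv4 only, so `addr` should be parsed first (`netip.ParseAddr` plus `Is4()`) and an error returned otherwise, instead of emitting a rule that fails when the ruleset is loaded. If the proxy can listen on a port other than 53 (`NewDNSProxy` takes a `port` argument), the accepted port should come from the same setting. `fmt.Sprintf("accept traffic for dns cache")` has no format verbs and can be a plain string literal; the same call is kept in PATCH 6/9.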
diff --git a/pkg/nftables/nftables.tpl b/pkg/nftables/nftables.tpl index 5581c822..eff19f60 100644 --- a/pkg/nftables/nftables.tpl +++ b/pkg/nftables/nftables.tpl @@ -82,3 +82,17 @@ table inet firewall { } {{- end }} } +{{- if .DNSAddrs }} +# Add additional DNS addresses for dnat redirection for the dns proxy +table inet nat { + set public_dns_servers { + type ipv4_addr + flags interval + auto-merge + elements = { + {{- $sep := " " }} + {{- range .DNSAddrs }}{{ $sep }}{{ . }}{{ $sep = ", " }} + {{- end }} } + } +} +{{- end }} diff --git a/pkg/nftables/rendering.go b/pkg/nftables/rendering.go index 00945720..7cdcae63 100644 --- a/pkg/nftables/rendering.go +++ b/pkg/nftables/rendering.go @@ -21,6 +21,7 @@ type firewallRenderingData struct { Sets []dns.RenderIPSet InternalPrefixes string PrivateVrfID uint + DNSAddrs []string } func newFirewallRenderingData(f *Firewall) (*firewallRenderingData, error) { @@ -56,11 +57,23 @@ func newFirewallRenderingData(f *Firewall) (*firewallRenderingData, error) { return &firewallRenderingData{}, err } - var sets []dns.RenderIPSet + var ( + sets []dns.RenderIPSet + dnsAddrs = []string{} + ) if f.cache.IsInitialized() { sets = f.cache.GetSetsForRendering(f.clusterwideNetworkPolicies.GetFQDNs()) + rules, err := clusterwideNetworkPolicyEgressDNSCacheRules(f.cache, f.logAcceptedConnections) + if err != nil { + return &firewallRenderingData{}, err + } + if f.firewall.Spec.DNSServerAddress != "" { + dnsAddrs = append(dnsAddrs, f.firewall.Spec.DNSServerAddress) + } + egress = append(egress, rules...) } return &firewallRenderingData{ + DNSAddrs: dnsAddrs, PrivateVrfID: uint(*f.primaryPrivateNet.Vrf), InternalPrefixes: strings.Join(f.firewall.Spec.InternalPrefixes, ", "), ForwardingRules: forwardingRules{ From e02daad22e0d05b7961ae153f072a6bdafc4d38b Mon Sep 17 00:00:00 2001 
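Review bot: In `newFirewallRenderingData` (pkg/nftables/rendering.go) `f.firewall.Spec.DNSServerAddress` is appended to `dnsAddrs` as-is, and the nftables.tpl hunk of this commit renders each entry unescaped into `elements = { … }` of a set declared `type ipv4_addr`. A spec value with a port, a hostname or an IPv6 address would therefore yield a ruleset that fails to load, and any other characters in the string land verbatim in the nft file. Parse before appending: `a, perr := netip.ParseAddr(f.firewall.Spec.DNSServerAddress)`, then `if perr != nil || !a.Is4() { return &firewallRenderingData{}, fmt.Errorf("DNS server address %q is not an IPv4 address", f.firewall.Spec.DNSServerAddress) }`, and append `a.String()`. The function starts and ends outside the hunk.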
From: Valentin Knabel Date: Wed, 17 Apr 2024 11:26:29 +0200 Subject: [PATCH 4/9] refactor: rendered table dnat --- pkg/nftables/nftables.tpl | 21 ++++++++++---------- pkg/nftables/rendering.go | 20 +++++++++---------- pkg/nftables/rendering_test.go | 11 +++++----- pkg/nftables/test_data/more-rules.nftable.v4 | 10 ++++++++++ 4 files changed, 37 insertions(+), 25 deletions(-) diff --git a/pkg/nftables/nftables.tpl b/pkg/nftables/nftables.tpl index eff19f60..46a39fcb 100644 --- a/pkg/nftables/nftables.tpl +++ b/pkg/nftables/nftables.tpl @@ -82,17 +82,18 @@ table inet firewall { } {{- end }} } -{{- if .DNSAddrs }} +{{- if .AdditionalDNSAddrs }} + # Add additional DNS addresses for dnat redirection for the dns proxy table inet nat { - set public_dns_servers { - type ipv4_addr - flags interval - auto-merge - elements = { - {{- $sep := " " }} - {{- range .DNSAddrs }}{{ $sep }}{{ . }}{{ $sep = ", " }} - {{- end }} } - } + set public_dns_servers { + type ipv4_addr + flags interval + auto-merge + elements = { + {{- $sep := " " }} + {{- range .AdditionalDNSAddrs }}{{ $sep }}{{ . }}{{ $sep = ", " }} + {{- end }} } + } } {{- end }} diff --git a/pkg/nftables/rendering.go b/pkg/nftables/rendering.go index 7cdcae63..a64c74c6 100644 --- a/pkg/nftables/rendering.go +++ b/pkg/nftables/rendering.go @@ -15,13 +15,13 @@ import ( // firewallRenderingData holds the data available in the nftables template type firewallRenderingData struct { - ForwardingRules forwardingRules - RateLimitRules nftablesRules - SnatRules nftablesRules - Sets []dns.RenderIPSet - InternalPrefixes string - PrivateVrfID uint - DNSAddrs []string + ForwardingRules forwardingRules + RateLimitRules nftablesRules + SnatRules nftablesRules + Sets []dns.RenderIPSet + InternalPrefixes string + PrivateVrfID uint + AdditionalDNSAddrs []string } func newFirewallRenderingData(f *Firewall) (*firewallRenderingData, error) { 
@@ -73,9 +73,9 @@ func newFirewallRenderingData(f *Firewall) (*firewallRenderingData, error) { egress = append(egress, rules...) } return &firewallRenderingData{ - DNSAddrs: dnsAddrs, - PrivateVrfID: uint(*f.primaryPrivateNet.Vrf), - InternalPrefixes: strings.Join(f.firewall.Spec.InternalPrefixes, ", "), + AdditionalDNSAddrs: dnsAddrs, + PrivateVrfID: uint(*f.primaryPrivateNet.Vrf), + InternalPrefixes: strings.Join(f.firewall.Spec.InternalPrefixes, ", "), ForwardingRules: forwardingRules{ Ingress: ingress, Egress: egress, diff --git a/pkg/nftables/rendering_test.go b/pkg/nftables/rendering_test.go index 1701a49a..cd80a9a2 100644 --- a/pkg/nftables/rendering_test.go +++ b/pkg/nftables/rendering_test.go @@ -37,10 +37,11 @@ func TestFirewallRenderingData_renderString(t *testing.T) { Egress: []string{"egress rule 1", "egress rule 2"}, Ingress: []string{"ingress rule 1", "ingress rule 2"}, }, - InternalPrefixes: "1.2.3.0/24, 2.3.4.0/8", - RateLimitRules: []string{"meta iifname \"eth0\" limit rate over 10 mbytes/second counter name drop_ratelimit drop"}, - SnatRules: []string{"ip saddr { 10.0.0.0/8 } oifname \"vlan104009\" counter snat 185.1.2.3 comment \"snat internet\""}, - PrivateVrfID: uint(42), + InternalPrefixes: "1.2.3.0/24, 2.3.4.0/8", + RateLimitRules: []string{"meta iifname \"eth0\" limit rate over 10 mbytes/second counter name drop_ratelimit drop"}, + SnatRules: []string{"ip saddr { 10.0.0.0/8 } oifname \"vlan104009\" counter snat 185.1.2.3 comment \"snat internet\""}, + PrivateVrfID: uint(42), + AdditionalDNSAddrs: []string{"8.9.10.11", "4.5.6.7"}, }, wantErr: false, }, @@ -98,7 +99,7 @@ func TestFirewallRenderingData_renderString(t *testing.T) { rendered, _ := os.ReadFile(path.Join("test_data", tt.name+".nftable.v4")) want := string(rendered) if got != want { - t.Errorf("Firewall.renderString() diff: %v", cmp.Diff(got, want)) + t.Errorf("Firewall.renderString() diff: %v", cmp.Diff(want, got)) } }) } 
diff --git a/pkg/nftables/test_data/more-rules.nftable.v4 b/pkg/nftables/test_data/more-rules.nftable.v4 index 6b19a6fe..0b15df25 100644 --- a/pkg/nftables/test_data/more-rules.nftable.v4 +++ b/pkg/nftables/test_data/more-rules.nftable.v4 @@ -65,3 +65,13 @@ table inet firewall { ip saddr { 10.0.0.0/8 } oifname "vlan104009" counter snat 185.1.2.3 comment "snat internet" } } + +# Add additional DNS addresses for dnat redirection for the dns proxy +table inet nat { + set public_dns_servers { + type ipv4_addr + flags interval + auto-merge + elements = { 8.9.10.11, 4.5.6.7 } + } +} From e5e4c1f49516e7748ba40e81df2f6ce2416ae4a6 Mon Sep 17 00:00:00 2001 From: Valentin Knabel Date: Wed, 17 Apr 2024 11:49:39 +0200 Subject: [PATCH 5/9] fix: status was not updated for cwnps --- controllers/clusterwidenetworkpolicy_controller.go | 5 ----- 1 file changed, 5 deletions(-) diff --git a/controllers/clusterwidenetworkpolicy_controller.go b/controllers/clusterwidenetworkpolicy_controller.go index 7f2fe8af..c81f9673 100644 --- a/controllers/clusterwidenetworkpolicy_controller.go +++ b/controllers/clusterwidenetworkpolicy_controller.go @@ -242,11 +242,6 @@ func (r *ClusterwideNetworkPolicyReconciler) allowedCWNPs(ctx context.Context, c } func (r *ClusterwideNetworkPolicyReconciler) updateCWNPState(ctx context.Context, cwnp firewallv1.ClusterwideNetworkPolicy, state firewallv1.PolicyDeploymentState, msg string) error { - // do nothing if message and state already have the desired values - if cwnp.Status.Message == msg && cwnp.Status.State == state { - return nil - } - cwnp.Status.Message = msg cwnp.Status.State = state From daa8199cf556a6617639148baa23cff10d8d4c45 Mon Sep 17 00:00:00 2001 From: Valentin Knabel Date: Thu, 18 Apr 2024 09:34:46 +0200 Subject: [PATCH 6/9] Update pkg/nftables/networkpolicy.go Co-authored-by: Gerrit --- pkg/nftables/networkpolicy.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/pkg/nftables/networkpolicy.go b/pkg/nftables/networkpolicy.go index 2b6cbba4..c57bd016 100644 --- a/pkg/nftables/networkpolicy.go +++ b/pkg/nftables/networkpolicy.go @@ -66,7 +66,7 @@ func clusterwideNetworkPolicyEgressDNSCacheRules(cache FQDNCache, logAcceptedCon return nil, err } base := []string{"ip saddr == @cluster_prefixes", fmt.Sprintf("ip daddr { %s }", addr)} - comment := fmt.Sprintf("accept traffic for dns cache") + comment := fmt.Sprintf("accept intercepted traffic for dns cache") return nftablesRules{ assembleDestinationPortRule(base, "tcp", []string{"53"}, logAcceptedConnections, comment+" tcp"), assembleDestinationPortRule(base, "udp", []string{"53"}, logAcceptedConnections, comment+" udp"), From 9d6768ac5d26a98c3c320203447b0f7cb0dbce4a Mon Sep 17 00:00:00 2001 From: Valentin Knabel Date: Thu, 18 Apr 2024 10:45:33 +0200 Subject: [PATCH 7/9] refactor: use new proxy_dns_servers --- go.mod | 2 +- go.sum | 4 ++-- pkg/nftables/nftables.tpl | 2 +- pkg/nftables/test_data/more-rules.nftable.v4 | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/go.mod b/go.mod index ed62f41d..2594d7b4 100644 --- a/go.mod +++ b/go.mod @@ -13,7 +13,7 @@ require ( github.com/metal-stack/firewall-controller-manager v0.3.2 github.com/metal-stack/metal-go v0.28.1 github.com/metal-stack/metal-lib v0.15.1 - github.com/metal-stack/metal-networker v0.42.0 + github.com/metal-stack/metal-networker v0.42.1-0.20240418084030-c77d17e444d1 github.com/metal-stack/v v1.0.3 github.com/miekg/dns v1.1.58 github.com/txn2/txeh v1.5.5 diff --git a/go.sum b/go.sum index 2110f28a..240dafd6 100644 --- a/go.sum +++ b/go.sum 
@@ -166,8 +166,8 @@ github.com/metal-stack/metal-hammer v0.12.3 h1:XY6PwTnOqBlhL9z/sk13/rdy8XRYdBAdf github.com/metal-stack/metal-hammer v0.12.3/go.mod h1:2igSC1ZnqxZcARkkUW9qA8PV04VdN9qmUIfUAZ1lGhs= github.com/metal-stack/metal-lib v0.15.1 h1:QCmtZ6ci6pHsf3RQnSDbbvYshpyRaxCSeXghVvbDFuA= github.com/metal-stack/metal-lib v0.15.1/go.mod h1:x1nyPRi+b/WeK7N41cm4R8w4pScnhOYv8hos2UM4lXY= -github.com/metal-stack/metal-networker v0.42.0 h1:tVuYw/3GN8lGhkJ91vTD+ax8fAAouFzBRysKxqQlUXo= -github.com/metal-stack/metal-networker v0.42.0/go.mod h1:exBcBdyDzngo2s3848tASbndizrPlS6a2/Eg90xLTwc= +github.com/metal-stack/metal-networker v0.42.1-0.20240418084030-c77d17e444d1 h1:5LGLN0osnuvrSYN5zte+mVl1wfdoK1+x7S67v1n1Yts= +github.com/metal-stack/metal-networker v0.42.1-0.20240418084030-c77d17e444d1/go.mod h1:exBcBdyDzngo2s3848tASbndizrPlS6a2/Eg90xLTwc= github.com/metal-stack/v v1.0.3 h1:Sh2oBlnxrCUD+mVpzfC8HiqL045YWkxs0gpTvkjppqs= github.com/metal-stack/v v1.0.3/go.mod h1:YTahEu7/ishwpYKnp/VaW/7nf8+PInogkfGwLcGPdXg= github.com/miekg/dns v1.1.58 h1:ca2Hdkz+cDg/7eNF6V56jjzuZ4aCAE+DbVkILdQWG/4= diff --git a/pkg/nftables/nftables.tpl b/pkg/nftables/nftables.tpl index 46a39fcb..7dd060d2 100644 --- a/pkg/nftables/nftables.tpl +++ b/pkg/nftables/nftables.tpl @@ -86,7 +86,7 @@ table inet firewall { # Add additional DNS addresses for dnat redirection for the dns proxy table inet nat { - set public_dns_servers { + set proxy_dns_servers { type ipv4_addr flags interval auto-merge diff --git a/pkg/nftables/test_data/more-rules.nftable.v4 b/pkg/nftables/test_data/more-rules.nftable.v4 index 0b15df25..2a77cf52 100644 --- a/pkg/nftables/test_data/more-rules.nftable.v4 +++ b/pkg/nftables/test_data/more-rules.nftable.v4 @@ -68,7 +68,7 @@ table inet firewall { # Add additional DNS addresses for dnat redirection for the dns proxy table inet nat { - set public_dns_servers { + set proxy_dns_servers { type ipv4_addr flags interval auto-merge 
From 96cbc327203af9d06ad083e45e009e7979a024b7 Mon Sep 17 00:00:00 2001 From: Valentin Knabel Date: Thu, 18 Apr 2024 10:51:39 +0200 Subject: [PATCH 8/9] refactor: StringsJoin in template --- pkg/nftables/nftables.tpl | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/pkg/nftables/nftables.tpl b/pkg/nftables/nftables.tpl index 7dd060d2..4fdb92c9 100644 --- a/pkg/nftables/nftables.tpl +++ b/pkg/nftables/nftables.tpl @@ -90,10 +90,7 @@ table inet nat { type ipv4_addr flags interval auto-merge - elements = { - {{- $sep := " " }} - {{- range .AdditionalDNSAddrs }}{{ $sep }}{{ . }}{{ $sep = ", " }} - {{- end }} } + elements = { {{ StringsJoin .AdditionalDNSAddrs ", " }} } } } {{- end }} From 02433683284a1c5461e2bbaeea9c86b3e9b869d5 Mon Sep 17 00:00:00 2001 From: Valentin Knabel Date: Mon, 22 Apr 2024 09:37:27 +0200 Subject: [PATCH 9/9] chore: upgrade metal-networker to latest release --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 2594d7b4..1e1f85c7 100644 --- a/go.mod +++ b/go.mod @@ -13,7 +13,7 @@ require ( github.com/metal-stack/firewall-controller-manager v0.3.2 github.com/metal-stack/metal-go v0.28.1 github.com/metal-stack/metal-lib v0.15.1 - github.com/metal-stack/metal-networker v0.42.1-0.20240418084030-c77d17e444d1 + github.com/metal-stack/metal-networker v0.43.0 github.com/metal-stack/v v1.0.3 github.com/miekg/dns v1.1.58 github.com/txn2/txeh v1.5.5 diff --git a/go.sum b/go.sum index 240dafd6..2e289a4d 100644 --- a/go.sum +++ b/go.sum 
@@ -166,8 +166,8 @@ github.com/metal-stack/metal-hammer v0.12.3 h1:XY6PwTnOqBlhL9z/sk13/rdy8XRYdBAdf github.com/metal-stack/metal-hammer v0.12.3/go.mod h1:2igSC1ZnqxZcARkkUW9qA8PV04VdN9qmUIfUAZ1lGhs= github.com/metal-stack/metal-lib v0.15.1 h1:QCmtZ6ci6pHsf3RQnSDbbvYshpyRaxCSeXghVvbDFuA= github.com/metal-stack/metal-lib v0.15.1/go.mod h1:x1nyPRi+b/WeK7N41cm4R8w4pScnhOYv8hos2UM4lXY= -github.com/metal-stack/metal-networker v0.42.1-0.20240418084030-c77d17e444d1 h1:5LGLN0osnuvrSYN5zte+mVl1wfdoK1+x7S67v1n1Yts= -github.com/metal-stack/metal-networker v0.42.1-0.20240418084030-c77d17e444d1/go.mod h1:exBcBdyDzngo2s3848tASbndizrPlS6a2/Eg90xLTwc= +github.com/metal-stack/metal-networker v0.43.0 h1:MbanA43IINJyoHnMTsUS3o93T3bncTtVy11BexlSMy8= +github.com/metal-stack/metal-networker v0.43.0/go.mod h1:exBcBdyDzngo2s3848tASbndizrPlS6a2/Eg90xLTwc= github.com/metal-stack/v v1.0.3 h1:Sh2oBlnxrCUD+mVpzfC8HiqL045YWkxs0gpTvkjppqs= github.com/metal-stack/v v1.0.3/go.mod h1:YTahEu7/ishwpYKnp/VaW/7nf8+PInogkfGwLcGPdXg= github.com/miekg/dns v1.1.58 h1:ca2Hdkz+cDg/7eNF6V56jjzuZ4aCAE+DbVkILdQWG/4=