
Firewall DNS #39

Open · wants to merge 2 commits into base: master
Conversation

@8176135 commented Sep 22, 2020

Automatically adds firewall rules to block any DNS requests (UDP packets on port 53) that do not go to one of the DNS addresses specified/pushed by the VPN server.

This solves the problem of "the bind mount will silently disappear in the protected namespace", by blocking DNS requests that don't go to the servers we want.

Downsides:

  • Blocks all UDP traffic on port 53. So if someone for some reason needs port 53 UDP, it won't work.
  • If you end a connection, and the namespace is still up, and run namespaced-openvpn again, it will increase the iptables chain by 2. This is obviously reset upon restart or removing the protected namespace. This is not really a limitation, just lazy coding :D.

Note:
I only tested this on IPv4 connections, I don't know if IPv6 connections will work (it should, just not tested).

@8176135 changed the title from "Firewall" to "Firewall DNS" on Sep 22, 2020

@slingamn (Owner) commented

Thanks for the contribution! This is a good idea.

I don't want to make this the default behavior, in keeping with the goal of making namespaced-openvpn's behavior as close as possible to stock openvpn. I'm considering two options for this:

  1. Make this a separate script that can be run with --up (adds the rules) and --down (removes them)
  2. Make this a command-line option for namespaced-openvpn (something like --harden-dns); add the rules in route_up() and remove them in a new function that is run as a --down script. (This would require overriding the default behavior of --down, along the lines of routeup_from_config().)
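A standalone script along the lines of option 1 above, added here as an example and not part of namespaced-openvpn or this PR. It implements the rules the PR description outlines (allow UDP/53 only to the DNS servers the VPN server pushed, drop the rest) and assumes it runs where OpenVPN runs its --up/--down scripts, i.e. inside the protected namespace, so the rules land in the namespace's own tables. The chain name HARDEN_DNS and the file name harden-dns.sh are assumptions. It goes beyond the PR's IPv4-only version by sending IPv6 servers to ip6tables, validates the server-pushed addresses before they reach a command line, and tears down before setting up, so re-running does not stack duplicate rules (the second downside noted above).

```shell
#!/bin/sh
# Added example (not namespaced-openvpn's code): a standalone OpenVPN
# --up/--down script that only allows UDP/53 to the DNS servers the VPN
# server pushed, and drops the rest. Chain name HARDEN_DNS is assumed.
set -eu

CHAIN="HARDEN_DNS"

# Pushed options arrive as foreign_option_1="dhcp-option DNS 10.8.0.1", ...
# Only "$i" (a counter) goes through eval, never server-supplied text.
pushed_dns_servers() {
    i=1
    while eval "opt=\${foreign_option_$i:-}"; [ -n "$opt" ]; do
        case "$opt" in
            "dhcp-option DNS "*) echo "${opt#dhcp-option DNS }" ;;
        esac
        i=$((i + 1))
    done
}

# Server-pushed addresses are untrusted input: allow only the characters an
# IPv4/IPv6 literal can contain before they are spliced into a command line.
is_address() {
    case "$1" in
        ''|*[!0-9a-fA-F.:]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Pick the table for an address family (IPv6 literals contain a colon).
table_for() {
    case "$1" in *:*) echo ip6tables ;; *) echo iptables ;; esac
}

# Print (not run) the commands that build the chain: one ACCEPT per pushed
# server, then DROP everything else on UDP/53. Printing keeps the rules
# reviewable and testable without root.
dns_rules_up() {
    for t in iptables ip6tables; do
        echo "$t -N $CHAIN"
        echo "$t -I OUTPUT -p udp --dport 53 -j $CHAIN"
    done
    for server in "$@"; do
        echo "$(table_for "$server") -A $CHAIN -d $server -j ACCEPT"
    done
    for t in iptables ip6tables; do
        echo "$t -A $CHAIN -j DROP"
    done
}

# Commands that unhook, flush and delete the chain.
dns_rules_down() {
    for t in iptables ip6tables; do
        echo "$t -D OUTPUT -p udp --dport 53 -j $CHAIN"
        echo "$t -F $CHAIN"
        echo "$t -X $CHAIN"
    done
}

# Run each command read on stdin. "lenient" ignores failures (used to tear
# down a chain that may not exist yet); "strict" aborts on the first error.
# DRY_RUN=1 prints the commands instead of executing them.
apply_rules() {
    while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$cmd"
        elif ! $cmd 2>/dev/null && [ "$1" = strict ]; then
            echo "failed: $cmd" >&2
            return 1
        fi
    done
}

# OpenVPN sets script_type to "up" or "down"; the first argument works too
# when invoked by hand. "up" tears down first, so re-running never stacks
# duplicate rules. With no pushed servers the chain is DROP-only (fail closed).
main() {
    servers=""
    for s in $(pushed_dns_servers); do
        is_address "$s" || { echo "refusing DNS address: $s" >&2; exit 1; }
        servers="$servers $s"
    done
    case "${script_type:-${1:-}}" in
        up)   dns_rules_down | apply_rules lenient
              dns_rules_up $servers | apply_rules strict ;;
        down) dns_rules_down | apply_rules lenient ;;
        *)    echo "usage: $0 up|down" >&2; exit 2 ;;
    esac
}

# Dispatch only when run as harden-dns.sh, so the functions can be sourced.
case "${0##*/}" in harden-dns*) main "$@" ;; esac
```

Wire it in with `--up /path/harden-dns.sh --down /path/harden-dns.sh --script-security 2` (OpenVPN refuses to run external scripts below script-security 2); `DRY_RUN=1 script_type=up ./harden-dns.sh` prints the generated rules instead of applying them. As noted in option 2 above, namespaced-openvpn's own handling of --down would need to be taken into account if the teardown is hooked there.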
