Commit 72dcf1f9 authored by Branko Mikić

Bug fixes in DHCP chain

~ BugFix! In DHCP chain the reply from the server still isn't handled correctly. It gets filtered although it's intended to pass. This is due to the addrtype module and its dst-type LOCAL filter value. Although the addrtype is considered to be a local address it seems that netfilter filters it anyway. Although other rules with comparison of marked packets work, this differs in one aspect. It uses an inverted mark value via exclamation mark. Anyway the only way to fix this properly for now is to just filter for dhcp client port without any addrtype comparison.
~ Argument order of iptables matters so all mark comparisons in DHCP chain have been moved to the first place.
parent 34cbc9d6
......@@ -630,15 +630,14 @@ formatAsHexID() {
# DHCP
$IPTABLES -t mangle -N DHCP
$IPTABLES -t mangle -A DHCP -p udp \
-m mark --mark $DHCP_CLIENT_MARK/$DHCP_CLIENT_MARK \
-m addrtype --src-type LOCAL --limit-iface-out \
-m udp --sport $dhcp_client --dport $dhcp_server \
-m mark --mark $DHCP_CLIENT_MARK/$DHCP_CLIENT_MARK \
-j MARK --set-mark 0xff \
-m comment --comment "sending request from local interface";
$IPTABLES -t mangle -A DHCP -p udp \
-m addrtype --dst-type LOCAL --limit-iface-in \
-m udp --dport $dhcp_client \
-m mark ! --mark 0/$DHCP_BOTH_MARK \
-m udp --dport $dhcp_client \
-j MARK --set-mark 0xff \
-m comment --comment "reply from server to local interface";
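Review bot: the "netfilter filters it anyway" diagnosis in the message is probably not an inverted-mark problem at all: a DHCP reply to a client that has no address yet is sent to 255.255.255.255 or to the not-yet-configured yiaddr, so `-m addrtype --dst-type LOCAL --limit-iface-in` cannot match it (it would match as BROADCAST, or not at all, rather than LOCAL). Dropping the addrtype match works around that, but the rule now accepts any UDP packet to `--dport $dhcp_client` that carries any bit of `$DHCP_BOTH_MARK`, regardless of destination, so it is worth stating in the rule comment that the mark set earlier in the chain is the only qualifier left, and the comment string "reply from server to local interface" should be adjusted to match what the rule actually checks.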
......@@ -654,19 +653,19 @@ formatAsHexID() {
# receive requests on server different for IPv(4|6)
[ $ENVID == "4" ] && {
$IPTABLES -t mangle -A DHCP -p udp \
-m mark --mark $DHCP_SERVER_MARK/$DHCP_SERVER_MARK \
-s 0.0.0.0/32 \
-m addrtype --dst-type BROADCAST \
-m udp --sport $dhcp_client --dport $dhcp_server \
-m mark --mark $DHCP_SERVER_MARK/$DHCP_SERVER_MARK \
-j MARK --set-mark 0xff \
-m comment --comment "receive initial requests via broadcast (IPv4 only)";
};
[ $ENVID == "6" ] && {
$IPTABLES -t mangle -A DHCP -p udp \
-m mark --mark $DHCP_SERVER_MARK/$DHCP_SERVER_MARK \
-s $LLsubnet \
-m addrtype --dst-type MULTICAST \
-m udp --sport $dhcp_client --dport $dhcp_server \
-m mark --mark $DHCP_SERVER_MARK/$DHCP_SERVER_MARK \
-j MARK --set-mark 0xff \
-m comment --comment "receive requests via link-local (IPv6 only)";
};
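Review bot: moving `-m mark --mark $DHCP_SERVER_MARK/$DHCP_SERVER_MARK` ahead of `-s` and `-m addrtype` in both the IPv4 and IPv6 rules does not change what the rules match; iptables requires every match in a rule to succeed, and argument order only matters where a module depends on an earlier one (such as `-m udp` after `-p udp`, or `--limit-iface-in` after `-m addrtype`). The reorder is still reasonable as a cheap first check before the addrtype lookup, but the commit message should say that rather than claim it fixes behaviour. Minor style point in the surrounding context: `[ $ENVID == "4" ]` relies on a bash extension of `[`; `=` is the portable comparison.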