DHCP relay with UDP source port of 67 causes ISC 3.0.2 to respond with UDP source port of 1
Chuck Anderson
cra at WPI.EDU
Fri Nov 3 16:32:23 UTC 2006
On Fri, Nov 03, 2006 at 09:54:23AM -0600, Frank Bulk wrote:
> -A POSTROUTING -s a.b.c.22 -p udp -m udp --sport 67 -j SNAT
> --to-source a.b.c.24
> - when I remove the POSTROUTING rule, it's interesting to see that most
> everything comes out of the DHCP server with IP source address of a.b.c.22,
> as it should, but there are some ACKs with a source address of a.b.c.24 --
> and guess what, they all have a src port of 1! I tried over a dozen
> different iptables rules, but no success in catching those aberrant UDP src
> port 1 packets and changing them, via iptables, to UDP src port 67.
IPTables SNAT may be changing the source port number on you:
--to-source ipaddr[-ipaddr][:port-port]
which can specify a single new source IP address, an inclusive
range of IP addresses, and optionally, a port range (which is
only valid if the rule also specifies -p tcp or -p udp). If no
port range is specified, then source ports below 512 will be
mapped to other ports below 512: those between 512 and 1023
inclusive will be mapped to ports below 1024, and other ports
will be mapped to 1024 or above. Where possible, no port alteration will occur.
> - this leads me to conjecture that dhcpd, for some of its packets, is not
> binding to the right interface, and spewing out an incorrect packet.
>
> I agree, dhcpd shouldn't care what the source port from the DHCP relay is, but
> it's possible that there's something in the code that's leading dhcpd to
> occasionally use a different interface for its output.
The server binds to a raw socket to generate some packets, and a BSD
socket to generate others. This would explain the differences. I'm
not sure if IPTables rules apply to packets generated with a raw
socket.
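Added example, not code from this thread or from ISC dhcpd: a small Python script that models the SNAT source-port policy quoted from the iptables man page above, builds the SNAT rule with an explicit `:port-port` range so the source port is pinned, and audits tcpdump-style capture lines for DHCP replies that leave with an unexpected source address or source port (the symptom Frank describes). The capture lines are constructed, the `a.b.c.22`/`a.b.c.24` placeholders reuse the thread's addressing, the lower bound of 1 for the "below 512" band is an assumption, and the tcpdump line layout is assumed rather than taken from the thread.

```python
"""Model the SNAT port bands from the iptables man page text and audit
DHCP server replies for rewritten source address/port.
Added example; sample capture lines below are constructed, not captured."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]


def snat_candidate_ports(src_port: int,
                         port_range: Optional[PortRange] = None) -> PortRange:
    """Range SNAT may choose the new source port from.

    Without an explicit ':port-port' the man page describes three bands
    (below 512, 512-1023, 1024 and up); with one, SNAT is confined to it.
    Lower bound 1 for the first band is an assumption of this model.
    """
    if port_range is not None:
        lo, hi = port_range
        if not (1 <= lo <= hi <= 65535):
            raise ValueError("port range must satisfy 1 <= lo <= hi <= 65535")
        return (lo, hi)
    if src_port < 512:
        return (1, 511)
    if src_port <= 1023:
        return (1, 1023)
    return (1024, 65535)


def port_may_be_rewritten(src_port: int,
                          port_range: Optional[PortRange] = None) -> bool:
    """True if the candidate range admits a port other than the original
    (the man page keeps the port 'where possible', so this is a 'may')."""
    return snat_candidate_ports(src_port, port_range) != (src_port, src_port)


def snat_rule_preserving_port(server_ip: str, new_ip: str, port: int = 67) -> str:
    """The POSTROUTING rule from the thread with the port range pinned."""
    return (f"-A POSTROUTING -s {server_ip} -p udp -m udp --sport {port} "
            f"-j SNAT --to-source {new_ip}:{port}-{port}")


# Assumed tcpdump-like layout: "IP src.port > dst.port: BOOTP/DHCP, Reply|Request"
LINE_RE = re.compile(r"^IP (\S+)\.(\d+) > (\S+)\.(\d+): BOOTP/DHCP, (Reply|Request)")

# Constructed sample capture: two good replies, two replies that left with
# the wrong source address and source port 1, and one client request.
SAMPLE_CAPTURE = """\
IP a.b.c.22.67 > 10.0.0.5.67: BOOTP/DHCP, Reply, length 300
IP a.b.c.22.67 > 10.0.0.5.67: BOOTP/DHCP, Reply, length 300
IP a.b.c.24.1 > 10.0.0.5.67: BOOTP/DHCP, Reply, length 300
IP 10.0.0.5.67 > a.b.c.22.67: BOOTP/DHCP, Request from 00:11:22:33:44:55, length 548
IP a.b.c.24.1 > 10.0.0.9.67: BOOTP/DHCP, Reply, length 300
"""


@dataclass
class Finding:
    line_no: int
    src_ip: str
    src_port: int
    reason: str


def audit_dhcp_replies(capture: str, server_ip: str,
                       server_port: int = 67) -> List[Finding]:
    """Flag server replies whose source address or source port differs
    from what the server is expected to send (normally ip:67)."""
    findings: List[Finding] = []
    for n, line in enumerate(capture.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m or m.group(5) != "Reply":
            continue  # unparseable line or a client request: not audited
        src_ip, src_port = m.group(1), int(m.group(2))
        reasons = []
        if src_ip != server_ip:
            reasons.append(f"source address {src_ip} != {server_ip}")
        if src_port != server_port:
            reasons.append(f"source port {src_port} != {server_port}")
        if reasons:
            findings.append(Finding(n, src_ip, src_port, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in audit_dhcp_replies(SAMPLE_CAPTURE, "a.b.c.22"):
        print(f"line {f.line_no}: {f.reason}")
    print("port 67 may be rewritten without a range:",
          port_may_be_rewritten(67), snat_candidate_ports(67))
    print("pinned rule:", snat_rule_preserving_port("a.b.c.22", "a.b.c.24"))
```

The audit only covers what the capture shows; whether a given reply went through netfilter at all (the raw-socket question raised above) is not something the capture line alone can tell you, so treat a flagged reply as a prompt to compare against the server's own socket usage rather than as proof that SNAT touched it.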