Bind DHCP to a specific ip

David W. Hankins dhankins at isc.org
Wed Jan 13 20:25:30 UTC 2010


On Sun, Jan 03, 2010 at 03:38:31PM -0500, Chris Arnold wrote:
> You guys were right, there is a file to define the interface. On SLES10 SP3
> it is found in /etc/sysconfig/dhcpd. It was already defined in that file but
> still shows as 0.0.0.0:67 in netstat. Is that the way it was designed?
> 
> I can get netstat to show the ip:67 by entering local-address "ipaddress"
> in the dhcpd.conf file.

The UDP socket in netstat is not the droid you are looking for.

The DHCP protocol has some odd requirements to really work properly.
Being able to transmit to and receive packets sent to the all-ones
limited broadcast address (255.255.255.255), and being able to send
a unicast without an ARP.

In order to both reliably receive and transmit these packets in a
way that conforms with RFC 2131, we have to use platform-flavor
specific raw sockets; on SuSe that's what we call "LPF", Linux'
version of the BPF device.  You should see LPF/interface/MAC lines
logged when dhcpd starts, these are the raw sockets initializing.

When operating in this mode, we open the raw sockets, and a backup
BSD/UDP socket (called the "fallback interface"), which you are seeing
in netstat.

This mode of operation is the default at compile time, because it is
the most compatible and general.

The raw socket:

o Receives all DHCP packets, so the DHCP packet sent to the server
  must come in on the interface the socket is opened on.

o Transmits directed unicasts (w/out ARP), and special RFC 2131
  complying all-ones limited broadcasts (rather than the subnet
  broadcast address you may get from the BSD/UDP interface).  These
  are needed in clients' initial configuration stage (when the client
  does not yet have an address configured).

The BSD/UDP socket:

o Is read from to empty it and free up buffers, but all packets read
  from this socket are immediately discarded.  The reason for this is
  that in the expected operating mode, these packets are all
  duplicates of packets received via the raw socket.

o Is used to transmit routed unicasts, so we don't have to implement
  IP routing in 'dhcpd'.  This is used to reply to any relay agent,
  or to reply to clients apparently in the RENEWING state.

So in the default operating mode, the local-address configuration
parameter only limits how many packets reach the bit-bucket.  True
limitation of operation on interfaces is achieved only by selecting
specific interfaces for raw sockets to operate on.


You _can_ compile raw socket behaviour out, and it may sometimes be
advisable for performance and simplicity reasons, but only IFF you
will never have any directly-connected clients, clients on the same
broadcast domain as the DHCP server...all clients must be reached by
relay agents in this case.  It is hard to maintain this limitation in
an installed system across administrators, as networks grow and ebb,
and the raw sockets do not negatively impact most users' performance
in a meaningful way, so it is not recommended.

But in that event, the server uses regular BSD/UDP socket(s), and no
raw sockets.  In some platforms, a BSD socket is opened for every
interface, if that platform has a way to bind sockets to interfaces.
These will still appear as being bound on INADDR_ANY; I do not
think the interface limitation appears in netstat.  I believe Linux is
such a platform, but it may depend on the kernel or libc versions (it
checks if you have SO_BINDTODEVICE defined).  A fallback interface is
not opened in this case.

In this case, the local-address configuration value does what you
expect; it binds that address on the socket, and so limits the packets
received by the DHCP server to those destined to a specific address.
This is probably only a worthwhile step to take on systems that either
only have one interface, or on architectures that don't have a way for
BSD sockets to be bound to interfaces.

-- 
David W. Hankins	"If you don't do it right the first time,
Software Engineer		     you'll just have to do it again."
Internet Systems Consortium, Inc.		-- Jack T. Hankins
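The post says the real scope of a dhcpd instance is visible in the LPF lines it logs at startup, not in netstat. Here is an added example (not from the post or from ISC) that parses constructed startup lines in that shape, reports which interfaces got raw sockets and whether the fallback UDP socket was opened, and flags any raw-socket interface outside an administrator's allowed set; the sample log text and the log-line shape are assumptions and may differ by dhcpd version.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of dhcpd startup messages (assumed shape:
# "Listening on LPF/<iface>/<mac>/<subnet>" and
# "Sending on   Socket/fallback/fallback-net"; real output may vary).
SAMPLE_LOG = """\
Internet Systems Consortium DHCP Server 4.1.1
Listening on LPF/eth0/00:0c:29:ab:cd:ef/192.0.2.0/24
Sending on   LPF/eth0/00:0c:29:ab:cd:ef/192.0.2.0/24
Listening on LPF/eth1/00:0c:29:ab:cd:f0/198.51.100.0/24
Sending on   LPF/eth1/00:0c:29:ab:cd:f0/198.51.100.0/24
Sending on   Socket/fallback/fallback-net
"""

LPF_RE = re.compile(
    r"^(?:Listening|Sending) on\s+LPF/(?P<iface>[^/]+)/(?P<mac>[0-9a-fA-F:]+)/(?P<net>\S+)"
)
FALLBACK_RE = re.compile(r"^Sending on\s+Socket/fallback/")


@dataclass
class DhcpdSockets:
    raw: dict = field(default_factory=dict)   # iface -> (mac, subnet)
    fallback: bool = False                    # the BSD/UDP socket netstat shows


def parse_dhcpd_startup(log: str) -> DhcpdSockets:
    """Collect which interfaces received a raw (LPF) socket and whether the
    fallback UDP socket was opened, from dhcpd's startup lines."""
    result = DhcpdSockets()
    for line in log.splitlines():
        m = LPF_RE.match(line)
        if m:
            result.raw[m["iface"]] = (m["mac"].lower(), m["net"])
        elif FALLBACK_RE.match(line):
            result.fallback = True
    return result


def unexpected_raw_interfaces(log: str, allowed: set) -> set:
    """Interfaces serving DHCP via raw sockets that are not in the allowed
    set. local-address does not narrow this list; only the interface
    selection given to dhcpd does."""
    return set(parse_dhcpd_startup(log).raw) - set(allowed)


if __name__ == "__main__":
    s = parse_dhcpd_startup(SAMPLE_LOG)
    print("raw sockets on:", sorted(s.raw), "fallback:", s.fallback)
    print("unexpected:", unexpected_raw_interfaces(SAMPLE_LOG, {"eth0"}))
```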