Simon Hobson simon at thehobsons.co.uk
Mon Aug 1 20:26:43 UTC 2016

Shawn Routhier <sar at isc.org> wrote:

> There is a patch (with some variations) that uses -i for
> interfaces that would lead to the client (downstream)
> and that auto-discovers the rest of the interfaces and
> uses them to receive responses from any servers.
> ...If the admin
> sets up their interfaces with -i they can limit the interfaces
> the relay will accept “responses” from.  With the debian
> patch it appears that the relay will accept responses from
> all interfaces.

I haven't used dhcrelay with or without the patches ...
But, while it would be more work, would it be an option to add an extra option for interfaces to listen to server replies on - so something like '-i if [if ...]' for interfaces to listen to broadcasts on, and '-I if [if ...]' for interfaces to listen to non-broadcast packets on?

Doing it that way means that existing users (without the patch) will see no difference in behaviour (i.e. the change would be backwards compatible with existing configs).

As another thought, I'm guessing that the auto-configured interfaces are only opening a socket and receiving unicast packets. If so, then the security issue can be worked around with firewall rules.
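As an added illustration of the firewall workaround suggested above (example code, not from this thread, ISC, or the Debian patch): a POSIX sh function that emits an nftables ruleset confining DHCP server replies to the server-facing interface(s) and known server address(es), while still admitting client broadcasts on the client-facing interface(s). Interface names and the server address are constructed sample values; the example assumes server replies reach the relay as unicast UDP 67 to 67 and client requests as UDP 68 to 67.

```shell
#!/bin/sh
# Emit an nftables ruleset for a dhcrelay host (hypothetical helper, not part
# of dhcrelay). Rules are printed, not applied; feed the output to `nft -f -`
# after review.
#   $1  space-separated interfaces facing the DHCP server(s)   (upstream)
#   $2  space-separated interfaces facing the clients          (downstream)
#   $3  space-separated DHCP server IPv4 addresses
dhcrelay_reply_rules() {
  upstream="$1"
  downstream="$2"
  servers="$3"
  if [ -z "$upstream" ] || [ -z "$downstream" ] || [ -z "$servers" ]; then
    echo "usage: dhcrelay_reply_rules '<upstream ifs>' '<downstream ifs>' '<server ips>'" >&2
    return 2
  fi
  printf 'table inet dhcrelay_guard {\n'
  printf '  chain input {\n'
  printf '    type filter hook input priority 0; policy accept;\n'
  # Client requests: broadcast from port 68 to port 67, only on downstream links.
  for i in $downstream; do
    printf '    iifname "%s" udp sport 68 udp dport 67 accept\n' "$i"
  done
  # Server replies: unicast 67 -> 67, only from listed servers on upstream links.
  for i in $upstream; do
    for s in $servers; do
      printf '    iifname "%s" ip saddr %s udp sport 67 udp dport 67 accept\n' "$i" "$s"
    done
  done
  # Anything else aimed at the relay port (e.g. a "reply" arriving on a client
  # interface, or from an unknown server) is counted, logged and dropped.
  printf '    udp dport 67 counter log prefix "dhcrelay-guard: " drop\n'
  printf '  }\n'
  printf '}\n'
}

# Constructed sample: eth0 faces the server 192.0.2.10, eth1 faces clients.
dhcrelay_reply_rules "eth0" "eth1" "192.0.2.10"
```

Per-packet counters on the final drop rule give a cheap signal that something other than the expected server is sending to the relay port.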

