dhcrelay and interfaces

Shawn Routhier sar at isc.org
Tue Aug 2 03:59:22 UTC 2016


> On Aug 1, 2016, at 1:26 PM, Simon Hobson <simon at thehobsons.co.uk> wrote:
> 
> Shawn Routhier <sar at isc.org> wrote:
> 
>> There is a patch (with some variations) that uses -i for
>> interfaces that would lead to the client (downstream)
>> and that auto-discovers the rest of the interfaces and
>> uses them to receive responses from any servers.
>> 
>> ...If the admin
>> sets up their interfaces with -i they can limit the interfaces
>> the relay will accept “responses” from.  With the debian
>> patch it appears that the relay will accept responses from
>> all interfaces.
> 
> I haven't used dhcrelay with or without the patches ...
> But, while it would be more work, would it be an option to add an extra option for interfaces to listen to server replies on - so something like '-i if [if ...]' for interfaces to listen to broadcasts on, and '-I if [if ...]' for interfaces to listen to non-broadcast packets on ?

It wouldn’t be a question of broadcast vs non-broadcast as that would require more work given
how the code handles the sockets.

One option we are considering is to go with something like the v6 code and have an option for
upper interfaces (connect to the server) and lower interfaces (connected to the clients).

> 
> Doing it that way means that existing users (without patch) will see no difference in behaviour (ie the change would be backwards compatible with existing configs).

I think that might be true for people using vanilla ISC DHCP.  For people using one of the
patches they would see a change as they would need to add the upstream interfaces instead
of letting auto-configure do it for them.  While I don’t feel as constrained to ensure backwards
compatibility with other peoples changes or additions I also don’t wish to break them
if I don’t have to.

> 
> As another thought, I'm guessing that the auto-configured interfaces are only opening a socket and receiving unicast packets. If so, then the security issue can be worked around with firewall rules.

I don’t think so.

regards,
Shawn Routhier
ISC


More information about the dhcp-users mailing list