Bug#648401: isc-dhcp-relay: dhcrelay(8) doesn't mention need for -i on server facing interface

Wed, 20 Feb 2013 10:27:13 -0800 

tags 648401 + patch
thanks

On Tue, Feb 19, 2013 at 11:59:05PM +0100, Steinar H. Gunderson wrote:
> I'd say this means dhcrelay itself is pretty much completely broken, and I'm
> upgrading severity accordingly. It shouldn't subject the BOOTREPLY packets to
> interface checking, or it should have a separate list of interfaces from
> which it can come; I think this actually works for DHCPv6, where you have
> separate “lower” and “upper” interface options, but I haven't tested it.

Here's a patch that fixes the problem for us. It makes dhcrelay listen on all
interfaces and relay BOOTREPLY packets from them, but still only rely
BOOTREQUEST packets from requested interfaces (those with -i).

What it _doesn't_ fix, is that dhcrelay should only relay broadcast packets
(e.g. DHCPDISCOVER); the unicast packets (e.g. DHCPREQUEST) can already find
their way through, so you end up with duplicates. Those are largely harmless,
though, so I consider fixing that out-of-scope for the wheezy freeze; this is
the minimal patch that I could find.

/* Steinar */
-- 
Homepage: http://www.sesse.net/

--- isc-dhcp-4.2.2.dfsg.1.orig/relay/dhcrelay.c
+++ isc-dhcp-4.2.2.dfsg.1/relay/dhcrelay.c
@@ -679,6 +679,11 @@ do_relay4(struct interface_info *ip, str
 	if (out)
 		return;
 
+       /* If this is not a BOOTREPLY, and it is not on a requested interface,
+	 * drop it. */
+	if (!(ip->flags & INTERFACE_REQUESTED))
+		return;
+
 	/* Add relay agent options if indicated.   If something goes wrong,
 	   drop the packet. */
 	if (!(length = add_relay_agent_options(ip, packet, length,
--- isc-dhcp-4.2.2.dfsg.1.orig/common/discover.c
+++ isc-dhcp-4.2.2.dfsg.1/common/discover.c
@@ -1108,9 +1107,9 @@ discover_interfaces(int state) {
 					  INTERFACE_REQUESTED);
 
 #ifdef DHCPv6
-		if (!(tmp->flags & INTERFACE_REQUESTED)) {
+		if (state != DISCOVER_RELAY && !(tmp->flags & INTERFACE_REQUESTED)) {
 #else
-		if (!tmp -> ifp || !(tmp -> flags & INTERFACE_REQUESTED)) {
+		if (!tmp -> ifp || (state != DISCOVER_RELAY && !(tmp -> flags & INTERFACE_REQUESTED))) {
 #endif /* DHCPv6 */
 			if ((tmp -> flags & INTERFACE_REQUESTED) != ir)
 				log_fatal ("%s: not found", tmp -> name);

Reply via email to