On 7/2/2015 1:38 PM, Cyril Lashkevich wrote:
> Hello,
>
> I have a DHCP server running on the firewall. But DHCP requests are
> dropped by rpfilter when this option is enabled for the loc interface:
>
> /etc/shorewall/interfaces
> net     enp5s0 rpfilter,dhcp,nosmurfs,logmartians,sourceroute=0
> loc     enp6s0 rpfilter,dhcp,nosmurfs,logmartians
>
> Log:
> Jul 02 23:21:03 Sardegna kernel: Shorewall:rplog:DROP:IN=enp6s0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:97:68:45:0d:7f:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=375 TOS=0x00 PREC=0x00 TTL=64 ID=51364 PROTO=UDP SPT=68 DPT=67 LEN=355
> Jul 02 23:21:07 Sardegna kernel: Shorewall:rplog:DROP:IN=enp6s0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:97:68:45:0d:7f:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=375 TOS=0x00 PREC=0x00 TTL=64 ID=58639 PROTO=UDP SPT=68 DPT=67 LEN=355
> Jul 02 23:21:15 Sardegna kernel: Shorewall:rplog:DROP:IN=enp6s0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:97:68:45:0d:7f:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=375 TOS=0x00 PREC=0x00 TTL=64 ID=59979 PROTO=UDP SPT=68 DPT=67 LEN=355
>
> DHCP works as expected without rpfilter option for the loc interface.
>
> Is it possible to use rpfilter on interfaces on which a DHCP server is
> listening?
> `shorewall dump` is attached.
The attached patch should correct the problem.

    patch /path/to/Shorewall/Misc.pm < RPFILTER.patch

Regards,
-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index d7a0e6e..5b5f162 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -918,12 +918,22 @@ sub add_common_rules ( $$ ) {
            $target = $policy eq 'REJECT' ? 'reject' : $policy;
        }
 
-       add_ijump( ensure_mangle_chain( 'rpfilter' ),
+       my $rpfilterref = ensure_mangle_chain( 'rpfilter' );
+
+       add_ijump( $rpfilterref,
+                  j        => 'RETURN',
+                  s        => NILIPv4,
+                  p        => UDP,
+                  dport    => 67,
+                  sport    => 68
+           ) if $family == F_IPV4;
+
+       add_ijump( $rpfilterref,
                   j        => $target,
                   rpfilter => '--validmark --invert',
                   state_imatch 'NEW,RELATED,INVALID',
                   @ipsec
-                );
+           );
     }
            
     run_user_exit1 'initdone';
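Review bot: the new RETURN rule is inserted into the shared `rpfilter` chain unconditionally, so it exempts UDP 68->67 datagrams from 0.0.0.0 on every interface that carries the `rpfilter` option, not only on interfaces that also have `dhcp` set; the reporter happens to have `dhcp` on both interfaces, but a general fix should not relax reverse-path checking on an interface whose configuration never asked for DHCP. Consider emitting the exemption per interface (only where `dhcp` is set, with an `i => $interface` match) or at least documenting it in the rpfilter option description, since the diff touches only Misc.pm and nothing tells a user that rpfilter now passes this traffic. The exemption is also IPv4-only (`if $family == F_IPV4`); if DHCPv6 client traffic is expected to be unaffected by rpfilter, a one-line comment saying why would spare the next reader the question. Minor style point: the closing `);` of the second `add_ijump` moved from being aligned under its arguments to an 11-space indent; keep the alignment used by the surrounding calls.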

Attachment: signature.asc
Description: OpenPGP digital signature
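The log lines in the report show the pattern the patch is exempting: a client that does not yet have an address sends DHCPDISCOVER/DHCPREQUEST from SRC=0.0.0.0, which the kernel's reverse-path check can never validate, so rpfilter drops it. The script below is an added example, not Shorewall's own code: it re-joins `rplog` records that a mail client wrapped across lines, parses the kernel fields, and separates DHCP client broadcasts (false positives for rpfilter) from other reverse-path drops that deserve attention. The first two sample records are taken from the report; the third is a constructed, hypothetical spoofed SYN. `exemption_rule` renders the patch's RETURN rule as an iptables command; the optional `-i` interface restriction is this example's tightening, not something the patch does.

```python
import re
from dataclasses import dataclass

# A journal/syslog record starts with "Mon DD HH:MM:SS "; anything else is a
# continuation of the previous record that a mail client wrapped.
RECORD_START = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} ")
# Shorewall log prefix: "Shorewall:<chain>:<disposition>:" followed by k=v fields.
PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[A-Z]+):")
KV = re.compile(r"(\w+)=(\S*)")

# Constructed sample log. Records 1 and 2 reproduce the report (wrapped as the
# mail showed them); record 3 is hypothetical: a spoofed TCP SYN from an
# address that does not belong on enp6s0, i.e. a drop rpfilter should keep.
SAMPLE_LOG = """\
Jul 02 23:21:03 Sardegna kernel: Shorewall:rplog:DROP:IN=enp6s0 OUT=
MAC=ff:ff:ff:ff:ff:ff:78:97:68:45:0d:7f:08:00 SRC=0.0.0.0
DST=255.255.255.255 LEN=375 TOS=0x00 PREC=0x00 TTL=64 ID=51364
PROTO=UDP SPT=68 DPT=67 LEN=355
Jul 02 23:21:07 Sardegna kernel: Shorewall:rplog:DROP:IN=enp6s0 OUT=
MAC=ff:ff:ff:ff:ff:ff:78:97:68:45:0d:7f:08:00 SRC=0.0.0.0
DST=255.255.255.255 LEN=375 TOS=0x00 PREC=0x00 TTL=64 ID=58639
PROTO=UDP SPT=68 DPT=67 LEN=355
Jul 02 23:25:41 Sardegna kernel: Shorewall:rplog:DROP:IN=enp6s0 OUT=
MAC=00:11:22:33:44:55:78:97:68:45:0d:7f:08:00 SRC=203.0.113.9
DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1
PROTO=TCP SPT=40000 DPT=22
"""


@dataclass
class Drop:
    chain: str
    disposition: str
    fields: dict


def unwrap(text):
    """Re-join records that were wrapped across several lines."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return records


def parse_record(record):
    """Return a Drop for a Shorewall log record, or None if it is not one."""
    m = PREFIX.search(record)
    if not m:
        return None
    fields = {}
    for key, value in KV.findall(record[m.end():]):
        # LEN appears twice (IP total length, then UDP length); keep the first.
        fields.setdefault(key, value)
    return Drop(m.group("chain"), m.group("disp"), fields)


def is_dhcp_client_broadcast(drop):
    """DHCPDISCOVER/DHCPREQUEST from an unconfigured client: the exact case
    the patch exempts (UDP 68 -> 67 with source 0.0.0.0)."""
    f = drop.fields
    return (f.get("PROTO") == "UDP" and f.get("SRC") == "0.0.0.0"
            and f.get("SPT") == "68" and f.get("DPT") == "67")


def classify(text, chain="rplog"):
    """Split rpfilter drops into DHCP false positives and everything else."""
    result = {"dhcp_client_broadcast": [], "other": []}
    for record in unwrap(text):
        drop = parse_record(record)
        if drop is None or drop.chain != chain:
            continue
        bucket = "dhcp_client_broadcast" if is_dhcp_client_broadcast(drop) else "other"
        result[bucket].append(drop)
    return result


def exemption_rule(interface=None):
    """iptables rendering of the patch's RETURN rule in the mangle rpfilter
    chain. Passing an interface adds '-i <iface>', a tightening assumed by this
    example so only interfaces with a DHCP server get the exemption."""
    iface = f"-i {interface} " if interface else ""
    return (f"iptables -t mangle -I rpfilter {iface}-s 0.0.0.0 "
            "-p udp --sport 68 --dport 67 -j RETURN")


if __name__ == "__main__":
    buckets = classify(SAMPLE_LOG)
    for name, drops in buckets.items():
        print(f"{name}: {len(drops)}")
        for d in drops:
            f = d.fields
            print(f"  {f['IN']} {f['PROTO']} {f['SRC']}:{f.get('SPT')} -> "
                  f"{f['DST']}:{f.get('DPT')}")
    print(exemption_rule("enp6s0"))
```

Feed it `journalctl -k | grep rplog` output (or the wrapped text pasted from a mail) to see how many of your rpfilter drops are really just clients asking for a lease; anything in the `other` bucket is a genuine reverse-path failure and should be investigated rather than exempted.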

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
