Fix MACLIST_TABLE=mangle and DHCP

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2946 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -10,6 +10,8 @@ Changes in 3.0.0 RC 3.
 
 5) Update config files with cmd-owner info.
 
+6) Fix DHCP with MACLIST_TABLE=mangle.
+
 Changes in 3.0.0 RC 2.
 
 1) Fix support for OpenVPN and tcp.

Shorewall/firewall

@@ -2816,6 +2816,12 @@ setup_mac_lists() {
     for interface in $maclist_interfaces; do
 	chain=$(mac_chain $interface)
 	create_mac_chain $chain
+	#
+	# If we're using the mangle table and the interface is DHCP-enabled then we need to accept DHCP broadcasts from 0.0.0.0
+	#
+	if [ $MACLIST_TABLE = mangle ] && interface_has_option $interface dhcp; then
+	    run_iptables -t mangle -A $chain -s 0.0.0.0 -p udp --dport 67:68 -j RETURN
+	fi
 
 	if [ -n "$MACLIST_TTL" ]; then
 	    chain1=$(macrecent_target $interface)
@@ -2826,6 +2832,7 @@ setup_mac_lists() {
 	    run_iptables -t $MACLIST_TABLE -A $chain  -m recent --set                           --name $chain
 	fi
     done
+
     #
     # Process the maclist file producing the verification rules
     #

Shorewall/releasenotes.txt

@@ -18,6 +18,12 @@ Problems Corrected in 3.0.0 RC 3:
     files have been updated to warn that +<program name> is not supported
     by kernel versions 2.6.14 and later.
 
+4)  When MACLIST_TABLE=mangle and an interface is enabled for DHCP (the
+    'dhcp' option is specified in /etc/shorewall/interfaces) then broadcasts
+    on UDP port 67 to address 255.255.255.255 from address 0.0.0.0 were being
+    dropped and logged. While this did not prevent the client from acquiring
+    an IP address, it could result in lots of log messages.
+
 Migration Considerations:
 
 1) The "monitor" command has been eliminated.