From 981323b7d692b40db9975f57e2cb0e9017683afc Mon Sep 17 00:00:00 2001
From: teastep
Date: Wed, 2 Nov 2005 15:32:33 +0000
Subject: [PATCH] Fix MACLIST_TABLE=mangle and DHCP
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2946 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/changelog.txt | 2 ++
 Shorewall/firewall | 7 +++++++
 Shorewall/releasenotes.txt | 6 ++++++
 3 files changed, 15 insertions(+)
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index e9a01cdf2..3edf4d2e6 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -10,6 +10,8 @@ Changes in 3.0.0 RC 3.
 5) Update config files with cmd-owner info.
+6) Fix DHCP with MACLIST_TABLE=mangle.
+
 Changes in 3.0.0 RC 2.
 1) Fix support for OpenVPN and tcp.
diff --git a/Shorewall/firewall b/Shorewall/firewall
index 5732f8797..6c3e7c617 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -2816,6 +2816,12 @@ setup_mac_lists() {
 for interface in $maclist_interfaces; do
 chain=$(mac_chain $interface)
 create_mac_chain $chain
+ #
+ # If we're using the mangle table and the interface is DHCP-enabled then we need to accept DHCP broadcasts from 0.0.0.0
+ #
+ if [ $MACLIST_TABLE = mangle ] && interface_has_option $interface dhcp; then
+ run_iptables -t mangle -A $chain -s 0.0.0.0 -p udp --dport 67:68 -j RETURN
+ fi
 if [ -n "$MACLIST_TTL" ]; then
 chain1=$(macrecent_target $interface)
@@ -2826,6 +2832,7 @@ setup_mac_lists() {
 run_iptables -t $MACLIST_TABLE -A $chain -m recent --set --name $chain
 fi
 done
+
 #
 # Process the maclist file producing the verification rules
 #
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 77aed3cef..4af52ae29 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
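Review bot: The exemption added in the first firewall hunk is broader than the condition the release notes describe: `-s 0.0.0.0 -p udp --dport 67:68 -j RETURN` leaves the MAC-verification chain for any UDP packet from 0.0.0.0 to port 67 or 68 whatever its destination, while the reported problem is broadcasts from 0.0.0.0 to 255.255.255.255 on port 67. A client with no address yet sends its DISCOVER/REQUEST to 255.255.255.255:67, so the rule could likely be tightened to `run_iptables -t mangle -A $chain -s 0.0.0.0 -d 255.255.255.255 -p udp --dport 67 -j RETURN`; if the wider port range is deliberate, the comment above it should say why 68 is included, since nothing on the page explains it. Separately, `[ $MACLIST_TABLE = mangle ]` is unquoted, so an empty MACLIST_TABLE turns the test into a syntax error rather than a false result — `[ "$MACLIST_TABLE" = mangle ]` is safer — and the surrounding code passes `-t $MACLIST_TABLE`, so using the variable instead of the literal `mangle` would keep the two rules consistent. setup_mac_lists starts and ends outside the hunk.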
@@ -18,6 +18,12 @@ Problems Corrected in 3.0.0 RC 3:
 files have been updated to warn that + is not supported by kernel versions 2.6.14 and later.
+4) When MACLIST_TABLE=mangle and an interface is enabled for DHCP (the
+ 'dhcp' option is specified in /etc/shorewall/interfaces) then broadcasts
+ on UDP port 67 to address 255.255.255.255 from address 0.0.0.0 were being
+ dropped and logged. While this did not prevent the client from acquiring
+ an IP address, it could result in lots of log messages.
+
 Migration Considerations:
 1) The "monitor" command has been eliminated.