From e7792fc868a69d61e4abdc9677b0cb8bb7b4a54c Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Fri, 3 Jul 2015 10:03:03 -0700
Subject: [PATCH] Exempt IPv4 DHCP broadcasts from rpfilter

Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Misc.pm | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index d7a0e6eca..5b5f16243 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -918,12 +918,22 @@ sub add_common_rules ( $$ ) {
 	    $target = $policy eq 'REJECT' ? 'reject' : $policy;
 	}
 
-	add_ijump( ensure_mangle_chain( 'rpfilter' ),
+	my $rpfilterref = ensure_mangle_chain( 'rpfilter' );
+
+	add_ijump( $rpfilterref,
+		   j => 'RETURN',
+		   s => NILIPv4,
+		   p => UDP,
+		   dport => 67,
+		   sport => 68
+		 ) if $family == F_IPV4;
+
+	add_ijump( $rpfilterref,
 		   j => $target,
 		   rpfilter => '--validmark --invert',
 		   state_imatch 'NEW,RELATED,INVALID',
 		   @ipsec
-		   );
+		 );
     }
 
     run_user_exit1 'initdone';
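Review bot: The new RETURN rule carries no comment explaining why a packet from 0.0.0.0 must bypass the rpfilter check, so a later reader of the rpfilter chain has no way to tell the exemption from an oversight; add above the first `add_ijump( $rpfilterref,` the comment `# A DHCP client that has no address yet sends DISCOVER/REQUEST from 0.0.0.0 (NILIPv4), which has no reverse route and can never satisfy rpfilter, so return it before the rpfilter match.` The match is already limited to source 0.0.0.0 and UDP sport 68 / dport 67; if add_ijump accepts a destination match the way it accepts `s =>`, pinning it to the broadcast destination 255.255.255.255 would exempt only genuine DHCP discovery traffic rather than every UDP 68->67 packet that claims the nil source. The trailing `) if $family == F_IPV4;` after a seven-line call is easy to miss when reading the chain; an `if ( $family == F_IPV4 ) { ... }` block around the call would put the condition where the eye lands first. add_common_rules begins before this hunk.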