From ef9d22b6471ae31dd5887b6f1bae18a77d00be64 Mon Sep 17 00:00:00 2001
From: teastep
Date: Wed, 13 Jul 2005 14:29:52 +0000
Subject: [PATCH] Avoid blocking DHCP broadcasts during MAC verification

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2327 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/firewall | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/Shorewall/firewall b/Shorewall/firewall
index 33dd12dd1..321743faa 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -2302,6 +2302,7 @@ setup_mac_lists() {
 local hosts
 local ipsec
 local policy=
+ local options
 #
 # Generate the list of interfaces having MAC verification
 #
@@ -2391,6 +2392,10 @@ setup_mac_lists() {
 run_iptables -A $chain -s $address -d 224.0.0.0/4 -j $chain1
 done
 
+ if $(interface_has_option $interface dhcp); then
+ run_iptables -A $chain -p udp --sport 68 --dport 67 -s 0.0.0.0 -d 255.255.255.255 -j ACCEPT
+ fi
+
 if [ -n "$MACLIST_LOG_LEVEL" ]; then
 log_rule $MACLIST_LOG_LEVEL $chain $MACLIST_DISPOSITION
 fi
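Review bot: The added `local options` in the first hunk is not read or assigned by any line this commit adds; the second hunk calls `interface_has_option` directly and never touches `options`. The body of setup_mac_lists lies mostly outside the hunk, so it may be used elsewhere. If it is not, the declaration should be dropped, or given a short comment saying what it shadows, so that a later reader does not assume the DHCP check depends on it.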
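Review bot: The new DHCP rule in the second hunk ends in `-j ACCEPT`, which is terminal, whereas the multicast rule just above it hands matching packets to `$chain1`. As written, any UDP 68→67 packet from 0.0.0.0 to 255.255.255.255 skips the MAC check and also whatever rules would normally be evaluated after this chain. If the intent is only to exempt DHCP client broadcasts from MAC verification, `-j $chain1` would presumably keep the rest of the ruleset in play; this needs confirming against how `$chain1` is set, which is outside the hunk. Separately, `if $(interface_has_option $interface dhcp); then` runs the function's output as a command, while `if interface_has_option $interface dhcp; then` tests its exit status directly. A comment above the rule such as `# Let DHCP client broadcasts (0.0.0.0 -> 255.255.255.255) past MAC verification` would record why the exemption exists.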