DHCP relay with UDP source port of 67 causes ISC 3.0.2 to respond with UDP source port of 1
Frank Bulk
frnkblk at iname.com
Fri Nov 3 16:46:02 UTC 2006
Chuck:
I read the same thing, which is why I tested that theory.
As I wrote below, "when I remove the POSTROUTING rule, it's interesting
to see that most everything comes out of the DHCP server with IP source
address of a.b.c.22, as it should, but there are some ACKs with a source
address of a.b.c.24 -- and guess what, they all have a src port of 1!"
Kind regards,
Frank
-----Original Message-----
From: dhcp-users-bounce at isc.org [mailto:dhcp-users-bounce at isc.org] On Behalf
Of Chuck Anderson
Sent: Friday, November 03, 2006 10:32 AM
To: dhcp-users at isc.org
Subject: Re: DHCP relay with UDP source port of 67 causes ISC 3.0.2 to respond with UDP source port of 1
On Fri, Nov 03, 2006 at 09:54:23AM -0600, Frank Bulk wrote:
> -A POSTROUTING -s a.b.c.22 -p udp -m udp --sport 67 -j SNAT --to-source a.b.c.24
> - when I remove the POSTROUTING rule, it's interesting to see that most
> everything comes out of the DHCP server with IP source address of a.b.c.22,
> as it should, but there are some ACKs with a source address of a.b.c.24 --
> and guess what, they all have a src port of 1! I tried over a dozen
> different iptables rules, but no success in catching those aberrant UDP src
> port 1 packets and changing them, via iptables, to UDP src port 67.
IPTables SNAT may be changing the source port number on you:

    --to-source ipaddr[-ipaddr][:port-port]
        which can specify a single new source IP address, an inclusive
        range of IP addresses, and optionally, a port range (which is
        only valid if the rule also specifies -p tcp or -p udp). If no
        port range is specified, then source ports below 512 will be
        mapped to other ports below 512: those between 512 and 1023
        inclusive will be mapped to ports below 1024, and other ports
        will be mapped to 1024 or above. Where possible, no port
        alteration will occur.
> - this leads me to conjecture that dhcpd, for some of its packets, is not
> binding to the right interface, and spewing out an incorrect packet.
>
> I agree, dhcpd shouldn't care what the source port from the DHCP relay is, but
> it's possible that there's something in the code that's leading dhcpd to
> occasionally use a different interface for its output.
The server binds to a raw socket to generate some packets, and a BSD
socket to generate others. This would explain the differences. I'm
not sure if IPTables rules apply to packets generated with a raw
socket.
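A small check for the symptom Frank describes (server replies leaving from the wrong address with UDP source port 1), written as an added example that is not part of this thread: it scans tcpdump-style lines and flags any DHCP reply whose source address or port is not the expected server socket. The capture lines are constructed, with 10.0.0.22 and 10.0.0.24 standing in for a.b.c.22 and a.b.c.24.

```python
import re

# Constructed tcpdump-style lines modelled on the thread's symptom: most
# replies leave 10.0.0.22:67 as expected, but some leave 10.0.0.24 with
# UDP source port 1. These are sample lines, not a real capture.
SAMPLE_LINES = """\
16:40:01.001 IP 10.0.1.1.67 > 10.0.0.22.67: BOOTP/DHCP, Request from 00:11:22:33:44:55, length 300
16:40:01.002 IP 10.0.0.22.67 > 10.0.1.1.67: BOOTP/DHCP, Reply, length 300
16:40:01.003 IP 10.0.0.22.67 > 10.0.1.1.67: BOOTP/DHCP, Reply, length 300
16:40:01.004 IP 10.0.0.24.1 > 10.0.1.1.67: BOOTP/DHCP, Reply, length 300
16:40:01.005 IP 10.0.0.24.1 > 10.0.1.1.67: BOOTP/DHCP, Reply, length 300
"""

# Matches the "src.port > dst.port: BOOTP/DHCP, Reply|Request" shape of
# tcpdump's default output; the greedy [\d.]+ backtracks to leave the port.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): BOOTP/DHCP, (?P<kind>Reply|Request)"
)


def find_aberrant_replies(capture_text, server_ip, server_port=67):
    """Return every DHCP reply not sourced from server_ip:server_port.

    A relay (or client) only accepts replies from UDP 67, so a reply that
    leaves from another address or port is the kind of packet the thread
    is hunting. Returns a list of dicts, one per offending line.
    """
    hits = []
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["kind"] != "Reply":
            continue  # skip unparsable lines and client/relay requests
        src, sport = m["src"], int(m["sport"])
        if src != server_ip or sport != server_port:
            hits.append({"ts": m["ts"], "src": src, "sport": sport, "dst": m["dst"]})
    return hits


def summarize(hits):
    """Count offending replies per (source address, source port) pair."""
    counts = {}
    for h in hits:
        key = (h["src"], h["sport"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_aberrant_replies(SAMPLE_LINES, "10.0.0.22")
    for key, n in summarize(found).items():
        print(f"{n} reply(ies) from {key[0]} port {key[1]}")
```

Run it against the output of `tcpdump -n -i <iface> udp port 67` to see whether the stray replies share one source address and port, as they did in Frank's case.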