Limit DHCP requests with iptables - problem: Router

Dorsey, Chris dorsey2 at llnl.gov
Wed Aug 29 18:43:31 UTC 2012


We are seeing a lot of induced IO wait due to processing/logging of unwanted DHCP requests from *known* MAC addresses (broken printers, misbehaving clients, etc.) and were very interested in this thread.  After some hopeful testing with iptables based on some clues in this thread, we have abandoned this approach after one of our admins discovered the following article confirming that ISC DHCP uses raw sockets which get processed before iptables, rendering iptables-based solutions useless for these types of problems:
    https://deepthought.isc.org/article/AA-00378/0/Why-does-DHCP-use-raw-sockets.html

Our limited testing confirms this fact.  Other solutions in this space would seem to be external filtering in front of the DHCP servers (possible), fixing broken clients (valiant but impractical at scale), or enhancing dhcpd with the ability to allow for administrator-configured filtering.   This last one seems the most attractive for several reasons.  Any other possible solution approaches?

Chris
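Editor's note, as an added example that is not part of Chris's message: the per-client filtering the message asks for is partly available in stock ISC dhcpd through the `ignore booting` statement, which dhcpd.conf(5) documents as behaving like `deny booting` but without writing a log line for each refused request. The MAC addresses below are placeholders from the RFC 7042 documentation range, not values from the thread.

```conf
# Added example (not from the original post): silence known-bad clients
# inside dhcpd itself, per host declaration.
#
# "ignore booting" acts like "deny booting" (no lease, no reply) and also
# suppresses the per-request log entry. The packet still reaches dhcpd's
# raw socket and is parsed before the host lookup, so this removes the
# logging cost of each broken client, not the cost of receiving the frame.
# MAC addresses are placeholders (RFC 7042 documentation range); replace
# them with the real offenders.

host broken-printer-1 {
    hardware ethernet 00:00:5e:00:53:01;
    ignore booting;
}

host misbehaving-client-1 {
    hardware ethernet 00:00:5e:00:53:02;
    ignore booting;
}
```

Run `dhcpd -t -cf /etc/dhcp/dhcpd.conf` after editing to syntax-check the file before restarting the daemon.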

