[Dnsmasq-discuss] DNSMasq, DHCP, Shorewall, and Proxy Arp

Simon Kelley simon at thekelleys.org.uk
Wed Feb 6 21:21:20 GMT 2008


Steve H. wrote:
> On Monday 04 February 2008 09:04:22 pm richardvoigt at gmail.com wrote:
> 
>>It's not a safeguard.  It is *necessary* to ensure correct handling of
>>relays.
>>
> 
> This basically sounds like a policy decision on relays.  For instance, people 
> in my situation would _like_ the 'incorrect handling' you speak of.  While I 
> appreciate the effort you took in coming up with the example, I think it 
> muddies things more.  Having 2 different sub-nets, with 2 different security 
> requirements served via a single dhcp server just seems like asking for 
> trouble (In my case, all the machines have the same security risks - all are 
> public servers).  Anyway, thanks for clarifying the thought process behind 
> the behavior. I do appreciate all the time you've taken to explain things.
> 
> 
>>Of course that will work.  DHCP relays are always used to serve nodes
>>beyond the next-hop, never from the same subnet (in the same subnet no
>>relay is needed).
>>
> 
> Ok - since I have to eat an address on every subnet, I might as well assign 
> them directly to the DNSMasq interface, and skip the relays.  Then DNSMasq 
> should be happy.  I was hoping to avoid this as it eats an I.P. address, and 
> requires me to remember to add a new I.P. to the DNSMasq interface every time 
> I get a new sub-net.  However, that would be less trouble than having to do 
> that _and_ configure a relay for each new subnet.
> 
> Thanks again for all the help,
> Steve
> 

I'm happy to leave the argument about what should happen to others, but 
it might help to understand the process by which the current behaviour 
is generated.

The inference system that generates an IP address goes like this.

Start with all DHCP ranges.
Eliminate those which don't include an address on the same subnet as one 
of the addresses of the arrival interface, or the address of the relay 
(if the packet arrived via a relay).
If no DHCP ranges are left, log an error "no address range available....."
Search for a dhcp-host line which matches the host (MAC address or name) 
and has an address in the subnet corresponding to one of the remaining 
DHCP ranges.
If a dhcp-host line is found, use that address; otherwise allocate a 
free address from one of the remaining DHCP ranges.


Note that in this scheme it's fine to have more than one dhcp-host 
line associated with (eg) a MAC address, allowing a host to have a fixed 
IP on each subnet which it might appear on. If dhcp-host lines trumped 
everything, then this facility would be lost.

Cheers,

Simon.
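The four-step inference Simon describes, worked through as an added example. This is a model written for this page, not dnsmasq source: it parses a constructed handful of dhcp-range/dhcp-host lines and runs the selection order (restrict ranges by subnet, fail with "no address range available" if none survive, prefer a dhcp-host entry whose address lies in a surviving subnet, else allocate a free address). Two readings are assumptions of mine: when a packet carries a relay address, only that address is used to pick the subnet (the interface addresses are used for non-relayed packets), and addresses reserved by dhcp-host lines are skipped during dynamic allocation. The netmask default and all config lines, MACs and addresses are constructed for the example.

```python
"""Model of the DHCP address-inference order described in the message above.

Added illustration, not dnsmasq code. Assumptions: a relayed packet is placed
on the relay address's subnet; dhcp-host addresses are not handed out
dynamically; a dhcp-range without a netmask is treated as /24.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address


class NoAddressRange(Exception):
    """Raised where dnsmasq would log "no address range available"."""


@dataclass(frozen=True)
class DhcpRange:
    start: IPv4
    end: IPv4
    netmask: IPv4

    @property
    def network(self) -> ipaddress.IPv4Network:
        # The subnet the range belongs to, e.g. 192.168.1.0/24.
        return ipaddress.ip_network(f"{self.start}/{self.netmask}", strict=False)


@dataclass(frozen=True)
class DhcpHost:
    ident: str   # MAC address or hostname, stored lower-case
    addr: IPv4


def parse_config(text: str) -> Tuple[List[DhcpRange], List[DhcpHost]]:
    """Parse the dhcp-range= and dhcp-host= subset used in this example."""
    ranges, hosts = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        fields = [f for f in value.split(",") if not f.startswith(("tag:", "set:"))]
        ips = []
        for f in fields:
            try:
                ips.append(IPv4(f))
            except ValueError:
                pass   # lease time, hostname, etc. are not addresses
        if key == "dhcp-range" and len(ips) >= 2:
            # start,end[,netmask][,broadcast][,lease]; assumed /24 if no netmask given
            netmask = ips[2] if len(ips) > 2 else IPv4("255.255.255.0")
            ranges.append(DhcpRange(ips[0], ips[1], netmask))
        elif key == "dhcp-host" and ips:
            hosts.append(DhcpHost(fields[0].lower(), ips[0]))
    return ranges, hosts


def candidate_ranges(ranges: List[DhcpRange], iface_addrs: List[IPv4],
                     giaddr: Optional[IPv4] = None) -> List[DhcpRange]:
    """Step 1: keep only ranges sharing a subnet with the reference address(es).

    Assumed reading: the relay address is the reference for a relayed packet,
    otherwise the arrival interface's addresses are."""
    refs = [giaddr] if giaddr is not None else list(iface_addrs)
    return [r for r in ranges if any(a in r.network for a in refs)]


def infer_address(ranges: List[DhcpRange], hosts: List[DhcpHost], ident: str,
                  iface_addrs: List[IPv4], giaddr: Optional[IPv4] = None,
                  leased: frozenset = frozenset()) -> IPv4:
    cands = candidate_ranges(ranges, iface_addrs, giaddr)
    if not cands:   # step 2
        raise NoAddressRange(f"no address range available for DHCP request from {ident}")
    # Step 3: a dhcp-host line only counts if its address sits in a surviving
    # subnet, which is what lets one MAC have a fixed address on each subnet.
    for h in hosts:
        if h.ident == ident.lower() and any(h.addr in r.network for r in cands):
            return h.addr
    # Step 4: first free address in the surviving ranges (reserved ones skipped).
    taken = set(leased) | {h.addr for h in hosts}
    for r in cands:
        a = r.start
        while a <= r.end:
            if a not in taken:
                return a
            a += 1
    raise NoAddressRange("all candidate ranges are exhausted")


# Constructed example config (not from the thread): two subnets, one MAC
# with a fixed address on each of them.
CONFIG = """\
dhcp-range=192.168.1.50,192.168.1.150,255.255.255.0,12h
dhcp-range=10.0.2.50,10.0.2.150,255.255.255.0,12h
dhcp-host=00:11:22:33:44:55,192.168.1.10
dhcp-host=00:11:22:33:44:55,10.0.2.10
"""
RANGES, HOSTS = parse_config(CONFIG)
LAN = [IPv4("192.168.1.1")]   # address of dnsmasq's arrival interface


def demo() -> Dict[str, object]:
    out: Dict[str, object] = {}
    # known MAC, direct request on the 192.168.1.0/24 interface
    out["direct-known"] = infer_address(RANGES, HOSTS, "00:11:22:33:44:55", LAN)
    # same MAC relayed from 10.0.2.0/24: the second dhcp-host line is chosen
    out["relayed-known"] = infer_address(RANGES, HOSTS, "00:11:22:33:44:55", LAN,
                                         giaddr=IPv4("10.0.2.1"))
    # unknown MAC, dynamic allocation with .50 already leased
    out["direct-unknown"] = infer_address(RANGES, HOSTS, "de:ad:be:ef:00:01", LAN,
                                          leased=frozenset({IPv4("192.168.1.50")}))
    # relay on a subnet with no dhcp-range: the "no address range" error
    try:
        infer_address(RANGES, HOSTS, "de:ad:be:ef:00:01", LAN, giaddr=IPv4("172.16.0.1"))
        out["relayed-unconfigured"] = None
    except NoAddressRange as e:
        out["relayed-unconfigured"] = str(e)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The last case is the situation from the thread: a request arriving via a relay whose address is on a subnet with no dhcp-range is rejected at step 2, before any dhcp-host line is consulted, which is why a per-MAC reservation alone does not rescue it.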
