[Dnsmasq-discuss] Problems with DHCP packets with broadcast flag enabled

Simon Kelley simon at thekelleys.org.uk
Mon May 7 21:04:31 BST 2012


On 07/05/12 20:47, Daniel Figueira wrote:
> Hello.
>
>
>
> I’m working on a scenario in which ARP is disabled on a given interface. We
> have a deamon that only responds to ARP requests coming from authorized
> clients. The authorized client list is given by the DHCP lease list.
>
>
>
> When emulating multiple DHCP clients with the Broadcast Flag active, the
> dnsmasq daemon receives the DHCP DISCOVER packets, and according to the
> log, it also sends the DHCP OFFER packets. However, when capturing traffic
> with tcpdump I am unable to see the DHCP OFFER packets. Furthermore, no
> DHCP leases exist in /var/lib/misc/dnsmasq.leases and no client gains IP.
>
>
>
> We are working in a Linux system (2.6.34.8).
>
>
>
> Do you have any suggestions to overcome this problem?
>

Use ISC dhcpd instead :-)

The problem is that dnsmasq rather fundamentally relies on the ARP system.

When it's sending packets to a client which doesn't yet know its own IP 
address, and can't therefore reply to ARP requests, it injects the (IP, 
mac address) pair into the the local ARP cache before sending the 
packet. You've broken this mechanism, and that's why nothing is working.

The ARP fiddling happens _before_ the DHCP lease is established.

There are several possible ways around this, but all involve significant 
hacking.

1) Abandon ARP fiddling, and send the packet to the client via raw net 
access direct to the MAC address instead. Dnsmasq does this on *BSD 
where the ARP trick doesn't work, so the code is there, you just need to 
add the non-portable code to send raw packets in Linux. (ISC dhcpd uses 
this technique, hence my light-hearted suggestion above.)

2) Teach dnsmasq and your daemon to  co-operate, so that dnsmasq talks 
to the daemon to do the ARP fiddling instead of manipulating the ARP 
cache directly.

3) Work out why the broadcast flag in not working. When replying to 
DHCPDISCOVER packets with the broadcast flag set, dnsmasq doesn't use 
the ARP trick, it sends the reply to INADDR_BROADCAST. (ie 
255.255.255.255) The most common reason this fails is ill-advised 
firewall rules.


The packet-sending code is in src/dhcp.c, the last few hundred lines of 
dhcp_packet().


HTH


Simon.





More information about the Dnsmasq-discuss mailing list