[Dnsmasq-discuss] Problems with DHCP packets with broadcast flag enabled
Simon Kelley
simon at thekelleys.org.uk
Mon May 7 21:04:31 BST 2012
On 07/05/12 20:47, Daniel Figueira wrote:
> Hello.
>
> I’m working on a scenario in which ARP is disabled on a given interface. We
> have a daemon that only responds to ARP requests coming from authorized
> clients. The authorized client list is given by the DHCP lease list.
>
> When emulating multiple DHCP clients with the Broadcast Flag active, the
> dnsmasq daemon receives the DHCP DISCOVER packets, and according to the
> log, it also sends the DHCP OFFER packets. However, when capturing traffic
> with tcpdump I am unable to see the DHCP OFFER packets. Furthermore, no
> DHCP leases exist in /var/lib/misc/dnsmasq.leases and no client gains IP.
>
> We are working in a Linux system (2.6.34.8).
>
> Do you have any suggestions to overcome this problem?
>
Use ISC dhcpd instead :-)
The problem is that dnsmasq rather fundamentally relies on the ARP system.
When it's sending packets to a client which doesn't yet know its own IP
address, and can't therefore reply to ARP requests, it injects the (IP,
mac address) pair into the local ARP cache before sending the
packet. You've broken this mechanism, and that's why nothing is working.
The ARP fiddling happens _before_ the DHCP lease is established.
There are several possible ways around this, but all involve significant
hacking.
1) Abandon ARP fiddling, and send the packet to the client via raw net
access direct to the MAC address instead. Dnsmasq does this on *BSD
where the ARP trick doesn't work, so the code is there, you just need to
add the non-portable code to send raw packets in Linux. (ISC dhcpd uses
this technique, hence my light-hearted suggestion above.)
2) Teach dnsmasq and your daemon to co-operate, so that dnsmasq talks
to the daemon to do the ARP fiddling instead of manipulating the ARP
cache directly.
3) Work out why the broadcast flag is not working. When replying to
DHCPDISCOVER packets with the broadcast flag set, dnsmasq doesn't use
the ARP trick, it sends the reply to INADDR_BROADCAST (i.e.
255.255.255.255). The most common reason this fails is ill-advised
firewall rules.
The packet-sending code is in src/dhcp.c, the last few hundred lines of
dhcp_packet().
HTH
Simon.
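The addressing decision Simon describes, as an added illustration (not dnsmasq code and not part of the thread): parse the BOOTP header of a DHCPDISCOVER, test the broadcast flag, and report whether the DHCPOFFER can go to 255.255.255.255 or must be unicast to a host that cannot yet answer ARP (the case where dnsmasq seeds the Linux ARP cache). The relay (giaddr) and ciaddr branches follow RFC 2131 section 4.1 and go beyond what the thread discusses; the packet contents, MAC and offered address are constructed sample values.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Optional

BROADCAST_FLAG = 0x8000            # RFC 2131: most significant bit of the 16-bit 'flags' field
INADDR_BROADCAST = "255.255.255.255"

@dataclass
class ReplyTarget:
    dst_ip: str
    dst_mac: Optional[str]         # None: resolve normally (relay agent or configured host)
    needs_arp_entry: bool          # True: unicast to a host that cannot yet answer ARP

def parse_bootp(pkt: bytes) -> dict:
    """Parse the fixed 236-byte BOOTP header shared by all DHCP messages."""
    if len(pkt) < 236:
        raise ValueError("short BOOTP header")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", pkt[:12])
    ciaddr, yiaddr, siaddr, giaddr = (pkt[i:i + 4] for i in range(12, 28, 4))
    return {"op": op, "xid": xid, "flags": flags, "ciaddr": ciaddr,
            "giaddr": giaddr, "chaddr": pkt[28:28 + hlen]}

def reply_target(discover: bytes, offered_ip: str) -> ReplyTarget:
    """Decide where a DHCPOFFER answering 'discover' has to be sent (RFC 2131 s4.1)."""
    h = parse_bootp(discover)
    mac = h["chaddr"].hex(":")
    if h["giaddr"] != bytes(4):                     # relayed: answer the relay agent
        return ReplyTarget(socket.inet_ntoa(h["giaddr"]), None, False)
    if h["ciaddr"] != bytes(4):                     # client already owns an address
        return ReplyTarget(socket.inet_ntoa(h["ciaddr"]), None, False)
    if h["flags"] & BROADCAST_FLAG:                 # the case the thread is about
        return ReplyTarget(INADDR_BROADCAST, "ff:ff:ff:ff:ff:ff", False)
    # Unicast to an IP the client does not own yet: the server must seed the ARP
    # cache (Linux) or send a raw frame (*BSD) because the client cannot reply to ARP.
    return ReplyTarget(offered_ip, mac, True)

def build_discover(chaddr: bytes, flags: int, xid: int = 0x3903F326) -> bytes:
    """Constructed minimal DHCPDISCOVER (sample data, not captured traffic)."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, flags)   # BOOTREQUEST, Ethernet
    hdr += bytes(16)                                           # ciaddr yiaddr siaddr giaddr
    hdr += chaddr.ljust(16, b"\x00")                           # chaddr padded to 16 bytes
    hdr += bytes(64 + 128)                                     # sname, file
    return hdr + b"\x63\x82\x53\x63" + b"\x35\x01\x01\xff"      # cookie, opt 53=DISCOVER, end

if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")
    for flags in (BROADCAST_FLAG, 0):
        print(hex(flags), reply_target(build_discover(mac, flags), "192.168.1.50"))
```

Running `parse_bootp` over a DISCOVER captured with tcpdump shows whether the emulated clients really set the flag; if they do and the OFFER is still absent from the capture, the cause lies between the socket and the wire (option 3 above) rather than in the ARP trick.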