[Dnsmasq-discuss] [PATCH] Add support for --dhcp-allowed-srvids option.
Geert Stappers
stappers at stappers.nl
Mon Jun 17 19:58:27 UTC 2024
Hello Marek,
Hello Dnsmasq Mailinglist,
On Mon, Jun 17, 2024 at 09:31:44PM +0200, Geert Stappers wrote:
> From: Marek Skrobacki via Dnsmasq-discuss <dnsmasq-discuss at lists.thekelleys.org.uk>
>
> If the DHCP server is running inside a container or behind a load
> balancer, the DHCPREQUEST arriving at dnsmasq for processing may have a
> Server ID (option 54) configured with an IP address that is not assigned
> to the local interface. In this case, dnsmasq will check if the 'Server
> Identifier Override' option was set in the incoming packet.
>
> - If it was not set, the packet is dropped.
> - If it was set, dnsmasq evaluates the Server ID against the value
> provided in 'Server ID Override' suboption 11, as outlined in RFC5107.
>
> In both cases, there is no match against the 'backend' IP address
> configured on the interface. This results in the DHCPNAK being returned
> with the 'wrong server' message.
>
> The --dhcp-allowed-srvids option allows turning off this security
> mechanism for specific address(es). When enabled, the incoming
> DHCPREQUEST is evaluated against the provided value(s) instead of the
> addresses configured on the local interfaces.
>
> Signed-off-by: Marek Skrobacki <skrobul at skrobul.com>
> ---
> man/dnsmasq.8 | 20 ++++++++++++++++++++
> src/dnsmasq.h | 2 ++
> src/option.c | 15 +++++++++++++++
> src/rfc2131.c | 46 ++++++++++++++++++++++++++++++++++++++--------
> 4 files changed, 75 insertions(+), 8 deletions(-)
>
That I did a complete retransmit is for getting the patch
at https://lists.sr.ht/~stappers/dnsmasqmlpc/patches
The "why" is at https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q2/017608.html
Regards
Geert Stappers
--
Silence is hard to parse
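
The Server ID check that the quoted commit message describes, as an added example that is not part of the original mail and not dnsmasq's code. It is a simplified model: the names check_server_id, find_server_id and the sample addresses are assumptions, and RFC 5107 override handling and the drop/DHCPNAK response are not modelled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { SRV_ACCEPT, SRV_NOT_FOR_US, SRV_NO_ID, SRV_MALFORMED };

/* Find option 54 (Server Identifier) in a DHCP options field, i.e. the bytes
   after the magic cookie. Returns 1 if found, 0 if absent, -1 if malformed. */
static int find_server_id(const uint8_t *opts, size_t len, uint8_t id[4]) {
  size_t i = 0;
  while (i < len && opts[i] != 255) {            /* 255 = End */
    if (opts[i] == 0) { i++; continue; }         /* 0 = Pad, has no length byte */
    if (len - i < 2 || (size_t)opts[i + 1] > len - i - 2) return -1; /* truncated */
    if (opts[i] == 54) {
      if (opts[i + 1] != 4) return -1;           /* must hold one IPv4 address */
      memcpy(id, opts + i + 2, 4);
      return 1;
    }
    i += 2u + opts[i + 1];
  }
  return 0;
}

/* Hypothetical helper (not dnsmasq code): with a non-empty allow-list the
   Server ID is matched against it INSTEAD of the local addresses, as the
   commit message describes. RFC 5107 override handling is left out. */
enum verdict check_server_id(const uint8_t *opts, size_t len,
                             const uint8_t (*local)[4], size_t nlocal,
                             const uint8_t (*allowed)[4], size_t nallowed) {
  uint8_t id[4];
  int r = find_server_id(opts, len, id);
  if (r <= 0) return r ? SRV_MALFORMED : SRV_NO_ID;
  const uint8_t (*set)[4] = nallowed ? allowed : local;
  size_t n = nallowed ? nallowed : nlocal;
  for (size_t k = 0; k < n; k++)
    if (memcmp(id, set[k], 4) == 0) return SRV_ACCEPT;
  return SRV_NOT_FOR_US;
}

/* Constructed samples: a DHCPREQUEST naming front-end address 192.0.2.10. */
const uint8_t sample_req[] = { 53, 1, 3, 54, 4, 192, 0, 2, 10, 255 };
const uint8_t sample_trunc[] = { 54, 4, 192, 0 };     /* value cut short */
const uint8_t backend[1][4] = { { 10, 0, 0, 5 } };    /* address on the interface */
const uint8_t vip[1][4] = { { 192, 0, 2, 10 } };      /* allow-listed Server ID */

int main(void) {
  printf("no allow-list: %d\n", check_server_id(sample_req, sizeof sample_req, backend, 1, NULL, 0));
  printf("VIP allowed: %d\n", check_server_id(sample_req, sizeof sample_req, backend, 1, vip, 1));
  return 0;
}
```

Because every address on the allow-list is treated as this server's own identity, the list is best kept to the exact front-end addresses that forward to the instance.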