DHCP and conntrack?

DHCP and conntrack?

[James Garrison]

Does connection tracking understand incoming DHCP responses as
being related to recent outgoing broadcast DHCP requests?  In other
words,  if I configure iptables to allow outgoing DHCP broadcast
requests, do I have to explicitly open up a hole for the returning
response, or will conntrack do it for me with RELATED?

-- 
James Garrison                                Athens Group, Inc.
mailto:jhg@athensgroup.com                    5608 Parkcrest Dr
http://www.athensgroup.com                    Austin, TX 78731
PGP: RSA=0x92E90A3B DH/DSS=0x498D331C         (512) 345-0600 x150

Re: DHCP and conntrack?

[sshore]

[-- Attachment #1: Type: text/plain, Size: 742 bytes --]

On Fri, Jun 07, 2002 at 12:00:19PM -0500, James Garrison wrote:
> Does connection tracking understand incoming DHCP responses as
> being related to recent outgoing broadcast DHCP requests?  In other
> words,  if I configure iptables to allow outgoing DHCP broadcast
> requests, do I have to explicitly open up a hole for the returning
> response, or will conntrack do it for me with RELATED?

Since dhcp requests go out on port 68, and responses come back on port 67, 
connection tracking will not relate them. you'll need to explicitly open 
up a hole for the returning response.

-- 
Scottie Shore <sshore@escape.ca>
"You haven't gamed until you've circle-strafed while barrel rolling."
  - Blair on the Logitech Cyberman II

[-- Attachment #2: Type: application/pgp-signature, Size: 232 bytes --]

Re: DHCP and conntrack?

[James Garrison]

So what you're saying is that there's no "ip_conntrack_dhcp" function
builtin, analogous to ip_conntrack_ftp, that would maintain the
relationship in spite of the different port numbers, right?

sshore@escape.ca wrote:
> Since dhcp requests go out on port 68, and responses come back on port 67, 
> connection tracking will not relate them. you'll need to explicitly open 
> up a hole for the returning response.

-- 
James Garrison                                Athens Group, Inc.
mailto:jhg@athensgroup.com                    5608 Parkcrest Dr
http://www.athensgroup.com                    Austin, TX 78731
PGP: RSA=0x92E90A3B DH/DSS=0x498D331C         (512) 345-0600 x150

Re: DHCP and conntrack?

[Ramin Alidousti]

On Fri, Jun 07, 2002 at 12:38:35PM -0500, sshore@escape.ca wrote:

> On Fri, Jun 07, 2002 at 12:00:19PM -0500, James Garrison wrote:
> > Does connection tracking understand incoming DHCP responses as
> > being related to recent outgoing broadcast DHCP requests?  In other
> > words,  if I configure iptables to allow outgoing DHCP broadcast
> > requests, do I have to explicitly open up a hole for the returning
> > response, or will conntrack do it for me with RELATED?
> 
> Since dhcp requests go out on port 68, and responses come back on port 67, 
> connection tracking will not relate them.

It's like you say, http traffic is not being tracked because the
outgoing packets go out on port 8 and the incoming packets come in
on port whatever like 1025. So, no, that's not the reason. The
reason could be this:

15:26:43.933324 vlan6 B 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0xdefebd43
15:26:43.981708 vlan6 > 10.0.6.1.bootps > 255.255.255.255.bootpc: xid:0xdefebd43

As you can see there is no "regular" src.port/dst.port relationship
here for the general conntrack module to catch this.

I hope that some guru someday will add this intelligence to the
code :-)

Ramin

> you'll need to explicitly open 
> up a hole for the returning response.
> 
> -- 
> Scottie Shore <sshore@escape.ca>
> "You haven't gamed until you've circle-strafed while barrel rolling."
>   - Blair on the Logitech Cyberman II