Bug #3257

ip /mac binding blocks dhcp server requests

Added by Davide Marini about 4 years ago. Updated almost 4 years ago.

Status: CLOSED
Priority: Normal
Assignee: -
% Done: 100%
Category: nethserver-firewall-base
Target version: v6.7
Affected version: v6.6
NEEDINFO: No
Start date:
Due date:
Security class:
Resolution:

Description

Scenario:
  • NethServer with (at least) green + red configuration
  • dhcp server enabled on green
  • dhcp reservation
  • ip /mac binding enabled
  • ip/mac binding policy : block all traffic without binding

This kind of configuration is useful to leave all clients with a dynamic IP: the DHCP server always releases the same IP based on MAC identification, and the devices not in the DHCP reservations are blocked by the firewall.

In this scenario no device can receive an IP address from the DHCP server because every request made to the firewall is blocked (the client is asking for an IP address but it doesn't have one yet, so it won't match the IP/MAC binding table).

Associated revisions

Revision 8db30226
Added by Giovanni Bezicheri about 4 years ago

Fix ip /mac binding blocks dhcp server requests. Refs #3257

Revision d5830b31
Added by Giacomo Sanchietti about 4 years ago

IP/MAC binding: always enable dhcp option on green interfaces. Refs #3257

History

#1 Updated by Davide Marini about 4 years ago

The solution is to add the option "dhcp" in the file /etc/shorewall/interfaces for the loc zones. The option accepts every request on ports 67, 68 UDP; it works even in case of MACLIST_TABLE=mangle.

#2 Updated by Giovanni Bezicheri about 4 years ago

  • Assignee set to Giovanni Bezicheri

#3 Updated by Giovanni Bezicheri about 4 years ago

  • Category set to nethserver-shorewall
  • Status changed from NEW to TRIAGED
  • Target version set to v6.7
  • % Done changed from 0 to 20
  • Security class set to important
  • Affected version set to v6.6

#4 Updated by Giovanni Bezicheri about 4 years ago

  • Status changed from TRIAGED to ON_DEV
  • % Done changed from 20 to 30

#5 Updated by Giovanni Bezicheri about 4 years ago

  • Category changed from nethserver-shorewall to nethserver-firewall-base

#6 Updated by Giovanni Bezicheri about 4 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

#7 Updated by Giovanni Bezicheri about 4 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Giovanni Bezicheri)
  • % Done changed from 60 to 70
Package in nethserver-testing:
  • nethserver-firewall-base-2.8.0-1.2.g8db3022.ns6.noarch.rpm

Check the bug is not reproducible.

#8 Updated by Giacomo Sanchietti about 4 years ago

  • Status changed from ON_QA to TRIAGED
  • % Done changed from 70 to 20
  • Security class deleted (important)

The fix should be much simpler: always add the dhcp option for green interfaces.

#9 Updated by Giacomo Sanchietti about 4 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 20 to 30

#10 Updated by Giacomo Sanchietti about 4 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

#11 Updated by Giacomo Sanchietti about 4 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 60 to 70
Packages in nethserver-testing:
  • nethserver-firewall-base-2.8.0-1.4.gd5830b3.ns6.noarch.rpm
  • nethserver-firewall-base-ui-2.8.0-1.4.gd5830b3.ns6.noarch.rpm
Test case
  • Check dhcp option is enabled on green interfaces
  • Check the bug is not reproducible
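
The first test case above ("dhcp option is enabled on green interfaces") can be scripted. This is an added example, not part of the tracker thread or of NethServer's code: it lists the `loc`-zone interfaces in a Shorewall interfaces file whose options lack `dhcp`, and marks those that also carry the `maclist` option. The function name and the sample file contents are constructed for illustration, and the script assumes OPTIONS is the last column of each entry.

```shell
#!/bin/sh
# Print the interfaces of one Shorewall zone whose OPTIONS lack "dhcp".
# Interfaces that also have "maclist" set are printed as "IFACE maclist":
# that is the combination described in this bug (MAC filtering on, DHCP not exempted).
# Usage: ifaces_missing_dhcp [FILE|-] [ZONE]   (defaults: stdin, zone "loc")
ifaces_missing_dhcp() {
    awk -v zone="${2:-loc}" '
        { sub(/#.*/, "") }                         # strip comments
        NF < 2 || substr($1, 1, 1) == "?" { next } # blank lines, ?FORMAT directives
        $1 != zone { next }
        {
            # OPTIONS is the last column in both layouts:
            #   ZONE INTERFACE OPTIONS  and  ZONE INTERFACE BROADCAST OPTIONS
            opts = (NF >= 3) ? $NF : ""
            n = split(opts, o, ",")
            has_dhcp = 0; has_maclist = 0
            for (i = 1; i <= n; i++) {
                if (o[i] == "dhcp")    has_dhcp = 1
                if (o[i] == "maclist") has_maclist = 1
            }
            flag = has_maclist ? " maclist" : ""
            if (!has_dhcp) print $2 flag
        }
    ' "${1:--}"
}

# Constructed sample (not taken from a real host): eth0 shows the broken state,
# eth2 the fixed one, eth1 is the red interface and is ignored.
ifaces_missing_dhcp - <<'EOF'
?FORMAT 2
#ZONE  INTERFACE  OPTIONS
loc    eth0       maclist,nosmurfs
loc    eth2       dhcp,maclist,nosmurfs
net    eth1       nosmurfs
EOF
```

On a firewall, pass `/etc/shorewall/interfaces` as the first argument; empty output means every green interface has the option.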

#12 Updated by dz0 0te almost 4 years ago

  • Assignee set to dz0 0te

#13 Updated by dz0 0te almost 4 years ago

  • Status changed from ON_QA to VERIFIED
  • Assignee deleted (dz0 0te)
  • % Done changed from 70 to 90

System and Package Version installed
VM KVM - Clean install of Nethserver 6.7 fully updated - 2 eth
Package Installed: nethserver-firewall-base-2.8.0-1.ns6.noarch
nethserver-firewall-base-ui-2.8.0-1.ns6.noarch
Other Package installed: Basic firewall,DNS and DHCP server,Intrusion Prevention System

Test Original Problem
dhcp server enabled on green
dhcp reservation for client
ip /mac binding enabled
ip/mac binding policy : block all traffic without binding
PC in DHCP and IP/MAC binding doesn't receive an IP

Install Updated Package

yum --enablerepo=nethserver-testing update nethserver-firewall-base-2.8.0-1.4.gd5830b3.ns6.noarch nethserver-firewall-base-ui-2.8.0-1.4.gd5830b3.ns6.noarch

Test Results after update
Test case 1:
dhcp server enabled on green
dhcp reservation for client
ip /mac binding enabled
ip/mac binding policy : block all traffic without binding
PC in DHCP and with IP/MAC binding enabled with block policy receives an IP and works correctly

Verified or Reopen
Verified

Note

#14 Updated by Giacomo Sanchietti almost 4 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100
Released in nethserver-updates:
  • nethserver-firewall-base-ui-2.9.0-1.ns6.noarch.rpm
  • nethserver-firewall-base-2.9.0-1.ns6.noarch.rpm
