Debian Bug report logs -
#648401
DHCP relay agent does not listen properly for return packets
Reported by: Geoff Crompton <geoffc@trinity.unimelb.edu.au>
Date: Fri, 11 Nov 2011 06:03:02 UTC
Severity: important
Tags: patch
Found in versions isc-dhcp/4.1.1-P1-15+squeeze3, isc-dhcp/4.2.2.dfsg.1-5+deb70u2
Fixed in version isc-dhcp/4.3.3-7
Done: Michael Gilbert <mgilbert@debian.org>
Bug is archived. No further changes may be made.
Forwarded to lists.isc.org/pipermail/dhcp-hackers/2013-February/002007.html
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian ISC DHCP maintainers <pkg-dhcp-devel@lists.alioth.debian.org>:
Bug#648401; Package isc-dhcp-relay.
(Fri, 11 Nov 2011 06:03:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Geoff Crompton <geoffc@trinity.unimelb.edu.au>:
New Bug report received and forwarded. Copy sent to Debian ISC DHCP maintainers <pkg-dhcp-devel@lists.alioth.debian.org>.
(Fri, 11 Nov 2011 06:03:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: isc-dhcp-relay
Version: 4.1.1-P1-15+squeeze3
Severity: normal
Tags: patch
The dhcrelay man page doesn't mention that if you use any -i option to
specify interfaces, you need to add an -i option for the interface used to
contact the DHCP server. Otherwise dhcrelay silently drops the packets
(which took me an afternoon to figure out).
It seems some versions of the dhcrelay man page have had this as a warning,
see this copy:
http://linuxcommand.org/man_pages/dhcrelay8.html
I haven't checked when the documentation changed. I've added a patch with my
suggested alteration to the man page.
-- System Information:
Debian Release: 6.0.3
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages isc-dhcp-relay depends on:
ii debconf [debconf-2. 1.5.36.1 Debian configuration management sy
ii debianutils 3.4 Miscellaneous utilities specific t
ii isc-dhcp-common 4.1.1-P1-15+squeeze3 common files used by all the isc-d
ii libc6 2.11.2-10 Embedded GNU C Library: Shared lib
isc-dhcp-relay recommends no packages.
isc-dhcp-relay suggests no packages.
-- debconf information excluded
[patch (text/plain, attachment)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian ISC DHCP maintainers <pkg-dhcp-devel@lists.alioth.debian.org>:
Bug#648401; Package isc-dhcp-relay.
(Fri, 16 Mar 2012 15:03:09 GMT) (full text, mbox, link).
Acknowledgement sent
to Geert Stappers <stappers@stappers.nl>:
Extra info received and forwarded to list. Copy sent to Debian ISC DHCP maintainers <pkg-dhcp-devel@lists.alioth.debian.org>.
(Fri, 16 Mar 2012 15:03:09 GMT) (full text, mbox, link).
Message #10 received at 648401@bugs.debian.org (full text, mbox, reply):
Hello ISC DHCP maintainers,
Bug 648401, isc-dhcp-relay: dhcrelay(8) doesn't mention need for -i on server facing interface,
is harmful in combination with current debconf text.
The text in
+--------------------------| DHCP Relay |-----------------------------+
| |
| Please specify which network interface(s) the DHCP relay should |
| attempt to configure. Multiple interface names should be entered |
| as a space-separated list. |
| |
| Leave this field blank to allow for automatic detection and |
| configuration of network interfaces by the DHCP relay, in which |
| case only broadcast interfaces will be used (if possible). |
| |
| Interfaces the DHCP relay should listen on: |
| |
| __________________________________________________________ |
| |
| <Ok> |
| |
+---------------------------------------------------------------------+
did trick me into entering only the interface I thought it should listen on.
It took me several hours to find that it is actually asking:
Enumerate all involved interfaces,
so that remaining interfaces can be excluded.
Leaving the interface list empty,
did get my (two interface) DHCP relay working in the end.
Having the patch
--- dhcrelay.8.orig 2011-11-11 16:41:22.000000000 +1100
+++ dhcrelay.8 2011-11-11 16:43:01.000000000 +1100
@@ -178,7 +178,10 @@
interfaces may be specified by using more than one \fB-i\fR option. If
no interfaces are specified on the command line, dhcrelay will identify
all network interfaces, eliminating non-broadcast interfaces if possible,
-and attempt to listen on all of them.
+and attempt to listen on all of them. If you use -i, you should ensure you
+include an -i option for the interface that is used to communicate with the
+DHCP server. Otherwise reply packets from the DHCP server are likely to be
+dropped.
.TP
-m \fIappend\fR|\fIreplace\fR|\fIforward\fR|\fIdiscard\fR
Control the handling of incoming DHCPv4 packets which already contain
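Review bot: the added sentences write the option as plain -i, while the first context line of the hunk uses \fB-i\fR; mark it up the same way in the new text so it renders consistently with the rest of the page. "Likely to be dropped" is also weaker than what the report describes, which is that the replies are silently dropped, so consider stating that outright. Message #15 in this log further reports that listing the server-facing interface makes dhcrelay relay requests back to the server, so the advice should carry that caveat.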
in the manual page would have saved me some time
and will surely save time for others.
Thanks & Cheers
Geert Stappers
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian ISC DHCP maintainers <pkg-dhcp-devel@lists.alioth.debian.org>:
Bug#648401; Package isc-dhcp-relay.
(Tue, 19 Feb 2013 23:33:03 GMT) (full text, mbox, link).
Acknowledgement sent
to "Steinar H. Gunderson" <sgunderson@bigfoot.com>:
Extra info received and forwarded to list. Copy sent to Debian ISC DHCP maintainers <pkg-dhcp-devel@lists.alioth.debian.org>.
(Tue, 19 Feb 2013 23:33:03 GMT) (full text, mbox, link).
Message #15 received at 648401@bugs.debian.org (full text, mbox, reply):
severity 648401 grave
retitle 648401 DHCP relay agent does not listen properly for return packets
thanks
On Fri, Nov 11, 2011 at 04:53:22PM +1100, Geoff Crompton wrote:
> The dhcrelay man page doesn't mention that if you use any -i option to
> specify interfaces, you need to add an -i option for the interface used to
> contact the DHCP server. Otherwise dhcrelay silently drops the packets
> (which took me an afternoon to figure out).
Actually this is not an acceptable workaround. If you add -i on the interface
used to contact the DHCP server, dhcrelay will try to relay the packet _back
to the server_, which means that it will get every packet twice, and NAK one
of them. This breaks DHCP on the upstream net, unless of course you are in the
situation where the DHCP server _only_ sees relayed packets.
I'd say this means dhcrelay itself is pretty much completely broken, and I'm
upgrading severity accordingly. It shouldn't subject the BOOTREPLY packets to
interface checking, or it should have a separate list of interfaces from
which it can come; I think this actually works for DHCPv6, where you have
separate “lower” and “upper” interface options, but I haven't tested it.
/* Steinar */
--
Homepage: http://www.sesse.net/
Severity set to 'grave' from 'normal'
Request was from "Steinar H. Gunderson" <sgunderson@bigfoot.com>
to control@bugs.debian.org.
(Tue, 19 Feb 2013 23:33:08 GMT) (full text, mbox, link).
Changed Bug title to 'DHCP relay agent does not listen properly for return packets' from 'isc-dhcp-relay: dhcrelay(8) doesn't mention need for -i on server facing interface'
Request was from "Steinar H. Gunderson" <sgunderson@bigfoot.com>
to control@bugs.debian.org.
(Tue, 19 Feb 2013 23:33:08 GMT) (full text, mbox, link).
Marked as found in versions isc-dhcp/4.2.2.dfsg.1-5+deb70u2.
Request was from Steinar H. Gunderson <sgunderson@bigfoot.com>
to control@bugs.debian.org.
(Wed, 20 Feb 2013 16:03:06 GMT) (full text, mbox, link).
Removed tag(s) patch.
Request was from Steinar H. Gunderson <sgunderson@bigfoot.com>
to control@bugs.debian.org.
(Wed, 20 Feb 2013 16:03:08 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian ISC DHCP maintainers <pkg-dhcp-devel@lists.alioth.debian.org>:
Bug#648401; Package isc-dhcp-relay.
(Wed, 20 Feb 2013 18:27:03 GMT) (full text, mbox, link).
Acknowledgement sent
to "Steinar H. Gunderson" <sgunderson@bigfoot.com>:
Extra info received and forwarded to list. Copy sent to Debian ISC DHCP maintainers <pkg-dhcp-devel@lists.alioth.debian.org>.
(Wed, 20 Feb 2013 18:27:03 GMT) (full text, mbox, link).
Message #28 received at 648401@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
tags 648401 + patch
thanks
On Tue, Feb 19, 2013 at 11:59:05PM +0100, Steinar H. Gunderson wrote:
> I'd say this means dhcrelay itself is pretty much completely broken, and I'm
> upgrading severity accordingly. It shouldn't subject the BOOTREPLY packets to
> interface checking, or it should have a separate list of interfaces from
> which it can come; I think this actually works for DHCPv6, where you have
> separate “lower” and “upper” interface options, but I haven't tested it.
Here's a patch that fixes the problem for us. It makes dhcrelay listen on all
interfaces and relay BOOTREPLY packets from them, but still only relay
BOOTREQUEST packets from requested interfaces (those with -i).
What it _doesn't_ fix, is that dhcrelay should only relay broadcast packets
(e.g. DHCPDISCOVER); the unicast packets (e.g. DHCPREQUEST) can already find
their way through, so you end up with duplicates. Those are largely harmless,
though, so I consider fixing that out-of-scope for the wheezy freeze; this is
the minimal patch that I could find.
/* Steinar */
--
Homepage: http://www.sesse.net/
[dhcrelay-listen-fix.diff (text/x-diff, attachment)]
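A simplified model of the interface check discussed in this report, added here as an illustration; it is not dhcrelay's code and not the attached patch. The type and function names are hypothetical, and eth0 (server side) and eth1 (client side) are constructed interface names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Simplified model, not dhcrelay's own code; all names are hypothetical. */
enum { BOOTREQUEST = 1, BOOTREPLY = 2 };   /* BOOTP op codes */
enum verdict { DROP, TO_SERVER, TO_CLIENT };
enum policy { ORIGINAL, PATCHED };

struct relay {
    const char *ifaces[4];  /* interfaces named with -i */
    size_t n_ifaces;        /* 0: no -i given, every interface is used */
    enum policy policy;
};

static bool is_requested(const struct relay *r, const char *ifname)
{
    if (r->n_ifaces == 0)
        return true;
    for (size_t i = 0; i < r->n_ifaces; i++)
        if (strcmp(r->ifaces[i], ifname) == 0)
            return true;
    return false;
}

/* What the relay does with a packet of type `op` arriving on `ifname`. */
enum verdict relay_decide(const struct relay *r, int op, const char *ifname)
{
    if (op == BOOTREPLY) {
        /* Original: replies face the same -i check as requests.
         * Patched: replies are accepted from any interface. */
        if (r->policy == ORIGINAL && !is_requested(r, ifname))
            return DROP;
        return TO_CLIENT;
    }
    if (op == BOOTREQUEST)  /* both policies: only -i interfaces are relayed */
        return is_requested(r, ifname) ? TO_SERVER : DROP;
    return DROP;
}

int main(void)
{
    /* Constructed setup: eth1 faces clients, eth0 faces the DHCP server. */
    struct relay patched = { { "eth1" }, 1, PATCHED };
    bool ok = relay_decide(&patched, BOOTREPLY, "eth0") == TO_CLIENT
           && relay_decide(&patched, BOOTREQUEST, "eth0") == DROP;
    return ok ? 0 : 1;
}
```

With ORIGINAL and only eth1 listed, the server's reply arriving on eth0 is dropped; listing eth0 as well lets the reply through but also relays requests seen on eth0 to the server, which is the duplication described in message #15.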
Added tag(s) patch.
Request was from "Steinar H. Gunderson" <sgunderson@bigfoot.com>
to control@bugs.debian.org.
(Wed, 20 Feb 2013 18:27:05 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian ISC DHCP maintainers <pkg-dhcp-devel@lists.alioth.debian.org>:
Bug#648401; Package isc-dhcp-relay.
(Thu, 21 Feb 2013 02:36:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Michael Gilbert <mgilbert@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian ISC DHCP maintainers <pkg-dhcp-devel@lists.alioth.debian.org>.
(Thu, 21 Feb 2013 02:36:03 GMT) (full text, mbox, link).
Message #35 received at 648401@bugs.debian.org (full text, mbox, reply):
control: forwarded -1
https://lists.isc.org/pipermail/dhcp-hackers/2013-February/002007.html
> Here's a patch that fixes the problem for us. It makes dhcrelay listen on all
> interfaces and relay BOOTREPLY packets from them, but still only relay
> BOOTREQUEST packets from requested interfaces (those with -i).
>
> What it _doesn't_ fix, is that dhcrelay should only relay broadcast packets
> (e.g. DHCPDISCOVER); the unicast packets (e.g. DHCPREQUEST) can already find
> their way through, so you end up with duplicates. Those are largely harmless,
> though, so I consider fixing that out-of-scope for the wheezy freeze; this is
> the minimal patch that I could find.
Set Bug forwarded-to-address to 'lists.isc.org/pipermail/dhcp-hackers/2013-February/002007.html'.
Request was from Michael Gilbert <mgilbert@debian.org>
to control@bugs.debian.org.
(Thu, 21 Feb 2013 03:21:03 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian ISC DHCP maintainers <pkg-dhcp-devel@lists.alioth.debian.org>:
Bug#648401; Package isc-dhcp-relay.
(Fri, 01 Mar 2013 02:33:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Michael Gilbert <mgilbert@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian ISC DHCP maintainers <pkg-dhcp-devel@lists.alioth.debian.org>.
(Fri, 01 Mar 2013 02:33:03 GMT) (full text, mbox, link).
Message #42 received at 648401@bugs.debian.org (full text, mbox, reply):
control: severity -1 important
On Tue, Feb 19, 2013 at 5:59 PM, Steinar H. Gunderson wrote:
> I'd say this means dhcrelay itself is pretty much completely broken, and I'm
> upgrading severity accordingly. It shouldn't subject the BOOTREPLY packets to
> interface checking, or it should have a separate list of interfaces from
> which it can come; I think this actually works for DHCPv6, where you have
> separate “lower” and “upper” interface options, but I haven't tested it.
Although this behavior is not quite right, it's also not entirely
broken, so I'm downgrading the severity. For wheezy, those few users
that really require correct behavior here can apply the patch
themselves.
Best wishes,
Mike
Severity set to 'important' from 'grave'
Request was from Michael Gilbert <mgilbert@debian.org>
to 648401-submit@bugs.debian.org.
(Fri, 01 Mar 2013 02:33:03 GMT) (full text, mbox, link).
Reply sent
to Michael Gilbert <mgilbert@debian.org>:
You have taken responsibility.
(Sun, 31 Jan 2016 03:54:06 GMT) (full text, mbox, link).
Notification sent
to Geoff Crompton <geoffc@trinity.unimelb.edu.au>:
Bug acknowledged by developer.
(Sun, 31 Jan 2016 03:54:06 GMT) (full text, mbox, link).
Message #49 received at 648401-close@bugs.debian.org (full text, mbox, reply):
Source: isc-dhcp
Source-Version: 4.3.3-7
We believe that the bug you reported is fixed in the latest version of
isc-dhcp, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 648401@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Gilbert <mgilbert@debian.org> (supplier of updated isc-dhcp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 31 Jan 2016 01:31:59 +0000
Source: isc-dhcp
Binary: isc-dhcp-server isc-dhcp-server-ldap isc-dhcp-common isc-dhcp-dev isc-dhcp-client isc-dhcp-client-ddns isc-dhcp-client-udeb isc-dhcp-relay
Architecture: source
Version: 4.3.3-7
Distribution: unstable
Urgency: medium
Maintainer: Debian ISC DHCP maintainers <pkg-dhcp-devel@lists.alioth.debian.org>
Changed-By: Michael Gilbert <mgilbert@debian.org>
Description:
isc-dhcp-client - DHCP client for automatically obtaining an IP address
isc-dhcp-client-ddns - Dynamic DNS (DDNS) enabled DHCP client
isc-dhcp-client-udeb - ISC DHCP Client for debian-installer (udeb)
isc-dhcp-common - common files used by all of the isc-dhcp packages
isc-dhcp-dev - API for accessing and modifying the DHCP server and client state
isc-dhcp-relay - ISC DHCP relay daemon
isc-dhcp-server - ISC DHCP server for automatic IP address assignment
isc-dhcp-server-ldap - DHCP server that uses LDAP as its backend
Closes: 648401 800914 810875 812525
Changes:
isc-dhcp (4.3.3-7) unstable; urgency=medium
.
* Migrate to dbgsym debug packages.
* Fix spelling error in changelog entry.
* Include LDFLAGS in all calls to configure.
* Fix relaying return packets (closes: #648401).
- Thanks to Steinar H. Gunderson.
* Fix cross-architecture building (closes: #812525).
- Thanks to Helmut Grohne.
* Initialize exit status in dhclient-script (closes: #800914).
* Fix CVE-2015-8605: maliciously crafted IPv4 packet can cause any of the
running DHCP applications to crash (closes: #810875).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 28 Feb 2016 07:25:10 GMT) (full text, mbox, link).
Last modified:
Thu Mar 9 05:54:22 2023;