[pkg-dhcp-devel] Bug#648401: isc-dhcp-relay: dhcrelay(8) doesn't mention need for -i on server facing interface

Steinar H. Gunderson sgunderson at bigfoot.com
Tue Feb 19 22:59:05 UTC 2013

severity 648401 grave
retitle 648401 DHCP relay agent does not listen properly for return packets

On Fri, Nov 11, 2011 at 04:53:22PM +1100, Geoff Crompton wrote:
> The dhcrelay man page doesn't mention that if you use any -i option to
> specify interfaces, you need to add an -i option for the interface used to
> contact the DHCP server. Otherwise dhcrelay silently drops the packets
> (which took me an afternoon to figure out).

Actually this is not an acceptable workaround. If you add -i on the interface
used to contact the DHCP server, dhcrelay will try to relay the packet _back
to the server_, which means that it will get every packet twice, and NAK one
of them. This breaks DHCP on the upstream net, unless of course you are in the
situation where the DHCP server _only_ sees relayed packets.

I'd say this means dhcrelay itself is pretty much completely broken, and I'm
upgrading severity accordingly. It shouldn't subject the BOOTREPLY packets to
interface checking, or it should have a separate list of interfaces from
which it can come; I think this actually works for DHCPv6, where you have
separate “lower” and “upper” interface options, but I haven't tested it.

/* Steinar */
Homepage: http://www.sesse.net/
