Hello Marek, Hello Dnsmasq Mailinglist,
On Mon, Jun 17, 2024 at 09:31:44PM +0200, Geert Stappers wrote:
> From: Marek Skrobacki via Dnsmasq-discuss
> <dnsmasq-discuss@lists.thekelleys.org.uk>
>
> If the DHCP server is running inside a container or behind a load
> balancer, the DHCPREQUEST arriving at dnsmasq for processing may have a
> Server ID (option 54) configured with an IP address that is not assigned
> to the local interface. In this case, dnsmasq will check if the 'Server
> Identifier Override' option was set in the incoming packet.
>
> - If it was not set, the packet is dropped.
> - If it was set, dnsmasq evaluates the Server ID against the value
>   provided in 'Server ID Override' suboption 11, as outlined in RFC5107.
>
> In both cases, there is no match against the 'backend' IP address
> configured on the interface. This results in the DHCPNAK being returned
> with the 'wrong server' message.
>
> The --dhcp-allowed-srvids option allows turning off this security
> mechanism for specific address(es). When enabled, the incoming
> DHCPREQUEST is evaluated against the provided value(s) instead of the
> addresses configured on the local interfaces.
>
> Signed-off-by: Marek Skrobacki <skro...@skrobul.com>
> ---
> man/dnsmasq.8 | 20 ++++++++++++++++++++
> src/dnsmasq.h | 2 ++
> src/option.c | 15 +++++++++++++++
> src/rfc2131.c | 46 ++++++++++++++++++++++++++++++++++++++--------
> 4 files changed, 75 insertions(+), 8 deletions(-)
>

That I did a complete retransmit is for getting the patch at
https://lists.sr.ht/~stappers/dnsmasqmlpc/patches

The "why" is at
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q2/017608.html

Regards
Geert Stappers
--
Silence is hard to parse
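
The server ID check described in the quoted commit message, as an added example that is not part of this e-mail or of the dnsmasq patch: a small C model that parses option 54 and option 82 suboption 11 from a constructed DHCPREQUEST options field and compares the server ID with the local, allowed or override address. The function names, the order of the comparisons and all addresses are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
enum sid_result { SID_ABSENT, SID_MATCH, SID_MISMATCH };

/* Find `code` in a code/length/value list; NULL if absent or truncated.
   top != 0 also handles the one-byte pad (0) and end (255) DHCP options. */
static const uint8_t *find(const uint8_t *b, size_t n, uint8_t code, int top, size_t *len) {
    for (size_t i = 0; i < n; ) {
        if (top && b[i] == 0) { i++; continue; }
        if (top && b[i] == 255) break;
        if (i + 2 > n || i + 2 + b[i + 1] > n) break;   /* length runs past the buffer */
        if (b[i] == code) { *len = b[i + 1]; return b + i + 2; }
        i += 2 + (size_t)b[i + 1];
    }
    return NULL;
}

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Assumed model of the commit message, not dnsmasq source: option 54 is compared with
   `allowed` if that list is non-empty, else with `local`; then with RFC 5107 suboption 11. */
enum sid_result check_server_id(const uint8_t *opts, size_t n, const uint32_t *local,
                                size_t nlocal, const uint32_t *allowed, size_t nallowed) {
    size_t len = 0, rlen = 0, olen = 0;
    const uint8_t *sid = find(opts, n, 54, 1, &len);
    if (!sid) return SID_ABSENT;              /* no option 54: the check does not apply */
    if (len != 4) return SID_MISMATCH;
    const uint32_t *set = nallowed ? allowed : local;
    size_t nset = nallowed ? nallowed : nlocal;
    for (size_t i = 0; i < nset; i++)
        if (set[i] == be32(sid)) return SID_MATCH;
    const uint8_t *relay = find(opts, n, 82, 1, &rlen);          /* relay agent information */
    const uint8_t *ovr = relay ? find(relay, rlen, 11, 0, &olen) : NULL;
    return (ovr && olen == 4 && be32(ovr) == be32(sid)) ? SID_MATCH : SID_MISMATCH;
}

/* Constructed sample: DHCPREQUEST options with server ID 192.0.2.10 (the load balancer),
   option 82 carrying suboption 11 = 198.51.100.1, then the end option. */
static const uint8_t SAMPLE[] = { 53, 1, 3,  54, 4, 192, 0, 2, 10,
                                  82, 6, 11, 4, 198, 51, 100, 1,  255 };
static const uint32_t LOCAL[] = { 0x0A000005 }, ALLOWED[] = { 0xC000020A }; /* 10.0.0.5, 192.0.2.10 */

int main(void) {
    printf("local only: %d, with allowed list: %d\n",
           check_server_id(SAMPLE, sizeof SAMPLE, LOCAL, 1, NULL, 0),
           check_server_id(SAMPLE, sizeof SAMPLE, LOCAL, 1, ALLOWED, 1));
    return 0;
}
```

With only the backend address known, the sample request is a mismatch whether or not the relay override is considered; listing 192.0.2.10 as an allowed server ID turns it into a match.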