
#-----------------------------------------------------------------------
# README
#-----------------------------------------------------------------------
#
# Allow access to a DHCP server on the private network. This module is
# necessary because only subnet IPs are otherwise allowed on a private
# interface. DHCP traffic also uses broadcast and network addresses,
# which this module explicitly allows.
#
# To install, copy this file to /etc/firewall-modules/private/services/
# 050-dhcp-clients and execute rc.firewall with the --update-config 
# parameter. The proper options will be added to the configuration file.
#
#-----------------------------------------------------------------------
# CHANGES
#-----------------------------------------------------------------------
#
# 2000-10-14  Jean-Sebastien Morisset <jsmoriss@jsm-mv.dyndns.org>
#             Initial module written for v5.0.
#
#-----------------------------------------------------------------------
# MODULE CONFIGURATION
#-----------------------------------------------------------------------
#
#m# 0123
#a# accept
#n# dhcp
#t# clients
#
#   |--------------------------------------------------------------------|
#d# If you're offering DHCP services on your LAN, you'll want to enter
#d# the network address in this option. Enable only the interface on which
#d# the DHCP server listens.
#d#
#d# Examples:
#d#   accept-eth0-dhcp-clients = 10.1.1.0/24
#   |--------------------------------------------------------------------|
#
#-----------------------------------------------------------------------
# START OF MODULE CODE
#-----------------------------------------------------------------------


# General DHCP rules: installed once when the accept-<interface>-dhcp-clients
# option has any value at all. None of the rules below use the option's
# value; they match only on addresses supplied by the calling script
# ($BROADCAST_SRC, $BROADCAST_DEST, $IPADDR, $NETWORK/$NETMASK). Enable the
# option only on the interface where the DHCP server actually listens.
if [ -n "$(Option_Value accept $INTOPT dhcp clients)" ]; then
	echo "Accept $INTOPT DHCP Server <- DHCP Requests $LOG_MSG"

	# Service names used below: bootps = 67/udp, bootpc = 68/udp.
	#
	# Expansions are left unquoted on purpose. $LOG is presumably either a
	# logging flag or empty (confirm in rc.firewall); quoting it would pass
	# ipchains an empty argument when it is empty.

	# Inbound, broadcast source to broadcast destination:
	# DHCP Discover / DHCP Request.
	ipchains -A $INCHAIN -j ACCEPT -p udp -s $BROADCAST_SRC bootpc -d $BROADCAST_DEST bootps $LOG

	# Outbound DHCP Offer to the broadcast destination, sent either from
	# the broadcast source address or from this host's own address.
	ipchains -A $OUTCHAIN -j ACCEPT -p udp -s $BROADCAST_SRC bootps -d $BROADCAST_DEST bootpc $LOG
	ipchains -A $OUTCHAIN -j ACCEPT -p udp -s $IPADDR bootps -d $BROADCAST_DEST bootpc $LOG

	# Inbound, broadcast source to this host's address:
	# DHCP Request / DHCP Decline.
	ipchains -A $INCHAIN -j ACCEPT -p udp -s $BROADCAST_SRC bootpc -d $IPADDR bootps $LOG

	# Outbound DHCP Ack / DHCP Nak from this host to anywhere in
	# $NETWORK/$NETMASK.
	ipchains -A $OUTCHAIN -j ACCEPT -p udp -s $IPADDR bootps -d $NETWORK/$NETMASK bootpc $LOG
fi
		
# Per-client rules: one pair of rules for every entry in the option value.
# The command substitution is unquoted on purpose so that the shell splits
# the value into words; each whitespace-separated entry (for example
# 10.1.1.0/24) becomes one $host. Entries are expected to be plain
# addresses or networks, since the value is also subject to globbing.
for host in $(Option_Value accept $INTOPT dhcp clients); do
	echo "Accept $INTOPT $IPADDR DHCP Server <- $host DHCP Client (logged)"

	# -l is hard-coded on both rules, so this traffic is logged whether or
	# not $LOG is set.

	# Outbound reply from this host to the client: DHCP Ack.
	ipchains -A $OUTCHAIN -j ACCEPT -p udp -s $IPADDR bootps -d $host bootpc -l

	# Inbound from the client to this host: DHCP Request / DHCP Release.
	ipchains -A $INCHAIN -j ACCEPT -p udp -s $host bootpc -d $IPADDR bootps -l
done
# Clear the loop variable so it does not leak into later code.
unset host

