Iptables has no effect on the ISC DHCP server.
https://lists.netfilter.org/pipe ... 002-May/023826.html
Derrik Pates touched on this earlier in the thread, but I'll try and
clarify a bit.
The DHCP server of the ISC (Internet Software Consortium,
http://www.isc.org) uses a different type of network access in Linux,
so to speak. Normally, when programs need network access, they open
up an Internet socket of the correct protocol (TCP/UDP), which gets
any packets destined for it and can send packets after the kernel has
applied all IP Tables rules to them. So if you have a policy of
DROP/REJECT or you have a rule that matches a packet to/from this
socket that DROP/REJECTs it, the socket will not receive or be able to
send that packet.
However, the ISC DHCP server uses an Internet Socket of protocol Raw
instead of TCP or UDP. This facility, naturally, is only available to
root (uid 0, really), and receives packets before the IP Tables
processing. It also receives all Internet packet headers as well, so
it gets to do additional processing.
But because Raw sockets get packets before the IP Tables processing,
the ISC DHCP server is able to obtain an IP address through DHCP.
More information (possibly not in a useful state) can be found in the
man pages for socket, ip, tcp, udp,
http://nodevice.com/sections/ManIndex/man1275.html, and, of course,
the source code.