[...]
Use "netstat -lnp |grep dhcp". You can see that dhcpd has 2 sockets open. One is a UDP socket for reply packet transmission, the second one is a raw socket for request receiving. The raw socket has one important attribute: it receives packets before netfilter. The same mechanism is used by tcpdump/libpcap.
Are you saying that we CAN NOT "protect" the DHCP server with iptables?
Therefore dhcpd can receive packets even if they are blocked by netfilter. This is a feature, not a bug. I have no idea why ISC's DHCP server is implemented in this manner, but it is. (Maybe because of the indirect broadcast destination IP address in the DISCOVERY client request.) -- Petr
Swifty

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
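The practical consequence of the exchange above is that an iptables INPUT policy says nothing about what a process reading from a raw/packet socket receives, so a firewall audit of a host should also list which programs hold such sockets. The script below is an added example, not code from the thread or from ISC dhcpd: it parses `netstat -lnp`-style output (the sample text is constructed, with made-up PIDs and addresses) and flags every program that owns a raw socket as one whose inbound traffic is not gated by netfilter.

```python
"""Inventory processes that hold raw (packet) sockets.

Netfilter hooks sit in the IP layer; a process reading from a raw/packet
socket, as ISC dhcpd and tcpdump/libpcap do, gets frames before those hooks
run, so iptables rules do not control what it receives. This parses
`netstat -lnp`-style lines and reports which programs own such sockets.
"""
import re
import subprocess
from collections import defaultdict

# Constructed sample resembling `netstat -lnp` output. PIDs, programs and
# addresses are made up for this example and are not taken from a real host.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
udp        0      0 0.0.0.0:67              0.0.0.0:*                           2214/dhcpd
raw        0      0 0.0.0.0:17              0.0.0.0:*               7           2214/dhcpd
udp        0      0 127.0.0.1:323           0.0.0.0:*                           640/chronyd
raw        0      0 0.0.0.0:1               0.0.0.0:*               7           1502/tcpdump
"""

# One socket line: proto, Recv-Q, Send-Q, local, foreign, optional State,
# then "PID/Program". The State column is blank for UDP sockets, hence the
# optional group before the PID.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?|raw6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+"
    r"(?:\S+\s+)?(?P<pid>\d+)/(?P<prog>\S+)\s*$"
)


def parse_netstat(text):
    """Return a list of (proto, local_address, pid, program) per socket line.

    Header lines and sockets without an owning PID (shown as '-') are skipped.
    """
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((m["proto"], m["local"], int(m["pid"]), m["prog"]))
    return rows


def sockets_by_program(rows):
    """Group sockets as {(pid, program): [(proto, local_address), ...]}."""
    grouped = defaultdict(list)
    for proto, local, pid, prog in rows:
        grouped[(pid, prog)].append((proto, local))
    return dict(grouped)


def netfilter_bypassing(rows):
    """(pid, program) pairs holding at least one raw socket.

    These programs receive packets before the netfilter hooks, so iptables
    INPUT rules do not restrict what they see.
    """
    return sorted({(pid, prog) for proto, _, pid, prog in rows
                   if proto.startswith("raw")})


def report(text):
    """Human-readable inventory, one line per program, raw-socket holders flagged."""
    rows = parse_netstat(text)
    lines = []
    for (pid, prog), socks in sorted(sockets_by_program(rows).items()):
        kinds = ", ".join(f"{proto} {local}" for proto, local in socks)
        flag = ""
        if any(proto.startswith("raw") for proto, _ in socks):
            flag = "  [raw socket: receives before netfilter]"
        lines.append(f"{pid}/{prog}: {kinds}{flag}")
    return lines


if __name__ == "__main__":
    # Use the live `netstat -lnp` output when available (needs root to map
    # PIDs), otherwise fall back to the constructed sample above.
    try:
        text = subprocess.run(["netstat", "-lnp"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE_NETSTAT
    print("\n".join(report(text)))
```

Run as root so netstat can attribute sockets to PIDs; without it the PID/Program column shows "-" and those lines are skipped. On the sample, dhcpd is listed with its UDP socket on port 67 and its raw socket, and both dhcpd and tcpdump are flagged, which is exactly the gap the thread describes.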