No DHCP IP if OFFER or ACK coming from non-BOOTPS port
2016-10-17, 09:00
Post: #2
No DHCP lease if offer/ack not from BOOTPS source port
Hi,

We ran into an interesting 'feature' from iPXE. If the DHCP offer or ack packets come from a source port other than the BOOTPS port, iPXE ignores them. This causes it to never properly get a lease.

Normally, if you use a relay and it's a well-behaved relay, it will use the proper ports to relay from. But we use a Checkpoint firewall, which insists on using a random non-privileged port (>1024) when passing the offer or ack packets to the client.

When looking at the iPXE source code, we found the following at line 400:
Code:
if ( ip.s_addr && ( peer->sin_port == htons ( BOOTPS_PORT ) ) &&
And there's another such line for the ACK phase. This enforces that the source port of the offer should be the BOOTPS port. The effect in our case is discover -> offer -> timeout -> discover -> offer -> timeout -> etc.

The client in the OS (Linux in our case) doesn't seem to care and will work just fine (discover -> offer -> request -> ack).

I have checked the RFC but couldn't find a hard requirement that the source port should be the BOOTPS port (but not 100% sure I didn't miss it in the RFC). So my question is: is iPXE too strict, or is Checkpoint being... euhhh.. 'sub-optimal' here?
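To confirm this symptom from a capture, the following added example (not part of the original post and not iPXE's code) classifies a UDP datagram the way a client with the kind of source-port check quoted above would: it finds the DHCP message type (option 53) and reports whether an OFFER or ACK would be dropped because its source port is not 67. The function names, the verdict enum, the sample packet builder and the port 40000 are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define BOOTPS_PORT 67    /* server port named in the quoted check */
#define BOOTPC_PORT 68    /* client port */
#define UDP_HDR     8
#define BOOTP_FIXED 240   /* 236-byte BOOTP header + 4-byte magic cookie */
static const uint8_t COOKIE[4] = { 0x63, 0x82, 0x53, 0x63 };
enum verdict { NOT_DHCP_REPLY, ACCEPTED, DROPPED_BY_PORT_CHECK };

/* Walk the DHCP options; return the message type (option 53) or -1. */
static int dhcp_msg_type(const uint8_t *opt, size_t len) {
    size_t i = 0;
    while (i < len && opt[i] != 255) {              /* 255 = end */
        if (opt[i] == 0) { i++; continue; }         /* 0 = pad, no length byte */
        if (i + 1 >= len || i + 2 + opt[i + 1] > len) return -1; /* truncated */
        if (opt[i] == 53 && opt[i + 1] == 1) return opt[i + 2];
        i += 2 + (size_t)opt[i + 1];
    }
    return -1;
}

/* Classify a UDP datagram (header + payload) as a port-67-only client would. */
enum verdict classify(const uint8_t *udp, size_t len) {
    if (len < UDP_HDR + BOOTP_FIXED) return NOT_DHCP_REPLY;
    uint16_t sport = (uint16_t)(udp[0] << 8 | udp[1]);
    uint16_t dport = (uint16_t)(udp[2] << 8 | udp[3]);
    const uint8_t *bootp = udp + UDP_HDR;
    if (dport != BOOTPC_PORT || bootp[0] != 2 ||    /* op 2 = BOOTREPLY */
        memcmp(bootp + 236, COOKIE, 4) != 0) return NOT_DHCP_REPLY;
    int type = dhcp_msg_type(bootp + BOOTP_FIXED, len - UDP_HDR - BOOTP_FIXED);
    if (type != 2 && type != 5) return NOT_DHCP_REPLY;  /* 2 = OFFER, 5 = ACK */
    return sport == BOOTPS_PORT ? ACCEPTED : DROPPED_BY_PORT_CHECK;
}

/* Constructed sample: minimal reply carrying only option 53. buf >= 252 bytes. */
size_t build_sample(uint8_t *buf, uint16_t sport, uint8_t type) {
    const uint8_t opts[4] = { 53, 1, type, 255 };
    memset(buf, 0, UDP_HDR + BOOTP_FIXED);
    buf[0] = (uint8_t)(sport >> 8); buf[1] = (uint8_t)sport;
    buf[3] = BOOTPC_PORT; buf[UDP_HDR] = 2;
    memcpy(buf + UDP_HDR + 236, COOKIE, 4);
    memcpy(buf + UDP_HDR + BOOTP_FIXED, opts, 4);
    return UDP_HDR + BOOTP_FIXED + sizeof opts;
}

int main(void) {
    uint8_t pkt[512];   /* OFFER from a constructed high source port */
    printf("verdict=%d\n", (int)classify(pkt, build_sample(pkt, 40000, 2)));
}
```

Feeding it the UDP portion of each captured reply separates "server never answered" from "answer arrived but from the wrong source port", which is the discover -> offer -> timeout loop described in the post.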


Messages In This Thread
No DHCP lease if offer/ack not from BOOTPS source port - Shoikan - 2016-10-17 09:00


