need special 'mangle' table rule for DHCP in LXC containers

[tycho]

I recently moved my custom iptables config into a FireHOL config, but there's one rule that I can't seem to find a way to replace:

iptables -t mangle -A POSTROUTING -o br0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill

This is a necessary rule for DHCP to work properly for LXC containers that are running on the same physical machine as the DHCP server.

Is there any way for FireHOL to support this kind of rule? If not, could support be added?

[ktsaou]

hi.

Add it exactly as-shown on your comment to your firehol.conf (do not add /sbin/ in front of it).

The iptables command in firehol.conf is a firehol command. It knows how to keep the rule in the generated firewall.

(this is strange though - my lxc does not need it).

[tycho]

Hi @ktsaou, does your LXC setup run on the same machine as the DHCP server? If not, that's probably why you don't need it.

Also, just tried as you suggested, and that worked perfectly. Thanks! 👍

[ktsaou]

does your LXC setup run on the same machine as the DHCP server

yes it does... check this: http://azure-west-eu.my-netdata.io/ - the lxc alpine container there works line that.

[tycho]

@ktsaou May also have to do with what DHCP client it's using. does your LXC container use dhcpcd or dhclient, or something else? In any case, mine were using dhclient, and tried to DHCP but would drop the responses without valid checksums, and they'd never get IP addresses. 😞

[Doccos]

I had the same Problem... i added the line in die firehol.conf
iptables -A POSTROUTING -t mangle -p udp --dport 68 -j CHECKSUM --checksum-fill

when i try "firehol try" i get the error:
`ERROR : # 1.
WHAT : A runtime command failed to execute (returned error CANNOT APPLY IN FAST MODE).
SOURCE : FIN
COMMAND : /sbin/iptables-restore </var/run/firehol/firehol-KUfgwbcfkr/firehol-out.sh.fast
OUTPUT :

iptables-restore v1.4.21: The -t option (seen in line 22) cannot be used in iptables-restore.

Error occurred at line: 22
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

Offending line:
-A POSTROUTING -t mangle -p udp --dport 68 -j CHECKSUM --checksum-fill
`

[ktsaou]

try this:

iptables -t mangle -A POSTROUTING -p udp --dport 68 -j CHECKSUM --checksum-fill

It needs the table first.

[philwhineray]

Looks like you need to disable fast activation. Set FIREHOL_FAST_ACTIVATION=0 in /etc/firehol/firehol-defaults.conf.

@ktsaou it looks like we will need to handle the -t ourselves with iptables commands in fast activation mode, to make sure the rules are appended to a specific table.

[ktsaou]

@ktsaou it looks like we will need to handle the -t ourselves with iptables commands in fast activation mode, to make sure the rules are appended to a specific table.

We do, but it has to be the first parameter to iptables.

[philwhineray]

Oh, OK I see it is, provided it comes first.

[philwhineray]

I'll make a note in the docs this week. I need to update mark and connmark too. They are now just shortcuts for two pre-specified custommarks, right?

[ktsaou]

They are now just shortcuts for two pre-specified custommarks, right?

I think yes. All marks are now bit-mapped.

[Doccos]

iptables -t mangle -A POSTROUTING -p udp --dport 68 -j CHECKSUM --checksum-fill works

thanks 👍