On Mon, Jan 04, 2010 at 06:51:31AM -0800, eclectic 923 wrote:
> Package: dhcp3-client
> Version: 3.1.1-6+lenny3
> Severity: important
> 
> *** Please type your report below this line ***
> 
> As I watched the various wireless security protocols get cracked,
> I decided to give up on wireless security, there's a better and
> simpler solution, openvpn. It takes a whole lot less work to set up
> openvpn-client/openvpn-server than a supplicant/radius-hostap (which I
> used to use with TKIP/AES settings). Not to mention, remote access and
> wireless access management is consolidated into one place
> (openvpn-server) vs the radius and openvpn-servers.
> 
> When my system connects to a wireless router, it runs a dhclient to set
> up the wireless interface wlan0.  Openvpn supplies my real connection through
> the tap0 virtual network device. The firewall is set up to only allow dhcp
> traffic and openvpn traffic on the wireless link (wlan0). This also has the
> added virtue of allowing me to use any of several wireless routers, yet
> always have the same network IP address as the wired network connection,
> thereby eliminating the need for a dynamic dns server.
> 
> When using this set up, after initial connection, the default route is
> switched to the openvpn tap0 device (aka default route moves from wlan0
> to tap0).
> 
> The problem is that /sbin/dhclient-script has some 'naughty' code in it.
> 
> Specifically, under BOUND|RENEW|REBIND|REBOOT) and TIMEOUT) one finds:
> 
>         for router in $new_routers; do
>                 route add default dev $interface gw $router $metric_arg
>         done
> 
> The problem with this, is that the default route is *unconditionally*
> set. Which is why the system gets two default routes in the routing table,
> and stops working.
> 
> There needs to be a check added to make sure that the default route isn't
> already set. If the default route is set, then the naughty code should
> NOT be run. Something along the lines of:
> 
> if [ "`ip route show | egrep -c '^default'`" -eq 0 ]; then
>         for router in $new_routers; do
>                 route add default dev $interface gw $router $metric_arg
>         done
> fi
> 
> This would preserve backwards compatibility with those needing the default
> route set by the dhclient, and stop breaking network set ups where the
> default route is already set.
> 

What is supposed to happen when the DHCP administrator wants to roll out a
change to the default route?

I think at best I could add what you're asking for only in the case of
initial lease acquisition and not renewal. Even then, I suspect this is
going to surprise people who expect or rely on the current behaviour.

I think for your particular case, it might be best to use a custom DHCP
client hook, which goes and explicitly removes the default route provided by
DHCP.

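The custom exit hook the maintainer suggests, written out as an added example (this is not code from the bug report, from the reporter, or from the dhcp3-client package). It assumes the hook is installed as a file under /etc/dhcp3/dhclient-exit-hooks.d/, which dhclient-script sources after it has finished its own route handling, and that the variables $reason, $interface and $new_routers are the ones dhclient-script exports to hooks. The interface name wlan0 and the ROUTE_CMD override are assumptions for illustration; the route list is kept separate from its execution so the decision logic can be checked without touching a live routing table.

```shell
#!/bin/sh
# Added example: dhclient exit hook that deletes the default route dhclient
# just installed on the wireless interface, so the default route openvpn
# set on tap0 is left as the only one. Not part of dhcp3-client.
#
# Assumed install path: /etc/dhcp3/dhclient-exit-hooks.d/zz-drop-wlan-default
# Files there are sourced by dhclient-script, so this must never call exit.

# Interface whose DHCP-supplied default route must never stay (assumption).
DROP_DEFAULT_ON="${DROP_DEFAULT_ON:-wlan0}"
# Route command; overridable (e.g. ROUTE_CMD=echo) for a dry run.
ROUTE_CMD="${ROUTE_CMD:-ip route}"

# Print the `ip route` arguments to run, one deletion per line.
# Arguments: reason interface "router list"
# Only the lease events that make dhclient-script add routes are handled;
# RELEASE/EXPIRE/FAIL already tear the routes down themselves.
plan_route_cleanup() {
    reason_=$1 iface_=$2 routers_=$3
    case "$reason_" in
        BOUND|RENEW|REBIND|REBOOT|TIMEOUT) ;;
        *) return 0 ;;
    esac
    [ "$iface_" = "$DROP_DEFAULT_ON" ] || return 0
    # dhclient-script added "default via $router dev $iface"; delete exactly
    # that entry so any other default route (tap0) is untouched.
    for router in $routers_; do
        printf 'del default via %s dev %s\n' "$router" "$iface_"
    done
}

# Execute the planned deletions with $ROUTE_CMD, using the variables
# dhclient-script exported to this hook.
drop_dhcp_default_route() {
    plan_route_cleanup "$reason" "$interface" "$new_routers" |
    while read -r args; do
        # word-splitting of $args into separate arguments is intended
        $ROUTE_CMD $args 2>/dev/null || true
    done
}

drop_dhcp_default_route
```

Because the reporter's firewall only passes DHCP and OpenVPN traffic on wlan0, a default route on that interface is never useful, so deleting it unconditionally is safe there. On a machine that needs the wireless default route until the tunnel comes up, gate the deletion on `ip route show` reporting a second default route on another device before running it.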