Services: Kea DHCP [new]: Kea DHCPv4 - add optional automatic firewall rules for dhcpv4 access. closes https://github.com/opnsense/core/issues/7188

2026-03-15 09:04:39 +00:00 · 2024-02-01 14:05:12 +01:00 · 2024-02-01 14:05:12 +01:00 · b1685d8e46
commit b1685d8e46
parent 46e0bc67bb
4 changed files with 61 additions and 1 deletions
--- a/src/etc/inc/plugins.inc.d/kea.inc
+++ b/src/etc/inc/plugins.inc.d/kea.inc
@ -54,6 +54,45 @@ function kea_syslog()
 }


+function kea_firewall($fw)
+{
+    global $config;
+    $keav4 = new \OPNsense\Kea\KeaDhcpv4();
+    if ($keav4->fwrulesEnabled()) {
+        // automatic (IPv4) rules enabled
+        foreach (explode(',', $keav4->general->interfaces) as $intf) {
+            $fw->registerFilterRule(
+                1,
+                [
+                    'protocol' => 'udp',
+                    'direction' => 'in',
+                    'from_port' => 68,
+                    'to' => '255.255.255.255',
+                    '#ref' => 'ui/kea/dhcp/v4',
+                    'to_port' => 67,
+                    'interface' => $intf,
+                    'descr' => 'allow access to DHCP server',
+                    'log' => !isset($config['syslog']['nologdefaultpass'])
+                ]
+            );
+            $fw->registerFilterRule(
+                1,
+                [
+                    'protocol' => 'udp',
+                    'direction' => 'in',
+                    'from_port' => 68,
+                    'to' => '(self)',
+                    '#ref' => 'ui/kea/dhcp/v4',
+                    'to_port' => 67,
+                    'interface' => $intf,
+                    'descr' => 'allow access to DHCP server',
+                    'log' => !isset($config['syslog']['nologdefaultpass'])
+                ]
+            );
+        }
+    }
+}
+
 function kea_xmlrpc_sync()
 {
    $result = [];
--- a/src/opnsense/mvc/app/controllers/OPNsense/Kea/forms/generalSettings4.xml
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Kea/forms/generalSettings4.xml
@ -21,6 +21,12 @@
        <type>text</type>
        <help>Defines how long the addresses (leases) given out by the server are valid (in seconds)</help>
    </field>
+    <field>
+        <id>dhcpv4.general.fwrules</id>
+        <label>Firewall rules</label>
+        <type>checkbox</type>
+        <help>Automatically add a basic set of firewall rules to allow dhcp traffic, more fine grained controls can be offered manually when disabling this option.</help>
+    </field>
    <field>
        <type>header</type>
        <label>High Availability</label>
--- a/src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv4.php
+++ b/src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv4.php
@ -65,4 +65,15 @@ class KeaDhcpv4 extends BaseModel
        }
        return parent::setNodes($data);
    }
+
+    /**
+     * should filter rules be enabled
+     * @return bool
+     */
+    public function fwrulesEnabled()
+    {
+        return  (string)$this->general->enabled == '1' &&
+                (string)$this->general->fwrules == '1' &&
+                !empty((string)(string)$this->general->interfaces);
+    }
 }
--- a/src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv4.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv4.xml
@ -1,6 +1,6 @@
 <model>
    <mount>//OPNsense/Kea/dhcp4</mount>
-    <version>0.0.1</version>
+    <version>1.0.0</version>
    <description>Kea DHCPv4 configuration</description>
    <items>
        <general>
@ -15,6 +15,10 @@
                <Default>4000</Default>
                <Required>Y</Required>
            </valid_lifetime>
+            <fwrules type="BooleanField">
+                <Required>Y</Required>
+                <Default>1</Default>
+            </fwrules>
        </general>
        <ha>
            <enabled type="BooleanField">