diff --git a/src/etc/inc/plugins.inc.d/kea.inc b/src/etc/inc/plugins.inc.d/kea.inc
index b510e7c5f..6028e9ffe 100644
--- a/src/etc/inc/plugins.inc.d/kea.inc
+++ b/src/etc/inc/plugins.inc.d/kea.inc
@@ -54,6 +54,45 @@ function kea_syslog()
}
+function kea_firewall($fw)
+{
+ global $config;
+ $keav4 = new \OPNsense\Kea\KeaDhcpv4();
+ if ($keav4->fwrulesEnabled()) {
+ // automatic (IPv4) rules enabled
+ foreach (explode(',', $keav4->general->interfaces) as $intf) {
+ $fw->registerFilterRule(
+ 1,
+ [
+ 'protocol' => 'udp',
+ 'direction' => 'in',
+ 'from_port' => 68,
+ 'to' => '255.255.255.255',
+ '#ref' => 'ui/kea/dhcp/v4',
+ 'to_port' => 67,
+ 'interface' => $intf,
+ 'descr' => 'allow access to DHCP server',
+ 'log' => !isset($config['syslog']['nologdefaultpass'])
+ ]
+ );
+ $fw->registerFilterRule(
+ 1,
+ [
+ 'protocol' => 'udp',
+ 'direction' => 'in',
+ 'from_port' => 68,
+ 'to' => '(self)',
+ '#ref' => 'ui/kea/dhcp/v4',
+ 'to_port' => 67,
+ 'interface' => $intf,
+ 'descr' => 'allow access to DHCP server',
+ 'log' => !isset($config['syslog']['nologdefaultpass'])
+ ]
+ );
+ }
+ }
+}
+
function kea_xmlrpc_sync()
{
$result = [];
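Review bot: The two `registerFilterRule()` calls in `kea_firewall()` are identical except for `'to'`, so a later change to ports, logging or the description has to be made twice and the broadcast and `(self)` variants can drift apart. Wrapping a single call in `foreach (['255.255.255.255', '(self)'] as $dst)` with `'to' => $dst` keeps them in step. Neither rule sets a `from` key, so they appear to match on interface and ports alone; if that is intentional, a short comment above the loop would record it, e.g. `// source left open on purpose: clients requesting a lease have no address yet`. The field is also passed to `explode()` without the `(string)` cast that `fwrulesEnabled()` applies to it; `explode(',', (string)$keav4->general->interfaces)` would be consistent.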
diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Kea/forms/generalSettings4.xml b/src/opnsense/mvc/app/controllers/OPNsense/Kea/forms/generalSettings4.xml
index 04b4de9e1..e2c82fe9f 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/Kea/forms/generalSettings4.xml
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Kea/forms/generalSettings4.xml
@@ -21,6 +21,12 @@
text
Defines how long the addresses (leases) given out by the server are valid (in seconds)
+
+ dhcpv4.general.fwrules
+
+ checkbox
+ Automatically add a basic set of firewall rules to allow dhcp traffic, more fine grained controls can be offered manually when disabling this option.
+
header
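Review bot: The help text for `dhcpv4.general.fwrules` does not say which traffic the automatic rules admit, so an administrator cannot tell from the form what is being opened. Going by `kea_firewall()` in this commit, it could read `Automatically add firewall rules that allow DHCP requests (UDP port 68 to port 67) to the broadcast address and to this firewall on the selected interfaces. Disable this option to manage these rules manually.` The model hunk appears to give the option a default of `1`; if so, existing installations would get these rules after the upgrade, which makes the explicit wording more important.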
diff --git a/src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv4.php b/src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv4.php
index 5fda86f59..7ef659725 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv4.php
+++ b/src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv4.php
@@ -65,4 +65,15 @@ class KeaDhcpv4 extends BaseModel
}
return parent::setNodes($data);
}
+
+ /**
+ * should filter rules be enabled
+ * @return bool
+ */
+ public function fwrulesEnabled()
+ {
+ return (string)$this->general->enabled == '1' &&
+ (string)$this->general->fwrules == '1' &&
+ !empty((string)(string)$this->general->interfaces);
+ }
}
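Review bot: The last operand of `fwrulesEnabled()` casts twice, `!empty((string)(string)$this->general->interfaces)`; the second `(string)` is redundant and reads like a paste error, so `!empty((string)$this->general->interfaces)` is enough. The two flag checks compare with loose `==` against `'1'`, and under PHP's numeric-string rules a stored value such as `'01'` would also compare equal; `=== '1'` states the intent exactly. Since this method decides whether pass rules are generated, the docblock could name the three conditions it checks (service enabled, `fwrules` set, at least one interface selected) instead of only `should filter rules be enabled`.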
diff --git a/src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv4.xml b/src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv4.xml
index 201a73bc2..b32705d67 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv4.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv4.xml
@@ -1,6 +1,6 @@
//OPNsense/Kea/dhcp4
- 0.0.1
+ 1.0.0
Kea DHCPv4 configuration
@@ -15,6 +15,10 @@
4000
Y
+
+ Y
+ 1
+