# Why does dhclient require bpf?



## ssgriffonuser (Dec 3, 2022)

I'm setting up some jails that require dhcp.  This configuration requires adding the devfs rule to unhide bpf.  From searching online, it seems like BPF allows sniffing of all packets, even on the host (is this still true with vnet and epair?).  My question is, why does dhclient require BPF?  Can we make a cutdown version that does not require BPF?


----------



## zirias@ (Dec 3, 2022)

Think about it, DHCP communication must work before the client even has an IP address. Therefore, `255.255.255.255` is used, which will definitely not be inside the network your interface is connected to (edit: in fact, that doesn't really matter as long as the interface is not even configured....), so you need some "raw" access to make that work.

What's your concern with bpf(4) after all? In any case, you can only see packets on the network your interface is connected to. And you should be aware that any host will always be able to read any packet on the networks it's connected to. If this is a concern, be sure to segment your network properly into subnets and, if you need protections from hosts on the same subnet, use TLS.


----------



## Phishfry (Dec 3, 2022)

ssgriffonuser said:


> jails that require dhcp.


Well if you don't like bpf why not ditch dhcp and use static IP's ?

Off-topic:
I was surprised to find that u-boot contains a dhcp client which garbs an IP before system is even booted.
I am sure it is tied to bootp/tftp booting.


----------



## ssgriffonuser (Dec 3, 2022)

> Therefore, 255.255.255.255 is used, which will definitely not be inside the network your interface is connected to (edit: in fact, that doesn't really matter as long as the interface is not even configured....)


I was under the impression that a user space app can bind to 255.255.255.255 before an ip address was configured.  Maybe that is wrong.



> What's your concern with bpf(4) after all?


It doesn't seem like a jail with a single epair interface should be able to snoop the traffic of all interfaces connected to the host.  My understanding is that bpf gives that ability.



> Well if you don't like bpf why not ditch dhcp and use static IP's ?


That's definitely an option.  I'm more just curious regarding dhclient and bpf.


----------



## zirias@ (Dec 4, 2022)

ssgriffonuser said:


> I was under the impression that a user space app can bind to 255.255.255.255 before an ip address was configured.  Maybe that is wrong.


I don't think you can bind to _any_ address as long as the interface isn't configured. For this to work, the network layer would need an exception specifically for IPv4(!) and 255.255.255.255 to forward packets to the socket layer regardless of its configuration. And then, even if this _was_ the case, it wouldn't be enough for DHCP because it will also just use an address suggested by the client _if_ the server accepts it, again, before the interface is configured.



ssgriffonuser said:


> It doesn't seem like a jail with a single epair interface should be able to snoop the traffic of all interfaces connected to the host.  My understanding is that bpf gives that ability.


You can never see traffic on interfaces not available to your (VNET) jail, that would be black magic. bpf(4) allows you to see any traffic _on your interfaces_. Of course, if this one epair is bridged with all your other interfaces on the host, all their traffic will be present on it as well.

Furthermore, DHCP (obviously) needs superuser (root) privileges, so it _can_ configure the interface. By configuring it to other IPv4 subnets, it would already be possible to read other traffic on the interface. bfp(4) is restricted to root as well. Excluding it from a jail is just a way to prevent the "easy" way of snooping for processes running as root.


----------

