From bf7243caecf5d0bee7604217ea7dd3e89a5488a8 Mon Sep 17 00:00:00 2001 From: Christoph Date: Wed, 3 Dec 2025 18:30:28 +0100 Subject: [PATCH] ipt-firewall-gateway: fix error allowing DHCP requests: also consider unicast renewal requests. --- ipt-firewall-gateway | 28 +++++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/ipt-firewall-gateway b/ipt-firewall-gateway index cc98a20..77b3ed1 100755 --- a/ipt-firewall-gateway +++ b/ipt-firewall-gateway @@ -1698,11 +1698,37 @@ fi echononl "\tDHCP" +# Get IPv4 Adresses for local interfaces +# +declare -A if_ipv4_map +for _if in "${local_if_arr[@]}"; do + if_ipv4_map["$_if"]=$( + ip -4 -o addr show dev "$_if" scope global \ + | awk '{print $4}' \ + | cut -d/ -f1 \ + | tr '\n' ' ' + ) +done + if $local_dhcp_service ; then # - Allow requests from intern networks for _dev in ${local_if_arr[@]} ; do - # - in + + # - in: Broadcast + Unicast für DHCP erlauben + #$ipt -A INPUT -p udp -i $_dev --sport 68 --dport 67 -j ACCEPT + + # - in: DHCP-Broadcasts - The first lease is negotiated via broadcast. $ipt -A INPUT -p udp -i $_dev -s 0/0 --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT + + # - in: DHCP-Unicast-Renews - Extension(Verlängerung) of the lease via unicast renewal request + for _ip in ${if_ipv4_map["$_dev"]}; do + + # DHCP-Client - Server (Unicast-Renew an lokale IP) + $ipt -A INPUT -p udp -i "$_dev" --sport 68 -d "$_ip" --dport 67 -j ACCEPT + + done + + # - out $ipt -A OUTPUT -p udp -o $_dev --sport 67 -d 0/0 --dport 68 -j ACCEPT done
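Review bot: The unicast-renew rule is skipped silently when `if_ipv4_map["$_dev"]` is empty, which happens whenever `ip -4 -o addr show dev "$_if" scope global` fails or the interface has no global IPv4 address at the time the rules are loaded; the pipeline's status is masked by the trailing `tr`, so even `set -e` would not catch it (if it is set at all — the shebang and options are outside the hunk). Clients renewing by unicast on that interface are then blocked until they fall back to broadcast rebinding, which is hard to diagnose from the firewall side; a one-line warning in the `_dev` loop makes it visible: `[[ -n "${if_ipv4_map[$_dev]:-}" ]] || echo "  Warning: no IPv4 address on $_dev - unicast DHCP renewals are not allowed" >&2`. The map is also built before `if $local_dhcp_service` is tested, so the `ip` calls run even when no DHCP rule is ever emitted; moving the block inside the `if` avoids that. Finally, the commented-out `#$ipt -A INPUT -p udp -i $_dev --sport 68 --dport 67 -j ACCEPT` is dead code a reader may mistake for an intended looser rule, and the comments mix German and English (`für`, `Verlängerung`, `an lokale IP`); either delete the dead line or say why it is kept, and keep the comments in one language.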