Bug #9267

dhclient does not handle protocol timeouts or script failures correctly

Added by Nash Kaminski about 1 year ago. Updated 2 months ago.

Target version:
Start date:
Due date:
% Done:


Estimated time:
Affected Version:
Affected Architecture:


pfSense-dhclient-script fails to return nonzero in the case where a DHCP timeout occurs and the cached gateway address is not pingable. This results in a case where the cached IP is removed from the interface, but dhclient is informed via the exit status of 0 that the IP was added successfully. As a result, the impacted interface remains without an IPv4 address until either the DHCP lease expires, the link flaps, or the DHCP lease is renewed manually, instead of the expected behavior of the DHCP protocol being restarted after the defined retry interval.

After addressing this with the patch 'pfsense-dhclient-script-patch.txt', I uncovered another apparent issue where the function 'priv_script_go' in dhclient.c does not correctly isolate and return the child process exit code from the return value of the wait() call.

This was further confirmed by verifying the current implementation in dhclient.c:

(wstatus & 0xff)

is not functionally equivalent to the definition of the WEXITSTATUS macro, which is defined as
((x) >> 8)

To address this, I have applied patch 'dhclient-patch.txt' to the FreeBSD 11.2 source tree, rebuilt dhclient, and installed the new binary to the pfSense appliance.

After performing both of these actions, dhclient and the associated script now behave as expected when a protocol timeout occurs and the cached gateway IP is not pingable, where a timeout is indicated in the relevant logs and the DHCP protocol restarted after the defined retry interval.

pfsense-dhclient-script-patch.txt (1.5 KB) pfsense-dhclient-script-patch.txt Nash Kaminski, 01/10/2019 06:59 PM
dhclient-patch.txt (327 Bytes) dhclient-patch.txt Nash Kaminski, 01/10/2019 07:38 PM


#1 Updated by Nash Kaminski about 1 year ago

Also to add, this is seen on version 2.4.4-RELEASE-p1 (amd64),
FreeBSD 11.2-RELEASE-p4, but affects versions back at least as far as 2.4.0.

#3 Updated by Jim Pingle 8 months ago

  • Category set to Interfaces
  • Priority changed from High to Normal
  • Target version set to 2.5.0
  • Affected Version set to All
  • Affected Architecture set to All

#4 Updated by Patrick Staton 2 months ago

Any status on this? It pretty much breaks our router being able to handle power outages.

#5 Updated by Jim Pingle 2 months ago

The change is included in FreeBSD 12.1. Once we move pfSense to FreeBSD 12.1 (which will happen before 2.5.0-RELEASE), we'll pick this up naturally from upstream. So it won't be too much longer now.

Also available in: Atom PDF