From d6925499f129ed4a893fe6e9bb314106f0a33653 Mon Sep 17 00:00:00 2001
From: Joe LeVeque <jleveque@users.noreply.github.com>
Date: Fri, 17 Jul 2020 11:16:19 -0700
Subject: [PATCH] [caclmgrd] Filter DHCP packets based on dest port only
 (#4995)

---
 files/image_config/caclmgrd/caclmgrd | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/files/image_config/caclmgrd/caclmgrd b/files/image_config/caclmgrd/caclmgrd
index 3f0c7f93ffb0..927675524ea3 100755
--- a/files/image_config/caclmgrd/caclmgrd
+++ b/files/image_config/caclmgrd/caclmgrd
@@ -245,12 +245,12 @@ class ControlPlaneAclManager(object):
         iptables_cmds.append("ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT")
 
         # Add iptables/ip6tables commands to allow all incoming IPv4 DHCP packets
-        iptables_cmds.append("iptables -A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT")
-        iptables_cmds.append("ip6tables -A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT")
+        iptables_cmds.append("iptables -A INPUT -p udp --dport 67:68 -j ACCEPT")
+        iptables_cmds.append("ip6tables -A INPUT -p udp --dport 67:68 -j ACCEPT")
 
         # Add iptables/ip6tables commands to allow all incoming IPv6 DHCP packets
-        iptables_cmds.append("iptables -A INPUT -p udp --dport 546:547 --sport 546:547 -j ACCEPT")
-        iptables_cmds.append("ip6tables -A INPUT -p udp --dport 546:547 --sport 546:547 -j ACCEPT")
+        iptables_cmds.append("iptables -A INPUT -p udp --dport 546:547 -j ACCEPT")
+        iptables_cmds.append("ip6tables -A INPUT -p udp --dport 546:547 -j ACCEPT")
 
         # Add iptables/ip6tables commands to allow all incoming BGP traffic
         # TODO: Determine BGP ACLs based on configured device sessions, and remove this blanket acceptance