Problem:
My parents have a Linux firewall (Mandriva 2008.0) that I have set up that front-ends their network. This machine acts as a firewall and VPN (Openswan) mate to my network in my house. Recently, their ISP changed their config from a static IP address to DHCP with a renew time of about 3900 seconds (65 minutes). I've configured Mandriva to use dhclient and it normally works fine.
However they live in a rural area of Iowa, subject to frequent lightning storms / strikes. To combat the storms they install phone line surge suppressors before the DSL modem. But even with this, if they leave the phone line plugged in during a storm, it will likely fry the suppressor; they could go through half-a-dozen suppressors a year (seriously). So when storms start rolling in, they typically unplug the phone lines from the DSL modem. With the old static IP, no problem; after the storm they plug back in the phone line and everything is instantly back up. But with DHCP it's another story. Many of these storms happen overnight, so it will be 8+ hours of unplugged. By that time the DHCP IP address has expired, and the client has aborted the renew. At this point, the network and Shorewall startup scripts have to be re-run before their internet is back up (or reboot the machine).
Questions:
1. How can I get the DHCP client to keep retrying the renew after failure? Perhaps retry every minute or so until success. I guess I could even write a cron script that just checks to see if eth0 has an IP address, but is there a better/easier way?
2. Is there a place I can place a post-renew script to be executed? I want to update OpenSwan, Shorewall, and DDNS settings after the renew in case the IP has changed?
I do not see the reason why the 'client has aborted the renew'.
If the firewall is configured properly it should allow all the traffic concerned with DHCP - independently on current IP lease. So look at the firewall settings first.
I'm not sure I follow your post. The firewall isn't blocking the renew. The renew fails because the DSL phone line is unplugged for 8+ hours. And when the renew time expires without getting a new IP, it leaves the interface completely unconfigured.
But it does not matter whether the interface has a valid IP address or not when the host sends a DHCP request.
A DHCP request doesn't contain any particular IP value (I do not remember the request packet structure - AFAIR the broadcast IP is used in its place).
So either request or the lease reply is blocked (somewhere, probably at your host).
Somehow, either I'm totally missing your point, or you mine, so let me try and re-explain.
If the firewall is left plugged into the DSL modem and the modem to the phone line, the DHCP renew works fine. It never loses its IP address, and it's always working, so there isn't a firewall rules problem.
But if my parents unplug the DSL modem during an electrical storm (again to stop the equipment from getting fried), and the renew process fires, the renew fails because obviously there is no network connection to the ISP DHCP server of any type. Once the failure happens, and I don't know if it's immediate or takes some time, the interface eth0 is left without any IP address, leaving the firewall in serious trouble until several processes are restarted after the DSL modem is plugged back in.
I am trying to figure out a way by which I can prevent the renew process from giving up when the DSL is unplugged, so when they do plug the DSL back in, say the next morning, the machine will quickly restore its DHCP IP address and return to service. Or if I can't prevent it from aborting, then I need a process to frequently check if it has aborted and re-run it.
Secondly, I'm looking for a way to fire a customized script that is executed after the DHCP checkout/renew process is complete, to potentially do some additional setup with the IP address.
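One way to get the post-renew script asked about above, as an added example that is not part of the original thread. It assumes the ISC dhclient-script sources /etc/dhclient-exit-hooks with $reason, $interface, $old_ip_address and $new_ip_address set (check the path in the distro's /sbin/dhclient-script), that Openswan's init script is named ipsec, and /usr/local/sbin/ddns-update is a hypothetical DDNS updater.

```shell
# /etc/dhclient-exit-hooks (assumed path): sourced by dhclient-script,
# so it must never call "exit". Added example, not code from the thread.

# lease_event REASON OLD_IP NEW_IP -> prints refresh | noop | down | ignore
lease_event() {
    case $1 in
        BOUND|REBOOT)
            echo refresh ;;                 # fresh lease: always reload
        RENEW|REBIND)
            # Reload only when the ISP actually handed out a new address.
            if [ -n "$3" ] && [ "$2" != "$3" ]; then
                echo refresh
            else
                echo noop
            fi ;;
        EXPIRE|FAIL|STOP|RELEASE)
            echo down ;;                    # address has been removed
        *)
            echo ignore ;;                  # PREINIT, MEDIUM, TIMEOUT, ...
    esac
}

# Reload everything that embeds the WAN address in rules or tunnels.
refresh_services() {
    service shorewall restart
    service ipsec restart                   # Openswan (assumed service name)
    /usr/local/sbin/ddns-update "$1"        # hypothetical DDNS updater
}

# Runs only when sourced by dhclient-script for the WAN interface.
if [ -n "${reason:-}" ] && [ "${interface:-}" = "eth0" ]; then
    case $(lease_event "$reason" "${old_ip_address:-}" "${new_ip_address:-}") in
        refresh)
            logger -t dhcp-hook "eth0 $reason: ${old_ip_address:-none} -> $new_ip_address"
            refresh_services "$new_ip_address" ;;
        down)
            logger -t dhcp-hook "eth0 $reason: WAN address lost" ;;
    esac
fi
```

Logging the old and new address on every refresh gives a record of when the firewall and VPN were reloaded and why.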
I would like to clarify the nomenclature and understand the configuration.
I assume you have a Mandriva box with 2 eth interfaces: one connected to the DSL modem (let's assume it is eth0) and the second one to your home network.
It is running all kinds of stuff, some of which are:
- firewall (see: firewall is not a machine - for me it is software)
- DHCP client to get IP address from your ISP.
Quote:
If the firewall is left plugged into the DSL modem and the modem to the phone line, the DHCP renew works fine. It never loses its IP address, and it's always working, so there isn't a firewall rules problem.
It is not obvious to me since I can imagine (I saw such configurations) that eth0 is up first, gets an IP from the ISP via DSL, and NEXT the firewall is started, blocking all the subsequent DHCP requests.
BTW: The correct order is to start the firewall first and then bring up the interfaces.
Another thing is to be sure that the DHCP client is run as a daemon.
I've seen configurations where the DHCP client has been run once as a process. Of course it got the IP, but since it finished its work the IP was never renewed. This probably doesn't take place in this case, so I mention it just in case.
With the above configuration you should be able to unplug any DSL modem cables (including the power cable) at any time for as long as you wish. The DHCP client SHOULD obtain a current IP.
Therefore I do not understand what you are looking for if everything is usually done in natural way with the typical software.
Your understanding is correct. The Mandriva box in question has eth0 and eth1 with eth0 being on the internet, eth1 internal. Box runs Shorewall firewall, DHCPD for internal machines only, postfix, Samba, etc all for the internal network. The eth0 is configured to receive its IP address via DHCP using dhclient with the following options:
dhclient -1 -q -lf /var/lib/dhcp/dhclient-eth0.leases -pf /var/run/dhclient-eth0.pid -cf /etc/dhclient-eth0.conf eth0
running as a daemon.
The lease period seems to be hourly from the ISP. Looking at syslog, I see blocks like this:
Oct 22 09:53:48 windward dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 4
Oct 22 09:53:48 windward dhclient: DHCPOFFER from 167.142.225.132
Oct 22 09:53:48 windward dhclient: DHCPREQUEST on eth0 to 255.255.255.255 port 67
Oct 22 09:53:49 windward dhclient: DHCPACK from 167.142.225.132
Oct 22 09:53:49 windward NET[6949]: /sbin/dhclient-script : updated /etc/resolv.conf
Oct 22 09:53:49 windward dhclient: bound to 207.32.16.21 -- renewal in 3134 seconds.
approximately every hour. Now when the network DSL connection is unplugged, I see the following:
Nov 5 04:45:57 windward dhclient: DHCPREQUEST on eth0 to 167.142.225.132 port 67
Nov 5 04:46:08 windward dhclient: DHCPREQUEST on eth0 to 167.142.225.132 port 67
Nov 5 04:46:17 windward dhclient: DHCPREQUEST on eth0 to 167.142.225.132 port 67
for about an hour, then:
Nov 5 05:43:13 windward dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 4
Nov 5 05:43:13 windward dhclient: receive_packet failed on eth0: Network is down
Nov 5 05:43:17 windward dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 8
Nov 5 05:43:23 windward kernel: eth0: no IPv6 routers present
Nov 5 05:43:25 windward dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 13
Nov 5 05:43:38 windward dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 18
Nov 5 05:43:56 windward dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 18
Nov 5 05:44:14 windward dhclient: No DHCPOFFERS received.
after which point the syslog is flooded with
Packet send failed to 10.20.0.1(137) ERRNO=Network is unreachable (or similar msgs).
Inspecting the next morning with ifconfig, I see the eth0 has no IP address anymore. Unfortunately, I didn't notice if dhclient was still running. Performing a "service network restart" and "service shorewall restart" brought back everything fine.
So somehow, the dhclient is giving up and not keeping its old IP address if it's unable to renew it past about an additional hour.
The problem is my parents are not that computer/Linux savvy and I don't want to have to instruct them on how to perform this root action every time they unplug the network.
Options I see:
1. Some simple config option on dhclient, or use a different dhcp client that won't give up so easily.
2. Write a cron script that checks for the condition and restarts things for them.
The -1 flag causes dhclient to try once to get a lease. If it fails, dhclient exits [...]
You have not said how close you live or how frequently you visit. If you happen to be over there long enough to deliberately induce this, you could then check to see if dhclient is still running. Or ... if you are brave enough, you could have your parents do this. (Maybe talk them through it over the phone?)
EDIT: Or maybe set up a script that will test and log the result. Then tell them the next time it happens to "double click on this icon." For that matter, you could set them up with a script to restart the services, allowing the necessary root access via sudo w/o requiring a password. Again, they just click on an icon.
Last edited by blackhole54; 11-14-2008 at 03:14 PM.
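The cron check discussed in the thread, as an added example that is not from any poster. It assumes iproute2's `ip` is installed and the script is run by root's crontab with the argument `--run`; the pidfile path and the two restart commands are the ones quoted in the thread.

```shell
#!/bin/sh
# WAN watchdog for cron. Added example, not code from the thread.
IFACE=eth0
PIDFILE=/var/run/dhclient-eth0.pid      # from the dhclient command line above

# has_ipv4 TEXT: true if `ip -4 -o addr show` style output holds an address.
has_ipv4() {
    printf '%s\n' "$1" | grep -Eq '(^|[[:space:]])inet [0-9]+(\.[0-9]+){3}/'
}

# client_alive PIDFILE: true if the pidfile names a running process.
client_alive() {
    [ -r "$1" ] || return 1
    pid=$(cat "$1")
    case $pid in
        ''|*[!0-9]*) return 1 ;;        # empty or non-numeric: stale file
    esac
    kill -0 "$pid" 2>/dev/null
}

# wan_state ADDR_TEXT PIDFILE -> prints ok | renewing | dead
#   ok        interface has an IPv4 address
#   renewing  no address, but dhclient is still running and retrying
#   dead      no address and no client: nothing will recover by itself
wan_state() {
    if has_ipv4 "$1"; then
        echo ok
    elif client_alive "$2"; then
        echo renewing
    else
        echo dead
    fi
}

# Act only when called as "wan-watchdog --run" (e.g. every minute from cron).
if [ "${1:-}" = "--run" ]; then
    addr=$(ip -4 -o addr show dev "$IFACE" 2>/dev/null)
    state=$(wan_state "$addr" "$PIDFILE")
    if [ "$state" = dead ]; then
        logger -t wan-watchdog "$IFACE has no address and dhclient is gone; restarting"
        service network restart && service shorewall restart
    fi
fi
```

Without `-1`, dhclient stays resident after a failed attempt and retries on its own, so the watchdog then only covers the case where the process has died.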