-
Notifications
You must be signed in to change notification settings - Fork 13
/
example.yaml
398 lines (394 loc) · 17.8 KB
/
example.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
# (default false) Normally, client id is determined by (opt 61) client identifier option,
# or the DHCP header field `chaddr`. Sometimes, we want to configure
# the server to only look at the `chaddr` field. Setting `chaddr_only` to true
# will do that.
#
# chaddr_only: false
#
# (default true) enable/disable BOOTP support. Dora supports only RFC1497. BOOTP clients
# will be assigned an IP based on their chaddr, they don't have client-ids.
# The `lease_time` property of a reservation will be ignored
#
# bootp_enable: true
#
# (default false) enable/disable rapid commit RFC4093. If enabled, and a message is received with the
# rapid commit option, then dora will attempt a 1-step lease instead of 2.
#
# rapid_commit: false
#
# (default off) The DHCP flood attack protection enables the DHCP device to detect DHCP
# flood attacks according to the DHCP packet rate threshold on a per-MAC basis.
# By default this section is not enabled.
#
# flood_protection_threshold:
# packets: 6
# secs: 5
#
# (default 0) The cache_threshold statement takes one integer parameter with
# allowed values between 0 (disabled) and 100. This parameter expresses the
# percentage of the total lease time, measured from the beginning,
# during which a client's attempt to renew its lease will result
# in getting the already assigned lease, rather than an extended lease.
#
# cache_threshold: 0
#
# Dora binds to inaddr_any, if an interface is specified dora will filter
# all traffic not from this interface.
# If no interface is specified, we will listen on inaddr_any (0.0.0.0) and send
# each response on the same interface we recv'd it on.
#
# interfaces:
# - enp6s0
#
networks:
192.168.5.0/24:
# Authoritative:
# When the DHCP server is configured as authoritative, the server will respond with
# ACK or NACK as appropriate for all the received REQUEST and INFORM messages
# belonging to the subnet. If non-authoritative, INFORM will be ignored on this network
#
# authoritative: true
#
# `ping_check` (default false) set to true will ping before assigning an IP
#
# ping_check: false
#
# adjust the default ping timeout (default: 500ms)
#
# ping_timeout_ms: 500
#
# Decline & Duplicate Address Detection:
# `probation_period` (seconds) is defined per-network. If any DHCP messages are received from
# this network with a message type of DECLINE, or if a ping check is successful
# (meaning the address is in use), dora will not attempt to lease the IP inside of
# the probation period.
#
probation_period: 86400
# (optional)
# `server_id` _must_ be an IP that dora is reachable on.
# OR IF IT IS NOT specified, dora will use the IP of the interface we recv'd the message on.
# OR we will just use the first non-loopback interface IP
server_id: 192.168.5.1
# (optional) this will replace the `sname` field in the DHCP header
# server_name: "example.org"
#
# (optional) this will replace the `fname` field in the DHCP header
# file_name: "bootfile.efi"
ranges:
-
# (optional) specifies the class name that must have been matched on
class: "my_class"
# start of your range
start: 192.168.5.2
# end of your range
end: 192.168.5.250
# configured lease time (only `default` is required)
config:
lease_time:
default: 3600
min: 1200
max: 4800
# Both reservations & ranges can include an options map, if an incoming dhcp msg gets
# an IP from that reservation or range, it will also use the corresponding `options`
# to respond to any parameter request list values.
options:
values:
# each option has a `type`/`value`. the 'value' field can implicitly be a list (all types except b64/hex/sub_option).
# valid types are:
# ip ex. 1.2.3.4 or [1.2.3.4, 1.2.3.4]
# domain (encodes list of domains in compressed DNS format) ex. ["foobar.com.", "apple.marketing.com."] or a single domain ex. "foobar.com."
# str ex. "foobar" or ["foo", "bar"]
# u8 ex. 1 or [1, 2, 3]
# u16 ex. 1 or [1, 2, 3]
# u32 ex. 1 or [1, 2, 3]
# i32 ex. -1 or [-1, 2, 3]
# b64 ex. "Zm9vYmFy"
# hex ex. "DEADBEEF"
# sub_option
# Look at: https://docs.rs/dhcproto/latest/dhcproto/v4/enum.DhcpOption.html for available opts and their corresponding type.
#
# For specifying options, use the number code or the name, for example
# 1:
# type: ip
# value: 255.255.255.0
# is equivalent to
# subnet_mask:
# type: ip
# value: 255.255.255.0
# only some options have support for the string name identifier.
1: # subnet mask (if not specified, comes from `interfaces`)
type: ip
value: 255.255.255.0
3: # router (if not specified, will come from `interfaces`)
type: ip
value:
- 192.168.5.1
6: # domain name (if running a DNS server like dnsmasq also, use its IP)
type: ip
value:
- 8.8.8.8
28: # broadcast addr (if not specified, comes from `interfaces`)
type: ip
value: 192.168.5.255
# you can add exceptions each range
#
# except:
# - 192.168.0.123
# - 192.168.0.124
# each network block can have reservations
reservations:
-
ip: 192.168.5.166
config:
lease_time:
default: 3600
options:
values:
1:
type: ip
value: 255.255.255.0
3:
type: ip
value:
- 192.168.5.1
6:
type: ip
value:
- 8.8.8.8
28:
type: ip
value: 192.168.5.255
43:
type: sub_option
value:
1:
type: str
value: "foobar"
2:
type: ip
value: 1.2.3.4
# Reservations are supported based on `chaddr`, or `options`. Currently, only a single
# options may be specified for a match. There is no AND/OR logic for matching on options.
match:
chaddr: f8:1a:67:1f:c9:7d
# OR match using an option
# options:
# values:
# x:
# type: ip
# value: x.x.x.x
#
# You can have as many networks as you want
#
# 192.168.0.0/24:
# ping_check: false
# probation_period: 86400
# server_id: 192.168.0.1
#
# DHCPv6
# v6 support is largely experimental and unfinished. There is some early support for
# responding to INFOREQ.
v6:
# optional, interfaces to bind
# interfaces:
# - enp6s0
# Optional, if server_id is not specified, we will generate an server identifer or use previous generated server identifier(if exists). Addtionally, if all settings are the same as previous settings, we will also use previous generated server identifier.
server_id:
type: LLT # LLT (default) | LL | EN | UUID
identifier: fe80::c981:b769:461a:bfb4 # Optional, set blank or remove to auto-generate link-layer address. For LLT and LL, it must be a valid link-layer address.
time: 1111112 # Optional, set blank or remove to auto-generate time. For LLT, it must be a valid u32 timestamp
hardware_type: 1 # Optional, set blank or remove to auto-generate hardware type. For LL, it must be a valid u16 hardware type
#enterprise_id: 1 # Optional, set blank or remove to auto-generate enterprise id. For EN, it must be a valid u32 enterprise id
persist: true # Optional, default value is true. set false to generate a new DUID every time the server is restarted.
path: ./server_id # optional. default is /var/lib/dora/server_id
# global options (optional)
options:
values:
# dns
23:
type: ip_list
value:
- 2001:db8::1
- 2001:db8::2
# optional
networks:
# subnet selection:
# we will attempt to match first the IP of the `interfaces` field below to determine
# which subnet to apply, if none is specified we will use the link-local, then the global IP
# of the interface we received the message on.
# (this method should be double checked, I'm not sure it's correct)
#
# https://kea.readthedocs.io/en/kea-1.6.0/arm/dhcp6-srv.html#dhcp6-config-subnets
# https://datatracker.ietf.org/doc/html/rfc8415#section-13.1
# https://techhub.hpe.com/eginfolib/networking/docs/switches/5130ei/5200-3942_l3-ip-svcs_cg/content/483572577.htm
#
2001:db8:1::/64: # https://en.wikipedia.org/wiki/IPv6_address#Documentation
# optional - what interfaces we will apply to this network
interfaces:
# - enp6s0
# no explicit ranges (yet)
config:
lease_time:
default: 3600
preferred_time:
default: 3600
# same with options
# inspiration: https://kea.readthedocs.io/en/kea-2.2.0/arm/dhcp6-srv.html?highlight=router%20advertisement#dhcp6-std-options-list
options:
values:
# dns
23:
type: ip_list
value:
- 2001:db8::1
- 2001:db8::2
# Example Client Classifier
#
# We define in the dora config a client_classes section, where each class has a predicate whose syntax
# is identical to Kea's expression syntax. At least initially, all client classes will be evaluated when a packet is received.
# The classes will be evaluated in topological order, according to their dependencies. Option precedence will still be
# given by the order in the config.
# A range/reservation can then define a client_class field with the name of a class that will restrict
# that range/reservation to only allow packets that have evaluated the associated client class predicate to true.
#
# Ex.
# ```
# client_classes:
# v4:
# - name: my_class
# assert: <some expression that evaluates to true/false>
# options:
# <options data>
# networks:
# 192.168.1.100/30:
# ranges:
# -
# class: my_class
# ...
# ```
#
# Dora does not allow the same level of configuration as Kea (right now).
# We will not allow classes to be set on subnets, only ranges/reservations.
# This follows with dora’s generally ‘flattened’ config structure.
# This doesn’t close the door on adding those features in the future, just defines a minimum set of functionality.
# DHCP message flow:
#
# - Dora receives a DHCP packet, it evaluates any globally defined client classes.
# Dora attaches matching classes to the currently processing message
# - Dora uses subnet selection logic to determine which top level network
# a given message should get its IP from (giaddr/ iaddr and opts like subnet select & relay agent info).
# - Dora checks to see if any static IP reservations exist with matching client classes, if so it uses that reservation,
# potentially with option/config data from the client class. Precedence for option data goes to the reservation
# over any client class data.
# - Dora iterates ranges in the network and if any client class is defined for the range, it checks
# to see that the packet evaluated a match for that client class-- i.e. the packet’s matching classes
# must contain the range’s class if it exists. Range precedence is set by index in the range list.
# Precedence for option data goes to the range over any client class option data.
# - If, during iterating through ranges, there are classless ranges, we attempt to assign an IP
# from the classless range. If the packet has classes associated with it, it may get
# option data from those classes, but it can still have an IP assigned from a classless range.
# - Continue normal execution
#
# Note on precedence: If multiple client classes are applied to an incoming message,
# the options given to the client will be the union of all matching client classes.
# Where there is a duplicate, precedence will be given in the order it was evaluated.
#
# Predicate evaluation:
# see: https://kea.readthedocs.io/en/kea-2.2.0/arm/classify.html#using-expressions-in-classification
# and if anything you want isn't supported yet file a ticket asking us to work on it!
#
# Currently supports all grammar defined in the `grammar.pest` file in libs/client-classification:
#
# primitives: integer (123), 'string', ip (1.2.3.4), 0xhex, true/false
#
# prefix: not (`not false`)
#
# infix: == != or and (`1 == 1 and 2 != 3 or true`)
#
# options: option[12]
# option[xx].hex: gets the data as a byte string.
# You can still compare with 'strings' as long as the byte representation matches (`option[12].hex == 'hostname'` or `option[244].hex == 0x1234`)
# option[xx].text: gets the data as a utf-8 encoded string (`option[12].text == 'hostname'`)
# option[xx].exists: returns true/false if the option exists (`option[12].exists`)
#
# pkt header:
# pkt4.mac: chaddr in DHCP message header (`pkt4.mac == 0xDEADBEEF`)
#
# substring(expr, start, len): substring function (`substring('foobar', 0, 3) == 'foo'`)
#
# concat(expr, concat): concat function (`concat('foo', 'bar') == 'foobar')
#
# ifelse(expr, expr_a, expr_b): if else control flow, first expression must evaluate to true/false
# and if true expr_a will return else expr_b
#
# hexstring(pkt4.mac, ':'): turns bytes into a string separated by the separator string
# ex. hexstring(pkt4.mac, ':') == '66:6f:6f'
# (if pkt4.mac is '0x666f6f')
#
# member('classname'): reference another class using the `member('my_class')` function. Dependency
# cycles will fail to parse the config.
#
# example:
#
# `substring(option[61].hex, 0, 3) == 'foo'`
#
# Vendor classes:
#
# To match on the standard option 60 vendor class identifier, use `option[60].hex` or `option[60].text`
# in your assertion— depending if you want a byte string or utf-8 string representation.
# You can then specify options for the class providing option 43, for the encapsulated vendor options.
# example.
# name: my_vendor_class
# assert: "option[60].hex == 'MSFT5.0'"
# options:
# values:
# 43:
# type: sub_option
# value:
# 1:
# type: str
# value: "foobar"
# 2:
# type: ip
# value: 1.2.3.4
#
# Attaching `my_vendor_class` to a range/reservation will provide the defined opt 43 vendor options.
client_classes:
# only v4 supported at the moment
v4:
-
# class name
name: my_class
# assertion will be run for each class defined
assert: "option[60].text == 'foobar'"
# any options defined here will be provided to the message
options:
values:
6:
type: ip
value: [ 1.1.1.1 ]
# DDNS config (see docs/ddns.md for more information)
# This section is optional, if not included, no DDNS updates will
# be sent
ddns:
# send updates. If the ddns section header is defined, enable_updates defaults to true
enable_updates: true
# default false. whether to override the client update FQDN flags
override_client_updates: false
# default false. whether to override the no update FQDN flags
override_no_updates: false
# list of forward DNS servers
# selects based on FQDN longest match
forward:
- name: "example.com."
# key: (optional) "key_foo"
ip: 192.168.3.111:53
reverse:
- name: "168.192.in-addr.arpa."
ip: 192.168.3.111:53
# map of tsig keys. DNS servers reference these by name
tsig_keys:
key_foo:
algorithm: "hmac-sha1"
# b64 key data
data: "<keydata>"