class options.

David W. Hankins David_Hankins at
Thu Sep 7 17:18:39 UTC 2006

On Thu, Sep 07, 2006 at 05:12:27PM +0100, Simon Hobson wrote:
> First thing, mixing allow and deny won't do what you expect ! I can't 
> remember the details, but there's some complicated way they work. An 
> allow implies deny anything not allowed, and vice-versa.

This comes up infrequently enough that I can't remember either.  Which
is why I updated 'man dhcpd.conf' to remind me:

	... snipped
       aren’t.   Each  entry  in  a  pool’s permit list is introduced with the
       allow or deny keyword.   If a pool has a permit list, then  only  those
       clients that match specific entries on the permit list will be eligible
       to be assigned addresses from the pool.   If a pool has  a  deny  list,
       then  only those clients that do not match any entries on the deny list
       will be eligible.    If both permit and deny lists exist  for  a  pool,
       then  only clients that match the permit list and do not match the deny
       list will be allowed access.

So, configuring both is "if permitted, and not denied", and the
order of these statements in the config file is unimportant (in
fact, I think the entries are pushed onto a stack, so they're
run in reverse).

ISC Training!  October 16-20, 2006, in the San Francisco Bay Area,
covering topics from DNS to DDNS & DHCP.  Email training at
David W. Hankins	"If you don't do it right the first time,
Software Engineer		you'll just have to do it again."
Internet Systems Consortium, Inc.	-- Jack T. Hankins

More information about the dhcp-users mailing list