Limiting addresses per user for users with more than one circuit-id
itvirta at iki.fi
Mon Dec 15 11:48:28 UTC 2014
We have users (student apartments) who get addresses from DHCP, and we
need to limit the number of addresses given to each user, so that nobody
can hoard all the addresses in the network. We have a somewhat
convoluted system in place for doing this, but I was thinking if it
could be made simpler with the built-in limiting in dhcpd.
I can tell the users apart by the physical connection
(remote-id + circuit-id) but the problem is that a number of users
have more than one circuit-id in their use, and the limit should still
be per-user (and not per-circuit). For single circuit-id:s, spawning
subclasses should be able to do this nicely, but since I need to
"combine" (in a sense) the circuit-id:s, I don't think this can be done
without creating (full) classes for each and every user?
A class per user would be possibly doable, but with hundreds of users,
the resulting configuration would be rather ugly. (hundreds of class
declarations, dozens of "allow members of" clauses in all pool
declarations). I'm a bit worried if there are any performance issues
with this, too. Since subclasses are described as a "speed hack", full
classes probably aren't very optimal speedwise, but how many would be
Logically, the thing would be for dhcpd to only see some kind
of a "user-id" (or to be able to do the mapping from remote-id +
circuit-id to the user-id) and then do the subclassing and limiting
based on the user-id. But I don't think that's available out of the box.
So, the ideas I came up with:
- Have an external program mangle the circuit-id:s before dhcpd sees them
- Hack dhcpd to do the mapping itself
- Hack dhcpd to call an external program on each and every request
to decide whether to allow the lease or not, and do the limiting there.
I'm not too happy about any of those, would there be a better way for
As an additional thought, it would be "nice" if users could in some
cases step over the limit to use any spare addresses in the subnet; as
long as I can guarantee everyone gets at least one address at all
times... But I think this would definitely need an external program to
handle the logic.
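As an added illustration (not part of the original post, and not a configuration from the dhcp-users list or ISC), the dhcpd.conf fragment below shows the two mechanisms the post discusses side by side: a spawning class that creates one subclass per relay-agent (remote-id + circuit-id) pair with a `lease limit`, which covers the single-circuit users, and one full class for a user who has two circuit-ids, with the per-user `lease limit` placed on that class. Every remote-id, circuit-id, class name and address here is a constructed placeholder; the "Q" in "apt-101" does not refer to any real user.

```conf
# Added example, not from the original post. All ids/addresses are made up.
#
# A user with one circuit-id: a subclass is spawned per (remote-id, circuit-id)
# pair and inherits "lease limit 1", so each physical port gets one address.
# The two circuit-ids that belong to the multi-circuit user below are excluded
# here; otherwise that user would also be a member of a spawned subclass and
# the pool would hand out addresses on that basis, bypassing the per-user cap.
class "per-circuit" {
    match if (exists agent.circuit-id)
          and not ((option agent.remote-id = "sw01")
                   and ((option agent.circuit-id = "eth1/1/5")
                     or (option agent.circuit-id = "eth1/1/6")));
    spawn with concat(option agent.remote-id, option agent.circuit-id);
    lease limit 1;
}

# A user with two circuit-ids: one full class per user, combining the
# circuit-ids with "or", and the limit applied to the whole class.
class "apt-101" {
    match if (option agent.remote-id = "sw01")
          and ((option agent.circuit-id = "eth1/1/5")
            or (option agent.circuit-id = "eth1/1/6"));
    lease limit 1;
}

subnet 10.20.0.0 netmask 255.255.255.0 {
    option routers 10.20.0.1;
    option domain-name-servers 10.20.0.1;
    pool {
        range 10.20.0.100 10.20.0.200;
        # Once a class is at its lease limit, the client no longer counts as a
        # member for pool permission, so it is refused an address from here.
        allow members of "per-circuit";
        allow members of "apt-101";
    }
}
```

Two points worth checking before relying on this: `lease limit` on a spawning class applies to each spawned subclass separately, so a single port cannot hoard addresses, and dhcpd evaluates every class independently, so a client can match several classes at once. That second point is why the multi-circuit user's ids are explicitly excluded from `per-circuit`; with hundreds of multi-circuit users that exclusion list grows with every `class` block, which is the configuration-size problem the post describes.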
More information about the dhcp-users