some problems with classes

Glenn Satchell glenn.satchell at uniq.com.au
Wed Nov 4 14:18:46 UTC 2015


On Thu, November 5, 2015 1:03 am, Simon Hobson wrote:
> Andreas Burger <andreas at ethz.ch> wrote:
>
>>  allow mebers of "agrl";
>>  deny unknown clients;
>
> That's probably the problem. I can't remember the exact logic, but allow
> and deny in combination don't work as you might expect. Either use only
> "allow" in which case anything not specifically allowed is denied, or use
> only "deny" in which case anything not specifically denied is allowed.
>
> Ah, a quick search came up with this message from the archives :
> https://lists.isc.org/pipermail/dhcp-users/2008-January/005273.html
>
>> I _always_ have to check the code.
>>
>> 	if ((uid_lease -> pool -> prohibit_list &&
>> 	     permitted (packet, uid_lease -> pool -> prohibit_list)) ||
>> 	    (uid_lease -> pool -> permit_list &&
>> 	     !permitted (packet, uid_lease -> pool -> permit_list))) {
>>
>> 		log_info ("not permitted: %s",
>> 		...
>> 	}
>>
>> It's not intuitive...permit and deny lists don't go onto one ACL with
>> preservation of order of operations like normal people expect.
>
> I don't know enough about the language (I don't even recognise the syntax
> of some of it) to reliably determine exactly what it's doing from that.
> I *think* it's doing something like :
> If there is a deny list, and the client matches any statement in it
>   OR there's an allow list, and the client doesn't match any element in it
> THEN deny the client
> ELSE permit the client (fall through to the following code)
>
> Had to double check in "the book"*, "known" means the client has a host
> declaration. So actually I think in your case the combination ought to
> work :
> There is a deny list, but because the client is known then it doesn't
> match
> else: There is an allow list, but the client matches it
> therefore: the client should be allowed access to the pool.
>
>
> * The DHCP Handbook by Ralph Droms and Ted Lemon
>

According to the man page it's "unknown-clients" with a dash in there.
There is also the inverse "known-clients", so reversing the logic to give
you two "allows" might behave as you expect:

    allow members of "agrl";
    allow known-clients;

regards,
-glenn
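To make the two readings of the C fragment concrete, here is an added example (not code from the thread or from ISC dhcpd) that models the decision in the quoted `permitted()` check in Python. The `Client` type, the entry kinds and the sample clients are assumptions for illustration; the only behaviour taken from the page is that the pool rejects a client when it matches any entry of the deny list, or when an allow list exists and the client matches none of its entries.

```python
# Added example: a small model of how a dhcpd pool applies its allow/deny
# statements, following the logic of the C fragment quoted in the thread.
# Everything here is constructed for illustration; it is not dhcpd code.
from dataclasses import dataclass, field


@dataclass
class Client:
    mac: str
    known: bool                      # True if a host declaration exists
    classes: set = field(default_factory=set)   # class names it matched


def matches(client, entry):
    """One permit-list entry, written as (kind, argument)."""
    kind, arg = entry
    if kind == "members":            # allow/deny members of "<class>"
        return arg in client.classes
    if kind == "known-clients":
        return client.known
    if kind == "unknown-clients":
        return not client.known
    raise ValueError(f"unsupported entry kind {kind!r}")


def permitted(client, entries):
    """Mirror of permitted(): true if ANY entry in the list matches."""
    return any(matches(client, e) for e in entries)


def pool_admits(client, allow=(), deny=()):
    """The decision from the quoted C: reject if the deny list matches, or if
    an allow list exists and nothing in it matches; otherwise admit."""
    if deny and permitted(client, deny):
        return False
    if allow and not permitted(client, allow):
        return False
    return True


# The two pool configurations discussed in the thread.
ORIGINAL = dict(allow=[("members", "agrl")], deny=[("unknown-clients", None)])
TWO_ALLOWS = dict(allow=[("members", "agrl"), ("known-clients", None)], deny=[])

# Constructed sample clients covering the four known/class combinations.
SAMPLE_CLIENTS = [
    Client("00:11:22:33:44:01", known=True, classes={"agrl"}),
    Client("00:11:22:33:44:02", known=True, classes=set()),
    Client("00:11:22:33:44:03", known=False, classes={"agrl"}),
    Client("00:11:22:33:44:04", known=False, classes=set()),
]


def evaluate(config, clients=SAMPLE_CLIENTS):
    """Return {mac: admitted?} for a pool configuration."""
    return {c.mac: pool_admits(c, **config) for c in clients}


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("two allows", TWO_ALLOWS)):
        print(name)
        for mac, ok in evaluate(cfg).items():
            print(f"  {mac}: {'admitted' if ok else 'rejected'}")
```

Run as written, the model agrees with Simon's reading: the original `allow members of "agrl"; deny unknown-clients;` admits only clients that are both known and in the class, because the deny list is checked first and the allow list is then required to match. The two-allow form is evaluated as a single list where any entry suffices, so it also admits known clients outside `agrl` and unknown clients inside it; whether that wider pool is acceptable is worth checking against what the pool is meant to protect before switching.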
