some problems with classes

Glenn Satchell glenn.satchell at
Wed Nov 4 14:18:46 UTC 2015

On Thu, November 5, 2015 1:03 am, Simon Hobson wrote:
> Andreas Burger <andreas at> wrote:
>>  allow mebers of "agrl";
>>  deny unknown clients;
> That's probably the problem. I can't remember the exact logic, but allow
> and deny in combination don't work as you might expect. Either use only
> "allow" in which case anything not specifically allowed is denied, or use
> only "deny" in which case anything not specifically denied is allowed.
> Ah, a quick search came up with this message from the archives :
>> I _always_ have to check the code.
>> 	if ((uid_lease -> pool -> prohibit_list &&
>> 	     permitted (packet, uid_lease -> pool -> prohibit_list)) ||
>> 	    (uid_lease -> pool -> permit_list &&
>> 	     !permitted (packet, uid_lease -> pool -> permit_list))) {
>> 		log_info ("not permitted: %s",
>> 		...
>> 	}
>> It's not intuitive...permit and deny lists don't go onto one ACL with
>> preservation of order of operations like normal people expect.
> I don't know enough about the language (I don't even recognise the syntax
> of some of it) to reliably determine exactly what it's doing from that.
> I *think* it's doing something like :
> If there is a deny list, and the client matches any statement in it
>   OR there's an allow list, and the client doesn't match any element in it
> THEN deny the client
> ELSE permit the client (fall through to the following code)
> Had to double check in "the book"*, "known" means the client has a host
> declaration. So actually I think in your case the combination ought to
> work :
> There is a deny list, but because the client is known then it doesn't
> match
> else: There is an allow list, but the client matches it
> therefore: the client should be allowed access to the pool.
> * The DHCP Handbook by Ralph Droms and Ted Lemon
> _______________________________________________
> dhcp-users mailing list
> dhcp-users at

According to the man page it's "unknown-clients" with a dash in there.
There is also the inverse "known-clients", so reversing the logic to give
you two "allows" might behave as you expect:

    allow members of "agrl";
    allow known-clients;


More information about the dhcp-users mailing list