<div dir="ltr"><br><div class="gmail_extra"><div class="gmail_quote">On Wed, Feb 28, 2018 at 4:48 AM, Ulf Samuelsson <span dir="ltr"><<a href="mailto:dhcp@emagii.com" target="_blank">dhcp@emagii.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">The device consist of a master and several slaves.<br>
Normally, the unit is installed and the slave configuration rarely changes.<br>
Restarting the dhcp server during installation is not a problem<br>
In many cases, the slaves never change after installation.<br>
If the slave configuration changes, then the unit does not need to operate normally during the installation so a few restarts are not a problem.<br>
<br>
In this scenario, only an intruder will cause the adding to the ”untrusted” class.<br>
<br>
I was thinking that omshell might help avoid a restart here, but I have not studied<br>
it in detail, so this is still an unknown.<br>
<br>
The DHCP server has a single ethernet MAC, connected directly to the switch.<br>
<br>
There were VLANs before protecting the slaves, but they were removed for some reason, but I do not know the details.<br>
<br>
Having wildcards still seems useful, anyway.<br>
<br>
Best Regards,<br>
Ulf Samuelsson<br>
<div class="HOEnZb"><div><br>
> 28 feb. 2018 kl. 09:52 skrev Bill Shirley <<a href="mailto:bill@c3po.polymerindustries.biz">bill@c3po.polymerindustries.<wbr>biz</a>>:<br>
><br>
> This sounds like the wrong approach to addressing your problem because<br>
> for dhcpd to honor the new configuration, it would need to be restarted every<br>
> time a file is added/deleted/changed in the wildcard directory.<br>
><br>
> This sounds more like a task for iptables and ipsets.<br>
><br>
> Are all four of these private networks on the same NIC? Are these subnets<br>
> VLANs?<br>
><br>
> As far as I know, there is no mechanism to consult an source external to the<br>
> dhcpd program for information.<br>
><br>
> Bill<br>
><br>
>> On 2/27/2018 5:33 PM, Ulf Samuelsson wrote:<br>
>> I was trying out a dhcpd configuration, and found to my dismay<br>
>> that the DHCP server did not support wildcards for include statements.<br>
>> include "/etc/dhcp/pools/*.conf";<br>
>> did not work.<br>
>><br>
>> BACKGROUND:<br>
>><br>
>> I have an application, where I want to use the DHCP server<br>
>> as part of the authentication process for connected machines.<br>
>><br>
>> I want to use three ranges.<br>
>> pool 0 => 169.254.128.x trusted units<br>
>> pool 1 => 169.254.254.x units demanding to be trusted<br>
>> pool 2 => 169.254.1.x normal units<br>
>> pool 3 => 169.254.253.x untrusted units/intruders<br>
>><br>
>> The DHCP CPU Ethernet Controller communicates through a five port switch.<br>
>> port 0: trusted units pool 0<br>
>> port 2: internet port<br>
>> port 3: service port<br>
>> port 4: CPU port 169.254.1.1<br>
>><br>
>> Units connected on port 0, provides a dhcp-client-identifier indicating that they want an address in pool 0, but initially they will get a short term lease in pool 1, until it is verified that they are on port 0.<br>
>><br>
>> Units without this dhcp-client-identifier, should get an address in pool 2.<br>
>><br>
>> An intruder, trying to get a pool 0 address, will supply the same dhcp-client-identifier as port 0 units. They will also initially get a short term pool 1 address, but when the intrusion attempt is detected, they should be declared "untrusted". Future leases should be in pool 3.<br>
>><br>
>> =====<br>
>> When a pool 1 address is allocated, the commit event is used to run a script which will read out information from the switch and determine if the request comes from port 0.<br>
>><br>
>> Request comes from (port == 0) => the mac address should be "trusted"<br>
>> Request comes from (port != 0) => the mac address should be "untrusted".<br>
>><br>
>> I define:<br>
>> class "trusted" {<br>
>> match hardware;<br>
>> }<br>
>><br>
>> class "untrusted" {<br>
>> match hardware;<br>
>> }<br>
>><br>
>> An incoming request from "00:11:22:33:44:55" adds a file:<br>
>> /etc/dhcp/trusted/00:11:22:33:<wbr>44:55:<br>
>> sub-class "trusted" 1:00:11:22:33:44:55;<br>
>> or<br>
>> /etc/dhcp/untrusted/00:11:22:<wbr>33:44:55:<br>
>> sub-class "trusted" 1:00:11:22:33:44:55;<br>
>><br>
>><br>
>> When the short term pool 1 lease expires (after 1-2 minutes)<br>
>> the new lease will be classified either as "trusted" (getting a pool 0 lease) or "untrusted" (getting a pool 3 lease).<br>
>><br>
>> It would be practical to have the dhcpd.conf file contain:<br>
>><br>
>> include "/etc/dhcp/trusted/*";<br>
>> include "/etc/dhcp/untrusted/*";<br>
>><br>
>> but unfortunately wildcards in include statements are not supported.<br>
>><br>
>> ==============================<wbr>======<br>
>><br>
>> I did a patch for dhcp-4.3.6 which is slightly limited.<br>
>> It supports only wildcards on files within a single directory.<br>
>> I.E: include "/etc/dhcp/pools/*.conf"; is supported<br>
>> I.E: include "/etc/dhcp/*/dhcp.conf"; is not supported<br>
>> The wildcard may not be in a directory.<br>
>><br>
>> Did a small test program which tested the functionality of wildcards,<br>
>> and then patched the dhcp server, but it has not been tested yet, as part of dhcp<br>
>> Still would like to have peoples opinion, whether this type of functionality is desirable.<br>
>> It is certainly possible to do this without wildcards,<br>
>> but wildcards seems a much cleaner solution.<br>
>> ==============================<wbr>======<br>
>><br>
>> From dcc981f1371f390befffc950b9dc3a<wbr>8107059643 Mon Sep 17 00:00:00 2001<br>
>> From: Ulf Samuelsson <<a href="mailto:ulf@emagii.com">ulf@emagii.com</a>><br>
>> Date: Tue, 27 Feb 2018 21:03:52 +0100<br>
>> Subject: [PATCH 14/14] Support wildcard in include files<br>
>><br>
>> Signed-off-by: Ulf Samuelsson <<a href="mailto:ulf@emagii.com">ulf@emagii.com</a>><br>
>> ---<br>
>> includes/dhcpd.h | 3 +++<br>
>> server/confpars.c | 71 ++++++++++++++++++++++++++++++<wbr>+++++++++++++++++++++++--<br>
>> 2 files changed, 72 insertions(+), 2 deletions(-)<br>
>><br>
>> diff --git a/includes/dhcpd.h b/includes/dhcpd.h<br>
>> index eab09a6..8208fbe 100644<br>
>> --- a/includes/dhcpd.h<br>
>> +++ b/includes/dhcpd.h<br>
>> @@ -53,6 +53,9 @@<br>
>> #include <sys/mman.h><br>
>> #include <ctype.h><br>
>> #include <time.h><br>
>> +#include <dirent.h><br>
>> +#include <libgen.h><br>
>> +#include <fnmatch.h><br>
>><br>
>> #include <net/if.h><br>
>> #undef FDDI<br>
>> diff --git a/server/confpars.c b/server/confpars.c<br>
>> index c0735fe..c12f5c7 100644<br>
>> --- a/server/confpars.c<br>
>> +++ b/server/confpars.c<br>
>> @@ -327,7 +327,7 @@ isc_result_t lease_file_subparse (struct parse *cfile)<br>
>> parameter :== DEFAULT_LEASE_TIME lease_time<br>
>> | MAX_LEASE_TIME lease_time<br>
>> | DYNAMIC_BOOTP_LEASE_CUTOFF date<br>
>> - | DYNAMIC_BOOTP_LEASE_LENGTH lease_time<br>
>> + | DYNAMIC_BOOTP_LEASE_LENGTH l#include <string.h>ease_time<br>
>> | BOOT_UNKNOWN_CLIENTS boolean<br>
>> | ONE_LEASE_PER_CLIENT boolean<br>
>> | GET_LEASE_HOSTNAMES boolean<br>
>> @@ -352,6 +352,73 @@ isc_result_t lease_file_subparse (struct parse *cfile)<br>
>> | VENDOR_CLASS class-declaration<br>
>> | USER_CLASS class-declaration<br>
>> | RANGE address-range-declaration */<br>
>> +#include <string.h><br>
>> +isc_result_t read_multiple_conf_files(path, group, type)<br>
>> + const char *path;<br>
>> + struct group *group;<br>
>> + int type;<br>
>> +{<br>
>> + char *buf_dir;<br>
>> + char *dir;<br>
>> + char *buf_base;<br>
>> + char *base;<br>
>> + DIR *d;<br>
>> + struct dirent *entry;<br>
>> + int reti;<br>
>> + isc_result_t status;<br>
>> +<br>
>> + dir = dirname (buf_dir = strdup(path));<br>
>> + base = basename(buf_base = strdup(path));<br>
>> +<br>
>> + if (!(d = opendir(dir))) {<br>
>> + status = DHCP_R_INVALIDARG;<br>
>> + goto exit;<br>
>> + }<br>
>> +<br>
>> + while ((entry = readdir(d)) != NULL) {<br>
>> + if (entry->d_type == DT_DIR) {<br>
>> + continue;<br>
>> + } else {<br>
>> + reti = fnmatch(base, entry->d_name, 0);<br>
>> + if (reti == 0) {<br>
>> + status = read_conf_file (path, group, type, 0);<br>
>> + if (status != ISC_R_SUCCESS) {<br>
>> + goto exit;<br>
>> + }<br>
>> + } else {<br>
>> + continue;<br>
>> + }<br>
>> + }<br>
>> + }<br>
>> + closedir(d);<br>
>> +exit:<br>
>> + free(buf_dir);<br>
>> + free(buf_base);<br>
>> + return status;<br>
>> +}<br>
>> +<br>
>> +isc_result_t include_files(path, group, type)<br>
>> + const char *path;<br>
>> + struct group *group;<br>
>> + int type;<br>
>> +{<br>
>> + const char *eos;<br>
>> + const char *wildcard = strchr(path, '*');<br>
>> + char *p;<br>
>> +<br>
>> + if (wildcard == NULL) {<br>
>> + return read_conf_file (path, group, type, 0);<br>
>> + }<br>
>> +<br>
>> + eos = &path[strlen(path)];<br>
>> + for (wildcard++; wildcard < eos; wildcard++) {<br>
>> + if (*wildcard == '/') {<br>
>> + /* wildcard in directory, not allowed */<br>
>> + return DHCP_R_INVALIDARG;<br>
>> + }<br>
>> + }<br>
>> + return read_multiple_conf_files(path, group, type);<br>
>> +}<br>
>><br>
>> int parse_statement (cfile, group, type, host_decl, declaration)<br>
>> struct parse *cfile;<br>
>> @@ -383,7 +450,7 @@ int parse_statement (cfile, group, type, host_decl, declaration)<br>
>> parse_warn (cfile, "filename string expected.");<br>
>> skip_to_semi (cfile);<br>
>> } else {<br>
>> - status = read_conf_file (val, group, type, 0);<br>
>> + status = include_files(val, group, type);<br>
>> if (status != ISC_R_SUCCESS)<br>
>> parse_warn (cfile, "%s: bad parse.", val);<br>
>> parse_semi (cfile);<br>
<br></div></div></blockquote><br>omshell would be much better - it avoids restarts. I use an appliance (BlueCat) that does it for me, so I have not scripted it myself.<br><br></div><div class="gmail_quote">If you don't use omshell, then you could simply in your scripting:<br><div style="margin-left:40px">cat /etc/dhcp/pools/*.conf > /etc/dhcp/pools.conf<br></div>and then in the dhcpd.conf:<br><div style="margin-left:40px">include "/etc/dhcp/pools.conf";<br></div></div><div class="gmail_quote"><br>-- <br></div><div class="gmail_quote">Bob Harold<br><br></div><div class="gmail_quote"><br></div></div></div>