<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">On 18/02/2020 15:19, Simon Hobson
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:D4D29758-DF7C-4C46-875F-1674952B14FC@thehobsons.co.uk">
<pre class="moz-quote-pre" wrap="">Marcio Merlone <a class="moz-txt-link-rfc2396E" href="mailto:marcio.merlone@a1.ind.br"><marcio.merlone@a1.ind.br></a> wrote:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">I am running isc-dhcp-server 4.3.5-3ubuntu7.1 and want to deny classless clients. I have tried "deny unknown-clients", but if I do not have a host declaration then the host is unknown even if it has a subclass declaration.
To illustrate:
class "clsFoo" {
  match pick-first-value (option dhcp-client-identifier, hardware);
}
subnet 192.168.0.0 netmask 255.255.255.0 {
  pool {
    deny unknown-clients;
    allow members of "clsFoo";
    range 192.168.0.30 192.168.0.200;
  }
}
subclass "clsFoo" 1:xx:xx:xx:12:34:56;
In such a config, that clsFoo member above gets denied. Is there a way to consider a non-declared subclass an unknown host? Any workaround or other way to do it besides duplicating all subclasses as host declarations?
</pre>
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
So to be clear, you want members of clsFoo to get a lease, and other clients to be denied ?</pre>
</blockquote>
<p>Yes, kind of, I plan on having another pool for unknown-clients,
like this:<br>
</p>
<pre class="moz-quote-pre" wrap="">subnet ...{
  pool {
    allow members of "clsFoo";
    range 192.168.0.30 192.168.0.200;
  }
}
</pre>
<pre class="moz-quote-pre" wrap="">subnet ...{
  pool {
    allow unknown-clients;
    range 10.0.0.30 10.0.0.200;
  }
}
</pre>
<p><br>
</p>
<blockquote type="cite"
cite="mid:D4D29758-DF7C-4C46-875F-1674952B14FC@thehobsons.co.uk">
<pre class="moz-quote-pre" wrap="">The first thing to say is DO NOT MIX ALLOW AND DENY in one pool. It can be done, but the way it is processed is non-intuitive (and TBH I can't remember how it works) so is best avoided.
</pre>
</blockquote>
<p>Thanks for the tip. But in my experience I usually have to add an
explicit deny clause to keep unwanted clients out.<br>
</p>
<p><br>
</p>
<blockquote type="cite"
cite="mid:D4D29758-DF7C-4C46-875F-1674952B14FC@thehobsons.co.uk">
<pre class="moz-quote-pre" wrap="">Where there is an allow statement, anything not allowed by allow statement(s) in the pool will be denied - and similarly with deny statements and anything not denied is allowed.</pre>
</blockquote>
<p>Not true in my experience, see below.</p>
<p><br>
</p>
<blockquote type="cite"
cite="mid:D4D29758-DF7C-4C46-875F-1674952B14FC@thehobsons.co.uk">
<pre class="moz-quote-pre" wrap="">So :
pool {
  allow members of "clsFoo";
  range 192.168.0.30 192.168.0.200;
}
should be sufficient. Members of clsFoo will be allowed, anything else will be denied.</pre>
</blockquote>
<p>I commented out all deny lines, keeping just allow for all pools.
Yet, an unknown-client just got an IP from the clsFoo pool.</p>
<p>I cannot invert this logic, none of my clients are "known", but
classy. Shouldn't a subclass definition make that a known host?
Itching to open a feature request.<br>
</p>
<br>
<blockquote type="cite"
cite="mid:D4D29758-DF7C-4C46-875F-1674952B14FC@thehobsons.co.uk">
<pre class="moz-quote-pre" wrap="">It gets trickier when you have more than one class, and want to have a pool for "anything else". In that case you would need :
pool {
  deny members of "a";
  deny members of "b";
  ...
  range ...
}</pre>
</blockquote>
<p>That's the case, I have 4 classes, one pool for each, plus
another pool for unknown-clients. But no luck yet.</p>
<br>
<div class="moz-signature">-- <br>
<style type="text/css">
#a1AssinaturaEmail { font-family: Tahoma, Verdana, Arial; font-size: 12px; }
#a1AssinaturaEmail * { font-family: Tahoma, Verdana, Arial; font-size: 12px; }
#a1AssinaturaEmail a { text-decoration: none; color: #FF9900; }
</style>
<div id="a1AssinaturaEmail"> <span style="font-size: 15px;"><b>Marcio
Merlone</b></span><br>
</div>
</div>
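<p>For reference, here is a complete dhcpd.conf laying out the pattern Simon Hobson describes (one class per pool, each pool using only allow or only deny, and a catch-all pool that explicitly denies every class). This is an added example written for this page, not configuration posted by either participant in the thread. The class names, the hardware addresses and the two address ranges are made up, and it assumes both ranges serve the same physical segment (hence the shared-network wrapper; drop it if they are on different interfaces).</p>

```conf
# Added example, not from the thread. Class names, MACs and ranges are
# made up for illustration.

# Key on the client identifier if the client sends one, else on the
# hardware address, so subclass keys below must match whichever the
# client actually presents.
class "clsFoo" {
  match pick-first-value (option dhcp-client-identifier, hardware);
}
class "clsBar" {
  match pick-first-value (option dhcp-client-identifier, hardware);
}

# Subclass keys: the leading "1:" is the Ethernet hardware type byte.
subclass "clsFoo" 1:02:00:00:00:00:0a;
subclass "clsFoo" 1:02:00:00:00:00:0b;
subclass "clsBar" 1:02:00:00:00:00:1a;

shared-network "lan" {

  subnet 192.168.0.0 netmask 255.255.255.0 {
    option routers 192.168.0.1;

    # Allow-only pools: a client not in the named class is not
    # eligible for this pool, and nothing else is mixed in.
    pool {
      allow members of "clsFoo";
      range 192.168.0.30 192.168.0.99;
    }
    pool {
      allow members of "clsBar";
      range 192.168.0.100 192.168.0.150;
    }
  }

  # Catch-all for clients belonging to no class. "known" and
  # "unknown" in dhcpd refer to the presence or absence of a host
  # declaration, not to class membership, so a subclass member with
  # no host statement is still "unknown". The catch-all therefore
  # denies each class by name instead of relying on unknown-clients.
  subnet 10.0.0.0 netmask 255.255.255.0 {
    option routers 10.0.0.1;
    pool {
      deny members of "clsFoo";
      deny members of "clsBar";
      range 10.0.0.30 10.0.0.200;
    }
  }
}
```

<p>Before reloading, syntax-check the file with <code>dhcpd -t -cf /etc/dhcp/dhcpd.conf</code>, then watch the lease log for a client whose address is in none of the subclass statements: it should be offered an address from the 10.0.0.0/24 pool only, and a clsFoo member from 192.168.0.30-99 only. If you add a new class later, remember to add the matching <code>deny members of</code> line to the catch-all pool as well, otherwise members of the new class stay eligible for it.</p>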
</body>
</html>