[Kea-users] Query regd access controls

Tomek Mrugalski tomasz at isc.org
Wed Jan 18 12:50:58 UTC 2017

W dniu 17.01.2017 o 19:58, Nandan Adhikari pisze:
> I am unable to see any option to configure known-clients or
> unknown-clients. 
Because there are none there currently.

> Ref: https://kea.isc.org/wiki/ConfigurationMigration#PoolAccessControl
> Is there anyway I can manage the access controls? Any helping pointer
> would be really great.
Can you describe what exactly you want to do? Depending on what's your
goal is, there may be things that could be done. Here are couple things
to consider.

1. If you want to serve only known clients (e.g. a list of known
subscribers or registered devices), you can use host reservation for
that. You can define an empty pool, so clients not having a reservation
will be rejected completely.

2. If you want known clients to get different options, there is a way.
In the upcoming Kea 1.2 we will have the ability to define options for
pools. You can define a subnet with options for known clients, define a
pool in it with options for unknown clients and define reservations for
know clients for addresses that are outside of the pool. This way
clients that have a reservation will get whatever address was reserved
for them and the options specified for the subnet. Clients that don't
have a reservation will get an address from the pool and whatever
options were defined in the pool. Just remember that more specific
scopes "override" more generic scopes. Global scope is most generic and
can be overridden by subnet options. Subnet options can be overridden by
pool options, which in turn can be overridden by host specific options.

The code for having pool options is available in git repo. It hasn't
been tested thoroughly, but you're more than welcome to try it.

3. If you want to have a completely generic way of assigning clients to
"unknown" and "known" classes, you'll need to write a hook for it. It
shouldn't be too complex, but you will need some C++ experience. The
hook should be installed on pkt4_receive hook point. You can then
inspect the query4 parameter and check whether there's a lease for the
value client sent in ciaddr field. Alternatively, you can install a hook
on lease4_select, but it will be a bit more tricky to determine whether
that's a new lease or existing lease being renewed. There's no one
correct choice here. It all depends on what you're trying to accomplish.

Ok, I suppose that's it. Does any of the above answer your question?

On a related note, the page you referenced is 3 years old. It probably
requires some refresh.

Tomek Mrugalski

More information about the Kea-users mailing list