[Kea-users] [External] - Re: Client Class for a Specific Subnet

Darren Ankney darren.ankney at gmail.com
Fri Dec 13 11:54:57 UTC 2024 

Hi Isaac,

The part that is missing is Required Classification
(https://kea.readthedocs.io/en/kea-2.4.1/arm/dhcp4-srv.html#required-classification).
Mark the classes "only-if-required" and then use the
"require-client-classes" list in the shared-network(s), subnet(s) or
pool(s) to prompt evaluation of class membership.  This will also
prevent the clients from being members of the classes if not in a
desired shared-network / subnet / pool

On Mon, Dec 9, 2024 at 11:19 AM Isaac Brummel <ibrummel at xes-inc.com> wrote:
>
> Hi Darren,
>
> Thanks for the information. The option class-tagging looks like a great feature, unfortunately I need to use the stable release for now. I'm trying to recreate what you explained in your first paragraph and I'm having trouble finding a way to make it work. I have generic client classes setup for legacy and efi:
>
> "client-classes": [
>     {
>         "name": "ipxe_legacy",
>         "test": "substring(option[60].hex,0,20) == 'PXEClient:Arch:00000'",
>         "boot-file-name": "youshallnotpass"
>     },
>     {
>         "name": "ipxe_efi",
>         "test": "substring(option[60].hex,0,20) == 'PXEClient:Arch:00007'",
>         "boot-file-name": "youshallnotpass"
>     },
> ],
>
>
> Then I'm using the flex option hook to dynamically set the boot-file-name option. This is the part where I'm struggling. I want to restrict this to a specific subnet so I created a custom option but I later realized this hook only works for the query packet and not the outgoing packet.
>
> {
>     "library": "/usr/lib/x86_64-linux-gnu/kea/hooks/libdhcp_flex_option.so",
>     "parameters": {
>         "options": [
>             {
>                 "name": "boot-file-name",
>                 "add": "ifelse((option[244].text == '1') and (member('ipxe_legacy')),'ipxe/netboot.xyz.kpxe','')"
>             },
>             {
>                 "name": "boot-file-name",
>                 "add": "ifelse((option[244].text == '1') and (member('ipxe_efi')),'ipxe/netboot.xyz.efi','')"
>             }
>         ]
>     }
> }
>
>
> Subnet:
>
> "subnet4": [
>     {
>         "id": 1,
>         "subnet": "10.10.10.0/24",
>         "calculate-tee-times": true,
>         "valid-lifetime": 60,
>         "ddns-qualifying-suffix": "kea-dev.com",
>         "option-data": [
>             {
>                 "name": "subnet-id",
>                 "code": 244,
>                 "data": "1",
>                 "always-send": true
>             }
>         ],
>     }
> ]
>
>
> Do you have any ideas to be able to dynamically set the boot-file-name to a different value per-subnet?
>
> Thanks,
> Isaac
> ________________________________
> From: Kea-users <kea-users-bounces at lists.isc.org> on behalf of Darren Ankney <darren.ankney at gmail.com>
> Sent: Thursday, December 5, 2024 2:35 PM
> To: Kea user's list <kea-users at lists.isc.org>
> Subject: [External] - Re: [Kea-users] Client Class for a Specific Subnet
>
> Hi Isaac,
>
> Your choices are limited at the moment.  You can use the flex option
> hook to replace option content based on class membership as described
> in the hook documentation:
> https://kea.readthedocs.io/en/kea-2.6.1/arm/hooks.html#libdhcp-flex-option-so-flexible-option-actions-for-option-value-settings
> There is also this KB article that shows this in action:
> https://kb.isc.org/docs/redefining-standard-options though the subject
> of the article is actually about sending different content in an
> option than it is supposed to carry.
>
> In this case, you could set the "else" portion of your ISC DHCP
> configuration as an option in the corresponding subnet in the Kea
> configuration.  Make the client a member of the class as you've shown.
> Then use the flex option hook to replace the option content if the
> client is a member of "ipxe_legacy_netbootxyz".
>
> In the development version 2.7.4, there is the new method called
> "Option Class-Tagging":
> https://kea.readthedocs.io/en/kea-2.7.4/arm/classify.html#option-class-tagging
> that will allow you to tag any option to be sent based on class
> membership.  This is an effective replacement for the "if"
> functionality in ISC DHCP.  This will first appear in a stable version
> in 3.0.0.
>
> Thank you,
> Darren Ankney
>
> On Wed, Dec 4, 2024 at 3:48 PM Isaac Brummel <ibrummel at xes-inc.com> wrote:
> >
> > Hello,
> > I'm in the process of migrating an ISC DHCP server to Kea. I'm trying to re-create a feature that we use in the ISC DHCP config to set a boot file name if a specific vendor-class-identifier is met. The ISC DHCP share-network looks like:
> >
> > shared-network FOOBAR {
> >     allow bootp;
> >
> >     subnet 10.10.10.0 netmask 255.255.255.0 {
> >
> >         # default PXE boot
> >         if substring(option vendor-class-identifier, 0, 20) = "PXEClient:Arch:00000" {
> >             filename "ipxe/netboot.xyz.kpxe";
> >         } else {
> >             filename "ipxe/netboot.xyz.efi";
> >         }
> >
> >
> > For Kea I can create the client class just fine, but how can I restrict these client classes to apply only to this subnet? I have other subnets that use a different boot file name. It doesn't seem like using "client-class" in the "subnet4" config would work as that would require a client to meet the classification, when that's not necessary.
> >
> > "client-classes": [
> >     {
> >         "name": "ipxe_legacy_netbootxyz",
> >         "test": "substring(option[60].hex,0,20) == 'PXEClient:Arch:00000'",
> >         "next-server": "10.10.10.5",
> >         "boot-file-name": "ipxe/netboot.xyz.kpxe"
> >     },
> >     {
> >         "name": "ipxe_efi_netbootxyz",
> >         "test": "substring(option[60].hex,0,20) == 'PXEClient:Arch:00007'",
> >         "next-server": "10.10.10.5",
> >         "boot-file-name": "ipxe/netboot.xyz.efi"
> >     }
> > ],
> >
> >
> > Thanks,
> >
> > Isaac Brummel
> > System Administrator
> > Extreme Engineering Solutions
> > --
> > ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
> >
> > To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users.
> >
> > Kea-users mailing list
> > Kea-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/kea-users
> --
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>
> To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users.
>
> Kea-users mailing list
> Kea-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/kea-users
> CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
>
> --
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>
> To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users.
>
> Kea-users mailing list
> Kea-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/kea-users

More information about the Kea-users mailing list