<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 11/10/16 11:50 PM,
<a class="moz-txt-link-abbreviated" href="mailto:mrobti@insiberia.net">mrobti@insiberia.net</a> wrote:<br>
</div>
<blockquote
cite="mid:0b880eab88dc4b2717ea1df0f6fb8bf5@insiberia.net"
type="cite">On 2016-11-10 06:12, Thomas Markwalder wrote:
<br>
<blockquote type="cite">On 11/9/16 2:28 PM, <a class="moz-txt-link-abbreviated" href="mailto:mrobti@insiberia.net">mrobti@insiberia.net</a>
wrote:
<br>
<br>
<blockquote type="cite">On 2016-11-09 07:56, Thomas Markwalder
wrote:
<br>
On 11/9/16 4:20 AM, <a class="moz-txt-link-abbreviated" href="mailto:mrobti@insiberia.net">mrobti@insiberia.net</a> wrote:
<br>
On 2016-11-08 15:44, <a class="moz-txt-link-abbreviated" href="mailto:mrobti@insiberia.net">mrobti@insiberia.net</a> wrote:
<br>
I want to assign a client-class using hwaddr, from MySQL
backend,
<br>
and
<br>
restrict a subnet for that client-class. In other words, only
allow
<br>
clients with known MAC addresses to use the subnet they are
trying
<br>
to
<br>
connect to.
<br>
<br>
DB hosts table has an entry for the client:
<br>
dhcp4_subnet_id = 1
<br>
dhcp_identifier_type = 0
<br>
dhcp_identifier = UNHEX(REPLACE('aa:bb:cc:dd:ee:ff', ':', ''))
<br>
hostname = test.local
<br>
dhcp4_client_classes = test_class
<br>
<br>
Config file has:
<br>
"client-classes": [ {
<br>
"name": "test_class"
<br>
} ],
<br>
"subnet4": [ {
<br>
"id": 1,
<br>
"subnet": "192.168.1.0/24",
<br>
"pools": [ { "pool": "192.168.1.10 - 192.168.1.20" } ],
<br>
"client-class": "test_class"
<br>
} ],
<br>
<br>
But Kea says (debug level 50):
<br>
: client packet has been assigned to the following class(es):
<br>
VENDOR_CLASS_MSFT 5.0
<br>
: failed to select subnet for the client
<br>
: no suitable subnet configured for a direct client
<br>
<br>
It works if I remove "client-class" from the subnet
definition, so
<br>
something is not synchronizing the class somewhere.
<br>
<br>
Could it be a problem that the DB hosts entry has no
ipv4_address
<br>
listed? (that column is NULL) I don't have any other ideas.
<br>
<br>
I've found this in the logs:
<br>
<br>
: HOSTS_CFG_GET_ALL_IDENTIFIER get all hosts with reservations
using
<br>
<br>
identifier: hwaddr=aa:bb:cc:dd:ee:ff
<br>
: HOSTS_CFG_GET_ALL_IDENTIFIER_COUNT using identifier
<br>
hwaddr=aa:bb:cc:dd:ee:ff, found 0 host(s)
<br>
<br>
Why would this happen? Yes, I double checked the MAC address.
I
<br>
enabled MySQL logging, and I can't match up timestamps
exactly, but
<br>
I
<br>
do find a query:
<br>
<br>
SELECT host_id, dhcp_identifier, dhcp_identifier_type,
<br>
dhcp4_subnet_id, dhcp6_subnet_id, ipv4_address, hostname,
<br>
dhcp4_client_classes, dhcp6_client_classes FROM hosts WHERE
<br>
dhcp4_subnet_id = ? AND dhcp_identifier_type = ? AND
<br>
dhcp_identifier = ?
<br>
<br>
I don't know if it's possible to see the executed version of
this
<br>
prepared query(?). Is it possible that the value Kea is
placing in
<br>
the
<br>
query is not the correct binary string?
<br>
_______________________________________________
<br>
Kea-users mailing list
<br>
<a class="moz-txt-link-abbreviated" href="mailto:Kea-users@lists.isc.org">Kea-users@lists.isc.org</a>
<br>
<a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/kea-users">https://lists.isc.org/mailman/listinfo/kea-users</a>
<br>
</blockquote>
<br>
Hello:
<br>
<br>
We are looking into this for you. As you probably know, Kea
will
<br>
look
<br>
first for hosts defined its configuration file and then within
the
<br>
hosts
<br>
database (if it is specified). Any log statements you see that
<br>
contain
<br>
"HOSTS_CFG_" pertain to looking at hosts defined via the
configuration
<br>
<br>
file. In your case, since there are none, you see none found.
When
<br>
Kea
<br>
accesses the host database the logs should contain
<br>
HOSTS_MGR_ALTERNATIVE_. The following is a snippet from of the
log
<br>
in
<br>
a setup I am testing with:
<br>
<br>
2016-11-09 10:18:45.018 DEBUG [kea-dhcp4.hosts/24940]
<br>
HOSTS_CFG_GET_ONE_SUBNET_ID_ADDRESS4 get one host with
reservation for
<br>
<br>
subnet id 1 and IPv4 address 178.16.1.101
<br>
2016-11-09 10:18:45.018 DEBUG [kea-dhcp4.hosts/24940]
<br>
HOSTS_CFG_GET_ALL_ADDRESS4 get all hosts with reservations for
IPv4
<br>
address 178.16.1.101
<br>
2016-11-09 10:18:45.018 DEBUG [kea-dhcp4.hosts/24940]
<br>
HOSTS_CFG_GET_ALL_ADDRESS4_COUNT using address 178.16.1.101,
found 0
<br>
host(s)
<br>
2016-11-09 10:18:45.018 DEBUG [kea-dhcp4.hosts/24940]
<br>
HOSTS_CFG_GET_ONE_SUBNET_ID_ADDRESS4_NULL host not found using
subnet
<br>
id
<br>
1 and address 178.16.1.101
<br>
2016-11-09 10:18:45.018 DEBUG [kea-dhcp4.hosts/24940]
<br>
HOSTS_MGR_ALTERNATE_GET4_SUBNET_ID_ADDRESS4 trying alternate
source
<br>
for
<br>
host using subnet id 1 and address 178.16.1.101
<br>
<br>
The last log statement indicates that Kea is looking in MySQL
for
<br>
hosts
<br>
that have the allocated address. It just so happens that Kea
actually
<br>
<br>
conducted a search in MySQL prior to the last one show above.
This
<br>
search is done by subnet id and dhcp identifier. However the
<br>
function
<br>
that performs this search happens to be missing a log entry.
This is
<br>
why you see the two selects you cited in the MySQL log but
only one
<br>
log message against the alternate. The original function we
used
<br>
was deprecated without the new one getting a log message. Sorry
about
<br>
<br>
that.
<br>
<br>
On the surface, it looks like Kea should be matching your host,
we're
<br>
still researching it. You might try defining your host in the
<br>
configuration file, for testing purposes. Do you have a packet
<br>
capture
<br>
and what version of Kea are you running?
<br>
<br>
Thank you for your response. I don't have a packet capture at
the
<br>
moment, but I do see the HOSTS_MGR_ALTERNATE_ line just like
yours.
<br>
I'm running the ubuntu package which shows version 1.0.0, the
package
<br>
name is version 1.0.0-1build1. I know that's behind the curve,
but
<br>
sometimes don't these packages include bugfixes from newer
versions
<br>
than they report?
<br>
<br>
I can begrudgingly compile from source, but would not be happy
taking
<br>
it outside the system package manager.
<br>
<br>
I just tried to test by putting the host in the config file, got
this
<br>
startup error:
<br>
DHCP4_PARSER_FAIL failed to create or run parser for
configuration
<br>
element subnet4: unsupported configuration parameter
'client-classes'
<br>
<br>
I think you meant client-classes failed to parse as part of the
host
<br>
element (not subnet4) ?
<br>
</blockquote>
<br>
I think so, you mean the host element inside the subnet4
reservations list, right? I put "client-classes" in a
"reservations" entry in the "subnet4" as such:
<br>
<br>
"subnet4": [ {
<br>
"reservations": [ {
<br>
"hw-address": "aa:bb:cc:dd:ee:ff",
<br>
"client-classes": [ "test_class" ]
<br>
}],
<br>
"id": 1,
<br>
"subnet": "192.168.1.0/24",
<br>
...
<br>
<br>
That's the right way to do it, correct? Version 1.0.0 didn't see
"client-classes" as valid in that context.
<br>
<br>
<br>
<blockquote type="cite"> But yes, "client-classes" was added in
1.1.0.
<br>
1.1.0 added a good deal more functionality to the RDBMS Host
<br>
Reservations implementations, as well as a lot more with
<br>
classification expression matching.
<br>
<blockquote type="cite">Looks like assigning client-classes to
host reservations was a
<br>
feature only added after version 1.0? Can you please confirm
when it
<br>
was added?
<br>
_______________________________________________
<br>
Kea-users mailing list
<br>
<a class="moz-txt-link-abbreviated" href="mailto:Kea-users@lists.isc.org">Kea-users@lists.isc.org</a>
<br>
<a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/kea-users">https://lists.isc.org/mailman/listinfo/kea-users</a>
<br>
</blockquote>
<br>
When an inbound packet is received things happen in this order:
<br>
<br>
1. The packet is classified by evaluating it against the test
<br>
expression for defined classes
<br>
<br>
2. Subnet matching is conducted based on packet content. This
<br>
includes comparing the classes matched to the packet in step 1
against
<br>
the classes specified by the subnet's "client-class" list.
<br>
<br>
3. Look for host reservations
<br>
<br>
The problem you have is two fold. First, your "test-class"
does not
<br>
define a "test" expression and thus matching it against a packet
<br>
always fails. This causes the subnet selection to fail and the
<br>
server drops the packet. The second issue is that you are
assigning a
<br>
class to the host reservation, but associating the client to a
<br>
reservation occurs after the subnet selection. This is
something of a
<br>
chicken-and-the-egg situation.
<br>
</blockquote>
<br>
This question did come up when I was reading the docs. It does
seem like the host class assignment needs to happen earlier and in
a different configuration scope.
<br>
<br>
<blockquote type="cite">So while you can specify that a host
belongs to one or more classes,
<br>
this currently only means the host inherits options from those
<br>
classes.
<br>
<br>
I think it would help to understand what problem you are trying
to
<br>
solve. Are you trying to ensure that only known clients get
<br>
addresses?
<br>
</blockquote>
<br>
Yes, that's the primary goal.
<br>
<br>
<blockquote type="cite"> Are you trying to map specific hosts to
specific subnets?
<br>
</blockquote>
<br>
Secondary goal is not mapping hosts to subnets, but to pools
within the same subnet. (Later we will add subnets and map to
those.)
<br>
<br>
<blockquote type="cite"> How any hosts in how many subnets do you
anticipate having?
<br>
</blockquote>
<br>
Not many for now, but storing configuration information in a
database is a requirement in this case.
<br>
<br>
<blockquote type="cite">If your network isn't large, you could
define a class for each host
<br>
whose "test" expression matches the host's hardware address.
Then add
<br>
these classes to the desired subnet4 client-class list. Not
ideal
<br>
but it would work. This would be akin to ISC DHCP sub-classing,
<br>
though not quite as neat. Another alternative would be to
write a
<br>
hook but we would need to understand your problem to offer a
more
<br>
detailed suggestion. Our example hook library, user-chk, does
<br>
something similar to what you're after and is a good starting
point
<br>
for what is possible,
<br>
<a class="moz-txt-link-freetext" href="http://kea.isc.org/docs/kea-guide.html#idp54000992">http://kea.isc.org/docs/kea-guide.html#idp54000992</a>. Hooks are
<br>
described in detail in our developer's guide:
<br>
<a class="moz-txt-link-freetext" href="https://jenkins.isc.org/job/Kea_doc/doxygen/df/d46/hooksdgDevelopersGuide.html">https://jenkins.isc.org/job/Kea_doc/doxygen/df/d46/hooksdgDevelopersGuide.html</a>.
<br>
</blockquote>
<br>
Sounds like Kea doesn't support a "known-clients" type of
configuration. I'll read about hooks next, but I wouldn't think
the "known-clients" feature is unusual - is this design issue
something that will be addressed in a future version without the
need for external hook libraries?
<br>
<br>
</blockquote>
This is a feature that is likely to be added. ISC is a small,
non-profit company and we can only do so much at a time. Of course
we are also an open-source project so contributors are always
welcome. As you mention, this is likely a feature many users would
like to have.<br>
<br>
<blockquote
cite="mid:0b880eab88dc4b2717ea1df0f6fb8bf5@insiberia.net"
type="cite">Now, I read briefly about user-chk. Reading a text
file upon each packet arrival doesn't sound efficient, regardless
our requirement is using a database. Would it be possible to:
<br>
1. remove "client-class" from the subnet so all clients can
initially be assigned to the subnet just for purposes of working
around the chicken/egg problem you mentioned
<br>
2. assign class names to known clients using the existing database
reservations system (note, class would be defined in config file
with no "test" expression and our reservations have NULL for the
IP address)
<br>
3. have the user-chk hook library inspect the assigned class and
deny or reassign if the class is empty (not having been assigned
in step 2)
<br>
<br>
If this is possible, can I do it in version 1.0 or is 1.1.0
required for any of the above?
<br>
</blockquote>
<br>
The user_chk library as it stands is really meant as a learning
tool/starting point, not as something intended for busy production
environment. You are free to alter it however you like. You may
find it more expedient to use it as guide or skeleton for your own
new hook lib. It likely has a fair amount of stuff you don't need.
What you are proposing is doable, but not with 1.0 as it does not
support client-classes in the host reservations. <br>
<br>
If you look at the lease4_select hook point arguments:<br>
<br>
<meta http-equiv="content-type" content="text/html;
charset=windows-1252">
<li><b>Arguments:</b>
<ul>
<li>name: <b>query4</b>, type: <a class="el"
href="https://jenkins.isc.org/job/Kea_doc/doxygen/d5/d8c/namespaceisc_1_1dhcp.html#a3f332dc70d05fbe8e0fb453434c22d93"
title="A pointer to Pkt4 object. ">isc::dhcp::Pkt4Ptr</a>,
direction: <b>in</b></li>
<li>name: <b>subnet4</b>, type: <a class="el"
href="https://jenkins.isc.org/job/Kea_doc/doxygen/d5/d8c/namespaceisc_1_1dhcp.html#a17ccc4cfb9f7534dfcedc83ebe0e5d5a"
title="A pointer to a Subnet4 object. ">isc::dhcp::Subnet4Ptr</a>,
direction: <b>in</b></li>
<li>name: <b>fake_allocation</b>, type: bool, direction: <b>in</b></li>
<li>name: <b>lease4</b>, type: <a class="el"
href="https://jenkins.isc.org/job/Kea_doc/doxygen/d5/d8c/namespaceisc_1_1dhcp.html#aec4424838e2e5bb397345cdc32c0ef28"
title="Pointer to a Lease4 structure. ">isc::dhcp::Lease4Ptr</a>,
direction: <b>in/out</b></li>
</ul>
</li>
All classes matched to the client, including those via host
reservations, are accessible via query4->getClasses() (inherited
from isc::dhcp::Pkt). <br>
<br>
<br>
If you want to do something earlier in the process, it would have be
in the subnet4_select hook point, but bear in mind two things:<br>
<br>
1. The host matching as not yet been done, so
query4->getClasses() would not contain any classes contributed by
a reservation. You can, however, look for a host reservation
yourself via the HostMgr singleton, which can be accessed<br>
with this static method:<br>
<br>
HostMgr::instance()<br>
<br>
and the reservation can be searched for with either of these:<br>
<br>
virtual ConstHostPtr<br>
get4(const SubnetID& subnet_id, const HWAddrPtr& hwaddr,<br>
const DuidPtr& duid = DuidPtr()) const;<br>
<br>
virtual ConstHostPtr<br>
get4(const SubnetID& subnet_id, const
Host::IdentifierType& identifier_type,<br>
const uint8_t* identifier_begin, const size_t
identifier_len) const;<br>
<br>
(I would recommend the latter, as the former may eventually be
deprecated)<br>
<br>
2. Host reservations are tied to a subnet via subnet ID. Kea does
not support subnet-less host reservations. Suppose you define a
host reservation to subnet id 1, and you override the subnet
selection with a different subnet, say subnet 23. When<br>
Kea attempts to match hosts to this client, it will use subnet id 23
and fail to find any, unless you add a second reservation for the
host with subnet id 23. On the other hand, if you only want to
use the host reservation to attribute hosts to classes, this may
not matter to you, as you're doing the look explicitly in your hook.<br>
<br>
<br>
Thomas Markwalder<br>
ISC Software Engineering<br>
<br>
<br>
<br>
<br>
<blockquote
cite="mid:0b880eab88dc4b2717ea1df0f6fb8bf5@insiberia.net"
type="cite">_______________________________________________
<br>
Kea-users mailing list
<br>
<a class="moz-txt-link-abbreviated" href="mailto:Kea-users@lists.isc.org">Kea-users@lists.isc.org</a>
<br>
<a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/kea-users">https://lists.isc.org/mailman/listinfo/kea-users</a>
<br>
</blockquote>
<p><br>
</p>
</body>
</html>