dhcpd.conf.5

DHCP服务器源码

.\"	dhcpd.conf.5
.\"
.\" Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (c) 1996-2003 by Internet Software Consortium
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
.\" OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.\"   Internet Systems Consortium, Inc.
.\"   950 Charter Street
.\"   Redwood City, CA 94063
.\"   <info@isc.org>
.\"   http://www.isc.org/
.\"
.\" This software has been written for Internet Systems Consortium
.\" by Ted Lemon in cooperation with Vixie Enterprises and Nominum, Inc.
.\" To learn more about Internet Systems Consortium, see
.\" ``http://www.isc.org/''.  To learn more about Vixie Enterprises,
.\" see ``http://www.vix.com''.   To learn more about Nominum, Inc., see
.\" ``http://www.nominum.com''.
.\"
.\" $Id: dhcpd.conf.5,v 1.63.2.19 2004/06/10 17:59:53 dhankins Exp $
.\"
.TH dhcpd.conf 5
.SH NAME
dhcpd.conf - dhcpd configuration file
.SH DESCRIPTION
The dhcpd.conf file contains configuration information for
.IR dhcpd,
the Internet Systems Consortium DHCP Server.
.PP
The dhcpd.conf file is a free-form ASCII text file.   It is parsed by
the recursive-descent parser built into dhcpd.   The file may contain
extra tabs and newlines for formatting purposes.  Keywords in the file
are case-insensitive.   Comments may be placed anywhere within the
file (except within quotes).   Comments begin with the # character and
end at the end of the line.
.PP
The file essentially consists of a list of statements.   Statements
fall into two broad categories - parameters and declarations.
.PP
Parameter statements either say how to do something (e.g., how long a
lease to offer), whether to do something (e.g., should dhcpd provide
addresses to unknown clients), or what parameters to provide to the
client (e.g., use gateway 220.177.244.7).
.PP
Declarations are used to describe the topology of the
network, to describe clients on the network, to provide addresses that
can be assigned to clients, or to apply a group of parameters to a
group of declarations.   In any group of parameters and declarations,
all parameters must be specified before any declarations which depend
on those parameters may be specified.
.PP
Declarations about network topology include the \fIshared-network\fR
and the \fIsubnet\fR declarations.   If clients on a subnet are to be
assigned addresses
dynamically, a \fIrange\fR declaration must appear within the
\fIsubnet\fR declaration.   For clients with statically assigned
addresses, or for installations where only known clients will be
served, each such client must have a \fIhost\fR declaration.   If
parameters are to be applied to a group of declarations which are not
related strictly on a per-subnet basis, the \fIgroup\fR declaration
can be used.
.PP
For every subnet which will be served, and for every subnet
to which the dhcp server is connected, there must be one \fIsubnet\fR
declaration, which tells dhcpd how to recognize that an address is on
that subnet.  A \fIsubnet\fR declaration is required for each subnet
even if no addresses will be dynamically allocated on that subnet.
.PP
Some installations have physical networks on which more than one IP
subnet operates.   For example, if there is a site-wide requirement
that 8-bit subnet masks be used, but a department with a single
physical ethernet network expands to the point where it has more than
254 nodes, it may be necessary to run two 8-bit subnets on the same
ethernet until such time as a new physical network can be added.   In
this case, the \fIsubnet\fR declarations for these two networks must be
enclosed in a \fIshared-network\fR declaration.
.PP
Some sites may have departments which have clients on more than one
subnet, but it may be desirable to offer those clients a uniform set
of parameters which are different than what would be offered to
clients from other departments on the same subnet.   For clients which
will be declared explicitly with \fIhost\fR declarations, these
declarations can be enclosed in a \fIgroup\fR declaration along with
the parameters which are common to that department.   For clients
whose addresses will be dynamically assigned, class declarations and
conditional declarations may be used to group parameter assignments
based on information the client sends.
.PP
When a client is to be booted, its boot parameters are determined by
consulting that client's \fIhost\fR declaration (if any), and then
consulting any \fIclass\fR declarations matching the client,
followed by the \fIpool\fR, \fIsubnet\fR and \fIshared-network\fR
declarations for the IP address assigned to the client.   Each of
these declarations itself appears within a lexical scope, and all
declarations at less specific lexical scopes are also consulted for
client option declarations.   Scopes are never considered
twice, and if parameters are declared in more than one scope, the
parameter declared in the most specific scope is the one that is
used.
.PP
When dhcpd tries to find a \fIhost\fR declaration for a client, it
first looks for a \fIhost\fR declaration which has a
\fIfixed-address\fR declaration that lists an IP address that is valid
for the subnet or shared network on which the client is booting.   If
it doesn't find any such entry, it tries to find an entry which has
no \fIfixed-address\fR declaration.
.SH EXAMPLES
.PP
A typical dhcpd.conf file will look something like this:
.nf

.I global parameters...

subnet 204.254.239.0 netmask 255.255.255.224 {
  \fIsubnet-specific parameters...\fR
  range 204.254.239.10 204.254.239.30;
}

subnet 204.254.239.32 netmask 255.255.255.224 {
  \fIsubnet-specific parameters...\fR
  range 204.254.239.42 204.254.239.62;
}

subnet 204.254.239.64 netmask 255.255.255.224 {
  \fIsubnet-specific parameters...\fR
  range 204.254.239.74 204.254.239.94;
}

group {
  \fIgroup-specific parameters...\fR
  host zappo.test.isc.org {
    \fIhost-specific parameters...\fR
  }
  host beppo.test.isc.org {
    \fIhost-specific parameters...\fR
  }
  host harpo.test.isc.org {
    \fIhost-specific parameters...\fR
  }
}

.ce 1
Figure 1

.fi
.PP
Notice that at the beginning of the file, there's a place
for global parameters.   These might be things like the organization's
domain name, the addresses of the name servers (if they are common to
the entire organization), and so on.   So, for example:
.nf

	option domain-name "isc.org";
	option domain-name-servers ns1.isc.org, ns2.isc.org;

.ce 1
Figure 2
.fi
.PP
As you can see in Figure 2, you can specify host addresses in
parameters using their domain names rather than their numeric IP
addresses.  If a given hostname resolves to more than one IP address
(for example, if that host has two ethernet interfaces), then where
possible, both addresses are supplied to the client.
.PP
The most obvious reason for having subnet-specific parameters as
shown in Figure 1 is that each subnet, of necessity, has its own
router.   So for the first subnet, for example, there should be
something like:
.nf

	option routers 204.254.239.1;
.fi
.PP
Note that the address here is specified numerically.   This is not
required - if you have a different domain name for each interface on
your router, it's perfectly legitimate to use the domain name for that
interface instead of the numeric address.   However, in many cases
there may be only one domain name for all of a router's IP addresses, and
it would not be appropriate to use that name here.
.PP
In Figure 1 there is also a \fIgroup\fR statement, which provides
common parameters for a set of three hosts - zappo, beppo and harpo.
As you can see, these hosts are all in the test.isc.org domain, so it
might make sense for a group-specific parameter to override the domain
name supplied to these hosts:
.nf

	option domain-name "test.isc.org";
.fi
.PP
Also, given the domain they're in, these are probably test machines.
If we wanted to test the DHCP leasing mechanism, we might set the
lease timeout somewhat shorter than the default:

.nf
	max-lease-time 120;
	default-lease-time 120;
.fi
.PP
You may have noticed that while some parameters start with the
\fIoption\fR keyword, some do not.   Parameters starting with the
\fIoption\fR keyword correspond to actual DHCP options, while
parameters that do not start with the option keyword either control
the behavior of the DHCP server (e.g., how long a lease dhcpd will
give out), or specify client parameters that are not optional in the
DHCP protocol (for example, server-name and filename).
.PP
In Figure 1, each host had \fIhost-specific parameters\fR.   These
could include such things as the \fIhostname\fR option, the name of a
file to upload (the \fIfilename\fR parameter) and the address of the
server from which to upload the file (the \fInext-server\fR
parameter).   In general, any parameter can appear anywhere that
parameters are allowed, and will be applied according to the scope in
which the parameter appears.
.PP
Imagine that you have a site with a lot of NCD X-Terminals.   These
terminals come in a variety of models, and you want to specify the
boot files for each model.   One way to do this would be to have host
declarations for each server and group them by model:
.nf

group {
  filename "Xncd19r";
  next-server ncd-booter;

  host ncd1 { hardware ethernet 0:c0:c3:49:2b:57; }
  host ncd4 { hardware ethernet 0:c0:c3:80:fc:32; }
  host ncd8 { hardware ethernet 0:c0:c3:22:46:81; }
}

group {
  filename "Xncd19c";
  next-server ncd-booter;

  host ncd2 { hardware ethernet 0:c0:c3:88:2d:81; }
  host ncd3 { hardware ethernet 0:c0:c3:00:14:11; }
}

group {
  filename "XncdHMX";
  next-server ncd-booter;

  host ncd1 { hardware ethernet 0:c0:c3:11:90:23; }
  host ncd4 { hardware ethernet 0:c0:c3:91:a7:8; }
  host ncd8 { hardware ethernet 0:c0:c3:cc:a:8f; }
}
.fi
.SH ADDRESS POOLS
.PP
The
.B pool
declaration can be used to specify a pool of addresses that will be
treated differently than another pool of addresses, even on the same
network segment or subnet.   For example, you may want to provide a
large set of addresses that can be assigned to DHCP clients that are
registered to your DHCP server, while providing a smaller set of
addresses, possibly with short lease times, that are available for
unknown clients.   If you have a firewall, you may be able to arrange
for addresses from one pool to be allowed access to the Internet,
while addresses in another pool are not, thus encouraging users to
register their DHCP clients.   To do this, you would set up a pair of
pool declarations:
.PP
.nf
subnet 10.0.0.0 netmask 255.255.255.0 {
  option routers 10.0.0.254;

  # Unknown clients get this pool.
  pool {
    option domain-name-servers bogus.example.com;
    max-lease-time 300;
    range 10.0.0.200 10.0.0.253;
    allow unknown-clients;
  }

  # Known clients get this pool.
  pool {
    option domain-name-servers ns1.example.com, ns2.example.com;
    max-lease-time 28800;
    range 10.0.0.5 10.0.0.199;
    deny unknown-clients;
  }
}
.fi
.PP
It is also possible to set up entirely different subnets for known and
unknown clients - address pools exist at the level of shared networks,
so address ranges within pool declarations can be on different
subnets.
.PP
As you can see in the preceding example, pools can have permit lists
that control which clients are allowed access to the pool and which
aren't.  Each entry in a pool's permit list is introduced with the
.I allow
or \fIdeny\fR keyword.   If a pool has a permit list, then only those
clients that match specific entries on the permit list will be
eligible to be assigned addresses from the pool.   If a pool has a
deny list, then only those clients that do not match any entries on
the deny list will be eligible.    If both permit and deny lists exist
for a pool, then only clients that match the permit list and do not
match the deny list will be allowed access.
.SH DYNAMIC ADDRESS ALLOCATION
Address allocation is actually only done when a client is in the INIT
state and has sent a DHCPDISCOVER message.  If the client thinks it
has a valid lease and sends a DHCPREQUEST to initiate or renew that
lease, the server has only three choices - it can ignore the
DHCPREQUEST, send a DHCPNAK to tell the client it should stop using
the address, or send a DHCPACK, telling the client to go ahead and use
the address for a while.
.PP
If the server finds the address the client is requesting, and that