Excluding a class from matches...

David McKen dmlmcken at gmail.com
Wed Aug 5 17:26:59 UTC 2009


Got it working like this, but having the MAC in two places is not a good
idea in my mind. This also removes the option of using OMAPI to
dynamically update the list.

class "PayYourBill"       { match hardware; }
subclass "PayYourBill" 1:12:34:56:XX:YY:ZZ;

class "Browsing"          {
        match if substring ( hardware, 1, 3 ) = 12:34:56
        and (
                hardware != 1:12:34:56:XX:YY:ZZ
        );
}

Need to see how I'm going to scale the "and" statement; hopefully the
list isn't going to get too long. Any ideas on how I can simplify
this?

On Wed, Aug 5, 2009 at 12:39 PM, David McKen<dmlmcken at gmail.com> wrote:
> Sometimes that works, sometimes it doesn't. The specific MACs I am
> attempting to exclude will match the prefix 12:34:56. From going
> through the list, the problem is that the order in which classes are
> evaluated is not deterministic, nor is it most-specific match.
>
> The scenario is there is a pool from which customers normally receive
> IPs, which gives them IPs where they can browse. The MAC for this
> interface begins with 12:34:56. When customers don't pay their bill I
> want them to be moved to a different network where all they can see is
> a page saying "pay your bill".
>
> The solution I hoped would work was:
>
> class "PayYourBill" { match hardware; }
> subclass "PayYourBill" 1:12:34:56:XX:YY:ZZ;
>
> class "Browsing" { match if substring ( hardware,  1, 3 ) = 12:34:56; }
>
> Where XX:YY:ZZ is specific to the customer.
>
> As a side note is there any way to specify to the "Browsing" class do
> not match anything that matches the "PayYourBill" class?
>
> BTW, I am using version 3.1.2_p1 (latest of the 3.1 series). Thus far
> I am unaware of any enhancements that would be useful to me from the
> 4.X series.
>
> On Tue, Aug 4, 2009 at 10:38 PM, Glenn
> Satchell<Glenn.Satchell at uniq.com.au> wrote:
>> ok, what if you reverse the logic in your class, then you can allow
>> that class, the allow implies deny everything else? eg:
>>
>> class "DeviceType1" { match if not substring ( hardware, 1, 3 ) = 12:34:56; }
>>
>> subnet .... {
>>        option ... ;
>>        pool {
>>                # deny devices who are not 12:34:56:
>>                allow members of "DeviceType1";
>>                range ... ;
>>                option ... ;
>>        }
>>        pool {
>>                allow members of "DeviceType2";
>>                range ... ;
>>                option ... ;
>>        }
>> }
>>
>> regards,
>> -glenn
>>
>> PS Please reply to the list only, I don't need to get the posting twice.
>>
>>>Date: Tue, 4 Aug 2009 19:52:28 -0400
>>>Subject: Re: Excluding a class from matches...
>>>From: David McKen <dmlmcken at gmail.com>
>>>
>>>I considered that option but unfortunately I have one other constraint
>>>that I forgot to mention. I have 3 classes of devices on this network
>>>with ISC DHCP classes set up for each. This setup works fine, but I need
>>>one of the classes to support this behavior. Due to this the deny
>>>option won't work well for me. I read on the list that it is not a good
>>>idea to have allow and deny statements within a single pool, so there
>>>would be no way to apply the extra restrictions.
>>>
>>>The specific setup is that we have management networks on the same
>>>VLAN as customer browsing networks (this is due to a limitation on the
>>>equipment). Both are handed out via DHCP, we use the MAC prefix to
>>>distinguish between the two. The new requirement is to move customers
>>>over to a special "captive" network when they don't pay their bill.
>>>
>>>Most of the data will be stored in a database, so being able to have
>>>the DHCP server call some script whose return value is 1 if it's a
>>>match and 0 if it isn't will actually work quite well for me, so I
>>>don't have to keep restarting the DHCP service every time one of these
>>>MACs needs to get added or removed.
>>>
>>>On Tue, Aug 4, 2009 at 7:35 PM, Glenn
>>>Satchell<Glenn.Satchell at uniq.com.au> wrote:
>>>>
>>>>>Date: Tue, 4 Aug 2009 18:30:17 -0400
>>>>>Subject: Excluding a class from matches...
>>>>>From: David McKen <dmlmcken at gmail.com>
>>>>>To: dhcp-users at lists.isc.org
>>>>>
>>>>>Good Day list,
>>>>>
>>>>>I am looking to do the following:
>>>>>1. For all MACs whose prefix does not begin with 12:34:56, do not match /
>>>>>give an IP.
>>>>>2. For specific macs (list is coming from a database so can be
>>>>>provided via subclass or group I guess) put them in a specific subnet
>>>>>#1.
>>>>>3. For all other macs matching criteria #1 put them in subnet #2.
>>>>>
>>>>>If I drop requirement #2 I can do this quite easily via classes.
>>>>>class "DeviceType" { match if substring ( hardware, 1, 3 ) = 12:34:56; }
>>>>>
>>>>>and apply the class to the subnet desired.
>>>>>
>>>>>I am a bit lost as to how to do this with requirement #2 in place
>>>>>which is to put certain devices in a special "holding" network until
>>>>>they can be dealt with.
>>>>>
>>>>>Was looking for some line that would allow me to say " if not in
>>>>>'someclass' " as I could use this to prevent the macs from #2 from
>>>>>matching the "global" matches.
>>>>>
>>>>>Came across something called "execute based class matching" from the
>>>>>mailing lists. I am a bit fuzzy as to how this works but it may be
>>>>>what I'm looking for. Can anyone shed some light on how this works?
>>>>>
>>>>>Signed
>>>>>David McKen
>>>>
>>>> Hi David
>>>>
>>>> So you define your class similar to above
>>>>
>>>> class "DeviceType1" { match if substring ( hardware, 1, 3 ) = 12:34:56; }
>>>>
>>>> class "DeviceType2" { match hardware; }
>>>> subclass "DeviceType2"  1:12:34:56:d:e:f;
>>>> subclass "DeviceType2"  1:a:b:c:d:e:f;
>>>> ...
>>>>
>>>> subnet .... {
>>>>        option ... ;
>>>>        pool {
>>>>                # deny devices who are not 12:34:56:
>>>>                deny members of "DeviceType1";
>>>>                # deny our special list
>>>>                deny members of "DeviceType2";
>>>>                range ... ;
>>>>                option ... ;
>>>>        }
>>>>        pool {
>>>>                allow members of "DeviceType2";
>>>>                range ... ;
>>>>                option ... ;
>>>>        }
>>>> }
>>>>
>>>> When you allow a class it denies all other classes in that pool. When
>>>> you deny a class it allows all other classes. The ranges must not
>>>> overlap in the pools. You can also put other options in each pool, eg
>>>> different router, dns servers and so on, and they will apply to devices
>>>> using that pool.
>>>>
>>>> The dhcpd.conf man page has examples on subclasses; the leading "1" is the
>>>> hardware type, almost always ethernet these days. dhcp-eval has
>>>> examples of arithmetic and if/else tests, etc.
>>>>
>>>> regards,
>>>> -glenn
>>>> --
>>>> Glenn Satchell     mailto:glenn.satchell at uniq.com.au | I telephoned the
>>>> Uniq Advances Pty Ltd         http://www.uniq.com.au | swine flu info
>>>> PO Box 70 Paddington NSW Australia 2021              | line and all I got
>>>> tel:0409-458-580  tel:02-9380-6360  fax:02-9380-6416 | was crackling.
>>>>
>>>> _______________________________________________
>>>> dhcp-users mailing list
>>>> dhcp-users at lists.isc.org
>>>> https://lists.isc.org/mailman/listinfo/dhcp-users
>>>>
>>>
>>
>>
>

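Editor's note: the configuration below is an added example written for this archive page; it is not code from any of the posters and has not been taken from the ISC documentation. It shows one way to get the three-way split the thread describes (normal customers, suspended customers, management gear on the same VLAN) without repeating a MAC in two places and without growing an "and hardware != ..." chain. It takes Glenn's "reverse the logic" idea one step further: the only class that needs an explicit member list is "PayYourBill", that list lives in a separate file pulled in with include, and every pool uses either only deny or only allow statements, so the question of mixing the two in one pool never arises. A suspended CPE still has the 12:34:56 prefix, which is why the exclusion is expressed as a deny on the browsing pool rather than in a match expression. Network numbers, ranges, gateways, lease time and the include path are placeholders; the class names follow the thread.

```conf
# dhcpd.conf fragment (added example; addresses and paths are placeholders)

# Suspended customers: a hash-matched class.  Its members are kept in a
# separate file that can be regenerated from the billing database, so the
# main configuration never changes when a customer is suspended or cleared.
class "PayYourBill" { match hardware; }
include "/etc/dhcp/suspended.conf";

# Management gear shares the VLAN and is "everything that is not customer
# CPE", i.e. anything whose MAC does not start with the 12:34:56 prefix.
class "Management" { match if not (substring (hardware, 1, 3) = 12:34:56); }

# One VLAN carries three IP networks, so they are declared in one
# shared-network and dhcpd chooses the subnet by which pool admits the client.
shared-network CUSTOMER-VLAN {

    # Browsing network for paying customers.  Deny-only permit list:
    # management gear is kept out by "Management", unpaid customers by
    # "PayYourBill".  Everyone else (customer CPE in good standing) is allowed.
    subnet 192.0.2.0 netmask 255.255.255.0 {
        option routers 192.0.2.1;
        option domain-name-servers 192.0.2.2;
        pool {
            deny members of "Management";
            deny members of "PayYourBill";
            range 192.0.2.20 192.0.2.250;
        }
    }

    # Captive "pay your bill" network.  An allow statement implies deny for
    # everything else, so only the suspended list lands here.  Gateway and
    # resolver both point at the captive box; a short lease means a
    # customer who pays is moved back without waiting for a long lease to expire.
    subnet 198.51.100.0 netmask 255.255.255.0 {
        option routers 198.51.100.1;
        option domain-name-servers 198.51.100.1;
        default-lease-time 300;
        max-lease-time 600;
        pool {
            allow members of "PayYourBill";
            range 198.51.100.20 198.51.100.250;
        }
    }

    # Management network: only non-customer prefixes.
    subnet 203.0.113.0 netmask 255.255.255.0 {
        option routers 203.0.113.1;
        pool {
            allow members of "Management";
            range 203.0.113.20 203.0.113.250;
        }
    }
}

# Contents of /etc/dhcp/suspended.conf, generated from the billing database.
# One line per suspended CPE; the leading "1" is the ethernet hardware type.
# (The two addresses are constructed placeholders.)
subclass "PayYourBill" 1:12:34:56:00:00:01;
subclass "PayYourBill" 1:12:34:56:00:00:02;
```

Two caveats for anyone adopting this. First, include does not give you live updates: after the generated file changes, run "dhcpd -t" against the new configuration and then restart the daemon, so the thread's wish to avoid restarts is only partly met; the gain is that the restart never requires hand-editing the main file. Second, everything here keys on the hardware address, and a customer who changes the CPE MAC (or plugs in a different device) simply leaves the "PayYourBill" class. Treat the DHCP classification as a convenience, not as the enforcement point; the access device (for example through a per-port filter or the relay agent information in DHCP option 82) is where a suspension actually has to be enforced.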