Fwd: To add some filter rules in conf file

Glenn Satchell Glenn.Satchell at uniq.com.au
Thu Oct 15 14:05:11 UTC 2009


>From: Ashmath Khan <hashmat.email at gmail.com>
>Date: Thu, 15 Oct 2009 19:13:13 +0530
>Subject: Re: Fwd: To add some filter rules in conf file
>To: Glenn Satchell <Glenn.Satchell at uniq.com.au>
>
>Thank you very much Glenn.
>For question #5, I don't have known MAC addresses. But I have a range. I
>already looked into subclasses, I don't think I can use that for range. Is
>there a way to define range of MAC addresses with start and end ?

No.

The most common way is where the class matches against a substring of
the mac address, often the first three bytes, e.g. something like this:

match if substring(hardware, 1, 3) = 00:11:22;

Does that get you closer?

Otherwise, please post to the list what goal you are trying to
achieve. There may be an entirely different and easier way to achieve
it. There are a lot of experts here who know how to best use the
capabilities of dhcpd.conf statements...

regards,
-glenn


>thanks
>Ashmath
>
>On Thu, Oct 15, 2009 at 7:07 PM, Glenn Satchell
><Glenn.Satchell at uniq.com.au> wrote:
>
>>
>> >From: Ashmath Khan <hashmat.email at gmail.com>
>> >Date: Thu, 15 Oct 2009 18:50:52 +0530
>> >Subject: Fwd: To add some filter rules in conf file
>> >To: Glenn Satchell <Glenn.Satchell at uniq.com.au>,
>> tinzauro at ha-solutions.net
>> >
>> >Can you please reply ? thanks.
>> >
>> >---------- Forwarded message ----------
>> >From: Ashmath Khan <hashmat.email at gmail.com>
>> >Date: Thu, Oct 15, 2009 at 4:07 PM
>> >Subject: Re: To add some filter rules in conf file
>> >To: Users of ISC DHCP <dhcp-users at lists.isc.org>, dhcp1 at thehobsons.co.uk,
>> >dhcp-users at isc.org, Reissom Beshir <Reissom_Beshir at mitel.com>
>> >
>> >
>> >More questions:
>> >4.  Can I scan for a particular option which client has sent from the
>> option
>> >dhcp-parameter-request-list ?
>>
>> Not easily. You could use substring to test each possible position, but
>> there is no regular expression or wildcard matching.
>>
>> >5. How do I filter clients based on their h/w addresses. I tried this, but
>> >it gives error:
>> >class "rule1" {
>> >match if substring (hardware, 1, 6) >= 00:19:7D:72:B7:7A and substring
>> >(hardware, 1, 6) <= FF:FF:FF:FF:FF:FF;
>> >}
>>
>> You can't use > or < for string comparisons. The evaluation engine in
>> dhcpd is very basic.
>>
>> If you have particular known mac addresses then you can add them as a
>> sub-class. This is explained in dhcpd.conf man page, look for the
>> section SUBCLASSES. Then you can use allow or deny of that class in the
>> pool.
>>
>> More answers below.
>>
>> >subnet 192.168.1.0 netmask 255.255.255.0 {
>> >
>> >pool {
>> >option router-discovery off;
>> >option domain-name-servers 192.168.1.250;
>> >range 192.168.1.66;
>> >allow members of "rule1";
>> >}
>> >default-lease-time 86500;
>> >max-lease-time 86500;
>> >option routers 192.168.1.254;
>> >}
>> >
>> >Thanks in Advance.
>> >
>> >-Ashmath
>> >
>> >
>> >On Thu, Oct 15, 2009 at 3:26 PM, Ashmath Khan <hashmat.email at gmail.com
>> >wrote:
>> >
>> >> Sorry.. I missed that, client didn't request those options. It's working
>> >> now. But I had these further:
>> >>
>> >> 1. Is it possible to group the options together so that I refer to them by
>> >> some name ? like in the below example instead of giving router-discovery
>> and
>> >> boot-size, I can just give a group name, which will select those
>> options.
>>
>> No.
>>
>> >> 2.  is it possible to have wild chars in the search string ? like if I
>> want
>> >> to search the string "Phone*client" or "Alcatel?client" etc. I think i
>> can
>> >> use the existing eval expressions to search the strings, but then I need
>> to
>> >> parse these wild char strings, understand them, and apply eval
>> expressions.
>> >> Is there any direct method which would recognize wild chars ?
>>
>> No.
>>
>> >> 3. Say I have this rule below: And rule1 passes, rule2 fails, and I saw
>> >> that it doesn't go into third pool i.e, rule2 deny one, which seems to
>> be
>> >> correct. It means once it finds a pool match, then it won't evaluate
>> other
>> >> pools. Is this understanding correct ?
>> >>
>> >> class "rule1" {
>> >> match if substring (option vendor-class-identifier, 0, 4) = "MSFT";
>> >> }
>> >>
>> >> class "rule2" {
>> >> match if substring (option dhcp-option-overload, 0, 4) = "NSFT";
>> >> }
>> >>
>> >>
>> >> subnet 192.168.1.0 netmask 255.255.255.0 {
>> >>
>> >> pool {
>> >> option router-discovery off;
>> >> option domain-name-servers 192.168.1.254;
>> >> range 192.168.1.66;
>> >> allow members of "rule1";
>> >> }
>> >>
>> >> pool {
>> >> option router-discovery off;
>> >> option domain-name-servers 192.168.1.111;
>> >> range 192.168.1.100;
>> >> allow members of "rule2";
>> >> }
>> >>
>> >> pool {
>> >> option router-discovery on;
>> >> option domain-name-servers 192.168.1.222;
>> >> option boot-size 512;
>> >> range 192.168.1.200;
>> >> deny members of "rule2";
>> >> }
>> >>
>> >>
>> >> default-lease-time 86500;
>> >> max-lease-time 86500;
>> >> option routers 192.168.1.254;
>> >>
>> >> }
>> >>
>> >> thanks
>> >> Ashmath
>>
>> A particular client can be a member of multiple classes. My
>> understanding is the first pool that matches is used.
>>
>> Allowing a class denies all other classes, denying a class allows all
>> others. Mixing allow and deny in the same class can have unexpected
>> results, so use carefully.
>>
>> HTH.
>>
>> regards,
>> -glenn
>> --
>> Glenn Satchell   mailto:glenn.satchell at uniq.com.au | Miss 9: What do you
>> Uniq Advances Pty Ltd       http://www.uniq.com.au | do at work Dad?
>> PO Box 70 Paddington NSW Australia 2021            | Miss 6: He just
>> tel:0409-458-580     fax:02-9380-6416              | types random stuff.
>>
>> >>
>> >>
>> >>
>> >> On Wed, Oct 14, 2009 at 8:50 PM, Simon Hobson <dhcp1 at thehobsons.co.uk
>> >wrote:
>> >>
>> >>> Ashmath Khan wrote:
>> >>>
>> >>>  I tried this:
>> >>>> class "rule1" {
>> >>>> match if substring (option dhcp-client-identifier, 0, 5) =
>> >>>> 01:00:19:7d:72;
>> >>>> option time-offset -12345;
>> >>>> option boot-size 65000;
>> >>>> }
>> >>>> subnet 192.168.1.0 netmask 255.255.255.0 {
>> >>>> pool {
>> >>>> allow members of "rule1";
>> >>>> range 192.168.1.66;
>> >>>> }
>> >>>> default-lease-time 86400;
>> >>>> max-lease-time 86400;
>> >>>> option routers 192.168.1.254;
>> >>>> option domain-name-servers 192.168.1.254;
>> >>>> }
>> >>>>
>> >>>> => it didn't work completely. I did get dhcp offer message but the
>> >>>> options: time-offset and boot-size were not sent as part of dhcp
>> offer. Any
>> >>>> reasons ? How do I make it work ?
>> >>>>
>> >>>
>> >>> Did the client request those options ?
>> >>>
>> >>> If not then the server won't send them. You can force it to (see the
>> >>> recent thread "how to get slp-directory-agent option working"). But if
>> the
>> >>> client doesn't request it, there's a good chance it doesn't know what
>> to do
>> >>> with it and will ignore it.
>> >>>
>> >>>
>> >>> --
>> >>> Simon Hobson
>> >>>
>> >>> Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
>> >>> author Gladys Hobson. Novels - poetry - short stories - ideal as
>> >>> Christmas stocking fillers. Some available as e-books.
>> >>> _______________________________________________
>> >>> dhcp-users mailing list
>> >>> dhcp-users at lists.isc.org
>> >>> https://lists.isc.org/mailman/listinfo/dhcp-users
>> >>>
>> >>
>> >>
>>
>>
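Glenn's answer above is that dhcpd.conf has no range operator, no `<`/`>` on strings and no wildcards, which leaves two workable shapes for hardware-address filtering: a prefix match on the first bytes of the `hardware` data item (his `substring(hardware, 1, 3)` suggestion), or one explicit `subclass` per address when the set really is a contiguous range. The generator below is an added example written for this page; it is not code from the thread or from ISC. It assumes Ethernet (hardware type byte 1, which is why the substring offset starts at 1 and subclass keys are written `1:xx:xx:xx:xx:xx:xx`), an arbitrary sanity cap `MAX_RANGE` on the number of subclass lines emitted, and constructed sample addresses taken from the original question. The class/pool names are illustrative. One caveat a practitioner should keep in mind: a MAC address is client-supplied and trivially spoofed, so this steers address allocation per device population; it is not authentication.

```python
"""Generate dhcpd.conf fragments that filter clients by MAC address.

Added example for the dhcp-users thread above (not thread or ISC code).
dhcpd has no MAC range operator and no regex, so the two workable shapes
are (a) a prefix match on the first bytes of the `hardware` data item and
(b) one explicit subclass per address for a contiguous range.  `hardware`
is the hardware-type byte (1 = Ethernet) followed by the link-layer
address, so substring offsets start at 1 and subclass keys look like
1:00:19:7d:72:b7:7a.  A MAC is client-supplied and spoofable: this is
allocation policy, not authentication.
"""
from __future__ import annotations

import re
from typing import Iterator

ETHERNET_HW_TYPE = 1     # hardware type byte dhcpd prepends to the MAC
MAX_RANGE = 4096         # assumed sanity limit on generated subclass lines

_OCTET = r"[0-9a-fA-F]{1,2}"
_MAC_RE = re.compile(rf"^{_OCTET}(:{_OCTET}){{5}}$")
_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def mac_to_int(mac: str) -> int:
    """Parse aa:bb:cc:dd:ee:ff (dhcpd also accepts unpadded octets like 8:0:2b:...)."""
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    value = 0
    for octet in mac.split(":"):
        value = (value << 8) | int(octet, 16)
    return value


def int_to_mac(value: int) -> str:
    """Inverse of mac_to_int: always zero-padded, lowercase."""
    if not 0 <= value < 1 << 48:
        raise ValueError("MAC value out of 48-bit range")
    return ":".join(f"{(value >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def mac_range(start: str, end: str) -> Iterator[str]:
    """Yield every MAC from start to end inclusive; refuse inverted or huge ranges."""
    lo, hi = mac_to_int(start), mac_to_int(end)
    if lo > hi:
        raise ValueError("range start is above range end")
    if hi - lo + 1 > MAX_RANGE:
        raise ValueError(f"{hi - lo + 1} addresses exceeds MAX_RANGE={MAX_RANGE}")
    for v in range(lo, hi + 1):
        yield int_to_mac(v)


def _check_name(class_name: str) -> None:
    """Class names are interpolated into config text, so keep them to safe characters."""
    if not _NAME_RE.match(class_name):
        raise ValueError(f"unsafe class name: {class_name!r}")


def oui_class(class_name: str, oui: str) -> str:
    """Class matching a 3-byte vendor prefix, the shape suggested in the reply above."""
    _check_name(class_name)
    octets = oui.split(":")
    if len(octets) != 3 or not all(re.fullmatch(_OCTET, o) for o in octets):
        raise ValueError(f"OUI must be three octets: {oui!r}")
    prefix = ":".join(f"{int(o, 16):02x}" for o in octets)
    # offset 1 skips the hardware-type byte; length 3 covers the OUI
    return (f'class "{class_name}" {{\n'
            f"    match if substring(hardware, 1, 3) = {prefix};\n"
            "}\n")


def range_class(class_name: str, start: str, end: str) -> str:
    """Class keyed on `hardware` plus one subclass statement per address in [start, end]."""
    _check_name(class_name)
    lines = [f'class "{class_name}" {{', "    match hardware;", "}"]
    for mac in mac_range(start, end):
        lines.append(f'subclass "{class_name}" {ETHERNET_HW_TYPE}:{mac};')
    return "\n".join(lines) + "\n"


def pool_fragment(class_name: str, first_ip: str, last_ip: str) -> str:
    """Pool that leases first_ip..last_ip only to members of class_name.
    An 'allow members of' pool implicitly denies every other client, so the
    subnet needs a separate pool without that statement for everyone else."""
    _check_name(class_name)
    return ("pool {\n"
            f"    range {first_ip} {last_ip};\n"
            f'    allow members of "{class_name}";\n'
            "}\n")


if __name__ == "__main__":
    # constructed sample input: the start address from the original question, 8 addresses wide
    print(oui_class("phones-by-oui", "00:19:7d"))
    print(range_class("phones-by-range", "00:19:7d:72:b7:7a", "00:19:7d:72:b7:81"))
    print(pool_fragment("phones-by-range", "192.168.1.66", "192.168.1.80"))
```

Paste the printed fragments into dhcpd.conf (the class and subclass statements at global scope, the pool inside the subnet) and run `dhcpd -t` to syntax-check before restarting. The generator refuses inverted ranges and anything above `MAX_RANGE` because each subclass is a separate line the server parses at startup; for a large but structured population the OUI prefix class is the cheaper choice.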