To add some filter rules in conf file

Simon Hobson dhcp1 at thehobsons.co.uk
Mon Oct 19 18:21:41 UTC 2009


Quoting (especially top posting) fixed!

Ashmath Khan wrote:

>>I do have one last idea, though if it will work or not I don't 
>>know. If you check "man dhcp-eval" you'll find there is an "if ... 
>>elseif ... else" mechanism. I could see the possibility of using 
>>this to set a variable to say how far a client matched your 
>>sequential list of tests - so you could drop out the test with a 
>>variable set to "r1", "r2" etc. Then configure your classes with 
>>match if <somevariable> = "r1" and so on.

>Sorry, I can't make out much from this.

OK, taking the example given by Jeff Haran:

rule 1: If it's red, use the red pool, else
rule 2: If it's fat, use the fat pool, else
rule 3: If it's tall, use the tall pool, else
rule 4: Use the cold pool

You'd express this in terms of:
If it's Red, then set kind:=red
Elseif it's fat, then set kind:=fat
Elseif it's tall, then set kind:=tall
Else, set kind:=cold

Then you'd have classes like this:
Class "red" { match if kind="red" ; ...}
Class "fat" { match if kind="fat" ; ...}
Class "tall" { match if kind="tall" ; ...}
Class "cold" { match if kind="cold" ; ...}

You now have four classes that are mutually exclusive and so you just 
have to "allow member of ..." a single class in each pool.

It's not something I've ever tried. I'd hope that the expression and 
conditionals would be evaluated before evaluating the class 
memberships - if not then it can't ever hope to work.

>>Finally - what are you actually trying to achieve ?

>Let me point you to the initial post I sent to this list: 
>https://lists.isc.org/pipermail/dhcp-users/2009-September/009879.html
>Basically I want to filter clients based on some rules and the 
>actions would be to either assign some pools to them or ignore those 
>clients. If a rule is met I don't evaluate further rules. Hope it's 
>clear now!

>Here's an example:
>rule 1 type dhcp-option
>rule 1 dhcp-option 60
>rule 1 match-str "*VIP*"
>rule 1 match-action discard
>rule 1 absent-action continue
>rule 2 type dhcp-option
>rule 2 dhcp-option 60
>rule 2 match-str "*"
>rule 2 match-action pass
>rule 2 match-pool 192.168.1.100
>rule 2 match-option-group ""
>rule 2 absent-action continue
>etc

Sorry, but I'm no wiser as to what the objective is. It's an 
incredibly complex set of requirements and I can't recall anyone else 
ever coming to the list with anything quite like it. You're telling 
us how you want to achieve something, but I cannot see what it is 
that you want to achieve.

>Also from dhcpd.conf:
>"If both permit and deny lists exist for a pool, then only clients 
>that match the permit list and do not match the deny list will be 
>allowed access."
>So it says we can mix allow and deny statements.

I didn't say you can't, but it's general advice to avoid mixing them 
- it seems to be a good source of confusion as people will still read 
a list of allow/deny statements and still think in terms of a linear 
"match first" operation. If that happens then the results won't be as 
expected.

-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
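Added example, not from Simon's post or from ISC: the same four mutually exclusive classes for the red/fat/tall/cold rules, but with the "first match wins" ordering written directly into each class's `match if` expression with `not`/`and` instead of an intermediate variable, so nothing depends on when global `if` statements are executed relative to classification. The tests on option 60 and the host-name option, the subnet and the ranges are assumed placeholders.

```conf
# Added example (assumptions: tests, subnet and ranges are placeholders).
# Each class repeats the negation of every earlier rule, so a client can
# only ever be a member of one of them; pool selection then needs a single
# "allow members of" per pool and no deny statements.

class "red" {
  # rule 1: vendor class id (option 60) starts with "red"
  match if substring(option vendor-class-identifier, 0, 3) = "red";
}

class "fat" {
  # rule 2: not red, and host-name starts with "fat"
  match if not (substring(option vendor-class-identifier, 0, 3) = "red")
       and substring(option host-name, 0, 3) = "fat";
}

class "tall" {
  # rule 3: neither red nor fat, and host-name starts with "tall"
  match if not (substring(option vendor-class-identifier, 0, 3) = "red")
       and not (substring(option host-name, 0, 3) = "fat")
       and substring(option host-name, 0, 4) = "tall";
}

class "cold" {
  # rule 4: everything that matched none of the above
  match if not (substring(option vendor-class-identifier, 0, 3) = "red")
       and not (substring(option host-name, 0, 3) = "fat")
       and not (substring(option host-name, 0, 4) = "tall");
}

subnet 192.168.1.0 netmask 255.255.255.0 {
  option routers 192.168.1.1;
  pool { range 192.168.1.10 192.168.1.19; allow members of "red"; }
  pool { range 192.168.1.20 192.168.1.29; allow members of "fat"; }
  pool { range 192.168.1.30 192.168.1.39; allow members of "tall"; }
  pool { range 192.168.1.40 192.168.1.49; allow members of "cold"; }
}
```

A rule whose action is "discard" rather than "use this pool" simply gets a class that no pool allows; the client then finds no pool it is permitted to use.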
