Limiting addresses per user for users with more than one circuit-id

Ilkka Virta itvirta at iki.fi
Mon Dec 15 11:48:28 UTC 2014


Hi,

We have users (student apartments) who get addresses from DHCP, and we 
need to limit the number of addresses given to each user, so that nobody 
can hoard all the addresses in the network. We have a somewhat 
convoluted system in place for doing this, but I was wondering if it 
could be made simpler with the built-in limiting in dhcpd.


I can tell the users apart by the physical connection
(remote-id + circuit-id) but the problem is that a number of users
have more than one circuit-id in their use, and the limit should still
be per-user (and not per-circuit). For single circuit-ids, spawning
subclasses should be able to do this nicely, but since I need to
"combine" (in a sense) the circuit-ids, I don't think this can be done
without creating (full) classes for each and every user?

A class per user would be possibly doable, but with hundreds of users, 
the resulting configuration would be rather ugly. (hundreds of class 
declarations, dozens of "allow members of" clauses in all pool 
declarations). I'm a bit worried if there are any performance issues 
with this, too. Since subclasses are described as a "speed hack", full 
classes probably aren't very optimal speedwise, but how many would be 
"too many"?


Logically, the thing would be for dhcpd to only see some kind
of a "user-id" (or to be able to do the mapping from remote-id +
circuit-id to the user-id) and then do the subclassing and limiting
based on the user-id. But I don't think that's available out of the box.

So, the ideas I came up with:
- Have an external program mangle the circuit-ids before dhcpd sees them
- Hack dhcpd to do the mapping itself
- Hack dhcpd to call an external program on each and every request
to decide whether to allow the lease or not, and do the limiting there.

I'm not too happy about any of those, would there be a better way for 
achieving this?

---

As an additional thought, it would be "nice" if users could in some 
cases step over the limit to use any spare addresses in the subnet, as 
long as I can guarantee everyone gets at least one address at all 
times... But I think this would definitely need an external program to 
handle the logic.


More information about the dhcp-users mailing list
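As an added example (not from the original post, and not ISC dhcpd's own tooling), below is a small Python generator for the "one full class per user" approach the post considers. It assumes the remote-id/circuit-id pairs come out of a provisioning database as a user -> circuits mapping; the mapping embedded in the script is constructed sample data, and the class names, IDs and the limit of 2 are illustrative. For each user it emits a dhcpd `class` whose `match if` is the `or` of all that user's (remote-id, circuit-id) pairs and carries a `lease limit`, plus the matching `allow members of` lines for a pool. Before rendering it validates the input: IDs must be colon-separated hex octets (so a bad database row cannot corrupt the config), and a circuit listed under two users is rejected, because both classes would then match the same request and neither limit would mean what the operator thinks.

```python
"""Generate per-user ISC dhcpd class declarations with lease limits.

Each user (apartment) owns one or more relay-agent (option 82) circuits,
identified by a (remote-id, circuit-id) pair.  One class per user matches
any of that user's circuits, and "lease limit N" on the class caps the
number of concurrent leases the user can hold, however many jacks they
plug into.  The USERS mapping below is constructed sample data.
"""
import re

# dhcpd accepts colon-separated hex octets as a literal in a data expression.
_HEX_OCTETS = re.compile(r"^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2})*$")
_CLASS_NAME = re.compile(r"^[A-Za-z0-9_-]+$")

# Constructed sample mapping: user -> list of (remote-id, circuit-id).
# In practice this would be exported from the provisioning database.
USERS = {
    "apt101": [
        ("00:11:22:33:44:55", "00:04:00:01:00:01"),
        ("00:11:22:33:44:55", "00:04:00:01:00:02"),  # second jack, same flat
    ],
    "apt102": [
        ("00:11:22:33:44:55", "00:04:00:01:00:03"),
    ],
}


def _check_octets(value, what):
    """Accept only well-formed hex octet strings; normalize to lower case."""
    if not _HEX_OCTETS.match(value):
        raise ValueError("%s %r is not colon-separated hex octets" % (what, value))
    return value.lower()


def validate(users):
    """Reject bad class names, malformed IDs and circuits shared by two users.

    Returns the normalized mapping.  A circuit under two users would make
    both classes match the same packet, so each class's limit would be
    applied to the wrong set of clients.
    """
    owner = {}
    out = {}
    for user, circuits in users.items():
        if not _CLASS_NAME.match(user):
            raise ValueError("bad class name %r" % user)
        if not circuits:
            raise ValueError("user %r has no circuits" % user)
        norm = []
        for remote_id, circuit_id in circuits:
            key = (_check_octets(remote_id, "remote-id"),
                   _check_octets(circuit_id, "circuit-id"))
            if key in owner and owner[key] != user:
                raise ValueError("circuit %s/%s listed for both %s and %s"
                                 % (key[0], key[1], owner[key], user))
            owner[key] = user
            norm.append(key)
        out[user] = norm
    return out


def render_class(user, circuits, limit):
    """One dhcpd class: match any of the user's circuits, cap its leases."""
    terms = ["(option agent.remote-id = %s and option agent.circuit-id = %s)"
             % (r, c) for r, c in circuits]
    match = "\n        or ".join(terms)
    return ('class "%s" {\n'
            "    match if %s;\n"
            "    lease limit %d;\n"
            "}\n" % (user, match, limit))


def render_pool_allow(users):
    """The 'allow members of' lines to paste into each pool these users draw from."""
    return "".join('    allow members of "%s";\n' % u for u in sorted(users))


def render_config(users, limit=2):
    """Validate the mapping and render all classes plus the pool allow list."""
    users = validate(users)
    parts = [render_class(u, c, limit) for u, c in sorted(users.items())]
    parts.append("# inside each pool { ... } that these users may draw from:\n"
                 + render_pool_allow(users))
    return "\n".join(parts)


if __name__ == "__main__":
    print(render_config(USERS, limit=2))
```

Run the script and paste its output into dhcpd.conf (the classes at global scope, the `allow members of` lines inside the relevant pool), then check it with `dhcpd -t` before reloading. Regenerating from the database on every provisioning change keeps the hundreds of class declarations the post worries about out of hand-maintained configuration.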