[Kea-users] Denying unknown clients?
L. Pavljuk
lukas.pavljuk at sh.cz
Wed Feb 7 17:36:31 UTC 2024
Hello,
I am currently in the process of migrating from the old DHCPD server
over to Kea. So far, I have most functionality carried over, as it was
really simple, but one thing still eludes me.
DHCPD had the directive "deny unknown-clients".
Can that be implemented in Kea? As I create all the leases manually,
through Kea's ctrl daemon and the hook library libdhcp_lease_cmds,
if I do encounter unknown clients, I'd rather just completely ignore them.
---
I tried using the require-client-class, thinking it'd only offer an
address from its subnet to clients who fall into the named class(es).
E.g., a minimal configuration:
{
    "Dhcp4": {
        "subnet4": [
            {
                "id": 1,
                "subnet": "10.1.1.0/24",
                "pools": [ { "pool": "10.1.1.10 - 10.1.1.128" } ],
                "require-client-classes": [
                    "eligible-client"
                ]
            }
        ],
        "client-classes": [
            {
                "name": "eligible-client",
                "test": "member('KNOWN')"
            }
        ]
    }
}
In the logs, I can see the class being evaluated as false, yet, DHCP
Requests still get an offer from the subnet.
My best guess is that it's because the packet arrived at an interface
from the 10.1.1.0/24 range.
The behavior does not change even if I invert the logic and create a
second, random subnet, with the require-client-classes set to an
"unknown-clients" class, defined with a test as not being a member of
the KNOWN class; the first subnet is still being used.
The only other idea I have is to solve this issue externally, through
iptables, filtering for known MAC addresses only... Before I do, I'd
appreciate any pointers if this was possible in Kea after all, and if
so, then how.
Platform: Linux
Distribution: Debian 12 Bookworm
Kea version: 2.2.0-6 (Installed from the distribution's package archives)
Thank you!
~L. Pavljuk