[Kea-users] Denying unknown clients?
Darren Ankney
darren.ankney at gmail.com
Thu Feb 8 10:56:41 UTC 2024
Hi,
If you set reservations for clients that you want to be granted a
lease, then you can replace "require-client-classes": [] with
"client-class": "KNOWN" which will restrict to only "KNOWN" clients in
that subnet (see here:
https://kea.readthedocs.io/en/kea-2.4.0/arm/dhcp4-srv.html#pool-selection-with-client-class-reservations
and here: https://kea.readthedocs.io/en/kea-2.4.0/arm/classify.html#built-in-client-classes)
Thank you,
Darren Ankney
On Wed, Feb 7, 2024 at 12:36 PM L. Pavljuk <lukas.pavljuk at sh.cz> wrote:
>
> Hello,
>
> I am currently in the process of migration from the old DHCPD server
> over to Kea. So far, I have most functionality carried over, as it was
> really simple, but one thing still eludes me.
>
> DHCPD had the directive "deny unknown-clients"
>
> Can that be implemented in Kea? As I create all the leases manually,
> through Kea's ctrl daemon and the hook library libdhcp_lease_cmds,
> if I do encounter unknown clients, I'd rather just completely ignore them.
>
> ---
>
> I tried using the require-client-class, thinking it'd only offer an
> address from its subnet to clients who fall into the named class(es).
>
> E.g., a minimal configuration:
>
> {
>   "Dhcp4": {
>     "subnet4": [
>       {
>         "id": 1,
>         "subnet": "10.1.1.0/24",
>         "pools": [ { "pool": "10.1.1.10 - 10.1.1.128" } ],
>         "require-client-classes": [
>           "eligible-client"
>         ]
>       }
>     ],
>     "client-classes": [
>       {
>         "name": "eligible-client",
>         "test": "member('KNOWN')"
>       }
>     ]
>   }
> }
>
> In the logs, I can see the class being evaluated as false, yet, DHCP
> Requests still get an offer from the subnet.
>
> My best guess is that it's because the packet arrived on an interface
> from the 10.1.1.0/24 range.
>
> The behavior does not change even if I invert the logic and create a
> second, random subnet with require-client-classes set to an
> "unknown-clients" class (defined with a test of not being a member of
> the KNOWN class); the first subnet is still being used.
>
> Only other idea I have is to solve this issue externally, through
> iptables, filtering for known mac addresses only... Before I do, I'd
> appreciate any pointers if this was possible in Kea after all, and if
> so, then how.
>
> Platform: Linux
> Distribution: Debian 12 Bookworm
> Kea version: 2.2.0-6 (Installed from the distribution's package archives)
>
> Thank you!
> ~L. Pavljuk
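Darren's suggestion applied to the configuration Lukas posted, as an added example that is not from either poster and not copied from the Kea documentation. The gate goes on the pool with "client-class": "KNOWN", following the pool-selection section linked above: the built-in KNOWN and UNKNOWN classes are assigned by the host-reservation lookup, which Kea runs after it has already selected the subnet, so a pool-level restriction is the place where the lookup result can take effect. "require-client-classes" is not a gate at all; it only lists classes marked "only-if-required" that Kea should evaluate once a subnet or pool has been chosen, which is why the original configuration still handed out offers while logging the class as false. KNOWN is set only when a reservation matches, so a client that merely has a lease created through lease_cmds is not KNOWN; the allowed devices need reservations, in the configuration as here or in a host database. The interface name and the reservation's MAC address and IP address are constructed placeholders; Kea's configuration parser accepts the // comments.

```json
{
  "Dhcp4": {
    // Interface name is an assumption for this example.
    "interfaces-config": { "interfaces": [ "eth0" ] },

    "subnet4": [
      {
        "id": 1,
        "subnet": "10.1.1.0/24",
        "pools": [
          {
            "pool": "10.1.1.10 - 10.1.1.128",
            // Only clients that matched a host reservation (built-in
            // class KNOWN) may draw from this pool. With no other pool
            // in the subnet, a client without a reservation has nothing
            // to be allocated from and gets no lease.
            "client-class": "KNOWN"
          }
        ],
        // One reservation per permitted device. The MAC address and
        // reserved IP address below are constructed placeholders.
        "reservations": [
          {
            "hw-address": "02:00:00:00:00:01",
            "ip-address": "10.1.1.50"
          }
        ]
      }
    ]
  }
}
```

After reloading, a DHCPDISCOVER from 02:00:00:00:00:01 is answered from the pool, while a DISCOVER from any other MAC address on the same interface finds no pool it is allowed to use and is left unanswered; adding a device later means adding a reservation, not a lease.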