Kea
1.9.9-git
|
user_chk is an example hooks library which customizes the DHCP query processing provided by Kea DHCP server modules (kea-dhcp4 and kea-dhcp6). Specifically it allows subnet selection and DHCP response option customization based upon a registry of DHCP clients. Note that the words "client" and "user" are used interchangeably herein. The intent of the custom behavior is three fold:
The source code is provided in the src/hooks/dhcp/use_chk directory.
At the heart of the library is a class hierarchy centered around the class, user_chk::UserRegistry
. This class represents a maintainable, searchable registry of "known" users and their attributes. It provides services to load, clear, and refresh the registry as well as to add, find, and remove users.
Each entry in the registry is an instance of the class, user_chk::User
. Users are uniquely identified by their user_chk::UserId
. UserIds are comprised of data taken from the DHCP request. IPv4 users have a type of "HW_ADDR" and their id is the hardware address from the request. IPv6 users have a type of "DUID" and their id is the DUID from the request.
The registry may be manually populated or loaded from a source of data which implements the UserDataSource
interface. Currently, a single implementation has been implemented, user_chk::UserFile
. UserFile supports reading the registry from a text file in which each line is a user entry in JSON format. Each entry contains the id type and user id along with optional attributes. Attributes are essentially name/value pairs whose significance is left up to the calling layer. UserFile does not enforce any specific content beyond id type and id. (See user_file.h for more details on file content).
The library implements callouts for packet receive, subnet select, and packet send for both IPv4 and IPv6. Regardless of the protocol type, the process flow upon receipt of an inbound request is the same and is as follows:
"pkt_receive" callout is invoked
Note that each time a packet is received, the user registry is refreshed. This ensures that the registry content always has the latest external updates. The primary goal at this stage is check the registry for the user and push the result to the context making it available to subsequent callouts.
"subnet_select" callout is invoked
By convention, the last subnet in the collection of subnets available is assumed to be the "restricted access" subnet. A more sophisticated mechanism is likely to be needed.
"pkt_send" callout is invoked:
This final step is what produces the real time record, referred to as the "user check outcome" file.
In case any other library sets the SKIP flag before pkt4_send or pkt6_send, an exception with the message "the packet pack already handled" will be thrown, to indicate that the action can not be properly performed. To fix this, all other libraries which might set the SKIP flag must appear in the server configuration after this library.
Two steps are required in order to use the library:
Currently, the library uses a hard coded pathname for the user registry defined in load_unload.cc:
Each line in the file is a self-contained JSON snippet which must have the following two entries:
- "type" whose value is "HW_ADDR" for IPv4 users or "DUID" for IPv6 users - "id" whose value is either the hardware address or the DUID from the request formatted as a string of hex digits, with or without ":" delimiters.
and may have the zero or more of the following entries:
- "bootfile" whose value is the pathname of the desired file - "tftp_server" whose value is the hostname or IP address of the desired server
Sample user registry file is shown below:
It is possible to specify additional attributes. They will be loaded and stored with the user's entry in the registry. This allows the library to be extended to perform additional actions based on these attributes.
Upon start up the library will attempt to load this file. If it does not exist the library will unload.
It must be configured as a hook library for the desired DHCP server modules. Note that the user_chk library is installed alongside the Kea libraries in "<install-dir>/lib" where <install-dir> is determined by the –prefix option of the configure script. It defaults to "/usr/local". Assuming the default value then, configuring kea-dhcp4 to load the user_chk library could be done with the following Kea4 configuration:
To configure it for kea-dhcp6, the commands are simply as shown below:
Once up and running, the library should begin adding entries to the outcome file. Currently, the library uses a hard coded pathname for the user registry defined in load_unload.cc:
If the file cannot be created (or opened), the library will unload.
For each lease granted, the library will add the following information to the end of the file: the id type, the user id, the lease or prefix granted, and whether or not the user was found in the registry. This information is written in the form of "name=value" with one value per line. (See subnet_callout.cc for details.)
A sample outcome file is shown below:
Note the library always opens this file in append mode and does not limit its size.
The user_chk hooks library does not define a multi_threading_compatible() C function so is considered as not compatible with multi-threading (and the current code should be in fact really not compatible).