1 .\" $Id: dhcp-eval.5,v 1.33 2012/05/17 15:50:14 sar Exp $
3 .\" Copyright (c) 2009-2012 by Internet Systems Consortium, Inc. ("ISC")
4 .\" Copyright (c) 2004,2007 by Internet Systems Consortium, Inc. ("ISC")
5 .\" Copyright (c) 1996-2003 by Internet Software Consortium
7 .\" Permission to use, copy, modify, and distribute this software for any
8 .\" purpose with or without fee is hereby granted, provided that the above
9 .\" copyright notice and this permission notice appear in all copies.
11 .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
12 .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13 .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
14 .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15 .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
17 .\" OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 .\" Internet Systems Consortium, Inc.
20 .\" 950 Charter Street
21 .\" Redwood City, CA 94063
23 .\" https://www.isc.org/
25 .\" This software has been written for Internet Systems Consortium
26 .\" by Ted Lemon in cooperation with Vixie Enterprises and Nominum, Inc.
28 .\" Support and other services are available for ISC products - see
29 .\" https://www.isc.org for more information or to learn more about ISC.
33 dhcp-eval - ISC DHCP conditional evaluation
35 The Internet Systems Consortium DHCP client and server both provide
36 the ability to perform conditional behavior depending on the contents
37 of packets they receive. The syntax for specifying this conditional
38 behaviour is documented here.
39 .SH REFERENCE: CONDITIONAL BEHAVIOUR
40 Conditional behaviour is specified using the if statement and the else
41 or elsif statements. A conditional statement can appear anywhere
42 that a regular statement (e.g., an option statement) can appear, and
43 can enclose one or more such statements. A typical conditional
44 statement in a server might be:
47 if option dhcp-user-class = "accounting" {
49 option domain-name "accounting.example.org";
50 option domain-name-servers ns1.accounting.example.org,
51 ns2.accounting.example.org;
52 } elsif option dhcp-user-class = "sales" {
54 option domain-name "sales.example.org";
55 option domain-name-servers ns1.sales.example.org,
56 ns2.sales.example.org;
57 } elsif option dhcp-user-class = "engineering" {
59 option domain-name "engineering.example.org";
60 option domain-name-servers ns1.engineering.example.org,
61 ns2.engineering.example.org;
64 option domain-name "misc.example.org";
65 option domain-name-servers ns1.misc.example.org,
70 On the client side, an example of conditional evaluation might be:
73 # example.org filters DNS at its firewall, so we have to use their DNS
74 # servers when we connect to their network. If we are not at
75 # example.org, prefer our own DNS server.
76 if not option domain-name = "example.org" {
77 prepend domain-name-servers 127.0.0.1;
85 continuation statement both take boolean expressions as their
86 arguments. That is, they take expressions that, when evaluated,
87 produce a boolean result. If the expression evaluates to true, then
88 the statements enclosed in braces following the
90 statement are executed, and all subsequent
94 clauses are skipped. Otherwise, each subsequent
96 clause's expression is checked, until an elsif clause is encountered
97 whose test evaluates to true. If such a clause is found, the
98 statements in braces following it are executed, and then any
103 clauses are skipped. If all the
107 clauses are checked but none
108 of their expressions evaluate true, then if there is an
110 clause, the statements enclosed in braces following the
112 are evaluated. Boolean expressions that evaluate to null are
113 treated as false in conditionals.
114 .SH BOOLEAN EXPRESSIONS
115 The following is the current list of boolean expressions that are
116 supported by the DHCP distribution.
118 .I data-expression-1 \fB=\fR \fIdata-expression-2\fR
121 The \fB=\fR operator compares the values of two data expressions,
122 returning true if they are the same, false if they are not. If
123 either the left-hand side or the right-hand side are null, the
127 .I data-expression-1 \fB~=\fR \fIdata-expression-2\fR
128 .I data-expression-1 \fB~~\fR \fIdata-expression-2\fR
131 The \fB~=\fR and \fB~~\fR operators (not available on all systems) perform
132 extended regex(7) matching of the values of two data expressions, returning
133 true if \fIdata-expression-1\fR matches against the regular expression
134 evaluated by \fIdata-expression-2\fR, or false if it does not match or
135 encounters some error. If either the left-hand side or the right-hand side
136 are null or empty strings, the result is also false. The \fB~~\fR operator
137 differs from the \fB~=\fR operator in that it is case-insensitive.
140 .I boolean-expression-1 \fBand\fR \fIboolean-expression-2\fR
143 The \fBand\fR operator evaluates to true if the boolean expression on
144 the left-hand side and the boolean expression on the right-hand side
145 both evaluate to true. Otherwise, it evaluates to false. If either
146 the expression on the left-hand side or the expression on the
147 right-hand side are null, the result is null.
150 .I boolean-expression-1 \fBor\fR \fIboolean-expression-2\fR
153 The \fBor\fR operator evaluates to true if either the boolean
154 expression on the left-hand side or the boolean expression on the
155 right-hand side evaluate to true. Otherwise, it evaluates to false.
156 If either the expression on the left-hand side or the expression on
157 the right-hand side are null, the result is null.
160 .B not \fIboolean-expression
163 The \fBnot\fR operator evaluates to true if \fIboolean-expression\fR
164 evaluates to false, and returns false if \fIboolean-expression\fR evaluates
165 to true. If \fIboolean-expression\fR evaluates to null, the result
169 .B exists \fIoption-name\fR
172 The \fBexists\fR expression returns true if the specified option
173 exists in the incoming DHCP packet being processed.
178 The \fBknown\fR expression returns true if the client whose request is
179 currently being processed is known - that is, if there's a host
185 The \fBstatic\fR expression returns true if the lease assigned to the
186 client whose request is currently being processed is derived from a static
190 Several of the boolean expressions above depend on the results of
191 evaluating data expressions. A list of these expressions is provided
194 .B substring (\fIdata-expr\fB, \fIoffset\fB, \fIlength\fB)\fR
197 The \fBsubstring\fR operator evaluates the data expression and returns
198 the substring of the result of that evaluation that starts
199 \fIoffset\fR bytes from the beginning, continuing for \fIlength\fR
200 bytes. \fIOffset\fR and \fIlength\fR are both numeric expressions.
201 If \fIdata-expr\fR, \fIoffset\fR or \fIlength\fR evaluate to null,
202 then the result is also null. If \fIoffset\fR is greater than or
203 equal to the length of the evaluated data, then a zero-length data
204 string is returned. If \fIlength\fI is greater then the remaining
205 length of the evaluated data after \fIoffset\fR, then a data string
206 containing all data from \fIoffset\fR to the end of the evaluated data
210 .B suffix (\fIdata-expr\fB, \fIlength\fB)\fR
213 The \fBsuffix\fR operator evaluates \fIdata-expr\fR and returns the
214 last \fIlength\fR bytes of the result of that evaluation. \fILength\fR
215 is a numeric expression. If \fIdata-expr\fR or \fIlength\fR evaluate
216 to null, then the result is also null. If \fIsuffix\fR evaluates to a
217 number greater than the length of the evaluated data, then the
218 evaluated data is returned.
221 .B lcase (\fIdata-expr\fB)\fR
224 The \fBlcase\fR function returns the result of evaluating
225 \fIdata-expr\fR converted to lower case. If \fIdata-expr\fR evaluates
226 to null, then the result is also null.
229 .B ucase (\fIdata-expr\fB)\fR
232 The \fBucase\fR function returns the result of evaluating
233 \fIdata-expr\fR converted to upper case. If \fIdata-expr\fR evaluates
234 to null, then the result is also null.
237 .B option \fIoption-name\fR
240 The \fBoption\fR operator returns the contents of the specified option in
241 the packet to which the server is responding.
244 .B config-option \fIoption-name\fR
247 The \fBconfig-option\fR operator returns the value for the specified option
248 that the DHCP client or server has been configured to send.
254 The \fBgethostname()\fR function returns a data string whose contents are a
255 character string, the results of calling gethostname() on the local
256 system with a size limit of 255 bytes (not including NULL terminator). This
257 can be used for example to configure dhclient to send the local hostname
258 without knowing the local hostname at the time dhclient.conf is written.
264 The \fBhardware\fR operator returns a data string whose first element
265 is the type of network interface indicated in packet being considered,
266 and whose subsequent elements are client's link-layer address. If
267 there is no packet, or if the RFC2131 \fIhlen\fR field is invalid,
268 then the result is null. Hardware types include ethernet (1),
269 token-ring (6), and fddi (8). Hardware types are specified by the
270 IETF, and details on how the type numbers are defined can be found in
271 RFC2131 (in the ISC DHCP distribution, this is included in the doc/
275 .B packet (\fIoffset\fB, \fIlength\fB)\fR
278 The \fBpacket\fR operator returns the specified portion of the packet
279 being considered, or null in contexts where no packet is being
280 considered. \fIOffset\fR and \fIlength\fR are applied to the
281 contents packet as in the \fBsubstring\fR operator.
287 A string, enclosed in quotes, may be specified as a data expression,
288 and returns the text between the quotes, encoded in ASCII. The
289 backslash ('\\') character is treated specially, as in C programming: '\\t'
290 means TAB, '\\r' means carriage return, '\\n' means newline, and '\\b' means
291 bell. Any octal value can be specified with '\\nnn', where nnn is any
292 positive octal number less than 0400. Any hexadecimal value can be
293 specified with '\\xnn', where nn is any positive hexadecimal number less
294 than or equal to 0xff.
297 .I colon-separated hexadecimal list
300 A list of hexadecimal octet values, separated by colons, may be
301 specified as a data expression.
304 .B concat (\fIdata-expr1\fB, ..., \fIdata-exprN\fB)\fR
306 The expressions are evaluated, and the results of each evaluation are
307 concatenated in the sequence that the subexpressions are listed. If
308 any subexpression evaluates to null, the result of the concatenation
312 .B reverse (\fInumeric-expr1\fB, \fIdata-expr2\fB)\fR
314 The two expressions are evaluated, and then the result of evaluating
315 the data expression is reversed in place, using hunks of the size
316 specified in the numeric expression. For example, if the numeric
317 expression evaluates to four, and the data expression evaluates to
318 twelve bytes of data, then the reverse expression will evaluate to
319 twelve bytes of data, consisting of the last four bytes of the the
320 input data, followed by the middle four bytes, followed by the first
326 In any context where the client whose request is being processed has
327 been assigned an IP address, this data expression returns that IP
328 address. In any context where the client whose request is being
329 processed has not been assigned an ip address, if this data expression
330 is found in executable statements executed on that client's behalf,
331 a log message indicating "there is no lease associated with this client"
332 is syslogged to the debug level (this is considered dhcpd.conf debugging
336 .B binary-to-ascii (\fInumeric-expr1\fB, \fInumeric-expr2\fB,
337 .B \fIdata-expr1\fB,\fR \fIdata-expr2\fB)\fR
339 Converts the result of evaluating data-expr2 into a text string
340 containing one number for each element of the result of evaluating
341 data-expr2. Each number is separated from the other by the result of
342 evaluating data-expr1. The result of evaluating numeric-expr1
343 specifies the base (2 through 16) into which the numbers should be
344 converted. The result of evaluating numeric-expr2 specifies the
345 width in bits of each number, which may be either 8, 16 or 32.
347 As an example of the preceding three types of expressions, to produce
348 the name of a PTR record for the IP address being assigned to a
349 client, one could write the following expression:
353 concat (binary-to-ascii (10, 8, ".",
354 reverse (1, leased-address)),
360 .B encode-int (\fInumeric-expr\fB, \fIwidth\fB)\fR
362 Numeric-expr is evaluated and encoded as a data string of the
363 specified width, in network byte order (most significant byte first).
364 If the numeric expression evaluates to the null value, the result is
368 .B pick-first-value (\fIdata-expr1\fR [ ... \fIexpr\fRn ] \fB)\fR
370 The pick-first-value function takes any number of data expressions as
371 its arguments. Each expression is evaluated, starting with the first
372 in the list, until an expression is found that does not evaluate to a
373 null value. That expression is returned, and none of the subsequent
374 expressions are evaluated. If all expressions evaluate to a null
375 value, the null value is returned.
380 The host-decl-name function returns the name of the host declaration
381 that matched the client whose request is currently being processed, if
382 any. If no host declaration matched, the result is the null value.
384 .SH NUMERIC EXPRESSIONS
385 Numeric expressions are expressions that evaluate to an integer. In
386 general, the maximum size of such an integer should not be assumed to
387 be representable in fewer than 32 bits, but the precision of such
388 integers may be more than 32 bits.
390 .B extract-int (\fIdata-expr\fB, \fIwidth\fB)\fR
393 The \fBextract-int\fR operator extracts an integer value in network
394 byte order from the result of evaluating the specified data
395 expression. Width is the width in bits of the integer to extract.
396 Currently, the only supported widths are 8, 16 and 32. If the
397 evaluation of the data expression doesn't provide sufficient bits to
398 extract an integer of the specified size, the null value is returned.
404 The duration of the current lease - that is, the difference between
405 the current time and the time that the lease expires.
411 Any number between zero and the maximum representable size may be
412 specified as a numeric expression.
418 The current state of the client instance being processed. This is
419 only useful in DHCP client configuration files. Possible values are:
422 Booting - DHCP client is in the INIT state, and does not yet have an
423 IP address. The next message transmitted will be a DHCPDISCOVER,
424 which will be broadcast.
427 Reboot - DHCP client is in the INIT-REBOOT state. It has an IP
428 address, but is not yet using it. The next message to be transmitted
429 will be a DHCPREQUEST, which will be broadcast. If no response is
430 heard, the client will bind to its address and move to the BOUND state.
433 Select - DHCP client is in the SELECTING state - it has received at
434 least one DHCPOFFER message, but is waiting to see if it may receive
435 other DHCPOFFER messages from other servers. No messages are sent in
439 Request - DHCP client is in the REQUESTING state - it has received at
440 least one DHCPOFFER message, and has chosen which one it will
441 request. The next message to be sent will be a DHCPREQUEST message,
442 which will be broadcast.
445 Bound - DHCP client is in the BOUND state - it has an IP address. No
446 messages are transmitted in this state.
449 Renew - DHCP client is in the RENEWING state - it has an IP address,
450 and is trying to contact the server to renew it. The next message to
451 be sent will be a DHCPREQUEST message, which will be unicast directly
455 Rebind - DHCP client is in the REBINDING state - it has an IP address,
456 and is trying to contact any server to renew it. The next message to
457 be sent will be a DHCPREQUEST, which will be broadcast.
459 .SH REFERENCE: ACTION EXPRESSIONS
461 .B log (\fIpriority\fB, \fIdata-expr\fB)\fR
464 Logging statements may be used to send information to the standard logging
465 channels. A logging statement includes an optional priority (\fBfatal\fR,
466 \fBerror\fR, \fBinfo\fR, or \fBdebug\fR), and a data expression.
468 Logging statements take only a single data expression argument, so if you
469 want to output multiple data values, you will need to use the \fBconcat\fR
470 operator to concatenate them.
473 .B execute (\fIcommand-path\fB [, \fIdata-expr1\fB, ... \fIdata-exprN\fB]);\fR
476 The \fBexecute\fR statement runs an external command. The first argument
477 is a string literal containing the name or path of the command to run.
478 The other arguments, if present, are either string literals or data-
479 expressions which evaluate to text strings, to be passed as command-line
480 arguments to the command.
482 \fBexecute\fR is synchronous; the program will block until the external
483 command being run has finished. Please note that lengthy program
484 execution (for example, in an "on commit" in dhcpd.conf) may result in
485 bad performance and timeouts. Only external applications with very short
486 execution times are suitable for use.
488 Passing user-supplied data to an external application might be dangerous.
489 Make sure the external application checks input buffers for validity.
490 Non-printable ASCII characters will be converted into dhcpd.conf language
491 octal escapes ("\\nnn"), make sure your external command handles them as
494 It is possible to use the execute statement in any context, not only
495 on events. If you put it in a regular scope in the configuration file
496 you will execute that command every time a scope is evaluated.
498 .SH REFERENCE: DYNAMIC DNS UPDATES
500 The DHCP client and server have the ability to dynamically update the
501 Domain Name System. Within the configuration files, you can define
502 how you want the Domain Name System to be updated. These updates are
503 RFC 2136 compliant so any DNS server supporting RFC 2136 should be
504 able to accept updates from the DHCP server.
506 Support for TSIG and DNSSEC is not yet available. When you set your
507 DNS server up to allow updates from the DHCP server or client, you may
508 be exposing it to unauthorized updates. To avoid this, the best you
509 can do right now is to use IP address-based packet filtering to
510 prevent unauthorized hosts from submitting update requests.
511 Obviously, there is currently no way to provide security for client
512 updates - this will require TSIG or DNSSEC, neither of which is yet
513 available in the DHCP distribution.
515 Dynamic DNS (DDNS) updates are performed by using the \fBdns-update\fR
516 expression. The \fBdns-update\fR expression is a boolean expression
517 that takes four parameters. If the update succeeds, the result is
518 true. If it fails, the result is false. The four parameters that the
519 are the resource record type (RR), the left hand side of the RR, the
520 right hand side of the RR and the ttl that should be applied to the
521 record. The simplest example of the use of the function can be found
522 in the reference section of the dhcpd.conf file, where events are
523 described. In this example several statements are being used to make
524 the arguments to the \fBdns-update\fR.
526 In the example, the first argument to the first \f\Bdns-update\fR
527 expression is a data expression that evaluates to the A RR type. The
528 second argument is constructed by concatenating the DHCP host-name
529 option with a text string containing the local domain, in this case
530 "ssd.example.net". The third argument is constructed by converting
531 the address the client has been assigned from a 32-bit number into an
532 ascii string with each byte separated by a ".". The fourth argument,
533 the TTL, specifies the amount of time remaining in the lease (note
534 that this isn't really correct, since the DNS server will pass this
535 TTL out whenever a request comes in, even if that is only a few
536 seconds before the lease expires).
538 If the first \fBdns-update\fR statement succeeds, it is followed up
539 with a second update to install a PTR RR. The installation of a PTR
540 record is similar to installing an A RR except that the left hand side
541 of the record is the leased address, reversed, with ".in-addr.arpa"
542 concatenated. The right hand side is the fully qualified domain name
543 of the client to which the address is being leased.
545 dhcpd.conf(5), dhcpd.leases(5), dhclient.conf(5), dhcp-options(5), dhcpd(8),
546 dhclient(8), RFC2132, RFC2131.
548 The Internet Systems Consortium DHCP Distribution was written by Ted
549 Lemon under a contract with Vixie Labs. Funding for
550 this project was provided through Internet Systems Consortium.
551 Information about Internet Systems Consortium can be found at
552 .B https://www.isc.org.