1dhcp-eval(5) File Formats Manual dhcp-eval(5)
2
6 dhcp-eval - ISC DHCP conditional evaluation
7
9 The Internet Systems Consortium DHCP client and server both provide the
10 ability to perform conditional behavior depending on the contents of
11 packets they receive. The syntax for specifying this conditional be‐
12 haviour is documented here.
13
15 Conditional behaviour is specified using the if statement and the else
16 or elsif statements. A conditional statement can appear anywhere that
17 a regular statement (e.g., an option statement) can appear, and can
18 enclose one or more such statements. A typical conditional statement
19 in a server might be:
20 if option dhcp-user-class = "accounting" {
22 max-lease-time 17600;
23 option domain-name "accounting.example.org";
24 option domain-name-servers ns1.accounting.example.org,
25 ns2.accounting.example.org;
26 } elsif option dhcp-user-class = "sales" {
27 max-lease-time 17600;
28 option domain-name "sales.example.org";
29 option domain-name-servers ns1.sales.example.org,
30 ns2.sales.example.org;
31 } elsif option dhcp-user-class = "engineering" {
32 max-lease-time 17600;
33 option domain-name "engineering.example.org";
34 option domain-name-servers ns1.engineering.example.org,
35 ns2.engineering.example.org;
36 } else {
37 max-lease-time 600;
38 option domain-name "misc.example.org";
39 option domain-name-servers ns1.misc.example.org,
40 ns2.misc.example.org;
41 }
42 On the client side, an example of conditional evaluation might be:
44 # example.org filters DNS at its firewall, so we have to use their DNS
46 # servers when we connect to their network. If we are not at
47 # example.org, prefer our own DNS server.
48 if not option domain-name = "example.org" {
49 prepend domain-name-servers 127.0.0.1;
50 }
51 The if statement and the elsif continuation statement both take boolean
53 expressions as their arguments. That is, they take expressions that,
54 when evaluated, produce a boolean result. If the expression evaluates
55 to true, then the statements enclosed in braces following the if state‐
56 ment are executed, and all subsequent elsif and else clauses are
57 skipped. Otherwise, each subsequent elsif clause's expression is
58 checked, until an elsif clause is encountered whose test evaluates to
59 true. If such a clause is found, the statements in braces following
60 it are executed, and then any subsequent elsif and else clauses are
61 skipped. If all the if and elsif clauses are checked but none of
62 their expressions evaluate true, then if there is an else clause, the
63 statements enclosed in braces following the else are evaluated. Bool‐
64 ean expressions that evaluate to null are treated as false in condi‐
65 tionals.
66
68 The following is the current list of boolean expressions that are sup‐
69 ported by the DHCP distribution.
70 data-expression-1 = data-expression-2
72 The = operator compares the values of two data expressions, returning
74 true if they are the same, false if they are not. If either the
75 left-hand side or the right-hand side are null, the result is also
76 null.
77 data-expression-1 ~= data-expression-2 data-expression-1 ~~ data-
79 expression-2
80 The ~= and ~~ operators (not available on all systems) perform
82 extended regex(7) matching of the values of two data expressions,
83 returning true if data-expression-1 matches against the regular
84 expression evaluated by data-expression-2, or false if it does not
85 match or encounters some error. If either the left-hand side or the
86 right-hand side are null, the result is also false. The ~~ operator
87 differs from the ~= operator in that it is case-insensitive.
88 boolean-expression-1 and boolean-expression-2
90 The and operator evaluates to true if the boolean expression on the
92 left-hand side and the boolean expression on the right-hand side both
93 evaluate to true. Otherwise, it evaluates to false. If either the
94 expression on the left-hand side or the expression on the right-hand
95 side are null, the result is null.
96 boolean-expression-1 or boolean-expression-2
98 The or operator evaluates to true if either the boolean expression on
100 the left-hand side or the boolean expression on the right-hand side
101 evaluate to true. Otherwise, it evaluates to false. If either the
102 expression on the left-hand side or the expression on the right-hand
103 side are null, the result is null.
104 not boolean-expression
106 The not operator evaluates to true if boolean-expression evaluates to
108 false, and returns false if boolean-expression evaluates to true.
109 If boolean-expression evaluates to null, the result is also null.
110 exists option-name
112 The exists expression returns true if the specified option exists in
114 the incoming DHCP packet being processed.
115 known
116 The known expression returns true if the client whose request is cur‐
118 rently being processed is known - that is, if there's a host declara‐
119 tion for it.
120 static
121 The static expression returns true if the lease assigned to the
123 client whose request is currently being processed is derived from a
124 static address assignment.
125
127 Several of the boolean expressions above depend on the results of eval‐
128 uating data expressions. A list of these expressions is provided
129 here.
130 substring (data-expr, offset, length)
132 The substring operator evaluates the data expression and returns the
134 substring of the result of that evaluation that starts offset bytes
135 from the beginning, continuing for length bytes. Offset and length
136 are both numeric expressions. If data-expr, offset or length evalu‐
137 ate to null, then the result is also null. If offset is greater than
138 or equal to the length of the evaluated data, then a zero-length data
139 string is returned. If length is greater then the remaining length
140 of the evaluated data after offset, then a data string containing all
141 data from offset to the end of the evaluated data is returned.
142 suffix (data-expr, length)
144 The suffix operator evaluates data-expr and returns the last length
146 bytes of the result of that evaluation. Length is a numeric expres‐
147 sion. If data-expr or length evaluate to null, then the result is
148 also null. If suffix evaluates to a number greater than the length
149 of the evaluated data, then the evaluated data is returned.
150 lcase (data-expr)
152 The lcase function returns the result of evaluating data-expr con‐
154 verted to lower case. If data-expr evaluates to null, then the
155 result is also null.
156 ucase (data-expr)
158 The ucase function returns the result of evaluating data-expr con‐
160 verted to upper case. If data-expr evaluates to null, then the
161 result is also null.
162 option option-name
164 The option operator returns the contents of the specified option in
166 the packet to which the server is responding.
167 config-option option-name
169 The config-option operator returns the value for the specified option
171 that the DHCP client or server has been configured to send.
172 gethostname()
174 The gethostname() function returns a data string whose contents are a
176 character string, the results of calling gethostname() on the local
177 system with a size limit of 255 bytes (not including NULL termina‐
178 tor). This can be used for example to configure dhclient to send the
179 local hostname without knowing the local hostname at the time
180 dhclient.conf is written.
181 hardware
183 The hardware operator returns a data string whose first element is
185 the type of network interface indicated in packet being considered,
186 and whose subsequent elements are client's link-layer address. If
187 there is no packet, or if the RFC2131 hlen field is invalid, then the
188 result is null. Hardware types include ethernet (1), token-ring
189 (6), and fddi (8). Hardware types are specified by the IETF, and
190 details on how the type numbers are defined can be found in RFC2131
191 (in the ISC DHCP distribution, this is included in the doc/ subdirec‐
192 tory).
193 packet (offset, length)
195 The packet operator returns the specified portion of the packet being
197 considered, or null in contexts where no packet is being considered.
198 Offset and length are applied to the contents packet as in the sub‐
199 string operator.
200 string
202 A string, enclosed in quotes, may be specified as a data expression,
204 and returns the text between the quotes, encoded in ASCII. The
205 backslash ('\') character is treated specially, as in C programming:
206 '\t' means TAB, '\r' means carriage return, '\n' means newline, and
207 '\b' means bell. Any octal value can be specified with '\nnn',
208 where nnn is any positive octal number less than 0400. Any hexadeci‐
209 mal value can be specified with '\xnn', where nn is any positive
210 hexadecimal number less than or equal to 0xff.
211 colon-separated hexadecimal list
213 A list of hexadecimal octet values, separated by colons, may be spec‐
215 ified as a data expression.
216 concat (data-expr1, ..., data-exprN)
218 The expressions are evaluated, and the results of each evaluation are
219 concatenated in the sequence that the subexpressions are listed. If
220 any subexpression evaluates to null, the result of the concatenation
221 is null.
222 reverse (numeric-expr1, data-expr2)
224 The two expressions are evaluated, and then the result of evaluating
225 the data expression is reversed in place, using hunks of the size
226 specified in the numeric expression. For example, if the numeric
227 expression evaluates to four, and the data expression evaluates to
228 twelve bytes of data, then the reverse expression will evaluate to
229 twelve bytes of data, consisting of the last four bytes of the the
230 input data, followed by the middle four bytes, followed by the first
231 four bytes.
232 leased-address
234 In any context where the client whose request is being processed has
235 been assigned an IP address, this data expression returns that IP
236 address. In any context where the client whose request is being pro‐
237 cessed has not been assigned an ip address, if this data expression
238 is found in executable statements executed on that client's behalf, a
239 log message indicating "there is no lease associated with this
240 client" is syslogged to the debug level (this is considered
241 dhcpd.conf debugging information).
242 binary-to-ascii (numeric-expr1, numeric-expr2, data-expr1, data-expr2)
244 Converts the result of evaluating data-expr2 into a text string con‐
245 taining one number for each element of the result of evaluating data-
246 expr2. Each number is separated from the other by the result of
247 evaluating data-expr1. The result of evaluating numeric-expr1 spec‐
248 ifies the base (2 through 16) into which the numbers should be con‐
249 verted. The result of evaluating numeric-expr2 specifies the width
250 in bits of each number, which may be either 8, 16 or 32.
251 As an example of the preceding three types of expressions, to produce
253 the name of a PTR record for the IP address being assigned to a
254 client, one could write the following expression:
255 concat (binary-to-ascii (10, 8, ".",
257 reverse (1, leased-address)),
258 ".in-addr.arpa.");
259 encode-int (numeric-expr, width)
262 Numeric-expr is evaluated and encoded as a data string of the speci‐
263 fied width, in network byte order (most significant byte first). If
264 the numeric expression evaluates to the null value, the result is
265 also null.
266 pick-first-value (data-expr1 [ ... exprn ] )
268 The pick-first-value function takes any number of data expressions as
269 its arguments. Each expression is evaluated, starting with the
270 first in the list, until an expression is found that does not evalu‐
271 ate to a null value. That expression is returned, and none of the
272 subsequent expressions are evaluated. If all expressions evaluate
273 to a null value, the null value is returned.
274 host-decl-name
276 The host-decl-name function returns the name of the host declaration
277 that matched the client whose request is currently being processed,
278 if any. If no host declaration matched, the result is the null
279 value.
280
282 Numeric expressions are expressions that evaluate to an integer. In
283 general, the maximum size of such an integer should not be assumed to
284 be representable in fewer than 32 bits, but the precision of such inte‐
285 gers may be more than 32 bits.
286 extract-int (data-expr, width)
288 The extract-int operator extracts an integer value in network byte
290 order from the result of evaluating the specified data expression.
291 Width is the width in bits of the integer to extract. Currently, the
292 only supported widths are 8, 16 and 32. If the evaluation of the
293 data expression doesn't provide sufficient bits to extract an integer
294 of the specified size, the null value is returned.
295 lease-time
297 The duration of the current lease - that is, the difference between
299 the current time and the time that the lease expires.
300 number
302 Any number between zero and the maximum representable size may be
304 specified as a numeric expression.
305 client-state
307 The current state of the client instance being processed. This is
309 only useful in DHCP client configuration files. Possible values
310 are:
311 · Booting - DHCP client is in the INIT state, and does not yet have
313 an IP address. The next message transmitted will be a DHCPDIS‐
314 COVER, which will be broadcast.
315 · Reboot - DHCP client is in the INIT-REBOOT state. It has an IP
317 address, but is not yet using it. The next message to be trans‐
318 mitted will be a DHCPREQUEST, which will be broadcast. If no
319 response is heard, the client will bind to its address and move to
320 the BOUND state.
321 · Select - DHCP client is in the SELECTING state - it has received at
323 least one DHCPOFFER message, but is waiting to see if it may
324 receive other DHCPOFFER messages from other servers. No messages
325 are sent in the SELECTING state.
326 · Request - DHCP client is in the REQUESTING state - it has received
328 at least one DHCPOFFER message, and has chosen which one it will
329 request. The next message to be sent will be a DHCPREQUEST mes‐
330 sage, which will be broadcast.
331 · Bound - DHCP client is in the BOUND state - it has an IP address.
333 No messages are transmitted in this state.
334 · Renew - DHCP client is in the RENEWING state - it has an IP
336 address, and is trying to contact the server to renew it. The
337 next message to be sent will be a DHCPREQUEST message, which will
338 be unicast directly to the server.
339 · Rebind - DHCP client is in the REBINDING state - it has an IP
341 address, and is trying to contact any server to renew it. The
342 next message to be sent will be a DHCPREQUEST, which will be broad‐
343 cast.
344
346 log (priority, data-expr)
347 Logging statements may be used to send information to the standard
349 logging channels. A logging statement includes an optional priority
350 (fatal, error, info, or debug), and a data expression.
351 Logging statements take only a single data expression argument, so if
353 you want to output multiple data values, you will need to use the
354 concat operator to concatenate them.
355 execute (command-path [, data-expr1, ... data-exprN]);
357 The execute statement runs an external command. The first argument
359 is a string literal containing the name or path of the command to
360 run. The other arguments, if present, are either string literals or
361 data- expressions which evaluate to text strings, to be passed as
362 command-line arguments to the command.
363 execute is synchronous; the program will block until the external
365 command being run has finished. Please note that lengthy program
366 execution (for example, in an "on commit" in dhcpd.conf) may result
367 in bad performance and timeouts. Only external applications with
368 very short execution times are suitable for use.
369 Passing user-supplied data to an external application might be dan‐
371 gerous. Make sure the external application checks input buffers for
372 validity. Non-printable ASCII characters will be converted into
373 dhcpd.conf language octal escapes ("777"), make sure your external
374 command handles them as such.
375 It is possible to use the execute statement in any context, not only
377 on events. If you put it in a regular scope in the configuration file
378 you will execute that command every time a scope is evaluated.
379
381 The DHCP client and server have the ability to dynamically update the
382 Domain Name System. Within the configuration files, you can define how
383 you want the Domain Name System to be updated. These updates are RFC
384 2136 compliant so any DNS server supporting RFC 2136 should be able to
385 accept updates from the DHCP server.
386
388 Support for TSIG and DNSSEC is not yet available. When you set your
389 DNS server up to allow updates from the DHCP server or client, you may
390 be exposing it to unauthorized updates. To avoid this, the best you
391 can do right now is to use IP address-based packet filtering to prevent
392 unauthorized hosts from submitting update requests. Obviously, there
393 is currently no way to provide security for client updates - this will
394 require TSIG or DNSSEC, neither of which is yet available in the DHCP
395 distribution.
396 Dynamic DNS (DDNS) updates are performed by using the dns-update
398 expression. The dns-update expression is a boolean expression that
399 takes four parameters. If the update succeeds, the result is true. If
400 it fails, the result is false. The four parameters that the are the
401 resource record type (RR), the left hand side of the RR, the right hand
402 side of the RR and the ttl that should be applied to the record. The
403 simplest example of the use of the function can be found in the refer‐
404 ence section of the dhcpd.conf file, where events are described. In
405 this example several statements are being used to make the arguments to
406 the dns-update.
407 In the example, the first argument to the first Bdns-update expression
409 is a data expression that evaluates to the A RR type. The second argu‐
410 ment is constructed by concatenating the DHCP host-name option with a
411 text string containing the local domain, in this case "ssd.exam‐
412 ple.net". The third argument is constructed by converting the address
413 the client has been assigned from a 32-bit number into an ascii string
414 with each byte separated by a ".". The fourth argument, the TTL, spec‐
415 ifies the amount of time remaining in the lease (note that this isn't
416 really correct, since the DNS server will pass this TTL out whenever a
417 request comes in, even if that is only a few seconds before the lease
418 expires).
419 If the first dns-update statement succeeds, it is followed up with a
421 second update to install a PTR RR. The installation of a PTR record is
422 similar to installing an A RR except that the left hand side of the
423 record is the leased address, reversed, with ".in-addr.arpa" concate‐
424 nated. The right hand side is the fully qualified domain name of the
425 client to which the address is being leased.
426
428 dhcpd.conf(5), dhcpd.leases(5), dhclient.conf(5), dhcp-options(5),
429 dhcpd(8), dhclient(8), RFC2132, RFC2131.
430
432 The Internet Systems Consortium DHCP Distribution was written by Ted
433 Lemon under a contract with Vixie Labs. Funding for this project was
434 provided through Internet Systems Consortium. Information about Inter‐
435 net Systems Consortium can be found at https://www.isc.org.
436 dhcp-eval(5)