mir/kea
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/kea synced 2025-08-24 18:57:41 +00:00
Code Issues Releases Wiki Activity
kea/doc/guide/hooks.xml

532 lines
23 KiB
XML
Raw Normal View History

[3635] Updated details of how to configure hooks libraries
2014-12-09 17:58:56 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY mdash "&#x2014;" >
]>
<chapter id="hooks-libraries">
<title>Hooks Libraries</title>
<section id="hooks-libraries-introduction">
<title>Introduction</title>
<para>
Although Kea offers a lot of flexibility, there may be cases where
its behavior needs customisation. To accommodate this possibility,
Kea includes the idea of "Hooks". This feature lets Kea load one
or more dynamically-linked libraries (known as "hooks libraries")
and, at various points in its processing ("hook points"), call
functions in them. Those functions perform whatever custom
processing is required.
</para>
<para>
Hooks libraries are attached to individual Kea processes, not to
Kea as a whole. This means (for example) that it is possible
to associate one set of libraries with the DHCP4 server and a
different set to the DHCP6 server.
</para>
<para>
Another point to note is that it is possible for a process to
[3635] Minor corrections after review
2014-12-17 11:58:38 +00:00
load multiple libraries. When processing reaches a hook point,
Kea calls the hooks library functions attached to it. If multiple
libraries have attached a function to a given hook point, Kea calls
all of them, in the order in which the libraries are specified in
the configuration file. The order may be important: consult the
documentation of the libraries to see if this is the case.
[3635] Updated details of how to configure hooks libraries
2014-12-09 17:58:56 +00:00
</para>
<para>
The next section describes how to configure hooks libraries. If you
are interested in writing your own hooks library, information can be
found in the <ulink url="http://git.kea.isc.org/~tester/kea/doxygen">Kea
Developer's Guide</ulink>.
</para>
</section> <!-- end Introduction -->
<section>
<title>Configuring Hooks Libraries</title>
<para>
The hooks libraries for a given process are configured using the
<command>hooks-libraries</command> keyword in the
configuration for that process. (Note that
the word "hooks" is plural). The value of the keyword
[3259] Corrections to the documentation
2015-10-28 13:18:57 +00:00
is an array of map structures, each structure corresponding to a hooks
library. For example, to set up two hooks libraries for the DHCPv4
server, the configuration would be:
[3635] Updated details of how to configure hooks libraries
2014-12-09 17:58:56 +00:00
<screen>
<userinput>"Dhcp4": {
:
"hooks-libraries": [
[3259] Update documentation with new syntax
2015-10-28 11:23:03 +00:00
{
"library": "/opt/charging.so"
},
{
[4297] User's Guide updated.
2016-03-15 10:48:03 +01:00
"library": "/opt/local/notification.so",
"parameters": {
"mail": "spam@example.com",
"floor": 13,
"debug": false,
"users": [ "alice", "bob", "charlie" ],
"languages": {
"french": "bonjour",
"klingon": "yl'el"
}
}
[3259] Update documentation with new syntax
2015-10-28 11:23:03 +00:00
}
[3635] Updated details of how to configure hooks libraries
2014-12-09 17:58:56 +00:00
]
:
}</userinput>
</screen>
</para>
[4297] User's Guide corrected
2016-03-15 11:24:59 +01:00
[3635] Updated details of how to configure hooks libraries
2014-12-09 17:58:56 +00:00
<note><para>
[3259] Update documentation with new syntax
2015-10-28 11:23:03 +00:00
This is a change to the syntax used in Kea 0.9.2 and earlier, where
hooks-libraries was a list of strings, each string being the name of
a library. The change has been made in Kea 1.0 to facilitate the
[3209] user_chk hook lib documented.
2016-09-20 19:09:03 +02:00
specification of library-specific parameters, a capability
available since Kea 1.1.0-beta.
[3635] Updated details of how to configure hooks libraries
2014-12-09 17:58:56 +00:00
</para></note>
[4297] User's Guide updated.
2016-03-15 10:48:03 +01:00
[4297] User's Guide corrected
2016-03-15 11:24:59 +01:00
<note>
<para>
[4297] User's Guide updated.
2016-03-15 10:48:03 +01:00
The library reloading behavior has changed in Kea 1.1. Libraries are
reloaded, even if their list hasn't changed. Kea does that, because
the parameters specified for the library (or the files those
parameters point to) may have changed.
[4297] User's Guide corrected
2016-03-15 11:24:59 +01:00
</para>
</note>
[4297] User's Guide updated.
2016-03-15 10:48:03 +01:00
<para>
Libraries may have additional parameters. Those are not mandatory in the
sense that there may be libraries that don't require them. However, for
specific library there is often specific requirement for specify certain
set of parameters. Please consult the documentation for your library
for details. In the example above, the first library has no parameters.
The second library has five parameters, specifying mail (string
parameter), floor (integer parameter), debug (boolean parameter) and
even lists (list of strings) and maps (containing strings). Nested
parameters could be used if the library supports it. This topic is
explained in detail in the Hooks Developer's Guide in Configuring Hooks
Libraries section.
</para>
[3635] Updated details of how to configure hooks libraries
2014-12-09 17:58:56 +00:00
<para>
Notes:
<itemizedlist mark='bullet'>
<listitem><para>
The full path to each library should be given.
</para></listitem>
<listitem><para>
As noted above, order may be important - consult the documentation for
each library.
</para></listitem>
<listitem><para>
An empty list has the same effect as omitting the
<command>hooks-libraries</command> configuration element all together.
[3259] Changes after review 1. Updated Kea guide to note that removing the hooks-libraries configuration element does not always have the expected effect. 2. Moved some documentation from the dhcp_parsers.cc file to the .h file. 3. Expanded checking of the contents of the hooks-libraries configuration element.
2015-11-09 12:41:52 +00:00
</para>
<note><para>
There is one case where this is not true: if Kea
is running with a configuration that contains a
<command>hooks-libraries</command> item, and that item is
removed and the configuration reloaded, the removal will be
ignored and the libraries remain loaded. As a workaround,
instead of removing the <command>hooks-libraries</command>
item, change it to an empty list. This will be fixed in a
future version of Kea.
</para></note>
</listitem>
[3635] Updated details of how to configure hooks libraries
2014-12-09 17:58:56 +00:00
</itemizedlist>
</para>
<para>
At the present time, only the kea-dhcp4 and kea-dhcp6 processes support
hooks libraries.
</para>
</section>
[trac4511] Add description of the legal log hooks configuration and use
2016-07-31 22:21:56 -07:00
<section>
<title>Available Hooks Libraries</title>
<para>
As described above the hooks functionality provides a way to customize
a Kea server without modifying the core code. ISC has chosen to take
advantage of this feature to provide functions that may not be useful
to all users. To this end ISC has created some hooks libraries which
are discussed in the following sections.
</para>
[3209] user_chk hook lib documented.
2016-09-20 19:09:03 +02:00
<note><para>
Some of these libraries will be available with the base code while others
will be shared with organizations supporting development of the Kea
project, possibly as a 'benefit' or 'thank you' for helping to sustain
the larger Kea project. If you would like to get access to those
libraries, please consider signing up a support contract. It also features a
professional support, advance security notifications, input into our
roadmap planning, consulting hours and many other benefits, while helping
making Kea sustainable in the long term.
</para></note>
<para>Currently the following libraries are available or planned from ISC:
<table frame="all" id="hook-libs">
<title>List of available hook libraries</title>
<tgroup cols='3'>
<colspec colname='name' />
<colspec colname='avail' />
<colspec colname='description' />
<thead>
<row>
<entry>Name</entry>
<entry>Availability</entry>
<entry>Since</entry>
<entry>Description</entry>
</row>
</thead>
<tbody>
<row>
<entry>user_chk</entry>
<entry>Kea sources</entry>
<entry>Kea 0.8</entry>
<entry>Reads known users list from a file. it will be assigned a
lease from the last subnet defined in the configuration file,
e.g. to redirect him into a captive portal. This showcases how
externals source of information can be used to influence Kea
allocation engine. This hook is part of the Kea sources and is
available in src/hooks/dhcp/user_chk directory.</entry>
</row>
<row>
<entry>Forensic Logging</entry>
<entry>Support customers</entry>
<entry>Kea 1.1.0</entry>
<entry>This library povides hooks that record a detailed log of
lease assignments and renewals into a set of log files. In many
legal jurisdictions companies, especially ISPs, must record
information about the addresses they have leased to DHCP
clients. This library is designed to help with that
requirement. If the information that it records is sufficient it
may be used directly. If your jurisdiction requires that you save
a different set of information you may use it as a template or
example and create your own custom logging hooks.</entry>
</row>
<row>
<entry>Lightweight 4over6</entry>
<entry>Support customers</entry>
<entry>Autumn 2016</entry>
<entry>Lightweight 4over6 (RFC7596) is a new IPv6 transition
technology that provides IPv4 as a service in IPv6-only
network. It assumes that dual-stack clients will get regular IPv6
address and IPv6 prefix, but only a fraction of IPv4 address. The
fraction is specified as port-set, which is essentially a range of
TCP and UDP ports a client can use. By doing the transition on the
client side, this technology eliminates the need to deploy
expensive Carrier Grade NATs withing operator's network. The
problem on the DHCP side is the non-trivial logic behind it: each
client needs to receive an unique set of lw4over6 options
(RFC7598), that include IPv4 address (shared among several
clients), port-set (which is unique among clients sharing the same
IPv4 address and a number of additional parameters. This hook
library will generate values of those options dynamically, thus
eliminating the need to manually configure values for each client
separately.
</entry>
</row>
</tbody>
</tgroup>
</table>
</para>
[trac4511] Add description of the legal log hooks configuration and use
2016-07-31 22:21:56 -07:00
<para>
[3209] user_chk hook lib documented.
2016-09-20 19:09:03 +02:00
ISC hopes to see more hook libraries become available as time
progresses, both developed internally and externally. Since
this list may eveolve dynamically, we decided to keep it on a
wiki page, available at this link: <ulink
url="http://kea.isc.org/wiki/Hooks">http://kea.isc.org/wiki/Hooks</ulink>.
If you are a developer or are aware of any hook libraries not
listed there, please send a note to kea-users or kea-dev
mailing lists and someone will update it.
[trac4511] Add description of the legal log hooks configuration and use
2016-07-31 22:21:56 -07:00
</para>
[3209] user_chk hook lib documented.
2016-09-20 19:09:03 +02:00
<section>
<title>user_chk: Checking user access</title>
<para>
User_chk library is the first hook library published by ISC. It
attempts to serve several purposes:
<itemizedlist>
<listitem>
<para>To assign "new" or "unregistered" users to a
restricted subnet, while "known" or "registered" users are assigned
to unrestricted subnets.</para>
</listitem>
<listitem>
<para>To allow DHCP response options or vendor option
values to be customized based upon user identity. </para>
</listitem>
<listitem>
<para>To provide a real time record of the user registration
activity which can be sampled by an external consumer.</para>
</listitem>
<listitem>
<para> To serve as a demonstration of various capabilities
possible using hook interface.</para>
</listitem>
</itemizedlist>
</para>
<para>
Once loaded, the library allows segregating incomings requests into
known and unknown clients. For known clients, the packets are
processed mostly as usual, except it is possible to override certain
options being sent. That can be done on a per host basis. Clients
that are not on the known hosts list will be treated as unknown and
will be assigned to the last subnet defined in the configuration file.
</para>
<para>
For example this behavior may be used to put unknown users into a
separate subnet that leads to a walled garden, where they can only
access a registration portal. Once they fill in necessary data, their
details are added to the known clients file, and they get a proper
address after their device is restarted.
</para>
<note><para>This library has been developed several years before host
reservation mechanism has become available. Currently HR is much more
powerful and flexible, but nevertheless user_chk capability to consult
and external source of information about clients and alter Kea's
behavior is useful and remains to have educational value.
</para></note>
<para>
The library reads the /tmp/user_chk_registry.txt file while being
loaded and processing every incoming packet. The file is expected
to have each line contain a self-contained JSON snippet which must
have the following two entries:
<itemizedlist>
<listitem><para>"type" whose value is "HW_ADDR" for IPv4 users or
"DUID" for IPv6 users</para></listitem>
<listitem><para>"id" whose value is either the hardware address or
the DUID from the equest formatted as a string of hex digits, with
or without ":" delimiters.</para></listitem>
</itemizedlist>
and may have the zero or more of the following entries:
<itemizedlist>
<listitem><para>"bootfile" whose value is the pathname of the
desired file</para></listitem>
<listitem><para>"tftp_server" whose value is the hostname or IP
address of the desired server</para></listitem>
</itemizedlist>
Sample user registry file is shown below:
<screen>{ "type" : "HW_ADDR", "id" : "0c:0e:0a:01:ff:04", "bootfile" : "/tmp/v4bootfile" }
{ "type" : "HW_ADDR", "id" : "0c:0e:0a:01:ff:06", "tftp_server" : "tftp.v4.example.com" }
{ "type" : "DUID", "id" : "00:01:00:01:19:ef:e6:3b:00:0c:01:02:03:04", "bootfile" : "/tmp/v6bootfile" }
{ "type" : "DUID", "id" : "00:01:00:01:19:ef:e6:3b:00:0c:01:02:03:06", "tftp_server" : "tftp.v6.example.com" }</screen>
</para>
</section>
[trac4511] Add description of the legal log hooks configuration and use
2016-07-31 22:21:56 -07:00
<section>
[trac4511] Update per review comments
2016-08-03 12:32:14 -07:00
<title>Forensic Logging Hooks</title>
[trac4511] Add description of the legal log hooks configuration and use
2016-07-31 22:21:56 -07:00
<para>
[trac4511] Update per review comments
2016-08-03 12:32:14 -07:00
This section describes the forensic log hooks library. This library
[trac4511] Add description of the legal log hooks configuration and use
2016-07-31 22:21:56 -07:00
povides hooks that record a detailed log of lease assignments
and renewals into a set of log files. Currently this library
is only available to customers with a support contract.
</para>
<para>
In many legal jurisdictions companies, especially ISPs, must record
information about the addresses they have leased to DHCP clients.
This library is designed to help with that requirement. If the
information that it records is sufficient it may be used directly.
If your jurisdiction requires that you save a different set of
information you may use it as a template or example and create your
own custom logging hooks.
</para>
[trac4511] Update per review comments
2016-08-03 12:32:14 -07:00
<para>
This logging is done as a set of hooks to allow it to be customized
to any particular need. Modifying a hooks library is easier and
safer than updating the core code. In addition by using the hooks
features those users who don't need to log this information can
leave it out and avoid any performance penalties.
</para>
[trac4511] Add description of the legal log hooks configuration and use
2016-07-31 22:21:56 -07:00
<section>
<title>Log File Naming</title>
<para>
The names for the log files have the following form:
</para>
<screen>
path/base-name.CCYYMMDD.txt
</screen>
<para>
The &quot;path&quot; and &quot;base-name&quot; are supplied in the
configuration as described below see
[trac4511] Update per review comments
2016-08-03 12:32:14 -07:00
<xref linkend="forensic-log-configuration"/>. The next part of the name is
[trac4511] Add description of the legal log hooks configuration and use
2016-07-31 22:21:56 -07:00
the date the log file was started, with four digits for year, two digits
for month and two digits for day. The file is rotated on a daily basis.
</para>
<note><para>
When running Kea servers for both DHCPv4 and DHCPv6 the log names must
[trac4511] Update per review comments
2016-08-03 12:32:14 -07:00
be distinct. See the examples in <xref linkend="forensic-log-configuration"/>.
[trac4511] Add description of the legal log hooks configuration and use
2016-07-31 22:21:56 -07:00
</para></note>
</section>
<section>
<title>DHCPv4 Log Entries</title>
<para>
For DHCPv4 the library creates entries based on DHCPREQUEST messages
and corresponding DHCPv4 leases intercepted by lease4_select
(for new leases) and lease4_renew (for renewed leases) hooks.
</para>
<para>
An entry is a single string with no embedded end-of-line markers
and has the following sections:
<screen>
address duration device-id {client-info} {relay-info}
</screen>
</para>
<para>
Where:
<itemizedlist>
<listitem><para>
address - the leased IPv4 address given out and whether it was
assigned or renewed.
</para></listitem>
<listitem><para>
duration - the lease lifetime expressed in days (if present),
hours, minutes and seconds. A lease lifetime of 0xFFFFFFFF will be
denoted with the text &quot;infinite duration&quot;.
</para></listitem>
<listitem><para>
device-id - the client's hardware address shown as numerical type
and hex digit string.
</para></listitem>
<listitem><para>
client-info - the DHCP client id option (61) if present, shown as
a hex string.
</para></listitem>
<listitem><para>
relay-info - for relayed packets the giaddr and the RAI circuit id
and remote id options (option 82 sub options 1 and 2) if present.
The circuit id and remote id are presented as hex strings
</para></listitem>
</itemizedlist>
</para>
<para>
For instance (line breaks added for readability, they would not
be present in the log file).
<screen>
Address: 192.2.1.100 has been renewed for 1 hrs 52 min 15 secs to a device with
hardware address: hwtype=1 08:00:2b:02:3f:4e, client-id: 17:34:e2:ff:09:92:54
connected via relay at address: 192.2.16.33, identified by circuit-id:
68:6f:77:64:79 and remote-id: 87:f6:79:77:ef
</screen>
</para>
</section>
<section>
<title>DHCPv6 Log Entries</title>
<para>
For DHCPv6 the library creates entries based on lease management
actions intercepted by the lease6_select (for new leases), lease6_renew
(for renewed leases) and lease6_rebind (for rebound leases).
</para>
<para>
An entry is a single string with no embedded end-of-line markers
and has the following sections:
<screen>
address duration device-id {relay-info}*
</screen>
</para>
<para>
Where:
<itemizedlist>
<listitem><para>
address - the leased IPv6 address or prefix given out and whether
it was assigned or renewed.
</para></listitem>
<listitem><para>
duration - the lease lifetime expressed in days (if present),
hours, minutes and seconds. A lease lifetime of 0xFFFFFFFF will be
denoted with the text "infinite duration".
</para></listitem>
<listitem><para>
device-id - the client's DUID and hardware address (if present).
</para></listitem>
<listitem><para>
relay-info - for relayed packets the content of relay agent
messages, remote id and subscriber id options (x and xx) if present.
</para></listitem>
</itemizedlist>
</para>
<para>
For instance (line breaks added for readability, they would not
be present in the log file).
<screen>
Address:2001:db8:1:: has been assigned for 0 hrs 11 mins 53 secs to a device with
DUID: 17:34:e2:ff:09:92:54 and hardware address: hwtype=1 08:00:2b:02:3f:4e
(from Raw Socket) connected via relay at address: fe80::abcd for client on
link address: 3001::1, hop count: 1, identified by remote-id:
01:02:03:04:0a:0b:0c:0d:0e:0f and subscriber-id: 1a:2b:3c:4d:5e:6f
</screen>
</para>
</section>
[trac4511] Update per review comments
2016-08-03 12:32:14 -07:00
<section id="forensic-log-configuration">
<title>Configuring the Forensic Log Hooks</title>
[trac4511] Add description of the legal log hooks configuration and use
2016-07-31 22:21:56 -07:00
<para>
To use this functionality the hook library must be included in the
configuration of the desired DHCP server modules. The legal_log
library is installed alongside the Kea libraries in
<filename>[kea-install-dir]/lib</filename> where
<filename>kea-install-dir</filename> is determined by the
&quot;--prefix&quot; option of the configure script. It defaults to
<filename>/usr/local</filename>. Assuming the
default value then, configuring kea-dhcp4 to load the legal_log
library could be done with the following Kea4 configuration:
<screen>
"Dhcp4": { <userinput>
[trac4511] Update per review comments
2016-08-03 12:32:14 -07:00
"hooks-libraries": [
{
"library": "/usr/local/lib/libdhcp_legal_log.so",
"parameters": {
"path": "/var/kea/var",
"base-name": "kea-forensic4"
}
},
[trac4511] Add description of the legal log hooks configuration and use
2016-07-31 22:21:56 -07:00
...
] </userinput>
}
</screen>
</para>
<para>
To configure it for kea-dhcp6, the commands are simply as shown below:
<screen>
"Dhcp6": { <userinput>
[trac4511] Update per review comments
2016-08-03 12:32:14 -07:00
"hooks-libraries": [
{
"library": "/usr/local/lib/libdhcp_legal_log.so",
"parameters": {
"path": "/var/kea/var",
"base-name": "kea-forensic6"
}
},
[trac4511] Add description of the legal log hooks configuration and use
2016-07-31 22:21:56 -07:00
...
] </userinput>
}
</screen>
</para>
<para>
Two Hook Library parameters are supported:
<itemizedlist>
<listitem><para>
[trac4511] Update per review comments
2016-08-03 12:32:14 -07:00
path - the directory in which the forensic file(s) will be written. The
[trac4511] Add description of the legal log hooks configuration and use
2016-07-31 22:21:56 -07:00
default value is
<filename>[prefix]/kea/var</filename>. The directory must exist.
</para></listitem>
<listitem><para>
base-name - an arbitrary value which is used in conjunction with
[trac4511] Update per review comments
2016-08-03 12:32:14 -07:00
the current system date to form the current foresnic file name. It defaults
[trac4511] Add description of the legal log hooks configuration and use
2016-07-31 22:21:56 -07:00
to <filename>kea-legal</filename>.
</para></listitem>
</itemizedlist>
</para>
</section>
</section>
</section>
[3635] Updated details of how to configure hooks libraries
2014-12-09 17:58:56 +00:00
</chapter> <!-- hooks-libraries -->
Reference in New Issue Copy Permalink