1.\"	$OpenBSD: dhcpd.8,v 1.13 2006/08/09 11:05:31 stevesk Exp $
2.\"
3.\" Copyright (c) 1995, 1996 The Internet Software Consortium.
4.\" All rights reserved.
5.\"
6.\" Redistribution and use in source and binary forms, with or without
7.\" modification, are permitted provided that the following conditions
8.\" are met:
9.\"
10.\" 1. Redistributions of source code must retain the above copyright
11.\"    notice, this list of conditions and the following disclaimer.
12.\" 2. Redistributions in binary form must reproduce the above copyright
13.\"    notice, this list of conditions and the following disclaimer in the
14.\"    documentation and/or other materials provided with the distribution.
15.\" 3. Neither the name of The Internet Software Consortium nor the names
16.\"    of its contributors may be used to endorse or promote products derived
17.\"    from this software without specific prior written permission.
18.\"
19.\" THIS SOFTWARE IS PROVIDED BY THE INTERNET SOFTWARE CONSORTIUM AND
20.\" CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
21.\" INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
22.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
23.\" DISCLAIMED.  IN NO EVENT SHALL THE INTERNET SOFTWARE CONSORTIUM OR
24.\" CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
25.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
26.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
27.\" USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
28.\" ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
29.\" OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
30.\" OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31.\" SUCH DAMAGE.
32.\"
33.\" This software has been written for the Internet Software Consortium
34.\" by Ted Lemon <mellon@fugue.com> in cooperation with Vixie
35.\" Enterprises.  To learn more about the Internet Software Consortium,
36.\" see ``http://www.isc.org/''.  To learn more about Vixie
37.\" Enterprises, see ``http://www.vix.com''.
38.\"
39.Dd January 1, 1995
40.Dt DHCPD 8
41.Os
42.Sh NAME
43.Nm dhcpd
44.Nd Dynamic Host Configuration Protocol Server
45.Sh SYNOPSIS
46.Nm dhcpd
47.Bk -words
48.Op Fl dfn
49.Op Fl A Ar abandoned_ip_table
50.Op Fl C Ar changed_ip_table
51.Op Fl c Ar config-file
52.Op Fl L Ar leased_ip_table
53.Op Fl l Ar lease-file
54.Op Fl p Ar pf-device
55.Op Ar if0 Op Ar ... ifN
56.Ek
57.Sh DESCRIPTION
58The Internet Software Consortium DHCP Server,
59.Nm dhcpd ,
60implements the Dynamic Host Configuration Protocol (DHCP) and the
61Internet Bootstrap Protocol (BOOTP).
62DHCP allows hosts on a TCP/IP network to request and be assigned IP addresses,
63and also to discover information about the network to which they are attached.
64BOOTP provides similar functionality, with certain restrictions.
65.Pp
66The DHCP protocol allows a host which is unknown to the network
67administrator to be automatically assigned a new IP address out of a
68pool of IP addresses for its network.
69In order for this to work, the network administrator allocates address pools
70in each subnet and enters them into the
71.Xr dhcpd.conf 5
72file.
73.Pp
74On startup,
75.Nm
76reads the
77.Pa dhcpd.conf
78file and stores a list of available addresses on each subnet in memory.
79When a client requests an address using the DHCP protocol,
80.Nm
81allocates an address for it.
82Each client is assigned a lease, which expires after an amount of time
83chosen by the administrator (by default, one day).
84When a leased IP address is assigned to a new hardware address,
85.Nm
86may delete the leased IP from certain
87.Xr pf 4
88tables.
89Before leases expire, the clients to which leases are assigned are expected
90to renew them in order to continue to use the addresses.
91Once a lease has expired, the client to which that lease was assigned is no
92longer permitted to use the leased IP address.
93.Pp
94In order to keep track of leases across system reboots and server restarts,
95.Nm
96keeps a list of leases it has assigned in the
97.Xr dhcpd.leases 5
98file.
99Before
100.Nm
101grants a lease to a host, it records the lease in this file and makes sure
102that the contents of the file are flushed to disk.
103This ensures that even in the event of a system crash,
104.Nm
105will not forget about a lease that it has assigned.
106On startup, after reading the
107.Pa dhcpd.conf
108file,
109.Nm
110reads the
111.Pa dhcpd.leases
112file to refresh its memory about what leases have been assigned.
113.Pp
114BOOTP support is also provided by this server.
115Unlike DHCP, the BOOTP protocol does not provide a protocol for recovering
116dynamically-assigned addresses once they are no longer needed.
117It is still possible to dynamically assign addresses to BOOTP clients, but
118some administrative process for reclaiming addresses is required.
119By default, leases are granted to BOOTP clients in perpetuity, although
120the network administrator may set an earlier cutoff date or a shorter
121lease length for BOOTP leases if that makes sense.
122.Pp
123BOOTP clients may also be served in the old standard way, which is
124simply to provide a declaration in the
125.Pa dhcpd.conf
126file for each BOOTP client, permanently assigning an address to each client.
127.Pp
128Whenever changes are made to the
129.Pa dhcpd.conf
130file,
131.Nm
132must be restarted.
133Because the DHCP server database is not as lightweight as a BOOTP database,
134.Nm
135does not automatically restart itself when it sees a change to the
136.Pa dhcpd.conf
137file.
138.Pp
139DHCP traffic always bypasses IPsec.
140Otherwise there could be situations when a server has an IPsec SA for the
141client and sends replies over that,
142which a newly booted client would not be able to grasp.
143.Sh COMMAND LINE
144The names of the network interfaces on which
145.Nm
146should listen for broadcasts may be specified on the command line.
147This should be done on systems where
148.Nm
149is unable to identify non-broadcast interfaces,
150but should not be required on other systems.
151If no interface names are specified on the command line,
152.Nm
153will identify all network interfaces which are up, eliminating non-broadcast
154interfaces if possible, and listen for DHCP broadcasts on each interface.
155.Pp
156The options are as follows:
157.Bl -tag -width Ds
158.It Fl A Ar abandoned_ip_table
159When an address is abandoned for some reason, add it to the
160.Xr pf 4
161table named
162.Ar abandoned_ip_table .
163This can be used to defend against machines "camping" on an address
164without obtaining a lease.
165When an address is properly leased,
166.Nm
167will remove the address from this table.
168.It Fl C Ar changed_ip_table
169When an address is leased to a different hardware address, delete it from the
170.Xr pf 4
171table named
172.Ar changed_ip_table .
173This feature complements the overload table in a stateful
174.Xr pf 4
175rule.
176If a host appears to be misbehaving, it can be quarantined by using the
177overload feature.
178When the address is leased to a different machine,
179.Nm
180can remove the address from the overload table, thus allowing a well-behaved
181machine to reuse the address.
182.It Fl c Ar config-file
183Use an alternate configuration file,
184.Ar config-file .
185Because of the importance of using the same lease database at all times when
186running
187.Nm
188in production, this option should be used
189.Em only
190for testing database files in a non-production environment.
191.It Fl d
192Force
193.Nm
194to log to
195.Ar stderr .
196This can be useful for debugging, and also at sites where a complete log of
197all dhcp activity must be kept, but
198.Xr syslogd 8
199is not reliable or otherwise cannot be used.
200Normally,
201.Nm
202will log all output using the
203.Xr syslog 3
204function with the log facility set to
205.Dv LOG_DAEMON .
206.It Fl f
207Run
208.Nm
209as a foreground process, rather than allowing it to run as a daemon in the
210background.
211This is useful when running
212.Nm
213under a debugger, or when running it out of inittab on System V systems.
214.It Fl L Ar leased_ip_table
215When an address is leased
216.Nm
217will insert it into the
218.Xr pf 4
219table named
220.Ar leased_ip_table .
221Addresses are removed from the table when the lease expires.
222Combined with the table of abandoned addresses, this can help enforce a
223requirement to use DHCP on a network, or can place DHCP users in a different
224class of service.
225Users are cautioned against placing much trust in Ethernet or IP addresses;
226.Xr ifconfig 8
227can be used to trivially change the interface's address, and on a busy DHCP
228network, IP addresses will likely be quickly recycled.
229.It Fl l Ar lease-file
230Use an alternate lease file,
231.Ar lease-file .
232Because of the importance of using the same lease database at all times when
233running
234.Nm
235in production, this option should be used
236.Em only
237for testing lease files in a non-production environment.
238.It Fl n
239Only test configuration, do not run
240.Nm .
241.It Fl p Ar pf-device
242Use an alternate
243.Xr pf 4
244device,
245.Ar pf-device .
246.El
247.Sh CONFIGURATION
248The syntax of the
249.Xr dhcpd.conf 5
250file is discussed separately.
251This section should be used as an overview of the configuration process,
252and the
253.Xr dhcpd.conf 5
254documentation should be consulted for detailed reference information.
255.Bl -tag -width 3n
256.It Subnets
257.Nm
258needs to know the subnet numbers and netmasks of all subnets for
259which it will be providing service.
260In addition, in order to dynamically allocate addresses, it must be assigned
261one or more ranges of addresses on each subnet which it can in turn assign
262to client hosts as they boot.
263Thus, a very simple configuration providing DHCP support might look like this:
264.Bd -literal -offset indent
265subnet 239.252.197.0 netmask 255.255.255.0 {
266  range 239.252.197.10 239.252.197.250;
267}
268.Ed
269.Pp
270Multiple address ranges may be specified like this:
271.Bd -literal -offset indent
272subnet 239.252.197.0 netmask 255.255.255.0 {
273  range 239.252.197.10 239.252.197.107;
274  range 239.252.197.113 239.252.197.250;
275}
276.Ed
277.Pp
278If a subnet will only be provided with BOOTP service and no dynamic
279address assignment, the range clause can be left out entirely, but the
280subnet statement must appear.
281.It Lease Lengths
282DHCP leases can be assigned almost any length from zero seconds to infinity.
283What lease length makes sense for any given subnet, or for any given
284installation, will vary depending on the kinds of hosts being served.
285.Pp
286For example, in an office environment where systems are added from
287time to time and removed from time to time, but move relatively
288infrequently, it might make sense to allow lease times of a month of more.
289In a final test environment on a manufacturing floor, it may make more sense
290to assign a maximum lease length of 30 minutes \- enough time to go through a
291simple test procedure on a network appliance before packaging it up for
292delivery.
293.Pp
294It is possible to specify two lease lengths: the default length that
295will be assigned if a client doesn't ask for any particular lease
296length, and a maximum lease length.
297These are specified as clauses to the subnet command:
298.Bd -literal -offset indent
299subnet 239.252.197.0 netmask 255.255.255.0 {
300  range 239.252.197.10 239.252.197.107;
301  default-lease-time 600;
302  max-lease-time 7200;
303}
304.Ed
305.Pp
306This particular subnet declaration specifies a default lease time of
307600 seconds (ten minutes), and a maximum lease time of 7200 seconds
308(two hours).
309Other common values would be 86400 (one day), 604800 (one week)
310and 2592000 (30 days).
311.Pp
312Each subnet need not have the same lease \- in the case of an office
313environment and a manufacturing environment served by the same DHCP
314server, it might make sense to have widely disparate values for
315default and maximum lease times on each subnet.
316.It BOOTP Support
317Each BOOTP client must be explicitly declared in the
318.Xr dhcpd.conf 5
319file.
320A very basic client declaration will specify the client network interface's
321hardware address and the IP address to assign to that client.
322If the client needs to be able to load a boot file from the server,
323that file's name must be specified.
324A simple BOOTP client declaration might look like this:
325.Bd -literal -offset indent
326host haagen {
327  hardware ethernet 08:00:2b:4c:59:23;
328  fixed-address 239.252.197.9;
329  filename "haagen.boot";
330}
331.Ed
332.It Options
333DHCP (and also BOOTP with Vendor Extensions) provides a mechanism
334whereby the server can provide the client with information about how
335to configure its network interface (e.g., subnet mask), and also how
336the client can access various network services (e.g., DNS, IP routers,
337and so on).
338.Pp
339These options can be specified on a per-subnet basis, and, for BOOTP
340clients, also on a per-client basis.
341In the event that a BOOTP client declaration specifies options that are
342also specified in its subnet declaration, the options specified in the
343client declaration take precedence.
344A reasonably complete DHCP configuration might look something like this:
345.Bd -literal -offset indent
346subnet 239.252.197.0 netmask 255.255.255.0 {
347  range 239.252.197.10 239.252.197.250;
348  default-lease-time 600;
349  max-lease-time 7200;
350  option subnet-mask 255.255.255.0;
351  option broadcast-address 239.252.197.255;
352  option routers 239.252.197.1;
353  option domain-name-servers 239.252.197.2, 239.252.197.3;
354  option domain-name "isc.org";
355}
356.Ed
357.Pp
358A BOOTP host on that subnet that needs to be in a different domain and
359use a different name server might be declared as follows:
360.Bd -literal -offset indent
361host haagen {
362  hardware ethernet 08:00:2b:4c:59:23;
363  fixed-address 239.252.197.9;
364  filename "haagen.boot";
365  option domain-name-servers 192.5.5.1;
366  option domain-name "vix.com";
367}
368.Ed
369.El
370.Pp
371A more complete description of the
372.Pa dhcpd.conf
373file syntax is provided in
374.Xr dhcpd.conf 5 .
375.Sh FILES
376.Bl -tag -width "/var/db/dhcpd.leases~  " -compact
377.It /etc/dhcpd.conf
378DHCPD configuration file.
379.It /var/db/dhcpd.leases
380DHCPD lease file.
381.El
382.Sh SEE ALSO
383.Xr pf 4 ,
384.Xr dhcpd.conf 5 ,
385.Xr dhcpd.leases 5 ,
386.Xr dhclient 8 ,
387.Xr dhcp 8 ,
388.Xr dhcrelay 8 ,
389.Xr pxeboot 8
390.Sh AUTHORS
391.An -nosplit
392.Nm
393was written by
394.An Ted Lemon Aq mellon@vix.com
395under a contract with Vixie Labs.
396.Pp
397The current implementation was reworked by
398.An Henning Brauer Aq henning@openbsd.org .
399.Sh BUGS
400We realize that it would be nice if one could send a
401.Dv SIGHUP
402to the server and have it reload the database.
403This is not technically impossible, but it would require a great deal of work,
404our resources are extremely limited, and they can be better spent elsewhere.
405So please don't complain about this on the mailing list unless you're prepared
406to fund a project to implement this feature, or prepared to do it yourself.
407