1.\" $OpenBSD: dhcpd.8,v 1.13 2006/08/09 11:05:31 stevesk Exp $ 2.\" 3.\" Copyright (c) 1995, 1996 The Internet Software Consortium. 4.\" All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: 9.\" 10.\" 1. Redistributions of source code must retain the above copyright 11.\" notice, this list of conditions and the following disclaimer. 12.\" 2. Redistributions in binary form must reproduce the above copyright 13.\" notice, this list of conditions and the following disclaimer in the 14.\" documentation and/or other materials provided with the distribution. 15.\" 3. Neither the name of The Internet Software Consortium nor the names 16.\" of its contributors may be used to endorse or promote products derived 17.\" from this software without specific prior written permission. 18.\" 19.\" THIS SOFTWARE IS PROVIDED BY THE INTERNET SOFTWARE CONSORTIUM AND 20.\" CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, 21.\" INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 22.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 23.\" DISCLAIMED. IN NO EVENT SHALL THE INTERNET SOFTWARE CONSORTIUM OR 24.\" CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 25.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 26.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF 27.\" USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 28.\" ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29.\" OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT 30.\" OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31.\" SUCH DAMAGE. 32.\" 33.\" This software has been written for the Internet Software Consortium 34.\" by Ted Lemon <mellon@fugue.com> in cooperation with Vixie 35.\" Enterprises. To learn more about the Internet Software Consortium, 36.\" see ``http://www.isc.org/''. To learn more about Vixie 37.\" Enterprises, see ``http://www.vix.com''. 38.\" 39.Dd January 1, 1995 40.Dt DHCPD 8 41.Os 42.Sh NAME 43.Nm dhcpd 44.Nd Dynamic Host Configuration Protocol Server 45.Sh SYNOPSIS 46.Nm dhcpd 47.Bk -words 48.Op Fl dfn 49.Op Fl A Ar abandoned_ip_table 50.Op Fl C Ar changed_ip_table 51.Op Fl c Ar config-file 52.Op Fl L Ar leased_ip_table 53.Op Fl l Ar lease-file 54.Op Fl p Ar pf-device 55.Op Ar if0 Op Ar ... ifN 56.Ek 57.Sh DESCRIPTION 58The Internet Software Consortium DHCP Server, 59.Nm dhcpd , 60implements the Dynamic Host Configuration Protocol (DHCP) and the 61Internet Bootstrap Protocol (BOOTP). 62DHCP allows hosts on a TCP/IP network to request and be assigned IP addresses, 63and also to discover information about the network to which they are attached. 64BOOTP provides similar functionality, with certain restrictions. 65.Pp 66The DHCP protocol allows a host which is unknown to the network 67administrator to be automatically assigned a new IP address out of a 68pool of IP addresses for its network. 69In order for this to work, the network administrator allocates address pools 70in each subnet and enters them into the 71.Xr dhcpd.conf 5 72file. 73.Pp 74On startup, 75.Nm 76reads the 77.Pa dhcpd.conf 78file and stores a list of available addresses on each subnet in memory. 79When a client requests an address using the DHCP protocol, 80.Nm 81allocates an address for it. 82Each client is assigned a lease, which expires after an amount of time 83chosen by the administrator (by default, one day). 84When a leased IP address is assigned to a new hardware address, 85.Nm 86may delete the leased IP from certain 87.Xr pf 4 88tables. 89Before leases expire, the clients to which leases are assigned are expected 90to renew them in order to continue to use the addresses. 91Once a lease has expired, the client to which that lease was assigned is no 92longer permitted to use the leased IP address. 93.Pp 94In order to keep track of leases across system reboots and server restarts, 95.Nm 96keeps a list of leases it has assigned in the 97.Xr dhcpd.leases 5 98file. 99Before 100.Nm 101grants a lease to a host, it records the lease in this file and makes sure 102that the contents of the file are flushed to disk. 103This ensures that even in the event of a system crash, 104.Nm 105will not forget about a lease that it has assigned. 106On startup, after reading the 107.Pa dhcpd.conf 108file, 109.Nm 110reads the 111.Pa dhcpd.leases 112file to refresh its memory about what leases have been assigned. 113.Pp 114BOOTP support is also provided by this server. 115Unlike DHCP, the BOOTP protocol does not provide a protocol for recovering 116dynamically-assigned addresses once they are no longer needed. 117It is still possible to dynamically assign addresses to BOOTP clients, but 118some administrative process for reclaiming addresses is required. 119By default, leases are granted to BOOTP clients in perpetuity, although 120the network administrator may set an earlier cutoff date or a shorter 121lease length for BOOTP leases if that makes sense. 122.Pp 123BOOTP clients may also be served in the old standard way, which is 124simply to provide a declaration in the 125.Pa dhcpd.conf 126file for each BOOTP client, permanently assigning an address to each client. 127.Pp 128Whenever changes are made to the 129.Pa dhcpd.conf 130file, 131.Nm 132must be restarted. 133Because the DHCP server database is not as lightweight as a BOOTP database, 134.Nm 135does not automatically restart itself when it sees a change to the 136.Pa dhcpd.conf 137file. 138.Pp 139DHCP traffic always bypasses IPsec. 140Otherwise there could be situations when a server has an IPsec SA for the 141client and sends replies over that, 142which a newly booted client would not be able to grasp. 143.Sh COMMAND LINE 144The names of the network interfaces on which 145.Nm 146should listen for broadcasts may be specified on the command line. 147This should be done on systems where 148.Nm 149is unable to identify non-broadcast interfaces, 150but should not be required on other systems. 151If no interface names are specified on the command line, 152.Nm 153will identify all network interfaces which are up, eliminating non-broadcast 154interfaces if possible, and listen for DHCP broadcasts on each interface. 155.Pp 156The options are as follows: 157.Bl -tag -width Ds 158.It Fl A Ar abandoned_ip_table 159When an address is abandoned for some reason, add it to the 160.Xr pf 4 161table named 162.Ar abandoned_ip_table . 163This can be used to defend against machines "camping" on an address 164without obtaining a lease. 165When an address is properly leased, 166.Nm 167will remove the address from this table. 168.It Fl C Ar changed_ip_table 169When an address is leased to a different hardware address, delete it from the 170.Xr pf 4 171table named 172.Ar changed_ip_table . 173This feature complements the overload table in a stateful 174.Xr pf 4 175rule. 176If a host appears to be misbehaving, it can be quarantined by using the 177overload feature. 178When the address is leased to a different machine, 179.Nm 180can remove the address from the overload table, thus allowing a well-behaved 181machine to reuse the address. 182.It Fl c Ar config-file 183Use an alternate configuration file, 184.Ar config-file . 185Because of the importance of using the same lease database at all times when 186running 187.Nm 188in production, this option should be used 189.Em only 190for testing database files in a non-production environment. 191.It Fl d 192Force 193.Nm 194to log to 195.Ar stderr . 196This can be useful for debugging, and also at sites where a complete log of 197all dhcp activity must be kept, but 198.Xr syslogd 8 199is not reliable or otherwise cannot be used. 200Normally, 201.Nm 202will log all output using the 203.Xr syslog 3 204function with the log facility set to 205.Dv LOG_DAEMON . 206.It Fl f 207Run 208.Nm 209as a foreground process, rather than allowing it to run as a daemon in the 210background. 211This is useful when running 212.Nm 213under a debugger, or when running it out of inittab on System V systems. 214.It Fl L Ar leased_ip_table 215When an address is leased 216.Nm 217will insert it into the 218.Xr pf 4 219table named 220.Ar leased_ip_table . 221Addresses are removed from the table when the lease expires. 222Combined with the table of abandoned addresses, this can help enforce a 223requirement to use DHCP on a network, or can place DHCP users in a different 224class of service. 225Users are cautioned against placing much trust in Ethernet or IP addresses; 226.Xr ifconfig 8 227can be used to trivially change the interface's address, and on a busy DHCP 228network, IP addresses will likely be quickly recycled. 229.It Fl l Ar lease-file 230Use an alternate lease file, 231.Ar lease-file . 232Because of the importance of using the same lease database at all times when 233running 234.Nm 235in production, this option should be used 236.Em only 237for testing lease files in a non-production environment. 238.It Fl n 239Only test configuration, do not run 240.Nm . 241.It Fl p Ar pf-device 242Use an alternate 243.Xr pf 4 244device, 245.Ar pf-device . 246.El 247.Sh CONFIGURATION 248The syntax of the 249.Xr dhcpd.conf 5 250file is discussed separately. 251This section should be used as an overview of the configuration process, 252and the 253.Xr dhcpd.conf 5 254documentation should be consulted for detailed reference information. 255.Bl -tag -width 3n 256.It Subnets 257.Nm 258needs to know the subnet numbers and netmasks of all subnets for 259which it will be providing service. 260In addition, in order to dynamically allocate addresses, it must be assigned 261one or more ranges of addresses on each subnet which it can in turn assign 262to client hosts as they boot. 263Thus, a very simple configuration providing DHCP support might look like this: 264.Bd -literal -offset indent 265subnet 239.252.197.0 netmask 255.255.255.0 { 266 range 239.252.197.10 239.252.197.250; 267} 268.Ed 269.Pp 270Multiple address ranges may be specified like this: 271.Bd -literal -offset indent 272subnet 239.252.197.0 netmask 255.255.255.0 { 273 range 239.252.197.10 239.252.197.107; 274 range 239.252.197.113 239.252.197.250; 275} 276.Ed 277.Pp 278If a subnet will only be provided with BOOTP service and no dynamic 279address assignment, the range clause can be left out entirely, but the 280subnet statement must appear. 281.It Lease Lengths 282DHCP leases can be assigned almost any length from zero seconds to infinity. 283What lease length makes sense for any given subnet, or for any given 284installation, will vary depending on the kinds of hosts being served. 285.Pp 286For example, in an office environment where systems are added from 287time to time and removed from time to time, but move relatively 288infrequently, it might make sense to allow lease times of a month of more. 289In a final test environment on a manufacturing floor, it may make more sense 290to assign a maximum lease length of 30 minutes \- enough time to go through a 291simple test procedure on a network appliance before packaging it up for 292delivery. 293.Pp 294It is possible to specify two lease lengths: the default length that 295will be assigned if a client doesn't ask for any particular lease 296length, and a maximum lease length. 297These are specified as clauses to the subnet command: 298.Bd -literal -offset indent 299subnet 239.252.197.0 netmask 255.255.255.0 { 300 range 239.252.197.10 239.252.197.107; 301 default-lease-time 600; 302 max-lease-time 7200; 303} 304.Ed 305.Pp 306This particular subnet declaration specifies a default lease time of 307600 seconds (ten minutes), and a maximum lease time of 7200 seconds 308(two hours). 309Other common values would be 86400 (one day), 604800 (one week) 310and 2592000 (30 days). 311.Pp 312Each subnet need not have the same lease \- in the case of an office 313environment and a manufacturing environment served by the same DHCP 314server, it might make sense to have widely disparate values for 315default and maximum lease times on each subnet. 316.It BOOTP Support 317Each BOOTP client must be explicitly declared in the 318.Xr dhcpd.conf 5 319file. 320A very basic client declaration will specify the client network interface's 321hardware address and the IP address to assign to that client. 322If the client needs to be able to load a boot file from the server, 323that file's name must be specified. 324A simple BOOTP client declaration might look like this: 325.Bd -literal -offset indent 326host haagen { 327 hardware ethernet 08:00:2b:4c:59:23; 328 fixed-address 239.252.197.9; 329 filename "haagen.boot"; 330} 331.Ed 332.It Options 333DHCP (and also BOOTP with Vendor Extensions) provides a mechanism 334whereby the server can provide the client with information about how 335to configure its network interface (e.g., subnet mask), and also how 336the client can access various network services (e.g., DNS, IP routers, 337and so on). 338.Pp 339These options can be specified on a per-subnet basis, and, for BOOTP 340clients, also on a per-client basis. 341In the event that a BOOTP client declaration specifies options that are 342also specified in its subnet declaration, the options specified in the 343client declaration take precedence. 344A reasonably complete DHCP configuration might look something like this: 345.Bd -literal -offset indent 346subnet 239.252.197.0 netmask 255.255.255.0 { 347 range 239.252.197.10 239.252.197.250; 348 default-lease-time 600; 349 max-lease-time 7200; 350 option subnet-mask 255.255.255.0; 351 option broadcast-address 239.252.197.255; 352 option routers 239.252.197.1; 353 option domain-name-servers 239.252.197.2, 239.252.197.3; 354 option domain-name "isc.org"; 355} 356.Ed 357.Pp 358A BOOTP host on that subnet that needs to be in a different domain and 359use a different name server might be declared as follows: 360.Bd -literal -offset indent 361host haagen { 362 hardware ethernet 08:00:2b:4c:59:23; 363 fixed-address 239.252.197.9; 364 filename "haagen.boot"; 365 option domain-name-servers 192.5.5.1; 366 option domain-name "vix.com"; 367} 368.Ed 369.El 370.Pp 371A more complete description of the 372.Pa dhcpd.conf 373file syntax is provided in 374.Xr dhcpd.conf 5 . 375.Sh FILES 376.Bl -tag -width "/var/db/dhcpd.leases~ " -compact 377.It /etc/dhcpd.conf 378DHCPD configuration file. 379.It /var/db/dhcpd.leases 380DHCPD lease file. 381.El 382.Sh SEE ALSO 383.Xr pf 4 , 384.Xr dhcpd.conf 5 , 385.Xr dhcpd.leases 5 , 386.Xr dhclient 8 , 387.Xr dhcp 8 , 388.Xr dhcrelay 8 , 389.Xr pxeboot 8 390.Sh AUTHORS 391.An -nosplit 392.Nm 393was written by 394.An Ted Lemon Aq mellon@vix.com 395under a contract with Vixie Labs. 396.Pp 397The current implementation was reworked by 398.An Henning Brauer Aq henning@openbsd.org . 399.Sh BUGS 400We realize that it would be nice if one could send a 401.Dv SIGHUP 402to the server and have it reload the database. 403This is not technically impossible, but it would require a great deal of work, 404our resources are extremely limited, and they can be better spent elsewhere. 405So please don't complain about this on the mailing list unless you're prepared 406to fund a project to implement this feature, or prepared to do it yourself. 407