ndhc/src/ndhc.8

177 lines
8.1 KiB
Groff
Raw Normal View History

.TH NDHC 8 2012-07-20 Linux "Linux Administrator's Manual"
2010-11-12 04:02:18 -05:00
.SH NAME
ndhc \- secure DHCP client
.SH SYNOPSIS
.B ndhc
.RI [ OPTION ]...
.SH DESCRIPTION
The ndhc client negotiates a lease with the DHCP server and informs ifchd of
the change when it is obtained or lost. It also defends the assigned IP
address against hostile imposters and requests a new lease if it detects that
the interface has been connected to a new network. It requires a cooperating
ifchd server to properly perform its duties.
2010-11-12 04:02:18 -05:00
.SH OPTIONS
.TP
2014-04-14 15:52:39 -04:00
.BI \-c\ CONFIGFILE ,\ \-\-config= CONFIGFILE
Read configuration information from the specified file. The format of
configuration options is a simple 'option = value' for each line. The
names of the options are exactly the same as for command line options.
.TP
.BI \-I\ CLIENTID ,\ \-\-clientid= CLIENTID
Specifies the client identifier that will be sent to the remote server. This
can be any (reasonably sized, <64byte or so) text string, or an ethernet
MAC address in a form similar to 'aa:bb:cc:dd:ee:ff'. ndhc is smart enough
to recognize MAC addresses. ISP DHCP servers commonly check the value of this
field before providing a lease. The default value is the MAC address of
the network interface to which ndhc is bound.
2010-11-12 04:02:18 -05:00
.TP
.BI \-h\ HOSTNAME ,\ \-\-hostname= HOSTNAME
Send the specified client hostname to the remote DHCP server. This option
should not be necessary in most instances, but may perhaps be useful for odd
DHCP servers that perform some kind of authentication against the hostname
option field. The default is to send no hostname option at all.
2010-11-12 04:02:18 -05:00
.TP
.BI \-v\ VENDORID ,\ \-\-vendorid= VENDORID
Send the specified vendor identification string to the remote DHCP server.
This option should not be necessary in most instances, but may perhaps be
useful for odd DHCP servers that perform some kind of authentication against
the vendor id option field. The default is to send the string 'ndhc'.
2010-11-12 04:02:18 -05:00
.TP
.BI \-b ,\ \-\-background
Immediately fork into the background, even before obtaining a lease.
.TP
.BI \-p\ PIDFILE ,\ \-\-pidfile= PIDFILE
Write the process id number of the ndhc process into the specified file name.
The default is to not write the process id number into any file at all.
.TP
.BI \-s\ STATEDIR ,\ \-\-state\-dir= STATEDIR
Specifies the directory where the DHCP state associated with the given
interface will be stored. Such state will include the leased IP, the
IAID, and the DUID. The file representing the leased IP can be quite
useful for reacting to changes in IP address -- one can listen for changes
to it using fanotify() or inotify() on Linux.
2010-11-12 04:02:18 -05:00
.TP
.BI \-i\ INTERFACE ,\ \-\-interface= INTERFACE
Act as a DHCP client for the specified interface. A single ndhc daemon can
only act as a DHCP client for a single interface. Specify the interface it
should use by name. The default is to listen on 'eth0'.
2010-11-12 04:02:18 -05:00
.TP
.BI \-n ,\ \-\-now
Exit with failure if a lease cannot be obtained. Useful for some init scripts.
2010-11-12 04:02:18 -05:00
.TP
.BI \-q ,\ \-\-quit
Exit after obtaining a lease. Useful for some init scripts.
2010-11-12 04:02:18 -05:00
.TP
.BI \-r\ IP ,\ \-\-request= IP
Request the specified IP address from the remote DHCP server. The DHCP server
has no obligation to provide us with this IP, but it may acquiesce to the
request if it would not conflict with another host.
2010-11-12 04:02:18 -05:00
.TP
.BI \-u\ USER ,\ \-\-user= USER
This option specifies the user name or user id that ndhc will change to after
startup. ndhc will also change its group to match the default group of this
user.
.TP
.BI \-U\ USER ,\ \-\-ifch\-user= USER
This option specifies the user name or user id that ndhc-ifch will change to
after startup. ndhc-ifch will also change its group to match the default group
of this user.
.TP
.BI \-C\ CHROOTDIR ,\ \-\-chroot= CHROOTDIR
This option specifies the directory to which ndhc should confine itself via
chroot() after startup. This directory should have access to dev/urandom and
dev/null. For logging to work, a dev/log socket or device should also exist.
.TP
.BI \-d ,\ \-\-relentless\-defense
If specified, ndhc will never back down in defending the IP address that it
has been assigned by the remote DHCP server. This behavior should not be
specified for average machines, but is useful for servers or routers where
the IP address of the machine must remain fixed for proper operation.
.TP
.BI \-R\ RESOLVCONF ,\ \-\-resolv\-conf= RESOLVCONF
Specifies the path to the system resolv.conf. This file will typically be in
/etc/resolv.conf. If this option is specified, ndhc will update the contents
of this file to match the DNS servers specified by the remote DHCP server. If
this option is not specified, ifchd will never change the system DNS resolution
configuration.
.TP
.BI \-H ,\ \-\-dhcp\-set\-hostname
If specified, ndhc will update the system host name in response to any
hostname option field provided by a remote DHCP server on the request of
a ndhc client. If this option is not specified, ndhc will never change
the system hostname.
.TP
.BI \-S ,\ \-\-seccomp\-enforce
Enforces seccomp-based syscall whitelisting. System calls that ndhc and
ndhc-ifch are not expected to need are prohibited from being called if this
flag is set. The lists of allowed syscalls are hardcoded, and attempts
to call a non-listed syscall will result in the ndhc process being
terminated. As systems vary, it cannot be guaranteed that these system
call lists are accurate for your system, and thus seccomp filtering will
not be used unless this flag is set.
.TP
.BI \-w\ TIMEMS ,\ \-\-arp\-probe\-wait= TIMEMS
Adjusts the time that we wait for an ARP response when checking to see if
our lease assignment is already taken by an existing host. Default is
1000ms.
.TP
.BI \-W\ NUMPROBES ,\ \-\-arp\-probe\-num= NUMPROBES
Adjusts the number of ARP packets that we send when probing for collisions
with an existing host that is using our assigned IP. Once we have sent
the specified number of probe packets with no response, ndhc is willing
to believe that there is no colliding host. Default number is 3 probes.
.TP
.BI \-m\ TIMEMS ,\ \-\-arp\-probe\-min= TIMEMS
Adjusts the minimum time that we wait between sending probe packets. The
default is 1000ms. The precise inter-probe wait time is randomized.
.TP
.BI \-M\ TIMEMS ,\ \-\-arp\-probe\-max= TIMEMS
Adjusts the maximum time that we wait between sending probe packets. The
default is 2000ms. The precise inter-probe wait time is randomized.
.TP
.BI \-t\ GWMETRIC ,\ \-\-gw\-metric= GWMETRIC
Specifies the routing metric for the default gateway entry. Defaults to
0 if not specified. Higher values will de-prioritize the route entry.
.TP
.BI \-K\ RFKILLIDX ,\ \-\-rfkill\-idx= RFKILLIDX
If set, specifies the rfkill device index that corresponds to this interface.
ndhc will then listen for matching radio frequency kill switch events
and will bring the interface up and down in reaction to the events.
The rfkill devices can be found in /sys/class/rfkill/rfkill<RFKILLIDX>.
It may be useful to check the contents of the 'name' file within this
directory to determine the correct device index. In any event, if
an rfkill-idx parameter is specified, ndhc will print messages for any
rfkill events that it sees, so it should not be too difficult to locate
the proper rfkill device by checking the logs after hitting the switch.
.TP
.BI \-v ,\ \-\-version
Display the ndhc version number.
.SH SIGNALS
It is not necessary to sleep between sending signals, as signals received are
processed sequentially in the order they are received.
2010-11-12 04:02:18 -05:00
.B ndhc
responds to the following signals:
.TP
.B SIGUSR1
This signal causes
.B ndhc
to renew the current lease or, if it does not have one, obtain a
new lease.
.TP
.B SIGUSR2
This signal causes
2010-11-12 04:02:18 -05:00
.B ndhc
to release the current lease and go to sleep until it receives a SIGUSR1.
.SH NOTES
ndhc will seed its random number generator (used for generating xids)
by reading /dev/urandom. If you have a lot of embedded systems on the same
network, with no entropy, you can either seed /dev/urandom by a method of
your own, or doing the following on startup:
ifconfig eth0 > /dev/urandom
in order to seed /dev/urandom with some data (mac address) unique to your
system. If reading /dev/urandom fails, ndhc will fall back to seeding with
time(0).