| @@ -33,9 +33,13 @@ The `--queue-bypass` will tell iptables to continue to forward packets if DHCP P | |||
| ## Example IPv4 | |||
| `iptables -A INPUT -p udp -m udp --dport 67 -j NFQUEUE --queue-num 67 --queue-bypass` | |||
| `iptables -A OUTPUT -p udp -m udp --sport 67 -j NFQUEUE --queue-num 67 --queue-bypass` (optional for accounting) | |||
| ## Example IPv6 | |||
| `ip6tables -A INPUT -p udp -m udp --dport 547 -j NFQUEUE --queue-num 67 --queue-bypass` | |||
| `ip6tables -A OUTPUT -p udp -m udp --sport 547 -j NFQUEUE --queue-num 67 --queue-bypass` (optional for accounting) | |||
| # Configuration | |||
| The configuration file may be tuned, but the defaults should be fine. | |||
| ``` | |||
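Review bot: the iptables examples use `-A` (append) without saying where the rule must sit; if an earlier rule in INPUT already accepts UDP/67 (or UDP/547), the packets never reach NFQUEUE and the daemon sees nothing, so the text should either use `-I` or state that the NFQUEUE rule has to precede any ACCEPT for those ports. The sentence introducing `--queue-bypass` should also state the consequence plainly: with bypass enabled, a stopped or crashed dhcp_protect means DHCP traffic is forwarded unfiltered (fail-open), which is the right default for availability but is worth spelling out for operators who expect fail-closed behaviour. Minor: both the IPv4 and IPv6 rules share `--queue-num 67`; a sentence confirming that one daemon instance drains both families from that queue would avoid the question.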
| @@ -67,6 +71,13 @@ queue=67 | |||
| # actions. | |||
| # Set to 0 for production. | |||
| dryrun=0 | |||
| # stats file and interval (seconds) | |||
| # the stats file will be overwritten every n seconds | |||
| # as defined below. The counters are absolute AND | |||
| # relative (both included). | |||
| stats_file=/var/run/dhcp_protect_status.json | |||
| stats_interval=10 | |||
| ``` | |||
| # Starting / Stopping | |||
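Review bot: the new `stats_file` / `stats_interval` options should document whether the status file is written atomically (write to a temporary file and rename), because a reader that opens `/var/run/dhcp_protect_status.json` during the periodic rewrite can otherwise see a truncated or empty document; if the write is not atomic, say so and recommend consumers retry on parse failure. The comment `# the stats file will be overwritten every n seconds as defined below. The counters are absolute AND relative (both included).` should also say what "relative" is relative to (the previous update interval), since the JSON keys `abs` and `rel` are not self-explanatory. Finally, the comment `# Set to 0 for production.` above `dryrun=0` describes the value that is already the default; either state that 0 is the default or phrase it as "set to 1 to test without blacklisting".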
| @@ -76,12 +87,74 @@ root@hostname:~/# systemd <start|stop|restart> dhcp_protect | |||
| # Logging / Accounting | |||
| ## Syslog | |||
| The program will log every blacklisting action to syslog (also in dryrun mode). | |||
| ``` | |||
| Oct 23 16:50:18 router dhcp_protect[9706]: 00000000021b: blacklisting started | |||
| Oct 23 16:52:18 router dhcp_protect[9706]: 00000000021b: blacklisting ended | |||
| ``` | |||
| ## Status | |||
| DHCP Protect will update its status in `stats_file` every `stats_interval` seconds. This is a JSON file containing the UNIX timestamp when the file was created/updated, absolute and relative (relative to late update) counters of all different DHCPv4/DHCPv6 messages types and the current blacklist entries. | |||
| For example: | |||
| ``` | |||
| root@dhcp:~# cat /var/run/dhcp_protect_status.json | json_pp | |||
| { | |||
| "dhcpv4" : { | |||
| "DISCOVER" : { | |||
| "abs" : 2, | |||
| "rel" : 0 | |||
| }, | |||
| "ACK" : { | |||
| "rel" : 0, | |||
| "abs" : 52 | |||
| }, | |||
| "REQUEST" : { | |||
| "rel" : 0, | |||
| "abs" : 52 | |||
| }, | |||
| "OFFER" : { | |||
| "rel" : 0, | |||
| "abs" : 1 | |||
| } | |||
| }, | |||
| "timestamp" : 1572204894, | |||
| "blacklist" : [], | |||
| "dhcpv6" : { | |||
| "RECONFIGURE-REQUEST" : { | |||
| "abs" : 61, | |||
| "rel" : 0 | |||
| }, | |||
| "SOLICIT" : { | |||
| "rel" : 0, | |||
| "abs" : 83 | |||
| }, | |||
| "RELEASE" : { | |||
| "rel" : 0, | |||
| "abs" : 6 | |||
| }, | |||
| "DECLINE" : { | |||
| "abs" : 61, | |||
| "rel" : 0 | |||
| }, | |||
| "RENEW" : { | |||
| "rel" : 0, | |||
| "abs" : 22 | |||
| }, | |||
| "REBIND" : { | |||
| "rel" : 0, | |||
| "abs" : 2 | |||
| }, | |||
| "RELAY-FORW" : { | |||
| "rel" : 0, | |||
| "abs" : 61 | |||
| } | |||
| } | |||
| } | |||
| ``` | |||
| # Copyright / License | |||
| ``` | |||
| Copyright 2019 Pascal Gloor | |||
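Review bot: the hunk's context line `root@hostname:~/# systemd <start|stop|restart> dhcp_protect` invokes the wrong binary; the service manager CLI is `systemctl`, so this should read `systemctl <start|stop|restart> dhcp_protect` (a `systemctl status dhcp_protect` example would also be useful alongside the syslog section). In the Syslog section, the `00000000021b:` prefix in `dhcp_protect[9706]: 00000000021b: blacklisting started` is never explained; say what it identifies (the blacklisted client, the DHCP transaction, or something else) and in what encoding, because operators will want to correlate it with the `blacklist` array in the status file. Wording in the Status paragraph: "relative to late update" should be "relative to the last update", and "DHCPv4/DHCPv6 messages types" should be "DHCPv4/DHCPv6 message types".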