Opened 7 months ago

Last modified 13 hours ago

#5438 reviewing defect

shared-network option takes precedence before option defined in client class

Reported by: wlodekwencel
Owned by: wlodek
Priority: medium
Milestone: Kea1.5
Component: classification
Version: git
Sensitive: no
Defect Severity: N/A
Sub-Project: DHCP
Estimated Difficulty: 0
Add Hours to Ticket: 0
Total Hours: 0
Internal?: no

Description

When kea6 is configured with a shared-network that contains an option, and a subnet (within that shared-network) which has an assigned class with the same option defined, Kea ignores the option defined in the class.

Example configuration:

{
    "Dhcp6":
    {
        "renew-timer":1000,
        "rebind-timer":2000,
        "preferred-lifetime":3000,
        "valid-lifetime":4000,
        "client-classes":[
        {
            "name":"Client_Class_1",
            "test":"substring(option[1].hex,8,2)==0xf2f1",
            "option-data":[
            {
                "csv-format":true,
                "code":23,
                "data":"2001:db8::888",
                "name":"dns-servers",
                "space":"dhcp6"
            }
            ]
        }
        ],
        "interfaces-config":
        {
            "interfaces":["eth2"]
        },
        "lease-database":
        {
            "type":"memfile"
        },
        "shared-networks":[
        {
            "name":"name-abc",
            "interface":"eth2",
            "option-data":[
            {
                "csv-format":true,
                "code":23,
                "data":"2001:db8::1",
                "name":"dns-servers",
                "space":"dhcp6"
            }
            ],
            "subnet6":[
            {
                "subnet":"2001:db8:a::/64",
                "client-class":"Client_Class_1",
                "pools":[
                {
                    "pool":"2001:db8:a::1-2001:db8:a::10"
                }
                ]
            }
            ]
        }
        ]
    }
}

The packet is evaluated correctly; option 23 has the value that is configured at the shared-network level, not what is in the class.

DEBUG [kea-dhcp6.eval/18704] EVAL_DEBUG_EQUAL Popping 0xF2F1 and 0xF2F1 pushing result 'true'
INFO  [kea-dhcp6.dhcp6/18704] EVAL_RESULT Expression Client_Class_1 evaluated to 1

but the message is created incorrectly:

DHCP6_RESPONSE_DATA responding with packet type 2 data is localAddr=[ff02::1:2]:547 remoteAddr=[fe80::800:27ff:fe00:1]:546
msgtype=2(ADVERTISE), transid=0xeda107
type=00001, len=00010: 00:03:00:01:66:55:44:33:f2:f1
type=00002, len=00014: 00:01:00:01:21:81:be:d4:08:00:27:19:b8:2a
type=00003(IA_NA), len=00040: iaid=39866, t1=1000, t2=2000,
options:
  type=00005(IAADDR), len=00024: address=2001:db8:a::1, preferred-lft=3000, valid-lft=4000
type=00023, len=00016: 2001:db8::1

Entire logs and network capture attached.

The number of subnets within the shared-network, or the number of shared-networks, makes no difference: the bug occurs.

When a client has a reservation with option X, it correctly overrides the option configured at the shared-network level.

Attachments (3)

kea.log (13.7 KB) - added by wlodekwencel 7 months ago.
capture.pcap (1.4 KB) - added by wlodekwencel 7 months ago.
configuration_file (1.7 KB) - added by wlodekwencel 7 months ago.

Change History (16)

comment:1 follow-up: Changed 7 months ago by fdupont

It is not incorrect as the current order is:

  • host reservation
  • subnet
  • shared-network
  • classes
  • global

Note ISC DHCP has a different order:

  • host reservation
  • classes
  • subnet
  • shared-network
  • global

IMHO it is why you are complaining.
Note that as Kea has class guards in subnets and shared-networks (and soon in pools, cf #5425) the Kea order makes sense (i.e., subnets and co can be considered as subdivisions of a class).

comment:2 in reply to: ↑ 1 Changed 7 months ago by wlodekwencel

Replying to fdupont:

It is not incorrect as the current order is:

  • host reservation
  • subnet
  • shared-network
  • classes
  • global

I don't think that is the way Kea works; options defined in a class take precedence over options in a subnet. So it's more like:

  • host reservation
  • shared-network
  • classes
  • subnet
  • global

comment:3 Changed 7 months ago by fdupont

I didn't invent the order: it is coded in Dhcpv4Srv::buildCfgOptionList(). BTW the Dhcpv6Srv version is different because it adds pools between host reservation and subnet (this means there is missing code and clearly missing tests from #5288: I give you the choice between reopening it or creating a new ticket).
About this ticket itself, I think the order should be clearer in the documentation.
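
To see why the ADVERTISE in the description carries 2001:db8::1, the following added example (not part of the ticket and not Kea code) resolves option 23 for the reported configuration under the two precedence orders listed in comment:1. The function names are hypothetical, the sample is a constructed reduction of the ticket's configuration, and host reservations, pools and required classes are not modelled.

```python
# Added illustration, not Kea code; helper names are hypothetical.
import json

# Precedence orders exactly as listed in comment:1, highest priority first.
KEA_ORDER = ["host", "subnet", "shared-network", "class", "global"]
ISC_DHCP_ORDER = ["host", "class", "subnet", "shared-network", "global"]

# Constructed sample: the ticket's config reduced to its option-data parts.
SAMPLE = json.loads("""
{"Dhcp6": {
  "client-classes": [
    {"name": "Client_Class_1",
     "option-data": [{"code": 23, "data": "2001:db8::888"}]}],
  "shared-networks": [
    {"name": "name-abc",
     "option-data": [{"code": 23, "data": "2001:db8::1"}],
     "subnet6": [
       {"subnet": "2001:db8:a::/64", "client-class": "Client_Class_1"}]}]}}
""")

def _opts(node):
    """Map option code -> data for one configuration scope."""
    return {o["code"]: o["data"] for o in node.get("option-data", [])}

def scopes_for(cfg, subnet_prefix, matched_classes):
    """Collect {scope: {code: data}}; first matching class wins (simplification)."""
    d6 = cfg["Dhcp6"]
    found = {"global": _opts(d6), "class": {}}
    for cls in d6.get("client-classes", []):
        if cls["name"] in matched_classes:
            for code, data in _opts(cls).items():
                found["class"].setdefault(code, data)
    for net in d6.get("shared-networks", []):
        for sub in net.get("subnet6", []):
            if sub["subnet"] == subnet_prefix:
                found["shared-network"], found["subnet"] = _opts(net), _opts(sub)
    return found

def resolve(cfg, subnet_prefix, matched_classes, code, order):
    """Return (winning_scope, value, shadowed_scopes) for one option code."""
    found = scopes_for(cfg, subnet_prefix, matched_classes)
    hits = [(s, found[s][code]) for s in order if code in found.get(s, {})]
    if not hits:
        return None, None, []
    return hits[0][0], hits[0][1], [s for s, _ in hits[1:]]

if __name__ == "__main__":
    for label, order in (("Kea", KEA_ORDER), ("ISC DHCP", ISC_DHCP_ORDER)):
        print(label, resolve(SAMPLE, "2001:db8:a::/64", {"Client_Class_1"}, 23, order))
```

The list of shadowed scopes is the useful part when auditing a configuration: any option code that appears there is defined in more than one place, and the value clients receive depends on the server's precedence order.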

comment:4 Changed 6 months ago by marcin

  • Milestone changed from Kea-proposed to Kea1.4

Per the meeting on November 30th moving to 1.4.0

comment:5 Changed 5 months ago by tomek

  • Component changed from Unclassified to classification

comment:6 Changed 7 weeks ago by fdupont

  • Owner set to wlodek
  • Status changed from new to assigned

Test v6.client.classification.shared-subnet-options-override.aggregated from v6.classification.options.feature.

I propose to fork this test with:

  • reversing the 2001:db8::888 vs 2001:db8::1 check
  • adding an only on required new class, moving the option data setting 2001:db8::1 to the new class and requiring it in the subnet.

The idea is that the subnet class takes precedence over classes but standard classes take precedence over required classes.

Giving the ticket to Wlodek for action and/or further questions.

comment:7 Changed 6 weeks ago by tomek

  • Milestone changed from Kea1.4 to Kea1.4-final

As discussed on 2018-05-10, moving to 1.4-final.

comment:8 follow-up: Changed 2 weeks ago by wlodekwencel

  • Owner changed from wlodek to fdupont

Why should changing the value from 2001:db8::888 to 2001:db8::1 make any difference?

Changed configuration from

{
    "Dhcp6":
    {
        "renew-timer":1000,
        "rebind-timer":2000,
        "preferred-lifetime":3000,
        "valid-lifetime":4000,
        "client-classes":[
        {
            "name":"Client_Class_1",
            "test":"substring(option[1].hex,8,2)==0xf2f1",
            "option-data":[
            {
                "csv-format":true,
                "code":23,
                "data":"2001:db8::888",
                "name":"dns-servers",
                "space":"dhcp6"
            }
            ]
        }
        ],
        "interfaces-config":
        {
            "interfaces":["enp0s9"]
        }
        ,
        "subnet6":[],
        "lease-database":
        {
            "type":"memfile"
        }
        ,
        "shared-networks":[
        {
            "name":"name-abc",
            "interface":"enp0s9",
            "option-data":[
            {
                "csv-format":true,
                "code":23,
                "data":"2001:db8::1",
                "name":"dns-servers",
                "space":"dhcp6"
            }
            ],
            "subnet6":[
            {
                "subnet":"2001:db8:a::/64",
                "client-class":"Client_Class_1",
                "pools":[
                {
                    "pool":"2001:db8:a::1-2001:db8:a::10"
                }
                ]
            }
            ,
            
            {
                "subnet":"2001:db8:b::/64",
                "pools":[
                {
                    "pool":"2001:db8:b::1-2001:db8:b::1"
                }
                ]
            }
            ]
        }
        ]
    }
    ,
    "Logging":
    {
        "loggers":[
        {
            "name":"kea-dhcp6",
            "output_options":[
            {
                "output":"/home/wlodek/installed/git/var/kea/kea.log"
            }
            ],
            "debuglevel":99,
            "severity":"DEBUG"
        }
        ]
    }
    
}

to

{
    "Dhcp6":
    {
        "renew-timer":1000,
        "rebind-timer":2000,
        "preferred-lifetime":3000,
        "valid-lifetime":4000,
        "client-classes":[
        {
            "name":"Client_Class_1",
            "test":"substring(option[1].hex,8,2)==0xf2f1",
            "only-if-required":true,
            "option-data":[
            {
                "csv-format":true,
                "code":23,
                "data":"2001:db8::888",
                "name":"dns-servers",
                "space":"dhcp6"
            }
            ]
        }
        ],
        "interfaces-config":
        {
            "interfaces":["enp0s9"]
        }
        ,
        "subnet6":[],
        "lease-database":
        {
            "type":"memfile"
        }
        ,
        "shared-networks":[
        {
            "name":"name-abc",
            "interface":"enp0s9",
            "option-data":[
            {
                "csv-format":true,
                "code":23,
                "data":"2001:db8::1",
                "name":"dns-servers",
                "space":"dhcp6"
            }
            ],
            "subnet6":[
            {
                "subnet":"2001:db8:a::/64",
                "client-class":"Client_Class_1",
                "require-client-classes":["Client_Class_1"],
                "pools":[
                {
                    "pool":"2001:db8:a::1-2001:db8:a::10"
                }
                ]
            }
            ,
            
            {
                "subnet":"2001:db8:b::/64",
                "pools":[
                {
                    "pool":"2001:db8:b::1-2001:db8:b::1"
                }
                ]
            }
            ]
        }
        ]
    }
    ,
    "Logging":
    {
        "loggers":[
        {
            "name":"kea-dhcp6",
            "output_options":[
            {
                "output":"/home/wlodek/installed/git/var/kea/kea.log"
            }
            ],
            "debuglevel":99,
            "severity":"DEBUG"
        }
        ]
    }
    
}

so adding this functionality doesn't solve the problem. Kea still won't assign the option defined in the class.

Also, you have to configure the subnet with two parameters:

            "subnet6":[
            {
                "subnet":"2001:db8:a::/64",
                "client-class":"Client_Class_1",
                "require-client-classes":["Client_Class_1"],
                "pools":[
                {
                    "pool":"2001:db8:a::1-2001:db8:a::10"
                }
                ]
            }

if you set it with just the new one:

            "subnet6":[
            {
                "subnet":"2001:db8:a::/64",
                "require-client-classes":["Client_Class_1"],
                "pools":[
                {
                    "pool":"2001:db8:a::1-2001:db8:a::10"
                }
                ]
            }

Classification for this subnet is not executed at all. Another two configuration parameters for classification? Isn't it too much?

comment:9 follow-up: Changed 12 days ago by fdupont

Remove the option-data from the shared-network.

comment:10 Changed 12 days ago by fdupont

  • Owner changed from fdupont to wlodek

comment:11 in reply to: ↑ 9 Changed 12 days ago by wlodekwencel

  • Owner changed from wlodek to fdupont

Replying to fdupont:

Remove the option-data from the shared-network.

That is not a solution, what if other subnets in shared-network will use this option?

I'll propose a full config when I'm back, so Monday or before.

comment:12 in reply to: ↑ 8 Changed 9 days ago by fdupont

  • Owner changed from fdupont to wlodek
  • Status changed from assigned to reviewing

Replying to wlodekwencel:
You are using a class to select the first subnet. I propose to keep it and to add a delayed class. Even though classes are now ordered by declaration, I swap the names.
I propose this configuration:

{
    "Dhcp6":
    {
        "renew-timer":1000,
        "rebind-timer":2000,
        "preferred-lifetime":3000,
        "valid-lifetime":4000,
        "client-classes":[
        {
            "name":"Client_Class_1",
            "test":"member('ALL')",
            "only-if-required": true,
            "option-data":[
            {
                "csv-format":true,
                "code":23,
                "data":"2001:db8::1",
                "name":"dns-servers",
                "space":"dhcp6"
            }
            ]
        },
        {
            "name":"Client_Class_2",
            "test":"substring(option[1].hex,8,2)==0xf2f1",
            "option-data":[
            {
                "csv-format":true,
                "code":23,
                "data":"2001:db8::888",
                "name":"dns-servers",
                "space":"dhcp6"
            }
            ]
        }
        ],
        "interfaces-config":
        {
            "interfaces":["enp0s9"]
        }
        ,
        "subnet6":[],
        "lease-database":
        {
            "type":"memfile"
        }
        ,
        "shared-networks":[
        {
            "name":"name-abc",
            "interface":"enp0s9",
            "require-client-classes":["Client_Class_1"],
            "subnet6":[
            {
                "subnet":"2001:db8:a::/64",
                "client-class":"Client_Class_2",
                "pools":[
                {
                    "pool":"2001:db8:a::1-2001:db8:a::10"
                }
                ]
            }
            ,
            
            {
                "subnet":"2001:db8:b::/64",
                "pools":[
                {
                    "pool":"2001:db8:b::1-2001:db8:b::1"
                }
                ]
            }
            ]
        }
        ]
    }
    ,
    "Logging":
    {
        "loggers":[
        {
            "name":"kea-dhcp6",
            "output_options":[
            {
                "output":"/home/wlodek/installed/git/var/kea/kea.log"
            }
            ],
            "debuglevel":99,
            "severity":"DEBUG"
        }
        ]
    }
    
}

Explanation: instead of applying the option-data in the shared network, it was moved to a delayed class. Classes are added to the incoming packet when they are successfully evaluated, so even if the delayed class is declared first it is by definition evaluated later. The test expression is always true: the class depends only on the shared network selection.

comment:13 Changed 13 hours ago by tomek

  • Milestone changed from Kea1.4-final to Kea1.5

Moving tickets under review to 1.5.