Fabio Muzzi wrote:
> Hello dnsmasq-discuss,
>
> Hi everyone.
>
> I have just subscribed to this list. I have read through the archives
> and found that I'm not the first to ask for some sort of external script
> execution on DHCP lease status changes.
>
> I'm trying to set up a network for a hotel, which will allow for free
> access, but needs authentication and logging because Italian law
> requires the owner of the network to log every activity and identify
> customers (yes, we live in some sort of "1984" nightmare).
I think this is an EU-wide 1984 nightmare. It's still a nightmare.

> Anyway, I absolutely need a DHCP server that runs some script when DHCP
> leases are handed out to clients and when they expire, to allow for my
> firewall rules to be dynamically modified.
>
> Ideally, the script should get the IP address and MAC address passed as
> parameters from the DHCP server, so I can create firewall rules based on
> the IP/MAC pairs.
>
> I have looked for such a feature in the DHCP servers I know about, but
> found nothing even in the full-featured ISC DHCP server v3.
>
> Since I am a happy user of Dnsmasq in over 20 installations, I thought
> "Hey, why not ask for such a feature to be added in this great
> software?"

This has been asked for before, and I've always said "no", it would be better to use DBus for IPC. However, as far as I can see nobody uses DBus for that, so maybe I'm wrong.

Just as an experiment, I tried to implement an external script. It's not quite as easy as it looks: you need to call "new lease" for every lease in the database when dnsmasq starts up, and that can be a lot of leases. If you just fork processes and run them asynchronously, then starting dnsmasq when it has a few hundred leases generates a flood of hundreds of child processes running the script. That would swamp a small machine, and it makes the script much more difficult to write, if it has to lock against concurrent execution.

My second attempt serialises script execution: it waits for the first child process to die before launching another one. That works much better, but it needs more work to use the lease records to keep information about script execution. (You can't throw away a lease record when it expires until you've run the script.)

The final result adds <100 lines of code, and seems to work quite well. I'll send it off-list to Fabio for him to try.
The script gets called with three or four arguments:

  "add" or "del" for lease creation or expiry
  MAC address
  IP address
  hostname (if available)

The old problem of userid still exists. A default dnsmasq installation will call the script as user "nobody". If it needs to do root stuff, either the script will need to play games with sudo, or setuid binaries, or (probably better) dnsmasq will have to be told not to drop root.

Cheers,

Simon.
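A hook script shaped to the interface Simon describes (add|del, MAC, IP, optional hostname), added here as an example and not code from the thread or from dnsmasq. The FIREWALL_CMD and LEASE_LOG variables, the function names and the FORWARD-chain rule form are assumptions; the point is that the arguments come from DHCP clients and are validated before they reach a command line or the log.

```shell
#!/bin/sh
# Hypothetical lease-event hook: invoked as  <script> add|del <MAC> <IP> [hostname]
# Added example, not dnsmasq's own code. FIREWALL_CMD and LEASE_LOG are assumed names;
# set FIREWALL_CMD=echo to print the rules instead of applying them.
LEASE_LOG="${LEASE_LOG:-/var/log/dhcp-leases.log}"
FIREWALL_CMD="${FIREWALL_CMD:-iptables}"

# The MAC and IP are client-influenced input: accept only the exact shapes expected.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Map a lease event to the firewall rule it needs; prints the rule, does not run it.
# Usage: lease_rule add|del <MAC> <IP>   (returns 1 on an unknown action or bad input)
lease_rule() {
    case "$1" in
        add) op=-A ;;
        del) op=-D ;;
        *)   return 1 ;;
    esac
    valid_mac "$2" && valid_ipv4 "$3" || return 1
    # One rule per IP/MAC pair: a host that spoofs only one of the two is not matched.
    printf '%s FORWARD -s %s -m mac --mac-source %s -j ACCEPT\n' "$op" "$3" "$2"
}

# Entry point: reject bad input, log the event (the logging requirement from the
# thread), then apply the rule. The hostname is client-supplied, so it is reduced
# to a safe character set before it is written to the log.
handle_lease_event() {
    rule=$(lease_rule "$1" "$2" "$3") || { echo "rejected lease event: $*" >&2; return 1; }
    host=$(printf '%s' "${4:--}" | tr -c 'A-Za-z0-9._-' '_')
    printf '%s %s mac=%s ip=%s host=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" "$3" "$host" >> "$LEASE_LOG"
    # Intentional word splitting: $rule is built only from validated fields above.
    $FIREWALL_CMD $rule
}

# Run only when dnsmasq invokes the script with its arguments.
if [ "$#" -ge 3 ]; then
    handle_lease_event "$@"
fi
```

Because dnsmasq serialises script runs (per the message above), the script itself needs no locking, but it still runs as "nobody" unless dnsmasq is told to keep root, so FIREWALL_CMD must be something that user is permitted to run.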
