[Dnsmasq-discuss] Execute external commands on DHCP lease allocation / deallocation
Simon Kelley
simon at thekelleys.org.uk
Mon Apr 24 21:03:47 BST 2006
Fabio Muzzi wrote:
> Hello dnsmasq-discuss,
>
> Hi everyone.
>
> I have just subscribed to this list. I have read through the archives
> and found that I'm not the first to ask for some sort of external script
> execution on DHCP leases status changes.
>
> I'm trying to set up a network for a hotel, which will allow for free
> access, but needs authentication and logging because italian law
> requires the owner of the network to log every activity and identify
> customers (yes, we live in some sort of "1984" nightmare).
I think this is an EU-wide 1984 nightmare. It's still a nightmare.
>
> Anyway, I absolutely need a DHCP server that runs some script when DHCP
> leases are handed out to clients and when they expire, to allow for my
> firewall rules to be dynamically modified.
>
> Ideally, the script should get the ip address and MAC address passed as
> parameters from the DHCP server, so I can create firewall rules based on
> the IP/MAC pairs.
>
> I have looked for such a feature in the DHCP server I know about, but
> found nothing even in the full-featured ISC DHCP server v3.
>
> Since I am a happy user of Dnsmasq in over 20 installations, I thought
> "Hey, why not ask for such a feature to be added to this great
> software?"
>
This has been asked for before, and I've always said "no", it would be
better to use DBus for IPC. However, as far as I can see nobody uses
DBus for that, so maybe I'm wrong.
Just as an experiment, I tried to implement an external script. It's not
quite as easy as it looks: you need to call "new lease" for every lease
in the database when dnsmasq starts up, and that can be a lot of leases.
If you just fork processes and run them asynchronously, then starting
dnsmasq when it has a few hundred leases generates a flood of hundreds
of child processes running the script. That would swamp a small machine,
and it makes the script much more difficult to write, if it has to lock
against concurrent execution.
My second attempt serialises script execution: it waits for the first
child process to die before launching another one. That works much
better, but it needs more work to use the lease records to keep
information about script execution. (You can't throw away a lease record
when it expires until you've run the script.)
The final result adds <100 lines of code, and seems to work quite well.
I'll send it off-list to Fabio for him to try. The script gets called
with three or four arguments:
"add" or "del" for lease creation or expiry
MAC address
IP address
hostname (if available)
The old problem of userid still exists. A default dnsmasq installation
will call the script as user "nobody". If it needs to do root stuff,
either the script will need to play games with sudo, or setuid binaries,
or (probably better) dnsmasq will have to be told not to drop root.
Cheers,
Simon.
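An added example of the kind of script the calling convention above would drive; it is not the patch Simon sent Fabio and not dnsmasq's own code. It takes the arguments the mail lists ("add" or "del", MAC address, IP address, optional hostname), validates the two address fields before splicing them into a firewall command, applies an iptables rule keyed on the IP/MAC pair, and appends an audit line. The chain name `dhcp_clients`, the log path, the iptables location and the use of iptables' `-m mac --mac-source` match are all assumptions for illustration.

```shell
#!/bin/sh
# Example dhcp lease-change script (added illustration, not dnsmasq code).
# Invoked as:  script add|del MAC IP [hostname]
# Chain, log file and iptables path are assumptions; override via the environment.
IPTABLES="${IPTABLES:-/sbin/iptables}"
CHAIN="${CHAIN:-dhcp_clients}"
LOGFILE="${LOGFILE:-/var/log/dhcp-leases.log}"

# The MAC, IP and hostname all originate in the client's DHCP traffic, so
# every field is checked before it reaches a firewall command or the log.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

valid_ip() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS; IFS=.
    set -- $1          # split into octets (safe: the regex above allowed only digits and dots)
    IFS=$oldifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Map the lease action to an iptables operation; anything else is rejected.
firewall_op() {
    case "$1" in
        add) printf '%s\n' -A ;;
        del) printf '%s\n' -D ;;
        *)   return 1 ;;
    esac
}

# handle_lease ACTION MAC IP [HOSTNAME]
# Validates, adds or removes the ACCEPT rule for the IP/MAC pair in $CHAIN,
# then records the event. Returns non-zero and touches nothing on bad input.
handle_lease() {
    action=$1; mac=$2; ip=$3; host=${4:-}
    valid_mac "$mac" || { printf 'bad MAC: %s\n' "$mac" >&2; return 1; }
    valid_ip "$ip"   || { printf 'bad IP: %s\n' "$ip" >&2; return 1; }
    op=$(firewall_op "$action") || { printf 'bad action: %s\n' "$action" >&2; return 1; }
    "$IPTABLES" "$op" "$CHAIN" -s "$ip" -m mac --mac-source "$mac" -j ACCEPT || return 1
    # The hostname is whatever the client put in its request: keep only a
    # conservative character set so it cannot inject newlines or extra fields
    # into the audit log that the hotel must retain.
    safe_host=$(printf '%s' "$host" | tr -cd 'A-Za-z0-9.-')
    printf '%s %s %s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$action" "$mac" "$ip" "${safe_host:--}" >> "$LOGFILE"
}

# When run with arguments (as dnsmasq would run it), dispatch; with none, the
# functions are merely defined so the file can be sourced.
if [ $# -gt 0 ]; then
    handle_lease "$@"
    exit $?
fi
```

Two points from the mail carry over into the design. The script takes no lock of its own because the second attempt Simon describes serialises script execution, so there is never more than one instance running at a time. And iptables needs root, which is exactly the userid problem at the end of the mail: either dnsmasq is told not to drop root before running this, or the `$IPTABLES` invocation has to go through sudo.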