; The general section contains settings of nfd process.
general
{
; Specify a user and/or group for NFD to drop privileges to
; when not performing privileged tasks. NFD does not drop
; privileges by default: if it is started as root and these two
; lines stay commented out, the whole process keeps running as
; root. Uncomment and set both values whenever NFD is started
; as root (e.g. to bind raw sockets or the default socket path).
; user ndn-user
; group ndn-user
}
log
{
; default_level specifies the logging level for modules
; that are not explicitly named. All debugging levels
; listed above the selected value are enabled.
;
; Valid values:
;
; NONE ; no messages
; ERROR ; error messages
; WARN ; warning messages
; INFO ; informational messages (default)
; DEBUG ; debugging messages
; TRACE ; trace messages (most verbose)
; ALL ; all messages
default_level INFO
; You may override default_level by assigning a logging level
; to the desired module name. Module names can be found in two ways:
;
; Run:
; nfd --modules
;
; Or look for NFD_LOG_INIT(<module name>) statements in source files.
; Note that the "nfd." prefix can be omitted.
;
; Example module-level settings:
;
; FibManager DEBUG
; Forwarder INFO
}
; The tables section configures the CS, PIT, FIB, Strategy Choice, and Measurements
tables
{
; ContentStore size limit in number of packets
; default is 65536, about 500MB with 8KB packet size
cs_max_packets 65536
; Set the CS replacement policy.
; Available policies are: priority_fifo, lru
cs_policy lru
; Set a policy to decide whether to cache or drop unsolicited Data.
; Available policies are: drop-all, admit-local, admit-network, admit-all
; Unsolicited Data is Data that no pending Interest asked for, so any
; admit-* policy lets a peer push content into this node's cache; keep
; drop-all unless a specific application needs otherwise.
cs_unsolicited_policy drop-all
; Set the forwarding strategy for the specified prefixes:
; <prefix> <strategy>
strategy_choice
{
/ /localhost/nfd/strategy/best-route
/localhost /localhost/nfd/strategy/multicast
/localhost/nfd /localhost/nfd/strategy/best-route
/ndn/broadcast /localhost/nfd/strategy/multicast
}
; Declare network region names
; These are used for mobility support. An Interest carrying a Link object is
; assumed to have reached the producer region if any delegation name in the
; Link object is a prefix of any region name.
network_region
{
; /example/region1
; /example/region2
}
}
; The face_system section defines what faces and channels are created.
face_system
{
; This section contains options that apply to multiple face protocols.
general
{
enable_congestion_marking yes ; set to 'no' to disable congestion marking on supported faces, default 'yes'
}
; The unix section contains settings for Unix stream faces and channels.
; A Unix channel is always listening; delete the unix section to disable
; Unix stream faces and channels.
; Any local process that can connect to the socket path can send
; management commands to NFD (subject to the authorizations section
; below), so do not relax the filesystem permissions of the socket.
;
; The ndn-cxx library expects unix:///var/run/nfd.sock to be used as
; the default transport option. Please change the "transport" field
; in client.conf to an appropriate tcp4 FaceUri if you want to
; disable Unix sockets and use TCP instead.
unix
{
path /var/run/nfd.sock ; Unix stream listener path
}
; The tcp section contains settings for TCP faces and channels.
; With "listen yes", NFD accepts TCP connections on this port from any
; host that can reach it; use a host firewall if this node should only
; talk to known neighbors.
tcp
{
listen yes ; set to 'no' to disable TCP listener, default 'yes'
port 6363 ; TCP listener port number
enable_v4 yes ; set to 'no' to disable IPv4 channels, default 'yes'
enable_v6 yes ; set to 'no' to disable IPv6 channels, default 'yes'
; A TCP face has local scope if the local and remote IP addresses match the whitelist but not the blacklist.
; Local-scope faces are the ones allowed to reach the /localhost management prefixes, so
; widening this whitelist beyond loopback extends that trust to the listed remote hosts.
local
{
whitelist
{
subnet 127.0.0.0/8
subnet ::1/128
}
blacklist
{
}
}
}
; The udp section contains settings for UDP faces and channels.
udp
{
; UDP unicast settings.
listen yes ; set to 'no' to disable UDP listener, default 'yes'
port 6363 ; UDP listener port number
enable_v4 yes ; set to 'no' to disable IPv4 channels, default 'yes'
enable_v6 yes ; set to 'no' to disable IPv6 channels, default 'yes'
; Time (in seconds) before closing an idle UDP unicast face.
; The actual timeout will occur anytime between idle_timeout and 2*idle_timeout.
; The default is 600 (10 minutes).
idle_timeout 600
; UDP multicast settings.
; By default, NFD creates one UDP multicast face per NIC.
;
; In multi-homed Linux machines these settings will NOT work without
; root or setting the appropriate permissions (note that a file
; capability set this way applies to every user who can execute the
; binary, so keep the binary's execute permission restricted):
;
; sudo setcap cap_net_raw=eip /path/to/nfd
;
mcast yes ; set to 'no' to disable UDP multicast, default 'yes'
mcast_group 224.0.23.170 ; UDP multicast group (IPv4)
mcast_port 56363 ; UDP multicast port number (IPv4)
mcast_group_v6 ff02::1234 ; UDP multicast group (IPv6)
mcast_port_v6 56363 ; UDP multicast port number (IPv6)
mcast_ad_hoc no ; set to 'yes' to make all UDP multicast faces "ad hoc", default 'no'
; Whitelist and blacklist can contain, in no particular order:
; - interface names, including wildcard patterns (e.g., 'ifname eth0', 'ifname en*', 'ifname wlp?s0')
; - MAC addresses (e.g., 'ether 85:3b:4d:d3:5f:c2')
; - IPv4 subnets (e.g., 'subnet 192.0.2.0/24')
; - IPv6 subnets (e.g., 'subnet 2001:db8::/32')
; - a single asterisk ('*') that matches all interfaces
; By default, all interfaces are whitelisted, i.e. a multicast face is created on
; every NIC, including any that faces an untrusted network; blacklist such interfaces here.
whitelist
{
*
}
blacklist
{
}
}
; The ether section contains settings for Ethernet faces and channels.
; These settings will NOT work without root or setting the appropriate
; permissions:
;
; sudo setcap cap_net_raw,cap_net_admin=eip /path/to/nfd
;
; You may need to install a package to use setcap:
;
; **Ubuntu:**
;
; sudo apt-get install libcap2-bin
;
; **Mac OS X:**
;
; curl https://bugs.wireshark.org/bugzilla/attachment.cgi?id=3373 -o ChmodBPF.tar.gz
; tar zxvf ChmodBPF.tar.gz
; open ChmodBPF/Install\ ChmodBPF.app
;
; or manually (this grants raw packet capture on all interfaces to every
; member of the admin group, not only to NFD):
;
; sudo chgrp admin /dev/bpf*
; sudo chmod g+rw /dev/bpf*
;
@IF_HAVE_LIBPCAP@ether
@IF_HAVE_LIBPCAP@{
@IF_HAVE_LIBPCAP@ ; Ethernet unicast settings.
@IF_HAVE_LIBPCAP@ listen yes ; set to 'no' to disable Ethernet listener, default 'yes'
@IF_HAVE_LIBPCAP@
@IF_HAVE_LIBPCAP@ ; Time (in seconds) before closing an idle Ethernet unicast face.
@IF_HAVE_LIBPCAP@ ; The actual timeout will occur anytime between idle_timeout and 2*idle_timeout.
@IF_HAVE_LIBPCAP@ ; The default is 600 (10 minutes).
@IF_HAVE_LIBPCAP@ idle_timeout 600
@IF_HAVE_LIBPCAP@
@IF_HAVE_LIBPCAP@ ; Ethernet multicast settings.
@IF_HAVE_LIBPCAP@ ; By default, NFD creates one Ethernet multicast face per NIC.
@IF_HAVE_LIBPCAP@ mcast yes ; set to 'no' to disable Ethernet multicast, default 'yes'
@IF_HAVE_LIBPCAP@ mcast_group 01:00:5E:00:17:AA ; Ethernet multicast group
@IF_HAVE_LIBPCAP@ mcast_ad_hoc no ; set to 'yes' to make all Ethernet multicast faces "ad hoc", default 'no'
@IF_HAVE_LIBPCAP@
@IF_HAVE_LIBPCAP@ ; Whitelist and blacklist can contain, in no particular order:
@IF_HAVE_LIBPCAP@ ; - interface names, including wildcard patterns (e.g., 'ifname eth0', 'ifname en*', 'ifname wlp?s0')
@IF_HAVE_LIBPCAP@ ; - MAC addresses (e.g., 'ether 85:3b:4d:d3:5f:c2')
@IF_HAVE_LIBPCAP@ ; - IPv4 subnets (e.g., 'subnet 192.0.2.0/24')
@IF_HAVE_LIBPCAP@ ; - IPv6 subnets (e.g., 'subnet 2001:db8::/32')
@IF_HAVE_LIBPCAP@ ; - a single asterisk ('*') that matches all interfaces
@IF_HAVE_LIBPCAP@ ; By default, all interfaces are whitelisted, i.e. a multicast face is created on
@IF_HAVE_LIBPCAP@ ; every NIC, including any that faces an untrusted network; blacklist such interfaces here.
@IF_HAVE_LIBPCAP@ whitelist
@IF_HAVE_LIBPCAP@ {
@IF_HAVE_LIBPCAP@ *
@IF_HAVE_LIBPCAP@ }
@IF_HAVE_LIBPCAP@ blacklist
@IF_HAVE_LIBPCAP@ {
@IF_HAVE_LIBPCAP@ }
@IF_HAVE_LIBPCAP@}
; The websocket section contains settings for WebSocket faces and channels.
; This listener is bound on every local address (IPv4 and IPv6 by default)
; and the section offers no transport-security option, so restrict it with
; a firewall or set "listen no" when browser clients are not needed.
@IF_HAVE_WEBSOCKET@websocket
@IF_HAVE_WEBSOCKET@{
@IF_HAVE_WEBSOCKET@ listen yes ; set to 'no' to disable WebSocket listener, default 'yes'
@IF_HAVE_WEBSOCKET@ port 9696 ; WebSocket listener port number
@IF_HAVE_WEBSOCKET@ enable_v4 yes ; set to 'no' to disable listening on IPv4 socket, default 'yes'
@IF_HAVE_WEBSOCKET@ enable_v6 yes ; set to 'no' to disable listening on IPv6 socket, default 'yes'
@IF_HAVE_WEBSOCKET@}
}
; The authorizations section grants privileges to authorized keys.
authorizations
{
; An authorize section grants privileges to an NDN certificate.
authorize
{
; If you do not already have an NDN certificate, you can generate
; one with the following commands.
;
; 1. Generate and install a self-signed identity certificate:
;
; ndnsec-keygen /`whoami` | ndnsec-install-cert -
;
; Note that the argument to ndnsec-keygen will be the identity name of the
; new key (in this case, /your-username). Identities are hierarchical NDN
; names and may have multiple components (e.g. `/ndn/ucla/edu/alice`).
; You may create additional keys and identities as you see fit.
;
; 2. Dump the NDN certificate to a file:
;
; sudo mkdir -p @SYSCONFDIR@/ndn/keys/
; ndnsec-cert-dump -i /`whoami` > default.ndncert
; sudo mv default.ndncert @SYSCONFDIR@/ndn/keys/default.ndncert
;
; The "certfile" field below names the certificate file that NFD trusts
; for management commands; a relative path is resolved against the
; directory containing this config file. Either move your newly created
; certificate to the location it specifies, or point it at the
; certificate's actual path.
; certfile keys/default.ndncert ; NDN identity certificate file
certfile any ; "any" authorizes command interests signed under any certificate,
; i.e., no actual validation. This is suitable only for a single-user test
; machine: every process that can reach a local-scope face (the Unix socket
; or the loopback TCP whitelist above) can then exercise all the privileges
; listed below. On a shared or production host, replace "any" with the path
; of a real certificate (see the commented certfile line above).
privileges ; set of privileges granted to this identity
{
faces
fib
cs
strategy-choice
}
}
; You may have multiple authorize sections that specify additional
; certificates and their privileges.
; authorize
; {
; certfile keys/this_cert_does_not_exist.ndncert
; authorize
; privileges
; {
; faces
; }
; }
}
rib
{
; The following localhost_security allows anyone on the local machine to register
; routing entries in the local RIB without any signature validation. To restrict
; this, replace "type any" with a file trust-anchor and rules as shown in the
; localhop_security example below.
localhost_security
{
trust-anchor
{
type any
}
}
; localhop_security should be enabled when NFD runs on a hub.
; The "/localhop/nfd/rib" command prefix will be disabled when the localhop_security section is missing.
; localhop_security
; {
; ; This section defines the trust model for NFD RIB Management. It consists of rules and
; ; trust-anchors, which are briefly defined in this file. For more information refer to
; ; validator configuration file format documentation:
; ;
; ; https://named-data.net/doc/ndn-cxx/current/tutorials/security-validator-config.html
; ;
; ; A trust-anchor is a pre-trusted certificate. This can be any certificate that is the
; ; root of certification chain (e.g., NDN testbed root certificate) or an existing
; ; default system certificate `default.ndncert`.
; ;
; ; A rule defines conditions a valid packet MUST have. A packet must satisfy one of the
; ; rules defined here. A rule can be broken into two parts: matching & checking. A packet
; ; will be matched against rules from the first to the last until a matched rule is
; ; encountered. The matched rule will be used to check the packet. If a packet does not
; ; match any rule, it will be treated as invalid. The matching part of a rule consists
; ; of `for` and `filter` sections. They collectively define which packets can be checked
; ; with this rule. `for` defines packet type (data or interest) and `filter` defines
; ; conditions on other properties of a packet. Right now, you can only define conditions
; ; on packet name, and you can only specify ONLY ONE filter for packet name. The
; ; checking part of a rule consists of `checker`, which defines the conditions that a
; ; VALID packet MUST have. See comments in checker section for more details.
;
; rule
; {
; id "RIB Registration Command Rule"
; for interest ; rule for Interests (to validate CommandInterests)
; filter
; {
; type name ; condition on interest name (w/o SignatureInfo/SignatureValue)
; regex ^[<localhop><localhost>]<nfd><rib>[<register><unregister>]<><><>$
; }
; checker
; {
; type customized
; sig-type rsa-sha256 ; interest must have a rsa-sha256 signature
; key-locator
; {
; type name ; key locator must be the certificate name of the
; ; signing key
; regex ^<>*<KEY><>$
; }
; }
; }
; rule
; {
; id "NDN Testbed Hierarchy Rule"
; for data ; rule for Data (to validate NDN certificates)
; filter
; {
; type name ; condition on data name
; regex ^<>*<KEY><><><>$
; }
; checker
; {
; type hierarchical ; the certificate name of the signing key and
; ; the data name must follow the hierarchical model
; sig-type rsa-sha256 ; data must have a rsa-sha256 signature
; }
; }
; trust-anchor
; {
; type file
; file-name keys/default.ndncert ; the file name, by default this file should be placed in the
; ; same folder as this config file.
; }
; ; trust-anchor ; Can be repeated multiple times to specify multiple trust anchors
; ; {
; ; type file
; ; file-name keys/ndn-testbed.ndncert
; ; }
; }
; The following localhop_security variant accepts all remote registrations without
; any signature validation and is only a short-term solution for a hub: any directly
; connected neighbor can then register or unregister arbitrary prefixes in this
; node's RIB. Prefer the rule-based localhop_security above with a real trust anchor.
; localhop_security
; {
; trust-anchor
; {
; type any
; }
; }
auto_prefix_propagate
{
cost 15 ; forwarding cost of prefix registered on remote router
timeout 10000 ; timeout (in milliseconds) of prefix registration command for propagation
refresh_interval 300 ; interval (in seconds) before refreshing the propagation
; This setting should be less than face_system.udp.idle_timeout,
; so that the face is kept alive on the remote router.
base_retry_wait 50 ; base wait time (in seconds) before retrying propagation
max_retry_wait 3600 ; maximum wait time (in seconds) before retrying propagation
; for consequent retries, the wait time before each retry is calculated based on the back-off
; policy. Initially, the wait time is set to base_retry_wait, then it will be doubled for every
; retry unless beyond the max_retry_wait, in which case max_retry_wait is set as the wait time.
}
; If enabled, routes registered with origin=client (typically from auto_prefix_propagate)
; will be readvertised into local NLSR daemon.
readvertise_nlsr no
}