-
Notifications
You must be signed in to change notification settings - Fork 154
/
nfd.conf.sample.in
470 lines (435 loc) · 16.6 KB
/
nfd.conf.sample.in
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
; The general section contains global settings for the nfd process.
general
{
; Specify a user and/or group for NFD to drop privileges to
; when not performing privileged tasks. NFD does not drop
; privileges by default.
; user ndn-user
; group ndn-user
}
log
{
; default_level specifies the logging level for modules
; that are not explicitly named. All debugging levels
; listed above the selected value are enabled.
;
; Valid values:
;
; NONE ; no messages
; ERROR ; error messages
; WARN ; warning messages
; INFO ; informational messages (default)
; DEBUG ; debugging messages
; TRACE ; trace messages (most verbose)
; ALL ; all messages
default_level INFO
; You may override default_level by assigning a logging level
; to the desired module name. Module names can be found in two ways:
;
; Run:
; nfd --modules
;
; Or look for NFD_LOG_INIT(<module name>) statements in source files.
; Note that the "nfd." prefix can be omitted.
;
; Example module-level settings:
;
; FibManager DEBUG
; Forwarder INFO
}
; The forwarder section contains settings that affect the core forwarding behavior of nfd.
forwarder
{
; Specify the HopLimit that is added to incoming Interests without a HopLimit element.
; A value of 0 disables adding the HopLimit.
; Must be between 0 and 255. The default is 0.
default_hop_limit 0
}
; The tables section configures the CS, PIT, FIB, Strategy Choice, and Measurements
tables
{
; Content Store capacity limit in number of packets.
; The default is 65536, equivalent to about 500MB with 8KB packet size.
cs_max_packets 65536
; Content Store replacement policy.
; Available policies are: priority_fifo, lru
cs_policy lru
; Set a policy to decide whether to cache or drop unsolicited Data.
; Available policies are: drop-all, admit-local, admit-network, admit-all
cs_unsolicited_policy drop-all
; Set the forwarding strategy for the specified prefixes:
; <prefix> <strategy>
strategy_choice
{
/ /localhost/nfd/strategy/best-route
/localhost /localhost/nfd/strategy/multicast
/localhost/nfd /localhost/nfd/strategy/best-route
/ndn/broadcast /localhost/nfd/strategy/multicast
}
; Declare network region names
; These are used for mobility support. An Interest carrying a Link object is
; assumed to have reached the producer region if any delegation name in the
; Link object is a prefix of any region name.
network_region
{
; /example/region1
; /example/region2
}
}
; The face_system section defines what faces and channels are created.
face_system
{
; This section contains options that apply to multiple face protocols.
general
{
enable_congestion_marking yes ; set to 'no' to disable congestion marking on supported faces, default 'yes'
}
; The unix section contains settings for Unix stream faces and channels.
; A Unix channel is always listening; delete the unix section to disable
; Unix stream faces and channels.
unix
{
; The default transport is 'unix:///run/nfd/nfd.sock' (on Linux) or 'unix:///var/run/nfd/nfd.sock' (on
; other platforms). This should match the 'transport' field in client.conf for ndn-cxx. If you wish
; to use TCP instead of Unix sockets with ndn-cxx, change 'transport' to an appropriate TCP FaceUri.
path @UNIX_SOCKET_PATH@ ; Unix stream listener path
}
; The tcp section contains settings for TCP faces and channels.
tcp
{
listen yes ; set to 'no' to disable TCP listener, default 'yes'
port 6363 ; TCP listener port number
enable_v4 yes ; set to 'no' to disable IPv4 channels, default 'yes'
enable_v6 yes ; set to 'no' to disable IPv6 channels, default 'yes'
; A TCP face has local scope if the local and remote IP addresses match the whitelist but not the blacklist
local
{
whitelist
{
subnet 127.0.0.0/8
subnet ::1/128
}
blacklist
{
}
}
}
; The udp section contains settings for UDP faces and channels.
udp
{
; UDP unicast settings.
listen yes ; set to 'no' to disable UDP listener, default 'yes'
port 6363 ; UDP listener port number
enable_v4 yes ; set to 'no' to disable IPv4 channels, default 'yes'
enable_v6 yes ; set to 'no' to disable IPv6 channels, default 'yes'
; Time (in seconds) before closing an idle UDP unicast face.
; The actual timeout will occur anytime between idle_timeout and 2*idle_timeout.
; The default is 600 (10 minutes).
idle_timeout 600
; Maximum payload size for outgoing packets on unicast faces, used in NDNLPv2 fragmentation.
; This must be between 64 and 8800. The default is 8800.
; This value excludes IPv4/IPv6/UDP headers. On an Ethernet link of MTU=1500, setting this
; to 1452 would leave enough room for IP+UDP headers and prevent IP fragmentation.
; This option is not changable during runtime configuration reload, but the MTU of an
; individual face can be updated via NFD Management Protocol or the 'nfdc' tool.
unicast_mtu 8800
; UDP multicast settings.
; By default, NFD creates one UDP multicast face per NIC.
;
; In multi-homed Linux machines these settings will NOT work without
; root or setting the appropriate permissions:
;
; sudo setcap cap_net_raw=eip /path/to/nfd
;
mcast yes ; set to 'no' to disable UDP multicast, default 'yes'
mcast_group 224.0.23.170 ; UDP multicast group (IPv4)
mcast_port 56363 ; UDP multicast port number (IPv4)
mcast_group_v6 ff02::1234 ; UDP multicast group (IPv6)
mcast_port_v6 56363 ; UDP multicast port number (IPv6)
mcast_ad_hoc no ; set to 'yes' to make all UDP multicast faces "ad hoc", default 'no'
; Whitelist and blacklist can contain, in no particular order:
; - interface names, including wildcard patterns (e.g., 'ifname eth0', 'ifname en*', 'ifname wlp?s0')
; - MAC addresses (e.g., 'ether 85:3b:4d:d3:5f:c2')
; - IPv4 subnets (e.g., 'subnet 192.0.2.0/24')
; - IPv6 subnets (e.g., 'subnet 2001:db8::/32')
; - a single asterisk ('*') that matches all interfaces
; By default, all interfaces are whitelisted.
whitelist
{
*
}
blacklist
{
}
}
; The ether section contains settings for Ethernet faces and channels.
; These settings will NOT work without root or setting the appropriate
; permissions:
;
; sudo setcap cap_net_raw,cap_net_admin=eip /path/to/nfd
;
; You may need to install a package to use setcap:
;
; **Ubuntu:**
;
; sudo apt install libcap2-bin
;
; **Mac OS X:**
;
; curl https://bugs.wireshark.org/bugzilla/attachment.cgi?id=3373 -o ChmodBPF.tar.gz
; tar zxvf ChmodBPF.tar.gz
; open ChmodBPF/Install\ ChmodBPF.app
;
; or manually:
;
; sudo chgrp admin /dev/bpf*
; sudo chmod g+rw /dev/bpf*
;
@IF_HAVE_LIBPCAP@ether
@IF_HAVE_LIBPCAP@{
@IF_HAVE_LIBPCAP@ ; Ethernet unicast settings.
@IF_HAVE_LIBPCAP@ listen yes ; set to 'no' to disable Ethernet listener, default 'yes'
@IF_HAVE_LIBPCAP@
@IF_HAVE_LIBPCAP@ ; Time (in seconds) before closing an idle Ethernet unicast face.
@IF_HAVE_LIBPCAP@ ; The actual timeout will occur anytime between idle_timeout and 2*idle_timeout.
@IF_HAVE_LIBPCAP@ ; The default is 600 (10 minutes).
@IF_HAVE_LIBPCAP@ idle_timeout 600
@IF_HAVE_LIBPCAP@
@IF_HAVE_LIBPCAP@ ; Ethernet multicast settings.
@IF_HAVE_LIBPCAP@ ; By default, NFD creates one Ethernet multicast face per NIC.
@IF_HAVE_LIBPCAP@ mcast yes ; set to 'no' to disable Ethernet multicast, default 'yes'
@IF_HAVE_LIBPCAP@ mcast_group 01:00:5E:00:17:AA ; Ethernet multicast group
@IF_HAVE_LIBPCAP@ mcast_ad_hoc no ; set to 'yes' to make all Ethernet multicast faces "ad hoc", default 'no'
@IF_HAVE_LIBPCAP@
@IF_HAVE_LIBPCAP@ ; Whitelist and blacklist can contain, in no particular order:
@IF_HAVE_LIBPCAP@ ; - interface names, including wildcard patterns (e.g., 'ifname eth0', 'ifname en*', 'ifname wlp?s0')
@IF_HAVE_LIBPCAP@ ; - MAC addresses (e.g., 'ether 85:3b:4d:d3:5f:c2')
@IF_HAVE_LIBPCAP@ ; - IPv4 subnets (e.g., 'subnet 192.0.2.0/24')
@IF_HAVE_LIBPCAP@ ; - IPv6 subnets (e.g., 'subnet 2001:db8::/32')
@IF_HAVE_LIBPCAP@ ; - a single asterisk ('*') that matches all interfaces
@IF_HAVE_LIBPCAP@ ; By default, all interfaces are whitelisted.
@IF_HAVE_LIBPCAP@ whitelist
@IF_HAVE_LIBPCAP@ {
@IF_HAVE_LIBPCAP@ *
@IF_HAVE_LIBPCAP@ }
@IF_HAVE_LIBPCAP@ blacklist
@IF_HAVE_LIBPCAP@ {
@IF_HAVE_LIBPCAP@ }
@IF_HAVE_LIBPCAP@}
; The websocket section contains settings for WebSocket faces and channels.
@IF_HAVE_WEBSOCKET@websocket
@IF_HAVE_WEBSOCKET@{
@IF_HAVE_WEBSOCKET@ listen yes ; set to 'no' to disable WebSocket listener, default 'yes'
@IF_HAVE_WEBSOCKET@ port 9696 ; WebSocket listener port number
@IF_HAVE_WEBSOCKET@ enable_v4 yes ; set to 'no' to disable listening on IPv4 socket, default 'yes'
@IF_HAVE_WEBSOCKET@ enable_v6 yes ; set to 'no' to disable listening on IPv6 socket, default 'yes'
@IF_HAVE_WEBSOCKET@}
; The netdev_bound section defines faces bound to netdevices.
netdev_bound
{
; A rule consists of a whitelist, a blacklist, and a set of remote FaceUris, and will cause the
; creation of zero or more faces bound to netdevices. One face will be created per accepted
; netdev per remote. There can be any number of rules in the netdev_bound section.
; rule
; {
; ; Remote FaceUri to which the netdev-bound faces will connect.
; ; Rule can contain multiple remotes. One face will be created for each remote.
; ; All FaceUris must be in canonical form. Currently only udp4 and udp6 are supported.
; remote udp4://192.0.2.1:6363
;
; ; Whitelist and blacklist can contain, in no particular order:
; ; - interface names, including wildcard patterns (e.g., 'ifname eth0', 'ifname en*', 'ifname wlp?s0')
; ; - MAC addresses (e.g., 'ether 85:3b:4d:d3:5f:c2')
; ; - IPv4 subnets (e.g., 'subnet 192.0.2.0/24')
; ; - IPv6 subnets (e.g., 'subnet 2001:db8::/32')
; ; - a single asterisk ('*') that matches all interfaces
; ; By default, all interfaces are whitelisted.
; whitelist
; {
; *
; }
; blacklist
; {
; }
; }
}
}
; The authorizations section grants privileges to authorized keys.
authorizations
{
; An authorize section grants privileges to a NDN certificate.
authorize
{
; If you do not already have NDN certificate, you can generate
; one with the following commands.
;
; 1. Generate and install a self-signed identity certificate:
;
; ndnsec key-gen /$(whoami) | ndnsec cert-install -
;
; Note that the argument to 'ndnsec key-gen' will be the identity name of
; the new key (in this case, /your-username). Identities are hierarchical
; NDN names and may have multiple components (e.g., /ndn/ucla/edu/alice).
; You may create additional keys and identities as needed.
;
; 2. Export the certificate to a file:
;
; ndnsec cert-dump -i /$(whoami) > default.ndncert
; sudo mkdir -p @SYSCONFDIR@/ndn/keys
; sudo mv default.ndncert @SYSCONFDIR@/ndn/keys/default.ndncert
;
; The 'certfile' field below specifies the default key directory for
; your machine. You may move your newly created key to the location it
; specifies or path.
; certfile keys/default.ndncert ; NDN identity certificate file
certfile any ; 'any' authorizes command interests signed under any certificate,
; i.e., no actual validation.
privileges ; set of privileges granted to this identity
{
faces
fib
cs
strategy-choice
}
}
; You may have multiple authorize sections that specify additional
; certificates and their privileges.
; authorize
; {
; certfile keys/this_cert_does_not_exist.ndncert
; authorize
; privileges
; {
; faces
; }
; }
}
rib
{
; The following localhost_security allows anyone to register routing entries in local RIB
localhost_security
{
trust-anchor
{
type any
}
}
; localhop_security should be enabled when NFD runs on a hub.
; "/localhop/nfd/fib" command prefix will be disabled when localhop_security section is missing.
; localhop_security
; {
; ; This section defines the trust model for NFD RIB Management. It consists of rules and
; ; trust-anchors, which are briefly defined in this file. For more information refer to
; ; validator configuration file format documentation:
; ;
; ; https://docs.named-data.net/ndn-cxx/current/tutorials/security-validator-config.html
; ;
; ; A trust-anchor is a pre-trusted certificate. This can be any certificate that is the
; ; root of certification chain (e.g., NDN testbed root certificate) or an existing
; ; default system certificate `default.ndncert`.
; ;
; ; A rule defines conditions a valid packet MUST have. A packet must satisfy one of the
; ; rules defined here. A rule can be broken into two parts: matching & checking. A packet
; ; will be matched against rules from the first to the last until a matched rule is
; ; encountered. The matched rule will be used to check the packet. If a packet does not
; ; match any rule, it will be treated as invalid. The matching part of a rule consists
; ; of `for` and `filter` sections. They collectively define which packets can be checked
; ; with this rule. `for` defines packet type (data or interest) and `filter` defines
; ; conditions on other properties of a packet. Right now, you can only define conditions
; ; on packet name, and you can only specify ONLY ONE filter for packet name. The
; ; checking part of a rule consists of `checker`, which defines the conditions that a
; ; VALID packet MUST have. See comments in checker section for more details.
;
; rule
; {
; id "RIB Command Interest"
; for interest
; ; match Commmand Interest name (either in v0.3 or v0.2 format)
; filter
; {
; type name
; regex ^<localhop><nfd><rib>[<register><unregister>]<>{1,3}$
; }
; checker
; {
; type customized
; sig-type ecdsa-sha256
; ; KeyLocator must be either a key name or a certificate name
; key-locator
; {
; type name
; regex ^<>*<KEY><>{1,3}$
; }
; }
; }
; rule
; {
; id "NDN Testbed Certificate Hierarchy"
; for data
; ; match certificate name only
; filter
; {
; type name
; regex ^<>*<KEY><>{3}$
; }
; checker
; {
; type customized
; sig-type ecdsa-sha256
; key-locator
; {
; type name
; ; issuer subject name must be a prefix of issued certificate name
; hyper-relation
; {
; k-regex ^(<>*)<KEY><>{1,3}$
; k-expand \\1
; h-relation is-prefix-of
; p-regex ^(<>*)$
; p-expand \\1
; }
; }
; }
; }
; trust-anchor
; {
; type file
; ; certificate path, relative to this config file
; file-name keys/default.ndncert
; }
; ; trust-anchor entry may be repeated to specify multiple trust anchors
; }
; The following localhop_security should be enabled when NFD runs on a hub,
; which accepts all remote registrations and is a short-term solution.
; localhop_security
; {
; trust-anchor
; {
; type any
; }
; }
; The following prefix_announcement_validation accepts any prefix announcement
prefix_announcement_validation
{
trust-anchor
{
type any
}
}
auto_prefix_propagate
{
cost 15 ; forwarding cost of prefix registered on remote router
timeout 10000 ; timeout (in milliseconds) of prefix registration command for propagation
refresh_interval 300 ; interval (in seconds) before refreshing the propagation
; This setting should be less than face_system.udp.idle_time,
; so that the face is kept alive on the remote router.
base_retry_wait 50 ; base wait time (in seconds) before retrying propagation
max_retry_wait 3600 ; maximum wait time (in seconds) before retrying propagation
; for consequent retries, the wait time before each retry is calculated based on the back-off
; policy. Initially, the wait time is set to base_retry_wait, then it will be doubled for every
; retry unless beyond the max_retry_wait, in which case max_retry_wait is set as the wait time.
}
; If enabled, routes registered with origin=client (typically from auto_prefix_propagate)
; will be readvertised into local NLSR daemon.
readvertise_nlsr no
}