MAN page from RedHat 7.X dhcp-3.0.2-6.pp-rh73.i386.rpm


Section: File Formats (5)


dhcp-eval - ISC DHCP conditional evaluation 


The Internet Systems Consortium DHCP client and server both providethe ability to perform conditional behavior depending on the contentsof packets they receive. The syntax for specifying this conditionalbehaviour is documented here. 


Conditional behaviour is specified using the if statement and the elseor elsif statements. A conditional statement can appear anywherethat a regular statement (e.g., an option statement) can appear, andcan enclose one or more such statements. A typical conditionalstatement in a server might be:

if option dhcp-user-class = "accounting" {  max-lease-time 17600;  option domain-name "";  option domain-name-servers,                    ;} elsif option dhcp-user-class = "sales" {  max-lease-time 17600;  option domain-name "";  option domain-name-servers,                    ;} elsif option dhcp-user-class = "engineering" {  max-lease-time 17600;  option domain-name "";  option domain-name-servers,                    ;} else {  max-lease-time 600;  option domain-name "";  option domain-name-servers,                    ;}

On the client side, an example of conditional evaluation might be:

# filters DNS at its firewall, so we have to use their DNS# servers when we connect to their network.   If we are not at#, prefer our own DNS server.if not option domain-name = "" {  prepend domain-name-servers;}

Theifstatement and theelsifcontinuation statement both take boolean expressions as theirarguments. That is, they take expressions that, when evaluated,produce a boolean result. If the expression evaluates to true, thenthe statements enclosed in braces following the ifstatement are executed, and all subsequentelsifandelseclauses are skipped. Otherwise, each subsequent elsifclause's expression is checked, until an elsif clause is encounteredwhose test evaluates to true. If such a clause is found, thestatements in braces following it are executed, and then anysubsequentelsifandelseclauses are skipped. If all the ifandelsifclauses are checked but noneof their expressions evaluate true, then if there is anelseclause, the statements enclosed in braces following theelseare evaluated. Boolean expressions that evaluate to null aretreated as false in conditionals. 


The following is the current list of boolean expressions that aresupported by the DHCP distribution.

data-expression-1 = data-expression-2

The = operator compares the values of two data expressions,returning true if they are the same, false if they are not. Ifeither the left-hand side or the right-hand side are null, theresult is also null.

boolean-expression-1 and boolean-expression-2

The and operator evaluates to true if the boolean expression onthe left-hand side and the boolean expression on the right-hand sideboth evaluate to true. Otherwise, it evaluates to false. If eitherthe expression on the left-hand side or the expression on theright-hand side are null, the result is null.

boolean-expression-1 or boolean-expression-2

The or operator evaluates to true if either the booleanexpression on the left-hand side or the boolean expression on theright-hand side evaluate to true. Otherwise, it evaluates to false.If either the expression on the left-hand side or the expression onthe right-hand side are null, the result is null.

not boolean-expression

The not operator evaluates to true if boolean-expressionevaluates to false, and returns false if boolean-expression evaluatesto true. If boolean-expression evaluates to null, the resultis also null.

exists option-name

The exists expression returns true if the specified optionexists in the incoming DHCP packet being processed.

The known expression returns true if the client whose request iscurrently being processed is known - that is, if there's a hostdeclaration for it.

The static expression returns true if the lease assigned to theclient whose request is currently being processed is derived from a staticaddress assignment.


Several of the boolean expressions above depend on the results ofevaluating data expressions. A list of these expressions is providedhere.

substring (data-expr, offset, length)

The substring operator evaluates the data expression and returnsthe substring of the result of that evaluation that startsoffset bytes from the beginning, continuing for lengthbytes. Offset and length are both numeric expressions.If data-expr, offset or length evaluate to null,then the result is also null. If offset is greater than orequal to the length of the evaluated data, then a zero-length datastring is returned. If length is greater then the remaininglength of the evaluated data after offset, then a data stringcontaining all data from offset to the end of the evaluated datais returned.

suffix (data-expr, length)

The suffix operator evaluates data-expr and returns thelast length bytes of the result of that evaluation. Lengthis a numeric expression. If data-expr or length evaluateto null, then the result is also null. If suffix evaluates to anumber greater than the length of the evaluated data, then theevaluated data is returned.

option option-name

The option operator returns the contents of the specified option inthe packet to which the server is responding.

config-option option-name

The config-option operator returns the value for the specified optionthat the DHCP client or server has been configured to send.


The hardware operator returns a data string whose first elementis the type of network interface indicated in packet being considered,and whose subsequent elements are client's link-layer address. Ifthere is no packet, or if the RFC2131 hlen field is invalid,then the result is null. Hardware types include ethernet (1),token-ring (6), and fddi (8). Hardware types are specified by theIETF, and details on how the type numbers are defined can be found inRFC2131 (in the ISC DHCP distribution, this is included in the doc/subdirectory).

packet (offset, length)

The packet operator returns the specified portion of the packetbeing considered, or null in contexts where no packet is beingconsidered. Offset and length are applied to thecontents packet as in the substring operator.


A string, enclosed in quotes, may be specified as a data expression,and returns the text between the quotes, encoded in ASCII. Thebackslash ('\') character is treated specially, as in C programming: '\t'means TAB, '\r' means carriage return, '\n' means newline, and '\b' meansbell. Any octal value can be specified with '\nnn', where nnn is anypositive octal number less than 0400. Any hexadecimal value can bespecified with '\xnn', where nn is any positive hexadecimal number lessthan or equal to 0xff.

colon-separated hexadecimal list

A list of hexadecimal octet values, separated by colons, may bespecified as a data expression.

concat (data-expr1, ..., data-exprN)

The expressions are evaluated, and the results of each evaluation areconcatenated in the sequence that the subexpressions are listed. Ifany subexpression evaluates to null, the result of the concatenationis null.

reverse (numeric-expr1, data-expr2)

The two expressions are evaluated, and then the result of evaluatingthe data expression is reversed in place, using hunks of the sizespecified in the numeric expression. For example, if the numericexpression evaluates to four, and the data expression evaluates to twelve bytes of data, then the reverse expression will evaluate totwelve bytes of data, consisting of the last four bytes of the theinput data, followed by the middle four bytes, followed by the firstfour bytes.


In any context where the client whose request is being processed hasbeen assigned an IP address, this data expression returns that IPaddress.

binary-to-ascii (numeric-expr1, numeric-expr2,data-expr1, data-expr2)

Converts the result of evaluating data-expr2 into a text stringcontaining one number for each element of the result of evaluatingdata-expr2. Each number is separated from the other by the result ofevaluating data-expr1. The result of evaluating numeric-expr1specifies the base (2 through 16) into which the numbers should beconverted. The result of evaluating numeric-expr2 specifies thewidth in bits of each number, which may be either 8, 16 or 32.

As an example of the preceding three types of expressions, to producethe name of a PTR record for the IP address being assigned to aclient, one could write the following expression:

        concat (binary-to-ascii (10, 8, ".",                                 reverse (1, leased-address)),                "");

encode-int (numeric-expr, width)

Numeric-expr is evaluated and encoded as a data string of thespecified width, in network byte order (most significant byte first).If the numeric expression evaluates to the null value, the result isalso null.

pick-first-value (data-expr1 [ ... exprn ] )

The pick-first-value function takes any number of data expressions asits arguments. Each expression is evaluated, starting with the firstin the list, until an expression is found that does not evaluate to anull value. That expression is returned, and none of the subsequentexpressions are evaluated. If all expressions evaluate to a nullvalue, the null value is returned.


The host-decl-name function returns the name of the host declarationthat matched the client whose request is currently being processed, ifany. If no host declaration matched, the result is the null value.


Numeric expressions are expressions that evaluate to an integer. Ingeneral, the maximum size of such an integer should not be assumed tobe representable in fewer than 32 bits, but the precision of suchintegers may be more than 32 bits.

extract-int (data-expr, width)

The extract-int operator extracts an integer value in networkbyte order from the result of evaluating the specified dataexpression. Width is the width in bits of the integer to extract.Currently, the only supported widths are 8, 16 and 32. If theevaluation of the data expression doesn't provide sufficient bits toextract an integer of the specified size, the null value is returned.


The duration of the current lease - that is, the difference betweenthe current time and the time that the lease expires.


Any number between zero and the maximum representable size may bespecified as a numeric expression.


The current state of the client instance being processed. This isonly useful in DHCP client configuration files. Possible values are:
Booting - DHCP client is in the INIT state, and does not yet have anIP address. The next message transmitted will be a DHCPDISCOVER,which will be broadcast.
Reboot - DHCP client is in the INIT-REBOOT state. It has an IPaddress, but is not yet using it. The next message to be transmittedwill be a DHCPREQUEST, which will be broadcast. If no response isheard, the client will bind to its address and move to the BOUND state.
Select - DHCP client is in the SELECTING state - it has received atleast one DHCPOFFER message, but is waiting to see if it may receiveother DHCPOFFER messages from other servers. No messages are sent inthe SELECTING state.
Request - DHCP client is in the REQUESTING state - it has received atleast one DHCPOFFER message, and has chosen which one it willrequest. The next message to be sent will be a DHCPREQUEST message,which will be broadcast.
Bound - DHCP client is in the BOUND state - it has an IP address. Nomessages are transmitted in this state.
Renew - DHCP client is in the RENEWING state - it has an IP address,and is trying to contact the server to renew it. The next message tobe sent will be a DHCPREQUEST message, which will be unicast directlyto the server.
Rebind - DHCP client is in the REBINDING state - it has an IP address,and is trying to contact any server to renew it. The next message tobe sent will be a DHCPREQUEST, which will be broadcast.


Logging statements may be used to send information to the standard loggingchannels. A logging statement includes an optional priority (fatal,error, info, or debug), and a data expression.

log (priority, data-expr)

Logging statements take only a single data expression argument, so if youwant to output multiple data values, you will need to use the concatoperator to concatenate them. 


The DHCP client and server have the ability to dynamically update theDomain Name System. Within the configuration files, you can definehow you want the Domain Name System to be updated. These updates areRFC 2136 compliant so any DNS server supporting RFC 2136 should beable to accept updates from the DHCP server. 


Support for TSIG and DNSSEC is not yet available. When you set yourDNS server up to allow updates from the DHCP server or client, you maybe exposing it to unauthorized updates. To avoid this, the best youcan do right now is to use IP address-based packet filtering toprevent unauthorized hosts from submitting update requests.Obviously, there is currently no way to provide security for clientupdates - this will require TSIG or DNSSEC, neither of which is yetavailable in the DHCP distribution.

Dynamic DNS (DDNS) updates are performed by using the dns-updateexpression. The dns-update expression is a boolean expressionthat takes four parameters. If the update succeeds, the result istrue. If it fails, the result is false. The four parameters that theare the resource record type (RR), the left hand side of the RR, theright hand side of the RR and the ttl that should be applied to therecord. The simplest example of the use of the function can be foundin the reference section of the dhcpd.conf file, where events aredescribed. In this example several statements are being used to makethe arguments to the dns-update.

In the example, the first argument to the first Bdns-updateexpression is a data expression that evaluates to the A RR type. Thesecond argument is constructed by concatenating the DHCP host-nameoption with a text string containing the local domain, in this case"". The third argument is constructed by convertingthe address the client has been assigned from a 32-bit number into anascii string with each byte separated by a ".". The fourth argument,the TTL, specifies the amount of time remaining in the lease (notethat this isn't really correct, since the DNS server will pass thisTTL out whenever a request comes in, even if that is only a fewseconds before the lease expires).

If the first dns-update statement succeeds, it is followed upwith a second update to install a PTR RR. The installation of a PTRrecord is similar to installing an A RR except that the left hand sideof the record is the leased address, reversed, with ""concatenated. The right hand side is the fully qualified domain nameof the client to which the address is being leased. 


dhcpd.conf(5), dhcpd.leases(5), dhclient.conf(5), dhcp-eval(5), dhcpd(8),dhclient(8), RFC2132, RFC2131. 


The Internet Systems Consortium DHCP Distribution was written by TedLemon under a contract with Vixie Labs. Funding forthis project was provided through Internet Systems Consortium.Information about Internet Systems Consortium can be found at




This document was created byman2html,using the manual pages.