From 34d1c0a03b51fdaef26a3bc630ab096da740e1d6 Mon Sep 17 00:00:00 2001 From: Danny Milosavljevic Date: Sun, 27 Sep 2020 21:06:30 +0200 Subject: services: dnsmasq: Add TFTP configuration fields. * gnu/services/dns.scm (): Add TFTP configuration fields. (dnsmasq-shepherd-service): Use them. * doc/guix.texi (DNS Services): Document them. --- doc/guix.texi | 54 ++++++++++++++++++++++++++++++++++++++++ gnu/services/dns.scm | 70 +++++++++++++++++++++++++++++++++++++++++++++++++--- 2 files changed, 121 insertions(+), 3 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index eed7bbec6e..2b1ffbc55f 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -23363,6 +23363,60 @@ disables caching. @item @code{negative-cache?} (default: @code{#t}) When false, disable negative caching. +@item @code{tftp-enable?} (default: @code{#f}) +Whether to enable the built-in TFTP server. + +@item @code{tftp-no-fail?} (default: @code{#f}) +If true, does not fail dnsmasq if the TFTP server could not start up. + +@item @code{tftp-single-port?} (default: @code{#f}) +Whether to use only one single port for TFTP. + +@item @code{tftp-secure?} (default: @code{#f}) +If true, only files owned by the user running the dnsmasq process are accessible. + +If dnsmasq is being run as root, different rules apply: +@code{tftp-secure?} has no effect, but only files which have the +world-readable bit set are accessible. + +@item @code{tftp-max} (default: @code{#f}) +If set, sets the maximal number of concurrent connections allowed. + +@item @code{tftp-mtu} (default: @code{#f}) +If set, sets the MTU for TFTP packets to that value. + +@item @code{tftp-no-blocksize?} (default: @code{#f}) +If true, stops the TFTP server from negotiating the blocksize with a client. + +@item @code{tftp-lowercase?} (default: @code{#f}) +Whether to convert all filenames in TFTP requests to lowercase. + +@item @code{tftp-port-range} (default: @code{#f}) +If set, fixes the dynamical ports (one per client) to the given range +(@code{","}). + +@item @code{tftp-root} (default: @code{/var/empty,lo}) +Look for files to transfer using TFTP relative to the given directory. +When this is set, TFTP paths which include ".." are rejected, to stop clients +getting outside the specified root. Absolute paths (starting with /) are +allowed, but they must be within the tftp-root. If the optional interface +argument is given, the directory is only used for TFTP requests via that +interface. + +@item @code{tftp-unique-root} (default: @code{#f}) +If set, add the IP or hardware address of the TFTP client as a path component +on the end of the TFTP-root. Only valid if a TFTP root is set and the +directory exists. Defaults to adding IP address (in standard dotted-quad +format). + +For instance, if --tftp-root is "/tftp" and client 1.2.3.4 requests file +"myfile" then the effective path will be "/tftp/1.2.3.4/myfile" if +/tftp/1.2.3.4 exists or /tftp/myfile otherwise. When "=mac" is specified +it will append the MAC address instead, using lowercase zero padded digits +separated by dashes, e.g.: 01-02-03-04-aa-bb Note that resolving MAC +addresses is only possible if the client is in the local network or obtained +a DHCP lease from dnsmasq. + @end table @end deftp diff --git a/gnu/services/dns.scm b/gnu/services/dns.scm index 9caa3611be..572880561c 100644 --- a/gnu/services/dns.scm +++ b/gnu/services/dns.scm @@ -757,7 +757,29 @@ cache.size = 100 * MB (cache-size dnsmasq-configuration-cache-size (default 150)) ;integer (negative-cache? dnsmasq-configuration-negative-cache? - (default #t))) ;boolean + (default #t)) ;boolean + (tftp-enable? dnsmasq-configuration-tftp-enable? + (default #f)) ;boolean + (tftp-no-fail? dnsmasq-configuration-tftp-no-fail? + (default #f)) ;boolean + (tftp-single-port? dnsmasq-configuration-tftp-single-port? + (default #f)) ;boolean + (tftp-secure? dnsmasq-tftp-secure? + (default #f)) ;boolean + (tftp-max dnsmasq-tftp-max + (default #f)) ;integer + (tftp-mtu dnsmasq-tftp-mtu + (default #f)) ;integer + (tftp-no-blocksize? dnsmasq-tftp-no-blocksize? + (default #f)) ;boolean + (tftp-lowercase? dnsmasq-tftp-lowercase? + (default #f)) ;boolean + (tftp-port-range dnsmasq-tftp-port-range + (default #f)) ;string + (tftp-root dnsmasq-tftp-root + (default "/var/empty,lo")) ;string + (tftp-unique-root dnsmasq-tftp-unique-root + (default #f))) ;"" or "ip" or "mac" (define dnsmasq-shepherd-service (match-lambda @@ -765,7 +787,12 @@ cache.size = 100 * MB no-hosts? port local-service? listen-addresses resolv-file no-resolv? servers - addresses cache-size negative-cache?) + addresses cache-size negative-cache? + tftp-enable? tftp-no-fail? + tftp-single-port? tftp-secure? + tftp-max tftp-mtu tftp-no-blocksize? + tftp-lowercase? tftp-port-range + tftp-root tftp-unique-root) (shepherd-service (provision '(dnsmasq)) (requirement '(networking)) @@ -794,7 +821,44 @@ cache.size = 100 * MB #$(format #f "--cache-size=~a" cache-size) #$@(if negative-cache? '() - '("--no-negcache"))) + '("--no-negcache")) + #$@(if tftp-enable? + '("--enable-tftp") + '()) + #$@(if tftp-no-fail? + '("--tftp-no-fail") + '()) + #$@(if tftp-single-port? + '("--tftp-single-port") + '()) + #$@(if tftp-secure? + '("--tftp-secure?") + '()) + #$@(if tftp-max + (list (format #f "--tftp-max=~a" tftp-max)) + '()) + #$@(if tftp-mtu + (list (format #f "--tftp-mtu=~a" tftp-mtu)) + '()) + #$@(if tftp-no-blocksize? + '("--tftp-no-blocksize") + '()) + #$@(if tftp-lowercase? + '("--tftp-lowercase") + '()) + #$@(if tftp-port-range + (list (format #f "--tftp-port-range=~a" + tftp-port-range)) + '()) + #$@(if tftp-root + (list (format #f "--tftp-root=~a" tftp-root)) + '()) + #$@(if tftp-unique-root + (list + (if (> (length tftp-unique-root) 0) + (format #f "--tftp-unique-root=~a" tftp-unique-root) + (format #f "--tftp-unique-root"))) + '())) #:pid-file "/run/dnsmasq.pid")) (stop #~(make-kill-destructor)))))) -- cgit v1.2.3