Project

General

Profile

Actions

Configuration file format

The initial state of NFD is configured using a textual file in Boost INFO format.

; The general section contains settings of nfd process.
general
{
  ; Specify a user and/or group for NFD to drop privileges to
  ; when not performing privileged tasks. NFD does not drop
  ; privileges by default.

  ; user ndn-user
  ; group ndn-user
}

log
{
  ; default_level specifies the logging level for modules
  ; that are not explicitly named. All debugging levels
  ; listed above the selected value are enabled.
  ;
  ; Valid values:
  ;
  ;  NONE ; no messages
  ;  ERROR ; error messages
  ;  WARN ; warning messages
  ;  INFO ; informational messages (default)
  ;  DEBUG ; debugging messages
  ;  TRACE ; trace messages (most verbose)
  ;  ALL ; all messages

  default_level INFO

  ; You may override default_level by assigning a logging level
  ; to the desired module name. Module names can be found in two ways:
  ;
  ; Run:
  ;   nfd --modules
  ;
  ; Or look for NFD_LOG_INIT(<module name>) statements in source files.
  ; Note that the "nfd." prefix can be omitted.
  ;
  ; Example module-level settings:
  ;
  ; FibManager DEBUG
  ; Forwarder INFO
}

; The tables section configures the CS, PIT, FIB, Strategy Choice, and Measurements
tables
{
  ; ContentStore size limit in number of packets
  ; default is 65536, about 500MB with 8KB packet size
  cs_max_packets 65536

  ; Set the CS replacement policy.
  ; Available policies are: priority_fifo, lru
  cs_policy lru

  ; Set a policy to decide whether to cache or drop unsolicited Data.
  ; Available policies are: drop-all, admit-local, admit-network, admit-all
  cs_unsolicited_policy drop-all

  ; Set the forwarding strategy for the specified prefixes:
  ;   <prefix> <strategy>
  strategy_choice
  {
    /               /localhost/nfd/strategy/best-route
    /localhost      /localhost/nfd/strategy/multicast
    /localhost/nfd  /localhost/nfd/strategy/best-route
    /ndn/broadcast  /localhost/nfd/strategy/multicast
  }

  ; Declare network region names
  ; These are used for mobility support.  An Interest carrying a Link object is
  ; assumed to have reached the producer region if any delegation name in the
  ; Link object is a prefix of any region name.
  network_region
  {
    ; /example/region1
    ; /example/region2
  }
}

; The face_system section defines what faces and channels are created.
face_system
{
  ; This section contains options that apply to multiple face protocols.
  general
  {
    enable_congestion_marking yes ; set to 'no' to disable congestion marking on supported faces, default 'yes'
  }

  ; The unix section contains settings for Unix stream faces and channels.
  ; A Unix channel is always listening; delete the unix section to disable
  ; Unix stream faces and channels.
  unix
  {
    ; The default transport is unix:///run/nfd.sock (on Linux) or unix:///var/run/nfd.sock (on
    ; other platforms). This should match the "transport" field in client.conf for ndn-cxx. If you
    ; wish to use TCP instead of Unix sockets with ndn-cxx, change "transport" to an appropriate
    ; TCP FaceUri.
    path /run/nfd.sock ; Unix stream listener path
  }

  ; The tcp section contains settings for TCP faces and channels.
  tcp
  {
    listen yes ; set to 'no' to disable TCP listener, default 'yes'
    port 6363 ; TCP listener port number
    enable_v4 yes ; set to 'no' to disable IPv4 channels, default 'yes'
    enable_v6 yes ; set to 'no' to disable IPv6 channels, default 'yes'

    ; A TCP face has local scope if the local and remote IP addresses match the whitelist but not the blacklist
    local
    {
      whitelist
      {
        subnet 127.0.0.0/8
        subnet ::1/128
      }
      blacklist
      {
      }
    }
  }

  ; The udp section contains settings for UDP faces and channels.
  udp
  {
    ; UDP unicast settings.
    listen yes ; set to 'no' to disable UDP listener, default 'yes'
    port 6363 ; UDP listener port number
    enable_v4 yes ; set to 'no' to disable IPv4 channels, default 'yes'
    enable_v6 yes ; set to 'no' to disable IPv6 channels, default 'yes'

    ; Time (in seconds) before closing an idle UDP unicast face.
    ; The actual timeout will occur anytime between idle_timeout and 2*idle_timeout.
    ; The default is 600 (10 minutes).
    idle_timeout 600

    ; Maximum payload size for outgoing packets on unicast faces, used in NDNLPv2 fragmentation.
    ; This must be between 64 and 8800. The default is 8800.
    ; This value excludes IPv4/IPv6/UDP headers. On an Ethernet link of MTU=1500, setting this
    ; to 1452 would leave enough room for IP+UDP headers and prevent IP fragmentation.
    ; This option is not changable during runtime configuration reload, but the MTU of an
    ; individual face can be updated via NFD Management Protocol or the 'nfdc' tool.
    unicast_mtu 8800

    ; UDP multicast settings.
    ; By default, NFD creates one UDP multicast face per NIC.
    ;
    ; In multi-homed Linux machines these settings will NOT work without
    ; root or setting the appropriate permissions:
    ;
    ;    sudo setcap cap_net_raw=eip /path/to/nfd
    ;
    mcast yes ; set to 'no' to disable UDP multicast, default 'yes'
    mcast_group 224.0.23.170 ; UDP multicast group (IPv4)
    mcast_port 56363 ; UDP multicast port number (IPv4)
    mcast_group_v6 ff02::1234 ; UDP multicast group (IPv6)
    mcast_port_v6 56363 ; UDP multicast port number (IPv6)
    mcast_ad_hoc no ; set to 'yes' to make all UDP multicast faces "ad hoc", default 'no'

    ; Whitelist and blacklist can contain, in no particular order:
    ; - interface names, including wildcard patterns (e.g., 'ifname eth0', 'ifname en*', 'ifname wlp?s0')
    ; - MAC addresses (e.g., 'ether 85:3b:4d:d3:5f:c2')
    ; - IPv4 subnets (e.g., 'subnet 192.0.2.0/24')
    ; - IPv6 subnets (e.g., 'subnet 2001:db8::/32')
    ; - a single asterisk ('*') that matches all interfaces
    ; By default, all interfaces are whitelisted.
    whitelist
    {
      *
    }
    blacklist
    {
    }
  }

  ; The ether section contains settings for Ethernet faces and channels.
  ; These settings will NOT work without root or setting the appropriate
  ; permissions:
  ;
  ;    sudo setcap cap_net_raw,cap_net_admin=eip /path/to/nfd
  ;
  ; You may need to install a package to use setcap:
  ;
  ; **Ubuntu:**
  ;
  ;    sudo apt install libcap2-bin
  ;
  ; **Mac OS X:**
  ;
  ;    curl https://bugs.wireshark.org/bugzilla/attachment.cgi?id=3373 -o ChmodBPF.tar.gz
  ;    tar zxvf ChmodBPF.tar.gz
  ;    open ChmodBPF/Install\ ChmodBPF.app
  ;
  ; or manually:
  ;
  ;    sudo chgrp admin /dev/bpf*
  ;    sudo chmod g+rw /dev/bpf*
  ;
  ether
  {
    ; Ethernet unicast settings.
    listen yes ; set to 'no' to disable Ethernet listener, default 'yes'

    ; Time (in seconds) before closing an idle Ethernet unicast face.
    ; The actual timeout will occur anytime between idle_timeout and 2*idle_timeout.
    ; The default is 600 (10 minutes).
    idle_timeout 600

    ; Ethernet multicast settings.
    ; By default, NFD creates one Ethernet multicast face per NIC.
    mcast yes ; set to 'no' to disable Ethernet multicast, default 'yes'
    mcast_group 01:00:5E:00:17:AA ; Ethernet multicast group
    mcast_ad_hoc no ; set to 'yes' to make all Ethernet multicast faces "ad hoc", default 'no'

    ; Whitelist and blacklist can contain, in no particular order:
    ; - interface names, including wildcard patterns (e.g., 'ifname eth0', 'ifname en*', 'ifname wlp?s0')
    ; - MAC addresses (e.g., 'ether 85:3b:4d:d3:5f:c2')
    ; - IPv4 subnets (e.g., 'subnet 192.0.2.0/24')
    ; - IPv6 subnets (e.g., 'subnet 2001:db8::/32')
    ; - a single asterisk ('*') that matches all interfaces
    ; By default, all interfaces are whitelisted.
    whitelist
    {
      *
    }
    blacklist
    {
    }
  }

  ; The websocket section contains settings for WebSocket faces and channels.
  websocket
  {
    listen yes ; set to 'no' to disable WebSocket listener, default 'yes'
    port 9696 ; WebSocket listener port number
    enable_v4 yes ; set to 'no' to disable listening on IPv4 socket, default 'yes'
    enable_v6 yes ; set to 'no' to disable listening on IPv6 socket, default 'yes'
  }

  ; The netdev_bound section defines faces bound to netdevices.
  netdev_bound
  {
    ; A rule consists of a whitelist, a blacklist, and a set of remote FaceUris, and will cause the
    ; creation of zero or more faces bound to netdevices. One face will be created per accepted
    ; netdev per remote. There can be any number of rules in the netdev_bound section.

    ; rule
    ; {
    ;   ; Remote FaceUri to which the netdev-bound faces will connect.
    ;   ; Rule can contain multiple remotes. One face will be created for each remote.
    ;   ; All FaceUris must be in canonical form. Currently only udp4 and udp6 are supported.
    ;   remote udp4://192.0.2.1:6363
    ;
    ;   ; Whitelist and blacklist can contain, in no particular order:
    ;   ; - interface names, including wildcard patterns (e.g., 'ifname eth0', 'ifname en*', 'ifname wlp?s0')
    ;   ; - MAC addresses (e.g., 'ether 85:3b:4d:d3:5f:c2')
    ;   ; - IPv4 subnets (e.g., 'subnet 192.0.2.0/24')
    ;   ; - IPv6 subnets (e.g., 'subnet 2001:db8::/32')
    ;   ; - a single asterisk ('*') that matches all interfaces
    ;   ; By default, all interfaces are whitelisted.
    ;   whitelist
    ;   {
    ;     *
    ;   }
    ;   blacklist
    ;   {
    ;   }
    ; }
  }
}

; The authorizations section grants privileges to authorized keys.
authorizations
{
  ; An authorize section grants privileges to a NDN certificate.
  authorize
  {
    ; If you do not already have NDN certificate, you can generate
    ; one with the following commands.
    ;
    ; 1. Generate and install a self-signed identity certificate:
    ;
    ;      ndnsec key-gen /$(whoami) | ndnsec cert-install -
    ;
    ; Note that the argument to 'ndnsec key-gen' will be the identity name of
    ; the new key (in this case, /your-username). Identities are hierarchical
    ; NDN names and may have multiple components (e.g., /ndn/ucla/edu/alice).
    ; You may create additional keys and identities as needed.
    ;
    ; 2. Dump the NDN certificate to a file:
    ;
    ;      sudo mkdir -p /usr/local/etc/ndn/keys/
    ;      ndnsec cert-dump -i /$(whoami) >  default.ndncert
    ;      sudo mv default.ndncert /usr/local/etc/ndn/keys/default.ndncert
    ;
    ; The "certfile" field below specifies the default key directory for
    ; your machine. You may move your newly created key to the location it
    ; specifies or path.

    ; certfile keys/default.ndncert ; NDN identity certificate file
    certfile any ; "any" authorizes command interests signed under any certificate,
                 ; i.e., no actual validation.
    privileges ; set of privileges granted to this identity
    {
      faces
      fib
      cs
      strategy-choice
    }
  }

  ; You may have multiple authorize sections that specify additional
  ; certificates and their privileges.

  ; authorize
  ; {
  ;   certfile keys/this_cert_does_not_exist.ndncert
  ;   authorize
  ;   privileges
  ;   {
  ;     faces
  ;   }
  ; }
}

rib
{
  ; The following localhost_security allows anyone to register routing entries in local RIB
  localhost_security
  {
    trust-anchor
    {
      type any
    }
  }

  ; localhop_security should be enabled when NFD runs on a hub.
  ; "/localhop/nfd/fib" command prefix will be disabled when localhop_security section is missing.
  ; localhop_security
  ; {
  ;   ; This section defines the trust model for NFD RIB Management. It consists of rules and
  ;   ; trust-anchors, which are briefly defined in this file.  For more information refer to
  ;   ; validator configuration file format documentation:
  ;   ;
  ;   ;    https://named-data.net/doc/ndn-cxx/current/tutorials/security-validator-config.html
  ;   ;
  ;   ; A trust-anchor is a pre-trusted certificate.  This can be any certificate that is the
  ;   ; root of certification chain (e.g., NDN testbed root certificate) or an existing
  ;   ; default system certificate `default.ndncert`.
  ;   ;
  ;   ; A rule defines conditions a valid packet MUST have. A packet must satisfy one of the
  ;   ; rules defined here. A rule can be broken into two parts: matching & checking. A packet
  ;   ; will be matched against rules from the first to the last until a matched rule is
  ;   ; encountered. The matched rule will be used to check the packet. If a packet does not
  ;   ; match any rule, it will be treated as invalid.  The matching part of a rule consists
  ;   ; of `for` and `filter` sections. They collectively define which packets can be checked
  ;   ; with this rule. `for` defines packet type (data or interest) and `filter` defines
  ;   ; conditions on other properties of a packet. Right now, you can only define conditions
  ;   ; on packet name, and you can only specify ONLY ONE filter for packet name.  The
  ;   ; checking part of a rule consists of `checker`, which defines the conditions that a
  ;   ; VALID packet MUST have. See comments in checker section for more details.
  ;
  ;   rule
  ;   {
  ;     id "RIB Command Interest"
  ;     for interest
  ;     ; match Commmand Interest name
  ;     ; last three components are ControlParameters, timestamp, and random-value
  ;     ; SignatureInfo and SignatureValue are stripped before passing to the filter
  ;     filter
  ;     {
  ;       type name
  ;       regex ^<localhop><nfd><rib>[<register><unregister>]<>{3}$
  ;     }
  ;     checker
  ;     {
  ;       type customized
  ;       sig-type ecdsa-sha256
  ;       ; KeyLocator must be either a key name or a certificate name
  ;       key-locator
  ;       {
  ;         type name
  ;         regex ^<>*<KEY><>{1,3}$
  ;       }
  ;     }
  ;   }
  ;   rule
  ;   {
  ;     id "NDN Testbed Certificate Hierarchy"
  ;     for data
  ;     ; match certificate name only
  ;     filter
  ;     {
  ;       type name
  ;       regex ^<>*<KEY><>{3}$
  ;     }
  ;     checker
  ;     {
  ;       type customized
  ;       sig-type ecdsa-sha256
  ;       key-locator
  ;       {
  ;         type name
  ;         ; issuer subject name must be a prefix of issued certificate name
  ;         hyper-relation
  ;         {
  ;           k-regex ^(<>*)<KEY><>{1,3}$
  ;           k-expand \\1
  ;           h-relation is-prefix-of
  ;           p-regex ^(<>*)$
  ;           p-expand \\1
  ;         }
  ;       }
  ;     }
  ;   }
  ;   trust-anchor
  ;   {
  ;     type file
  ;     ; certificate path, relative to this config file
  ;     file-name keys/default.ndncert
  ;   }
  ;   ; trust-anchor entry may be repeated to specify multiple trust anchors
  ; }

  ; The following localhop_security should be enabled when NFD runs on a hub,
  ; which accepts all remote registrations and is a short-term solution.
  ; localhop_security
  ; {
  ;   trust-anchor
  ;   {
  ;     type any
  ;   }
  ; }

  ; The following prefix_announcement_validation accepts any prefix announcement
  prefix_announcement_validation
  {
    trust-anchor
    {
      type any
    }
  }

  auto_prefix_propagate
  {
    cost 15 ; forwarding cost of prefix registered on remote router
    timeout 10000 ; timeout (in milliseconds) of prefix registration command for propagation

    refresh_interval 300 ; interval (in seconds) before refreshing the propagation
    ; This setting should be less than face_system.udp.idle_time,
    ; so that the face is kept alive on the remote router.

    base_retry_wait 50 ; base wait time (in seconds) before retrying propagation
    max_retry_wait 3600 ; maximum wait time (in seconds) before retrying propagation
    ; for consequent retries, the wait time before each retry is calculated based on the back-off
    ; policy. Initially, the wait time is set to base_retry_wait, then it will be doubled for every
    ; retry unless beyond the max_retry_wait, in which case max_retry_wait is set as the wait time.
  }

  ; If enabled, routes registered with origin=client (typically from auto_prefix_propagate)
  ; will be readvertised into local NLSR daemon.
  readvertise_nlsr no
}

Updated by Davide Pesavento 4 months ago · 19 revisions