
Revision 9 (Anonymous, 03/29/2014 06:34 PM) → Revision 10/19 (Alex Afanasyev, 04/19/2014 09:16 PM)

# Config file format 

 The initial state of the NFD daemon is configured using an [INFO file](http://www.boost.org/doc/libs/1_42_0/doc/html/boost_propertytree/parsers.html#boost_propertytree.parsers.info_parser). 

 ## Example configuration 

     ; The general section holds settings for the nfd process itself.
     ; It is empty in this example, so no process-level setting is shown here.
     general 
     { 

     } 
    
     ; The log section sets the logging level, globally and per module.
     log 
     { 
     ; default_level specifies the logging level for modules 
     ; that are not explicitly named. Every level that appears 
     ; before the selected one in the list below is also enabled. 
     ; 
     ; Valid levels: 
     ; 
     ;    NONE ; no messages 
     ;    ERROR ; error messages 
     ;    WARN ; warning messages 
     ;    INFO ; informational messages (default) 
     ;    DEBUG ; debugging messages 
     ;    TRACE ; trace messages (most verbose) 
     ;    ALL ; all messages 

       default_level WARN 

     ; You may override default_level by assigning a logging level 
     ; to the desired module name. Module names can be found in two ways: 
     ; 
     ; Run: 
     ;     nfd --modules 
     ; 
     ; Or look for NFD_LOG_INIT(<module name>) statements in .cpp files 
     ; 
     ; In this example FibManager logs at DEBUG and Forwarder at INFO; 
     ; every module not named here uses default_level (WARN). 
 
       FibManager DEBUG 
       Forwarder INFO 
     } 

     ; The face_system section defines which faces and channels are created. 
     ; 
     ; NOTE(review): this example sets no bind address and no peer restriction for the 
     ; TCP and UDP listeners. Whether they accept traffic on every interface is not 
     ; stated here -- confirm against the NFD documentation, and limit exposure with 
     ; host firewall rules (or 'listen no' / 'mcast no') where remote faces are not wanted. 
     face_system 
     { 
       ; the unix section contains settings of UNIX stream faces and channels 
       unix 
       { 
         listen yes ; set to 'no' to disable UNIX stream listener, default 'yes' 
         path /var/run/nfd.sock ; UNIX stream listener path 
       } 
      
       ; the tcp section contains settings of TCP faces and channels 
       tcp 
       { 
         listen yes ; set to 'no' to disable TCP listener, default 'yes' 
         port 6363 ; TCP listener port number 
       } 
      
       ; the udp section contains settings of UDP faces and channels 
       udp 
       { 
         port 6363 ; UDP unicast port number 
         idle_timeout 30 ; idle time (seconds) before closing a UDP unicast face 
         keep_alive_interval 25; interval (seconds) between keep-alive refreshes 
        
         ; NFD creates one UDP multicast face per NIC 
         mcast yes ; set to 'no' to disable UDP multicast, default 'yes' 
         mcast_port 56363 ; UDP multicast port number 
         mcast_group 224.0.23.170 ; UDP multicast group (IPv4 only) 
       } 
      
       ; the ether section contains settings of Ethernet faces and channels 
       ether 
       { 
         ; NFD creates one Ethernet multicast face per NIC 
         mcast yes ; set to 'no' to disable Ethernet multicast, default 'yes' 
         mcast_group 01:00:5E:00:17:AA ; Ethernet multicast group 
       } 
     } 

     ; The authorizations section grants privileges to authorized NDN certificates. 
     ; Each authorize block names one certificate file and the privileges granted to 
     ; it; in this example cert1 is granted fib and stats, and cert2 is granted faces. 
     ; 
     ; NOTE: the /tmp paths below are example locations only. /tmp is typically 
     ; world-writable, so a certificate file kept there could be replaced by another 
     ; local user, whose key would then hold the privileges listed for it. Keep the 
     ; certificate files (and this config file) in a directory that only the NFD 
     ; administrator can write to. 
     authorizations 
     { 
       ; an authorize section grants privileges to an NDN certificate 
       authorize 
       { 
         keyfile "/tmp/cert1.ndncert" ; NDN identity certificate file 
         privileges ; set of privileges granted to this identity 
         { 
           fib 
           stats 
         } 
       } 

       authorize 
       { 
         keyfile "/tmp/cert2.ndncert" ; NDN identity certificate file 
         privileges ; set of privileges granted to this identity 
         { 
           faces 
         } 
       } 
     } 

     rib_security 
     { 
       ; This section defines the trust model for NFD RIB Management. It consists of rules and 
       ; trust-anchors, which are briefly described in this file. For more information, refer to 
       ; the manpage of ndn-validator.conf: 
       ; 
       ;       man ndn-validator.conf 
       ; 
       ; A trust-anchor is a pre-trusted certificate. This can be any certificate that is the 
       ; root of a certification chain (e.g., the NDN testbed root certificate) or an existing 
       ; default system certificate `default.ndncert`. 
       ; 
       ; A rule defines the conditions a valid packet MUST satisfy. A packet must satisfy one of 
       ; the rules defined here. A rule has two parts: matching and checking. 
       ; 
       ; Matching: a packet is compared against the rules from the first to the last until a 
       ; matching rule is found; that rule is then used to check the packet. A packet that 
       ; matches no rule is treated as invalid. The matching part of a rule consists of the 
       ; `for` and `filter` sections, which together define which packets can be checked with 
       ; the rule: `for` defines the packet type (data or interest) and `filter` defines 
       ; conditions on other properties of the packet. Right now, conditions can be defined 
       ; only on the packet name, and only ONE filter on the packet name can be specified. 
       ; 
       ; Checking: the `checker` section defines the conditions that a VALID packet MUST 
       ; satisfy. See the comments in the checker sections below for more details. 
       ; 
       ; Because matching stops at the first matching rule, the order of the rules matters. 
    
       rule 
       { 
         id "NRD Prefix Registration Command Rule" 
         for interest                                ; rule for Interests (to validate CommandInterests) 
         filter 
         { 
           type name                                 ; condition on interest name (w/o signature) 
           ; NOTE(review): in the NDN regex syntax `<>` presumably matches any single name 
           ; component -- confirm against man ndn-validator.conf before editing this pattern. 
           regex ^[<localhop><localhost>]<nfd><rib>[<register><unregister>]<>{3}$ 
         } 
         checker 
         { 
           type customized 
           sig-type rsa-sha256                       ; interest must have a rsa-sha256 signature 
           key-locator 
           { 
             type name                               ; key locator must be the certificate name of 
                                                   ; the signing key 
             regex ^[^<KEY>]*<KEY><>*<ksk-.*><ID-CERT>$ 
           } 
         } 
       } 
       rule 
       { 
         id "NDN Testbed Hierarchy Rule" 
         for data                                    ; rule for Data (to validate NDN certificates) 
         filter 
         { 
           type name                                 ; condition on data name 
           regex ^[^<KEY>]*<KEY><>*<ksk-.*><ID-CERT><>$ 
         } 
         checker 
         { 
           type hierarchical                         ; the certificate name of the signing key and 
                                                   ; the data name must follow the hierarchical model 
           sig-type rsa-sha256                       ; data must have a rsa-sha256 signature 
         } 
       } 
       ; A trust-anchor is trusted without further checking (it is "pre-trusted", see above), 
       ; so the anchor certificate files should be writable only by the NFD administrator. 
       trust-anchor 
       { 
         type file 
         file-name keys/default.ndncert ; the file name, by default this file should be placed in the 
                                       ; same folder as this config file. 
       } 
       ; trust-anchor ; Can be repeated multiple times to specify multiple trust anchors 
       ; { 
       ;     type file 
       ;     file-name keys/ndn-testbed.ndncert 
       ; } 
     }