Project

General

Profile

ConfigFileFormat » History » Version 11

Alex Afanasyev, 06/26/2014 06:24 PM

1 2 Junxiao Shi
# Config file format
2 1 Alex Afanasyev
3 3 Junxiao Shi
Initial state of NFD daemon is configured using an [INFO file](http://www.boost.org/doc/libs/1_42_0/doc/html/boost_propertytree/parsers.html#boost_propertytree.parsers.info_parser).
4 1 Alex Afanasyev
5 11 Alex Afanasyev
    ; The general section contains settings of nfd process.
6 1 Alex Afanasyev
    general
7
    {
8 11 Alex Afanasyev
      ; Specify a user and/or group for NFD to drop privileges to
9
      ; when not performing privileged tasks. NFD does not drop
10
      ; privileges by default.
11
    
12
      ; user ndn-user
13
      ; group ndn-user
14 1 Alex Afanasyev
    }
15
    
16
    log
17
    {
18 11 Alex Afanasyev
      ; default_level specifies the logging level for modules
19
      ; that are not explicitly named. All debugging levels
20
      ; listed above the selected value are enabled.
21
      ;
22
      ; Valid values:
23
      ;
24
      ;  NONE ; no messages
25
      ;  ERROR ; error messages
26
      ;  WARN ; warning messages
27
      ;  INFO ; informational messages (default)
28
      ;  DEBUG ; debugging messages
29
      ;  TRACE ; trace messages (most verbose)
30
      ;  ALL ; all messages
31
    
32
      default_level INFO
33
    
34
      ; You may override default_level by assigning a logging level
35
      ; to the desired module name. Module names can be found in two ways:
36
      ;
37
      ; Run:
38
      ;   nfd --modules
39
      ;   nrd --modules
40
      ;
41
      ; Or look for NFD_LOG_INIT(<module name>) statements in .cpp files
42
      ;
43
      ; Example module-level settings:
44
      ;
45
      ; FibManager DEBUG
46
      ; Forwarder INFO
47 1 Alex Afanasyev
    }
48 11 Alex Afanasyev
    
49
    ; The tables section configures the CS, PIT, FIB, Strategy Choice, and Measurements
50
    tables
51
    {
52
    
53
      ; ContentStore size limit in number of packets
54
      ; default is 65536, about 500MB with 8KB packet size
55
      cs_max_packets 65536
56
    }
57
    
58
    ; The face_system section defines what faces and channels are created.
59 1 Alex Afanasyev
    face_system
60
    {
61 11 Alex Afanasyev
      ; The unix section contains settings of UNIX stream faces and channels.
62 1 Alex Afanasyev
      unix
63
      {
64
        listen yes ; set to 'no' to disable UNIX stream listener, default 'yes'
65
        path /var/run/nfd.sock ; UNIX stream listener path
66
      }
67 11 Alex Afanasyev
    
68
      ; The tcp section contains settings of TCP faces and channels.
69 1 Alex Afanasyev
      tcp
70
      {
71
        listen yes ; set to 'no' to disable TCP listener, default 'yes'
72
        port 6363 ; TCP listener port number
73 11 Alex Afanasyev
        enable_v4 yes ; set to 'no' to disable IPv4 channels, default 'yes'
74
        enable_v6 yes ; set to 'no' to disable IPv6 channels, default 'yes'
75 1 Alex Afanasyev
      }
76 11 Alex Afanasyev
    
77
      ; The udp section contains settings of UDP faces and channels.
78
      ; UDP channel is always listening; delete udp section to disable UDP
79 1 Alex Afanasyev
      udp
80
      {
81
        port 6363 ; UDP unicast port number
82 11 Alex Afanasyev
        enable_v4 yes ; set to 'no' to disable IPv4 channels, default 'yes'
83
        enable_v6 yes ; set to 'no' to disable IPv6 channels, default 'yes'
84
        idle_timeout 600 ; idle time (seconds) before closing a UDP unicast face
85 10 Alex Afanasyev
        keep_alive_interval 25; interval (seconds) between keep-alive refreshes
86 11 Alex Afanasyev
    
87
        ; UDP multicast settings
88 1 Alex Afanasyev
        ; NFD creates one UDP multicast face per NIC
89 11 Alex Afanasyev
        ;
90
        ; In multi-homed Linux machines these settings will NOT work without
91
        ; root or settings the appropriate permissions:
92
        ;
93
        ;    sudo setcap cap_net_raw=eip /full/path/nfd
94
        ;
95 1 Alex Afanasyev
        mcast yes ; set to 'no' to disable UDP multicast, default 'yes'
96
        mcast_port 56363 ; UDP multicast port number
97
        mcast_group 224.0.23.170 ; UDP multicast group (IPv4 only)
98
      }
99 11 Alex Afanasyev
    
100
      ; The ether section contains settings of Ethernet faces and channels.
101
      ; These settings will NOT work without root or setting the appropriate
102
      ; permissions:
103
      ;
104
      ;    sudo setcap cap_net_raw,cap_net_admin=eip /full/path/nfd
105
      ;
106
      ; You may need to install a package to use setcap:
107
      ;
108
      ; **Ubuntu:**
109
      ;
110
      ;    sudo apt-get install libcap2-bin
111
      ;
112
      ; **Mac OS X:**
113
      ;
114
      ;    curl https://bugs.wireshark.org/bugzilla/attachment.cgi?id=3373 -o ChmodBPF.tar.gz
115
      ;    tar zxvf ChmodBPF.tar.gz
116
      ;    open ChmodBPF/Install\ ChmodBPF.app
117
      ;
118
      ; or manually:
119
      ;
120
      ;    sudo chgrp admin /dev/bpf*
121
      ;    sudo chmod g+rw /dev/bpf*
122
    
123 1 Alex Afanasyev
      ether
124
      {
125 11 Alex Afanasyev
        ; Ethernet multicast settings
126 1 Alex Afanasyev
        ; NFD creates one Ethernet multicast face per NIC
127 11 Alex Afanasyev
      
128 1 Alex Afanasyev
        mcast yes ; set to 'no' to disable Ethernet multicast, default 'yes'
129
        mcast_group 01:00:5E:00:17:AA ; Ethernet multicast group
130
      }
131 11 Alex Afanasyev
    
132
      ; The websocket section contains settings of WebSocket faces and channels.
133
    
134
      websocket
135
      {
136
        listen yes ; set to 'no' to disable WebSocket listener, default 'yes'
137
        port 9696 ; WebSocket listener port number
138
        enable_v4 yes ; set to 'no' to disable listening on IPv4 socket, default 'yes'
139
        enable_v6 yes ; set to 'no' to disable listening on IPv6 socket, default 'yes'
140
      }
141 1 Alex Afanasyev
    }
142 11 Alex Afanasyev
    
143
    ; The authorizations section grants privileges to authorized keys.
144 1 Alex Afanasyev
    authorizations
145
    {
146 11 Alex Afanasyev
      ; An authorize section grants privileges to a NDN certificate.
147 1 Alex Afanasyev
      authorize
148
      {
149 11 Alex Afanasyev
        ; If you do not already have NDN certificate, you can generate
150
        ; one with the following commands.
151
        ;
152
        ; 1. Generate and install a self-signed identity certificate:
153
        ;
154
        ;      ndnsec-keygen /`whoami` | ndnsec-install-cert -
155
        ;
156
        ; Note that the argument to ndnsec-key will be the identity name of the
157
        ; new key (in this case, /your-username). Identities are hierarchical NDN
158
        ; names and may have multiple components (e.g. `/ndn/ucla/edu/alice`).
159
        ; You may create additional keys and identities as you see fit.
160
        ;
161
        ; 2. Dump the NDN certificate to a file:
162
        ;
163
        ;      sudo mkdir -p /usr/local/etc/ndn/keys/
164
        ;      ndnsec-cert-dump -i /`whoami` >  default.ndncert
165
        ;      sudo mv default.ndncert /usr/local/etc/ndn/keys/default.ndncert
166
        ;
167
        ; The "certfile" field below specifies the default key directory for
168
        ; your machine. You may move your newly created key to the location it
169
        ; specifies or path.
170
    
171
        ; certfile keys/default.ndncert ; NDN identity certificate file
172
        certfile any ; "any" authorizes command interests signed under any certificate,
173
                     ; i.e., no actual validation.
174 10 Alex Afanasyev
        privileges ; set of privileges granted to this identity
175
        {
176 11 Alex Afanasyev
          faces
177 10 Alex Afanasyev
          fib
178 11 Alex Afanasyev
          strategy-choice
179 10 Alex Afanasyev
        }
180
      }
181 11 Alex Afanasyev
    
182
      ; You may have multiple authorize sections that specify additional
183
      ; certificates and their privileges.
184
    
185
      ; authorize
186
      ; {
187
      ;   certfile keys/this_cert_does_not_exist.ndncert
188
      ;   authorize
189
      ;   privileges
190
      ;   {
191
      ;     faces
192
      ;   }
193
      ; }
194 10 Alex Afanasyev
    }
195
    
196 11 Alex Afanasyev
    rib
197
    {
198
      ; The following localhost_security allows anyone to register routing entries in local RIB
199
      localhost_security
200 10 Alex Afanasyev
      {
201 11 Alex Afanasyev
        trust-anchor
202 10 Alex Afanasyev
        {
203 11 Alex Afanasyev
          type any
204 10 Alex Afanasyev
        }
205
      }
206 11 Alex Afanasyev
    
207
      ; localhop_security should be enabled when NFD runs on a hub.
208
      ; "/localhop/nfd/fib" command prefix will be disabled when localhop_security section is missing.
209
      ; localhop_security
210 10 Alex Afanasyev
      ; {
211 11 Alex Afanasyev
      ;   ; This section defines the trust model for NFD RIB Management. It consists of rules and
212
      ;   ; trust-anchors, which are briefly defined in this file.  For more information refer to
213
      ;   ; manpage of ndn-validator.conf:
214
      ;   ;
215
      ;   ;     man ndn-validator.conf
216
      ;   ;
217
      ;   ; A trust-anchor is a pre-trusted certificate.  This can be any certificate that is the
218
      ;   ; root of certification chain (e.g., NDN testbed root certificate) or an existing
219
      ;   ; default system certificate `default.ndncert`.
220
      ;   ;
221
      ;   ; A rule defines conditions a valid packet MUST have. A packet must satisfy one of the
222
      ;   ; rules defined here. A rule can be broken into two parts: matching & checking. A packet
223
      ;   ; will be matched against rules from the first to the last until a matched rule is
224
      ;   ; encountered. The matched rule will be used to check the packet. If a packet does not
225
      ;   ; match any rule, it will be treated as invalid.  The matching part of a rule consists
226
      ;   ; of `for` and `filter` sections. They collectively define which packets can be checked
227
      ;   ; with this rule. `for` defines packet type (data or interest) and `filter` defines
228
      ;   ; conditions on other properties of a packet. Right now, you can only define conditions
229
      ;   ; on packet name, and you can only specify ONLY ONE filter for packet name.  The
230
      ;   ; checking part of a rule consists of `checker`, which defines the conditions that a
231
      ;   ; VALID packet MUST have. See comments in checker section for more details.
232
      ;
233
      ;   rule
234
      ;   {
235
      ;     id "NRD Prefix Registration Command Rule"
236
      ;     for interest                         ; rule for Interests (to validate CommandInterests)
237
      ;     filter
238
      ;     {
239
      ;       type name                          ; condition on interest name (w/o signature)
240
      ;       regex ^[<localhop><localhost>]<nfd><rib>[<register><unregister>]<>$ ; prefix before
241
      ;                                                                           ; timestamp
242
      ;     }
243
      ;     checker
244
      ;     {
245
      ;       type customized
246
      ;       sig-type rsa-sha256                ; interest must have a rsa-sha256 signature
247
      ;       key-locator
248
      ;       {
249
      ;         type name                        ; key locator must be the certificate name of the
250
      ;                                          ; signing key
251
      ;         regex ^[^<KEY>]*<KEY><>*<ksk-.*><ID-CERT>$
252
      ;       }
253
      ;     }
254
      ;   }
255
      ;   rule
256
      ;   {
257
      ;     id "NDN Testbed Hierarchy Rule"
258
      ;     for data                             ; rule for Data (to validate NDN certificates)
259
      ;     filter
260
      ;     {
261
      ;       type name                          ; condition on data name
262
      ;       regex ^[^<KEY>]*<KEY><>*<ksk-.*><ID-CERT><>$
263
      ;     }
264
      ;     checker
265
      ;     {
266
      ;       type hierarchical                  ; the certificate name of the signing key and
267
      ;                                          ; the data name must follow the hierarchical model
268
      ;       sig-type rsa-sha256                ; data must have a rsa-sha256 signature
269
      ;     }
270
      ;   }
271
      ;   trust-anchor
272
      ;   {
273
      ;     type file
274
      ;     file-name keys/default.ndncert ; the file name, by default this file should be placed in the
275
      ;                                    ; same folder as this config file.
276
      ;   }
277
      ;   ; trust-anchor ; Can be repeated multiple times to specify multiple trust anchors
278
      ;   ; {
279
      ;   ;   type file
280
      ;   ;   file-name keys/ndn-testbed.ndncert
281
      ;   ; }
282 1 Alex Afanasyev
      ; }
283
    }