ConfigFileFormat » History » Revision 11
Revision 10 (Alex Afanasyev, 04/19/2014 09:16 PM) → Revision 11/19 (Alex Afanasyev, 06/26/2014 06:24 PM)
# Config file format Initial state of NFD daemon is configured using an [INFO file](http://www.boost.org/doc/libs/1_42_0/doc/html/boost_propertytree/parsers.html#boost_propertytree.parsers.info_parser). ## Example configuration ; The the general section contains settings of nfd process. process general { ; Specify a user and/or group for NFD to drop privileges to ; when not performing privileged tasks. NFD does not drop ; privileges by default. ; user ndn-user ; group ndn-user } log { ; default_level specifies the logging level for modules ; that are not explicitly named. All debugging levels ; listed above the selected value are enabled. ; ; Valid values: levels: ; ; NONE ; no messages ; ERROR ; error messages ; WARN ; warning messages ; INFO ; informational messages (default) ; DEBUG ; debugging messages ; TRACE ; trace messages (most verbose) ; ALL ; all messages default_level INFO WARN ; You may override default_level by assigning a logging level ; to the desired module name. Module names can be found in two ways: ; ; Run: ; nfd --modules ; nrd --modules ; ; Or look for NFD_LOG_INIT(<module name>) statements in .cpp files ; ; Example module-level settings: ; ; FibManager DEBUG ; Forwarder INFO } ; The tables section configures the CS, PIT, FIB, Strategy Choice, and Measurements tables { ; ContentStore size limit in number of packets ; default is 65536, about 500MB with 8KB packet size cs_max_packets 65536 } ; The face_system section defines what faces and channels are created. created face_system { ; The the unix section contains settings of UNIX stream faces and channels. channels unix { listen yes ; set to 'no' to disable UNIX stream listener, default 'yes' path /var/run/nfd.sock ; UNIX stream listener path } ; The the tcp section contains settings of TCP faces and channels. channels tcp { listen yes ; set to 'no' to disable TCP listener, default 'yes' port 6363 ; TCP listener port number enable_v4 yes ; set to 'no' to disable IPv4 channels, default 'yes' enable_v6 yes ; set to 'no' to disable IPv6 channels, default 'yes' } ; The the udp section contains settings of UDP faces and channels. channels ; UDP channel is always listening; delete udp section to disable UDP udp { port 6363 ; UDP unicast port number enable_v4 yes ; set to 'no' to disable IPv4 channels, default 'yes' enable_v6 yes ; set to 'no' to disable IPv6 channels, default 'yes' idle_timeout 600 30 ; idle time (seconds) before closing a UDP unicast face keep_alive_interval 25; interval (seconds) between keep-alive refreshes ; UDP multicast settings ; NFD creates one UDP multicast face per NIC ; ; In multi-homed Linux machines these settings will NOT work without ; root or settings the appropriate permissions: ; ; sudo setcap cap_net_raw=eip /full/path/nfd ; mcast yes ; set to 'no' to disable UDP multicast, default 'yes' mcast_port 56363 ; UDP multicast port number mcast_group 224.0.23.170 ; UDP multicast group (IPv4 only) } ; The the ether section contains settings of Ethernet faces and channels. channels ; These settings will NOT work without root or setting the appropriate ; permissions: ; ; sudo setcap cap_net_raw,cap_net_admin=eip /full/path/nfd ; ; You may need to install a package to use setcap: ; ; **Ubuntu:** ; ; sudo apt-get install libcap2-bin ; ; **Mac OS X:** ; ; curl https://bugs.wireshark.org/bugzilla/attachment.cgi?id=3373 -o ChmodBPF.tar.gz ; tar zxvf ChmodBPF.tar.gz ; open ChmodBPF/Install\ ChmodBPF.app ; ; or manually: ; ; sudo chgrp admin /dev/bpf* ; sudo chmod g+rw /dev/bpf* ether { ; Ethernet multicast settings ; NFD creates one Ethernet multicast face per NIC mcast yes ; set to 'no' to disable Ethernet multicast, default 'yes' mcast_group 01:00:5E:00:17:AA ; Ethernet multicast group } ; The websocket section contains settings of WebSocket faces and channels. websocket { listen yes ; set to 'no' to disable WebSocket listener, default 'yes' port 9696 ; WebSocket listener port number enable_v4 yes ; set to 'no' to disable listening on IPv4 socket, default 'yes' enable_v6 yes ; set to 'no' to disable listening on IPv6 socket, default 'yes' } } ; The the authorizations section grants privileges to authorized keys. NDN certificates authorizations { ; An an authorize section grants privileges to a an NDN certificate. certificate authorize { keyfile "/tmp/cert1.ndncert" ; If you do not already have NDN certificate, you can generate ; one with the following commands. ; ; 1. Generate and install a self-signed identity certificate: ; ; ndnsec-keygen /`whoami` | ndnsec-install-cert - ; ; Note that the argument to ndnsec-key will be the identity name of the ; new key (in this case, /your-username). Identities are hierarchical NDN ; names and may have multiple components (e.g. `/ndn/ucla/edu/alice`). ; You may create additional keys and identities as you see fit. ; ; 2. Dump the NDN certificate to a file: ; ; sudo mkdir -p /usr/local/etc/ndn/keys/ ; ndnsec-cert-dump -i /`whoami` > default.ndncert ; sudo mv default.ndncert /usr/local/etc/ndn/keys/default.ndncert ; ; The "certfile" field below specifies the default key directory for ; your machine. You may move your newly created key to the location it ; specifies or path. ; certfile keys/default.ndncert ; NDN identity certificate file certfile any ; "any" authorizes command interests signed under any certificate, ; i.e., no actual validation. privileges ; set of privileges granted to this identity { faces fib strategy-choice stats } } ; You may have multiple authorize sections that specify additional ; certificates and their privileges. ; authorize ; { keyfile "/tmp/cert2.ndncert" ; certfile keys/this_cert_does_not_exist.ndncert NDN identity certificate file privileges ; authorize ; set of privileges ; granted to this identity { ; faces ; } ; } } rib rib_security { ; The following localhost_security allows anyone to register routing entries in local RIB localhost_security { trust-anchor { type any } } ; localhop_security should be enabled when NFD runs on a hub. ; "/localhop/nfd/fib" command prefix will be disabled when localhop_security section is missing. ; localhop_security ; { ; ; This section defines the trust model for NFD RIB Management. It consists of rules and ; ; trust-anchors, which are briefly defined in this file. For more information refer to ; ; manpage of ndn-validator.conf: ; ; ; ; man ndn-validator.conf ; ; ; ; A trust-anchor is a pre-trusted certificate. This can be any certificate that is the ; ; root of certification chain (e.g., NDN testbed root certificate) or an existing ; ; default system certificate `default.ndncert`. ; ; ; ; A rule defines conditions a valid packet MUST have. A packet must satisfy one of the ; ; rules defined here. A rule can be broken into two parts: matching & checking. A packet ; ; will be matched against rules from the first to the last until a matched rule is ; ; encountered. The matched rule will be used to check the packet. If a packet does not ; ; match any rule, it will be treated as invalid. The matching part of a rule consists ; ; of `for` and `filter` sections. They collectively define which packets can be checked ; ; with this rule. `for` defines packet type (data or interest) and `filter` defines ; ; conditions on other properties of a packet. Right now, you can only define conditions ; ; on packet name, and you can only specify ONLY ONE filter for packet name. The ; ; checking part of a rule consists of `checker`, which defines the conditions that a ; ; VALID packet MUST have. See comments in checker section for more details. ; ; rule ; { ; id "NRD Prefix Registration Command Rule" ; for interest ; rule for Interests (to validate CommandInterests) ; filter ; { ; type name ; condition on interest name (w/o signature) ; regex ^[<localhop><localhost>]<nfd><rib>[<register><unregister>]<>$ ; prefix before ; ; timestamp ; ^[<localhop><localhost>]<nfd><rib>[<register><unregister>]<>{3}$ } ; checker ; { ; type customized ; sig-type rsa-sha256 ; interest must have a rsa-sha256 signature ; key-locator ; { ; type name ; key locator must be the certificate name of ; the ; ; signing key ; regex ^[^<KEY>]*<KEY><>*<ksk-.*><ID-CERT>$ ; } ; } ; } ; rule ; { ; id "NDN Testbed Hierarchy Rule" ; for data ; rule for Data (to validate NDN certificates) ; filter ; { ; type name ; condition on data name ; regex ^[^<KEY>]*<KEY><>*<ksk-.*><ID-CERT><>$ ; } ; checker ; { ; type hierarchical ; the certificate name of the signing key and ; ; the data name must follow the hierarchical model ; sig-type rsa-sha256 ; data must have a rsa-sha256 signature ; } ; } ; trust-anchor ; { ; type file ; file-name keys/default.ndncert ; the file name, by default this file should be placed in the ; ; same folder as this config file. ; } ; ; trust-anchor ; Can be repeated multiple times to specify multiple trust anchors ; ; { ; ; type file ; ; file-name keys/ndn-testbed.ndncert ; ; } ; } }