blob: b1b704ae8c3db132f7d18e05ce5cab6d95b58768 [file] [log] [blame]
; The general section contains settings of nfd process.
general
{
; Specify a user and/or group for NFD to drop privileges to
; when not performing privileged tasks. NFD does not drop
; privileges by default.
; user ndn-user
; group ndn-user
}
log
{
; default_level specifies the logging level for modules
; that are not explicitly named. All debugging levels
; listed above the selected value are enabled.
;
; Valid values:
;
; NONE ; no messages
; ERROR ; error messages
; WARN ; warning messages
; INFO ; informational messages (default)
; DEBUG ; debugging messages
; TRACE ; trace messages (most verbose)
; ALL ; all messages
default_level INFO
; You may override default_level by assigning a logging level
; to the desired module name. Module names can be found in two ways:
;
; Run:
; nfd --modules
;
; Or look for NFD_LOG_INIT(<module name>) statements in .cpp files
;
; Example module-level settings:
;
; FibManager DEBUG
; Forwarder INFO
}
; The tables section configures the CS, PIT, FIB, Strategy Choice, and Measurements
tables
{
; ContentStore size limit in number of packets
; default is 65536, about 500MB with 8KB packet size
cs_max_packets 65536
; Set the CS replacement policy.
; Available policies are: priority_fifo, lru
cs_policy priority_fifo
; Set a policy to decide whether to cache or drop unsolicited Data.
; Available policies are: drop-all, admit-local, admit-network, admit-all
cs_unsolicited_policy drop-all
; Set the forwarding strategy for the specified prefixes:
; <prefix> <strategy>
strategy_choice
{
/ /localhost/nfd/strategy/best-route
/localhost /localhost/nfd/strategy/multicast
/localhost/nfd /localhost/nfd/strategy/best-route
/ndn/broadcast /localhost/nfd/strategy/multicast
}
; Declare network region names
; These are used for mobility support. An Interest carrying a Link object is
; assumed to have reached the producer region if any delegation name in the
; Link object is a prefix of any region name.
network_region
{
; /example/region1
; /example/region2
}
}
; The face_system section defines what faces and channels are created.
face_system
{
; The unix section contains settings of Unix stream faces and channels.
; Unix channel is always listening; delete unix section to disable
; Unix stream faces and channels.
;
; The ndn-cxx library expects unix:///var/run/nfd.sock
; to be used as the default transport option. Please change
; the "transport" field in client.conf to an appropriate tcp4 FaceUri
; if you need to disable unix sockets.
unix
{
path /var/run/nfd.sock ; Unix stream listener path
}
; The tcp section contains settings of TCP faces and channels.
tcp
{
listen yes ; set to 'no' to disable TCP listener, default 'yes'
port 6363 ; TCP listener port number
enable_v4 yes ; set to 'no' to disable IPv4 channels, default 'yes'
enable_v6 yes ; set to 'no' to disable IPv6 channels, default 'yes'
}
; The udp section contains settings of UDP faces and channels.
; UDP channel is always listening; delete udp section to disable UDP
udp
{
port 6363 ; UDP unicast port number
enable_v4 yes ; set to 'no' to disable IPv4 channels, default 'yes'
enable_v6 yes ; set to 'no' to disable IPv6 channels, default 'yes'
; idle time (seconds) before closing a UDP unicast face, the actual timeout would be
; anywhere within [idle_timeout, 2*idle_timeout), default is 600
idle_timeout 600
keep_alive_interval 25; interval (seconds) between keep-alive refreshes
; UDP multicast settings
; NFD creates one UDP multicast face per NIC
;
; In multi-homed Linux machines these settings will NOT work without
; root or settings the appropriate permissions:
;
; sudo setcap cap_net_raw=eip /full/path/nfd
;
mcast yes ; set to 'no' to disable UDP multicast, default 'yes'
mcast_port 56363 ; UDP multicast port number
mcast_group 224.0.23.170 ; UDP multicast group (IPv4 only)
; Whitelist and blacklist can contain, in no particular order:
; interface names (e.g., ifname eth0),
; mac addresses (e.g., ether 85:3b:4d:d3:5f:c2),
; subnets (e.g., subnet 192.0.2.0/24, note that only IPv4 is supported here),
; or a wildcard (*) that matches all interfaces.
whitelist
{
*
}
blacklist
{
}
}
; The ether section contains settings of Ethernet faces and channels.
; These settings will NOT work without root or setting the appropriate
; permissions:
;
; sudo setcap cap_net_raw,cap_net_admin=eip /full/path/nfd
;
; You may need to install a package to use setcap:
;
; **Ubuntu:**
;
; sudo apt-get install libcap2-bin
;
; **Mac OS X:**
;
; curl https://bugs.wireshark.org/bugzilla/attachment.cgi?id=3373 -o ChmodBPF.tar.gz
; tar zxvf ChmodBPF.tar.gz
; open ChmodBPF/Install\ ChmodBPF.app
;
; or manually:
;
; sudo chgrp admin /dev/bpf*
; sudo chmod g+rw /dev/bpf*
;
@IF_HAVE_LIBPCAP@ether
@IF_HAVE_LIBPCAP@{
@IF_HAVE_LIBPCAP@ ; Ethernet multicast settings
@IF_HAVE_LIBPCAP@ ; NFD creates one Ethernet multicast face per NIC
@IF_HAVE_LIBPCAP@
@IF_HAVE_LIBPCAP@ mcast yes ; set to 'no' to disable Ethernet multicast, default 'yes'
@IF_HAVE_LIBPCAP@ mcast_group 01:00:5E:00:17:AA ; Ethernet multicast group
@IF_HAVE_LIBPCAP@
@IF_HAVE_LIBPCAP@ ; Whitelist and blacklist can contain, in no particular order:
@IF_HAVE_LIBPCAP@ ; interface names (e.g., ifname eth0),
@IF_HAVE_LIBPCAP@ ; mac addresses (e.g., ether 85:3b:4d:d3:5f:c2),
@IF_HAVE_LIBPCAP@ ; subnets (e.g., subnet 192.0.2.0/24, note that only IPv4 is supported here),
@IF_HAVE_LIBPCAP@ ; or a wildcard (*) that matches all interfaces.
@IF_HAVE_LIBPCAP@
@IF_HAVE_LIBPCAP@ whitelist
@IF_HAVE_LIBPCAP@ {
@IF_HAVE_LIBPCAP@ *
@IF_HAVE_LIBPCAP@ }
@IF_HAVE_LIBPCAP@ blacklist
@IF_HAVE_LIBPCAP@ {
@IF_HAVE_LIBPCAP@ }
@IF_HAVE_LIBPCAP@}
; The websocket section contains settings of WebSocket faces and channels.
@IF_HAVE_WEBSOCKET@websocket
@IF_HAVE_WEBSOCKET@{
@IF_HAVE_WEBSOCKET@ listen yes ; set to 'no' to disable WebSocket listener, default 'yes'
@IF_HAVE_WEBSOCKET@ port 9696 ; WebSocket listener port number
@IF_HAVE_WEBSOCKET@ enable_v4 yes ; set to 'no' to disable listening on IPv4 socket, default 'yes'
@IF_HAVE_WEBSOCKET@ enable_v6 yes ; set to 'no' to disable listening on IPv6 socket, default 'yes'
@IF_HAVE_WEBSOCKET@}
}
; The authorizations section grants privileges to authorized keys.
authorizations
{
; An authorize section grants privileges to a NDN certificate.
authorize
{
; If you do not already have NDN certificate, you can generate
; one with the following commands.
;
; 1. Generate and install a self-signed identity certificate:
;
; ndnsec-keygen /`whoami` | ndnsec-install-cert -
;
; Note that the argument to ndnsec-key will be the identity name of the
; new key (in this case, /your-username). Identities are hierarchical NDN
; names and may have multiple components (e.g. `/ndn/ucla/edu/alice`).
; You may create additional keys and identities as you see fit.
;
; 2. Dump the NDN certificate to a file:
;
; sudo mkdir -p @SYSCONFDIR@/ndn/keys/
; ndnsec-cert-dump -i /`whoami` > default.ndncert
; sudo mv default.ndncert @SYSCONFDIR@/ndn/keys/default.ndncert
;
; The "certfile" field below specifies the default key directory for
; your machine. You may move your newly created key to the location it
; specifies or path.
; certfile keys/default.ndncert ; NDN identity certificate file
certfile any ; "any" authorizes command interests signed under any certificate,
; i.e., no actual validation.
privileges ; set of privileges granted to this identity
{
faces
fib
strategy-choice
}
}
; You may have multiple authorize sections that specify additional
; certificates and their privileges.
; authorize
; {
; certfile keys/this_cert_does_not_exist.ndncert
; authorize
; privileges
; {
; faces
; }
; }
}
rib
{
; The following localhost_security allows anyone to register routing entries in local RIB
localhost_security
{
trust-anchor
{
type any
}
}
; localhop_security should be enabled when NFD runs on a hub.
; "/localhop/nfd/fib" command prefix will be disabled when localhop_security section is missing.
; localhop_security
; {
; ; This section defines the trust model for NFD RIB Management. It consists of rules and
; ; trust-anchors, which are briefly defined in this file. For more information refer to
; ; manpage of ndn-validator.conf:
; ;
; ; man ndn-validator.conf
; ;
; ; A trust-anchor is a pre-trusted certificate. This can be any certificate that is the
; ; root of certification chain (e.g., NDN testbed root certificate) or an existing
; ; default system certificate `default.ndncert`.
; ;
; ; A rule defines conditions a valid packet MUST have. A packet must satisfy one of the
; ; rules defined here. A rule can be broken into two parts: matching & checking. A packet
; ; will be matched against rules from the first to the last until a matched rule is
; ; encountered. The matched rule will be used to check the packet. If a packet does not
; ; match any rule, it will be treated as invalid. The matching part of a rule consists
; ; of `for` and `filter` sections. They collectively define which packets can be checked
; ; with this rule. `for` defines packet type (data or interest) and `filter` defines
; ; conditions on other properties of a packet. Right now, you can only define conditions
; ; on packet name, and you can only specify ONLY ONE filter for packet name. The
; ; checking part of a rule consists of `checker`, which defines the conditions that a
; ; VALID packet MUST have. See comments in checker section for more details.
;
; rule
; {
; id "NRD Prefix Registration Command Rule"
; for interest ; rule for Interests (to validate CommandInterests)
; filter
; {
; type name ; condition on interest name (w/o signature)
; regex ^[<localhop><localhost>]<nfd><rib>[<register><unregister>]<>$ ; prefix before
; ; timestamp
; }
; checker
; {
; type customized
; sig-type rsa-sha256 ; interest must have a rsa-sha256 signature
; key-locator
; {
; type name ; key locator must be the certificate name of the
; ; signing key
; regex ^[^<KEY>]*<KEY><>*<ksk-.*><ID-CERT>$
; }
; }
; }
; rule
; {
; id "NDN Testbed Hierarchy Rule"
; for data ; rule for Data (to validate NDN certificates)
; filter
; {
; type name ; condition on data name
; regex ^[^<KEY>]*<KEY><>*<ksk-.*><ID-CERT><>$
; }
; checker
; {
; type hierarchical ; the certificate name of the signing key and
; ; the data name must follow the hierarchical model
; sig-type rsa-sha256 ; data must have a rsa-sha256 signature
; }
; }
; trust-anchor
; {
; type file
; file-name keys/default.ndncert ; the file name, by default this file should be placed in the
; ; same folder as this config file.
; }
; ; trust-anchor ; Can be repeated multiple times to specify multiple trust anchors
; ; {
; ; type file
; ; file-name keys/ndn-testbed.ndncert
; ; }
; }
; The following localhop_security should be enabled when NFD runs on a hub,
; which accepts all remote registrations and is a short-term solution.
; localhop_security
; {
; trust-anchor
; {
; type any
; }
; }
auto_prefix_propagate
{
cost 15 ; forwarding cost of prefix registered on remote router
timeout 10000 ; timeout (in milliseconds) of prefix registration command for propagation
refresh_interval 300 ; interval (in seconds) before refreshing the propagation
; This setting should be less than face_system.udp.idle_time,
; so that the face is kept alive on the remote router.
base_retry_wait 50 ; base wait time (in seconds) before retrying propagation
max_retry_wait 3600 ; maximum wait time (in seconds) before retrying propagation
; for consequent retries, the wait time before each retry is calculated based on the back-off
; policy. Initially, the wait time is set to base_retry_wait, then it will be doubled for every
; retry unless beyond the max_retry_wait, in which case max_retry_wait is set as the wait time.
}
}