net/nfd/files/nfd.conf.sample

; The general section contains settings of nfd process.
; general
; {
; }

log
{
  ; default_level specifies the logging level for modules
  ; that are not explicitly named. All debugging levels
  ; listed above the selected value are enabled.
  ;
  ; Valid values:
  ;
  ;  NONE ; no messages
  ;  ERROR ; error messages
  ;  WARN ; warning messages
  ;  INFO ; informational messages (default)
  ;  DEBUG ; debugging messages
  ;  TRACE ; trace messages (most verbose)
  ;  ALL ; all messages

  default_level INFO

  ; You may override default_level by assigning a logging level
  ; to the desired module name. Module names can be found in two ways:
  ;
  ; Run:
  ;   nfd --modules
  ;
  ; Or look for NFD_LOG_INIT(<module name>) statements in .cpp files
  ;
  ; Example module-level settings:
  ;
  ; FibManager DEBUG
  ; Forwarder INFO
}

; The tables section configures the CS, PIT, FIB, Strategy Choice, and Measurements
tables
{

  ; ContentStore size limit in number of packets
  ; default is 65536, about 500MB with 8KB packet size
  cs_max_packets 65536

  ; Set the forwarding strategy for the specified prefixes:
  ;   <prefix> <strategy>
  strategy_choice
  {
    /               /localhost/nfd/strategy/best-route
    /localhost      /localhost/nfd/strategy/broadcast
    /localhost/nfd  /localhost/nfd/strategy/best-route
    /ndn/broadcast  /localhost/nfd/strategy/broadcast
  }
}

; The face_system section defines what faces and channels are created.
face_system
{
  ; The unix section contains settings of UNIX stream faces and channels.
  ; Unix channel is always listening; delete unix section to disable
  ; Unix stream faces and channels.
  unix
  {
    path /var/run/nfd.sock ; UNIX stream listener path
  }

  ; The tcp section contains settings of TCP faces and channels.
  tcp
  {
    listen yes ; set to 'no' to disable TCP listener, default 'yes'
    port 6363 ; TCP listener port number
    enable_v4 yes ; set to 'no' to disable IPv4 channels, default 'yes'
    enable_v6 yes ; set to 'no' to disable IPv6 channels, default 'yes'
  }

  ; The udp section contains settings of UDP faces and channels.
  ; UDP channel is always listening; delete udp section to disable UDP
  udp
  {
    port 6363 ; UDP unicast port number
    enable_v4 yes ; set to 'no' to disable IPv4 channels, default 'yes'
    enable_v6 yes ; set to 'no' to disable IPv6 channels, default 'yes'
    idle_timeout 600 ; idle time (seconds) before closing a UDP unicast face
    keep_alive_interval 25; interval (seconds) between keep-alive refreshes

    ; UDP multicast settings
    ; NFD creates one UDP multicast face per NIC
    mcast yes ; set to 'no' to disable UDP multicast, default 'yes'
    mcast_port 56363 ; UDP multicast port number
    mcast_group 224.0.23.170 ; UDP multicast group (IPv4 only)
  }

  ; The ether section contains settings of Ethernet faces and channels.
  ether
  {
    ; Ethernet multicast settings
    ; NFD creates one Ethernet multicast face per NIC
    mcast yes ; set to 'no' to disable Ethernet multicast, default 'yes'
    mcast_group 01:00:5E:00:17:AA ; Ethernet multicast group
  }

  ; The websocket section contains settings of WebSocket faces and channels.

  websocket
  {
    listen yes ; set to 'no' to disable WebSocket listener, default 'yes'
    port 9696 ; WebSocket listener port number
    enable_v4 yes ; set to 'no' to disable listening on IPv4 socket, default 'yes'
    enable_v6 yes ; set to 'no' to disable listening on IPv6 socket, default 'yes'
  }
}

authorizations
{
  authorize
  {
    certfile certs/localhost_daemons_nfd.ndncert
    privileges
    {
        faces
        fib
        strategy-choice
    }
  }

  authorize
  {
    certfile any
    privileges
    {
        faces
        strategy-choice
    }
  }
}

rib
{
  ; The following localhost_security allows anyone to register routing entries in local RIB
  localhost_security
  {
    trust-anchor
    {
      type any
    }
  }

  ; localhop_security should be enabled when NFD runs on a hub.
  ; "/localhop/nfd/fib" command prefix will be disabled when localhop_security section is missing.
  ; localhop_security
  ; {
  ;   ; This section defines the trust model for NFD RIB Management. It consists of rules and
  ;   ; trust-anchors, which are briefly defined in this file.  For more information refer to
  ;   ; manpage of ndn-validator.conf:
  ;   ;
  ;   ;     man ndn-validator.conf
  ;   ;
  ;   ; A trust-anchor is a pre-trusted certificate.  This can be any certificate that is the
  ;   ; root of certification chain (e.g., NDN testbed root certificate) or an existing
  ;   ; default system certificate `default.ndncert`.
  ;   ;
  ;   ; A rule defines conditions a valid packet MUST have. A packet must satisfy one of the
  ;   ; rules defined here. A rule can be broken into two parts: matching & checking. A packet
  ;   ; will be matched against rules from the first to the last until a matched rule is
  ;   ; encountered. The matched rule will be used to check the packet. If a packet does not
  ;   ; match any rule, it will be treated as invalid.  The matching part of a rule consists
  ;   ; of `for` and `filter` sections. They collectively define which packets can be checked
  ;   ; with this rule. `for` defines packet type (data or interest) and `filter` defines
  ;   ; conditions on other properties of a packet. Right now, you can only define conditions
  ;   ; on packet name, and you can only specify ONLY ONE filter for packet name.  The
  ;   ; checking part of a rule consists of `checker`, which defines the conditions that a
  ;   ; VALID packet MUST have. See comments in checker section for more details.
  ;
  ;   rule
  ;   {
  ;     id "NRD Prefix Registration Command Rule"
  ;     for interest                         ; rule for Interests (to validate CommandInterests)
  ;     filter
  ;     {
  ;       type name                          ; condition on interest name (w/o signature)
  ;       regex ^[<localhop><localhost>]<nfd><rib>[<register><unregister>]<>{3}$
  ;     }
  ;     checker
  ;     {
  ;       type customized
  ;       sig-type rsa-sha256                ; interest must have a rsa-sha256 signature
  ;       key-locator
  ;       {
  ;         type name                        ; key locator must be the certificate name of the
  ;                                          ; signing key
  ;         regex ^[^<KEY>]*<KEY><>*<ksk-.*><ID-CERT>$
  ;       }
  ;     }
  ;   }
  ;   rule
  ;   {
  ;     id "NDN Testbed Hierarchy Rule"
  ;     for data                             ; rule for Data (to validate NDN certificates)
  ;     filter
  ;     {
  ;       type name                          ; condition on data name
  ;       regex ^[^<KEY>]*<KEY><>*<ksk-.*><ID-CERT><>$
  ;     }
  ;     checker
  ;     {
  ;       type hierarchical                  ; the certificate name of the signing key and
  ;                                          ; the data name must follow the hierarchical model
  ;       sig-type rsa-sha256                ; data must have a rsa-sha256 signature
  ;     }
  ;   }
  ;   trust-anchor
  ;   {
  ;     type file
  ;     file-name keys/default.ndncert ; the file name, by default this file should be placed in the
  ;                                    ; same folder as this config file.
  ;   }
  ;   ; trust-anchor ; Can be repeated multiple times to specify multiple trust anchors
  ;   ; {
  ;   ;   type file
  ;   ;   file-name keys/ndn-testbed.ndncert
  ;   ; }
  ; }

  remote_register
  {
    cost 15 ; forwarding cost of prefix registered on remote router
    timeout 10000 ; timeout (in milliseconds) of remote prefix registration command
    retry 0 ; maximum number of retries for each remote prefix registration command

    refresh_interval 300 ; interval (in seconds) before refreshing the registration
    ; This setting should be less than face_system.udp.idle_time,
    ; so that the face is kept alive on the remote router.
  }
}