blob: 960c59c4f739b2991d96359be9ccaf851997eadc [file] [log] [blame]
Steve DiBenedetto1a3c6732014-03-13 06:44:05 -06001; The general section contains settings of nfd process.
Steve DiBenedetto24b9a642014-04-07 15:45:39 -06002general
3{
4 ; Specify a user and/or group for NFD to drop privileges to
5 ; when not performing privileged tasks. NFD does not drop
6 ; privileges by default.
7
8 ; user ndn-user
9 ; group ndn-user
10}
Steve DiBenedetto84da5bf2014-03-11 14:51:29 -060011
Steve DiBenedettobf6a93d2014-03-21 14:03:02 -060012log
13{
14 ; default_level specifies the logging level for modules
15 ; that are not explicitly named. All debugging levels
16 ; listed above the selected value are enabled.
17 ;
18 ; Valid values:
19 ;
20 ; NONE ; no messages
21 ; ERROR ; error messages
22 ; WARN ; warning messages
23 ; INFO ; informational messages (default)
24 ; DEBUG ; debugging messages
25 ; TRACE ; trace messages (most verbose)
26 ; ALL ; all messages
27
Alexander Afanasyev885a85b2014-04-12 21:01:13 -070028 default_level INFO
Steve DiBenedettobf6a93d2014-03-21 14:03:02 -060029
30 ; You may override default_level by assigning a logging level
31 ; to the desired module name. Module names can be found in two ways:
32 ;
33 ; Run:
34 ; nfd --modules
Alexander Afanasyev89cf5e02014-04-17 12:08:57 -070035 ; nrd --modules
Steve DiBenedettobf6a93d2014-03-21 14:03:02 -060036 ;
37 ; Or look for NFD_LOG_INIT(<module name>) statements in .cpp files
38 ;
39 ; Example module-level settings:
40 ;
41 ; FibManager DEBUG
42 ; Forwarder INFO
43}
44
Steve DiBenedetto1a3c6732014-03-13 06:44:05 -060045; The face_system section defines what faces and channels are created.
Steve DiBenedetto84da5bf2014-03-11 14:51:29 -060046face_system
47{
Steve DiBenedetto1a3c6732014-03-13 06:44:05 -060048 ; The unix section contains settings of UNIX stream faces and channels.
Steve DiBenedetto84da5bf2014-03-11 14:51:29 -060049 unix
50 {
51 listen yes ; set to 'no' to disable UNIX stream listener, default 'yes'
52 path /var/run/nfd.sock ; UNIX stream listener path
53 }
54
Steve DiBenedetto1a3c6732014-03-13 06:44:05 -060055 ; The tcp section contains settings of TCP faces and channels.
Steve DiBenedetto84da5bf2014-03-11 14:51:29 -060056 tcp
57 {
58 listen yes ; set to 'no' to disable TCP listener, default 'yes'
59 port 6363 ; TCP listener port number
Steve DiBenedetto95152872014-04-11 12:40:59 -060060 enable_v4 yes ; set to 'no' to disable IPv4 channels, default 'yes'
61 enable_v6 yes ; set to 'no' to disable IPv6 channels, default 'yes'
Steve DiBenedetto84da5bf2014-03-11 14:51:29 -060062 }
63
Steve DiBenedetto1a3c6732014-03-13 06:44:05 -060064 ; The udp section contains settings of UDP faces and channels.
Steve DiBenedetto95152872014-04-11 12:40:59 -060065 ; UDP channel is always listening; delete udp section to disable UDP
Steve DiBenedetto84da5bf2014-03-11 14:51:29 -060066 udp
67 {
68 port 6363 ; UDP unicast port number
Steve DiBenedetto95152872014-04-11 12:40:59 -060069 enable_v4 yes ; set to 'no' to disable IPv4 channels, default 'yes'
70 enable_v6 yes ; set to 'no' to disable IPv6 channels, default 'yes'
Steve DiBenedetto84da5bf2014-03-11 14:51:29 -060071 idle_timeout 600 ; idle time (seconds) before closing a UDP unicast face
72 keep_alive_interval 25; interval (seconds) between keep-alive refreshes
73
Alexander Afanasyev885a85b2014-04-12 21:01:13 -070074 ; UDP multicast settings
Steve DiBenedetto84da5bf2014-03-11 14:51:29 -060075 ; NFD creates one UDP multicast face per NIC
Giulio Grassi6d7176d2014-04-16 16:08:48 +020076 ;
77 ; In multi-homed Linux machines these settings will NOT work without
78 ; root or settings the appropriate permissions:
79 ;
80 ; sudo setcap cap_net_raw=eip /full/path/nfd
81 ;
Alexander Afanasyev885a85b2014-04-12 21:01:13 -070082 mcast yes ; set to 'no' to disable UDP multicast, default 'yes'
83 mcast_port 56363 ; UDP multicast port number
84 mcast_group 224.0.23.170 ; UDP multicast group (IPv4 only)
Steve DiBenedetto84da5bf2014-03-11 14:51:29 -060085 }
86
Steve DiBenedetto1a3c6732014-03-13 06:44:05 -060087 ; The ether section contains settings of Ethernet faces and channels.
88 ; These settings will NOT work without root or setting the appropriate
89 ; permissions:
90 ;
91 ; sudo setcap cap_net_raw,cap_net_admin=eip /full/path/nfd
92 ;
93 ; You may need to install a package to use setcap:
94 ;
95 ; **Ubuntu:**
96 ;
97 ; sudo apt-get install libcap2-bin
98 ;
99 ; **Mac OS X:**
100 ;
101 ; curl https://bugs.wireshark.org/bugzilla/attachment.cgi?id=3373 -o ChmodBPF.tar.gz
102 ; tar zxvf ChmodBPF.tar.gz
103 ; open ChmodBPF/Install\ ChmodBPF.app
104 ;
105 ; or manually:
106 ;
107 ; sudo chgrp admin /dev/bpf*
108 ; sudo chmod g+rw /dev/bpf*
109
Alexander Afanasyev885a85b2014-04-12 21:01:13 -0700110 @IF_HAVE_LIBPCAP@ether
111 @IF_HAVE_LIBPCAP@{
112 @IF_HAVE_LIBPCAP@ ; Ethernet multicast settings
113 @IF_HAVE_LIBPCAP@ ; NFD creates one Ethernet multicast face per NIC
114 @IF_HAVE_LIBPCAP@
115 @IF_HAVE_LIBPCAP@ mcast yes ; set to 'no' to disable Ethernet multicast, default 'yes'
116 @IF_HAVE_LIBPCAP@ mcast_group 01:00:5E:00:17:AA ; Ethernet multicast group
117 @IF_HAVE_LIBPCAP@}
Wentao Shang53df1632014-04-21 12:01:32 -0700118
119 ; The websocket section contains settings of WebSocket faces and channels.
120
121 @IF_HAVE_WEBSOCKET@websocket
122 @IF_HAVE_WEBSOCKET@{
123 @IF_HAVE_WEBSOCKET@ listen yes ; set to 'no' to disable WebSocket listener, default 'yes'
124 @IF_HAVE_WEBSOCKET@ port 9696 ; WebSocket listener port number
125 @IF_HAVE_WEBSOCKET@ enable_v4 yes ; set to 'no' to disable listening on IPv4 socket, default 'yes'
126 @IF_HAVE_WEBSOCKET@ enable_v6 yes ; set to 'no' to disable listening on IPv6 socket, default 'yes'
127 @IF_HAVE_WEBSOCKET@}
Steve DiBenedetto84da5bf2014-03-11 14:51:29 -0600128}
129
Steve DiBenedetto1a3c6732014-03-13 06:44:05 -0600130; The authorizations section grants privileges to authorized keys.
Steve DiBenedetto84da5bf2014-03-11 14:51:29 -0600131authorizations
132{
Steve DiBenedetto1a3c6732014-03-13 06:44:05 -0600133 ; An authorize section grants privileges to a NDN certificate.
Steve DiBenedetto84da5bf2014-03-11 14:51:29 -0600134 authorize
135 {
Steve DiBenedetto1a3c6732014-03-13 06:44:05 -0600136 ; If you do not already have NDN certificate, you can generate
137 ; one with the following commands.
138 ;
139 ; 1. Generate and install a self-signed identity certificate:
140 ;
141 ; ndnsec-keygen /`whoami` | ndnsec-install-cert -
142 ;
143 ; Note that the argument to ndnsec-key will be the identity name of the
144 ; new key (in this case, /your-username). Identities are hierarchical NDN
145 ; names and may have multiple components (e.g. `/ndn/ucla/edu/alice`).
146 ; You may create additional keys and identities as you see fit.
147 ;
148 ; 2. Dump the NDN certificate to a file:
149 ;
150 ; sudo mkdir -p @SYSCONFDIR@/ndn/keys/
151 ; ndnsec-cert-dump -i /`whoami` > default.ndncert
152 ; sudo mv default.ndncert @SYSCONFDIR@/ndn/keys/default.ndncert
153 ;
154 ; The "certfile" field below specifies the default key directory for
155 ; your machine. You may move your newly created key to the location it
156 ; specifies or path.
157
Yingdi Yuc8f214c2014-04-29 20:39:37 -0700158 ; certfile keys/default.ndncert ; NDN identity certificate file
159 certfile any ; "any" authorizes command interests signed under any certificate,
160 ; i.e., no actual validation.
Steve DiBenedetto1a3c6732014-03-13 06:44:05 -0600161 privileges ; set of privileges granted to this identity
Steve DiBenedetto84da5bf2014-03-11 14:51:29 -0600162 {
Steve DiBenedetto84da5bf2014-03-11 14:51:29 -0600163 faces
164 fib
Steve DiBenedetto84da5bf2014-03-11 14:51:29 -0600165 strategy-choice
166 }
167 }
Steve DiBenedetto1a3c6732014-03-13 06:44:05 -0600168
169 ; You may have multiple authorize sections that specify additional
170 ; certificates and their privileges.
171
Alexander Afanasyev885a85b2014-04-12 21:01:13 -0700172 ; authorize
173 ; {
174 ; certfile keys/this_cert_does_not_exist.ndncert
175 ; authorize
176 ; privileges
177 ; {
178 ; faces
179 ; }
180 ; }
Steve DiBenedetto84da5bf2014-03-11 14:51:29 -0600181}
Alexander Afanasyev89cf5e02014-04-17 12:08:57 -0700182
Yingdi Yue5224e92014-04-29 18:04:02 -0700183rib
Alexander Afanasyev89cf5e02014-04-17 12:08:57 -0700184{
Yingdi Yue5224e92014-04-29 18:04:02 -0700185 ; The following localhost_security allows anyone to register routing entries in local RIB
186 localhost_security
187 {
188 trust-anchor
189 {
190 type any
191 }
192 }
Alexander Afanasyev89cf5e02014-04-17 12:08:57 -0700193
Yingdi Yue5224e92014-04-29 18:04:02 -0700194 ; localhop_security should be enabled when NFD runs on a hub.
195 ; "/localhop/nfd/fib" command prefix will be disabled when localhop_security section is missing.
196 ; localhop_security
Alexander Afanasyev89cf5e02014-04-17 12:08:57 -0700197 ; {
Yingdi Yue5224e92014-04-29 18:04:02 -0700198 ; ; This section defines the trust model for NFD RIB Management. It consists of rules and
199 ; ; trust-anchors, which are briefly defined in this file. For more information refer to
200 ; ; manpage of ndn-validator.conf:
201 ; ;
202 ; ; man ndn-validator.conf
203 ; ;
204 ; ; A trust-anchor is a pre-trusted certificate. This can be any certificate that is the
205 ; ; root of certification chain (e.g., NDN testbed root certificate) or an existing
206 ; ; default system certificate `default.ndncert`.
207 ; ;
208 ; ; A rule defines conditions a valid packet MUST have. A packet must satisfy one of the
209 ; ; rules defined here. A rule can be broken into two parts: matching & checking. A packet
210 ; ; will be matched against rules from the first to the last until a matched rule is
211 ; ; encountered. The matched rule will be used to check the packet. If a packet does not
212 ; ; match any rule, it will be treated as invalid. The matching part of a rule consists
213 ; ; of `for` and `filter` sections. They collectively define which packets can be checked
214 ; ; with this rule. `for` defines packet type (data or interest) and `filter` defines
215 ; ; conditions on other properties of a packet. Right now, you can only define conditions
216 ; ; on packet name, and you can only specify ONLY ONE filter for packet name. The
217 ; ; checking part of a rule consists of `checker`, which defines the conditions that a
218 ; ; VALID packet MUST have. See comments in checker section for more details.
219 ;
220 ; rule
221 ; {
222 ; id "NRD Prefix Registration Command Rule"
223 ; for interest ; rule for Interests (to validate CommandInterests)
224 ; filter
225 ; {
226 ; type name ; condition on interest name (w/o signature)
227 ; regex ^[<localhop><localhost>]<nfd><rib>[<register><unregister>]<>{3}$
228 ; }
229 ; checker
230 ; {
231 ; type customized
232 ; sig-type rsa-sha256 ; interest must have a rsa-sha256 signature
233 ; key-locator
234 ; {
235 ; type name ; key locator must be the certificate name of the
236 ; ; signing key
237 ; regex ^[^<KEY>]*<KEY><>*<ksk-.*><ID-CERT>$
238 ; }
239 ; }
240 ; }
241 ; rule
242 ; {
243 ; id "NDN Testbed Hierarchy Rule"
244 ; for data ; rule for Data (to validate NDN certificates)
245 ; filter
246 ; {
247 ; type name ; condition on data name
248 ; regex ^[^<KEY>]*<KEY><>*<ksk-.*><ID-CERT><>$
249 ; }
250 ; checker
251 ; {
252 ; type hierarchical ; the certificate name of the signing key and
253 ; ; the data name must follow the hierarchical model
254 ; sig-type rsa-sha256 ; data must have a rsa-sha256 signature
255 ; }
256 ; }
257 ; trust-anchor
258 ; {
259 ; type file
260 ; file-name keys/default.ndncert ; the file name, by default this file should be placed in the
261 ; ; same folder as this config file.
262 ; }
263 ; ; trust-anchor ; Can be repeated multiple times to specify multiple trust anchors
264 ; ; {
265 ; ; type file
266 ; ; file-name keys/ndn-testbed.ndncert
267 ; ; }
Alexander Afanasyev89cf5e02014-04-17 12:08:57 -0700268 ; }
269}