; The general section contains settings of nfd process.
general
{
; Specify a user and/or group for NFD to drop privileges to
; when not performing privileged tasks. NFD does not drop
; privileges by default.
; user ndn-user
; group ndn-user
}
log
{
; default_level specifies the logging level for modules
; that are not explicitly named. All levels up to and including
; the selected value are enabled.
;
; Valid values:
;
; NONE ; no messages
; ERROR ; error messages
; WARN ; warning messages
; INFO ; informational messages (default)
; DEBUG ; debugging messages
; TRACE ; trace messages (most verbose)
; ALL ; all messages
default_level INFO
; You may override default_level by assigning a logging level
; to the desired module name. Module names can be found in two ways:
;
; Run:
; nfd --modules
;
; Or look for NFD_LOG_INIT(<module name>) statements in .cpp files
;
; Example module-level settings:
;
; FibManager DEBUG
; Forwarder INFO
}
; The tables section configures the CS, PIT, FIB, Strategy Choice, and Measurements
tables
{
; ContentStore size limit in number of packets
; default is 65536, about 500MB with 8KB packet size
cs_max_packets 65536
; Set the forwarding strategy for the specified prefixes:
; <prefix> <strategy>
strategy_choice
{
/ /localhost/nfd/strategy/best-route
/localhost /localhost/nfd/strategy/multicast
/localhost/nfd /localhost/nfd/strategy/best-route
/ndn/broadcast /localhost/nfd/strategy/multicast
}
}
; The face_system section defines what faces and channels are created.
face_system
{
; The unix section contains settings of Unix stream faces and channels.
; Unix channel is always listening; delete unix section to disable
; Unix stream faces and channels.
;
; The ndn-cxx library expects unix:///var/run/nfd.sock
; to be used as the default transport option. Please change
; the "transport" field in client.conf to an appropriate tcp4 FaceUri
; if you need to disable unix sockets.
unix
{
path /var/run/nfd.sock ; Unix stream listener path
}
; The tcp section contains settings of TCP faces and channels.
tcp
{
listen yes ; set to 'no' to disable TCP listener, default 'yes'
port 6363 ; TCP listener port number
enable_v4 yes ; set to 'no' to disable IPv4 channels, default 'yes'
enable_v6 yes ; set to 'no' to disable IPv6 channels, default 'yes'
}
; The udp section contains settings of UDP faces and channels.
; UDP channel is always listening; delete udp section to disable UDP
udp
{
port 6363 ; UDP unicast port number
enable_v4 yes ; set to 'no' to disable IPv4 channels, default 'yes'
enable_v6 yes ; set to 'no' to disable IPv6 channels, default 'yes'
; idle time (seconds) before closing a UDP unicast face, the actual timeout would be
; anywhere within [idle_timeout, 2*idle_timeout), default is 600
idle_timeout 600
keep_alive_interval 25; interval (seconds) between keep-alive refreshes
; UDP multicast settings
; NFD creates one UDP multicast face per NIC
;
; On multi-homed Linux machines these settings will NOT work without
; root or setting the appropriate permissions:
;
; sudo setcap cap_net_raw=eip /full/path/nfd
;
mcast yes ; set to 'no' to disable UDP multicast, default 'yes'
mcast_port 56363 ; UDP multicast port number
mcast_group 224.0.23.170 ; UDP multicast group (IPv4 only)
}
; The ether section contains settings of Ethernet faces and channels.
; These settings will NOT work without root or setting the appropriate
; permissions:
;
; sudo setcap cap_net_raw,cap_net_admin=eip /full/path/nfd
;
; You may need to install a package to use setcap:
;
; **Ubuntu:**
;
; sudo apt-get install libcap2-bin
;
; **Mac OS X:**
;
; curl https://bugs.wireshark.org/bugzilla/attachment.cgi?id=3373 -o ChmodBPF.tar.gz
; tar zxvf ChmodBPF.tar.gz
; open ChmodBPF/Install\ ChmodBPF.app
;
; or manually:
;
; sudo chgrp admin /dev/bpf*
; sudo chmod g+rw /dev/bpf*
@IF_HAVE_LIBPCAP@ether
@IF_HAVE_LIBPCAP@{
@IF_HAVE_LIBPCAP@ ; Ethernet multicast settings
@IF_HAVE_LIBPCAP@ ; NFD creates one Ethernet multicast face per NIC
@IF_HAVE_LIBPCAP@
@IF_HAVE_LIBPCAP@ mcast yes ; set to 'no' to disable Ethernet multicast, default 'yes'
@IF_HAVE_LIBPCAP@ mcast_group 01:00:5E:00:17:AA ; Ethernet multicast group
@IF_HAVE_LIBPCAP@}
; The websocket section contains settings of WebSocket faces and channels.
@IF_HAVE_WEBSOCKET@websocket
@IF_HAVE_WEBSOCKET@{
@IF_HAVE_WEBSOCKET@ listen yes ; set to 'no' to disable WebSocket listener, default 'yes'
@IF_HAVE_WEBSOCKET@ port 9696 ; WebSocket listener port number
@IF_HAVE_WEBSOCKET@ enable_v4 yes ; set to 'no' to disable listening on IPv4 socket, default 'yes'
@IF_HAVE_WEBSOCKET@ enable_v6 yes ; set to 'no' to disable listening on IPv6 socket, default 'yes'
@IF_HAVE_WEBSOCKET@}
}
; The authorizations section grants privileges to authorized keys.
authorizations
{
; An authorize section grants privileges to a NDN certificate.
authorize
{
; If you do not already have an NDN certificate, you can generate
; one with the following commands.
;
; 1. Generate and install a self-signed identity certificate:
;
; ndnsec-keygen /`whoami` | ndnsec-install-cert -
;
; Note that the argument to ndnsec-keygen will be the identity name of the
; new key (in this case, /your-username). Identities are hierarchical NDN
; names and may have multiple components (e.g. `/ndn/ucla/edu/alice`).
; You may create additional keys and identities as you see fit.
;
; 2. Dump the NDN certificate to a file:
;
; sudo mkdir -p @SYSCONFDIR@/ndn/keys/
; ndnsec-cert-dump -i /`whoami` > default.ndncert
; sudo mv default.ndncert @SYSCONFDIR@/ndn/keys/default.ndncert
;
; The "certfile" field below specifies the default key location for
; your machine. You may either move your newly created certificate to the
; location it specifies or adjust the path to point at the certificate.
; certfile keys/default.ndncert ; NDN identity certificate file
certfile any ; "any" authorizes command Interests signed under any certificate,
; i.e., no signature validation is performed: any sender of a well-formed
; command Interest is granted the privileges listed below.
privileges ; set of privileges granted to this identity
{
faces
fib
strategy-choice
}
}
; You may have multiple authorize sections that specify additional
; certificates and their privileges.
; authorize
; {
; certfile keys/this_cert_does_not_exist.ndncert
; authorize
; privileges
; {
; faces
; }
; }
}
rib
{
; The following localhost_security section allows anyone to register routing entries in the local RIB
localhost_security
{
trust-anchor
{
type any
}
}
; localhop_security should be enabled when NFD runs on a hub.
; The "/localhop/nfd/fib" command prefix is disabled when the localhop_security section is missing.
; localhop_security
; {
; ; This section defines the trust model for NFD RIB Management. It consists of rules and
; ; trust-anchors, which are briefly defined in this file. For more information refer to
; ; manpage of ndn-validator.conf:
; ;
; ; man ndn-validator.conf
; ;
; ; A trust-anchor is a pre-trusted certificate. This can be any certificate that is the
; ; root of certification chain (e.g., NDN testbed root certificate) or an existing
; ; default system certificate `default.ndncert`.
; ;
; ; A rule defines conditions a valid packet MUST have. A packet must satisfy one of the
; ; rules defined here. A rule can be broken into two parts: matching & checking. A packet
; ; will be matched against rules from the first to the last until a matched rule is
; ; encountered. The matched rule will be used to check the packet. If a packet does not
; ; match any rule, it will be treated as invalid. The matching part of a rule consists
; ; of `for` and `filter` sections. They collectively define which packets can be checked
; ; with this rule. `for` defines packet type (data or interest) and `filter` defines
; ; conditions on other properties of a packet. Right now, conditions can only be defined
; ; on the packet name, and ONLY ONE filter may be specified for the packet name. The
; ; checking part of a rule consists of `checker`, which defines the conditions that a
; ; VALID packet MUST have. See comments in checker section for more details.
;
; rule
; {
; id "NRD Prefix Registration Command Rule"
; for interest ; rule for Interests (to validate CommandInterests)
; filter
; {
; type name ; condition on interest name (w/o signature)
; regex ^[<localhop><localhost>]<nfd><rib>[<register><unregister>]<>$ ; prefix before
; ; timestamp
; }
; checker
; {
; type customized
; sig-type rsa-sha256 ; interest must have a rsa-sha256 signature
; key-locator
; {
; type name ; key locator must be the certificate name of the
; ; signing key
; regex ^[^<KEY>]*<KEY><>*<ksk-.*><ID-CERT>$
; }
; }
; }
; rule
; {
; id "NDN Testbed Hierarchy Rule"
; for data ; rule for Data (to validate NDN certificates)
; filter
; {
; type name ; condition on data name
; regex ^[^<KEY>]*<KEY><>*<ksk-.*><ID-CERT><>$
; }
; checker
; {
; type hierarchical ; the certificate name of the signing key and
; ; the data name must follow the hierarchical model
; sig-type rsa-sha256 ; data must have a rsa-sha256 signature
; }
; }
; trust-anchor
; {
; type file
; file-name keys/default.ndncert ; the file name, by default this file should be placed in the
; ; same folder as this config file.
; }
; ; trust-anchor ; Can be repeated multiple times to specify multiple trust anchors
; ; {
; ; type file
; ; file-name keys/ndn-testbed.ndncert
; ; }
; }
; The following localhop_security section accepts all remote registrations without
; validation; it is a short-term solution for an NFD that runs on a hub.
; localhop_security
; {
; trust-anchor
; {
; type any
; }
; }
remote_register
{
cost 15 ; forwarding cost of prefix registered on remote router
timeout 10000 ; timeout (in milliseconds) of remote prefix registration command
retry 0 ; maximum number of retries for each remote prefix registration command
refresh_interval 300 ; interval (in seconds) before refreshing the registration
; This setting should be less than face_system.udp.idle_timeout,
; so that the face is kept alive on the remote router.
}
}