authorDanny Milosavljevic <dannym@scratchpost.org>2020-09-27 21:06:30 +0200
committerDanny Milosavljevic <dannym@scratchpost.org>2020-10-06 08:13:39 +0200
commit34d1c0a03b51fdaef26a3bc630ab096da740e1d6 (patch)
tree87e07a7452346ecc8fd44a1d2eeb4cfb360ea6c2
parent3e34f89980416a3b2f8637b3f7d15e35ff56e92d (diff)
downloadguix-34d1c0a03b51fdaef26a3bc630ab096da740e1d6.tar.gz
services: dnsmasq: Add TFTP configuration fields.
* gnu/services/dns.scm (<dnsmasq-configuration>): Add TFTP configuration
fields.
(dnsmasq-shepherd-service): Use them.
* doc/guix.texi (DNS Services): Document them.
-rw-r--r--doc/guix.texi54
-rw-r--r--gnu/services/dns.scm70
2 files changed, 121 insertions, 3 deletions
diff --git a/doc/guix.texi b/doc/guix.texi
index eed7bbec6e..2b1ffbc55f 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -23363,6 +23363,60 @@ disables caching.
 @item @code{negative-cache?} (default: @code{#t})
 When false, disable negative caching.
 
+@item @code{tftp-enable?} (default: @code{#f})
+Whether to enable the built-in TFTP server.
+
+@item @code{tftp-no-fail?} (default: @code{#f})
+If true, does not fail dnsmasq if the TFTP server could not start up.
+
+@item @code{tftp-single-port?} (default: @code{#f})
+Whether to use only one single port for TFTP.
+
+@item @code{tftp-secure?} (default: @code{#f})
+If true, only files owned by the user running the dnsmasq process are accessible.
+
+If dnsmasq is being run as root, different rules apply:
+@code{tftp-secure?} has no effect, but only files which have the
+world-readable bit set are accessible.
+
+@item @code{tftp-max} (default: @code{#f})
+If set, sets the maximal number of concurrent connections allowed.
+
+@item @code{tftp-mtu} (default: @code{#f})
+If set, sets the MTU for TFTP packets to that value.
+
+@item @code{tftp-no-blocksize?} (default: @code{#f})
+If true, stops the TFTP server from negotiating the blocksize with a client.
+
+@item @code{tftp-lowercase?} (default: @code{#f})
+Whether to convert all filenames in TFTP requests to lowercase.
+
+@item @code{tftp-port-range} (default: @code{#f})
+If set, fixes the dynamical ports (one per client) to the given range
+(@code{"<start>,<end>"}).
+
+@item @code{tftp-root} (default: @code{/var/empty,lo})
+Look for files to transfer using TFTP relative to the given directory.
+When this is set, TFTP paths which include ".." are rejected, to stop clients
+getting outside the specified root. Absolute paths (starting with /) are
+allowed, but they must be within the tftp-root. If the optional interface
+argument is given, the directory is only used for TFTP requests via that
+interface.
+
+@item @code{tftp-unique-root} (default: @code{#f})
+If set, add the IP or hardware address of the TFTP client as a path component
+on the end of the TFTP-root.  Only valid if a TFTP root is set and the
+directory exists.  Defaults to adding IP address (in standard dotted-quad
+format).
+
+For instance, if --tftp-root is "/tftp" and client 1.2.3.4 requests file
+"myfile" then the effective path will be "/tftp/1.2.3.4/myfile" if
+/tftp/1.2.3.4 exists or /tftp/myfile otherwise. When "=mac" is specified
+it will append the MAC address instead, using lowercase zero padded digits
+separated by dashes, e.g.: 01-02-03-04-aa-bb Note that resolving MAC
+addresses is only possible if the client is in the local network or obtained
+a DHCP lease from dnsmasq.
+
 @end table
 @end deftp
 
diff --git a/gnu/services/dns.scm b/gnu/services/dns.scm
index 9caa3611be..572880561c 100644
--- a/gnu/services/dns.scm
+++ b/gnu/services/dns.scm
@@ -757,7 +757,29 @@ cache.size = 100 * MB
   (cache-size       dnsmasq-configuration-cache-size
                     (default 150))      ;integer
   (negative-cache?  dnsmasq-configuration-negative-cache?
-                    (default #t)))      ;boolean
+                    (default #t))      ;boolean
+  (tftp-enable?     dnsmasq-configuration-tftp-enable?
+                    (default #f))       ;boolean
+  (tftp-no-fail?    dnsmasq-configuration-tftp-no-fail?
+                    (default #f))       ;boolean
+  (tftp-single-port? dnsmasq-configuration-tftp-single-port?
+                    (default #f))       ;boolean
+  (tftp-secure?     dnsmasq-tftp-secure?
+                    (default #f))       ;boolean
+  (tftp-max         dnsmasq-tftp-max
+                    (default #f))       ;integer
+  (tftp-mtu         dnsmasq-tftp-mtu
+                    (default #f))       ;integer
+  (tftp-no-blocksize? dnsmasq-tftp-no-blocksize?
+                      (default #f))     ;boolean
+  (tftp-lowercase?  dnsmasq-tftp-lowercase?
+                    (default #f))       ;boolean
+  (tftp-port-range  dnsmasq-tftp-port-range
+                    (default #f))       ;string
+  (tftp-root        dnsmasq-tftp-root
+                    (default "/var/empty,lo")) ;string
+  (tftp-unique-root dnsmasq-tftp-unique-root
+                    (default #f)))      ;"" or "ip" or "mac"
 
 (define dnsmasq-shepherd-service
   (match-lambda
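Review bot: The accessor names introduced from the `tftp-secure?` field onward drop the `configuration-` infix (`dnsmasq-tftp-secure?`, `dnsmasq-tftp-max`, `dnsmasq-tftp-mtu`, `dnsmasq-tftp-no-blocksize?`, `dnsmasq-tftp-lowercase?`, `dnsmasq-tftp-port-range`, `dnsmasq-tftp-root`, `dnsmasq-tftp-unique-root`), while the first three new fields and every existing field follow `dnsmasq-configuration-<field>`; if these accessors are exported like the others, the inconsistent names become public API that is awkward to rename later. Renaming them to `dnsmasq-configuration-tftp-secure?`, `dnsmasq-configuration-tftp-max`, and so on keeps the record uniform. The trailing comment on `tftp-unique-root` says `;"" or "ip" or "mac"` but the field defaults to `#f`, so `;#f, "", "ip" or "mac"` would describe the values it actually takes. The rewritten `negative-cache?` line also lost one space before its `;boolean` comment and no longer lines up with its neighbours.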
@@ -765,7 +787,12 @@ cache.size = 100 * MB
                                 no-hosts?
                                 port local-service? listen-addresses
                                 resolv-file no-resolv? servers
-                                addresses cache-size negative-cache?)
+                                addresses cache-size negative-cache?
+                                tftp-enable? tftp-no-fail?
+                                tftp-single-port? tftp-secure?
+                                tftp-max tftp-mtu tftp-no-blocksize?
+                                tftp-lowercase? tftp-port-range
+                                tftp-root tftp-unique-root)
      (shepherd-service
       (provision '(dnsmasq))
       (requirement '(networking))
@@ -794,7 +821,44 @@ cache.size = 100 * MB
                   #$(format #f "--cache-size=~a" cache-size)
                   #$@(if negative-cache?
                          '()
-                         '("--no-negcache")))
+                         '("--no-negcache"))
+                  #$@(if tftp-enable?
+                         '("--enable-tftp")
+                         '())
+                  #$@(if tftp-no-fail?
+                         '("--tftp-no-fail")
+                         '())
+                  #$@(if tftp-single-port?
+                         '("--tftp-single-port")
+                         '())
+                  #$@(if tftp-secure?
+                         '("--tftp-secure?")
+                         '())
+                  #$@(if tftp-max
+                         (list (format #f "--tftp-max=~a" tftp-max))
+                         '())
+                  #$@(if tftp-mtu
+                         (list (format #f "--tftp-mtu=~a" tftp-mtu))
+                         '())
+                  #$@(if tftp-no-blocksize?
+                         '("--tftp-no-blocksize")
+                         '())
+                  #$@(if tftp-lowercase?
+                         '("--tftp-lowercase")
+                         '())
+                  #$@(if tftp-port-range
+                         (list (format #f "--tftp-port-range=~a"
+                                          tftp-port-range))
+                         '())
+                  #$@(if tftp-root
+                         (list (format #f "--tftp-root=~a" tftp-root))
+                         '())
+                  #$@(if tftp-unique-root
+                         (list
+                          (if (> (length tftp-unique-root) 0)
+                              (format #f "--tftp-unique-root=~a" tftp-unique-root)
+                              (format #f "--tftp-unique-root")))
+                         '()))
                 #:pid-file "/run/dnsmasq.pid"))
       (stop #~(make-kill-destructor))))))