Manual Page Search Parameters

DHCPCD.CONF(5) File Formats Manual DHCPCD.CONF(5)

dhcpcd.confdhcpcd configuration file

Although dhcpcd can do everything from the command line, there are cases where it's just easier to do it once in a configuration file. Most of the options found in dhcpcd(8) can be used here. The first word on the line is the option and the rest of the line is the value. Leading and trailing whitespace for the option and value are trimmed. You can escape characters in the value using the \ character. Comments can be prefixed with the # character. String values should be quoted with the " character.

Here's a list of available options:

pattern
When discovering interfaces, the interface name must match pattern which is a space or comma separated list of patterns passed to fnmatch(3). If the same interface is matched in denyinterfaces then it is still denied.
pattern
When discovering interfaces, the interface name must not match pattern which is a space or comma separated list of patterns passed to fnmatch(3).
Enables Anonymity Profiles for DHCP, RFC 7844. Any DUID is ignored and ClientID is set to LL only. All non essential options are then masked at this point, but they could be unmasked by explicitly requesting the option the anonymous option is processed. As such, the anonymous option be the last option in the configuration unless you really want to send something which could identify you. dhcpcd will not try and reboot an old lease, it will go straight into DISCOVER/SOLICIT.
Forces a hardware address randomisation when the interface is brought up or when the carrier is lost. This is generally used in tandem with the anonymous option.
address [address]
dhcpcd will arping each address in order before attempting DHCP. If an address is found, we will select the replying hardware address as the profile, otherwise the IP address. Example:

interface bge0
arping 192.168.0.1

# My specific 192.168.0.1 network
profile dd:ee:aa:dd:bb:ee
static ip_address=192.168.0.10/24

# A generic 192.168.0.1 network
profile 192.168.0.1
static ip_address=192.168.0.98/24
protocol [algorithm [rdm]]
Authenticate DHCP messages. See the Supported Authentication Protocols section. If protocol is token then algorithm is snd_secretid/rcv_secretid so you can send and receive different tokens.
secretid realm expire key
Define a shared key for use in authentication. realm can be "" to for use with the delayed protocol. expire is the date the token expires and should be formatted "yyy-mm-dd HH:MM". You can use the keyword forever or 0 which means the token never expires. For the token protocol, secretid needs to be 0 and realm needs to be "". If dhcpcd has the error
dhcp_auth_encode: Invalid argument
then it means that dhcpcd could not find the correct authentication token in your configuration.
Fork to the background immediately. This is useful for startup scripts which don't disable link messages for carrier status.
address[/cidr]
Ignores all packets from address[/cidr].
address[/cidr]
Only accept packets from address[/cidr]. blacklist is ignored if whitelist is set.
Be a BOOTP client. Basically, this just doesn't send a DHCP Message Type option and will only interact with a BOOTP server. All other DHCP options still work.
Instructs the DHCP server to broadcast replies back to the client. Normally this is only set for non-Ethernet interfaces, such as FireWire and InfiniBand. In most cases, dhcpcd will set this automatically.
group
Sets the group ownership of /run/dhcpcd/sock so that users other than root can connect to dhcpcd.
Echo debug messages to the stderr and syslog.
value
Load the value /dev management module. dhcpcd will load the first one found to work, if any.
value
Push value to the environment for use in dhcpcd-run-hooks(8). For example, you can force the hostname hook to always set the hostname with env force_hostname=YES. Or set which driver wpa_supplicant(8) should use with env wpa_supplicant_driver=nl80211

If the hostname is set, it will be will set to the FQDN if possible as per RFC 4702, section 3.1. If the FQDN option is missing, dhcpcd will still try and set a FQDN from the hostname and domain options for consistency. To override this, set env hostname_fqdn=[YES|NO|SERVER]. A value of SERVER means just what the server says, don't manipulate it. This could lead to an inconsistent hostname on a DHCPv4 and DHCPv6 network where the DHCPv4 hostname is short and the DHCPv6 has an FQDN. DHCPv6 has no hostname option.

string
Send the clientid. If the string is of the format 01:02:03 then it is encoded as hex. For interfaces whose hardware address is longer than 8 bytes, or if the clientid is an empty string then dhcpcd sends a default clientid of the hardware family and the hardware address.
[ll | lt | uuid | value]
Use a DHCP Unique Identifier. If a system UUID is available, that will be used to create a DUID-UUID, otherwise if persistent storage is available then a DUID-LLT (link local address + time) is generated, otherwise DUID-LL is generated (link local address). The DUID type can be hinted as an optional parameter if the file /var/db/dhcpcd/duid does not exist. If not ll, lt or uuid then value will be converted from 00:11:22:33 format. This, plus the IAID will be used as the clientid. The DUID generated will be held in /var/db/dhcpcd/duid and should not be copied to other hosts. This file also takes precedence over the above rules except for setting a value.
iaid
Set the Interface Association Identifier to iaid. This option must be used in an interface block. This defaults to the VLANID (prefixed with 0xff) for the interface if set, otherwise the last 4 bytes of the hardware address assigned to the interface. Each instance of this should be unique within the scope of the client and dhcpcd warns if a conflict is detected. If there is a conflict, it is only a problem if the conflicted IAIDs are used on the same network.
Enable DHCP on the interface, on by default.
Enable DHCPv6 on the interface, on by default.
Enable IPv4 on the interface, on by default.
Enable IPv6 on the interface, on by default.
[address]
Request the address in the DHCP DISCOVER message. There is no guarantee this is the address the DHCP server will actually give. If no address is given then the first address currently assigned to the interface is used.
[address[/cidr[/broadcast_address]]]
Behaves like request as above, but sends a DHCP INFORM instead of DISCOVER/REQUEST. This does not get a lease as such, just notifies the DHCP server of the address in use. You should also include the optional cidr network number in case the address is not already configured on the interface. dhcpcd remains running and pretends it has an infinite lease. dhcpcd will not de-configure the interface when it exits. If dhcpcd fails to contact a DHCP server then it returns a failure instead of falling back on IPv4LL.
Performs a DHCPv6 Information Request. No address is requested or specified, but all other DHCPv6 options are allowed. This is normally performed automatically when an IPv6 Router Advertisement indicates that the client should perform this operation. This option is only needed when dhcpcd is not processing IPv6 RA messages and the need for a DHCPv6 Information Request exists.
dhcpcd normally de-configures the interface and configuration when it exits. Sometimes, this isn't desirable if, for example, you have root mounted over NFS or SSH clients connect to this host and they need to be notified of the host shutting down. You can use this option to stop this from happening.
profile
Fall back to using this profile if DHCP fails. This allows you to configure a static profile instead of using ZeroConf.
seconds
Start fallback after seconds. The default is 5 seconds.
name
Sends the hostname name to the DHCP server so it can be registered in DNS. If name is an empty string then the current system hostname is sent. If name is a FQDN (i.e., contains a .) then it will be encoded as such.
Sends the short hostname to the DHCP server instead of the FQDN. This is useful because DHCP servers will not register the FQDN in their DNS if the domain part does not match theirs.

Also, see the env option above to control how the hostname is set on the host.

[iaid [/ address]]
Request a DHCPv6 Normal Address for iaid. iaid defaults to the iaid option as described above. You can request more than one ia_na by specifying a unique iaid for each one.
[iaid]
Request a DHCPv6 Temporary Address for iaid. You can request more than one ia_ta by specifying a unique iaid for each one.
[iaid [/ prefix / prefix_len] [interface [/ sla_id [/ prefix_len [/ suffix]]]]]
Request a DHCPv6 Delegated Prefix for iaid. This option must be used in an interface block. Unless a sla_id of 0 is assigned with the same resultant prefix length as the delegation, a reject route is installed for the Delegated Prefix to stop unallocated addresses being resolved upstream. If no interface is given then we will assign a prefix to every other interface with a sla_id equivalent to the interface index assigned by the OS. Otherwise addresses are only assigned for each interface and sla_id. To avoid delegating to any interface, use - as the invalid interface name. Each assigned address will have a suffix, defaulting to 1. If the suffix is 0 then a SLAAC address is assigned. You cannot assign a prefix to the requesting interface unless the DHCPv6 server supports the RFC 6603 Prefix Exclude Option. dhcpcd has to be running for all the interfaces it is delegating to. A default prefix_len of 64 is assumed, unless the maximum sla_id does not fit. In this case prefix_len is increased to the highest multiple of 8 that can accommodate the sla_id. sla_id is an integer which must be unique inside the iaid and is added to the prefix which must fit inside prefix_len less the length of the delegated prefix. You can specify multiple interface / sla_id / prefix_len per ia_pd, space separated. IPv6RS should be disabled globally when requesting a Prefix Delegation.

In the following example eth0 is the externally facing interface to be configured for both IPv4 and IPv6. The DHCPv4 server will provide us with an IPv4 address and a default route. The DHCPv6 server is going to provide us with an IPv6 address, a default route and a /64 subnet to be delegated to the internal interface. The eth1 interface will be automatically configured for IPv6 using the first address (::1) from the delegated prefix. A second prefix is requested and assigned to two other interfaces. rtadvd(8) can be used with an empty configuration file on eth1, eth2 and eth3, to provide automatic IPv6 address configuration for the internal network.

noipv6rs                 # disable routing solicitation
denyinterfaces eth2      # Don't touch eth2 at all
interface eth0
  ipv6rs                 # enable routing solicitation for eth0
  ia_na 1                # request an IPv6 address
  ia_pd 2 eth1/0         # request a PD and assign it to eth1
  ia_pd 3 eth2/1 eth3/2  # req a PD and assign it to eth2 and eth3
  ia_pd 4 -              # request a PD but don't assign it
Only configure IPv4.
Only configure IPv6.
[disable | none | ptr | both]
none will not ask the DHCP server to update DNS. ptr just asks the DHCP server to update the PTR record of the host in DNS, whereas both also updates the A record. disable will disable the FQDN option. The default is both. dhcpcd itself never does any DNS updates. dhcpcd encodes the FQDN hostname as specified in RFC 1035.
interface
Subsequent options are only parsed for this interface.
seconds
Wait for seconds before starting IPv4LL. The default is 5 seconds.
Generate SLAAC addresses for each Prefix advertised by an IPv6 Router Advertisement message with the Auto flag set. On by default.
Disables the above option.
By default, when dhcpcd receives an IPv6 Router Advertisement, dhcpcd will only fork to the background if the RA contains at least one unexpired RDNSS option and a valid prefix or no DHCPv6 instruction. Set this option so to make dhcpcd always fork on a RA.
Enables IPv6 Router Advertisement solicitation. This is on by default, but is documented here in the case where it is disabled globally but needs to be enabled for one interface.
seconds
Request DHCP a lease time of seconds. -1 represents an infinite lease time. By default dhcpcd does not request any lease time and leaves it in the hands of the DHCP server. It is not possible to request a DHCPv6 lease time as this is not RFC compliant. See RFC 8415 21.4, 21.6, 21.21 and 21.22.
Override the size of the link receive buffer from the kernel default. While dhcpcd will recover from link buffer overflows, this may not be desirable on heavily loaded systems.
logfile
Writes to the specified logfile. dhcpcd still writes to syslog(3). The logfile is reopened when dhcpcd receives the SIGUSR2 signal.
metric
Metrics are used to prefer an interface over another one, lowest wins. dhcpcd will supply a default metric of 1000 + if_nametoindex(3). This will be offset by 2000 for wireless interfaces, with additional offsets of 1000000 for IPv4LL and 2000000 for roaming interfaces.
url
Specifies the URL for a Manufacturer Usage Description (MUD). The description is used by upstream network devices to instantiate any desired access lists. See draft-ietf-opsawg-mud for more information.
Any pre-existing IPv4 addresses will be removed from the interface when adding a new IPv4 address.
Don't send any ARP requests. This also disables IPv4LL.
Keep the IP address even if defence fails upon IP Address conflict.
Don't require authentication even though we requested it. Also allows FORCERENEW and RECONFIGURE messages without authentication.
Don't delay for an initial randomised time when starting protocols.
Don't load /dev management modules.
Don't start DHCP or listen to DHCP messages. This is only useful when allowing IPv4LL.
Don't start DHCPv6 or listen to DHCPv6 messages. Normally DHCPv6 is started by an IPv6 Router Advertisement instruction or configuration.
Don't install any default routes.
Install a default route if available (default).
script
Don't run this hook script. Matches full name, or prefixed with 2 numbers optionally ending with .sh.

So to stop dhcpcd from touching your DNS settings or starting wpa_supplicant you would do:-

nohook resolv.conf, wpa_supplicant
Don't attempt to configure an IPv4 address.
Don't attempt to obtain an IPv4LL address if we failed to get one via DHCP. See RFC 3927.
Don't solicit or accept IPv6 Router Advertisements and DHCPv6.
Don't solicit or accept IPv6 Router Advertisements.
Don't receive link messages about carrier status. You should only set this for buggy interface drivers.
Don't bring the interface up when in manager mode.
option
Requests the option from the server. It can be a variable to be used in dhcpcd-run-hooks(8) or the numerical value. You can specify more options separated by commas, spaces or more option lines. Prepend dhcp6_ to option to request a DHCPv6 option. If no DHCPv6 options are configured, then DHCPv4 options are mapped to equivalent DHCPv6 options.

Prepend nd_ to option to handle ND options, but this only works for the nooption, reject and require options.

To see a list of options you can use, call dhcpcd with the -V, --variables argument.

option
Remove the option from the message before it's processed.
option
Requires the option to be present in all messages, otherwise the message is ignored. To enforce that dhcpcd only responds to DHCP servers and not BOOTP servers, you can require dhcp_message_type. This isn't an exact science though because a BOOTP server can send DHCP-like options.
option
Reject a message that contains the option. This is useful when you cannot use require to select / de-select BOOTP messages.
option
If dhcpcd.conf detects an address added to a point to point interface (PPP, TUN, etc) then it will set the listed DHCP options to the destination address of the interface.
name
Subsequent options are only parsed for this profile name.
Suppress any dhcpcd output to the console, except for errors.
seconds
Allow reboot seconds before moving to the DISCOVER phase if we have an old lease to use. Allow reboot seconds before starting fallback states from the DISCOVER phase. IPv4LL is started when the first reboot timeout is reached. The default is 5 seconds. A setting of 0 seconds causes dhcpcd.conf to skip the reboot phase and go straight into DISCOVER. This is desirable for mobile users because if you change from network A to network B and they use the same subnet and the address from network A isn't in use on network B, then the DHCP server will remain silent even if authoritative which means dhcpcd will timeout before moving back to the DISCOVER phase. This has no effect on DHCPv6 other than skipping the reboot phase.
dhcpcd will release the lease prior to stopping the interface.
script
Use script instead of the default /usr/libexec/dhcpcd-run-hooks.
seconds
Request the lease for seconds before going back to DISCOVER. The default is 180 seconds.
ssid
Subsequent options are only parsed for this wireless ssid.
hwaddr | | token [temp | temporary]
Selects the interface identifier used for SLAAC generated IPv6 addresses. If private is used, a RFC 7217 address is generated. If token token is used then the token is combined with the prefix to make the final address. The temporary directive will create a temporary address for the prefix as well.
value
Configures a static value. If you set ip_address then dhcpcd will not attempt to obtain a lease and will just use the value for the address with an infinite lease time. If you set an empty value this removes all prior static allocations to the same value. This is useful when using profiles and in the case of ip_address it will remove the static allocation. Note that setting 0.0.0.0 keeps the static allocation but waits for a 3rdparty to configure the address. If you set ip6_address, dhcpcd will continue auto-configuration as normal.

Here is an example which configures two static address, overriding the default IPv4 broadcast address, an IPv4 router, DNS and disables IPv6 auto-configuration. You could also use the inform6 command here if you wished to obtain more information via DHCPv6. For IPv4, you should use the inform ipaddress option instead of setting a static address.

interface eth0
noipv6rs
static ip_address=192.168.0.10/24
static broadcast_address=192.168.0.63
static ip6_address=fd51:42f8:caae:d92e::ff/64
static routers=192.168.0.1
static domain_name_servers=192.168.0.1 fd51:42f8:caae:d92e::1

Here is an example for PPP which gives the destination a default route. It uses the special destination keyword to insert the destination address into the value.

interface ppp0
static ip_address=0.0.0.0
destination routers
seconds
Time out after seconds, instead of the default 30. A setting of 0 seconds causes dhcpcd to wait forever to get a lease. If dhcpcd is working on a single interface then dhcpcd will exit when a timeout occurs, otherwise dhcpcd will fork into the background. If using IPv4LL then dhcpcd start the IPv4LL process after the timeout and then wait a little longer before really timing out.
string
Tag the DHCPv4 message with the userclass. You can specify more than one.
string
Tag the DHCPv4 mesasge with the Microsoft userclass. Unlike the userclass option, this one can only be added once. It should only be used for Microsoft DHCP servers and the vendorclassid should be set to "MSFT 98" or "MSFT 5.0". This option is not RFC compliant.
code,value
Add an encapsulated vendor option. code should be between 1 and 254 inclusive. To add a raw vendor string, omit code but keep the comma. Examples.

Set the vendor option 01 with an IP address.

vendor 01,192.168.0.2
Set the vendor option 02 with a hex code.
vendor 02,01:02:03:04:05
Set the vendor option 03 with an IP address as a string.
vendor 03,\"192.168.0.2\"
Set un-encapsulated vendor option to hello world.
vendor ,"hello world"
string
Set the DHCP Vendor Class. DHCPv6 has its own option as shown below. The default is dhcpcd-<version>:<os>:<machine>:<platform>. For example
dhcpcd-5.5.6:NetBSD-6.99.5:i386:i386
If not set then none is sent. Some badly configured DHCP servers reject unknown vendorclassids. To work around it, try and impersonate Windows by using the MSFT vendorclassid.
en data
Add the DHCPv6 Vendor Indetifying Vendor Class with the IANA assigned Enterprise Number en with the data. This option can be set more than once to add more data, but the behaviour, as per RFC 3925 is undefined if the Enterprise Number differs.
[4 | 6]
Wait for an address to be assigned before forking to the background. 4 means wait for an IPv4 address to be assigned. 6 means wait for an IPv6 address to be assigned. If no argument is given, dhcpcd.conf will wait for any address protocol to be assigned. It is possible to wait for more than one address protocol and dhcpcd.conf will only fork to the background when all waiting conditions are satisfied.
Use the last four bytes of the hardware address as the DHCP xid instead of a randomly generated number.

DHCP, ND and DHCPv6 allow for the use of custom options, and RFC 3925 vendor options for DHCP can also be supplied. Each option needs to be started with the define, definend, define6 or vendopt directive. This can optionally be followed by both embed or encap options. Both can be specified more than once and embed must come before encap.

code type variable
Defines the DHCP option code of type with a name of variable exported to dhcpcd-run-hooks(8).
code type variable
Defines the ND option code of type with a name of variable exported to dhcpcd-run-hooks(8), with a prefix of nd_.
code type variable
Defines the DHCPv6 option code of type with a name of variable exported to dhcpcd-run-hooks(8), with a prefix of dhcp6_.
code type variable
Defines the Vendor-Identifying Vendor Options. The code is the IANA Enterprise Number which will uniquely describe the encapsulated options. type is normally encap. variable names the Vendor option to be exported.
type variable
Defines an embedded variable within the defined option. The length is determined by the type. If the variable is not the same as defined in the parent option, it is prefixed with the parent variable first with an underscore. If the variable has the name of reserved then it is not processed.
code type variable
Defines an encapsulated variable within the defined option. The length is determined by the type. If the variable is not the same as defined in the parent option, it is prefixed with the parent variable first with an underscore.

These keywords come before the type itself, to describe it more fully. You can use more than one, but they must appear in the order listed below.

Requests the option by default without having to be specified in user configuration.
This option cannot be requested, regardless of user configuration.
This option is optional. Only makes sense for embedded options like the client FQDN option, where the FQDN string itself is optional.
The option can appear more than once and will be indexed.
The option data is split into a space separated array, each element being the same type.

The type directly affects the length of data consumed inside the option. Any remaining data is normally discarded. Lengths can be specified for string and binhex types, but this is generally with other data embedded afterwards in the same option.

An IPv4 address, 4 bytes.
An IPv6 address, 16 bytes.
[: length]
A NVT ASCII string of printable characters.
A byte.
: flags
A byte represented as a string of flags, most significant bit first. For example, using ABCDEFGH then A would equal 10000000, B 01000000, C 00100000, etc. If the bit is not set, the flag is not printed. A flag of 0 is not printed even if the bit position is set. This is to allow reservation of the first bits while assigning the last bits.
A signed 16bit integer, 2 bytes.
An unsigned 16bit integer, 2 bytes.
A signed 32bit integer, 4 bytes.
An unsigned 32bit integer, 4 bytes.
A fixed value (1) to indicate that the option is present, 0 bytes.
An RFC 3397 encoded string.
An RFC 1035 validated string.
If an array then the first two bytes are the URI length inside the option data. Otherwise, the whole option data is the URI. As a space is not allowed in the URI encoding, the URIs are space separated.
[: length]
Binary data expressed as hexadecimal.
Contains embedded options (implies encap as well).
Contains encapsulated options (implies embed as well).
References an option from the global definition.

# DHCP option 81, Fully Qualified Domain Name, RFC 4702
define 81 embed fqdn
embed byte flags
embed byte rcode1
embed byte rcode2
embed domain fqdn

# DHCP option 125, Vendor Specific Information Option, RFC 3925
define 125 encap vsio
embed uint32 enterprise_number
# Options defined for the enterprise number
encap 1 ipaddress ipaddress

Sends a plain text token the server expects and matches a token sent by the server. The tokens do not have to be the same. If unspecified, the token with a secretid of 0 will be used in sending messages and validating received messages.
Delayed Authentication. dhcpcd will send an authentication option with no key or MAC. The server will see this option, and select a key for dhcpcd.conf, writing the realm and secretid in it. dhcpcd will then look for an unexpired token with a matching realm and secretid. This token is used to authenticate all other messages.
Same as above, but without a realm.

If none specified, hmac-md5 is the default.

 

If none specified, monotonic is the default. If this is changed from what was previously used, or the means of calculating or storing it is broken, then the DHCP server will probably have to have its notion of the client's Replay Detection Value reset.

Read the number in the file /var/db/dhcpcd/dhcpcd-rdm.monotonic and add one to it.
Create an NTP timestamp from the system time.
Same as monotime.

fnmatch(3), if_nametoindex(3), dhcpcd(8), dhcpcd-run-hooks(8)

Roy Marples <roy@marples.name>

Please report them to https://roy.marples.name/projects/dhcpcd

May 24, 2024 x86_64