TESTING: Infiniband patch

- Split off services into separate ones to allow more fine grained
  control for e.g. capabilities.
- Tighten access to state and log directories

kea-2.6.1-boost_1.87-compat.patch

@@ -1,191 +0,0 @@
-From 81edc181f85395c39964104ef049a195bafb9737 Mon Sep 17 00:00:00 2001
-From: q66 <q66@chimera-linux.org>
-Date: Sun, 15 Dec 2024 03:04:53 +0100
-Subject: [PATCH] [#3696] Update asiolink for boost 1.87
-
----
- src/lib/asiolink/io_address.cc         |  4 ++--
- src/lib/asiolink/io_service.cc         |  8 ++++----
- src/lib/asiolink/tcp_endpoint.h        |  2 +-
- src/lib/asiolink/udp_endpoint.h        |  2 +-
- src/lib/asiolink/unix_domain_socket.cc | 16 ++++++++--------
- src/lib/dhcp/iface_mgr.cc              |  2 +-
- 6 files changed, 17 insertions(+), 17 deletions(-)
-
-diff --git a/src/lib/asiolink/io_address.cc b/src/lib/asiolink/io_address.cc
-index 43459bfe5ab..06b7d3d990c 100644
---- a/src/lib/asiolink/io_address.cc
-+++ b/src/lib/asiolink/io_address.cc
-@@ -37,7 +37,7 @@ IOAddress::Hash::operator()(const IOAddress &io_address) const {
- // because we'd like to throw our own exception on failure.
- IOAddress::IOAddress(const std::string& address_str) {
-     boost::system::error_code err;
--    asio_address_ = ip::address::from_string(address_str, err);
-+    asio_address_ = ip::make_address(address_str, err);
-     if (err) {
-         isc_throw(IOError, "Failed to convert string to address '"
-                   << address_str << "': " << err.message());
-@@ -116,7 +116,7 @@ IOAddress::isV6Multicast() const {
- uint32_t
- IOAddress::toUint32() const {
-     if (asio_address_.is_v4()) {
--        return (asio_address_.to_v4().to_ulong());
-+        return (asio_address_.to_v4().to_uint());
-     } else {
-         isc_throw(BadValue, "Can't convert " << toText()
-                   << " address to IPv4.");
-diff --git a/src/lib/asiolink/io_service.cc b/src/lib/asiolink/io_service.cc
-index 411de641915..cc28d24c19f 100644
---- a/src/lib/asiolink/io_service.cc
-+++ b/src/lib/asiolink/io_service.cc
-@@ -30,7 +30,7 @@ public:
-     /// @brief The constructor.
-     IOServiceImpl() :
-         io_service_(),
--        work_(new boost::asio::io_service::work(io_service_)) {
-+        work_(boost::asio::make_work_guard(io_service_)) {
-     };
- 
-     /// @brief The destructor.
-@@ -92,7 +92,7 @@ public:
- 
-     /// @brief Restarts the IOService in preparation for a subsequent @ref run() invocation.
-     void restart() {
--        io_service_.reset();
-+        io_service_.restart();
-     }
- 
-     /// @brief Removes IO service work object to let it finish running
-@@ -115,12 +115,12 @@ public:
-     ///
-     /// @param callback The callback to be run on the IO service.
-     void post(const std::function<void ()>& callback) {
--        io_service_.post(callback);
-+        boost::asio::post(io_service_, callback);
-     }
- 
- private:
-     boost::asio::io_service io_service_;
--    boost::shared_ptr<boost::asio::io_service::work> work_;
-+    boost::asio::executor_work_guard<boost::asio::io_service::executor_type> work_;
- };
- 
- IOService::IOService() : io_impl_(new IOServiceImpl()) {
-diff --git a/src/lib/asiolink/tcp_endpoint.h b/src/lib/asiolink/tcp_endpoint.h
-index 8ebd57551db..7c8cb35535d 100644
---- a/src/lib/asiolink/tcp_endpoint.h
-+++ b/src/lib/asiolink/tcp_endpoint.h
-@@ -42,7 +42,7 @@ public:
-     /// \param port The TCP port number of the endpoint.
-     TCPEndpoint(const IOAddress& address, const unsigned short port) :
-         asio_endpoint_placeholder_(
--            new boost::asio::ip::tcp::endpoint(boost::asio::ip::address::from_string(address.toText()),
-+            new boost::asio::ip::tcp::endpoint(boost::asio::ip::make_address(address.toText()),
-                               port)),
-         asio_endpoint_(*asio_endpoint_placeholder_)
-     {}
-diff --git a/src/lib/asiolink/udp_endpoint.h b/src/lib/asiolink/udp_endpoint.h
-index f960bf3ce9f..2a3da9f0464 100644
---- a/src/lib/asiolink/udp_endpoint.h
-+++ b/src/lib/asiolink/udp_endpoint.h
-@@ -42,7 +42,7 @@ public:
-     /// \param port The UDP port number of the endpoint.
-     UDPEndpoint(const IOAddress& address, const unsigned short port) :
-         asio_endpoint_placeholder_(
--            new boost::asio::ip::udp::endpoint(boost::asio::ip::address::from_string(address.toText()),
-+            new boost::asio::ip::udp::endpoint(boost::asio::ip::make_address(address.toText()),
-                               port)),
-         asio_endpoint_(*asio_endpoint_placeholder_)
-     {}
-diff --git a/src/lib/asiolink/unix_domain_socket.cc b/src/lib/asiolink/unix_domain_socket.cc
-index f43e1c9e9bb..43ff3c8f241 100644
---- a/src/lib/asiolink/unix_domain_socket.cc
-+++ b/src/lib/asiolink/unix_domain_socket.cc
-@@ -83,7 +83,7 @@ public:
-     /// @param buffer Buffers holding the data to be sent.
-     /// @param handler User supplied callback to be invoked when data have
-     /// been sent or sending error is signalled.
--    void doSend(const boost::asio::const_buffers_1& buffer,
-+    void doSend(const boost::asio::const_buffer& buffer,
-                 const UnixDomainSocket::Handler& handler);
- 
- 
-@@ -103,7 +103,7 @@ public:
-     /// @param ec Error code returned as a result of sending the data.
-     /// @param length Length of the data sent.
-     void sendHandler(const UnixDomainSocket::Handler& remote_handler,
--                     const boost::asio::const_buffers_1& buffer,
-+                     const boost::asio::const_buffer& buffer,
-                      const boost::system::error_code& ec,
-                      size_t length);
- 
-@@ -127,7 +127,7 @@ public:
-     /// @param buffer A buffer into which the data should be received.
-     /// @param handler User supplied callback invoked when data have been
-     /// received on an error is signalled.
--    void doReceive(const boost::asio::mutable_buffers_1& buffer,
-+    void doReceive(const boost::asio::mutable_buffer& buffer,
-                    const UnixDomainSocket::Handler& handler);
- 
-     /// @brief Local handler invoked as a result of asynchronous receive.
-@@ -146,7 +146,7 @@ public:
-     /// @param ec Error code returned as a result of asynchronous receive.
-     /// @param length Size of the received data.
-     void receiveHandler(const UnixDomainSocket::Handler& remote_handler,
--                        const boost::asio::mutable_buffers_1& buffer,
-+                        const boost::asio::mutable_buffer& buffer,
-                         const boost::system::error_code& ec,
-                         size_t length);
- 
-@@ -197,7 +197,7 @@ UnixDomainSocketImpl::asyncSend(const void* data, const size_t length,
- }
- 
- void
--UnixDomainSocketImpl::doSend(const boost::asio::const_buffers_1& buffer,
-+UnixDomainSocketImpl::doSend(const boost::asio::const_buffer& buffer,
-                              const UnixDomainSocket::Handler& handler) {
-     auto local_handler = std::bind(&UnixDomainSocketImpl::sendHandler,
-                                    shared_from_this(),
-@@ -207,7 +207,7 @@ UnixDomainSocketImpl::doSend(const boost::asio::const_buffers_1& buffer,
- 
- void
- UnixDomainSocketImpl::sendHandler(const UnixDomainSocket::Handler& remote_handler,
--                                  const boost::asio::const_buffers_1& buffer,
-+                                  const boost::asio::const_buffer& buffer,
-                                   const boost::system::error_code& ec,
-                                   size_t length) {
-     // The asynchronous send may return EWOULDBLOCK or EAGAIN on some
-@@ -230,7 +230,7 @@ UnixDomainSocketImpl::asyncReceive(void* data, const size_t length,
- }
- 
- void
--UnixDomainSocketImpl::doReceive(const boost::asio::mutable_buffers_1& buffer,
-+UnixDomainSocketImpl::doReceive(const boost::asio::mutable_buffer& buffer,
-                                 const UnixDomainSocket::Handler& handler) {
-     auto local_handler = std::bind(&UnixDomainSocketImpl::receiveHandler,
-                                    shared_from_this(),
-@@ -240,7 +240,7 @@ UnixDomainSocketImpl::doReceive(const boost::asio::mutable_buffers_1& buffer,
- 
- void
- UnixDomainSocketImpl::receiveHandler(const UnixDomainSocket::Handler& remote_handler,
--                                     const boost::asio::mutable_buffers_1& buffer,
-+                                     const boost::asio::mutable_buffer& buffer,
-                                      const boost::system::error_code& ec,
-                                      size_t length) {
-     // The asynchronous receive may return EWOULDBLOCK or EAGAIN on some
-diff --git a/src/lib/dhcp/iface_mgr.cc b/src/lib/dhcp/iface_mgr.cc
-index 01a1d63da5d..419268bfe5c 100644
---- a/src/lib/dhcp/iface_mgr.cc
-+++ b/src/lib/dhcp/iface_mgr.cc
-@@ -1034,7 +1034,7 @@ IfaceMgr::getLocalAddress(const IOAddress& remote_addr, const uint16_t port) {
-     }
- 
-     // Create socket that will be used to connect to remote endpoint.
--    boost::asio::io_service io_service;
-+    boost::asio::io_context io_service;
-     boost::asio::ip::udp::socket sock(io_service);
- 
-     boost::system::error_code err_code;
--- 
-GitLab
-

kea-2.6.2.tar.gz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEECQoqB5I/kltXZ4A6QuXfeMgycdsFAmfdcgEACgkQQuXfeMgy
-cdtrbA/+MjIYfXn9nu1CoHtX4pxqh35uFYYU6WxDLgeGdHrUIBZe2xGbsZU44n01
-UEJ4u0SJXKpktmnt6R0XZ3R0q5KjQJ1RuOj2nGl/+FupxSYwxZl4ZmT6xivqrPyF
-q5XU/Vp3JQLhxbLo2w4uxcCGV00O4BGXc5SWPwiVUhf3IXElZuLryvjeU39FgfBf
-0y/PkhugUh/PNavkeHuCALbKD4NH4uhDXlbABWJ3GH4rq1gKpl1NAiHFuah2QWtx
-WAstxrR9W0o1SftIrCp2pbmjTXLKEZ2fPxJ4y0hf1ByGrgyN8MIS9JdLQKQdAhDd
-LOe59KxYxYF7lpgfbX4bSQU7XsXkYfETlfC0WvfyoEvl+Eg/LeZuUc1PlG5+u3BG
-RTep9g0WdkPf3SdmdIKGF6/AOvAo1ovms64KVr9mbKGLrGtkiv/mFCKc59EHkl4Y
-MH51YFfE34TB27zi7veGyfsQrKNESnRjVrlnewhWX7WeXkuHkR+Y2cqiYxSCx7Tb
-F2K+qOP2m+ICTWS0APxaUfJyETUyuNFTnfaWj+izYbIkE3vv11hAGuG5t7ef/tXF
-JY68doC9RFc5bF9q89xt93ePL3qls5ADBo4fZI67fpXFnywENiQGwUhBB5sxsYYs
-puVNNq7/nT+05IwpSr1TEpCtPHWDOFHG/lvAjcBYb2AGEnVGdpM=
-=h8nL
------END PGP SIGNATURE-----

kea-3.0.2.tar.xz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE2mo1COZypJ3Tgq/ZW49NkbiO2QkFAmj4qUEACgkQW49NkbiO
+2QkHHw/8C8PLMJfc9JjLWskS8sgI0H8kT2Vs8qMx+oJUWAkOrIcnrVlkC0/PfWkk
+KnZ2UFST+etmZfNySjRgQ5BdSovYQPx570LMsB2Jv/p2npMTvS6zPwPFDjrO/67D
+e4izzzS2cx3fK7uTigq8CZCkMVf0slX6v0arWsa8WHo8OePh+5TF1x0LDfFZLJvJ
+clr0xTVcKLuQs4VjxGlkHZsA69h6/7nXVksFkuzWwkQqNWj5Bfq4mWYXcNF0MK32
+jECgxcsquvPYEw9D7JGXr7Ty8CyuWok+va4PrA/XOQTlxvKaJbl1ljpocplPQgyL
+de73QxmyNmviv6DMMkwo0R2NJnaHMOGzbZef0ps/4aPyuSISOujT/Mef9lb0ifM8
+WdgLWdusmHyYaWnu3MLau923e7tH07Hrofre0yMl9LkLJwPrj1nRsdXuuea5a4LN
+p6YrYECRfNE2JW3xp5aLIhcZe7ouofzkYgdx1DK1UKU7GWlUfWCxImNQ5ZpWdfhT
+kkpWf72/K9mqQFNwvJmcGWg2qlWlel/My0rKh9z/gG+f543WK14gEP34pvQySIJ/
+PZRZDeu8YFYUMujWysuzJ6hDsAX3Q4yAWR8dCb9opfv1wAV94WnUQMMuXjk3MrUQ
+bFcw2dPGSonKP4HPMrbMRpWcq/3W3FG4gpE0lKX8DkaPHtG1fiU=
+=v6zd
+-----END PGP SIGNATURE-----

kea-boost1_89.patch

@@ -0,0 +1,39 @@
+From: Arjen de Korte <suse+build@de-korte.org>
+Date: 2025-10-28 20:05:15 +0100
+
+boost 1.89 does not have boost_system anymore.
+
+diff -purN a/meson.build b/meson.build
+--- a/meson.build	2025-08-20 10:14:44.000000000 +0200
++++ b/meson.build	2025-10-26 13:56:44.801656560 +0100
+@@ -189,7 +189,7 @@ message(f'Detected system "@SYSTEM@".')
+ 
+ #### Dependencies
+ 
+-boost_dep = dependency('boost', version: '>=1.66', modules: ['system'])
++boost_dep = dependency('boost', version: '>=1.66', modules: ['system'], required: false)
+ dl_dep = dependency('dl')
+ threads_dep = dependency('threads')
+ add_project_dependencies(boost_dep, dl_dep, threads_dep, language: ['cpp'])
+diff -purN a/src/lib/asiodns/io_fetch.h b/src/lib/asiodns/io_fetch.h
+--- a/src/lib/asiodns/io_fetch.h	2025-08-20 10:14:44.000000000 +0200
++++ b/src/lib/asiodns/io_fetch.h	2025-10-26 13:52:05.461445874 +0100
+@@ -16,6 +16,7 @@
+ #include <util/buffer.h>
+ 
+ #include <boost/asio/coroutine.hpp>
++#include <boost/asio/deadline_timer.hpp>
+ #include <boost/shared_array.hpp>
+ #include <boost/shared_ptr.hpp>
+ #include <boost/date_time/posix_time/posix_time_types.hpp>
+diff -purN a/src/lib/asiolink/interval_timer.h b/src/lib/asiolink/interval_timer.h
+--- a/src/lib/asiolink/interval_timer.h	2025-08-20 10:14:44.000000000 +0200
++++ b/src/lib/asiolink/interval_timer.h	2025-10-26 12:29:18.357562324 +0100
+@@ -7,6 +7,7 @@
+ #ifndef ASIOLINK_INTERVAL_TIMER_H
+ #define ASIOLINK_INTERVAL_TIMER_H 1
+ 
++#include <boost/asio/deadline_timer.hpp>
+ #include <boost/shared_ptr.hpp>
+ #include <functional>
+ 

kea-boost1_90.patch

@@ -0,0 +1,10 @@
+--- a/src/lib/log/logger_level_impl.cc.orig	2025-11-13 15:04:21.704582532 +0100
++++ b/src/lib/log/logger_level_impl.cc	2025-11-13 15:04:36.005019042 +0100
+@@ -10,6 +10,7 @@
+ #include <string.h>
+ #include <iostream>
+ #include <boost/lexical_cast.hpp>
++#include <boost/static_assert.hpp>
+ 
+ #include <log4cplus/logger.h>
+ 

kea-ctrl-agent.service

@@ -0,0 +1,18 @@
+[Unit]
+Description=ISC Kea Control Agent
+Before=multi-user.target
+Wants=network-online.target
+After=remote-fs.target network-online.target nss-lookup.target time-sync.target ldap.service ndsd.service
+
+[Service]
+User=keadhcp
+Environment=KEA_PIDFILE_DIR=/run/kea
+RuntimeDirectory=kea
+RuntimeDirectoryMode=0750
+RuntimeDirectoryPreserve=yes
+ExecStart=/usr/sbin/kea-ctrl-agent -c /etc/kea/kea-ctrl-agent.conf
+ExecReload=kill -HUP $MAINPID
+ProtectSystem=full
+
+[Install]
+WantedBy=multi-user.target

kea-dhcp-ddns.service

@@ -0,0 +1,19 @@
+[Unit]
+Description=ISC Kea DHCP-DDNS server
+Before=multi-user.target
+Wants=network-online.target
+After=remote-fs.target network-online.target nss-lookup.target time-sync.target ldap.service ndsd.service
+
+[Service]
+User=keadhcp
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+Environment=KEA_PIDFILE_DIR=/run/kea
+RuntimeDirectory=kea
+RuntimeDirectoryMode=0750
+RuntimeDirectoryPreserve=yes
+ExecStart=/usr/sbin/kea-dhcp-ddns -c /etc/kea/kea-dhcp-ddns.conf
+ExecReload=kill -HUP $MAINPID
+ProtectSystem=full
+
+[Install]
+WantedBy=multi-user.target

kea-dhcp4.service

@@ -0,0 +1,19 @@
+[Unit]
+Description=ISC Kea DHCPv4 server
+Before=multi-user.target
+Wants=network-online.target
+After=remote-fs.target network-online.target nss-lookup.target time-sync.target ldap.service ndsd.service
+
+[Service]
+User=keadhcp
+AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW
+Environment=KEA_PIDFILE_DIR=/run/kea
+RuntimeDirectory=kea
+RuntimeDirectoryMode=0750
+RuntimeDirectoryPreserve=yes
+ExecStart=/usr/sbin/kea-dhcp4 -c /etc/kea/kea-dhcp4.conf
+ExecReload=kill -HUP $MAINPID
+ProtectSystem=full
+
+[Install]
+WantedBy=multi-user.target

kea-dhcp6.service

@@ -0,0 +1,19 @@
+[Unit]
+Description=ISC Kea DHCPv6 server
+Before=multi-user.target
+Wants=network-online.target
+After=remote-fs.target network-online.target nss-lookup.target time-sync.target ldap.service ndsd.service
+
+[Service]
+User=keadhcp
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+Environment=KEA_PIDFILE_DIR=/run/kea
+RuntimeDirectory=kea
+RuntimeDirectoryMode=0750
+RuntimeDirectoryPreserve=yes
+ExecStart=/usr/sbin/kea-dhcp6 -c /etc/kea/kea-dhcp6.conf
+ExecReload=kill -HUP $MAINPID
+ProtectSystem=full
+
+[Install]
+WantedBy=multi-user.target

kea-infiniband.patch

@@ -0,0 +1,713 @@
+From adce212eac5453214dc347734682c807f1b2f61a Mon Sep 17 00:00:00 2001
+From: Timo Rothenpieler <timo.rothenpieler@uni-bremen.de>
+Date: Tue, 6 Feb 2024 18:42:13 +0100
+Subject: [PATCH 1/4] Add L2 bcast addr to Iface
+
+---
+ src/lib/dhcp/dhcp4.h            |  4 ++--
+ src/lib/dhcp/iface_mgr.cc       | 33 +++++++++++++++++++++++++++++++--
+ src/lib/dhcp/iface_mgr.h        | 28 ++++++++++++++++++++++++++++
+ src/lib/dhcp/iface_mgr_bsd.cc   | 28 ++++++++++++++++++++++++++++
+ src/lib/dhcp/iface_mgr_linux.cc | 22 ++++++++++++++++++++++
+ src/lib/dhcp/iface_mgr_sun.cc   | 28 ++++++++++++++++++++++++++++
+ 6 files changed, 139 insertions(+), 4 deletions(-)
+
+Index: kea-3.0.2/src/lib/dhcp/dhcp4.h
+===================================================================
+--- kea-3.0.2.orig/src/lib/dhcp/dhcp4.h
++++ kea-3.0.2/src/lib/dhcp/dhcp4.h
+@@ -60,8 +60,8 @@ enum HType {
+                          ///  arp-parameters/arp-parameters.xhtml suggest that
+                          ///  Ethernet (1) should be used in DOCSIS environment.
+     HTYPE_IEEE802 = 6,   ///< IEEE 802.2 Token Ring
+-    HTYPE_FDDI = 8       ///< FDDI
+-    /// TODO Add infiniband here
++    HTYPE_FDDI = 8,      ///< FDDI
++    HTYPE_INFINIBAND = 32 ///< InfiniBand
+ };
+ 
+ /* DHCP Option codes: */
+Index: kea-3.0.2/src/lib/dhcp/iface_mgr.cc
+===================================================================
+--- kea-3.0.2.orig/src/lib/dhcp/iface_mgr.cc
++++ kea-3.0.2/src/lib/dhcp/iface_mgr.cc
+@@ -62,7 +62,7 @@ IfaceMgr::instancePtr() {
+ }
+ 
+ Iface::Iface(const std::string& name, unsigned int ifindex)
+-    : name_(name), ifindex_(ifindex), mac_len_(0), hardware_type_(0),
++    : name_(name), ifindex_(ifindex), mac_len_(0), bcast_mac_len_(0), hardware_type_(0),
+       flag_loopback_(false), flag_up_(false), flag_running_(false),
+       flag_multicast_(false), flag_broadcast_(false), flags_(0),
+       inactive4_(false), inactive6_(false) {
+@@ -142,6 +142,21 @@ Iface::getPlainMac() const {
+     return (tmp.str());
+ }
+ 
++std::string
++Iface::getPlainBcastMac() const {
++    ostringstream tmp;
++    tmp.fill('0');
++    tmp << hex;
++    for (int i = 0; i < bcast_mac_len_; i++) {
++        tmp.width(2);
++        tmp << static_cast<int>(bcast_mac_[i]);
++        if (i < bcast_mac_len_-1) {
++            tmp << ":";
++        }
++    }
++    return (tmp.str());
++}
++
+ void Iface::setMac(const uint8_t* mac, size_t len) {
+     if (len > MAX_MAC_LEN) {
+         isc_throw(OutOfRange, "Interface " << getFullName()
+@@ -155,6 +170,19 @@ void Iface::setMac(const uint8_t* mac, s
+     }
+ }
+ 
++void Iface::setBcastMac(const uint8_t* mac, size_t len) {
++    if (len > MAX_MAC_LEN) {
++        isc_throw(OutOfRange, "Interface " << getFullName()
++                  << " was detected to have link address of length "
++                  << len << ", but maximum supported length is "
++                  << MAX_MAC_LEN);
++    }
++    bcast_mac_len_ = len;
++    if (len > 0) {
++        memcpy(bcast_mac_, mac, len);
++    }
++}
++
+ bool Iface::delAddress(const isc::asiolink::IOAddress& addr) {
+     for (AddressCollection::iterator a = addrs_.begin(); a != addrs_.end(); ++a) {
+         if (a->get() == addr) {
+@@ -791,7 +819,8 @@ IfaceMgr::printIfaces(std::ostream& out
+ 
+         out << "Detected interface " << iface->getFullName()
+             << ", hwtype=" << iface->getHWType()
+-            << ", mac=" << iface->getPlainMac();
++            << ", mac=" << iface->getPlainMac()
++            << ", bcast=" << iface->getPlainBcastMac();
+         out << ", flags=" << hex << iface->flags_ << dec << "("
+             << (iface->flag_loopback_?"LOOPBACK ":"")
+             << (iface->flag_up_?"UP ":"")
+Index: kea-3.0.2/src/lib/dhcp/iface_mgr.h
+===================================================================
+--- kea-3.0.2.orig/src/lib/dhcp/iface_mgr.h
++++ kea-3.0.2/src/lib/dhcp/iface_mgr.h
+@@ -204,6 +204,28 @@ public:
+     /// that returned it.
+     const uint8_t* getMac() const { return mac_; }
+ 
++    /// @brief Returns broadcast MAC address a plain text.
++    ///
++    /// @return MAC address as a plain text (string)
++    std::string getPlainBcastMac() const;
++
++    /// @brief Sets broadcast MAC address of the interface.
++    ///
++    /// @param mac pointer to bcast MAC address buffer
++    /// @param macLen length of bcast mac address
++    void setBcastMac(const uint8_t* bcastMac, size_t bcastMacLen);
++
++    /// @brief Returns broadcast MAC length.
++    ///
++    /// @return length of bcast MAC address
++    size_t getBcastMacLen() const { return bcast_mac_len_; }
++
++    /// @brief Returns pointer to broadcast MAC address.
++    ///
++    /// Note: Returned pointer is only valid as long as the interface object
++    /// that returned it.
++    const uint8_t* getBcastMac() const { return bcast_mac_; }
++
+     /// @brief Sets flag_*_ fields based on bitmask value returned by OS
+     ///
+     /// @note Implementation of this method is OS-dependent as bits have
+@@ -430,6 +452,12 @@ protected:
+     /// Length of link-layer address (usually 6).
+     size_t mac_len_;
+ 
++    /// Link-layer braodcast address.
++    uint8_t bcast_mac_[MAX_MAC_LEN];
++
++    /// Length of link-layer broadcast address (usually 6).
++    size_t bcast_mac_len_;
++
+     /// Hardware type.
+     uint16_t hardware_type_;
+ 
+Index: kea-3.0.2/src/lib/dhcp/iface_mgr_bsd.cc
+===================================================================
+--- kea-3.0.2.orig/src/lib/dhcp/iface_mgr_bsd.cc
++++ kea-3.0.2/src/lib/dhcp/iface_mgr_bsd.cc
+@@ -25,6 +25,22 @@ using namespace isc;
+ using namespace isc::asiolink;
+ using namespace isc::dhcp;
+ 
++namespace {
++
++static const uint8_t default_ib_bcast_addr[20] = {
++       0x00, 0xff, 0xff, 0xff,
++       0xff, 0x12, 0x40, 0x1b,
++       0x00, 0x00, 0x00, 0x00,
++       0x00, 0x00, 0x00, 0x00,
++       0xff, 0xff, 0xff, 0xff
++};
++
++static const uint8_t default_ether_bcast_addr[6] = {
++       0xff, 0xff, 0xff, 0xff, 0xff, 0xff
++};
++
++}
++
+ namespace isc {
+ namespace dhcp {
+ 
+@@ -92,6 +108,18 @@ IfaceMgr::detectIfaces(bool update_only)
+ 
+             iface_iter->second->setHWType(ldata->sdl_type);
+             iface_iter->second->setMac(ptr, ldata->sdl_alen);
++
++            //TODO: I don't have BSD, this needs tested
++            if (ifptr->ifa_flags & IFF_BROADCAST) {
++                ldata = reinterpret_cast<struct sockaddr_dl *>(ifptr->ifa_broadaddr);
++                ptr = reinterpret_cast<uint8_t *>(LLADDR(ldata));
++
++                iface_iter->second->setBcastMac(ptr, ldata->sdl_alen);
++            } else if (interface_info->ifi_type == HTYPE_INFINIBAND) {
++                iface_iter->second->setBcastMac(default_ib_bcast_addr, sizeof(default_ib_bcast_addr));
++            } else if (interface_info->ifi_type == HTYPE_ETHER) {
++                iface_iter->second->setBcastMac(default_ether_bcast_addr, sizeof(default_ether_bcast_addr));
++            }
+         } else if (ifptr->ifa_addr->sa_family == AF_INET6) {
+             // IPv6 Addr
+             struct sockaddr_in6 * adata =
+Index: kea-3.0.2/src/lib/dhcp/iface_mgr_linux.cc
+===================================================================
+--- kea-3.0.2.orig/src/lib/dhcp/iface_mgr_linux.cc
++++ kea-3.0.2/src/lib/dhcp/iface_mgr_linux.cc
+@@ -403,6 +403,18 @@ void Netlink::release_list(NetlinkMessag
+     messages.clear();
+ }
+ 
++static const uint8_t default_ib_bcast_addr[20] = {
++       0x00, 0xff, 0xff, 0xff,
++       0xff, 0x12, 0x40, 0x1b,
++       0x00, 0x00, 0x00, 0x00,
++       0x00, 0x00, 0x00, 0x00,
++       0xff, 0xff, 0xff, 0xff
++};
++
++static const uint8_t default_ether_bcast_addr[6] = {
++       0xff, 0xff, 0xff, 0xff, 0xff, 0xff
++};
++
+ } // end of anonymous namespace
+ 
+ namespace isc {
+@@ -504,6 +516,16 @@ void IfaceMgr::detectIfaces(bool update_
+             // try to dereference it in this manner
+         }
+ 
++        // Does interface have an L2 broadcast address?
++        if ((interface_info->ifi_flags & IFF_BROADCAST) && attribs_table[IFLA_BROADCAST]) {
++            iface->setBcastMac(static_cast<const uint8_t*>(RTA_DATA(attribs_table[IFLA_BROADCAST])),
++                               RTA_PAYLOAD(attribs_table[IFLA_BROADCAST]));
++        } else if (interface_info->ifi_type == HTYPE_INFINIBAND) {
++            iface->setBcastMac(default_ib_bcast_addr, sizeof(default_ib_bcast_addr));
++        } else if (interface_info->ifi_type == HTYPE_ETHER) {
++            iface->setBcastMac(default_ether_bcast_addr, sizeof(default_ether_bcast_addr));
++        }
++
+         nl.ipaddrs_get(*iface, addr_info);
+ 
+         // addInterface can now throw so protect against memory leaks.
+Index: kea-3.0.2/src/lib/dhcp/iface_mgr_sun.cc
+===================================================================
+--- kea-3.0.2.orig/src/lib/dhcp/iface_mgr_sun.cc
++++ kea-3.0.2/src/lib/dhcp/iface_mgr_sun.cc
+@@ -24,6 +24,22 @@ using namespace isc;
+ using namespace isc::asiolink;
+ using namespace isc::dhcp;
+ 
++namespace {
++
++static const uint8_t default_ib_bcast_addr[20] = {
++       0x00, 0xff, 0xff, 0xff,
++       0xff, 0x12, 0x40, 0x1b,
++       0x00, 0x00, 0x00, 0x00,
++       0x00, 0x00, 0x00, 0x00,
++       0xff, 0xff, 0xff, 0xff
++};
++
++static const uint8_t default_ether_bcast_addr[6] = {
++       0xff, 0xff, 0xff, 0xff, 0xff, 0xff
++};
++
++}
++
+ namespace isc {
+ namespace dhcp {
+ 
+@@ -92,6 +108,18 @@ IfaceMgr::detectIfaces(bool update_only)
+ 
+             iface_iter->second->setHWType(ldata->sdl_type);
+             iface_iter->second->setMac(ptr, ldata->sdl_alen);
++
++            //TODO: I don't have SUN, this needs tested
++            if (ifptr->ifa_flags & IFF_BROADCAST) {
++                ldata = reinterpret_cast<struct sockaddr_dl *>(ifptr->ifa_broadaddr);
++                ptr = reinterpret_cast<uint8_t *>(LLADDR(ldata));
++
++                iface_iter->second->setBcastMac(ptr, ldata->sdl_alen);
++            } else if (ldata->sdl_type == HTYPE_INFINIBAND) {
++                iface_iter->second->setBcastMac(default_ib_bcast_addr, sizeof(default_ib_bcast_addr));
++            } else if (ldata->sdl_type == HTYPE_ETHER) {
++                iface_iter->second->setBcastMac(default_ether_bcast_addr, sizeof(default_ether_bcast_addr));
++            }
+         } else if (ifptr->ifa_addr->sa_family == AF_INET6) {
+             // IPv6 Addr
+             struct sockaddr_in6 * adata =
+Index: kea-3.0.2/src/lib/dhcp/hwaddr.h
+===================================================================
+--- kea-3.0.2.orig/src/lib/dhcp/hwaddr.h
++++ kea-3.0.2/src/lib/dhcp/hwaddr.h
+@@ -23,6 +23,9 @@ public:
+     /// @brief Size of an ethernet hardware address.
+     static const size_t ETHERNET_HWADDR_LEN = 6;
+ 
++    /// @brief Size of an infiniband hardware address.
++    static const size_t INFINIBAND_HWADDR_LEN = 20;
++
+     /// @brief Maximum size of a hardware address.
+     static const size_t MAX_HWADDR_LEN = 20;
+ 
+Index: kea-3.0.2/src/lib/dhcp/pkt_filter_lpf.cc
+===================================================================
+--- kea-3.0.2.orig/src/lib/dhcp/pkt_filter_lpf.cc
++++ kea-3.0.2/src/lib/dhcp/pkt_filter_lpf.cc
+@@ -121,6 +121,98 @@ struct sock_filter dhcp_sock_filter [] =
+     BPF_STMT(BPF_RET + BPF_K, 0),
+ };
+ 
++/// The following structure defines a Berkeley Packet Filter program to perform
++/// packet filtering. The program operates on IPoIB pseudo packets. To help with
++/// interpretation of the program, for the types of packets we are interested
++/// in, the header layout is:
++///
++///  20 bytes  Source Interface Address
++///   2 bytes  Packet Type
++///   2 bytes  Reserved/Unused
++///
++///  The rest is identical to aboves Ethernet-Based packets
++///
++/// Each instruction is preceded with the comments giving the instruction
++/// number within a BPF program, in the following format: #123.
++
++struct sock_filter dhcp_sock_filter_ib [] = {
++    // Make sure this is an IP packet: check the half-word (two bytes)
++    // at offset 20 in the packet (the IPoIB pseudo packet type). If it
++    // is, advance to the next instruction. If not, advance 11
++    // instructions (which takes execution to the last instruction in
++    // the sequence: "drop it").
++    // #0
++    BPF_STMT(BPF_LD + BPF_H + BPF_ABS, IPOIB_PACKET_TYPE_OFFSET),
++    // #1
++    BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, ETHERTYPE_IP, 0, 11),
++
++    // Make sure it's a UDP packet. The IP protocol is at offset
++    // 9 in the IP header so, adding the IPoIB packet header size
++    // of 24 bytes gives an absolute byte offset in the packet of 33.
++    // #2
++    BPF_STMT(BPF_LD + BPF_B + BPF_ABS,
++             IPOIB_HEADER_LEN + IP_PROTO_TYPE_OFFSET),
++    // #3
++    BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, IPPROTO_UDP, 0, 9),
++
++    // Make sure this isn't a fragment by checking that the fragment
++    // offset field in the IP header is zero. This field is the
++    // least-significant 13 bits in the bytes at offsets 6 and 7 in
++    // the IP header, so the half-word at offset 30 (6 + size of
++    // IPoIB header) is loaded and an appropriate mask applied.
++    // #4
++    BPF_STMT(BPF_LD + BPF_H + BPF_ABS, IPOIB_HEADER_LEN + IP_FLAGS_OFFSET),
++    // #5
++    BPF_JUMP(BPF_JMP + BPF_JSET + BPF_K, 0x1fff, 7, 0),
++
++    // Check the packet's destination address. The program will only
++    // allow the packets sent to the broadcast address or unicast
++    // to the specific address on the interface. By default, this
++    // address is set to 0 and must be set to the specific value
++    // when the raw socket is created and the program is attached
++    // to it. The caller must assign the address to the
++    // prog.bf_insns[8].k in the network byte order.
++    // #6
++    BPF_STMT(BPF_LD + BPF_W + BPF_ABS,
++             IPOIB_HEADER_LEN + IP_DEST_ADDR_OFFSET),
++    // If this is a broadcast address, skip the next check.
++    // #7
++    BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, 0xffffffff, 1, 0),
++    // If this is not broadcast address, compare it with the unicast
++    // address specified for the interface.
++    // #8
++    BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, 0x00000000, 0, 4),
++
++    // Get the IP header length. This is achieved by the following
++    // (special) instruction that, given the offset of the start
++    // of the IP header (offset 24) loads the IP header length.
++    // #9
++    BPF_STMT(BPF_LDX + BPF_B + BPF_MSH, IPOIB_HEADER_LEN),
++
++    // Make sure it's to the right port. The following instruction
++    // adds the previously extracted IP header length to the given
++    // offset to locate the correct byte. The given offset of 26
++    // comprises the length of the IPoIB header (24) plus the offset
++    // of the UDP destination port (2) within the UDP header.
++    // #10
++    BPF_STMT(BPF_LD + BPF_H + BPF_IND, IPOIB_HEADER_LEN + UDP_DEST_PORT),
++    // The following instruction tests against the default DHCP server port,
++    // but the action port is actually set in PktFilterBPF::openSocket().
++    // N.B. The code in that method assumes that this instruction is at
++    // offset 11 in the program. If this is changed, openSocket() must be
++    // updated.
++    // #11
++    BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, DHCP4_SERVER_PORT, 0, 1),
++
++    // If we passed all the tests, ask for the whole packet.
++    // #12
++    BPF_STMT(BPF_RET + BPF_K, (u_int)-1),
++
++    // Otherwise, drop it.
++    // #13
++    BPF_STMT(BPF_RET + BPF_K, 0),
++};
++
+ }
+ 
+ using namespace isc::util;
+@@ -169,16 +261,30 @@ PktFilterLPF::openSocket(Iface& iface,
+     struct sock_fprog filter_program;
+     memset(&filter_program, 0, sizeof(filter_program));
+ 
+-    filter_program.filter = dhcp_sock_filter;
+-    filter_program.len = sizeof(dhcp_sock_filter) / sizeof(struct sock_filter);
++    if (iface.getHWType() == HTYPE_INFINIBAND) {
++        filter_program.filter = dhcp_sock_filter_ib;
++        filter_program.len = sizeof(dhcp_sock_filter_ib) / sizeof(struct sock_filter);
++
++        // Configure the filter program to receive unicast packets sent to the
++        // specified address. The program will also allow packets sent to the
++        // 255.255.255.255 broadcast address.
++        dhcp_sock_filter_ib[8].k = addr.toUint32();
++
++        // Override the default port value.
++        dhcp_sock_filter_ib[11].k = port;
++    } else {
++        filter_program.filter = dhcp_sock_filter;
++        filter_program.len = sizeof(dhcp_sock_filter) / sizeof(struct sock_filter);
++
++        // Configure the filter program to receive unicast packets sent to the
++        // specified address. The program will also allow packets sent to the
++        // 255.255.255.255 broadcast address.
++        dhcp_sock_filter[8].k = addr.toUint32();
+ 
+-    // Configure the filter program to receive unicast packets sent to the
+-    // specified address. The program will also allow packets sent to the
+-    // 255.255.255.255 broadcast address.
+-    dhcp_sock_filter[8].k = addr.toUint32();
++        // Override the default port value.
++        dhcp_sock_filter[11].k = port;
++    }
+ 
+-    // Override the default port value.
+-    dhcp_sock_filter[11].k = port;
+     // Apply the filter.
+     if (setsockopt(sock, SOL_SOCKET, SO_ATTACH_FILTER, &filter_program,
+                    sizeof(filter_program)) < 0) {
+@@ -315,7 +421,21 @@ PktFilterLPF::receive(Iface& iface, cons
+     Pkt4Ptr dummy_pkt = Pkt4Ptr(new Pkt4(DHCPDISCOVER, 0));
+ 
+     // Decode ethernet, ip and udp headers.
+-    decodeEthernetHeader(buf, dummy_pkt);
++    if (iface.getHWType() == HTYPE_INFINIBAND) {
++        decodeIPoIBHeader(buf, dummy_pkt);
++
++        // The IPoIB header does not contain the local address.
++        // Set it from the interface instead.
++        if (iface.getMacLen() != HWAddr::INFINIBAND_HWADDR_LEN) {
++            isc_throw(SocketReadError,
++                      "Invalid local hardware address size for IPoIB interface.");
++        }
++        HWAddrPtr hwaddr(new HWAddr(iface.getMac(), iface.getMacLen(),
++                                    iface.getHWType()));
++        dummy_pkt->setLocalHWAddr(hwaddr);
++    } else {
++        decodeEthernetHeader(buf, dummy_pkt);
++    }
+     decodeIpUdpHeader(buf, dummy_pkt);
+ 
+     auto v4_len = buf.getLength() - buf.getPosition();
+@@ -379,11 +499,14 @@ PktFilterLPF::send(const Iface& iface, u
+         pkt->setLocalHWAddr(hwaddr);
+     }
+ 
+-
+-    // Ethernet frame header.
+-    // Note that we don't validate whether HW addresses in 'pkt'
+-    // are valid because they are checked by the function called.
+-    writeEthernetHeader(pkt, buf);
++    if (iface.getHWType() == HTYPE_INFINIBAND) {
++        writeIPoIBHeader(iface, pkt, buf);
++    } else {
++        // Ethernet frame header.
++        // Note that we don't validate whether HW addresses in 'pkt'
++        // are valid because they are checked by the function called.
++        writeEthernetHeader(pkt, buf);
++    }
+ 
+     // IP and UDP header
+     writeIpUdpHeader(pkt, buf);
+Index: kea-3.0.2/src/lib/dhcp/protocol_util.cc
+===================================================================
+--- kea-3.0.2.orig/src/lib/dhcp/protocol_util.cc
++++ kea-3.0.2/src/lib/dhcp/protocol_util.cc
+@@ -17,6 +17,14 @@
+ 
+ using namespace isc::asiolink;
+ using namespace isc::util;
++using namespace isc::dhcp;
++
++namespace {
++
++static HWAddr zero_ib_hwaddr(&std::vector<uint8_t>(HWAddr::INFINIBAND_HWADDR_LEN)[0],
++                             HWAddr::INFINIBAND_HWADDR_LEN, HTYPE_INFINIBAND);
++
++}
+ 
+ namespace isc {
+ namespace dhcp {
+@@ -59,6 +67,39 @@ decodeEthernetHeader(InputBuffer& buf, P
+ }
+ 
+ void
++decodeIPoIBHeader(InputBuffer& buf, Pkt4Ptr& pkt) {
++    // The size of the buffer to be parsed must not be lower
++    // then the size of the IPoIB frame header.
++    if (buf.getLength() - buf.getPosition() < IPOIB_HEADER_LEN) {
++        isc_throw(InvalidPacketHeader, "size of ethernet header in received "
++                  << "packet is invalid, expected at least "
++                  << IPOIB_HEADER_LEN << " bytes, received "
++                  << buf.getLength() - buf.getPosition() << " bytes");
++    }
++    // Packet object must not be NULL. We want to output some values
++    // to this object.
++    if (!pkt) {
++        isc_throw(BadValue, "NULL packet object provided when parsing ethernet"
++                  " frame header");
++    }
++
++    // The size of the single address is always lower then the size of
++    // the header that holds this address. Otherwise, it is a programming
++    // error that we want to detect in the compilation time.
++    BOOST_STATIC_ASSERT(IPOIB_HEADER_LEN > HWAddr::INFINIBAND_HWADDR_LEN);
++
++    // Remember initial position.
++    size_t start_pos = buf.getPosition();
++
++    // Read the source HW address.
++    std::vector<uint8_t> src_addr;
++    buf.readVector(src_addr, HWAddr::INFINIBAND_HWADDR_LEN);
++    pkt->setRemoteHWAddr(HWTYPE_INFINIBAND, HWAddr::INFINIBAND_HWADDR_LEN, src_addr);
++    // Move the buffer read pointer to the end of the Ethernet frame header.
++    buf.setPosition(start_pos + IPOIB_HEADER_LEN);
++}
++
++void
+ decodeIpUdpHeader(InputBuffer& buf, Pkt4Ptr& pkt) {
+     // The size of the buffer must be at least equal to the minimal size of
+     // the IPv4 packet header plus UDP header length.
+@@ -162,6 +203,51 @@ writeEthernetHeader(const Pkt4Ptr& pkt,
+ }
+ 
+ void
++writeIPoIBHeader(const Iface& iface, const Pkt4Ptr& pkt, OutputBuffer& out_buf) {
++    // Set destination HW address.
++    HWAddrPtr remote_addr = pkt->getRemoteHWAddr();
++    if (remote_addr) {
++        if (remote_addr->hwaddr_.size() != HWAddr::INFINIBAND_HWADDR_LEN) {
++            isc_throw(BadValue, "invalid size of the remote HW address "
++                      << remote_addr->hwaddr_.size() << " when constructing"
++                      << " an ethernet frame header; expected size is"
++                      << " " << HWAddr::INFINIBAND_HWADDR_LEN);
++        } else if ((!pkt->isRelayed() &&
++                    (pkt->getFlags() & Pkt4::FLAG_BROADCAST_MASK)) ||
++                   *remote_addr == zero_ib_hwaddr) {
++            // We also broadcast if the received hwaddr is full zero.
++            // This happens on some IB drivers which don't provide the remote
++            // hwaddr to userspace.
++            // Generally, according to the RFC, all IPoIB clients MUST request
++            // broadcast anyway, but better to be safe and handle non-compliant
++            // clients.
++            if (iface.getBcastMacLen() != HWAddr::INFINIBAND_HWADDR_LEN) {
++                isc_throw(BadValue, "invalid size of the bcast HW address "
++                          << iface.getBcastMacLen() << " when constructing"
++                          << " an ethernet frame header; expected size is"
++                          << " " << HWAddr::INFINIBAND_HWADDR_LEN);
++            }
++            out_buf.writeData(iface.getBcastMac(),
++                              HWAddr::INFINIBAND_HWADDR_LEN);
++        } else {
++            out_buf.writeData(&remote_addr->hwaddr_[0],
++                              HWAddr::INFINIBAND_HWADDR_LEN);
++        }
++    } else {
++        // HW address has not been specified. This is possible when receiving
++        // packet through a logical interface (e.g. lo). In such cases, we
++        // don't want to fail but rather provide a default HW address, which
++        // consists of zeros.
++        out_buf.writeData(&zero_ib_hwaddr.hwaddr_[0], HWAddr::INFINIBAND_HWADDR_LEN);
++    }
++
++    // Type IP.
++    out_buf.writeUint16(ETHERNET_TYPE_IP);
++    // Reserved
++    out_buf.writeUint16(0);
++}
++
++void
+ writeIpUdpHeader(const Pkt4Ptr& pkt, util::OutputBuffer& out_buf) {
+ 
+     out_buf.writeUint8(0x45); // IP version 4, IP header length 5
+Index: kea-3.0.2/src/lib/dhcp/protocol_util.h
+===================================================================
+--- kea-3.0.2.orig/src/lib/dhcp/protocol_util.h
++++ kea-3.0.2/src/lib/dhcp/protocol_util.h
+@@ -8,6 +8,7 @@
+ #define PROTOCOL_UTIL_H
+ 
+ #include <dhcp/pkt4.h>
++#include <dhcp/iface_mgr.h>
+ #include <util/buffer.h>
+ 
+ #include <stdint.h>
+@@ -39,6 +40,12 @@ static const size_t ETHERNET_PACKET_TYPE
+ /// and locations on different OSes.
+ static const uint16_t ETHERNET_TYPE_IP = 0x0800;
+ 
++/// Size of the IPoIB pseude frame header.
++static const size_t IPOIB_HEADER_LEN = 24;
++/// Offset of the 2-byte word in the IPoIB pseudo packet which
++/// holds the type of the protocol it encapsulates.
++static const size_t IPOIB_PACKET_TYPE_OFFSET = 20;
++
+ /// Minimal IPv4 header length.
+ static const size_t MIN_IP_HEADER_LEN = 20;
+ /// Offset in the IP header where the flags field starts.
+@@ -75,6 +82,25 @@ static const size_t UDP_DEST_PORT = 2;
+ /// @throw BadValue if pkt object is NULL.
+ void decodeEthernetHeader(util::InputBuffer& buf, Pkt4Ptr& pkt);
+ 
++/// @brief Decode the IPoIB pseudo header.
++///
++/// This function reads IPoIB pesudo frame header from the provided
++/// buffer at the current read position. The source HW address
++/// is read from the header and assigned as client address in
++/// the pkt object. The buffer read pointer is set to the end
++/// of the IPoIB frame header if read was successful.
++///
++/// @warning This function does not check that the provided 'pkt'
++/// pointer is valid. Caller must make sure that pointer is
++/// allocated.
++///
++/// @param buf input buffer holding header to be parsed.
++/// @param [out] pkt packet object receiving HW source address read from header.
++///
++/// @throw InvalidPacketHeader if packet header is truncated
++/// @throw BadValue if pkt object is NULL.
++void decodeIPoIBHeader(util::InputBuffer& buf, Pkt4Ptr& pkt);
++
+ /// @brief Decode IP and UDP header.
+ ///
+ /// This function reads IP and UDP headers from the provided buffer
+@@ -105,6 +131,17 @@ void decodeIpUdpHeader(util::InputBuffer
+ void writeEthernetHeader(const Pkt4Ptr& pkt,
+                          util::OutputBuffer& out_buf);
+ 
++/// @brief Writes IPoIB pseudo frame header into a buffer.
++///
++/// @warning This function does not check that the provided 'pkt'
++/// pointer is valid. Caller must make sure that pointer is
++/// allocated.
++///
++/// @param pkt packet object holding source and destination HW address.
++/// @param [out] out_buf buffer where a header is written.
++void writeIPoIBHeader(const Iface& iface, const Pkt4Ptr& pkt,
++                      util::OutputBuffer& out_buf);
++
+ /// @brief Writes both IP and UDP header into output buffer
+ ///
+ /// This utility function assembles IP and UDP packet headers for the
+Index: kea-3.0.2/src/lib/dhcp/pkt4.cc
+===================================================================
+--- kea-3.0.2.orig/src/lib/dhcp/pkt4.cc
++++ kea-3.0.2/src/lib/dhcp/pkt4.cc
+@@ -84,6 +84,15 @@ Pkt4::pack() {
+ 
+     try {
+         size_t hw_len = hwaddr_->hwaddr_.size();
++        size_t hw_offset = 0;
++
++        if (hwaddr_->htype_ == HTYPE_INFINIBAND && hw_len == HWAddr::INFINIBAND_HWADDR_LEN) {
++            // According to RFC4390, hlen MUST be zero and chaddr zeroed out.
++            // However, at least dhclient can't handle that and fails.
++            // Instead, return the last 8 bytes, which contain the actual unique hw part.
++            hw_len = 8;
++            hw_offset = HWAddr::INFINIBAND_HWADDR_LEN - 8;
++        }
+ 
+         buffer_out_.writeUint8(op_);
+         buffer_out_.writeUint8(hwaddr_->htype_);
+@@ -101,7 +110,7 @@ Pkt4::pack() {
+         if ((hw_len > 0) && (hw_len <= MAX_CHADDR_LEN)) {
+             // write up to 16 bytes of the hardware address (CHADDR field is 16
+             // bytes long in DHCPv4 message).
+-            buffer_out_.writeData(&hwaddr_->hwaddr_[0],
++            buffer_out_.writeData(&hwaddr_->hwaddr_[hw_offset],
+                                  (hw_len < MAX_CHADDR_LEN ?
+                                   hw_len : MAX_CHADDR_LEN) );
+             hw_len = MAX_CHADDR_LEN - hw_len;
+@@ -473,13 +482,7 @@ void
+ Pkt4::setHWAddrMember(const uint8_t htype, const uint8_t hlen,
+                       const std::vector<uint8_t>& mac_addr,
+                       HWAddrPtr& hw_addr) {
+-    /// @todo Rewrite this once support for client-identifier option
+-    /// is implemented (ticket 1228?)
+-    if (hlen > MAX_CHADDR_LEN) {
+-        isc_throw(OutOfRange, "Hardware address (len=" << static_cast<uint32_t>(hlen)
+-                  << ") too long. Max " << MAX_CHADDR_LEN << " supported.");
+-
+-    } else if (mac_addr.empty() && (hlen > 0) ) {
++    if (mac_addr.empty() && (hlen > 0) ) {
+         isc_throw(OutOfRange, "Invalid HW Address specified");
+     }
+ 
+Index: kea-3.0.2/doc/sphinx/arm/dhcp4-srv.rst
+===================================================================
+--- kea-3.0.2.orig/doc/sphinx/arm/dhcp4-srv.rst
++++ kea-3.0.2/doc/sphinx/arm/dhcp4-srv.rst
+@@ -8356,9 +8356,11 @@ are clearly marked as such.
+    headers (including data link layer, IP, and UDP headers) are created
+    and parsed by Kea, rather than by the system kernel. Currently, Kea
+    can only parse the data-link layer headers with a format adhering to
+-   the IEEE 802.3 standard, and assumes this data-link-layer header
++   the IEEE 802.3 (Ethernet) standard, and assumes this data-link-layer header
+    format for all interfaces. Thus, Kea does not work on interfaces
+-   which use different data-link-layer header formats (e.g. Infiniband).
++   which use different data-link-layer header formats, with the exception of
++   LPF being able to handle InfiniBand framing, thus enabling Kea to serve
++   these kind of interfaces on Linux.
+ 
+ .. _dhcp4-srv-examples:
+ 

kea.changes

@@ -1,3 +1,214 @@
+-------------------------------------------------------------------
+Thu Nov 13 15:16:39 CET 2025 - aschnell@suse.com
+
+- Fix building with Boost 1.90 Beta 1
+  (add 'kea-boost1_90.patch')
+
+-------------------------------------------------------------------
+Wed Oct 29 15:48:22 UTC 2025 - Jorik Cronenberg <jorik.cronenberg@suse.com>
+
+- Update to release 3.0.2
+  * Security Fixes:
+  * When a hostname or FQDN received from a client is reduced to an
+    empty string by hostname sanitizing, kea-dhcp4 and kea-dhcp6
+    will now drop the option.
+    [CVE-2025-11232, bsc#1252863]
+  * Bug fixes:
+  * Removed logging an error in ping check hook library if using
+    lease cache treshold.
+  * Fixed deadlock in ping-check hooks library.
+  * Fixed a data race in ping-check hooks library.
+
+-------------------------------------------------------------------
+Tue Oct 28 22:43:30 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
+
+- New shorter version of kea-boost1_89.patch
+
+-------------------------------------------------------------------
+Sun Oct 26 13:08:05 UTC 2025 - Arjen de Korte <suse+build@de-korte.org>
+
+- Fix building with Boost >= 1.89
+  (add 'kea-boost1_89.patch')
+
+-------------------------------------------------------------------
+Thu Aug 28 09:03:21 UTC 2025 - Jorik Cronenberg <jorik.cronenberg@suse.com>
+
+- Update to release 3.0.1
+  Security Fixes:
+  * Corrected an issue in kea-dhcp4 that caused the server to abort
+    if a client sent a unicast request with a particular options,
+    and Kea failed to find an appropriate subnet for that client.
+    (CVE-2025-40779)
+    [bsc#1248801]
+
+  Changes:
+  * Moved Botan crypto backend support to version 3.
+  * Avoid adding the qualifying-suffix to fully qualified host
+    names specified in host reservations.
+
+-------------------------------------------------------------------
+Tue Jul 29 09:44:04 UTC 2025 - Jorik Cronenberg <jorik.cronenberg@suse.com>
+
+- Remove `/usr/share/kea/meson-info` directory because it contains
+  non reproducible files.
+  [bsc#1246670]
+
+-------------------------------------------------------------------
+Mon Jul  7 14:40:57 UTC 2025 - Jorik Cronenberg <jorik.cronenberg@suse.com>
+
+- Use meson install_umask to set binaries and libraries
+  permissions.
+
+-------------------------------------------------------------------
+Tue Jul  1 09:28:14 UTC 2025 - Jorik Cronenberg <jorik.cronenberg@suse.com>
+
+- Update to release 3.0.0
+  Noteworthy changes:
+  * Lease caching is now enabled by default.
+  * The control-socket.socket-name and control-socket.socket-type
+    parameters have been removed from the CB.
+  * Kea now rejects certain default passwords. If you copied your
+    Kea configuration from the examples in our documentation using
+    our sample password, change your password to a unique value.
+  * The kea-control-agent is now deprecated. The individual Kea
+    services support HTTP/HTTPS control channels, so the Control
+    Agent (CA) is no longer needed. The CA is still available but
+    will be removed in a future release.
+  * The precedence of options specified in a template class and its
+    spawned classes has been reversed. An option specified in a
+    spawned class now takes precedence over the same option
+    specified in the template class.
+  * The only-if-required and require-client-classes were renamed to
+    only-in-additional-list and evaluate-additional-classes.
+  * Classes included in require-client-classes (now called
+    evaluate-additional-classes) that do not have test expressions
+    will now be unconditionally added to a client's list of
+    matching classes; previously, they were ignored.
+  * Additional classes are now evaluated in the same order as
+    option-data, i.e. pools, subnets, and shared networks. In
+    earlier versions, the order was reversed.
+  * It is now possible to define multiple client classes when
+    limiting access to networks, subnets, and pools. The parameter
+    client-class (a single class name) has been replaced with
+    client-classes (a list of one or more class names). The older
+    syntax is still accepted but is now deprecated and will be
+    removed in the future. You cannot specify both client-class and
+    client-classes within the same scope.
+  * Options name value pairs specified in option-data have a new
+    parameter available: client-classes. This allows the
+    administrator to place a guard on the option requiring
+    membership in a class or classes before that particular option
+    data will be added to the packet. This is intended as a
+    powerful mechanism to bring back some of the functionality from
+    the conditional (if) statements that were widely used in ISC
+    DHCP. See Option Class-Tagging in the ARM for further
+    information.
+  * The build system has been switched to meson.
+
+  Further detailed information of all changes is available at
+  https://gitlab.isc.org/isc-projects/kea/-/wikis/Release-Notes/release-notes-3.0.0
+  and
+  https://kb.isc.org/docs/things-to-be-aware-of-when-upgrading-to-kea-300
+
+- Set RuntimeDirectoryPreserve=yes in services to prevent deletion
+  of RuntimeDirectory when one service gets stopped.
+
+-------------------------------------------------------------------
+Mon Jun 16 12:27:37 UTC 2025 - Jorik Cronenberg <jorik.cronenberg@suse.com>
+
+- Change After= from network.target to network-online.target and
+  add Wants=network-online.target to systemd services to prevent
+  starting up before ip setup is finished.
+
+-------------------------------------------------------------------
+Mon May 26 15:07:13 UTC 2025 - Jorik Cronenberg <jorik.cronenberg@suse.com>
+
+- Update to release 2.6.3
+  Security Fixes:
+  * The default configuration for the Kea Control Agent (CA) has
+    been updated to enable basic HTTP authentication.  Access to
+    the Kea API will thus require a password.
+    (CVE-2025-32801, CVE-2025-32802, CVE-2025-32803)
+    [bsc#1243240]
+  * `kea-dhcp4`, `kea-dhcp6`, `kea-dhcp-ddns`, and
+    `kea-ctrl-agent` now only load hook libraries from the
+    default installation directory. For ease of use, the path may
+    be omitted.
+    (CVE-2025-32801)
+    [bsc#1243240]
+  * The API command `config-write` will now only write to the same
+    directory as the configuration file used when Kea was started
+    (passed as a `-c` argument).
+    (CVE-2025-32802)
+    [bsc#1243240]
+  * Lease files can now only be loaded from the data directory
+    `/var/lib/kea`. This path may be overridden at startup by
+    setting the environment variable `KEA_DHCP_DATA_DIR` to the
+    desired path. If a path outside the defined data directory is
+    used in `lease-database.name`, Kea returns an error and refuses
+    to start or, if already running, aborts and exits. For ease of
+    use in specifying a custom file name, simply omit the path
+    component from `name`.
+    (CVE-2025-32802)
+    [bsc#1243240]
+  * Log files can now only be written to a defined output directory
+    `/var/log/kea`. This path may be overridden at startup by
+    setting the environment variable `KEA_LOG_FILE_DIR` to the
+    desired path. If a path outside the defined output directory is
+    used in `loggers.output_options.output`, Kea returns an error
+    and refuses to start or, if already running, aborts and exits.
+    For ease of use, simply omit the path component from `output`
+    and specify only the file name.
+    (CVE-2025-32802)
+    [bsc#1243240]
+  * Files created by Kea now have more restrictive file
+    permissions. Write access by group and any access by others is
+    now forbidden.
+    (CVE-2025-32803)
+    [bsc#1243240]
+  * Sockets can no longer be created in a world-writable directory,
+    such as `/tmp`. Sockets must now be created in the more
+    restricted `/var/run/kea`.
+    (CVE-2025-32802)
+    [bsc#1243240]
+  * Many sample configuration files have been updated to reflect
+    changes introduced in this release. In the ARM, the Kea
+    Security section has been moved to a more prominent location,
+    and a new section concerning securing the Kea Control Agent has
+    been added.
+    (CVE-2025-32801, CVE-2025-32802, CVE-2025-32803)
+    [bsc#1243240]
+
+  Other changes:
+  * Fix build with the latest Boost 1.87.
+    (Obsoletes patch `kea-2.6.1-boost_1.87-compat.patch`)
+  * Backported a clarification in the ARM about subnet4-delta-add.
+
+- Remove /run/kea from systemd tmpfiles as the creation of this
+  directory is handled by the services.
+- Replace 'chmod -h' and 'chown -h' with 'find' as the '-h' isn't
+  present in Leap/SLE.
+- /run/kea now has mode 0750 for all services.
+
+-------------------------------------------------------------------
+Wed Apr 30 13:21:39 UTC 2025 - Jorik Cronenberg <jorik.cronenberg@suse.com>
+
+- Update owner and perms in %post on modified config files
+
+-------------------------------------------------------------------
+Tue Apr 15 11:01:25 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
+
+- Add logic to %post for switching from kea.service to the new
+  split units, kea-*.service.
+  (Inspiration taken from strongswan.spec.)
+
+-------------------------------------------------------------------
+Wed Apr  2 15:29:59 UTC 2025 - Jorik Cronenberg <jorik.cronenberg@suse.com>
+
+- Split off services into separate ones to allow more fine grained
+  control for e.g. capabilities.
+- Tighten access to state and log directories.
+
 -------------------------------------------------------------------
 Wed Mar 26 16:01:54 UTC 2025 - Jorik Cronenberg <jorik.cronenberg@suse.com>
 

kea.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package kea
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,36 +16,33 @@
 #
 
 
-%define asiodns_sover 48
-%define asiolink_sover 71
-%define cc_sover 68
-%define cfgclient_sover 65
-%define cryptolink_sover 50
-%define d2srv_sover 46
-%define database_sover 62
-%define dhcppp_sover 91
-%define dhcp_ddns_sover 56
-%define dhcpsrv_sover 110
-%define dnspp_sover 56
-%define eval_sover 69
-%define exceptions_sover 33
-%define hooks_sover 99
-%define http_sover 71
-%define log_sover 61
-%define mysql_sover 71
-%define pgsql_sover 71
-%define process_sover 73
-%define stats_sover 41
-%define tcp_sover 18
-%define util_io_sover 0
-%define util_sover 85
-%if 0%{?suse_version} >= 1600
-%bcond_without regen_files
-%else
-%bcond_with    regen_files
-%endif
+%define asiodns_sover 62
+%define asiolink_sover 88
+%define cc_sover 82
+%define cfgrpt_sover 3
+%define config_sover 83
+%define cryptolink_sover 64
+%define d2srv_sover 63
+%define database_sover 76
+%define dhcp_sover 109
+%define dhcp_ddns_sover 68
+%define dhcpsrv_sover 131
+%define dns_sover 71
+%define eval_sover 84
+%define exceptions_sover 45
+%define hooks_sover 120
+%define http_sover 87
+%define log_interprocess_sover 3
+%define log_sover 75
+%define mysql_sover 88
+%define pgsql_sover 88
+%define process_sover 90
+%define stats_sover 53
+%define tcp_sover 33
+%define util_io_sover 12
+%define util_sover 101
 Name:           kea
-Version:        2.6.2
+Version:        3.0.2
 Release:        0
 Summary:        Dynamic Host Configuration Protocol daemon
 License:        MPL-2.0
@@ -53,21 +50,24 @@ Group:          Productivity/Networking/Boot/Servers
 URL:            https://kea.isc.org/
 #Git-Clone:     https://gitlab.isc.org/isc-projects/kea
 #Github is out of date / abandoned(?)
-Source:         https://ftp.isc.org/isc/kea/%version/kea-%version.tar.gz
-Source2:        https://ftp.isc.org/isc/kea/%version/kea-%version.tar.gz.asc
+Source:         https://ftp.isc.org/isc/kea/%version/kea-%version.tar.xz
+Source2:        https://ftp.isc.org/isc/kea/%version/kea-%version.tar.xz.asc
 # https://www.isc.org/pgpkey/
 Source3:        kea.keyring
-Patch0:         kea-2.6.1-boost_1.87-compat.patch
-BuildRequires:  autoconf >= 2.59
-BuildRequires:  automake
-%if %{with regen_files}
-BuildRequires:  bison >= 3.3
-%endif
+Source4:        kea-dhcp4.service
+Source5:        kea-dhcp6.service
+Source6:        kea-dhcp-ddns.service
+Source7:        kea-ctrl-agent.service
+Patch1:         kea-boost1_89.patch
+Patch2:         kea-boost1_90.patch
+Patch3:         kea-infiniband.patch
+BuildRequires:  fdupes
 BuildRequires:  freeradius-server-devel
 BuildRequires:  gcc-c++
 BuildRequires:  libmysqlclient-devel
 BuildRequires:  libtool >= 2
 BuildRequires:  log4cplus-devel
+BuildRequires:  meson
 BuildRequires:  pkg-config >= 0.23
 BuildRequires:  postgresql-server-devel
 BuildRequires:  python-rpm-macros
@@ -79,14 +79,10 @@ BuildRequires:  xz
 BuildRequires:  pkgconfig(libcrypto)
 %sysusers_requires
 Suggests:       %name-hooks = %version
-%if %{with regen_files}
-BuildRequires:  flex
-%endif
 %if 0%{?suse_version} >= 1500
-BuildRequires:  libboost_system-devel
-%else
-BuildRequires:  boost-devel
+BuildRequires:  (libboost_system-devel if boost-devel < 1.89)
 %endif
+BuildRequires:  boost-devel
 BuildRequires:  systemd-rpm-macros
 
 %description
@@ -137,11 +133,20 @@ Group:          System/Libraries
 libkea-cc is used for the control channel protocol between keactrl
 and the server.
 
-%package -n libkea-cfgclient%cfgclient_sover
+%package -n libkea-cfgrpt%cfgrpt_sover
+Summary:        Kea DHCP server config report library
+Group:          System/Libraries
+
+%description -n libkea-cfgrpt%cfgrpt_sover
+The cfgrpt library is used for generating configuration reports for Kea,
+providing detailed JSON-formatted summaries of the server's current
+configuration.
+
+%package -n libkea-config%config_sover
 Summary:        Kea DHCP server configuration client library
 Group:          System/Libraries
 
-%description -n libkea-cfgclient%cfgclient_sover
+%description -n libkea-config%config_sover
 The Kea DHCP server can be managed at runtime via the Control
 Channel. The CC allows an external entity (e.g. a tool run by a
 sysadmin or a script) to issue commands to the server which can
@@ -174,12 +179,12 @@ Group:          System/Libraries
 %description -n libkea-database%database_sover
 Kea's database abstraction library.
 
-%package -n libkea-dhcp++%dhcppp_sover
+%package -n libkea-dhcp%dhcp_sover
 Summary:        Kea DHCP library
 Group:          System/Libraries
 
-%description -n libkea-dhcp++%dhcppp_sover
-libdhcp++ is an all-purpose DHCP-manipulation library, written in
+%description -n libkea-dhcp%dhcp_sover
+libdhcp is an all-purpose DHCP-manipulation library, written in
 C++. It offers packet parsing and assembly, DHCPv4 and DHCPv6 options
 parsing and assembly, interface detection, and socket operations It
 can be used by server, client, relay, performance tools and other
@@ -205,11 +210,11 @@ operations, including the "Lease Manager" that manages information
 about leases and the "Configuration Manager" that stores the servers'
 configuration etc.
 
-%package -n libkea-dns++%dnspp_sover
+%package -n libkea-dns%dns_sover
 Summary:        Kea DHCP server component library
 Group:          System/Libraries
 
-%description -n libkea-dns++%dnspp_sover
+%description -n libkea-dns%dns_sover
 One of the many libraries the Kea DHCP server is composed of.
 
 %package -n libkea-eval%eval_sover
@@ -253,6 +258,14 @@ receive messages and send responses over HTTP. This library uses
 boost ASIO for creating TCP connections and asynchronously receive
 and send the data over the sockets.
 
+%package -n libkea-log-interprocess%log_interprocess_sover
+Summary:        Kea DHCP log interprocess library
+Group:          System/Libraries
+
+%description -n libkea-log-interprocess%log_interprocess_sover
+The log-interprocess library facilitates the transfer of logging messages
+between the different Kea processes.
+
 %package -n libkea-log%log_sover
 Summary:        Kea DHCP logging system library
 Group:          System/Libraries
@@ -325,19 +338,21 @@ Group:          Development/Libraries/C and C++
 Requires:       libkea-asiodns%asiodns_sover = %version
 Requires:       libkea-asiolink%asiolink_sover = %version
 Requires:       libkea-cc%cc_sover = %version
-Requires:       libkea-cfgclient%cfgclient_sover = %version
+Requires:       libkea-cfgrpt%cfgrpt_sover = %version
+Requires:       libkea-config%config_sover = %version
 Requires:       libkea-cryptolink%cryptolink_sover = %version
 Requires:       libkea-d2srv%d2srv_sover = %version
 Requires:       libkea-database%database_sover = %version
-Requires:       libkea-dhcp++%dhcppp_sover = %version
+Requires:       libkea-dhcp%dhcp_sover = %version
 Requires:       libkea-dhcp_ddns%dhcp_ddns_sover = %version
 Requires:       libkea-dhcpsrv%dhcpsrv_sover = %version
-Requires:       libkea-dns++%dnspp_sover = %version
+Requires:       libkea-dns%dns_sover = %version
 Requires:       libkea-eval%eval_sover = %version
 Requires:       libkea-exceptions%exceptions_sover = %version
 Requires:       libkea-hooks%hooks_sover = %version
 Requires:       libkea-http%http_sover = %version
 Requires:       libkea-log%log_sover = %version
+Requires:       libkea-log-interprocess%log_interprocess_sover = %version
 Requires:       libkea-mysql%mysql_sover = %version
 Requires:       libkea-pgsql%pgsql_sover = %version
 Requires:       libkea-process%process_sover = %version
@@ -353,46 +368,24 @@ Development files for the Kea DHCP server
 
 %prep
 %autosetup -p1 -n kea-%version
+%if 0%{?suse_version} < 1600
+%patch -R -P 1 -p1
+%endif
 
 %build
 export FREERADIUS_INCLUDE="%_includedir/freeradius"
 export FREERADIUS_LIB=""
 export FREERADIUS_DICTIONARY=""
-autoreconf -fi
-%configure \
-	--disable-rpath --disable-static \
-%if %{with regen_files}
-	--enable-generate-docs --enable-generate-parser \
-%endif
-	--enable-logger-checks \
-	--with-dhcp-mysql --with-dhcp-pgsql \
-	--enable-perfdhcp --enable-shell
-make %{?_smp_mflags}
+%meson --install-umask 022 -D netconf=disabled
+%meson_build
+%meson_build doc
 
 %install
 b=%buildroot
-%make_install
+%meson_install
 find %buildroot -type f -name "*.la" -delete -print
-mkdir -p "$b/%_unitdir" "$b/%_tmpfilesdir" "$b/%_sysusersdir"
-cat <<-EOF >"$b/%_unitdir/kea.service"
-	[Unit]
-	Description=ISC Kea DHCP server
-	Before=multi-user.target
-	After=remote-fs.target network.target nss-lookup.target time-sync.target ldap.service ndsd.service
-	[Service]
-	Type=forking
-	Environment=KEA_PIDFILE_DIR=%_rundir/%name
-        RuntimeDirectory=kea
-	ExecStart=%_sbindir/keactrl start
-	ExecReload=%_sbindir/keactrl reload
-	ExecStop=%_sbindir/keactrl stop
-	[Install]
-	WantedBy=multi-user.target
-	Alias=dhcp-server.service
-EOF
-cat <<-EOF >"$b/%_tmpfilesdir/kea.conf"
-	d /run/kea 0775 keadhcp keadhcp -
-EOF
+mkdir -p "$b/%_unitdir" "$b/%_sysusersdir"
+cp %_sourcedir/*.service "$b/%_unitdir/"
 echo 'u keadhcp - "Kea DHCP server" /var/lib/kea' >system-user-keadhcp.conf
 cp -a system-user-keadhcp.conf "$b/%_sysusersdir/"
 %sysusers_generate_pre system-user-keadhcp.conf random system-user-keadhcp.conf
@@ -403,37 +396,84 @@ perl -i -pe 's{%_localstatedir/log/kea-}{%_localstatedir/log/kea/}' \
 mkdir -p "$b%_localstatedir/log/kea"
 
 # Remove unnecessary files
-find "%buildroot/%_libdir" -name "*.so.*" -type l -delete
 rm -Rf "%buildroot/%python3_sitelib/kea/__pycache__"
+# Remove meson-info directory as it contains non reproducable files
+rm -Rf "%{buildroot}/%{_datadir}/kea/meson-info"
+%fdupes %{buildroot}/%{_datadir}/doc/kea
 
 %pre -f random.pre
-systemd-tmpfiles --create kea.conf || :
-%service_add_pre kea.service
+%service_add_pre kea-dhcp4.service kea-dhcp6.service kea-dhcp-ddns.service kea-ctrl-agent.service
 
 %post
-%service_add_post kea.service
+%service_add_post kea-dhcp4.service kea-dhcp6.service kea-dhcp-ddns.service kea-ctrl-agent.service
+if [ "$1" -gt 1 ]; then
+	chown -R keadhcp:keadhcp "%_localstatedir/lib/kea"
+	chown -R keadhcp:keadhcp "%_localstatedir/log/kea"
+	find %_sysconfdir/kea/ -type f -name '*.conf' -exec chown root:keadhcp {} +
+	find %_sysconfdir/kea/ -type f -name '*.conf' -exec chmod 640 {} +
+fi
+bigkea_enabled=$(/usr/bin/systemctl is-enabled kea.service 2>/dev/null || :)
+bigkea_active=$(/usr/bin/systemctl is-active kea.service 2>/dev/null || :)
+use_dhcp4=$(grep -ie ^dhcp4=yes /etc/kea/keactrl.conf 2>/dev/null || :)
+use_dhcp6=$(grep -ie ^dhcp6=yes /etc/kea/keactrl.conf 2>/dev/null || :)
+use_ddns=$(grep -ie ^dhcp_ddns=yes /etc/kea/keactrl.conf 2>/dev/null || :)
+use_agent=$(grep -ie ^ctrl_agent=yes /etc/kea/keactrl.conf 2>/dev/null || :)
+if [ "$bigkea_enabled" = "enabled" ]; then
+	echo "Transferring enablement of kea.service to new split units..."
+	/usr/bin/systemctl disable kea.service || :
+	if [ -n "$use_dhcp4" ]; then
+		/usr/bin/systemctl enable kea-dhcp4.service || :
+	fi
+	if [ -n "$use_dhcp6" ]; then
+		/usr/bin/systemctl enable kea-dhcp6.service || :
+	fi
+	if [ -n "$use_ddns" ]; then
+		/usr/bin/systemctl enable kea-dhcp-ddns.service || :
+	fi
+	if [ -n "$use_agent" ]; then
+		/usr/bin/systemctl enable kea-ctrl-agent.service || :
+	fi
+fi
+if [ "$bigkea_active" = "active" ]; then
+	echo "Transferring active state of kea.service to new split units..."
+	/usr/bin/systemctl disable --now kea.service || :
+	if [ -n "$use_dhcp4" ]; then
+		/usr/bin/systemctl start kea-dhcp4.service || :
+	fi
+	if [ -n "$use_dhcp6" ]; then
+		/usr/bin/systemctl start kea-dhcp6.service || :
+	fi
+	if [ -n "$use_ddns" ]; then
+		/usr/bin/systemctl start kea-dhcp-ddns.service || :
+	fi
+	if [ -n "$use_agent" ]; then
+		/usr/bin/systemctl start kea-ctrl-agent.service || :
+	fi
+fi
 
 %preun
-%service_del_preun kea.service
+%service_del_preun kea-dhcp4.service kea-dhcp6.service kea-dhcp-ddns.service kea-ctrl-agent.service
 
 %postun
-%service_del_postun kea.service
+%service_del_postun kea-dhcp4.service kea-dhcp6.service kea-dhcp-ddns.service kea-ctrl-agent.service
 
 %ldconfig_scriptlets -n libkea-asiodns%asiodns_sover
 %ldconfig_scriptlets -n libkea-asiolink%asiolink_sover
 %ldconfig_scriptlets -n libkea-cc%cc_sover
-%ldconfig_scriptlets -n libkea-cfgclient%cfgclient_sover
+%ldconfig_scriptlets -n libkea-cfgrpt%cfgrpt_sover
+%ldconfig_scriptlets -n libkea-config%config_sover
 %ldconfig_scriptlets -n libkea-cryptolink%cryptolink_sover
 %ldconfig_scriptlets -n libkea-d2srv%d2srv_sover
 %ldconfig_scriptlets -n libkea-database%database_sover
-%ldconfig_scriptlets -n libkea-dhcp++%dhcppp_sover
+%ldconfig_scriptlets -n libkea-dhcp%dhcp_sover
 %ldconfig_scriptlets -n libkea-dhcp_ddns%dhcp_ddns_sover
 %ldconfig_scriptlets -n libkea-dhcpsrv%dhcpsrv_sover
-%ldconfig_scriptlets -n libkea-dns++%dnspp_sover
+%ldconfig_scriptlets -n libkea-dns%dns_sover
 %ldconfig_scriptlets -n libkea-eval%eval_sover
 %ldconfig_scriptlets -n libkea-exceptions%exceptions_sover
 %ldconfig_scriptlets -n libkea-hooks%hooks_sover
 %ldconfig_scriptlets -n libkea-http%http_sover
+%ldconfig_scriptlets -n libkea-log-interprocess%log_interprocess_sover
 %ldconfig_scriptlets -n libkea-log%log_sover
 %ldconfig_scriptlets -n libkea-mysql%mysql_sover
 %ldconfig_scriptlets -n libkea-pgsql%pgsql_sover
@@ -444,17 +484,16 @@ systemd-tmpfiles --create kea.conf || :
 %ldconfig_scriptlets -n libkea-util%util_sover
 
 %files
-%dir %_sysconfdir/kea
-%config(noreplace) %_sysconfdir/kea/*.conf
+%dir %attr(0755,root,root) %_sysconfdir/kea
+%config(noreplace) %attr(0640,root,keadhcp) %_sysconfdir/kea/*.conf
 %_mandir/man8/*.8%{?ext_man}
 %_sbindir/kea*
 %_sbindir/perfdhcp
 %_datadir/kea/
 %_unitdir/*.service
-%dir %_localstatedir/lib/kea
-%_tmpfilesdir/
-%_sysusersdir/
-%attr(0775,keadhcp,keadhcp) %_localstatedir/log/kea/
+%dir %attr(0750,keadhcp,keadhcp) %_localstatedir/lib/kea
+%_sysusersdir/*
+%attr(0750,keadhcp,keadhcp) %_localstatedir/log/kea/
 
 %files doc
 %doc %_datadir/doc/kea/
@@ -463,74 +502,107 @@ systemd-tmpfiles --create kea.conf || :
 %files hooks
 %dir %_libdir/kea
 %_libdir/kea/hooks/
+%dir %{_sysconfdir}/kea/radius
+%{_sysconfdir}/kea/radius/dictionary
 
 %files -n libkea-asiodns%asiodns_sover
+%_libdir/libkea-asiodns.so.%asiodns_sover
 %_libdir/libkea-asiodns.so.%asiodns_sover.*
 
 %files -n libkea-asiolink%asiolink_sover
+%_libdir/libkea-asiolink.so.%asiolink_sover
 %_libdir/libkea-asiolink.so.%asiolink_sover.*
 
 %files -n libkea-cc%cc_sover
+%_libdir/libkea-cc.so.%cc_sover
 %_libdir/libkea-cc.so.%cc_sover.*
 
-%files -n libkea-cfgclient%cfgclient_sover
-%_libdir/libkea-cfgclient.so.%cfgclient_sover.*
+%files -n libkea-cfgrpt%cfgrpt_sover
+%_libdir/libkea-cfgrpt.so.%cfgrpt_sover
+%_libdir/libkea-cfgrpt.so.%cfgrpt_sover.*
+
+%files -n libkea-config%config_sover
+%_libdir/libkea-config.so.%config_sover
+%_libdir/libkea-config.so.%config_sover.*
 
 %files -n libkea-cryptolink%cryptolink_sover
+%_libdir/libkea-cryptolink.so.%cryptolink_sover
 %_libdir/libkea-cryptolink.so.%cryptolink_sover.*
 
 %files -n libkea-d2srv%d2srv_sover
+%_libdir/libkea-d2srv.so.%d2srv_sover
 %_libdir/libkea-d2srv.so.%d2srv_sover.*
 
 %files -n libkea-database%database_sover
+%_libdir/libkea-database.so.%database_sover
 %_libdir/libkea-database.so.%database_sover.*
 
-%files -n libkea-dhcp++%dhcppp_sover
-%_libdir/libkea-dhcp++.so.%dhcppp_sover.*
+%files -n libkea-dhcp%dhcp_sover
+%_libdir/libkea-dhcp.so.%dhcp_sover
+%_libdir/libkea-dhcp.so.%dhcp_sover.*
 
 %files -n libkea-dhcp_ddns%dhcp_ddns_sover
+%_libdir/libkea-dhcp_ddns.so.%dhcp_ddns_sover
 %_libdir/libkea-dhcp_ddns.so.%dhcp_ddns_sover.*
 
 %files -n libkea-dhcpsrv%dhcpsrv_sover
+%_libdir/libkea-dhcpsrv.so.%dhcpsrv_sover
 %_libdir/libkea-dhcpsrv.so.%dhcpsrv_sover.*
 
-%files -n libkea-dns++%dnspp_sover
-%_libdir/libkea-dns++.so.%dnspp_sover.*
+%files -n libkea-dns%dns_sover
+%_libdir/libkea-dns.so.%dns_sover
+%_libdir/libkea-dns.so.%dns_sover.*
 
 %files -n libkea-eval%eval_sover
+%_libdir/libkea-eval.so.%eval_sover
 %_libdir/libkea-eval.so.%eval_sover.*
 
 %files -n libkea-exceptions%exceptions_sover
+%_libdir/libkea-exceptions.so.%exceptions_sover
 %_libdir/libkea-exceptions.so.%exceptions_sover.*
 
 %files -n libkea-hooks%hooks_sover
+%_libdir/libkea-hooks.so.%hooks_sover
 %_libdir/libkea-hooks.so.%hooks_sover.*
 
 %files -n libkea-http%http_sover
+%_libdir/libkea-http.so.%http_sover
 %_libdir/libkea-http.so.%http_sover.*
 
+%files -n libkea-log-interprocess%log_interprocess_sover
+%_libdir/libkea-log-interprocess.so.%log_interprocess_sover
+%_libdir/libkea-log-interprocess.so.%log_interprocess_sover.*
+
 %files -n libkea-log%log_sover
+%_libdir/libkea-log.so.%log_sover
 %_libdir/libkea-log.so.%log_sover.*
 
 %files -n libkea-mysql%mysql_sover
+%_libdir/libkea-mysql.so.%mysql_sover
 %_libdir/libkea-mysql.so.%mysql_sover.*
 
 %files -n libkea-pgsql%pgsql_sover
+%_libdir/libkea-pgsql.so.%pgsql_sover
 %_libdir/libkea-pgsql.so.%pgsql_sover.*
 
 %files -n libkea-process%process_sover
+%_libdir/libkea-process.so.%process_sover
 %_libdir/libkea-process.so.%process_sover.*
 
 %files -n libkea-stats%stats_sover
+%_libdir/libkea-stats.so.%stats_sover
 %_libdir/libkea-stats.so.%stats_sover.*
 
 %files -n libkea-tcp%tcp_sover
+%_libdir/libkea-tcp.so.%tcp_sover
 %_libdir/libkea-tcp.so.%tcp_sover.*
 
 %files -n libkea-util-io%util_io_sover
+%_libdir/libkea-util-io.so.%util_io_sover
 %_libdir/libkea-util-io.so.%util_io_sover.*
 
 %files -n libkea-util%util_sover
+%_libdir/libkea-util.so.%util_sover
 %_libdir/libkea-util.so.%util_sover.*
 
 %files -n python3-kea
@@ -539,5 +611,7 @@ systemd-tmpfiles --create kea.conf || :
 %files devel
 %_includedir/kea/
 %_libdir/libkea*.so
+%{_libdir}/pkgconfig/*.pc
+%{_bindir}/kea-msg-compiler
 
 %changelog