Merge pull request #2736 from webmin/feat-add/kea-dhcp

Add new Kea DHCP server module

kea-dhcp/acl_security.pl

@@ -0,0 +1,42 @@
+use strict;
+use warnings;
+no warnings 'redefine';
+no warnings 'uninitialized';
+
+require 'kea-dhcp-lib.pl'; ## no critic
+
+our (%in, %text);
+
+# acl_security_form(&options)
+# Output HTML for editing security options for the Kea DHCP module
+sub acl_security_form
+{
+my ($o) = @_;
+
+# Keep read-only capabilities separate from actions that change files or daemon
+# state, matching the way the module's tabs and buttons are gated.
+print ui_table_span(&ui_tag('b', &html_escape($text{'acl_section_view'})));
+foreach my $a (qw(dhcp4 dhcp6 ddns services runtime)) {
+	print ui_table_row($text{'acl_'.$a},
+			   ui_yesno_radio($a, kea_check_acl($a, $o)), 3);
+	}
+print ui_table_hr();
+print ui_table_span(&ui_tag('b', &html_escape($text{'acl_section_change'})));
+foreach my $a (qw(edit4 edit6 editddns manual apply install)) {
+	print ui_table_row($text{'acl_'.$a},
+			   ui_yesno_radio($a, kea_check_acl($a, $o)), 3);
+	}
+}
+
+# acl_security_save(&options)
+# Parse the form for security options for the Kea DHCP module
+sub acl_security_save
+{
+my ($o) = @_;
+
+foreach my $a (kea_acl_keys()) {
+	$o->{$a} = $in{$a} || 0;
+	}
+}
+
+1;

kea-dhcp/backup_config.pl

@@ -0,0 +1,46 @@
+
+use strict;
+use warnings;
+require 'kea-dhcp-lib.pl';
+
+# backup_config_files()
+# Returns files that can be backed up.
+sub backup_config_files
+{
+return &get_all_config_files();
+}
+
+# pre_backup()
+# Runs before Webmin backs up Kea configuration files.
+sub pre_backup
+{
+# No pre-backup daemon action is needed; Kea configs are ordinary files.
+return;
+}
+
+# post_backup()
+# Runs after Webmin completes a Kea configuration backup.
+sub post_backup
+{
+# Backups are read-only, so leave running services untouched.
+return;
+}
+
+# pre_restore()
+# Runs before Webmin restores Kea configuration files.
+sub pre_restore
+{
+# Restore writes happen before service reload, so there is nothing to prepare.
+return;
+}
+
+# post_restore()
+# Runs after Webmin restores Kea configuration files.
+sub post_restore
+{
+# If Kea was active before restore, reload it so restored files take effect.
+return &kea_run_action('restart') if (&kea_running_pids());
+return;
+}
+
+1;

kea-dhcp/config

@@ -0,0 +1,22 @@
+dhcp4_conf=/etc/kea/kea-dhcp4.conf
+dhcp6_conf=/etc/kea/kea-dhcp6.conf
+ddns_conf=/etc/kea/kea-dhcp-ddns.conf
+ctrl_agent_conf=/etc/kea/kea-ctrl-agent.conf
+dhcp4_path=/usr/sbin/kea-dhcp4
+dhcp6_path=/usr/sbin/kea-dhcp6
+ddns_path=/usr/sbin/kea-dhcp-ddns
+ctrl_agent_path=/usr/sbin/kea-ctrl-agent
+keactrl_path=/usr/sbin/keactrl
+dhcp4_lease_file=/var/lib/kea/kea-leases4.csv
+dhcp6_lease_file=/var/lib/kea/kea-leases6.csv
+dhcp4_pid_file=/run/kea/kea-dhcp4.kea-dhcp4.pid
+dhcp6_pid_file=/run/kea/kea-dhcp6.kea-dhcp6.pid
+ddns_pid_file=/run/kea/kea-dhcp-ddns.kea-dhcp-ddns.pid
+ctrl_agent_pid_file=/run/kea/kea-ctrl-agent.kea-ctrl-agent.pid
+dhcp4_unit=kea-dhcp4-server.service
+dhcp6_unit=kea-dhcp6-server.service
+ddns_unit=kea-dhcp-ddns-server.service
+ctrl_agent_unit=kea-ctrl-agent.service
+start_cmd=systemctl start kea-dhcp4-server.service kea-dhcp6-server.service kea-dhcp-ddns-server.service kea-ctrl-agent.service
+stop_cmd=systemctl stop kea-dhcp4-server.service kea-dhcp6-server.service kea-dhcp-ddns-server.service kea-ctrl-agent.service
+restart_cmd=systemctl restart kea-dhcp4-server.service kea-dhcp6-server.service kea-dhcp-ddns-server.service kea-ctrl-agent.service

kea-dhcp/config-freebsd

@@ -0,0 +1,22 @@
+dhcp4_conf=/usr/local/etc/kea/kea-dhcp4.conf
+dhcp6_conf=/usr/local/etc/kea/kea-dhcp6.conf
+ddns_conf=/usr/local/etc/kea/kea-dhcp-ddns.conf
+ctrl_agent_conf=/usr/local/etc/kea/kea-ctrl-agent.conf
+dhcp4_path=/usr/local/sbin/kea-dhcp4
+dhcp6_path=/usr/local/sbin/kea-dhcp6
+ddns_path=/usr/local/sbin/kea-dhcp-ddns
+ctrl_agent_path=/usr/local/sbin/kea-ctrl-agent
+keactrl_path=/usr/local/sbin/keactrl
+dhcp4_lease_file=/var/db/kea/kea-leases4.csv
+dhcp6_lease_file=/var/db/kea/kea-leases6.csv
+dhcp4_pid_file=/var/run/kea/kea-dhcp4.kea-dhcp4.pid
+dhcp6_pid_file=/var/run/kea/kea-dhcp6.kea-dhcp6.pid
+ddns_pid_file=/var/run/kea/kea-dhcp-ddns.kea-dhcp-ddns.pid
+ctrl_agent_pid_file=/var/run/kea/kea-ctrl-agent.kea-ctrl-agent.pid
+dhcp4_unit=
+dhcp6_unit=
+ddns_unit=
+ctrl_agent_unit=
+start_cmd=/usr/local/sbin/keactrl start
+stop_cmd=/usr/local/sbin/keactrl stop
+restart_cmd=/usr/local/sbin/keactrl reload

kea-dhcp/config-redhat-linux

@@ -0,0 +1,22 @@
+dhcp4_conf=/etc/kea/kea-dhcp4.conf
+dhcp6_conf=/etc/kea/kea-dhcp6.conf
+ddns_conf=/etc/kea/kea-dhcp-ddns.conf
+ctrl_agent_conf=/etc/kea/kea-ctrl-agent.conf
+dhcp4_path=/usr/sbin/kea-dhcp4
+dhcp6_path=/usr/sbin/kea-dhcp6
+ddns_path=/usr/sbin/kea-dhcp-ddns
+ctrl_agent_path=/usr/sbin/kea-ctrl-agent
+keactrl_path=/usr/sbin/keactrl
+dhcp4_lease_file=/var/lib/kea/kea-leases4.csv
+dhcp6_lease_file=/var/lib/kea/kea-leases6.csv
+dhcp4_pid_file=/run/kea/kea-dhcp4.kea-dhcp4.pid
+dhcp6_pid_file=/run/kea/kea-dhcp6.kea-dhcp6.pid
+ddns_pid_file=/run/kea/kea-dhcp-ddns.kea-dhcp-ddns.pid
+ctrl_agent_pid_file=/run/kea/kea-ctrl-agent.kea-ctrl-agent.pid
+dhcp4_unit=kea-dhcp4.service
+dhcp6_unit=kea-dhcp6.service
+ddns_unit=kea-dhcp-ddns.service
+ctrl_agent_unit=kea-ctrl-agent.service
+start_cmd=systemctl start kea-dhcp4.service kea-dhcp6.service kea-dhcp-ddns.service kea-ctrl-agent.service
+stop_cmd=systemctl stop kea-dhcp4.service kea-dhcp6.service kea-dhcp-ddns.service kea-ctrl-agent.service
+restart_cmd=systemctl restart kea-dhcp4.service kea-dhcp6.service kea-dhcp-ddns.service kea-ctrl-agent.service

kea-dhcp/config.info

@@ -0,0 +1,28 @@
+line1=Configuration files,11
+dhcp4_conf=Kea DHCPv4 config file,0
+dhcp6_conf=Kea DHCPv6 config file,0
+ddns_conf=Kea DHCP-DDNS config file,0
+ctrl_agent_conf=Kea Control Agent config file,0
+line2=Executables,11
+dhcp4_path=Kea DHCPv4 executable,0
+dhcp6_path=Kea DHCPv6 executable,0
+ddns_path=Kea DHCP-DDNS executable,0
+ctrl_agent_path=Kea Control Agent executable,0
+keactrl_path=Kea control script,0
+line3=Lease files,11
+dhcp4_lease_file=Kea DHCPv4 memfile leases file,0
+dhcp6_lease_file=Kea DHCPv6 memfile leases file,0
+line4=PID files,11
+dhcp4_pid_file=Kea DHCPv4 PID file,3,None
+dhcp6_pid_file=Kea DHCPv6 PID file,3,None
+ddns_pid_file=Kea DHCP-DDNS PID file,3,None
+ctrl_agent_pid_file=Kea Control Agent PID file,3,None
+line5=Systemd units,11
+dhcp4_unit=Kea DHCPv4 systemd unit,0
+dhcp6_unit=Kea DHCPv6 systemd unit,0
+ddns_unit=Kea DHCP-DDNS systemd unit,0
+ctrl_agent_unit=Kea Control Agent systemd unit,0
+line6=Commands,11
+start_cmd=Command to start Kea services,3,Use systemd service units
+stop_cmd=Command to stop Kea services,3,Use systemd service units
+restart_cmd=Command to apply Kea configuration,3,Restart systemd service units

kea-dhcp/defaultacl

@@ -0,0 +1,11 @@
+dhcp4=1
+dhcp6=1
+ddns=1
+services=1
+runtime=1
+edit4=1
+edit6=1
+editddns=1
+manual=1
+apply=1
+install=1

kea-dhcp/delete_objects.cgi

@@ -0,0 +1,53 @@
+#!/usr/local/bin/perl
+# Delete selected Kea DHCP subnets and shared networks.
+
+use strict;
+use warnings;
+require './kea-dhcp-lib.pl';
+&ReadParse();
+our (%in, %text);
+&error_setup($text{'eacl_aviol'});
+
+my $ver = $in{'version'} == 6 ? 6 : 4;
+&kea_assert_acl('edit'.$ver);
+my ($c, $root, $data, $err) = &kea_read_dhcp_config($ver);
+&error($err) if ($err);
+
+&error_setup($text{'delete_failsave'});
+my @shared = split(/\0/, defined($in{'d_shared'}) ? $in{'d_shared'} : "");
+my @subnets = split(/\0/, defined($in{'d_subnet'}) ? $in{'d_subnet'} : "");
+@shared || @subnets || &error($text{'delete_enone'});
+
+# Group subnet deletions by parent so indexes can be removed descending within
+# each array without disturbing later deletions.
+my %subnets_by_parent;
+foreach my $v (@subnets) {
+	$v =~ /^(\d*):(\d+)$/ || &error($text{'subnet_enone'});
+	my ($sidx, $idx) = ($1, $2);
+	&error($text{'subnet_enone'})
+		if (!&kea_valid_subnet_parent($root, $sidx));
+	my $list = &kea_subnet_list($root, $ver, $sidx);
+	&error($text{'subnet_enone'}) if (!$list->[$idx]);
+	push(@{$subnets_by_parent{$sidx}}, $idx);
+	}
+foreach my $sidx (keys %subnets_by_parent) {
+	my $list = &kea_subnet_list($root, $ver, $sidx);
+	foreach my $idx (sort { $b <=> $a } @{$subnets_by_parent{$sidx}}) {
+		splice(@$list, $idx, 1);
+		}
+	}
+
+# Shared networks are top-level siblings, so delete them after nested subnets.
+my $shareds = &kea_shared_networks($root);
+foreach my $idx (sort { $b <=> $a } @shared) {
+	$idx =~ /^\d+$/ || &error($text{'shared_enone'});
+	&error($text{'shared_enone'}) if (!$shareds->[$idx]);
+	my $subs = &kea_subnet_list($root, $ver, $idx);
+	&error($text{'shared_enonempty'}) if (@$subs);
+	splice(@$shareds, $idx, 1);
+	}
+
+my $saveerr = &kea_save_component_config($c, $data);
+&error($saveerr) if ($saveerr);
+&webmin_log("delete", "objects", scalar(@shared) + scalar(@subnets), \%in);
+&redirect("index.cgi?mode=dhcp$ver");

kea-dhcp/edit_ddns.cgi

@@ -0,0 +1,100 @@
+#!/usr/local/bin/perl
+# Edit settings for the Kea DHCP-DDNS daemon.
+
+use strict;
+use warnings;
+require './kea-dhcp-lib.pl';
+&ReadParse();
+our (%in, %text);
+&error_setup($text{'eacl_aviol'});
+&kea_assert_acl('editddns');
+
+my $c = &kea_component('ddns');
+my ($root, $err) = &kea_read_component_config($c);
+&error($err) if ($err);
+
+# D2 is a separate daemon shared by DHCPv4 and DHCPv6, so keep its settings
+# outside the protocol-specific global DHCP pages.
+&ui_print_header(undef, $text{'ddns_title'}, "", undef, 1, 1);
+print &kea_comment_loss_warning($c);
+print &ui_form_start("save_ddns.cgi", "post");
+
+my @tabs = (
+	[ 'listener', $text{'tab_listener'} ],
+	[ 'zones', $text{'tab_zones'} ],
+	[ 'tsig', $text{'tab_tsig'} ],
+	[ 'logging', $text{'tab_logging'} ],
+	);
+print &ui_tabs_start(\@tabs, "mode", $in{'mode'} || "listener", 1);
+
+# The listener receives name-change requests from DHCPv4/DHCPv6 and exposes a
+# local control socket for daemon management.
+print &ui_tabs_start_tab("mode", "listener");
+print &ui_div($text{'ddns_listener_desc'});
+print &ui_alert_box($text{'ddns_listener_warn'}, "warn", undef, undef, "")
+	if (&kea_ddns_listener_non_loopback($root));
+print &ui_alert_box($text{'ddns_listener_warn_loopback'}, "warn", undef, undef, "")
+	if (!&kea_ddns_listener_non_loopback($root) &&
+	    &kea_ddns_listener_non_default_loopback($root));
+print &ui_table_start($text{'ddns_listener'}, "width=100%", 4);
+print &ui_table_row(&kea_field_hlink('ddns-ip-address',
+				     $text{'ddns_ip_address'}),
+	&ui_textbox("ip_address", $root->{'ip-address'} || "", 24));
+print &ui_table_row(&kea_field_hlink('ddns-port', $text{'ddns_port'}),
+	&ui_textbox("port", defined($root->{'port'}) ? $root->{'port'} : "",
+		    8));
+print &ui_table_row(&kea_field_hlink('ddns-timeout', $text{'ddns_timeout'}),
+	&ui_textbox("dns_server_timeout",
+		    defined($root->{'dns-server-timeout'}) ?
+			$root->{'dns-server-timeout'} : "", 8));
+print &ui_table_row(&kea_field_hlink('ncr-protocol',
+				     $text{'ddns_ncr_protocol'}),
+	&ui_select("ncr_protocol", $root->{'ncr-protocol'} || "UDP",
+		&kea_select_options($root->{'ncr-protocol'}, $text{'socket_default'},
+				    'UDP')));
+print &ui_table_row(&kea_field_hlink('ncr-format', $text{'ddns_ncr_format'}),
+	&ui_select("ncr_format", $root->{'ncr-format'} || "JSON",
+		&kea_select_options($root->{'ncr-format'}, $text{'socket_default'},
+				    'JSON')));
+print &ui_table_end();
+
+my $socket = ref($root->{'control-socket'}) eq 'HASH' ?
+	$root->{'control-socket'} : { };
+print &ui_table_start($text{'control_socket'}, "width=100%", 4);
+print &ui_table_row(&kea_field_hlink('control-socket-type',
+				     $text{'control_socket_type'}),
+	&ui_select("control_socket_type", $socket->{'socket-type'} || "",
+		[ [ "", $text{'socket_default'} ],
+		  [ "unix", "Unix" ] ]));
+print &ui_table_row(&kea_field_hlink('control-socket-name',
+				     $text{'control_socket_name'}),
+	&ui_textbox("control_socket_name", $socket->{'socket-name'} || "", 50));
+print &ui_table_end();
+print &ui_tabs_end_tab("mode", "listener");
+
+# Forward and reverse DDNS domains tell D2 where to send DNS updates.
+print &ui_tabs_start_tab("mode", "zones");
+print &ui_div($text{'ddns_zones_desc'});
+print &ui_subheading($text{'ddns_forward'});
+&kea_ddns_domain_rows(&kea_ddns_domains($root, 'forward-ddns'), "fwd_");
+print &ui_subheading($text{'ddns_reverse'});
+&kea_ddns_domain_rows(&kea_ddns_domains($root, 'reverse-ddns'), "rev_");
+print &ui_tabs_end_tab("mode", "zones");
+
+# TSIG keys are referenced by update domains using key-name.
+print &ui_tabs_start_tab("mode", "tsig");
+print &ui_div($text{'ddns_tsig_desc'});
+print &ui_subheading($text{'ddns_tsig_keys'});
+&kea_tsig_key_rows($root->{'tsig-keys'}, "key_");
+print &ui_tabs_end_tab("mode", "tsig");
+
+# D2 uses the same Kea logger format as the DHCP daemons.
+print &ui_tabs_start_tab("mode", "logging");
+print &ui_div($text{'logging_desc'});
+print &ui_subheading($text{'logging_loggers'});
+&kea_logger_rows($root->{'loggers'}, "log_");
+print &ui_tabs_end_tab("mode", "logging");
+print &ui_tabs_end();
+
+print &ui_form_end([ [ "save", $text{'save'} ] ]);
+&ui_print_footer("index.cgi?mode=ddns", $text{'index_return'});

kea-dhcp/edit_options.cgi

@@ -0,0 +1,245 @@
+#!/usr/local/bin/perl
+# Edit global Kea DHCP options for DHCPv4 or DHCPv6.
+
+use strict;
+use warnings;
+require './kea-dhcp-lib.pl';
+&ReadParse();
+our (%in, %text);
+&error_setup($text{'eacl_aviol'});
+
+my $ver = $in{'version'} == 6 ? 6 : 4;
+&kea_assert_acl('edit'.$ver);
+my ($c, $root, $data, $err) = &kea_read_dhcp_config($ver);
+&error($err) if ($err);
+
+# Render one global settings form for either Dhcp4 or Dhcp6. Each tab writes
+# back to the same JSON root object, so the save handler can update all fields
+# in one pass without losing hidden tab values.
+&ui_print_header(undef, &text('options_title', $ver), "", undef, 1, 1);
+print &kea_comment_loss_warning($c);
+print &ui_alert_box($text{'dhcp6_ra_warn'}, "warn", undef, undef, "")
+	if ($ver == 6);
+print &ui_form_start("save_options.cgi", "post");
+print &ui_hidden("version", $ver);
+
+my @tabs = (
+	[ 'interfaces', $text{'tab_interfaces'} ],
+	[ 'storage', $text{'tab_storage'} ],
+	[ 'logging', $text{'tab_logging'} ],
+	[ 'ddns_sender', $text{'tab_ddns_sender'} ],
+	[ 'timers', $text{'tab_timers'} ],
+	[ 'options', $text{'tab_options'} ],
+	[ 'advanced', $text{'tab_advanced'} ],
+	);
+print &ui_tabs_start(\@tabs, "mode", $in{'mode'} || "interfaces", 1);
+
+# Interfaces decide whether Kea listens at all. The DHCPv4 socket mode is kept
+# beside the interface list because it only affects packet capture on DHCPv4.
+print &ui_tabs_start_tab("mode", "interfaces");
+print &ui_div($text{'interfaces_desc'});
+my $ifconf = ref($root->{'interfaces-config'}) eq 'HASH' ?
+	$root->{'interfaces-config'} : { };
+my $ifaces = ref($ifconf->{'interfaces'}) eq 'ARRAY' ?
+	join(" ", @{$ifconf->{'interfaces'}}) : "";
+print &ui_table_start($text{'interfaces_title'}, "width=100%", 4);
+print &ui_table_row(&kea_field_hlink('interfaces', $text{'interfaces_list'}),
+	&ui_textbox("interfaces", $ifaces, 60));
+if ($ver == 4) {
+	print &ui_table_row(&kea_field_hlink('dhcp-socket-type',
+					     $text{'interfaces_socket'}),
+		&ui_select("dhcp-socket-type", $ifconf->{'dhcp-socket-type'} || "",
+			[ [ "", $text{'socket_default'} ],
+			  [ "raw", $text{'socket_raw'} ],
+			  [ "udp", $text{'socket_udp'} ] ]));
+	}
+print &ui_table_end();
+print &ui_tabs_end_tab("mode", "interfaces");
+
+# Storage and control sockets are global daemon settings, not subnet settings.
+print &ui_tabs_start_tab("mode", "storage");
+print &ui_div($text{'storage_desc'});
+my $lease = ref($root->{'lease-database'}) eq 'HASH' ?
+	$root->{'lease-database'} : { };
+print &ui_table_start($text{'lease_database'}, "width=100%", 4);
+print &ui_table_row(&kea_field_hlink('lease-database-type', $text{'lease_type'}),
+	&ui_textbox("lease_type", $lease->{'type'} || "", 20));
+print &ui_table_row(&kea_field_hlink('lfc-interval',
+				     $text{'lease_lfc_interval'}),
+	&ui_textbox("lease_lfc_interval", $lease->{'lfc-interval'} || "", 12));
+print &ui_table_row(&kea_field_hlink('lease-database-name',
+				     $text{'lease_name'}),
+	&ui_textbox("lease_name", $lease->{'name'} || "", 30));
+print &ui_table_row(&kea_field_hlink('lease-database-host',
+				     $text{'lease_host'}),
+	&ui_textbox("lease_host", $lease->{'host'} || "", 30));
+print &ui_table_row(&kea_field_hlink('lease-database-port',
+				     $text{'lease_port'}),
+	&ui_textbox("lease_port", $lease->{'port'} || "", 8));
+print &ui_table_row(&kea_field_hlink('lease-database-user',
+				     $text{'lease_user'}),
+	&ui_textbox("lease_user", $lease->{'user'} || "", 24));
+my $password_note = $lease->{'password'} ?
+	" ".&ui_tag('small', $text{'secret_keep_blank'}, {
+		'style' => 'color:var(--text-color-light, #777)' }) : "";
+print &ui_table_row(&kea_field_hlink('lease-database-password',
+				     $text{'lease_password'}),
+	&ui_password("lease_password", "", 24).$password_note);
+print &ui_table_end();
+
+my $socket = ref($root->{'control-socket'}) eq 'HASH' ?
+	$root->{'control-socket'} : { };
+print &ui_table_start($text{'control_socket'}, "width=100%", 4);
+print &ui_table_row(&kea_field_hlink('control-socket-type',
+				     $text{'control_socket_type'}),
+	&ui_select("control_socket_type", $socket->{'socket-type'} || "",
+		[ [ "", $text{'socket_default'} ],
+		  [ "unix", "Unix" ] ]));
+print &ui_table_row(&kea_field_hlink('control-socket-name',
+				     $text{'control_socket_name'}),
+	&ui_textbox("control_socket_name", $socket->{'socket-name'} || "", 50));
+print &ui_table_end();
+print &ui_tabs_end_tab("mode", "storage");
+
+# Logger settings live at the daemon root, beside lease database and timers.
+print &ui_tabs_start_tab("mode", "logging");
+print &ui_div($text{'logging_desc'});
+print &ui_subheading($text{'logging_loggers'});
+&kea_logger_rows($root->{'loggers'}, "log_");
+print &ui_tabs_end_tab("mode", "logging");
+
+# DHCP-DDNS sender settings control whether this daemon submits name-change
+# requests to the standalone D2 daemon. They are distinct from D2's own
+# listener/zones/keys settings.
+print &ui_tabs_start_tab("mode", "ddns_sender");
+print &ui_div(&text('ddns_sender_settings_desc', $ver));
+my $ddns = ref($root->{'dhcp-ddns'}) eq 'HASH' ?
+	$root->{'dhcp-ddns'} : { };
+my $bool_opts = [
+	[ "", $text{'inherit_default'} ],
+	[ "true", $text{'yes'} ],
+	[ "false", $text{'no'} ],
+	];
+print &ui_table_start($text{'ddns_sender_connectivity'}, "width=100%", 4);
+print &ui_table_row(&kea_field_hlink('ddns-enable-updates',
+				     $text{'ddns_enable_updates'}),
+	&ui_select("ddns_enable_updates",
+		&kea_bool_value($ddns->{'enable-updates'}), $bool_opts));
+print &ui_table_row(&kea_field_hlink('ddns-server-ip',
+				     $text{'ddns_server_ip'}),
+	&ui_textbox("ddns_server_ip", $ddns->{'server-ip'} || "", 24));
+print &ui_table_row(&kea_field_hlink('ddns-server-port',
+				     $text{'ddns_server_port'}),
+	&ui_textbox("ddns_server_port",
+		    defined($ddns->{'server-port'}) ? $ddns->{'server-port'} : "",
+		    8));
+print &ui_table_row(&kea_field_hlink('ddns-sender-ip',
+				     $text{'ddns_sender_ip'}),
+	&ui_textbox("ddns_sender_ip", $ddns->{'sender-ip'} || "", 24));
+print &ui_table_row(&kea_field_hlink('ddns-sender-port',
+				     $text{'ddns_sender_port'}),
+	&ui_textbox("ddns_sender_port",
+		    defined($ddns->{'sender-port'}) ? $ddns->{'sender-port'} : "",
+		    8));
+print &ui_table_row(&kea_field_hlink('ddns-max-queue-size',
+				     $text{'ddns_max_queue_size'}),
+	&ui_textbox("ddns_max_queue_size",
+		    defined($ddns->{'max-queue-size'}) ?
+			$ddns->{'max-queue-size'} : "", 10));
+print &ui_table_row(&kea_field_hlink('ncr-protocol',
+				     $text{'ddns_ncr_protocol'}),
+	&ui_select("ddns_ncr_protocol", $ddns->{'ncr-protocol'} || "",
+		&kea_select_options($ddns->{'ncr-protocol'},
+				    $text{'socket_default'}, 'UDP')));
+print &ui_table_row(&kea_field_hlink('ncr-format',
+				     $text{'ddns_ncr_format'}),
+	&ui_select("ddns_ncr_format", $ddns->{'ncr-format'} || "",
+		&kea_select_options($ddns->{'ncr-format'},
+				    $text{'socket_default'}, 'JSON')));
+print &ui_table_end();
+
+print &ui_table_start($text{'ddns_sender_behavior'}, "width=100%", 4);
+my %ddns_bool_labels = (
+	'ddns-send-updates' => $text{'ddns_send_updates'},
+	'ddns-override-no-update' => $text{'ddns_override_no_update'},
+	'ddns-override-client-update' => $text{'ddns_override_client_update'},
+	'ddns-update-on-renew' => $text{'ddns_update_on_renew'},
+	);
+foreach my $k ('ddns-send-updates', 'ddns-override-no-update',
+	       'ddns-override-client-update', 'ddns-update-on-renew') {
+	print &ui_table_row(&kea_field_hlink($k, $ddns_bool_labels{$k}),
+		&ui_select($k, &kea_bool_value($root->{$k}), $bool_opts));
+	}
+print &ui_table_row(&kea_field_hlink('ddns-replace-client-name',
+				     $text{'ddns_replace_client_name'}),
+	&ui_select("ddns-replace-client-name",
+		$root->{'ddns-replace-client-name'} || "",
+		&kea_select_options($root->{'ddns-replace-client-name'},
+				    $text{'socket_default'},
+				    'never', 'when-present',
+				    'when-not-present', 'always')));
+my %ddns_text_labels = (
+	'ddns-generated-prefix' => $text{'ddns_generated_prefix'},
+	'ddns-qualifying-suffix' => $text{'ddns_qualifying_suffix'},
+	'ddns-conflict-resolution-mode' => $text{'ddns_conflict_resolution_mode'},
+	'hostname-char-set' => $text{'hostname_char_set'},
+	'hostname-char-replacement' => $text{'hostname_char_replacement'},
+	);
+foreach my $k ('ddns-generated-prefix', 'ddns-qualifying-suffix',
+	       'ddns-conflict-resolution-mode', 'hostname-char-set',
+	       'hostname-char-replacement') {
+	print &ui_table_row(&kea_field_hlink($k, $ddns_text_labels{$k}),
+		&ui_textbox($k, defined($root->{$k}) ? $root->{$k} : "", 32));
+	}
+print &ui_table_end();
+print &ui_tabs_end_tab("mode", "ddns_sender");
+
+# Timer defaults apply only when shared networks or subnets do not override.
+print &ui_tabs_start_tab("mode", "timers");
+print &ui_div($text{'timers_desc'});
+print &ui_table_start($text{'options_timers'}, "width=100%", 4);
+foreach my $k ('renew-timer', 'rebind-timer', 'valid-lifetime',
+	       'min-valid-lifetime', 'max-valid-lifetime') {
+	print &ui_table_row(&kea_field_hlink($k),
+		&ui_textbox($k, defined($root->{$k}) ? $root->{$k} : "", 12));
+	}
+print &ui_table_row(&kea_field_hlink('preferred-lifetime'),
+	&ui_textbox("preferred-lifetime",
+		    defined($root->{'preferred-lifetime'}) ? $root->{'preferred-lifetime'} : "", 12))
+	if ($ver == 6);
+print &ui_table_end();
+print &ui_tabs_end_tab("mode", "timers");
+
+# Common options get named fields; everything else remains editable in the
+# additional option-data table below them.
+print &ui_tabs_start_tab("mode", "options");
+print &ui_div($text{'options_desc'});
+&kea_common_option_rows($root->{'option-data'}, $ver, "common_");
+&kea_option_data_section($root->{'option-data'}, "opt_", $ver, 1);
+print &ui_tabs_end_tab("mode", "options");
+
+# Advanced fields are valid Kea globals but are easy to misuse, so keep them
+# away from the everyday options page.
+print &ui_tabs_start_tab("mode", "advanced");
+print &ui_div(&text('global_advanced_desc', $ver));
+print &ui_table_start($text{'global_advanced'}, "width=100%", 4);
+if ($ver == 4) {
+	print &ui_table_row(&kea_field_hlink('authoritative'),
+		&ui_select("authoritative", &kea_bool_value($root->{'authoritative'}),
+			[ [ "", $text{'inherit_default'} ],
+			  [ "true", $text{'yes'} ],
+			  [ "false", $text{'no'} ] ]));
+	}
+&kea_advanced_option_rows($root->{'option-data'}, $ver, "adv_");
+if ($ver == 4) {
+	foreach my $k ('next-server', 'server-hostname', 'boot-file-name') {
+		print &ui_table_row(&kea_field_hlink($k),
+			&ui_textbox($k, defined($root->{$k}) ? $root->{$k} : "", 40));
+		}
+	}
+print &ui_table_end();
+print &ui_tabs_end_tab("mode", "advanced");
+print &ui_tabs_end();
+
+print &ui_form_end([ [ "save", $text{'save'} ] ]);
+&ui_print_footer("index.cgi?mode=dhcp$ver", $text{'index_return'});

kea-dhcp/edit_shared.cgi

@@ -0,0 +1,128 @@
+#!/usr/local/bin/perl
+# Edit or create a Kea shared network.
+
+use strict;
+use warnings;
+require './kea-dhcp-lib.pl';
+&ReadParse();
+our (%in, %text);
+&error_setup($text{'eacl_aviol'});
+
+my $ver = $in{'version'} == 6 ? 6 : 4;
+&kea_assert_acl('edit'.$ver);
+my ($c, $root, $data, $err) = &kea_read_dhcp_config($ver);
+&error($err) if ($err);
+my $shareds = &kea_shared_networks($root);
+&error($text{'shared_enone'})
+	if (!$in{'new'} && (!defined($in{'idx'}) || $in{'idx'} !~ /^\d+$/));
+my $shared = $in{'new'} ? { } : $shareds->[$in{'idx'}];
+&error($text{'shared_enone'}) if (!$shared);
+
+# Shared networks are containers for same-link subnets. New shared networks do
+# not show the Subnets tab until they have a stable index to attach subnets to.
+my $title = $in{'new'} ? $text{'shared_create'} : $text{'shared_edit'};
+&ui_print_header(undef, $title, "", undef, 1, 1);
+print &kea_comment_loss_warning($c);
+print &ui_form_start("save_shared.cgi", "post");
+print &ui_hidden("version", $ver);
+print &ui_hidden("new", 1) if ($in{'new'});
+print &ui_hidden("idx", $in{'idx'}) if (!$in{'new'});
+
+my @tabs = (
+	[ 'general', $text{'tab_general'} ],
+	[ 'options', $text{'tab_options'} ],
+	[ 'advanced', $text{'tab_advanced'} ],
+	);
+splice(@tabs, 1, 0, [ 'subnets', $text{'tab_subnets'} ])
+	if (!$in{'new'});
+my $mode = $in{'mode'} || "general";
+$mode = "general" if ($in{'new'} && $mode eq "subnets");
+print &ui_tabs_start(\@tabs, "mode", $mode, 1);
+
+# General data identifies the shared network and optionally scopes it to an
+# interface or relay address used by Kea during subnet selection.
+print &ui_tabs_start_tab("mode", "general");
+print &ui_div($text{'shared_general_desc'});
+print &ui_table_start($text{'shared_general'}, "width=100%", 4);
+print &ui_table_row(&kea_field_hlink('shared-network-name',
+				     $text{'shared_name'}),
+	&ui_textbox("name", $shared->{'name'} || "", 40));
+print &ui_table_row(&kea_field_hlink('description', $text{'shared_desc'}),
+	&ui_textbox("desc", &kea_get_comment($shared) || "", 60));
+print &ui_table_row(&kea_field_hlink('interface'),
+	&ui_textbox("interface", $shared->{'interface'} || "", 30));
+print &ui_table_row(&kea_field_hlink('relay_ip_addresses'),
+	&ui_textbox("relay_ip_addresses",
+		    join(" ", &kea_relay_addresses($shared)), 50));
+print &ui_table_end();
+print &ui_tabs_end_tab("mode", "general");
+
+if (!$in{'new'}) {
+	# Existing shared networks can show their member subnets and provide a
+	# shortcut for creating a subnet directly under this parent.
+	print &ui_tabs_start_tab("mode", "subnets");
+	print &ui_div($text{'shared_subnets_desc'});
+	my $subs = &kea_subnet_list($root, $ver, $in{'idx'});
+	print &ui_columns_start([
+	$text{'col_id'}, $text{'col_subnet'}, $text{'col_pools'},
+	$text{'col_reservations'}, $text{'col_options'} ], 100);
+for(my $i=0; $i<@$subs; $i++) {
+	my $s = $subs->[$i];
+	print &ui_columns_row([
+		$s->{'id'} || "",
+		&ui_link("edit_subnet.cgi?version=$ver&sidx=$in{'idx'}&idx=$i",
+			 &html_escape($s->{'subnet'} || "")),
+		&kea_count_array($s, 'pools'),
+		&kea_count_array($s, 'reservations'),
+		&kea_count_array($s, 'option-data'),
+		]);
+	}
+print &ui_columns_row([ &ui_tag('i', &html_escape($text{'index_empty'})) ],
+		       [ "colspan=5" ])
+	if (!@$subs);
+print &ui_columns_end();
+print &ui_link_button("edit_subnet.cgi?version=$ver&sidx=$in{'idx'}&new=1",
+		      $text{'index_add_subnet'});
+print &ui_tabs_end_tab("mode", "subnets");
+}
+
+# Shared-network options are inherited by subnets unless a more specific scope
+# overrides them.
+print &ui_tabs_start_tab("mode", "options");
+print &ui_div($text{'shared_options_desc'});
+&kea_common_option_rows($shared->{'option-data'}, $ver, "common_");
+&kea_option_data_section($shared->{'option-data'}, "opt_", $ver);
+print &ui_tabs_end_tab("mode", "options");
+
+# Advanced shared-network settings mirror Kea fields that affect all member
+# subnets, including timers and protocol-specific behavior flags.
+print &ui_tabs_start_tab("mode", "advanced");
+print &ui_div($text{'shared_advanced_desc'});
+print &ui_table_start($text{'shared_advanced'}, "width=100%", 4);
+if ($ver == 4) {
+	print &ui_table_row(&kea_field_hlink('authoritative'),
+		&ui_select("authoritative", &kea_bool_value($shared->{'authoritative'}),
+			[ [ "", $text{'inherit_default'} ],
+			  [ "true", $text{'yes'} ],
+			  [ "false", $text{'no'} ] ]));
+	}
+foreach my $k ('renew-timer', 'rebind-timer', 'valid-lifetime',
+	       'min-valid-lifetime', 'max-valid-lifetime') {
+	print &ui_table_row(&kea_field_hlink($k),
+		&ui_textbox($k, defined($shared->{$k}) ? $shared->{$k} : "", 12));
+	}
+print &ui_table_row(&kea_field_hlink('preferred-lifetime'),
+	&ui_textbox("preferred-lifetime",
+		    defined($shared->{'preferred-lifetime'}) ? $shared->{'preferred-lifetime'} : "", 12))
+	if ($ver == 6);
+&kea_advanced_option_rows($shared->{'option-data'}, $ver, "adv_");
+print &ui_table_end();
+print &ui_tabs_end_tab("mode", "advanced");
+
+print &ui_tabs_end();
+
+my @buttons = $in{'new'} ? ([ "save", $text{'create'} ]) :
+			    ([ "save", $text{'save'} ],
+			     [ "delete", $text{'delete'} ]);
+print &ui_form_end(\@buttons);
+&ui_print_footer("", $text{'index_return'});

kea-dhcp/edit_subnet.cgi

@@ -0,0 +1,257 @@
+#!/usr/local/bin/perl
+# Edit or create a Kea subnet.
+
+use strict;
+use warnings;
+require './kea-dhcp-lib.pl';
+&ReadParse();
+our (%in, %text);
+&error_setup($text{'eacl_aviol'});
+
+my $ver = $in{'version'} == 6 ? 6 : 4;
+&kea_assert_acl('edit'.$ver);
+my ($c, $root, $data, $err) = &kea_read_dhcp_config($ver);
+&error($err) if ($err);
+my $sidx = defined($in{'sidx'}) ? $in{'sidx'} : "";
+&error($text{'subnet_enone'}) if (!&kea_valid_subnet_parent($root, $sidx));
+&error($text{'subnet_enone'})
+	if (!$in{'new'} && (!defined($in{'idx'}) || $in{'idx'} !~ /^\d+$/));
+my $sub = $in{'new'} ? { 'id' => &kea_next_subnet_id($root, $ver) }
+		      : &kea_get_subnet($root, $ver, $sidx, $in{'idx'});
+&error($text{'subnet_enone'}) if (!$sub);
+
+# Main request flow: render the tabbed subnet editor, then delegate repeated
+# row-heavy controls to helpers below.
+my $title = $in{'new'} ? $text{'subnet_create'} : $text{'subnet_edit'};
+&ui_print_header(undef, $title, "", undef, 1, 1);
+print &kea_comment_loss_warning($c);
+print &ui_form_start("save_subnet.cgi", "post");
+print &ui_hidden("version", $ver);
+print &ui_hidden("new", 1) if ($in{'new'});
+print &ui_hidden("idx", $in{'idx'}) if (!$in{'new'});
+print &ui_hidden("sidx", $sidx) if ($sidx ne '');
+
+my @tabs = (
+	[ 'general', $text{'tab_general'} ],
+	[ 'pools', $text{'tab_pools'} ],
+	[ 'reservations', $text{'tab_reservations'} ],
+	[ 'options', $text{'tab_options'} ],
+	[ 'advanced', $text{'tab_advanced'} ],
+	);
+print &ui_tabs_start(\@tabs, "mode", $in{'mode'} || "general", 1);
+
+# General owns the required subnet identity plus the parent shared-network
+# pointer, which determines where the subnet is stored in Kea JSON.
+print &ui_tabs_start_tab("mode", "general");
+print &ui_div($text{'subnet_general_desc'});
+print &ui_table_start($text{'subnet_general'}, "width=100%", 4);
+print &ui_table_row(&kea_field_hlink('subnet-id', $text{'subnet_id'}),
+	&ui_textbox("id", $sub->{'id'} || "", 8));
+print &ui_table_row(&kea_field_hlink('subnet-prefix',
+				     $text{'subnet_prefix'}),
+	&ui_textbox("subnet", $sub->{'subnet'} || "", 40));
+print &ui_table_row(&kea_field_hlink('calculated-subnet-mask',
+				     $text{'subnet_mask_auto'}),
+	&ui_tag('tt', &html_escape(&kea_ipv4_mask_from_subnet($sub->{'subnet'} || "")
+				   || $text{'index_empty'})))
+	if ($ver == 4);
+print &ui_table_row(&kea_field_hlink('description', $text{'subnet_desc'}),
+	&ui_textbox("desc", &kea_get_comment($sub) || "", 60));
+
+# A subnet may be top-level or nested under a shared network. Kea stores those
+# in different arrays, so the selected parent is carried through saves.
+my @shared_opts = ([ "", "<$text{'shared_none'}>" ]);
+my $shareds = &kea_shared_networks($root);
+for(my $i=0; $i<@$shareds; $i++) {
+	push(@shared_opts, [ $i, &kea_scope_name($shareds->[$i], &text('index_shared_num', $i+1)) ]);
+	}
+print &ui_table_row(&kea_field_hlink('shared-network',
+					     $text{'subnet_shared'}),
+	&ui_select("parent", $sidx ne '' ? $sidx : "", \@shared_opts));
+print &ui_table_end();
+print &ui_tabs_end_tab("mode", "general");
+
+# Pools are row editors: DHCPv4/DHCPv6 address pools are common, while prefix
+# delegation is rendered only for DHCPv6.
+print &ui_tabs_start_tab("mode", "pools");
+print &ui_div($text{'subnet_pools_desc'});
+&pool_rows($sub->{'pools'});
+if ($ver == 6) {
+	print &ui_subheading($text{'pd_pools'});
+	&pd_pool_rows($sub->{'pd-pools'});
+	}
+print &ui_tabs_end_tab("mode", "pools");
+
+# Reservations stay compact here, but the parser preserves advanced fields that
+# the UI does not expose.
+print &ui_tabs_start_tab("mode", "reservations");
+print &ui_div($text{'subnet_reservations_desc'});
+&reservation_rows($sub->{'reservations'}, $ver);
+print &ui_tabs_end_tab("mode", "reservations");
+
+# Option editing is split between named common fields and generic option-data
+# rows so uncommon options can still round-trip.
+print &ui_tabs_start_tab("mode", "options");
+print &ui_div($text{'subnet_options_desc'});
+&kea_common_option_rows($sub->{'option-data'}, $ver, "common_");
+&kea_option_data_section($sub->{'option-data'}, "opt_", $ver);
+print &ui_tabs_end_tab("mode", "options");
+
+# Advanced values affect subnet selection, relay matching, lease timing, and
+# DHCPv4 boot fields. They are top-level subnet keys, not normal options.
+print &ui_tabs_start_tab("mode", "advanced");
+print &ui_div($text{'subnet_advanced_desc'});
+print &ui_table_start($text{'subnet_advanced'}, "width=100%", 4);
+print &ui_table_row(&kea_field_hlink('interface'),
+	&ui_textbox("interface", &text_value($sub->{'interface'}), 30));
+print &ui_table_row(&kea_field_hlink('relay_ip_addresses'),
+	&ui_textbox("relay_ip_addresses",
+		    join(" ", &kea_relay_addresses($sub)), 50));
+if ($ver == 4) {
+	print &ui_table_row(&kea_field_hlink('authoritative'),
+		&ui_select("authoritative", &kea_bool_value($sub->{'authoritative'}),
+			[ [ "", $text{'inherit_default'} ],
+			  [ "true", $text{'yes'} ],
+			  [ "false", $text{'no'} ] ]));
+	}
+foreach my $k ('renew-timer', 'rebind-timer', 'valid-lifetime',
+	       'min-valid-lifetime', 'max-valid-lifetime') {
+	print &ui_table_row(&kea_field_hlink($k),
+		&ui_textbox($k, &text_value($sub->{$k}), 12));
+	}
+print &ui_table_row(&kea_field_hlink('preferred-lifetime'),
+	&ui_textbox("preferred-lifetime", &text_value($sub->{'preferred-lifetime'}), 12))
+	if ($ver == 6);
+foreach my $k ('next-server', 'server-hostname', 'boot-file-name') {
+	print &ui_table_row(&kea_field_hlink($k),
+		&ui_textbox($k, &text_value($sub->{$k}), 40))
+		    if ($ver == 4);
+	}
+&kea_advanced_option_rows($sub->{'option-data'}, $ver, "adv_");
+print &ui_table_end();
+print &ui_tabs_end_tab("mode", "advanced");
+
+print &ui_tabs_end();
+
+my @buttons = $in{'new'} ? ([ "save", $text{'create'} ]) :
+			    ([ "save", $text{'save'} ],
+			     [ "delete", $text{'delete'} ]);
+print &ui_form_end(\@buttons);
+&ui_print_footer("", $text{'index_return'});
+
+# text_value(value)
+# Returns a defined scalar for textboxes without hiding valid zero values.
+sub text_value
+{
+my ($v) = @_;
+return defined($v) ? $v : "";
+}
+
+# pool_rows(&pools)
+# Renders address pools with one extra empty row for adding a pool.
+sub pool_rows
+{
+my ($pools) = @_;
+$pools = [ ] if (ref($pools) ne 'ARRAY');
+print &ui_table_start($text{'tab_pools'}, "width=100%", 2);
+
+# Always include one empty row so adding a pool does not need a separate
+# client-side table mutation.
+for(my $i=0; $i<=$#$pools+1; $i++) {
+	my $p = $pools->[$i] || { };
+	print &ui_table_row(&kea_field_hlink('address-pool',
+					     $text{'pool_range'}),
+		&ui_textbox("pool_pool_$i", $p->{'pool'} || "", 60));
+	}
+print &ui_table_end();
+}
+
+# pd_pool_rows(&pd-pools)
+# Renders DHCPv6 prefix delegation pools with room for one new entry.
+sub pd_pool_rows
+{
+my ($pools) = @_;
+$pools = [ ] if (ref($pools) ne 'ARRAY');
+
+# Prefix delegation rows are wider than standard form rows, so keep them in the
+# same table wrapper used by generic option-data editors.
+print &ui_tag_start('div', { 'class' => 'option-data-table' });
+print &ui_columns_start([
+	&kea_field_hlink('pd-prefix', $text{'pd_prefix'}),
+	&kea_field_hlink('pd-prefix-len', $text{'pd_prefix_len'}),
+	&kea_field_hlink('pd-delegated-len', $text{'pd_delegated_len'}),
+	&kea_field_hlink('pd-excluded-prefix', $text{'pd_excluded_prefix'}),
+	&kea_field_hlink('pd-excluded-prefix-len',
+			 $text{'pd_excluded_prefix_len'}) ], 100);
+for(my $i=0; $i<=$#$pools+1; $i++) {
+	my $p = $pools->[$i] || { };
+	print &ui_columns_row([
+		&ui_textbox("pd_prefix_$i", $p->{'prefix'} || "", 26),
+		&ui_textbox("pd_prefix_len_$i", $p->{'prefix-len'} || "", 5),
+		&ui_textbox("pd_delegated_len_$i", $p->{'delegated-len'} || "", 5),
+		&ui_textbox("pd_excluded_prefix_$i", $p->{'excluded-prefix'} || "", 26),
+		&ui_textbox("pd_excluded_prefix_len_$i", $p->{'excluded-prefix-len'} || "", 5),
+		]);
+	}
+print &ui_columns_end();
+print &ui_tag_end('div');
+}
+
+# reservation_rows(&reservations, version)
+# Renders host reservations without trying to flatten every advanced Kea field.
+sub reservation_rows
+{
+my ($reservations, $ver) = @_;
+$reservations = [ ] if (ref($reservations) ne 'ARRAY');
+
+# Kea accepts different reservation identifiers per protocol; the dropdown is
+# limited to identifiers that the selected daemon can actually use.
+my @types = $ver == 6 ?
+	([ 'duid', 'DUID' ], [ 'hw-address', $text{'res_hw'} ],
+	 [ 'flex-id', 'Flex ID' ]) :
+	([ 'hw-address', $text{'res_hw'} ], [ 'client-id', $text{'res_client'} ],
+	 [ 'duid', 'DUID' ], [ 'circuit-id', $text{'res_circuit'} ],
+	 [ 'flex-id', 'Flex ID' ]);
+my @heads = ( &kea_field_hlink('reservation-identifier-type',
+			       $text{'res_type'}),
+	      &kea_field_hlink('reservation-identifier',
+			       $text{'res_identifier'}),
+	      $ver == 6 ?
+		&kea_field_hlink('reservation-addresses',
+				 $text{'res_addresses'}) :
+		&kea_field_hlink('reservation-address',
+				 $text{'res_address'}),
+	      &kea_field_hlink('reservation-hostname',
+			       $text{'res_hostname'}) );
+push(@heads, &kea_field_hlink('reservation-prefixes',
+			      $text{'res_prefixes'})) if ($ver == 6);
+print &ui_tag_start('div', { 'class' => 'option-data-table' });
+print &ui_columns_start(\@heads, 100);
+
+# Pick the first identifier field already present, otherwise default to the
+# common identifier for the protocol.
+for(my $i=0; $i<=$#$reservations+1; $i++) {
+	my $r = $reservations->[$i] || { };
+	my $rtype = "";
+	foreach my $k (map { $_->[0] } @types) {
+		if (defined($r->{$k})) {
+			$rtype = $k;
+			last;
+			}
+		}
+	$rtype ||= $types[0]->[0];
+	my $addr = $ver == 6 ? join(" ", @{$r->{'ip-addresses'} || [ ]}) :
+			       $r->{'ip-address'};
+	my @cols = (
+		&ui_select("res_type_$i", $rtype, \@types),
+		&ui_textbox("res_identifier_$i", $r->{$rtype} || "", 28),
+		&ui_textbox("res_address_$i", $addr || "", 32),
+		&ui_textbox("res_hostname_$i", $r->{'hostname'} || "", 22),
+		);
+	push(@cols, &ui_textbox("res_prefixes_$i",
+		join(" ", @{$r->{'prefixes'} || [ ]}), 30)) if ($ver == 6);
+	print &ui_columns_row(\@cols);
+	}
+print &ui_columns_end();
+print &ui_tag_end('div');
+}

kea-dhcp/edit_text.cgi

@@ -0,0 +1,42 @@
+#!/usr/local/bin/perl
+# Edit Kea files as raw text.
+
+use strict;
+use warnings;
+require './kea-dhcp-lib.pl';
+&ReadParse();
+our (%in, %text);
+&error_setup($text{'eacl_aviol'});
+&kea_assert_acl('manual');
+
+my @files = &kea_manual_edit_files();
+&error($text{'edit_enofile'}) if (!@files);
+my $info = &kea_manual_edit_file($in{'file'}) || $files[0];
+my $file = $info->{'file'};
+&error($text{'save_efile'}) if (!$file);
+
+# The manual editor is intentionally constrained to known Kea config files and
+# Control Agent password files discovered by the library.
+my $data = "";
+if (-r $file) {
+	&lock_file($file);
+	$data = &read_file_contents($file);
+	&unlock_file($file);
+	}
+
+&ui_print_header(undef, $text{'index_edit_manual'}, "", undef, 1, 1);
+
+# Keep file selection and file contents as separate forms, matching nftables.
+print &ui_form_start("edit_text.cgi");
+print &ui_tag('b', &html_escape($text{'edit_select'})),"\n";
+print &ui_select("file", $file, [ map { $_->{'file'} } @files ]),"\n";
+print &ui_submit($text{'edit_ok'});
+print &ui_form_end();
+
+print &ui_form_start("save_text.cgi", "form-data");
+print &ui_hidden("file", $file);
+print &ui_table_start(undef, undef, 2);
+print &ui_table_row(undef, &ui_textarea("data", $data, 30, 120), 2);
+print &ui_table_end();
+print &ui_form_end([ [ "save", $text{'save'} ] ]);
+&ui_print_footer("index.cgi", $text{'index_return'});

kea-dhcp/help/field_address_pool.html

@@ -0,0 +1,9 @@
+<header>Address pool</header>
+
+Dynamic lease range inside the subnet. DHCPv4 pools are usually ranges such as <tt>192.0.2.10 - 192.0.2.200</tt>; DHCPv6 pools are often prefixes such as <tt>2001:db8:1::/80</tt>.
+<p>
+
+If a subnet has no pools, ordinary clients will not receive dynamic leases unless matching reservations exist.
+<p>
+
+<footer>

kea-dhcp/help/field_authoritative.html

@@ -0,0 +1,9 @@
+<header>Authoritative</header>
+
+Controls whether Kea treats this scope as authoritative for clients on the network. An authoritative server can actively reject clients that ask for addresses that are not valid on this network.
+<p>
+
+Leave this unset to inherit the value from the broader Kea scope. Set it explicitly only when this shared network or subnet needs behavior different from the global daemon setting.
+<p>
+
+<footer>

kea-dhcp/help/field_boot_file_name.html

@@ -0,0 +1,9 @@
+<header>Boot file name</header>
+
+Sets the DHCPv4 BOOTP <tt>file</tt> field, often used by PXE and iPXE clients to find the boot program. This is a packet field, not the same thing as a normal <tt>option-data</tt> row.
+<p>
+
+Leave it empty unless your boot clients specifically expect the BOOTP file field instead of, or in addition to, DHCP boot options.
+<p>
+
+<footer>

kea-dhcp/help/field_calculated_subnet_mask.html

@@ -0,0 +1,9 @@
+<header>Calculated subnet mask</header>
+
+Read-only IPv4 subnet mask derived from the subnet prefix. Kea manages the DHCPv4 <tt>subnet-mask</tt> option automatically from the subnet definition.
+<p>
+
+This value is shown for clarity and is not saved as an editable <tt>option-data</tt> entry.
+<p>
+
+<footer>

kea-dhcp/help/field_control_socket_name.html

@@ -0,0 +1,9 @@
+<header>Socket name</header>
+
+Name or path of the Kea control socket for this daemon. Kea uses this socket for runtime commands such as configuration reloads and status operations.
+<p>
+
+The value must match any Control Agent configuration that forwards commands to this daemon.
+<p>
+
+<footer>

kea-dhcp/help/field_control_socket_type.html

@@ -0,0 +1,9 @@
+<header>Socket type</header>
+
+Type of Kea control socket configured for this daemon. Webmin currently exposes Unix sockets because they are the standard local management channel for packaged Kea services.
+<p>
+
+Leave empty to keep the existing Kea default, or select Unix when you want the daemon to accept local control commands through a socket file.
+<p>
+
+<footer>

kea-dhcp/help/field_ddns_conflict_resolution_mode.html

@@ -0,0 +1,7 @@
+<header>Conflict resolution mode</header>
+
+Controls how Kea handles existing DNS records that may belong to another client. This affects the safety checks D2 performs before replacing records.<p>
+
+Leave empty for Kea's default unless you have a deliberate policy for handling conflicts between DHCP clients and existing DNS data.<p>
+
+<footer>

kea-dhcp/help/field_ddns_domain_key.html

@@ -0,0 +1,7 @@
+<header>DDNS TSIG key name</header>
+
+Name of the TSIG key used to sign updates for this DNS zone. It must match a key defined in the TSIG keys tab and a key accepted by the authoritative DNS server.<p>
+
+Leave empty only for zones that intentionally accept unsigned updates on a trusted network.<p>
+
+<footer>

kea-dhcp/help/field_ddns_domain_name.html

@@ -0,0 +1,7 @@
+<header>DDNS domain name</header>
+
+DNS zone name that D2 can update, such as <tt>example.com.</tt> for forward updates or a reverse zone such as <tt>2.0.192.in-addr.arpa.</tt>.<p>
+
+Use the fully qualified zone name expected by the authoritative DNS server. A trailing dot avoids ambiguity.<p>
+
+<footer>

kea-dhcp/help/field_ddns_domain_port.html

@@ -0,0 +1,9 @@
+<header>DDNS server port</header>
+
+DNS port used when sending updates to the authoritative servers listed in this row. Leave empty to use the server default, normally port <tt>53</tt>.<p>
+
+When set, this port is applied to each server address in the same row.<p>
+
+If an existing row uses different ports for different servers, Webmin shows that as mixed per-server ports. Leaving the field empty keeps those per-server values unchanged.<p>
+
+<footer>

kea-dhcp/help/field_ddns_domain_servers.html

@@ -0,0 +1,7 @@
+<header>DDNS server addresses</header>
+
+Authoritative DNS server addresses that should receive updates for this zone. Enter one or more IP addresses separated by spaces or commas.<p>
+
+These are the DNS servers D2 updates after it receives name-change requests from DHCPv4 or DHCPv6.<p>
+
+<footer>

kea-dhcp/help/field_ddns_enable_updates.html

@@ -0,0 +1,7 @@
+<header>Enable updates</header>
+
+Controls whether this DHCP daemon sends Name Change Requests to the DHCP-DDNS daemon. This only enables the sender side; the DHCP-DDNS listener, DNS zones, and TSIG keys must also be configured for updates to succeed.<p>
+
+Set this to <tt>Yes</tt> when DHCPv4 or DHCPv6 should ask D2 to maintain DNS records for leases. Leave it unset to use Kea's default behavior.<p>
+
+<footer>

kea-dhcp/help/field_ddns_generated_prefix.html

@@ -0,0 +1,7 @@
+<header>Generated hostname prefix</header>
+
+Prefix used when Kea generates a hostname for a client instead of using the client-supplied name. The generated name is combined with other Kea-generated data and the qualifying suffix.<p>
+
+Choose a short prefix that clearly identifies names created by DHCP, such as <tt>host</tt> or <tt>dhcp</tt>.<p>
+
+<footer>

kea-dhcp/help/field_ddns_ip_address.html

@@ -0,0 +1,7 @@
+<header>DHCP-DDNS IP address</header>
+
+Address where the Kea DHCP-DDNS daemon listens for name-change requests from DHCPv4 and DHCPv6. Most packaged configurations bind this to <tt>127.0.0.1</tt> so only local Kea daemons can submit DNS update requests.<p>
+
+Use a non-local address only when D2 must accept requests from another trusted host and firewall rules protect the listener.<p>
+
+<footer>

kea-dhcp/help/field_ddns_max_queue_size.html

@@ -0,0 +1,7 @@
+<header>Maximum queue size</header>
+
+Maximum number of outstanding Name Change Requests this DHCP daemon can queue for D2. When the queue fills, new DNS update requests can be delayed or rejected by Kea.<p>
+
+Leave empty for Kea's default unless DNS updates are being produced faster than D2 can process them.<p>
+
+<footer>

kea-dhcp/help/field_ddns_override_client_update.html

@@ -0,0 +1,7 @@
+<header>Override client update request</header>
+
+Allows Kea to perform DNS updates even when the client asks to update its own DNS records. This is useful when the server must remain authoritative for lease-related names.<p>
+
+Leave unset unless the deployment requires server-managed DNS records for all clients.<p>
+
+<footer>

kea-dhcp/help/field_ddns_override_no_update.html

@@ -0,0 +1,7 @@
+<header>Override client no-update request</header>
+
+Allows Kea to send DNS updates even when a client requests that the server should not update DNS on its behalf.<p>
+
+Enable this only when local DNS policy should override client preference. Leave unset to follow Kea's inherited behavior.<p>
+
+<footer>

kea-dhcp/help/field_ddns_port.html

@@ -0,0 +1,7 @@
+<header>DHCP-DDNS port</header>
+
+UDP port used by the Kea DHCP-DDNS daemon to receive name-change requests. The common packaged default is <tt>53001</tt>.<p>
+
+This is not the DNS server port. It is the local D2 intake port used by Kea DHCP daemons before D2 sends updates to authoritative DNS servers.<p>
+
+<footer>

kea-dhcp/help/field_ddns_qualifying_suffix.html

@@ -0,0 +1,7 @@
+<header>Qualifying suffix</header>
+
+DNS suffix appended to client hostnames before Kea sends dynamic DNS updates. This is usually the forward zone that should contain DHCP-managed client records.<p>
+
+Use a fully qualified domain name such as <tt>home.arpa.</tt> or <tt>example.org.</tt>. Leave empty to inherit Kea's default behavior.<p>
+
+<footer>

kea-dhcp/help/field_ddns_replace_client_name.html

@@ -0,0 +1,7 @@
+<header>Replace client name</header>
+
+Controls when Kea replaces the hostname supplied by a client before sending DNS updates. Replacement can be disabled, always enabled, or limited to clients that did or did not send a name.<p>
+
+Use this with the generated hostname prefix and qualifying suffix when client-provided names are missing, unsafe, or not trusted.<p>
+
+<footer>

kea-dhcp/help/field_ddns_send_updates.html

@@ -0,0 +1,7 @@
+<header>Send DDNS updates</header>
+
+Controls whether this scope participates in dynamic DNS updates. It is a behavior setting that works together with the sender connection settings above.<p>
+
+Leave unset to inherit Kea's default or a broader scope's value. Set explicitly only when this DHCP daemon or scope should force updates on or off.<p>
+
+<footer>

kea-dhcp/help/field_ddns_sender_ip.html

@@ -0,0 +1,7 @@
+<header>Sender IP address</header>
+
+Local IP address this DHCP daemon uses as the source for Name Change Requests sent to D2. Most installations leave this empty and allow Kea to choose a suitable source address.<p>
+
+Use this only when the server has multiple addresses and D2 must receive updates from a specific local source.<p>
+
+<footer>

kea-dhcp/help/field_ddns_sender_port.html

@@ -0,0 +1,7 @@
+<header>Sender port</header>
+
+Local UDP source port used when this DHCP daemon sends Name Change Requests. Most installations leave this empty so Kea can choose the default behavior.<p>
+
+Set this only when firewall rules or local policy require a fixed sender port.<p>
+
+<footer>

kea-dhcp/help/field_ddns_server_ip.html

@@ -0,0 +1,7 @@
+<header>Server IP address</header>
+
+IP address of the DHCP-DDNS daemon that receives Name Change Requests from this DHCP daemon. This value should match the listener address configured on the DHCP-DDNS settings page.<p>
+
+Loopback addresses such as <tt>127.0.0.1</tt> are typical when D2 runs on the same host as the DHCP daemon.<p>
+
+<footer>

kea-dhcp/help/field_ddns_server_port.html

@@ -0,0 +1,7 @@
+<header>Server port</header>
+
+UDP port on which the DHCP-DDNS daemon accepts Name Change Requests. This value should match the listener port configured for D2.<p>
+
+The common Kea default is <tt>53001</tt>. Leave empty only when the packaged or inherited Kea default should be used.<p>
+
+<footer>

kea-dhcp/help/field_ddns_timeout.html

@@ -0,0 +1,7 @@
+<header>DNS server timeout, ms</header>
+
+Maximum time, in milliseconds, that the DHCP-DDNS daemon waits for a response from one authoritative DNS server while processing a DNS update. Kea uses its built-in default when this field is empty.<p>
+
+Increase this only when the DNS servers are reachable but slow to answer. Very large values can delay processing of queued name-change requests.<p>
+
+<footer>

kea-dhcp/help/field_ddns_update_on_renew.html

@@ -0,0 +1,7 @@
+<header>Update on renew</header>
+
+Controls whether Kea sends DNS updates again when a lease is renewed. This can refresh DNS state even when the address did not change.<p>
+
+Enable it when DNS update state may expire or be changed outside Kea. Leave unset to use the inherited Kea behavior.<p>
+
+<footer>

kea-dhcp/help/field_description.html

@@ -0,0 +1,9 @@
+<header>Description</header>
+
+Optional administrator note stored in Kea <tt>user-context</tt>. It is useful for explaining what a shared network or subnet represents without affecting DHCP behavior.
+<p>
+
+Leave it empty when no operational note is needed.
+<p>
+
+<footer>

kea-dhcp/help/field_dhcp_socket_type.html

@@ -0,0 +1,9 @@
+<header>DHCPv4 socket type</header>
+
+Controls how the DHCPv4 daemon receives packets. The default raw socket mode is usually best for directly connected clients because it can receive broadcasts from clients that do not yet have an address.
+<p>
+
+Choose UDP only for networks where DHCP traffic is relayed and raw packet capture is not needed.
+<p>
+
+<footer>

kea-dhcp/help/field_hostname_char_replacement.html

@@ -0,0 +1,7 @@
+<header>Hostname replacement character</header>
+
+Character or string used to replace disallowed hostname characters matched by the hostname character set. A hyphen is common because it is valid in DNS labels.<p>
+
+Leave empty unless hostname sanitizing is configured.<p>
+
+<footer>

kea-dhcp/help/field_hostname_char_set.html

@@ -0,0 +1,7 @@
+<header>Hostname character set</header>
+
+Pattern that identifies hostname characters Kea should replace before sending dynamic DNS updates. This helps keep generated DNS names valid and predictable.<p>
+
+Use this only when client hostnames need sanitizing beyond Kea's default behavior.<p>
+
+<footer>

kea-dhcp/help/field_interface.html

@@ -0,0 +1,9 @@
+<header>Interface</header>
+
+Limits this shared network or subnet to packets received on one interface. Kea can use this during subnet selection when multiple networks or relays are present.
+<p>
+
+Leave empty to let Kea use its normal subnet selection rules based on the configured subnets and relay information.
+<p>
+
+<footer>

kea-dhcp/help/field_interfaces.html

@@ -0,0 +1,9 @@
+<header>Listen on interfaces</header>
+
+Lists the network interfaces or interface/address pairs that this Kea daemon should listen on. Leave the list empty only when you want the packaged Kea default; on many systems that means the daemon starts but does not serve DHCP until interfaces are configured.
+<p>
+
+Use spaces between entries, for example <tt>eth0</tt>, <tt>eth0/192.0.2.1</tt>, or <tt>*</tt> when the Kea version and local policy allow listening on all interfaces.
+<p>
+
+<footer>

kea-dhcp/help/field_lease_database_host.html

@@ -0,0 +1,9 @@
+<header>Database host</header>
+
+Host name or address of the SQL server used for lease storage. This is normally empty for the local <tt>memfile</tt> backend.
+<p>
+
+Set this only when the selected backend connects to an external database service.
+<p>
+
+<footer>

kea-dhcp/help/field_lease_database_name.html

@@ -0,0 +1,9 @@
+<header>Database name or file</header>
+
+For SQL lease backends, this is the database name. For backends that use a local file, it can identify the lease file or backend-specific storage target.
+<p>
+
+Leave empty for <tt>memfile</tt> unless your Kea deployment explicitly uses a non-default lease file name.
+<p>
+
+<footer>

kea-dhcp/help/field_lease_database_password.html

@@ -0,0 +1,9 @@
+<header>Database password</header>
+
+Password used with the database user for SQL lease storage. It is stored in the Kea configuration file, so protect the file permissions when this field is used.
+<p>
+
+Leave empty unless the selected lease backend requires password authentication. When a password is already configured, leaving this field empty keeps the existing secret unchanged.
+<p>
+
+<footer>

kea-dhcp/help/field_lease_database_port.html

@@ -0,0 +1,9 @@
+<header>Database port</header>
+
+TCP port used by the SQL lease database backend. Leave it empty to use the backend's default port.
+<p>
+
+This field is ignored by the usual <tt>memfile</tt> backend.
+<p>
+
+<footer>

kea-dhcp/help/field_lease_database_type.html

@@ -0,0 +1,9 @@
+<header>Backend type</header>
+
+Selects the lease database backend used by this Kea daemon. The common default is <tt>memfile</tt>, which keeps leases in memory and writes them to a local CSV lease file.
+<p>
+
+SQL backends such as MySQL or PostgreSQL need matching Kea packages and the database connection fields below.
+<p>
+
+<footer>

kea-dhcp/help/field_lease_database_user.html

@@ -0,0 +1,9 @@
+<header>Database user</header>
+
+User name Kea uses when connecting to an SQL lease database. The account needs the permissions required by Kea for lease reads and writes.
+<p>
+
+Leave empty for <tt>memfile</tt> and other deployments that do not authenticate to a database server.
+<p>
+
+<footer>

kea-dhcp/help/field_lfc_interval.html

@@ -0,0 +1,9 @@
+<header>Lease file cleanup interval</header>
+
+For the <tt>memfile</tt> backend, this is the lease file cleanup interval in seconds. Kea periodically compacts lease files so old or superseded lease records do not grow without bound.
+<p>
+
+Leave the value empty to use Kea's backend default, or set it when you want explicit control over cleanup frequency.
+<p>
+
+<footer>

kea-dhcp/help/field_logger_debuglevel.html

@@ -0,0 +1,9 @@
+<header>Debug level</header>
+
+Debug verbosity used when the logger severity is <tt>DEBUG</tt>. Higher values produce more detailed Kea diagnostics.
+<p>
+
+Leave it at <tt>0</tt> unless you are following a specific troubleshooting procedure.
+<p>
+
+<footer>

kea-dhcp/help/field_logger_name.html

@@ -0,0 +1,9 @@
+<header>Logger name</header>
+
+Kea logger category to configure, such as <tt>kea-dhcp4</tt>, <tt>kea-dhcp6</tt>, <tt>kea-dhcp-ddns</tt>, or <tt>kea-ctrl-agent</tt>. The logger name decides which daemon messages this row controls.
+<p>
+
+Most systems need one logger matching the daemon name.
+<p>
+
+<footer>

kea-dhcp/help/field_logger_output.html

@@ -0,0 +1,9 @@
+<header>Output</header>
+
+Destination for log messages from this logger. Common values are <tt>stdout</tt>, <tt>stderr</tt>, <tt>syslog</tt>, or a file path.
+<p>
+
+Packaged systemd services often use <tt>stdout</tt> so messages are collected by the journal.
+<p>
+
+<footer>

kea-dhcp/help/field_logger_pattern.html

@@ -0,0 +1,9 @@
+<header>Pattern</header>
+
+Formatting pattern used for messages written by this logger. Kea patterns can include severity, message text, timestamps, and other fields.
+<p>
+
+The common systemd-friendly pattern <tt>%-5p %m\n</tt> keeps journal messages short by omitting redundant metadata.
+<p>
+
+<footer>

kea-dhcp/help/field_logger_severity.html

@@ -0,0 +1,9 @@
+<header>Severity</header>
+
+Minimum log severity written by this logger. Common values are <tt>INFO</tt>, <tt>WARN</tt>, <tt>ERROR</tt>, and <tt>DEBUG</tt>.
+<p>
+
+Use <tt>DEBUG</tt> only while troubleshooting, because it can generate a large amount of log output.
+<p>
+
+<footer>

kea-dhcp/help/field_max_valid_lifetime.html

@@ -0,0 +1,9 @@
+<header>Maximum valid lifetime</header>
+
+Maximum lease lifetime, in seconds, that Kea can grant when a client asks for a lease time. This caps unusually long lease requests while still allowing normal clients to use the default valid lifetime.
+<p>
+
+Leave empty unless this scope needs a different maximum from the inherited setting.
+<p>
+
+<footer>

kea-dhcp/help/field_min_valid_lifetime.html

@@ -0,0 +1,9 @@
+<header>Minimum valid lifetime</header>
+
+Minimum lease lifetime, in seconds, that Kea can grant when a client asks for a lease time. This prevents clients from requesting leases shorter than your operational minimum.
+<p>
+
+Leave empty unless this scope needs a different minimum from the inherited setting.
+<p>
+
+<footer>

kea-dhcp/help/field_ncr_format.html

@@ -0,0 +1,7 @@
+<header>NCR format</header>
+
+Encoding format for Name Change Requests handled by the DHCP-DDNS daemon. Kea commonly uses <tt>JSON</tt>.<p>
+
+Leave this empty when the packaged default should be used. Set it only when matching an explicit DHCPv4 or DHCPv6 DDNS configuration.<p>
+
+<footer>

kea-dhcp/help/field_ncr_protocol.html

@@ -0,0 +1,7 @@
+<header>NCR protocol</header>
+
+Protocol used for Name Change Requests sent from Kea DHCP daemons to the DHCP-DDNS daemon. Kea deployments normally use <tt>UDP</tt> here.<p>
+
+Leave this empty to keep the daemon default unless your Kea configuration explicitly sets a different supported transport.<p>
+
+<footer>

kea-dhcp/help/field_next_server.html

@@ -0,0 +1,9 @@
+<header>Next server</header>
+
+Sets the DHCPv4 <tt>siaddr</tt> field, commonly used to point PXE clients at a boot server. This is a BOOTP packet field and is separate from DHCP option 66.
+<p>
+
+Leave empty unless your boot workflow requires this packet field.
+<p>
+
+<footer>

kea-dhcp/help/field_option_code.html

@@ -0,0 +1,9 @@
+<header>Code</header>
+
+Numeric DHCP option code for an <tt>option-data</tt> row. This is useful for uncommon options, vendor options, or options that are easier to identify by number.
+<p>
+
+Do not use a code that is already represented by one of the named fields above on the same page.
+<p>
+
+<footer>

kea-dhcp/help/field_option_data.html

@@ -0,0 +1,9 @@
+<header>Data</header>
+
+Value sent for this DHCP option, written in Kea <tt>option-data</tt> format. Many common options use comma-separated values, while some options use strings, numbers, or hexadecimal data.
+<p>
+
+Use the format expected by the option definition; Webmin stores the value exactly as <tt>option-data</tt>.
+<p>
+
+<footer>

kea-dhcp/help/field_option_name.html

@@ -0,0 +1,9 @@
+<header>Name</header>
+
+Kea <tt>option-data</tt> name, such as <tt>domain-name-servers</tt> or <tt>routers</tt>. Use a name when Kea has a standard symbolic name for the option.
+<p>
+
+Leave this empty when you are specifying the option by numeric code instead.
+<p>
+
+<footer>

kea-dhcp/help/field_option_space.html

@@ -0,0 +1,9 @@
+<header>Space</header>
+
+Option space for this <tt>option-data</tt> entry. Most normal DHCPv4 options use <tt>dhcp4</tt>, and most normal DHCPv6 options use <tt>dhcp6</tt>.
+<p>
+
+Set this for vendor or encapsulated options that belong to another option space.
+<p>
+
+<footer>

kea-dhcp/help/field_pd_delegated_len.html

@@ -0,0 +1,9 @@
+<header>Delegated length</header>
+
+Length of each prefix delegated to clients from the pool. For example, delegating /64 prefixes from a /56 pool allows up to 256 delegated prefixes.
+<p>
+
+The delegated length must be longer than the pool prefix length.
+<p>
+
+<footer>

kea-dhcp/help/field_pd_excluded_prefix.html

@@ -0,0 +1,9 @@
+<header>Excluded prefix</header>
+
+Optional IPv6 prefix inside the delegation pool that Kea must not delegate. Use this when part of the pool is reserved for infrastructure or another purpose.
+<p>
+
+Leave empty unless your prefix delegation plan requires an exclusion.
+<p>
+
+<footer>

kea-dhcp/help/field_pd_excluded_prefix_len.html

@@ -0,0 +1,9 @@
+<header>Excluded length</header>
+
+Prefix length of the excluded delegation range. It is only meaningful when an excluded prefix is also set.
+<p>
+
+The excluded range must fit inside the prefix delegation pool.
+<p>
+
+<footer>

kea-dhcp/help/field_pd_prefix.html

@@ -0,0 +1,9 @@
+<header>Prefix</header>
+
+IPv6 prefix used as the source for prefix delegation leases. Kea delegates smaller prefixes from this pool to requesting routers.
+<p>
+
+Set this only for DHCPv6 networks that provide prefix delegation.
+<p>
+
+<footer>

kea-dhcp/help/field_pd_prefix_len.html

@@ -0,0 +1,9 @@
+<header>Prefix length</header>
+
+Length of the IPv6 prefix delegation pool. For example, a prefix of <tt>2001:db8:8::</tt> with length <tt>56</tt> defines a /56 pool.
+<p>
+
+This must match the size of the prefix you are making available for delegation.
+<p>
+
+<footer>

kea-dhcp/help/field_preferred_lifetime.html

@@ -0,0 +1,9 @@
+<header>Preferred lifetime</header>
+
+Default DHCPv6 preferred lifetime, in seconds. This controls how long an address remains preferred before it becomes deprecated but still valid.
+<p>
+
+It should normally be less than or equal to the valid lifetime for the same scope.
+<p>
+
+<footer>

kea-dhcp/help/field_rebind_timer.html

@@ -0,0 +1,9 @@
+<header>Rebind timer</header>
+
+Default T2 rebind timer, in seconds. Clients use this when renewal with the original server has not succeeded and they need to contact any available server.
+<p>
+
+It should normally be greater than the renew timer and less than the valid lifetime.
+<p>
+
+<footer>

kea-dhcp/help/field_relay_ip_addresses.html

@@ -0,0 +1,9 @@
+<header>Relay IP addresses</header>
+
+Relay agent addresses used by Kea to select this shared network or subnet. This is important for routed or VLAN networks where DHCP requests arrive through relay agents rather than directly connected clients.
+<p>
+
+Enter multiple addresses separated by spaces.
+<p>
+
+<footer>

kea-dhcp/help/field_renew_timer.html

@@ -0,0 +1,9 @@
+<header>Renew timer</header>
+
+Default T1 renew timer, in seconds. Clients use this as the first point at which they try to renew a lease with the server that granted it.
+<p>
+
+It should normally be less than the rebind timer and valid lifetime.
+<p>
+
+<footer>

kea-dhcp/help/field_reservation_address.html

@@ -0,0 +1,9 @@
+<header>IP address</header>
+
+Reserved IPv4 address assigned to the matching client. The address should belong to the subnet, unless your Kea reservation policy intentionally allows out-of-pool reservations.
+<p>
+
+Avoid assigning the same reserved address to more than one client.
+<p>
+
+<footer>

kea-dhcp/help/field_reservation_addresses.html

@@ -0,0 +1,9 @@
+<header>IP addresses</header>
+
+Reserved IPv6 addresses assigned to the matching client. Multiple addresses can be entered when a client should receive more than one reserved address.
+<p>
+
+Separate multiple values with spaces.
+<p>
+
+<footer>

kea-dhcp/help/field_reservation_hostname.html

@@ -0,0 +1,9 @@
+<header>Hostname</header>
+
+Hostname associated with this reservation. Kea can use it for client responses and, when DDNS is configured, for name update decisions.
+<p>
+
+Leave empty when the reservation should not set a hostname.
+<p>
+
+<footer>

kea-dhcp/help/field_reservation_identifier.html

@@ -0,0 +1,9 @@
+<header>Identifier value</header>
+
+Value of the selected reservation identifier. For hardware addresses and many client IDs, this is usually entered in colon-separated hexadecimal form.
+<p>
+
+The value must match what Kea sees in client traffic, otherwise the reservation will not apply.
+<p>
+
+<footer>

kea-dhcp/help/field_reservation_identifier_type.html

@@ -0,0 +1,9 @@
+<header>Identifier</header>
+
+Type of client identifier used to match this host reservation. Common choices include hardware address, client ID, DUID, circuit ID, and flexible identifier.
+<p>
+
+Choose the identifier that the client or relay consistently sends.
+<p>
+
+<footer>

kea-dhcp/help/field_reservation_prefixes.html

@@ -0,0 +1,9 @@
+<header>Prefixes</header>
+
+Reserved IPv6 delegated prefixes assigned to the matching client. This is useful when a router should always receive the same delegated prefix.
+<p>
+
+Separate multiple prefixes with spaces.
+<p>
+
+<footer>

kea-dhcp/help/field_server_hostname.html

@@ -0,0 +1,9 @@
+<header>Server hostname</header>
+
+Sets the DHCPv4 BOOTP <tt>sname</tt> field. This is mostly used by older boot clients and some PXE workflows.
+<p>
+
+Leave it empty unless you know the client expects this packet field.
+<p>
+
+<footer>

kea-dhcp/help/field_shared_network.html

@@ -0,0 +1,9 @@
+<header>Shared network</header>
+
+Selects the shared network that contains this subnet. Subnets in the same shared network are treated as being on the same link, so clients can be assigned from any matching member subnet.
+<p>
+
+Choose <tt>None</tt> for normal standalone subnets.
+<p>
+
+<footer>

kea-dhcp/help/field_shared_network_name.html

@@ -0,0 +1,9 @@
+<header>Name</header>
+
+Name of the Kea shared network. It should describe the link or segment that contains the member subnets.
+<p>
+
+Use a stable, recognizable name because it appears in the Webmin UI and in Kea configuration reviews.
+<p>
+
+<footer>

kea-dhcp/help/field_subnet_id.html

@@ -0,0 +1,9 @@
+<header>Subnet ID</header>
+
+Numeric identifier for this Kea subnet. The ID must be unique within the DHCPv4 or DHCPv6 configuration.
+<p>
+
+Kea uses subnet IDs in lease records, logs, and control commands, so avoid changing an existing ID unless you understand the operational impact.
+<p>
+
+<footer>

kea-dhcp/help/field_subnet_prefix.html

@@ -0,0 +1,9 @@
+<header>Subnet prefix</header>
+
+CIDR prefix for the subnet served by Kea, such as <tt>192.0.2.0/24</tt> or <tt>2001:db8:1::/64</tt>. Kea uses this value to match clients to the correct subnet.
+<p>
+
+Use the canonical network address when possible. Host bits set in the prefix can make subnet selection harder to understand.
+<p>
+
+<footer>

kea-dhcp/help/field_tsig_key_algorithm.html

@@ -0,0 +1,7 @@
+<header>TSIG algorithm</header>
+
+Signing algorithm for this TSIG key, such as <tt>hmac-sha256</tt>. The algorithm must match the DNS server's key definition.<p>
+
+Choose a modern algorithm supported by both Kea and the DNS server. Avoid changing this without also updating the DNS server.<p>
+
+<footer>

kea-dhcp/help/field_tsig_key_name.html

@@ -0,0 +1,7 @@
+<header>TSIG key name</header>
+
+Name used by DDNS domains to reference this TSIG key. The value must match the key name configured on the authoritative DNS server.<p>
+
+Use stable, descriptive names because domain rows link to keys by this exact string.<p>
+
+<footer>

kea-dhcp/help/field_tsig_key_secret.html

@@ -0,0 +1,7 @@
+<header>TSIG secret</header>
+
+Shared secret used to sign DNS update messages. This value must match the secret configured on the authoritative DNS server.<p>
+
+Treat this like a password. Existing secrets are not displayed; leave the field empty to keep the current value, or enter a new secret to replace it.<p>
+
+<footer>

kea-dhcp/help/field_valid_lifetime.html

@@ -0,0 +1,9 @@
+<header>Valid lifetime</header>
+
+Default lease lifetime, in seconds. This is the normal amount of time an address remains valid when the client does not receive a more specific value.
+<p>
+
+Shared networks and subnets can override the global value when needed.
+<p>
+
+<footer>

kea-dhcp/help/opt_boot_file_name.html

@@ -0,0 +1,6 @@
+<header>Boot file name option</header>
+
+DHCPv4 boot file name option data. For PXE workflows, also check the advanced BOOTP fields if your clients expect siaddr, sname, or file values.
+<p>
+
+<footer>

kea-dhcp/help/opt_bootfile_param.html

@@ -0,0 +1,6 @@
+<header>Boot file parameters</header>
+
+DHCPv6 boot file parameters sent to clients that request them. Enter the value in Kea <tt>option-data</tt> format.
+<p>
+
+<footer>

kea-dhcp/help/opt_bootfile_url.html

@@ -0,0 +1,6 @@
+<header>Boot file URL</header>
+
+DHCPv6 boot file URL sent to clients that request it. Use this for boot workflows that expect a URL rather than DHCPv4 BOOTP fields.
+<p>
+
+<footer>

kea-dhcp/help/opt_broadcast_address.html

@@ -0,0 +1,9 @@
+<header>Broadcast address</header>
+
+DHCPv4 broadcast address option sent to clients. Most clients can derive this from the subnet prefix and mask without needing the option.
+<p>
+
+Leave empty unless clients need a value different from what they can derive from the subnet.
+<p>
+
+<footer>

kea-dhcp/help/opt_dhcp_server_identifier.html

@@ -0,0 +1,9 @@
+<header>DHCP server identifier</header>
+
+Overrides the DHCPv4 server identifier sent to clients. Kea normally chooses an appropriate identifier from the serving interface address.
+<p>
+
+Usually leave this empty. An incorrect value can break client/server selection because clients use the identifier to decide which server they are communicating with.
+<p>
+
+<footer>

kea-dhcp/help/opt_dns_servers.html

@@ -0,0 +1,9 @@
+<header>DNS servers</header>
+
+DNS server addresses sent to clients. DHCP clients use these resolvers for normal name lookup unless overridden locally.
+<p>
+
+Enter multiple addresses separated by commas, in the order clients should prefer them.
+<p>
+
+<footer>

kea-dhcp/help/opt_domain_name.html

@@ -0,0 +1,9 @@
+<header>Domain name</header>
+
+Default DNS domain name sent to DHCPv4 clients. Clients commonly use this as their local search domain or to form fully qualified hostnames.
+<p>
+
+Leave empty if clients should not receive a domain-name option from this scope.
+<p>
+
+<footer>

kea-dhcp/help/opt_domain_name_servers.html

@@ -0,0 +1,9 @@
+<header>DNS servers</header>
+
+DHCPv4 DNS server addresses sent to clients as the <tt>domain-name-servers</tt> option. Clients use these resolvers for normal name lookup.
+<p>
+
+Enter multiple addresses separated by commas, in the order clients should prefer them.
+<p>
+
+<footer>

kea-dhcp/help/opt_domain_search.html

@@ -0,0 +1,9 @@
+<header>DNS search domains</header>
+
+DNS search list sent to clients. Clients use this list when resolving short hostnames, trying each domain in order.
+<p>
+
+Enter multiple domains separated by commas.
+<p>
+
+<footer>