summaryrefslogtreecommitdiff
path: root/src/conf_mode
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2019-01-30 06:09:04 +0100
committerChristian Poessinger <christian@poessinger.com>2019-01-30 19:27:57 +0100
commitaaf2a728a759c0e22d0ccafc3b2addbc5cfd956e (patch)
tree2620962d768037aa1580bcfc504eaa287bee6063 /src/conf_mode
parent97186852f529935309c009e38403cead2bf0ce75 (diff)
downloadvyos-1x-aaf2a728a759c0e22d0ccafc3b2addbc5cfd956e.tar.gz
vyos-1x-aaf2a728a759c0e22d0ccafc3b2addbc5cfd956e.zip
T1160: fix (ro|rw)community ACL
WHen building up the SNMP v2 community ro/rw access all hosts from a INET version could access even when the community was locked to one INET family. Example #1: set service snmp community bar network 172.16.0.0/12 Allowed access only to IPv4 network 172.16.0.0/12 but it allowed acces from IPv6 ::/0. Example #2: set service snmp community baz network 2001:db8::/64 Limited IPv6 access to 2001:db8::/64 but IPv4 was open to 0.0.0.0/0 (cherry picked from commit cc07c4727bdffb4c220ce28ab9f697b01fe4afb7)
Diffstat (limited to 'src/conf_mode')
-rwxr-xr-xsrc/conf_mode/snmp.py13
1 files changed, 10 insertions, 3 deletions
diff --git a/src/conf_mode/snmp.py b/src/conf_mode/snmp.py
index d21a2b603..06d2e253a 100755
--- a/src/conf_mode/snmp.py
+++ b/src/conf_mode/snmp.py
@@ -134,20 +134,23 @@ agentaddress unix:/run/snmpd.socket{% if listen_on %}{% for li in listen_on %},{
# SNMP communities
{%- for c in communities %}
+
{%- if c.network_v4 %}
{%- for network in c.network_v4 %}
{{ c.authorization }}community {{ c.name }} {{ network }}
{%- endfor %}
-{%- else %}
+{%- elif not c.has_source %}
{{ c.authorization }}community {{ c.name }}
{%- endif %}
+
{%- if c.network_v6 %}
{%- for network in c.network_v6 %}
{{ c.authorization }}community6 {{ c.name }} {{ network }}
{%- endfor %}
-{%- else %}
+{%- elif not c.has_source %}
{{ c.authorization }}community6 {{ c.name }}
{%- endif %}
+
{%- endfor %}
{% if contact %}
@@ -266,7 +269,8 @@ def get_config():
'name': name,
'authorization': 'ro',
'network_v4': [],
- 'network_v6': []
+ 'network_v6': [],
+ 'has_source' : False
}
if conf.exists('community {0} authorization'.format(name)):
@@ -288,6 +292,9 @@ def get_config():
else:
community['network_v6'].append(addr)
+ if (len(community['network_v4']) > 0) or (len(community['network_v6']) > 0):
+ community['has_source'] = True
+
snmp['communities'].append(community)
if conf.exists('contact'):