diff options
author | Christian Poessinger <christian@poessinger.com> | 2019-01-30 06:09:04 +0100 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2019-01-30 19:27:57 +0100 |
commit | aaf2a728a759c0e22d0ccafc3b2addbc5cfd956e (patch) | |
tree | 2620962d768037aa1580bcfc504eaa287bee6063 /src/conf_mode | |
parent | 97186852f529935309c009e38403cead2bf0ce75 (diff) | |
download | vyos-1x-aaf2a728a759c0e22d0ccafc3b2addbc5cfd956e.tar.gz vyos-1x-aaf2a728a759c0e22d0ccafc3b2addbc5cfd956e.zip |
T1160: fix (ro|rw)community ACL
WHen building up the SNMP v2 community ro/rw access all hosts from
a INET version could access even when the community was locked to one
INET family.
Example #1:
set service snmp community bar network 172.16.0.0/12
Allowed access only to IPv4 network 172.16.0.0/12 but it allowed acces from
IPv6 ::/0.
Example #2:
set service snmp community baz network 2001:db8::/64
Limited IPv6 access to 2001:db8::/64 but IPv4 was open to 0.0.0.0/0
(cherry picked from commit cc07c4727bdffb4c220ce28ab9f697b01fe4afb7)
Diffstat (limited to 'src/conf_mode')
-rwxr-xr-x | src/conf_mode/snmp.py | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/src/conf_mode/snmp.py b/src/conf_mode/snmp.py index d21a2b603..06d2e253a 100755 --- a/src/conf_mode/snmp.py +++ b/src/conf_mode/snmp.py @@ -134,20 +134,23 @@ agentaddress unix:/run/snmpd.socket{% if listen_on %}{% for li in listen_on %},{ # SNMP communities {%- for c in communities %} + {%- if c.network_v4 %} {%- for network in c.network_v4 %} {{ c.authorization }}community {{ c.name }} {{ network }} {%- endfor %} -{%- else %} +{%- elif not c.has_source %} {{ c.authorization }}community {{ c.name }} {%- endif %} + {%- if c.network_v6 %} {%- for network in c.network_v6 %} {{ c.authorization }}community6 {{ c.name }} {{ network }} {%- endfor %} -{%- else %} +{%- elif not c.has_source %} {{ c.authorization }}community6 {{ c.name }} {%- endif %} + {%- endfor %} {% if contact %} @@ -266,7 +269,8 @@ def get_config(): 'name': name, 'authorization': 'ro', 'network_v4': [], - 'network_v6': [] + 'network_v6': [], + 'has_source' : False } if conf.exists('community {0} authorization'.format(name)): @@ -288,6 +292,9 @@ def get_config(): else: community['network_v6'].append(addr) + if (len(community['network_v4']) > 0) or (len(community['network_v6']) > 0): + community['has_source'] = True + snmp['communities'].append(community) if conf.exists('contact'): |