summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJames Davidson <james.davidson@vyatta.com>2013-02-12 13:02:11 -0800
committerJames Davidson <james.davidson@vyatta.com>2013-02-12 13:02:11 -0800
commit1d917be739f1db7b1ff1d26a0238322d7fd475c5 (patch)
treeac3bdbdcd28f0bd0f9f16477a384e6ccd53970cd
parent34f23c48bf38c6c88f3c74e958a084bf30380bd6 (diff)
downloadvyatta-cfg-system-1d917be739f1db7b1ff1d26a0238322d7fd475c5.tar.gz
vyatta-cfg-system-1d917be739f1db7b1ff1d26a0238322d7fd475c5.zip
Initial SNMPv3 support
-rw-r--r--Makefile.am1
-rwxr-xr-xscripts/snmp/vyatta-snmp-v3.pl527
-rwxr-xr-xscripts/snmp/vyatta-snmp.pl22
-rw-r--r--templates/service/snmp/node.def23
-rw-r--r--templates/service/snmp/v3/group/node.def5
-rw-r--r--templates/service/snmp/v3/group/node.tag/mode/node.def8
-rw-r--r--templates/service/snmp/v3/group/node.tag/view/node.def11
-rw-r--r--templates/service/snmp/v3/node.def30
-rw-r--r--templates/service/snmp/v3/trap-target/node.def12
-rw-r--r--templates/service/snmp/v3/trap-target/node.tag/auth/encrypted-key/node.def3
-rw-r--r--templates/service/snmp/v3/trap-target/node.tag/auth/node.def4
-rw-r--r--templates/service/snmp/v3/trap-target/node.tag/auth/plaintext-key/node.def3
-rw-r--r--templates/service/snmp/v3/trap-target/node.tag/auth/type/node.def8
-rw-r--r--templates/service/snmp/v3/trap-target/node.tag/port/node.def7
-rw-r--r--templates/service/snmp/v3/trap-target/node.tag/privacy/encrypted-key/node.def3
-rw-r--r--templates/service/snmp/v3/trap-target/node.tag/privacy/node.def4
-rw-r--r--templates/service/snmp/v3/trap-target/node.tag/privacy/plaintext-key/node.def3
-rw-r--r--templates/service/snmp/v3/trap-target/node.tag/privacy/type/node.def8
-rw-r--r--templates/service/snmp/v3/trap-target/node.tag/protocol/node.def8
-rw-r--r--templates/service/snmp/v3/trap-target/node.tag/type/node.def8
-rw-r--r--templates/service/snmp/v3/trap-target/node.tag/user/node.def4
-rw-r--r--templates/service/snmp/v3/tsm/local-key/node.def10
-rw-r--r--templates/service/snmp/v3/tsm/node.def3
-rw-r--r--templates/service/snmp/v3/tsm/port/node.def7
-rw-r--r--templates/service/snmp/v3/user/node.def6
-rw-r--r--templates/service/snmp/v3/user/node.tag/auth/encrypted-key/node.def2
-rw-r--r--templates/service/snmp/v3/user/node.tag/auth/node.def3
-rw-r--r--templates/service/snmp/v3/user/node.tag/auth/plaintext-key/node.def5
-rw-r--r--templates/service/snmp/v3/user/node.tag/auth/type/node.def8
-rw-r--r--templates/service/snmp/v3/user/node.tag/group/node.def11
-rw-r--r--templates/service/snmp/v3/user/node.tag/mode/node.def8
-rw-r--r--templates/service/snmp/v3/user/node.tag/privacy/encrypted-key/node.def2
-rw-r--r--templates/service/snmp/v3/user/node.tag/privacy/node.def3
-rw-r--r--templates/service/snmp/v3/user/node.tag/privacy/plaintext-key/node.def5
-rw-r--r--templates/service/snmp/v3/user/node.tag/privacy/type/node.def8
-rw-r--r--templates/service/snmp/v3/user/node.tag/tsm-key/node.def10
-rw-r--r--templates/service/snmp/v3/view/node.def5
-rw-r--r--templates/service/snmp/v3/view/node.tag/oid/node.def4
-rw-r--r--templates/service/snmp/v3/view/node.tag/oid/node.tag/exclude/node.def1
-rw-r--r--templates/service/snmp/v3/view/node.tag/oid/node.tag/mask/node.def4
40 files changed, 786 insertions, 21 deletions
diff --git a/Makefile.am b/Makefile.am
index 5ac51967..1d7f7dee 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -48,6 +48,7 @@ sbin_SCRIPTS += scripts/system/vyatta_update_ntp.pl
sbin_SCRIPTS += scripts/system/vyatta_update_telnet
sbin_SCRIPTS += scripts/system/irq-affinity.pl
sbin_SCRIPTS += scripts/snmp/vyatta-snmp.pl
+sbin_SCRIPTS += scripts/snmp/vyatta-snmp-v3.pl
sbin_SCRIPTS += scripts/snmp/if-mib-alias
sbin_SCRIPTS += scripts/telnetd.init
sbin_SCRIPTS += scripts/dns-forwarding/vyatta-dns-forwarding.pl
diff --git a/scripts/snmp/vyatta-snmp-v3.pl b/scripts/snmp/vyatta-snmp-v3.pl
new file mode 100755
index 00000000..ef93b8a1
--- /dev/null
+++ b/scripts/snmp/vyatta-snmp-v3.pl
@@ -0,0 +1,527 @@
+#!/usr/bin/perl
+
+use lib "/opt/vyatta/share/perl5/";
+use Vyatta::Config;
+use File::Copy;
+use Getopt::Long;
+use Socket;
+use Socket6;
+
+my $snmp_v3_level = 'service snmp v3';
+my $snmp_init = 'invoke-rc.d snmpd';
+my $snmpd_conf = '/etc/snmp/snmpd.conf';
+my $snmpd_usr_conf = '/usr/share/snmp/snmpd.conf';
+my $snmpd_var_conf = '/var/lib/snmp/snmpd.conf';
+my $snmpd_conf_tmp = "/tmp/snmpd.conf.$$";
+my $snmpd_usr_conf_tmp = "/tmp/snmpd.usr.conf.$$";
+my $snmpd_var_conf_tmp = "/tmp/snmpd.var.conf.$$";
+my $versionfile = '/opt/vyatta/etc/version';
+my $local_agent = 'unix:/var/run/snmpd.socket';
+my $vyatta_config_file = '/config/snmp/snmp_conf.ini';
+%VConfig = ();
+
+%OIDs = (
+ "md5", ".1.3.6.1.6.3.10.1.1.2",
+ "sha", ".1.3.6.1.6.3.10.1.1.3",
+ "aes", ".1.3.6.1.6.3.10.1.2.4",
+ "des", ".1.3.6.1.6.3.10.1.2.2",
+ "none", ".1.3.6.1.6.3.10.1.2.1"
+);
+
+# generate a random character hex string
+sub randhex {
+ my $length = shift;
+ return join "", map { unpack "H*", chr(rand(256)) } 1..($length/2);
+}
+
+sub parse_config_file {
+ open (CONFIG, "$vyatta_config_file") or return;
+ while (<CONFIG>) {
+ chomp; # no newline
+ s/#.*//; # no comments
+ s/^\s+//; # no leading white
+ s/\s+$//; # no trailing white
+ next unless length; # anything left?
+ my ($var, $value) = split(/\s*=\s*/, $_, 2);
+ $VConfig{$var} = $value;
+ }
+ close(CONFIG);
+}
+
+sub write_config_file {
+ open (my $config_file, '>' , "$vyatta_config_file");
+ for my $key (keys %VConfig) {
+ my $value = $VConfig{$key};
+ print $config_file "$key=$value\n";
+ }
+ close $config_file;
+}
+
+sub snmpd_running {
+ open (my $pidf, '<', "/var/run/snmpd.pid")
+ or return;
+ my $pid = <$pidf>;
+ close $pidf;
+
+ chomp $pid;
+ my $exe = readlink "/proc/$pid/exe";
+
+ return (defined($exe) && $exe eq "/usr/sbin/snmpd");
+}
+
+sub check_snmp_exit_code {
+ my $code = shift;
+ # snmpd can start/restart with exit code 256 if trap-target is unavailable
+ if ($code !=0 && $code != 256) {
+ return 1;
+ } else {
+ return 0;
+ }
+}
+
+sub snmpd_stop {
+ system("$snmp_init stop > /dev/null 2>&1");
+ if (check_snmp_exit_code($?)) {
+ print "ERROR: Can not stop snmpd!\n";
+ exit(1);
+ }
+}
+
+sub snmpd_start {
+ system("$snmp_init start > /dev/null 2>&1");
+ if (check_snmp_exit_code($?)) {
+ print "ERROR: Can not start snmpd!\n";
+ exit(1);
+ }
+}
+
+sub snmpd_update {
+ system("$snmp_init reload > /dev/null 2>&1");
+ if (check_snmp_exit_code($?)) {
+ print "ERROR: Can not reload snmpd!\n";
+ exit(1);
+ }
+}
+
+sub snmpd_restart {
+ system("$snmp_init restart > /dev/null 2>&1");
+ if (check_snmp_exit_code($?)) {
+ print "ERROR: Can not restart snmpd!\n";
+ exit(1);
+ }
+}
+
+sub get_version {
+ my $version = "unknown-version";
+
+ if (open (my $f, '<', $versionfile)) {
+ while (<$f>) {
+ chomp;
+ if (m/^Version\s*:\s*(.*)$/) {
+ $version = $1;
+ last;
+ }
+ }
+ close $f;
+ }
+ return $version;
+}
+
+sub ipv6_disabled {
+ socket ( my $s, PF_INET6, SOCK_DGRAM, 0)
+ or return 1;
+ close($s);
+ return;
+}
+
+sub set_tsm {
+ my $config = get_snmp_config();
+ if ($config->exists("tsm")) {
+ my $port = $config->returnValue("tsm port");
+ my $local_key = $config->returnValue("tsm local-key");
+ system("sed -i 's/^agentaddress.*\$/&,tlstcp:$port,dtlsudp:$port/' $snmpd_conf_tmp");
+ system("echo \"[snmp] localCert $local_key\" >> $snmpd_conf_tmp");
+ }
+}
+
+sub snmp_delete {
+ snmpd_stop();
+
+ @files = ($snmpd_conf, $snmpd_usr_conf, $snmpd_var_conf);
+ foreach $file (@files) {
+ if (-e $file) {
+ if (unlink($file) == 0) {
+ print "File $file was not deleted.\n";
+ } else {
+ print "File $file deleted successfully.\n";
+ }
+ } else {
+ print "File $file does not exist\n";
+ }
+ }
+}
+
+sub get_snmp_config() {
+ my $config = new Vyatta::Config;
+ $config->setLevel($snmp_v3_level);
+ return $config;
+}
+
+sub set_views() {
+ print "# views \n";
+ my $config = get_snmp_config();
+ foreach my $view ($config->listNodes("view")) {
+ foreach my $oid ($config->listNodes("view $view oid")) {
+ my $mask = $config->returnValue("view $view oid $oid mask");
+ if ($config->exists("view $view oid $oid exclude")) {
+ print "view $view excluded .$oid $mask\n";
+ } else {
+ print "view $view included .$oid $mask\n";
+ }
+ }
+ }
+ print "\n";
+}
+
+sub set_groups() {
+ print "#access\n# context sec.model sec.level match read write notif\n";
+ my $config = get_snmp_config();
+ foreach my $group ($config->listNodes("group")) {
+ my $mode = $config->returnValue("group $group mode");
+ my $view = $config->returnValue("group $group view");
+ if ($mode eq "ro") {
+ print "access $group \"\" usm auth exact $view none none\n";
+ print "access $group \"\" tsm auth exact $view none none\n";
+ } else {
+ print "access $group \"\" usm auth exact $view $view none\n";
+ print "access $group \"\" tsm auth exact $view $view none\n";
+ }
+ }
+ print "\n";
+}
+
+sub set_users_in_etc() {
+
+ print "#group\n";
+
+ my $config = get_snmp_config();
+ foreach my $user ($config->listNodes("user")) {
+ $config->setLevel($snmp_v3_level." user $user");
+ if ($config->exists("group")) {
+ my $group = $config->returnValue("group");
+ print "group $group usm $user\n";
+ print "group $group tsm $user\n";
+ }
+ if ($config->exists("tsm-key")) {
+ my $cert = $config->returnValue("tsm-key");
+ #TODO magic number 10
+ print "certSecName 10 $cert --sn $user\n";
+ }
+ }
+
+ print "\n";
+}
+
+sub set_users_to_other() {
+ open (my $usr_conf, '>>', $snmpd_usr_conf_tmp)
+ or die "Couldn't open $snmpd_usr_conf_tmp - $!";
+ open (my $var_conf, '>>', $snmpd_var_conf_tmp)
+ or die "Couldn't open $snmpd_var_conf_tmp - $!";
+
+ print $var_conf "\n";
+
+ my $config = get_snmp_config();
+ my $needTsm = 0;
+ if ($config->exists("tsm")) {
+ $needTsm = 1;
+ }
+
+ my %trap_users=();
+
+ foreach my $trap ($config->listNodes("trap-target")) {
+ $trap_users{$config->returnValue("trap-target $trap user")} = 1;
+ }
+
+ foreach my $user ($config->listNodes("user")) {
+ delete $trap_users{$user};
+ $config->setLevel($snmp_v3_level." user $user");
+ my $auth_type = $config->returnValue("auth type");
+ my $priv_type = $config->returnValue("privacy type");
+ if ($config->exists("auth")) {
+ if ($config->exists("auth plaintext-key")) {
+ my $auth_key = $config->returnValue("auth plaintext-key");
+ my $priv_key = $config->returnValue("privacy plaintext-key");
+ print $var_conf "createUser $user \U$auth_type\E $auth_key \U$priv_type\E $priv_key\n";
+ } else {
+ my $name_print = get_printable_name($user);
+ my $EngineID = $VConfig{"User.$user.EngineID"};
+ my $auth_type_oid = $OIDs{$auth_type};
+ my $auth_key_hex = $config->returnValue("auth encrypted-key");
+ local ($priv_type_oid, $priv_key_hex);
+ if ($config->exists("privacy")) {
+ $priv_type_oid = $OIDs{$priv_type};
+ $priv_key_hex = $config->returnValue("privacy encrypted-key");
+ } else {
+ $priv_type_oid = $OIDs{'none'};
+ $priv_key_hex = '0x';
+ }
+ print $var_conf "usmUser 1 3 $EngineID $name_print $name_print NULL $auth_type_oid $auth_key_hex $priv_type_oid $priv_key_hex 0x\n";
+ }
+ }
+ my $mode = $config->returnValue("mode");
+ my $end = "auth";
+ if ($config->exists("privacy")) {
+ $end = "priv";
+ }
+ print $usr_conf $mode."user $user $end\n";
+ if ($needTsm) {
+ print $usr_conf $mode."user -s tsm $user $end\n";
+ }
+ }
+
+ foreach my $user (keys %trap_users) {
+ $name_print = get_printable_name($user);
+ print $var_conf "usmUser 1 3 0x".randhex(26)." $name_print $name_print NULL .1.3.6.1.6.3.10.1.1.2 0x".randhex(32)." .1.3.6.1.6.3.10.1.2.1 0x 0x\n";
+ print $usr_conf "rouser $user auth";
+ }
+
+ print $var_conf "setservialno ".$VConfig{"serialno"}."\n";
+ print $var_conf "oldEngineID ".$VConfig{"oldEngineID"}."\n";
+
+ close $usr_conf;
+ close $var_conf;
+}
+
+sub get_printable_name {
+ my $name = shift;
+ if ($name =~ /-/) {
+ my @array=unpack('C*', $name);
+ my $stringHex = '0x';
+ foreach my $c (@array) {
+ $stringHex .= sprintf ("%lx", $c);
+ }
+ return $stringHex;
+ } else {
+ return "\"$name\"";
+ }
+}
+
+sub update_users_vyatta_conf() {
+ %VConfig = ();
+ open (my $var_conf, '<' , $snmpd_var_conf) or die "Couldn't open $snmpd_usr_conf - $!";
+ my $config = get_snmp_config();
+ while (my $line = <$var_conf>) {
+ if ($line =~ /^setserialno (.*)$/) {
+ $VConfig{"serialno"} = $1;
+ }
+ if ($line =~ /^oldEngineID (.*)$/) {
+ $VConfig{"oldEngineID"} = $1;
+ }
+ if ($line =~ /^usmUser /) {
+ my @values = split(/ /, $line);
+ my $name = $values[4];
+ if ($name =~ /^"(.*)"$/) {
+ $name = $1;
+ } else {
+ $name = pack('H*', $name);
+ }
+ # this file contain users for trap-target and vyatta... user
+ # these users recreating automatically on each commit
+ if ($config->exists("user $name")) {
+ $VConfig{"User.$name.EngineID"} = $values[3];
+ system("/opt/vyatta/sbin/my_set service snmp v3 user \"$name\" auth encrypted-key $values[8] > /dev/null");
+ if ($values[10] ne "\"\"" && $values[10] ne "0x") {
+ system("/opt/vyatta/sbin/my_set service snmp v3 user \"$name\" privacy encrypted-key $values[10] > /dev/null");
+ system("/opt/vyatta/sbin/my_delete service snmp v3 user \"$name\" privacy plaintext-key > /dev/null");
+ }
+ system("/opt/vyatta/sbin/my_delete service snmp v3 user \"$name\" auth plaintext-key > /dev/null");
+ }
+ }
+ }
+}
+
+sub set_hosts() {
+ print "#trap-target\n";
+ my $config = get_snmp_config();
+ foreach my $target ($config->listNodes("trap-target")) {
+ $config->setLevel($snmp_v3_level." trap-target $target");
+ my $auth_key = '';
+ if ($config->exists("auth plaintext-key")) {
+ $auth_key = "-A ".$config->returnValue("auth plaintext-key");
+ } else {
+ $auth_key = "-3m ".$config->returnValue("auth encrypted-key");
+ }
+ my $auth_type = $config->returnValue("auth type");
+ my $user = $config->returnValue("user");
+ my $port = $config->returnValue("port");
+ my $protocol = $config->returnValue("protocol");
+ my $type = $config->returnValue("type");
+ my $inform_flag = '';
+ $inform_flag = '-Ci' if ($type eq 'inform');
+ my $privacy = '';
+ my $secLevel = 'authNoPriv';
+ if ($config->exists("privacy")) {
+ my $priv_key = '';
+ if ($config->exists("privacy plaintext-key")) {
+ $priv_key = "-X ".$config->returnValue("privacy plaintext-key");
+ } else {
+ $priv_key = "-3M ".$config->returnValue("privacy encrypted-key")
+ }
+ my $priv_type = $config->returnValue("privacy type");
+ $privacy = "-x $priv_type $priv_key";
+ $secLevel = 'authPriv';
+ }
+ # TODO
+ # set -3m / -3M for auth / priv for master
+ # or -3k / -3K for local
+ my $target_print = $target;
+ if ($target =~ /:/) {
+ $target_print = "[$target]";
+ $protocol = $protocol."6";
+ }
+ print "trapsess -v 3 $inform_flag -u $user -l $secLevel -a $auth_type $auth_key $privacy $protocol:$target_print:$port\n";
+ }
+ print "\n";
+}
+
+sub check_user_auth_changes() {
+ my $config = get_snmp_config();
+ if ($config->isChanged("user")) {
+ my $haveError = 0;
+ foreach my $user ($config->listNodes("user")) {
+ $config->setLevel($snmp_v3_level." user $user");
+ if ($config->exists("auth")) {
+ if ($config->isChanged("auth encrypted-key") || $config->isChanged("privacy encrypted-key")) {
+ $haveError = 1;
+ print "Discard encrypted-key on user \"$user\". You can't change encrypted key. It does not supported yet.";
+ }
+ my $isAuthKeyChanged = $config->isChanged("auth plaintext-key");
+ my $isAuthChanged = $isAuthKeyChanged || $config->isChanged("auth type");
+ if (($isAuthChanged || $config->isDeleted("privacy") ) && !$isAuthKeyChanged) {
+ $haveError = 1;
+ print "Please, set auth plaintext-key for user \"$user\"\n";
+ }
+ if ($config->exists("privacy")) {
+ my $isPrivKeyChanged = $config->isChanged("privacy plaintext-key");
+ my $isPrivChanged = $isPrivKeyChanged || $config->isChanged("privacy type");
+ if ($isPrivChanged && !$isAuthKeyChanged) {
+ $haveError = 1;
+ print "Please, set auth plaintext-key for user \"$user\"\n";
+ }
+ if (($isAuthChanged || $isPrivChanged) && !$isPrivKeyChanged) {
+ $haveError = 1;
+ print "Please, set privacy plaintext-key for user \"$user\"\n";
+ }
+ }
+ } else {
+ if ($config->exists("privacy")) {
+ $haveError = 1;
+ print "Please, delete privacy for user \"$user\"\n";
+ }
+ }
+ }
+ if ($haveError) {
+ exit(1);
+ }
+ }
+}
+
+sub check_relation() {
+ my $config = get_snmp_config();
+ my $haveError = 0;
+ foreach my $user ($config->listNodes("user")) {
+ if ($config->exists("user $user group")) {
+ my $group = $config->returnValue("user $user group");
+ if (! $config->exists("group $group")) {
+ $haveError = 1;
+ print "Please, create group \"$group\". It's need for user \"$user\"\n";
+ }
+ }
+ }
+ foreach my $group ($config->listNodes("group")) {
+ my $view = $config->returnValue("group $group view");
+ if (! $config->exists("view $view")) {
+ $haveError = 1;
+ print "Please, create view \"$view\". It's need for group \"$group\"\n";
+ }
+ }
+ if ($haveError) {
+ exit(1);
+ }
+}
+
+sub check_tsm_port {
+ my $config = get_snmp_config();
+ if ($config->isChanged("tsm port")) {
+ my $port = $config->returnValue("tsm port");
+ my $reg = ":$port\$";
+ $output = `netstat -anltup | awk '{print \$4}'`;
+ foreach my $line (split(/\n/,$output)) {
+ if ($line =~ /$reg/) {
+ print "Actually port $port is using. It can not be used for tsm.\n";
+ exit(1);
+ }
+ }
+ }
+}
+
+sub copy_conf_to_tmp() {
+ # these files already contain SNMPv2 configuration
+ copy($snmpd_conf, $snmpd_conf_tmp) or die "Couldn't copy $snmpd_conf to $snmpd_conf_tmp - $!";
+ copy($snmpd_usr_conf, $snmpd_usr_conf_tmp) or die "Couldn't copy $snmpd_usr_conf to $snmpd_usr_conf_tmp - $!";
+ copy($snmpd_var_conf, $snmpd_var_conf_tmp) or die "Couldn't copy $snmpd_var_conf to $snmpd_var_conf_tmp - $!";
+}
+
+sub snmp_update {
+
+ check_user_auth_changes();
+ check_relation();
+ check_tsm_port();
+
+ copy_conf_to_tmp();
+
+ set_tsm();
+
+ open (my $fh, '>>', $snmpd_conf_tmp)
+ or die "Couldn't open $snmpd_conf_tmp - $!";
+
+ select $fh;
+
+ set_views();
+ set_groups();
+ set_hosts();
+ set_users_in_etc();
+
+ close $fh;
+ select STDOUT;
+
+ move($snmpd_conf_tmp, $snmpd_conf)
+ or die "Couldn't move $snmpd_conf_tmp to $snmpd_conf - $!";
+
+ my $config = get_snmp_config();
+
+ if ($config->isChanged("user") || $config->isAdded("tsm") || $config->isDeleted("tsm") || $config->isChanged("trap-target")) {
+ parse_config_file();
+ snmpd_stop();
+ set_users_to_other();
+ move($snmpd_usr_conf_tmp, $snmpd_usr_conf)
+ or die "Couldn't move $snmpd_usr_conf_tmp to $snmpd_usr_conf - $!";
+ move($snmpd_var_conf_tmp, $snmpd_var_conf)
+ or die "Couldn't move $snmpd_var_conf_tmp to $snmpd_var_conf - $!";
+ snmpd_start();
+ snmpd_restart();
+ update_users_vyatta_conf();
+ write_config_file();
+ } else {
+ snmpd_start();
+ }
+}
+
+my $update_snmp;
+my $delete_snmp;
+
+GetOptions("update-snmp!" => \$update_snmp,
+ "delete-snmp!" => \$delete_snmp);
+
+snmp_update() if ($update_snmp);
+snmp_delete() if ($delete_snmp);
diff --git a/scripts/snmp/vyatta-snmp.pl b/scripts/snmp/vyatta-snmp.pl
index d473e7fa..a4ea9e27 100755
--- a/scripts/snmp/vyatta-snmp.pl
+++ b/scripts/snmp/vyatta-snmp.pl
@@ -64,6 +64,8 @@ sub snmp_stop {
}
sub snmp_start {
+ # we must stop snmpd first for creating vyatta user
+ system("$snmp_init stop > /dev/null 2>&1");
open (my $fh, '>', $snmp_tmp)
or die "Couldn't open $snmp_tmp - $!";
@@ -78,12 +80,6 @@ sub snmp_start {
move($snmp_tmp, $snmp_conf)
or die "Couldn't move $snmp_tmp to $snmp_conf - $!";
-
- if (snmp_running()) {
- system("$snmp_init restart > /dev/null 2>&1 &");
- } else {
- system("$snmp_init start > /dev/null 2>&1 &");
- }
}
sub get_version {
@@ -235,9 +231,6 @@ sub snmp_get_traps {
my $config = new Vyatta::Config;
$config->setLevel($snmp_level);
- my @trap_targets = $config->listNodes("trap-target");
- return unless @trap_targets;
-
# linkUp/Down configure the Event MIB tables to monitor
# the ifTable for network interfaces being taken up or down
# for making internal queries to retrieve any necessary information
@@ -257,6 +250,9 @@ monitor -r 10 -e linkUpTrap "Generate linkUp" ifOperStatus != 2
monitor -r 10 -e linkDownTrap "Generate linkDown" ifOperStatus == 2
EOF
+ my @trap_targets = $config->listNodes("trap-target");
+ return unless @trap_targets;
+
foreach my $trap_target (@trap_targets) {
my $port = $config->returnValue("trap-target $trap_target port");
my $community
@@ -290,8 +286,9 @@ sub snmp_create_snmpv3_user {
my $vyatta_user = shift;
my $passphrase = randhex(32);
+
my $createuser = "createUser $vyatta_user MD5 \"$passphrase\" DES";
- open(my $fh, '>>', $snmp_snmpv3_createuser_conf) || die "Couldn't open $snmp_snmpv3_createuser_conf - $!";
+ open(my $fh, '>', $snmp_snmpv3_createuser_conf) || die "Couldn't open $snmp_snmpv3_createuser_conf - $!";
print $fh $createuser;
close $fh;
}
@@ -299,9 +296,8 @@ sub snmp_create_snmpv3_user {
sub snmp_write_snmpv3_user {
my $vyatta_user = shift;
- my $user = "rouser $vyatta_user\n";
- system ("sed -i '/user[[:space:]]*vyatta[[:alnum:]]*/d' $snmp_snmpv3_user_conf 2>/dev/null;");
- open(my $fh, '>>', $snmp_snmpv3_user_conf) || die "Couldn't open $snmp_snmpv3_user_conf - $!";
+ my $user = "rwuser $vyatta_user\n";
+ open(my $fh, '>', $snmp_snmpv3_user_conf) || die "Couldn't open $snmp_snmpv3_user_conf - $!";
print $fh $user;
close $fh;
}
diff --git a/templates/service/snmp/node.def b/templates/service/snmp/node.def
index 183cc5c3..8047121f 100644
--- a/templates/service/snmp/node.def
+++ b/templates/service/snmp/node.def
@@ -1,13 +1,20 @@
priority: 980
help: Simple Network Management Protocol (SNMP)
-commit:expression: $VAR(community/) != "" || $VAR(community6/) != "" \
- ; "must configure a community or community6"
+commit:expression: $VAR(community/) != "" || $VAR(community6/) != "" || $VAR(v3/) != "" \
+ ; "must configure a community or community6 or v3"
delete: touch /tmp/snmp.$PPID
end:if [ -f "/tmp/snmp.$PPID" ]
- then sudo /opt/vyatta/sbin/vyatta-snmp.pl --stop-snmp
- rm /tmp/snmp.$PPID
- sudo rm -f /etc/snmp/snmpd.conf
- else
- sudo /opt/vyatta/sbin/vyatta-snmp.pl --update-snmp
- fi
+ then
+ sudo /opt/vyatta/sbin/vyatta-snmp.pl --stop-snmp;
+ rm /tmp/snmp.$PPID;
+ sudo rm -f /etc/snmp/snmpd.conf;
+ else
+ sudo /opt/vyatta/sbin/vyatta-snmp.pl --update-snmp;
+ if [ -n "$VAR(v3/)" ]
+ then
+ sudo /opt/vyatta/sbin/vyatta-snmp-v3.pl --update-snmp;
+ else
+ sudo invoke-rc.d snmpd start > /dev/null 2>&1;
+ fi
+ fi
diff --git a/templates/service/snmp/v3/group/node.def b/templates/service/snmp/v3/group/node.def
new file mode 100644
index 00000000..bcfe6795
--- /dev/null
+++ b/templates/service/snmp/v3/group/node.def
@@ -0,0 +1,5 @@
+tag:
+type: txt
+help: Specifies the group with name groupname
+commit:expression: $VAR(view/) != "" ; "must specify view"
+commit:expression: $VAR(mode/) != "" ; "must specify mode"
diff --git a/templates/service/snmp/v3/group/node.tag/mode/node.def b/templates/service/snmp/v3/group/node.tag/mode/node.def
new file mode 100644
index 00000000..a6d36de5
--- /dev/null
+++ b/templates/service/snmp/v3/group/node.tag/mode/node.def
@@ -0,0 +1,8 @@
+type: txt
+default: "ro"
+help: Defines the read/write access
+syntax:expression: $VAR(@) in "ro", "rw"
+allowed: echo ro rw
+
+val_help: ro;
+val_help: rw;
diff --git a/templates/service/snmp/v3/group/node.tag/view/node.def b/templates/service/snmp/v3/group/node.tag/view/node.def
new file mode 100644
index 00000000..af7d33c9
--- /dev/null
+++ b/templates/service/snmp/v3/group/node.tag/view/node.def
@@ -0,0 +1,11 @@
+type: txt
+help: Defines the name of view
+allowed: list=`cli-shell-api listNodes service snmp v3 view`
+ echo $list
+syntax:expression:exec "regex=\"(^| )$VAR(@)( |$)\"; \
+ if [[ \"$VAR(/service/snmp/v3/view/@@)\" =~ $regex ]] ; \
+ then \
+ exit 0; \
+ else \
+ exit 1; \
+ fi" ; "You must create \"$VAR(@)\" view first"
diff --git a/templates/service/snmp/v3/node.def b/templates/service/snmp/v3/node.def
new file mode 100644
index 00000000..756a156f
--- /dev/null
+++ b/templates/service/snmp/v3/node.def
@@ -0,0 +1,30 @@
+help: Simple Network Management Protocol (SNMP) v3
+
+create: if [ ! -d "/config/snmp" ]; then sudo mkdir /config/snmp ; fi
+ if [ ! -d "/config/snmp/tls" ]; then
+ sudo mkdir /config/snmp/tls ;
+ if [ -d "/etc/snmp/tls" ] ; then
+ sudo mv /etc/snmp/tls/* /config/snmp/tls > /dev/null 2>&1;
+ sudo chmod -R 600 /config/snmp/tls;
+ sudo rmdir /etc/snmp/tls > /dev/null 2>&1;
+ sudo rm /etc/snmp/tls > /dev/null 2>&1;
+ fi
+ sudo ln -s /config/snmp/tls /etc/snmp/tls;
+ fi
+ lnk=`readlink /etc/snmp/tls`
+ if [ "$lnk" != "/config/snmp/tls" ]; then
+ sudo rm -f /etc/snmp/tls;
+ sudo ln -s /config/snmp/tls /etc/snmp/tls;
+ fi
+
+begin: if [ -d "/config/snmp/tls" ]; then
+ sudo chmod -R 600 /config/snmp/tls;
+ fi
+
+delete: touch /tmp/snmp-v3.$PPID
+
+end:if [ -f "/tmp/snmp-v3.$PPID" ]
+ then
+ sudo /opt/vyatta/sbin/vyatta-snmp-v3.pl --delete-snmp
+ rm /tmp/snmp-v3.$PPID
+ fi \ No newline at end of file
diff --git a/templates/service/snmp/v3/trap-target/node.def b/templates/service/snmp/v3/trap-target/node.def
new file mode 100644
index 00000000..d6203e9b
--- /dev/null
+++ b/templates/service/snmp/v3/trap-target/node.def
@@ -0,0 +1,12 @@
+tag:
+type: txt
+help: Defines SNMP target for inform or traps for IP
+syntax:expression: exec "/opt/vyatta/sbin/valid_address $VAR(@)/20"
+commit:expression: $VAR(type/) != ""; "must specify type"
+commit:expression: $VAR(auth/) != ""; "must specify auth"
+commit:expression: $VAR(protocol/) != ""; "must specify protocol"
+commit:expression: $VAR(user/) != ""; "must specify user"
+commit:expression: $VAR(port/) != ""; "must specify port"
+
+val_help: <x.x.x.x>; IP address of trap target
+val_help: <h:h:h:h:h:h:h:h>; IPv6 address of trap target \ No newline at end of file
diff --git a/templates/service/snmp/v3/trap-target/node.tag/auth/encrypted-key/node.def b/templates/service/snmp/v3/trap-target/node.tag/auth/encrypted-key/node.def
new file mode 100644
index 00000000..2365b055
--- /dev/null
+++ b/templates/service/snmp/v3/trap-target/node.tag/auth/encrypted-key/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: Defines the encrypted password for authentication
+syntax:expression: pattern $VAR(@) "^0x[0-9a-f]*$" ; "key must start from '0x' and contain hex digits" \ No newline at end of file
diff --git a/templates/service/snmp/v3/trap-target/node.tag/auth/node.def b/templates/service/snmp/v3/trap-target/node.tag/auth/node.def
new file mode 100644
index 00000000..5c7df0ef
--- /dev/null
+++ b/templates/service/snmp/v3/trap-target/node.tag/auth/node.def
@@ -0,0 +1,4 @@
+help: Defines the authentication
+commit:expression: $VAR(type/) != "" ; "must specify type"
+commit:expression: $VAR(encrypted-key/) != "" || $VAR(plaintext-key/) != "" ; "must specify encrypted-key or plaintext-key"
+commit:expression: !($VAR(encrypted-key/) != "" && $VAR(plaintext-key/) != "") ; "must specify only one of encrypted-key and plaintext-key" \ No newline at end of file
diff --git a/templates/service/snmp/v3/trap-target/node.tag/auth/plaintext-key/node.def b/templates/service/snmp/v3/trap-target/node.tag/auth/plaintext-key/node.def
new file mode 100644
index 00000000..34563e73
--- /dev/null
+++ b/templates/service/snmp/v3/trap-target/node.tag/auth/plaintext-key/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: Defines the clear text password for authentication
+syntax:expression: pattern $VAR(@) "^.{8,}$" ; "key must contain 8 or more characters"
diff --git a/templates/service/snmp/v3/trap-target/node.tag/auth/type/node.def b/templates/service/snmp/v3/trap-target/node.tag/auth/type/node.def
new file mode 100644
index 00000000..5a2ffc52
--- /dev/null
+++ b/templates/service/snmp/v3/trap-target/node.tag/auth/type/node.def
@@ -0,0 +1,8 @@
+type: txt
+default: "md5"
+help: Defines the protocol using for authentication
+syntax:expression: $VAR(@) in "md5", "sha"
+allowed: echo md5 sha
+
+val_help: md5; Message Digest 5
+val_help: sha; Secure Hash Algorithm \ No newline at end of file
diff --git a/templates/service/snmp/v3/trap-target/node.tag/port/node.def b/templates/service/snmp/v3/trap-target/node.tag/port/node.def
new file mode 100644
index 00000000..b38cd1e5
--- /dev/null
+++ b/templates/service/snmp/v3/trap-target/node.tag/port/node.def
@@ -0,0 +1,7 @@
+type: u32
+default: 162
+help: Specifies the TCP/UDP port of a destination for SNMP traps/informs.
+
+val_help: u32:1-65535; Numeric IP port
+syntax:expression: $VAR(@) > 0 && $VAR(@) <= 65535 ; \
+ "Port number must be in range 1 to 65535"
diff --git a/templates/service/snmp/v3/trap-target/node.tag/privacy/encrypted-key/node.def b/templates/service/snmp/v3/trap-target/node.tag/privacy/encrypted-key/node.def
new file mode 100644
index 00000000..4e762b9f
--- /dev/null
+++ b/templates/service/snmp/v3/trap-target/node.tag/privacy/encrypted-key/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: Defines the encrypted key for privacy protocol
+syntax:expression: pattern $VAR(@) "^0x[0-9a-f]*$" ; "key must start from '0x' and contain hex digits" \ No newline at end of file
diff --git a/templates/service/snmp/v3/trap-target/node.tag/privacy/node.def b/templates/service/snmp/v3/trap-target/node.tag/privacy/node.def
new file mode 100644
index 00000000..900cfc9d
--- /dev/null
+++ b/templates/service/snmp/v3/trap-target/node.tag/privacy/node.def
@@ -0,0 +1,4 @@
+help: Defines the privacy
+commit:expression: $VAR(type/) != "" ; "must specify type"
+commit:expression: $VAR(encrypted-key/) != "" || $VAR(plaintext-key/) != "" ; "must specify encrypted-key or plaintext-key"
+commit:expression: !($VAR(encrypted-key/) != "" && $VAR(plaintext-key/) != "") ; "must specify only one of encrypted-key and plaintext-key"
diff --git a/templates/service/snmp/v3/trap-target/node.tag/privacy/plaintext-key/node.def b/templates/service/snmp/v3/trap-target/node.tag/privacy/plaintext-key/node.def
new file mode 100644
index 00000000..a2442637
--- /dev/null
+++ b/templates/service/snmp/v3/trap-target/node.tag/privacy/plaintext-key/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: Defines the clear text key for privacy protocol
+syntax:expression: pattern $VAR(@) "^.{8,}$" ; "key must contain 8 or more characters"
diff --git a/templates/service/snmp/v3/trap-target/node.tag/privacy/type/node.def b/templates/service/snmp/v3/trap-target/node.tag/privacy/type/node.def
new file mode 100644
index 00000000..bbfd5331
--- /dev/null
+++ b/templates/service/snmp/v3/trap-target/node.tag/privacy/type/node.def
@@ -0,0 +1,8 @@
+type: txt
+default: "des"
+help: Defines the protocol for privacy
+syntax:expression: $VAR(@) in "des", "aes"
+allowed: echo des aes
+
+val_help: des; Data Encryption Standard
+val_help: aes; Advanced Encryption Standard \ No newline at end of file
diff --git a/templates/service/snmp/v3/trap-target/node.tag/protocol/node.def b/templates/service/snmp/v3/trap-target/node.tag/protocol/node.def
new file mode 100644
index 00000000..ce96ca38
--- /dev/null
+++ b/templates/service/snmp/v3/trap-target/node.tag/protocol/node.def
@@ -0,0 +1,8 @@
+type: txt
+default: "udp"
+help: Defines protocol for notification between TCP and UDP
+syntax:expression: $VAR(@) in "tcp", "udp"
+allowed: echo tcp udp
+
+val_help: tcp;
+val_help: udp; \ No newline at end of file
diff --git a/templates/service/snmp/v3/trap-target/node.tag/type/node.def b/templates/service/snmp/v3/trap-target/node.tag/type/node.def
new file mode 100644
index 00000000..f678ae69
--- /dev/null
+++ b/templates/service/snmp/v3/trap-target/node.tag/type/node.def
@@ -0,0 +1,8 @@
+type: txt
+default: "inform"
+help: Specifies the type of notification between inform and trap
+syntax:expression: $VAR(@) in "inform", "trap"
+allowed: echo inform trap
+
+val_help: inform;
+val_help: trap; \ No newline at end of file
diff --git a/templates/service/snmp/v3/trap-target/node.tag/user/node.def b/templates/service/snmp/v3/trap-target/node.tag/user/node.def
new file mode 100644
index 00000000..a0ed8cbf
--- /dev/null
+++ b/templates/service/snmp/v3/trap-target/node.tag/user/node.def
@@ -0,0 +1,4 @@
+type: txt
+help: Defines username for authentication
+allowed: list=`cli-shell-api listNodes service snmp v3 user`
+ echo $list
diff --git a/templates/service/snmp/v3/tsm/local-key/node.def b/templates/service/snmp/v3/tsm/local-key/node.def
new file mode 100644
index 00000000..d238d310
--- /dev/null
+++ b/templates/service/snmp/v3/tsm/local-key/node.def
@@ -0,0 +1,10 @@
+type: txt
+help: Defines the server certificate fingerprint or key-file name.
+allowed: sudo ls /etc/snmp/tls/certs
+syntax:expression: pattern $VAR(@) "^[0-9A-F]{2}(:[0-9A-F]{2}){19}$" ||
+ exec "if [ `sudo ls \"/etc/snmp/tls/certs/$VAR(@)\" 2> /dev/null` ]; \
+ then \
+ exit 0; \
+ else \
+ exit 1; \
+ fi" ; "value can be finger print key or filename in /etc/snmp/tls/certs folder" \ No newline at end of file
diff --git a/templates/service/snmp/v3/tsm/node.def b/templates/service/snmp/v3/tsm/node.def
new file mode 100644
index 00000000..3d12f21d
--- /dev/null
+++ b/templates/service/snmp/v3/tsm/node.def
@@ -0,0 +1,3 @@
+help: Specifies that the snmpd uses encryption.
+commit:expression: $VAR(port/) != "" ; "must specify port"
+commit:expression: $VAR(local-key/) != "" ; "must specify local-key" \ No newline at end of file
diff --git a/templates/service/snmp/v3/tsm/port/node.def b/templates/service/snmp/v3/tsm/port/node.def
new file mode 100644
index 00000000..86fd6cca
--- /dev/null
+++ b/templates/service/snmp/v3/tsm/port/node.def
@@ -0,0 +1,7 @@
+type: u32
+default: 10161
+help: Defines the port for tsm.
+
+val_help: u32:1-65535; Numeric IP port
+syntax:expression: $VAR(@) > 0 && $VAR(@) <= 65535 ; \
+ "Port number must be in range 1 to 65535"
diff --git a/templates/service/snmp/v3/user/node.def b/templates/service/snmp/v3/user/node.def
new file mode 100644
index 00000000..e6a8bc87
--- /dev/null
+++ b/templates/service/snmp/v3/user/node.def
@@ -0,0 +1,6 @@
+tag:
+type: txt
+help: Specifies the user with name username
+syntax:expression: pattern $VAR(@) "^[^-]*$" ; "characters '-' in name is not supported yet"
+commit:expression: $VAR(auth/) != "" || $VAR(tsm-key/) != ""; "must specify auth or tsm-key"
+commit:expression: $VAR(mode/) != ""; "must specify mode" \ No newline at end of file
diff --git a/templates/service/snmp/v3/user/node.tag/auth/encrypted-key/node.def b/templates/service/snmp/v3/user/node.tag/auth/encrypted-key/node.def
new file mode 100644
index 00000000..3cf6bd31
--- /dev/null
+++ b/templates/service/snmp/v3/user/node.tag/auth/encrypted-key/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: Defines the encrypted key for authentication protocol
diff --git a/templates/service/snmp/v3/user/node.tag/auth/node.def b/templates/service/snmp/v3/user/node.tag/auth/node.def
new file mode 100644
index 00000000..68959a8e
--- /dev/null
+++ b/templates/service/snmp/v3/user/node.tag/auth/node.def
@@ -0,0 +1,3 @@
+help: Specifies the auth
+commit:expression: $VAR(type/) != "" ; "must specify type"
+commit:expression: $VAR(plaintext-key/) != "" || $VAR(encrypted-key/) != "" ; "must specify plaintext-key or encrypted-key" \ No newline at end of file
diff --git a/templates/service/snmp/v3/user/node.tag/auth/plaintext-key/node.def b/templates/service/snmp/v3/user/node.tag/auth/plaintext-key/node.def
new file mode 100644
index 00000000..4f840d7c
--- /dev/null
+++ b/templates/service/snmp/v3/user/node.tag/auth/plaintext-key/node.def
@@ -0,0 +1,5 @@
+type: txt
+help: Defines the key in the clear text for authentication protocol
+syntax:expression: pattern $VAR(@) "^.{8,}$" ; "key must contain 8 or more characters"
+
+update:expression: $VAR(../encrypted-key/@) = "" \ No newline at end of file
diff --git a/templates/service/snmp/v3/user/node.tag/auth/type/node.def b/templates/service/snmp/v3/user/node.tag/auth/type/node.def
new file mode 100644
index 00000000..5a2ffc52
--- /dev/null
+++ b/templates/service/snmp/v3/user/node.tag/auth/type/node.def
@@ -0,0 +1,8 @@
+type: txt
+default: "md5"
+help: Defines the protocol using for authentication
+syntax:expression: $VAR(@) in "md5", "sha"
+allowed: echo md5 sha
+
+val_help: md5; Message Digest 5
+val_help: sha; Secure Hash Algorithm \ No newline at end of file
diff --git a/templates/service/snmp/v3/user/node.tag/group/node.def b/templates/service/snmp/v3/user/node.tag/group/node.def
new file mode 100644
index 00000000..66543579
--- /dev/null
+++ b/templates/service/snmp/v3/user/node.tag/group/node.def
@@ -0,0 +1,11 @@
+type: txt
+help: Specifies group for user name
+allowed: list=`cli-shell-api listNodes service snmp v3 group`
+ echo $list
+syntax:expression:exec "regex=\"(^| )$VAR(@)( |$)\"; \
+ if [[ \"$VAR(/service/snmp/v3/group/@@)\" =~ $regex ]] ; \
+ then \
+ exit 0; \
+ else \
+ exit 1; \
+ fi" ; "You must create \"$VAR(@)\" group first"
diff --git a/templates/service/snmp/v3/user/node.tag/mode/node.def b/templates/service/snmp/v3/user/node.tag/mode/node.def
new file mode 100644
index 00000000..9855f5fb
--- /dev/null
+++ b/templates/service/snmp/v3/user/node.tag/mode/node.def
@@ -0,0 +1,8 @@
+type: txt
+default: "ro"
+help: Specifies the mode for access rights of user, read only or write
+syntax:expression: $VAR(@) in "ro", "rw"
+allowed: echo ro rw
+
+val_help: ro;
+val_help: rw;
diff --git a/templates/service/snmp/v3/user/node.tag/privacy/encrypted-key/node.def b/templates/service/snmp/v3/user/node.tag/privacy/encrypted-key/node.def
new file mode 100644
index 00000000..8feef111
--- /dev/null
+++ b/templates/service/snmp/v3/user/node.tag/privacy/encrypted-key/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: Defines the encrypted key for privacy protocol
diff --git a/templates/service/snmp/v3/user/node.tag/privacy/node.def b/templates/service/snmp/v3/user/node.tag/privacy/node.def
new file mode 100644
index 00000000..94bf850c
--- /dev/null
+++ b/templates/service/snmp/v3/user/node.tag/privacy/node.def
@@ -0,0 +1,3 @@
+help: Specifies the privacy
+commit:expression: $VAR(type/) != "" ; "must specify type"
+commit:expression: $VAR(plaintext-key/) != "" || $VAR(encrypted-key/) != "" ; "must specify plaintext-key or encrypted-key" \ No newline at end of file
diff --git a/templates/service/snmp/v3/user/node.tag/privacy/plaintext-key/node.def b/templates/service/snmp/v3/user/node.tag/privacy/plaintext-key/node.def
new file mode 100644
index 00000000..5d706712
--- /dev/null
+++ b/templates/service/snmp/v3/user/node.tag/privacy/plaintext-key/node.def
@@ -0,0 +1,5 @@
+type: txt
+help: Defines the key in the clear text for protocol for privacy
+syntax:expression: pattern $VAR(@) "^.{8,}$" ; "key must contain 8 or more characters"
+
+update:expression: $VAR(../encrypted-key/@) = "" \ No newline at end of file
diff --git a/templates/service/snmp/v3/user/node.tag/privacy/type/node.def b/templates/service/snmp/v3/user/node.tag/privacy/type/node.def
new file mode 100644
index 00000000..bbfd5331
--- /dev/null
+++ b/templates/service/snmp/v3/user/node.tag/privacy/type/node.def
@@ -0,0 +1,8 @@
+type: txt
+default: "des"
+help: Defines the protocol for privacy
+syntax:expression: $VAR(@) in "des", "aes"
+allowed: echo des aes
+
+val_help: des; Data Encryption Standard
+val_help: aes; Advanced Encryption Standard \ No newline at end of file
diff --git a/templates/service/snmp/v3/user/node.tag/tsm-key/node.def b/templates/service/snmp/v3/user/node.tag/tsm-key/node.def
new file mode 100644
index 00000000..e9f55a5f
--- /dev/null
+++ b/templates/service/snmp/v3/user/node.tag/tsm-key/node.def
@@ -0,0 +1,10 @@
+type: txt
+help: Specifies finger print or file name of TSM certificate.
+allowed: sudo ls /etc/snmp/tls/certs
+syntax:expression: pattern $VAR(@) "^[0-9A-F]{2}(:[0-9A-F]{2}){19}$" ||
+ exec "if [ `sudo ls \"/etc/snmp/tls/certs/$VAR(@)\" 2> /dev/null` ]; \
+ then \
+ exit 0; \
+ else \
+ exit 1; \
+ fi" ; "value can be finger print key or filename in /etc/snmp/tls/certs folder" \ No newline at end of file
diff --git a/templates/service/snmp/v3/view/node.def b/templates/service/snmp/v3/view/node.def
new file mode 100644
index 00000000..a83c978b
--- /dev/null
+++ b/templates/service/snmp/v3/view/node.def
@@ -0,0 +1,5 @@
+tag:
+type: txt
+help: Specifies the view with name viewname
+
+commit:expression: $VAR(oid/) != ""; "must configure an oid" \ No newline at end of file
diff --git a/templates/service/snmp/v3/view/node.tag/oid/node.def b/templates/service/snmp/v3/view/node.tag/oid/node.def
new file mode 100644
index 00000000..beed3274
--- /dev/null
+++ b/templates/service/snmp/v3/view/node.tag/oid/node.def
@@ -0,0 +1,4 @@
+tag:
+type: txt
+help: Specifies the oid
+syntax:expression: pattern $VAR(@) "^[0-9]+(\.[0-9]+)*$" ; "oid must start from a number"
diff --git a/templates/service/snmp/v3/view/node.tag/oid/node.tag/exclude/node.def b/templates/service/snmp/v3/view/node.tag/oid/node.tag/exclude/node.def
new file mode 100644
index 00000000..df3611cb
--- /dev/null
+++ b/templates/service/snmp/v3/view/node.tag/oid/node.tag/exclude/node.def
@@ -0,0 +1 @@
+help: Exclude is optional argument.
diff --git a/templates/service/snmp/v3/view/node.tag/oid/node.tag/mask/node.def b/templates/service/snmp/v3/view/node.tag/oid/node.tag/mask/node.def
new file mode 100644
index 00000000..bc500afe
--- /dev/null
+++ b/templates/service/snmp/v3/view/node.tag/oid/node.tag/mask/node.def
@@ -0,0 +1,4 @@
+type: txt
+help: Defines a bit-mask that is indicating which subidentifiers of the associated subtree OID should be regarded as significant.
+syntax:expression: pattern $VAR(@) "^[0-9a-f]{2}([\\.:][0-9a-f]{2})*$" ; \
+ "MASK is a list of hex octets, separated by '.' or ':'" \ No newline at end of file