diff options
40 files changed, 786 insertions, 21 deletions
diff --git a/Makefile.am b/Makefile.am index 5ac51967..1d7f7dee 100644 --- a/Makefile.am +++ b/Makefile.am @@ -48,6 +48,7 @@ sbin_SCRIPTS += scripts/system/vyatta_update_ntp.pl sbin_SCRIPTS += scripts/system/vyatta_update_telnet sbin_SCRIPTS += scripts/system/irq-affinity.pl sbin_SCRIPTS += scripts/snmp/vyatta-snmp.pl +sbin_SCRIPTS += scripts/snmp/vyatta-snmp-v3.pl sbin_SCRIPTS += scripts/snmp/if-mib-alias sbin_SCRIPTS += scripts/telnetd.init sbin_SCRIPTS += scripts/dns-forwarding/vyatta-dns-forwarding.pl diff --git a/scripts/snmp/vyatta-snmp-v3.pl b/scripts/snmp/vyatta-snmp-v3.pl new file mode 100755 index 00000000..ef93b8a1 --- /dev/null +++ b/scripts/snmp/vyatta-snmp-v3.pl @@ -0,0 +1,527 @@ +#!/usr/bin/perl + +use lib "/opt/vyatta/share/perl5/"; +use Vyatta::Config; +use File::Copy; +use Getopt::Long; +use Socket; +use Socket6; + +my $snmp_v3_level = 'service snmp v3'; +my $snmp_init = 'invoke-rc.d snmpd'; +my $snmpd_conf = '/etc/snmp/snmpd.conf'; +my $snmpd_usr_conf = '/usr/share/snmp/snmpd.conf'; +my $snmpd_var_conf = '/var/lib/snmp/snmpd.conf'; +my $snmpd_conf_tmp = "/tmp/snmpd.conf.$$"; +my $snmpd_usr_conf_tmp = "/tmp/snmpd.usr.conf.$$"; +my $snmpd_var_conf_tmp = "/tmp/snmpd.var.conf.$$"; +my $versionfile = '/opt/vyatta/etc/version'; +my $local_agent = 'unix:/var/run/snmpd.socket'; +my $vyatta_config_file = '/config/snmp/snmp_conf.ini'; +%VConfig = (); + +%OIDs = ( + "md5", ".1.3.6.1.6.3.10.1.1.2", + "sha", ".1.3.6.1.6.3.10.1.1.3", + "aes", ".1.3.6.1.6.3.10.1.2.4", + "des", ".1.3.6.1.6.3.10.1.2.2", + "none", ".1.3.6.1.6.3.10.1.2.1" +); + +# generate a random character hex string +sub randhex { + my $length = shift; + return join "", map { unpack "H*", chr(rand(256)) } 1..($length/2); +} + +sub parse_config_file { + open (CONFIG, "$vyatta_config_file") or return; + while (<CONFIG>) { + chomp; # no newline + s/#.*//; # no comments + s/^\s+//; # no leading white + s/\s+$//; # no trailing white + next unless length; # anything left? + my ($var, $value) = split(/\s*=\s*/, $_, 2); + $VConfig{$var} = $value; + } + close(CONFIG); +} + +sub write_config_file { + open (my $config_file, '>' , "$vyatta_config_file"); + for my $key (keys %VConfig) { + my $value = $VConfig{$key}; + print $config_file "$key=$value\n"; + } + close $config_file; +} + +sub snmpd_running { + open (my $pidf, '<', "/var/run/snmpd.pid") + or return; + my $pid = <$pidf>; + close $pidf; + + chomp $pid; + my $exe = readlink "/proc/$pid/exe"; + + return (defined($exe) && $exe eq "/usr/sbin/snmpd"); +} + +sub check_snmp_exit_code { + my $code = shift; + # snmpd can start/restart with exit code 256 if trap-target is unavailable + if ($code !=0 && $code != 256) { + return 1; + } else { + return 0; + } +} + +sub snmpd_stop { + system("$snmp_init stop > /dev/null 2>&1"); + if (check_snmp_exit_code($?)) { + print "ERROR: Can not stop snmpd!\n"; + exit(1); + } +} + +sub snmpd_start { + system("$snmp_init start > /dev/null 2>&1"); + if (check_snmp_exit_code($?)) { + print "ERROR: Can not start snmpd!\n"; + exit(1); + } +} + +sub snmpd_update { + system("$snmp_init reload > /dev/null 2>&1"); + if (check_snmp_exit_code($?)) { + print "ERROR: Can not reload snmpd!\n"; + exit(1); + } +} + +sub snmpd_restart { + system("$snmp_init restart > /dev/null 2>&1"); + if (check_snmp_exit_code($?)) { + print "ERROR: Can not restart snmpd!\n"; + exit(1); + } +} + +sub get_version { + my $version = "unknown-version"; + + if (open (my $f, '<', $versionfile)) { + while (<$f>) { + chomp; + if (m/^Version\s*:\s*(.*)$/) { + $version = $1; + last; + } + } + close $f; + } + return $version; +} + +sub ipv6_disabled { + socket ( my $s, PF_INET6, SOCK_DGRAM, 0) + or return 1; + close($s); + return; +} + +sub set_tsm { + my $config = get_snmp_config(); + if ($config->exists("tsm")) { + my $port = $config->returnValue("tsm port"); + my $local_key = $config->returnValue("tsm local-key"); + system("sed -i 's/^agentaddress.*\$/&,tlstcp:$port,dtlsudp:$port/' $snmpd_conf_tmp"); + system("echo \"[snmp] localCert $local_key\" >> $snmpd_conf_tmp"); + } +} + +sub snmp_delete { + snmpd_stop(); + + @files = ($snmpd_conf, $snmpd_usr_conf, $snmpd_var_conf); + foreach $file (@files) { + if (-e $file) { + if (unlink($file) == 0) { + print "File $file was not deleted.\n"; + } else { + print "File $file deleted successfully.\n"; + } + } else { + print "File $file does not exist\n"; + } + } +} + +sub get_snmp_config() { + my $config = new Vyatta::Config; + $config->setLevel($snmp_v3_level); + return $config; +} + +sub set_views() { + print "# views \n"; + my $config = get_snmp_config(); + foreach my $view ($config->listNodes("view")) { + foreach my $oid ($config->listNodes("view $view oid")) { + my $mask = $config->returnValue("view $view oid $oid mask"); + if ($config->exists("view $view oid $oid exclude")) { + print "view $view excluded .$oid $mask\n"; + } else { + print "view $view included .$oid $mask\n"; + } + } + } + print "\n"; +} + +sub set_groups() { + print "#access\n# context sec.model sec.level match read write notif\n"; + my $config = get_snmp_config(); + foreach my $group ($config->listNodes("group")) { + my $mode = $config->returnValue("group $group mode"); + my $view = $config->returnValue("group $group view"); + if ($mode eq "ro") { + print "access $group \"\" usm auth exact $view none none\n"; + print "access $group \"\" tsm auth exact $view none none\n"; + } else { + print "access $group \"\" usm auth exact $view $view none\n"; + print "access $group \"\" tsm auth exact $view $view none\n"; + } + } + print "\n"; +} + +sub set_users_in_etc() { + + print "#group\n"; + + my $config = get_snmp_config(); + foreach my $user ($config->listNodes("user")) { + $config->setLevel($snmp_v3_level." user $user"); + if ($config->exists("group")) { + my $group = $config->returnValue("group"); + print "group $group usm $user\n"; + print "group $group tsm $user\n"; + } + if ($config->exists("tsm-key")) { + my $cert = $config->returnValue("tsm-key"); + #TODO magic number 10 + print "certSecName 10 $cert --sn $user\n"; + } + } + + print "\n"; +} + +sub set_users_to_other() { + open (my $usr_conf, '>>', $snmpd_usr_conf_tmp) + or die "Couldn't open $snmpd_usr_conf_tmp - $!"; + open (my $var_conf, '>>', $snmpd_var_conf_tmp) + or die "Couldn't open $snmpd_var_conf_tmp - $!"; + + print $var_conf "\n"; + + my $config = get_snmp_config(); + my $needTsm = 0; + if ($config->exists("tsm")) { + $needTsm = 1; + } + + my %trap_users=(); + + foreach my $trap ($config->listNodes("trap-target")) { + $trap_users{$config->returnValue("trap-target $trap user")} = 1; + } + + foreach my $user ($config->listNodes("user")) { + delete $trap_users{$user}; + $config->setLevel($snmp_v3_level." user $user"); + my $auth_type = $config->returnValue("auth type"); + my $priv_type = $config->returnValue("privacy type"); + if ($config->exists("auth")) { + if ($config->exists("auth plaintext-key")) { + my $auth_key = $config->returnValue("auth plaintext-key"); + my $priv_key = $config->returnValue("privacy plaintext-key"); + print $var_conf "createUser $user \U$auth_type\E $auth_key \U$priv_type\E $priv_key\n"; + } else { + my $name_print = get_printable_name($user); + my $EngineID = $VConfig{"User.$user.EngineID"}; + my $auth_type_oid = $OIDs{$auth_type}; + my $auth_key_hex = $config->returnValue("auth encrypted-key"); + local ($priv_type_oid, $priv_key_hex); + if ($config->exists("privacy")) { + $priv_type_oid = $OIDs{$priv_type}; + $priv_key_hex = $config->returnValue("privacy encrypted-key"); + } else { + $priv_type_oid = $OIDs{'none'}; + $priv_key_hex = '0x'; + } + print $var_conf "usmUser 1 3 $EngineID $name_print $name_print NULL $auth_type_oid $auth_key_hex $priv_type_oid $priv_key_hex 0x\n"; + } + } + my $mode = $config->returnValue("mode"); + my $end = "auth"; + if ($config->exists("privacy")) { + $end = "priv"; + } + print $usr_conf $mode."user $user $end\n"; + if ($needTsm) { + print $usr_conf $mode."user -s tsm $user $end\n"; + } + } + + foreach my $user (keys %trap_users) { + $name_print = get_printable_name($user); + print $var_conf "usmUser 1 3 0x".randhex(26)." $name_print $name_print NULL .1.3.6.1.6.3.10.1.1.2 0x".randhex(32)." .1.3.6.1.6.3.10.1.2.1 0x 0x\n"; + print $usr_conf "rouser $user auth"; + } + + print $var_conf "setservialno ".$VConfig{"serialno"}."\n"; + print $var_conf "oldEngineID ".$VConfig{"oldEngineID"}."\n"; + + close $usr_conf; + close $var_conf; +} + +sub get_printable_name { + my $name = shift; + if ($name =~ /-/) { + my @array=unpack('C*', $name); + my $stringHex = '0x'; + foreach my $c (@array) { + $stringHex .= sprintf ("%lx", $c); + } + return $stringHex; + } else { + return "\"$name\""; + } +} + +sub update_users_vyatta_conf() { + %VConfig = (); + open (my $var_conf, '<' , $snmpd_var_conf) or die "Couldn't open $snmpd_usr_conf - $!"; + my $config = get_snmp_config(); + while (my $line = <$var_conf>) { + if ($line =~ /^setserialno (.*)$/) { + $VConfig{"serialno"} = $1; + } + if ($line =~ /^oldEngineID (.*)$/) { + $VConfig{"oldEngineID"} = $1; + } + if ($line =~ /^usmUser /) { + my @values = split(/ /, $line); + my $name = $values[4]; + if ($name =~ /^"(.*)"$/) { + $name = $1; + } else { + $name = pack('H*', $name); + } + # this file contain users for trap-target and vyatta... user + # these users recreating automatically on each commit + if ($config->exists("user $name")) { + $VConfig{"User.$name.EngineID"} = $values[3]; + system("/opt/vyatta/sbin/my_set service snmp v3 user \"$name\" auth encrypted-key $values[8] > /dev/null"); + if ($values[10] ne "\"\"" && $values[10] ne "0x") { + system("/opt/vyatta/sbin/my_set service snmp v3 user \"$name\" privacy encrypted-key $values[10] > /dev/null"); + system("/opt/vyatta/sbin/my_delete service snmp v3 user \"$name\" privacy plaintext-key > /dev/null"); + } + system("/opt/vyatta/sbin/my_delete service snmp v3 user \"$name\" auth plaintext-key > /dev/null"); + } + } + } +} + +sub set_hosts() { + print "#trap-target\n"; + my $config = get_snmp_config(); + foreach my $target ($config->listNodes("trap-target")) { + $config->setLevel($snmp_v3_level." trap-target $target"); + my $auth_key = ''; + if ($config->exists("auth plaintext-key")) { + $auth_key = "-A ".$config->returnValue("auth plaintext-key"); + } else { + $auth_key = "-3m ".$config->returnValue("auth encrypted-key"); + } + my $auth_type = $config->returnValue("auth type"); + my $user = $config->returnValue("user"); + my $port = $config->returnValue("port"); + my $protocol = $config->returnValue("protocol"); + my $type = $config->returnValue("type"); + my $inform_flag = ''; + $inform_flag = '-Ci' if ($type eq 'inform'); + my $privacy = ''; + my $secLevel = 'authNoPriv'; + if ($config->exists("privacy")) { + my $priv_key = ''; + if ($config->exists("privacy plaintext-key")) { + $priv_key = "-X ".$config->returnValue("privacy plaintext-key"); + } else { + $priv_key = "-3M ".$config->returnValue("privacy encrypted-key") + } + my $priv_type = $config->returnValue("privacy type"); + $privacy = "-x $priv_type $priv_key"; + $secLevel = 'authPriv'; + } + # TODO + # set -3m / -3M for auth / priv for master + # or -3k / -3K for local + my $target_print = $target; + if ($target =~ /:/) { + $target_print = "[$target]"; + $protocol = $protocol."6"; + } + print "trapsess -v 3 $inform_flag -u $user -l $secLevel -a $auth_type $auth_key $privacy $protocol:$target_print:$port\n"; + } + print "\n"; +} + +sub check_user_auth_changes() { + my $config = get_snmp_config(); + if ($config->isChanged("user")) { + my $haveError = 0; + foreach my $user ($config->listNodes("user")) { + $config->setLevel($snmp_v3_level." user $user"); + if ($config->exists("auth")) { + if ($config->isChanged("auth encrypted-key") || $config->isChanged("privacy encrypted-key")) { + $haveError = 1; + print "Discard encrypted-key on user \"$user\". You can't change encrypted key. It does not supported yet."; + } + my $isAuthKeyChanged = $config->isChanged("auth plaintext-key"); + my $isAuthChanged = $isAuthKeyChanged || $config->isChanged("auth type"); + if (($isAuthChanged || $config->isDeleted("privacy") ) && !$isAuthKeyChanged) { + $haveError = 1; + print "Please, set auth plaintext-key for user \"$user\"\n"; + } + if ($config->exists("privacy")) { + my $isPrivKeyChanged = $config->isChanged("privacy plaintext-key"); + my $isPrivChanged = $isPrivKeyChanged || $config->isChanged("privacy type"); + if ($isPrivChanged && !$isAuthKeyChanged) { + $haveError = 1; + print "Please, set auth plaintext-key for user \"$user\"\n"; + } + if (($isAuthChanged || $isPrivChanged) && !$isPrivKeyChanged) { + $haveError = 1; + print "Please, set privacy plaintext-key for user \"$user\"\n"; + } + } + } else { + if ($config->exists("privacy")) { + $haveError = 1; + print "Please, delete privacy for user \"$user\"\n"; + } + } + } + if ($haveError) { + exit(1); + } + } +} + +sub check_relation() { + my $config = get_snmp_config(); + my $haveError = 0; + foreach my $user ($config->listNodes("user")) { + if ($config->exists("user $user group")) { + my $group = $config->returnValue("user $user group"); + if (! $config->exists("group $group")) { + $haveError = 1; + print "Please, create group \"$group\". It's need for user \"$user\"\n"; + } + } + } + foreach my $group ($config->listNodes("group")) { + my $view = $config->returnValue("group $group view"); + if (! $config->exists("view $view")) { + $haveError = 1; + print "Please, create view \"$view\". It's need for group \"$group\"\n"; + } + } + if ($haveError) { + exit(1); + } +} + +sub check_tsm_port { + my $config = get_snmp_config(); + if ($config->isChanged("tsm port")) { + my $port = $config->returnValue("tsm port"); + my $reg = ":$port\$"; + $output = `netstat -anltup | awk '{print \$4}'`; + foreach my $line (split(/\n/,$output)) { + if ($line =~ /$reg/) { + print "Actually port $port is using. It can not be used for tsm.\n"; + exit(1); + } + } + } +} + +sub copy_conf_to_tmp() { + # these files already contain SNMPv2 configuration + copy($snmpd_conf, $snmpd_conf_tmp) or die "Couldn't copy $snmpd_conf to $snmpd_conf_tmp - $!"; + copy($snmpd_usr_conf, $snmpd_usr_conf_tmp) or die "Couldn't copy $snmpd_usr_conf to $snmpd_usr_conf_tmp - $!"; + copy($snmpd_var_conf, $snmpd_var_conf_tmp) or die "Couldn't copy $snmpd_var_conf to $snmpd_var_conf_tmp - $!"; +} + +sub snmp_update { + + check_user_auth_changes(); + check_relation(); + check_tsm_port(); + + copy_conf_to_tmp(); + + set_tsm(); + + open (my $fh, '>>', $snmpd_conf_tmp) + or die "Couldn't open $snmpd_conf_tmp - $!"; + + select $fh; + + set_views(); + set_groups(); + set_hosts(); + set_users_in_etc(); + + close $fh; + select STDOUT; + + move($snmpd_conf_tmp, $snmpd_conf) + or die "Couldn't move $snmpd_conf_tmp to $snmpd_conf - $!"; + + my $config = get_snmp_config(); + + if ($config->isChanged("user") || $config->isAdded("tsm") || $config->isDeleted("tsm") || $config->isChanged("trap-target")) { + parse_config_file(); + snmpd_stop(); + set_users_to_other(); + move($snmpd_usr_conf_tmp, $snmpd_usr_conf) + or die "Couldn't move $snmpd_usr_conf_tmp to $snmpd_usr_conf - $!"; + move($snmpd_var_conf_tmp, $snmpd_var_conf) + or die "Couldn't move $snmpd_var_conf_tmp to $snmpd_var_conf - $!"; + snmpd_start(); + snmpd_restart(); + update_users_vyatta_conf(); + write_config_file(); + } else { + snmpd_start(); + } +} + +my $update_snmp; +my $delete_snmp; + +GetOptions("update-snmp!" => \$update_snmp, + "delete-snmp!" => \$delete_snmp); + +snmp_update() if ($update_snmp); +snmp_delete() if ($delete_snmp); diff --git a/scripts/snmp/vyatta-snmp.pl b/scripts/snmp/vyatta-snmp.pl index d473e7fa..a4ea9e27 100755 --- a/scripts/snmp/vyatta-snmp.pl +++ b/scripts/snmp/vyatta-snmp.pl @@ -64,6 +64,8 @@ sub snmp_stop { } sub snmp_start { + # we must stop snmpd first for creating vyatta user + system("$snmp_init stop > /dev/null 2>&1"); open (my $fh, '>', $snmp_tmp) or die "Couldn't open $snmp_tmp - $!"; @@ -78,12 +80,6 @@ sub snmp_start { move($snmp_tmp, $snmp_conf) or die "Couldn't move $snmp_tmp to $snmp_conf - $!"; - - if (snmp_running()) { - system("$snmp_init restart > /dev/null 2>&1 &"); - } else { - system("$snmp_init start > /dev/null 2>&1 &"); - } } sub get_version { @@ -235,9 +231,6 @@ sub snmp_get_traps { my $config = new Vyatta::Config; $config->setLevel($snmp_level); - my @trap_targets = $config->listNodes("trap-target"); - return unless @trap_targets; - # linkUp/Down configure the Event MIB tables to monitor # the ifTable for network interfaces being taken up or down # for making internal queries to retrieve any necessary information @@ -257,6 +250,9 @@ monitor -r 10 -e linkUpTrap "Generate linkUp" ifOperStatus != 2 monitor -r 10 -e linkDownTrap "Generate linkDown" ifOperStatus == 2 EOF + my @trap_targets = $config->listNodes("trap-target"); + return unless @trap_targets; + foreach my $trap_target (@trap_targets) { my $port = $config->returnValue("trap-target $trap_target port"); my $community @@ -290,8 +286,9 @@ sub snmp_create_snmpv3_user { my $vyatta_user = shift; my $passphrase = randhex(32); + my $createuser = "createUser $vyatta_user MD5 \"$passphrase\" DES"; - open(my $fh, '>>', $snmp_snmpv3_createuser_conf) || die "Couldn't open $snmp_snmpv3_createuser_conf - $!"; + open(my $fh, '>', $snmp_snmpv3_createuser_conf) || die "Couldn't open $snmp_snmpv3_createuser_conf - $!"; print $fh $createuser; close $fh; } @@ -299,9 +296,8 @@ sub snmp_create_snmpv3_user { sub snmp_write_snmpv3_user { my $vyatta_user = shift; - my $user = "rouser $vyatta_user\n"; - system ("sed -i '/user[[:space:]]*vyatta[[:alnum:]]*/d' $snmp_snmpv3_user_conf 2>/dev/null;"); - open(my $fh, '>>', $snmp_snmpv3_user_conf) || die "Couldn't open $snmp_snmpv3_user_conf - $!"; + my $user = "rwuser $vyatta_user\n"; + open(my $fh, '>', $snmp_snmpv3_user_conf) || die "Couldn't open $snmp_snmpv3_user_conf - $!"; print $fh $user; close $fh; } diff --git a/templates/service/snmp/node.def b/templates/service/snmp/node.def index 183cc5c3..8047121f 100644 --- a/templates/service/snmp/node.def +++ b/templates/service/snmp/node.def @@ -1,13 +1,20 @@ priority: 980 help: Simple Network Management Protocol (SNMP) -commit:expression: $VAR(community/) != "" || $VAR(community6/) != "" \ - ; "must configure a community or community6" +commit:expression: $VAR(community/) != "" || $VAR(community6/) != "" || $VAR(v3/) != "" \ + ; "must configure a community or community6 or v3" delete: touch /tmp/snmp.$PPID end:if [ -f "/tmp/snmp.$PPID" ] - then sudo /opt/vyatta/sbin/vyatta-snmp.pl --stop-snmp - rm /tmp/snmp.$PPID - sudo rm -f /etc/snmp/snmpd.conf - else - sudo /opt/vyatta/sbin/vyatta-snmp.pl --update-snmp - fi + then + sudo /opt/vyatta/sbin/vyatta-snmp.pl --stop-snmp; + rm /tmp/snmp.$PPID; + sudo rm -f /etc/snmp/snmpd.conf; + else + sudo /opt/vyatta/sbin/vyatta-snmp.pl --update-snmp; + if [ -n "$VAR(v3/)" ] + then + sudo /opt/vyatta/sbin/vyatta-snmp-v3.pl --update-snmp; + else + sudo invoke-rc.d snmpd start > /dev/null 2>&1; + fi + fi diff --git a/templates/service/snmp/v3/group/node.def b/templates/service/snmp/v3/group/node.def new file mode 100644 index 00000000..bcfe6795 --- /dev/null +++ b/templates/service/snmp/v3/group/node.def @@ -0,0 +1,5 @@ +tag: +type: txt +help: Specifies the group with name groupname +commit:expression: $VAR(view/) != "" ; "must specify view" +commit:expression: $VAR(mode/) != "" ; "must specify mode" diff --git a/templates/service/snmp/v3/group/node.tag/mode/node.def b/templates/service/snmp/v3/group/node.tag/mode/node.def new file mode 100644 index 00000000..a6d36de5 --- /dev/null +++ b/templates/service/snmp/v3/group/node.tag/mode/node.def @@ -0,0 +1,8 @@ +type: txt +default: "ro" +help: Defines the read/write access +syntax:expression: $VAR(@) in "ro", "rw" +allowed: echo ro rw + +val_help: ro; +val_help: rw; diff --git a/templates/service/snmp/v3/group/node.tag/view/node.def b/templates/service/snmp/v3/group/node.tag/view/node.def new file mode 100644 index 00000000..af7d33c9 --- /dev/null +++ b/templates/service/snmp/v3/group/node.tag/view/node.def @@ -0,0 +1,11 @@ +type: txt +help: Defines the name of view +allowed: list=`cli-shell-api listNodes service snmp v3 view` + echo $list +syntax:expression:exec "regex=\"(^| )$VAR(@)( |$)\"; \ + if [[ \"$VAR(/service/snmp/v3/view/@@)\" =~ $regex ]] ; \ + then \ + exit 0; \ + else \ + exit 1; \ + fi" ; "You must create \"$VAR(@)\" view first" diff --git a/templates/service/snmp/v3/node.def b/templates/service/snmp/v3/node.def new file mode 100644 index 00000000..756a156f --- /dev/null +++ b/templates/service/snmp/v3/node.def @@ -0,0 +1,30 @@ +help: Simple Network Management Protocol (SNMP) v3 + +create: if [ ! -d "/config/snmp" ]; then sudo mkdir /config/snmp ; fi + if [ ! -d "/config/snmp/tls" ]; then + sudo mkdir /config/snmp/tls ; + if [ -d "/etc/snmp/tls" ] ; then + sudo mv /etc/snmp/tls/* /config/snmp/tls > /dev/null 2>&1; + sudo chmod -R 600 /config/snmp/tls; + sudo rmdir /etc/snmp/tls > /dev/null 2>&1; + sudo rm /etc/snmp/tls > /dev/null 2>&1; + fi + sudo ln -s /config/snmp/tls /etc/snmp/tls; + fi + lnk=`readlink /etc/snmp/tls` + if [ "$lnk" != "/config/snmp/tls" ]; then + sudo rm -f /etc/snmp/tls; + sudo ln -s /config/snmp/tls /etc/snmp/tls; + fi + +begin: if [ -d "/config/snmp/tls" ]; then + sudo chmod -R 600 /config/snmp/tls; + fi + +delete: touch /tmp/snmp-v3.$PPID + +end:if [ -f "/tmp/snmp-v3.$PPID" ] + then + sudo /opt/vyatta/sbin/vyatta-snmp-v3.pl --delete-snmp + rm /tmp/snmp-v3.$PPID + fi
\ No newline at end of file diff --git a/templates/service/snmp/v3/trap-target/node.def b/templates/service/snmp/v3/trap-target/node.def new file mode 100644 index 00000000..d6203e9b --- /dev/null +++ b/templates/service/snmp/v3/trap-target/node.def @@ -0,0 +1,12 @@ +tag: +type: txt +help: Defines SNMP target for inform or traps for IP +syntax:expression: exec "/opt/vyatta/sbin/valid_address $VAR(@)/20" +commit:expression: $VAR(type/) != ""; "must specify type" +commit:expression: $VAR(auth/) != ""; "must specify auth" +commit:expression: $VAR(protocol/) != ""; "must specify protocol" +commit:expression: $VAR(user/) != ""; "must specify user" +commit:expression: $VAR(port/) != ""; "must specify port" + +val_help: <x.x.x.x>; IP address of trap target +val_help: <h:h:h:h:h:h:h:h>; IPv6 address of trap target
\ No newline at end of file diff --git a/templates/service/snmp/v3/trap-target/node.tag/auth/encrypted-key/node.def b/templates/service/snmp/v3/trap-target/node.tag/auth/encrypted-key/node.def new file mode 100644 index 00000000..2365b055 --- /dev/null +++ b/templates/service/snmp/v3/trap-target/node.tag/auth/encrypted-key/node.def @@ -0,0 +1,3 @@ +type: txt +help: Defines the encrypted password for authentication +syntax:expression: pattern $VAR(@) "^0x[0-9a-f]*$" ; "key must start from '0x' and contain hex digits"
\ No newline at end of file diff --git a/templates/service/snmp/v3/trap-target/node.tag/auth/node.def b/templates/service/snmp/v3/trap-target/node.tag/auth/node.def new file mode 100644 index 00000000..5c7df0ef --- /dev/null +++ b/templates/service/snmp/v3/trap-target/node.tag/auth/node.def @@ -0,0 +1,4 @@ +help: Defines the authentication +commit:expression: $VAR(type/) != "" ; "must specify type" +commit:expression: $VAR(encrypted-key/) != "" || $VAR(plaintext-key/) != "" ; "must specify encrypted-key or plaintext-key" +commit:expression: !($VAR(encrypted-key/) != "" && $VAR(plaintext-key/) != "") ; "must specify only one of encrypted-key and plaintext-key"
\ No newline at end of file diff --git a/templates/service/snmp/v3/trap-target/node.tag/auth/plaintext-key/node.def b/templates/service/snmp/v3/trap-target/node.tag/auth/plaintext-key/node.def new file mode 100644 index 00000000..34563e73 --- /dev/null +++ b/templates/service/snmp/v3/trap-target/node.tag/auth/plaintext-key/node.def @@ -0,0 +1,3 @@ +type: txt +help: Defines the clear text password for authentication +syntax:expression: pattern $VAR(@) "^.{8,}$" ; "key must contain 8 or more characters" diff --git a/templates/service/snmp/v3/trap-target/node.tag/auth/type/node.def b/templates/service/snmp/v3/trap-target/node.tag/auth/type/node.def new file mode 100644 index 00000000..5a2ffc52 --- /dev/null +++ b/templates/service/snmp/v3/trap-target/node.tag/auth/type/node.def @@ -0,0 +1,8 @@ +type: txt +default: "md5" +help: Defines the protocol using for authentication +syntax:expression: $VAR(@) in "md5", "sha" +allowed: echo md5 sha + +val_help: md5; Message Digest 5 +val_help: sha; Secure Hash Algorithm
\ No newline at end of file diff --git a/templates/service/snmp/v3/trap-target/node.tag/port/node.def b/templates/service/snmp/v3/trap-target/node.tag/port/node.def new file mode 100644 index 00000000..b38cd1e5 --- /dev/null +++ b/templates/service/snmp/v3/trap-target/node.tag/port/node.def @@ -0,0 +1,7 @@ +type: u32 +default: 162 +help: Specifies the TCP/UDP port of a destination for SNMP traps/informs. + +val_help: u32:1-65535; Numeric IP port +syntax:expression: $VAR(@) > 0 && $VAR(@) <= 65535 ; \ + "Port number must be in range 1 to 65535" diff --git a/templates/service/snmp/v3/trap-target/node.tag/privacy/encrypted-key/node.def b/templates/service/snmp/v3/trap-target/node.tag/privacy/encrypted-key/node.def new file mode 100644 index 00000000..4e762b9f --- /dev/null +++ b/templates/service/snmp/v3/trap-target/node.tag/privacy/encrypted-key/node.def @@ -0,0 +1,3 @@ +type: txt +help: Defines the encrypted key for privacy protocol +syntax:expression: pattern $VAR(@) "^0x[0-9a-f]*$" ; "key must start from '0x' and contain hex digits"
\ No newline at end of file diff --git a/templates/service/snmp/v3/trap-target/node.tag/privacy/node.def b/templates/service/snmp/v3/trap-target/node.tag/privacy/node.def new file mode 100644 index 00000000..900cfc9d --- /dev/null +++ b/templates/service/snmp/v3/trap-target/node.tag/privacy/node.def @@ -0,0 +1,4 @@ +help: Defines the privacy +commit:expression: $VAR(type/) != "" ; "must specify type" +commit:expression: $VAR(encrypted-key/) != "" || $VAR(plaintext-key/) != "" ; "must specify encrypted-key or plaintext-key" +commit:expression: !($VAR(encrypted-key/) != "" && $VAR(plaintext-key/) != "") ; "must specify only one of encrypted-key and plaintext-key" diff --git a/templates/service/snmp/v3/trap-target/node.tag/privacy/plaintext-key/node.def b/templates/service/snmp/v3/trap-target/node.tag/privacy/plaintext-key/node.def new file mode 100644 index 00000000..a2442637 --- /dev/null +++ b/templates/service/snmp/v3/trap-target/node.tag/privacy/plaintext-key/node.def @@ -0,0 +1,3 @@ +type: txt +help: Defines the clear text key for privacy protocol +syntax:expression: pattern $VAR(@) "^.{8,}$" ; "key must contain 8 or more characters" diff --git a/templates/service/snmp/v3/trap-target/node.tag/privacy/type/node.def b/templates/service/snmp/v3/trap-target/node.tag/privacy/type/node.def new file mode 100644 index 00000000..bbfd5331 --- /dev/null +++ b/templates/service/snmp/v3/trap-target/node.tag/privacy/type/node.def @@ -0,0 +1,8 @@ +type: txt +default: "des" +help: Defines the protocol for privacy +syntax:expression: $VAR(@) in "des", "aes" +allowed: echo des aes + +val_help: des; Data Encryption Standard +val_help: aes; Advanced Encryption Standard
\ No newline at end of file diff --git a/templates/service/snmp/v3/trap-target/node.tag/protocol/node.def b/templates/service/snmp/v3/trap-target/node.tag/protocol/node.def new file mode 100644 index 00000000..ce96ca38 --- /dev/null +++ b/templates/service/snmp/v3/trap-target/node.tag/protocol/node.def @@ -0,0 +1,8 @@ +type: txt +default: "udp" +help: Defines protocol for notification between TCP and UDP +syntax:expression: $VAR(@) in "tcp", "udp" +allowed: echo tcp udp + +val_help: tcp; +val_help: udp;
\ No newline at end of file diff --git a/templates/service/snmp/v3/trap-target/node.tag/type/node.def b/templates/service/snmp/v3/trap-target/node.tag/type/node.def new file mode 100644 index 00000000..f678ae69 --- /dev/null +++ b/templates/service/snmp/v3/trap-target/node.tag/type/node.def @@ -0,0 +1,8 @@ +type: txt +default: "inform" +help: Specifies the type of notification between inform and trap +syntax:expression: $VAR(@) in "inform", "trap" +allowed: echo inform trap + +val_help: inform; +val_help: trap;
\ No newline at end of file diff --git a/templates/service/snmp/v3/trap-target/node.tag/user/node.def b/templates/service/snmp/v3/trap-target/node.tag/user/node.def new file mode 100644 index 00000000..a0ed8cbf --- /dev/null +++ b/templates/service/snmp/v3/trap-target/node.tag/user/node.def @@ -0,0 +1,4 @@ +type: txt +help: Defines username for authentication +allowed: list=`cli-shell-api listNodes service snmp v3 user` + echo $list diff --git a/templates/service/snmp/v3/tsm/local-key/node.def b/templates/service/snmp/v3/tsm/local-key/node.def new file mode 100644 index 00000000..d238d310 --- /dev/null +++ b/templates/service/snmp/v3/tsm/local-key/node.def @@ -0,0 +1,10 @@ +type: txt +help: Defines the server certificate fingerprint or key-file name. +allowed: sudo ls /etc/snmp/tls/certs +syntax:expression: pattern $VAR(@) "^[0-9A-F]{2}(:[0-9A-F]{2}){19}$" || + exec "if [ `sudo ls \"/etc/snmp/tls/certs/$VAR(@)\" 2> /dev/null` ]; \ + then \ + exit 0; \ + else \ + exit 1; \ + fi" ; "value can be finger print key or filename in /etc/snmp/tls/certs folder"
\ No newline at end of file diff --git a/templates/service/snmp/v3/tsm/node.def b/templates/service/snmp/v3/tsm/node.def new file mode 100644 index 00000000..3d12f21d --- /dev/null +++ b/templates/service/snmp/v3/tsm/node.def @@ -0,0 +1,3 @@ +help: Specifies that the snmpd uses encryption. +commit:expression: $VAR(port/) != "" ; "must specify port" +commit:expression: $VAR(local-key/) != "" ; "must specify local-key"
\ No newline at end of file diff --git a/templates/service/snmp/v3/tsm/port/node.def b/templates/service/snmp/v3/tsm/port/node.def new file mode 100644 index 00000000..86fd6cca --- /dev/null +++ b/templates/service/snmp/v3/tsm/port/node.def @@ -0,0 +1,7 @@ +type: u32 +default: 10161 +help: Defines the port for tsm. + +val_help: u32:1-65535; Numeric IP port +syntax:expression: $VAR(@) > 0 && $VAR(@) <= 65535 ; \ + "Port number must be in range 1 to 65535" diff --git a/templates/service/snmp/v3/user/node.def b/templates/service/snmp/v3/user/node.def new file mode 100644 index 00000000..e6a8bc87 --- /dev/null +++ b/templates/service/snmp/v3/user/node.def @@ -0,0 +1,6 @@ +tag: +type: txt +help: Specifies the user with name username +syntax:expression: pattern $VAR(@) "^[^-]*$" ; "characters '-' in name is not supported yet" +commit:expression: $VAR(auth/) != "" || $VAR(tsm-key/) != ""; "must specify auth or tsm-key" +commit:expression: $VAR(mode/) != ""; "must specify mode"
\ No newline at end of file diff --git a/templates/service/snmp/v3/user/node.tag/auth/encrypted-key/node.def b/templates/service/snmp/v3/user/node.tag/auth/encrypted-key/node.def new file mode 100644 index 00000000..3cf6bd31 --- /dev/null +++ b/templates/service/snmp/v3/user/node.tag/auth/encrypted-key/node.def @@ -0,0 +1,2 @@ +type: txt +help: Defines the encrypted key for authentication protocol diff --git a/templates/service/snmp/v3/user/node.tag/auth/node.def b/templates/service/snmp/v3/user/node.tag/auth/node.def new file mode 100644 index 00000000..68959a8e --- /dev/null +++ b/templates/service/snmp/v3/user/node.tag/auth/node.def @@ -0,0 +1,3 @@ +help: Specifies the auth +commit:expression: $VAR(type/) != "" ; "must specify type" +commit:expression: $VAR(plaintext-key/) != "" || $VAR(encrypted-key/) != "" ; "must specify plaintext-key or encrypted-key"
\ No newline at end of file diff --git a/templates/service/snmp/v3/user/node.tag/auth/plaintext-key/node.def b/templates/service/snmp/v3/user/node.tag/auth/plaintext-key/node.def new file mode 100644 index 00000000..4f840d7c --- /dev/null +++ b/templates/service/snmp/v3/user/node.tag/auth/plaintext-key/node.def @@ -0,0 +1,5 @@ +type: txt +help: Defines the key in the clear text for authentication protocol +syntax:expression: pattern $VAR(@) "^.{8,}$" ; "key must contain 8 or more characters" + +update:expression: $VAR(../encrypted-key/@) = ""
\ No newline at end of file diff --git a/templates/service/snmp/v3/user/node.tag/auth/type/node.def b/templates/service/snmp/v3/user/node.tag/auth/type/node.def new file mode 100644 index 00000000..5a2ffc52 --- /dev/null +++ b/templates/service/snmp/v3/user/node.tag/auth/type/node.def @@ -0,0 +1,8 @@ +type: txt +default: "md5" +help: Defines the protocol using for authentication +syntax:expression: $VAR(@) in "md5", "sha" +allowed: echo md5 sha + +val_help: md5; Message Digest 5 +val_help: sha; Secure Hash Algorithm
\ No newline at end of file diff --git a/templates/service/snmp/v3/user/node.tag/group/node.def b/templates/service/snmp/v3/user/node.tag/group/node.def new file mode 100644 index 00000000..66543579 --- /dev/null +++ b/templates/service/snmp/v3/user/node.tag/group/node.def @@ -0,0 +1,11 @@ +type: txt +help: Specifies group for user name +allowed: list=`cli-shell-api listNodes service snmp v3 group` + echo $list +syntax:expression:exec "regex=\"(^| )$VAR(@)( |$)\"; \ + if [[ \"$VAR(/service/snmp/v3/group/@@)\" =~ $regex ]] ; \ + then \ + exit 0; \ + else \ + exit 1; \ + fi" ; "You must create \"$VAR(@)\" group first" diff --git a/templates/service/snmp/v3/user/node.tag/mode/node.def b/templates/service/snmp/v3/user/node.tag/mode/node.def new file mode 100644 index 00000000..9855f5fb --- /dev/null +++ b/templates/service/snmp/v3/user/node.tag/mode/node.def @@ -0,0 +1,8 @@ +type: txt +default: "ro" +help: Specifies the mode for access rights of user, read only or write +syntax:expression: $VAR(@) in "ro", "rw" +allowed: echo ro rw + +val_help: ro; +val_help: rw; diff --git a/templates/service/snmp/v3/user/node.tag/privacy/encrypted-key/node.def b/templates/service/snmp/v3/user/node.tag/privacy/encrypted-key/node.def new file mode 100644 index 00000000..8feef111 --- /dev/null +++ b/templates/service/snmp/v3/user/node.tag/privacy/encrypted-key/node.def @@ -0,0 +1,2 @@ +type: txt +help: Defines the encrypted key for privacy protocol diff --git a/templates/service/snmp/v3/user/node.tag/privacy/node.def b/templates/service/snmp/v3/user/node.tag/privacy/node.def new file mode 100644 index 00000000..94bf850c --- /dev/null +++ b/templates/service/snmp/v3/user/node.tag/privacy/node.def @@ -0,0 +1,3 @@ +help: Specifies the privacy +commit:expression: $VAR(type/) != "" ; "must specify type" +commit:expression: $VAR(plaintext-key/) != "" || $VAR(encrypted-key/) != "" ; "must specify plaintext-key or encrypted-key"
\ No newline at end of file diff --git a/templates/service/snmp/v3/user/node.tag/privacy/plaintext-key/node.def b/templates/service/snmp/v3/user/node.tag/privacy/plaintext-key/node.def new file mode 100644 index 00000000..5d706712 --- /dev/null +++ b/templates/service/snmp/v3/user/node.tag/privacy/plaintext-key/node.def @@ -0,0 +1,5 @@ +type: txt +help: Defines the key in the clear text for protocol for privacy +syntax:expression: pattern $VAR(@) "^.{8,}$" ; "key must contain 8 or more characters" + +update:expression: $VAR(../encrypted-key/@) = ""
\ No newline at end of file diff --git a/templates/service/snmp/v3/user/node.tag/privacy/type/node.def b/templates/service/snmp/v3/user/node.tag/privacy/type/node.def new file mode 100644 index 00000000..bbfd5331 --- /dev/null +++ b/templates/service/snmp/v3/user/node.tag/privacy/type/node.def @@ -0,0 +1,8 @@ +type: txt +default: "des" +help: Defines the protocol for privacy +syntax:expression: $VAR(@) in "des", "aes" +allowed: echo des aes + +val_help: des; Data Encryption Standard +val_help: aes; Advanced Encryption Standard
\ No newline at end of file diff --git a/templates/service/snmp/v3/user/node.tag/tsm-key/node.def b/templates/service/snmp/v3/user/node.tag/tsm-key/node.def new file mode 100644 index 00000000..e9f55a5f --- /dev/null +++ b/templates/service/snmp/v3/user/node.tag/tsm-key/node.def @@ -0,0 +1,10 @@ +type: txt +help: Specifies finger print or file name of TSM certificate. +allowed: sudo ls /etc/snmp/tls/certs +syntax:expression: pattern $VAR(@) "^[0-9A-F]{2}(:[0-9A-F]{2}){19}$" || + exec "if [ `sudo ls \"/etc/snmp/tls/certs/$VAR(@)\" 2> /dev/null` ]; \ + then \ + exit 0; \ + else \ + exit 1; \ + fi" ; "value can be finger print key or filename in /etc/snmp/tls/certs folder"
\ No newline at end of file diff --git a/templates/service/snmp/v3/view/node.def b/templates/service/snmp/v3/view/node.def new file mode 100644 index 00000000..a83c978b --- /dev/null +++ b/templates/service/snmp/v3/view/node.def @@ -0,0 +1,5 @@ +tag: +type: txt +help: Specifies the view with name viewname + +commit:expression: $VAR(oid/) != ""; "must configure an oid"
\ No newline at end of file diff --git a/templates/service/snmp/v3/view/node.tag/oid/node.def b/templates/service/snmp/v3/view/node.tag/oid/node.def new file mode 100644 index 00000000..beed3274 --- /dev/null +++ b/templates/service/snmp/v3/view/node.tag/oid/node.def @@ -0,0 +1,4 @@ +tag: +type: txt +help: Specifies the oid +syntax:expression: pattern $VAR(@) "^[0-9]+(\.[0-9]+)*$" ; "oid must start from a number" diff --git a/templates/service/snmp/v3/view/node.tag/oid/node.tag/exclude/node.def b/templates/service/snmp/v3/view/node.tag/oid/node.tag/exclude/node.def new file mode 100644 index 00000000..df3611cb --- /dev/null +++ b/templates/service/snmp/v3/view/node.tag/oid/node.tag/exclude/node.def @@ -0,0 +1 @@ +help: Exclude is optional argument. diff --git a/templates/service/snmp/v3/view/node.tag/oid/node.tag/mask/node.def b/templates/service/snmp/v3/view/node.tag/oid/node.tag/mask/node.def new file mode 100644 index 00000000..bc500afe --- /dev/null +++ b/templates/service/snmp/v3/view/node.tag/oid/node.tag/mask/node.def @@ -0,0 +1,4 @@ +type: txt +help: Defines a bit-mask that is indicating which subidentifiers of the associated subtree OID should be regarded as significant. +syntax:expression: pattern $VAR(@) "^[0-9a-f]{2}([\\.:][0-9a-f]{2})*$" ; \ + "MASK is a list of hex octets, separated by '.' or ':'"
\ No newline at end of file |