From ab587ce0c92b5aeeb26eb678946a7e1faa6f9db1 Mon Sep 17 00:00:00 2001
From: Stephen Hemminger
Date: Wed, 12 May 2010 18:38:48 -0700
Subject: Better version of SNMP IPv6 support

Need to use different syntax for community values on IPv6 versus IPv4
---
 scripts/snmp/vyatta-snmp.pl | 64 +++++++++++++++++++++------------------------
 1 file changed, 30 insertions(+), 34 deletions(-)
(limited to 'scripts/snmp/vyatta-snmp.pl')

diff --git a/scripts/snmp/vyatta-snmp.pl b/scripts/snmp/vyatta-snmp.pl
index 3adb37b7..e3aa3fc1 100644
--- a/scripts/snmp/vyatta-snmp.pl
+++ b/scripts/snmp/vyatta-snmp.pl
@@ -93,6 +93,8 @@ sub snmp_get_constants {
 print "sysDescr Vyatta $version\n";
 print "sysObjectID 1.3.6.1.4.1.30803\n";
 print "sysServices 14\n";
+ print "agentaddress unix:/var/run/snmpd.socket,udp:161,udp6:161\n";
+ print "smuxpeer .1.3.6.1.4.1.3317.1.2.2\n"; # ospfd
 print "smuxpeer .1.3.6.1.4.1.3317.1.2.5\n"; # bgpd
 print "smuxpeer .1.3.6.1.4.1.3317.1.2.3\n"; # ripd
@@ -106,44 +108,38 @@ sub randhex {
 return join "", map { unpack "H*", chr(rand(256)) } 1..($length/2);
 }
+# output snmpd.conf file syntax for community
+sub print_community {
+ my ($config, $community, $type) = @_;
+ $config->setLevel("service snmp $type $community");
+
+ my $auth = $config->returnValue('authorization');
+ $auth = 'ro' unless $auth;
+ $auth .= $type; # rocommunity
+
+ my @address = $config->returnValues('client');
+ push @address, $config->returnValues('network');
+
+ if (@address) {
+ foreach my $addr (@address) {
+ print "$auth $community $addr\n";
+ }
+ } else {
+ print "$auth $community\n";
+ }
+}
+
 sub snmp_get_values {
 my $config = new Vyatta::Config;
- $config->setLevel("service snmp community");
- my @communities = $config->listNodes();
-
+ my @communities = $config->listNodes("service snmp community");
+ foreach my $community (@communities) {
+ print_community($config, $community, 'community');
+ }
+
+ @communities = $config->listNodes("service snmp community6");
 foreach my $community (@communities) {
- my $authorization = $config->returnValue("$community authorization");
- my @clients = $config->returnValues("$community client");
- my @networks = $config->returnValues("$community network");
-
- if (scalar(@clients) == 0 and scalar(@networks) == 0){
- if (defined $authorization and $authorization eq "rw") {
- print "rwcommunity $community\n";
- } else {
- print "rocommunity $community\n";
- }
- } else {
- if (scalar(@clients) != 0) {
- foreach my $client (@clients){
- if (defined $authorization and $authorization eq "rw") {
- print "rwcommunity $community $client\n";
- } else {
- print "rocommunity $community $client\n";
- }
- }
- }
- if (scalar(@networks) != 0){
- foreach my $network (@networks){
- if (defined $authorization and $authorization eq "rw") {
- print "rwcommunity $community $network\n";
- } else {
- print "rocommunity $community $network\n";
- }
-
- }
- }
- }
+ print_community($config, $community, 'community6');
 }
$config->setLevel($snmp_level);
-- cgit v1.2.3

From 496c5f68ebdeb33ca75fac65f0c6f0ae29b781bb Mon Sep 17 00:00:00 2001
From: Stephen Hemminger
Date: Wed, 12 May 2010 20:02:10 -0700
Subject: Allow configuring/restricting SNMP listen address

Add: service snmp listen-address AAAA [port NNN]
---
 scripts/snmp/vyatta-snmp.pl | 50 ++++++++++++++++++++--
 templates/service/snmp/listen-address/node.def | 3 ++
 .../snmp/listen-address/node.tag/port/node.def | 3 ++
 3 files changed, 53 insertions(+), 3 deletions(-)
 create mode 100644 templates/service/snmp/listen-address/node.def
 create mode 100644 templates/service/snmp/listen-address/node.tag/port/node.def
(limited to 'scripts/snmp/vyatta-snmp.pl')

diff --git a/scripts/snmp/vyatta-snmp.pl b/scripts/snmp/vyatta-snmp.pl
index e3aa3fc1..f80a68fd 100644
--- a/scripts/snmp/vyatta-snmp.pl
+++ b/scripts/snmp/vyatta-snmp.pl
@@ -26,6 +26,7 @@ use lib "/opt/vyatta/share/perl5/";
 use Vyatta::Config;
 use Vyatta::Misc;
+use NetAddr::IP;
 use Getopt::Long;
 use File::Copy;
@@ -40,6 +41,7 @@ my $snmp_tmp = "/tmp/snmpd.conf.$$";
 my $snmp_snmpv3_user_conf = '/usr/share/snmp/snmpd.conf';
 my $snmp_snmpv3_createuser_conf = '/var/lib/snmp/snmpd.conf';
 my $versionfile = '/opt/vyatta/etc/version';
+my $local_agent = 'unix:/var/run/snmpd.socket';
 my $snmp_level = 'service snmp';
@@ -60,7 +62,7 @@ sub snmp_start {
 snmp_get_values();
 close $fh;
 select STDOUT;
-
+
 snmp_client_config();
 move($snmp_tmp, $snmp_conf)
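Review bot: `print "$auth $community $addr\n"` in print_community writes the community string unquoted into snmpd.conf, and the only validation of that string visible in this series is the template pattern `"^[^%]+$"` (the community6 node.def removed later in the series), which admits whitespace; because snmpd.conf directives are whitespace-separated, a community containing a space is read by snmpd as a shorter community followed by an unintended source argument, so the access rule written is not the one that was configured. Either tighten the template pattern to reject whitespace or have print_community refuse such names, e.g. `die "$community: community string may not contain whitespace\n" if $community =~ /\s/;` before the first print, and apply the same to the rewritten print_community in commit ebc6b39. A short comment that `$config->setLevel(...)` leaves the shared config object pointed at the community node would also help, since that is why snmp_get_values restores `$snmp_level` afterwards.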
@@ -85,15 +87,57 @@ sub get_version {
 return $version;
 }
+# convert address to snmpd transport syntac
+sub transport_syntax {
+ my ($addr, $port) = @_;
+ my $ip = new NetAddr::IP $addr;
+
+ return "udp:$addr:$port" if ($ip->version == 4);
+ return "udp6:[$addr]:$port" if ($ip->version == 6);
+ die "$addr: unknown protocol address";
+}
+
+sub ipv6_disabled {
+ my $config = new Vyatta::Config;
+ return $config->exists("system ipv6 disable");
+}
+
+# Find SNMP agent listening addresses
+sub get_listen_address {
+ my $config = new Vyatta::Config;
+ my @listen;
+
+ $config->setLevel('service snmp listen-address');
+ my @address = $config->listNodes();
+
+ if(@address) {
+ foreach my $addr (@address) {
+ my $port = $config->returnValue("$addr port");
+ push @listen, transport_syntax($addr, $port);
+ }
+ } else {
+ # default if no address specified
+ @listen = ( 'udp:' );
+ push @listen, 'udp6:' unless ipv6_disabled();
+ return @listen;
+ }
+
+ return @listen;
+}
+
 sub snmp_get_constants {
 my $version = get_version();
 my $now = localtime;
+ my @addr = get_listen_address();
+
+ # add local unix domain target for use by operational commands
+ unshift @addr, $local_agent;
 print "# autogenerated by vyatta-snmp.pl on $now\n";
 print "sysDescr Vyatta $version\n";
 print "sysObjectID 1.3.6.1.4.1.30803\n";
 print "sysServices 14\n";
- print "agentaddress unix:/var/run/snmpd.socket,udp:161,udp6:161\n";
+ print "agentaddress ", join(',',@addr), "\n";
 print "smuxpeer .1.3.6.1.4.1.3317.1.2.2\n"; # ospfd
 print "smuxpeer .1.3.6.1.4.1.3317.1.2.5\n"; # bgpd
@@ -119,7 +163,7 @@ sub print_community {
 my @address = $config->returnValues('client');
 push @address, $config->returnValues('network');
-
+
 if (@address) {
 foreach my $addr (@address) {
 print "$auth $community $addr\n";
diff --git a/templates/service/snmp/listen-address/node.def b/templates/service/snmp/listen-address/node.def
new file mode 100644
index 00000000..f234edc8
--- /dev/null
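Review bot: In get_listen_address, `my $port = $config->returnValue("$addr port")` is handed to transport_syntax unchecked, so if the port node is absent or the template default is not returned at this level the transport string becomes `udp:ADDR:` with an empty port, which snmpd would presumably reject and the whole agentaddress line with it; a fallback such as `my $port = $config->returnValue("$addr port") // 161;` keeps the generated file valid (defined-or needs perl 5.10 or later, which this hunk does not show). The `return @listen;` inside the else branch duplicates the one after it; dropping the inner return leaves a single exit and makes the default branch easier to follow. `new NetAddr::IP $addr` is indirect-object syntax that perl resolves by guesswork; `NetAddr::IP->new($addr)` is the unambiguous form, here and in the transport_syntax and print_community rewrites of commit ebc6b39.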
+++ b/templates/service/snmp/listen-address/node.def
@@ -0,0 +1,3 @@
+tag:
+type: ipv4,ipv6
+help: Set IP address to listen for incoming SNMP requests
diff --git a/templates/service/snmp/listen-address/node.tag/port/node.def b/templates/service/snmp/listen-address/node.tag/port/node.def
new file mode 100644
index 00000000..5a21b1d8
--- /dev/null
+++ b/templates/service/snmp/listen-address/node.tag/port/node.def
@@ -0,0 +1,3 @@
+type: u32
+default: 161
+help: Set port for SNMP service
-- cgit v1.2.3

From ebc6b3916c76ff66f46f708d15194cb28829d066 Mon Sep 17 00:00:00 2001
From: Stephen Hemminger
Date: Fri, 14 May 2010 10:39:13 -0700
Subject: Change SNMP community handling

Allow combination of IPv4 and IPv6 address in community setting. Use script to generate necessary community values in snmpd.conf
---
 scripts/snmp/vyatta-snmp.pl | 55 ++++++++++++----------
 .../snmp/community/node.tag/client/node.def | 2 +-
 .../snmp/community/node.tag/network/node.def | 2 +-
 templates/service/snmp/community6/node.def | 5 --
 .../community6/node.tag/authorization/node.def | 7 ---
 .../snmp/community6/node.tag/client/node.def | 3 --
 .../snmp/community6/node.tag/network/node.def | 4 --
 7 files changed, 33 insertions(+), 45 deletions(-)
 delete mode 100644 templates/service/snmp/community6/node.def
 delete mode 100644 templates/service/snmp/community6/node.tag/authorization/node.def
 delete mode 100644 templates/service/snmp/community6/node.tag/client/node.def
 delete mode 100644 templates/service/snmp/community6/node.tag/network/node.def
(limited to 'scripts/snmp/vyatta-snmp.pl')

diff --git a/scripts/snmp/vyatta-snmp.pl b/scripts/snmp/vyatta-snmp.pl
index f80a68fd..1c86321b 100644
--- a/scripts/snmp/vyatta-snmp.pl
+++ b/scripts/snmp/vyatta-snmp.pl
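Review bot: The new port node.def declares `type: u32` with no range constraint, so a value above 65535 is accepted at commit time and reaches transport_syntax in vyatta-snmp.pl, which interpolates it unchanged into `udp:ADDR:PORT`; snmpd would presumably refuse that agentaddress at start-up, taking the whole service down rather than just the one listener. Add a range check in the template, e.g. `syntax:expression: $VAR(@) >= 1 && $VAR(@) <= 65535; "Port must be between 1 and 65535"`, in the same `syntax:expression:` form the other templates in this series use.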
@@ -87,14 +87,16 @@ sub get_version {
 return $version;
 }
-# convert address to snmpd transport syntac
+# convert address to snmpd transport syntax
 sub transport_syntax {
 my ($addr, $port) = @_;
 my $ip = new NetAddr::IP $addr;
+ die "$addr: not a valid IP address" unless $ip;
- return "udp:$addr:$port" if ($ip->version == 4);
- return "udp6:[$addr]:$port" if ($ip->version == 6);
- die "$addr: unknown protocol address";
+ my $version = $ip->version();
+ return "udp:$addr:$port" if ($version == 4);
+ return "udp6:[$addr]:$port" if ($version == 6);
+ die "$addr: unknown IP version $version";
 }
 sub ipv6_disabled {
@@ -154,22 +156,31 @@ sub randhex {
 # output snmpd.conf file syntax for community
 sub print_community {
- my ($config, $community, $type) = @_;
- $config->setLevel("service snmp $type $community");
-
- my $auth = $config->returnValue('authorization');
- $auth = 'ro' unless $auth;
- $auth .= $type; # rocommunity
-
- my @address = $config->returnValues('client');
- push @address, $config->returnValues('network');
+ my ($config, $community) = @_;
+ my $ro = $config->returnValue('authorization');
+ $ro = 'ro' unless $ro;
+
+ my @clients = $config->returnValues('client');
+ my @networks = $config->returnValues('network');
+
+ my @restriction = (@clients, @networks);
+ if (!@restriction) {
+ print $ro . "community $community\n";
+ print $ro . "community6 $community\n" unless ipv6_disabled();
+ return;
+ }
- if (@address) {
- foreach my $addr (@address) {
- print "$auth $community $addr\n";
+ foreach my $addr (@restriction) {
+ my $ip = new NetAddr::IP $addr;
+ die "$addr: Not a valid IP address" unless $ip;
+
+ if ($ip->version() == 4) {
+ print $ro . "community $community $addr\n";
+ } elsif ($ip->version() == 6) {
+ print $ro . "community6 $community $addr\n";
+ } else {
+ die "$addr: bad IP version ", $ip->version();
 }
- } else {
- print "$auth $community\n";
 }
 }
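Review bot: The restricted branch of print_community emits a `community6` line for every IPv6 client or network regardless of ipv6_disabled(), while the unrestricted branch a few lines above suppresses `community6` when IPv6 is disabled; the two branches should agree, e.g. `next if $ip->version() == 6 && ipv6_disabled();` before the version dispatch, or the difference should be stated in a comment. `$ro` is a misleading name for a variable that holds either 'ro' or 'rw' (`$access` would read honestly), and `$ip->version()` is evaluated up to three times per address where a single `my $version = $ip->version();`, as transport_syntax now does in the hunk above, would do. A header comment saying that the sub reads 'authorization', 'client' and 'network' relative to whatever level the caller has already set on `$config` would make the contract with snmp_get_values explicit.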
@@ -178,12 +189,8 @@ sub snmp_get_values {
 my @communities = $config->listNodes("service snmp community");
 foreach my $community (@communities) {
- print_community($config, $community, 'community');
- }
-
- @communities = $config->listNodes("service snmp community6");
- foreach my $community (@communities) {
- print_community($config, $community, 'community6');
+ $config->setLevel("service snmp community $community");
+ print_community($config, $community);
 }
 $config->setLevel($snmp_level);
diff --git a/templates/service/snmp/community/node.tag/client/node.def b/templates/service/snmp/community/node.tag/client/node.def
index 828faa97..427a9939 100644
--- a/templates/service/snmp/community/node.tag/client/node.def
+++ b/templates/service/snmp/community/node.tag/client/node.def
@@ -1,3 +1,3 @@
 multi:
-type: ipv4
+type: ipv4,ipv6
 help: Set IP address of SNMP client allowed to contact system
diff --git a/templates/service/snmp/community/node.tag/network/node.def b/templates/service/snmp/community/node.tag/network/node.def
index 00a77d4b..4b80a51b 100644
--- a/templates/service/snmp/community/node.tag/network/node.def
+++ b/templates/service/snmp/community/node.tag/network/node.def
@@ -1,4 +1,4 @@
 multi:
-type: ipv4net
+type: ipv4net,ipv6net
 help: Set subnet of SNMP client(s) allowed to contact system
 syntax:expression: exec "/opt/vyatta/sbin/vyatta_quagga_utils.pl --check-prefix-boundry $VAR(@)"
diff --git a/templates/service/snmp/community6/node.def b/templates/service/snmp/community6/node.def
deleted file mode 100644
index 32eb4800..00000000
--- a/templates/service/snmp/community6/node.def
+++ /dev/null
@@ -1,5 +0,0 @@
-tag:
-type: txt
-help: Set community name [REQUIRED]
-syntax:expression: pattern $VAR(@) "^[^%]+$" ; \
- "Community string may not contain %"
diff --git a/templates/service/snmp/community6/node.tag/authorization/node.def b/templates/service/snmp/community6/node.tag/authorization/node.def
deleted file mode 100644
index c8918d43..00000000
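Review bot: network/node.def now accepts `ipv4net,ipv6net` but keeps the unchanged `syntax:expression: exec ".../vyatta_quagga_utils.pl --check-prefix-boundry $VAR(@)"` line, which this page only shows having been applied to ipv4net values; whether that helper understands IPv6 prefixes is not visible here, and if it does not, an IPv6 network will either be rejected at commit or pass through without the boundary check that IPv4 networks get. Worth confirming against the helper before relying on it, and a comment in the template noting that the check covers both families would document the outcome.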
--- a/templates/service/snmp/community6/node.tag/authorization/node.def
+++ /dev/null
@@ -1,7 +0,0 @@
-type: txt
-default: "ro"
-help: Set authorization type (rw or ro) (default: ro)
-syntax:expression: $VAR(@) in "ro", "rw"; "Authorization type must be either rw or ro"
-
-
-
diff --git a/templates/service/snmp/community6/node.tag/client/node.def b/templates/service/snmp/community6/node.tag/client/node.def
deleted file mode 100644
index fddbcb91..00000000
--- a/templates/service/snmp/community6/node.tag/client/node.def
+++ /dev/null
@@ -1,3 +0,0 @@
-multi:
-type: ipv6
-help: Set IPv6 address of SNMP client allowed to contact system
diff --git a/templates/service/snmp/community6/node.tag/network/node.def b/templates/service/snmp/community6/node.tag/network/node.def
deleted file mode 100644
index 266a1bce..00000000
--- a/templates/service/snmp/community6/node.tag/network/node.def
+++ /dev/null
@@ -1,4 +0,0 @@
-multi:
-type: ipv6net
-help: Set subnet of SNMP client(s) allowed to contact system
-syntax:expression: exec "/opt/vyatta/sbin/vyatta_quagga_utils.pl --check-prefix-boundry $VAR(@)"
-- cgit v1.2.3

From 6a88206597a871be376554c010730218bb71dcf9 Mon Sep 17 00:00:00 2001
From: Stephen Hemminger
Date: Fri, 14 May 2010 10:54:29 -0700
Subject: Fix syntax of default listen address

Despite documentation, udp6: is not a valid listen address, need to use udp6:161
---
 scripts/snmp/vyatta-snmp.pl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'scripts/snmp/vyatta-snmp.pl')

diff --git a/scripts/snmp/vyatta-snmp.pl b/scripts/snmp/vyatta-snmp.pl
index 1c86321b..a3be64ad 100644
--- a/scripts/snmp/vyatta-snmp.pl
+++ b/scripts/snmp/vyatta-snmp.pl
@@ -119,8 +119,8 @@ sub get_listen_address {
 }
 } else {
 # default if no address specified
- @listen = ( 'udp:' );
- push @listen, 'udp6:' unless ipv6_disabled();
+ @listen = ( 'udp:161' );
+ push @listen, 'udp6:161' unless ipv6_disabled();
 return @listen;
 }
-- cgit v1.2.3
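Review bot: The literal 161 now appears twice in get_listen_address's default branch and a third time as `default: 161` in listen-address/node.tag/port/node.def, with nothing tying them together, so a future change to one silently diverges from the others; a file-level `my $snmp_port = 161;` beside `$local_agent`, used as `@listen = ("udp:$snmp_port");` and `push @listen, "udp6:$snmp_port" unless ipv6_disabled();`, keeps the script's default in one place. The comment `# default if no address specified` would say more as `# no listen-address configured: listen on the default port on every interface`, since the wildcard bind is the security-relevant consequence of this branch. The rest of get_listen_address lies outside the hunk.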