From 7d451abcc956ce92c6c6dfd6286757ce9da2aaa6 Mon Sep 17 00:00:00 2001 From: John Southworth Date: Wed, 12 Dec 2012 14:34:54 -0800 Subject: revert 918bd40d3e3f238a800b1486f70e2d5ee1d71a72 --- scripts/install-system | 8 +-- scripts/install/install-functions | 7 +- scripts/vyatta-first-login-passwd.sh | 127 ----------------------------------- 3 files changed, 2 insertions(+), 140 deletions(-) delete mode 100755 scripts/vyatta-first-login-passwd.sh (limited to 'scripts') diff --git a/scripts/install-system b/scripts/install-system index 80e58f6c..5dd06256 100755 --- a/scripts/install-system +++ b/scripts/install-system @@ -1094,7 +1094,7 @@ change_password() { local pwd1="1" local pwd2="2" - until [[ "$pwd1" == "$pwd2" && "$pwd1" != "vyatta" ]] + until [[ "$pwd1" == "$pwd2" ]] do read -p "Enter password for user '$user': " -r -s pwd1 <>/dev/tty 2>&0 echo @@ -1108,12 +1108,6 @@ change_password() { if [ "$pwd1" != "$pwd2" ] then echo "Passwords do not match" - continue - fi - if [ "$pwd1" == "vyatta" ] - then - echo "'vyatta' is not a valid password" - continue fi done diff --git a/scripts/install/install-functions b/scripts/install/install-functions index 34ced705..0c2210fb 100755 --- a/scripts/install/install-functions +++ b/scripts/install/install-functions @@ -236,7 +236,7 @@ change_password() { local pwd1="1" local pwd2="2" - until [[ "$pwd1" == "$pwd2" && "$pwd1" != "vyatta" ]]; do + until [[ "$pwd1" == "$pwd2" ]]; do read -p "Enter password for user '$user':" -r -s pwd1 <>/dev/tty 2>&0 echo if [[ "$pwd1" == "" ]]; then @@ -248,12 +248,7 @@ change_password() { if [ "$pwd1" != "$pwd2" ]; then echo "Passwords do not match" - continue fi - if [[ "$pwd1" == "vyatta" ]]; then - echo "'vyatta' is not a vaild password" - continue - fi done # escape any slashes in resulting password diff --git a/scripts/vyatta-first-login-passwd.sh b/scripts/vyatta-first-login-passwd.sh deleted file mode 100755 index 3c7a0995..00000000 
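Review bot: With the loop condition reduced to `until [[ "$pwd1" == "$pwd2" ]]`, change_password in scripts/install-system once again accepts the well-known default credential `vyatta` for the installed system, and the dropped `'vyatta' is not a valid password` branch means the user is not even told; the same applies to the scripts/install/install-functions hunk. If the intent of the revert is only to remove the first-login script and its commit-time check, the installer-side rejection can stay on its own, i.e. keep `until [[ "$pwd1" == "$pwd2" && "$pwd1" != "vyatta" ]]` and the matching `if [ "$pwd1" == "vyatta" ]` branch with its `continue`. The remainder of change_password (the empty-password check and the retype prompt) lies outside these hunks.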
--- a/scripts/vyatta-first-login-passwd.sh +++ /dev/null 
@@ -1,127 +0,0 @@ -#!/bin/bash -trap '' INT KILL - -# don't run as operators -if ! groups | grep -q vyattacfg; then - exit 0 -fi - -# don't run if we've already done this, -# the commit system will handle the invalid password -if [ -e /opt/vyatta/etc/.nofirstpasswd ]; then - exit 0 -fi - -# don't run on livecd installer will do the check -if grep -q -e '^unionfs.*/filesystem.squashfs' /proc/mounts; then - exit 0 -fi - -configdiff=$(cli-shell-api showConfig --show-cfg1 @ACTIVE --show-cfg2 /config/config.boot --show-context-diff) - -API=/bin/cli-shell-api - -session_env=$($API getSessionEnv $PPID) -eval $session_env -$API setupSession - -exit_configure () -{ - $API teardownSession - echo -n 'export -n VYATTA_CONFIG_TMP; ' - echo -n 'export -n VYATTA_CHANGES_ONLY_DIR; ' - echo -n 'export -n VYATTA_ACTIVE_CONFIGURATION_DIR; ' - echo -n 'export -n VYATTA_TEMPLATE_LEVEL; ' - echo -n 'export -n VYATTA_CONFIG_TEMPLATE; ' - echo -n 'export -n VYATTA_TEMP_CONFIG_DIR; ' - echo -n 'export -n VYATTA_EDIT_LEVEL; ' -} - -set () -{ - /opt/vyatta/sbin/my_set $* -} - -commit () -{ - /opt/vyatta/sbin/my_commit "$@" -} - -save () -{ - # do this the same way that vyatta-cfg does it - local save_cmd=/opt/vyatta/sbin/vyatta-save-config.pl - eval "sudo sg vyattacfg \"umask 0002 ; $save_cmd\"" -} - -show () -{ - $API showCfg "$@" -} - -change_password() { - local user=$1 - local pwd1="1" - local pwd2="2" - - echo "Invalid password detected for user $user" - echo "Please enter a new password" - until [[ "$pwd1" == "$pwd2" && "$pwd1" != "vyatta" ]]; do - read -p "Enter $user password:" -r -s pwd1 <>/dev/tty 2>&0 - echo - if [[ "$pwd1" == "" ]]; then - echo "'' is not a valid password" - continue - fi - read -p "Retype $user password:" -r -s pwd2 <>/dev/tty 2>&0 - echo - - if [[ "$pwd1" != "$pwd2" ]]; then - echo "Passwords do not match" - continue - fi - if [[ "$pwd1" == "vyatta" ]]; then - echo "'vyatta' is not a vaild password" - continue - fi - done - - # escape any slashes in resulting 
password - local epwd=$(mkpasswd -H md5 "$pwd1" | sed 's:/:\\/:g') - set system login user $user authentication plaintext-password "$pwd1" -} - -dpwd='"*"' -for user in $($API listEffectiveNodes system login user); do - user=${user//\'/} - epwd=$(show system login user $user authentication encrypted-password) - epwd=$(awk '{ print $2 }' <<<$epwd) - # check for old unsalted default password string. - if [[ $epwd == '$1$$Ht7gBYnxI1xCdO/JOnodh.' ]]; then - change_password $user - continue - fi - if [[ $epwd != $dpwd ]]; then - salt=$(awk 'BEGIN{ FS="$" }; { print $3 }' <<<$epwd) - if [[ $salt == '' ]];then - continue - fi - vyatta_epwd=$(mkpasswd -H md5 -S $salt vyatta) - if [[ $epwd == $vyatta_epwd ]]; then - change_password $user - fi - fi -done - -if $API sessionChanged; then - commit - if [[ -z $configdiff ]] ; then - save - else - echo "Warning: potential configuration issues exist." - echo "User passwords have been updated but the configuration has not been saved." - echo "Please review and validate the running configuration before saving." - fi -fi -eval $(exit_configure) -sudo touch /opt/vyatta/etc/.nofirstpasswd -- cgit v1.2.3 From f62565d998f5ed5f85f91a00f5dbf0db9792205c Mon Sep 17 00:00:00 2001 From: Saurabh Mohan Date: Wed, 26 Dec 2012 15:29:57 -0800 Subject: mgre support initial commit. --- scripts/vyatta-tunnel-cleanup | 3 +++ templates/interfaces/tunnel/node.def | 31 +++++++++++++++------- .../interfaces/tunnel/node.tag/address/node.def | 2 +- .../tunnel/node.tag/encapsulation/node.def | 25 +++++++++++++++-- .../interfaces/tunnel/node.tag/local-ip/node.def | 4 +-- .../tunnel/node.tag/parameters/ip/key/node.def | 4 +-- .../tunnel/node.tag/parameters/ip/tos/node.def | 4 +-- .../tunnel/node.tag/parameters/ip/ttl/node.def | 4 +-- .../interfaces/tunnel/node.tag/remote-ip/node.def | 6 ++--- 9 files changed, 60 insertions(+), 23 deletions(-) (limited to 'scripts') 
diff --git a/scripts/vyatta-tunnel-cleanup b/scripts/vyatta-tunnel-cleanup index 979fb7bd..af73bc04 100755 --- a/scripts/vyatta-tunnel-cleanup +++ b/scripts/vyatta-tunnel-cleanup @@ -26,6 +26,9 @@ my %tunnel; foreach my $tun ( $config->listEffectiveNodes() ) { my $mode = $config->returnEffectiveValue("$tun encapsulation"); next if ($interface eq $tun); # don't count the one being deleted + if ($mode eq "gre-multipoint") { + $mode = "gre"; + } $tunnel{$mode} = 1; } diff --git a/templates/interfaces/tunnel/node.def b/templates/interfaces/tunnel/node.def index 85bed6ac..7490f336 100644 --- a/templates/interfaces/tunnel/node.def +++ b/templates/interfaces/tunnel/node.def @@ -8,17 +8,18 @@ syntax:expression: pattern $VAR(@) "^tun[0-9]+$" \ commit:expression: $VAR(./local-ip/) != "" ; \ "Must configure the tunnel local-ip for $VAR(@)" -commit:expression: $VAR(./remote-ip/) != "" ; \ - "Must configure the tunnel remote-ip for $VAR(@)" commit:expression: $VAR(./encapsulation/) != "" ; \ "Must configure the tunnel encapsulation for $VAR(@)" create: + if [ "$VAR(./encapsulation/@)" == "gre-multipoint" ]; then + sudo invoke-rc.d opennhrp.init start; + fi if [ x$VAR(./multicast/@) == xenable ]; then MC="multicast on allmulticast on"; fi case "$VAR(./encapsulation/@)" in - "gre" | "ipip" | "sit") + "gre" | "ipip" | "sit" | "gre-multipoint") if [ -n "$VAR(./parameters/ip/bridge-group/)" ] ; then echo "interfaces tunnel $VAR(@): Tunnel encapsulation type must be gre-bridge if a bridge group is defined"; exit 1; 
@@ -29,8 +30,15 @@ create: if [ -n "$VAR(./parameters/ip/key/@)" ]; then KEY="key $VAR(./parameters/ip/key/@)"; fi - ip tunnel add $VAR(@) local $VAR(./local-ip/@) remote $VAR(./remote-ip/@) mode $VAR(./encapsulation/@) $KEY $TTL || - echo "interfaces tunnel $VAR(@): error creating tunnel interface" + if [ "$VAR(./encapsulation/@)" == "gre-multipoint" ]; then + ip tunnel add $VAR(@) local $VAR(./local-ip/@) mode gre $KEY $TTL + else + ip tunnel add $VAR(@) local $VAR(./local-ip/@) remote $VAR(./remote-ip/@) mode $VAR(./encapsulation/@) $KEY $TTL + fi + if [ -z "`ip tun sh | grep $VAR(@)`" ]; then + echo interfaces tunnel $VAR(@): error creating tunnel interface + exit 1 + fi ;; "gre-bridge") ip link add $VAR(@) type gretap local $VAR(./local-ip/@) remote $VAR(./remote-ip/@) || @@ -53,10 +61,15 @@ delete: ip link delete $VAR(@) ;; "ipip6" | "ip6ip6") ip -6 tunnel del $VAR(@) mode $VAR(./encapsulation/@);; + "gre-multipoint") + ip tunnel del $VAR(@) mode gre;; esac -end: -if [ "${COMMIT_ACTION}" == DELETE ]; then - /opt/vyatta/sbin/vyatta-tunnel-cleanup $VAR(@) -fi +end: + if [ "${COMMIT_ACTION}" == DELETE ]; then + /opt/vyatta/sbin/vyatta-tunnel-cleanup $VAR(@) + fi + if [ -e /opt/vyatta/sbin/vyatta-update-nhrp.pl ]; then + sudo /opt/vyatta/sbin/vyatta-update-nhrp.pl --tun "$VAR(@)" --commit_tun; + fi diff --git a/templates/interfaces/tunnel/node.tag/address/node.def b/templates/interfaces/tunnel/node.tag/address/node.def index 04612379..539f7509 100644 --- a/templates/interfaces/tunnel/node.tag/address/node.def +++ b/templates/interfaces/tunnel/node.tag/address/node.def @@ -1,7 +1,7 @@ multi: type: ipv4net,ipv6net val_help: ipv4net; IPv4 address and prefix length -val_help: ipv6net; IPv6 address and prefix length +val_help: ipv6net; IPv6 address and prefix length [NOTICE: unavailable for gre-multipoint encapsulation] help: IP address syntax:expression: exec "/opt/vyatta/sbin/valid_address $VAR(@)" 
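Review bot: The new failure check `if [ -z "`ip tun sh | grep $VAR(@)`" ]` is a substring match, so when `ip tunnel add tun1` fails while a tun10 or tun11 already exists the listing is non-empty and the error is never reported; the replaced form at least reacted to the exit status of `ip tunnel add` itself. Keep the `||` on both `ip tunnel add` branches (now followed by `exit 1`), or if the listing is kept anchor it on the interface name as `ip tunnel show` prints it, `grep -q "^$VAR(@):"`. The enclosing create: action starts before and continues after this hunk.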
diff --git a/templates/interfaces/tunnel/node.tag/encapsulation/node.def b/templates/interfaces/tunnel/node.tag/encapsulation/node.def index b0df7a10..bb93e373 100644 --- a/templates/interfaces/tunnel/node.tag/encapsulation/node.def +++ b/templates/interfaces/tunnel/node.tag/encapsulation/node.def @@ -1,8 +1,28 @@ type: txt help: Encapsulation of this tunnel interface [REQUIRED] -syntax:expression: $VAR(@) in "ipip", "gre", "sit", "gre-bridge", "ipip6", "ip6ip6"; "Must be (ipip, gre, gre-bridge, sit, ipip6, ip6ip6)" -allowed: echo gre gre-bridge ipip sit ipip6 ip6ip6 +syntax:expression: $VAR(@) in "ipip", "gre", "sit", "gre-bridge", "ipip6", "ip6ip6", "gre-multipoint"; "Must be (ipip, gre, gre-bridge, gre-multipoint, sit, ipip6, ip6ip6)" + +allowed: echo gre gre-bridge ipip sit ipip6 ip6ip6 gre-multipoint + +commit:expression: (!(pattern $VAR(../local-ip/@) ".*:.*") && $VAR(@) == "gre-multipoint") || \ + $VAR(@) != "gre-multipoint"; "IPv6 local-ip ($VAR(../local-ip/@)) is forbidden for gre-multipoint encapsulation type." + +commit:expression: (!(pattern $VAR(../address/@@) ".*:.*") && $VAR(@) == "gre-multipoint") || \ + $VAR(@) != "gre-multipoint"; "IPv6 addresses ($VAR(../address/@@)) are forbidden for gre-multipoint encapsulation type." + +commit:expression: +exec " + if [ $VAR(@) == gre-multipoint ] && [ -n \"$VAR(../remote-ip/)\" ]; then \ + echo \"Remote-ip shouldn't be set for mGRE mode for $VAR(../@)\"; \ + exit 1; \ + fi; \ + if [ $VAR(@) != gre-multipoint ] && [ ! -n \"$VAR(../remote-ip/)\" ]; then \ + echo \"Must configure the tunnel remote-ip for $VAR(../@)\"; \ + exit 1; \ + fi; + + exit 0" create:expression: "true" update:expression: "false" ; \ 
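Review bot: In the exec commit:expression, `[ ! -n \"$VAR(../remote-ip/)\" ]` is a double negative and `==` inside `[ ]` is not a POSIX test operator; `[ -z \"$VAR(../remote-ip/)\" ]` and `=` express the same checks without depending on which shell evaluates the expression. `$VAR(@)` is unquoted in both tests, which is safe only because the syntax:expression on this node restricts it to the enumerated names; quoting it as `\"$VAR(@)\"` costs nothing. Note that the remote-ip requirement removed from templates/interfaces/tunnel/node.def in the earlier hunk is now enforced solely by this expression.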
@@ -10,6 +30,7 @@ update:expression: "false" ; \ val_help: gre; Generic Routing Encapsulation val_help: gre-bridge; Generic Routing Encapsulation bridge interface +val_help: gre-multipoint; Multipoint Generic Routing Encapsulation val_help: ipip; IP in IP encapsulation val_help: sit; Simple Internet Transition encapsulation val_help: ipip6; IP in IP6 encapsulation diff --git a/templates/interfaces/tunnel/node.tag/local-ip/node.def b/templates/interfaces/tunnel/node.tag/local-ip/node.def index e393f35c..4176fc31 100644 --- a/templates/interfaces/tunnel/node.tag/local-ip/node.def +++ b/templates/interfaces/tunnel/node.tag/local-ip/node.def @@ -1,7 +1,7 @@ type: ipv4, ipv6 help: Local IP address for this tunnel [REQUIRED] val_help: ipv4; Local IPv4 address for this tunnel [REQUIRED] -val_help: ipv6; Local IPv6 address for this tunnel [REQUIRED] +val_help: ipv6; Local IPv6 address for this tunnel [REQUIRED] [NOTICE: unavailable for gre-multipoint encapsulation] update:if ! /opt/vyatta/sbin/local_ip $VAR(@) then @@ -11,7 +11,7 @@ update:if ! /opt/vyatta/sbin/local_ip $VAR(@) case "$VAR(../encapsulation/@)" in "gre-bridge") ;; - "gre" | "ipip" | "sit") + "gre" | "gre-multipoint" | "ipip" | "sit") sudo ip tunnel cha $VAR(../@) local $VAR(@) ;; "ipip6" | "ip6ip6") diff --git a/templates/interfaces/tunnel/node.tag/parameters/ip/key/node.def b/templates/interfaces/tunnel/node.tag/parameters/ip/key/node.def index b9ed181e..a6ba8708 100644 --- a/templates/interfaces/tunnel/node.tag/parameters/ip/key/node.def +++ b/templates/interfaces/tunnel/node.tag/parameters/ip/key/node.def @@ -10,8 +10,8 @@ syntax:expression: exec " \ exit 1 ; \ fi ; " -commit:expression: $VAR(../../../encapsulation/@) in "gre" ; \ - "Key only valid for GRE for $VAR(../../../@)" +commit:expression: $VAR(../../../encapsulation/@) in "gre", "gre-multipoint" ; \ + "Key only valid for GRE/GRE-MULTIPOINT for $VAR(../../../@)" create:expression: "true" update:expression: "false" ; \ 
diff --git a/templates/interfaces/tunnel/node.tag/parameters/ip/tos/node.def b/templates/interfaces/tunnel/node.tag/parameters/ip/tos/node.def index c784e512..32080dce 100644 --- a/templates/interfaces/tunnel/node.tag/parameters/ip/tos/node.def +++ b/templates/interfaces/tunnel/node.tag/parameters/ip/tos/node.def @@ -3,8 +3,8 @@ help: Type of Service (TOS) syntax:expression: $VAR(@) >= 0 && $VAR(@) <= 99; "Must be between 0-99" val_help: u32:0-99; Type Of Service (TOS) -commit:expression: $VAR(../../../encapsulation/@) in "gre", "sit", "ipip" ; \ - "tunnel encapsulation must be GRE, SIT or IPIP" +commit:expression: $VAR(../../../encapsulation/@) in "gre", "gre-multipoint", "sit", "ipip" ; \ + "tunnel encapsulation must be GRE, GRE-MULTIPOINT, SIT or IPIP" update: ip tunnel change $VAR(../../../@) tos $VAR(@) delete: ip tunnel change $VAR(../../../@) tos inherit diff --git a/templates/interfaces/tunnel/node.tag/parameters/ip/ttl/node.def b/templates/interfaces/tunnel/node.tag/parameters/ip/ttl/node.def index 24d27104..3bb2ec72 100644 --- a/templates/interfaces/tunnel/node.tag/parameters/ip/ttl/node.def +++ b/templates/interfaces/tunnel/node.tag/parameters/ip/ttl/node.def @@ -3,8 +3,8 @@ help: Time to live field val_help: u32:0-255; Time to live (default 255) syntax:expression: $VAR(@) >= 0 && $VAR(@) <= 255; "Must be between 0-255" -commit:expression: $VAR(../../../encapsulation/@) in "gre", "sit", "ipip" ; \ - "tunnel encapsulation must be GRE, SIT or IPIP" +commit:expression: $VAR(../../../encapsulation/@) in "gre", "gre-multipoint", "sit", "ipip" ; \ + "tunnel encapsulation must be GRE, GRE-MULTIPOINT, SIT or IPIP" update:sudo ip tunnel change $VAR(../../../@) ttl $VAR(@) delete:sudo ip tunnel change $VAR(../../../@) ttl inherit diff --git a/templates/interfaces/tunnel/node.tag/remote-ip/node.def b/templates/interfaces/tunnel/node.tag/remote-ip/node.def index 1ce6c789..eb4694c6 100644 --- a/templates/interfaces/tunnel/node.tag/remote-ip/node.def 
+++ b/templates/interfaces/tunnel/node.tag/remote-ip/node.def @@ -1,7 +1,7 @@ type: ipv4, ipv6 -help: Remote IP address for this tunnel [REQUIRED] -val_help: ipv4; Remote IPv4 address for this tunnel [REQUIRED] -val_help: ipv6; Remote IPv6 address for this tunnel [REQUIRED] +help: Remote IP address for this tunnel [REQUIRED for all encapsulation types except gre-multipoint] +val_help: ipv4; Remote IPv4 address for this tunnel [REQUIRED for all encapsulation types except gre-multipoint] +val_help: ipv6; Remote IPv6 address for this tunnel [REQUIRED for all encapsulation types except gre-multipoint] update:case "$VAR(../encapsulation/@)" in "gre-bridge") -- cgit v1.2.3 From 2dd6be60ba0b888d138292f5ccec3bacfc5d4949 Mon Sep 17 00:00:00 2001 From: James Davidson Date: Tue, 8 Jan 2013 14:54:19 -0800 Subject: Bug 7856: Set default neighbour table size to 8192 Also increase the max allowed value to 32768. --- scripts/vyatta-update-arp-params | 81 ++++++++-------------- templates/system/ip/arp/table-size/node.def | 7 +- templates/system/ipv6/neighbor/table-size/node.def | 7 +- 3 files changed, 32 insertions(+), 63 deletions(-) (limited to 'scripts') diff --git a/scripts/vyatta-update-arp-params b/scripts/vyatta-update-arp-params index 094d0751..36275731 100755 --- a/scripts/vyatta-update-arp-params +++ b/scripts/vyatta-update-arp-params 
@@ -35,29 +35,37 @@ print_usage() echo -e "\t$0 delete " } +set_table_thresholds() { + local ip_type=$1 + local arp_value=$2 + local softmax=$((arp_value / 2)); + local min=$((arp_value / 8)); + sudo sysctl -q net.$ip_type.neigh.default.gc_thresh3=$arp_value + sudo sysctl -q net.$ip_type.neigh.default.gc_thresh2=$softmax + sudo sysctl -q net.$ip_type.neigh.default.gc_thresh1=$min +} + syntax_arp_param () { - arp_type=$1 - arp_value=$2 - ip_type=$3 + local arp_type=$1 + local arp_value=$2 + local ip_type=$3 case "$arp_type" in - table-size) - allowed_values=(1024 2048 4096 8192 16384) - allowed_values_len=${#allowed_values[*]} - i=0 - while [ $i -lt $allowed_values_len ]; do - if [ "${allowed_values[$i]}" == "$arp_value" ] ; then - exit 0 - fi - let i++ + table-size) + local allowed_values=(1024 2048 4096 8192 16384 32768) + local i + for i in ${allowed_values[@]}; do + if [[ "$i" == "$arp_value" ]]; then + exit 0 + fi done - echo "Allowed values for ARP table-size - 1024 2048 4096 8192 16384" + echo "Allowed values for ARP table-size - ${allowed_values[*]}" exit 1 ;; - *) + *) echo Invalid arp parameter $arp_type to set exit 1 ;; 
@@ -66,40 +74,16 @@ syntax_arp_param () update_arp_param () { - arp_type=$1 - arp_value=$2 - ip_type=$3 - - case "$arp_type" in - - table-size) - let softmax=$arp_value\/2; - let min=$arp_value\/8; - sudo sysctl -q net.$ip_type.neigh.default.gc_thresh3=$arp_value - sudo sysctl -q net.$ip_type.neigh.default.gc_thresh2=$softmax - sudo sysctl -q net.$ip_type.neigh.default.gc_thresh1=$min - ;; - - *) - echo Invalid arp parameter $arp_type to update - ;; - esac -} - -delete_arp_param () -{ - arp_type=$1 - ip_type=$2 - + local arp_type=$1 + local arp_value=$2 + local ip_type=$3 case "$arp_type" in - table-size) - sudo sysctl -q net.$ip_type.neigh.default.gc_thresh3=1024 - sudo sysctl -q net.$ip_type.neigh.default.gc_thresh2=512 - sudo sysctl -q net.$ip_type.neigh.default.gc_thresh1=128 + table-size) + set_table_thresholds $ip_type $arp_value ;; - *) + *) echo Invalid arp parameter $arp_type to update ;; esac @@ -126,15 +110,6 @@ case "$1" in update_arp_param $2 $3 $4 ;; - delete) - if [ $# -ne 3 ]; then - print_usage - exit 1 - fi - delete_arp_param $2 $3 - ;; - - *) print_usage exit 1 diff --git a/templates/system/ip/arp/table-size/node.def b/templates/system/ip/arp/table-size/node.def index bdeea371..b4d0a9e3 100644 --- a/templates/system/ip/arp/table-size/node.def +++ b/templates/system/ip/arp/table-size/node.def @@ -2,9 +2,9 @@ help: Maximum number of entries to keep in the ARP cache type: u32 -default: 1024 +default: 8192 -allowed: echo "1024 2048 4096 8192 16384" +allowed: echo "1024 2048 4096 8192 16384 32768" syntax:expression: exec " \ /opt/vyatta/sbin/vyatta-update-arp-params \ @@ -12,6 +12,3 @@ syntax:expression: exec " \ update: /opt/vyatta/sbin/vyatta-update-arp-params 'update' 'table-size' '$VAR(@)' 'ipv4' - -delete: - /opt/vyatta/sbin/vyatta-update-arp-params 'delete' 'table-size' 'ipv4' diff --git a/templates/system/ipv6/neighbor/table-size/node.def b/templates/system/ipv6/neighbor/table-size/node.def index cf4d066d..0ea4816e 100644 
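Review bot: `set_table_thresholds` ignores the exit status of each `sudo sysctl -q ...`, so a rejected value or a missing sudo rule leaves gc_thresh1..3 partially applied with no message and the commit still succeeds; appending `|| { echo "failed to set $ip_type neighbour table size"; exit 1; }` to each call, or at least to the gc_thresh3 line, surfaces it. The allowed list is now spelled once as `local allowed_values=(1024 2048 4096 8192 16384 32768)` and again in the `allowed:` line of both table-size node.def files, which will drift the next time a value is added; a single source (for example an `allowed` mode in this script that the templates call) avoids that. The trailing `;` on the `local softmax` and `local min` lines is harmless but inconsistent with the rest of the function.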
--- a/templates/system/ipv6/neighbor/table-size/node.def +++ b/templates/system/ipv6/neighbor/table-size/node.def @@ -2,9 +2,9 @@ help: Maximum number of entries to keep in the Neighbor cache type: u32 -default: 1024 +default: 8192 -allowed: echo "1024 2048 4096 8192 16384" +allowed: echo "1024 2048 4096 8192 16384 32768" syntax:expression: exec " \ /opt/vyatta/sbin/vyatta-update-arp-params \ @@ -12,6 +12,3 @@ syntax:expression: exec " \ update: /opt/vyatta/sbin/vyatta-update-arp-params 'update' 'table-size' '$VAR(@)' 'ipv6' - -delete: - /opt/vyatta/sbin/vyatta-update-arp-params 'delete' 'table-size' 'ipv6' -- cgit v1.2.3 From 318f4cd607204b98b323824127b3d969b41a8b86 Mon Sep 17 00:00:00 2001 From: Saurabh Mohan Date: Tue, 22 Jan 2013 12:30:17 -0800 Subject: Dmvpn merge with mirantis jan22-2013 --- Makefile.am | 1 + scripts/vyatta-encapsulation | 12 ++++++++++++ templates/interfaces/tunnel/node.tag/encapsulation/node.def | 6 +++--- 3 files changed, 16 insertions(+), 3 deletions(-) create mode 100644 scripts/vyatta-encapsulation (limited to 'scripts') diff --git a/Makefile.am b/Makefile.am index 8329e30b..5ac51967 100644 --- a/Makefile.am +++ b/Makefile.am @@ -72,6 +72,7 @@ sbin_SCRIPTS += scripts/vyatta-bridge.pl sbin_SCRIPTS += scripts/vyatta-bridgegroup-depedency.pl sbin_SCRIPTS += scripts/vyatta-dhcpv6-client.pl sbin_SCRIPTS += scripts/vyatta-update-grub.pl +sbin_SCRIPTS += scripts/vyatta-encapsulation sbin_PROGRAMS = src/valid_address sbin_PROGRAMS += src/local_ip diff --git a/scripts/vyatta-encapsulation b/scripts/vyatta-encapsulation new file mode 100644 index 00000000..8c64341e --- /dev/null +++ b/scripts/vyatta-encapsulation 
@@ -0,0 +1,12 @@ +#!/bin/sh + +list="gre gre-bridge ipip sit ipip6 ip6ip6" +if [[ `dpkg -l | grep "vyatta-nhrp" | awk '{print $1}'` = "ii" ]]; then tmp="gre-multipoint"; fi +full_list="${list} ${tmp}" +if [[ -n "$1" ]]; then + for f in ${full_list}; do if [[ "$1" = "$f" ]]; then exit 0; fi; done + echo "Must be (${full_list})" + exit 1; +else + echo ${full_list} +fi diff --git a/templates/interfaces/tunnel/node.tag/encapsulation/node.def b/templates/interfaces/tunnel/node.tag/encapsulation/node.def index bb93e373..b858147c 100644 --- a/templates/interfaces/tunnel/node.tag/encapsulation/node.def +++ b/templates/interfaces/tunnel/node.tag/encapsulation/node.def @@ -1,9 +1,9 @@ type: txt help: Encapsulation of this tunnel interface [REQUIRED] -syntax:expression: $VAR(@) in "ipip", "gre", "sit", "gre-bridge", "ipip6", "ip6ip6", "gre-multipoint"; "Must be (ipip, gre, gre-bridge, gre-multipoint, sit, ipip6, ip6ip6)" +syntax:expression: ((pattern $VAR(@) "^[-a-zA-Z0-9_]+$") && (exec "sudo /opt/vyatta/sbin/vyatta-encapsulation $VAR(@)")) -allowed: echo gre gre-bridge ipip sit ipip6 ip6ip6 gre-multipoint +allowed: sudo /opt/vyatta/sbin/vyatta-encapsulation commit:expression: (!(pattern $VAR(../local-ip/@) ".*:.*") && $VAR(@) == "gre-multipoint") || \ $VAR(@) != "gre-multipoint"; "IPv6 local-ip ($VAR(../local-ip/@)) is forbidden for gre-multipoint encapsulation type." @@ -30,7 +30,7 @@ update:expression: "false" ; \ val_help: gre; Generic Routing Encapsulation val_help: gre-bridge; Generic Routing Encapsulation bridge interface -val_help: gre-multipoint; Multipoint Generic Routing Encapsulation +val_help: gre-multipoint; Multipoint Generic Routing Encapsulation(allowed if the package vyatta-nhrp installed) val_help: ipip; IP in IP encapsulation val_help: sit; Simple Internet Transition encapsulation val_help: ipip6; IP in IP6 encapsulation -- cgit v1.2.3 From a2b2ce86df549560ee4438e92a8663c0a0706b82 Mon Sep 17 00:00:00 2001 
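Review bot: The new script is declared `#!/bin/sh` but every test uses `[[ ... ]]`, which plain POSIX sh (dash on Debian-based systems, as I would expect here) does not provide; each `[[` then fails as a missing command, the `if [[ -n "$1" ]]` branch is skipped, and the script prints the list and exits 0 for any argument, so the syntax:expression that calls it with `$VAR(@)` accepts any value matching `^[-a-zA-Z0-9_]+$`. Either switch the shebang to `#!/bin/bash` or use `[ ]`. Independently, `dpkg -l | grep "vyatta-nhrp" | awk '{print $1}'` matches any package whose name or description contains that string and can emit several status fields; `dpkg-query -W -f='${Status}' vyatta-nhrp` asks for exactly the package of interest. A POSIX rewrite follows.
```shell
#!/bin/sh
# POSIX sh only: /bin/sh may be dash, which has no [[ ]].
list="gre gre-bridge ipip sit ipip6 ip6ip6"
tmp=""
if dpkg-query -W -f='${Status}' vyatta-nhrp 2>/dev/null | grep -q "install ok installed"; then
    tmp="gre-multipoint"
fi
full_list="${list} ${tmp}"
if [ -n "$1" ]; then
    for f in ${full_list}; do
        if [ "$1" = "$f" ]; then exit 0; fi
    done
    echo "Must be (${full_list})"
    exit 1
else
    echo ${full_list}
fi
```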
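Review bot: The encapsulation node.def hunk runs the helper as `exec "sudo /opt/vyatta/sbin/vyatta-encapsulation $VAR(@)"` and `allowed: sudo /opt/vyatta/sbin/vyatta-encapsulation`, but the script only queries dpkg status and needs no privilege, so the `sudo` widens what a configuration-level user can run as root for no benefit. Dropping `sudo` from both lines, `exec "/opt/vyatta/sbin/vyatta-encapsulation $VAR(@)"` and `allowed: /opt/vyatta/sbin/vyatta-encapsulation`, keeps the check working; the `pattern $VAR(@) "^[-a-zA-Z0-9_]+$"` guard in front of the exec is good and should stay regardless.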
From: James Davidson Date: Tue, 29 Jan 2013 09:50:46 -0800 Subject: Add ability to restart services when hostname changes Currently only restart rsyslog but more can be added as needed. Fixes bug 8237. --- scripts/system/vyatta_update_hosts.pl | 20 ++++++++++++++++++-- templates/system/domain-name/node.def | 4 ++-- 2 files changed, 20 insertions(+), 4 deletions(-) (limited to 'scripts') diff --git a/scripts/system/vyatta_update_hosts.pl b/scripts/system/vyatta_update_hosts.pl index 7c8bc8e6..22b141ab 100755 --- a/scripts/system/vyatta_update_hosts.pl +++ b/scripts/system/vyatta_update_hosts.pl @@ -13,7 +13,7 @@ # General Public License for more details. # # This code was originally developed by Vyatta, Inc. -# Portions created by Vyatta are Copyright (C) 2012 Vyatta, Inc. +# Portions created by Vyatta are Copyright (C) 2012-2013 Vyatta, Inc. # All Rights Reserved. # # Description: @@ -24,16 +24,19 @@ # use strict; +use English; use lib "/opt/vyatta/share/perl5/"; use File::Temp qw(tempfile); use Vyatta::File qw(touch); use Vyatta::Config; +use Getopt::Long; my $HOSTS_CFG = '/etc/hosts'; my $HOSTS_TMPL = "/tmp/hosts.XXXXXX"; my $HOSTNAME_CFG = '/etc/hostname'; my $MAILNAME_CFG = '/etc/mailname'; +my $restart_services = 1; sub set_hostname { my ( $hostname ) = @_; @@ -52,6 +55,13 @@ sub set_mailname { close ($f); } +if ($EUID != 0) { + printf("This program must be run by root.\n"); + exit 1; +} + +GetOptions("restart-services!" => \$restart_services); + my $vc = new Vyatta::Config(); $vc->setLevel('system'); @@ -91,8 +101,14 @@ print $out $hosts_line; close ($in); close ($out); -system("sudo cp $tempname $HOSTS_CFG") == 0 +system("cp $tempname $HOSTS_CFG") == 0 or die "Can't copy $tempname to $HOSTS_CFG: $!"; set_hostname $host_name; set_mailname $mail_name; + +# Restart services that use the system hostname; +# add more ase needed. +if ($restart_services) { + system("invoke-rc.d rsyslog restart"); +} 
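Review bot: The return value of `GetOptions("restart-services!" => \$restart_services);` is not checked, so an unrecognised flag only produces a warning on stderr and the script continues with the default `$restart_services = 1` and restarts rsyslog anyway; `GetOptions("restart-services!" => \$restart_services) or die "usage: $0 [--no-restart-services]\n";` makes a caller mistake fail visibly. In the last hunk, `system("cp $tempname $HOSTS_CFG")` still goes through the shell although both operands are program-controlled paths; the list form `system('cp', $tempname, $HOSTS_CFG) == 0` avoids the shell entirely and is consistent with the surrounding `or die`. The result of `system("invoke-rc.d rsyslog restart")` is discarded; a `== 0 or warn "rsyslog restart failed: $?"` keeps a failed restart from passing silently, and the comment typo `ase` should read `as`.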
diff --git a/templates/system/domain-name/node.def b/templates/system/domain-name/node.def index 429fd47f..5ea44f32 100644 --- a/templates/system/domain-name/node.def +++ b/templates/system/domain-name/node.def @@ -6,7 +6,7 @@ help: System domain name syntax:expression: exec "/opt/vyatta/sbin/vyatta_check_domainname.pl $VAR(../host-name).$VAR(@)" update: sudo /opt/vyatta/sbin/vyatta_update_resolv.pl - sudo /opt/vyatta/sbin/vyatta_update_hosts.pl + sudo /opt/vyatta/sbin/vyatta_update_hosts.pl --no-restart-services delete: sudo /opt/vyatta/sbin/vyatta_update_resolv.pl - sudo /opt/vyatta/sbin/vyatta_update_hosts.pl \ No newline at end of file + sudo /opt/vyatta/sbin/vyatta_update_hosts.pl --no-restart-servces \ No newline at end of file -- cgit v1.2.3 From 65c77d40bd43a20974f0d8556b80ec1f9bc7b9e9 Mon Sep 17 00:00:00 2001 From: James Davidson Date: Wed, 6 Feb 2013 14:48:21 -0800 Subject: Skip biosdevname if running in Xen Bug 8676 biosdevname does not behave well on Xen so simply skip it when running in Xen. (cherry picked from commit dc53d09decae1cd8098ee92c7c1dab72dc80ae50) --- scripts/vyatta_net_name | 3 +++ 1 file changed, 3 insertions(+) (limited to 'scripts') diff --git a/scripts/vyatta_net_name b/scripts/vyatta_net_name index ade77623..3df23adf 100755 --- a/scripts/vyatta_net_name +++ b/scripts/vyatta_net_name @@ -85,6 +85,9 @@ sub biosdevname { # biosdevname works only on ethernet devices return $ifname unless ($ifname =~ /^eth/); + # Don't use biosdevname in Xen + return $ifname if ( -d "/proc/xen" ); + # Let the interface name changes ordered by previous invocations of this # script complete before we call biosdevname. If we don't, biosdevame # may generate incorrect name. -- cgit v1.2.3 From 1d917be739f1db7b1ff1d26a0238322d7fd475c5 Mon Sep 17 00:00:00 2001 
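Review bot: In the delete: action the new flag is misspelled as `--no-restart-servces`; it is not a prefix of `no-restart-services`, so Getopt::Long reports it as unknown, vyatta_update_hosts.pl keeps its default `$restart_services = 1`, and deleting the domain-name restarts rsyslog while updating it does not, the opposite of what the matching update: line intends. The line should read `sudo /opt/vyatta/sbin/vyatta_update_hosts.pl --no-restart-services`. The file also still ends without a trailing newline, which is worth fixing while this line is touched.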
From: James Davidson Date: Tue, 12 Feb 2013 13:02:11 -0800 Subject: Initial SNMPv3 support --- Makefile.am | 1 + scripts/snmp/vyatta-snmp-v3.pl | 527 +++++++++++++++++++++ scripts/snmp/vyatta-snmp.pl | 22 +- templates/service/snmp/node.def | 23 +- templates/service/snmp/v3/group/node.def | 5 + .../service/snmp/v3/group/node.tag/mode/node.def | 8 + .../service/snmp/v3/group/node.tag/view/node.def | 11 + templates/service/snmp/v3/node.def | 30 ++ templates/service/snmp/v3/trap-target/node.def | 12 + .../node.tag/auth/encrypted-key/node.def | 3 + .../snmp/v3/trap-target/node.tag/auth/node.def | 4 + .../node.tag/auth/plaintext-key/node.def | 3 + .../v3/trap-target/node.tag/auth/type/node.def | 8 + .../snmp/v3/trap-target/node.tag/port/node.def | 7 + .../node.tag/privacy/encrypted-key/node.def | 3 + .../snmp/v3/trap-target/node.tag/privacy/node.def | 4 + .../node.tag/privacy/plaintext-key/node.def | 3 + .../v3/trap-target/node.tag/privacy/type/node.def | 8 + .../snmp/v3/trap-target/node.tag/protocol/node.def | 8 + .../snmp/v3/trap-target/node.tag/type/node.def | 8 + .../snmp/v3/trap-target/node.tag/user/node.def | 4 + templates/service/snmp/v3/tsm/local-key/node.def | 10 + templates/service/snmp/v3/tsm/node.def | 3 + templates/service/snmp/v3/tsm/port/node.def | 7 + templates/service/snmp/v3/user/node.def | 6 + .../v3/user/node.tag/auth/encrypted-key/node.def | 2 + .../service/snmp/v3/user/node.tag/auth/node.def | 3 + .../v3/user/node.tag/auth/plaintext-key/node.def | 5 + .../snmp/v3/user/node.tag/auth/type/node.def | 8 + .../service/snmp/v3/user/node.tag/group/node.def | 11 + .../service/snmp/v3/user/node.tag/mode/node.def | 8 + .../user/node.tag/privacy/encrypted-key/node.def | 2 + .../service/snmp/v3/user/node.tag/privacy/node.def | 3 + .../user/node.tag/privacy/plaintext-key/node.def | 5 + .../snmp/v3/user/node.tag/privacy/type/node.def | 8 + .../service/snmp/v3/user/node.tag/tsm-key/node.def | 10 + templates/service/snmp/v3/view/node.def | 5 + 
.../service/snmp/v3/view/node.tag/oid/node.def | 4 + .../v3/view/node.tag/oid/node.tag/exclude/node.def | 1 + .../v3/view/node.tag/oid/node.tag/mask/node.def | 4 + 40 files changed, 786 insertions(+), 21 deletions(-) create mode 100755 scripts/snmp/vyatta-snmp-v3.pl create mode 100644 templates/service/snmp/v3/group/node.def create mode 100644 templates/service/snmp/v3/group/node.tag/mode/node.def create mode 100644 templates/service/snmp/v3/group/node.tag/view/node.def create mode 100644 templates/service/snmp/v3/node.def create mode 100644 templates/service/snmp/v3/trap-target/node.def create mode 100644 templates/service/snmp/v3/trap-target/node.tag/auth/encrypted-key/node.def create mode 100644 templates/service/snmp/v3/trap-target/node.tag/auth/node.def create mode 100644 templates/service/snmp/v3/trap-target/node.tag/auth/plaintext-key/node.def create mode 100644 templates/service/snmp/v3/trap-target/node.tag/auth/type/node.def create mode 100644 templates/service/snmp/v3/trap-target/node.tag/port/node.def create mode 100644 templates/service/snmp/v3/trap-target/node.tag/privacy/encrypted-key/node.def create mode 100644 templates/service/snmp/v3/trap-target/node.tag/privacy/node.def create mode 100644 templates/service/snmp/v3/trap-target/node.tag/privacy/plaintext-key/node.def create mode 100644 templates/service/snmp/v3/trap-target/node.tag/privacy/type/node.def create mode 100644 templates/service/snmp/v3/trap-target/node.tag/protocol/node.def create mode 100644 templates/service/snmp/v3/trap-target/node.tag/type/node.def create mode 100644 templates/service/snmp/v3/trap-target/node.tag/user/node.def create mode 100644 templates/service/snmp/v3/tsm/local-key/node.def create mode 100644 templates/service/snmp/v3/tsm/node.def create mode 100644 templates/service/snmp/v3/tsm/port/node.def create mode 100644 templates/service/snmp/v3/user/node.def create mode 100644 templates/service/snmp/v3/user/node.tag/auth/encrypted-key/node.def create mode 100644 
templates/service/snmp/v3/user/node.tag/auth/node.def create mode 100644 templates/service/snmp/v3/user/node.tag/auth/plaintext-key/node.def create mode 100644 templates/service/snmp/v3/user/node.tag/auth/type/node.def create mode 100644 templates/service/snmp/v3/user/node.tag/group/node.def create mode 100644 templates/service/snmp/v3/user/node.tag/mode/node.def create mode 100644 templates/service/snmp/v3/user/node.tag/privacy/encrypted-key/node.def create mode 100644 templates/service/snmp/v3/user/node.tag/privacy/node.def create mode 100644 templates/service/snmp/v3/user/node.tag/privacy/plaintext-key/node.def create mode 100644 templates/service/snmp/v3/user/node.tag/privacy/type/node.def create mode 100644 templates/service/snmp/v3/user/node.tag/tsm-key/node.def create mode 100644 templates/service/snmp/v3/view/node.def create mode 100644 templates/service/snmp/v3/view/node.tag/oid/node.def create mode 100644 templates/service/snmp/v3/view/node.tag/oid/node.tag/exclude/node.def create mode 100644 templates/service/snmp/v3/view/node.tag/oid/node.tag/mask/node.def (limited to 'scripts') diff --git a/Makefile.am b/Makefile.am index 5ac51967..1d7f7dee 100644 --- a/Makefile.am +++ b/Makefile.am @@ -48,6 +48,7 @@ sbin_SCRIPTS += scripts/system/vyatta_update_ntp.pl sbin_SCRIPTS += scripts/system/vyatta_update_telnet sbin_SCRIPTS += scripts/system/irq-affinity.pl sbin_SCRIPTS += scripts/snmp/vyatta-snmp.pl +sbin_SCRIPTS += scripts/snmp/vyatta-snmp-v3.pl sbin_SCRIPTS += scripts/snmp/if-mib-alias sbin_SCRIPTS += scripts/telnetd.init sbin_SCRIPTS += scripts/dns-forwarding/vyatta-dns-forwarding.pl diff --git a/scripts/snmp/vyatta-snmp-v3.pl b/scripts/snmp/vyatta-snmp-v3.pl new file mode 100755 index 00000000..ef93b8a1 --- /dev/null +++ b/scripts/snmp/vyatta-snmp-v3.pl 
@@ -0,0 +1,527 @@
+#!/usr/bin/perl
+
+use lib "/opt/vyatta/share/perl5/";
+use Vyatta::Config;
+use File::Copy;
+use Getopt::Long;
+use Socket;
+use Socket6;
+
+my $snmp_v3_level = 'service snmp v3';
+my $snmp_init = 'invoke-rc.d snmpd';
+my $snmpd_conf = '/etc/snmp/snmpd.conf';
+my $snmpd_usr_conf = '/usr/share/snmp/snmpd.conf';
+my $snmpd_var_conf = '/var/lib/snmp/snmpd.conf';
+my $snmpd_conf_tmp = "/tmp/snmpd.conf.$$";
+my $snmpd_usr_conf_tmp = "/tmp/snmpd.usr.conf.$$";
+my $snmpd_var_conf_tmp = "/tmp/snmpd.var.conf.$$";
+my $versionfile = '/opt/vyatta/etc/version';
+my $local_agent = 'unix:/var/run/snmpd.socket';
+my $vyatta_config_file = '/config/snmp/snmp_conf.ini';
+%VConfig = ();
+
+%OIDs = (
+ "md5", ".1.3.6.1.6.3.10.1.1.2",
+ "sha", ".1.3.6.1.6.3.10.1.1.3",
+ "aes", ".1.3.6.1.6.3.10.1.2.4",
+ "des", ".1.3.6.1.6.3.10.1.2.2",
+ "none", ".1.3.6.1.6.3.10.1.2.1"
+);
+
+# generate a random character hex string
+sub randhex {
+ my $length = shift;
+ return join "", map { unpack "H*", chr(rand(256)) } 1..($length/2);
+}
+
+sub parse_config_file {
+ open (CONFIG, "$vyatta_config_file") or return;
+ while () {
+ chomp; # no newline
+ s/#.*//; # no comments
+ s/^\s+//; # no leading white
+ s/\s+$//; # no trailing white
+ next unless length; # anything left?
+ my ($var, $value) = split(/\s*=\s*/, $_, 2);
+ $VConfig{$var} = $value;
+ }
+ close(CONFIG);
+}
+
+sub write_config_file {
+ open (my $config_file, '>' , "$vyatta_config_file");
+ for my $key (keys %VConfig) {
+ my $value = $VConfig{$key};
+ print $config_file "$key=$value\n";
+ }
+ close $config_file;
+}
+
+sub snmpd_running {
+ open (my $pidf, '<', "/var/run/snmpd.pid")
+ or return;
+ my $pid = <$pidf>;
+ close $pidf;
+
+ chomp $pid;
+ my $exe = readlink "/proc/$pid/exe";
+
+ return (defined($exe) && $exe eq "/usr/sbin/snmpd");
+}
+
+sub check_snmp_exit_code {
+ my $code = shift;
+ # snmpd can start/restart with exit code 256 if trap-target is unavailable
+ if ($code !=0 && $code != 256) {
+ return 1;
+ } else {
+ return 0;
+ }
+}
+
+sub snmpd_stop {
+ system("$snmp_init stop > /dev/null 2>&1");
+ if (check_snmp_exit_code($?)) {
+ print "ERROR: Can not stop snmpd!\n";
+ exit(1);
+ }
+}
+
+sub snmpd_start {
+ system("$snmp_init start > /dev/null 2>&1");
+ if (check_snmp_exit_code($?)) {
+ print "ERROR: Can not start snmpd!\n";
+ exit(1);
+ }
+}
+
+sub snmpd_update {
+ system("$snmp_init reload > /dev/null 2>&1");
+ if (check_snmp_exit_code($?)) {
+ print "ERROR: Can not reload snmpd!\n";
+ exit(1);
+ }
+}
+
+sub snmpd_restart {
+ system("$snmp_init restart > /dev/null 2>&1");
+ if (check_snmp_exit_code($?)) {
+ print "ERROR: Can not restart snmpd!\n";
+ exit(1);
+ }
+}
+
+sub get_version {
+ my $version = "unknown-version";
+
+ if (open (my $f, '<', $versionfile)) {
+ while (<$f>) {
+ chomp;
+ if (m/^Version\s*:\s*(.*)$/) {
+ $version = $1;
+ last;
+ }
+ }
+ close $f;
+ }
+ return $version;
+}
+
+sub ipv6_disabled {
+ socket ( my $s, PF_INET6, SOCK_DGRAM, 0)
+ or return 1;
+ close($s);
+ return;
+}
+
+sub set_tsm {
+ my $config = get_snmp_config();
+ if ($config->exists("tsm")) {
+ my $port = $config->returnValue("tsm port");
+ my $local_key = $config->returnValue("tsm local-key");
+ system("sed -i 's/^agentaddress.*\$/&,tlstcp:$port,dtlsudp:$port/' $snmpd_conf_tmp");
+ system("echo \"[snmp] localCert $local_key\" >> $snmpd_conf_tmp");
+ }
+}
+
+sub snmp_delete {
+ snmpd_stop();
+
+ @files = ($snmpd_conf, $snmpd_usr_conf, $snmpd_var_conf);
+ foreach $file (@files) {
+ if (-e $file) {
+ if (unlink($file) == 0) {
+ print "File $file was not deleted.\n";
+ } else {
+ print "File $file deleted successfully.\n";
+ }
+ } else {
+ print "File $file does not exist\n";
+ }
+ }
+}
+
+sub get_snmp_config() {
+ my $config = new Vyatta::Config;
+ $config->setLevel($snmp_v3_level);
+ return $config;
+}
+
+sub set_views() {
+ print "# views \n";
+ my $config = get_snmp_config();
+ foreach my $view ($config->listNodes("view")) {
+ foreach my $oid ($config->listNodes("view $view oid")) {
+ my $mask = $config->returnValue("view $view oid $oid mask");
+ if ($config->exists("view $view oid $oid exclude")) {
+ print "view $view excluded .$oid $mask\n";
+ } else {
+ print "view $view included .$oid $mask\n";
+ }
+ }
+ }
+ print "\n";
+}
+
+sub set_groups() {
+ print "#access\n# context sec.model sec.level match read write notif\n";
+ my $config = get_snmp_config();
+ foreach my $group ($config->listNodes("group")) {
+ my $mode = $config->returnValue("group $group mode");
+ my $view = $config->returnValue("group $group view");
+ if ($mode eq "ro") {
+ print "access $group \"\" usm auth exact $view none none\n";
+ print "access $group \"\" tsm auth exact $view none none\n";
+ } else {
+ print "access $group \"\" usm auth exact $view $view none\n";
+ print "access $group \"\" tsm auth exact $view $view none\n";
+ }
+ }
+ print "\n";
+}
+
+sub set_users_in_etc() {
+
+ print "#group\n";
+
+ my $config = get_snmp_config();
+ foreach my $user ($config->listNodes("user")) {
+ $config->setLevel($snmp_v3_level." user $user");
+ if ($config->exists("group")) {
+ my $group = $config->returnValue("group");
+ print "group $group usm $user\n";
+ print "group $group tsm $user\n";
+ }
+ if ($config->exists("tsm-key")) {
+ my $cert = $config->returnValue("tsm-key");
+ #TODO magic number 10
+ print "certSecName 10 $cert --sn $user\n";
+ }
+ }
+
+ print "\n";
+}
+
+sub set_users_to_other() {
+ open (my $usr_conf, '>>', $snmpd_usr_conf_tmp)
+ or die "Couldn't open $snmpd_usr_conf_tmp - $!";
+ open (my $var_conf, '>>', $snmpd_var_conf_tmp)
+ or die "Couldn't open $snmpd_var_conf_tmp - $!";
+
+ print $var_conf "\n";
+
+ my $config = get_snmp_config();
+ my $needTsm = 0;
+ if ($config->exists("tsm")) {
+ $needTsm = 1;
+ }
+
+ my %trap_users=();
+
+ foreach my $trap ($config->listNodes("trap-target")) {
+ $trap_users{$config->returnValue("trap-target $trap user")} = 1;
+ }
+
+ foreach my $user ($config->listNodes("user")) {
+ delete $trap_users{$user};
+ $config->setLevel($snmp_v3_level." user $user");
+ my $auth_type = $config->returnValue("auth type");
+ my $priv_type = $config->returnValue("privacy type");
+ if ($config->exists("auth")) {
+ if ($config->exists("auth plaintext-key")) {
+ my $auth_key = $config->returnValue("auth plaintext-key");
+ my $priv_key = $config->returnValue("privacy plaintext-key");
+ print $var_conf "createUser $user \U$auth_type\E $auth_key \U$priv_type\E $priv_key\n";
+ } else {
+ my $name_print = get_printable_name($user);
+ my $EngineID = $VConfig{"User.$user.EngineID"};
+ my $auth_type_oid = $OIDs{$auth_type};
+ my $auth_key_hex = $config->returnValue("auth encrypted-key");
+ local ($priv_type_oid, $priv_key_hex);
+ if ($config->exists("privacy")) {
+ $priv_type_oid = $OIDs{$priv_type};
+ $priv_key_hex = $config->returnValue("privacy encrypted-key");
+ } else {
+ $priv_type_oid = $OIDs{'none'};
+ $priv_key_hex = '0x';
+ }
+ print $var_conf "usmUser 1 3 $EngineID $name_print $name_print NULL $auth_type_oid $auth_key_hex $priv_type_oid $priv_key_hex 0x\n";
+ }
+ }
+ my $mode = $config->returnValue("mode");
+ my $end = "auth";
+ if ($config->exists("privacy")) {
+ $end = "priv";
+ }
+ print $usr_conf $mode."user $user $end\n";
+ if ($needTsm) {
+ print $usr_conf $mode."user -s tsm $user $end\n";
+ }
+ }
+
+ foreach my $user (keys %trap_users) {
+ $name_print = get_printable_name($user);
+ print $var_conf "usmUser 1 3 0x".randhex(26)." $name_print $name_print NULL .1.3.6.1.6.3.10.1.1.2 0x".randhex(32)." .1.3.6.1.6.3.10.1.2.1 0x 0x\n";
+ print $usr_conf "rouser $user auth";
+ }
+
+ print $var_conf "setservialno ".$VConfig{"serialno"}."\n";
+ print $var_conf "oldEngineID ".$VConfig{"oldEngineID"}."\n";
+
+ close $usr_conf;
+ close $var_conf;
+}
+
+sub get_printable_name {
+ my $name = shift;
+ if ($name =~ /-/) {
+ my @array=unpack('C*', $name);
+ my $stringHex = '0x';
+ foreach my $c (@array) {
+ $stringHex .= sprintf ("%lx", $c);
+ }
+ return $stringHex;
+ } else {
+ return "\"$name\"";
+ }
+}
+
+sub update_users_vyatta_conf() {
+ %VConfig = ();
+ open (my $var_conf, '<' , $snmpd_var_conf) or die "Couldn't open $snmpd_usr_conf - $!";
+ my $config = get_snmp_config();
+ while (my $line = <$var_conf>) {
+ if ($line =~ /^setserialno (.*)$/) {
+ $VConfig{"serialno"} = $1;
+ }
+ if ($line =~ /^oldEngineID (.*)$/) {
+ $VConfig{"oldEngineID"} = $1;
+ }
+ if ($line =~ /^usmUser /) {
+ my @values = split(/ /, $line);
+ my $name = $values[4];
+ if ($name =~ /^"(.*)"$/) {
+ $name = $1;
+ } else {
+ $name = pack('H*', $name);
+ }
+ # this file contain users for trap-target and vyatta... user
+ # these users recreating automatically on each commit
+ if ($config->exists("user $name")) {
+ $VConfig{"User.$name.EngineID"} = $values[3];
+ system("/opt/vyatta/sbin/my_set service snmp v3 user \"$name\" auth encrypted-key $values[8] > /dev/null");
+ if ($values[10] ne "\"\"" && $values[10] ne "0x") {
+ system("/opt/vyatta/sbin/my_set service snmp v3 user \"$name\" privacy encrypted-key $values[10] > /dev/null");
+ system("/opt/vyatta/sbin/my_delete service snmp v3 user \"$name\" privacy plaintext-key > /dev/null");
+ }
+ system("/opt/vyatta/sbin/my_delete service snmp v3 user \"$name\" auth plaintext-key > /dev/null");
+ }
+ }
+ }
+}
+
+sub set_hosts() {
+ print "#trap-target\n";
+ my $config = get_snmp_config();
+ foreach my $target ($config->listNodes("trap-target")) {
+ $config->setLevel($snmp_v3_level." trap-target $target");
+ my $auth_key = '';
+ if ($config->exists("auth plaintext-key")) {
+ $auth_key = "-A ".$config->returnValue("auth plaintext-key");
+ } else {
+ $auth_key = "-3m ".$config->returnValue("auth encrypted-key");
+ }
+ my $auth_type = $config->returnValue("auth type");
+ my $user = $config->returnValue("user");
+ my $port = $config->returnValue("port");
+ my $protocol = $config->returnValue("protocol");
+ my $type = $config->returnValue("type");
+ my $inform_flag = '';
+ $inform_flag = '-Ci' if ($type eq 'inform');
+ my $privacy = '';
+ my $secLevel = 'authNoPriv';
+ if ($config->exists("privacy")) {
+ my $priv_key = '';
+ if ($config->exists("privacy plaintext-key")) {
+ $priv_key = "-X ".$config->returnValue("privacy plaintext-key");
+ } else {
+ $priv_key = "-3M ".$config->returnValue("privacy encrypted-key")
+ }
+ my $priv_type = $config->returnValue("privacy type");
+ $privacy = "-x $priv_type $priv_key";
+ $secLevel = 'authPriv';
+ }
+ # TODO
+ # set -3m / -3M for auth / priv for master
+ # or -3k / -3K for local
+ my $target_print = $target;
+ if ($target =~ /:/) {
+ $target_print = "[$target]";
+ $protocol = $protocol."6";
+ }
+ print "trapsess -v 3 $inform_flag -u $user -l $secLevel -a $auth_type $auth_key $privacy $protocol:$target_print:$port\n";
+ }
+ print "\n";
+}
+
+sub check_user_auth_changes() {
+ my $config = get_snmp_config();
+ if ($config->isChanged("user")) {
+ my $haveError = 0;
+ foreach my $user ($config->listNodes("user")) {
+ $config->setLevel($snmp_v3_level." user $user");
+ if ($config->exists("auth")) {
+ if ($config->isChanged("auth encrypted-key") || $config->isChanged("privacy encrypted-key")) {
+ $haveError = 1;
+ print "Discard encrypted-key on user \"$user\". You can't change encrypted key. It does not supported yet.";
+ }
+ my $isAuthKeyChanged = $config->isChanged("auth plaintext-key");
+ my $isAuthChanged = $isAuthKeyChanged || $config->isChanged("auth type");
+ if (($isAuthChanged || $config->isDeleted("privacy") ) && !$isAuthKeyChanged) {
+ $haveError = 1;
+ print "Please, set auth plaintext-key for user \"$user\"\n";
+ }
+ if ($config->exists("privacy")) {
+ my $isPrivKeyChanged = $config->isChanged("privacy plaintext-key");
+ my $isPrivChanged = $isPrivKeyChanged || $config->isChanged("privacy type");
+ if ($isPrivChanged && !$isAuthKeyChanged) {
+ $haveError = 1;
+ print "Please, set auth plaintext-key for user \"$user\"\n";
+ }
+ if (($isAuthChanged || $isPrivChanged) && !$isPrivKeyChanged) {
+ $haveError = 1;
+ print "Please, set privacy plaintext-key for user \"$user\"\n";
+ }
+ }
+ } else {
+ if ($config->exists("privacy")) {
+ $haveError = 1;
+ print "Please, delete privacy for user \"$user\"\n";
+ }
+ }
+ }
+ if ($haveError) {
+ exit(1);
+ }
+ }
+}
+
+sub check_relation() {
+ my $config = get_snmp_config();
+ my $haveError = 0;
+ foreach my $user ($config->listNodes("user")) {
+ if ($config->exists("user $user group")) {
+ my $group = $config->returnValue("user $user group");
+ if (! $config->exists("group $group")) {
+ $haveError = 1;
+ print "Please, create group \"$group\". It's need for user \"$user\"\n";
+ }
+ }
+ }
+ foreach my $group ($config->listNodes("group")) {
+ my $view = $config->returnValue("group $group view");
+ if (! $config->exists("view $view")) {
+ $haveError = 1;
+ print "Please, create view \"$view\". It's need for group \"$group\"\n";
+ }
+ }
+ if ($haveError) {
+ exit(1);
+ }
+}
+
+sub check_tsm_port {
+ my $config = get_snmp_config();
+ if ($config->isChanged("tsm port")) {
+ my $port = $config->returnValue("tsm port");
+ my $reg = ":$port\$";
+ $output = `netstat -anltup | awk '{print \$4}'`;
+ foreach my $line (split(/\n/,$output)) {
+ if ($line =~ /$reg/) {
+ print "Actually port $port is using. It can not be used for tsm.\n";
+ exit(1);
+ }
+ }
+ }
+}
+
+sub copy_conf_to_tmp() {
+ # these files already contain SNMPv2 configuration
+ copy($snmpd_conf, $snmpd_conf_tmp) or die "Couldn't copy $snmpd_conf to $snmpd_conf_tmp - $!";
+ copy($snmpd_usr_conf, $snmpd_usr_conf_tmp) or die "Couldn't copy $snmpd_usr_conf to $snmpd_usr_conf_tmp - $!";
+ copy($snmpd_var_conf, $snmpd_var_conf_tmp) or die "Couldn't copy $snmpd_var_conf to $snmpd_var_conf_tmp - $!";
+}
+
+sub snmp_update {
+
+ check_user_auth_changes();
+ check_relation();
+ check_tsm_port();
+
+ copy_conf_to_tmp();
+
+ set_tsm();
+
+ open (my $fh, '>>', $snmpd_conf_tmp)
+ or die "Couldn't open $snmpd_conf_tmp - $!";
+
+ select $fh;
+
+ set_views();
+ set_groups();
+ set_hosts();
+ set_users_in_etc();
+
+ close $fh;
+ select STDOUT;
+
+ move($snmpd_conf_tmp, $snmpd_conf)
+ or die "Couldn't move $snmpd_conf_tmp to $snmpd_conf - $!";
+
+ my $config = get_snmp_config();
+
+ if ($config->isChanged("user") || $config->isAdded("tsm") || $config->isDeleted("tsm") || $config->isChanged("trap-target")) {
+ parse_config_file();
+ snmpd_stop();
+ set_users_to_other();
+ move($snmpd_usr_conf_tmp, $snmpd_usr_conf)
+ or die "Couldn't move $snmpd_usr_conf_tmp to $snmpd_usr_conf - $!";
+ move($snmpd_var_conf_tmp, $snmpd_var_conf)
+ or die "Couldn't move $snmpd_var_conf_tmp to $snmpd_var_conf - $!";
+ snmpd_start();
+ snmpd_restart();
+ update_users_vyatta_conf();
+ write_config_file();
+ } else {
+ snmpd_start();
+ }
+}
+
+my $update_snmp;
+my $delete_snmp;
+
+GetOptions("update-snmp!" => \$update_snmp,
+ "delete-snmp!" => \$delete_snmp);
+
+snmp_update() if ($update_snmp);
+snmp_delete() if ($delete_snmp);
diff --git a/scripts/snmp/vyatta-snmp.pl b/scripts/snmp/vyatta-snmp.pl
index d473e7fa..a4ea9e27 100755
--- a/scripts/snmp/vyatta-snmp.pl
+++ b/scripts/snmp/vyatta-snmp.pl
@@ -64,6 +64,8 @@ sub snmp_stop {
 }
 sub snmp_start {
+ # we must stop snmpd first for creating vyatta user
+ system("$snmp_init stop > /dev/null 2>&1");
 open (my $fh, '>', $snmp_tmp) or die "Couldn't open $snmp_tmp - $!";
@@ -78,12 +80,6 @@ sub snmp_start {
 move($snmp_tmp, $snmp_conf) or die "Couldn't move $snmp_tmp to $snmp_conf - $!";
-
- if (snmp_running()) {
- system("$snmp_init restart > /dev/null 2>&1 &");
- } else {
- system("$snmp_init start > /dev/null 2>&1 &");
- }
 }
 sub get_version {
@@ -235,9 +231,6 @@ sub snmp_get_traps {
 my $config = new Vyatta::Config;
 $config->setLevel($snmp_level);
- my @trap_targets = $config->listNodes("trap-target");
- return unless @trap_targets;
-
 # linkUp/Down configure the Event MIB tables to monitor
 # the ifTable for network interfaces being taken up or down
 # for making internal queries to retrieve any necessary information
@@ -257,6 +250,9 @@ monitor -r 10 -e linkUpTrap "Generate linkUp" ifOperStatus != 2
 monitor -r 10 -e linkDownTrap "Generate linkDown" ifOperStatus == 2
 EOF
+ my @trap_targets = $config->listNodes("trap-target");
+ return unless @trap_targets;
+
 foreach my $trap_target (@trap_targets) {
 my $port = $config->returnValue("trap-target $trap_target port");
 my $community
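Review bot: update_users_vyatta_conf interpolates `$name` and `$values[8]`/`$values[10]`, read back from `/var/lib/snmp/snmpd.conf`, into double-quoted shell strings for `system()`, and set_tsm does the same with `$port` and `$local_key` in its `sed -i` and `echo ... >> $snmpd_conf_tmp` commands; the list form, e.g. `system('/opt/vyatta/sbin/my_set', 'service', 'snmp', 'v3', 'user', $name, 'auth', 'encrypted-key', $values[8]);`, keeps the shell out of the path entirely (the `> /dev/null` can be replaced by redirecting STDOUT to `/dev/null` around the call). The work files `/tmp/snmpd.conf.$$` and friends are predictable names in a shared directory for a script that runs under sudo; `File::Temp::tempfile` (core) avoids a pre-existing file or symlink at that path being followed by `copy()`. Two visible mismatches: set_users_to_other writes `setservialno` while update_users_vyatta_conf matches `/^setserialno (.*)$/`, so the serial number never round-trips, and `print $usr_conf "rouser $user auth";` has no `\n`, so a second trap-only user is appended to the same line. get_printable_name's `sprintf ("%lx", $c)` drops the leading zero for bytes below 0x10 and must be `%02x`, and the trap-only `usmUser` keys come from `rand()` via randhex, which is not a cryptographic source — read them from `/dev/urandom` if those keys are meant to be unguessable. The file has no `use strict; use warnings;`, so `%VConfig`, `%OIDs`, `@files`, `$file`, `$output` and `$name_print` are implicit package globals, and the die message in update_users_vyatta_conf names `$snmpd_usr_conf` although it opened `$snmpd_var_conf`.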
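Review bot: After the `@@ -64` and `@@ -78` hunks snmp_start stops snmpd and rewrites its configuration but no longer starts it (the enclosing sub begins in the first of these hunks and its body continues between them), and nothing in the code says where the start now happens; from the `end:` action in templates/service/snmp/node.def in this commit it is the template, or vyatta-snmp-v3.pl when v3 is configured. A comment at the top of the sub would spare the next reader the misleading name, e.g. `# NOTE: does not start snmpd; the node.def end: action starts it once both v2 and v3 config are written`. The added `system("$snmp_init stop > /dev/null 2>&1");` also ignores `$?`, unlike the stop/start helpers in vyatta-snmp-v3.pl, which report failure and exit.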
@@ -290,8 +286,9 @@ sub snmp_create_snmpv3_user {
 my $vyatta_user = shift;
 my $passphrase = randhex(32);
+ my $createuser = "createUser $vyatta_user MD5 \"$passphrase\" DES";
- open(my $fh, '>>', $snmp_snmpv3_createuser_conf) || die "Couldn't open $snmp_snmpv3_createuser_conf - $!";
+ open(my $fh, '>', $snmp_snmpv3_createuser_conf) || die "Couldn't open $snmp_snmpv3_createuser_conf - $!";
 print $fh $createuser;
 close $fh;
 }
@@ -299,9 +296,8 @@ sub snmp_create_snmpv3_user {
 sub snmp_write_snmpv3_user {
 my $vyatta_user = shift;
- my $user = "rouser $vyatta_user\n";
- system ("sed -i '/user[[:space:]]*vyatta[[:alnum:]]*/d' $snmp_snmpv3_user_conf 2>/dev/null;");
- open(my $fh, '>>', $snmp_snmpv3_user_conf) || die "Couldn't open $snmp_snmpv3_user_conf - $!";
+ my $user = "rwuser $vyatta_user\n";
+ open(my $fh, '>', $snmp_snmpv3_user_conf) || die "Couldn't open $snmp_snmpv3_user_conf - $!";
 print $fh $user;
 close $fh;
 }
diff --git a/templates/service/snmp/node.def b/templates/service/snmp/node.def
index 183cc5c3..8047121f 100644
--- a/templates/service/snmp/node.def
+++ b/templates/service/snmp/node.def
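Review bot: snmp_write_snmpv3_user in the `@@ -299` hunk now gives the internally generated `$vyatta_user` read-write access (`rwuser` in place of `rouser`), and neither the commit message nor a comment says why the built-in user needs to write. If write access is required, say so in a comment next to the line and confine it, for instance `my $user = "rwuser $vyatta_user priv\n";` so that the DES privacy set up by the `createUser` line is mandatory, plus a restricting OID or `-V view` as the trailing argument if only part of the tree is written. The `$createuser` string written in the `@@ -290` hunk ends without `\n`, so whatever is appended to that file next shares its line; vyatta-snmp-v3.pl's set_users_to_other compensates by printing a bare `"\n"` first, which is easy to break, so the newline belongs here.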
@@ -1,13 +1,20 @@ priority: 980 help: Simple Network Management Protocol (SNMP) -commit:expression: $VAR(community/) != "" || $VAR(community6/) != "" \ - ; "must configure a community or community6" +commit:expression: $VAR(community/) != "" || $VAR(community6/) != "" || $VAR(v3/) != "" \ + ; "must configure a community or community6 or v3" delete: touch /tmp/snmp.$PPID end:if [ -f "/tmp/snmp.$PPID" ] - then sudo /opt/vyatta/sbin/vyatta-snmp.pl --stop-snmp - rm /tmp/snmp.$PPID - sudo rm -f /etc/snmp/snmpd.conf - else - sudo /opt/vyatta/sbin/vyatta-snmp.pl --update-snmp - fi + then + sudo /opt/vyatta/sbin/vyatta-snmp.pl --stop-snmp; + rm /tmp/snmp.$PPID; + sudo rm -f /etc/snmp/snmpd.conf; + else + sudo /opt/vyatta/sbin/vyatta-snmp.pl --update-snmp; + if [ -n "$VAR(v3/)" ] + then + sudo /opt/vyatta/sbin/vyatta-snmp-v3.pl --update-snmp; + else + sudo invoke-rc.d snmpd start > /dev/null 2>&1; + fi + fi diff --git a/templates/service/snmp/v3/group/node.def b/templates/service/snmp/v3/group/node.def new file mode 100644 index 00000000..bcfe6795 --- /dev/null +++ b/templates/service/snmp/v3/group/node.def @@ -0,0 +1,5 @@ +tag: +type: txt +help: Specifies the group with name groupname +commit:expression: $VAR(view/) != "" ; "must specify view" +commit:expression: $VAR(mode/) != "" ; "must specify mode" diff --git a/templates/service/snmp/v3/group/node.tag/mode/node.def b/templates/service/snmp/v3/group/node.tag/mode/node.def new file mode 100644 index 00000000..a6d36de5 --- /dev/null +++ b/templates/service/snmp/v3/group/node.tag/mode/node.def @@ -0,0 +1,8 @@ +type: txt +default: "ro" +help: Defines the read/write access +syntax:expression: $VAR(@) in "ro", "rw" +allowed: echo ro rw + +val_help: ro; +val_help: rw; diff --git a/templates/service/snmp/v3/group/node.tag/view/node.def b/templates/service/snmp/v3/group/node.tag/view/node.def new file mode 100644 index 00000000..af7d33c9 --- /dev/null +++ b/templates/service/snmp/v3/group/node.tag/view/node.def 
@@ -0,0 +1,11 @@ +type: txt +help: Defines the name of view +allowed: list=`cli-shell-api listNodes service snmp v3 view` + echo $list +syntax:expression:exec "regex=\"(^| )$VAR(@)( |$)\"; \ + if [[ \"$VAR(/service/snmp/v3/view/@@)\" =~ $regex ]] ; \ + then \ + exit 0; \ + else \ + exit 1; \ + fi" ; "You must create \"$VAR(@)\" view first" diff --git a/templates/service/snmp/v3/node.def b/templates/service/snmp/v3/node.def new file mode 100644 index 00000000..756a156f --- /dev/null +++ b/templates/service/snmp/v3/node.def @@ -0,0 +1,30 @@ +help: Simple Network Management Protocol (SNMP) v3 + +create: if [ ! -d "/config/snmp" ]; then sudo mkdir /config/snmp ; fi + if [ ! -d "/config/snmp/tls" ]; then + sudo mkdir /config/snmp/tls ; + if [ -d "/etc/snmp/tls" ] ; then + sudo mv /etc/snmp/tls/* /config/snmp/tls > /dev/null 2>&1; + sudo chmod -R 600 /config/snmp/tls; + sudo rmdir /etc/snmp/tls > /dev/null 2>&1; + sudo rm /etc/snmp/tls > /dev/null 2>&1; + fi + sudo ln -s /config/snmp/tls /etc/snmp/tls; + fi + lnk=`readlink /etc/snmp/tls` + if [ "$lnk" != "/config/snmp/tls" ]; then + sudo rm -f /etc/snmp/tls; + sudo ln -s /config/snmp/tls /etc/snmp/tls; + fi + +begin: if [ -d "/config/snmp/tls" ]; then + sudo chmod -R 600 /config/snmp/tls; + fi + +delete: touch /tmp/snmp-v3.$PPID + +end:if [ -f "/tmp/snmp-v3.$PPID" ] + then + sudo /opt/vyatta/sbin/vyatta-snmp-v3.pl --delete-snmp + rm /tmp/snmp-v3.$PPID + fi \ No newline at end of file diff --git a/templates/service/snmp/v3/trap-target/node.def b/templates/service/snmp/v3/trap-target/node.def new file mode 100644 index 00000000..d6203e9b --- /dev/null +++ b/templates/service/snmp/v3/trap-target/node.def 
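Review bot: `sudo chmod -R 600 /config/snmp/tls` in the `create:` and `begin:` actions of v3/node.def strips the execute (search) bit from the directories as well as the files, so nothing below `/config/snmp/tls` (including `certs/`) can be traversed by a non-root process, which is presumably why the `local-key` template has to `sudo ls` the certs directory. `sudo chmod -R u=rwX,go= /config/snmp/tls` (capital `X` keeps the search bit on directories only) keeps the keys private without making the tree unreadable to a daemon that drops privileges. Whether snmpd reads these files as root or after switching to its own user is not visible here, so the intended owner and mode still need confirming against the snmpd service setup.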
@@ -0,0 +1,12 @@ +tag: +type: txt +help: Defines SNMP target for inform or traps for IP +syntax:expression: exec "/opt/vyatta/sbin/valid_address $VAR(@)/20" +commit:expression: $VAR(type/) != ""; "must specify type" +commit:expression: $VAR(auth/) != ""; "must specify auth" +commit:expression: $VAR(protocol/) != ""; "must specify protocol" +commit:expression: $VAR(user/) != ""; "must specify user" +commit:expression: $VAR(port/) != ""; "must specify port" + +val_help: ; IP address of trap target +val_help: ; IPv6 address of trap target \ No newline at end of file diff --git a/templates/service/snmp/v3/trap-target/node.tag/auth/encrypted-key/node.def b/templates/service/snmp/v3/trap-target/node.tag/auth/encrypted-key/node.def new file mode 100644 index 00000000..2365b055 --- /dev/null +++ b/templates/service/snmp/v3/trap-target/node.tag/auth/encrypted-key/node.def @@ -0,0 +1,3 @@ +type: txt +help: Defines the encrypted password for authentication +syntax:expression: pattern $VAR(@) "^0x[0-9a-f]*$" ; "key must start from '0x' and contain hex digits" \ No newline at end of file diff --git a/templates/service/snmp/v3/trap-target/node.tag/auth/node.def b/templates/service/snmp/v3/trap-target/node.tag/auth/node.def new file mode 100644 index 00000000..5c7df0ef --- /dev/null +++ b/templates/service/snmp/v3/trap-target/node.tag/auth/node.def @@ -0,0 +1,4 @@ +help: Defines the authentication +commit:expression: $VAR(type/) != "" ; "must specify type" +commit:expression: $VAR(encrypted-key/) != "" || $VAR(plaintext-key/) != "" ; "must specify encrypted-key or plaintext-key" +commit:expression: !($VAR(encrypted-key/) != "" && $VAR(plaintext-key/) != "") ; "must specify only one of encrypted-key and plaintext-key" \ No newline at end of file diff --git a/templates/service/snmp/v3/trap-target/node.tag/auth/plaintext-key/node.def b/templates/service/snmp/v3/trap-target/node.tag/auth/plaintext-key/node.def new file mode 100644 index 00000000..34563e73 --- /dev/null 
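Review bot: The `syntax:expression` on trap-target's `auth/encrypted-key` (and the identical one on `privacy/encrypted-key` in the next line of this commit) uses `^0x[0-9a-f]*$`, which accepts a bare `0x` with no key bytes, and that value then reaches the `trapsess ... -3m 0x` line that set_hosts writes into snmpd.conf. At minimum change `*` to `+`; better, pin the lengths the `type` node allows, e.g. `pattern $VAR(@) "^0x([0-9a-fA-F]{32}|[0-9a-fA-F]{40})$" ; "key must be 0x followed by 32 (md5) or 40 (sha) hex digits"` (constructed; 16 and 20 bytes are the localized key sizes for MD5 and SHA-1).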
+++ b/templates/service/snmp/v3/trap-target/node.tag/auth/plaintext-key/node.def @@ -0,0 +1,3 @@ +type: txt +help: Defines the clear text password for authentication +syntax:expression: pattern $VAR(@) "^.{8,}$" ; "key must contain 8 or more characters" diff --git a/templates/service/snmp/v3/trap-target/node.tag/auth/type/node.def b/templates/service/snmp/v3/trap-target/node.tag/auth/type/node.def new file mode 100644 index 00000000..5a2ffc52 --- /dev/null +++ b/templates/service/snmp/v3/trap-target/node.tag/auth/type/node.def @@ -0,0 +1,8 @@ +type: txt +default: "md5" +help: Defines the protocol using for authentication +syntax:expression: $VAR(@) in "md5", "sha" +allowed: echo md5 sha + +val_help: md5; Message Digest 5 +val_help: sha; Secure Hash Algorithm \ No newline at end of file diff --git a/templates/service/snmp/v3/trap-target/node.tag/port/node.def b/templates/service/snmp/v3/trap-target/node.tag/port/node.def new file mode 100644 index 00000000..b38cd1e5 --- /dev/null +++ b/templates/service/snmp/v3/trap-target/node.tag/port/node.def @@ -0,0 +1,7 @@ +type: u32 +default: 162 +help: Specifies the TCP/UDP port of a destination for SNMP traps/informs. + +val_help: u32:1-65535; Numeric IP port +syntax:expression: $VAR(@) > 0 && $VAR(@) <= 65535 ; \ + "Port number must be in range 1 to 65535" diff --git a/templates/service/snmp/v3/trap-target/node.tag/privacy/encrypted-key/node.def b/templates/service/snmp/v3/trap-target/node.tag/privacy/encrypted-key/node.def new file mode 100644 index 00000000..4e762b9f --- /dev/null +++ b/templates/service/snmp/v3/trap-target/node.tag/privacy/encrypted-key/node.def @@ -0,0 +1,3 @@ +type: txt +help: Defines the encrypted key for privacy protocol +syntax:expression: pattern $VAR(@) "^0x[0-9a-f]*$" ; "key must start from '0x' and contain hex digits" \ No newline at end of file 
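Review bot: The `auth/type` node defaults to `md5` and `privacy/type` (next line of this commit, and the `user` auth/type later) defaults to `des`, the weakest of the options each node offers, so an operator who omits `type` silently gets MD5/DES. Since `sha` and `aes` are already accepted and mapped in vyatta-snmp-v3.pl's `%OIDs`, `default: "sha"` and `default: "aes"` cost nothing here, though the choice should be confirmed against the trap receivers in use. The `val_help` lines could also mark the recommended option.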
diff --git a/templates/service/snmp/v3/trap-target/node.tag/privacy/node.def b/templates/service/snmp/v3/trap-target/node.tag/privacy/node.def new file mode 100644 index 00000000..900cfc9d --- /dev/null +++ b/templates/service/snmp/v3/trap-target/node.tag/privacy/node.def @@ -0,0 +1,4 @@ +help: Defines the privacy +commit:expression: $VAR(type/) != "" ; "must specify type" +commit:expression: $VAR(encrypted-key/) != "" || $VAR(plaintext-key/) != "" ; "must specify encrypted-key or plaintext-key" +commit:expression: !($VAR(encrypted-key/) != "" && $VAR(plaintext-key/) != "") ; "must specify only one of encrypted-key and plaintext-key" diff --git a/templates/service/snmp/v3/trap-target/node.tag/privacy/plaintext-key/node.def b/templates/service/snmp/v3/trap-target/node.tag/privacy/plaintext-key/node.def new file mode 100644 index 00000000..a2442637 --- /dev/null +++ b/templates/service/snmp/v3/trap-target/node.tag/privacy/plaintext-key/node.def @@ -0,0 +1,3 @@ +type: txt +help: Defines the clear text key for privacy protocol +syntax:expression: pattern $VAR(@) "^.{8,}$" ; "key must contain 8 or more characters" diff --git a/templates/service/snmp/v3/trap-target/node.tag/privacy/type/node.def b/templates/service/snmp/v3/trap-target/node.tag/privacy/type/node.def new file mode 100644 index 00000000..bbfd5331 --- /dev/null +++ b/templates/service/snmp/v3/trap-target/node.tag/privacy/type/node.def @@ -0,0 +1,8 @@ +type: txt +default: "des" +help: Defines the protocol for privacy +syntax:expression: $VAR(@) in "des", "aes" +allowed: echo des aes + +val_help: des; Data Encryption Standard +val_help: aes; Advanced Encryption Standard \ No newline at end of file diff --git a/templates/service/snmp/v3/trap-target/node.tag/protocol/node.def b/templates/service/snmp/v3/trap-target/node.tag/protocol/node.def new file mode 100644 index 00000000..ce96ca38 --- /dev/null +++ b/templates/service/snmp/v3/trap-target/node.tag/protocol/node.def 
@@ -0,0 +1,8 @@ +type: txt +default: "udp" +help: Defines protocol for notification between TCP and UDP +syntax:expression: $VAR(@) in "tcp", "udp" +allowed: echo tcp udp + +val_help: tcp; +val_help: udp; \ No newline at end of file diff --git a/templates/service/snmp/v3/trap-target/node.tag/type/node.def b/templates/service/snmp/v3/trap-target/node.tag/type/node.def new file mode 100644 index 00000000..f678ae69 --- /dev/null +++ b/templates/service/snmp/v3/trap-target/node.tag/type/node.def @@ -0,0 +1,8 @@ +type: txt +default: "inform" +help: Specifies the type of notification between inform and trap +syntax:expression: $VAR(@) in "inform", "trap" +allowed: echo inform trap + +val_help: inform; +val_help: trap; \ No newline at end of file diff --git a/templates/service/snmp/v3/trap-target/node.tag/user/node.def b/templates/service/snmp/v3/trap-target/node.tag/user/node.def new file mode 100644 index 00000000..a0ed8cbf --- /dev/null +++ b/templates/service/snmp/v3/trap-target/node.tag/user/node.def @@ -0,0 +1,4 @@ +type: txt +help: Defines username for authentication +allowed: list=`cli-shell-api listNodes service snmp v3 user` + echo $list diff --git a/templates/service/snmp/v3/tsm/local-key/node.def b/templates/service/snmp/v3/tsm/local-key/node.def new file mode 100644 index 00000000..d238d310 --- /dev/null +++ b/templates/service/snmp/v3/tsm/local-key/node.def @@ -0,0 +1,10 @@ +type: txt +help: Defines the server certificate fingerprint or key-file name. +allowed: sudo ls /etc/snmp/tls/certs +syntax:expression: pattern $VAR(@) "^[0-9A-F]{2}(:[0-9A-F]{2}){19}$" || + exec "if [ `sudo ls \"/etc/snmp/tls/certs/$VAR(@)\" 2> /dev/null` ]; \ + then \ + exit 0; \ + else \ + exit 1; \ + fi" ; "value can be finger print key or filename in /etc/snmp/tls/certs folder" \ No newline at end of file diff --git a/templates/service/snmp/v3/tsm/node.def b/templates/service/snmp/v3/tsm/node.def new file mode 100644 index 00000000..3d12f21d --- /dev/null 
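Review bot: The `syntax:expression` for `tsm/local-key` accepts, besides a fingerprint, any value for which `sudo ls "/etc/snmp/tls/certs/$VAR(@)"` succeeds, and that test neither confines the value to a file directly inside the certs directory nor keeps shell metacharacters out of a value that set_tsm in vyatta-snmp-v3.pl later interpolates into `echo "[snmp] localCert $local_key"`. Add a filename pattern next to the existence check, e.g. `pattern $VAR(@) "^[A-Za-z0-9_.-]+$"` (constructed) combined with the `exec` via `&&` inside the existing `||` (the `!( ... && ... )` form in auth/node.def shows the grammar allows it), so only a bare filename in `/etc/snmp/tls/certs` or a fingerprint passes. The error text should then also say that path components are not accepted.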
+++ b/templates/service/snmp/v3/tsm/node.def @@ -0,0 +1,3 @@ +help: Specifies that the snmpd uses encryption. +commit:expression: $VAR(port/) != "" ; "must specify port" +commit:expression: $VAR(local-key/) != "" ; "must specify local-key" \ No newline at end of file diff --git a/templates/service/snmp/v3/tsm/port/node.def b/templates/service/snmp/v3/tsm/port/node.def new file mode 100644 index 00000000..86fd6cca --- /dev/null +++ b/templates/service/snmp/v3/tsm/port/node.def @@ -0,0 +1,7 @@ +type: u32 +default: 10161 +help: Defines the port for tsm. + +val_help: u32:1-65535; Numeric IP port +syntax:expression: $VAR(@) > 0 && $VAR(@) <= 65535 ; \ + "Port number must be in range 1 to 65535" diff --git a/templates/service/snmp/v3/user/node.def b/templates/service/snmp/v3/user/node.def new file mode 100644 index 00000000..e6a8bc87 --- /dev/null +++ b/templates/service/snmp/v3/user/node.def @@ -0,0 +1,6 @@ +tag: +type: txt +help: Specifies the user with name username +syntax:expression: pattern $VAR(@) "^[^-]*$" ; "characters '-' in name is not supported yet" +commit:expression: $VAR(auth/) != "" || $VAR(tsm-key/) != ""; "must specify auth or tsm-key" +commit:expression: $VAR(mode/) != ""; "must specify mode" \ No newline at end of file diff --git a/templates/service/snmp/v3/user/node.tag/auth/encrypted-key/node.def b/templates/service/snmp/v3/user/node.tag/auth/encrypted-key/node.def new file mode 100644 index 00000000..3cf6bd31 --- /dev/null +++ b/templates/service/snmp/v3/user/node.tag/auth/encrypted-key/node.def @@ -0,0 +1,2 @@ +type: txt +help: Defines the encrypted key for authentication protocol diff --git a/templates/service/snmp/v3/user/node.tag/auth/node.def b/templates/service/snmp/v3/user/node.tag/auth/node.def new file mode 100644 index 00000000..68959a8e --- /dev/null +++ b/templates/service/snmp/v3/user/node.tag/auth/node.def 
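Review bot: The `user` tag name in user/node.def is checked only for the absence of `-`, yet vyatta-snmp-v3.pl writes it unquoted into `group $group usm $user` lines, recovers it by splitting `usmUser` lines on spaces, and passes it to `system()` inside a double-quoted shell string; spaces, quotes, `$` or backticks in a name would break the parser or reach the shell. Tighten the pattern to what those consumers can handle, e.g. `syntax:expression: pattern $VAR(@) "^[A-Za-z0-9_]+$" ; "user name may contain only letters, digits and underscore"` (constructed; it still excludes `-` as the current check does). The `group` tag node earlier in this commit has no syntax check at all although its name is interpolated into `access` lines the same way.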
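Review bot: Unlike trap-target's `auth/encrypted-key`, this `user` `auth/encrypted-key` node (and the `privacy/encrypted-key` node later in this commit) has no `syntax:expression`, although vyatta-snmp-v3.pl copies the value straight into a `usmUser` line in /var/lib/snmp/snmpd.conf and into a `my_set ... encrypted-key $values[8]` shell command. Add the same check the trap-target node uses, `syntax:expression: pattern $VAR(@) "^0x[0-9a-f]*$" ; "key must start from '0x' and contain hex digits"`, so only a hex string can reach those consumers.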
@@ -0,0 +1,3 @@ +help: Specifies the auth +commit:expression: $VAR(type/) != "" ; "must specify type" +commit:expression: $VAR(plaintext-key/) != "" || $VAR(encrypted-key/) != "" ; "must specify plaintext-key or encrypted-key" \ No newline at end of file diff --git a/templates/service/snmp/v3/user/node.tag/auth/plaintext-key/node.def b/templates/service/snmp/v3/user/node.tag/auth/plaintext-key/node.def new file mode 100644 index 00000000..4f840d7c --- /dev/null +++ b/templates/service/snmp/v3/user/node.tag/auth/plaintext-key/node.def @@ -0,0 +1,5 @@ +type: txt +help: Defines the key in the clear text for authentication protocol +syntax:expression: pattern $VAR(@) "^.{8,}$" ; "key must contain 8 or more characters" + +update:expression: $VAR(../encrypted-key/@) = "" \ No newline at end of file diff --git a/templates/service/snmp/v3/user/node.tag/auth/type/node.def b/templates/service/snmp/v3/user/node.tag/auth/type/node.def new file mode 100644 index 00000000..5a2ffc52 --- /dev/null +++ b/templates/service/snmp/v3/user/node.tag/auth/type/node.def @@ -0,0 +1,8 @@ +type: txt +default: "md5" +help: Defines the protocol using for authentication +syntax:expression: $VAR(@) in "md5", "sha" +allowed: echo md5 sha + +val_help: md5; Message Digest 5 +val_help: sha; Secure Hash Algorithm \ No newline at end of file diff --git a/templates/service/snmp/v3/user/node.tag/group/node.def b/templates/service/snmp/v3/user/node.tag/group/node.def new file mode 100644 index 00000000..66543579 --- /dev/null +++ b/templates/service/snmp/v3/user/node.tag/group/node.def @@ -0,0 +1,11 @@ +type: txt +help: Specifies group for user name +allowed: list=`cli-shell-api listNodes service snmp v3 group` + echo $list +syntax:expression:exec "regex=\"(^| )$VAR(@)( |$)\"; \ + if [[ \"$VAR(/service/snmp/v3/group/@@)\" =~ $regex ]] ; \ + then \ + exit 0; \ + else \ + exit 1; \ + fi" ; "You must create \"$VAR(@)\" group first" 
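Review bot: auth/type/node.def defaults `auth type` to `md5`, and privacy/type/node.def (further down) defaults `privacy type` to `des`, so a user configured with keys alone silently gets the weakest of the offered algorithms. Both templates already accept the stronger option, so `default: "sha"` and `default: "aes"` are the safer choices; if compatibility with existing deployments is the reason for md5/des, a comment in the template saying so would help. The `val_help` entries could also mark which value is recommended.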
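Review bot: The `syntax:expression:exec` in user/node.tag/group/node.def builds a bash regex from the raw value (`regex="(^| )$VAR(@)( |$)"`), so a group name is matched as a pattern rather than compared literally, while `check_relation` in vyatta-snmp-v3.pl already verifies the same relation at commit time with `$config->exists("group $group")`. An existence query, `cli-shell-api exists service snmp v3 group "$VAR(@)"`, avoids the regex interpolation and keeps the two checks consistent.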
diff --git a/templates/service/snmp/v3/user/node.tag/mode/node.def b/templates/service/snmp/v3/user/node.tag/mode/node.def new file mode 100644 index 00000000..9855f5fb --- /dev/null +++ b/templates/service/snmp/v3/user/node.tag/mode/node.def @@ -0,0 +1,8 @@ +type: txt +default: "ro" +help: Specifies the mode for access rights of user, read only or write +syntax:expression: $VAR(@) in "ro", "rw" +allowed: echo ro rw + +val_help: ro; +val_help: rw; diff --git a/templates/service/snmp/v3/user/node.tag/privacy/encrypted-key/node.def b/templates/service/snmp/v3/user/node.tag/privacy/encrypted-key/node.def new file mode 100644 index 00000000..8feef111 --- /dev/null +++ b/templates/service/snmp/v3/user/node.tag/privacy/encrypted-key/node.def @@ -0,0 +1,2 @@ +type: txt +help: Defines the encrypted key for privacy protocol diff --git a/templates/service/snmp/v3/user/node.tag/privacy/node.def b/templates/service/snmp/v3/user/node.tag/privacy/node.def new file mode 100644 index 00000000..94bf850c --- /dev/null +++ b/templates/service/snmp/v3/user/node.tag/privacy/node.def @@ -0,0 +1,3 @@ +help: Specifies the privacy +commit:expression: $VAR(type/) != "" ; "must specify type" +commit:expression: $VAR(plaintext-key/) != "" || $VAR(encrypted-key/) != "" ; "must specify plaintext-key or encrypted-key" \ No newline at end of file diff --git a/templates/service/snmp/v3/user/node.tag/privacy/plaintext-key/node.def b/templates/service/snmp/v3/user/node.tag/privacy/plaintext-key/node.def new file mode 100644 index 00000000..5d706712 --- /dev/null +++ b/templates/service/snmp/v3/user/node.tag/privacy/plaintext-key/node.def @@ -0,0 +1,5 @@ +type: txt +help: Defines the key in the clear text for protocol for privacy +syntax:expression: pattern $VAR(@) "^.{8,}$" ; "key must contain 8 or more characters" + +update:expression: $VAR(../encrypted-key/@) = "" \ No newline at end of file 
diff --git a/templates/service/snmp/v3/user/node.tag/privacy/type/node.def b/templates/service/snmp/v3/user/node.tag/privacy/type/node.def new file mode 100644 index 00000000..bbfd5331 --- /dev/null +++ b/templates/service/snmp/v3/user/node.tag/privacy/type/node.def @@ -0,0 +1,8 @@ +type: txt +default: "des" +help: Defines the protocol for privacy +syntax:expression: $VAR(@) in "des", "aes" +allowed: echo des aes + +val_help: des; Data Encryption Standard +val_help: aes; Advanced Encryption Standard \ No newline at end of file diff --git a/templates/service/snmp/v3/user/node.tag/tsm-key/node.def b/templates/service/snmp/v3/user/node.tag/tsm-key/node.def new file mode 100644 index 00000000..e9f55a5f --- /dev/null +++ b/templates/service/snmp/v3/user/node.tag/tsm-key/node.def @@ -0,0 +1,10 @@ +type: txt +help: Specifies finger print or file name of TSM certificate. +allowed: sudo ls /etc/snmp/tls/certs +syntax:expression: pattern $VAR(@) "^[0-9A-F]{2}(:[0-9A-F]{2}){19}$" || + exec "if [ `sudo ls \"/etc/snmp/tls/certs/$VAR(@)\" 2> /dev/null` ]; \ + then \ + exit 0; \ + else \ + exit 1; \ + fi" ; "value can be finger print key or filename in /etc/snmp/tls/certs folder" \ No newline at end of file diff --git a/templates/service/snmp/v3/view/node.def b/templates/service/snmp/v3/view/node.def new file mode 100644 index 00000000..a83c978b --- /dev/null +++ b/templates/service/snmp/v3/view/node.def @@ -0,0 +1,5 @@ +tag: +type: txt +help: Specifies the view with name viewname + +commit:expression: $VAR(oid/) != ""; "must configure an oid" \ No newline at end of file diff --git a/templates/service/snmp/v3/view/node.tag/oid/node.def b/templates/service/snmp/v3/view/node.tag/oid/node.def new file mode 100644 index 00000000..beed3274 --- /dev/null +++ b/templates/service/snmp/v3/view/node.tag/oid/node.def @@ -0,0 +1,4 @@ +tag: +type: txt +help: Specifies the oid +syntax:expression: pattern $VAR(@) "^[0-9]+(\.[0-9]+)*$" ; "oid must start from a number" 
diff --git a/templates/service/snmp/v3/view/node.tag/oid/node.tag/exclude/node.def b/templates/service/snmp/v3/view/node.tag/oid/node.tag/exclude/node.def new file mode 100644 index 00000000..df3611cb --- /dev/null +++ b/templates/service/snmp/v3/view/node.tag/oid/node.tag/exclude/node.def @@ -0,0 +1 @@ +help: Exclude is optional argument. diff --git a/templates/service/snmp/v3/view/node.tag/oid/node.tag/mask/node.def b/templates/service/snmp/v3/view/node.tag/oid/node.tag/mask/node.def new file mode 100644 index 00000000..bc500afe --- /dev/null +++ b/templates/service/snmp/v3/view/node.tag/oid/node.tag/mask/node.def @@ -0,0 +1,4 @@ +type: txt +help: Defines a bit-mask that is indicating which subidentifiers of the associated subtree OID should be regarded as significant. +syntax:expression: pattern $VAR(@) "^[0-9a-f]{2}([\\.:][0-9a-f]{2})*$" ; \ + "MASK is a list of hex octets, separated by '.' or ':'" \ No newline at end of file -- cgit v1.2.3 From e4c3ae81d2d1f040a8ad363928302d72f8431ef9 Mon Sep 17 00:00:00 2001 
From: James Davidson Date: Wed, 6 Mar 2013 10:16:06 -0800 Subject: Sync up SNMPv3 support SNMP-135 store SNMP superuser password to config file SNMP-130 add engineId for trap-target SNMP-134 use 'stop' and 'start' instead of 'restart' SNMP-141 change engineID syntax checking SNMP-136 Users are lost after changing TSM port SNMP-149 TLS Error: Permission denied SNMP-147 Not correct priority in TSM users SNMP-148 Configuring already use port for TSM is destroying users. SNMP-151 Errors in logs after first snmp configuration SNMP-152 Hide 'No such file or directory' error message SNMP-153 Debug messages after 'delete service snmp' SNMP-157 Run Perltidy for all Perl scripts SNMP-158 change syntax of trap-target engineID SNMP-163: added script to check name, apply it for user, group and view names SNMP-161 Faulty configuration with many trap-target SNMP-160 Look for TSM keys in /config folder SNMP-162 CLI permit not correct oid SNMP-163: typo in script SNMP-160 Look for TSM keys in /config folder SNMP-163: added support of upper case for names in the script SNMP-163: create rule for names, permit only a-zA-Z0-9 SNMP-163: typo --- Makefile.am | 1 + scripts/snmp/vyatta-snmp-v3.pl | 772 +++++++++++---------- scripts/snmp/vyatta-snmp.pl | 5 + scripts/system/vyatta_check_snmp_name.pl | 31 + templates/service/snmp/node.def | 7 + templates/service/snmp/v3/group/node.def | 2 + templates/service/snmp/v3/node.def | 4 +- templates/service/snmp/v3/trap-target/node.def | 2 + .../snmp/v3/trap-target/node.tag/engineid/node.def | 3 + templates/service/snmp/v3/tsm/local-key/node.def | 8 +- templates/service/snmp/v3/user/node.def | 5 +- .../service/snmp/v3/user/node.tag/tsm-key/node.def | 8 +- templates/service/snmp/v3/view/node.def | 5 +- .../service/snmp/v3/view/node.tag/oid/node.def | 2 +- 14 files changed, 488 insertions(+), 367 deletions(-) create mode 100755 scripts/system/vyatta_check_snmp_name.pl create mode 100644 templates/service/snmp/v3/trap-target/node.tag/engineid/node.def 
(limited to 'scripts')
diff --git a/Makefile.am b/Makefile.am
index 1d7f7dee..77cdfb07 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -36,6 +36,7 @@ sbin_SCRIPTS += scripts/vyatta-grub-setup
 sbin_SCRIPTS += scripts/standalone_root_pw_reset
 sbin_SCRIPTS += scripts/vyatta-passwd-sync
 sbin_SCRIPTS += scripts/system/vyatta_check_username.pl
+sbin_SCRIPTS += scripts/system/vyatta_check_snmp_name.pl
 sbin_SCRIPTS += scripts/system/vyatta_check_domainname.pl
 sbin_SCRIPTS += scripts/system/vyatta_interface_rescan
 sbin_SCRIPTS += scripts/system/vyatta_update_hosts.pl
diff --git a/scripts/snmp/vyatta-snmp-v3.pl b/scripts/snmp/vyatta-snmp-v3.pl
index ef93b8a1..20e50e63 100755
--- a/scripts/snmp/vyatta-snmp-v3.pl
+++ b/scripts/snmp/vyatta-snmp-v3.pl
@@ -7,483 +7,534 @@ use Getopt::Long; use Socket; use Socket6; -my $snmp_v3_level = 'service snmp v3'; -my $snmp_init = 'invoke-rc.d snmpd'; -my $snmpd_conf = '/etc/snmp/snmpd.conf'; -my $snmpd_usr_conf = '/usr/share/snmp/snmpd.conf'; -my $snmpd_var_conf = '/var/lib/snmp/snmpd.conf'; -my $snmpd_conf_tmp = "/tmp/snmpd.conf.$$"; +my $snmp_v3_level = 'service snmp v3'; +my $snmp_init = 'invoke-rc.d snmpd'; +my $snmpd_conf = '/etc/snmp/snmpd.conf'; +my $snmpd_usr_conf = '/usr/share/snmp/snmpd.conf'; +my $snmpd_var_conf = '/var/lib/snmp/snmpd.conf'; +my $snmpd_conf_tmp = "/tmp/snmpd.conf.$$"; my $snmpd_usr_conf_tmp = "/tmp/snmpd.usr.conf.$$"; my $snmpd_var_conf_tmp = "/tmp/snmpd.var.conf.$$"; -my $versionfile = '/opt/vyatta/etc/version'; -my $local_agent = 'unix:/var/run/snmpd.socket'; +my $versionfile = '/opt/vyatta/etc/version'; +my $local_agent = 'unix:/var/run/snmpd.socket'; my $vyatta_config_file = '/config/snmp/snmp_conf.ini'; %VConfig = (); %OIDs = ( - "md5", ".1.3.6.1.6.3.10.1.1.2", - "sha", ".1.3.6.1.6.3.10.1.1.3", - "aes", ".1.3.6.1.6.3.10.1.2.4", - "des", ".1.3.6.1.6.3.10.1.2.2", - "none", ".1.3.6.1.6.3.10.1.2.1" + "md5", ".1.3.6.1.6.3.10.1.1.2", "sha", ".1.3.6.1.6.3.10.1.1.3", + "aes", ".1.3.6.1.6.3.10.1.2.4", "des", ".1.3.6.1.6.3.10.1.2.2", + "none", ".1.3.6.1.6.3.10.1.2.1" ); # generate a random character hex string sub randhex { my $length = shift; - return join "", map { unpack "H*", chr(rand(256)) } 1..($length/2); + return join "", map { unpack "H*", chr( rand(256) ) } 1 .. ( $length / 2 ); } sub parse_config_file { - open (CONFIG, "$vyatta_config_file") or return; + open( CONFIG, "$vyatta_config_file" ) or return; while () { - chomp; # no newline - s/#.*//; # no comments - s/^\s+//; # no leading white - s/\s+$//; # no trailing white - next unless length; # anything left? 
- my ($var, $value) = split(/\s*=\s*/, $_, 2); - $VConfig{$var} = $value; + chomp; # no newline + s/#.*//; # no comments + s/^\s+//; # no leading white + s/\s+$//; # no trailing white + next unless length; # anything left? + my ( $var, $value ) = split( /\s*=\s*/, $_, 2 ); + $VConfig{$var} = $value; } close(CONFIG); } sub write_config_file { - open (my $config_file, '>' , "$vyatta_config_file"); - for my $key (keys %VConfig) { - my $value = $VConfig{$key}; - print $config_file "$key=$value\n"; + open( my $config_file, '>', "$vyatta_config_file" ); + for my $key ( keys %VConfig ) { + my $value = $VConfig{$key}; + print $config_file "$key=$value\n"; } close $config_file; } sub snmpd_running { - open (my $pidf, '<', "/var/run/snmpd.pid") - or return; + open( my $pidf, '<', "/var/run/snmpd.pid" ) + or return; my $pid = <$pidf>; close $pidf; chomp $pid; my $exe = readlink "/proc/$pid/exe"; - return (defined($exe) && $exe eq "/usr/sbin/snmpd"); + return ( defined($exe) && $exe eq "/usr/sbin/snmpd" ); } sub check_snmp_exit_code { - my $code = shift; - # snmpd can start/restart with exit code 256 if trap-target is unavailable - if ($code !=0 && $code != 256) { - return 1; - } else { - return 0; - } + my $code = shift; + + # snmpd can start/restart with exit code 256 if trap-target is unavailable + if ( $code != 0 && $code != 256 ) { + return 1; + } + else { + return 0; + } } sub snmpd_stop { - system("$snmp_init stop > /dev/null 2>&1"); - if (check_snmp_exit_code($?)) { - print "ERROR: Can not stop snmpd!\n"; - exit(1); + system( +"start-stop-daemon --stop --exec /usr/sbin/snmpd --oknodo -R 2 > /dev/null 2>&1" + ); + if ( check_snmp_exit_code($?) ) { + print "ERROR: Can not stop snmpd!\n"; + exit(1); } } sub snmpd_start { system("$snmp_init start > /dev/null 2>&1"); - if (check_snmp_exit_code($?)) { - print "ERROR: Can not start snmpd!\n"; - exit(1); + if ( check_snmp_exit_code($?) 
) { + print "ERROR: Can not start snmpd!\n"; + exit(1); } } sub snmpd_update { system("$snmp_init reload > /dev/null 2>&1"); - if (check_snmp_exit_code($?)) { - print "ERROR: Can not reload snmpd!\n"; - exit(1); + if ( check_snmp_exit_code($?) ) { + print "ERROR: Can not reload snmpd!\n"; + exit(1); } } sub snmpd_restart { system("$snmp_init restart > /dev/null 2>&1"); - if (check_snmp_exit_code($?)) { - print "ERROR: Can not restart snmpd!\n"; - exit(1); + if ( check_snmp_exit_code($?) ) { + print "ERROR: Can not restart snmpd!\n"; + exit(1); } } sub get_version { my $version = "unknown-version"; - if (open (my $f, '<', $versionfile)) { - while (<$f>) { - chomp; - if (m/^Version\s*:\s*(.*)$/) { - $version = $1; - last; - } - } - close $f; + if ( open( my $f, '<', $versionfile ) ) { + while (<$f>) { + chomp; + if (m/^Version\s*:\s*(.*)$/) { + $version = $1; + last; + } + } + close $f; } return $version; } sub ipv6_disabled { - socket ( my $s, PF_INET6, SOCK_DGRAM, 0) - or return 1; + socket( my $s, PF_INET6, SOCK_DGRAM, 0 ) + or return 1; close($s); return; } sub set_tsm { my $config = get_snmp_config(); - if ($config->exists("tsm")) { - my $port = $config->returnValue("tsm port"); - my $local_key = $config->returnValue("tsm local-key"); - system("sed -i 's/^agentaddress.*\$/&,tlstcp:$port,dtlsudp:$port/' $snmpd_conf_tmp"); - system("echo \"[snmp] localCert $local_key\" >> $snmpd_conf_tmp"); + if ( $config->exists("tsm") ) { + my $port = $config->returnValue("tsm port"); + my $local_key = $config->returnValue("tsm local-key"); + system( +"sed -i 's/^agentaddress.*\$/&,tlstcp:$port,dtlsudp:$port/' $snmpd_conf_tmp" + ); + system("echo \"[snmp] localCert $local_key\" >> $snmpd_conf_tmp"); } } sub snmp_delete { snmpd_stop(); - @files = ($snmpd_conf, $snmpd_usr_conf, $snmpd_var_conf); + @files = ( $snmpd_conf, $snmpd_usr_conf, $snmpd_var_conf ); foreach $file (@files) { - if (-e $file) { - if (unlink($file) == 0) { - print "File $file was not deleted.\n"; - } else { - 
print "File $file deleted successfully.\n"; - } - } else { - print "File $file does not exist\n"; - } + if ( -e $file ) { + unlink($file); + } } } sub get_snmp_config() { - my $config = new Vyatta::Config; + my $config = new Vyatta::Config; $config->setLevel($snmp_v3_level); - return $config; + return $config; } sub set_views() { - print "# views \n"; - my $config = get_snmp_config(); - foreach my $view ($config->listNodes("view")) { - foreach my $oid ($config->listNodes("view $view oid")) { - my $mask = $config->returnValue("view $view oid $oid mask"); - if ($config->exists("view $view oid $oid exclude")) { - print "view $view excluded .$oid $mask\n"; - } else { - print "view $view included .$oid $mask\n"; - } + print "# views \n"; + my $config = get_snmp_config(); + foreach my $view ( $config->listNodes("view") ) { + foreach my $oid ( $config->listNodes("view $view oid") ) { + my $mask = $config->returnValue("view $view oid $oid mask"); + if ( $config->exists("view $view oid $oid exclude") ) { + print "view $view excluded .$oid $mask\n"; + } + else { + print "view $view included .$oid $mask\n"; + } + } } - } - print "\n"; + print "\n"; } sub set_groups() { - print "#access\n# context sec.model sec.level match read write notif\n"; - my $config = get_snmp_config(); - foreach my $group ($config->listNodes("group")) { - my $mode = $config->returnValue("group $group mode"); - my $view = $config->returnValue("group $group view"); - if ($mode eq "ro") { - print "access $group \"\" usm auth exact $view none none\n"; - print "access $group \"\" tsm auth exact $view none none\n"; - } else { - print "access $group \"\" usm auth exact $view $view none\n"; - print "access $group \"\" tsm auth exact $view $view none\n"; + print +"#access\n# context sec.model sec.level match read write notif\n"; + my $config = get_snmp_config(); + foreach my $group ( $config->listNodes("group") ) { + my $mode = $config->returnValue("group $group mode"); + my $view = $config->returnValue("group 
$group view"); + if ( $mode eq "ro" ) { + print "access $group \"\" usm auth exact $view none none\n"; + print "access $group \"\" tsm auth exact $view none none\n"; + } + else { + print "access $group \"\" usm auth exact $view $view none\n"; + print "access $group \"\" tsm auth exact $view $view none\n"; + } } - } - print "\n"; + print "\n"; } sub set_users_in_etc() { - print "#group\n"; - - my $config = get_snmp_config(); - foreach my $user ($config->listNodes("user")) { - $config->setLevel($snmp_v3_level." user $user"); - if ($config->exists("group")) { - my $group = $config->returnValue("group"); - print "group $group usm $user\n"; - print "group $group tsm $user\n"; + print "#group\n"; + my $tsm_counter = 0; + my $config = get_snmp_config(); + foreach my $user ( $config->listNodes("user") ) { + $config->setLevel( $snmp_v3_level . " user $user" ); + if ( $config->exists("group") ) { + my $group = $config->returnValue("group"); + print "group $group usm $user\n"; + print "group $group tsm $user\n"; + } + if ( $config->exists("tsm-key") ) { + my $cert = $config->returnValue("tsm-key"); + $tsm_counter++; + print "certSecName $tsm_counter $cert --sn $user\n"; + } } - if ($config->exists("tsm-key")) { - my $cert = $config->returnValue("tsm-key"); - #TODO magic number 10 - print "certSecName 10 $cert --sn $user\n"; - } - } - print "\n"; + print "\n"; } sub set_users_to_other() { - open (my $usr_conf, '>>', $snmpd_usr_conf_tmp) - or die "Couldn't open $snmpd_usr_conf_tmp - $!"; - open (my $var_conf, '>>', $snmpd_var_conf_tmp) - or die "Couldn't open $snmpd_var_conf_tmp - $!"; - - print $var_conf "\n"; - - my $config = get_snmp_config(); - my $needTsm = 0; - if ($config->exists("tsm")) { - $needTsm = 1; - } - - my %trap_users=(); - - foreach my $trap ($config->listNodes("trap-target")) { - $trap_users{$config->returnValue("trap-target $trap user")} = 1; - } - - foreach my $user ($config->listNodes("user")) { - delete $trap_users{$user}; - 
$config->setLevel($snmp_v3_level." user $user"); - my $auth_type = $config->returnValue("auth type"); - my $priv_type = $config->returnValue("privacy type"); - if ($config->exists("auth")) { - if ($config->exists("auth plaintext-key")) { - my $auth_key = $config->returnValue("auth plaintext-key"); - my $priv_key = $config->returnValue("privacy plaintext-key"); - print $var_conf "createUser $user \U$auth_type\E $auth_key \U$priv_type\E $priv_key\n"; - } else { - my $name_print = get_printable_name($user); - my $EngineID = $VConfig{"User.$user.EngineID"}; - my $auth_type_oid = $OIDs{$auth_type}; - my $auth_key_hex = $config->returnValue("auth encrypted-key"); - local ($priv_type_oid, $priv_key_hex); - if ($config->exists("privacy")) { - $priv_type_oid = $OIDs{$priv_type}; - $priv_key_hex = $config->returnValue("privacy encrypted-key"); - } else { - $priv_type_oid = $OIDs{'none'}; - $priv_key_hex = '0x'; - } - print $var_conf "usmUser 1 3 $EngineID $name_print $name_print NULL $auth_type_oid $auth_key_hex $priv_type_oid $priv_key_hex 0x\n"; - } + open( my $usr_conf, '>>', $snmpd_usr_conf_tmp ) + or die "Couldn't open $snmpd_usr_conf_tmp - $!"; + open( my $var_conf, '>>', $snmpd_var_conf_tmp ) + or die "Couldn't open $snmpd_var_conf_tmp - $!"; + + print $var_conf "\n"; + + my $config = get_snmp_config(); + my $needTsm = 0; + if ( $config->exists("tsm") ) { + $needTsm = 1; } - my $mode = $config->returnValue("mode"); - my $end = "auth"; - if ($config->exists("privacy")) { - $end = "priv"; + + my %trap_users = (); + + foreach my $trap ( $config->listNodes("trap-target") ) { + $trap_users{ $config->returnValue("trap-target $trap user") } = 1; } - print $usr_conf $mode."user $user $end\n"; - if ($needTsm) { - print $usr_conf $mode."user -s tsm $user $end\n"; + + foreach my $user ( $config->listNodes("user") ) { + delete $trap_users{$user}; + $config->setLevel( $snmp_v3_level . 
" user $user" ); + my $auth_type = $config->returnValue("auth type"); + my $priv_type = $config->returnValue("privacy type"); + if ( $config->exists("auth") ) { + if ( $config->exists("auth plaintext-key") ) { + my $auth_key = $config->returnValue("auth plaintext-key"); + my $priv_key = $config->returnValue("privacy plaintext-key"); + print $var_conf +"createUser $user \U$auth_type\E $auth_key \U$priv_type\E $priv_key\n"; + } + else { + my $name_print = get_printable_name($user); + my $EngineID = $VConfig{"User.$user.EngineID"}; + my $auth_type_oid = $OIDs{$auth_type}; + my $auth_key_hex = $config->returnValue("auth encrypted-key"); + local ( $priv_type_oid, $priv_key_hex ); + if ( $config->exists("privacy") ) { + $priv_type_oid = $OIDs{$priv_type}; + $priv_key_hex = + $config->returnValue("privacy encrypted-key"); + } + else { + $priv_type_oid = $OIDs{'none'}; + $priv_key_hex = '0x'; + } + print $var_conf +"usmUser 1 3 $EngineID $name_print $name_print NULL $auth_type_oid $auth_key_hex $priv_type_oid $priv_key_hex 0x\n"; + } + } + my $mode = $config->returnValue("mode"); + my $end = "auth"; + if ( $config->exists("privacy") ) { + $end = "priv"; + } + print $usr_conf $mode . "user $user $end\n"; + if ($needTsm) { + print $usr_conf $mode . "user -s tsm $user $end\n"; + } } - } - foreach my $user (keys %trap_users) { - $name_print = get_printable_name($user); - print $var_conf "usmUser 1 3 0x".randhex(26)." $name_print $name_print NULL .1.3.6.1.6.3.10.1.1.2 0x".randhex(32)." .1.3.6.1.6.3.10.1.2.1 0x 0x\n"; - print $usr_conf "rouser $user auth"; - } + foreach my $user ( keys %trap_users ) { + $name_print = get_printable_name($user); + print $var_conf "usmUser 1 3 0x" + . randhex(26) + . " $name_print $name_print NULL .1.3.6.1.6.3.10.1.1.2 0x" + . randhex(32) + . 
" .1.3.6.1.6.3.10.1.2.1 0x 0x\n"; + print $usr_conf "rouser $user auth\n"; + } - print $var_conf "setservialno ".$VConfig{"serialno"}."\n"; - print $var_conf "oldEngineID ".$VConfig{"oldEngineID"}."\n"; + print $var_conf "setserialno " . $VConfig{"serialno"} . "\n" + if exists $VConfig{"serialno"}; + print $var_conf "oldEngineID " . $VConfig{"oldEngineID"} . "\n" + if exists $VConfig{"oldEngineID"}; - close $usr_conf; - close $var_conf; + close $usr_conf; + close $var_conf; } sub get_printable_name { - my $name = shift; - if ($name =~ /-/) { - my @array=unpack('C*', $name); - my $stringHex = '0x'; - foreach my $c (@array) { - $stringHex .= sprintf ("%lx", $c); + my $name = shift; + if ( $name =~ /-/ ) { + my @array = unpack( 'C*', $name ); + my $stringHex = '0x'; + foreach my $c (@array) { + $stringHex .= sprintf( "%lx", $c ); + } + return $stringHex; + } + else { + return "\"$name\""; } - return $stringHex; - } else { - return "\"$name\""; - } } sub update_users_vyatta_conf() { - %VConfig = (); - open (my $var_conf, '<' , $snmpd_var_conf) or die "Couldn't open $snmpd_usr_conf - $!"; - my $config = get_snmp_config(); - while (my $line = <$var_conf>) { - if ($line =~ /^setserialno (.*)$/) { - $VConfig{"serialno"} = $1; - } - if ($line =~ /^oldEngineID (.*)$/) { - $VConfig{"oldEngineID"} = $1; - } - if ($line =~ /^usmUser /) { - my @values = split(/ /, $line); - my $name = $values[4]; - if ($name =~ /^"(.*)"$/) { - $name = $1; - } else { - $name = pack('H*', $name); - } - # this file contain users for trap-target and vyatta... 
user - # these users recreating automatically on each commit - if ($config->exists("user $name")) { - $VConfig{"User.$name.EngineID"} = $values[3]; - system("/opt/vyatta/sbin/my_set service snmp v3 user \"$name\" auth encrypted-key $values[8] > /dev/null"); - if ($values[10] ne "\"\"" && $values[10] ne "0x") { - system("/opt/vyatta/sbin/my_set service snmp v3 user \"$name\" privacy encrypted-key $values[10] > /dev/null"); - system("/opt/vyatta/sbin/my_delete service snmp v3 user \"$name\" privacy plaintext-key > /dev/null"); - } - system("/opt/vyatta/sbin/my_delete service snmp v3 user \"$name\" auth plaintext-key > /dev/null"); - } + %VConfig = (); + open( my $var_conf, '<', $snmpd_var_conf ) + or die "Couldn't open $snmpd_usr_conf - $!"; + my $config = get_snmp_config(); + while ( my $line = <$var_conf> ) { + if ( $line =~ /^setserialno (.*)$/ ) { + $VConfig{"serialno"} = $1; + } + if ( $line =~ /^oldEngineID (.*)$/ ) { + $VConfig{"oldEngineID"} = $1; + } + if ( $line =~ /^usmUser / ) { + my @values = split( / /, $line ); + my $name = $values[4]; + if ( $name =~ /^"(.*)"$/ ) { + $name = $1; + } + else { + $name = pack( 'H*', $name ); + } + + # this file contain users for trap-target and vyatta... 
user + # these users recreating automatically on each commit + if ( $config->exists("user $name") ) { + $VConfig{"User.$name.EngineID"} = $values[3]; + system( +"/opt/vyatta/sbin/my_set service snmp v3 user \"$name\" auth encrypted-key $values[8] > /dev/null" + ); + if ( $values[10] ne "\"\"" && $values[10] ne "0x" ) { + system( +"/opt/vyatta/sbin/my_set service snmp v3 user \"$name\" privacy encrypted-key $values[10] > /dev/null" + ); + system( +"/opt/vyatta/sbin/my_delete service snmp v3 user \"$name\" privacy plaintext-key > /dev/null" + ); + } + system( +"/opt/vyatta/sbin/my_delete service snmp v3 user \"$name\" auth plaintext-key > /dev/null" + ); + } + } } - } + close $var_conf; } sub set_hosts() { - print "#trap-target\n"; - my $config = get_snmp_config(); - foreach my $target ($config->listNodes("trap-target")) { - $config->setLevel($snmp_v3_level." trap-target $target"); - my $auth_key = ''; - if ($config->exists("auth plaintext-key")) { - $auth_key = "-A ".$config->returnValue("auth plaintext-key"); - } else { - $auth_key = "-3m ".$config->returnValue("auth encrypted-key"); - } - my $auth_type = $config->returnValue("auth type"); - my $user = $config->returnValue("user"); - my $port = $config->returnValue("port"); - my $protocol = $config->returnValue("protocol"); - my $type = $config->returnValue("type"); - my $inform_flag = ''; - $inform_flag = '-Ci' if ($type eq 'inform'); - my $privacy = ''; - my $secLevel = 'authNoPriv'; - if ($config->exists("privacy")) { - my $priv_key = ''; - if ($config->exists("privacy plaintext-key")) { - $priv_key = "-X ".$config->returnValue("privacy plaintext-key"); - } else { - $priv_key = "-3M ".$config->returnValue("privacy encrypted-key") - } - my $priv_type = $config->returnValue("privacy type"); - $privacy = "-x $priv_type $priv_key"; - $secLevel = 'authPriv'; - } - # TODO - # set -3m / -3M for auth / priv for master - # or -3k / -3K for local - my $target_print = $target; - if ($target =~ /:/) { - $target_print = 
"[$target]"; - $protocol = $protocol."6"; + print "#trap-target\n"; + my $config = get_snmp_config(); + foreach my $target ( $config->listNodes("trap-target") ) { + $config->setLevel( $snmp_v3_level . " trap-target $target" ); + my $auth_key = ''; + if ( $config->exists("auth plaintext-key") ) { + $auth_key = "-A " . $config->returnValue("auth plaintext-key"); + } + else { + $auth_key = "-3m " . $config->returnValue("auth encrypted-key"); + } + my $auth_type = $config->returnValue("auth type"); + my $user = $config->returnValue("user"); + my $port = $config->returnValue("port"); + my $protocol = $config->returnValue("protocol"); + my $type = $config->returnValue("type"); + my $inform_flag = '-Ci'; + $inform_flag = '-Ci' if ( $type eq 'inform' ); + + if ( $type eq 'trap' ) { + $inform_flag = '-e ' . $config->returnValue("engineid"); + } + my $privacy = ''; + my $secLevel = 'authNoPriv'; + if ( $config->exists("privacy") ) { + my $priv_key = ''; + if ( $config->exists("privacy plaintext-key") ) { + $priv_key = + "-X " . $config->returnValue("privacy plaintext-key"); + } + else { + $priv_key = + "-3M " . $config->returnValue("privacy encrypted-key"); + } + my $priv_type = $config->returnValue("privacy type"); + $privacy = "-x $priv_type $priv_key"; + $secLevel = 'authPriv'; + } + + # TODO + # set -3m / -3M for auth / priv for master + # or -3k / -3K for local + my $target_print = $target; + if ( $target =~ /:/ ) { + $target_print = "[$target]"; + $protocol = $protocol . "6"; + } + print +"trapsess -v 3 $inform_flag -u $user -l $secLevel -a $auth_type $auth_key $privacy $protocol:$target_print:$port\n"; } - print "trapsess -v 3 $inform_flag -u $user -l $secLevel -a $auth_type $auth_key $privacy $protocol:$target_print:$port\n"; - } - print "\n"; + print "\n"; } sub check_user_auth_changes() { - my $config = get_snmp_config(); - if ($config->isChanged("user")) { - my $haveError = 0; - foreach my $user ($config->listNodes("user")) { - $config->setLevel($snmp_v3_level." 
user $user"); - if ($config->exists("auth")) { - if ($config->isChanged("auth encrypted-key") || $config->isChanged("privacy encrypted-key")) { - $haveError = 1; - print "Discard encrypted-key on user \"$user\". You can't change encrypted key. It does not supported yet."; - } - my $isAuthKeyChanged = $config->isChanged("auth plaintext-key"); - my $isAuthChanged = $isAuthKeyChanged || $config->isChanged("auth type"); - if (($isAuthChanged || $config->isDeleted("privacy") ) && !$isAuthKeyChanged) { - $haveError = 1; - print "Please, set auth plaintext-key for user \"$user\"\n"; - } - if ($config->exists("privacy")) { - my $isPrivKeyChanged = $config->isChanged("privacy plaintext-key"); - my $isPrivChanged = $isPrivKeyChanged || $config->isChanged("privacy type"); - if ($isPrivChanged && !$isAuthKeyChanged) { - $haveError = 1; - print "Please, set auth plaintext-key for user \"$user\"\n"; - } - if (($isAuthChanged || $isPrivChanged) && !$isPrivKeyChanged) { - $haveError = 1; - print "Please, set privacy plaintext-key for user \"$user\"\n"; - } - } - } else { - if ($config->exists("privacy")) { - $haveError = 1; - print "Please, delete privacy for user \"$user\"\n"; - } - } - } - if ($haveError) { - exit(1); + my $config = get_snmp_config(); + if ( $config->isChanged("user") ) { + my $haveError = 0; + foreach my $user ( $config->listNodes("user") ) { + $config->setLevel( $snmp_v3_level . " user $user" ); + if ( $config->exists("auth") ) { + if ( $config->isChanged("auth encrypted-key") + || $config->isChanged("privacy encrypted-key") ) + { + $haveError = 1; + print +"Discard encrypted-key on user \"$user\". You can't change encrypted key. 
It does not supported yet.\n"; + } + my $isAuthKeyChanged = $config->isChanged("auth plaintext-key"); + my $isAuthChanged = $isAuthKeyChanged + || $config->isChanged("auth type"); + if ( ( $isAuthChanged || $config->isDeleted("privacy") ) + && !$isAuthKeyChanged ) + { + $haveError = 1; + print "Please, set auth plaintext-key for user \"$user\"\n"; + } + if ( $config->exists("privacy") ) { + my $isPrivKeyChanged = + $config->isChanged("privacy plaintext-key"); + my $isPrivChanged = $isPrivKeyChanged + || $config->isChanged("privacy type"); + if ( $isPrivChanged && !$isAuthKeyChanged ) { + $haveError = 1; + print + "Please, set auth plaintext-key for user \"$user\"\n"; + } + if ( ( $isAuthChanged || $isPrivChanged ) + && !$isPrivKeyChanged ) + { + $haveError = 1; + print +"Please, set privacy plaintext-key for user \"$user\"\n"; + } + } + } + else { + if ( $config->exists("privacy") ) { + $haveError = 1; + print "Please, delete privacy for user \"$user\"\n"; + } + } + } + if ($haveError) { + exit(1); + } } - } } sub check_relation() { - my $config = get_snmp_config(); - my $haveError = 0; - foreach my $user ($config->listNodes("user")) { - if ($config->exists("user $user group")) { - my $group = $config->returnValue("user $user group"); - if (! $config->exists("group $group")) { - $haveError = 1; - print "Please, create group \"$group\". It's need for user \"$user\"\n"; - } + my $config = get_snmp_config(); + my $haveError = 0; + foreach my $user ( $config->listNodes("user") ) { + if ( $config->exists("user $user group") ) { + my $group = $config->returnValue("user $user group"); + if ( !$config->exists("group $group") ) { + $haveError = 1; + print +"Please, create group \"$group\". It's need for user \"$user\"\n"; + } + } + } + foreach my $group ( $config->listNodes("group") ) { + my $view = $config->returnValue("group $group view"); + if ( !$config->exists("view $view") ) { + $haveError = 1; + print + "Please, create view \"$view\". 
It's need for group \"$group\"\n"; + } } - } - foreach my $group ($config->listNodes("group")) { - my $view = $config->returnValue("group $group view"); - if (! $config->exists("view $view")) { - $haveError = 1; - print "Please, create view \"$view\". It's need for group \"$group\"\n"; + if ($haveError) { + exit(1); } - } - if ($haveError) { - exit(1); - } } sub check_tsm_port { - my $config = get_snmp_config(); - if ($config->isChanged("tsm port")) { - my $port = $config->returnValue("tsm port"); - my $reg = ":$port\$"; - $output = `netstat -anltup | awk '{print \$4}'`; - foreach my $line (split(/\n/,$output)) { - if ($line =~ /$reg/) { - print "Actually port $port is using. It can not be used for tsm.\n"; - exit(1); - } + my $config = get_snmp_config(); + if ( $config->isChanged("tsm port") ) { + my $port = $config->returnValue("tsm port"); + my $reg = ":$port\$"; + $output = `netstat -anltup | awk '{print \$4}'`; + foreach my $line ( split( /\n/, $output ) ) { + if ( $line =~ /$reg/ ) { + print + "Actually port $port is using. 
It can not be used for tsm.\n"; + exit(1); + } + } } - } } sub copy_conf_to_tmp() { - # these files already contain SNMPv2 configuration - copy($snmpd_conf, $snmpd_conf_tmp) or die "Couldn't copy $snmpd_conf to $snmpd_conf_tmp - $!"; - copy($snmpd_usr_conf, $snmpd_usr_conf_tmp) or die "Couldn't copy $snmpd_usr_conf to $snmpd_usr_conf_tmp - $!"; - copy($snmpd_var_conf, $snmpd_var_conf_tmp) or die "Couldn't copy $snmpd_var_conf to $snmpd_var_conf_tmp - $!"; + + # these files already contain SNMPv2 configuration + copy( $snmpd_conf, $snmpd_conf_tmp ) + or die "Couldn't copy $snmpd_conf to $snmpd_conf_tmp - $!"; + copy( $snmpd_usr_conf, $snmpd_usr_conf_tmp ) + or die "Couldn't copy $snmpd_usr_conf to $snmpd_usr_conf_tmp - $!"; + copy( $snmpd_var_conf, $snmpd_var_conf_tmp ) + or die "Couldn't copy $snmpd_var_conf to $snmpd_var_conf_tmp - $!"; } sub snmp_update { - check_user_auth_changes(); - check_relation(); - check_tsm_port(); - copy_conf_to_tmp(); set_tsm(); - open (my $fh, '>>', $snmpd_conf_tmp) - or die "Couldn't open $snmpd_conf_tmp - $!"; + open( my $fh, '>>', $snmpd_conf_tmp ) + or die "Couldn't open $snmpd_conf_tmp - $!"; select $fh; 
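Review bot: `update_users_vyatta_conf` decodes an unquoted usmUser name with `pack( 'H*', $name )`, while `get_printable_name` in the same hunk produces that form with a leading `0x`, so the two sides of the hex round-trip disagree and the prefix would be decoded as data; strip it first, `$name =~ s/^0x//;`, or drop the prefix on the encoding side. Only names containing `-` take the hex form and the templates currently reject those, so this is latent rather than live. In the same sub the `die` after `open( my $var_conf, '<', $snmpd_var_conf )` reports `$snmpd_usr_conf`, the wrong file. `set_users_to_other` derives the engine ID and auth key of each trap-target-only user from `randhex`, i.e. from `rand()`, which is not a cryptographic source; if those keys ever authenticate anything, read the bytes from `/dev/urandom` instead. File-scope `%VConfig`, `@files`, `$output` and `$name_print` are undeclared, which indicates the script runs without `use strict`; since this commit already reformatted every line, adding `use strict; use warnings;` with `my` declarations would be a natural addition.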
@@ -495,33 +546,42 @@ sub snmp_update { close $fh; select STDOUT; - move($snmpd_conf_tmp, $snmpd_conf) - or die "Couldn't move $snmpd_conf_tmp to $snmpd_conf - $!"; + move( $snmpd_conf_tmp, $snmpd_conf ) + or die "Couldn't move $snmpd_conf_tmp to $snmpd_conf - $!"; my $config = get_snmp_config(); - if ($config->isChanged("user") || $config->isAdded("tsm") || $config->isDeleted("tsm") || $config->isChanged("trap-target")) { - parse_config_file(); - snmpd_stop(); - set_users_to_other(); - move($snmpd_usr_conf_tmp, $snmpd_usr_conf) - or die "Couldn't move $snmpd_usr_conf_tmp to $snmpd_usr_conf - $!"; - move($snmpd_var_conf_tmp, $snmpd_var_conf) - or die "Couldn't move $snmpd_var_conf_tmp to $snmpd_var_conf - $!"; - snmpd_start(); - snmpd_restart(); - update_users_vyatta_conf(); - write_config_file(); - } else { - snmpd_start(); - } + parse_config_file(); + snmpd_stop(); + set_users_to_other(); + move( $snmpd_usr_conf_tmp, $snmpd_usr_conf ) + or die "Couldn't move $snmpd_usr_conf_tmp to $snmpd_usr_conf - $!"; + move( $snmpd_var_conf_tmp, $snmpd_var_conf ) + or die "Couldn't move $snmpd_var_conf_tmp to $snmpd_var_conf - $!"; + snmpd_start(); + snmpd_stop(); + snmpd_start(); + update_users_vyatta_conf(); + write_config_file(); + } +sub snmp_check() { + check_user_auth_changes(); + check_relation(); + check_tsm_port(); +} + +my $check_config; my $update_snmp; my $delete_snmp; -GetOptions("update-snmp!" => \$update_snmp, - "delete-snmp!" => \$delete_snmp); +GetOptions( + "check-config!" => \$check_config, + "update-snmp!" => \$update_snmp, + "delete-snmp!" => \$delete_snmp +); +snmp_check() if ($check_config); snmp_update() if ($update_snmp); snmp_delete() if ($delete_snmp); diff --git a/scripts/snmp/vyatta-snmp.pl b/scripts/snmp/vyatta-snmp.pl index a4ea9e27..073e7c5a 100755 --- a/scripts/snmp/vyatta-snmp.pl +++ b/scripts/snmp/vyatta-snmp.pl 
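Review bot: `my $config = get_snmp_config();` in snmp_update is now dead: its only consumer was the removed `isChanged("user") || isAdded("tsm") ...` condition, so the new side builds a config object whose value is never read; drop the line or use it. The new unconditional tail calls `snmpd_start(); snmpd_stop(); snmpd_start();` back to back, which looks like a hand-expanded `snmpd_restart()` left over from the old branch; if a single restart is the intent, one `snmpd_stop(); ... snmpd_start();` sequence is clearer and avoids starting the daemon only to stop it again. Removing the condition also means every commit now stops snmpd and rewrites the usr/var files even when only unrelated SNMP nodes changed; a one-line comment above `parse_config_file();` stating that this is deliberate would stop the next reader from "fixing" it back.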
@@ -44,6 +44,7 @@ my $snmp_snmpv3_user_conf = '/usr/share/snmp/snmpd.conf'; my $snmp_snmpv3_createuser_conf = '/var/lib/snmp/snmpd.conf'; my $versionfile = '/opt/vyatta/etc/version'; my $local_agent = 'unix:/var/run/snmpd.socket'; +my $password_file = '/config/snmp/superuser_pass'; my $snmp_level = 'service snmp'; @@ -291,6 +292,10 @@ sub snmp_create_snmpv3_user { open(my $fh, '>', $snmp_snmpv3_createuser_conf) || die "Couldn't open $snmp_snmpv3_createuser_conf - $!"; print $fh $createuser; close $fh; + + open(my $pass_file, '>', $password_file) || die "Couldn't open $password_file - $!"; + print $pass_file $passphrase; + close $pass_file; } sub snmp_write_snmpv3_user { diff --git a/scripts/system/vyatta_check_snmp_name.pl b/scripts/system/vyatta_check_snmp_name.pl new file mode 100755 index 00000000..599fe398 --- /dev/null +++ b/scripts/system/vyatta_check_snmp_name.pl @@ -0,0 +1,31 @@ +#!/usr/bin/perl + +# **** License **** +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# This code was originally developed by Vyatta, Inc. +# Portions created by Vyatta are Copyright (C) 2010 Vyatta, Inc. +# All Rights Reserved. +# +# **** End License **** + +use strict; +use warnings; + +foreach my $name (@ARGV) { + die "$name : illegal characters in name\n" + if (!($name =~ /^[a-zA-Z0-9]*$/)); + + # Usernames may only be up to 32 characters long. + die "$name: name may only be up to 32 characters long\n" + if (length($name) > 32); +} + +exit 0; diff --git a/templates/service/snmp/node.def b/templates/service/snmp/node.def index 8047121f..9fb161dc 100644 --- a/templates/service/snmp/node.def 
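Review bot: The new `open(my $pass_file, '>', $password_file)` creates `/config/snmp/superuser_pass` with the process's default umask, so the SNMPv3 passphrase written on the next line is readable by whatever that umask allows; restrict the mode before any data lands in the file, e.g. `my $old_umask = umask 0077;` immediately before the open and `umask $old_umask;` right after it (or `sysopen` with `O_CREAT|O_EXCL` and mode `0600` if Fcntl is imported). `close $pass_file;` on a write handle should also be checked, `close $pass_file or die "Couldn't write $password_file - $!";`, since buffered write errors only surface at close. Nothing in the hunk reads the file back, so a short comment naming its consumer would help.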
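Review bot: The allow-list in the new vyatta_check_snmp_name.pl, `/^[a-zA-Z0-9]*$/`, accepts the empty string (the `*`) and, because `$` matches before a trailing newline, a name that ends in `\n`; use `\A[a-zA-Z0-9]+\z` so exactly one or more alphanumerics is required. The two `die` messages format the name differently (`"$name : illegal characters in name\n"` versus `"$name: name may only be up to 32 characters long\n"`); pick one form so callers can parse them consistently.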
+++ b/templates/service/snmp/node.def @@ -3,6 +3,7 @@ help: Simple Network Management Protocol (SNMP) commit:expression: $VAR(community/) != "" || $VAR(community6/) != "" || $VAR(v3/) != "" \ ; "must configure a community or community6 or v3" +create: if [ ! -d "/config/snmp" ]; then sudo mkdir /config/snmp ; fi delete: touch /tmp/snmp.$PPID end:if [ -f "/tmp/snmp.$PPID" ] then @@ -10,6 +11,12 @@ end:if [ -f "/tmp/snmp.$PPID" ] rm /tmp/snmp.$PPID; sudo rm -f /etc/snmp/snmpd.conf; else + if [ -n "$VAR(v3/)" ]; then + sudo /opt/vyatta/sbin/vyatta-snmp-v3.pl --check-config; + if [ $? != 0 ]; then + exit 1; + fi + fi sudo /opt/vyatta/sbin/vyatta-snmp.pl --update-snmp; if [ -n "$VAR(v3/)" ] then diff --git a/templates/service/snmp/v3/group/node.def b/templates/service/snmp/v3/group/node.def index bcfe6795..13579174 100644 --- a/templates/service/snmp/v3/group/node.def +++ b/templates/service/snmp/v3/group/node.def @@ -1,5 +1,7 @@ tag: type: txt help: Specifies the group with name groupname +syntax:expression: pattern $VAR(@) "^[^\(\)\|\&-]+$" ; "illegal characters in name" +syntax:expression: exec "/opt/vyatta/sbin/vyatta_check_snmp_name.pl $VAR(@)" commit:expression: $VAR(view/) != "" ; "must specify view" commit:expression: $VAR(mode/) != "" ; "must specify mode" diff --git a/templates/service/snmp/v3/node.def b/templates/service/snmp/v3/node.def index 756a156f..f89d2328 100644 --- a/templates/service/snmp/v3/node.def +++ b/templates/service/snmp/v3/node.def @@ -1,7 +1,6 @@ help: Simple Network Management Protocol (SNMP) v3 -create: if [ ! -d "/config/snmp" ]; then sudo mkdir /config/snmp ; fi - if [ ! -d "/config/snmp/tls" ]; then +create: if [ ! -d "/config/snmp/tls" ]; then sudo mkdir /config/snmp/tls ; if [ -d "/etc/snmp/tls" ] ; then sudo mv /etc/snmp/tls/* /config/snmp/tls > /dev/null 2>&1; 
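Review bot: In templates/service/snmp/v3/group/node.def the second added line passes the node value into a shell command unquoted, `exec "/opt/vyatta/sbin/vyatta_check_snmp_name.pl $VAR(@)"`, and the pattern on the line before only excludes `()|&-`, so — assuming the expressions run in order — values containing whitespace or other shell metacharacters reach the shell before the Perl allow-list ever runs. Tighten the first gate to the same allow-list the script enforces, `syntax:expression: pattern $VAR(@) "^[a-zA-Z0-9]+$" ; "illegal characters in name"`, and quote the argument, `exec "/opt/vyatta/sbin/vyatta_check_snmp_name.pl '$VAR(@)'"`, so only values the script would accept anyway are handed to it. The same two lines are added to templates/service/snmp/v3/user/node.def and templates/service/snmp/v3/view/node.def in later hunks and need the same change.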
@@ -18,6 +17,7 @@ create: if [ ! -d "/config/snmp" ]; then sudo mkdir /config/snmp ; fi fi begin: if [ -d "/config/snmp/tls" ]; then + sudo chown -R snmp /config/snmp/tls; sudo chmod -R 600 /config/snmp/tls; fi diff --git a/templates/service/snmp/v3/trap-target/node.def b/templates/service/snmp/v3/trap-target/node.def index d6203e9b..6c2717a8 100644 --- a/templates/service/snmp/v3/trap-target/node.def +++ b/templates/service/snmp/v3/trap-target/node.def @@ -7,6 +7,8 @@ commit:expression: $VAR(auth/) != ""; "must specify auth" commit:expression: $VAR(protocol/) != ""; "must specify protocol" commit:expression: $VAR(user/) != ""; "must specify user" commit:expression: $VAR(port/) != ""; "must specify port" +commit:expression: $VAR(type/@) == "inform" || ( $VAR(type/@) == "trap" && $VAR(engineid/) != "" ); \ + "must specify engineid if type is 'trap'" val_help: ; IP address of trap target val_help: ; IPv6 address of trap target \ No newline at end of file diff --git a/templates/service/snmp/v3/trap-target/node.tag/engineid/node.def b/templates/service/snmp/v3/trap-target/node.tag/engineid/node.def new file mode 100644 index 00000000..7a621af6 --- /dev/null +++ b/templates/service/snmp/v3/trap-target/node.tag/engineid/node.def @@ -0,0 +1,3 @@ +type: txt +help: Defines the engineID. (needs for trap) +syntax:expression: pattern $VAR(@) "^([0-9a-f][0-9a-f]){1,16}$" ; "id must contain from 2 to 32 hex digits" \ No newline at end of file diff --git a/templates/service/snmp/v3/tsm/local-key/node.def b/templates/service/snmp/v3/tsm/local-key/node.def index d238d310..4bc3d07b 100644 --- a/templates/service/snmp/v3/tsm/local-key/node.def +++ b/templates/service/snmp/v3/tsm/local-key/node.def 
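Review bot: The added `sudo chown -R snmp /config/snmp/tls;` is immediately followed by the existing `sudo chmod -R 600 /config/snmp/tls;`, which also strips the search (x) bit from the directories, so the new owner cannot open anything below `/config/snmp/tls` even though it now owns it; presumably the chown is there so snmpd (if it runs as user `snmp`) can read the certificates, in which case the mode line defeats it. Use `sudo chmod -R u=rwX,go= /config/snmp/tls;` so directories end up 0700 and files 0600. The `begin:` block this sits in continues past the hunk.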
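Review bot: The new engineid pattern `^([0-9a-f][0-9a-f]){1,16}$` accepts lowercase hex only while its message promises "2 to 32 hex digits", so an uppercase value such as `0A` is rejected with a misleading reason; either widen the class to `[0-9a-fA-F]` or say "lowercase" in the message. The help text `Defines the engineID. (needs for trap)` would read better as `Defines the engineID (required when trap-target type is 'trap')`, which also matches the commit:expression this commit adds to trap-target/node.def.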
@@ -1,8 +1,12 @@ type: txt help: Defines the server certificate fingerprint or key-file name. -allowed: sudo ls /etc/snmp/tls/certs +allowed: if sudo [ -d /etc/snmp/tls/certs ]; then + sudo ls /etc/snmp/tls/certs 2> /dev/null + else + sudo ls /config/snmp/tls/certs 2> /dev/null + fi syntax:expression: pattern $VAR(@) "^[0-9A-F]{2}(:[0-9A-F]{2}){19}$" || - exec "if [ `sudo ls \"/etc/snmp/tls/certs/$VAR(@)\" 2> /dev/null` ]; \ + exec "if sudo [ -f /etc/snmp/tls/certs/$VAR(@) -o -f /config/snmp/tls/certs/$VAR(@) ]; \ then \ exit 0; \ else \ diff --git a/templates/service/snmp/v3/user/node.def b/templates/service/snmp/v3/user/node.def index e6a8bc87..32e0f61f 100644 --- a/templates/service/snmp/v3/user/node.def +++ b/templates/service/snmp/v3/user/node.def @@ -1,6 +1,7 @@ tag: type: txt help: Specifies the user with name username -syntax:expression: pattern $VAR(@) "^[^-]*$" ; "characters '-' in name is not supported yet" +syntax:expression: pattern $VAR(@) "^[^\(\)\|\&-]+$" ; "illegal characters in name" +syntax:expression: exec "/opt/vyatta/sbin/vyatta_check_snmp_name.pl $VAR(@)" commit:expression: $VAR(auth/) != "" || $VAR(tsm-key/) != ""; "must specify auth or tsm-key" -commit:expression: $VAR(mode/) != ""; "must specify mode" \ No newline at end of file +commit:expression: $VAR(mode/) != ""; "must specify mode" diff --git a/templates/service/snmp/v3/user/node.tag/tsm-key/node.def b/templates/service/snmp/v3/user/node.tag/tsm-key/node.def index e9f55a5f..b41be079 100644 --- a/templates/service/snmp/v3/user/node.tag/tsm-key/node.def +++ b/templates/service/snmp/v3/user/node.tag/tsm-key/node.def 
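Review bot: The rewritten check `exec "if sudo [ -f /etc/snmp/tls/certs/$VAR(@) -o -f /config/snmp/tls/certs/$VAR(@) ]; ...` drops the quotes the old backtick form had around the path, so a value containing whitespace splits into extra `test` arguments and the check errors out or passes for the wrong reason; quote each operand, `if sudo [ -f "/etc/snmp/tls/certs/$VAR(@)" ] || sudo [ -f "/config/snmp/tls/certs/$VAR(@)" ];`, which also avoids the obsolescent `-o` binary operator. The fingerprint alternative `^[0-9A-F]{2}(:[0-9A-F]{2}){19}$` short-circuits only exact matches, so every other value reaches the filesystem test unchanged; a cheap first gate such as `pattern $VAR(@) "^[^/]+$"` would keep the lookup to a bare file name. The identical `allowed:` and `syntax:expression` text is added to templates/service/snmp/v3/user/node.tag/tsm-key/node.def in the next hunk and needs the same treatment.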
@@ -1,8 +1,12 @@ type: txt help: Specifies finger print or file name of TSM certificate. -allowed: sudo ls /etc/snmp/tls/certs +allowed: if sudo [ -d /etc/snmp/tls/certs ]; then + sudo ls /etc/snmp/tls/certs 2> /dev/null + else + sudo ls /config/snmp/tls/certs 2> /dev/null + fi syntax:expression: pattern $VAR(@) "^[0-9A-F]{2}(:[0-9A-F]{2}){19}$" || - exec "if [ `sudo ls \"/etc/snmp/tls/certs/$VAR(@)\" 2> /dev/null` ]; \ + exec "if sudo [ -f /etc/snmp/tls/certs/$VAR(@) -o -f /config/snmp/tls/certs/$VAR(@) ]; \ then \ exit 0; \ else \ diff --git a/templates/service/snmp/v3/view/node.def b/templates/service/snmp/v3/view/node.def index a83c978b..1fa589ae 100644 --- a/templates/service/snmp/v3/view/node.def +++ b/templates/service/snmp/v3/view/node.def @@ -1,5 +1,6 @@ tag: type: txt help: Specifies the view with name viewname - -commit:expression: $VAR(oid/) != ""; "must configure an oid" \ No newline at end of file +syntax:expression: pattern $VAR(@) "^[^\(\)\|\&-]+$" ; "illegal characters in name" +syntax:expression: exec "/opt/vyatta/sbin/vyatta_check_snmp_name.pl $VAR(@)" +commit:expression: $VAR(oid/) != ""; "must configure an oid" diff --git a/templates/service/snmp/v3/view/node.tag/oid/node.def b/templates/service/snmp/v3/view/node.tag/oid/node.def index beed3274..ca2a5c5d 100644 --- a/templates/service/snmp/v3/view/node.tag/oid/node.def +++ b/templates/service/snmp/v3/view/node.tag/oid/node.def @@ -1,4 +1,4 @@ tag: type: txt help: Specifies the oid -syntax:expression: pattern $VAR(@) "^[0-9]+(\.[0-9]+)*$" ; "oid must start from a number" +syntax:expression: pattern $VAR(@) "^[0-9]+(\\.[0-9]+)*$" ; "oid must start from a number" -- cgit v1.2.3 From d51d7a787a962ead30478d3fe23a356634ca3577 Mon Sep 17 00:00:00 2001 From: James Davidson Date: Wed, 20 Mar 2013 09:05:00 -0700 Subject: SNMP: Add multicast smux peers --- scripts/snmp/vyatta-snmp.pl | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'scripts') 
diff --git a/scripts/snmp/vyatta-snmp.pl b/scripts/snmp/vyatta-snmp.pl index 073e7c5a..09ed84b8 100755 --- a/scripts/snmp/vyatta-snmp.pl +++ b/scripts/snmp/vyatta-snmp.pl @@ -163,6 +163,10 @@ sub snmp_get_constants { print "smuxpeer .1.3.6.1.4.1.3317.1.2.2\n"; # ospfd print "smuxpeer .1.3.6.1.4.1.3317.1.2.5\n"; # bgpd print "smuxpeer .1.3.6.1.4.1.3317.1.2.3\n"; # ripd + print "smuxpeer .1.3.6.1.4.1.3317.1.2.9\n"; # mribd + print "smuxpeer .1.3.6.1.2.1.83\n"; # mribd + print "smuxpeer .1.3.6.1.4.1.3317.1.2.8\n"; # pimd + print "smuxpeer .1.3.6.1.2.1.157\n"; # pimd print "smuxsocket localhost\n"; } -- cgit v1.2.3 From 1f90d46cbc889d45dbfd5e499ad24a399b059d3b Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Mon, 1 Apr 2013 13:04:47 -0700 Subject: snmpv3: enable strict warnings and fix perlcritic The SNMPv3 code did not enable strict type checking and had other poor style found by perlcritic. (cherry picked from commit 4dce31b15ce038527cbd03a21b23ad094d71750c) --- scripts/snmp/vyatta-snmp-v3.pl | 64 ++++++++++++++++++++++++++++-------------- 1 file changed, 43 insertions(+), 21 deletions(-) (limited to 'scripts') diff --git a/scripts/snmp/vyatta-snmp-v3.pl b/scripts/snmp/vyatta-snmp-v3.pl index 20e50e63..2bf9b582 100755 --- a/scripts/snmp/vyatta-snmp-v3.pl +++ b/scripts/snmp/vyatta-snmp-v3.pl 
@@ -1,4 +1,23 @@ #!/usr/bin/perl +# +# **** License **** +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# This code was originally developed by Vyatta, Inc. +# Portions created by Vyatta are Copyright (C) 2013 Vyatta, Inc. +# All Rights Reserved. +# +# **** End License **** + +use strict; +use warnings; use lib "/opt/vyatta/share/perl5/"; use Vyatta::Config; @@ -18,9 +37,10 @@ my $snmpd_var_conf_tmp = "/tmp/snmpd.var.conf.$$"; my $versionfile = '/opt/vyatta/etc/version'; my $local_agent = 'unix:/var/run/snmpd.socket'; my $vyatta_config_file = '/config/snmp/snmp_conf.ini'; -%VConfig = (); -%OIDs = ( +my %VConfig = (); + +my %OIDs = ( "md5", ".1.3.6.1.6.3.10.1.1.2", "sha", ".1.3.6.1.6.3.10.1.1.3", "aes", ".1.3.6.1.6.3.10.1.2.4", "des", ".1.3.6.1.6.3.10.1.2.2", "none", ".1.3.6.1.6.3.10.1.2.1" @@ -33,8 +53,9 @@ sub randhex { } sub parse_config_file { - open( CONFIG, "$vyatta_config_file" ) or return; - while () { + open( my $cfg, '<', $vyatta_config_file ) + or die "Can't open: $vyatta_config_file: $!"; + while (<$cfg>) { chomp; # no newline s/#.*//; # no comments s/^\s+//; # no leading white @@ -43,7 +64,7 @@ sub parse_config_file { my ( $var, $value ) = split( /\s*=\s*/, $_, 2 ); $VConfig{$var} = $value; } - close(CONFIG); + close($cfg); } sub write_config_file { 
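Review bot: Replacing `or return;` with `or die "Can't open: $vyatta_config_file: $!";` in parse_config_file turns a missing `/config/snmp/snmp_conf.ini` from a silent no-op into a fatal commit, and nothing in the hunk shows the file exists before the first SNMPv3 commit (it is produced by write_config_file, which this same script owns), so a first-time configuration would presumably abort here. If the goal is only to stop masking real errors, keep the absence case explicit: `return unless -e $vyatta_config_file;` before the open, leaving the `die` to cover permission and other failures. A short comment naming the `key = value` line format being parsed would also help, since the `split( /\s*=\s*/, $_, 2 )` below is the only hint.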
@@ -151,21 +172,21 @@ sub set_tsm { sub snmp_delete { snmpd_stop(); - @files = ( $snmpd_conf, $snmpd_usr_conf, $snmpd_var_conf ); - foreach $file (@files) { + my @files = ( $snmpd_conf, $snmpd_usr_conf, $snmpd_var_conf ); + foreach my $file (@files) { if ( -e $file ) { unlink($file); } } } -sub get_snmp_config() { +sub get_snmp_config { my $config = new Vyatta::Config; $config->setLevel($snmp_v3_level); return $config; } -sub set_views() { +sub set_views { print "# views \n"; my $config = get_snmp_config(); foreach my $view ( $config->listNodes("view") ) { @@ -182,7 +203,7 @@ sub set_views() { print "\n"; } -sub set_groups() { +sub set_groups { print "#access\n# context sec.model sec.level match read write notif\n"; my $config = get_snmp_config(); @@ -201,7 +222,7 @@ sub set_groups() { print "\n"; } -sub set_users_in_etc() { +sub set_users_in_etc { print "#group\n"; my $tsm_counter = 0; @@ -223,7 +244,7 @@ sub set_users_in_etc() { print "\n"; } -sub set_users_to_other() { +sub set_users_to_other { open( my $usr_conf, '>>', $snmpd_usr_conf_tmp ) or die "Couldn't open $snmpd_usr_conf_tmp - $!"; open( my $var_conf, '>>', $snmpd_var_conf_tmp ) @@ -260,7 +281,8 @@ sub set_users_to_other() { my $EngineID = $VConfig{"User.$user.EngineID"}; my $auth_type_oid = $OIDs{$auth_type}; my $auth_key_hex = $config->returnValue("auth encrypted-key"); - local ( $priv_type_oid, $priv_key_hex ); + + my ( $priv_type_oid, $priv_key_hex ); if ( $config->exists("privacy") ) { $priv_type_oid = $OIDs{$priv_type}; $priv_key_hex = @@ -286,7 +308,7 @@ sub set_users_to_other() { } foreach my $user ( keys %trap_users ) { - $name_print = get_printable_name($user); + my $name_print = get_printable_name($user); print $var_conf "usmUser 1 3 0x" . randhex(26) . " $name_print $name_print NULL .1.3.6.1.6.3.10.1.1.2 0x" 
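Review bot: The `@@ -151` hunk drops the empty prototype from `sub get_snmp_config`, but the body it keeps still uses indirect object syntax, `my $config = new Vyatta::Config;`, which perlcritic also reports and which this commit's description says it is cleaning up; change it to `my $config = Vyatta::Config->new;`. In the same hunk snmp_delete now iterates with `foreach my $file (@files)` but `unlink($file)` remains unchecked; `unlink($file) or warn "Couldn't remove $file - $!";` would at least report a config file that could not be removed.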
@@ -319,7 +341,7 @@ sub get_printable_name { } } -sub update_users_vyatta_conf() { +sub update_users_vyatta_conf { %VConfig = (); open( my $var_conf, '<', $snmpd_var_conf ) or die "Couldn't open $snmpd_usr_conf - $!"; @@ -365,7 +387,7 @@ sub update_users_vyatta_conf() { close $var_conf; } -sub set_hosts() { +sub set_hosts { print "#trap-target\n"; my $config = get_snmp_config(); foreach my $target ( $config->listNodes("trap-target") ) { @@ -419,7 +441,7 @@ sub set_hosts() { print "\n"; } -sub check_user_auth_changes() { +sub check_user_auth_changes { my $config = get_snmp_config(); if ( $config->isChanged("user") ) { my $haveError = 0; @@ -474,7 +496,7 @@ sub check_user_auth_changes() { } } -sub check_relation() { +sub check_relation { my $config = get_snmp_config(); my $haveError = 0; foreach my $user ( $config->listNodes("user") ) { @@ -505,7 +527,7 @@ sub check_tsm_port { if ( $config->isChanged("tsm port") ) { my $port = $config->returnValue("tsm port"); my $reg = ":$port\$"; - $output = `netstat -anltup | awk '{print \$4}'`; + my $output = `netstat -anltup | awk '{print \$4}'`; foreach my $line ( split( /\n/, $output ) ) { if ( $line =~ /$reg/ ) { print @@ -516,7 +538,7 @@ sub check_tsm_port { } } -sub copy_conf_to_tmp() { +sub copy_conf_to_tmp { # these files already contain SNMPv2 configuration copy( $snmpd_conf, $snmpd_conf_tmp ) @@ -566,7 +588,7 @@ sub snmp_update { } -sub snmp_check() { +sub snmp_check { check_user_auth_changes(); check_relation(); check_tsm_port(); -- cgit v1.2.3 From 3786debc7c62597ee0b39cdcb3a08b4d304cc2d4 Mon Sep 17 00:00:00 2001 
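Review bot: In the `@@ -319` hunk the open that follows the changed signature, `open( my $var_conf, '<', $snmpd_var_conf ) or die "Couldn't open $snmpd_usr_conf - $!";`, reports the wrong path on failure — it opens `$snmpd_var_conf` but names `$snmpd_usr_conf` — which sends whoever debugs a failed commit to the wrong file; change it to `or die "Couldn't open $snmpd_var_conf - $!";`. The body of update_users_vyatta_conf continues past the hunk.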
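Review bot: In the `@@ -505` hunk `$port` is interpolated into the match `$line =~ /$reg/` through `my $reg = ":$port\$";` without escaping, so any non-digit in the configured `tsm port` value becomes regex syntax; it presumably arrives numeric from the config validator, but `my $reg = qr/:\Q$port\E$/;` costs nothing and removes the assumption. The message `"Actually port $port is using. It can not be used for tsm.\n"` would read more clearly as `"Port $port is already in use and cannot be used for tsm.\n"`. The surrounding `if` and the `netstat` backtick command are context lines; the hunk only adds the `my` declaration.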
From: Stephen Hemminger Date: Thu, 28 Mar 2013 16:47:01 -0700 Subject: fix device naming on boot Bug 8804 Previous change was passing a logfile to biosdevname, but parent directory was not necessarily created at that point! Log file is useless anyway, just redirect to dev null. (cherry picked from commit dcabba83be38ee6f79ab5a347f0cb3cce5a9eca8) --- scripts/vyatta_net_name | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'scripts') diff --git a/scripts/vyatta_net_name b/scripts/vyatta_net_name index 3df23adf..90dd8615 100755 --- a/scripts/vyatta_net_name +++ b/scripts/vyatta_net_name @@ -93,7 +93,7 @@ sub biosdevname { # may generate incorrect name. sleep 1; - my $biosname = `/sbin/biosdevname --policy all_ethN -i $ifname 2>>$UDEVLOG/biosdevname`; + my $biosname = `/sbin/biosdevname --policy all_ethN -i $ifname 2>/dev/null`; chomp $biosname; # if biosdevname has no answer it outputs a nothing -- cgit v1.2.3 From aec7e4cefd206fa9397456917ec5e83e86089343 Mon Sep 17 00:00:00 2001 From: James Davidson Date: Mon, 15 Apr 2013 13:23:46 -0700 Subject: Replace original config file handling behaviour Bug 8864: Commit 1f90d46cbc889d45dbfd5e499ad24a399b059d3b changed the behaviour of when a config file was not present. This change replaces the original behaviour. --- scripts/snmp/vyatta-snmp-v3.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'scripts') diff --git a/scripts/snmp/vyatta-snmp-v3.pl b/scripts/snmp/vyatta-snmp-v3.pl index 2bf9b582..5391a85f 100755 --- a/scripts/snmp/vyatta-snmp-v3.pl +++ b/scripts/snmp/vyatta-snmp-v3.pl @@ -54,7 +54,7 @@ sub randhex { sub parse_config_file { open( my $cfg, '<', $vyatta_config_file ) - or die "Can't open: $vyatta_config_file: $!"; + or return; while (<$cfg>) { chomp; # no newline s/#.*//; # no comments -- cgit v1.2.3
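Review bot: The changed line still runs biosdevname through a shell because of the backticks, `/sbin/biosdevname --policy all_ethN -i $ifname 2>/dev/null`, with `$ifname` interpolated unquoted; the interface name is presumably passed in from udev (its source is outside this hunk), which is normally safe, but the stderr redirect is the only thing that forces a shell here. If a shell-free form is wanted, `open my $bios, '-|', '/sbin/biosdevname', '--policy', 'all_ethN', '-i', $ifname` (list form) with stderr handled separately would do it; otherwise a comment stating that `$ifname` has already been validated as a kernel interface name would document the assumption. The enclosing `sub biosdevname` starts outside the hunk.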
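Review bot: Restoring `or return;` in parse_config_file makes every open failure silent again, not just the missing-file case Bug 8864 is about, so an unreadable or mis-owned `/config/snmp/snmp_conf.ini` is now treated the same as an empty configuration. Distinguish the two cases: `return unless -e $vyatta_config_file;` before the `open`, keeping `or die "Can't open: $vyatta_config_file: $!";` for everything else. A one-line comment such as `# absent until the first commit; written later by write_config_file` would record why the early return is deliberate and stop it being "fixed" a third time.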