authorChristian Poessinger <christian@poessinger.com>2019-01-30 06:09:04 +0100
committerChristian Poessinger <christian@poessinger.com>2019-01-30 06:13:36 +0100
commitcc07c4727bdffb4c220ce28ab9f697b01fe4afb7 (patch)
tree3b00fa5aae4ec805d9b8b3fd667afed3920c0327 /src/conf_mode
parent6d172d767360a675462da6a0bac100a24c544892 (diff)
downloadvyos-1x-cc07c4727bdffb4c220ce28ab9f697b01fe4afb7.tar.gz
vyos-1x-cc07c4727bdffb4c220ce28ab9f697b01fe4afb7.zip
T1160: fix (ro|rw)community ACL
When building up the SNMP v2 community ro/rw access, all hosts from an INET family could access the community even when it was locked to one INET family. Example #1: set service snmp community bar network 172.16.0.0/12 Allowed access only to IPv4 network 172.16.0.0/12 but it allowed access from IPv6 ::/0. Example #2: set service snmp community baz network 2001:db8::/64 Limited IPv6 access to 2001:db8::/64 but IPv4 was open to 0.0.0.0/0
Diffstat (limited to 'src/conf_mode')
-rwxr-xr-xsrc/conf_mode/snmp.py13
1 files changed, 10 insertions, 3 deletions
diff --git a/src/conf_mode/snmp.py b/src/conf_mode/snmp.py
index d21a2b603..06d2e253a 100755
--- a/src/conf_mode/snmp.py
+++ b/src/conf_mode/snmp.py
@@ -134,20 +134,23 @@ agentaddress unix:/run/snmpd.socket{% if listen_on %}{% for li in listen_on %},{
# SNMP communities
{%- for c in communities %}
+
{%- if c.network_v4 %}
{%- for network in c.network_v4 %}
{{ c.authorization }}community {{ c.name }} {{ network }}
{%- endfor %}
-{%- else %}
+{%- elif not c.has_source %}
{{ c.authorization }}community {{ c.name }}
{%- endif %}
+
{%- if c.network_v6 %}
{%- for network in c.network_v6 %}
{{ c.authorization }}community6 {{ c.name }} {{ network }}
{%- endfor %}
-{%- else %}
+{%- elif not c.has_source %}
{{ c.authorization }}community6 {{ c.name }}
{%- endif %}
+
{%- endfor %}
{% if contact %}
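Review bot: The two `elif not c.has_source` branches carry the whole ACL fix, yet nothing in the template says why an unrestricted `community`/`community6` line is emitted only when neither family has a network; a later edit restoring the old `else` would silently reopen the other address family again. Suggest a Jinja comment before the first `{%- if c.network_v4 %}`: `{#- an unrestricted line is only emitted when no source network is configured for either family; a network on one family must not leave the other family open to any host -#}`. The template string this hunk edits begins before the hunk.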
@@ -266,7 +269,8 @@ def get_config():
'name': name,
'authorization': 'ro',
'network_v4': [],
- 'network_v6': []
+ 'network_v6': [],
+ 'has_source' : False
}
if conf.exists('community {0} authorization'.format(name)):
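Review bot: The new dict entry `'has_source' : False` puts a space before the colon, unlike the sibling keys on the lines above it; write it as `'has_source': False,` (trailing comma included so the next addition does not have to touch this line again). get_config() starts outside the hunk.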
@@ -288,6 +292,9 @@ def get_config():
else:
community['network_v6'].append(addr)
+ if (len(community['network_v4']) > 0) or (len(community['network_v6']) > 0):
+ community['has_source'] = True
+
snmp['communities'].append(community)
if conf.exists('contact'):
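Review bot: The added condition `if (len(community['network_v4']) > 0) or (len(community['network_v6']) > 0):` spells out list emptiness by hand where Python truthiness is the idiom; `if community['network_v4'] or community['network_v6']:` reads the same and avoids the redundant parentheses. Since `has_source` is fully derived from those two lists, a one-line comment such as `# any configured source network locks the community to the listed networks only` above the check would tell the next maintainer why the flag exists rather than being a third, independently maintained piece of state. get_config() starts outside the hunk, so the loop that fills the two lists is not visible here.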