433 files changed, 68808 insertions, 4009 deletions
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
index 04ca4070d..61ee1d9ff 100644
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -1,5 +1,5 @@
 <!-- All PR should follow this template to allow a clean and transparent review -->
-<!-- Text placed between these delimiters is considered a commend and is not rendered -->
+<!-- Text placed between these delimiters is considered a comment and is not rendered -->
 ## Change Summary
 <!--- Provide a general summary of your changes in the Title above -->
diff --git a/.github/reviewers.yml b/.github/reviewers.yml
new file mode 100644
index 000000000..9ef3ec961
--- /dev/null
+++ b/.github/reviewers.yml
@@ -0,0 +1,34 @@
+---
+python/**:
+ - c-po
+ - dmbaturin
+ - jestabro
+
+interface-definitions/**:
+ - c-po
+ - DmitriyEshenko
+ - dmbaturin
+ - jestabro
+ - sever-sever
+ - zdc
+
+op-mode-definitions/**:
+ - c-po
+ - DmitriyEshenko
+ - dmbaturin
+ - jestabro
+ - sever-sever
+ - zdc
+
+src/**:
+ - c-po
+ - DmitriyEshenko
+ - dmbaturin
+ - jestabro
+ - sever-sever
+ - zdc
+
+.github/**:
+ - c-po
+ - dmbaturin
+ - UnicronNL
diff --git a/.github/workflows/auto-author-assign.yml b/.github/workflows/auto-author-assign.yml
new file mode 100644
index 000000000..81134206b
--- /dev/null
+++ b/.github/workflows/auto-author-assign.yml
@@ -0,0 +1,27 @@
+name: "PR Triage"
+on:
+ pull_request_target:
+ types: [opened, reopened, ready_for_review, locked]
+
+permissions:
+ pull-requests: write
+
+jobs:
+ # https://github.com/marketplace/actions/auto-author-assign
+ assign-author:
+ runs-on: ubuntu-latest
+ steps:
+ - name: "Assign Author to PR"
+ uses: toshimaru/auto-author-assign@v1.3.5
+ with:
+ repo-token: ${{ secrets.GITHUB_TOKEN }}
+
+ # https://github.com/shufo/auto-assign-reviewer-by-files
+ assign_reviewer:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Request review based on files changes and/or groups the author belongs to
+ uses: shufo/auto-assign-reviewer-by-files@v1.1.1
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ config: .github/reviewers.yml
diff --git a/.github/workflows/pr-conflicts.yml b/.github/workflows/pr-conflicts.yml
new file mode 100644
index 000000000..72ff3969b
--- /dev/null
+++ b/.github/workflows/pr-conflicts.yml
@@ -0,0 +1,18 @@
+name: "PR Conflicts checker"
+on:
+ pull_request_target:
+ types: [synchronize]
+
+jobs:
+ Conflict_Check:
+ name: 'Check PR status: conflicts and resolution'
+ runs-on: ubuntu-18.04
+ steps:
+ - name: check if PRs are dirty
+ uses: eps1lon/actions-label-merge-conflict@releases/2.x
+ with:
+ dirtyLabel: "state: conflict"
+ removeOnDirtyLabel: "state: conflict resolved"
+ repoToken: "${{ secrets.GITHUB_TOKEN }}"
+ commentOnDirty: "This pull request has conflicts, please resolve those before we can evaluate the pull request."
+ commentOnClean: "Conflicts have been resolved. A maintainer will review the pull request shortly."
diff --git a/.gitignore b/.gitignore
index e86ef4036..a31d037f2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -120,6 +120,7 @@ debian/vyos-1x-vmware
 debian/vyos-1x-smoketest
 debian/*.postinst.debhelper
 debian/*.prerm.debhelper
+debian/*.postrm.debhelper
 debian/*.substvars
 # Sonar Cloud
@@ -4,7 +4,6 @@ BUILD_DIR := build
 DATA_DIR := data
 SHIM_DIR := src/shim
 XDP_DIR := src/xdp
-CC := gcc
 LIBS := -lzmq
 CFLAGS := 
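Review bot: Both new workflows trigger on `pull_request_target`, which runs with the base repository's write-capable token, yet the three third-party actions (`toshimaru/auto-author-assign@v1.3.5`, `shufo/auto-assign-reviewer-by-files@v1.1.1`, and `eps1lon/actions-label-merge-conflict@releases/2.x` in pr-conflicts.yml) are pinned to a mutable tag or branch rather than a commit, so a repointed tag would execute unreviewed code with that token. Pin each `uses:` to a full commit SHA and keep the version as a comment, e.g. `uses: toshimaru/auto-author-assign@<commit-sha> # v1.3.5`. pr-conflicts.yml also has no `permissions:` block, so its token receives the repository default scope instead of the minimal `pull-requests: write` that auto-author-assign.yml requests; add the same block there.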
@@ -15,18 +14,8 @@ op_xml_obj = $(op_xml_src:.xml.in=.xml)
 %.xml: %.xml.in
 @echo Generating $(BUILD_DIR)/$@ from $<
- # -ansi This turns off certain features of GCC that are incompatible
- # with ISO C90. Without this regexes containing '/' as in an URL
- # won't work
- # -x c By default GCC guesses the input language from its file extension,
- # thus XML is unknown. Force it to C language
- # -E Stop after the preprocessing stage
- # -undef Do not predefine any system-specific or GCC-specific macros.
- # -nostdinc Do not search the standard system directories for header files
- # -P Inhibit generation of linemarkers in the output from the
- # preprocessor
 mkdir -p $(BUILD_DIR)/$(dir $@)
- @$(CC) -x c-header -E -undef -nostdinc -P -I$(CURDIR)/$(dir $<) -o $(BUILD_DIR)/$@ -c $<
+ $(CURDIR)/scripts/transclude-template $< > $(BUILD_DIR)/$@
 .PHONY: interface_definitions
 .ONESHELL:
@@ -38,12 +27,11 @@ interface_definitions: $(config_xml_obj)
 find $(BUILD_DIR)/interface-definitions -type f -name "*.xml" | xargs -I {} $(CURDIR)/scripts/build-command-templates {} $(CURDIR)/schema/interface_definition.rng $(TMPL_DIR) || exit 1
 # XXX: delete top level node.def's that now live in other packages
- rm -f $(TMPL_DIR)/firewall/node.def
- rm -f $(TMPL_DIR)/system/node.def
- rm -f $(TMPL_DIR)/vpn/node.def
- rm -f $(TMPL_DIR)/vpn/ipsec/node.def
- rm -rf $(TMPL_DIR)/vpn/nipsec
-
+ # IPSec VPN EAP-RADIUS does not support source-address
+ rm -rf $(TMPL_DIR)/vpn/ipsec/remote-access/radius/source-address
+ # T3568: firewall is yet not migrated to XML and Python - this is only a dummy
+ rm -rf $(TMPL_DIR)/firewall/node.def
+ rm -rf $(TMPL_DIR)/nfirewall
 # XXX: test if there are empty node.def files - this is not allowed as these
 # could mask help strings or mandatory priority statements
 find $(TMPL_DIR) -name node.def -type f -empty -exec false {} + || sh -c 'echo "There are empty node.def files! Check your interface definitions." && exit 1'
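Review bot: The new `%.xml` recipe redirects `transclude-template` straight into `$(BUILD_DIR)/$@`, so when the script fails the shell has already created a truncated or empty output whose mtime is newer than the `.xml.in` source, and the next `make` run treats the broken file as up to date. Write to a temporary name and rename only on success, `$(CURDIR)/scripts/transclude-template $< > $(BUILD_DIR)/$@.tmp && mv -f $(BUILD_DIR)/$@.tmp $(BUILD_DIR)/$@`, or add `.DELETE_ON_ERROR:` near the top of the Makefile (not visible in this hunk). The rule also keeps producing `$(BUILD_DIR)/$@` instead of `$@`, so Make never stats the file the recipe actually writes; that predates this change but is worth fixing while the rule is being rewritten.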
@@ -62,12 +50,10 @@ op_mode_definitions: $(op_xml_obj)
 rm -f $(OP_TMPL_DIR)/delete/node.def
 rm -f $(OP_TMPL_DIR)/generate/node.def
 rm -f $(OP_TMPL_DIR)/monitor/node.def
- rm -f $(OP_TMPL_DIR)/reset/vpn/node.def
 rm -f $(OP_TMPL_DIR)/set/node.def
 rm -f $(OP_TMPL_DIR)/show/interfaces/node.def
 rm -f $(OP_TMPL_DIR)/show/node.def
 rm -f $(OP_TMPL_DIR)/show/system/node.def
- rm -f $(OP_TMPL_DIR)/show/vpn/node.def
 # XXX: ping must be able to recursivly call itself as the
 # options are provided from the script itself
@@ -103,7 +89,7 @@ clean:
 .PHONY: test
 test:
- set -e; python3 -m compileall -q .
+ set -e; python3 -m compileall -q -x '/vmware-tools/scripts/' .
 PYTHONPATH=python/ python3 -m "nose" --with-xunit src --with-coverage --cover-erase --cover-xml --cover-package src/conf_mode,src/op_mode,src/completion,src/helpers,src/validators,src/tests --verbose
 .PHONY: sonar
diff --git a/data/configd-include.json b/data/configd-include.json
index f241d0cb6..3b4e2925b 100644
--- a/data/configd-include.json
+++ b/data/configd-include.json
@@ -1,5 +1,7 @@
 [
 "bcast_relay.py",
+"conntrack.py",
+"conntrack_sync.py",
 "dhcp_relay.py",
 "dhcpv6_relay.py",
 "dns_forwarding.py",
@@ -24,12 +26,12 @@
 "interfaces-vxlan.py",
 "interfaces-wireguard.py",
 "interfaces-wireless.py",
-"interfaces-wirelessmodem.py",
-"ipsec-settings.py",
+"interfaces-wwan.py",
 "lldp.py",
 "nat.py",
 "nat66.py",
 "ntp.py",
+"pki.py",
 "policy.py",
 "policy-local-route.py",
 "protocols_bfd.py",
@@ -37,6 +39,7 @@
 "protocols_igmp.py",
 "protocols_isis.py",
 "protocols_mpls.py",
+"protocols_nhrp.py",
 "protocols_ospf.py",
 "protocols_ospfv3.py",
 "protocols_pim.py",
@@ -66,6 +69,5 @@
 "vpn_pptp.py",
 "vpn_sstp.py",
 "vrf.py",
-"vrrp.py",
-"vyos_cert.py"
+"vrrp.py"
 ]
diff --git a/data/templates/accel-ppp/pppoe.config.tmpl b/data/templates/accel-ppp/pppoe.config.tmpl
index f444af85c..238e7ee15 100644
--- a/data/templates/accel-ppp/pppoe.config.tmpl
+++ b/data/templates/accel-ppp/pppoe.config.tmpl
@@ -17,6 +17,10 @@ net-snmp {% if limits is defined %} connlimit {% endif %} +{% if extended_scripts is defined %} +sigchld +pppd_compat +{% endif %} [core] thread-count={{ thread_count }} @@ -91,6 +95,9 @@ ipv6-accept-peer-intf-id={{ "1" if ppp_options.ipv6_accept_peer_intf_id is defin {% endif %} {# MTU #} mtu={{ mtu }} +{% if ppp_options.interface_cache is defined and ppp_options.interface_cache is not none %} +unit-cache={{ ppp_options.interface_cache }} +{% endif %} [pppoe] verbose=1 @@ -133,6 +140,9 @@ service-name={{ service_name | join(',') }} {% endfor %} pado-delay={{ pado_delay_param.value }} {% endif %} +{% if authentication.radius.called_sid_format is defined and authentication.radius.called_sid_format is not none %} +called-sid={{ authentication.radius.called_sid_format }} +{% endif %} {% if limits is defined %} [connlimit] @@ -146,12 +156,19 @@ burst={{ limits.burst }} timeout={{ limits.timeout }} {% endif %} {% endif %} -{% if authentication.radius.called_sid_format is defined and authentication.radius.called_sid_format is not none %} -called-sid={{ authentication.radius.called_sid_format }} -{% endif %} {# Common RADIUS shaper configuration #} {% include 'accel-ppp/config_shaper_radius.j2' %} +{% if extended_scripts is defined %} +[pppd-compat] +verbose=1 +radattr-prefix=/run/accel-pppd/radattr +{% set script_name = {'on_up': 'ip-up', 'on_down': 'ip-down', 'on_change':'ip-change', 'on_pre_up':'ip-pre-up'} %} +{% for script in extended_scripts %} +{{ script_name[script] }}={{ extended_scripts[script] }} +{% endfor %} +{% endif %} + [cli] tcp=127.0.0.1:2001 diff --git a/data/templates/accel-ppp/sstp.config.tmpl b/data/templates/accel-ppp/sstp.config.tmpl index 7ca7b1c1e..fad91d118 100644 --- a/data/templates/accel-ppp/sstp.config.tmpl +++ b/data/templates/accel-ppp/sstp.config.tmpl 
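Review bot: In the new `[pppd-compat]` section, `{{ script_name[script] }}` is looked up with whatever keys `extended_scripts` carries, and any key outside the four in the mapping (`on_up`, `on_down`, `on_change`, `on_pre_up`) renders as an empty string under Jinja's default Undefined, yielding a bare `=/path` line that accel-ppp will reject or misread. Guard the loop body with `{% if script in script_name %}` or otherwise let the lookup fail loudly; whether the XML definition already restricts the key set is not visible here. Since the listed paths are executed by accel-pppd on session events, the conf_mode script that feeds this template (not in this hunk) is the right place to validate them.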
@@ -29,9 +29,9 @@ disable
 verbose=1
 ifname=sstp%d
 accept=ssl
-ssl-ca-file={{ ssl.ca_cert_file }}
-ssl-pemfile={{ ssl.cert_file }}
-ssl-keyfile={{ ssl.key_file }}
+ssl-ca-file=/run/accel-pppd/sstp-ca.pem
+ssl-pemfile=/run/accel-pppd/sstp-cert.pem
+ssl-keyfile=/run/accel-pppd/sstp-cert.key
 {# Common IP pool definitions #}
 {% include 'accel-ppp/config_ip_pool.j2' %}
diff --git a/data/templates/conntrack/sysctl.conf.tmpl b/data/templates/conntrack/sysctl.conf.tmpl
new file mode 100644
index 000000000..9e97c3286
--- /dev/null
+++ b/data/templates/conntrack/sysctl.conf.tmpl
@@ -0,0 +1,26 @@
+# Autogenerated by conntrack.py
+{# all values have defaults - thus no checking required #}
+
+net.netfilter.nf_conntrack_expect_max = {{ expect_table_size }}
+net.netfilter.nf_conntrack_max = {{ table_size }}
+
+net.ipv4.tcp_max_syn_backlog = {{ tcp.half_open_connections }}
+
+net.netfilter.nf_conntrack_tcp_loose = {{ '1' if tcp.loose == 'enable' else '0' }}
+net.netfilter.nf_conntrack_tcp_max_retrans = {{ tcp.max_retrans }}
+
+net.netfilter.nf_conntrack_icmp_timeout = {{ timeout.icmp }}
+net.netfilter.nf_conntrack_generic_timeout = {{ timeout.other }}
+
+net.netfilter.nf_conntrack_tcp_timeout_close_wait = {{ timeout.tcp.close_wait }}
+net.netfilter.nf_conntrack_tcp_timeout_close = {{ timeout.tcp.close }}
+net.netfilter.nf_conntrack_tcp_timeout_established = {{ timeout.tcp.established }}
+net.netfilter.nf_conntrack_tcp_timeout_fin_wait = {{ timeout.tcp.fin_wait }}
+net.netfilter.nf_conntrack_tcp_timeout_last_ack = {{ timeout.tcp.last_ack }}
+net.netfilter.nf_conntrack_tcp_timeout_syn_recv = {{ timeout.tcp.syn_recv }}
+net.netfilter.nf_conntrack_tcp_timeout_syn_sent = {{ timeout.tcp.syn_sent }}
+net.netfilter.nf_conntrack_tcp_timeout_time_wait = {{ timeout.tcp.time_wait }}
+
+net.netfilter.nf_conntrack_udp_timeout = {{ timeout.udp.other }}
+net.netfilter.nf_conntrack_udp_timeout_stream = {{ timeout.udp.stream }}
+
diff --git a/data/templates/conntrack/vyos_nf_conntrack.conf.tmpl b/data/templates/conntrack/vyos_nf_conntrack.conf.tmpl
new file mode 100644
index 000000000..111459485
--- /dev/null
+++ b/data/templates/conntrack/vyos_nf_conntrack.conf.tmpl
@@ -0,0 +1,3 @@
+# Autogenerated by conntrack.py
+options nf_conntrack hashsize={{ hash_size }} nf_conntrack_helper=1
+
diff --git a/data/templates/conntrackd/conntrackd.conf.tmpl b/data/templates/conntrackd/conntrackd.conf.tmpl
index 17ee529bf..45b7bff09 100644
--- a/data/templates/conntrackd/conntrackd.conf.tmpl
+++ b/data/templates/conntrackd/conntrackd.conf.tmpl
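Review bot: `nf_conntrack_helper=1` re-enables automatic conntrack helper assignment for every flow, which the kernel turned off by default in 4.7 (and removed in later releases) because a helper such as FTP or SIP can then be attached to unrelated traffic on a matching port and open "related" connections through the firewall. If helpers are required, the safer pattern is to leave this module option at its default and bind helpers explicitly with `ct helper set` rules for the specific ports in the nftables ruleset; whether the rest of this change does so is not visible here. If the option has to stay, state the reason in the template, e.g. `# nf_conntrack_helper=1: automatic helper assignment kept for <reason>`, so a later reader does not treat it as an oversight.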
@@ -6,28 +6,31 @@ Sync { DisableExternalCache {{ 'on' if disable_external_cache is defined else 'off' }} } {% for iface, iface_config in interface.items() %} -{% if loop.first %} -{% if iface_config.peer is defined and iface_config.peer is not none %} +{% if iface_config.peer is defined and iface_config.peer is not none %} UDP { -{% if listen_address is defined and listen_address is not none %} +{% if listen_address is defined and listen_address is not none %} IPv4_address {{ listen_address }} -{% endif %} +{% endif %} IPv4_Destination_Address {{ iface_config.peer }} - Port 3780 -{% else %} -{% set ip_address = iface | get_ipv4 %} + Port {{ iface_config.port if iface_config.port is defined else '3780' }} + Interface {{ iface }} + SndSocketBuffer {{ sync_queue_size | int *1024 *1024 }} + RcvSocketBuffer {{ sync_queue_size | int *1024 *1024 }} + Checksum on + } +{% else %} Multicast { +{% set ip_address = iface | get_ipv4 %} IPv4_address {{ mcast_group }} - Group 3780 + Group {{ iface_config.port if iface_config.port is defined else '3780' }} IPv4_interface {{ ip_address[0] | ip_from_cidr }} -{% endif %} Interface {{ iface }} -{% endif %} -{% endfor %} SndSocketBuffer {{ sync_queue_size | int *1024 *1024 }} RcvSocketBuffer {{ sync_queue_size | int *1024 *1024 }} Checksum on } +{% endif %} +{% endfor %} {% if expect_sync is defined and expect_sync is not none %} Options { {% if 'all' in expect_sync %} diff --git a/data/templates/dhcp-server/dhcpdv6.conf.tmpl b/data/templates/dhcp-server/dhcpdv6.conf.tmpl index 8d653ff72..45d629928 100644 --- a/data/templates/dhcp-server/dhcpdv6.conf.tmpl +++ b/data/templates/dhcp-server/dhcpdv6.conf.tmpl 
@@ -107,6 +107,9 @@ shared-network {{ network | replace('_','-') }} { {% if host_config.ipv6_address is defined and host_config.ipv6_address is not none %} fixed-address6 {{ host_config.ipv6_address }}; {% endif %} +{% if host_config.ipv6_prefix is defined and host_config.ipv6_prefix is not none %} + fixed-prefix6 {{ host_config.ipv6_prefix }}; +{% endif %} } {% endfor %} {% endif %} diff --git a/data/templates/ethernet/wpa_supplicant.conf.tmpl b/data/templates/ethernet/wpa_supplicant.conf.tmpl index fe518ad45..308d777f1 100644 --- a/data/templates/ethernet/wpa_supplicant.conf.tmpl +++ b/data/templates/ethernet/wpa_supplicant.conf.tmpl @@ -32,11 +32,11 @@ fast_reauth=1 network={ {% if eapol is defined and eapol is not none %} -{% if eapol.ca_cert_file is defined and eapol.ca_cert_file is not none %} - ca_cert="{{ eapol.ca_cert_file }}" +{% if eapol.ca_certificate is defined and eapol.ca_certificate is not none %} + ca_cert="/run/wpa_supplicant/{{ ifname }}_ca.pem" {% endif %} - client_cert="{{ eapol.cert_file }}" - private_key="{{ eapol.key_file }}" + client_cert="/run/wpa_supplicant/{{ ifname }}_cert.pem" + private_key="/run/wpa_supplicant/{{ ifname }}_cert.key" {% endif %} # list of accepted authenticated key management protocols diff --git a/data/templates/firewall/nftables-nat.tmpl b/data/templates/firewall/nftables-nat.tmpl index b80fc1968..40ed1b916 100644 --- a/data/templates/firewall/nftables-nat.tmpl +++ b/data/templates/firewall/nftables-nat.tmpl 
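Review bot: When `eapol.ca_certificate` is unset the rendered `network` block carries `client_cert` and `private_key` but no `ca_cert=`, and wpa_supplicant then runs EAP-TLS without validating the authentication server's certificate, so the client will authenticate against any authenticator that presents a certificate. Either make the CA mandatory in the interface definition or warn in the conf_mode script when it is absent; at minimum mark it in the template, `{# ca_cert is optional here: without it the server certificate is NOT verified #}`. The new fixed paths under `/run/wpa_supplicant/` include the private key, so the code that writes those files (not in this hunk) should create them with owner-only permissions.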
@@ -73,6 +73,26 @@ {% set trns_addr = 'return' %} {% set trns_port = '' %} {% endif %} +{# T1083: NAT address and port translation options #} +{% if config.translation is defined and config.translation.options is defined and config.translation.options is not none %} +{% if config.translation.options.address_mapping is defined and config.translation.options.address_mapping == "persistent" %} +{% set trns_opts_addr = 'persistent' %} +{% endif %} +{% if config.translation.options.port_mapping is defined %} +{% if config.translation.options.port_mapping == "random" %} +{% set trns_opts_port = 'random' %} +{% elif config.translation.options.port_mapping == "fully-random" %} +{% set trns_opts_port = 'fully-random' %} +{% endif %} +{% endif %} +{% endif %} +{% if trns_opts_addr and trns_opts_port %} +{% set trns_opts = trns_opts_addr + ',' + trns_opts_port %} +{% elif trns_opts_addr %} +{% set trns_opts = trns_opts_addr %} +{% elif trns_opts_port %} +{% set trns_opts = trns_opts_port %} +{% endif %} {% set output = 'add rule ip nat ' + chain + interface %} {% if protocol != 'all' %} {% set output = output + ' ip protocol ' + protocol %} @@ -104,6 +124,9 @@ {# e.g. 192.0.2.10:3389 #} {% set output = output + trns_port %} {% endif %} +{% if trns_opts %} +{% set output = output + ' ' + trns_opts %} +{% endif %} {% if comment %} {% set output = output + ' comment "' + comment + '"' %} {% endif %} diff --git a/data/templates/firewall/nftables-vrf-zones.tmpl b/data/templates/firewall/nftables-vrf-zones.tmpl new file mode 100644 index 000000000..eecf47b78 --- /dev/null +++ b/data/templates/firewall/nftables-vrf-zones.tmpl 
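Review bot: `trns_opts_addr`, `trns_opts_port` and `trns_opts` are never initialised before the new T1083 block, so when `config.translation.options` is absent the tests `{% if trns_opts_addr and trns_opts_port %}` and, in the second hunk, `{% if trns_opts %}` depend on Jinja's lenient default Undefined and would raise under a `StrictUndefined` environment. Initialise them next to the existing `{% set trns_port = '' %}`: `{% set trns_opts_addr = '' %}`, `{% set trns_opts_port = '' %}`, `{% set trns_opts = '' %}`. The enclosing rule loop starts outside this hunk.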
@@ -0,0 +1,17 @@ +table inet vrf_zones { + # Map of interfaces and connections tracking zones + map ct_iface_map { + typeof iifname : ct zone + } + # Assign unique zones for each VRF + # Chain for inbound traffic + chain vrf_zones_ct_in { + type filter hook prerouting priority raw; policy accept; + counter ct zone set iifname map @ct_iface_map + } + # Chain for locally-generated traffic + chain vrf_zones_ct_out { + type filter hook output priority raw; policy accept; + counter ct zone set oifname map @ct_iface_map + } +} diff --git a/data/templates/frr/bgpd.frr.tmpl b/data/templates/frr/bgpd.frr.tmpl index 5edd3f97d..aa297876b 100644 --- a/data/templates/frr/bgpd.frr.tmpl +++ b/data/templates/frr/bgpd.frr.tmpl @@ -65,6 +65,9 @@ {% if config.shutdown is defined %} neighbor {{ neighbor }} shutdown {% endif %} +{% if config.solo is defined %} + neighbor {{ neighbor }} solo +{% endif %} {% if config.strict_capability_match is defined %} neighbor {{ neighbor }} strict-capability-match {% endif %} @@ -173,6 +176,9 @@ {% if afi_config.maximum_prefix is defined and afi_config.maximum_prefix is not none %} neighbor {{ neighbor }} maximum-prefix {{ afi_config.maximum_prefix }} {% endif %} +{% if afi_config.maximum_prefix_out is defined and afi_config.maximum_prefix_out is not none %} + neighbor {{ neighbor }} maximum-prefix-out {{ afi_config.maximum_prefix_out }} +{% endif %} {% if afi_config.nexthop_self is defined %} neighbor {{ neighbor }} next-hop-self {{ 'force' if afi_config.nexthop_self.force is defined }} {% endif %} 
@@ -399,15 +405,18 @@ router bgp {{ local_as }} {{ 'vrf ' ~ vrf if vrf is defined and vrf is not none bgp always-compare-med {% endif %} {% if parameters.bestpath is defined and parameters.bestpath is not none %} -{% if parameters.bestpath.compare_routerid is defined %} - bgp bestpath compare-routerid -{% endif %} {% if parameters.bestpath.as_path is defined and parameters.bestpath.as_path is not none %} {% for option in parameters.bestpath.as_path %} {# replace is required for multipath-relax option #} bgp bestpath as-path {{ option|replace('_', '-') }} {% endfor %} {% endif %} +{% if parameters.bestpath.bandwidth is defined and parameters.bestpath.bandwidth is not none %} + bgp bestpath bandwidth {{ parameters.bestpath.bandwidth }} +{% endif %} +{% if parameters.bestpath.compare_routerid is defined %} + bgp bestpath compare-routerid +{% endif %} {% if parameters.bestpath.med is defined and parameters.bestpath.med is not none %} bgp bestpath med {{ 'confed' if parameters.bestpath.med.confed is defined }} {{ 'missing-as-worst' if parameters.bestpath.med.missing_as_worst is defined }} {% endif %} @@ -420,7 +429,7 @@ router bgp {{ local_as }} {{ 'vrf ' ~ vrf if vrf is defined and vrf is not none bgp confederation identifier {{ parameters.confederation.identifier }} {% endif %} {% if parameters.confederation.peers is defined and parameters.confederation.peers is not none %} - bgp confederation peers {{ parameters.confederation.peers }} + bgp confederation peers {{ parameters.confederation.peers | join(' ') }} {% endif %} {% endif %} {% if parameters.dampening is defined and parameters.dampening is defined and parameters.dampening.half_life is defined and parameters.dampening.half_life is not none %} diff --git a/data/templates/frr/isis.frr.tmpl b/data/templates/frr/isisd.frr.tmpl index 433f10892..6cfa076d0 100644 --- a/data/templates/frr/isis.frr.tmpl +++ b/data/templates/frr/isisd.frr.tmpl 
@@ -13,8 +13,15 @@ router isis VyOS {{ 'vrf ' + vrf if vrf is defined and vrf is not none }} {% if set_overload_bit is defined %} set-overload-bit {% endif %} -{% if domain_password is defined and domain_password.plaintext_password is defined and domain_password.plaintext_password is not none %} +{% if domain_password is defined and domain_password is not none %} +{% if domain_password.md5 is defined and domain_password.md5 is not none %} + domain-password md5 {{ domain_password.plaintext_password }} +{% elif domain_password.plaintext_password is defined and domain_password.plaintext_password is not none %} domain-password clear {{ domain_password.plaintext_password }} +{% endif %} +{% endif %} +{% if log_adjacency_changes is defined %} + log-adjacency-changes {% endif %} {% if lsp_gen_interval is defined and lsp_gen_interval is not none %} lsp-gen-interval {{ lsp_gen_interval }} 
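Review bot: The new `md5` branch renders `domain-password md5 {{ domain_password.plaintext_password }}`, i.e. the plaintext value (or an empty string when only `md5` is configured) instead of `domain_password.md5`; the parallel `area_password` block later in this file correctly emits `area-password md5 {{ area_password.md5 }}`. Change the line to `domain-password md5 {{ domain_password.md5 }}`.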
@@ -95,39 +102,53 @@ router isis VyOS {{ 'vrf ' + vrf if vrf is defined and vrf is not none }} {% if spf_delay_ietf is defined and spf_delay_ietf.init_delay is defined and spf_delay_ietf.init_delay is not none %} spf-delay-ietf init-delay {{ spf_delay_ietf.init_delay }} {% endif %} -{% if area_password is defined and area_password.md5 is defined and area_password.md5 is not none %} +{% if area_password is defined and area_password is not none %} +{% if area_password.md5 is defined and area_password.md5 is not none %} area-password md5 {{ area_password.md5 }} -{% elif area_password is defined and area_password.plaintext_password is defined and area_password.plaintext_password is not none %} +{% elif area_password.plaintext_password is defined and area_password.plaintext_password is not none %} area-password clear {{ area_password.plaintext_password }} +{% endif %} {% endif %} {% if default_information is defined and default_information.originate is defined and default_information.originate is not none %} -{% for level in default_information.originate.ipv4 if default_information.originate.ipv4 is defined %} - default-information originate ipv4 {{ level | replace('_', '-') }} -{% endfor %} -{% for level in default_information.originate.ipv6 if default_information.originate.ipv6 is defined %} - default-information originate ipv6 {{ level | replace('_', '-') }} always +{% for afi, afi_config in default_information.originate.items() %} +{% for level, level_config in afi_config.items() %} + default-information originate {{ afi }} {{ level | replace('_', '-') }} {{ 'always' if level_config.always is defined }} {{ 'route-map ' ~ level_config.route_map if level_config.route_map is defined }} {{ 'metric ' ~ level_config.metric if level_config.metric is defined }} +{% endfor %} {% endfor %} {% endif %} -{% if redistribute is defined and redistribute.ipv4 is defined and redistribute.ipv4 is not none %} -{% for protocol in redistribute.ipv4 %} -{% for level, level_config in 
redistribute.ipv4[protocol].items() %} -{% if level_config.metric is defined and level_config.metric is not none %} +{% if redistribute is defined %} +{% if redistribute.ipv4 is defined and redistribute.ipv4 is not none %} +{% for protocol, protocol_options in redistribute.ipv4.items() %} +{% for level, level_config in protocol_options.items() %} +{% if level_config.metric is defined and level_config.metric is not none %} redistribute ipv4 {{ protocol }} {{ level | replace('_', '-') }} metric {{ level_config.metric }} -{% elif level_config.route_map is defined and level_config.route_map is not none %} +{% elif level_config.route_map is defined and level_config.route_map is not none %} redistribute ipv4 {{ protocol }} {{ level | replace('_', '-') }} route-map {{ level_config.route_map }} -{% else %} +{% else %} redistribute ipv4 {{ protocol }} {{ level | replace('_', '-') }} -{% endif %} +{% endif %} +{% endfor %} {% endfor %} -{% endfor %} +{% endif %} +{% if redistribute.ipv6 is defined and redistribute.ipv6 is not none %} +{% for protocol, protocol_options in redistribute.ipv6.items() %} +{% for level, level_config in protocol_options.items() %} +{% if level_config.metric is defined and level_config.metric is not none %} + redistribute ipv6 {{ protocol }} {{ level | replace('_', '-') }} metric {{ level_config.metric }} +{% elif level_config.route_map is defined and level_config.route_map is not none %} + redistribute ipv6 {{ protocol }} {{ level | replace('_', '-') }} route-map {{ level_config.route_map }} +{% else %} + redistribute ipv6 {{ protocol }} {{ level | replace('_', '-') }} +{% endif %} +{% endfor %} +{% endfor %} +{% endif %} {% endif %} {% if level is defined and level is not none %} -{% if level == 'level-1' %} - is-type level-1 -{% elif level == 'level-2' %} +{% if level == 'level-2' %} is-type level-2-only -{% elif level == 'level-1-2' %} - is-type level-1-2 +{% else %} + is-type {{ level }} {% endif %} {% endif %} ! 
@@ -135,6 +156,7 @@ router isis VyOS {{ 'vrf ' + vrf if vrf is defined and vrf is not none }} {% for iface, iface_config in interface.items() %} interface {{ iface }} {{ 'vrf ' + vrf if vrf is defined and vrf is not none }} ip router isis VyOS + ipv6 router isis VyOS {% if iface_config.bfd is defined %} isis bfd {% endif %} @@ -173,4 +195,4 @@ interface {{ iface }} {{ 'vrf ' + vrf if vrf is defined and vrf is not none }} {% endif %} {% endfor %} {% endif %} -! +!
\ No newline at end of file diff --git a/data/templates/frr/ospfv3.frr.tmpl b/data/templates/frr/ospfv3.frr.tmpl index d08972a80..0026c0d2c 100644 --- a/data/templates/frr/ospfv3.frr.tmpl +++ b/data/templates/frr/ospfv3.frr.tmpl @@ -50,6 +50,11 @@ router ospf6 interface {{ interface }} area {{ area_id }} {% endfor %} {% endif %} +{% if area_config.area_type is defined and area_config.area_type is not none %} +{% for type, type_config in area_config.area_type.items() %} + area {{ area_id }} {{ type }} {{ 'no-summary' if type_config.no_summary is defined }} +{% endfor %} +{% endif %} {% if area_config.range is defined and area_config.range is not none %} {% for prefix, prefix_config in area_config.range.items() %} area {{ area_id }} range {{ prefix }} {{ 'advertise' if prefix_config.advertise is defined }} {{ 'not-advertise' if prefix_config.not_advertise is defined }} diff --git a/data/templates/frr/policy.frr.tmpl b/data/templates/frr/policy.frr.tmpl index 881afa21f..b5649b44e 100644 --- a/data/templates/frr/policy.frr.tmpl +++ b/data/templates/frr/policy.frr.tmpl 
@@ -247,11 +247,14 @@ route-map {{ route_map }} {{ rule_config.action }} {{ rule }} {% if rule_config.set.distance is defined and rule_config.set.distance is not none %} set distance {{ rule_config.set.distance }} {% endif %} -{% if rule_config.set.extcommunity_rt is defined and rule_config.set.extcommunity_rt is not none %} - set extcommunity rt {{ rule_config.set.extcommunity_rt }} +{% if rule_config.set.extcommunity is defined and rule_config.set.extcommunity.bandwidth is defined and rule_config.set.extcommunity.bandwidth is not none %} + set extcommunity bandwidth {{ rule_config.set.extcommunity.bandwidth }} {% endif %} -{% if rule_config.set.extcommunity_soo is defined and rule_config.set.extcommunity_soo is not none %} - set extcommunity soo {{ rule_config.set.extcommunity_soo }} +{% if rule_config.set.extcommunity is defined and rule_config.set.extcommunity.rt is defined and rule_config.set.extcommunity.rt is not none %} + set extcommunity rt {{ rule_config.set.extcommunity.rt }} +{% endif %} +{% if rule_config.set.extcommunity is defined and rule_config.set.extcommunity.soo is defined and rule_config.set.extcommunity.soo is not none %} + set extcommunity soo {{ rule_config.set.extcommunity.soo }} {% endif %} {% if rule_config.set.ip_next_hop is defined and rule_config.set.ip_next_hop is not none %} set ip next-hop {{ rule_config.set.ip_next_hop }} 
@@ -262,6 +265,9 @@ route-map {{ route_map }} {{ rule_config.action }} {{ rule }} {% if rule_config.set.ipv6_next_hop is defined and rule_config.set.ipv6_next_hop.local is defined and rule_config.set.ipv6_next_hop.local is not none %} set ipv6 next-hop local {{ rule_config.set.ipv6_next_hop.local }} {% endif %} +{% if rule_config.set.ipv6_next_hop is defined and rule_config.set.ipv6_next_hop.prefer_global is defined %} + set ipv6 next-hop prefer-global +{% endif %} {% if rule_config.set.large_community is defined and rule_config.set.large_community is not none %} set large-community {{ rule_config.set.large_community }} {% endif %} diff --git a/data/templates/https/nginx.default.tmpl b/data/templates/https/nginx.default.tmpl index 916764410..b40ddcc74 100644 --- a/data/templates/https/nginx.default.tmpl +++ b/data/templates/https/nginx.default.tmpl @@ -30,7 +30,8 @@ server { include {{ server.certbot_dir }}/options-ssl-nginx.conf; ssl_dhparam {{ server.certbot_dir }}/ssl-dhparams.pem; {% elif server.vyos_cert %} - include {{ server.vyos_cert.conf }}; + ssl_certificate {{ server.vyos_cert.crt }}; + ssl_certificate_key {{ server.vyos_cert.key }}; {% else %} # # Self signed certs generated by the ssl-cert package @@ -40,7 +41,7 @@ server { {% endif %} # proxy settings for HTTP API, if enabled; 503, if not - location ~ /(retrieve|configure|config-file|image|generate|show|docs|openapi.json|redoc) { + location ~ /(retrieve|configure|config-file|image|generate|show|docs|openapi.json|redoc|graphql) { {% if server.api %} proxy_pass http://localhost:{{ server.api.port }}; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; diff --git a/data/templates/ipsec/charon/dhcp.conf.tmpl b/data/templates/ipsec/charon/dhcp.conf.tmpl new file mode 100644 index 000000000..92774b275 --- /dev/null +++ b/data/templates/ipsec/charon/dhcp.conf.tmpl 
@@ -0,0 +1,22 @@ +dhcp { + load = yes +{% if remote_access is defined and remote_access.dhcp is defined %} +{% if remote_access.dhcp.interface is defined %} + interface = {{ remote_access.dhcp.interface }} +{% endif %} +{% if remote_access.dhcp.server is defined %} + server = {{ remote_access.dhcp.server }} +{% endif %} +{% endif %} + + # Always use the configured server address. + # force_server_address = no + + # Derive user-defined MAC address from hash of IKE identity and send client + # identity DHCP option. + # identity_lease = no + + # Use the DHCP server port (67) as source port when a unicast server address + # is configured. + # use_server_port = no +} diff --git a/data/templates/ipsec/charon/eap-radius.conf.tmpl b/data/templates/ipsec/charon/eap-radius.conf.tmpl new file mode 100644 index 000000000..5ec35c988 --- /dev/null +++ b/data/templates/ipsec/charon/eap-radius.conf.tmpl 
@@ -0,0 +1,115 @@ +eap-radius { + # Send RADIUS accounting information to RADIUS servers. + # accounting = no + + # Close the IKE_SA if there is a timeout during interim RADIUS accounting + # updates. + # accounting_close_on_timeout = yes + + # Interval in seconds for interim RADIUS accounting updates, if not + # specified by the RADIUS server in the Access-Accept message. + # accounting_interval = 0 + + # If enabled, accounting is disabled unless an IKE_SA has at least one + # virtual IP. Only for IKEv2, for IKEv1 a virtual IP is strictly necessary. + # accounting_requires_vip = no + + # If enabled, adds the Class attributes received in Access-Accept message to + # the RADIUS accounting messages. + # accounting_send_class = no + + # Use class attributes in Access-Accept messages as group membership + # information. + # class_group = no + + # Closes all IKE_SAs if communication with the RADIUS server times out. If + # it is not set only the current IKE_SA is closed. + # close_all_on_timeout = no + + # Send EAP-Start instead of EAP-Identity to start RADIUS conversation. + # eap_start = no + + # Use filter_id attribute as group membership information. + # filter_id = no + + # Prefix to EAP-Identity, some AAA servers use a IMSI prefix to select the + # EAP method. + # id_prefix = + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # NAS-Identifier to include in RADIUS messages. + nas_identifier = {{ remote_access.radius.nas_identifier if remote_access is defined and remote_access.radius is defined and remote_access.radius.nas_identifier is defined else 'strongSwan' }} + + # Port of RADIUS server (authentication). + # port = 1812 + + # Base to use for calculating exponential back off. + # retransmit_base = 1.4 + + # Timeout in seconds before sending first retransmit. + # retransmit_timeout = 2.0 + + # Number of times to retransmit a packet before giving up. 
+ # retransmit_tries = 4 + + # Shared secret between RADIUS and NAS. If set, make sure to adjust the + # permissions of the config file accordingly. + # secret = + + # IP/Hostname of RADIUS server. + # server = + + # Number of sockets (ports) to use, increase for high load. + # sockets = 1 + + # Whether to include the UDP port in the Called- and Calling-Station-Id + # RADIUS attributes. + # station_id_with_port = yes + + dae { + # Enables support for the Dynamic Authorization Extension (RFC 5176). + # enable = no + + # Address to listen for DAE messages from the RADIUS server. + # listen = 0.0.0.0 + + # Port to listen for DAE requests. + # port = 3799 + + # Shared secret used to verify/sign DAE messages. If set, make sure to + # adjust the permissions of the config file accordingly. + # secret = + } + + forward { + # RADIUS attributes to be forwarded from IKEv2 to RADIUS. + # ike_to_radius = + + # Same as ike_to_radius but from RADIUS to IKEv2. + # radius_to_ike = + } + + # Section to specify multiple RADIUS servers. + servers { +{% if remote_access is defined and remote_access.radius is defined and remote_access.radius.server is defined %} +{% for server, server_options in remote_access.radius.server.items() if server_options.disable is not defined %} + {{ server | replace('.', '-') }} { + address = {{ server }} + secret = {{ server_options.key }} + auth_port = {{ server_options.port }} +{% if server_options.disable_accounting is not defined %} + acct_port = {{ server_options.port | int +1 }} +{% endif %} + sockets = 20 + } +{% endfor %} +{% endif %} + } + + # Section to configure multiple XAuth authentication rounds via RADIUS. + xauth { + } +} diff --git a/data/templates/ipsec/interfaces_use.conf.tmpl b/data/templates/ipsec/interfaces_use.conf.tmpl new file mode 100644 index 000000000..a77102396 --- /dev/null +++ b/data/templates/ipsec/interfaces_use.conf.tmpl 
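Review bot: In the `servers` block the RADIUS shared secret is emitted unquoted, `secret = {{ server_options.key }}`, unlike every secret in swanctl.conf.tmpl; the strongswan.conf parser treats `#` as a comment start and whitespace as a separator, so a key containing either would be silently truncated — write `secret = "{{ server_options.key }}"`. `acct_port = {{ server_options.port | int +1 }}` hard-codes the convention that accounting listens on the auth port plus one; a comment such as `{# accounting port is assumed to be auth port + 1 (1812/1813 convention) #}` makes that assumption visible to whoever adds a separate knob later. Since the secret now lands in this file, the code that renders it presumably sets restrictive ownership and mode on the charon config directory; that is outside this hunk and worth confirming.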
@@ -0,0 +1,5 @@
+{% if interface is defined %}
+charon {
+ interfaces_use = {{ ', '.join(interface) }}
+}
+{% endif %}
\ No newline at end of file
diff --git a/data/templates/ipsec/ios_profile.tmpl b/data/templates/ipsec/ios_profile.tmpl
new file mode 100644
index 000000000..af6c79d6e
--- /dev/null
+++ b/data/templates/ipsec/ios_profile.tmpl
@@ -0,0 +1,104 @@ +<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> +<plist version="1.0"> +<dict> + <!-- Set the name to whatever you like, it is used in the profile list on the device --> + <key>PayloadDisplayName</key> + <string>{{ profile_name }}</string> + <!-- This is a reverse-DNS style unique identifier used to detect duplicate profiles --> + <key>PayloadIdentifier</key> + <string>{{ rfqdn }}</string> + <!-- A globally unique identifier, use uuidgen on Linux/Mac OS X to generate it --> + <key>PayloadUUID</key> + <string>{{ '' | get_uuid }}</string> + <key>PayloadType</key> + <string>Configuration</string> + <key>PayloadVersion</key> + <integer>1</integer> + <key>PayloadContent</key> + <array> + <!-- It is possible to add multiple VPN payloads with different identifiers/UUIDs and names --> + <dict> + <!-- This is an extension of the identifier given above --> + <key>PayloadIdentifier</key> + <string>{{ rfqdn }}.conf1</string> + <!-- A globally unique identifier for this payload --> + <key>PayloadUUID</key> + <string>{{ '' | get_uuid }}</string> + <key>PayloadType</key> + <string>com.apple.vpn.managed</string> + <key>PayloadVersion</key> + <integer>1</integer> + <!-- This is the name of the VPN connection as seen in the VPN application later --> + <key>UserDefinedName</key> + <string>{{ vpn_name }}</string> + <key>VPNType</key> + <string>IKEv2</string> + <key>IKEv2</key> + <dict> + <!-- Hostname or IP address of the VPN server --> + <key>RemoteAddress</key> + <string>{{ remote }}</string> + <!-- Remote identity, can be a FQDN, a userFQDN, an IP or (theoretically) a certificate's subject DN. Can't be empty. + IMPORTANT: DNs are currently not handled correctly, they are always sent as identities of type FQDN --> + <key>RemoteIdentifier</key> + <string>{{ authentication.id if authentication.id is defined else 'fooo' }}</string> + <!-- Local IKE identity, same restrictions as above. 
If it is empty the client's IP address will be used --> + <key>LocalIdentifier</key> + <string></string> + <!-- Optional, if it matches the CN of the root CA certificate (not the full subject DN) a certificate request will be sent + NOTE: If this is not configured make sure to configure leftsendcert=always on the server, otherwise it won't send its certificate --> + <key>ServerCertificateIssuerCommonName</key> + <string>{{ ca_cn }}</string> + <!-- Optional, the CN or one of the subjectAltNames of the server certificate to verify it, if not set RemoteIdentifier will be used --> + <key>ServerCertificateCommonName</key> + <string>{{ cert_cn }}</string> + <!-- The server is authenticated using a certificate --> + <key>AuthenticationMethod</key> + <string>Certificate</string> + <!-- The client uses EAP to authenticate --> + <key>ExtendedAuthEnabled</key> + <integer>1</integer> + <!-- The next two dictionaries are optional (as are the keys in them), but it is recommended to specify them as the default is to use 3DES. 
+ IMPORTANT: Because only one proposal is sent (even if nothing is configured here) it must match the server configuration --> + <key>IKESecurityAssociationParameters</key> + <dict> + <!-- @see https://developer.apple.com/documentation/networkextension/nevpnikev2encryptionalgorithm --> + <key>EncryptionAlgorithm</key> + <string>{{ ike_encryption.encryption }}</string> + <!-- @see https://developer.apple.com/documentation/networkextension/nevpnikev2integrityalgorithm --> + <key>IntegrityAlgorithm</key> + <string>{{ ike_encryption.hash }}</string> + <!-- @see https://developer.apple.com/documentation/networkextension/nevpnikev2diffiehellmangroup --> + <key>DiffieHellmanGroup</key> + <integer>{{ ike_encryption.dh_group }}</integer> + </dict> + <key>ChildSecurityAssociationParameters</key> + <dict> + <key>EncryptionAlgorithm</key> + <string>{{ esp_encryption.encryption }}</string> + <key>IntegrityAlgorithm</key> + <string>{{ esp_encryption.hash }}</string> + <key>DiffieHellmanGroup</key> + <integer>{{ ike_encryption.dh_group }}</integer> + </dict> + </dict> + </dict> + <!-- This payload is optional but it provides an easy way to install the CA certificate together with the configuration --> + <dict> + <key>PayloadIdentifier</key> + <string>org.example.ca</string> + <key>PayloadUUID</key> + <string>{{ '' | get_uuid }}</string> + <key>PayloadType</key> + <string>com.apple.security.root</string> + <key>PayloadVersion</key> + <integer>1</integer> + <!-- This is the Base64 (PEM) encoded CA certificate --> + <key>PayloadContent</key> + <data> + {{ ca_cert }} + </data> + </dict> + </array> +</dict> +</plist> diff --git a/data/templates/ipsec/ipsec.conf.tmpl b/data/templates/ipsec/ipsec.conf.tmpl index d0b60765b..1cb531e76 100644 --- a/data/templates/ipsec/ipsec.conf.tmpl +++ b/data/templates/ipsec/ipsec.conf.tmpl 
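Review bot: `RemoteIdentifier` falls back to the placeholder `'fooo'` when `authentication.id` is unset, which yields a profile the client will presumably reject at IKE_AUTH because the server's identity never matches; the server address is the usual identity in that case, so `<string>{{ authentication.id if authentication.id is defined else remote }}</string>` is a working default (or fail rendering explicitly instead of emitting a bogus value). The interpolated values (`profile_name`, `vpn_name`, `remote`, `ca_cn`, `cert_cn`) go into XML without escaping; if autoescape is off for these templates, `{{ vpn_name | e }}` and the like keep a name containing `&` or `<` from producing an unparseable plist. The CA payload uses the fixed `PayloadIdentifier` `org.example.ca` while the other payloads derive theirs from `rfqdn`; deriving it as well, e.g. `<string>{{ rfqdn }}.ca</string>`, avoids two profiles on one device sharing a CA payload identifier, which the device may treat as the same payload.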
@@ -1,3 +1,18 @@
-{{delim_ipsec_l2tp_begin}}
-include {{ipsec_ra_conn_file}}
-{{delim_ipsec_l2tp_end}}
+# Created by VyOS - manual changes will be overwritten
+
+config setup
+{% set charondebug = '' %}
+{% if log is defined and log.subsystem is defined and log.subsystem is not none %}
+{% set subsystem = log.subsystem %}
+{% if 'any' in log.subsystem %}
+{% set subsystem = ['dmn', 'mgr', 'ike', 'chd','job', 'cfg', 'knl', 'net', 'asn',
+ 'enc', 'lib', 'esp', 'tls', 'tnc', 'imc', 'imv', 'pts'] %}
+{% endif %}
+{% set charondebug = subsystem | join (' ' ~ log.level ~ ', ') ~ ' ' ~ log.level %}
+{% endif %}
+ charondebug = "{{ charondebug }}"
+ uniqueids = {{ "no" if disable_uniqreqids is defined else "yes" }}
+
+{% if include_ipsec_conf is defined %}
+include {{ include_ipsec_conf }}
+{% endif %}
diff --git a/data/templates/ipsec/ipsec.secrets.tmpl b/data/templates/ipsec/ipsec.secrets.tmpl
index 55c010a3b..057e291ed 100644
--- a/data/templates/ipsec/ipsec.secrets.tmpl
+++ b/data/templates/ipsec/ipsec.secrets.tmpl
@@ -1,7 +1,5 @@
-{{delim_ipsec_l2tp_begin}}
-{% if ipsec_l2tp_auth_mode == 'pre-shared-secret' %}
-{{outside_addr}} %any : PSK "{{ipsec_l2tp_secret}}"
-{% elif ipsec_l2tp_auth_mode == 'x509' %}
-: RSA {{server_key_file_copied}}
-{% endif%}
-{{delim_ipsec_l2tp_end}}
+# Created by VyOS - manual changes will be overwritten
+
+{% if include_ipsec_secrets is defined %}
+include {{ include_ipsec_secrets }}
+{% endif %}
diff --git a/data/templates/ipsec/remote-access.tmpl b/data/templates/ipsec/remote-access.tmpl
deleted file mode 100644
index fae48232f..000000000
--- a/data/templates/ipsec/remote-access.tmpl
+++ /dev/null
@@ -1,28 +0,0 @@
-{{delim_ipsec_l2tp_begin}}
-conn {{ra_conn_name}}
- type=transport
- left={{outside_addr}}
- leftsubnet=%dynamic[/1701]
- rightsubnet=%dynamic
- mark_in=%unique
- auto=add
- ike=aes256-sha1-modp1024,3des-sha1-modp1024,3des-sha1-modp1024!
- dpddelay=15
- dpdtimeout=45
- dpdaction=clear
- esp=aes256-sha1,3des-sha1!
- rekey=no
-{% if ipsec_l2tp_auth_mode == 'pre-shared-secret' %}
- authby=secret
- leftauth=psk
- rightauth=psk
-{% elif ipsec_l2tp_auth_mode == 'x509' %}
- authby=rsasig
- leftrsasigkey=%cert
- rightrsasigkey=%cert
- rightca=%same
- leftcert={{server_cert_file_copied}}
-{% endif %}
- ikelifetime={{ipsec_l2tp_ike_lifetime}}
- keylife={{ipsec_l2tp_lifetime}}
-{{delim_ipsec_l2tp_end}}
diff --git a/data/templates/ipsec/swanctl.conf.tmpl b/data/templates/ipsec/swanctl.conf.tmpl
new file mode 100644
index 000000000..161f19f95
--- /dev/null
+++ b/data/templates/ipsec/swanctl.conf.tmpl
@@ -0,0 +1,131 @@ +### Autogenerated by vpn_ipsec.py ### +{% import 'ipsec/swanctl/l2tp.tmpl' as l2tp_tmpl %} +{% import 'ipsec/swanctl/profile.tmpl' as profile_tmpl %} +{% import 'ipsec/swanctl/peer.tmpl' as peer_tmpl %} +{% import 'ipsec/swanctl/remote_access.tmpl' as remote_access_tmpl %} + +connections { +{% if profile is defined %} +{% for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %} +{{ profile_tmpl.conn(name, profile_conf, ike_group, esp_group) }} +{% endfor %} +{% endif %} +{% if site_to_site is defined and site_to_site.peer is defined %} +{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %} +{{ peer_tmpl.conn(peer, peer_conf, ike_group, esp_group) }} +{% endfor %} +{% endif %} +{% if remote_access is defined and remote_access.connection is defined and remote_access.connection is not none %} +{% for rw, rw_conf in remote_access.connection.items() if rw_conf.disable is not defined %} +{{ remote_access_tmpl.conn(rw, rw_conf, ike_group, esp_group) }} +{% endfor %} +{% endif %} +{% if l2tp %} +{{ l2tp_tmpl.conn(l2tp, l2tp_outside_address, l2tp_ike_default, l2tp_esp_default, ike_group, esp_group) }} +{% endif %} +} + +pools { +{% if remote_access is defined and remote_access.pool is defined and remote_access.pool is not none %} +{% for pool, pool_config in remote_access.pool.items() %} + {{ pool }} { +{% if pool_config.prefix is defined and pool_config.prefix is not none %} + addrs = {{ pool_config.prefix }} +{% endif %} +{% if pool_config.name_server is defined and pool_config.name_server is not none %} + dns = {{ pool_config.name_server | join(',') }} +{% endif %} +{% if pool_config.exclude is defined and pool_config.exclude is not none %} + split_exclude = {{ pool_config.exclude | join(',') }} +{% endif %} + } +{% endfor %} +{% endif %} +} + +secrets { +{% if profile is defined %} +{% 
for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %} +{% if profile_conf.authentication.mode == 'pre-shared-secret' %} +{% for interface in profile_conf.bind.tunnel %} + ike-dmvpn-{{ interface }} { + secret = {{ profile_conf.authentication.pre_shared_secret }} + } +{% endfor %} +{% endif %} +{% endfor %} +{% endif %} +{% if site_to_site is defined and site_to_site.peer is defined %} +{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %} +{% set peer_name = peer.replace(".", "-").replace("@", "") %} +{% if peer_conf.authentication.mode == 'pre-shared-secret' %} + ike_{{ peer_name }} { +{% if peer_conf.local_address is defined %} + id-local = {{ peer_conf.local_address }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }} +{% endif %} + id-remote = {{ peer }} +{% if peer_conf.authentication.id is defined %} + id-localid = {{ peer_conf.authentication.id }} +{% endif %} +{% if peer_conf.authentication.remote_id is defined %} + id-remoteid = {{ peer_conf.authentication.remote_id }} +{% endif %} + secret = "{{ peer_conf.authentication.pre_shared_secret }}" + } +{% elif peer_conf.authentication.mode == 'x509' %} + private_{{ peer_name }} { + file = {{ peer_conf.authentication.x509.certificate }}.pem +{% if peer_conf.authentication.x509.passphrase is defined %} + secret = "{{ peer_conf.authentication.x509.passphrase }}" +{% endif %} + } +{% elif peer_conf.authentication.mode == 'rsa' %} + rsa_{{ peer_name }}_local { + file = {{ peer_conf.authentication.rsa.local_key }}.pem +{% if peer_conf.authentication.rsa.passphrase is defined %} + secret = "{{ peer_conf.authentication.rsa.passphrase }}" +{% endif %} + } +{% endif %} +{% endfor %} +{% endif %} +{% if remote_access is defined and remote_access.connection is defined and remote_access.connection is not none %} +{% for ra, 
ra_conf in remote_access.connection.items() if ra_conf.disable is not defined %} +{% if ra_conf.authentication.server_mode == 'pre-shared-secret' %} + ike_{{ ra }} { +{% if ra_conf.authentication.id is defined %} + id = "{{ ra_conf.authentication.id }}" +{% elif ra_conf.local_address is defined %} + id = "{{ ra_conf.local_address }}" +{% endif %} + secret = "{{ ra_conf.authentication.pre_shared_secret }}" + } +{% endif %} +{% if ra_conf.authentication.client_mode == 'eap-mschapv2' and ra_conf.authentication.local_users is defined and ra_conf.authentication.local_users.username is defined %} +{% for user, user_conf in ra_conf.authentication.local_users.username.items() if user_conf.disable is not defined %} + eap-{{ ra }}-{{ user }} { + secret = "{{ user_conf.password }}" + id-{{ ra }}-{{ user }} = "{{ user }}" + } +{% endfor %} +{% endif %} +{% endfor %} +{% endif %} +{% if l2tp %} +{% if l2tp.authentication.mode == 'pre-shared-secret' %} + ike_l2tp_remote_access { + id = "{{ l2tp_outside_address }}" + secret = "{{ l2tp.authentication.pre_shared_secret }}" + } +{% elif l2tp.authentication.mode == 'x509' %} + private_l2tp_remote_access { + id = "{{ l2tp_outside_address }}" + file = {{ l2tp.authentication.x509.certificate }}.pem +{% if l2tp.authentication.x509.passphrase is defined %} + secret = "{{ l2tp.authentication.x509.passphrase }}" +{% endif %} + } +{% endif %} +{% endif %} +} + diff --git a/data/templates/ipsec/swanctl/l2tp.tmpl b/data/templates/ipsec/swanctl/l2tp.tmpl new file mode 100644 index 000000000..2df5c2a4d --- /dev/null +++ b/data/templates/ipsec/swanctl/l2tp.tmpl 
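Review bot: The DMVPN PSK in the `secrets` section is written unquoted, `secret = {{ profile_conf.authentication.pre_shared_secret }}`, while the site-to-site, remote-access and L2TP secrets in the same section are all double-quoted; a PSK containing whitespace or `#` would be cut off by the swanctl.conf parser, so make it `secret = "{{ profile_conf.authentication.pre_shared_secret }}"`. None of the quoted secrets escape an embedded `"` either, which would break the file; if the CLI validator rejects that character, a comment such as `{# secrets must not contain '"' — rejected by the verifier #}` at the top of the section records where that is enforced. The EAP-MSCHAPv2 local user passwords are emitted here in clear text next to the PSKs, which the method requires; the file mode applied by the renderer is what protects them, and that lives outside this hunk.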
@@ -0,0 +1,30 @@
+{% macro conn(l2tp, l2tp_outside_address, l2tp_ike_default, l2tp_esp_default, ike_group, esp_group) %}
+{% set l2tp_ike = ike_group[l2tp.ike_group] if l2tp.ike_group is defined else None %}
+{% set l2tp_esp = esp_group[l2tp.esp_group] if l2tp.esp_group is defined else None %}
+ l2tp_remote_access {
+ proposals = {{ l2tp_ike | get_esp_ike_cipher | join(',') if l2tp_ike else l2tp_ike_default }}
+ local_addrs = {{ l2tp_outside_address }}
+ dpd_delay = 15s
+ dpd_timeout = 45s
+ rekey_time = {{ l2tp_ike.lifetime if l2tp_ike else l2tp.ike_lifetime }}s
+ reauth_time = 0
+ local {
+ auth = {{ 'psk' if l2tp.authentication.mode == 'pre-shared-secret' else 'pubkey' }}
+{% if l2tp.authentication.mode == 'x509' %}
+ certs = {{ l2tp.authentication.x509.certificate }}.pem
+{% endif %}
+ }
+ remote {
+ auth = {{ 'psk' if l2tp.authentication.mode == 'pre-shared-secret' else 'pubkey' }}
+ }
+ children {
+ l2tp_remote_access_esp {
+ mode = transport
+ esp_proposals = {{ l2tp_esp | get_esp_ike_cipher | join(',') if l2tp_esp else l2tp_esp_default }}
+ life_time = {{ l2tp_esp.lifetime if l2tp_esp else l2tp.lifetime }}s
+ local_ts = dynamic[/1701]
+ remote_ts = dynamic
+ }
+ }
+ }
+{% endmacro %}
diff --git a/data/templates/ipsec/swanctl/peer.tmpl b/data/templates/ipsec/swanctl/peer.tmpl
new file mode 100644
index 000000000..dd29ea7d4
--- /dev/null
+++ b/data/templates/ipsec/swanctl/peer.tmpl
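Review bot: `proposals = {{ l2tp_ike | get_esp_ike_cipher | join(',') if l2tp_ike else l2tp_ike_default }}` (and the matching `esp_proposals` line) relies on the conditional expression binding more loosely than the filter chain; it evaluates as intended, but `{{ (l2tp_ike | get_esp_ike_cipher | join(',')) if l2tp_ike else l2tp_ike_default }}` states that directly. The `remote { auth = psk }` block carries no `id`, so in PSK mode any initiator holding the secret is accepted; that is the expected L2TP road-warrior shape, and a comment like `{# no remote id on purpose: L2TP clients are identified by the shared secret only #}` stops a later reader from tightening it by accident.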
@@ -0,0 +1,134 @@ +{% macro conn(peer, peer_conf, ike_group, esp_group) %} +{% set name = peer.replace(".", "-").replace("@", "") %} +{# peer needs to reference the global IKE configuration for certain values #} +{% set ike = ike_group[peer_conf.ike_group] %} + peer_{{ name }} { + proposals = {{ ike | get_esp_ike_cipher | join(',') }} + version = {{ ike.key_exchange[4:] if ike is defined and ike.key_exchange is defined else "0" }} + local_addrs = {{ peer_conf.local_address if peer_conf.local_address != 'any' else '0.0.0.0/0' }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }} + remote_addrs = {{ peer if peer not in ['any', '0.0.0.0'] and peer[0:1] != '@' else '0.0.0.0/0' }} +{% if peer_conf.authentication is defined and peer_conf.authentication.mode is defined and peer_conf.authentication.mode == 'x509' %} + send_cert = always +{% endif %} +{% if ike.dead_peer_detection is defined %} + dpd_timeout = {{ ike.dead_peer_detection.timeout }} + dpd_delay = {{ ike.dead_peer_detection.interval }} +{% endif %} +{% if ike.key_exchange is defined and ike.key_exchange == "ikev1" and ike.mode is defined and ike.mode == "aggressive" %} + aggressive = yes +{% endif %} + mobike = {{ "yes" if ike.mobike is not defined or ike.mobike == "enable" else "no" }} +{% if peer[0:1] == '@' %} + keyingtries = 0 + rekey_time = 0 + reauth_time = 0 +{% elif peer_conf.connection_type is not defined or peer_conf.connection_type == 'initiate' %} + keyingtries = 0 +{% elif peer_conf.connection_type is defined and peer_conf.connection_type == 'respond' %} + keyingtries = 1 +{% endif %} +{% if peer_conf.force_encapsulation is defined and peer_conf.force_encapsulation == 'enable' %} + encap = yes +{% endif %} + local { +{% if peer_conf.authentication is defined and peer_conf.authentication.id is defined and peer_conf.authentication.use_x509_id is not defined %} + id = "{{ peer_conf.authentication.id }}" +{% endif %} + auth = {{ 'psk' if peer_conf.authentication.mode == 
'pre-shared-secret' else 'pubkey' }} +{% if peer_conf.authentication.mode == 'x509' %} + certs = {{ peer_conf.authentication.x509.certificate }}.pem +{% elif peer_conf.authentication.mode == 'rsa' %} + pubkeys = {{ peer_conf.authentication.rsa.local_key }}.pem +{% endif %} + } + remote { +{% if peer_conf.authentication.remote_id is defined %} + id = "{{ peer_conf.authentication.remote_id }}" +{% elif peer[0:1] == '@' %} + id = "{{ peer }}" +{% endif %} + auth = {{ 'psk' if peer_conf.authentication.mode == 'pre-shared-secret' else 'pubkey' }} +{% if peer_conf.authentication.mode == 'rsa' %} + pubkeys = {{ peer_conf.authentication.rsa.remote_key }}.pem +{% endif %} + } + children { +{% if peer_conf.vti is defined and peer_conf.vti.bind is defined and peer_conf.tunnel is not defined %} +{% set vti_esp = esp_group[ peer_conf.vti.esp_group ] if peer_conf.vti.esp_group is defined else esp_group[ peer_conf.default_esp_group ] %} + peer_{{ name }}_vti { + esp_proposals = {{ vti_esp | get_esp_ike_cipher | join(',') }} + local_ts = 0.0.0.0/0,::/0 + remote_ts = 0.0.0.0/0,::/0 + updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }} {{ peer_conf.dhcp_interface if peer_conf.dhcp_interface is defined else 'no' }}" + if_id_in = {{ peer_conf.vti.bind | replace('vti', '') }} + if_id_out = {{ peer_conf.vti.bind | replace('vti', '') }} + ipcomp = {{ 'yes' if vti_esp.compression is defined and vti_esp.compression == 'enable' else 'no' }} + mode = {{ vti_esp.mode }} +{% if peer[0:1] == '@' %} + start_action = none +{% elif peer_conf.connection_type is not defined or peer_conf.connection_type == 'initiate' %} + start_action = start +{% elif peer_conf.connection_type == 'respond' %} + start_action = trap +{% endif %} +{% if ike.dead_peer_detection is defined %} +{% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'start'} %} + dpd_action = {{ dpd_translate[ike.dead_peer_detection.action] }} +{% endif %} + } +{% elif peer_conf.tunnel is defined %} +{% for tunnel_id, 
tunnel_conf in peer_conf.tunnel.items() if tunnel_conf.disable is not defined %} +{% set tunnel_esp_name = tunnel_conf.esp_group if tunnel_conf.esp_group is defined else peer_conf.default_esp_group %} +{% set tunnel_esp = esp_group[tunnel_esp_name] %} +{% set proto = tunnel_conf.protocol if tunnel_conf.protocol is defined else '' %} +{% set local_port = tunnel_conf.local.port if tunnel_conf.local is defined and tunnel_conf.local.port is defined else '' %} +{% set local_suffix = '[{0}/{1}]'.format(proto, local_port) if proto or local_port else '' %} +{% set remote_port = tunnel_conf.remote.port if tunnel_conf.remote is defined and tunnel_conf.remote.port is defined else '' %} +{% set remote_suffix = '[{0}/{1}]'.format(proto, remote_port) if proto or remote_port else '' %} + peer_{{ name }}_tunnel_{{ tunnel_id }} { + esp_proposals = {{ tunnel_esp | get_esp_ike_cipher | join(',') }} +{% if tunnel_esp.mode is not defined or tunnel_esp.mode == 'tunnel' %} +{% if tunnel_conf.local is defined and tunnel_conf.local.prefix is defined %} +{% set local_prefix = tunnel_conf.local.prefix if 'any' not in tunnel_conf.local.prefix else ['0.0.0.0/0', '::/0'] %} + local_ts = {{ local_prefix | join(local_suffix + ",") }}{{ local_suffix }} +{% endif %} +{% if tunnel_conf.remote is defined and tunnel_conf.remote.prefix is defined %} +{% set remote_prefix = tunnel_conf.remote.prefix if 'any' not in tunnel_conf.remote.prefix else ['0.0.0.0/0', '::/0'] %} + remote_ts = {{ remote_prefix | join(remote_suffix + ",") }}{{ remote_suffix }} +{% endif %} +{% elif tunnel_esp.mode == 'transport' %} + local_ts = {{ peer_conf.local_address }}{{ local_suffix }} + remote_ts = {{ peer }}{{ remote_suffix }} +{% endif %} + ipcomp = {{ 'yes' if tunnel_esp.compression is defined and tunnel_esp.compression == 'enable' else 'no' }} + mode = {{ tunnel_esp.mode }} +{% if peer[0:1] == '@' %} + start_action = none +{% elif peer_conf.connection_type is not defined or peer_conf.connection_type == 'initiate' %} + 
start_action = start +{% elif peer_conf.connection_type == 'respond' %} + start_action = trap +{% endif %} +{% if ike.dead_peer_detection is defined %} +{% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'start'} %} + dpd_action = {{ dpd_translate[ike.dead_peer_detection.action] }} +{% endif %} +{% if peer_conf.vti is defined and peer_conf.vti.bind is defined %} + updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }} {{ peer_conf.dhcp_interface if peer_conf.dhcp_interface is defined else 'no' }}" + if_id_in = {{ peer_conf.vti.bind | replace('vti', '') }} + if_id_out = {{ peer_conf.vti.bind | replace('vti', '') }} +{% endif %} + } +{% if tunnel_conf.passthrough is defined and tunnel_conf.passthrough %} + peer_{{ name }}_tunnel_{{ tunnel_id }}_passthough { + local_ts = {{ tunnel_conf.passthrough | join(",") }} + remote_ts = {{ tunnel_conf.passthrough | join(",") }} + start_action = trap + mode = pass + } +{% endif %} +{% endfor %} +{% endif %} + } + } +{% endmacro %} diff --git a/data/templates/ipsec/swanctl/profile.tmpl b/data/templates/ipsec/swanctl/profile.tmpl new file mode 100644 index 000000000..0a7268405 --- /dev/null +++ b/data/templates/ipsec/swanctl/profile.tmpl 
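Review bot: The passthrough child is named `peer_{{ name }}_tunnel_{{ tunnel_id }}_passthough`; the `passthough` typo becomes part of the swanctl child name that operators will see in `swanctl --list-sas` and reference, so rename it to `_passthrough` before it ships. In transport mode `remote_ts = {{ peer }}{{ remote_suffix }}` emits the raw peer key, whereas `remote_addrs` at the top of the macro maps `any`/`0.0.0.0`/`@id` peers to `0.0.0.0/0`; a transport tunnel to such a peer therefore renders a selector swanctl cannot parse, so either apply the same mapping here or reject that combination in the verifier. The `{% if ike.dead_peer_detection is defined %}` / `dpd_translate` block is repeated verbatim for the VTI and tunnel children; a small macro or a single `{% set %}` above the `children` block would keep the two copies from drifting.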
@@ -0,0 +1,39 @@
+{% macro conn(name, profile_conf, ike_group, esp_group) %}
+{# peer needs to reference the global IKE configuration for certain values #}
+{% set ike = ike_group[profile_conf.ike_group] %}
+{% set esp = esp_group[profile_conf.esp_group] %}
+{% if profile_conf.bind is defined and profile_conf.bind.tunnel is defined %}
+{% for interface in profile_conf.bind.tunnel %}
+ dmvpn-{{ name }}-{{ interface }} {
+ proposals = {{ ike_group[profile_conf.ike_group] | get_esp_ike_cipher | join(',') }}
+ version = {{ ike.key_exchange[4:] if ike is defined and ike.key_exchange is defined else "0" }}
+ rekey_time = {{ ike.lifetime }}s
+ keyingtries = 0
+{% if profile_conf.authentication is defined and profile_conf.authentication.mode is defined and profile_conf.authentication.mode == 'pre-shared-secret' %}
+ local {
+ auth = psk
+ }
+ remote {
+ auth = psk
+ }
+{% endif %}
+ children {
+ dmvpn {
+ esp_proposals = {{ esp | get_esp_ike_cipher | join(',') }}
+ rekey_time = {{ esp.lifetime }}s
+ rand_time = 540s
+ local_ts = dynamic[gre]
+ remote_ts = dynamic[gre]
+ mode = {{ esp.mode }}
+{% if ike.dead_peer_detection is defined and ike.dead_peer_detection.action is defined %}
+ dpd_action = {{ ike.dead_peer_detection.action }}
+{% endif %}
+{% if esp.compression is defined and esp.compression == 'enable' %}
+ ipcomp = yes
+{% endif %}
+ }
+ }
+ }
+{% endfor %}
+{% endif %}
+{% endmacro %}
diff --git a/data/templates/ipsec/swanctl/remote_access.tmpl b/data/templates/ipsec/swanctl/remote_access.tmpl
new file mode 100644
index 000000000..456842488
--- /dev/null
+++ b/data/templates/ipsec/swanctl/remote_access.tmpl
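Review bot: `dpd_action = {{ ike.dead_peer_detection.action }}` writes the VyOS value straight into swanctl, while peer.tmpl maps the same setting through `{'clear': 'clear', 'hold': 'trap', 'restart': 'start'}`; swanctl accepts `none|clear|trap|start`, so a DMVPN profile whose IKE group uses `hold` or `restart` produces a value the daemon rejects. Apply the same translation here: `{% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'start'} %}` followed by `dpd_action = {{ dpd_translate[ike.dead_peer_detection.action] }}`. `proposals = {{ ike_group[profile_conf.ike_group] | get_esp_ike_cipher | join(',') }}` re-indexes the group that `{% set ike = ... %}` already fetched; `{{ ike | get_esp_ike_cipher | join(',') }}` mirrors the `esp_proposals` line below.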
@@ -0,0 +1,47 @@
+{% macro conn(name, rw_conf, ike_group, esp_group) %}
+{# peer needs to reference the global IKE configuration for certain values #}
+{% set ike = ike_group[rw_conf.ike_group] %}
+{% set esp = esp_group[rw_conf.esp_group] %}
+ ra-{{ name }} {
+ remote_addrs = %any
+ local_addrs = {{ rw_conf.local_address if rw_conf.local_address is defined else '%any' }}
+ proposals = {{ ike_group[rw_conf.ike_group] | get_esp_ike_cipher | join(',') }}
+ version = {{ ike.key_exchange[4:] if ike is defined and ike.key_exchange is defined else "0" }}
+ send_certreq = no
+ rekey_time = {{ ike.lifetime }}s
+ keyingtries = 0
+ unique = {{ rw_conf.unique }}
+{% if rw_conf.pool is defined and rw_conf.pool is not none %}
+ pools = {{ rw_conf.pool | join(',') }}
+{% endif %}
+ local {
+{% if rw_conf.authentication.id is defined and rw_conf.authentication.use_x509_id is not defined %}
+ id = "{{ rw_conf.authentication.id }}"
+{% endif %}
+{% if rw_conf.authentication.server_mode == 'x509' %}
+ auth = pubkey
+ certs = {{ rw_conf.authentication.x509.certificate }}.pem
+{% elif rw_conf.authentication.server_mode == 'pre-shared-secret' %}
+ auth = psk
+{% endif %}
+ }
+ remote {
+ auth = {{ rw_conf.authentication.client_mode }}
+{% if rw_conf.authentication.client_mode.startswith("eap") %}
+ eap_id = %any
+{% endif %}
+ }
+ children {
+ ikev2-vpn {
+ esp_proposals = {{ esp | get_esp_ike_cipher | join(',') }}
+ rekey_time = {{ esp.lifetime }}s
+ rand_time = 540s
+ dpd_action = clear
+{% set local_prefix = rw_conf.local.prefix if rw_conf.local is defined and rw_conf.local.prefix is defined else ['0.0.0.0/0', '::/0'] %}
+{% set local_port = rw_conf.local.port if rw_conf.local is defined and rw_conf.local.port is defined else '' %}
+{% set local_suffix = '[%any/{1}]'.format(local_port) if local_port else '' %}
+ local_ts = {{ local_prefix | join(local_suffix + ",") }}{{ local_suffix }}
+ }
+ }
+ }
+{% endmacro %}
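Review bot: `'[%any/{1}]'.format(local_port)` uses replacement index 1 but passes a single positional argument, so rendering raises `IndexError` as soon as a connection sets `local.port`; the placeholder has to be `{0}`, i.e. `{% set local_suffix = '[%any/{0}]'.format(local_port) if local_port else '' %}`, matching the `'[{0}/{1}]'` form used in peer.tmpl. With `remote_addrs = %any` and `server_mode == 'pre-shared-secret'` the `remote` block carries no `id`, so every client holding the group PSK is admitted and the PSK alone authenticates the server to the client; that is an inherent property of PSK road-warrior setups, and a `{# PSK mode: all clients share one secret, x509/EAP is the recommended server_mode #}` comment would record it where the next reader looks. `send_certreq = no` is a deliberate choice that deserves a one-line comment on why the server does not request client certificates.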
diff --git a/data/templates/ipsec/windows_profile.tmpl b/data/templates/ipsec/windows_profile.tmpl
new file mode 100644
index 000000000..8c26944be
--- /dev/null
+++ b/data/templates/ipsec/windows_profile.tmpl
@@ -0,0 +1,4 @@
+Remove-VpnConnection -Name "{{ vpn_name }}" -Force -PassThru
+
+Add-VpnConnection -Name "{{ vpn_name }}" -ServerAddress "{{ remote }}" -TunnelType "Ikev2"
+Set-VpnConnectionIPsecConfiguration -ConnectionName "{{ vpn_name }}" -AuthenticationTransformConstants {{ ike_encryption.encryption }} -CipherTransformConstants {{ ike_encryption.encryption }} -EncryptionMethod {{ esp_encryption.encryption }} -IntegrityCheckMethod {{ esp_encryption.hash }} -PfsGroup None -DHGroup "Group{{ ike_encryption.dh_group }}" -PassThru -Force
diff --git a/data/templates/nhrp/opennhrp.conf.tmpl b/data/templates/nhrp/opennhrp.conf.tmpl
new file mode 100644
index 000000000..948327198
--- /dev/null
+++ b/data/templates/nhrp/opennhrp.conf.tmpl
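Review bot: The cmdlet arguments appear cross-wired: per the documented parameter semantics of `Set-VpnConnectionIPsecConfiguration`, `-AuthenticationTransformConstants`/`-CipherTransformConstants` describe the IPsec (ESP) policy and `-EncryptionMethod`/`-IntegrityCheckMethod`/`-DHGroup` the IKE policy, yet the template feeds `ike_encryption.encryption` to both transform constants and `esp_encryption.*` to the IKE methods; if that reading is right, the client offers the server's IKE cipher for ESP and vice versa and only matches the `proposals`/`esp_proposals` in remote_access.tmpl when both groups happen to use the same algorithm. `-AuthenticationTransformConstants` additionally receives an encryption algorithm where an integrity transform is expected, so the line should read `Set-VpnConnectionIPsecConfiguration -ConnectionName "{{ vpn_name }}" -AuthenticationTransformConstants {{ esp_encryption.hash }} -CipherTransformConstants {{ esp_encryption.encryption }} -EncryptionMethod {{ ike_encryption.encryption }} -IntegrityCheckMethod {{ ike_encryption.hash }} -PfsGroup None -DHGroup "Group{{ ike_encryption.dh_group }}" -PassThru -Force`, assuming the upstream code already maps the VyOS names to the cmdlet's enum values. `vpn_name` and `remote` are spliced into double-quoted PowerShell strings, so a value containing `"` or `$` breaks the script or is expanded; if the CLI does not constrain them, single quotes (with any `'` doubled) are the safer literal form.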
@@ -0,0 +1,41 @@ +# Created by VyOS - manual changes will be overwritten + +{% if tunnel is defined and tunnel is not none %} +{% for name, tunnel_conf in tunnel.items() %} +{% set type = 'spoke' if tunnel_conf.map is defined or tunnel_conf.dynamic_map is defined else 'hub' %} +{% set profile_name = profile_map[name] if profile_map is defined and name in profile_map else '' %} +interface {{ name }} #{{ type }} {{ profile_name }} +{% if tunnel_conf.map is defined and tunnel_conf.map is not none %} +{% for map, map_conf in tunnel_conf.map.items() %} +{% set cisco = ' cisco' if map_conf.cisco is defined else '' %} +{% set register = ' register' if map_conf.register is defined else '' %} + map {{ map }} {{ map_conf.nbma_address }}{{ register }}{{ cisco }} +{% endfor %} +{% endif %} +{% if tunnel_conf.dynamic_map is defined and tunnel_conf.dynamic_map is not none %} +{% for map, map_conf in tunnel_conf.dynamic_map.items() %} + dynamic-map {{ map }} {{ map_conf.nbma_domain_name }} +{% endfor %} +{% endif %} +{% if tunnel_conf.cisco_authentication is defined and tunnel_conf.cisco_authentication is not none %} + cisco-authentication {{ tunnel_conf.cisco_authentication }} +{% endif %} +{% if tunnel_conf.holding_time is defined and tunnel_conf.holding_time is not none %} + holding-time {{ tunnel_conf.holding_time }} +{% endif %} +{% if tunnel_conf.multicast is defined and tunnel_conf.multicast is not none %} + multicast {{ tunnel_conf.multicast }} +{% endif %} +{% for key in ['non_caching', 'redirect', 'shortcut', 'shortcut_destination'] %} +{% if key in tunnel_conf %} + {{ key | replace("_", "-") }} +{% endif %} +{% endfor %} +{% if tunnel_conf.shortcut_target is defined and tunnel_conf.shortcut_target is not none %} +{% for target, shortcut_conf in tunnel_conf.shortcut_target.items() %} + shortcut-target {{ target }} {{ shortcut_conf.holding_time if shortcut_conf.holding_time is defined else '' }} +{% endfor %} +{% endif %} + +{% endfor %} +{% endif %} 
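Review bot: `cisco-authentication {{ tunnel_conf.cisco_authentication }}` writes a cleartext NHRP shared secret into the rendered opennhrp.conf, so the script that writes this file must create it root-only (mode 0600); that script is outside this hunk, please confirm. The `interface {{ name }} #{{ type }} {{ profile_name }}` line carries the hub/spoke role and IPsec profile in a trailing comment that presumably some other VyOS helper parses back out; a template comment such as `{# the '#type profile' suffix is metadata read by VyOS scripts, not by opennhrp - keep it #}` would stop a future cleanup from dropping it. Minor: `shortcut-target {{ target }} {{ ... else '' }}` leaves a trailing space when no holding-time is set.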
diff --git a/data/templates/ocserv/ocserv_config.tmpl b/data/templates/ocserv/ocserv_config.tmpl index 328af0c0d..0be805235 100644 --- a/data/templates/ocserv/ocserv_config.tmpl +++ b/data/templates/ocserv/ocserv_config.tmpl @@ -12,16 +12,16 @@ auth = "radius [config=/run/ocserv/radiusclient.conf]" auth = "plain[/run/ocserv/ocpasswd]" {% endif %} -{% if ssl.cert_file %} -server-cert = {{ ssl.cert_file }} +{% if ssl.certificate is defined %} +server-cert = /run/ocserv/cert.pem +server-key = /run/ocserv/cert.key +{% if ssl.passphrase is defined %} +key-pin = {{ ssl.passphrase }} {% endif %} - -{% if ssl.key_file %} -server-key = {{ ssl.key_file }} {% endif %} -{% if ssl.ca_cert_file %} -ca-cert = {{ ssl.ca_cert_file }} +{% if ssl.ca_certificate is defined %} +ca-cert = /run/ocserv/ca.pem {% endif %} socket-file = /run/ocserv/ocserv.socket diff --git a/data/templates/openvpn/server.conf.tmpl b/data/templates/openvpn/server.conf.tmpl index 79288e40f..d9f01310e 100644 --- a/data/templates/openvpn/server.conf.tmpl +++ b/data/templates/openvpn/server.conf.tmpl @@ -12,7 +12,6 @@ group {{ daemon_group }} dev-type {{ device_type }} dev {{ ifname }} persist-key -iproute /usr/libexec/vyos/system/unpriv-ip {% if protocol == 'tcp-active' %} proto tcp-client {% elif protocol == 'tcp-passive' %} @@ -37,8 +36,8 @@ rport {{ remote_port }} remote {{ remote }} {% endfor %} {% endif %} -{% if shared_secret_key_file is defined and shared_secret_key_file is not none %} -secret {{ shared_secret_key_file }} +{% if shared_secret_key is defined and shared_secret_key is not none %} +secret /run/openvpn/{{ ifname }}_shared.key {% endif %} {% if persistent_tunnel is defined %} persist-tun 
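Review bot: `key-pin = {{ ssl.passphrase }}` now places the private-key passphrase in cleartext in the rendered ocserv.conf, so the secrecy of the server key reduces to the permissions of that file and of `/run/ocserv/cert.key`; the script that renders them is outside this hunk, so please confirm both are created root-owned with mode 0600. A comment above the guard, `{# key-pin is a secret: the rendered file must not be world-readable #}`, makes that requirement visible to the next editor. The same consideration applies to `secret /run/openvpn/{{ ifname }}_shared.key` in the OpenVPN hunk on this line, where the key is likewise moved to a path under /run whose mode is set elsewhere.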
@@ -158,32 +157,32 @@ ifconfig-ipv6 {{ laddr }} {{ raddr }} {% if tls is defined and tls is not none %} # TLS options -{% if tls.ca_cert_file is defined and tls.ca_cert_file is not none %} -ca {{ tls.ca_cert_file }} +{% if tls.ca_certificate is defined and tls.ca_certificate is not none %} +ca /run/openvpn/{{ ifname }}_ca.pem {% endif %} -{% if tls.cert_file is defined and tls.cert_file is not none %} -cert {{ tls.cert_file }} +{% if tls.certificate is defined and tls.certificate is not none %} +cert /run/openvpn/{{ ifname }}_cert.pem {% endif %} -{% if tls.key_file is defined and tls.key_file is not none %} -key {{ tls.key_file }} +{% if tls.private_key is defined %} +key /run/openvpn/{{ ifname }}_cert.key {% endif %} -{% if tls.crypt_file is defined and tls.crypt_file is not none %} -tls-crypt {{ tls.crypt_file }} +{% if tls.crypt_key is defined and tls.crypt_key is not none %} +tls-crypt /run/openvpn/{{ ifname }}_crypt.key {% endif %} -{% if tls.crl_file is defined and tls.crl_file is not none %} -crl-verify {{ tls.crl_file }} +{% if tls.crl is defined %} +crl-verify /run/openvpn/{{ ifname }}_crl.pem {% endif %} {% if tls.tls_version_min is defined and tls.tls_version_min is not none %} tls-version-min {{ tls.tls_version_min }} {% endif %} -{% if tls.dh_file is defined and tls.dh_file is not none %} -dh {{ tls.dh_file }} +{% if tls.dh_params is defined and tls.dh_params is not none %} +dh /run/openvpn/{{ ifname }}_dh.pem {% endif %} -{% if tls.auth_file is defined and tls.auth_file is not none %} +{% if tls.auth_key is defined and tls.auth_key is not none %} {% if mode == 'client' %} -tls-auth {{ tls.auth_file }} 1 +tls-auth /run/openvpn/{{ ifname }}_auth.key 1 {% elif mode == 'server' %} -tls-auth {{ tls.auth_file }} 0 +tls-auth /run/openvpn/{{ ifname }}_auth.key 0 {% endif %} {% endif %} {% if tls.role is defined and tls.role is not none %} 
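Review bot: `{% if tls.private_key is defined %}` and `{% if tls.crl is defined %}` drop the `is not none` half of the check that every neighbouring guard in this hunk keeps (`ca_certificate`, `certificate`, `crypt_key`, `dh_params`, `auth_key`); if a node can be present with a `None` value, the template emits `key /run/openvpn/{{ ifname }}_cert.key` for a file that was never written and OpenVPN fails at start. Make them consistent: `{% if tls.private_key is defined and tls.private_key is not none %}` and likewise for `tls.crl`. Separately, the template emits both `tls-crypt` and `tls-auth` when `crypt_key` and `auth_key` are both set, a combination OpenVPN rejects; presumably the config script's verify step forbids it, but that is not visible here.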
@@ -198,58 +197,15 @@ tls-server # Encryption options {% if encryption is defined and encryption is not none %} {% if encryption.cipher is defined and encryption.cipher is not none %} -{% if encryption.cipher == 'none' %} -cipher none -{% elif encryption.cipher == 'des' %} -cipher des-cbc -{% elif encryption.cipher == '3des' %} -cipher des-ede3-cbc -{% elif encryption.cipher == 'bf128' %} -cipher bf-cbc +cipher {{ encryption.cipher | openvpn_cipher }} +{% if encryption.cipher == 'bf128' %} keysize 128 {% elif encryption.cipher == 'bf256' %} -cipher bf-cbc -keysize 25 -{% elif encryption.cipher == 'aes128gcm' %} -cipher aes-128-gcm -{% elif encryption.cipher == 'aes128' %} -cipher aes-128-cbc -{% elif encryption.cipher == 'aes192gcm' %} -cipher aes-192-gcm -{% elif encryption.cipher == 'aes192' %} -cipher aes-192-cbc -{% elif encryption.cipher == 'aes256gcm' %} -cipher aes-256-gcm -{% elif encryption.cipher == 'aes256' %} -cipher aes-256-cbc +keysize 256 {% endif %} {% endif %} {% if encryption.ncp_ciphers is defined and encryption.ncp_ciphers is not none %} -{% set cipher_list = [] %} -{% for cipher in encryption.ncp_ciphers %} -{% if cipher == 'none' %} -{% set cipher_list = cipher_list.append('none') %} -{% elif cipher == 'des' %} -{% set cipher_list = cipher_list.append('des-cbc') %} -{% elif cipher == '3des' %} -{% set cipher_list = cipher_list.append('des-ede3-cbc') %} -{% elif cipher == 'aes128' %} -{% set cipher_list = cipher_list.append('aes-128-cbc') %} -{% elif cipher == 'aes128gcm' %} -{% set cipher_list = cipher_list.append('aes-128-gcm') %} -{% elif cipher == 'aes192' %} -{% set cipher_list = cipher_list.append('aes-192-cbc') %} -{% elif cipher == 'aes192gcm' %} -{% set cipher_list = cipher_list.append('aes-192-gcm') %} -{% elif cipher == 'aes256' %} -{% set cipher_list = cipher_list.append('aes-256-cbc') %} -{% elif cipher == 'aes256gcm' %} -{% set cipher_list = cipher_list.append('aes-256-gcm') %} -{% endif %} -{% endfor %} -ncp-ciphers {{ 
cipher_list | join(':') }}:{{ cipher_list | join(':') | upper }} -{% elif encryption.disable_ncp is defined %} -ncp-disable +data-ciphers {{ encryption.ncp_ciphers | openvpn_ncp_ciphers }} {% endif %} {% endif %} @@ -262,20 +218,6 @@ auth-user-pass {{ auth_user_pass_file }} auth-retry nointeract {% endif %} -# DEPRECATED This option will be removed in OpenVPN 2.5 -# Until OpenVPN v2.3 the format of the X.509 Subject fields was formatted like this: -# /C=US/L=Somewhere/CN=John Doe/emailAddress=john@example.com In addition the old -# behaviour was to remap any character other than alphanumeric, underscore ('_'), -# dash ('-'), dot ('.'), and slash ('/') to underscore ('_'). The X.509 Subject -# string as returned by the tls_id environmental variable, could additionally -# contain colon (':') or equal ('='). When using the --compat-names option, this -# old formatting and remapping will be re-enabled again. This is purely implemented -# for compatibility reasons when using older plug-ins or scripts which does not -# handle the new formatting or UTF-8 characters. -# -# See https://phabricator.vyos.net/T1512 -compat-names - {% if openvpn_option is defined and openvpn_option is not none %} # # Custom options added by user (not validated) diff --git a/data/templates/proxy-ndp/ndppd.conf.tmpl b/data/templates/proxy-ndp/ndppd.conf.tmpl index 0137d8135..ccd1d37ad 100644 --- a/data/templates/proxy-ndp/ndppd.conf.tmpl +++ b/data/templates/proxy-ndp/ndppd.conf.tmpl 
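Review bot: The `keysize 128` / `keysize 256` lines kept for `bf128`/`bf256` depend on an option OpenVPN deprecated in 2.4 and, as far as I recall, removes in 2.6, and `bf-cbc` is a 64-bit block cipher (SWEET32-class); since this same hunk adopts the 2.5-era `data-ciphers` name, that path deserves a comment such as `# keysize is deprecated upstream; bf128/bf256 kept only for legacy peers` above `{% if encryption.cipher == 'bf128' %}`. The old `{% elif encryption.disable_ncp is defined %}` / `ncp-disable` branch is gone, so if `disable-ncp` is still accepted by the CLI it is now silently ignored rather than rejected; worth confirming a migration script removes it. The enclosing `{% if encryption is defined ... %}` block opens and closes within the hunk.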
@@ -21,8 +21,8 @@ {% if config.outbound_interface not in global.ndppd_interfaces %} {% set global.ndppd_interfaces = global.ndppd_interfaces + [config.outbound_interface] %} {% endif %} -{% if config.translation.prefix is defined %} -{% set global.ndppd_prefixs = global.ndppd_prefixs + [{'interface':config.outbound_interface,'rule':config.translation.prefix}] %} +{% if config.translation.address is defined and config.translation.address | is_ip_network %} +{% set global.ndppd_prefixs = global.ndppd_prefixs + [{'interface':config.outbound_interface,'rule':config.translation.address}] %} {% endif %} {% endif %} {% endfor %} diff --git a/data/templates/router-advert/radvd.conf.tmpl b/data/templates/router-advert/radvd.conf.tmpl index 2fde78fec..88d066491 100644 --- a/data/templates/router-advert/radvd.conf.tmpl +++ b/data/templates/router-advert/radvd.conf.tmpl 
@@ -1,45 +1,64 @@ ### Autogenerated by service_router-advert.py ### {% if interface is defined and interface is not none %} -{% for iface in interface %} +{% for iface, iface_config in interface.items() %} interface {{ iface }} { IgnoreIfMissing on; -{% if interface[iface].default_preference is defined and interface[iface].default_preference is not none %} - AdvDefaultPreference {{ interface[iface].default_preference }}; +{% if iface_config.default_preference is defined and iface_config.default_preference is not none %} + AdvDefaultPreference {{ iface_config.default_preference }}; {% endif %} -{% if interface[iface].managed_flag is defined and interface[iface].managed_flag is not none %} - AdvManagedFlag {{ 'on' if interface[iface].managed_flag is defined else 'off' }}; +{% if iface_config.managed_flag is defined and iface_config.managed_flag is not none %} + AdvManagedFlag {{ 'on' if iface_config.managed_flag is defined else 'off' }}; {% endif %} -{% if interface[iface].interval.max is defined and interface[iface].interval.max is not none %} - MaxRtrAdvInterval {{ interface[iface].interval.max }}; +{% if iface_config.interval.max is defined and iface_config.interval.max is not none %} + MaxRtrAdvInterval {{ iface_config.interval.max }}; {% endif %} -{% if interface[iface].interval.min is defined and interface[iface].interval.min is not none %} - MinRtrAdvInterval {{ interface[iface].interval.min }}; +{% if iface_config.interval.min is defined and iface_config.interval.min is not none %} + MinRtrAdvInterval {{ iface_config.interval.min }}; {% endif %} -{% if interface[iface].reachable_time is defined and interface[iface].reachable_time is not none %} - AdvReachableTime {{ interface[iface].reachable_time }}; +{% if iface_config.reachable_time is defined and iface_config.reachable_time is not none %} + AdvReachableTime {{ iface_config.reachable_time }}; {% endif %} - AdvIntervalOpt {{ 'off' if interface[iface].no_send_advert is defined else 'on' }}; - AdvSendAdvert 
{{ 'off' if interface[iface].no_send_advert is defined else 'on' }}; -{% if interface[iface].default_lifetime is defined %} - AdvDefaultLifetime {{ interface[iface].default_lifetime }}; -{% endif %} -{% if interface[iface].link_mtu is defined %} - AdvLinkMTU {{ interface[iface].link_mtu }}; -{% endif %} - AdvOtherConfigFlag {{ 'on' if interface[iface].other_config_flag is defined else 'off' }}; - AdvRetransTimer {{ interface[iface].retrans_timer }}; - AdvCurHopLimit {{ interface[iface].hop_limit }}; -{% for prefix in interface[iface].prefix %} + AdvIntervalOpt {{ 'off' if iface_config.no_send_advert is defined else 'on' }}; + AdvSendAdvert {{ 'off' if iface_config.no_send_advert is defined else 'on' }}; +{% if iface_config.default_lifetime is defined %} + AdvDefaultLifetime {{ iface_config.default_lifetime }}; +{% endif %} +{% if iface_config.link_mtu is defined %} + AdvLinkMTU {{ iface_config.link_mtu }}; +{% endif %} + AdvOtherConfigFlag {{ 'on' if iface_config.other_config_flag is defined else 'off' }}; + AdvRetransTimer {{ iface_config.retrans_timer }}; + AdvCurHopLimit {{ iface_config.hop_limit }}; +{% if iface_config.route is defined %} +{% for route, route_options in iface_config.route.items() %} + route {{ route }} { +{% if route_options.valid_lifetime is defined %} + AdvRouteLifetime {{ route_options.valid_lifetime }}; +{% endif %} +{% if route_options.route_preference is defined %} + AdvRoutePreference {{ route_options.route_preference }}; +{% endif %} + RemoveRoute {{ 'off' if route_options.no_remove_route is defined else 'on' }}; + }; +{% endfor %} +{% endif %} +{% if iface_config.prefix is defined and iface_config.prefix is not none %} +{% for prefix, prefix_options in iface_config.prefix.items() %} prefix {{ prefix }} { - AdvAutonomous {{ 'off' if interface[iface].prefix[prefix].no_autonomous_flag is defined else 'on' }}; - AdvValidLifetime {{ interface[iface].prefix[prefix].valid_lifetime }}; - AdvOnLink {{ 'off' if 
interface[iface].prefix[prefix].no_on_link_flag is defined else 'on' }}; - AdvPreferredLifetime {{ interface[iface].prefix[prefix].preferred_lifetime }}; + AdvAutonomous {{ 'off' if prefix_options.no_autonomous_flag is defined else 'on' }}; + AdvValidLifetime {{ prefix_options.valid_lifetime }}; + AdvOnLink {{ 'off' if prefix_options.no_on_link_flag is defined else 'on' }}; + AdvPreferredLifetime {{ prefix_options.preferred_lifetime }}; }; -{% endfor %} -{% if interface[iface].name_server is defined %} - RDNSS {{ interface[iface].name_server | join(" ") }} { +{% endfor %} +{% endif %} +{% if iface_config.name_server is defined %} + RDNSS {{ iface_config.name_server | join(" ") }} { + }; +{% endif %} +{% if iface_config.dnssl is defined %} + DNSSL {{ iface_config.dnssl | join(" ") }} { }; {% endif %} }; diff --git a/data/templates/snmp/override.conf.tmpl b/data/templates/snmp/override.conf.tmpl index 68f5fd931..2ac45a89f 100644 --- a/data/templates/snmp/override.conf.tmpl +++ b/data/templates/snmp/override.conf.tmpl @@ -1,13 +1,14 @@ {% set vrf_command = 'ip vrf exec ' + vrf + ' ' if vrf is defined else '' %} +{% set oid_route_table = ' ' if route_table is sameas true else '-I -ipCidrRouteTable,inetCidrRouteTable' %} [Unit] StartLimitIntervalSec=0 After=vyos-router.service [Service] Environment= -Environment="MIBSDIR=/usr/share/snmp/mibs:/usr/share/snmp/mibs/iana:/usr/share/snmp/mibs/ietf:/usr/share/mibs/site:/usr/share/snmp/mibs:/usr/share/mibs/iana:/usr/share/mibs/ietf:/usr/share/mibs/netsnmp" +Environment="MIBDIRS=/usr/share/snmp/mibs:/usr/share/snmp/mibs/iana:/usr/share/snmp/mibs/ietf:/usr/share/vyos/mibs" ExecStart= -ExecStart={{vrf_command}}/usr/sbin/snmpd -LS0-5d -Lf /dev/null -u Debian-snmp -g Debian-snmp -I -ipCidrRouteTable,inetCidrRouteTable -f -p /run/snmpd.pid +ExecStart={{vrf_command}}/usr/sbin/snmpd -LS0-5d -Lf /dev/null -u Debian-snmp -g Debian-snmp {{oid_route_table}} -f -p /run/snmpd.pid Restart=always RestartSec=10 
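Review bot: `AdvManagedFlag {{ 'on' if iface_config.managed_flag is defined else 'off' }}` sits inside `{% if iface_config.managed_flag is defined and iface_config.managed_flag is not none %}`, so the `else 'off'` branch is unreachable and the line can simply be `AdvManagedFlag on;`; since the hunk restyles every line anyway, this is the place to drop the dead ternary. The new `{% if iface_config.route is defined %}` and `{% if iface_config.dnssl is defined %}` guards omit the `is not none` check used for `prefix` directly above; keep them consistent unless a `None` value can be ruled out by the config script, which is outside the hunk.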
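Review bot: `{% set oid_route_table = ' ' if route_table is sameas true else '-I -ipCidrRouteTable,inetCidrRouteTable' %}` only enables the route-table OIDs when the caller passes a genuine Python `True`; a string such as `'enable'` or an empty dict from the config tree would silently keep the exclusion. If a strict boolean is the intended contract, say so with `{# route_table must be a Python bool, presumably set by the snmp config script #}` above the line; otherwise `route_table is defined and route_table` is the forgiving form. Exposing the routing table over SNMP is a deliberate information-disclosure trade-off, so keeping it opt-in as done here is the right default.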
diff --git a/data/templates/system/sysctl.conf.tmpl b/data/templates/system/sysctl.conf.tmpl
new file mode 100644
index 000000000..72af82ee5
--- /dev/null
+++ b/data/templates/system/sysctl.conf.tmpl
@@ -0,0 +1,7 @@
+# autogenerated by system_sysctl.py
+
+{% if parameter is defined and parameter is not none %}
+{% for k, v in parameter.items() %}
+{{ k }} = {{ v.value }}
+{% endfor %}
+{% endif %}
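Review bot: `{{ k }} = {{ v.value }}` renders an invalid `net.foo = ` line whenever a parameter node exists without a `value` leaf, which `sysctl` then rejects; `parameter` itself is guarded with `is defined and is not none`, so guard the value the same way with `{% if v.value is defined and v.value is not none %}` around that line. A header comment noting that keys and values are copied verbatim from the configuration and are expected to have been validated by the CLI definition would help the next reader, since this file can switch off kernel protections such as reverse-path filtering.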
diff --git a/data/templates/wwan/chat.tmpl b/data/templates/wwan/chat.tmpl deleted file mode 100644 index 386af37e6..000000000 --- a/data/templates/wwan/chat.tmpl +++ /dev/null @@ -1,10 +0,0 @@ -ABORT 'NO DIAL TONE' ABORT 'NO ANSWER' ABORT 'NO CARRIER' ABORT DELAYED -'' AT -OK ATZ -{% if ipv6 is defined and ipv6.address is defined and ipv6.address.autoconf is defined %} -OK 'AT+CGDCONT=1,"IPV4V6","{{ apn }}"' -{% else %} -OK 'AT+CGDCONT=1,"IP","{{ apn }}"' -{% endif %} -OK ATD*99# -CONNECT '' diff --git a/data/templates/wwan/ip-down.script.tmpl b/data/templates/wwan/ip-down.script.tmpl deleted file mode 100644 index 9dc15ea99..000000000 --- a/data/templates/wwan/ip-down.script.tmpl +++ /dev/null @@ -1,27 +0,0 @@ -#!/bin/sh - -# Script parameters will be like: -# wlm0 /dev/serial/by-bus/usb0b1.3p1.3 115200 10.100.118.91 10.64.64.64 wlm0 - -# Only applicable for Wireless Modems (WWAN) -if [ -z $(echo $2 | egrep "(ttyS[0-9]+|usb[0-9]+b.*)$") ]; then - exit 0 -fi - -# Determine if we are running inside a VRF or not, required for proper routing table -# NOTE: the down script can not be properly templated as we need the VRF name, -# which is not present on deletion, thus we read it from the operating system. -if [ -d /sys/class/net/{{ ifname }}/upper_* ]; then - # Determine upper (VRF) interface - VRF=$(basename $(ls -d /sys/class/net/{{ ifname }}/upper_*)) - # Remove upper_ prefix from result string - VRF_NAME=${VRF#"upper_"} - # Remove default route from VRF routing table - vtysh -c "conf t" -c "vrf ${VRF_NAME}" -c "no ip route 0.0.0.0/0 {{ ifname }}" -else - # Remove default route from GRT (global routing table) - vtysh -c "conf t" -c "no ip route 0.0.0.0/0 {{ ifname }}" -fi - -DIALER_PID=$(cat /var/run/{{ ifname }}.pid) -logger -t pppd[$DIALER_PID] "removed default route via {{ ifname }} metric {{ backup.distance }}" diff --git a/data/templates/wwan/ip-pre-up.script.tmpl b/data/templates/wwan/ip-pre-up.script.tmpl deleted file mode 100644 index 199150947..000000000 
--- a/data/templates/wwan/ip-pre-up.script.tmpl +++ /dev/null @@ -1,23 +0,0 @@ -#!/bin/sh -# As WWAN is an "on demand" interface we need to re-configure it when it -# becomes 'up' - -ipparam=$6 - -# device name and metric are received using ipparam -device=`echo "$ipparam"|awk '{ print $1 }'` - -if [ "$device" != "{{ ifname }}" ]; then - exit -fi - -# add some info to syslog -DIALER_PID=$(cat /var/run/{{ ifname }}.pid) -logger -t pppd[$DIALER_PID] "executing $0" - -echo "{{ description }}" > /sys/class/net/{{ ifname }}/ifalias - -{% if vrf %} -logger -t pppd[$DIALER_PID] "configuring interface {{ ifname }} for VRF {{ vrf }}" -ip link set dev {{ ifname }} master {{ vrf }} -{% endif %} diff --git a/data/templates/wwan/ip-up.script.tmpl b/data/templates/wwan/ip-up.script.tmpl deleted file mode 100644 index 2603a0286..000000000 --- a/data/templates/wwan/ip-up.script.tmpl +++ /dev/null @@ -1,25 +0,0 @@ -#!/bin/sh - -# Script parameters will be like: -# wlm0 /dev/serial/by-bus/usb0b1.3p1.3 115200 10.100.118.91 10.64.64.64 wlm0 - -# Only applicable for Wireless Modems (WWAN) -if [ -z $(echo $2 | egrep "(ttyS[0-9]+|usb[0-9]+b.*)$") ]; then - exit 0 -fi - -# Determine if we are running inside a VRF or not, required for proper routing table -if [ -d /sys/class/net/{{ ifname }}/upper_* ]; then - # Determine upper (VRF) interface - VRF=$(basename $(ls -d /sys/class/net/{{ ifname }}/upper_*)) - # Remove upper_ prefix from result string - VRF_NAME=${VRF#"upper_"} - # Remove default route from VRF routing table - vtysh -c "conf t" -c "vrf ${VRF_NAME}" -c "ip route 0.0.0.0/0 {{ ifname }} {{ backup.distance }}" -else - # Remove default route from GRT (global routing table) - vtysh -c "conf t" -c "ip route 0.0.0.0/0 {{ ifname }} {{ backup.distance }}" -fi - -DIALER_PID=$(cat /var/run/{{ ifname }}.pid) -logger -t pppd[$DIALER_PID] "added default route via {{ ifname }} metric {{ backup.distance }} ${VRF_NAME}" 
diff --git a/data/templates/wwan/peer.tmpl b/data/templates/wwan/peer.tmpl deleted file mode 100644 index 2807a79a4..000000000 --- a/data/templates/wwan/peer.tmpl +++ /dev/null @@ -1,31 +0,0 @@ -### Autogenerated by interfaces-wirelessmodem.py ### - -{{ "# description: " + description if description is defined }} -ifname {{ ifname }} -ipparam {{ ifname }} -linkname {{ ifname }} - -{{ "usepeerdns" if no_peer_dns is defined }} -# physical device -{{ device }} -lcp-echo-failure 0 -115200 -debug -mtu {{ mtu }} -mru {{ mtu }} -{% if ipv6 is defined and ipv6.address is defined and ipv6.address.autoconf is defined %} -+ipv6 -ipv6cp-use-ipaddr -{% endif %} -nodefaultroute -ipcp-max-failure 4 -ipcp-accept-local -ipcp-accept-remote -noauth -crtscts -lock -persist -{{ "demand" if connect_on_demand is defined }} - -connect '/usr/sbin/chat -v -t6 -f /etc/ppp/peers/chat.{{ ifname }}' - diff --git a/debian/compat b/debian/compat index ec635144f..f599e28b8 100644 --- a/debian/compat +++ b/debian/compat @@ -1 +1 @@ -9 +10 diff --git a/debian/control b/debian/control index de030310e..c5cbeb7d4 100644 --- a/debian/control +++ b/debian/control @@ -4,6 +4,7 @@ Priority: extra Maintainer: VyOS Package Maintainers <maintainers@vyos.net> Build-Depends: debhelper (>= 9), + dh-python, fakeroot, gcc-multilib [amd64], clang [amd64], @@ -30,6 +31,7 @@ Standards-Version: 3.9.6 Package: vyos-1x Architecture: amd64 arm64 Depends: + ${python3:Depends}, accel-ppp, beep, bmon, @@ -41,12 +43,15 @@ Depends: console-data, crda, cron, + curl, dbus, ddclient (>= 3.9.1), dropbear, easy-rsa, etherwake, - fastnetmon, + ethtool, + fdisk, + fastnetmon [amd64], file, frr (>= 7.5), frr-pythontools, @@ -59,6 +64,7 @@ Depends: ipaddrcheck, iperf, iperf3, + iproute2, iputils-arping, isc-dhcp-client, isc-dhcp-relay, 
@@ -67,23 +73,33 @@ Depends: keepalived (>=2.0.5), lcdproc, libatomic1, + libcharon-extra-plugins (>=5.9), + libcharon-extauth-plugins (>=5.9), libndp-tools, libnetfilter-conntrack3, libnfnetlink0, libpam-radius-auth (>= 1.5.0), + libqmi-utils, + libstrongswan-extra-plugins (>=5.9), + libstrongswan-standard-plugins (>=5.9), libvyosconfig0, lldpd, lm-sensors, lsscsi, mdns-repeater, minisign, + modemmanager, mtr-tiny, + ndisc6, + ndppd, netplug, nftables (>= 0.9.3), nginx-light, ntp, ntpdate, + nvme-cli, ocserv, + opennhrp, openssh-server, openssl, openvpn, @@ -97,9 +113,10 @@ Depends: procps, python3, python3-certbot-nginx, - ${python3:Depends}, + python3-cryptography, python3-flask, python3-hurry.filesize, + python3-inotify, python3-isc-dhcp-leases, python3-jinja2, python3-jmespath, @@ -119,12 +136,18 @@ Depends: qrencode, radvd, salt-minion, + sed, + smartmontools, snmp, snmpd, + squashfs-tools, squid, squidclient, squidguard, ssl-cert, + strongswan (>= 5.9), + strongswan-swanctl (>= 5.9), + sudo, systemd, tcpdump, tcptraceroute, @@ -135,13 +158,14 @@ Depends: udp-broadcast-relay, usb-modeswitch, usbutils, + vyatta-bash, + vyatta-cfg, vyos-http-api-tools, vyos-utils, wide-dhcpv6-client, wireguard-tools, wireless-regdb, - wpasupplicant (>= 0.6.7), - ndppd + wpasupplicant (>= 0.6.7) Description: VyOS configuration scripts and data VyOS configuration scripts, interface definitions, and everything diff --git a/debian/rules b/debian/rules index 8e5aee3e6..70d39c481 100755 --- a/debian/rules +++ b/debian/rules @@ -7,6 +7,7 @@ VYOS_LIBEXEC_DIR := usr/libexec/vyos VYOS_DATA_DIR := usr/share/vyos VYOS_CFG_TMPL_DIR := opt/vyatta/share/vyatta-cfg/templates VYOS_OP_TMPL_DIR := opt/vyatta/share/vyatta-op/templates +VYOS_MIBS_DIR := usr/share/snmp/mibs MIGRATION_SCRIPTS_DIR := opt/vyatta/etc/config-migrate/migrate SYSTEM_SCRIPTS_DIR := usr/libexec/vyos/system 
@@ -84,6 +85,10 @@ override_dh_auto_install: mkdir -p $(DIR)/$(VYOS_DATA_DIR) cp -r data/* $(DIR)/$(VYOS_DATA_DIR) + # Install SNMP MIBs + mkdir -p $(DIR)/$(VYOS_MIBS_DIR) + cp -d mibs/* $(DIR)/$(VYOS_MIBS_DIR) + # Install etc configuration files mkdir -p $(DIR)/etc cp -r src/etc/* $(DIR)/etc diff --git a/debian/vyos-1x-vmware.preinst b/debian/vyos-1x-vmware.preinst new file mode 100644 index 000000000..2e612522c --- /dev/null +++ b/debian/vyos-1x-vmware.preinst @@ -0,0 +1 @@ +dpkg-divert --package vyos-1x-vmware --add --rename /etc/vmware-tools/tools.conf diff --git a/debian/vyos-1x.install b/debian/vyos-1x.install index 51a1bb38a..2ed25755f 100644 --- a/debian/vyos-1x.install +++ b/debian/vyos-1x.install @@ -1,7 +1,12 @@ +etc/cron.hourly etc/dhcp +etc/ipsec.d etc/netplug -etc/ppp +etc/opennhrp etc/rsyslog.d +etc/securetty +etc/security +etc/sudoers.d etc/systemd etc/sysctl.d etc/udev diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst index 8acc87cc8..4b4c4c13e 100644 --- a/debian/vyos-1x.postinst +++ b/debian/vyos-1x.postinst @@ -1,13 +1,7 @@ #!/bin/sh -e -if ! deb-systemd-helper --quiet was-enabled salt-minion.service; then - # Enables the unit on first installation, creates new - # symlinks on upgrades if the unit file has changed. - deb-systemd-helper disable salt-minion.service >/dev/null || true -fi -if [ -x "/etc/init.d/salt-minion" ]; then - update-rc.d -f salt-minion remove >/dev/null -fi +# Turn off Debian default for %sudo +sed -i -e '/^%sudo/d' /etc/sudoers || true # Add minion user for salt-minion if ! grep -q '^minion' /etc/passwd; then 
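Review bot: `sed -i -e '/^%sudo/d' /etc/sudoers || true` rewrites another package's conffile in place without validating the result, and the `|| true` makes a failed edit silent, in which case members of the `sudo` group keep Debian's unrestricted `%sudo ALL=(ALL:ALL) ALL` rule without anyone noticing. At minimum validate after editing, `sed -i -e '/^%sudo/d' /etc/sudoers && visudo -cqf /etc/sudoers`, so a broken sudoers surfaces at package configure time rather than at the next login. The install hunk on this line adds `etc/sudoers.d`, so presumably VyOS's own policy lives there; a comment next to the sed, `# Debian's %sudo rule cannot be overridden from sudoers.d, hence the in-place removal; runs on every configure`, records both why it is needed and that it is not limited to first install.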
@@ -66,3 +60,26 @@ fi # ensure hte proxy user has a proper shell chsh -s /bin/sh proxy + +# create /opt/vyatta/etc/config/scripts/vyos-postconfig-bootup.script +POSTCONFIG_SCRIPT=/opt/vyatta/etc/config/scripts/vyos-postconfig-bootup.script +if [ ! -x $POSTCONFIG_SCRIPT ]; then + mkdir -p $(dirname $POSTCONFIG_SCRIPT) + touch $POSTCONFIG_SCRIPT + chmod 755 $POSTCONFIG_SCRIPT + cat <<EOF >>$POSTCONFIG_SCRIPT +#!/bin/sh +# This script is executed at boot time after VyOS configuration is fully applied. +# Any modifications required to work around unfixed bugs +# or use services not available through the VyOS CLI system can be placed here. + +EOF +fi + +# symlink destination is deleted during ISO assembly - this generates some noise +# when the system boots: systemd-sysv-generator[1881]: stat() failed on +# /etc/init.d/README, ignoring: No such file or directory. Thus we simply drop +# the file. +if [ -L /etc/init.d/README ]; then + rm -f /etc/init.d/README +fi diff --git a/debian/vyos-1x.preinst b/debian/vyos-1x.preinst new file mode 100644 index 000000000..45440bf64 --- /dev/null +++ b/debian/vyos-1x.preinst @@ -0,0 +1,4 @@ +dpkg-divert --package vyos-1x --add --rename /etc/securetty +dpkg-divert --package vyos-1x --add --rename /etc/security/capability.conf +dpkg-divert --package vyos-1x --add --rename /lib/systemd/system/lcdproc.service + diff --git a/interface-definitions/containers.xml.in b/interface-definitions/containers.xml.in index 6fc53c105..124b1f65e 100644 --- a/interface-definitions/containers.xml.in +++ b/interface-definitions/containers.xml.in @@ -3,6 +3,7 @@ <node name="container" owner="${vyos_conf_scripts_dir}/containers.py"> <properties> <help>Container applications</help> + <priority>1280</priority> </properties> <children> <tagNode name="name"> diff --git a/interface-definitions/cron.xml.in b/interface-definitions/cron.xml.in index ad2cb36ad..58dcf64ac 100644 --- a/interface-definitions/cron.xml.in +++ b/interface-definitions/cron.xml.in 
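Review bot: The `[ ! -x $POSTCONFIG_SCRIPT ]` guard combined with `cat <<EOF >>$POSTCONFIG_SCRIPT` means a pre-existing but non-executable script (for instance one an operator staged by hand) gets the `#!/bin/sh` template appended after its own content and is then made executable by `chmod 755`. Test for existence and create rather than append: `if [ ! -e "$POSTCONFIG_SCRIPT" ]; then` together with `cat <<EOF >"$POSTCONFIG_SCRIPT"`, and quote the variable in `mkdir -p "$(dirname "$POSTCONFIG_SCRIPT")"` too. As the comment says this file runs at boot, presumably with root privileges, its directory must not be writable by unprivileged users; that is not visible here, please confirm.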
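Review bot: `debian/vyos-1x.preinst` has no shebang, no `set -e` and no `#DEBHELPER#` token, so as far as I can tell the three `dpkg-divert` calls run only because execvp falls back to `/bin/sh` on ENOEXEC, a failing divert does not abort the install, and debhelper cannot insert its snippets; `debian/vyos-1x-vmware.preinst` on the previous line has the same shape. Start both files with `#!/bin/sh` and `set -e`, and end them with `#DEBHELPER#`. The diverts are also never undone — no `postrm` calling `dpkg-divert --remove` is visible in this chunk — so removing the package would leave `/etc/securetty`, `/etc/security/capability.conf` and `lcdproc.service` diverted; if such a postrm exists elsewhere, disregard this part.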
@@ -1,7 +1,4 @@ <?xml version="1.0"?> - -<!-- Cron configuration --> - <interfaceDefinition> <node name="system"> <children> diff --git a/interface-definitions/dhcpv6-server.xml.in b/interface-definitions/dhcpv6-server.xml.in index a3cca06da..5d6c64685 100644 --- a/interface-definitions/dhcpv6-server.xml.in +++ b/interface-definitions/dhcpv6-server.xml.in @@ -360,6 +360,18 @@ </constraint> </properties> </leafNode> + <leafNode name="ipv6-prefix"> + <properties> + <help>Client IPv6 prefix for this static mapping</help> + <valueHelp> + <format>ipv6net</format> + <description>IPv6 prefix for this static mapping</description> + </valueHelp> + <constraint> + <validator name="ipv6-prefix"/> + </constraint> + </properties> + </leafNode> </children> </tagNode> </children> diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in new file mode 100644 index 000000000..f07c619a8 --- /dev/null +++ b/interface-definitions/firewall.xml.in 
@@ -0,0 +1,782 @@ +<?xml version="1.0"?> +<interfaceDefinition> + <node name="nfirewall" owner="${vyos_conf_scripts_dir}/firewall.py"> + <properties> + <priority>199</priority> + <help>Firewall</help> + </properties> + <children> + <leafNode name="all-ping"> + <properties> + <help>Policy for handling of all IPv4 ICMP echo requests</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable processing of all IPv4 ICMP echo requests</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable processing of all IPv4 ICMP echo requests</description> + </valueHelp> + <constraint> + <regex>^(enable|disable)$</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="broadcast-ping"> + <properties> + <help>Policy for handling broadcast IPv4 ICMP echo and timestamp requests</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable processing of broadcast IPv4 ICMP echo/timestamp requests</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable processing of broadcast IPv4 ICMP echo/timestamp requests</description> + </valueHelp> + <constraint> + <regex>^(enable|disable)$</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="config-trap"> + <properties> + <help>SNMP trap generation on firewall configuration changes</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable sending SNMP trap on firewall configuration change</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable sending SNMP trap on firewall configuration change</description> + </valueHelp> + <constraint> + <regex>^(enable|disable)$</regex> + </constraint> + </properties> + </leafNode> + <node name="group"> + <properties> + <help>Firewall 
group</help> + </properties> + <children> + <tagNode name="address-group"> + <properties> + <help>Firewall address-group</help> + </properties> + <children> + <leafNode name="address"> + <properties> + <help>Address-group member</help> + <valueHelp> + <format>ipv4</format> + <description>IPv4 address to match</description> + </valueHelp> + <valueHelp> + <format>ipv4range</format> + <description>IPv4 range to match (e.g. 10.0.0.1-10.0.0.200)</description> + </valueHelp> + <constraint> + <validator name="ipv4-address"/> + <validator name="ipv4-range"/> + </constraint> + <multi/> + </properties> + </leafNode> + #include <include/generic-description.xml.i> + </children> + </tagNode> + <tagNode name="ipv6-address-group"> + <properties> + <help>Firewall ipv6-address-group</help> + </properties> + <children> + <leafNode name="address"> + <properties> + <help>Address-group member</help> + <valueHelp> + <format>ipv6</format> + <description>IPv6 address to match</description> + </valueHelp> + <constraint> + <validator name="ipv6-address"/> + </constraint> + <multi/> + </properties> + </leafNode> + #include <include/generic-description.xml.i> + </children> + </tagNode> + <tagNode name="ipv6-network-group"> + <properties> + <help>Network-group member</help> + </properties> + <children> + #include <include/generic-description.xml.i> + <leafNode name="network"> + <properties> + <help>Network-group member</help> + <valueHelp> + <format>ipv6net</format> + <description>IPv6 address to match</description> + </valueHelp> + <constraint> + <validator name="ipv6-prefix"/> + </constraint> + <multi/> + </properties> + </leafNode> + </children> + </tagNode> + <tagNode name="network-group"> + <properties> + <help>Firewall network-group</help> + </properties> + <children> + #include <include/generic-description.xml.i> + <leafNode name="network"> + <properties> + <help>Network-group member</help> + <valueHelp> + <format>ipv4net</format> + <description>IPv4 Subnet to match</description> + 
</valueHelp> + <constraint> + <validator name="ipv4-prefix"/> + </constraint> + <multi/> + </properties> + </leafNode> + </children> + </tagNode> + <tagNode name="port-group"> + <properties> + <help>Firewall port-group</help> + </properties> + <children> + #include <include/generic-description.xml.i> + <leafNode name="port"> + <properties> + <help>Port-group member</help> + <valueHelp> + <format>txt</format> + <description>Named port (any name in /etc/services, e.g., http)</description> + </valueHelp> + <valueHelp> + <format>u32:1-65535</format> + <description>Numbered port</description> + </valueHelp> + <valueHelp> + <format>start-end</format> + <description>Numbered port range (e.g. 1001-1050)</description> + </valueHelp> + <multi/> + </properties> + </leafNode> + </children> + </tagNode> + </children> + </node> + <leafNode name="ip-src-route"> + <properties> + <help>Policy for handling IPv4 packets with source route option</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable processing of IPv4 packets with source route option</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable processing of IPv4 packets with source route option</description> + </valueHelp> + <constraint> + <regex>^(enable|disable)$</regex> + </constraint> + </properties> + </leafNode> + <tagNode name="ipv6-name"> + <properties> + <help>IPv6 firewall rule-set name</help> + </properties> + <children> + #include <include/firewall/name-default-action.xml.i> + #include <include/firewall/name-default-log.xml.i> + #include <include/generic-description.xml.i> + <tagNode name="rule"> + <properties> + <help>Rule number (1-9999)</help> + </properties> + <children> + #include <include/firewall/action.xml.i> + #include <include/generic-description.xml.i> + <node name="destination"> + <properties> + <help>Destination parameters</help> + </properties> + <children> + #include 
<include/firewall/address-ipv6.xml.i> + #include <include/firewall/source-destination-group.xml.i> + #include <include/firewall/port.xml.i> + </children> + </node> + <node name="source"> + <properties> + <help>Source parameters</help> + </properties> + <children> + #include <include/firewall/address-ipv6.xml.i> + #include <include/firewall/source-destination-group.xml.i> + #include <include/firewall/port.xml.i> + </children> + </node> + #include <include/firewall/common-rule.xml.i> + <node name="hop-limit"> + <properties> + <help>Hop Limit</help> + </properties> + <children> + <leafNode name="eq"> + <properties> + <help>Value to match a hop limit equal to it</help> + <valueHelp> + <format>u32:0-255</format> + <description>Hop limit equal to value</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-255"/> + </constraint> + </properties> + </leafNode> + <leafNode name="gt"> + <properties> + <help>Value to match a hop limit greater than or equal to it</help> + <valueHelp> + <format>u32:0-255</format> + <description>Hop limit greater than value</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-255"/> + </constraint> + </properties> + </leafNode> + <leafNode name="lt"> + <properties> + <help>Value to match a hop limit less than or equal to it</help> + <valueHelp> + <format>u32:0-255</format> + <description>Hop limit less than value</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-255"/> + </constraint> + </properties> + </leafNode> + </children> + </node> + <node name="icmpv6"> + <properties> + <help>ICMPv6 type and code information</help> + </properties> + <children> + <leafNode name="type"> + <properties> + <help>ICMP type-name</help> + <completionHelp> + <list>any echo-reply pong destination-unreachable network-unreachable host-unreachable protocol-unreachable port-unreachable fragmentation-needed source-route-failed network-unknown 
host-unknown network-prohibited host-prohibited TOS-network-unreachable TOS-host-unreachable communication-prohibited host-precedence-violation precedence-cutoff source-quench redirect network-redirect host-redirect TOS-network-redirect TOS host-redirect echo-request ping router-advertisement router-solicitation time-exceeded ttl-exceeded ttl-zero-during-transit ttl-zero-during-reassembly parameter-problem ip-header-bad required-option-missing timestamp-request timestamp-reply address-mask-request address-mask-reply</list> + </completionHelp> + <valueHelp> + <format>any</format> + <description>Any ICMP type/code</description> + </valueHelp> + <valueHelp> + <format>echo-reply</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>pong</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>destination-unreachable</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>network-unreachable</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>host-unreachable</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>protocol-unreachable</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>port-unreachable</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>fragmentation-needed</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>source-route-failed</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>network-unknown</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>host-unknown</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>network-prohibited</format> + <description>ICMP type/code 
name</description> + </valueHelp> + <valueHelp> + <format>host-prohibited</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>TOS-network-unreachable</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>TOS-host-unreachable</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>communication-prohibited</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>host-precedence-violation</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>precedence-cutoff</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>source-quench</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>redirect</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>network-redirect</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>host-redirect</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>TOS-network-redirect</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>TOS host-redirect</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>echo-request</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>ping</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>router-advertisement</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>router-solicitation</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>time-exceeded</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + 
<format>ttl-exceeded</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>ttl-zero-during-transit</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>ttl-zero-during-reassembly</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>parameter-problem</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>ip-header-bad</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>required-option-missing</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>timestamp-request</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>timestamp-reply</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>address-mask-request</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>address-mask-reply</format> + <description>ICMP type/code name</description> + </valueHelp> + <constraint> + <regex>^(any|echo-reply|pong|destination-unreachable|network-unreachable|host-unreachable|protocol-unreachable|port-unreachable|fragmentation-needed|source-route-failed|network-unknown|host-unknown|network-prohibited|host-prohibited|TOS-network-unreachable|TOS-host-unreachable|communication-prohibited|host-precedence-violation|precedence-cutoff|source-quench|redirect|network-redirect|host-redirect|TOS-network-redirect|TOS host-redirect|echo-request|ping|router-advertisement|router-solicitation|time-exceeded|ttl-exceeded|ttl-zero-during-transit|ttl-zero-during-reassembly|parameter-problem|ip-header-bad|required-option-missing|timestamp-request|timestamp-reply|address-mask-request|address-mask-reply)$</regex> + <validator name="numeric" argument="--range 0-255"/> + </constraint> + </properties> + </leafNode> + </children> + 
</node> + <node name="p2p"> + <properties> + <help>P2P application packets</help> + </properties> + <children> + <leafNode name="all"> + <properties> + <help>AppleJuice/BitTorrent/Direct Connect/eDonkey/eMule/Gnutella/KaZaA application packets</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="applejuice"> + <properties> + <help>AppleJuice application packets</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="bittorrent"> + <properties> + <help>BitTorrent application packets</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="directconnect"> + <properties> + <help>Direct Connect application packets</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="edonkey"> + <properties> + <help>eDonkey/eMule application packets</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="gnutella"> + <properties> + <help>Gnutella application packets</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="kazaa"> + <properties> + <help>KaZaA application packets</help> + <valueless/> + </properties> + </leafNode> + </children> + </node> + </children> + </tagNode> + </children> + </tagNode> + <leafNode name="ipv6-receive-redirects"> + <properties> + <help>Policy for handling received ICMPv6 redirect messages</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable processing of received ICMPv6 redirect messages</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable processing of received ICMPv6 redirect messages</description> + </valueHelp> + <constraint> + <regex>^(enable|disable)$</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="ipv6-src-route"> + <properties> + <help>Policy for handling IPv6 packets with routing extension header</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> 
+ <description>Enable processing of IPv6 packets with routing header type 2</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable processing of IPv6 packets with routing header</description> + </valueHelp> + <constraint> + <regex>^(enable|disable)$</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="log-martians"> + <properties> + <help>Policy for logging IPv4 packets with invalid addresses</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable logging of IPv4 packets with invalid addresses</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable logging of Ipv4 packets with invalid addresses</description> + </valueHelp> + <constraint> + <regex>^(enable|disable)$</regex> + </constraint> + </properties> + </leafNode> + <tagNode name="name"> + <properties> + <help>IPv4 firewall rule-set name</help> + </properties> + <children> + #include <include/firewall/name-default-action.xml.i> + #include <include/firewall/name-default-log.xml.i> + #include <include/generic-description.xml.i> + <tagNode name="rule"> + <properties> + <help>Rule number (1-9999)</help> + </properties> + <children> + #include <include/firewall/action.xml.i> + #include <include/generic-description.xml.i> + <node name="destination"> + <properties> + <help>Destination parameters</help> + </properties> + <children> + #include <include/firewall/address.xml.i> + #include <include/firewall/source-destination-group.xml.i> + #include <include/firewall/port.xml.i> + </children> + </node> + <node name="source"> + <properties> + <help>Source parameters</help> + </properties> + <children> + #include <include/firewall/address.xml.i> + #include <include/firewall/source-destination-group.xml.i> + #include <include/firewall/port.xml.i> + </children> + </node> + #include <include/firewall/common-rule.xml.i> + <node name="icmp"> + <properties> 
+ <help>ICMP type and code information</help> + </properties> + <children> + <leafNode name="code"> + <properties> + <help>ICMP code (0-255)</help> + <valueHelp> + <format>u32:0-255</format> + <description>ICMP code (0-255)</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-255"/> + </constraint> + </properties> + </leafNode> + <leafNode name="type"> + <properties> + <help>ICMP type (0-255)</help> + <valueHelp> + <format>u32:0-255</format> + <description>ICMP type (0-255)</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-255"/> + </constraint> + </properties> + </leafNode> + #include <include/firewall/icmp-type-name.xml.i> + </children> + </node> + </children> + </tagNode> + </children> + </tagNode> + <leafNode name="receive-redirects"> + <properties> + <help>Policy for handling received IPv4 ICMP redirect messages</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable processing of received IPv4 ICMP redirect messages</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable processing of received IPv4 ICMP redirect messages</description> + </valueHelp> + <constraint> + <regex>^(enable|disable)$</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="send-redirects"> + <properties> + <help>Policy for sending IPv4 ICMP redirect messages</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable sending IPv4 ICMP redirect messages</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable sending IPv4 ICMP redirect messages</description> + </valueHelp> + <constraint> + <regex>^(enable|disable)$</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="source-validation"> + <properties> + <help>Policy for source validation by 
reversed path, as specified in RFC3704</help> + <completionHelp> + <list>strict loose disable</list> + </completionHelp> + <valueHelp> + <format>strict</format> + <description>Enable Strict Reverse Path Forwarding as defined in RFC3704</description> + </valueHelp> + <valueHelp> + <format>loose</format> + <description>Enable Loose Reverse Path Forwarding as defined in RFC3704</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>No source validation</description> + </valueHelp> + <constraint> + <regex>^(strict|loose|disable)$</regex> + </constraint> + </properties> + </leafNode> + <node name="state-policy"> + <properties> + <help>Global firewall state-policy</help> + </properties> + <children> + <node name="established"> + <properties> + <help>Global firewall policy for packets part of an established connection</help> + </properties> + <children> + #include <include/firewall/action-accept-drop-reject.xml.i> + #include <include/firewall/log.xml.i> + </children> + </node> + <node name="invalid"> + <properties> + <help>Global firewall policy for packets part of an invalid connection</help> + </properties> + <children> + #include <include/firewall/action-accept-drop-reject.xml.i> + #include <include/firewall/log.xml.i> + </children> + </node> + <node name="related"> + <properties> + <help>Global firewall policy for packets part of a related connection</help> + </properties> + <children> + #include <include/firewall/action-accept-drop-reject.xml.i> + #include <include/firewall/log.xml.i> + </children> + </node> + </children> + </node> + <leafNode name="syn-cookies"> + <properties> + <help>Policy for using TCP SYN cookies with IPv4</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable use of TCP SYN cookies with IPv4</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable use of TCP SYN cookies with IPv4</description> + 
</valueHelp> + <constraint> + <regex>^(enable|disable)$</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="twa-hazards-protection"> + <properties> + <help>RFC1337 TCP TIME-WAIT assasination hazards protection</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable RFC1337 TIME-WAIT hazards protection</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable RFC1337 TIME-WAIT hazards protection</description> + </valueHelp> + <constraint> + <regex>^(enable|disable)$</regex> + </constraint> + </properties> + </leafNode> + </children> + </node> +</interfaceDefinition> diff --git a/interface-definitions/https.xml.in b/interface-definitions/https.xml.in index b613e30c1..b65a89b56 100644 --- a/interface-definitions/https.xml.in +++ b/interface-definitions/https.xml.in @@ -1,7 +1,7 @@ <?xml version="1.0"?> <!-- HTTPS configuration --> <interfaceDefinition> - <syntaxVersion component='https' version='2'></syntaxVersion> + <syntaxVersion component='https' version='3'></syntaxVersion> <node name="service"> <children> <node name="https" owner="${vyos_conf_scripts_dir}/https.py"> @@ -123,22 +123,7 @@ <help>TLS certificates</help> </properties> <children> - <node name="system-generated-certificate" owner="${vyos_conf_scripts_dir}/vyos_cert.py"> - <properties> - <help>Use an automatically generated self-signed certificate</help> - </properties> - <children> - <leafNode name="lifetime"> - <properties> - <help>Lifetime in days; default is 365</help> - <valueHelp> - <format>1-65535</format> - <description>Number of days</description> - </valueHelp> - </properties> - </leafNode> - </children> - </node> + #include <include/pki/certificate.xml.i> <node name="certbot" owner="${vyos_conf_scripts_dir}/le_cert.py"> <properties> <help>Request or apply a letsencrypt certificate for domain-name</help> 
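Review bot: The `port` leaf under `group port-group` lists a named port, a number and a `start-end` range in its `valueHelp` but carries no `<constraint>` at all, so any string is accepted by the CLI and handed to the backend (`firewall.py`, not in this chunk) unvalidated, whereas the rule-level ports go through `include/firewall/port.xml.i`; apply the same constraint that include uses, or at minimum `<constraint><regex>^([0-9]{1,5}(-[0-9]{1,5})?|[A-Za-z][A-Za-z0-9+._-]*)$</regex></constraint>`. The `icmpv6 type` completion list and its regex are the IPv4 ICMP name list (`source-quench`, `timestamp-request`, `address-mask-reply` are not ICMPv6 types) and both contain `TOS host-redirect` with an embedded space, which looks like a typo for `TOS-host-redirect`. Under `hop-limit`, the `gt` and `lt` help texts say "greater/less than or equal to" while their `<description>` says strictly greater/less than; one of the two is wrong and the backend semantics should decide which. The `ipv6-src-route` enable description mentions "routing header type 2" but the disable description just says "routing header"; make the two consistent.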
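Review bot: Bumping `<syntaxVersion component='https' version='3'>` while removing the `system-generated-certificate` node means a saved configuration that still contains it will fail to load unless a migration script for component `https` from version 2 to 3 accompanies this change; that script is not visible in this chunk, so please confirm it exists and either moves the self-signed certificate into the PKI subsystem or removes the node explicitly. A short comment next to the new line, e.g. `<!-- replaces system-generated-certificate, migrated by the https 2-to-3 migrator -->`, would record why the node disappeared.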
diff --git a/interface-definitions/include/accel-ppp/ppp-interface-cache.xml.i b/interface-definitions/include/accel-ppp/ppp-interface-cache.xml.i
new file mode 100644
index 000000000..9f223d7ed
--- /dev/null
+++ b/interface-definitions/include/accel-ppp/ppp-interface-cache.xml.i
@@ -0,0 +1,14 @@
+<!-- include start from accel-ppp/ppp-interface-cache.xml.i -->
+<leafNode name="interface-cache">
+ <properties>
+ <help>PPP interface cache</help>
+ <valueHelp>
+ <format>1-256000</format>
+ <description>Count of interfaces to keep in cache</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-256000"/>
+ </constraint>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/accel-ppp/ppp-options-ipv6.xml.i b/interface-definitions/include/accel-ppp/ppp-options-ipv6.xml.i
new file mode 100644
index 000000000..cd40a1f96
--- /dev/null
+++ b/interface-definitions/include/accel-ppp/ppp-options-ipv6.xml.i
@@ -0,0 +1,30 @@
+<!-- include start from accel-ppp/ppp-options-ipv6.xml.i -->
+<leafNode name="ipv6">
+ <properties>
+ <help>IPv6 (IPCP6) negotiation algorithm</help>
+ <constraint>
+ <regex>^(deny|allow|prefer|require)$</regex>
+ </constraint>
+ <constraintErrorMessage>invalid value</constraintErrorMessage>
+ <valueHelp>
+ <format>deny</format>
+ <description>Do not negotiate IPv6</description>
+ </valueHelp>
+ <valueHelp>
+ <format>allow</format>
+ <description>Negotiate IPv6 only if client requests</description>
+ </valueHelp>
+ <valueHelp>
+ <format>prefer</format>
+ <description>Ask client for IPv6 negotiation, do not fail if it rejects</description>
+ </valueHelp>
+ <valueHelp>
+ <format>require</format>
+ <description>Require IPv6 negotiation</description>
+ </valueHelp>
+ <completionHelp>
+ <list>deny allow prefer require</list>
+ </completionHelp>
+ </properties>
+</leafNode>
+<!-- include end -->
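Review bot: `<format>1-256000</format>` in `ppp-interface-cache.xml.i` breaks the convention every other numeric leaf in this commit follows (`u32:0-255`, `u32:1-4294967295`); write it as `<format>u32:1-256000</format>` so the completion output is uniform. The `<help>PPP interface cache</help>` names the knob but not its effect; `<help>Number of PPP interfaces kept pre-created in cache</help>` would tell the operator what the value controls, if that is indeed what the backend does with it (the handler is not in this chunk).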
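Review bot: In `ppp-options-ipv6.xml.i` the `<constraintErrorMessage>invalid value</constraintErrorMessage>` adds nothing the regex failure does not already convey; since the accepted set is fixed, name it: `<constraintErrorMessage>ipv6 must be one of deny, allow, prefer or require</constraintErrorMessage>`. The `completionHelp` block is also placed after the `valueHelp` entries here while the other new leaves in this commit put it before them; ordering it the same way keeps the includes readable side by side.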
diff --git a/interface-definitions/include/accel-ppp/radius-additions.xml.i b/interface-definitions/include/accel-ppp/radius-additions.xml.i
index e65088c43..fdcff36bf 100644
--- a/interface-definitions/include/accel-ppp/radius-additions.xml.i
+++ b/interface-definitions/include/accel-ppp/radius-additions.xml.i
@@ -88,11 +88,7 @@
 </properties>
 <defaultValue>3</defaultValue>
 </leafNode>
- <leafNode name="nas-identifier">
- <properties>
- <help>NAS-Identifier attribute sent to RADIUS</help>
- </properties>
- </leafNode>
+ #include <include/radius-nas-identifier.xml.i>
 <leafNode name="nas-ip-address">
 <properties>
 <help>NAS-IP-Address attribute sent to RADIUS</help>
diff --git a/interface-definitions/include/auth-local-users.xml.i b/interface-definitions/include/auth-local-users.xml.i
new file mode 100644
index 000000000..8ef09554e
--- /dev/null
+++ b/interface-definitions/include/auth-local-users.xml.i
@@ -0,0 +1,22 @@
+<!-- include start from auth-local-users.xml.i -->
+<node name="local-users">
+ <properties>
+ <help>Local user authentication</help>
+ </properties>
+ <children>
+ <tagNode name="username">
+ <properties>
+ <help>Username used for authentication</help>
+ </properties>
+ <children>
+ #include <include/generic-disable-node.xml.i>
+ <leafNode name="password">
+ <properties>
+ <help>Password used for authentication</help>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/bgp/afi-common.xml.i b/interface-definitions/include/bgp/afi-common.xml.i
index 20b0dda66..62beff40c 100644
--- a/interface-definitions/include/bgp/afi-common.xml.i
+++ b/interface-definitions/include/bgp/afi-common.xml.i
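Review bot: The `password` leaf in `auth-local-users.xml.i` accepts any string: there is no `<constraint>`, and nothing in this include hashes or otherwise transforms the value, so it is kept as given in the saved configuration. If the consumers of this include write the value into a backend secrets file (the handlers are not in this chunk), a password containing whitespace, `#` or a quote may be truncated or mis-parsed there; either reject those characters with a regex or state the accepted form in the help. Also make the storage explicit to the operator, e.g. `<help>Password used for authentication (kept in clear text in the configuration)</help>`, so the sensitivity of the saved config file is obvious. The `username` tag node likewise has no constraint; the same consideration applies to it.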
@@ -88,6 +88,18 @@
 </constraint>
 </properties>
 </leafNode>
+<leafNode name="maximum-prefix-out">
+ <properties>
+ <help>Maximum number of prefixes to be sent to this peer</help>
+ <valueHelp>
+ <format>u32:1-4294967295</format>
+ <description>Prefix limit</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-4294967295"/>
+ </constraint>
+ </properties>
+</leafNode>
 #include <include/bgp/afi-nexthop-self.xml.i>
 <leafNode name="remove-private-as">
 <properties>
diff --git a/interface-definitions/include/bgp/afi-l2vpn-common.xml.i b/interface-definitions/include/bgp/afi-l2vpn-common.xml.i
index 1673f25a5..aaa69e6c8 100644
--- a/interface-definitions/include/bgp/afi-l2vpn-common.xml.i
+++ b/interface-definitions/include/bgp/afi-l2vpn-common.xml.i
@@ -11,17 +11,6 @@
 <valueless/>
 </properties>
 </leafNode>
-<leafNode name="rd">
- <properties>
- <help>Route Distinguisher</help>
- <valueHelp>
- <format>txt</format>
- <description>Route Distinguisher, (x.x.x.x:yyy|xxxx:yyyy)</description>
- </valueHelp>
- <constraint>
- <regex>^((25[0-5]|2[0-4][0-9]|[1][0-9][0-9]|[1-9][0-9]|[0-9]?)(\.(25[0-5]|2[0-4][0-9]|[1][0-9][0-9]|[1-9][0-9]|[0-9]?)){3}|[0-9]{1,10}):[0-9]{1,5}$</regex>
- </constraint>
- </properties>
-</leafNode>
+#include <include/bgp/route-distinguisher.xml.i>
 #include <include/bgp/route-target.xml.i>
 <!-- include end -->
diff --git a/interface-definitions/include/bgp/protocol-common-config.xml.i b/interface-definitions/include/bgp/protocol-common-config.xml.i
index e6b81ceb1..552e85aa4 100644
--- a/interface-definitions/include/bgp/protocol-common-config.xml.i
+++ b/interface-definitions/include/bgp/protocol-common-config.xml.i
@@ -372,18 +372,7 @@
 </constraint>
 </properties>
 <children>
- <leafNode name="rd">
- <properties>
- <help>Route Distinguisher</help>
- <valueHelp>
- <format>txt</format>
- <description>Route Distinguisher, asn:xxx</description>
- </valueHelp>
- <constraint>
- <regex>^[0-9]{1,10}:[0-9]{1,5}$</regex>
- </constraint>
- </properties>
- </leafNode>
+ #include <include/bgp/route-distinguisher.xml.i>
 <leafNode name="label">
 <properties>
 <help>MPLS label value assigned to route</help>
@@ -772,18 +761,7 @@
 </constraint>
 </properties>
 <children>
- <leafNode name="rd">
- <properties>
- <help>Route Distinguisher</help>
- <valueHelp>
- <format>txt</format>
- <description>Route Distinguisher, asn:xxx</description>
- </valueHelp>
- <constraint>
- <regex>^[0-9]{1,10}:[0-9]{1,5}$</regex>
- </constraint>
- </properties>
- </leafNode>
+ #include <include/bgp/route-distinguisher.xml.i>
 <leafNode name="label">
 <properties>
 <help>MPLS label value assigned to route</help>
@@ -1038,6 +1016,12 @@
 </leafNode>
 #include <include/bgp/remote-as.xml.i>
 #include <include/bgp/neighbor-shutdown.xml.i>
+ <leafNode name="solo">
+ <properties>
+ <help>Do not send back prefixes learned from the neighbor</help>
+ <valueless/>
+ </properties>
+ </leafNode>
 <leafNode name="strict-capability-match">
 <properties>
 <help>Enable strict capability negotiation</help>
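Review bot: Replacing the inline `rd` leaf (regex `^[0-9]{1,10}:[0-9]{1,5}$`, help `asn:xxx`) with `#include <include/bgp/route-distinguisher.xml.i>` in the `-372` hunk, and identically in the `-761` hunk, also widens the accepted syntax to the `x.x.x.x:yyy` form that the shared include allows; that is a CLI behaviour change for these two leaves and should be stated in the commit message or pinned by a smoketest. The enclosing `<children>` block and the node these leaves belong to start before the hunk, so whether the backend accepts the IP-address form at these two sites cannot be confirmed from here.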
@@ -1114,6 +1098,29 @@ </leafNode> </children> </node> + <leafNode name="bandwidth"> + <properties> + <help>Link Bandwidth attribute</help> + <completionHelp> + <list>default-weight-for-missing ignore skip-missing</list> + </completionHelp> + <valueHelp> + <format>default-weight-for-missing</format> + <description>Assign low default weight (1) to paths not having link bandwidth</description> + </valueHelp> + <valueHelp> + <format>ignore</format> + <description>Ignore link bandwidth (do regular ECMP, not weighted)</description> + </valueHelp> + <valueHelp> + <format>skip-missing</format> + <description>Ignore paths without link bandwidth for ECMP (if other paths have it)</description> + </valueHelp> + <constraint> + <regex>^(default-weight-for-missing|ignore|skip-missing)$</regex> + </constraint> + </properties> + </leafNode> <leafNode name="compare-routerid"> <properties> <help>Compare the router-id for identical EBGP paths</help> @@ -1180,6 +1187,7 @@ <constraint> <validator name="numeric" argument="--range 1-4294967294"/> </constraint> + <multi/> </properties> </leafNode> </children> diff --git a/interface-definitions/include/bgp/route-distinguisher.xml.i b/interface-definitions/include/bgp/route-distinguisher.xml.i new file mode 100644 index 000000000..fdfbe7076 --- /dev/null +++ b/interface-definitions/include/bgp/route-distinguisher.xml.i @@ -0,0 +1,14 @@ +<!-- include start from bgp/route-distinguisher.xml.i --> +<leafNode name="rd"> + <properties> + <help>Route Distinguisher</help> + <valueHelp> + <format>txt</format> + <description>Route Distinguisher, (x.x.x.x:yyy|xxxx:yyyy)</description> + </valueHelp> + <constraint> + <regex>^((25[0-5]|2[0-4][0-9]|[1][0-9][0-9]|[1-9][0-9]|[0-9]?)(\.(25[0-5]|2[0-4][0-9]|[1][0-9][0-9]|[1-9][0-9]|[0-9]?)){3}|[0-9]{1,10}):[0-9]{1,5}$</regex> + </constraint> + </properties> +</leafNode> +<!-- include end --> 
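Review bot: The regex in the new route-distinguisher.xml.i accepts malformed IPv4 administrators because the last alternative of each octet group, `[0-9]?`, also matches the empty string, so a value such as `...:100` or `1.2.3.:5` passes validation; this is the same pattern the afi-l2vpn-common.xml.i hunk removed, and it now also stands in for the stricter per-site constraints dropped from protocol-common-config.xml.i. Changing `[0-9]?` to `[0-9]` in both octet groups closes the gap: `<regex>^((25[0-5]|2[0-4][0-9]|[1][0-9][0-9]|[1-9][0-9]|[0-9])(\.(25[0-5]|2[0-4][0-9]|[1][0-9][0-9]|[1-9][0-9]|[0-9])){3}|[0-9]{1,10}):[0-9]{1,5}$</regex>`. The numeric halves (`[0-9]{1,10}` and `[0-9]{1,5}`) remain digit-count checks rather than range checks, which a regex cannot express cleanly; a dedicated validator would be the better fit if out-of-range values are a concern.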
diff --git a/interface-definitions/include/conntrack-module-disable.xml.i b/interface-definitions/include/conntrack-module-disable.xml.i
new file mode 100644
index 000000000..f891225e0
--- /dev/null
+++ b/interface-definitions/include/conntrack-module-disable.xml.i
@@ -0,0 +1,8 @@
+<!-- include start from conntrack-module-disable.xml.i -->
+<leafNode name="disable">
+ <properties>
+ <help>Disable connection tracking helper</help>
+ <valueless/>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/dhcp-interface.xml.i b/interface-definitions/include/dhcp-interface.xml.i
new file mode 100644
index 000000000..939b45f15
--- /dev/null
+++ b/interface-definitions/include/dhcp-interface.xml.i
@@ -0,0 +1,15 @@
+ <leafNode name="dhcp-interface">
+ <properties>
+ <help>DHCP interface supplying next-hop IP address</help>
+ <completionHelp>
+ <script>${vyos_completion_dir}/list_interfaces.py</script>
+ </completionHelp>
+ <valueHelp>
+ <format>txt</format>
+ <description>DHCP interface name</description>
+ </valueHelp>
+ <constraint>
+ <validator name="interface-name"/>
+ </constraint>
+ </properties>
+ </leafNode>
diff --git a/interface-definitions/include/firewall/action-accept-drop-reject.xml.i b/interface-definitions/include/firewall/action-accept-drop-reject.xml.i
new file mode 100644
index 000000000..9f8baa884
--- /dev/null
+++ b/interface-definitions/include/firewall/action-accept-drop-reject.xml.i
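Review bot: dhcp-interface.xml.i is the only new include in this change without the `<!-- include start from dhcp-interface.xml.i -->` / `<!-- include end -->` markers that every other new `.xml.i` file carries, and its content is still indented as if it were inline. Adding the two marker comments and dropping the leading indent keeps the include files uniform and makes the include boundaries visible wherever the fragment is expanded.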
@@ -0,0 +1,25 @@ +<!-- include start from firewall/action-accept-drop-reject.xml.i --> +<leafNode name="action"> + <properties> + <help>Action for packets</help> + <completionHelp> + <list>accept drop reject</list> + </completionHelp> + <valueHelp> + <format>accept</format> + <description>Action to accept</description> + </valueHelp> + <valueHelp> + <format>drop</format> + <description>Action to drop</description> + </valueHelp> + <valueHelp> + <format>reject</format> + <description>Action to reject</description> + </valueHelp> + <constraint> + <regex>^(accept|drop|reject)$</regex> + </constraint> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/firewall/action.xml.i b/interface-definitions/include/firewall/action.xml.i new file mode 100644 index 000000000..230f590cb --- /dev/null +++ b/interface-definitions/include/firewall/action.xml.i @@ -0,0 +1,21 @@ +<!-- include start from firewall/action.xml.i --> +<leafNode name="action"> + <properties> + <help>Rule action [REQUIRED]</help> + <completionHelp> + <list>permit deny</list> + </completionHelp> + <valueHelp> + <format>permit</format> + <description>Permit matching entries</description> + </valueHelp> + <valueHelp> + <format>deny</format> + <description>Deny matching entries</description> + </valueHelp> + <constraint> + <regex>^(permit|deny)$</regex> + </constraint> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/firewall/address-ipv6.xml.i b/interface-definitions/include/firewall/address-ipv6.xml.i new file mode 100644 index 000000000..fa60c0c8a --- /dev/null +++ b/interface-definitions/include/firewall/address-ipv6.xml.i 
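Review bot: Two new includes both define `<leafNode name="action">` with different vocabularies, and it is `firewall/action.xml.i` (`permit|deny`) that common-rule.xml.i pulls in, while the rule-set level name-default-action.xml.i speaks `drop|reject|accept`. If the firewall backend expects `accept|drop|reject` for per-rule actions, common-rule.xml.i should include `firewall/action-accept-drop-reject.xml.i` instead; if `permit|deny` is intentional for a different consumer, a one-line comment at the top of action.xml.i naming that consumer would prevent the two from being mixed up. The `[REQUIRED]` marker in the help text is only documentation; nothing in the include enforces that a rule has an action.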
@@ -0,0 +1,37 @@ +<!-- include start from firewall/address-ipv6.xml.i --> +<leafNode name="address"> + <properties> + <help>IP address, subnet, or range</help> + <valueHelp> + <format>ipv6</format> + <description>IP address to match</description> + </valueHelp> + <valueHelp> + <format>ipv6net</format> + <description>Subnet to match</description> + </valueHelp> + <valueHelp> + <format>ipv6range</format> + <description>IP range to match</description> + </valueHelp> + <valueHelp> + <format>!ipv6</format> + <description>Match everything except the specified address</description> + </valueHelp> + <valueHelp> + <format>!ipv6net</format> + <description>Match everything except the specified prefix</description> + </valueHelp> + <valueHelp> + <format>!ipv6range</format> + <description>Match everything except the specified range</description> + </valueHelp> + <constraint> + <validator name="ipv6"/> + <validator name="ipv6-exclude"/> + <validator name="ipv6-range"/> + <validator name="ipv6-range-exclude"/> + </constraint> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/firewall/address.xml.i b/interface-definitions/include/firewall/address.xml.i new file mode 100644 index 000000000..2e1bde5a5 --- /dev/null +++ b/interface-definitions/include/firewall/address.xml.i 
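Review bot: The `ipv6net` and `!ipv6net` forms advertised in the valueHelp have no matching validator: the constraint lists only `ipv6`, `ipv6-exclude`, `ipv6-range` and `ipv6-range-exclude`, whereas the IPv4 counterpart in the next hunk declares separate `ipv4-prefix` and `ipv4-prefix-exclude` validators for its prefix forms. Unless the `ipv6` validator also accepts prefix notation, the documented subnet values will be rejected at commit time. Either add the prefix validators that exist for IPv6 or drop the two valueHelp entries so the help does not promise more than the constraint allows.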
@@ -0,0 +1,39 @@ +<!-- include start from firewall/address.xml.i --> +<leafNode name="address"> + <properties> + <help>IP address, subnet, or range</help> + <valueHelp> + <format>ipv4</format> + <description>IPv4 address to match</description> + </valueHelp> + <valueHelp> + <format>ipv4net</format> + <description>IPv4 prefix to match</description> + </valueHelp> + <valueHelp> + <format>ipv4range</format> + <description>IPv4 address range to match</description> + </valueHelp> + <valueHelp> + <format>!ipv4</format> + <description>Match everything except the specified address</description> + </valueHelp> + <valueHelp> + <format>!ipv4net</format> + <description>Match everything except the specified prefix</description> + </valueHelp> + <valueHelp> + <format>!ipv4range</format> + <description>Match everything except the specified range</description> + </valueHelp> + <constraint> + <validator name="ipv4-address"/> + <validator name="ipv4-prefix"/> + <validator name="ipv4-range"/> + <validator name="ipv4-address-exclude"/> + <validator name="ipv4-prefix-exclude"/> + <validator name="ipv4-range-exclude"/> + </constraint> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/firewall/common-rule.xml.i b/interface-definitions/include/firewall/common-rule.xml.i new file mode 100644 index 000000000..1ee8da73d --- /dev/null +++ b/interface-definitions/include/firewall/common-rule.xml.i 
@@ -0,0 +1,326 @@ +<!-- include start from firewall/common-rule.xml.i --> +#include <include/firewall/action.xml.i> +#include <include/generic-description.xml.i> +<leafNode name="disable"> + <properties> + <help>Option to disable firewall rule</help> + <valueless/> + </properties> +</leafNode> +<node name="fragment"> + <properties> + <help>IP fragment match</help> + </properties> + <children> + <leafNode name="match-frag"> + <properties> + <help>Second and further fragments of fragmented packets</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="match-non-frag"> + <properties> + <help>Head fragments or unfragmented packets</help> + <valueless/> + </properties> + </leafNode> + </children> +</node> +<node name="ipsec"> + <properties> + <help>Inbound IPsec packets</help> + </properties> + <children> + <leafNode name="match-ipsec"> + <properties> + <help>Inbound IPsec packets</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="match-none"> + <properties> + <help>Inbound non-IPsec packets</help> + <valueless/> + </properties> + </leafNode> + </children> +</node> +<node name="limit"> + <properties> + <help>Rate limit using a token bucket filter</help> + </properties> + <children> + <leafNode name="burst"> + <properties> + <help>Maximum number of packets to allow in excess of rate</help> + <valueHelp> + <format>u32:0-4294967295</format> + <description>burst__change_me</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-4294967295"/> + </constraint> + </properties> + </leafNode> + <leafNode name="rate"> + <properties> + <help>Maximum average matching rate</help> + <valueHelp> + <format>u32:0-4294967295</format> + <description>rate__change_me</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-4294967295"/> + </constraint> + </properties> + </leafNode> + </children> +</node> +<leafNode name="log"> + <properties> + <help>Option to log packets matching 
rule</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable log</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable log</description> + </valueHelp> + <constraint> + <regex>^(enable|disable)$</regex> + </constraint> + </properties> +</leafNode> +<leafNode name="protocol"> + <properties> + <help>Protocol to match (protocol name, number, or "all")</help> + <completionHelp> + <script>cat /etc/protocols | sed -e '/^#.*/d' | awk '{ print $1 }'</script> + </completionHelp> + <valueHelp> + <format>all</format> + <description>All IP protocols</description> + </valueHelp> + <valueHelp> + <format>tcp_udp</format> + <description>Both TCP and UDP</description> + </valueHelp> + <valueHelp> + <format>0-255</format> + <description>IP protocol number</description> + </valueHelp> + <valueHelp> + <format>!<protocol></format> + <description>IP protocol number</description> + </valueHelp> + <constraint> + <validator name="ip-protocol"/> + </constraint> + </properties> + <defaultValue>all</defaultValue> +</leafNode> +<node name="recent"> + <properties> + <help>Parameters for matching recently seen sources</help> + </properties> + <children> + <leafNode name="count"> + <properties> + <help>Source addresses seen more than N times</help> + <valueHelp> + <format>u32:1-255</format> + <description>Source addresses seen more than N times</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-255"/> + </constraint> + </properties> + </leafNode> + <leafNode name="time"> + <properties> + <help>Source addresses seen in the last N seconds</help> + <valueHelp> + <format>u32:0-4294967295</format> + <description>Source addresses seen in the last N seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-4294967295"/> + </constraint> + </properties> + </leafNode> + </children> +</node> +<node 
name="source"> + <properties> + <help>Source parameters</help> + </properties> + <children> + #include <include/firewall/address.xml.i> + #include <include/firewall/source-destination-group.xml.i> + <leafNode name="mac-address"> + <properties> + <help>Source MAC address</help> + <valueHelp> + <format><MAC address></format> + <description>MAC address to match</description> + </valueHelp> + <valueHelp> + <format>!<MAC address></format> + <description>Match everything except the specified MAC address</description> + </valueHelp> + </properties> + </leafNode> + #include <include/firewall/port.xml.i> + </children> +</node> +<node name="state"> + <properties> + <help>Session state</help> + </properties> + <children> + <leafNode name="established"> + <properties> + <help>Established state</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable</description> + </valueHelp> + <constraint> + <regex>^(enable|disable)$</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="invalid"> + <properties> + <help>Invalid state</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable</description> + </valueHelp> + <constraint> + <regex>^(enable|disable)$</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="new"> + <properties> + <help>New state</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable</description> + </valueHelp> + <constraint> + <regex>^(enable|disable)$</regex> + </constraint> + </properties> + </leafNode> + <leafNode 
name="related"> + <properties> + <help>Related state</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable</description> + </valueHelp> + <constraint> + <regex>^(enable|disable)$</regex> + </constraint> + </properties> + </leafNode> + </children> +</node> +<node name="tcp"> + <properties> + <help>TCP flags to match</help> + </properties> + <children> + <leafNode name="flags"> + <properties> + <help>TCP flags to match</help> + <valueHelp> + <format>txt</format> + <description>TCP flags to match</description> + </valueHelp> + <valueHelp> + <format> </format> + <description>\n\n Allowed values for TCP flags : SYN ACK FIN RST URG PSH ALL\n When specifying more than one flag, flags should be comma-separated.\n For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with\n the SYN flag set, and the ACK, FIN and RST flags unset</description> + </valueHelp> + </properties> + </leafNode> + </children> +</node> +<node name="time"> + <properties> + <help>Time to match rule</help> + </properties> + <children> + <leafNode name="monthdays"> + <properties> + <help>Monthdays to match rule on</help> + </properties> + </leafNode> + <leafNode name="startdate"> + <properties> + <help>Date to start matching rule</help> + </properties> + </leafNode> + <leafNode name="starttime"> + <properties> + <help>Time of day to start matching rule</help> + </properties> + </leafNode> + <leafNode name="stopdate"> + <properties> + <help>Date to stop matching rule</help> + </properties> + </leafNode> + <leafNode name="stoptime"> + <properties> + <help>Time of day to stop matching rule</help> + </properties> + </leafNode> + <leafNode name="utc"> + <properties> + <help>Interpret times for startdate, stopdate, starttime and stoptime to be UTC</help> + <valueless/> + </properties> + </leafNode> + <leafNode 
name="weekdays"> + <properties> + <help>Weekdays to match rule on</help> + </properties> + </leafNode> + </children> +</node> +<!-- include end --> diff --git a/interface-definitions/include/firewall/icmp-type-name.xml.i b/interface-definitions/include/firewall/icmp-type-name.xml.i new file mode 100644 index 000000000..b45fb619b --- /dev/null +++ b/interface-definitions/include/firewall/icmp-type-name.xml.i 
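Review bot: The `limit` node ships placeholder help text, `<description>burst__change_me</description>` and `<description>rate__change_me</description>`, which will be shown verbatim in the CLI; reusing the leaf's own help text, as the `recent` leaves do (e.g. `<description>Maximum number of packets to allow in excess of rate</description>`), fixes that. The `time` leaves (`monthdays`, `startdate`, `starttime`, `stopdate`, `stoptime`, `weekdays`) and the source `mac-address` leaf carry neither a `<valueHelp>` nor a `<constraint>`, so any string is accepted into the rule and can only fail later when the ruleset is generated; at minimum a valueHelp with the expected format and a regex or validator belong on each of them. The `<format>!<protocol></format>`, `<format><MAC address></format>` and `<format>!<MAC address></format>` values are not well-formed XML if they are literal angle brackets rather than `&lt;`/`&gt;` entities in the file, which the rendered diff cannot distinguish. The `protocol` completion runs an inline `cat /etc/protocols | sed … | awk` pipeline while ip-protocol.xml.i in this same change calls `${vyos_completion_dir}/list_protocols.sh`; using the script in both places keeps the two lists from drifting.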
@@ -0,0 +1,173 @@ +<!-- include start from firewall/icmp-type-name.xml.i --> +<leafNode name="type-name"> + <properties> + <help>ICMP type-name</help> + <completionHelp> + <list>any echo-reply pong destination-unreachable network-unreachable host-unreachable protocol-unreachable port-unreachable fragmentation-needed source-route-failed network-unknown host-unknown network-prohibited host-prohibited TOS-network-unreachable TOS-host-unreachable communication-prohibited host-precedence-violation precedence-cutoff source-quench redirect network-redirect host-redirect TOS-network-redirect TOS host-redirect echo-request ping router-advertisement router-solicitation time-exceeded ttl-exceeded ttl-zero-during-transit ttl-zero-during-reassembly parameter-problem ip-header-bad required-option-missing timestamp-request timestamp-reply address-mask-request address-mask-reply</list> + </completionHelp> + <valueHelp> + <format>any</format> + <description>Any ICMP type/code</description> + </valueHelp> + <valueHelp> + <format>echo-reply</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>pong</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>destination-unreachable</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>network-unreachable</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>host-unreachable</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>protocol-unreachable</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>port-unreachable</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>fragmentation-needed</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>source-route-failed</format> + <description>ICMP type/code 
name</description> + </valueHelp> + <valueHelp> + <format>network-unknown</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>host-unknown</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>network-prohibited</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>host-prohibited</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>TOS-network-unreachable</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>TOS-host-unreachable</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>communication-prohibited</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>host-precedence-violation</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>precedence-cutoff</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>source-quench</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>redirect</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>network-redirect</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>host-redirect</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>TOS-network-redirect</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>TOS host-redirect</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>echo-request</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>ping</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + 
<format>router-advertisement</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>router-solicitation</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>time-exceeded</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>ttl-exceeded</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>ttl-zero-during-transit</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>ttl-zero-during-reassembly</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>parameter-problem</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>ip-header-bad</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>required-option-missing</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>timestamp-request</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>timestamp-reply</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>address-mask-request</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>address-mask-reply</format> + <description>ICMP type/code name</description> + </valueHelp> + <constraint> + <regex>^(any|echo-reply|pong|destination-unreachable|network-unreachable|host-unreachable|protocol-unreachable|port-unreachable|fragmentation-needed|source-route-failed|network-unknown|host-unknown|network-prohibited|host-prohibited|TOS-network-unreachable|TOS-host-unreachable|communication-prohibited|host-precedence-violation|precedence-cutoff|source-quench|redirect|network-redirect|host-redirect|TOS-network-redirect|TOS 
host-redirect|echo-request|ping|router-advertisement|router-solicitation|time-exceeded|ttl-exceeded|ttl-zero-during-transit|ttl-zero-during-reassembly|parameter-problem|ip-header-bad|required-option-missing|timestamp-request|timestamp-reply|address-mask-request|address-mask-reply)$</regex> + </constraint> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/firewall/log.xml.i b/interface-definitions/include/firewall/log.xml.i new file mode 100644 index 000000000..46d20c1df --- /dev/null +++ b/interface-definitions/include/firewall/log.xml.i @@ -0,0 +1,15 @@ +<!-- include start from firewall/log.xml.i --> +<node name="log"> + <properties> + <help>Option to log packets</help> + </properties> + <children> + <leafNode name="enable"> + <properties> + <help>Enable logging</help> + <valueless/> + </properties> + </leafNode> + </children> +</node> +<!-- include end --> diff --git a/interface-definitions/include/firewall/name-default-action.xml.i b/interface-definitions/include/firewall/name-default-action.xml.i new file mode 100644 index 000000000..1b61b076f --- /dev/null +++ b/interface-definitions/include/firewall/name-default-action.xml.i @@ -0,0 +1,25 @@ +<!-- include start from firewall/name-default-action.xml.i --> +<leafNode name="default-action"> + <properties> + <help>Default-action for rule-set</help> + <completionHelp> + <list>drop reject accept</list> + </completionHelp> + <valueHelp> + <format>drop</format> + <description>Drop if no prior rules are hit (default)</description> + </valueHelp> + <valueHelp> + <format>reject</format> + <description>Drop and notify source if no prior rules are hit</description> + </valueHelp> + <valueHelp> + <format>accept</format> + <description>Accept if no prior rules are hit</description> + </valueHelp> + <constraint> + <regex>^(drop|reject|accept)$</regex> + </constraint> + </properties> +</leafNode> +<!-- include end --> 
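Review bot: `TOS host-redirect` is written with a space instead of a hyphen in three places, the completion `<list>`, its `<format>` entry, and the regex alternative, while the neighbouring `TOS-network-redirect` keeps the hyphen. In the space-separated completion list this yields the two bogus tokens `TOS` and `host-redirect`, and the regex alternative can only be matched by a value containing a space, so the real type name cannot be configured. It should read `TOS-host-redirect` in all three places. Because the list and the regex duplicate the same 40 names, a note above the `<constraint>` saying that the two must be kept in sync would help the next editor.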
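Review bot: The `drop` valueHelp in name-default-action.xml.i is labelled `(default)`, but the leaf declares no `<defaultValue>`, although the `protocol` leaf in common-rule.xml.i shows the mechanism with `<defaultValue>all</defaultValue>`. Unless the backend substitutes `drop` when the leaf is unset, a rule-set without an explicit default-action does not have the default the help text promises, which matters for a firewall's fail-closed behaviour. Adding `<defaultValue>drop</defaultValue>` after `</properties>` makes the documented default real and visible in the configuration tree.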
diff --git a/interface-definitions/include/firewall/name-default-log.xml.i b/interface-definitions/include/firewall/name-default-log.xml.i new file mode 100644 index 000000000..979395146 --- /dev/null +++ b/interface-definitions/include/firewall/name-default-log.xml.i @@ -0,0 +1,8 @@ +<!-- include start from firewall/name-default-log.xml.i --> +<leafNode name="enable-default-log"> + <properties> + <help>Option to log packets hitting default-action</help> + <valueless/> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/firewall/port.xml.i b/interface-definitions/include/firewall/port.xml.i new file mode 100644 index 000000000..59d92978b --- /dev/null +++ b/interface-definitions/include/firewall/port.xml.i @@ -0,0 +1,23 @@ +<!-- include start from firewall/port.xml.i --> +<leafNode name="port"> + <properties> + <help>Port</help> + <valueHelp> + <format>txt</format> + <description>Named port (any name in /etc/services, e.g., http)</description> + </valueHelp> + <valueHelp> + <format>u32:1-65535</format> + <description>Numbered port</description> + </valueHelp> + <valueHelp> + <format><start-end></format> + <description>Numbered port range (e.g. 1001-1005)</description> + </valueHelp> + <valueHelp> + <format> </format> + <description>\n\n Multiple destination ports can be specified as a comma-separated list.\n The whole list can also be negated using '!'.\n For example: '!22,telnet,http,123,1001-1005'</description> + </valueHelp> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/firewall/source-destination-group.xml.i b/interface-definitions/include/firewall/source-destination-group.xml.i new file mode 100644 index 000000000..30226b0d8 --- /dev/null +++ b/interface-definitions/include/firewall/source-destination-group.xml.i 
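Review bot: port.xml.i documents a small grammar (service name, `1-65535`, `start-end` range, and a `!`-negated comma-separated list) but declares no `<constraint>` at all, so any string is accepted and only the ruleset generator can reject it. Since the format is too rich for a single regex, a dedicated validator that understands the negated list form is the appropriate check here; until then a comment above `<properties>` noting that validation happens downstream would at least make the gap explicit. As in common-rule.xml.i, `<format><start-end></format>` is not well-formed XML unless the angle brackets are entities in the file, and the `<format> </format>` entry used as a continuation line is a pattern worth reconsidering.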
@@ -0,0 +1,24 @@ +<!-- include start from firewall/source-destination-group.xml.i --> +<node name="group"> + <properties> + <help>Group</help> + </properties> + <children> + <leafNode name="address-group"> + <properties> + <help>Group of addresses</help> + </properties> + </leafNode> + <leafNode name="network-group"> + <properties> + <help>Group of networks</help> + </properties> + </leafNode> + <leafNode name="port-group"> + <properties> + <help>Group of ports</help> + </properties> + </leafNode> + </children> +</node> +<!-- include end --> diff --git a/interface-definitions/include/policy/description.xml.i b/interface-definitions/include/generic-description.xml.i index e2ff35d02..03fc564e6 100644 --- a/interface-definitions/include/policy/description.xml.i +++ b/interface-definitions/include/generic-description.xml.i @@ -1,4 +1,4 @@ -<!-- include start from policy/description.xml.i --> +<!-- include start from generic-description.xml.i --> <leafNode name="description"> <properties> <help>Description</help> diff --git a/interface-definitions/include/interface/authentication.xml.i b/interface-definitions/include/interface/authentication.xml.i new file mode 100644 index 000000000..c097ca9dd --- /dev/null +++ b/interface-definitions/include/interface/authentication.xml.i @@ -0,0 +1,27 @@ +<!-- include start from interface/authentication.xml.i --> +<node name="authentication"> + <properties> + <help>Authentication settings</help> + </properties> + <children> + <leafNode name="user"> + <properties> + <help>User name</help> + <valueHelp> + <format>txt</format> + <description>Username used for connection</description> + </valueHelp> + </properties> + </leafNode> + <leafNode name="password"> + <properties> + <help>Password</help> + <valueHelp> + <format>txt</format> + <description>Password used for connection</description> + </valueHelp> + </properties> + </leafNode> + </children> +</node> +<!-- include end --> 
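Review bot: The `address-group`, `network-group` and `port-group` leaves reference existing group definitions but offer no completion, whereas the ipsec includes in this same change use `<completionHelp><path>vpn ipsec esp-group</path></completionHelp>` for the analogous reference. The same idiom with the corresponding firewall group path, e.g. `<completionHelp><path>firewall group address-group</path></completionHelp>`, gives tab-completion and makes the cross-reference visible in the definition. A `<valueHelp>` with `<format>txt</format>` and a one-line description per leaf would also match how the other new includes document their values.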
diff --git a/interface-definitions/include/interface/interface-eapol.xml.i b/interface-definitions/include/interface/interface-eapol.xml.i index 92b7a3f35..270ec5b13 100644 --- a/interface-definitions/include/interface/interface-eapol.xml.i +++ b/interface-definitions/include/interface/interface-eapol.xml.i @@ -4,9 +4,8 @@ <help>Extensible Authentication Protocol over Local Area Network</help> </properties> <children> - #include <include/certificate.xml.i> - #include <include/certificate-ca.xml.i> - #include <include/certificate-key.xml.i> + #include <include/pki/ca-certificate.xml.i> + #include <include/pki/certificate-key.xml.i> </children> </node> <!-- include end --> diff --git a/interface-definitions/include/interface/interface-parameters-key.xml.i b/interface-definitions/include/interface/interface-parameters-key.xml.i index 1b1d67174..6c59f7879 100644 --- a/interface-definitions/include/interface/interface-parameters-key.xml.i +++ b/interface-definitions/include/interface/interface-parameters-key.xml.i @@ -1,7 +1,7 @@ <!-- include start from interface/interface-parameters-key.xml.i --> <leafNode name="key"> <properties> - <help>Tunnel key</help> + <help>Tunnel key (only GRE tunnels)</help> <valueHelp> <format>u32</format> <description>Tunnel key</description> diff --git a/interface-definitions/include/interface/vif.xml.i b/interface-definitions/include/interface/vif.xml.i index 0355054a4..9e89cbbf6 100644 --- a/interface-definitions/include/interface/vif.xml.i +++ b/interface-definitions/include/interface/vif.xml.i @@ -22,9 +22,10 @@ <leafNode name="egress-qos"> <properties> <help>VLAN egress QoS</help> - <completionHelp> - <script>echo Format for qos mapping, e.g.: '0:1 1:6 7:6'</script> - </completionHelp> + <valueHelp> + <format>txt</format> + <description>Format for qos mapping, e.g.: '0:1 1:6 7:6'</description> + </valueHelp> <constraint> <regex>[:0-7 ]+$</regex> </constraint> 
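Review bot: The `egress-qos` regex `[:0-7 ]+$` that remains as context in the vif.xml.i hunk has no `^` anchor, unlike every other regex in this change; unless constraint regexes are implicitly anchored at the start, any value whose tail consists of those characters passes (for example `abc 0:1`), and even anchored it accepts shapes like `:::` that are not `from:to` pairs. The identical regex appears in the second vif.xml.i hunk at `@@ -34,9 +35,10 @@` for `ingress-qos`. Something like `<regex>^[0-7]:[0-7]( [0-7]:[0-7])*$</regex>` would enforce the mapping format the new valueHelp describes (`'0:1 1:6 7:6'`). The enclosing `<leafNode>` of both hunks closes outside the hunk.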
@@ -34,9 +35,10 @@ <leafNode name="ingress-qos"> <properties> <help>VLAN ingress QoS</help> - <completionHelp> - <script>echo Format for qos mapping '0:1 1:6 7:6'</script> - </completionHelp> + <valueHelp> + <format>txt</format> + <description>Format for qos mapping, e.g.: '0:1 1:6 7:6'</description> + </valueHelp> <constraint> <regex>[:0-7 ]+$</regex> </constraint> diff --git a/interface-definitions/include/ip-protocol.xml.i b/interface-definitions/include/ip-protocol.xml.i new file mode 100644 index 000000000..ce9345024 --- /dev/null +++ b/interface-definitions/include/ip-protocol.xml.i @@ -0,0 +1,17 @@ +<!-- include start from ip-protocol.xml.i --> +<leafNode name="protocol"> + <properties> + <help>Protocol</help> + <valueHelp> + <format>txt</format> + <description>Protocol name</description> + </valueHelp> + <completionHelp> + <script>${vyos_completion_dir}/list_protocols.sh</script> + </completionHelp> + <constraint> + <validator name="ip-protocol"/> + </constraint> + </properties> +</leafNode> +<!-- include end from ip-protocol.xml.i --> diff --git a/interface-definitions/include/ipsec/authentication-id.xml.i b/interface-definitions/include/ipsec/authentication-id.xml.i new file mode 100644 index 000000000..4967782ec --- /dev/null +++ b/interface-definitions/include/ipsec/authentication-id.xml.i @@ -0,0 +1,11 @@ +<!-- include start from ipsec/authentication-id.xml.i --> +<leafNode name="id"> + <properties> + <help>ID for peer authentication</help> + <valueHelp> + <format>txt</format> + <description>ID used for peer authentication</description> + </valueHelp> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/ipsec/authentication-pre-shared-secret.xml.i b/interface-definitions/include/ipsec/authentication-pre-shared-secret.xml.i new file mode 100644 index 000000000..af2669335 --- /dev/null +++ b/interface-definitions/include/ipsec/authentication-pre-shared-secret.xml.i 
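Review bot: ip-protocol.xml.i closes with `<!-- include end from ip-protocol.xml.i -->`, while every other include in this change ends with the plain `<!-- include end -->`; using the common form keeps the markers greppable. Its completion uses `${vyos_completion_dir}/list_protocols.sh` whereas the `protocol` leaf in common-rule.xml.i embeds an inline `cat /etc/protocols | sed … | awk` pipeline for the same purpose; pointing both at the script would keep the two completions consistent.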
@@ -0,0 +1,11 @@
+<!-- include start from ipsec/authentication-pre-shared-secret.xml.i -->
+<leafNode name="pre-shared-secret">
+ <properties>
+ <help>Pre-shared secret key</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Pre-shared secret key</description>
+ </valueHelp>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/ipsec/authentication-rsa.xml.i b/interface-definitions/include/ipsec/authentication-rsa.xml.i
new file mode 100644
index 000000000..0a364e838
--- /dev/null
+++ b/interface-definitions/include/ipsec/authentication-rsa.xml.i
@@ -0,0 +1,30 @@
+<!-- include start from ipsec/authentication-rsa.xml.i -->
+<node name="rsa">
+ <properties>
+ <help>RSA keys</help>
+ </properties>
+ <children>
+ <leafNode name="local-key">
+ <properties>
+ <help>Name of PKI key-pair with local private key</help>
+ <completionHelp>
+ <path>pki key-pair</path>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ <leafNode name="passphrase">
+ <properties>
+ <help>Local private key passphrase</help>
+ </properties>
+ </leafNode>
+ <leafNode name="remote-key">
+ <properties>
+ <help>Name of PKI key-pair with remote public key</help>
+ <completionHelp>
+ <path>pki key-pair</path>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/ipsec/authentication-x509.xml.i b/interface-definitions/include/ipsec/authentication-x509.xml.i
new file mode 100644
index 000000000..db675c0bf
--- /dev/null
+++ b/interface-definitions/include/ipsec/authentication-x509.xml.i
@@ -0,0 +1,11 @@
+<!-- include start from ipsec/authentication-x509.xml.i -->
+<node name="x509">
+ <properties>
+ <help>X.509 certificate</help>
+ </properties>
+ <children>
+ #include <include/pki/certificate-key.xml.i>
+ #include <include/pki/ca-certificate.xml.i>
+ </children>
+</node>
+<!-- include end -->
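Review bot: The `passphrase` leaf in `authentication-rsa.xml.i` carries no `<valueHelp>`, while the equivalent passphrase leaf in `pki/certificate-key.xml.i` added by this same change documents it with `<format>txt</format>` and `<description>Passphrase to decrypt the private key</description>`; adding the same block here keeps the two passphrase nodes reading alike. `local-key` and `remote-key` complete from `pki key-pair` but have no constraint, so a mistyped name is only caught when the referenced key-pair is resolved, presumably by the config script outside this hunk.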
diff --git a/interface-definitions/include/ipsec/esp-group.xml.i b/interface-definitions/include/ipsec/esp-group.xml.i new file mode 100644 index 000000000..5e5d8197b --- /dev/null +++ b/interface-definitions/include/ipsec/esp-group.xml.i @@ -0,0 +1,10 @@ +<!-- include start from ipsec/esp-group.xml.i --> +<leafNode name="esp-group"> + <properties> + <help>Encapsulating Security Payloads (ESP) group name</help> + <completionHelp> + <path>vpn ipsec esp-group</path> + </completionHelp> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/ipsec/ike-group.xml.i b/interface-definitions/include/ipsec/ike-group.xml.i new file mode 100644 index 000000000..f7649ed30 --- /dev/null +++ b/interface-definitions/include/ipsec/ike-group.xml.i @@ -0,0 +1,10 @@ +<!-- include start from ipsec/ike-group.xml.i --> +<leafNode name="ike-group"> + <properties> + <help>Internet Key Exchange (IKE) group name</help> + <completionHelp> + <path>vpn ipsec ike-group</path> + </completionHelp> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/ipsec/local-address.xml.i b/interface-definitions/include/ipsec/local-address.xml.i new file mode 100644 index 000000000..2de6ecb1f --- /dev/null +++ b/interface-definitions/include/ipsec/local-address.xml.i 
@@ -0,0 +1,27 @@ +<!-- include start from ipsec/local-address.xml.i --> +<leafNode name="local-address"> + <properties> + <help>IPv4 or IPv6 address of a local interface to use for VPN</help> + <completionHelp> + <list>any</list> + </completionHelp> + <valueHelp> + <format>ipv4</format> + <description>IPv4 address of a local interface for VPN</description> + </valueHelp> + <valueHelp> + <format>ipv6</format> + <description>IPv6 address of a local interface for VPN</description> + </valueHelp> + <valueHelp> + <format>any</format> + <description>Allow any IPv4 address present on the system to be used for VPN</description> + </valueHelp> + <constraint> + <validator name="ipv4-address"/> + <validator name="ipv6-address"/> + <regex>^(any)$</regex> + </constraint> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/ipsec/local-traffic-selector.xml.i b/interface-definitions/include/ipsec/local-traffic-selector.xml.i new file mode 100644 index 000000000..d30a6d11a --- /dev/null +++ b/interface-definitions/include/ipsec/local-traffic-selector.xml.i @@ -0,0 +1,28 @@ +<!-- include start from ipsec/local-traffic-selector.xml.i --> +<node name="local"> + <properties> + <help>Local parameters for interesting traffic</help> + </properties> + <children> + #include <include/port-number.xml.i> + <leafNode name="prefix"> + <properties> + <help>Local IPv4 or IPv6 prefix</help> + <valueHelp> + <format>ipv4</format> + <description>Local IPv4 prefix</description> + </valueHelp> + <valueHelp> + <format>ipv6</format> + <description>Local IPv6 prefix</description> + </valueHelp> + <constraint> + <validator name="ipv4-prefix"/> + <validator name="ipv6-prefix"/> + </constraint> + <multi/> + </properties> + </leafNode> + </children> +</node> +<!-- include end --> 
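Review bot: The `any` valueHelp says `Allow any IPv4 address present on the system`, but the leaf's help text and constraint (`ipv4-address` and `ipv6-address` validators) accept IPv6 addresses too, so the description is narrower than the accepted value set. If `any` is meant to cover both families, change it to `<description>Allow any address present on the system to be used for VPN</description>`; if it really is IPv4-only, say so in the leaf help. The `<list>any</list>` completion and the `^(any)$` regex agree with each other, so the constraint itself looks consistent.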
diff --git a/interface-definitions/include/isis/default-information-level.xml.i b/interface-definitions/include/isis/default-information-level.xml.i new file mode 100644 index 000000000..5ade72a4b --- /dev/null +++ b/interface-definitions/include/isis/default-information-level.xml.i @@ -0,0 +1,32 @@ +<!-- include start from isis/default-information-level.xml.i --> +<node name="level-1"> + <properties> + <help>Distribute default route into level-1</help> + </properties> + <children> + <leafNode name="always"> + <properties> + <help>Always advertise default route</help> + <valueless/> + </properties> + </leafNode> + #include <include/isis/metric.xml.i> + #include <include/route-map.xml.i> + </children> +</node> +<node name="level-2"> + <properties> + <help>Distribute default route into level-2</help> + </properties> + <children> + <leafNode name="always"> + <properties> + <help>Always advertise default route</help> + <valueless/> + </properties> + </leafNode> + #include <include/isis/metric.xml.i> + #include <include/route-map.xml.i> + </children> +</node> +<!-- include end --> diff --git a/interface-definitions/include/isis/metric.xml.i b/interface-definitions/include/isis/metric.xml.i new file mode 100644 index 000000000..30e2cdc10 --- /dev/null +++ b/interface-definitions/include/isis/metric.xml.i @@ -0,0 +1,14 @@ +<!-- include start from isis/metric.xml.i --> +<leafNode name="metric"> + <properties> + <help>Set default metric for circuit</help> + <valueHelp> + <format>u32:0-16777215</format> + <description>Default metric value</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-16777215"/> + </constraint> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/isis/protocol-common-config.xml.i b/interface-definitions/include/isis/protocol-common-config.xml.i index c4a913385..af5a21f49 100644 --- a/interface-definitions/include/isis/protocol-common-config.xml.i 
+++ b/interface-definitions/include/isis/protocol-common-config.xml.i @@ -39,18 +39,7 @@ <help>Distribute default route for IPv4</help> </properties> <children> - <leafNode name="level-1"> - <properties> - <help>Distribute default route into level-1</help> - <valueless/> - </properties> - </leafNode> - <leafNode name="level-2"> - <properties> - <help>Distribute default route into level-2</help> - <valueless/> - </properties> - </leafNode> + #include <include/isis/default-information-level.xml.i> </children> </node> <node name="ipv6"> @@ -58,30 +47,7 @@ <help>Distribute default route for IPv6</help> </properties> <children> - <leafNode name="level-1"> - <properties> - <help>Distribute default route into level-1</help> - <completionHelp> - <list>always</list> - </completionHelp> - <valueHelp> - <format>always</format> - <description>Always advertise default route</description> - </valueHelp> - </properties> - </leafNode> - <leafNode name="level-2"> - <properties> - <help>Distribute default route into level-2</help> - <completionHelp> - <list>always</list> - </completionHelp> - <valueHelp> - <format>always</format> - <description>Always advertise default route</description> - </valueHelp> - </properties> - </leafNode> + #include <include/isis/default-information-level.xml.i> </children> </node> </children> @@ -102,7 +68,6 @@ </valueHelp> </properties> </leafNode> -<!-- <leafNode name="md5"> <properties> <help>MD5 authentication type</help> @@ -112,7 +77,6 @@ </valueHelp> </properties> </leafNode> ---> </children> </node> <leafNode name="dynamic-hostname"> @@ -144,6 +108,12 @@ </constraint> </properties> </leafNode> +<leafNode name="log-adjacency-changes"> + <properties> + <help>Log adjacency state changes</help> + <valueless/> + </properties> +</leafNode> <leafNode name="lsp-gen-interval"> <properties> <help>Minimum interval between regenerating same LSP</help> 
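Review bot: Replacing the valueless `level-1`/`level-2` leafNodes under `default-information originate ipv4` with `#include <include/isis/default-information-level.xml.i>` turns them into nodes with `always`, `metric` and `route-map` children, which changes the saved-config syntax from `level-1` to `level-1 { ... }`; the second hunk of this file does the same for `ipv6`, where the former `level-1 always` value becomes a child leaf. Unless a migration script elsewhere in this change rewrites existing configurations, a config saved in the old form will presumably fail to load after upgrade. A comment at the include site, `<!-- level-1/level-2 are now nodes; configs using the old leaf form need migration -->`, or a note in the commit message would make that dependency visible.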
@@ -522,6 +492,61 @@ </node> </children> </node> + <node name="ipv6"> + <properties> + <help>Redistribute IPv6 routes</help> + </properties> + <children> + <node name="bgp"> + <properties> + <help>Redistribute BGP routes into IS-IS</help> + </properties> + <children> + #include <include/isis/redistribute-ipv6.xml.i> + </children> + </node> + <node name="connected"> + <properties> + <help>Redistribute connected routes into IS-IS</help> + </properties> + <children> + #include <include/isis/redistribute-ipv6.xml.i> + </children> + </node> + <node name="kernel"> + <properties> + <help>Redistribute kernel routes into IS-IS</help> + </properties> + <children> + #include <include/isis/redistribute-ipv6.xml.i> + </children> + </node> + <node name="ospf6"> + <properties> + <help>Redistribute OSPFv3 routes into IS-IS</help> + </properties> + <children> + #include <include/isis/redistribute-ipv6.xml.i> + </children> + </node> + <node name="ripng"> + <properties> + <help>Redistribute RIPng routes into IS-IS</help> + </properties> + <children> + #include <include/isis/redistribute-ipv6.xml.i> + </children> + </node> + <node name="static"> + <properties> + <help>Redistribute static routes into IS-IS</help> + </properties> + <children> + #include <include/isis/redistribute-ipv6.xml.i> + </children> + </node> + </children> + </node> </children> </node> <leafNode name="set-attached-bit"> @@ -570,7 +595,7 @@ <help>Delay used while in LONG_WAIT</help> <valueHelp> <format>u32:0-60000</format> - <description>Delay used while in LONG_WAIT state (in ms)</description> + <description>Delay used while in LONG_WAIT state in ms</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 0-60000"/> 
@@ -582,7 +607,7 @@ <help>Time with no received IGP events before considering IGP stable</help> <valueHelp> <format>u32:0-60000</format> - <description>Time with no received IGP events before considering IGP stable (in ms)</description> + <description>Time with no received IGP events before considering IGP stable in ms</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 0-60000"/> @@ -594,7 +619,7 @@ <help>Maximum duration needed to learn all the events related to a single failure</help> <valueHelp> <format>u32:0-60000</format> - <description>Maximum duration needed to learn all the events related to a single failure (in ms)</description> + <description>Maximum duration needed to learn all the events related to a single failure in ms</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 0-60000"/> @@ -608,7 +633,7 @@ <help>Minimum interval between SPF calculations</help> <valueHelp> <format>u32:1-120</format> - <description>Minimum interval between consecutive SPFs in seconds</description> + <description>Interval in seconds</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-120"/> @@ -677,18 +702,7 @@ </constraint> </properties> </leafNode> - <leafNode name="metric"> - <properties> - <help>Set default metric for circuit</help> - <valueHelp> - <format>u32:0-16777215</format> - <description>Default metric value</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 0-16777215"/> - </constraint> - </properties> - </leafNode> + #include <include/isis/metric.xml.i> <node name="network"> <properties> <help>Set network type</help> 
@@ -733,10 +747,10 @@ </leafNode> <leafNode name="psnp-interval"> <properties> - <help>Set PSNP interval in seconds</help> + <help>Set PSNP interval</help> <valueHelp> <format>u32:0-127</format> - <description>Priority value</description> + <description>PSNP interval in seconds</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 0-127"/> @@ -752,4 +766,4 @@ </children> </tagNode> #include <include/route-map.xml.i> -<!-- include end --> +<!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/isis/redistribute-ipv6.xml.i b/interface-definitions/include/isis/redistribute-ipv6.xml.i new file mode 100644 index 000000000..7e679e38a --- /dev/null +++ b/interface-definitions/include/isis/redistribute-ipv6.xml.i @@ -0,0 +1,42 @@ +<!-- include start from isis/redistribute-ipv6.xml.i --> +<node name="level-1"> + <properties> + <help>Redistribute into level-1</help> + </properties> + <children> + <leafNode name="metric"> + <properties> + <help>Metric for redistributed routes</help> + <valueHelp> + <format>u32:0-16777215</format> + <description>ISIS default metric</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-16777215"/> + </constraint> + </properties> + </leafNode> + #include <include/route-map.xml.i> + </children> +</node> +<node name="level-2"> + <properties> + <help>Redistribute into level-2</help> + </properties> + <children> + <leafNode name="metric"> + <properties> + <help>Metric for redistributed routes</help> + <valueHelp> + <format>u32:0-16777215</format> + <description>ISIS default metric</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-16777215"/> + </constraint> + </properties> + </leafNode> + #include <include/route-map.xml.i> + </children> +</node> +<!-- include end -->
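Review bot: The last hunk of `protocol-common-config.xml.i` rewrites the final `<!-- include end -->` line only to drop its terminating newline (`\ No newline at end of file` on the new side), which is a regression rather than an intended change; keep the newline so the file ends as it did. The new `isis/redistribute-ipv6.xml.i` in the next hunk is missing the terminator as well. Since these `.i` fragments are presumably spliced into parent definitions at their `#include` lines, a final newline keeps the include-end comment and whatever follows it on separate lines.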
\ No newline at end of file
diff --git a/interface-definitions/include/nat-translation-options.xml.i b/interface-definitions/include/nat-translation-options.xml.i
new file mode 100644
index 000000000..defc8c0d5
--- /dev/null
+++ b/interface-definitions/include/nat-translation-options.xml.i
@@ -0,0 +1,51 @@
+<!-- include start from nat-translation-options.xml.i -->
+<node name="options">
+ <properties>
+ <help>Translation options</help>
+ </properties>
+ <children>
+ <leafNode name="address-mapping">
+ <properties>
+ <help>Address mapping options</help>
+ <completionHelp>
+ <list>persistent random</list>
+ </completionHelp>
+ <valueHelp>
+ <format>persistent</format>
+ <description>Gives a client the same source or destination-address for each connection</description>
+ </valueHelp>
+ <valueHelp>
+ <format>random</format>
+ <description>Random source or destination address allocation for each connection (defaut)</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(persistent|random)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="port-mapping">
+ <properties>
+ <help>Port mapping options</help>
+ <completionHelp>
+ <list>random fully-random none</list>
+ </completionHelp>
+ <valueHelp>
+ <format>random</format>
+ <description>Randomize source port mapping</description>
+ </valueHelp>
+ <valueHelp>
+ <format>fully-random</format>
+ <description>Full port randomization</description>
+ </valueHelp>
+ <valueHelp>
+ <format>none</format>
+ <description>Do not apply port randomization (default)</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(random|fully-random|none)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/pki/ca-certificate.xml.i b/interface-definitions/include/pki/ca-certificate.xml.i
new file mode 100644
index 000000000..14295a281
--- /dev/null
+++ b/interface-definitions/include/pki/ca-certificate.xml.i
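Review bot: The `random` valueHelp under `address-mapping` has a typo in user-facing text, `(defaut)`; the `port-mapping` leaf below spells it correctly. Change the line to `<description>Random source or destination address allocation for each connection (default)</description>`. The `persistent` description would also read better as `same source or destination address`, matching the wording of its sibling.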
@@ -0,0 +1,14 @@ +<!-- include start from pki/ca-certificate.xml.i --> +<leafNode name="ca-certificate"> + <properties> + <help>Certificate Authority in PKI configuration</help> + <valueHelp> + <format>CA name</format> + <description>Name of CA in PKI configuration</description> + </valueHelp> + <completionHelp> + <path>pki ca</path> + </completionHelp> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/pki/certificate-key.xml.i b/interface-definitions/include/pki/certificate-key.xml.i new file mode 100644 index 000000000..7f26d25c1 --- /dev/null +++ b/interface-definitions/include/pki/certificate-key.xml.i @@ -0,0 +1,12 @@ +<!-- include start from pki/certificate-key.xml.i --> +#include <include/pki/certificate.xml.i> +<leafNode name="passphrase"> + <properties> + <help>Private key passphrase</help> + <valueHelp> + <format>txt</format> + <description>Passphrase to decrypt the private key</description> + </valueHelp> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/pki/certificate.xml.i b/interface-definitions/include/pki/certificate.xml.i new file mode 100644 index 000000000..436aa90ba --- /dev/null +++ b/interface-definitions/include/pki/certificate.xml.i @@ -0,0 +1,14 @@ +<!-- include start from pki/certificate.xml.i --> +<leafNode name="certificate"> + <properties> + <help>Certificate in PKI configuration</help> + <valueHelp> + <format>cert name</format> + <description>Name of certificate in PKI configuration</description> + </valueHelp> + <completionHelp> + <path>pki certificate</path> + </completionHelp> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/pki/private-key.xml.i b/interface-definitions/include/pki/private-key.xml.i new file mode 100644 index 000000000..6099daa89 --- /dev/null +++ b/interface-definitions/include/pki/private-key.xml.i 
@@ -0,0 +1,30 @@ +<!-- include start from pki/private-key.xml.i --> +<node name="private"> + <properties> + <help>Private key</help> + </properties> + <children> + <leafNode name="key"> + <properties> + <help>Private key in PKI configuration</help> + <valueHelp> + <format>key name</format> + <description>Name of private key in PKI configuration</description> + </valueHelp> + <completionHelp> + <path>pki key-pair</path> + </completionHelp> + </properties> + </leafNode> + <leafNode name="passphrase"> + <properties> + <help>Private key passphrase</help> + <valueHelp> + <format>txt</format> + <description>Passphrase to decrypt the private key</description> + </valueHelp> + </properties> + </leafNode> + </children> +</node> +<!-- include end --> diff --git a/interface-definitions/include/pki/public-key.xml.i b/interface-definitions/include/pki/public-key.xml.i new file mode 100644 index 000000000..dfc6979fd --- /dev/null +++ b/interface-definitions/include/pki/public-key.xml.i @@ -0,0 +1,14 @@ +<!-- include start from pki/public-key.xml.i --> +<leafNode name="public-key"> + <properties> + <help>Public key in PKI configuration</help> + <valueHelp> + <format>key name</format> + <description>Name of public key in PKI configuration</description> + </valueHelp> + <completionHelp> + <path>pki key-pair</path> + </completionHelp> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/radius-nas-identifier.xml.i b/interface-definitions/include/radius-nas-identifier.xml.i new file mode 100644 index 000000000..8e6933cc0 --- /dev/null +++ b/interface-definitions/include/radius-nas-identifier.xml.i @@ -0,0 +1,7 @@ +<!-- include start from radius-nas-identifier.xml.i --> +<leafNode name="nas-identifier"> + <properties> + <help>NAS-Identifier attribute sent to RADIUS</help> + </properties> +</leafNode> +<!-- include end --> 
diff --git a/interface-definitions/include/ssh-group.xml.i b/interface-definitions/include/ssh-group.xml.i
new file mode 100644
index 000000000..9c8b8692f
--- /dev/null
+++ b/interface-definitions/include/ssh-group.xml.i
@@ -0,0 +1,12 @@
+<!-- include start from ssh-group.xml.i -->
+<leafNode name="group">
+ <properties>
+ <help>Allow members of a group to login</help>
+ <constraint>
+ <regex>[a-z_][a-z0-9_-]{1,31}[$]?</regex>
+ </constraint>
+ <constraintErrorMessage>illegal characters or more than 32 characters</constraintErrorMessage>
+ <multi/>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/ssh-user.xml.i b/interface-definitions/include/ssh-user.xml.i
new file mode 100644
index 000000000..677602dd8
--- /dev/null
+++ b/interface-definitions/include/ssh-user.xml.i
@@ -0,0 +1,12 @@
+<!-- include start from ssh-user.xml.i -->
+<leafNode name="user">
+ <properties>
+ <help>Allow specific users to login</help>
+ <constraint>
+ <regex>[a-z_][a-z0-9_-]{1,31}[$]?</regex>
+ </constraint>
+ <constraintErrorMessage>illegal characters or more than 32 characters</constraintErrorMessage>
+ <multi/>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/static/static-route.xml.i b/interface-definitions/include/static/static-route.xml.i
index 254ea3163..21babc015 100644
--- a/interface-definitions/include/static/static-route.xml.i
+++ b/interface-definitions/include/static/static-route.xml.i
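Review bot: The `group` regex `[a-z_][a-z0-9_-]{1,31}[$]?` requires at least two characters, so a one-character group name is rejected with a `constraintErrorMessage` that only mentions illegal characters or exceeding 32 characters, and the same pattern is repeated in `ssh-user.xml.i` in the next hunk. It is also unanchored, unlike the `^(…)$` patterns used elsewhere in this change, so unless the validator applies a full match, extra leading or trailing characters would pass the constraint and reach whatever login allow-list these values are rendered into. `<regex>^[a-z_][a-z0-9_-]{0,31}[$]?$</regex>` in both files matches the documented limit and the error text, the trailing `$` of machine accounts aside.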
@@ -31,21 +31,7 @@ </leafNode> </children> </node> - <leafNode name="dhcp-interface"> - <properties> - <help>DHCP interface supplying next-hop IP address</help> - <completionHelp> - <script>${vyos_completion_dir}/list_interfaces.py</script> - </completionHelp> - <valueHelp> - <format>txt</format> - <description>DHCP interface name</description> - </valueHelp> - <constraint> - <validator name="interface-name"/> - </constraint> - </properties> - </leafNode> + #include <include/dhcp-interface.xml.i> <tagNode name="interface"> <properties> <help>Next-hop IPv4 router interface</help> diff --git a/interface-definitions/include/vpn-ipsec-encryption.xml.i b/interface-definitions/include/vpn-ipsec-encryption.xml.i index 041ba9902..9ef2f7c90 100644 --- a/interface-definitions/include/vpn-ipsec-encryption.xml.i +++ b/interface-definitions/include/vpn-ipsec-encryption.xml.i 
@@ -1,233 +1,233 @@ <!-- include start from vpn-ipsec-encryption.xml.i --> - <leafNode name="encryption"> - <properties> - <help>Encryption algorithm</help> - <completionHelp> - <list>null aes128 aes192 aes256 aes128ctr aes192ctr aes256ctr aes128ccm64 aes192ccm64 aes256ccm64 aes128ccm96 aes192ccm96 aes256ccm96 aes128ccm128 aes192ccm128 aes256ccm128 aes128gcm64 aes192gcm64 aes256gcm64 aes128gcm96 aes192gcm96 aes256gcm96 aes128gcm128 aes192gcm128 aes256gcm128 aes128gmac aes192gmac aes256gmac 3des blowfish128 blowfish192 blowfish256 camellia128 camellia192 camellia256 camellia128ctr camellia192ctr camellia256ctr camellia128ccm64 camellia192ccm64 camellia256ccm64 camellia128ccm96 camellia192ccm96 camellia256ccm96 camellia128ccm128 camellia192ccm128 camellia256ccm128 serpent128 serpent192 serpent256 twofish128 twofish192 twofish256 cast128 chacha20poly1305</list> - </completionHelp> - <valueHelp> - <format>null</format> - <description>Null encryption</description> - </valueHelp> - <valueHelp> - <format>aes128</format> - <description>128 bit AES-CBC (default)</description> - </valueHelp> - <valueHelp> - <format>aes192</format> - <description>192 bit AES-CBC</description> - </valueHelp> - <valueHelp> - <format>aes256</format> - <description>256 bit AES-CBC</description> - </valueHelp> - <valueHelp> - <format>aes128ctr</format> - <description>128 bit AES-COUNTER</description> - </valueHelp> - <valueHelp> - <format>aes192ctr</format> - <description>192 bit AES-COUNTER</description> - </valueHelp> - <valueHelp> - <format>aes256ctr</format> - <description>256 bit AES-COUNTER</description> - </valueHelp> - <valueHelp> - <format>aes128ccm64</format> - <description>128 bit AES-CCM with 64 bit ICV</description> - </valueHelp> - <valueHelp> - <format>aes192ccm64</format> - <description>192 bit AES-CCM with 64 bit ICV</description> - </valueHelp> - <valueHelp> - <format>aes256ccm64</format> - <description>256 bit AES-CCM with 64 bit ICV</description> - </valueHelp> - <valueHelp> - 
<format>aes128ccm96</format> - <description>128 bit AES-CCM with 96 bit ICV</description> - </valueHelp> - <valueHelp> - <format>aes192ccm96</format> - <description>192 bit AES-CCM with 96 bit ICV</description> - </valueHelp> - <valueHelp> - <format>aes256ccm96</format> - <description>256 bit AES-CCM with 96 bit ICV</description> - </valueHelp> - <valueHelp> - <format>aes128ccm128</format> - <description>128 bit AES-CCM with 128 bit ICV</description> - </valueHelp> - <valueHelp> - <format>aes192ccm128</format> - <description>192 bit AES-CCM with 128 bit IC</description> - </valueHelp> - <valueHelp> - <format>aes256ccm128</format> - <description>256 bit AES-CCM with 128 bit ICV</description> - </valueHelp> - <valueHelp> - <format>aes128gcm64</format> - <description>128 bit AES-GCM with 64 bit ICV</description> - </valueHelp> - <valueHelp> - <format>aes192gcm64</format> - <description>192 bit AES-GCM with 64 bit ICV</description> - </valueHelp> - <valueHelp> - <format>aes256gcm64</format> - <description>256 bit AES-GCM with 64 bit ICV</description> - </valueHelp> - <valueHelp> - <format>aes128gcm96</format> - <description>128 bit AES-GCM with 96 bit ICV</description> - </valueHelp> - <valueHelp> - <format>aes192gcm96</format> - <description>192 bit AES-GCM with 96 bit ICV</description> - </valueHelp> - <valueHelp> - <format>aes256gcm96</format> - <description>256 bit AES-GCM with 96 bit ICV</description> - </valueHelp> - <valueHelp> - <format>aes128gcm128</format> - <description>128 bit AES-GCM with 128 bit ICV</description> - </valueHelp> - <valueHelp> - <format>aes192gcm128</format> - <description>192 bit AES-GCM with 128 bit ICV</description> - </valueHelp> - <valueHelp> - <format>aes256gcm128</format> - <description>256 bit AES-GCM with 128 bit ICV</description> - </valueHelp> - <valueHelp> - <format>aes128gmac</format> - <description>Null encryption with 128 bit AES-GMAC</description> - </valueHelp> - <valueHelp> - <format>aes192gmac</format> - <description>Null 
encryption with 192 bit AES-GMAC</description> - </valueHelp> - <valueHelp> - <format>aes256gmac</format> - <description>Null encryption with 256 bit AES-GMAC</description> - </valueHelp> - <valueHelp> - <format>3des</format> - <description>168 bit 3DES-EDE-CBC</description> - </valueHelp> - <valueHelp> - <format>blowfish128</format> - <description>128 bit Blowfish-CBC</description> - </valueHelp> - <valueHelp> - <format>blowfish192</format> - <description>192 bit Blowfish-CBC</description> - </valueHelp> - <valueHelp> - <format>blowfish256</format> - <description>256 bit Blowfish-CBC</description> - </valueHelp> - <valueHelp> - <format>camellia128</format> - <description>128 bit Camellia-CBC</description> - </valueHelp> - <valueHelp> - <format>camellia192</format> - <description>192 bit Camellia-CBC</description> - </valueHelp> - <valueHelp> - <format>camellia256</format> - <description>256 bit Camellia-CBC</description> - </valueHelp> - <valueHelp> - <format>camellia128ctr</format> - <description>128 bit Camellia-COUNTER</description> - </valueHelp> - <valueHelp> - <format>camellia192ctr</format> - <description>192 bit Camellia-COUNTER</description> - </valueHelp> - <valueHelp> - <format>camellia256ctr</format> - <description>256 bit Camellia-COUNTER</description> - </valueHelp> - <valueHelp> - <format>camellia128ccm64</format> - <description>128 bit Camellia-CCM with 64 bit ICV</description> - </valueHelp> - <valueHelp> - <format>camellia192ccm64</format> - <description>192 bit Camellia-CCM with 64 bit ICV</description> - </valueHelp> - <valueHelp> - <format>camellia256ccm64</format> - <description>256 bit Camellia-CCM with 64 bit ICV</description> - </valueHelp> - <valueHelp> - <format>camellia128ccm96</format> - <description>128 bit Camellia-CCM with 96 bit ICV</description> - </valueHelp> - <valueHelp> - <format>camellia192ccm96</format> - <description>192 bit Camellia-CCM with 96 bit ICV</description> - </valueHelp> - <valueHelp> - 
<format>camellia256ccm96</format> - <description>256 bit Camellia-CCM with 96 bit ICV</description> - </valueHelp> - <valueHelp> - <format>camellia128ccm128</format> - <description>128 bit Camellia-CCM with 128 bit ICV</description> - </valueHelp> - <valueHelp> - <format>camellia192ccm128</format> - <description>192 bit Camellia-CCM with 128 bit ICV</description> - </valueHelp> - <valueHelp> - <format>camellia256ccm128</format> - <description>256 bit Camellia-CCM with 128 bit ICV</description> - </valueHelp> - <valueHelp> - <format>serpent128</format> - <description>128 bit Serpent-CBC</description> - </valueHelp> - <valueHelp> - <format>serpent192</format> - <description>192 bit Serpent-CBC</description> - </valueHelp> - <valueHelp> - <format>serpent256</format> - <description>256 bit Serpent-CBC</description> - </valueHelp> - <valueHelp> - <format>twofish128</format> - <description>128 bit Twofish-CBC</description> - </valueHelp> - <valueHelp> - <format>twofish192</format> - <description>192 bit Twofish-CBC</description> - </valueHelp> - <valueHelp> - <format>twofish256</format> - <description>256 bit Twofish-CBC</description> - </valueHelp> - <valueHelp> - <format>cast128</format> - <description>128 bit CAST-CBC</description> - </valueHelp> - <valueHelp> - <format>chacha20poly1305</format> - <description>256 bit ChaCha20/Poly1305 with 128 bit ICV</description> - </valueHelp> - <constraint> - 
<regex>^(null|aes128|aes192|aes256|aes128ctr|aes192ctr|aes256ctr|aes128ccm64|aes192ccm64|aes256ccm64|aes128ccm96|aes192ccm96|aes256ccm96|aes128ccm128|aes192ccm128|aes256ccm128|aes128gcm64|aes192gcm64|aes256gcm64|aes128gcm96|aes192gcm96|aes256gcm96|aes128gcm128|aes192gcm128|aes256gcm128|aes128gmac|aes192gmac|aes256gmac|3des|blowfish128|blowfish192|blowfish256|camellia128|camellia192|camellia256|camellia128ctr|camellia192ctr|camellia256ctr|camellia128ccm64|camellia192ccm64|camellia256ccm64|camellia128ccm96|camellia192ccm96|camellia256ccm96|camellia128ccm128|camellia192ccm128|camellia256ccm128|serpent128|serpent192|serpent256|twofish128|twofish192|twofish256|cast128|chacha20poly1305)$</regex> - </constraint> - </properties> - </leafNode> +<leafNode name="encryption"> + <properties> + <help>Encryption algorithm</help> + <completionHelp> + <list>null aes128 aes192 aes256 aes128ctr aes192ctr aes256ctr aes128ccm64 aes192ccm64 aes256ccm64 aes128ccm96 aes192ccm96 aes256ccm96 aes128ccm128 aes192ccm128 aes256ccm128 aes128gcm64 aes192gcm64 aes256gcm64 aes128gcm96 aes192gcm96 aes256gcm96 aes128gcm128 aes192gcm128 aes256gcm128 aes128gmac aes192gmac aes256gmac 3des blowfish128 blowfish192 blowfish256 camellia128 camellia192 camellia256 camellia128ctr camellia192ctr camellia256ctr camellia128ccm64 camellia192ccm64 camellia256ccm64 camellia128ccm96 camellia192ccm96 camellia256ccm96 camellia128ccm128 camellia192ccm128 camellia256ccm128 serpent128 serpent192 serpent256 twofish128 twofish192 twofish256 cast128 chacha20poly1305</list> + </completionHelp> + <valueHelp> + <format>null</format> + <description>Null encryption</description> + </valueHelp> + <valueHelp> + <format>aes128</format> + <description>128 bit AES-CBC (default)</description> + </valueHelp> + <valueHelp> + <format>aes192</format> + <description>192 bit AES-CBC</description> + </valueHelp> + <valueHelp> + <format>aes256</format> + <description>256 bit AES-CBC</description> + </valueHelp> + <valueHelp> + 
<format>aes128ctr</format> + <description>128 bit AES-COUNTER</description> + </valueHelp> + <valueHelp> + <format>aes192ctr</format> + <description>192 bit AES-COUNTER</description> + </valueHelp> + <valueHelp> + <format>aes256ctr</format> + <description>256 bit AES-COUNTER</description> + </valueHelp> + <valueHelp> + <format>aes128ccm64</format> + <description>128 bit AES-CCM with 64 bit ICV</description> + </valueHelp> + <valueHelp> + <format>aes192ccm64</format> + <description>192 bit AES-CCM with 64 bit ICV</description> + </valueHelp> + <valueHelp> + <format>aes256ccm64</format> + <description>256 bit AES-CCM with 64 bit ICV</description> + </valueHelp> + <valueHelp> + <format>aes128ccm96</format> + <description>128 bit AES-CCM with 96 bit ICV</description> + </valueHelp> + <valueHelp> + <format>aes192ccm96</format> + <description>192 bit AES-CCM with 96 bit ICV</description> + </valueHelp> + <valueHelp> + <format>aes256ccm96</format> + <description>256 bit AES-CCM with 96 bit ICV</description> + </valueHelp> + <valueHelp> + <format>aes128ccm128</format> + <description>128 bit AES-CCM with 128 bit ICV</description> + </valueHelp> + <valueHelp> + <format>aes192ccm128</format> + <description>192 bit AES-CCM with 128 bit IC</description> + </valueHelp> + <valueHelp> + <format>aes256ccm128</format> + <description>256 bit AES-CCM with 128 bit ICV</description> + </valueHelp> + <valueHelp> + <format>aes128gcm64</format> + <description>128 bit AES-GCM with 64 bit ICV</description> + </valueHelp> + <valueHelp> + <format>aes192gcm64</format> + <description>192 bit AES-GCM with 64 bit ICV</description> + </valueHelp> + <valueHelp> + <format>aes256gcm64</format> + <description>256 bit AES-GCM with 64 bit ICV</description> + </valueHelp> + <valueHelp> + <format>aes128gcm96</format> + <description>128 bit AES-GCM with 96 bit ICV</description> + </valueHelp> + <valueHelp> + <format>aes192gcm96</format> + <description>192 bit AES-GCM with 96 bit ICV</description> + 
</valueHelp> + <valueHelp> + <format>aes256gcm96</format> + <description>256 bit AES-GCM with 96 bit ICV</description> + </valueHelp> + <valueHelp> + <format>aes128gcm128</format> + <description>128 bit AES-GCM with 128 bit ICV</description> + </valueHelp> + <valueHelp> + <format>aes192gcm128</format> + <description>192 bit AES-GCM with 128 bit ICV</description> + </valueHelp> + <valueHelp> + <format>aes256gcm128</format> + <description>256 bit AES-GCM with 128 bit ICV</description> + </valueHelp> + <valueHelp> + <format>aes128gmac</format> + <description>Null encryption with 128 bit AES-GMAC</description> + </valueHelp> + <valueHelp> + <format>aes192gmac</format> + <description>Null encryption with 192 bit AES-GMAC</description> + </valueHelp> + <valueHelp> + <format>aes256gmac</format> + <description>Null encryption with 256 bit AES-GMAC</description> + </valueHelp> + <valueHelp> + <format>3des</format> + <description>168 bit 3DES-EDE-CBC</description> + </valueHelp> + <valueHelp> + <format>blowfish128</format> + <description>128 bit Blowfish-CBC</description> + </valueHelp> + <valueHelp> + <format>blowfish192</format> + <description>192 bit Blowfish-CBC</description> + </valueHelp> + <valueHelp> + <format>blowfish256</format> + <description>256 bit Blowfish-CBC</description> + </valueHelp> + <valueHelp> + <format>camellia128</format> + <description>128 bit Camellia-CBC</description> + </valueHelp> + <valueHelp> + <format>camellia192</format> + <description>192 bit Camellia-CBC</description> + </valueHelp> + <valueHelp> + <format>camellia256</format> + <description>256 bit Camellia-CBC</description> + </valueHelp> + <valueHelp> + <format>camellia128ctr</format> + <description>128 bit Camellia-COUNTER</description> + </valueHelp> + <valueHelp> + <format>camellia192ctr</format> + <description>192 bit Camellia-COUNTER</description> + </valueHelp> + <valueHelp> + <format>camellia256ctr</format> + <description>256 bit Camellia-COUNTER</description> + </valueHelp> + 
<valueHelp> + <format>camellia128ccm64</format> + <description>128 bit Camellia-CCM with 64 bit ICV</description> + </valueHelp> + <valueHelp> + <format>camellia192ccm64</format> + <description>192 bit Camellia-CCM with 64 bit ICV</description> + </valueHelp> + <valueHelp> + <format>camellia256ccm64</format> + <description>256 bit Camellia-CCM with 64 bit ICV</description> + </valueHelp> + <valueHelp> + <format>camellia128ccm96</format> + <description>128 bit Camellia-CCM with 96 bit ICV</description> + </valueHelp> + <valueHelp> + <format>camellia192ccm96</format> + <description>192 bit Camellia-CCM with 96 bit ICV</description> + </valueHelp> + <valueHelp> + <format>camellia256ccm96</format> + <description>256 bit Camellia-CCM with 96 bit ICV</description> + </valueHelp> + <valueHelp> + <format>camellia128ccm128</format> + <description>128 bit Camellia-CCM with 128 bit ICV</description> + </valueHelp> + <valueHelp> + <format>camellia192ccm128</format> + <description>192 bit Camellia-CCM with 128 bit ICV</description> + </valueHelp> + <valueHelp> + <format>camellia256ccm128</format> + <description>256 bit Camellia-CCM with 128 bit ICV</description> + </valueHelp> + <valueHelp> + <format>serpent128</format> + <description>128 bit Serpent-CBC</description> + </valueHelp> + <valueHelp> + <format>serpent192</format> + <description>192 bit Serpent-CBC</description> + </valueHelp> + <valueHelp> + <format>serpent256</format> + <description>256 bit Serpent-CBC</description> + </valueHelp> + <valueHelp> + <format>twofish128</format> + <description>128 bit Twofish-CBC</description> + </valueHelp> + <valueHelp> + <format>twofish192</format> + <description>192 bit Twofish-CBC</description> + </valueHelp> + <valueHelp> + <format>twofish256</format> + <description>256 bit Twofish-CBC</description> + </valueHelp> + <valueHelp> + <format>cast128</format> + <description>128 bit CAST-CBC</description> + </valueHelp> + <valueHelp> + <format>chacha20poly1305</format> + 
<description>256 bit ChaCha20/Poly1305 with 128 bit ICV</description> + </valueHelp> + <constraint> + <regex>^(null|aes128|aes192|aes256|aes128ctr|aes192ctr|aes256ctr|aes128ccm64|aes192ccm64|aes256ccm64|aes128ccm96|aes192ccm96|aes256ccm96|aes128ccm128|aes192ccm128|aes256ccm128|aes128gcm64|aes192gcm64|aes256gcm64|aes128gcm96|aes192gcm96|aes256gcm96|aes128gcm128|aes192gcm128|aes256gcm128|aes128gmac|aes192gmac|aes256gmac|3des|blowfish128|blowfish192|blowfish256|camellia128|camellia192|camellia256|camellia128ctr|camellia192ctr|camellia256ctr|camellia128ccm64|camellia192ccm64|camellia256ccm64|camellia128ccm96|camellia192ccm96|camellia256ccm96|camellia128ccm128|camellia192ccm128|camellia256ccm128|serpent128|serpent192|serpent256|twofish128|twofish192|twofish256|cast128|chacha20poly1305)$</regex> + </constraint> + </properties> +</leafNode> <!-- include end --> diff --git a/interface-definitions/include/vpn-ipsec-hash.xml.i b/interface-definitions/include/vpn-ipsec-hash.xml.i index 93d57b622..5a06b290e 100644 --- a/interface-definitions/include/vpn-ipsec-hash.xml.i +++ b/interface-definitions/include/vpn-ipsec-hash.xml.i 
@@ -1,65 +1,65 @@ -<!-- include start from pn-ipsec-hash.xml.i --> - <leafNode name="hash"> - <properties> - <help>Hash algorithm</help> - <completionHelp> - <list>md5 md5_128 sha1 sha1_160 sha256 sha256_96 sha384 sha512 aesxcbc aescmac aes128gmac aes192gmac aes256gmac</list> - </completionHelp> - <valueHelp> - <format>md5</format> - <description>MD5 HMAC</description> - </valueHelp> - <valueHelp> - <format>md5_128</format> - <description>MD5_128 HMAC</description> - </valueHelp> - <valueHelp> - <format>sha1</format> - <description>SHA1 HMAC (default)</description> - </valueHelp> - <valueHelp> - <format>sha1_160</format> - <description>SHA1_160 HMAC</description> - </valueHelp> - <valueHelp> - <format>sha256</format> - <description>SHA2_256_128 HMAC</description> - </valueHelp> - <valueHelp> - <format>sha256_96</format> - <description>SHA2_256_96 HMAC</description> - </valueHelp> - <valueHelp> - <format>sha384</format> - <description>SHA2_384_192 HMAC</description> - </valueHelp> - <valueHelp> - <format>sha512</format> - <description>SHA2_512_256 HMAC</description> - </valueHelp> - <valueHelp> - <format>aesxcbc</format> - <description>AES XCBC</description> - </valueHelp> - <valueHelp> - <format>aescmac</format> - <description>AES CMAC</description> - </valueHelp> - <valueHelp> - <format>aes128gmac</format> - <description>128-bit AES-GMAC</description> - </valueHelp> - <valueHelp> - <format>aes192gmac</format> - <description>192-bit AES-GMAC</description> - </valueHelp> - <valueHelp> - <format>aes256gmac</format> - <description>256-bit AES-GMAC</description> - </valueHelp> - <constraint> - <regex>^(md5|md5_128|sha1|sha1_160|sha256|sha256_96|sha384|sha512|aesxcbc|aescmac|aes128gmac|aes192gmac|aes256gmac)$</regex> - </constraint> - </properties> - </leafNode> +<!-- include start from vpn-ipsec-hash.xml.i --> +<leafNode name="hash"> + <properties> + <help>Hash algorithm</help> + <completionHelp> + <list>md5 md5_128 sha1 sha1_160 sha256 sha256_96 sha384 sha512 aesxcbc 
aescmac aes128gmac aes192gmac aes256gmac</list> + </completionHelp> + <valueHelp> + <format>md5</format> + <description>MD5 HMAC</description> + </valueHelp> + <valueHelp> + <format>md5_128</format> + <description>MD5_128 HMAC</description> + </valueHelp> + <valueHelp> + <format>sha1</format> + <description>SHA1 HMAC (default)</description> + </valueHelp> + <valueHelp> + <format>sha1_160</format> + <description>SHA1_160 HMAC</description> + </valueHelp> + <valueHelp> + <format>sha256</format> + <description>SHA2_256_128 HMAC</description> + </valueHelp> + <valueHelp> + <format>sha256_96</format> + <description>SHA2_256_96 HMAC</description> + </valueHelp> + <valueHelp> + <format>sha384</format> + <description>SHA2_384_192 HMAC</description> + </valueHelp> + <valueHelp> + <format>sha512</format> + <description>SHA2_512_256 HMAC</description> + </valueHelp> + <valueHelp> + <format>aesxcbc</format> + <description>AES XCBC</description> + </valueHelp> + <valueHelp> + <format>aescmac</format> + <description>AES CMAC</description> + </valueHelp> + <valueHelp> + <format>aes128gmac</format> + <description>128-bit AES-GMAC</description> + </valueHelp> + <valueHelp> + <format>aes192gmac</format> + <description>192-bit AES-GMAC</description> + </valueHelp> + <valueHelp> + <format>aes256gmac</format> + <description>256-bit AES-GMAC</description> + </valueHelp> + <constraint> + <regex>^(md5|md5_128|sha1|sha1_160|sha256|sha256_96|sha384|sha512|aesxcbc|aescmac|aes128gmac|aes192gmac|aes256gmac)$</regex> + </constraint> + </properties> +</leafNode> <!-- include end --> diff --git a/interface-definitions/interfaces-bonding.xml.in b/interface-definitions/interfaces-bonding.xml.in index 2efdaea3d..4bfc6e730 100644 --- a/interface-definitions/interfaces-bonding.xml.in +++ b/interface-definitions/interfaces-bonding.xml.in 
@@ -60,7 +60,7 @@ <properties> <help>Bonding transmit hash policy</help> <completionHelp> - <list>layer2 layer2+3 layer3+4</list> + <list>layer2 layer2+3 layer3+4 encap2+3 encap3+4</list> </completionHelp> <valueHelp> <format>layer2</format> @@ -74,10 +74,18 @@ <format>layer3+4</format> <description>combine IP address and port to make hash</description> </valueHelp> + <valueHelp> + <format>encap2+3</format> + <description>combine encapsulated MAC address and IP address to make hash</description> + </valueHelp> + <valueHelp> + <format>encap3+4</format> + <description>combine encapsulated IP address and port to make hash</description> + </valueHelp> <constraint> - <regex>^(layer2\+3|layer3\+4|layer2)$</regex> + <regex>^(layer2\+3|layer3\+4|layer2|encap2\+3|encap3\+4)$</regex> </constraint> - <constraintErrorMessage>hash-policy must be layer2 layer2+3 or layer3+4</constraintErrorMessage> + <constraintErrorMessage>hash-policy must be layer2 layer2+3 layer3+4 encap2+3 or encap3+4</constraintErrorMessage> </properties> <defaultValue>layer2</defaultValue> </leafNode> diff --git a/interface-definitions/interfaces-ethernet.xml.in b/interface-definitions/interfaces-ethernet.xml.in index fff8db2d1..cb451f5be 100644 --- a/interface-definitions/interfaces-ethernet.xml.in +++ b/interface-definitions/interfaces-ethernet.xml.in @@ -9,14 +9,14 @@ <properties> <help>Ethernet Interface</help> <priority>318</priority> - <constraint> - <regex>^((eth|lan)[0-9]+|(eno|ens|enp|enx).+)$</regex> - </constraint> - <constraintErrorMessage>Invalid Ethernet interface name</constraintErrorMessage> <valueHelp> <format>ethN</format> <description>Ethernet interface name</description> </valueHelp> + <constraint> + <regex>^((eth|lan)[0-9]+|(eno|ens|enp|enx).+)$</regex> + </constraint> + <constraintErrorMessage>Invalid Ethernet interface name</constraintErrorMessage> </properties> <children> #include <include/interface/address-ipv4-ipv6-dhcp.xml.i> 
@@ -80,6 +80,12 @@ <valueless/> </properties> </leafNode> + <leafNode name="lro"> + <properties> + <help>Enable Large Receive Offload</help> + <valueless/> + </properties> + </leafNode> <leafNode name="rps"> <properties> <help>Enable Receive Packet Steering</help> diff --git a/interface-definitions/interfaces-openvpn.xml.in b/interface-definitions/interfaces-openvpn.xml.in index effbdd674..7ff08ac86 100644 --- a/interface-definitions/interfaces-openvpn.xml.in +++ b/interface-definitions/interfaces-openvpn.xml.in @@ -163,12 +163,6 @@ <multi/> </properties> </leafNode> - <leafNode name="disable-ncp"> - <properties> - <help>Disable support for ncp-ciphers</help> - <valueless/> - </properties> - </leafNode> </children> </node> #include <include/interface/interface-ipv6-options.xml.i> @@ -643,16 +637,12 @@ </leafNode> </children> </node> - <leafNode name="shared-secret-key-file"> + <leafNode name="shared-secret-key"> <properties> - <help>File containing the secret key shared with remote end of tunnel</help> - <valueHelp> - <format>filename</format> - <description>File in /config/auth directory</description> - </valueHelp> - <constraint> - <validator name="file-exists" argument="--directory /config/auth"/> - </constraint> + <help>Secret key shared with remote end of tunnel</help> + <completionHelp> + <path>pki openvpn shared-secret</path> + </completionHelp> </properties> </leafNode> <node name="tls"> 
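Review bot: `shared-secret-key` now accepts any string: the `file-exists` validator was dropped and the new leaf carries only a `completionHelp`, so a typo or a name with no matching `pki openvpn shared-secret` entry passes the parser and is caught, if at all, only by the Python verify step that is not part of this diff. If the configuration backend cannot express "referenced node exists" as a constraint, the help text should at least say what the value is, e.g. `<help>Name of the pki openvpn shared-secret entry shared with the remote end of the tunnel</help>`. The enclosing openvpn tagNode starts and ends outside the hunk.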
@@ -660,55 +650,30 @@ <help>Transport Layer Security (TLS) options</help> </properties> <children> - <leafNode name="auth-file"> + <leafNode name="auth-key"> <properties> - <help>File containing tls static key for tls-auth</help> - <valueHelp> - <format>filename</format> - <description>File in /config/auth directory</description> - </valueHelp> - <constraint> - <validator name="file-exists" argument="--directory /config/auth"/> - </constraint> - </properties> - </leafNode> - #include <include/certificate.xml.i> - #include <include/certificate-ca.xml.i> - <leafNode name="crl-file"> - <properties> - <help>File containing certificate revocation list (CRL) for this host</help> - <valueHelp> - <format>filename</format> - <description>File in /config/auth directory</description> - </valueHelp> - <constraint> - <validator name="file-exists" argument="--directory /config/auth"/> - </constraint> + <help>TLS shared secret key for tls-auth</help> + <completionHelp> + <path>pki openvpn shared-secret</path> + </completionHelp> </properties> </leafNode> - <leafNode name="dh-file"> + #include <include/pki/certificate.xml.i> + #include <include/pki/ca-certificate.xml.i> + <leafNode name="dh-params"> <properties> - <help>File containing Diffie Hellman parameters (server only)</help> - <valueHelp> - <format>filename</format> - <description>File in /config/auth directory</description> - </valueHelp> - <constraint> - <validator name="file-exists" argument="--directory /config/auth"/> - </constraint> + <help>Diffie Hellman parameters (server only)</help> + <completionHelp> + <path>pki dh</path> + </completionHelp> </properties> </leafNode> - #include <include/certificate-key.xml.i> - <leafNode name="crypt-file"> + <leafNode name="crypt-key"> <properties> - <help>File containing encryption key to authenticate control channel</help> - <valueHelp> - <format>filename</format> - <description>File in /config/auth directory</description> - </valueHelp> - <constraint> - <validator 
name="file-exists" argument="--directory /config/auth"/> - </constraint> + <help>Static key to use to authenticate control channel</help> + <completionHelp> + <path>pki openvpn shared-secret</path> + </completionHelp> </properties> </leafNode> <leafNode name="tls-version-min"> diff --git a/interface-definitions/interfaces-pppoe.xml.in b/interface-definitions/interfaces-pppoe.xml.in index 8c2b50eba..96479e057 100644 --- a/interface-definitions/interfaces-pppoe.xml.in +++ b/interface-definitions/interfaces-pppoe.xml.in @@ -25,23 +25,7 @@ <constraintErrorMessage>Access concentrator name must be composed of uppper and lower case letters or numbers only</constraintErrorMessage> </properties> </leafNode> - <node name="authentication"> - <properties> - <help>Authentication settings</help> - </properties> - <children> - <leafNode name="user"> - <properties> - <help>User name</help> - </properties> - </leafNode> - <leafNode name="password"> - <properties> - <help>Password</help> - </properties> - </leafNode> - </children> - </node> + #include <include/interface/authentication.xml.i> #include <include/interface/interface-dial-on-demand.xml.i> <leafNode name="default-route"> <properties> diff --git a/interface-definitions/interfaces-tunnel.xml.in b/interface-definitions/interfaces-tunnel.xml.in index 536edcb99..b994bdafc 100644 --- a/interface-definitions/interfaces-tunnel.xml.in +++ b/interface-definitions/interfaces-tunnel.xml.in @@ -29,14 +29,7 @@ #include <include/interface/interface-ipv6-options.xml.i> #include <include/source-address-ipv4-ipv6.xml.i> #include <include/interface/tunnel-remote.xml.i> - <leafNode name="source-interface"> - <properties> - <help>Physical Interface used for underlaying traffic</help> - <completionHelp> - <script>${vyos_completion_dir}/list_interfaces.py</script> - </completionHelp> - </properties> - </leafNode> + #include <include/source-interface.xml.i> <leafNode name="6rd-prefix"> <properties> <help>6rd network prefix</help> 
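Review bot: `auth-key` and `crypt-key` can both be configured at once, yet they correspond to OpenVPN's `--tls-auth` and `--tls-crypt`, which OpenVPN treats as mutually exclusive as far as I recall from its option parser; nothing in this definition prevents the combination, so either the verify step must reject it or the help should say so, e.g. `<help>Static key to use to authenticate and encrypt the control channel (tls-crypt, mutually exclusive with auth-key)</help>`. All three new leaves (`auth-key`, `dh-params`, `crypt-key`) also lost the `file-exists` constraint and now accept any string, which presumably relies on pki.py or verify() to check that the named pki entry exists. The enclosing tls node opens before the hunk and its `tls-version-min` sibling continues past it.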
@@ -61,21 +54,7 @@ </constraint> </properties> </leafNode> - <leafNode name="dhcp-interface"> - <properties> - <help>dhcp interface</help> - <valueHelp> - <format>interface</format> - <description>DHCP interface that supplies the local IP address for this tunnel</description> - </valueHelp> - <completionHelp> - <script>${vyos_completion_dir}/list_interfaces.py</script> - </completionHelp> - <constraint> - <regex>^(en|eth|br|bond|gnv|vxlan|wg|tun)[0-9]+$</regex> - </constraint> - </properties> - </leafNode> + #include <include/dhcp-interface.xml.i> <leafNode name="encapsulation"> <properties> <help>Encapsulation of this tunnel interface</help> @@ -227,13 +206,22 @@ <children> <leafNode name="no-pmtu-discovery"> <properties> - <help>Disable path MTU discovery</help> + <help>Disable Path MTU Discovery on this tunnel</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="ignore-df"> + <properties> + <help>Enable IPv4 DF suppression on this tunnel</help> <valueless/> </properties> </leafNode> #include <include/interface/interface-parameters-key.xml.i> #include <include/interface/interface-parameters-tos.xml.i> #include <include/interface/interface-parameters-ttl.xml.i> + <leafNode name="ttl"> + <defaultValue>64</defaultValue> + </leafNode> </children> </node> <node name="ipv6"> diff --git a/interface-definitions/interfaces-vti.xml.in b/interface-definitions/interfaces-vti.xml.in new file mode 100644 index 000000000..10e1feb6b --- /dev/null +++ b/interface-definitions/interfaces-vti.xml.in 
@@ -0,0 +1,40 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+ <node name="interfaces">
+ <children>
+ <tagNode name="vti" owner="${vyos_conf_scripts_dir}/interfaces-vti.py">
+ <properties>
+ <help>Virtual Tunnel interface</help>
+ <priority>381</priority>
+ <constraint>
+ <regex>^vti[0-9]+$</regex>
+ </constraint>
+ <constraintErrorMessage>VTI interface must be named vtiN</constraintErrorMessage>
+ <valueHelp>
+ <format>vtiN</format>
+ <description>VTI interface name</description>
+ </valueHelp>
+ </properties>
+ <children>
+ <leafNode name="address">
+ <properties>
+ <help>IP address</help>
+ <valueHelp>
+ <format>ipv4net</format>
+ <description>IPv4 address and prefix length</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv4-host"/>
+ </constraint>
+ <multi/>
+ </properties>
+ </leafNode>
+ #include <include/interface/interface-description.xml.i>
+ #include <include/interface/interface-disable.xml.i>
+ #include <include/interface/interface-mtu-68-16000.xml.i>
+ #include <include/interface/interface-vrf.xml.i>
+ </children>
+ </tagNode>
+ </children>
+ </node>
+</interfaceDefinition>
diff --git a/interface-definitions/interfaces-vxlan.xml.in b/interface-definitions/interfaces-vxlan.xml.in
index 7a286eaf2..56d01dfb6 100644
--- a/interface-definitions/interfaces-vxlan.xml.in
+++ b/interface-definitions/interfaces-vxlan.xml.in
@@ -92,6 +92,7 @@
 #include <include/source-address-ipv4-ipv6.xml.i>
 #include <include/source-interface.xml.i>
 #include <include/interface/tunnel-remote.xml.i>
+ #include <include/interface/interface-vrf.xml.i>
 #include <include/vni.xml.i>
 </children>
 </tagNode>
diff --git a/interface-definitions/interfaces-wireguard.xml.in b/interface-definitions/interfaces-wireguard.xml.in
index 378251fed..773bde09c 100644
--- a/interface-definitions/interfaces-wireguard.xml.in
+++ b/interface-definitions/interfaces-wireguard.xml.in
@@ -42,12 +42,12 @@
 </leafNode>
 <leafNode name="private-key">
 <properties>
- <help>Private key to use on that interface</help>
- <completionHelp>
- <script>${vyos_op_scripts_dir}/wireguard.py --listkdir</script>
- </completionHelp>
+ <help>Base64 encoded private key</help>
+ <constraint>
+ <regex>[0-9a-zA-Z\+/]{43}=$</regex>
+ </constraint>
+ <constraintErrorMessage>Key is not valid 44-character (32-bytes) base64</constraintErrorMessage>
 </properties>
- <defaultValue>default</defaultValue>
 </leafNode>
 <tagNode name="peer">
 <properties>
@@ -59,7 +59,7 @@
 </properties>
 <children>
 #include <include/generic-disable-node.xml.i>
- <leafNode name="pubkey">
+ <leafNode name="public-key">
 <properties>
 <help>base64 encoded public key</help>
 <constraint>
diff --git a/interface-definitions/interfaces-wirelessmodem.xml.in b/interface-definitions/interfaces-wirelessmodem.xml.in
deleted file mode 100644
index 25ac2d6e0..000000000
--- a/interface-definitions/interfaces-wirelessmodem.xml.in
+++ /dev/null
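Review bot: The `private-key` regex `[0-9a-zA-Z\+/]{43}=$` is anchored only at the end, unlike every other regex in this change set (`^vti[0-9]+$`, `^wwan[0-9]+$`, the bonding and ethernet patterns), so unless the validator anchors implicitly a value with arbitrary leading characters followed by a valid 44-character key is accepted; `<regex>^[0-9a-zA-Z\+/]{43}=$</regex>` closes that gap. Separately, the private key now lives in the configuration instead of a key directory, so it will show up in `show configuration`, config backups and commit archives; if the config system does not redact this node, that is worth a sentence in the help text. The peer `public-key` constraint continues outside the hunk.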
@@ -1,83 +0,0 @@ -<?xml version="1.0"?> -<interfaceDefinition> - <node name="interfaces"> - <children> - <tagNode name="wirelessmodem" owner="${vyos_conf_scripts_dir}/interfaces-wirelessmodem.py"> - <properties> - <help>Wireless Modem (WWAN) Interface</help> - <priority>350</priority> - <constraint> - <regex>^wlm[0-9]+$</regex> - </constraint> - <constraintErrorMessage>Wireless Modem interface must be named wlmN</constraintErrorMessage> - <valueHelp> - <format>wlmN</format> - <description>Wireless modem interface name</description> - </valueHelp> - </properties> - <children> - <leafNode name="apn"> - <properties> - <help>Access Point Name (APN)</help> - </properties> - </leafNode> - <node name="backup"> - <properties> - <help>Insert backup default route</help> - </properties> - <children> - <leafNode name="distance"> - <properties> - <help>Distance backup default route</help> - <valueHelp> - <format>1-255</format> - <description>Distance of the backup route (default: 10)</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 1-255"/> - </constraint> - <constraintErrorMessage>Must be between (1-255)</constraintErrorMessage> - </properties> - <defaultValue>10</defaultValue> - </leafNode> - </children> - </node> - #include <include/interface/interface-description.xml.i> - #include <include/interface/interface-disable.xml.i> - #include <include/interface/interface-vrf.xml.i> - <leafNode name="device"> - <properties> - <help>Serial device </help> - <completionHelp> - <script>ls -1 /dev | grep ttyS</script> - <script>if [ -d /dev/serial/by-bus ]; then ls -1 /dev/serial/by-bus; fi</script> - </completionHelp> - <valueHelp> - <format>ttySXX</format> - <description>TTY device name, regular serial port</description> - </valueHelp> - <valueHelp> - <format>usbNbXpY</format> - <description>TTY device name, USB based</description> - </valueHelp> - <constraint> - <regex>^(ttyS[0-9]+|usb[0-9]+b.*)$</regex> - </constraint> - </properties> - 
</leafNode> - #include <include/interface/interface-disable-link-detect.xml.i> - #include <include/interface/interface-mtu-68-16000.xml.i> - #include <include/interface/interface-ipv4-options.xml.i> - #include <include/interface/interface-ipv6-options.xml.i> - <leafNode name="no-peer-dns"> - <properties> - <help>Do not use peer supplied DNS server information</help> - <valueless/> - </properties> - </leafNode> - #include <include/interface/interface-dial-on-demand.xml.i> - </children> - </tagNode> - </children> - </node> -</interfaceDefinition> diff --git a/interface-definitions/interfaces-wwan.xml.in b/interface-definitions/interfaces-wwan.xml.in new file mode 100644 index 000000000..ea3184a11 --- /dev/null +++ b/interface-definitions/interfaces-wwan.xml.in 
@@ -0,0 +1,46 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+ <node name="interfaces">
+ <children>
+ <tagNode name="wwan" owner="${vyos_conf_scripts_dir}/interfaces-wwan.py">
+ <properties>
+ <help>Wireless Modem (WWAN) Interface</help>
+ <priority>350</priority>
+ <completionHelp>
+ <script>cd /sys/class/net; ls -d wwan*</script>
+ </completionHelp>
+ <constraint>
+ <regex>^wwan[0-9]+$</regex>
+ </constraint>
+ <constraintErrorMessage>Wireless Modem interface must be named wwanN</constraintErrorMessage>
+ <valueHelp>
+ <format>wwanN</format>
+ <description>Wireless Wide Area Network interface name</description>
+ </valueHelp>
+ </properties>
+ <children>
+ #include <include/interface/address-ipv4-ipv6-dhcp.xml.i>
+ <leafNode name="apn">
+ <properties>
+ <help>Access Point Name (APN)</help>
+ </properties>
+ </leafNode>
+ #include <include/interface/dhcp-options.xml.i>
+ #include <include/interface/dhcpv6-options.xml.i>
+ #include <include/interface/authentication.xml.i>
+ #include <include/interface/interface-description.xml.i>
+ #include <include/interface/interface-disable.xml.i>
+ #include <include/interface/interface-vrf.xml.i>
+ #include <include/interface/interface-disable-link-detect.xml.i>
+ #include <include/interface/interface-mtu-68-1500.xml.i>
+ <leafNode name="mtu">
+ <defaultValue>1430</defaultValue>
+ </leafNode>
+ #include <include/interface/interface-ipv4-options.xml.i>
+ #include <include/interface/interface-ipv6-options.xml.i>
+ #include <include/interface/interface-dial-on-demand.xml.i>
+ </children>
+ </tagNode>
+ </children>
+ </node>
+</interfaceDefinition>
diff --git a/interface-definitions/ipsec-settings.xml.in b/interface-definitions/ipsec-settings.xml.in
deleted file mode 100644
index bc54baa27..000000000
--- a/interface-definitions/ipsec-settings.xml.in
+++ /dev/null
@@ -1,24 +0,0 @@
-<?xml version="1.0"?>
-<interfaceDefinition>
- <node name="vpn">
- <children>
- <node name="ipsec">
- <children>
- <node name="options" owner="${vyos_conf_scripts_dir}/ipsec-settings.py">
- <properties>
- <help>Global IPsec settings</help>
- </properties>
- <children>
- <leafNode name="disable-route-autoinstall">
- <properties>
- <valueless/>
- <help>Do not automatically install routes to remote networks</help>
- </properties>
- </leafNode>
- </children>
- </node>
- </children>
- </node>
- </children>
- </node>
-</interfaceDefinition>
diff --git a/interface-definitions/nat.xml.in b/interface-definitions/nat.xml.in
index 9862f49b2..3cf3ba6aa 100644
--- a/interface-definitions/nat.xml.in
+++ b/interface-definitions/nat.xml.in
@@ -50,6 +50,7 @@
 </properties>
 </leafNode>
 #include <include/nat-translation-port.xml.i>
+ #include <include/nat-translation-options.xml.i>
 </children>
 </node>
 </children>
@@ -101,6 +102,7 @@
 </properties>
 </leafNode>
 #include <include/nat-translation-port.xml.i>
+ #include <include/nat-translation-options.xml.i>
 </children>
 </node>
 </children>
diff --git a/interface-definitions/pki.xml.in b/interface-definitions/pki.xml.in
new file mode 100644
index 000000000..6d137c2ce
--- /dev/null
+++ b/interface-definitions/pki.xml.in
@@ -0,0 +1,209 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+ <node name="pki" owner="${vyos_conf_scripts_dir}/pki.py">
+ <properties>
+ <help>VyOS PKI configuration</help>
+ </properties>
+ <children>
+ <tagNode name="ca">
+ <properties>
+ <help>Certificate Authority</help>
+ </properties>
+ <children>
+ <leafNode name="certificate">
+ <properties>
+ <help>CA certificate in PEM format</help>
+ </properties>
+ </leafNode>
+ <leafNode name="description">
+ <properties>
+ <help>Description</help>
+ </properties>
+ </leafNode>
+ <node name="private">
+ <properties>
+ <help>CA private key in PEM format</help>
+ </properties>
+ <children>
+ <leafNode name="key">
+ <properties>
+ <help>CA private key in PEM format</help>
+ </properties>
+ </leafNode>
+ <leafNode name="password-protected">
+ <properties>
+ <help>CA private key is password protected</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <leafNode name="crl">
+ <properties>
+ <help>Certificate revocation list in PEM format</help>
+ <multi/>
+ </properties>
+ </leafNode>
+ <leafNode name="revoke">
+ <properties>
+ <help>If parent CA is present, this CA certificate will be included in generated CRLs</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ <tagNode name="certificate">
+ <properties>
+ <help>Certificate</help>
+ </properties>
+ <children>
+ <leafNode name="certificate">
+ <properties>
+ <help>Certificate in PEM format</help>
+ </properties>
+ </leafNode>
+ <leafNode name="description">
+ <properties>
+ <help>Description</help>
+ </properties>
+ </leafNode>
+ <node name="private">
+ <properties>
+ <help>Certificate private key</help>
+ </properties>
+ <children>
+ <leafNode name="key">
+ <properties>
+ <help>Certificate private key in PEM format</help>
+ </properties>
+ </leafNode>
+ <leafNode name="password-protected">
+ <properties>
+ <help>Certificate private key is password protected</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <leafNode name="revoke">
+ <properties>
+ <help>If CA is present, this certificate will be included in generated CRLs</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ <tagNode name="dh">
+ <properties>
+ <help>Diffie-Hellman parameters</help>
+ </properties>
+ <children>
+ <leafNode name="parameters">
+ <properties>
+ <help>DH parameters in PEM format</help>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ <tagNode name="key-pair">
+ <properties>
+ <help>Public and private keys</help>
+ </properties>
+ <children>
+ <node name="public">
+ <properties>
+ <help>Public key</help>
+ </properties>
+ <children>
+ <leafNode name="key">
+ <properties>
+ <help>Public key in PEM format</help>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <node name="private">
+ <properties>
+ <help>Private key</help>
+ </properties>
+ <children>
+ <leafNode name="key">
+ <properties>
+ <help>Private key in PEM format</help>
+ </properties>
+ </leafNode>
+ <leafNode name="password-protected">
+ <properties>
+ <help>Private key is password protected</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ </children>
+ </tagNode>
+ <node name="openvpn">
+ <properties>
+ <help>OpenVPN keys</help>
+ </properties>
+ <children>
+ <tagNode name="shared-secret">
+ <properties>
+ <help>OpenVPN shared secret key</help>
+ </properties>
+ <children>
+ <leafNode name="key">
+ <properties>
+ <help>OpenVPN shared secret key data</help>
+ </properties>
+ </leafNode>
+ <leafNode name="version">
+ <properties>
+ <help>OpenVPN shared secret key version</help>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ </children>
+ </node>
+ <node name="x509">
+ <properties>
+ <help>X509 Settings</help>
+ </properties>
+ <children>
+ <node name="default">
+ <properties>
+ <help>X509 Default Values</help>
+ </properties>
+ <children>
+ <leafNode name="country">
+ <properties>
+ <help>Default country</help>
+ </properties>
+ <defaultValue>GB</defaultValue>
+ </leafNode>
+ <leafNode name="state">
+ <properties>
+ <help>Default state</help>
+ </properties>
+ <defaultValue>Some-State</defaultValue>
+ </leafNode>
+ <leafNode name="locality">
+ <properties>
+ <help>Default locality</help>
+ </properties>
+ <defaultValue>Some-City</defaultValue>
+ </leafNode>
+ <leafNode name="organization">
+ <properties>
+ <help>Default organization</help>
+ </properties>
+ <defaultValue>VyOS</defaultValue>
+ </leafNode>
+ </children>
+ </node>
+ </children>
+ </node>
+ </children>
+ </node>
+</interfaceDefinition>
diff --git a/interface-definitions/policy.xml.in b/interface-definitions/policy.xml.in
index 900fac27e..5a3c58fa8 100644
--- a/interface-definitions/policy.xml.in
+++ b/interface-definitions/policy.xml.in
@@ -27,7 +27,7 @@
 </valueHelp>
 </properties>
 <children>
- #include <include/policy/description.xml.i>
+ #include <include/generic-description.xml.i>
 <tagNode name="rule">
 <properties>
 <help>Rule for this access-list</help>
@@ -41,7 +41,7 @@
 </properties>
 <children>
 #include <include/policy/action.xml.i>
- #include <include/policy/description.xml.i>
+ #include <include/generic-description.xml.i>
 <node name="destination">
 <properties>
 <help>Destination network or address</help>
@@ -87,7 +87,7 @@
 </valueHelp>
 </properties>
 <children>
- #include <include/policy/description.xml.i>
+ #include <include/generic-description.xml.i>
 <tagNode name="rule">
 <properties>
 <help>Rule for this access-list6</help>
@@ -101,7 +101,7 @@
 </properties>
 <children>
 #include <include/policy/action.xml.i>
- #include <include/policy/description.xml.i>
+ #include <include/generic-description.xml.i>
 <node name="source">
 <properties>
 <help>Source IPv6 network to match</help>
@@ -146,7 +146,7 @@
 </valueHelp>
 </properties>
 <children>
- #include <include/policy/description.xml.i>
+ #include <include/generic-description.xml.i>
 <tagNode name="rule">
 <properties>
 <help>Rule for this as-path-list</help>
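Review bot: None of the `ca`, `certificate`, `dh`, `key-pair` or `openvpn shared-secret` tag nodes constrain the tag value, so a name such as `../foo` or one containing whitespace is accepted by the parser; if pki.py (not in this diff) materialises these objects on disk under their names for daemons like OpenVPN, an unconstrained name becomes a path-traversal vector, and even if it does not, such names break the `completionHelp` paths the OpenVPN definitions in this change build from them. A cheap fix is a per-tag constraint in each tagNode's `<properties>`: `<constraint><regex>^[-_a-zA-Z0-9]+$</regex></constraint>` with `<constraintErrorMessage>Name may only contain letters, digits, hyphen and underscore</constraintErrorMessage>`. Separately, the `password-protected` flags offer no way to supply the passphrase, and every leaf says "in PEM format" although a config leaf holds a single string; if the value is expected as the base64 body without the BEGIN/END armour lines, which I suspect, the help text should say so.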
@@ -160,7 +160,7 @@ </properties> <children> #include <include/policy/action.xml.i> - #include <include/policy/description.xml.i> + #include <include/generic-description.xml.i> <leafNode name="regex"> <properties> <help>Regular expression to match against an AS path</help> @@ -183,7 +183,7 @@ </valueHelp> </properties> <children> - #include <include/policy/description.xml.i> + #include <include/generic-description.xml.i> <tagNode name="rule"> <properties> <help>Rule for this BGP community list</help> @@ -197,7 +197,7 @@ </properties> <children> #include <include/policy/action.xml.i> - #include <include/policy/description.xml.i> + #include <include/generic-description.xml.i> <leafNode name="regex"> <properties> <help>Regular expression to match against a community-list</help> @@ -243,7 +243,7 @@ </valueHelp> </properties> <children> - #include <include/policy/description.xml.i> + #include <include/generic-description.xml.i> <tagNode name="rule"> <properties> <help>Rule for this BGP extended community list</help> @@ -257,7 +257,7 @@ </properties> <children> #include <include/policy/action.xml.i> - #include <include/policy/description.xml.i> + #include <include/generic-description.xml.i> <leafNode name="regex"> <properties> <help>Regular expression to match against an extended community list</help> @@ -288,7 +288,7 @@ </valueHelp> </properties> <children> - #include <include/policy/description.xml.i> + #include <include/generic-description.xml.i> <tagNode name="rule"> <properties> <help>Rule for this BGP extended community list</help> @@ -302,7 +302,7 @@ </properties> <children> #include <include/policy/action.xml.i> - #include <include/policy/description.xml.i> + #include <include/generic-description.xml.i> <leafNode name="regex"> <properties> <help>Regular expression to match against a large community list</help> 
@@ -329,7 +329,7 @@ <constraintErrorMessage>Name of prefix-list can only contain alpha-numeric letters, hyphen and underscores</constraintErrorMessage> </properties> <children> - #include <include/policy/description.xml.i> + #include <include/generic-description.xml.i> <tagNode name="rule"> <properties> <help>Rule for this prefix-list</help> @@ -343,7 +343,7 @@ </properties> <children> #include <include/policy/action.xml.i> - #include <include/policy/description.xml.i> + #include <include/generic-description.xml.i> <leafNode name="ge"> <properties> <help>Prefix length to match a netmask greater than or equal to it</help> @@ -397,7 +397,7 @@ <constraintErrorMessage>Name of prefix-list6 can only contain alpha-numeric letters, hyphen and underscores</constraintErrorMessage> </properties> <children> - #include <include/policy/description.xml.i> + #include <include/generic-description.xml.i> <tagNode name="rule"> <properties> <help>Rule for this prefix-list6</help> @@ -411,7 +411,7 @@ </properties> <children> #include <include/policy/action.xml.i> - #include <include/policy/description.xml.i> + #include <include/generic-description.xml.i> <leafNode name="ge"> <properties> <help>Prefix length to match a netmask greater than or equal to it</help> @@ -465,7 +465,7 @@ <constraintErrorMessage>Name of route-map can only contain alpha-numeric letters, hyphen and underscores</constraintErrorMessage> </properties> <children> - #include <include/policy/description.xml.i> + #include <include/generic-description.xml.i> <tagNode name="rule"> <properties> <help>Rule for this route-map</help> @@ -500,7 +500,7 @@ </valueHelp> </properties> </leafNode> - #include <include/policy/description.xml.i> + #include <include/generic-description.xml.i> <node name="match"> <properties> <help>Route parameters to match</help> 
@@ -912,7 +912,7 @@ </leafNode> <leafNode name="as-path-prepend"> <properties> - <help>as-path-prepend_help</help> + <help>Prepend string for a Border Gateway Protocol (BGP) AS-path attribute</help> <valueHelp> <format>txt</format> <description>BGP AS path prepend string (ex: "64501 64501")</description> @@ -925,15 +925,6 @@ <valueless/> </properties> </leafNode> - <leafNode name="bgp-extcommunity-rt"> - <properties> - <help>Set route target value</help> - <valueHelp> - <format><aa:nn></format> - <description>ExtCommunity in format: asn:value</description> - </valueHelp> - </properties> - </leafNode> <node name="comm-list"> <properties> <help>Border Gateway Protocol (BGP) communities matching a community-list</help> @@ -961,7 +952,7 @@ </node> <leafNode name="community"> <properties> - <help>community_help</help> + <help>Border Gateway Protocl (BGP) community attribute</help> <completionHelp> <list>local-AS no-advertise no-export internet additive none</list> </completionHelp> 
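Review bot: The new help string in the `@@ -961,7 +952,7 @@` hunk misspells the protocol name; `<help>Border Gateway Protocl (BGP) community attribute</help>` should read `<help>Border Gateway Protocol (BGP) community attribute</help>`. The same misspelling is introduced for the origin leaf in the `@@ -1129,7 +1173,7 @@` hunk further down and should be fixed together with this one. The enclosing `community` leafNode ends outside the hunk.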
@@ -1007,24 +998,71 @@ </constraint> </properties> </leafNode> - <leafNode name="extcommunity-rt"> + <node name="extcommunity"> <properties> - <help>Set route target value</help> - <valueHelp> - <format>txt</format> - <description>ASN:nn_or_IP_address:nn VPN extended community</description> - </valueHelp> + <help>BGP extended community attribute</help> </properties> - </leafNode> - <leafNode name="extcommunity-soo"> - <properties> - <help>Set Site of Origin value</help> - <valueHelp> - <format>txt</format> - <description>ASN:nn_or_IP_address:nn VPN extended community</description> - </valueHelp> - </properties> - </leafNode> + <children> + <leafNode name="bandwidth"> + <properties> + <help>Bandwidth value in Mbps</help> + <completionHelp> + <list>cumulative num-multipaths</list> + </completionHelp> + <valueHelp> + <format>u32:1-25600</format> + <description>Bandwidth value in Mbps</description> + </valueHelp> + <valueHelp> + <format>cumulative</format> + <description>Cumulative bandwidth of all multipaths (outbound-only)</description> + </valueHelp> + <valueHelp> + <format>num-multipaths</format> + <description>Internally computed bandwidth based on number of multipaths (outbound-only)</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-25600"/> + <regex>^(cumulative|num-multipaths)$</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="rt"> + <properties> + <help>Set route target value</help> + <valueHelp> + <format>ASN:NN</format> + <description>based on autonomous system number</description> + </valueHelp> + <valueHelp> + <format>IP:NN</format> + <description>Based on a router-id IP address</description> + </valueHelp> + <constraint> + <regex>^((?:[0-9]{1,3}\.){3}[0-9]{1,3}|\d+):\d+$</regex> + </constraint> + <constraintErrorMessage>Should be in form: ASN:NN or IPADDR:NN where ASN is autonomous system number</constraintErrorMessage> + </properties> + </leafNode> + <leafNode name="soo"> + <properties> + 
<help>Set Site of Origin value</help> + <valueHelp> + <format>ASN:NN</format> + <description>based on autonomous system number</description> + </valueHelp> + <valueHelp> + <format>IP:NN</format> + <description>Based on a router-id IP address</description> + </valueHelp> + <constraint> + <regex>^((?:[0-9]{1,3}\.){3}[0-9]{1,3}|\d+):\d+$</regex> + </constraint> + <constraintErrorMessage>Should be in form: ASN:NN or IPADDR:NN where ASN is autonomous system number</constraintErrorMessage> + </properties> + </leafNode> + </children> + </node> <leafNode name="ip-next-hop"> <properties> <help>Nexthop IP address</help> @@ -1066,6 +1104,12 @@ </constraint> </properties> </leafNode> + <leafNode name="prefer-global"> + <properties> + <help>Prefer global address as the nexthop</help> + <valueless/> + </properties> + </leafNode> </children> </node> <leafNode name="large-community"> @@ -1129,7 +1173,7 @@ </leafNode> <leafNode name="origin"> <properties> - <help>origin_help</help> + <help>Border Gateway Protocl (BGP) origin code</help> <completionHelp> <list>igp egp incomplete</list> </completionHelp> diff --git a/interface-definitions/protocols-nhrp.xml.in b/interface-definitions/protocols-nhrp.xml.in new file mode 100644 index 000000000..9dd9d3389 --- /dev/null +++ b/interface-definitions/protocols-nhrp.xml.in 
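Review bot: The `<regex>` added for the new `rt` and `soo` leaves, `^((?:[0-9]{1,3}\.){3}[0-9]{1,3}|\d+):\d+$`, accepts octets above 255 (e.g. `999.1.1.1:100`) and places no upper bound on the ASN or NN halves, so values the router-id form cannot represent pass CLI validation and are only caught later, if at all, by the owner script or FRR. A per-octet alternative such as `(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])` in place of `[0-9]{1,3}` closes the IP case; bounding `\d+` to the 16/32-bit ranges the valueHelp implies would need a matching update to the `constraintErrorMessage`. Whether `vpn`/policy code re-validates these strings is not visible from this hunk, so the CLI constraint is the only check that can be confirmed here. The `bandwidth` leaf mixing a `numeric` validator with a `regex` in one `<constraint>` looks intentional (either form is accepted) and needs no change.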
@@ -0,0 +1,134 @@ +<?xml version="1.0" encoding="UTF-8"?> +<interfaceDefinition> + <node name="protocols"> + <children> + <node name="nhrp" owner="${vyos_conf_scripts_dir}/protocols_nhrp.py"> + <properties> + <help>NHRP parameters</help> + <priority>680</priority> + </properties> + <children> + <tagNode name="tunnel"> + <properties> + <help>Tunnel for NHRP [REQUIRED]</help> + <constraint> + <regex>^tun[0-9]+$</regex> + </constraint> + <valueHelp> + <format>tunN</format> + <description>NHRP tunnel name</description> + </valueHelp> + </properties> + <children> + <leafNode name="cisco-authentication"> + <properties> + <help>Pass phrase for cisco authentication</help> + <valueHelp> + <format>txt</format> + <description>Pass phrase for cisco authentication</description> + </valueHelp> + </properties> + </leafNode> + <tagNode name="dynamic-map"> + <properties> + <help>Set an HUB tunnel address</help> + <valueHelp> + <format>ipv4net</format> + <description>Set the IP address and prefix length</description> + </valueHelp> + </properties> + <children> + <leafNode name="nbma-domain-name"> + <properties> + <help>Set HUB fqdn (nbma-address - fqdn) [REQUIRED]</help> + <valueHelp> + <format><fqdn></format> + <description>Set the external HUB fqdn</description> + </valueHelp> + </properties> + </leafNode> + </children> + </tagNode> + <leafNode name="holding-time"> + <properties> + <help>Holding time in seconds</help> + </properties> + </leafNode> + <tagNode name="map"> + <properties> + <help>Set an HUB tunnel address</help> + </properties> + <children> + <leafNode name="cisco"> + <properties> + <help>If the statically mapped peer is running Cisco IOS, specify this</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="nbma-address"> + <properties> + <help>Set HUB address (nbma-address - external hub address or fqdn) [REQUIRED]</help> + </properties> + </leafNode> + <leafNode name="register"> + <properties> + <help>Specifies that Registration Request should be sent 
to this peer on startup</help> + <valueless/> + </properties> + </leafNode> + </children> + </tagNode> + <leafNode name="multicast"> + <properties> + <help>Set multicast for NHRP</help> + <completionHelp> + <list>dynamic nhs</list> + </completionHelp> + <constraint> + <regex>^(dynamic|nhs)$</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="non-caching"> + <properties> + <help>This can be used to reduce memory consumption on big NBMA subnets</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="redirect"> + <properties> + <help>Enable sending of Cisco style NHRP Traffic Indication packets</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="shortcut-destination"> + <properties> + <help>This instructs opennhrp to reply with authorative answers on NHRP Resolution Requests destined to addresses in this interface</help> + <valueless/> + </properties> + </leafNode> + <tagNode name="shortcut-target"> + <properties> + <help>Defines an off-NBMA network prefix for which the GRE interface will act as a gateway</help> + </properties> + <children> + <leafNode name="holding-time"> + <properties> + <help>Holding time in seconds</help> + </properties> + </leafNode> + </children> + </tagNode> + <leafNode name="shortcut"> + <properties> + <help>Enable creation of shortcut routes. A received NHRP Traffic Indication will trigger the resolution and establishment of a shortcut route</help> + <valueless/> + </properties> + </leafNode> + </children> + </tagNode> + </children> + </node> + </children> + </node> +</interfaceDefinition> diff --git a/interface-definitions/protocols-ospfv3.xml.in b/interface-definitions/protocols-ospfv3.xml.in index 99e671b32..7b42c448d 100644 --- a/interface-definitions/protocols-ospfv3.xml.in +++ b/interface-definitions/protocols-ospfv3.xml.in 
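Review bot: Several leaves in the new `protocols-nhrp.xml.in` take free-form values with no `<constraint>` or `<valueHelp>`: both `holding-time` leaves, `nbma-address` under `map`, and `cisco-authentication`, so malformed input (a non-numeric holding time, an over-long pass phrase) is only rejected, if at all, by `protocols_nhrp.py` or opennhrp, which are not visible here. At minimum `holding-time` should carry `<constraint><validator name="numeric" argument="--range LOW-HIGH"/></constraint>` with the bounds opennhrp accepts (placeholder range, to be confirmed), and `nbma-address` a `<valueHelp>` describing the accepted address-or-FQDN forms. The `map` tagNode also lacks the `<valueHelp>`/`<constraint>` that its sibling `dynamic-map` has, and `dynamic-map`'s help text ("Set an HUB tunnel address") duplicates `map`'s despite taking a prefix. Two typos in help text: "authorative" in `shortcut-destination` should be "authoritative", and "an HUB" should be "a HUB".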
@@ -25,6 +25,26 @@ </constraint> </properties> <children> + <node name="area-type"> + <properties> + <help>OSPFv3 Area type</help> + </properties> + <children> + <node name="stub"> + <properties> + <help>Stub OSPFv3 area</help> + </properties> + <children> + <leafNode name="no-summary"> + <properties> + <help>Do not inject inter-area routes into the stub</help> + <valueless/> + </properties> + </leafNode> + </children> + </node> + </children> + </node> <leafNode name="export-list"> <properties> <help>Name of export-list</help> diff --git a/interface-definitions/service_conntrack-sync.xml.in b/interface-definitions/service_conntrack-sync.xml.in index 8d6b57183..584f687c7 100644 --- a/interface-definitions/service_conntrack-sync.xml.in +++ b/interface-definitions/service_conntrack-sync.xml.in @@ -133,8 +133,16 @@ <leafNode name="peer"> <properties> <help>IP address of the peer to send the UDP conntrack info too. This disable multicast.</help> + <valueHelp> + <format>ipv4</format> + <description>IP address to listen for incoming connections</description> + </valueHelp> + <constraint> + <validator name="ipv4-address"/> + </constraint> </properties> </leafNode> + #include <include/port-number.xml.i> </children> </tagNode> #include <include/listen-address-ipv4.xml.i> diff --git a/interface-definitions/service_mdns-repeater.xml.in b/interface-definitions/service_mdns-repeater.xml.in index 33ef9a434..d02dac8a6 100644 --- a/interface-definitions/service_mdns-repeater.xml.in +++ b/interface-definitions/service_mdns-repeater.xml.in @@ -23,6 +23,12 @@ <multi/> </properties> </leafNode> + <leafNode name="vrrp-disable"> + <properties> + <help>Disables mDNS repeater on VRRP interfaces not in MASTER state</help> + <valueless/> + </properties> + </leafNode> </children> </node> </children> diff --git a/interface-definitions/service_pppoe-server.xml.in b/interface-definitions/service_pppoe-server.xml.in index dc8af67af..7b96b5692 100644 
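Review bot: In the `service_conntrack-sync.xml.in` hunk (`@@ -133,8 +133,16 @@`) the new `<valueHelp>` contradicts the leaf it documents: the `peer` help says this is the address conntrack info is sent to, but the added description reads `<description>IP address to listen for incoming connections</description>`, which looks copied from the listen-address include. It should say something like `<description>IPv4 address of the peer to send conntrack updates to</description>`. The added `ipv4-address` validator and the `port-number` include are appropriate; the pre-existing "too" typo in the help is outside this change.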
--- a/interface-definitions/service_pppoe-server.xml.in +++ b/interface-definitions/service_pppoe-server.xml.in @@ -164,6 +164,7 @@ #include <include/accel-ppp/ppp-mppe.xml.i> #include <include/accel-ppp/lcp-echo-interval-failure.xml.i> #include <include/accel-ppp/lcp-echo-timeout.xml.i> + #include <include/accel-ppp/ppp-interface-cache.xml.i> <leafNode name="ipv4"> <properties> <help>IPv4 (IPCP) negotiation algorithm</help> @@ -192,34 +193,7 @@ </completionHelp> </properties> </leafNode> - <leafNode name="ipv6"> - <properties> - <help>IPv6 (IPCP6) negotiation algorithm</help> - <constraint> - <regex>^(deny|allow|prefer|require)$</regex> - </constraint> - <constraintErrorMessage>invalid value</constraintErrorMessage> - <valueHelp> - <format>deny</format> - <description>Do not negotiate IPv6</description> - </valueHelp> - <valueHelp> - <format>allow</format> - <description>Negotiate IPv6 only if client requests</description> - </valueHelp> - <valueHelp> - <format>prefer</format> - <description>Ask client for IPv6 negotiation, do not fail if it rejects</description> - </valueHelp> - <valueHelp> - <format>require</format> - <description>Require IPv6 negotiation</description> - </valueHelp> - <completionHelp> - <list>deny allow prefer require</list> - </completionHelp> - </properties> - </leafNode> + #include <include/accel-ppp/ppp-options-ipv6.xml.i> <leafNode name="ipv6-intf-id"> <properties> <help>Fixed or random interface identifier for IPv6</help> 
@@ -334,6 +308,45 @@ </leafNode> </children> </node> + <node name="extended-scripts"> + <properties> + <help>Extended script execution</help> + </properties> + <children> + <leafNode name="on-pre-up"> + <properties> + <help>Script to run before PPPoE session interface comes up</help> + <constraint> + <validator name="script"/> + </constraint> + </properties> + </leafNode> + <leafNode name="on-up"> + <properties> + <help>Script to run when PPPoE session interface is completely configured and started</help> + <constraint> + <validator name="script"/> + </constraint> + </properties> + </leafNode> + <leafNode name="on-down"> + <properties> + <help>Script to run when PPPoE session interface going to terminate</help> + <constraint> + <validator name="script"/> + </constraint> + </properties> + </leafNode> + <leafNode name="on-change"> + <properties> + <help>Script to run when PPPoE session interface changed by RADIUS CoA handling</help> + <constraint> + <validator name="script"/> + </constraint> + </properties> + </leafNode> + </children> + </node> </children> </node> </children> diff --git a/interface-definitions/service_router-advert.xml.in b/interface-definitions/service_router-advert.xml.in index 47ac4e25d..750ae314c 100644 --- a/interface-definitions/service_router-advert.xml.in +++ b/interface-definitions/service_router-advert.xml.in @@ -10,7 +10,7 @@ <children> <tagNode name="interface"> <properties> - <help>Interface to send DDNS updates for [REQUIRED]</help> + <help>Interface to send RA on [REQUIRED]</help> <completionHelp> <script>${vyos_completion_dir}/list_interfaces.py</script> </completionHelp> 
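Review bot: None of the four new `extended-scripts` help strings state the execution context of the script, and the `script` validator's checks are not visible from this hunk, so an operator cannot tell from the CLI what privileges a hook runs with or what the path must point to. Since these hooks fire on every PPPoE session event, the node's own help should say so once the owner script confirms it, e.g. `<help>Extended script execution (scripts run with the privileges of the PPPoE daemon on session events)</help>`. The per-leaf help strings could also be made grammatically consistent, e.g. `<help>Script to run when PPPoE session interface is about to terminate</help>` instead of "going to terminate". The enclosing `<children>` of the pppoe-server node closes after the hunk.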
@@ -154,6 +154,72 @@ <valueless/> </properties> </leafNode> + <tagNode name="route"> + <properties> + <help>IPv6 route to be advertised in Router Advertisements (RAs)</help> + <valueHelp> + <format>ipv6net</format> + <description>IPv6 route to be advertized</description> + </valueHelp> + <constraint> + <validator name="ipv6-prefix"/> + </constraint> + </properties> + <children> + <leafNode name="valid-lifetime"> + <properties> + <help>Time in seconds that the route will remain valid (default: 1800 seconds)</help> + <completionHelp> + <list>infinity</list> + </completionHelp> + <valueHelp> + <format>1-4294967295</format> + <description>Time in seconds that the route will remain valid</description> + </valueHelp> + <valueHelp> + <format>infinity</format> + <description>Route will remain preferred forever</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-4294967295"/> + <regex>^(infinity)$</regex> + </constraint> + </properties> + <defaultValue>1800</defaultValue> + </leafNode> + <leafNode name="route-preference"> + <properties> + <help>Preference associated with the route,</help> + <completionHelp> + <list>low medium high</list> + </completionHelp> + <valueHelp> + <format>low</format> + <description>Route has low preference</description> + </valueHelp> + <valueHelp> + <format>medium</format> + <description>Route has medium preference (default)</description> + </valueHelp> + <valueHelp> + <format>high</format> + <description>Route has high preference</description> + </valueHelp> + <constraint> + <regex>^(low|medium|high)$</regex> + </constraint> + <constraintErrorMessage>Route preference must be low, medium or high</constraintErrorMessage> + </properties> + <defaultValue>medium</defaultValue> + </leafNode> + <leafNode name="no-remove-route"> + <properties> + <help>Do not announce this route with a zero second lifetime upon shutdown</help> + <valueless/> + </properties> + </leafNode> + </children> + </tagNode> <tagNode 
name="prefix"> <properties> <help>IPv6 prefix to be advertised in Router Advertisements (RAs)</help> diff --git a/interface-definitions/snmp.xml.in b/interface-definitions/snmp.xml.in index f57103eac..2654449a1 100644 --- a/interface-definitions/snmp.xml.in +++ b/interface-definitions/snmp.xml.in @@ -129,6 +129,26 @@ <constraintErrorMessage>Location is limited to 255 characters or less</constraintErrorMessage> </properties> </leafNode> + <leafNode name="oid-enable"> + <properties> + <help>Enable specific oids</help> + <valueHelp> + <format>txt</format> + <description>Enable specific oids</description> + </valueHelp> + <valueHelp> + <format>route-table</format> + <description>Enable route table oids (ipCidrRouteTable inetCidrRouteTable)</description> + </valueHelp> + <completionHelp> + <list>route-table</list> + </completionHelp> + <constraint> + <regex>^(route-table)$</regex> + </constraint> + <constraintErrorMessage>Oid must be 'route-table'</constraintErrorMessage> + </properties> + </leafNode> <leafNode name="smux-peer"> <properties> <help>Register a subtree for SMUX-based processing</help> diff --git a/interface-definitions/ssh.xml.in b/interface-definitions/ssh.xml.in index 6faef9bd5..54742f1d0 100644 --- a/interface-definitions/ssh.xml.in +++ b/interface-definitions/ssh.xml.in @@ -1,5 +1,4 @@ <?xml version="1.0"?> -<!--SSH configuration --> <interfaceDefinition> <node name="service"> <properties> @@ -14,9 +13,7 @@ <children> <node name="access-control"> <properties> - <help>SSH user/group access controls. Directives are processed - in the following order: deny-users, allow-users, deny-groups and - allow-groups.</help> + <help>SSH user/group access controls</help> </properties> <children> <node name="allow"> 
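Review bot: In the new `route` tagNode of `service_router-advert.xml.in` (`@@ -154,6 +154,72 @@`) the `valid-lifetime` constraint and its documentation disagree: the `<valueHelp>` advertises `<format>1-4294967295</format>` while the validator is `argument="--range 0-4294967295"`, so either 0 is legal and the format text is wrong or the range should start at 1. The `infinity` description, `<description>Route will remain preferred forever</description>`, belongs to a lifetime leaf and should read `<description>Route will remain valid forever</description>`. The `route-preference` help ends in a stray comma: `<help>Preference associated with the route</help>`.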
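Review bot: The `oid-enable` leaf added to `snmp.xml.in` documents a `<format>txt</format>` value ("Enable specific oids") while its `<regex>^(route-table)$</regex>` accepts only `route-table`, so the generic valueHelp promises a freedom the constraint denies. Drop the `txt` valueHelp, or widen the constraint to match, and capitalize the acronym in the help and error message: `<help>Enable specific OIDs</help>`, `<constraintErrorMessage>OID must be 'route-table'</constraintErrorMessage>`.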
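Review bot: The shortened help in `ssh.xml.in` (`@@ -14,9 +13,7 @@`) drops the sentence stating the order in which the directives are processed (deny-users, allow-users, deny-groups, allow-groups); that order is what decides the effective result when an allow and a deny rule overlap, so removing it from the only place an operator sees it at configure time makes an unintended grant easier to commit. Keep a one-line form, e.g. `<help>SSH user/group access controls (evaluated in order: deny-users, allow-users, deny-groups, allow-groups)</help>`. The follow-on hunks that replace the inline `group`/`user` leaves with `ssh-group.xml.i`/`ssh-user.xml.i` cannot be checked here because the include files are not in this diff.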
@@ -24,26 +21,8 @@ <help>Allow user/group SSH access</help> </properties> <children> - <leafNode name="group"> - <properties> - <help>Allow members of a group to login</help> - <constraint> - <regex>[a-z_][a-z0-9_-]{1,31}[$]?</regex> - </constraint> - <constraintErrorMessage>illegal characters or more than 32 characters</constraintErrorMessage> - <multi/> - </properties> - </leafNode> - <leafNode name="user"> - <properties> - <help>Allow specific users to login</help> - <constraint> - <regex>[a-z_][a-z0-9_-]{1,31}[$]?</regex> - </constraint> - <constraintErrorMessage>illegal characters or more than 32 characters</constraintErrorMessage> - <multi/> - </properties> - </leafNode> + #include <include/ssh-group.xml.i> + #include <include/ssh-user.xml.i> </children> </node> <node name="deny"> @@ -51,26 +30,8 @@ <help>Deny user/group SSH access</help> </properties> <children> - <leafNode name="group"> - <properties> - <help>Disallow members of a group to login</help> - <constraint> - <regex>[a-z_][a-z0-9_-]{1,31}[$]?</regex> - </constraint> - <constraintErrorMessage>illegal characters or more than 32 characters</constraintErrorMessage> - <multi/> - </properties> - </leafNode> - <leafNode name="user"> - <properties> - <help>Disallow specific users to login</help> - <constraint> - <regex>[a-z_][a-z0-9_-]{1,31}[$]?</regex> - </constraint> - <constraintErrorMessage>illegal characters or more than 32 characters</constraintErrorMessage> - <multi/> - </properties> - </leafNode> + #include <include/ssh-group.xml.i> + #include <include/ssh-user.xml.i> </children> </node> </children> diff --git a/interface-definitions/system-conntrack.xml.in b/interface-definitions/system-conntrack.xml.in new file mode 100644 index 000000000..fa73df3db --- /dev/null +++ b/interface-definitions/system-conntrack.xml.in 
@@ -0,0 +1,348 @@ +<?xml version="1.0"?> +<interfaceDefinition> + <node name="system"> + <children> + <node name="conntrack" owner="${vyos_conf_scripts_dir}/conntrack.py"> + <properties> + <help>Connection Tracking Engine Options</help> + <!-- Before NAT and conntrack-sync are configured --> + <priority>218</priority> + </properties> + <children> + <leafNode name="expect-table-size"> + <properties> + <help>Size of connection tracking expect table</help> + <valueHelp> + <format>u32:1-50000000</format> + <description>Number of entries allowed in connection tracking expect table</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-50000000"/> + </constraint> + </properties> + <defaultValue>2048</defaultValue> + </leafNode> + <leafNode name="hash-size"> + <properties> + <help>Hash size for connection tracking table</help> + <valueHelp> + <format>u32:1-50000000</format> + <description>Size of hash to use for connection tracking table</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-50000000"/> + </constraint> + </properties> + <defaultValue>32768</defaultValue> + </leafNode> + <node name="modules"> + <properties> + <help>Connection tracking modules settings</help> + </properties> + <children> + <node name="ftp"> + <properties> + <help>FTP connection tracking settings</help> + </properties> + <children> + #include <include/conntrack-module-disable.xml.i> + </children> + </node> + <node name="h323"> + <properties> + <help>H.323 connection tracking settings</help> + </properties> + <children> + #include <include/conntrack-module-disable.xml.i> + </children> + </node> + <node name="nfs"> + <properties> + <help>NFS connection tracking settings</help> + </properties> + <children> + #include <include/conntrack-module-disable.xml.i> + </children> + </node> + <node name="pptp"> + <properties> + <help>PPTP connection tracking settings</help> + </properties> + <children> + #include 
<include/conntrack-module-disable.xml.i> + </children> + </node> + <node name="sip"> + <properties> + <help>SIP connection tracking settings</help> + </properties> + <children> + #include <include/conntrack-module-disable.xml.i> + </children> + </node> + <node name="sqlnet"> + <properties> + <help>SQLnet connection tracking settings</help> + </properties> + <children> + #include <include/conntrack-module-disable.xml.i> + </children> + </node> + <node name="tftp"> + <properties> + <help>TFTP connection tracking settings</help> + </properties> + <children> + #include <include/conntrack-module-disable.xml.i> + </children> + </node> + </children> + </node> + <leafNode name="table-size"> + <properties> + <help>Size of connection tracking table</help> + <valueHelp> + <format>u32:1-50000000</format> + <description>Number of entries allowed in connection tracking table</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-50000000"/> + </constraint> + </properties> + <defaultValue>262144</defaultValue> + </leafNode> + <node name="tcp"> + <properties> + <help>TCP options</help> + </properties> + <children> + <leafNode name="half-open-connections"> + <properties> + <help>Maximum number of TCP half-open connections</help> + <valueHelp> + <format>u32:1-2147483647</format> + <description>Generic connection timeout in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-2147483647"/> + </constraint> + </properties> + <defaultValue>512</defaultValue> + </leafNode> + <leafNode name="loose"> + <properties> + <help>Policy to track previously established connections</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Allow tracking of previously established connections</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Do not allow tracking of previously established 
connections</description> + </valueHelp> + <constraint> + <regex>^(enable|disable)$</regex> + </constraint> + </properties> + <defaultValue>enable</defaultValue> + </leafNode> + <leafNode name="max-retrans"> + <properties> + <help>TCP maximum retransmit attempts</help> + <valueHelp> + <format>u32:1-2147483647</format> + <description>Generic connection timeout in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-2147483647"/> + </constraint> + </properties> + <defaultValue>3</defaultValue> + </leafNode> + </children> + </node> + <node name="timeout"> + <properties> + <help>Connection timeout options</help> + </properties> + <children> + <leafNode name="icmp"> + <properties> + <help>ICMP timeout in seconds</help> + <valueHelp> + <format>u32:1-21474836</format> + <description>ICMP timeout in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-21474836"/> + </constraint> + </properties> + <defaultValue>30</defaultValue> + </leafNode> + <leafNode name="other"> + <properties> + <help>Generic connection timeout in seconds</help> + <valueHelp> + <format>u32:1-21474836</format> + <description>Generic connection timeout in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-21474836"/> + </constraint> + </properties> + <defaultValue>600</defaultValue> + </leafNode> + <node name="tcp"> + <properties> + <help>TCP connection timeout options</help> + </properties> + <children> + <leafNode name="close-wait"> + <properties> + <help>TCP CLOSE-WAIT timeout in seconds</help> + <valueHelp> + <format>u32:1-21474836</format> + <description>TCP CLOSE-WAIT timeout in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-21474836"/> + </constraint> + </properties> + <defaultValue>60</defaultValue> + </leafNode> + <leafNode name="close"> + <properties> + <help>TCP CLOSE timeout in seconds</help> + 
<valueHelp> + <format>u32:1-21474836</format> + <description>TCP CLOSE timeout in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-21474836"/> + </constraint> + </properties> + <defaultValue>10</defaultValue> + </leafNode> + <leafNode name="established"> + <properties> + <help>TCP ESTABLISHED timeout in seconds</help> + <valueHelp> + <format>u32:1-21474836</format> + <description>TCP ESTABLISHED timeout in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-21474836"/> + </constraint> + </properties> + <defaultValue>432000</defaultValue> + </leafNode> + <leafNode name="fin-wait"> + <properties> + <help>TCP FIN-WAIT timeout in seconds</help> + <valueHelp> + <format>u32:1-21474836</format> + <description>TCP FIN-WAIT timeout in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-21474836"/> + </constraint> + </properties> + <defaultValue>120</defaultValue> + </leafNode> + <leafNode name="last-ack"> + <properties> + <help>TCP LAST-ACK timeout in seconds</help> + <valueHelp> + <format>u32:1-21474836</format> + <description>TCP LAST-ACK timeout in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-21474836"/> + </constraint> + </properties> + <defaultValue>30</defaultValue> + </leafNode> + <leafNode name="syn-recv"> + <properties> + <help>TCP SYN-RECEIVED timeout in seconds</help> + <valueHelp> + <format>u32:1-21474836</format> + <description>TCP SYN-RECEIVED timeout in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-21474836"/> + </constraint> + </properties> + <defaultValue>60</defaultValue> + </leafNode> + <leafNode name="syn-sent"> + <properties> + <help>TCP SYN-SENT timeout in seconds</help> + <valueHelp> + <format>u32:1-21474836</format> + <description>TCP SYN-SENT timeout in seconds</description> + </valueHelp> + 
<constraint> + <validator name="numeric" argument="--range 1-21474836"/> + </constraint> + </properties> + <defaultValue>120</defaultValue> + </leafNode> + <leafNode name="time-wait"> + <properties> + <help>TCP TIME-WAIT timeout in seconds</help> + <valueHelp> + <format>u32:1-21474836</format> + <description>TCP TIME-WAIT timeout in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-21474836"/> + </constraint> + </properties> + <defaultValue>120</defaultValue> + </leafNode> + </children> + </node> + <node name="udp"> + <properties> + <help>UDP timeout options</help> + </properties> + <children> + <leafNode name="other"> + <properties> + <help>UDP generic timeout in seconds</help> + <valueHelp> + <format>u32:1-21474836</format> + <description>UDP generic timeout in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-21474836"/> + </constraint> + </properties> + <defaultValue>30</defaultValue> + </leafNode> + <leafNode name="stream"> + <properties> + <help>UDP stream timeout in seconds</help> + <valueHelp> + <format>u32:1-21474836</format> + <description>UDP stream timeout in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-21474836"/> + </constraint> + </properties> + <defaultValue>180</defaultValue> + </leafNode> + </children> + </node> + </children> + </node> + </children> + </node> + </children> + </node> +</interfaceDefinition> diff --git a/interface-definitions/system-sysctl.xml.in b/interface-definitions/system-sysctl.xml.in new file mode 100644 index 000000000..bf118c24b --- /dev/null +++ b/interface-definitions/system-sysctl.xml.in 
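Review bot: Two leaves in the new `system-conntrack.xml.in` carry a `<description>` copied from the timeout leaves: `half-open-connections` and `max-retrans` both say `<description>Generic connection timeout in seconds</description>` although neither is a timeout. They should read `<description>Maximum number of TCP half-open connections</description>` and `<description>Maximum number of TCP retransmit attempts</description>` respectively. The table-size/hash-size relationship is not cross-validated in the XML, which is expected; whether `conntrack.py` checks it is not visible here.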
@@ -0,0 +1,40 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+ <node name="system">
+ <properties>
+ <help>System parameters</help>
+ </properties>
+ <children>
+ <node name="sysctl" owner="${vyos_conf_scripts_dir}/system_sysctl.py">
+ <properties>
+ <help>Configure kernel parameters at runtime</help>
+ <priority>318</priority>
+ </properties>
+ <children>
+ <tagNode name="parameter">
+ <properties>
+ <help>Sysctl key name</help>
+ <completionHelp>
+ <script>${vyos_completion_dir}/list_sysctl_parameters.sh</script>
+ </completionHelp>
+ <valueHelp>
+ <format>txt</format>
+ <description>Sysctl key name</description>
+ </valueHelp>
+ <constraint>
+ <validator name="sysctl"/>
+ </constraint>
+ </properties>
+ <children>
+ <leafNode name="value">
+ <properties>
+ <help>Sysctl configuration value</help>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ </children>
+ </node>
+ </children>
+ </node>
+</interfaceDefinition>
diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in
index 426d7e71c..b28c86ae6 100644
--- a/interface-definitions/vpn_ipsec.xml.in
+++ b/interface-definitions/vpn_ipsec.xml.in
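Review bot: The `value` leaf under `sysctl parameter` has no `<valueHelp>` and no `<constraint>`, so the CLI accepts any string for it, whereas the key is checked by the `sysctl` validator (presumably added elsewhere in this changeset). Add at least `<valueHelp><format>txt</format><description>Sysctl configuration value</description></valueHelp>` so the type is documented, and since the value is handed to the kernel by the owner script `system_sysctl.py` (not in this hunk), that script is the only place left to reject empty or malformed values — worth confirming it does.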
@@ -1,24 +1,16 @@ <?xml version="1.0"?> <interfaceDefinition> <node name="vpn"> + <properties> + <help>Virtual Private Network (VPN)</help> + </properties> <children> - <node name="nipsec" owner="${vyos_conf_scripts_dir}/vpn_ipsec.py"> + <node name="ipsec" owner="${vyos_conf_scripts_dir}/vpn_ipsec.py"> <properties> <help>VPN IP security (IPsec) parameters</help> + <priority>901</priority> </properties> <children> - <leafNode name="auto-update"> - <properties> - <help>Set auto-update interval for IPsec daemon</help> - <valueHelp> - <format>u32:30-65535</format> - <description>Auto-update interval (s)</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 30-65535"/> - </constraint> - </properties> - </leafNode> <leafNode name="disable-uniqreqids"> <properties> <help>Option to disable requirement for unique IDs in the Security Database</help> @@ -48,6 +40,7 @@ <regex>^(disable|enable)$</regex> </constraint> </properties> + <defaultValue>disable</defaultValue> </leafNode> <leafNode name="lifetime"> <properties> @@ -60,6 +53,7 @@ <validator name="numeric" argument="--range 30-86400"/> </constraint> </properties> + <defaultValue>3600</defaultValue> </leafNode> <leafNode name="mode"> <properties> @@ -79,6 +73,7 @@ <regex>^(tunnel|transport)$</regex> </constraint> </properties> + <defaultValue>tunnel</defaultValue> </leafNode> <leafNode name="pfs"> <properties> 
@@ -88,95 +83,95 @@ </completionHelp> <valueHelp> <format>enable</format> - <description>Enable PFS. Use ike-groups dh-group (default)</description> + <description>Use Diffie-Hellman group 2 (modp1024) - default</description> </valueHelp> <valueHelp> <format>dh-group1</format> - <description>Enable PFS. Use Diffie-Hellman group 1 (modp768)</description> + <description>Use Diffie-Hellman group 1 (modp768)</description> </valueHelp> <valueHelp> <format>dh-group2</format> - <description>Enable PFS. Use Diffie-Hellman group 2 (modp1024)</description> + <description>Use Diffie-Hellman group 2 (modp1024)</description> </valueHelp> <valueHelp> <format>dh-group5</format> - <description>Enable PFS. Use Diffie-Hellman group 5 (modp1536)</description> + <description>Use Diffie-Hellman group 5 (modp1536)</description> </valueHelp> <valueHelp> <format>dh-group14</format> - <description>Enable PFS. Use Diffie-Hellman group 14 (modp2048)</description> + <description>Use Diffie-Hellman group 14 (modp2048)</description> </valueHelp> <valueHelp> <format>dh-group15</format> - <description>Enable PFS. Use Diffie-Hellman group 15 (modp3072)</description> + <description>Use Diffie-Hellman group 15 (modp3072)</description> </valueHelp> <valueHelp> <format>dh-group16</format> - <description>Enable PFS. Use Diffie-Hellman group 16 (modp4096)</description> + <description>Use Diffie-Hellman group 16 (modp4096)</description> </valueHelp> <valueHelp> <format>dh-group17</format> - <description>Enable PFS. Use Diffie-Hellman group 17 (modp6144)</description> + <description>Use Diffie-Hellman group 17 (modp6144)</description> </valueHelp> <valueHelp> <format>dh-group18</format> - <description>Enable PFS. Use Diffie-Hellman group 18 (modp8192)</description> + <description>Use Diffie-Hellman group 18 (modp8192)</description> </valueHelp> <valueHelp> <format>dh-group19</format> - <description>Enable PFS. 
Use Diffie-Hellman group 19 (ecp256)</description> + <description>Use Diffie-Hellman group 19 (ecp256)</description> </valueHelp> <valueHelp> <format>dh-group20</format> - <description>Enable PFS. Use Diffie-Hellman group 20 (ecp384)</description> + <description>Use Diffie-Hellman group 20 (ecp384)</description> </valueHelp> <valueHelp> <format>dh-group21</format> - <description>Enable PFS. Use Diffie-Hellman group 21 (ecp521)</description> + <description>Use Diffie-Hellman group 21 (ecp521)</description> </valueHelp> <valueHelp> <format>dh-group22</format> - <description>Enable PFS. Use Diffie-Hellman group 22 (modp1024s160)</description> + <description>Use Diffie-Hellman group 22 (modp1024s160)</description> </valueHelp> <valueHelp> <format>dh-group23</format> - <description>Enable PFS. Use Diffie-Hellman group 23 (modp2048s224)</description> + <description>Use Diffie-Hellman group 23 (modp2048s224)</description> </valueHelp> <valueHelp> <format>dh-group24</format> - <description>Enable PFS. Use Diffie-Hellman group 24 (modp2048s256)</description> + <description>Use Diffie-Hellman group 24 (modp2048s256)</description> </valueHelp> <valueHelp> <format>dh-group25</format> - <description>Enable PFS. Use Diffie-Hellman group 25 (ecp192)</description> + <description>Use Diffie-Hellman group 25 (ecp192)</description> </valueHelp> <valueHelp> <format>dh-group26</format> - <description>Enable PFS. Use Diffie-Hellman group 26 (ecp224)</description> + <description>Use Diffie-Hellman group 26 (ecp224)</description> </valueHelp> <valueHelp> <format>dh-group27</format> - <description>Enable PFS. Use Diffie-Hellman group 27 (ecp224bp)</description> + <description>Use Diffie-Hellman group 27 (ecp224bp)</description> </valueHelp> <valueHelp> <format>dh-group28</format> - <description>Enable PFS. 
Use Diffie-Hellman group 28 (ecp256bp)</description> + <description>Use Diffie-Hellman group 28 (ecp256bp)</description> </valueHelp> <valueHelp> <format>dh-group29</format> - <description>Enable PFS. Use Diffie-Hellman group 29 (ecp384bp)</description> + <description>Use Diffie-Hellman group 29 (ecp384bp)</description> </valueHelp> <valueHelp> <format>dh-group30</format> - <description>Enable PFS. Use Diffie-Hellman group 30 (ecp512bp)</description> + <description>Use Diffie-Hellman group 30 (ecp512bp)</description> </valueHelp> <valueHelp> <format>dh-group31</format> - <description>Enable PFS. Use Diffie-Hellman group 31 (curve25519)</description> + <description>Use Diffie-Hellman group 31 (curve25519)</description> </valueHelp> <valueHelp> <format>dh-group32</format> - <description>Enable PFS. Use Diffie-Hellman group 32 (curve448)</description> + <description>Use Diffie-Hellman group 32 (curve448)</description> </valueHelp> <valueHelp> <format>disable</format> @@ -186,6 +181,7 @@ <regex>^(enable|dh-group1|dh-group2|dh-group5|dh-group14|dh-group15|dh-group16|dh-group17|dh-group18|dh-group19|dh-group20|dh-group21|dh-group22|dh-group23|dh-group24|dh-group25|dh-group26|dh-group27|dh-group28|dh-group29|dh-group30|dh-group31|dh-group32|disable)$</regex> </constraint> </properties> + <defaultValue>enable</defaultValue> </leafNode> <tagNode name="proposal"> <properties> @@ -296,7 +292,7 @@ </completionHelp> <valueHelp> <format>yes</format> - <description>Enable remote host re-autentication during an IKE rekey. Currently broken due to a strong swan bug</description> + <description>Enable remote host re-authentication during an IKE rekey. Currently broken due to a strongswan bug</description> </valueHelp> <valueHelp> <format>no</format> @@ -337,6 +333,7 @@ <validator name="numeric" argument="--range 30-86400"/> </constraint> </properties> + <defaultValue>28800</defaultValue> </leafNode> <leafNode name="mobike"> <properties> 
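Review bot: The `pfs` value `enable` is now described as `Use Diffie-Hellman group 2 (modp1024) - default`, and the `@@ -186,6 +181,7 @@` hunk makes `enable` the default; the `@@ -483,6 +480,7 @@` hunk on the next line likewise defaults the IKE `dh-group` to `2`. A 1024-bit MODP group is below current guidance (RFC 8247 lists it as SHOULD NOT and makes the 2048-bit group 14 mandatory), so a fresh deployment gets a weak group without having chosen it. If group 2 is kept for compatibility with existing configurations, say so where the default is documented, e.g. `<description>Use Diffie-Hellman group 2 (modp1024) - default, kept for compatibility; prefer dh-group14 or higher</description>`; otherwise consider moving both defaults to group 14 or an ECP group. The enclosing `esp-group`/`ike-group` definitions start and end outside these hunks.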
@@ -483,6 +480,7 @@ <regex>^(1|2|5|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31|32)$</regex> </constraint> </properties> + <defaultValue>2</defaultValue> </leafNode> #include <include/vpn-ipsec-encryption.xml.i> #include <include/vpn-ipsec-hash.xml.i> 
@@ -500,116 +498,118 @@ <help>Sets to include an additional secrets file for strongSwan. Use an absolute path to specify the included file.</help> </properties> </leafNode> - <node name="ipsec-interfaces"> + <leafNode name="interface"> <properties> - <help>Interface to use for VPN [REQUIRED]</help> + <help>Onterface used for IPsec communication</help> + <completionHelp> + <script>${vyos_completion_dir}/list_interfaces.py</script> + </completionHelp> + <multi/> </properties> - <children> - <leafNode name="interface"> - <properties> - <help>IPsec interface [REQUIRED]</help> - <completionHelp> - <script>${vyos_completion_dir}/list_interfaces.py</script> - </completionHelp> - <multi/> - </properties> - </leafNode> - </children> - </node> - <node name="logging"> + </leafNode> + <node name="log"> <properties> <help>IPsec logging</help> </properties> <children> - <leafNode name="log-level"> + <leafNode name="level"> <properties> <help>strongSwan Logger Level</help> <valueHelp> - <format>u32:0-2</format> - <description>Logger Verbosity Level (default 0)</description> + <format>u32:0</format> + <description>Very basic auditing logs e.g. SA up/SA down (default)</description> + </valueHelp> + <valueHelp> + <format>u32:1</format> + <description>Generic control flow with errors, a good default to see whats going on</description> + </valueHelp> + <valueHelp> + <format>u32:2</format> + <description>More detailed debugging control flow</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 0-2"/> </constraint> </properties> + <defaultValue>0</defaultValue> </leafNode> - <leafNode name="log-modes"> + <leafNode name="subsystem"> <properties> - <help>Log mode. 
To see what each log mode exactly does, please refer to the strongSwan documentation</help> + <help>Subsystem in the daemon the log comes from</help> <completionHelp> <list>dmn mgr ike chd job cfg knl net asn enc lib esp tls tnc imc imv pts any</list> </completionHelp> <valueHelp> <format>dmn</format> - <description>Debug log option for strongSwan</description> + <description>Main daemon setup/cleanup/signal handling</description> </valueHelp> <valueHelp> <format>mgr</format> - <description>Debug log option for strongSwan</description> + <description>IKE_SA manager, handling synchronization for IKE_SA access</description> </valueHelp> <valueHelp> <format>ike</format> - <description>Debug log option for strongSwan</description> + <description>IKE_SA/ISAKMP SA</description> </valueHelp> <valueHelp> <format>chd</format> - <description>Debug log option for strongSwan</description> + <description>CHILD_SA/IPsec SA</description> </valueHelp> <valueHelp> <format>job</format> - <description>Debug log option for strongSwan</description> + <description>Jobs queuing/processing and thread pool management</description> </valueHelp> <valueHelp> <format>cfg</format> - <description>Debug log option for strongSwan</description> + <description>Configuration management and plugins</description> </valueHelp> <valueHelp> <format>knl</format> - <description>Debug log option for strongSwan</description> + <description>IPsec/Networking kernel interface</description> </valueHelp> <valueHelp> <format>net</format> - <description>Debug log option for strongSwan</description> + <description>IKE network communication</description> </valueHelp> <valueHelp> <format>asn</format> - <description>Debug log option for strongSwan</description> + <description>Low-level encoding/decoding (ASN.1, X.509 etc.)</description> </valueHelp> <valueHelp> <format>enc</format> - <description>Debug log option for strongSwan</description> + <description>Packet encoding/decoding encryption/decryption 
operations</description> </valueHelp> <valueHelp> <format>lib</format> - <description>Debug log option for strongSwan</description> + <description>libstrongswan library messages</description> </valueHelp> <valueHelp> <format>esp</format> - <description>Debug log option for strongSwan</description> + <description>libipsec library messages</description> </valueHelp> <valueHelp> <format>tls</format> - <description>Debug log option for strongSwan</description> + <description> libtls library messages</description> </valueHelp> <valueHelp> <format>tnc</format> - <description>Debug log option for strongSwan</description> + <description>Trusted Network Connect</description> </valueHelp> <valueHelp> <format>imc</format> - <description>Debug log option for strongSwan</description> + <description>Integrity Measurement Collector</description> </valueHelp> <valueHelp> <format>imv</format> - <description>Debug log option for strongSwan</description> + <description>Integrity Measurement Verifier</description> </valueHelp> <valueHelp> <format>pts</format> - <description>Debug log option for strongSwan</description> + <description> Platform Trust Service</description> </valueHelp> <valueHelp> <format>any</format> - <description>Debug log option for strongSwan</description> + <description>Any subsystem</description> </valueHelp> <constraint> <regex>^(dmn|mgr|ike|chd|job|cfg|knl|net|asn|enc|lib|esp|tls|tnc|imc|imv|pts|any)$</regex> 
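Review bot: `<help>Onterface used for IPsec communication</help>` in the new `interface` leaf is a typo; it should read `<help>Interface used for IPsec communication</help>`. Two of the new subsystem descriptions carry a leading space inside the element (`<description> libtls library messages</description>` and `<description> Platform Trust Service</description>`), which renders as misaligned text in completion help, and `whats` in the level-1 description should be `what's`. The enclosing `ipsec` node starts and ends outside this hunk.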
@@ -619,59 +619,6 @@ </leafNode> </children> </node> - <node name="nat-networks"> - <properties> - <help>Network Address Translation (NAT) networks</help> - </properties> - <children> - <tagNode name="allowed-network"> - <properties> - <help>NAT networks to allow</help> - <valueHelp> - <format>ipv4net</format> - <description>NAT networks to allow</description> - </valueHelp> - <constraint> - <validator name="ip-prefix"/> - </constraint> - </properties> - <children> - <leafNode name="exclude"> - <properties> - <help>NAT networks to exclude from allowed-networks</help> - <valueHelp> - <format>ipv4net</format> - <description>NAT networks to exclude from allowed-networks</description> - </valueHelp> - <constraint> - <validator name="ip-prefix"/> - </constraint> - <multi/> - </properties> - </leafNode> - </children> - </tagNode> - </children> - </node> - <leafNode name="nat-traversal"> - <properties> - <help>Network Address Translation (NAT) traversal</help> - <completionHelp> - <list>disable enable</list> - </completionHelp> - <valueHelp> - <format>disable</format> - <description>Disable NAT-T</description> - </valueHelp> - <valueHelp> - <format>enable</format> - <description>Enable NAT-T</description> - </valueHelp> - <constraint> - <regex>^(disable|enable)$</regex> - </constraint> - </properties> - </leafNode> <node name="options"> <properties> <help>Global IPsec settings</help> 
@@ -690,69 +637,261 @@ <help>VPN IPSec Profile</help> </properties> <children> + #include <include/generic-disable-node.xml.i> <node name="authentication"> <properties> <help>Authentication [REQUIRED]</help> </properties> <children> - <node name="mode"> + <leafNode name="mode"> <properties> <help>Authentication mode</help> + <completionHelp> + <list>pre-shared-secret</list> + </completionHelp> + <valueHelp> + <format>pre-shared-secret</format> + <description>Use pre shared secret key</description> + </valueHelp> + </properties> + </leafNode> + #include <include/ipsec/authentication-pre-shared-secret.xml.i> + </children> + </node> + <node name="bind"> + <properties> + <help>DMVPN crypto configuration</help> + </properties> + <children> + <leafNode name="tunnel"> + <properties> + <help>Tunnel interface associated with this configuration profile</help> + <completionHelp> + <path>interfaces tunnel</path> + </completionHelp> + <valueHelp> + <format>txt</format> + <description>Associated interface to this configuration profile</description> + </valueHelp> + <multi/> + </properties> + </leafNode> + </children> + </node> + #include <include/ipsec/esp-group.xml.i> + #include <include/ipsec/ike-group.xml.i> + </children> + </tagNode> + <node name="remote-access"> + <properties> + <help>IKEv2 remote access VPN</help> + </properties> + <children> + <tagNode name="connection"> + <properties> + <help>IKEv2 VPN connection name</help> + </properties> + <children> + <node name="authentication"> + <properties> + <help>Authentication for remote access</help> </properties> <children> - <leafNode name="pre-shared-secret"> + #include <include/ipsec/authentication-id.xml.i> + #include <include/ipsec/authentication-x509.xml.i> + <leafNode name="client-mode"> <properties> - <help>Use pre-shared secret key</help> - <valueless/> + <help>Client authentication mode</help> + <completionHelp> + <list>eap-tls eap-mschapv2 eap-radius</list> + </completionHelp> + <valueHelp> + 
<format>eap-tls</format> + <description>Client uses EAP-TLS authentication</description> + </valueHelp> + <valueHelp> + <format>eap-mschapv2</format> + <description>Client uses EAP-MSCHAPv2 authentication</description> + </valueHelp> + <valueHelp> + <format>eap-radius</format> + <description>Client uses EAP-RADIUS authentication</description> + </valueHelp> + <constraint> + <regex>^(eap-tls|eap-mschapv2|eap-radius)$</regex> + </constraint> </properties> + <defaultValue>eap-mschapv2</defaultValue> </leafNode> + #include <include/auth-local-users.xml.i> + <leafNode name="server-mode"> + <properties> + <help>Server authentication mode</help> + <completionHelp> + <list>pre-shared-secret x509</list> + </completionHelp> + <valueHelp> + <format>pre-shared-secret</format> + <description>pre-shared-secret_description</description> + </valueHelp> + <valueHelp> + <format>x509</format> + <description>x509_description</description> + </valueHelp> + <constraint> + <regex>^(pre-shared-secret|x509)$</regex> + </constraint> + </properties> + <defaultValue>x509</defaultValue> + </leafNode> + #include <include/ipsec/authentication-pre-shared-secret.xml.i> </children> </node> - <leafNode name="pre-shared-secret"> + #include <include/generic-description.xml.i> + #include <include/generic-disable-node.xml.i> + #include <include/ipsec/esp-group.xml.i> + #include <include/ipsec/ike-group.xml.i> + #include <include/ipsec/local-address.xml.i> + #include <include/ipsec/local-traffic-selector.xml.i> + <leafNode name="timeout"> <properties> - <help>Pre-shared secret key</help> + <help>Timeout to close connection if no data is transmitted</help> + <valueHelp> + <format>u32:10-86400</format> + <description>Timeout in seconds (default 28800)</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 10-86400"/> + </constraint> + </properties> + <defaultValue>28800</defaultValue> + </leafNode> + <leafNode name="pool"> + <properties> + <help>Pool name used for IP 
address assignments</help> + <completionHelp> + <path>vpn ipsec remote-access pool</path> + <list>dhcp</list> + </completionHelp> <valueHelp> <format>txt</format> - <description>Pre-shared secret key</description> + <description>Pool name</description> </valueHelp> + <multi/> + </properties> + </leafNode> + <leafNode name="unique"> + <properties> + <help>Connection uniqueness policy to enforce</help> + <completionHelp> + <list>never keep replace</list> + </completionHelp> + <valueHelp> + <format>never</format> + <description>Never enforce connection uniqueness policy</description> + </valueHelp> + <valueHelp> + <format>keep</format> + <description>Rejects new connection attempts if the same user already has an active connection</description> + </valueHelp> + <valueHelp> + <format>replace</format> + <description>Delete any existing connection if a new one for the same user gets established</description> + </valueHelp> + <constraint> + <regex>^(never|keep|replace)$</regex> + </constraint> </properties> </leafNode> </children> - </node> - <node name="bind"> + </tagNode> + <node name="dhcp"> <properties> - <help>DMVPN crypto configuration</help> + <help>DHCP pool options for remote-access</help> </properties> <children> - <leafNode name="bind_child"> + <leafNode name="interface"> <properties> - <help>bind_child_help</help> - <valueless/> + <help>Interface with DHCP server to use</help> + <completionHelp> + <script>${vyos_completion_dir}/list_interfaces.py</script> + </completionHelp> + </properties> + </leafNode> + <leafNode name="server"> + <properties> + <help>DHCP server address</help> + <valueHelp> + <format>ipv4</format> + <description>DHCP server IPv4 address</description> + </valueHelp> + <constraint> + <validator name="ipv4-address"/> + </constraint> </properties> </leafNode> </children> </node> - <leafNode name="esp-group"> + <tagNode name="pool"> <properties> - <help>Esp group name [REQUIRED]</help> - <completionHelp> - <path>vpn ipsec esp-group</path> - 
</completionHelp> + <help>IP address pool for remote-access users</help> </properties> - </leafNode> - <leafNode name="ike-group"> - <properties> - <help>Ike group name [REQUIRED]</help> - <completionHelp> - <path>vpn ipsec ike-group</path> - </completionHelp> - </properties> - </leafNode> + <children> + <leafNode name="exclude"> + <properties> + <help>Local IPv4 or IPv6 pool prefix exclusions</help> + <valueHelp> + <format>ipv4</format> + <description>Local IPv4 pool prefix exclusion</description> + </valueHelp> + <valueHelp> + <format>ipv6</format> + <description>Local IPv6 pool prefix exclusion</description> + </valueHelp> + <constraint> + <validator name="ipv4-prefix"/> + <validator name="ipv6-prefix"/> + </constraint> + <multi/> + </properties> + </leafNode> + <leafNode name="prefix"> + <properties> + <help>Local IPv4 or IPv6 pool prefix</help> + <valueHelp> + <format>ipv4</format> + <description>Local IPv4 pool prefix</description> + </valueHelp> + <valueHelp> + <format>ipv6</format> + <description>Local IPv6 pool prefix</description> + </valueHelp> + <constraint> + <validator name="ipv4-prefix"/> + <validator name="ipv6-prefix"/> + </constraint> + </properties> + </leafNode> + <!-- Include Accel-PPP definition here, maybe time for a rename? --> + #include <include/accel-ppp/name-server.xml.i> + </children> + </tagNode> + #include <include/radius-server-ipv4.xml.i> + <node name="radius"> + <children> + #include <include/radius-nas-identifier.xml.i> + <tagNode name="server"> + <children> + #include <include/accel-ppp/radius-additions-disable-accounting.xml.i> + </children> + </tagNode> + </children> + </node> </children> - </tagNode> + </node> <node name="site-to-site"> <properties> - <help>Site to site VPN</help> + <help>Site-to-site VPN</help> </properties> <children> <tagNode name="peer"> 
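Review bot: The `server-mode` valueHelp descriptions are placeholder strings — `<description>pre-shared-secret_description</description>` and `<description>x509_description</description>` — that operators will see verbatim; replace them with e.g. `<description>Use pre-shared secret key</description>` and `<description>Use X.509 certificate</description>`. Separately, `client-mode` defaults to `eap-mschapv2`, a password-based method whose safety rests on the client having authenticated the server first (i.e. `server-mode` x509 with a certificate the client verifies); one sentence to that effect in the `client-mode` help would make the default an informed choice rather than a silent one. The `profile` tagNode starts before this hunk; the `remote-access` node opens and closes within it.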
@@ -776,20 +915,15 @@ </valueHelp> </properties> <children> + #include <include/generic-disable-node.xml.i> <node name="authentication"> <properties> <help>Peer authentication [REQUIRED]</help> </properties> <children> - <leafNode name="id"> - <properties> - <help>ID for peer authentication</help> - <valueHelp> - <format>txt</format> - <description>ID used for peer authentication</description> - </valueHelp> - </properties> - </leafNode> + #include <include/ipsec/authentication-id.xml.i> + #include <include/ipsec/authentication-rsa.xml.i> + #include <include/ipsec/authentication-x509.xml.i> <leafNode name="mode"> <properties> <help>Authentication mode</help> @@ -813,15 +947,7 @@ </constraint> </properties> </leafNode> - <leafNode name="pre-shared-secret"> - <properties> - <help>Pre-shared secret key</help> - <valueHelp> - <format>txt</format> - <description>Pre-shared secret key</description> - </valueHelp> - </properties> - </leafNode> + #include <include/ipsec/authentication-pre-shared-secret.xml.i> <leafNode name="remote-id"> <properties> <help>ID for remote authentication</help> 
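Review bot: The `@@ -776,20 +915,15 @@` hunk replaces the inline peer authentication leaves with `#include <include/ipsec/authentication-x509.xml.i>`, and the `@@ -831,60 +957,12 @@` hunk on the next line drops the old `x509` node that carried `crl-file` plus the key `file`/`password` leaves. The include is not visible here, so please confirm it still exposes a CRL or other revocation setting; if that option was dropped on purpose, peer certificates can no longer be revoked from this CLI path and the help text or migration should say so. The `peer` tagNode starts before this hunk.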
@@ -831,60 +957,12 @@ </valueHelp> </properties> </leafNode> - <leafNode name="rsa-key-name"> - <properties> - <help>RSA key name</help> - </properties> - </leafNode> <leafNode name="use-x509-id"> <properties> <help>Use certificate common name as ID</help> <valueless/> </properties> </leafNode> - <node name="x509"> - <properties> - <help>X.509 certificate</help> - </properties> - <children> - #include <include/certificate.xml.i> - #include <include/certificate-ca.xml.i> - <leafNode name="crl-file"> - <properties> - <help>File containing the X.509 Certificate Revocation List (CRL)</help> - <valueHelp> - <format>txt</format> - <description>File in /config/auth</description> - </valueHelp> - </properties> - </leafNode> - <node name="key"> - <properties> - <help>Key file and password to open it</help> - </properties> - <children> - <leafNode name="file"> - <properties> - <help>File containing the private key for the X.509 certificate for this host</help> - <valueHelp> - <format>txt</format> - <description>File in /config/auth</description> - </valueHelp> - </properties> - </leafNode> - <leafNode name="password"> - <properties> - <help>Password that protects the private key</help> - <valueHelp> - <format>txt</format> - <description>Password that protects the private key</description> - </valueHelp> - </properties> - </leafNode> - </children> - </node> - </children> - </node> </children> </node> <leafNode name="connection-type"> 
@@ -909,20 +987,13 @@ <leafNode name="default-esp-group"> <properties> <help>Defult ESP group name</help> + <completionHelp> + <path>vpn ipsec esp-group</path> + </completionHelp> </properties> </leafNode> - <leafNode name="description"> - <properties> - <help>VPN peer description</help> - <valueless/> - </properties> - </leafNode> - <leafNode name="dhcp-interface"> - <properties> - <help>DHCP interface to listen on</help> - <valueless/> - </properties> - </leafNode> + #include <include/generic-description.xml.i> + #include <include/dhcp-interface.xml.i> <leafNode name="force-encapsulation"> <properties> <help>Force UDP Encapsulation for ESP Payloads</help> @@ -942,14 +1013,7 @@ </constraint> </properties> </leafNode> - <leafNode name="ike-group"> - <properties> - <help>Internet Key Exchange (IKE) group name [REQUIRED]</help> - <completionHelp> - <path>vpn ipsec ike-group</path> - </completionHelp> - </properties> - </leafNode> + #include <include/ipsec/ike-group.xml.i> <leafNode name="ikev2-reauth"> <properties> <help>Re-authentication of the remote peer during an IKE re-key. IKEv2 option only</help> 
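Review bot: The new `<completionHelp>` for `default-esp-group` is added under a help string that still reads `<help>Defult ESP group name</help>`; since the leaf is being edited anyway, correct it to `<help>Default ESP group name</help>`. The `peer` tagNode enclosing both hunks starts before and ends after them.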
@@ -973,31 +1037,7 @@ </constraint> </properties> </leafNode> - <leafNode name="local-address"> - <properties> - <help>IPv4 or IPv6 address of a local interface to use for VPN</help> - <completionHelp> - <list>any</list> - </completionHelp> - <valueHelp> - <format>ipv4</format> - <description>IPv4 address of a local interface for VPN</description> - </valueHelp> - <valueHelp> - <format>ipv6</format> - <description>IPv6 address of a local interface for VPN</description> - </valueHelp> - <valueHelp> - <format>any</format> - <description>Allow any IPv4 address present on the system to be used for VPN</description> - </valueHelp> - <constraint> - <validator name="ipv4-address"/> - <validator name="ipv6-address"/> - <regex>^(any)$</regex> - </constraint> - </properties> - </leafNode> + #include <include/ipsec/local-address.xml.i> <tagNode name="tunnel"> <properties> <help>Peer tunnel [REQUIRED]</help> 
@@ -1007,114 +1047,16 @@ </valueHelp> </properties> <children> - <leafNode name="allow-nat-networks"> - <properties> - <help>Option to allow NAT networks</help> - <completionHelp> - <list>enable disable</list> - </completionHelp> - <valueHelp> - <format>enable</format> - <description>Enable NAT networks</description> - </valueHelp> - <valueHelp> - <format>disable</format> - <description>Disable NAT networks (default)</description> - </valueHelp> - <constraint> - <regex>^(enable|disable)$</regex> - </constraint> - </properties> - </leafNode> - <leafNode name="allow-public-networks"> - <properties> - <help>Option to allow public networks</help> - <completionHelp> - <list>enable disable</list> - </completionHelp> - <valueHelp> - <format>enable</format> - <description>Enable public networks</description> - </valueHelp> - <valueHelp> - <format>disable</format> - <description>Disable public networks (default)</description> - </valueHelp> - <constraint> - <regex>^(enable|disable)$</regex> - </constraint> - </properties> - </leafNode> #include <include/generic-disable-node.xml.i> - <leafNode name="esp-group"> - <properties> - <help>ESP group name</help> - <completionHelp> - <path>vpn ipsec esp-group</path> - </completionHelp> - </properties> - </leafNode> - <node name="local"> - <properties> - <help>Local parameters for interesting traffic</help> - </properties> - <children> - <leafNode name="port"> - <properties> - <help>Any TCP or UDP port</help> - <valueHelp> - <format>port name</format> - <description>Named port (any name in /etc/services, e.g., http)</description> - </valueHelp> - <valueHelp> - <format>u32:1-65535</format> - <description>Numbered port</description> - </valueHelp> - </properties> - </leafNode> - <leafNode name="prefix"> - <properties> - <help>Local IPv4 or IPv6 prefix</help> - <valueHelp> - <format>ipv4</format> - <description>Local IPv4 prefix</description> - </valueHelp> - <valueHelp> - <format>ipv6</format> - <description>Local IPv6 
prefix</description> - </valueHelp> - <constraint> - <validator name="ipv4-prefix"/> - <validator name="ipv6-prefix"/> - </constraint> - </properties> - </leafNode> - </children> - </node> - <leafNode name="protocol"> - <properties> - <help>Protocol to encrypt</help> - <valueless/> - </properties> - </leafNode> + #include <include/ipsec/esp-group.xml.i> + #include <include/ipsec/local-traffic-selector.xml.i> + #include <include/ip-protocol.xml.i> <node name="remote"> <properties> <help>Remote parameters for interesting traffic</help> </properties> <children> - <leafNode name="port"> - <properties> - <help>Any TCP or UDP port</help> - <valueHelp> - <format>port name</format> - <description>Named port (any name in /etc/services, e.g., http)</description> - </valueHelp> - <valueHelp> - <format>u32:1-65535</format> - <description>Numbered port</description> - </valueHelp> - </properties> - </leafNode> + #include <include/port-number.xml.i> <leafNode name="prefix"> <properties> <help>Remote IPv4 or IPv6 prefix</help> @@ -1130,6 +1072,7 @@ <validator name="ipv4-prefix"/> <validator name="ipv6-prefix"/> </constraint> + <multi/> </properties> </leafNode> </children> @@ -1143,17 +1086,13 @@ <children> <leafNode name="bind"> <properties> - <help>VTI tunnel interface associated with this configuration [REQUIRED]</help> - </properties> - </leafNode> - <leafNode name="esp-group"> - <properties> - <help>ESP group name [REQUIRED]</help> + <help>VTI tunnel interface associated with this configuration</help> <completionHelp> - <path>vpn ipsec esp-group</path> + <path>interfaces vti</path> </completionHelp> </properties> </leafNode> + #include <include/ipsec/esp-group.xml.i> </children> </node> </children> diff --git a/interface-definitions/vpn_l2tp.xml.in b/interface-definitions/vpn_l2tp.xml.in index 5bdebcb05..cf31af70f 100644 --- a/interface-definitions/vpn_l2tp.xml.in +++ b/interface-definitions/vpn_l2tp.xml.in 
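Review bot: The `@@ -1130,6 +1072,7 @@` hunk adds `<multi/>` to the remote `prefix` leaf, so the value the owner script receives becomes a list rather than a single prefix; the help text `Remote IPv4 or IPv6 prefix` is still singular and the handling in `vpn_ipsec.py` is not in this diff, so both should be checked. A small wording fix would be `<help>Remote IPv4 or IPv6 prefix(es) for interesting traffic</help>`. The `tunnel` tagNode enclosing this leaf starts before the hunk.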
@@ -70,51 +70,8 @@ </completionHelp> </properties> </leafNode> - <leafNode name="pre-shared-secret"> - <properties> - <help>Pre-shared secret for IPsec</help> - </properties> - </leafNode> - <node name="x509"> - <properties> - <help>X.509 certificate</help> - </properties> - <children> - #include <include/certificate-ca.xml.i> - <leafNode name="crl-file"> - <properties> - <help>File containing the X.509 Certificate Revocation List (CRL)</help> - <valueHelp> - <format>txt</format> - <description>File in /config/auth</description> - </valueHelp> - </properties> - </leafNode> - <leafNode name="server-cert-file"> - <properties> - <help>File containing the X.509 certificate for the remote access VPN server (this host)</help> - <valueHelp> - <format>txt</format> - <description>File in /config/auth</description> - </valueHelp> - </properties> - </leafNode> - <leafNode name="server-key-file"> - <properties> - <help>File containing the private key for the X.509 certificate for the remote access VPN server (this host)</help> - <valueHelp> - <format>txt</format> - <description>File in /config/auth</description> - </valueHelp> - </properties> - </leafNode> - <leafNode name="server-key-password"> - <properties> - <help>Password that protects the private key</help> - </properties> - </leafNode> - </children> - </node> + #include <include/ipsec/authentication-pre-shared-secret.xml.i> + #include <include/ipsec/authentication-x509.xml.i> </children> </node> <leafNode name="ike-lifetime"> @@ -128,6 +85,7 @@ <validator name="numeric" argument="--range 30-86400"/> </constraint> </properties> + <defaultValue>3600</defaultValue> </leafNode> <leafNode name="lifetime"> <properties> @@ -140,7 +98,10 @@ <validator name="numeric" argument="--range 30-86400"/> </constraint> </properties> + <defaultValue>3600</defaultValue> </leafNode> + #include <include/ipsec/esp-group.xml.i> + #include <include/ipsec/ike-group.xml.i> </children> </node> #include <include/accel-ppp/wins-server.xml.i> 
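Review bot: The `@@ -140,7 +98,10 @@` hunk adds `#include <include/ipsec/esp-group.xml.i>` and `#include <include/ipsec/ike-group.xml.i>` under the L2TP IPsec settings while keeping the `ike-lifetime` and `lifetime` leaves (now defaulted to 3600). If those group includes point at `vpn ipsec esp-group`/`ike-group` objects that carry their own lifetimes (the includes are not visible here), an operator has two places to set the same value with no stated precedence; either document in the `lifetime`/`ike-lifetime` help which setting wins, or drop the now-redundant leaf. The enclosing node starts before the first hunk and ends after the last.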
@@ -159,11 +120,7 @@
 <help>Description for L2TP remote-access settings</help>
 </properties>
 </leafNode>
- <leafNode name="dhcp-interface">
- <properties>
- <help>DHCP interface to listen on</help>
- </properties>
- </leafNode>
+ #include <include/dhcp-interface.xml.i>
 <leafNode name="idle">
 <properties>
 <help>PPP idle timeout</help>
@@ -248,11 +205,7 @@
 <help>Maximum number of tries to send Access-Request/Accounting-Request queries</help>
 </properties>
 </leafNode>
- <leafNode name="nas-identifier">
- <properties>
- <help>Value to send to RADIUS server in NAS-Identifier attribute and to be matched in DM/CoA requests.</help>
- </properties>
- </leafNode>
+ #include <include/radius-nas-identifier.xml.i>
 <node name="dae-server">
 <properties>
 <help>IPv4 address and port to bind Dynamic Authorization Extension server (DM/CoA)</help>
@@ -308,6 +261,7 @@
 </properties>
 <children>
 #include <include/accel-ppp/lcp-echo-interval-failure.xml.i>
+ #include <include/accel-ppp/ppp-options-ipv6.xml.i>
 </children>
 </node>
 </children>
diff --git a/interface-definitions/vpn_openconnect.xml.in b/interface-definitions/vpn_openconnect.xml.in
index 1a9d39a12..a33ff67ea 100644
--- a/interface-definitions/vpn_openconnect.xml.in
+++ b/interface-definitions/vpn_openconnect.xml.in
@@ -32,26 +32,7 @@
 </completionHelp>
 </properties>
 </leafNode>
- <node name="local-users">
- <properties>
- <help>Local user authentication for SSL VPN server</help>
- </properties>
- <children>
- <tagNode name="username">
- <properties>
- <help>User name for authentication</help>
- </properties>
- <children>
- #include <include/generic-disable-node.xml.i>
- <leafNode name="password">
- <properties>
- <help>Password for authentication</help>
- </properties>
- </leafNode>
- </children>
- </tagNode>
- </children>
- </node>
+ #include <include/auth-local-users.xml.i>
 #include <include/radius-server-ipv4.xml.i>
 <node name="radius">
 <children>
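Review bot: Replacing the inline `local-users` tree in the openconnect hunk with `include/auth-local-users.xml.i` only preserves behaviour if that include defines the same `username` tag node with the `disable` and `password` leaves that were removed; the include is not part of this diff, so please confirm its leaf set matches what vpn_openconnect.py reads, in particular the per-user disable, since a mismatch there silently changes which users the server accepts. The `dhcp-interface` and `nas-identifier` swaps in the L2TP hunks are the same pattern and should keep the removed help text verbatim in the shared includes. The `authentication` node these hunks sit in starts outside the hunk.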
@@ -75,7 +56,7 @@
 </node>
 <node name="listen-ports">
 <properties>
- <help>SSL Certificate, SSL Key and CA (/config/auth)</help>
+ <help>Specify custom ports to use for client connections</help>
 </properties>
 <children>
 <leafNode name="tcp">
@@ -108,12 +89,11 @@
 </node>
 <node name="ssl">
 <properties>
- <help>SSL Certificate, SSL Key and CA (/config/auth)</help>
+ <help>SSL Certificate, SSL Key and CA</help>
 </properties>
 <children>
- #include <include/certificate.xml.i>
- #include <include/certificate-ca.xml.i>
- #include <include/certificate-key.xml.i>
+ #include <include/pki/ca-certificate.xml.i>
+ #include <include/pki/certificate-key.xml.i>
 </children>
 </node>
 <node name="network-settings">
diff --git a/interface-definitions/vpn_pptp.xml.in b/interface-definitions/vpn_pptp.xml.in
index 91c8cd76f..dab317f68 100644
--- a/interface-definitions/vpn_pptp.xml.in
+++ b/interface-definitions/vpn_pptp.xml.in
@@ -5,6 +5,7 @@
 <node name="pptp" owner="${vyos_conf_scripts_dir}/vpn_pptp.py">
 <properties>
 <help>Point to Point Tunneling Protocol (PPTP) Virtual Private Network (VPN)</help>
+ <priority>901</priority>
 </properties>
 <children>
 <node name="remote-access">
diff --git a/interface-definitions/vpn_sstp.xml.in b/interface-definitions/vpn_sstp.xml.in
index e4ade844d..3576bac90 100644
--- a/interface-definitions/vpn_sstp.xml.in
+++ b/interface-definitions/vpn_sstp.xml.in
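Review bot: The `ssl` node in the second openconnect hunk pulls in `include/pki/certificate-key.xml.i`, whereas the equivalent `ssl` node in the vpn_sstp.xml.in hunk of this same diff pulls in `include/pki/certificate.xml.i`; unless the two includes are aliases, one service ends up with a different leaf set (certificate without key or vice versa), which would only surface at commit time. Please confirm which include is intended and use the same one in both files, e.g. `#include <include/pki/certificate.xml.i>` in both. The `vpn openconnect` node starts outside the hunk.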
@@ -43,18 +43,18 @@
 </properties>
 <children>
 #include <include/accel-ppp/ppp-mppe.xml.i>
+ #include <include/accel-ppp/ppp-options-ipv6.xml.i>
 #include <include/accel-ppp/lcp-echo-interval-failure.xml.i>
 #include <include/accel-ppp/lcp-echo-timeout.xml.i>
 </children>
 </node>
 <node name="ssl">
 <properties>
- <help>SSL Certificate, SSL Key and CA (/config/user-data/sstp)</help>
+ <help>SSL Certificate, SSL Key and CA</help>
 </properties>
 <children>
- #include <include/certificate.xml.i>
- #include <include/certificate-ca.xml.i>
- #include <include/certificate-key.xml.i>
+ #include <include/pki/ca-certificate.xml.i>
+ #include <include/pki/certificate.xml.i>
 </children>
 </node>
 </children>
diff --git a/interface-definitions/vrf.xml.in b/interface-definitions/vrf.xml.in
index 426884a11..9d513945c 100644
--- a/interface-definitions/vrf.xml.in
+++ b/interface-definitions/vrf.xml.in
@@ -19,7 +19,7 @@
 <constraint>
 <validator name="vrf-name"/>
 </constraint>
- <constraintErrorMessage>VRF instance name must be 15 characters or less and can not\nbe named as regular network interfaces.\n</constraintErrorMessage>
+ <constraintErrorMessage>VRF instance name must be 15 characters or less and can not\nbe named as regular network interfaces.\nA name must starts from a letter.\n</constraintErrorMessage>
 <valueHelp>
 <format>txt</format>
 <description>VRF instance name</description>
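Review bot: The new constraintErrorMessage in the vrf.xml.in hunk reads `A name must starts from a letter.`; this is user-facing text shown on every rejected name, so it should be `...be named as regular network interfaces.\nA name must start with a letter.\n`. The message now also promises a rule that the `vrf-name` validator must actually enforce; the validator is not part of this hunk, so please confirm it rejects names beginning with a digit, otherwise the message and the check disagree.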
@@ -76,13 +76,13 @@
 <properties>
 <help>Routing table associated with this instance</help>
 <valueHelp>
- <format>100-2147483647</format>
+ <format>100-65535</format>
 <description>Routing table ID</description>
 </valueHelp>
 <constraint>
- <validator name="numeric" argument="--range 100-2147483647"/>
+ <validator name="numeric" argument="--range 100-65535"/>
 </constraint>
- <constraintErrorMessage>VRF routing table must be in range from 100 to 2147483647</constraintErrorMessage>
+ <constraintErrorMessage>VRF routing table must be in range from 100 to 65535</constraintErrorMessage>
 </properties>
 </leafNode>
 #include <include/vni.xml.i>
diff --git a/mibs/AGENTX-MIB.txt b/mibs/AGENTX-MIB.txt
new file mode 100644
index 000000000..f9e5acd52
--- /dev/null
+++ b/mibs/AGENTX-MIB.txt
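Review bot: Narrowing the `table` range from 100-2147483647 to 100-65535 will make any existing configuration with a table ID above 65535 fail validation on upgrade, and no migration script or release-note entry is visible in this diff; please either add one or state in the commit message why the previous upper bound was never usable. The valueHelp format, the numeric validator argument and the error message were all updated to the same value, which is good — they must stay in lockstep. The enclosing `vrf name` tag node starts outside the hunk.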
@@ -0,0 +1,527 @@ +AGENTX-MIB DEFINITIONS ::= BEGIN + +IMPORTS + MODULE-IDENTITY, OBJECT-TYPE, Unsigned32, mib-2 + FROM SNMPv2-SMI + SnmpAdminString + FROM SNMP-FRAMEWORK-MIB + MODULE-COMPLIANCE, OBJECT-GROUP + FROM SNMPv2-CONF + TEXTUAL-CONVENTION, TimeStamp, TruthValue, TDomain + FROM SNMPv2-TC; +agentxMIB MODULE-IDENTITY + LAST-UPDATED "200001100000Z" -- Midnight 10 January 2000 + ORGANIZATION "AgentX Working Group" + CONTACT-INFO "WG-email: agentx@dorothy.bmc.com + Subscribe: agentx-request@dorothy.bmc.com + WG-email Archive: ftp://ftp.peer.com/pub/agentx/archives + FTP repository: ftp://ftp.peer.com/pub/agentx + http://www.ietf.org/html.charters/agentx-charter.html + + Chair: Bob Natale + ACE*COMM Corporation + Email: bnatale@acecomm.com + + WG editor: Mark Ellison + Ellison Software Consulting, Inc. + Email: ellison@world.std.com + + Co-author: Lauren Heintz + Cisco Systems, + EMail: lheintz@cisco.com + + Co-author: Smitha Gudur + Independent Consultant + Email: sgudur@hotmail.com + " + DESCRIPTION "This is the MIB module for the SNMP Agent Extensibility + Protocol (AgentX). This MIB module will be implemented by + the master agent. + " + + REVISION "200001100000Z" -- Midnight 10 January 2000 + DESCRIPTION + "Initial version published as RFC 2742." + ::= { mib-2 74 } + + -- Textual Conventions + + AgentxTAddress ::= TEXTUAL-CONVENTION + STATUS current + DESCRIPTION + "Denotes a transport service address. This is identical to + the TAddress textual convention (SNMPv2-SMI) except that + zero-length values are permitted. 
+ " + SYNTAX OCTET STRING (SIZE (0..255)) + + -- Administrative assignments + + agentxObjects OBJECT IDENTIFIER ::= { agentxMIB 1 } + agentxGeneral OBJECT IDENTIFIER ::= { agentxObjects 1 } + agentxConnection OBJECT IDENTIFIER ::= { agentxObjects 2 } + agentxSession OBJECT IDENTIFIER ::= { agentxObjects 3 } + agentxRegistration OBJECT IDENTIFIER ::= { agentxObjects 4 } + + agentxDefaultTimeout OBJECT-TYPE + SYNTAX INTEGER (0..255) + UNITS "seconds" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The default length of time, in seconds, that the master + agent should allow to elapse after dispatching a message + to a session before it regards the subagent as not + responding. This is a system-wide value that may + override the timeout value associated with a particular + session (agentxSessionTimeout) or a particular registered + MIB region (agentxRegTimeout). If the associated value of + agentxSessionTimeout and agentxRegTimeout are zero, or + impractical in accordance with implementation-specific + procedure of the master agent, the value represented by + this object will be the effective timeout value for the + + master agent to await a response to a dispatch from a + given subagent. + " + DEFVAL { 5 } + ::= { agentxGeneral 1 } + + agentxMasterAgentXVer OBJECT-TYPE + SYNTAX INTEGER (1..255) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The AgentX protocol version supported by this master agent. + The current protocol version is 1. Note that the master agent + must also allow interaction with earlier version subagents. + " + ::= { agentxGeneral 2 } + + -- The AgentX Subagent Connection Group + + agentxConnTableLastChange OBJECT-TYPE + SYNTAX TimeStamp + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of sysUpTime when the last row creation or deletion + occurred in the agentxConnectionTable. 
+ " + ::= { agentxConnection 1 } + + agentxConnectionTable OBJECT-TYPE + SYNTAX SEQUENCE OF AgentxConnectionEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The agentxConnectionTable tracks all current AgentX transport + connections. There may be zero, one, or more AgentX sessions + carried on a given AgentX connection. + " + ::= { agentxConnection 2 } + + agentxConnectionEntry OBJECT-TYPE + SYNTAX AgentxConnectionEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "An agentxConnectionEntry contains information describing a + single AgentX transport connection. A connection may be + + used to support zero or more AgentX sessions. An entry is + created when a new transport connection is established, + and is destroyed when the transport connection is terminated. + " + INDEX { agentxConnIndex } + ::= { agentxConnectionTable 1 } + + AgentxConnectionEntry ::= SEQUENCE { + agentxConnIndex Unsigned32, + agentxConnOpenTime TimeStamp, + agentxConnTransportDomain TDomain, + agentxConnTransportAddress AgentxTAddress } + + agentxConnIndex OBJECT-TYPE + SYNTAX Unsigned32 (1..4294967295) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "agentxConnIndex contains the value that uniquely identifies + an open transport connection used by this master agent + to provide AgentX service. Values of this index should + not be re-used. The value assigned to a given transport + connection is constant for the lifetime of that connection. + " + ::= { agentxConnectionEntry 1 } + + agentxConnOpenTime OBJECT-TYPE + SYNTAX TimeStamp + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of sysUpTime when this connection was established + and, therefore, its value when this entry was added to the table. + " + ::= { agentxConnectionEntry 2 } + + agentxConnTransportDomain OBJECT-TYPE + SYNTAX TDomain + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The transport protocol in use for this connection to the + subagent. 
+ " + ::= { agentxConnectionEntry 3 } + + agentxConnTransportAddress OBJECT-TYPE + SYNTAX AgentxTAddress + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The transport address of the remote (subagent) end of this + connection to the master agent. This object may be zero-length + for unix-domain sockets (and possibly other types of transport + addresses) since the subagent need not bind a filename to its + local socket. + " + ::= { agentxConnectionEntry 4 } + + -- The AgentX Subagent Session Group + + agentxSessionTableLastChange OBJECT-TYPE + SYNTAX TimeStamp + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of sysUpTime when the last row creation or deletion + occurred in the agentxSessionTable. + " + ::= { agentxSession 1 } + + agentxSessionTable OBJECT-TYPE + SYNTAX SEQUENCE OF AgentxSessionEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A table of AgentX subagent sessions currently in effect. + " + ::= { agentxSession 2 } + + agentxSessionEntry OBJECT-TYPE + SYNTAX AgentxSessionEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Information about a single open session between the AgentX + master agent and a subagent is contained in this entry. An + entry is created when a new session is successfully established + and is destroyed either when the subagent transport connection + has terminated or when the subagent session is closed. + " + INDEX { agentxConnIndex, agentxSessionIndex } + ::= { agentxSessionTable 1 } + + AgentxSessionEntry ::= SEQUENCE { + agentxSessionIndex Unsigned32, + agentxSessionObjectID OBJECT IDENTIFIER, + agentxSessionDescr SnmpAdminString, + agentxSessionAdminStatus INTEGER, + agentxSessionOpenTime TimeStamp, + agentxSessionAgentXVer INTEGER, + agentxSessionTimeout INTEGER + } + + agentxSessionIndex OBJECT-TYPE + SYNTAX Unsigned32 (0..4294967295) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A unique index for the subagent session. 
It is the same as + h.sessionID defined in the agentx header. Note that if + a subagent's session with the master agent is closed for + any reason its index should not be re-used. + A value of zero(0) is specifically allowed in order + to be compatible with the definition of h.sessionId. + " + ::= { agentxSessionEntry 1 } + + agentxSessionObjectID OBJECT-TYPE + SYNTAX OBJECT IDENTIFIER + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "This is taken from the o.id field of the agentx-Open-PDU. + This attribute will report a value of '0.0' for subagents + not supporting the notion of an AgentX session object + identifier. + " + ::= { agentxSessionEntry 2 } + + agentxSessionDescr OBJECT-TYPE + SYNTAX SnmpAdminString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "A textual description of the session. This is analogous to + sysDescr defined in the SNMPv2-MIB in RFC 1907 [19] and is + taken from the o.descr field of the agentx-Open-PDU. + This attribute will report a zero-length string value for + subagents not supporting the notion of a session description. + " + ::= { agentxSessionEntry 3 } + + agentxSessionAdminStatus OBJECT-TYPE + SYNTAX INTEGER { + up(1), + down(2) + } + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The administrative (desired) status of the session. Setting + the value to 'down(2)' closes the subagent session (with c.reason + set to 'reasonByManager'). + " + ::= { agentxSessionEntry 4 } + + agentxSessionOpenTime OBJECT-TYPE + SYNTAX TimeStamp + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of sysUpTime when this session was opened and, + therefore, its value when this entry was added to the table. + " + ::= { agentxSessionEntry 5 } + + agentxSessionAgentXVer OBJECT-TYPE + SYNTAX INTEGER (1..255) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The version of the AgentX protocol supported by the + session. This must be less than or equal to the value of + agentxMasterAgentXVer. 
+ " + ::= { agentxSessionEntry 6 } + + agentxSessionTimeout OBJECT-TYPE + SYNTAX INTEGER (0..255) + UNITS "seconds" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The length of time, in seconds, that a master agent should + allow to elapse after dispatching a message to this session + before it regards the subagent as not responding. This value + is taken from the o.timeout field of the agentx-Open-PDU. + This is a session-specific value that may be overridden by + values associated with the specific registered MIB regions + (see agentxRegTimeout). A value of zero(0) indicates that + the master agent's default timeout value should be used + + (see agentxDefaultTimeout). + " + ::= { agentxSessionEntry 7 } + + -- The AgentX Registration Group + + agentxRegistrationTableLastChange OBJECT-TYPE + SYNTAX TimeStamp + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of sysUpTime when the last row creation or deletion + occurred in the agentxRegistrationTable. + " + ::= { agentxRegistration 1 } + + agentxRegistrationTable OBJECT-TYPE + SYNTAX SEQUENCE OF AgentxRegistrationEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A table of registered regions. + " + ::= { agentxRegistration 2 } + + agentxRegistrationEntry OBJECT-TYPE + SYNTAX AgentxRegistrationEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Contains information for a single registered region. An + entry is created when a session successfully registers a + region and is destroyed for any of three reasons: this region + is unregistered by the session, the session is closed, + or the subagent connection is closed. 
+ " + INDEX { agentxConnIndex, agentxSessionIndex, agentxRegIndex } + ::= { agentxRegistrationTable 1 } + + AgentxRegistrationEntry ::= SEQUENCE { + agentxRegIndex Unsigned32, + agentxRegContext OCTET STRING, + agentxRegStart OBJECT IDENTIFIER, + agentxRegRangeSubId Unsigned32, + agentxRegUpperBound Unsigned32, + agentxRegPriority Unsigned32, + agentxRegTimeout INTEGER, + agentxRegInstance TruthValue } + + agentxRegIndex OBJECT-TYPE + SYNTAX Unsigned32 (1..4294967295) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "agentxRegIndex uniquely identifies a registration entry. + This value is constant for the lifetime of an entry. + " + ::= { agentxRegistrationEntry 1 } + + agentxRegContext OBJECT-TYPE + SYNTAX OCTET STRING + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The context in which the session supports the objects in this + region. A zero-length context indicates the default context. + " + ::= { agentxRegistrationEntry 2 } + + agentxRegStart OBJECT-TYPE + SYNTAX OBJECT IDENTIFIER + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The starting OBJECT IDENTIFIER of this registration entry. The + session identified by agentxSessionIndex implements objects + starting at this value (inclusive). Note that this value could + identify an object type, an object instance, or a partial object + instance. + " + ::= { agentxRegistrationEntry 3 } + + agentxRegRangeSubId OBJECT-TYPE + SYNTAX Unsigned32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "agentxRegRangeSubId is used to specify the range. This is + taken from r.region_subid in the registration PDU. If the value + of this object is zero, no range is specified. If it is non-zero, + it identifies the `nth' sub-identifier in r.region for which + this entry's agentxRegUpperBound value is substituted in the + OID for purposes of defining the region's upper bound. 
+ " + ::= { agentxRegistrationEntry 4 } + + agentxRegUpperBound OBJECT-TYPE + SYNTAX Unsigned32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "agentxRegUpperBound represents the upper-bound sub-identifier in + a registration. This is taken from the r.upper_bound in the + registration PDU. If agentxRegRangeSubid (r.region_subid) is + zero, this value is also zero and is not used to define an upper + bound for this registration. + " + ::= { agentxRegistrationEntry 5 } + + agentxRegPriority OBJECT-TYPE + SYNTAX Unsigned32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The registration priority. Lower values have higher priority. + This value is taken from r.priority in the register PDU. + Sessions should use the value of 127 for r.priority if a + default value is desired. + " + ::= { agentxRegistrationEntry 6 } + + agentxRegTimeout OBJECT-TYPE + SYNTAX INTEGER (0..255) + UNITS "seconds" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The timeout value, in seconds, for responses to + requests associated with this registered MIB region. + A value of zero(0) indicates the default value (indicated + by by agentxSessionTimeout or agentxDefaultTimeout) is to + be used. This value is taken from the r.timeout field of + the agentx-Register-PDU. + " + ::= { agentxRegistrationEntry 7 } + + agentxRegInstance OBJECT-TYPE + SYNTAX TruthValue + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of agentxRegInstance is `true' for + registrations for which the INSTANCE_REGISTRATION + was set, and is `false' for all other registrations. 
+ " + ::= { agentxRegistrationEntry 8 } + + -- Conformance Statements for AgentX + + agentxConformance OBJECT IDENTIFIER ::= { agentxMIB 2 } + agentxMIBGroups OBJECT IDENTIFIER ::= { agentxConformance 1 } + agentxMIBCompliances OBJECT IDENTIFIER ::= { agentxConformance 2 } + + -- Compliance Statements for AgentX + + agentxMIBCompliance MODULE-COMPLIANCE + STATUS current + DESCRIPTION + "The compliance statement for SNMP entities that implement the + AgentX protocol. Note that a compliant agent can implement all + objects in this MIB module as read-only. + " + MODULE -- this module + MANDATORY-GROUPS { agentxMIBGroup } + + OBJECT agentxSessionAdminStatus + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required. + " + ::= { agentxMIBCompliances 1 } + + agentxMIBGroup OBJECT-GROUP + OBJECTS { + agentxDefaultTimeout, + agentxMasterAgentXVer, + agentxConnTableLastChange, + agentxConnOpenTime, + agentxConnTransportDomain, + agentxConnTransportAddress, + agentxSessionTableLastChange, + agentxSessionTimeout, + agentxSessionObjectID, + agentxSessionDescr, + agentxSessionAdminStatus, + agentxSessionOpenTime, + agentxSessionAgentXVer, + agentxRegistrationTableLastChange, + agentxRegContext, + agentxRegStart, + agentxRegRangeSubId, + agentxRegUpperBound, + agentxRegPriority, + agentxRegTimeout, + agentxRegInstance + } + STATUS current + DESCRIPTION + "All accessible objects in the AgentX MIB. + " + ::= { agentxMIBGroups 1 } + + END diff --git a/mibs/BGP4-MIB.txt b/mibs/BGP4-MIB.txt new file mode 100644 index 000000000..c911316c2 --- /dev/null +++ b/mibs/BGP4-MIB.txt 
@@ -0,0 +1,929 @@ + BGP4-MIB DEFINITIONS ::= BEGIN + + IMPORTS + MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, + IpAddress, Integer32, Counter32, Gauge32, mib-2 + FROM SNMPv2-SMI + MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP + FROM SNMPv2-CONF; + + bgp MODULE-IDENTITY + LAST-UPDATED "9902100000Z" + ORGANIZATION "IETF IDR Working Group" + CONTACT-INFO "E-mail: idr@merit.net + + Susan Hares (Editor) + Merit Network + 4251 Plymouth Road + Suite C + Ann Arbor, MI 48105-2785 + Tel: +1 734 936 2095 + Fax: +1 734 647 3185 + E-mail: skh@merit.edu + + Jeff Johnson (Editor) + RedBack Networks, Inc. + 1389 Moffett Park Drive + Sunnyvale, CA 94089-1134 + Tel: +1 408 548 3516 + Fax: +1 408 548 3599 + E-mail: jeff@redback.com" + DESCRIPTION + "The MIB module for BGP-4." + REVISION "9902100000Z" + DESCRIPTION + "Corrected duplicate OBJECT IDENTIFIER + assignment in the conformance information." + REVISION "9601080000Z" + DESCRIPTION + "1) Fixed the definitions of the traps to + make them equivalent to their initial + definition in RFC 1269. + 2) Added compliance and conformance info." + ::= { mib-2 15 } + + bgpVersion OBJECT-TYPE + SYNTAX OCTET STRING (SIZE (1..255)) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Vector of supported BGP protocol version + numbers. Each peer negotiates the version + from this vector. Versions are identified + via the string of bits contained within this + object. The first octet contains bits 0 to + 7, the second octet contains bits 8 to 15, + and so on, with the most significant bit + referring to the lowest bit number in the + octet (e.g., the MSB of the first octet + refers to bit 0). If a bit, i, is present + and set, then the version (i+1) of the BGP + is supported." + ::= { bgp 1 } + + bgpLocalAs OBJECT-TYPE + SYNTAX INTEGER (0..65535) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The local autonomous system number." + ::= { bgp 2 } + + + + -- BGP Peer table. 
This table contains, one entry per BGP + -- peer, information about the BGP peer. + + bgpPeerTable OBJECT-TYPE + SYNTAX SEQUENCE OF BgpPeerEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "BGP peer table. This table contains, + one entry per BGP peer, information about the + connections with BGP peers." + ::= { bgp 3 } + + bgpPeerEntry OBJECT-TYPE + SYNTAX BgpPeerEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Entry containing information about the + connection with a BGP peer." + INDEX { bgpPeerRemoteAddr } + ::= { bgpPeerTable 1 } + + BgpPeerEntry ::= SEQUENCE { + bgpPeerIdentifier + IpAddress, + bgpPeerState + INTEGER, + bgpPeerAdminStatus + INTEGER, + bgpPeerNegotiatedVersion + Integer32, + bgpPeerLocalAddr + IpAddress, + bgpPeerLocalPort + INTEGER, + bgpPeerRemoteAddr + IpAddress, + bgpPeerRemotePort + INTEGER, + bgpPeerRemoteAs + INTEGER, + bgpPeerInUpdates + Counter32, + bgpPeerOutUpdates + Counter32, + bgpPeerInTotalMessages + Counter32, + bgpPeerOutTotalMessages + Counter32, + bgpPeerLastError + OCTET STRING, + bgpPeerFsmEstablishedTransitions + Counter32, + bgpPeerFsmEstablishedTime + Gauge32, + bgpPeerConnectRetryInterval + INTEGER, + bgpPeerHoldTime + INTEGER, + bgpPeerKeepAlive + INTEGER, + bgpPeerHoldTimeConfigured + INTEGER, + bgpPeerKeepAliveConfigured + INTEGER, + bgpPeerMinASOriginationInterval + INTEGER, + bgpPeerMinRouteAdvertisementInterval + INTEGER, + bgpPeerInUpdateElapsedTime + Gauge32 + } + + bgpPeerIdentifier OBJECT-TYPE + SYNTAX IpAddress + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The BGP Identifier of this entry's BGP peer." + ::= { bgpPeerEntry 1 } + + bgpPeerState OBJECT-TYPE + SYNTAX INTEGER { + idle(1), + connect(2), + active(3), + opensent(4), + openconfirm(5), + established(6) + } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The BGP peer connection state." 
+ ::= { bgpPeerEntry 2 } + + bgpPeerAdminStatus OBJECT-TYPE + SYNTAX INTEGER { + stop(1), + start(2) + } + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The desired state of the BGP connection. A + transition from 'stop' to 'start' will cause + the BGP Start Event to be generated. A + transition from 'start' to 'stop' will cause + the BGP Stop Event to be generated. This + parameter can be used to restart BGP peer + connections. Care should be used in providing + write access to this object without adequate + authentication." + ::= { bgpPeerEntry 3 } + + bgpPeerNegotiatedVersion OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The negotiated version of BGP running between + the two peers." + ::= { bgpPeerEntry 4 } + + bgpPeerLocalAddr OBJECT-TYPE + SYNTAX IpAddress + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The local IP address of this entry's BGP + connection." + ::= { bgpPeerEntry 5 } + + bgpPeerLocalPort OBJECT-TYPE + SYNTAX INTEGER (0..65535) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The local port for the TCP connection between + the BGP peers." + ::= { bgpPeerEntry 6 } + + bgpPeerRemoteAddr OBJECT-TYPE + SYNTAX IpAddress + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The remote IP address of this entry's BGP + peer." + ::= { bgpPeerEntry 7 } + + bgpPeerRemotePort OBJECT-TYPE + SYNTAX INTEGER (0..65535) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The remote port for the TCP connection between + the BGP peers. Note that the objects + bgpPeerLocalAddr, bgpPeerLocalPort, + bgpPeerRemoteAddr and bgpPeerRemotePort + provide the appropriate reference to the + standard MIB TCP connection table." + ::= { bgpPeerEntry 8 } + + bgpPeerRemoteAs OBJECT-TYPE + SYNTAX INTEGER (0..65535) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The remote autonomous system number." 
+ ::= { bgpPeerEntry 9 } + + bgpPeerInUpdates OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of BGP UPDATE messages received on + this connection. This object should be + initialized to zero (0) when the connection is + established." + ::= { bgpPeerEntry 10 } + + bgpPeerOutUpdates OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of BGP UPDATE messages transmitted + on this connection. This object should be + initialized to zero (0) when the connection is + established." + ::= { bgpPeerEntry 11 } + + bgpPeerInTotalMessages OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The total number of messages received from the + remote peer on this connection. This object + should be initialized to zero when the + connection is established." + ::= { bgpPeerEntry 12 } + + bgpPeerOutTotalMessages OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The total number of messages transmitted to + the remote peer on this connection. This object + should be initialized to zero when the + connection is established." + ::= { bgpPeerEntry 13 } + + bgpPeerLastError OBJECT-TYPE + SYNTAX OCTET STRING (SIZE (2)) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The last error code and subcode seen by this + peer on this connection. If no error has + occurred, this field is zero. Otherwise, the + first byte of this two byte OCTET STRING + contains the error code, and the second byte + contains the subcode." + ::= { bgpPeerEntry 14 } + + bgpPeerFsmEstablishedTransitions OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The total number of times the BGP FSM + transitioned into the established state." 
+ ::= { bgpPeerEntry 15 } + + bgpPeerFsmEstablishedTime OBJECT-TYPE + SYNTAX Gauge32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "This timer indicates how long (in seconds) this + peer has been in the Established state or how long + since this peer was last in the Established state. + It is set to zero when a new peer is configured or + the router is booted." + ::= { bgpPeerEntry 16 } + + bgpPeerConnectRetryInterval OBJECT-TYPE + SYNTAX INTEGER (1..65535) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Time interval in seconds for the ConnectRetry + timer. The suggested value for this timer is + 120 seconds." + ::= { bgpPeerEntry 17 } + + bgpPeerHoldTime OBJECT-TYPE + SYNTAX INTEGER ( 0 | 3..65535 ) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Time interval in seconds for the Hold Timer + established with the peer. The value of this + object is calculated by this BGP speaker by + using the smaller of the value in + bgpPeerHoldTimeConfigured and the Hold Time + received in the OPEN message. This value + must be at lease three seconds if it is not + zero (0) in which case the Hold Timer has + not been established with the peer, or, the + value of bgpPeerHoldTimeConfigured is zero (0)." + ::= { bgpPeerEntry 18 } + + bgpPeerKeepAlive OBJECT-TYPE + SYNTAX INTEGER ( 0 | 1..21845 ) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Time interval in seconds for the KeepAlive + timer established with the peer. The value of + this object is calculated by this BGP speaker + such that, when compared with bgpPeerHoldTime, + it has the same proportion as what + bgpPeerKeepAliveConfigured has when compared + with bgpPeerHoldTimeConfigured. If the value + of this object is zero (0), it indicates that + the KeepAlive timer has not been established + with the peer, or, the value of + bgpPeerKeepAliveConfigured is zero (0)." 
+ ::= { bgpPeerEntry 19 } + + bgpPeerHoldTimeConfigured OBJECT-TYPE + SYNTAX INTEGER ( 0 | 3..65535 ) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Time interval in seconds for the Hold Time + configured for this BGP speaker with this peer. + This value is placed in an OPEN message sent to + this peer by this BGP speaker, and is compared + with the Hold Time field in an OPEN message + received from the peer when determining the Hold + Time (bgpPeerHoldTime) with the peer. This value + must not be less than three seconds if it is not + zero (0) in which case the Hold Time is NOT to be + established with the peer. The suggested value for + this timer is 90 seconds." + ::= { bgpPeerEntry 20 } + + bgpPeerKeepAliveConfigured OBJECT-TYPE + SYNTAX INTEGER ( 0 | 1..21845 ) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Time interval in seconds for the KeepAlive timer + configured for this BGP speaker with this peer. + The value of this object will only determine the + KEEPALIVE messages' frequency relative to the value + specified in bgpPeerHoldTimeConfigured; the actual + time interval for the KEEPALIVE messages is + indicated by bgpPeerKeepAlive. A reasonable + maximum value for this timer would be configured to + be one third of that of bgpPeerHoldTimeConfigured. + If the value of this object is zero (0), no + periodical KEEPALIVE messages are sent to the peer + after the BGP connection has been established. The + suggested value for this timer is 30 seconds." + ::= { bgpPeerEntry 21 } + + bgpPeerMinASOriginationInterval OBJECT-TYPE + SYNTAX INTEGER (1..65535) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Time interval in seconds for the + MinASOriginationInterval timer. + The suggested value for this timer is 15 seconds." 
+ ::= { bgpPeerEntry 22 }
+
+ bgpPeerMinRouteAdvertisementInterval OBJECT-TYPE
+ SYNTAX INTEGER (1..65535)
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Time interval in seconds for the
+ MinRouteAdvertisementInterval timer.
+ The suggested value for this timer is 30 seconds."
+ ::= { bgpPeerEntry 23 }
+
+ bgpPeerInUpdateElapsedTime OBJECT-TYPE
+ SYNTAX Gauge32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Elapsed time in seconds since the last BGP
+ UPDATE message was received from the peer.
+ Each time bgpPeerInUpdates is incremented,
+ the value of this object is set to zero (0)."
+ ::= { bgpPeerEntry 24 }
+
+
+
+ bgpIdentifier OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The BGP Identifier of local system."
+ ::= { bgp 4 }
+
+
+
+ -- Received Path Attribute Table. This table contains,
+ -- one entry per path to a network, path attributes
+ -- received from all peers running BGP version 3 or less.
+ -- This table is obsolete, having been replaced in
+ -- functionality with the bgp4PathAttrTable.
+
+ bgpRcvdPathAttrTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF BgpPathAttrEntry
+ MAX-ACCESS not-accessible
+ STATUS obsolete
+ DESCRIPTION
+ "The BGP Received Path Attribute Table contains
+ information about paths to destination networks
+ received from all peers running BGP version 3 or
+ less."
+ ::= { bgp 5 }
+
+ bgpPathAttrEntry OBJECT-TYPE
+ SYNTAX BgpPathAttrEntry
+ MAX-ACCESS not-accessible
+ STATUS obsolete
+ DESCRIPTION
+ "Information about a path to a network."
+ INDEX { bgpPathAttrDestNetwork,
+ bgpPathAttrPeer }
+ ::= { bgpRcvdPathAttrTable 1 }
+
+ BgpPathAttrEntry ::= SEQUENCE {
+ bgpPathAttrPeer
+ IpAddress,
+ bgpPathAttrDestNetwork
+ IpAddress,
+ bgpPathAttrOrigin
+ INTEGER,
+ bgpPathAttrASPath
+ OCTET STRING,
+ bgpPathAttrNextHop
+ IpAddress,
+ bgpPathAttrInterASMetric
+ Integer32
+ }
+
+ bgpPathAttrPeer OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS obsolete
+ DESCRIPTION
+ "The IP address of the peer where the path
+ information was learned."
+ ::= { bgpPathAttrEntry 1 }
+
+ bgpPathAttrDestNetwork OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS obsolete
+ DESCRIPTION
+ "The address of the destination network."
+ ::= { bgpPathAttrEntry 2 }
+
+ bgpPathAttrOrigin OBJECT-TYPE
+ SYNTAX INTEGER {
+ igp(1),-- networks are interior
+ egp(2),-- networks learned via EGP
+ incomplete(3) -- undetermined
+ }
+ MAX-ACCESS read-only
+ STATUS obsolete
+ DESCRIPTION
+ "The ultimate origin of the path information."
+ ::= { bgpPathAttrEntry 3 }
+
+ bgpPathAttrASPath OBJECT-TYPE
+ SYNTAX OCTET STRING (SIZE (2..255))
+ MAX-ACCESS read-only
+ STATUS obsolete
+ DESCRIPTION
+ "The set of ASs that must be traversed to reach
+ the network. This object is probably best
+ represented as SEQUENCE OF INTEGER. For SMI
+ compatibility, though, it is represented as
+ OCTET STRING. Each AS is represented as a pair
+ of octets according to the following algorithm:
+
+ first-byte-of-pair = ASNumber / 256;
+ second-byte-of-pair = ASNumber & 255;"
+ ::= { bgpPathAttrEntry 4 }
+
+ bgpPathAttrNextHop OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS obsolete
+ DESCRIPTION
+ "The address of the border router that should
+ be used for the destination network."
+ ::= { bgpPathAttrEntry 5 }
+
+ bgpPathAttrInterASMetric OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS obsolete
+ DESCRIPTION
+ "The optional inter-AS metric. 
If this
+ attribute has not been provided for this route,
+ the value for this object is 0."
+ ::= { bgpPathAttrEntry 6 }
+
+
+
+ -- BGP-4 Received Path Attribute Table. This table contains,
+ -- one entry per path to a network, path attributes
+ -- received from all peers running BGP-4.
+
+ bgp4PathAttrTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF Bgp4PathAttrEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The BGP-4 Received Path Attribute Table contains
+ information about paths to destination networks
+ received from all BGP4 peers."
+ ::= { bgp 6 }
+
+ bgp4PathAttrEntry OBJECT-TYPE
+ SYNTAX Bgp4PathAttrEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Information about a path to a network."
+ INDEX { bgp4PathAttrIpAddrPrefix,
+ bgp4PathAttrIpAddrPrefixLen,
+ bgp4PathAttrPeer }
+ ::= { bgp4PathAttrTable 1 }
+
+ Bgp4PathAttrEntry ::= SEQUENCE {
+ bgp4PathAttrPeer
+ IpAddress,
+ bgp4PathAttrIpAddrPrefixLen
+ INTEGER,
+ bgp4PathAttrIpAddrPrefix
+ IpAddress,
+ bgp4PathAttrOrigin
+ INTEGER,
+ bgp4PathAttrASPathSegment
+ OCTET STRING,
+ bgp4PathAttrNextHop
+ IpAddress,
+ bgp4PathAttrMultiExitDisc
+ INTEGER,
+ bgp4PathAttrLocalPref
+ INTEGER,
+ bgp4PathAttrAtomicAggregate
+ INTEGER,
+ bgp4PathAttrAggregatorAS
+ INTEGER,
+ bgp4PathAttrAggregatorAddr
+ IpAddress,
+ bgp4PathAttrCalcLocalPref
+ INTEGER,
+ bgp4PathAttrBest
+ INTEGER,
+ bgp4PathAttrUnknown
+ OCTET STRING
+ }
+
+ bgp4PathAttrPeer OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The IP address of the peer where the path
+ information was learned."
+ ::= { bgp4PathAttrEntry 1 }
+ bgp4PathAttrIpAddrPrefixLen OBJECT-TYPE
+ SYNTAX INTEGER (0..32)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Length in bits of the IP address prefix in the
+ Network Layer Reachability Information field."
+ ::= { bgp4PathAttrEntry 2 }
+
+ bgp4PathAttrIpAddrPrefix OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "An IP address prefix in the Network Layer
+ Reachability Information field. This object
+ is an IP address containing the prefix with
+ length specified by bgp4PathAttrIpAddrPrefixLen.
+ Any bits beyond the length specified by
+ bgp4PathAttrIpAddrPrefixLen are zeroed."
+ ::= { bgp4PathAttrEntry 3 }
+
+ bgp4PathAttrOrigin OBJECT-TYPE
+ SYNTAX INTEGER {
+ igp(1),-- networks are interior
+ egp(2),-- networks learned via EGP
+ incomplete(3) -- undetermined
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The ultimate origin of the path information."
+ ::= { bgp4PathAttrEntry 4 }
+
+ bgp4PathAttrASPathSegment OBJECT-TYPE
+ SYNTAX OCTET STRING (SIZE (2..255))
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The sequence of AS path segments. Each AS
+ path segment is represented by a triple
+ <type, length, value>.
+
+ The type is a 1-octet field which has two
+ possible values:
+ 1 AS_SET: unordered set of ASs a
+ route in the UPDATE message
+ has traversed
+ 2 AS_SEQUENCE: ordered set of ASs
+ a route in the UPDATE message
+ has traversed.
+
+ The length is a 1-octet field containing the
+ number of ASs in the value field.
+
+ The value field contains one or more AS
+ numbers, each AS is represented in the octet
+ string as a pair of octets according to the
+ following algorithm:
+
+ first-byte-of-pair = ASNumber / 256;
+ second-byte-of-pair = ASNumber & 255;"
+ ::= { bgp4PathAttrEntry 5 }
+
+ bgp4PathAttrNextHop OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The address of the border router that should
+ be used for the destination network."
+ ::= { bgp4PathAttrEntry 6 }
+
+ bgp4PathAttrMultiExitDisc OBJECT-TYPE
+ SYNTAX INTEGER (-1..2147483647)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "This metric is used to discriminate between
+ multiple exit points to an adjacent autonomous
+ system. A value of -1 indicates the absence of
+ this attribute."
+ ::= { bgp4PathAttrEntry 7 }
+
+ bgp4PathAttrLocalPref OBJECT-TYPE
+ SYNTAX INTEGER (-1..2147483647)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The originating BGP4 speaker's degree of
+ preference for an advertised route. A value of
+ -1 indicates the absence of this attribute."
+ ::= { bgp4PathAttrEntry 8 }
+
+ bgp4PathAttrAtomicAggregate OBJECT-TYPE
+ SYNTAX INTEGER {
+ lessSpecificRrouteNotSelected(1),
+ lessSpecificRouteSelected(2)
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Whether or not a system has selected
+ a less specific route without selecting a
+ more specific route."
+ ::= { bgp4PathAttrEntry 9 }
+
+ bgp4PathAttrAggregatorAS OBJECT-TYPE
+ SYNTAX INTEGER (0..65535)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The AS number of the last BGP4 speaker that
+ performed route aggregation. A value of zero (0)
+ indicates the absence of this attribute."
+ ::= { bgp4PathAttrEntry 10 }
+
+ bgp4PathAttrAggregatorAddr OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The IP address of the last BGP4 speaker that
+ performed route aggregation. A value of
+ 0.0.0.0 indicates the absence of this attribute."
+ ::= { bgp4PathAttrEntry 11 }
+
+ bgp4PathAttrCalcLocalPref OBJECT-TYPE
+ SYNTAX INTEGER (-1..2147483647)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The degree of preference calculated by the
+ receiving BGP4 speaker for an advertised route.
+ A value of -1 indicates the absence of this
+ attribute."
+ ::= { bgp4PathAttrEntry 12 }
+
+ bgp4PathAttrBest OBJECT-TYPE
+ SYNTAX INTEGER {
+ false(1),-- not chosen as best route
+ true(2) -- chosen as best route
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "An indication of whether or not this route
+ was chosen as the best BGP4 route."
+ ::= { bgp4PathAttrEntry 13 }
+
+ bgp4PathAttrUnknown OBJECT-TYPE
+ SYNTAX OCTET STRING (SIZE(0..255))
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "One or more path attributes not understood
+ by this BGP4 speaker. Size zero (0) indicates
+ the absence of such attribute(s). Octets
+ beyond the maximum size, if any, are not
+ recorded by this object."
+ ::= { bgp4PathAttrEntry 14 }
+
+
+ -- Traps.
+
+ -- note that in RFC 1657, bgpTraps was incorrectly
+ -- assigned a value of { bgp 7 }, and each of the
+ -- traps had the bgpPeerRemoteAddr object inappropriately
+ -- removed from their OBJECTS clause. The following
+ -- definitions restore the semantics of the traps as
+ -- they were initially defined in RFC 1269.
+
+ -- { bgp 7 } is unused
+
+ bgpTraps OBJECT IDENTIFIER ::= { bgp 0 }
+
+ bgpEstablished NOTIFICATION-TYPE
+ OBJECTS { bgpPeerRemoteAddr,
+ bgpPeerLastError,
+ bgpPeerState }
+ STATUS current
+ DESCRIPTION
+ "The BGP Established event is generated when
+ the BGP FSM enters the ESTABLISHED state."
+ ::= { bgpTraps 1 }
+
+ bgpBackwardTransition NOTIFICATION-TYPE
+ OBJECTS { bgpPeerRemoteAddr,
+ bgpPeerLastError,
+ bgpPeerState }
+ STATUS current
+ DESCRIPTION
+ "The BGPBackwardTransition Event is generated
+ when the BGP FSM moves from a higher numbered
+ state to a lower numbered state."
+ ::= { bgpTraps 2 }
+
+ -- conformance information
+
+ bgpMIBConformance OBJECT IDENTIFIER ::= { bgp 8 }
+ bgpMIBCompliances OBJECT IDENTIFIER ::= { bgpMIBConformance 1 }
+ bgpMIBGroups OBJECT IDENTIFIER ::= { bgpMIBConformance 2 }
+
+ -- compliance statements
+
+ bgpMIBCompliance MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "The compliance statement for entities which
+ implement the BGP4 mib."
+ MODULE -- this module
+ MANDATORY-GROUPS { bgp4MIBGlobalsGroup,
+ bgp4MIBPeerGroup,
+ bgp4MIBPathAttrGroup,
+ bgp4MIBNotificationGroup }
+ ::= { bgpMIBCompliances 1 }
+
+ -- units of conformance
+
+ bgp4MIBGlobalsGroup OBJECT-GROUP
+ OBJECTS { bgpVersion,
+ bgpLocalAs,
+ bgpIdentifier }
+ STATUS current
+ DESCRIPTION
+ "A collection of objects providing information
+ on global BGP state."
+ ::= { bgpMIBGroups 1 }
+
+ bgp4MIBPeerGroup OBJECT-GROUP
+ OBJECTS { bgpPeerIdentifier,
+ bgpPeerState,
+ bgpPeerAdminStatus,
+ bgpPeerNegotiatedVersion,
+ bgpPeerLocalAddr,
+ bgpPeerLocalPort,
+ bgpPeerRemoteAddr,
+ bgpPeerRemotePort,
+ bgpPeerRemoteAs,
+ bgpPeerInUpdates,
+ bgpPeerOutUpdates,
+ bgpPeerInTotalMessages,
+ bgpPeerOutTotalMessages,
+ bgpPeerLastError,
+ bgpPeerFsmEstablishedTransitions,
+ bgpPeerFsmEstablishedTime,
+ bgpPeerConnectRetryInterval,
+ bgpPeerHoldTime,
+ bgpPeerKeepAlive,
+ bgpPeerHoldTimeConfigured,
+ bgpPeerKeepAliveConfigured,
+ bgpPeerMinASOriginationInterval,
+ bgpPeerMinRouteAdvertisementInterval,
+ bgpPeerInUpdateElapsedTime }
+ STATUS current
+ DESCRIPTION
+ "A collection of objects for managing
+ BGP peers."
+ ::= { bgpMIBGroups 2 }
+
+ bgp4MIBRcvdPathAttrGroup OBJECT-GROUP
+ OBJECTS { bgpPathAttrPeer,
+ bgpPathAttrDestNetwork,
+ bgpPathAttrOrigin,
+ bgpPathAttrASPath,
+ bgpPathAttrNextHop,
+ bgpPathAttrInterASMetric }
+ STATUS obsolete
+ DESCRIPTION
+ "A collection of objects for managing BGP
+ path entries.
+
+ This conformance group is obsolete,
+ replaced by bgp4MIBPathAttrGroup."
+ ::= { bgpMIBGroups 3 }
+
+ bgp4MIBPathAttrGroup OBJECT-GROUP
+ OBJECTS { bgp4PathAttrPeer,
+ bgp4PathAttrIpAddrPrefixLen,
+ bgp4PathAttrIpAddrPrefix,
+ bgp4PathAttrOrigin,
+ bgp4PathAttrASPathSegment,
+ bgp4PathAttrNextHop,
+ bgp4PathAttrMultiExitDisc,
+ bgp4PathAttrLocalPref,
+ bgp4PathAttrAtomicAggregate,
+ bgp4PathAttrAggregatorAS,
+ bgp4PathAttrAggregatorAddr,
+ bgp4PathAttrCalcLocalPref,
+ bgp4PathAttrBest,
+ bgp4PathAttrUnknown }
+ STATUS current
+ DESCRIPTION
+ "A collection of objects for managing
+ BGP path entries."
+ ::= { bgpMIBGroups 4 }
+
+ bgp4MIBNotificationGroup NOTIFICATION-GROUP
+ NOTIFICATIONS { bgpEstablished,
+ bgpBackwardTransition }
+ STATUS current
+ DESCRIPTION
+ "A collection of notifications for signaling
+ changes in BGP peer relationships."
+ ::= { bgpMIBGroups 5 }
+
+ END
diff --git a/mibs/BRIDGE-MIB.txt b/mibs/BRIDGE-MIB.txt
new file mode 100644
index 000000000..1e77a190f
--- /dev/null
+++ b/mibs/BRIDGE-MIB.txt
@@ -0,0 +1,1472 @@
+BRIDGE-MIB DEFINITIONS ::= BEGIN
+
+-- ---------------------------------------------------------- --
+-- MIB for IEEE 802.1D devices
+-- ---------------------------------------------------------- --
+IMPORTS
+ MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE,
+ Counter32, Integer32, TimeTicks, mib-2
+ FROM SNMPv2-SMI
+ TEXTUAL-CONVENTION, MacAddress
+ FROM SNMPv2-TC
+ MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP
+ FROM SNMPv2-CONF
+ InterfaceIndex FROM IF-MIB
+ ;
+
+dot1dBridge MODULE-IDENTITY
+ LAST-UPDATED "200509190000Z"
+ ORGANIZATION "IETF Bridge MIB Working Group"
+ CONTACT-INFO
+ "Email: bridge-mib@ietf.org
+
+ K.C. Norseth (Editor)
+ L-3 Communications
+ Tel: +1 801-594-2809
+ Email: kenyon.c.norseth@L-3com.com
+ Postal: 640 N. 2200 West.
+ Salt Lake City, Utah 84116-0850
+
+ Les Bell (Editor)
+ 3Com Europe Limited
+ Phone: +44 1442 438025
+ Email: elbell@ntlworld.com
+ Postal: 3Com Centre, Boundary Way
+ Hemel Hempstead
+ Herts. HP2 7YU
+ UK
+
+ Send comments to <bridge-mib@ietf.org>"
+ DESCRIPTION
+ "The Bridge MIB module for managing devices that support
+ IEEE 802.1D.
+
+ Copyright (C) The Internet Society (2005). This version of
+ this MIB module is part of RFC 4188; see the RFC itself for
+ full legal notices."
+ REVISION "200509190000Z"
+ DESCRIPTION
+ "Third revision, published as part of RFC 4188.
+
+ The MIB module has been converted to SMIv2 format.
+ Conformance statements have been added and some
+ description and reference clauses have been updated.
+
+ The object dot1dStpPortPathCost32 was added to
+ support IEEE 802.1t and the permissible values of
+ dot1dStpPriority and dot1dStpPortPriority have been
+ clarified for bridges supporting IEEE 802.1t or
+ IEEE 802.1w.
+
+ The interpretation of dot1dStpTimeSinceTopologyChange
+ has been clarified for bridges supporting the Rapid
+ Spanning Tree Protocol (RSTP)."
+ REVISION "199307310000Z"
+ DESCRIPTION
+ "Second revision, published as part of RFC 1493."
+ REVISION "199112310000Z"
+ DESCRIPTION
+ "Initial revision, published as part of RFC 1286."
+ ::= { mib-2 17 }
+
+-- ---------------------------------------------------------- --
+-- Textual Conventions
+-- ---------------------------------------------------------- --
+
+BridgeId ::= TEXTUAL-CONVENTION
+ STATUS current
+ DESCRIPTION
+ "The Bridge-Identifier, as used in the Spanning Tree
+ Protocol, to uniquely identify a bridge. Its first two
+ octets (in network byte order) contain a priority value,
+ and its last 6 octets contain the MAC address used to
+ refer to a bridge in a unique fashion (typically, the
+ numerically smallest MAC address of all ports on the
+ bridge)."
+ SYNTAX OCTET STRING (SIZE (8))
+
+Timeout ::= TEXTUAL-CONVENTION
+ DISPLAY-HINT "d"
+ STATUS current
+ DESCRIPTION
+ "A Spanning Tree Protocol (STP) timer in units of 1/100
+ seconds. Several objects in this MIB module represent
+ values of timers used by the Spanning Tree Protocol.
+ In this MIB, these timers have values in units of
+ hundredths of a second (i.e., 1/100 secs).
+
+ These timers, when stored in a Spanning Tree Protocol's
+ BPDU, are in units of 1/256 seconds. Note, however, that
+ 802.1D-1998 specifies a settable granularity of no more
+ than one second for these timers. To avoid ambiguity,
+ a conversion algorithm is defined below for converting
+ between the different units, which ensures a timer's
+ value is not distorted by multiple conversions. 
+
+ To convert a Timeout value into a value in units of
+ 1/256 seconds, the following algorithm should be used:
+
+ b = floor( (n * 256) / 100)
+
+ where:
+ floor = quotient [ignore remainder]
+ n is the value in 1/100 second units
+ b is the value in 1/256 second units
+
+ To convert the value from 1/256 second units back to
+ 1/100 seconds, the following algorithm should be used:
+
+ n = ceiling( (b * 100) / 256)
+
+ where:
+ ceiling = quotient [if remainder is 0], or
+ quotient + 1 [if remainder is nonzero]
+ n is the value in 1/100 second units
+
+ b is the value in 1/256 second units
+
+ Note: it is important that the arithmetic operations are
+ done in the order specified (i.e., multiply first,
+ divide second)."
+ SYNTAX Integer32
+
+-- ---------------------------------------------------------- --
+-- subtrees in the Bridge MIB
+-- ---------------------------------------------------------- --
+
+dot1dNotifications OBJECT IDENTIFIER ::= { dot1dBridge 0 }
+
+dot1dBase OBJECT IDENTIFIER ::= { dot1dBridge 1 }
+dot1dStp OBJECT IDENTIFIER ::= { dot1dBridge 2 }
+
+dot1dSr OBJECT IDENTIFIER ::= { dot1dBridge 3 }
+-- documented in RFC 1525
+
+dot1dTp OBJECT IDENTIFIER ::= { dot1dBridge 4 }
+dot1dStatic OBJECT IDENTIFIER ::= { dot1dBridge 5 }
+
+-- Subtrees used by Bridge MIB Extensions:
+-- pBridgeMIB MODULE-IDENTITY ::= { dot1dBridge 6 }
+-- qBridgeMIB MODULE-IDENTITY ::= { dot1dBridge 7 }
+-- Note that the practice of registering related MIB modules
+-- below dot1dBridge has been discouraged since there is no
+-- robust mechanism to track such registrations.
+
+dot1dConformance OBJECT IDENTIFIER ::= { dot1dBridge 8 }
+
+-- ---------------------------------------------------------- --
+-- the dot1dBase subtree
+-- ---------------------------------------------------------- --
+-- Implementation of the dot1dBase subtree is mandatory for all
+-- bridges. 
+-- ---------------------------------------------------------- --
+
+dot1dBaseBridgeAddress OBJECT-TYPE
+ SYNTAX MacAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The MAC address used by this bridge when it must be
+ referred to in a unique fashion. It is recommended
+ that this be the numerically smallest MAC address of
+ all ports that belong to this bridge. However, it is only
+
+ required to be unique. When concatenated with
+ dot1dStpPriority, a unique BridgeIdentifier is formed,
+ which is used in the Spanning Tree Protocol."
+ REFERENCE
+ "IEEE 802.1D-1998: clauses 14.4.1.1.3 and 7.12.5"
+ ::= { dot1dBase 1 }
+
+dot1dBaseNumPorts OBJECT-TYPE
+ SYNTAX Integer32
+ UNITS "ports"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of ports controlled by this bridging
+ entity."
+ REFERENCE
+ "IEEE 802.1D-1998: clause 14.4.1.1.3"
+ ::= { dot1dBase 2 }
+
+dot1dBaseType OBJECT-TYPE
+ SYNTAX INTEGER {
+ unknown(1),
+ transparent-only(2),
+ sourceroute-only(3),
+ srt(4)
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Indicates what type of bridging this bridge can
+ perform. If a bridge is actually performing a
+ certain type of bridging, this will be indicated by
+ entries in the port table for the given type."
+ ::= { dot1dBase 3 }
+
+-- ---------------------------------------------------------- --
+-- The Generic Bridge Port Table
+-- ---------------------------------------------------------- --
+dot1dBasePortTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF Dot1dBasePortEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table that contains generic information about every
+ port that is associated with this bridge. Transparent,
+ source-route, and srt ports are included."
+ ::= { dot1dBase 4 }
+
+dot1dBasePortEntry OBJECT-TYPE
+ SYNTAX Dot1dBasePortEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A list of information for each port of the bridge."
+ REFERENCE
+ "IEEE 802.1D-1998: clause 14.4.2, 14.6.1"
+ INDEX { dot1dBasePort }
+ ::= { dot1dBasePortTable 1 }
+
+Dot1dBasePortEntry ::=
+ SEQUENCE {
+ dot1dBasePort
+ Integer32,
+ dot1dBasePortIfIndex
+ InterfaceIndex,
+ dot1dBasePortCircuit
+ OBJECT IDENTIFIER,
+ dot1dBasePortDelayExceededDiscards
+ Counter32,
+ dot1dBasePortMtuExceededDiscards
+ Counter32
+ }
+
+dot1dBasePort OBJECT-TYPE
+ SYNTAX Integer32 (1..65535)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The port number of the port for which this entry
+ contains bridge management information."
+ ::= { dot1dBasePortEntry 1 }
+
+dot1dBasePortIfIndex OBJECT-TYPE
+ SYNTAX InterfaceIndex
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of the instance of the ifIndex object,
+ defined in IF-MIB, for the interface corresponding
+ to this port."
+ ::= { dot1dBasePortEntry 2 }
+
+dot1dBasePortCircuit OBJECT-TYPE
+ SYNTAX OBJECT IDENTIFIER
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "For a port that (potentially) has the same value of
+ dot1dBasePortIfIndex as another port on the same bridge.
+ This object contains the name of an object instance
+ unique to this port. For example, in the case where
+ multiple ports correspond one-to-one with multiple X.25
+ virtual circuits, this value might identify an (e.g.,
+ the first) object instance associated with the X.25
+ virtual circuit corresponding to this port.
+
+ For a port which has a unique value of
+ dot1dBasePortIfIndex, this object can have the value
+ { 0 0 }."
+ ::= { dot1dBasePortEntry 3 }
+
+dot1dBasePortDelayExceededDiscards OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of frames discarded by this port due
+ to excessive transit delay through the bridge. It
+ is incremented by both transparent and source
+ route bridges."
+ REFERENCE
+ "IEEE 802.1D-1998: clause 14.6.1.1.3"
+ ::= { dot1dBasePortEntry 4 }
+
+dot1dBasePortMtuExceededDiscards OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of frames discarded by this port due
+ to an excessive size. It is incremented by both
+ transparent and source route bridges."
+ REFERENCE
+ "IEEE 802.1D-1998: clause 14.6.1.1.3"
+ ::= { dot1dBasePortEntry 5 }
+
+-- ---------------------------------------------------------- --
+-- the dot1dStp subtree
+-- ---------------------------------------------------------- --
+-- Implementation of the dot1dStp subtree is optional. It is
+-- implemented by those bridges that support the Spanning Tree
+-- Protocol.
+-- ---------------------------------------------------------- --
+
+dot1dStpProtocolSpecification OBJECT-TYPE
+ SYNTAX INTEGER {
+ unknown(1),
+ decLb100(2),
+ ieee8021d(3)
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "An indication of what version of the Spanning Tree
+ Protocol is being run. The value 'decLb100(2)'
+ indicates the DEC LANbridge 100 Spanning Tree protocol.
+ IEEE 802.1D implementations will return 'ieee8021d(3)'.
+ If future versions of the IEEE Spanning Tree Protocol
+ that are incompatible with the current version
+ are released a new value will be defined."
+ ::= { dot1dStp 1 }
+
+dot1dStpPriority OBJECT-TYPE
+ SYNTAX Integer32 (0..65535)
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "The value of the write-able portion of the Bridge ID
+ (i.e., the first two octets of the (8 octet long) Bridge
+ ID). The other (last) 6 octets of the Bridge ID are
+ given by the value of dot1dBaseBridgeAddress.
+ On bridges supporting IEEE 802.1t or IEEE 802.1w,
+ permissible values are 0-61440, in steps of 4096."
+ REFERENCE
+ "IEEE 802.1D-1998 clause 8.10.2, Table 8-4,
+ IEEE 802.1t clause 8.10.2, Table 8-4, clause 14.3."
+ ::= { dot1dStp 2 }
+
+dot1dStpTimeSinceTopologyChange OBJECT-TYPE
+ SYNTAX TimeTicks
+ UNITS "centi-seconds"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The time (in hundredths of a second) since the
+ last time a topology change was detected by the
+ bridge entity.
+ For RSTP, this reports the time since the tcWhile
+ timer for any port on this Bridge was nonzero."
+ REFERENCE
+ "IEEE 802.1D-1998 clause 14.8.1.1.,
+ IEEE 802.1w clause 14.8.1.1."
+ ::= { dot1dStp 3 }
+
+dot1dStpTopChanges OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of topology changes detected by
+ this bridge since the management entity was last
+ reset or initialized."
+ REFERENCE
+ "IEEE 802.1D-1998 clause 14.8.1.1."
+ ::= { dot1dStp 4 }
+
+dot1dStpDesignatedRoot OBJECT-TYPE
+ SYNTAX BridgeId
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The bridge identifier of the root of the spanning
+ tree, as determined by the Spanning Tree Protocol,
+ as executed by this node. This value is used as
+ the Root Identifier parameter in all Configuration
+ Bridge PDUs originated by this node."
+ REFERENCE
+ "IEEE 802.1D-1998: clause 8.5.3.1"
+ ::= { dot1dStp 5 }
+
+dot1dStpRootCost OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The cost of the path to the root as seen from
+ this bridge."
+ REFERENCE
+ "IEEE 802.1D-1998: clause 8.5.3.2"
+ ::= { dot1dStp 6 }
+
+dot1dStpRootPort OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The port number of the port that offers the lowest
+ cost path from this bridge to the root bridge."
+ REFERENCE
+ "IEEE 802.1D-1998: clause 8.5.3.3"
+ ::= { dot1dStp 7 }
+
+dot1dStpMaxAge OBJECT-TYPE
+ SYNTAX Timeout
+ UNITS "centi-seconds"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The maximum age of Spanning Tree Protocol information
+ learned from the network on any port before it is
+ discarded, in units of hundredths of a second. This is
+ the actual value that this bridge is currently using."
+ REFERENCE
+ "IEEE 802.1D-1998: clause 8.5.3.4"
+ ::= { dot1dStp 8 }
+
+dot1dStpHelloTime OBJECT-TYPE
+ SYNTAX Timeout
+ UNITS "centi-seconds"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The amount of time between the transmission of
+ Configuration bridge PDUs by this node on any port when
+ it is the root of the spanning tree, or trying to become
+ so, in units of hundredths of a second. This is the
+ actual value that this bridge is currently using."
+ REFERENCE
+ "IEEE 802.1D-1998: clause 8.5.3.5"
+ ::= { dot1dStp 9 }
+
+dot1dStpHoldTime OBJECT-TYPE
+ SYNTAX Integer32
+ UNITS "centi-seconds"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "This time value determines the interval length
+ during which no more than two Configuration bridge
+ PDUs shall be transmitted by this node, in units
+ of hundredths of a second."
+ REFERENCE
+ "IEEE 802.1D-1998: clause 8.5.3.14"
+ ::= { dot1dStp 10 }
+
+dot1dStpForwardDelay OBJECT-TYPE
+ SYNTAX Timeout
+ UNITS "centi-seconds"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "This time value, measured in units of hundredths of a
+ second, controls how fast a port changes its spanning
+ state when moving towards the Forwarding state. The
+ value determines how long the port stays in each of the
+ Listening and Learning states, which precede the
+ Forwarding state. This value is also used when a
+ topology change has been detected and is underway, to
+ age all dynamic entries in the Forwarding Database. 
+ [Note that this value is the one that this bridge is
+ currently using, in contrast to
+ dot1dStpBridgeForwardDelay, which is the value that this
+ bridge and all others would start using if/when this
+ bridge were to become the root.]"
+ REFERENCE
+ "IEEE 802.1D-1998: clause 8.5.3.6"
+ ::= { dot1dStp 11 }
+
+dot1dStpBridgeMaxAge OBJECT-TYPE
+ SYNTAX Timeout (600..4000)
+ UNITS "centi-seconds"
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "The value that all bridges use for MaxAge when this
+ bridge is acting as the root. Note that 802.1D-1998
+ specifies that the range for this parameter is related
+ to the value of dot1dStpBridgeHelloTime. The
+ granularity of this timer is specified by 802.1D-1998 to
+ be 1 second. An agent may return a badValue error if a
+ set is attempted to a value that is not a whole number
+ of seconds."
+ REFERENCE
+ "IEEE 802.1D-1998: clause 8.5.3.8"
+ ::= { dot1dStp 12 }
+
+dot1dStpBridgeHelloTime OBJECT-TYPE
+ SYNTAX Timeout (100..1000)
+ UNITS "centi-seconds"
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "The value that all bridges use for HelloTime when this
+ bridge is acting as the root. The granularity of this
+ timer is specified by 802.1D-1998 to be 1 second. An
+ agent may return a badValue error if a set is attempted
+
+ to a value that is not a whole number of seconds."
+ REFERENCE
+ "IEEE 802.1D-1998: clause 8.5.3.9"
+ ::= { dot1dStp 13 }
+
+dot1dStpBridgeForwardDelay OBJECT-TYPE
+ SYNTAX Timeout (400..3000)
+ UNITS "centi-seconds"
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "The value that all bridges use for ForwardDelay when
+ this bridge is acting as the root. Note that
+ 802.1D-1998 specifies that the range for this parameter
+ is related to the value of dot1dStpBridgeMaxAge. The
+ granularity of this timer is specified by 802.1D-1998 to
+ be 1 second. An agent may return a badValue error if a
+ set is attempted to a value that is not a whole number
+ of seconds."
+ REFERENCE
+ "IEEE 802.1D-1998: clause 8.5.3.10"
+ ::= { dot1dStp 14 }
+
+-- ---------------------------------------------------------- --
+-- The Spanning Tree Port Table
+-- ---------------------------------------------------------- --
+
+dot1dStpPortTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF Dot1dStpPortEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table that contains port-specific information
+ for the Spanning Tree Protocol."
+ ::= { dot1dStp 15 }
+
+dot1dStpPortEntry OBJECT-TYPE
+ SYNTAX Dot1dStpPortEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A list of information maintained by every port about
+ the Spanning Tree Protocol state for that port."
+ INDEX { dot1dStpPort }
+ ::= { dot1dStpPortTable 1 }
+
+Dot1dStpPortEntry ::=
+ SEQUENCE {
+
+ dot1dStpPort
+ Integer32,
+ dot1dStpPortPriority
+ Integer32,
+ dot1dStpPortState
+ INTEGER,
+ dot1dStpPortEnable
+ INTEGER,
+ dot1dStpPortPathCost
+ Integer32,
+ dot1dStpPortDesignatedRoot
+ BridgeId,
+ dot1dStpPortDesignatedCost
+ Integer32,
+ dot1dStpPortDesignatedBridge
+ BridgeId,
+ dot1dStpPortDesignatedPort
+ OCTET STRING,
+ dot1dStpPortForwardTransitions
+ Counter32,
+ dot1dStpPortPathCost32
+ Integer32
+ }
+
+dot1dStpPort OBJECT-TYPE
+ SYNTAX Integer32 (1..65535)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The port number of the port for which this entry
+ contains Spanning Tree Protocol management information."
+ REFERENCE
+ "IEEE 802.1D-1998: clause 14.8.2.1.2"
+ ::= { dot1dStpPortEntry 1 }
+
+dot1dStpPortPriority OBJECT-TYPE
+ SYNTAX Integer32 (0..255)
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "The value of the priority field that is contained in
+ the first (in network byte order) octet of the (2 octet
+ long) Port ID. The other octet of the Port ID is given
+ by the value of dot1dStpPort.
+ On bridges supporting IEEE 802.1t or IEEE 802.1w,
+ permissible values are 0-240, in steps of 16."
+ REFERENCE + "IEEE 802.1D-1998 clause 8.10.2, Table 8-4, + IEEE 802.1t clause 8.10.2, Table 8-4, clause 14.3." + ::= { dot1dStpPortEntry 2 } + +dot1dStpPortState OBJECT-TYPE + SYNTAX INTEGER { + disabled(1), + blocking(2), + listening(3), + learning(4), + forwarding(5), + broken(6) + } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The port's current state, as defined by application of + the Spanning Tree Protocol. This state controls what + action a port takes on reception of a frame. If the + bridge has detected a port that is malfunctioning, it + will place that port into the broken(6) state. For + ports that are disabled (see dot1dStpPortEnable), this + object will have a value of disabled(1)." + REFERENCE + "IEEE 802.1D-1998: clause 8.5.5.2" + ::= { dot1dStpPortEntry 3 } + +dot1dStpPortEnable OBJECT-TYPE + SYNTAX INTEGER { + enabled(1), + disabled(2) + } + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The enabled/disabled status of the port." + REFERENCE + "IEEE 802.1D-1998: clause 8.5.5.2" + ::= { dot1dStpPortEntry 4 } + +dot1dStpPortPathCost OBJECT-TYPE + SYNTAX Integer32 (1..65535) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The contribution of this port to the path cost of + paths towards the spanning tree root which include + this port. 802.1D-1998 recommends that the default + value of this parameter be in inverse proportion to + + the speed of the attached LAN. + + New implementations should support dot1dStpPortPathCost32. + If the port path costs exceeds the maximum value of this + object then this object should report the maximum value, + namely 65535. Applications should try to read the + dot1dStpPortPathCost32 object if this object reports + the maximum value." 
+ REFERENCE "IEEE 802.1D-1998: clause 8.5.5.3" + ::= { dot1dStpPortEntry 5 } + +dot1dStpPortDesignatedRoot OBJECT-TYPE + SYNTAX BridgeId + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The unique Bridge Identifier of the Bridge + recorded as the Root in the Configuration BPDUs + transmitted by the Designated Bridge for the + segment to which the port is attached." + REFERENCE + "IEEE 802.1D-1998: clause 8.5.5.4" + ::= { dot1dStpPortEntry 6 } + +dot1dStpPortDesignatedCost OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The path cost of the Designated Port of the segment + connected to this port. This value is compared to the + Root Path Cost field in received bridge PDUs." + REFERENCE + "IEEE 802.1D-1998: clause 8.5.5.5" + ::= { dot1dStpPortEntry 7 } + +dot1dStpPortDesignatedBridge OBJECT-TYPE + SYNTAX BridgeId + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The Bridge Identifier of the bridge that this + port considers to be the Designated Bridge for + this port's segment." + REFERENCE + "IEEE 802.1D-1998: clause 8.5.5.6" + ::= { dot1dStpPortEntry 8 } + +dot1dStpPortDesignatedPort OBJECT-TYPE + SYNTAX OCTET STRING (SIZE (2)) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The Port Identifier of the port on the Designated + Bridge for this port's segment." + REFERENCE + "IEEE 802.1D-1998: clause 8.5.5.7" + ::= { dot1dStpPortEntry 9 } + +dot1dStpPortForwardTransitions OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of times this port has transitioned + from the Learning state to the Forwarding state." + ::= { dot1dStpPortEntry 10 } + +dot1dStpPortPathCost32 OBJECT-TYPE + SYNTAX Integer32 (1..200000000) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The contribution of this port to the path cost of + paths towards the spanning tree root which include + this port. 
802.1D-1998 recommends that the default + value of this parameter be in inverse proportion to + the speed of the attached LAN. + + This object replaces dot1dStpPortPathCost to support + IEEE 802.1t." + REFERENCE + "IEEE 802.1t clause 8.10.2, Table 8-5." + ::= { dot1dStpPortEntry 11 } + +-- ---------------------------------------------------------- -- +-- the dot1dTp subtree +-- ---------------------------------------------------------- -- +-- Implementation of the dot1dTp subtree is optional. It is +-- implemented by those bridges that support the transparent +-- bridging mode. A transparent or SRT bridge will implement +-- this subtree. +-- ---------------------------------------------------------- -- + +dot1dTpLearnedEntryDiscards OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The total number of Forwarding Database entries that + have been or would have been learned, but have been + discarded due to a lack of storage space in the + Forwarding Database. If this counter is increasing, it + indicates that the Forwarding Database is regularly + becoming full (a condition that has unpleasant + performance effects on the subnetwork). If this counter + has a significant value but is not presently increasing, + it indicates that the problem has been occurring but is + not persistent." + REFERENCE + "IEEE 802.1D-1998: clause 14.7.1.1.3" + ::= { dot1dTp 1 } + +dot1dTpAgingTime OBJECT-TYPE + SYNTAX Integer32 (10..1000000) + UNITS "seconds" + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The timeout period in seconds for aging out + dynamically-learned forwarding information. + 802.1D-1998 recommends a default of 300 seconds." 
+ REFERENCE + "IEEE 802.1D-1998: clause 14.7.1.1.3" + ::= { dot1dTp 2 } + +-- ---------------------------------------------------------- -- +-- The Forwarding Database for Transparent Bridges +-- ---------------------------------------------------------- -- + +dot1dTpFdbTable OBJECT-TYPE + SYNTAX SEQUENCE OF Dot1dTpFdbEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A table that contains information about unicast + entries for which the bridge has forwarding and/or + filtering information. This information is used + by the transparent bridging function in + determining how to propagate a received frame." + ::= { dot1dTp 3 } + +dot1dTpFdbEntry OBJECT-TYPE + SYNTAX Dot1dTpFdbEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Information about a specific unicast MAC address + for which the bridge has some forwarding and/or + filtering information." + INDEX { dot1dTpFdbAddress } + ::= { dot1dTpFdbTable 1 } + +Dot1dTpFdbEntry ::= + SEQUENCE { + dot1dTpFdbAddress + MacAddress, + dot1dTpFdbPort + Integer32, + dot1dTpFdbStatus + INTEGER + } + +dot1dTpFdbAddress OBJECT-TYPE + SYNTAX MacAddress + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "A unicast MAC address for which the bridge has + forwarding and/or filtering information." + REFERENCE + "IEEE 802.1D-1998: clause 7.9.1, 7.9.2" + ::= { dot1dTpFdbEntry 1 } + +dot1dTpFdbPort OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Either the value '0', or the port number of the port on + which a frame having a source address equal to the value + of the corresponding instance of dot1dTpFdbAddress has + been seen. A value of '0' indicates that the port + number has not been learned, but that the bridge does + have some forwarding/filtering information about this + address (e.g., in the dot1dStaticTable). 
Implementors + are encouraged to assign the port value to this object + whenever it is learned, even for addresses for which the + corresponding value of dot1dTpFdbStatus is not + learned(3)." + ::= { dot1dTpFdbEntry 2 } + +dot1dTpFdbStatus OBJECT-TYPE + SYNTAX INTEGER { + other(1), + invalid(2), + learned(3), + self(4), + mgmt(5) + } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The status of this entry. The meanings of the + values are: + other(1) - none of the following. This would + include the case where some other MIB object + (not the corresponding instance of + dot1dTpFdbPort, nor an entry in the + dot1dStaticTable) is being used to determine if + and how frames addressed to the value of the + corresponding instance of dot1dTpFdbAddress are + being forwarded. + invalid(2) - this entry is no longer valid (e.g., + it was learned but has since aged out), but has + not yet been flushed from the table. + learned(3) - the value of the corresponding instance + of dot1dTpFdbPort was learned, and is being + used. + self(4) - the value of the corresponding instance of + dot1dTpFdbAddress represents one of the bridge's + addresses. The corresponding instance of + dot1dTpFdbPort indicates which of the bridge's + ports has this address. + mgmt(5) - the value of the corresponding instance of + dot1dTpFdbAddress is also the value of an + existing instance of dot1dStaticAddress." + ::= { dot1dTpFdbEntry 3 } + +-- ---------------------------------------------------------- -- +-- Port Table for Transparent Bridges +-- ---------------------------------------------------------- -- + +dot1dTpPortTable OBJECT-TYPE + SYNTAX SEQUENCE OF Dot1dTpPortEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A table that contains information about every port that + is associated with this transparent bridge." 
+ ::= { dot1dTp 4 } + +dot1dTpPortEntry OBJECT-TYPE + SYNTAX Dot1dTpPortEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A list of information for each port of a transparent + bridge." + INDEX { dot1dTpPort } + ::= { dot1dTpPortTable 1 } + +Dot1dTpPortEntry ::= + SEQUENCE { + dot1dTpPort + Integer32, + dot1dTpPortMaxInfo + Integer32, + dot1dTpPortInFrames + Counter32, + dot1dTpPortOutFrames + Counter32, + dot1dTpPortInDiscards + Counter32 + } + +dot1dTpPort OBJECT-TYPE + SYNTAX Integer32 (1..65535) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The port number of the port for which this entry + contains Transparent bridging management information." + ::= { dot1dTpPortEntry 1 } + +-- It would be nice if we could use ifMtu as the size of the +-- largest INFO field, but we can't because ifMtu is defined +-- to be the size that the (inter-)network layer can use, which +-- can differ from the MAC layer (especially if several layers +-- of encapsulation are used). + +dot1dTpPortMaxInfo OBJECT-TYPE + SYNTAX Integer32 + UNITS "bytes" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The maximum size of the INFO (non-MAC) field that + + this port will receive or transmit." + ::= { dot1dTpPortEntry 2 } + +dot1dTpPortInFrames OBJECT-TYPE + SYNTAX Counter32 + UNITS "frames" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of frames that have been received by this + port from its segment. Note that a frame received on the + interface corresponding to this port is only counted by + this object if and only if it is for a protocol being + processed by the local bridging function, including + bridge management frames." + REFERENCE + "IEEE 802.1D-1998: clause 14.6.1.1.3" + ::= { dot1dTpPortEntry 3 } + +dot1dTpPortOutFrames OBJECT-TYPE + SYNTAX Counter32 + UNITS "frames" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of frames that have been transmitted by this + port to its segment. 
Note that a frame transmitted on + the interface corresponding to this port is only counted + by this object if and only if it is for a protocol being + processed by the local bridging function, including + bridge management frames." + REFERENCE + "IEEE 802.1D-1998: clause 14.6.1.1.3" + ::= { dot1dTpPortEntry 4 } + +dot1dTpPortInDiscards OBJECT-TYPE + SYNTAX Counter32 + UNITS "frames" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Count of received valid frames that were discarded + (i.e., filtered) by the Forwarding Process." + REFERENCE + "IEEE 802.1D-1998: clause 14.6.1.1.3" + ::= { dot1dTpPortEntry 5 } + +-- ---------------------------------------------------------- -- + +-- The Static (Destination-Address Filtering) Database +-- ---------------------------------------------------------- -- +-- Implementation of this subtree is optional. +-- ---------------------------------------------------------- -- + +dot1dStaticTable OBJECT-TYPE + SYNTAX SEQUENCE OF Dot1dStaticEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A table containing filtering information configured + into the bridge by (local or network) management + specifying the set of ports to which frames received + from specific ports and containing specific destination + addresses are allowed to be forwarded. The value of + zero in this table, as the port number from which frames + with a specific destination address are received, is + used to specify all ports for which there is no specific + entry in this table for that particular destination + address. Entries are valid for unicast and for + group/broadcast addresses." 
+ REFERENCE + "IEEE 802.1D-1998: clause 14.7.2" + ::= { dot1dStatic 1 } + +dot1dStaticEntry OBJECT-TYPE + SYNTAX Dot1dStaticEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Filtering information configured into the bridge by + (local or network) management specifying the set of + ports to which frames received from a specific port and + containing a specific destination address are allowed to + be forwarded." + REFERENCE + "IEEE 802.1D-1998: clause 14.7.2" + INDEX { dot1dStaticAddress, dot1dStaticReceivePort } + ::= { dot1dStaticTable 1 } + +Dot1dStaticEntry ::= + SEQUENCE { + dot1dStaticAddress MacAddress, + dot1dStaticReceivePort Integer32, + dot1dStaticAllowedToGoTo OCTET STRING, + dot1dStaticStatus INTEGER + } + +dot1dStaticAddress OBJECT-TYPE + SYNTAX MacAddress + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The destination MAC address in a frame to which this + entry's filtering information applies. This object can + take the value of a unicast address, a group address, or + the broadcast address." + REFERENCE + "IEEE 802.1D-1998: clause 7.9.1, 7.9.2" + ::= { dot1dStaticEntry 1 } + +dot1dStaticReceivePort OBJECT-TYPE + SYNTAX Integer32 (0..65535) + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "Either the value '0', or the port number of the port + from which a frame must be received in order for this + entry's filtering information to apply. A value of zero + indicates that this entry applies on all ports of the + bridge for which there is no other applicable entry." + ::= { dot1dStaticEntry 2 } + +dot1dStaticAllowedToGoTo OBJECT-TYPE + SYNTAX OCTET STRING (SIZE (0..512)) + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The set of ports to which frames received from a + specific port and destined for a specific MAC address, + are allowed to be forwarded. 
Each octet within the + value of this object specifies a set of eight ports, + with the first octet specifying ports 1 through 8, the + second octet specifying ports 9 through 16, etc. Within + each octet, the most significant bit represents the + lowest numbered port, and the least significant bit + represents the highest numbered port. Thus, each port + of the bridge is represented by a single bit within the + value of this object. If that bit has a value of '1', + then that port is included in the set of ports; the port + is not included if its bit has a value of '0'. (Note + that the setting of the bit corresponding to the port + from which a frame is received is irrelevant.) The + default value of this object is a string of ones of + appropriate length. + + The value of this object may exceed the required minimum + maximum message size of some SNMP transport (484 bytes, + in the case of SNMP over UDP, see RFC 3417, section 3.2). + SNMP engines on bridges supporting a large number of + ports must support appropriate maximum message sizes." + ::= { dot1dStaticEntry 3 } + +dot1dStaticStatus OBJECT-TYPE + SYNTAX INTEGER { + other(1), + invalid(2), + permanent(3), + deleteOnReset(4), + deleteOnTimeout(5) + } + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "This object indicates the status of this entry. + The default value is permanent(3). + other(1) - this entry is currently in use but the + conditions under which it will remain so are + different from each of the following values. + invalid(2) - writing this value to the object + removes the corresponding entry. + permanent(3) - this entry is currently in use and + will remain so after the next reset of the + bridge. + deleteOnReset(4) - this entry is currently in use + and will remain so until the next reset of the + bridge. + deleteOnTimeout(5) - this entry is currently in use + and will remain so until it is aged out." 
+ ::= { dot1dStaticEntry 4 } + +-- ---------------------------------------------------------- -- +-- Notifications for use by Bridges +-- ---------------------------------------------------------- -- +-- Notifications for the Spanning Tree Protocol +-- ---------------------------------------------------------- -- + +newRoot NOTIFICATION-TYPE + -- OBJECTS { } + STATUS current + DESCRIPTION + "The newRoot trap indicates that the sending agent has + become the new root of the Spanning Tree; the trap is + sent by a bridge soon after its election as the new + + root, e.g., upon expiration of the Topology Change Timer, + immediately subsequent to its election. Implementation + of this trap is optional." + ::= { dot1dNotifications 1 } + +topologyChange NOTIFICATION-TYPE + -- OBJECTS { } + STATUS current + DESCRIPTION + "A topologyChange trap is sent by a bridge when any of + its configured ports transitions from the Learning state + to the Forwarding state, or from the Forwarding state to + the Blocking state. The trap is not sent if a newRoot + trap is sent for the same transition. Implementation of + this trap is optional." + ::= { dot1dNotifications 2 } + +-- ---------------------------------------------------------- -- +-- IEEE 802.1D MIB - Conformance Information +-- ---------------------------------------------------------- -- + +dot1dGroups OBJECT IDENTIFIER ::= { dot1dConformance 1 } +dot1dCompliances OBJECT IDENTIFIER ::= { dot1dConformance 2 } + +-- ---------------------------------------------------------- -- +-- units of conformance +-- ---------------------------------------------------------- -- + +-- ---------------------------------------------------------- -- +-- the dot1dBase group +-- ---------------------------------------------------------- -- + +dot1dBaseBridgeGroup OBJECT-GROUP + OBJECTS { + dot1dBaseBridgeAddress, + dot1dBaseNumPorts, + dot1dBaseType + } + STATUS current + DESCRIPTION + "Bridge level information for this device." 
+ ::= { dot1dGroups 1 } + +dot1dBasePortGroup OBJECT-GROUP + OBJECTS { + dot1dBasePort, + dot1dBasePortIfIndex, + dot1dBasePortCircuit, + dot1dBasePortDelayExceededDiscards, + dot1dBasePortMtuExceededDiscards + } + STATUS current + DESCRIPTION + "Information for each port on this device." + ::= { dot1dGroups 2 } + +-- ---------------------------------------------------------- -- +-- the dot1dStp group +-- ---------------------------------------------------------- -- + +dot1dStpBridgeGroup OBJECT-GROUP + OBJECTS { + dot1dStpProtocolSpecification, + dot1dStpPriority, + dot1dStpTimeSinceTopologyChange, + dot1dStpTopChanges, + dot1dStpDesignatedRoot, + dot1dStpRootCost, + dot1dStpRootPort, + dot1dStpMaxAge, + dot1dStpHelloTime, + dot1dStpHoldTime, + dot1dStpForwardDelay, + dot1dStpBridgeMaxAge, + dot1dStpBridgeHelloTime, + dot1dStpBridgeForwardDelay + } + STATUS current + DESCRIPTION + "Bridge level Spanning Tree data for this device." + ::= { dot1dGroups 3 } + +dot1dStpPortGroup OBJECT-GROUP + OBJECTS { + dot1dStpPort, + dot1dStpPortPriority, + dot1dStpPortState, + dot1dStpPortEnable, + dot1dStpPortPathCost, + dot1dStpPortDesignatedRoot, + dot1dStpPortDesignatedCost, + dot1dStpPortDesignatedBridge, + dot1dStpPortDesignatedPort, + dot1dStpPortForwardTransitions + } + STATUS current + DESCRIPTION + "Spanning Tree data for each port on this device." + ::= { dot1dGroups 4 } + +dot1dStpPortGroup2 OBJECT-GROUP + OBJECTS { + dot1dStpPort, + dot1dStpPortPriority, + dot1dStpPortState, + dot1dStpPortEnable, + dot1dStpPortDesignatedRoot, + dot1dStpPortDesignatedCost, + dot1dStpPortDesignatedBridge, + dot1dStpPortDesignatedPort, + dot1dStpPortForwardTransitions, + dot1dStpPortPathCost32 + } + STATUS current + DESCRIPTION + "Spanning Tree data for each port on this device." + ::= { dot1dGroups 5 } + +dot1dStpPortGroup3 OBJECT-GROUP + OBJECTS { + dot1dStpPortPathCost32 + } + STATUS current + DESCRIPTION + "Spanning Tree data for devices supporting 32-bit + path costs." 
+ ::= { dot1dGroups 6 } + +-- ---------------------------------------------------------- -- +-- the dot1dTp group +-- ---------------------------------------------------------- -- + +dot1dTpBridgeGroup OBJECT-GROUP + OBJECTS { + dot1dTpLearnedEntryDiscards, + dot1dTpAgingTime + } + STATUS current + DESCRIPTION + "Bridge level Transparent Bridging data." + ::= { dot1dGroups 7 } + +dot1dTpFdbGroup OBJECT-GROUP + OBJECTS { + + dot1dTpFdbAddress, + dot1dTpFdbPort, + dot1dTpFdbStatus + } + STATUS current + DESCRIPTION + "Filtering Database information for the Bridge." + ::= { dot1dGroups 8 } + +dot1dTpGroup OBJECT-GROUP + OBJECTS { + dot1dTpPort, + dot1dTpPortMaxInfo, + dot1dTpPortInFrames, + dot1dTpPortOutFrames, + dot1dTpPortInDiscards + } + STATUS current + DESCRIPTION + "Dynamic Filtering Database information for each port of + the Bridge." + ::= { dot1dGroups 9 } + +-- ---------------------------------------------------------- -- +-- The Static (Destination-Address Filtering) Database +-- ---------------------------------------------------------- -- + +dot1dStaticGroup OBJECT-GROUP + OBJECTS { + dot1dStaticAddress, + dot1dStaticReceivePort, + dot1dStaticAllowedToGoTo, + dot1dStaticStatus + } + STATUS current + DESCRIPTION + "Static Filtering Database information for each port of + the Bridge." + ::= { dot1dGroups 10 } + +-- ---------------------------------------------------------- -- +-- The Trap Notification Group +-- ---------------------------------------------------------- -- + +dot1dNotificationGroup NOTIFICATION-GROUP + NOTIFICATIONS { + newRoot, + topologyChange + } + STATUS current + DESCRIPTION + "Group of objects describing notifications (traps)." 
+ ::= { dot1dGroups 11 } + +-- ---------------------------------------------------------- -- +-- compliance statements +-- ---------------------------------------------------------- -- + +bridgeCompliance1493 MODULE-COMPLIANCE + STATUS current + DESCRIPTION + "The compliance statement for device support of bridging + services, as per RFC1493." + + MODULE + MANDATORY-GROUPS { + dot1dBaseBridgeGroup, + dot1dBasePortGroup + } + + GROUP dot1dStpBridgeGroup + DESCRIPTION + "Implementation of this group is mandatory for bridges + that support the Spanning Tree Protocol." + + GROUP dot1dStpPortGroup + DESCRIPTION + "Implementation of this group is mandatory for bridges + that support the Spanning Tree Protocol." + + GROUP dot1dTpBridgeGroup + DESCRIPTION + "Implementation of this group is mandatory for bridges + that support the transparent bridging mode. A + transparent or SRT bridge will implement this group." + + GROUP dot1dTpFdbGroup + DESCRIPTION + "Implementation of this group is mandatory for bridges + that support the transparent bridging mode. A + transparent or SRT bridge will implement this group." + + GROUP dot1dTpGroup + DESCRIPTION + "Implementation of this group is mandatory for bridges + + that support the transparent bridging mode. A + transparent or SRT bridge will implement this group." + + GROUP dot1dStaticGroup + DESCRIPTION + "Implementation of this group is optional." + + GROUP dot1dNotificationGroup + DESCRIPTION + "Implementation of this group is optional." + ::= { dot1dCompliances 1 } + +bridgeCompliance4188 MODULE-COMPLIANCE + STATUS current + DESCRIPTION + "The compliance statement for device support of bridging + services. This supports 32-bit Path Cost values and the + more restricted bridge and port priorities, as per IEEE + 802.1t. 
+ + Full support for the 802.1D management objects requires that + the SNMPv2-MIB [RFC3418] objects sysDescr, and sysUpTime, as + well as the IF-MIB [RFC2863] objects ifIndex, ifType, + ifDescr, ifPhysAddress, and ifLastChange are implemented." + + MODULE + MANDATORY-GROUPS { + dot1dBaseBridgeGroup, + dot1dBasePortGroup + } + + GROUP dot1dStpBridgeGroup + DESCRIPTION + "Implementation of this group is mandatory for + bridges that support the Spanning Tree Protocol." + + OBJECT dot1dStpPriority + SYNTAX Integer32 (0|4096|8192|12288|16384|20480|24576 + |28672|32768|36864|40960|45056|49152 + |53248|57344|61440) + DESCRIPTION + "The possible values defined by IEEE 802.1t." + + GROUP dot1dStpPortGroup2 + DESCRIPTION + "Implementation of this group is mandatory for + bridges that support the Spanning Tree Protocol." + + GROUP dot1dStpPortGroup3 + DESCRIPTION + "Implementation of this group is mandatory for bridges + that support the Spanning Tree Protocol and 32-bit path + costs. In particular, this includes devices supporting + IEEE 802.1t and IEEE 802.1w." + + OBJECT dot1dStpPortPriority + SYNTAX Integer32 (0|16|32|48|64|80|96|112|128 + |144|160|176|192|208|224|240) + DESCRIPTION + "The possible values defined by IEEE 802.1t." + + GROUP dot1dTpBridgeGroup + DESCRIPTION + "Implementation of this group is mandatory for + bridges that support the transparent bridging + mode. A transparent or SRT bridge will implement + this group." + + GROUP dot1dTpFdbGroup + DESCRIPTION + "Implementation of this group is mandatory for + bridges that support the transparent bridging + mode. A transparent or SRT bridge will implement + this group." + + GROUP dot1dTpGroup + DESCRIPTION + "Implementation of this group is mandatory for + bridges that support the transparent bridging + mode. A transparent or SRT bridge will implement + this group." + + GROUP dot1dStaticGroup + DESCRIPTION + "Implementation of this group is optional." 
+ + GROUP dot1dNotificationGroup + DESCRIPTION + "Implementation of this group is optional." + ::= { dot1dCompliances 2 } + +END diff --git a/mibs/DISMAN-EVENT-MIB.txt b/mibs/DISMAN-EVENT-MIB.txt new file mode 100644 index 000000000..f00c7cc89 --- /dev/null +++ b/mibs/DISMAN-EVENT-MIB.txt 
@@ -0,0 +1,1882 @@ +DISMAN-EVENT-MIB DEFINITIONS ::= BEGIN + +IMPORTS + MODULE-IDENTITY, OBJECT-TYPE, + Integer32, Unsigned32, + NOTIFICATION-TYPE, Counter32, + Gauge32, mib-2, zeroDotZero FROM SNMPv2-SMI + TEXTUAL-CONVENTION, RowStatus, + TruthValue FROM SNMPv2-TC + + MODULE-COMPLIANCE, OBJECT-GROUP, + NOTIFICATION-GROUP FROM SNMPv2-CONF + sysUpTime FROM SNMPv2-MIB + SnmpTagValue FROM SNMP-TARGET-MIB + SnmpAdminString FROM SNMP-FRAMEWORK-MIB; + +dismanEventMIB MODULE-IDENTITY + LAST-UPDATED "200010160000Z" -- 16 October 2000 + ORGANIZATION "IETF Distributed Management Working Group" + CONTACT-INFO "Ramanathan Kavasseri + Cisco Systems, Inc. + 170 West Tasman Drive, + San Jose CA 95134-1706. + Phone: +1 408 526 4527 + Email: ramk@cisco.com" + DESCRIPTION + "The MIB module for defining event triggers and actions + for network management purposes." +-- Revision History + + REVISION "200010160000Z" -- 16 October 2000 + DESCRIPTION "This is the initial version of this MIB. + Published as RFC 2981" + ::= { mib-2 88 } + +dismanEventMIBObjects OBJECT IDENTIFIER ::= { dismanEventMIB 1 } + +-- Management Triggered Event (MTE) objects + +mteResource OBJECT IDENTIFIER ::= { dismanEventMIBObjects 1 } +mteTrigger OBJECT IDENTIFIER ::= { dismanEventMIBObjects 2 } +mteObjects OBJECT IDENTIFIER ::= { dismanEventMIBObjects 3 } +mteEvent OBJECT IDENTIFIER ::= { dismanEventMIBObjects 4 } + +-- +-- Textual Conventions +-- + +FailureReason ::= TEXTUAL-CONVENTION + STATUS current + DESCRIPTION + "Reasons for failures in an attempt to perform a management + request. + + The first group of errors, numbered less than 0, are related + to problems in sending the request. The existence of a + particular error code here does not imply that all + implementations are capable of sensing that error and + + returning that code. 
+ + The second group, numbered greater than 0, are copied + directly from SNMP protocol operations and are intended to + carry exactly the meanings defined for the protocol as returned + in an SNMP response. + + localResourceLack some local resource such as memory + lacking or + mteResourceSampleInstanceMaximum + exceeded + badDestination unrecognized domain name or otherwise + invalid destination address + destinationUnreachable can't get to destination address + noResponse no response to SNMP request + badType the data syntax of a retrieved object + as not as expected + sampleOverrun another sample attempt occurred before + the previous one completed" + SYNTAX INTEGER { localResourceLack(-1), + badDestination(-2), + destinationUnreachable(-3), + noResponse(-4), + badType(-5), + sampleOverrun(-6), + noError(0), + tooBig(1), + noSuchName(2), + badValue(3), + readOnly(4), + genErr(5), + noAccess(6), + wrongType(7), + wrongLength(8), + wrongEncoding(9), + wrongValue(10), + noCreation(11), + inconsistentValue(12), + resourceUnavailable(13), + commitFailed(14), + undoFailed(15), + authorizationError(16), + notWritable(17), + inconsistentName(18) } +-- + +-- Resource Control Section +-- + +mteResourceSampleMinimum OBJECT-TYPE + SYNTAX Integer32 (1..2147483647) + UNITS "seconds" + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The minimum mteTriggerFrequency this system will + accept. A system may use the larger values of this minimum to + lessen the impact of constant sampling. For larger + sampling intervals the system samples less often and + suffers less overhead. This object provides a way to enforce + such lower overhead for all triggers created after it is + set. + + Unless explicitly resource limited, a system's value for + this object SHOULD be 1, allowing as small as a 1 second + interval for ongoing trigger sampling. + + Changing this value will not invalidate an existing setting + of mteTriggerFrequency." 
+ ::= { mteResource 1 } + +mteResourceSampleInstanceMaximum OBJECT-TYPE + SYNTAX Unsigned32 + UNITS "instances" + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The maximum number of instance entries this system will + support for sampling. + + These are the entries that maintain state, one for each + instance of each sampled object as selected by + mteTriggerValueID. Note that wildcarded objects result + in multiple instances of this state. + + A value of 0 indicates no preset limit, that is, the limit + is dynamic based on system operation and resources. + + Unless explicitly resource limited, a system's value for + this object SHOULD be 0. + + Changing this value will not eliminate or inhibit existing + sample state but could prevent allocation of additional state + information." + ::= { mteResource 2 } + +mteResourceSampleInstances OBJECT-TYPE + SYNTAX Gauge32 + UNITS "instances" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of currently active instance entries as + defined for mteResourceSampleInstanceMaximum." + ::= { mteResource 3 } + +mteResourceSampleInstancesHigh OBJECT-TYPE + SYNTAX Gauge32 + UNITS "instances" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The highest value of mteResourceSampleInstances that has + occurred since initialization of the management system." + ::= { mteResource 4 } + +mteResourceSampleInstanceLacks OBJECT-TYPE + SYNTAX Counter32 + UNITS "instances" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of times this system could not take a new sample + because that allocation would have exceeded the limit set by + mteResourceSampleInstanceMaximum." + ::= { mteResource 5 } + +-- +-- Trigger Section +-- + +-- Counters + +mteTriggerFailures OBJECT-TYPE + SYNTAX Counter32 + UNITS "failures" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of times an attempt to check for a trigger + condition has failed. 
This counts individually for each + attempt in a group of targets or each attempt for a + + wildcarded object." + ::= { mteTrigger 1 } + +-- +-- Trigger Table +-- + +mteTriggerTable OBJECT-TYPE + SYNTAX SEQUENCE OF MteTriggerEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A table of management event trigger information." + ::= { mteTrigger 2 } + +mteTriggerEntry OBJECT-TYPE + SYNTAX MteTriggerEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Information about a single trigger. Applications create and + delete entries using mteTriggerEntryStatus." + INDEX { mteOwner, IMPLIED mteTriggerName } + ::= { mteTriggerTable 1 } + +MteTriggerEntry ::= SEQUENCE { + mteOwner SnmpAdminString, + mteTriggerName SnmpAdminString, + mteTriggerComment SnmpAdminString, + mteTriggerTest BITS, + mteTriggerSampleType INTEGER, + mteTriggerValueID OBJECT IDENTIFIER, + mteTriggerValueIDWildcard TruthValue, + mteTriggerTargetTag SnmpTagValue, + mteTriggerContextName SnmpAdminString, + mteTriggerContextNameWildcard TruthValue, + mteTriggerFrequency Unsigned32, + mteTriggerObjectsOwner SnmpAdminString, + mteTriggerObjects SnmpAdminString, + mteTriggerEnabled TruthValue, + mteTriggerEntryStatus RowStatus +} + +mteOwner OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE(0..32)) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The owner of this entry. The exact semantics of this + string are subject to the security policy defined by the + security administrator." + ::= { mteTriggerEntry 1 } + +mteTriggerName OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE (1..32)) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A locally-unique, administratively assigned name for the + trigger within the scope of mteOwner." + ::= { mteTriggerEntry 2 } + +mteTriggerComment OBJECT-TYPE + SYNTAX SnmpAdminString + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "A description of the trigger's function and use." 
+ DEFVAL { ''H } + ::= { mteTriggerEntry 3 } + +mteTriggerTest OBJECT-TYPE + SYNTAX BITS { existence(0), boolean(1), threshold(2) } + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The type of trigger test to perform. For 'boolean' and + 'threshold' tests, the object at mteTriggerValueID MUST + evaluate to an integer, that is, anything that ends up encoded + for transmission (that is, in BER, not ASN.1) as an integer. + + For 'existence', the specific test is as selected by + mteTriggerExistenceTest. When an object appears, vanishes + or changes value, the trigger fires. If the object's + appearance caused the trigger firing, the object MUST + vanish before the trigger can be fired again for it, and + vice versa. If the trigger fired due to a change in the + object's value, it will be fired again on every successive + value change for that object. + + For 'boolean', the specific test is as selected by + mteTriggerBooleanTest. If the test result is true the trigger + fires. The trigger will not fire again until the value has + become false and come back to true. + + For 'threshold' the test works as described below for + + mteTriggerThresholdStartup, mteTriggerThresholdRising, and + mteTriggerThresholdFalling. + + Note that combining 'boolean' and 'threshold' tests on the + same object may be somewhat redundant." + DEFVAL { { boolean } } + ::= { mteTriggerEntry 4 } + +mteTriggerSampleType OBJECT-TYPE + SYNTAX INTEGER { absoluteValue(1), deltaValue(2) } + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The type of sampling to perform. + + An 'absoluteValue' sample requires only a single sample to be + meaningful, and is exactly the value of the object at + mteTriggerValueID at the sample time. + + A 'deltaValue' requires two samples to be meaningful and is + thus not available for testing until the second and subsequent + samples after the object at mteTriggerValueID is first found + to exist. It is the difference between the two samples. 
For + unsigned values it is always positive, based on unsigned + arithmetic. For signed values it can be positive or negative. + + For SNMP counters to be meaningful they should be sampled as a + 'deltaValue'. + + For 'deltaValue' mteTriggerDeltaTable contains further + parameters. + + If only 'existence' is set in mteTriggerTest this object has + no meaning." + DEFVAL { absoluteValue } + ::= { mteTriggerEntry 5 } + +mteTriggerValueID OBJECT-TYPE + SYNTAX OBJECT IDENTIFIER + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The object identifier of the MIB object to sample to see + if the trigger should fire. + + This may be wildcarded by truncating all or part of the + instance portion, in which case the value is obtained + as if with a GetNext function, checking multiple values + + if they exist. If such wildcarding is applied, + mteTriggerValueIDWildcard must be 'true' and if not it must + be 'false'. + + Bad object identifiers or a mismatch between truncating the + identifier and the value of mteTriggerValueIDWildcard result + in operation as one would expect when providing the wrong + identifier to a Get or GetNext operation. The Get will fail + or get the wrong object. The GetNext will indeed get whatever + is next, proceeding until it runs past the initial part of the + identifier and perhaps many unintended objects for confusing + results. If the value syntax of those objects is not usable, + that results in a 'badType' error that terminates the scan. + + Each instance that fills the wildcard is independent of any + additional instances, that is, wildcarded objects operate + as if there were a separate table entry for each instance + that fills the wildcard without having to actually predict + all possible instances ahead of time." 
+ DEFVAL { zeroDotZero } + ::= { mteTriggerEntry 6 } + +mteTriggerValueIDWildcard OBJECT-TYPE + SYNTAX TruthValue + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "Control for whether mteTriggerValueID is to be treated as + fully-specified or wildcarded, with 'true' indicating wildcard." + DEFVAL { false } + ::= { mteTriggerEntry 7 } + +mteTriggerTargetTag OBJECT-TYPE + SYNTAX SnmpTagValue + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The tag for the target(s) from which to obtain the condition + for a trigger check. + + A length of 0 indicates the local system. In this case, + access to the objects indicated by mteTriggerValueID is under + the security credentials of the requester that set + mteTriggerEntryStatus to 'active'. Those credentials are the + input parameters for isAccessAllowed from the Architecture for + Describing SNMP Management Frameworks. + + Otherwise access rights are checked according to the security + + parameters resulting from the tag." + DEFVAL { ''H } + ::= { mteTriggerEntry 8 } + +mteTriggerContextName OBJECT-TYPE + SYNTAX SnmpAdminString + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The management context from which to obtain mteTriggerValueID. + + This may be wildcarded by leaving characters off the end. For + example use 'Repeater' to wildcard to 'Repeater1', + 'Repeater2', 'Repeater-999.87b', and so on. To indicate such + wildcarding is intended, mteTriggerContextNameWildcard must + be 'true'. + + Each instance that fills the wildcard is independent of any + additional instances, that is, wildcarded objects operate + as if there were a separate table entry for each instance + that fills the wildcard without having to actually predict + all possible instances ahead of time. + + Operation of this feature assumes that the local system has a + list of available contexts against which to apply the + wildcard. 
If the objects are being read from the local + system, this is clearly the system's own list of contexts. + For a remote system a local version of such a list is not + defined by any current standard and may not be available, so + this function MAY not be supported." + DEFVAL { ''H } + ::= { mteTriggerEntry 9 } + +mteTriggerContextNameWildcard OBJECT-TYPE + SYNTAX TruthValue + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "Control for whether mteTriggerContextName is to be treated as + fully-specified or wildcarded, with 'true' indicating wildcard." + DEFVAL { false } + ::= { mteTriggerEntry 10 } + +mteTriggerFrequency OBJECT-TYPE + SYNTAX Unsigned32 + UNITS "seconds" + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The number of seconds to wait between trigger samples. To + encourage consistency in sampling, the interval is measured + from the beginning of one check to the beginning of the next + and the timer is restarted immediately when it expires, not + when the check completes. + + If the next sample begins before the previous one completed the + system may either attempt to make the check or treat this as an + error condition with the error 'sampleOverrun'. + + A frequency of 0 indicates instantaneous recognition of the + condition. This is not possible in many cases, but may + be supported in cases where it makes sense and the system is + able to do so. This feature allows the MIB to be used in + implementations where such interrupt-driven behavior is + possible and is not likely to be supported for all MIB objects + even then since such sampling generally has to be tightly + integrated into low-level code. + + Systems that can support this SHOULD document those cases + where it can be used. In cases where it can not, setting this + object to 0 should be disallowed." 
+ DEFVAL { 600 } + ::= { mteTriggerEntry 11 } + +mteTriggerObjectsOwner OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE (0..32)) + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "To go with mteTriggerObjects, the mteOwner of a group of + objects from mteObjectsTable." + DEFVAL { ''H } + ::= { mteTriggerEntry 12 } + +mteTriggerObjects OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE (0..32)) + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The mteObjectsName of a group of objects from + mteObjectsTable. These objects are to be added to any + Notification resulting from the firing of this trigger. + + A list of objects may also be added based on the event or on + the value of mteTriggerTest. + + A length of 0 indicates no additional objects." + DEFVAL { ''H } + ::= { mteTriggerEntry 13 } + +mteTriggerEnabled OBJECT-TYPE + SYNTAX TruthValue + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "A control to allow a trigger to be configured but not used. + When the value is 'false' the trigger is not sampled." + DEFVAL { false } + ::= { mteTriggerEntry 14 } + +mteTriggerEntryStatus OBJECT-TYPE + SYNTAX RowStatus + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The control that allows creation and deletion of entries. + Once made active an entry may not be modified except to + delete it." + ::= { mteTriggerEntry 15 } + +-- +-- Trigger Delta Table +-- + +mteTriggerDeltaTable OBJECT-TYPE + SYNTAX SEQUENCE OF MteTriggerDeltaEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A table of management event trigger information for delta + sampling." + ::= { mteTrigger 3 } + +mteTriggerDeltaEntry OBJECT-TYPE + SYNTAX MteTriggerDeltaEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Information about a single trigger's delta sampling. Entries + automatically exist in this this table for each mteTriggerEntry + that has mteTriggerSampleType set to 'deltaValue'." 
+ INDEX { mteOwner, IMPLIED mteTriggerName } + ::= { mteTriggerDeltaTable 1 } + +MteTriggerDeltaEntry ::= SEQUENCE { + mteTriggerDeltaDiscontinuityID OBJECT IDENTIFIER, + mteTriggerDeltaDiscontinuityIDWildcard TruthValue, + mteTriggerDeltaDiscontinuityIDType INTEGER +} + +sysUpTimeInstance OBJECT IDENTIFIER ::= { sysUpTime 0 } + +mteTriggerDeltaDiscontinuityID OBJECT-TYPE + SYNTAX OBJECT IDENTIFIER + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The OBJECT IDENTIFIER (OID) of a TimeTicks, TimeStamp, or + DateAndTime object that indicates a discontinuity in the value + at mteTriggerValueID. + + The OID may be for a leaf object (e.g. sysUpTime.0) or may + be wildcarded to match mteTriggerValueID. + + This object supports normal checking for a discontinuity in a + counter. Note that if this object does not point to sysUpTime + discontinuity checking MUST still check sysUpTime for an overall + discontinuity. + + If the object identified is not accessible the sample attempt + is in error, with the error code as from an SNMP request. + + Bad object identifiers or a mismatch between truncating the + identifier and the value of mteDeltaDiscontinuityIDWildcard + result in operation as one would expect when providing the + wrong identifier to a Get operation. The Get will fail or get + the wrong object. If the value syntax of those objects is not + usable, that results in an error that terminates the sample + with a 'badType' error code." + DEFVAL { sysUpTimeInstance } + ::= { mteTriggerDeltaEntry 1 } + +mteTriggerDeltaDiscontinuityIDWildcard OBJECT-TYPE + SYNTAX TruthValue + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Control for whether mteTriggerDeltaDiscontinuityID is to be + treated as fully-specified or wildcarded, with 'true' + indicating wildcard. Note that the value of this object will + be the same as that of the corresponding instance of + mteTriggerValueIDWildcard when the corresponding + + mteTriggerSampleType is 'deltaValue'." 
+ DEFVAL { false } + ::= { mteTriggerDeltaEntry 2 } + +mteTriggerDeltaDiscontinuityIDType OBJECT-TYPE + SYNTAX INTEGER { timeTicks(1), timeStamp(2), dateAndTime(3) } + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The value 'timeTicks' indicates the + mteTriggerDeltaDiscontinuityID of this row is of syntax + TimeTicks. The value 'timeStamp' indicates syntax TimeStamp. + The value 'dateAndTime' indicates syntax DateAndTime." + DEFVAL { timeTicks } + ::= { mteTriggerDeltaEntry 3 } + +-- +-- Trigger Existence Table +-- + +mteTriggerExistenceTable OBJECT-TYPE + SYNTAX SEQUENCE OF MteTriggerExistenceEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A table of management event trigger information for existence + triggers." + ::= { mteTrigger 4 } + +mteTriggerExistenceEntry OBJECT-TYPE + SYNTAX MteTriggerExistenceEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Information about a single existence trigger. Entries + automatically exist in this this table for each mteTriggerEntry + that has 'existence' set in mteTriggerTest." + INDEX { mteOwner, IMPLIED mteTriggerName } + ::= { mteTriggerExistenceTable 1 } + +MteTriggerExistenceEntry ::= SEQUENCE { + mteTriggerExistenceTest BITS, + mteTriggerExistenceStartup BITS, + mteTriggerExistenceObjectsOwner SnmpAdminString, + mteTriggerExistenceObjects SnmpAdminString, + mteTriggerExistenceEventOwner SnmpAdminString, + mteTriggerExistenceEvent SnmpAdminString +} + +mteTriggerExistenceTest OBJECT-TYPE + SYNTAX BITS { present(0), absent(1), changed(2) } + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The type of existence test to perform. The trigger fires + when the object at mteTriggerValueID is seen to go from + present to absent, from absent to present, or to have it's + value changed, depending on which tests are selected: + + present(0) - when this test is selected, the trigger fires + when the mteTriggerValueID object goes from absent to present. 
+ + absent(1) - when this test is selected, the trigger fires + when the mteTriggerValueID object goes from present to absent. + changed(2) - when this test is selected, the trigger fires + the mteTriggerValueID object value changes. + + Once the trigger has fired for either presence or absence it + will not fire again for that state until the object has been + to the other state. " + DEFVAL { { present, absent } } + ::= { mteTriggerExistenceEntry 1 } + +mteTriggerExistenceStartup OBJECT-TYPE + SYNTAX BITS { present(0), absent(1) } + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Control for whether an event may be triggered when this entry + is first set to 'active' and the test specified by + mteTriggerExistenceTest is true. Setting an option causes + that trigger to fire when its test is true." + DEFVAL { { present, absent } } + ::= { mteTriggerExistenceEntry 2 } + +mteTriggerExistenceObjectsOwner OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE (0..32)) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "To go with mteTriggerExistenceObjects, the mteOwner of a + group of objects from mteObjectsTable." + DEFVAL { ''H } + ::= { mteTriggerExistenceEntry 3 } + +mteTriggerExistenceObjects OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE (0..32)) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The mteObjectsName of a group of objects from + mteObjectsTable. These objects are to be added to any + Notification resulting from the firing of this trigger for + this test. + + A list of objects may also be added based on the overall + trigger, the event or other settings in mteTriggerTest. + + A length of 0 indicates no additional objects." + DEFVAL { ''H } + ::= { mteTriggerExistenceEntry 4 } + +mteTriggerExistenceEventOwner OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE (0..32)) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "To go with mteTriggerExistenceEvent, the mteOwner of an event + entry from the mteEventTable." 
+ DEFVAL { ''H } + ::= { mteTriggerExistenceEntry 5 } + +mteTriggerExistenceEvent OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE (0..32)) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The mteEventName of the event to invoke when mteTriggerType is + 'existence' and this trigger fires. A length of 0 indicates no + event." + DEFVAL { ''H } + ::= { mteTriggerExistenceEntry 6 } + +-- +-- Trigger Boolean Table +-- + +mteTriggerBooleanTable OBJECT-TYPE + SYNTAX SEQUENCE OF MteTriggerBooleanEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A table of management event trigger information for boolean + triggers." + ::= { mteTrigger 5 } + +mteTriggerBooleanEntry OBJECT-TYPE + SYNTAX MteTriggerBooleanEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Information about a single boolean trigger. Entries + automatically exist in this this table for each mteTriggerEntry + that has 'boolean' set in mteTriggerTest." + INDEX { mteOwner, IMPLIED mteTriggerName } + ::= { mteTriggerBooleanTable 1 } + +MteTriggerBooleanEntry ::= SEQUENCE { + mteTriggerBooleanComparison INTEGER, + mteTriggerBooleanValue Integer32, + mteTriggerBooleanStartup TruthValue, + mteTriggerBooleanObjectsOwner SnmpAdminString, + mteTriggerBooleanObjects SnmpAdminString, + mteTriggerBooleanEventOwner SnmpAdminString, + mteTriggerBooleanEvent SnmpAdminString +} + +mteTriggerBooleanComparison OBJECT-TYPE + SYNTAX INTEGER { unequal(1), equal(2), + less(3), lessOrEqual(4), + greater(5), greaterOrEqual(6) } + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The type of boolean comparison to perform. + + The value at mteTriggerValueID is compared to + mteTriggerBooleanValue, so for example if + mteTriggerBooleanComparison is 'less' the result would be true + if the value at mteTriggerValueID is less than the value of + mteTriggerBooleanValue." 
+ DEFVAL { unequal } + ::= { mteTriggerBooleanEntry 1 } + +mteTriggerBooleanValue OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The value to use for the test specified by + mteTriggerBooleanTest." + DEFVAL { 0 } + ::= { mteTriggerBooleanEntry 2 } + +mteTriggerBooleanStartup OBJECT-TYPE + SYNTAX TruthValue + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Control for whether an event may be triggered when this entry + is first set to 'active' or a new instance of the object at + mteTriggerValueID is found and the test specified by + mteTriggerBooleanComparison is true. In that case an event is + triggered if mteTriggerBooleanStartup is 'true'." + DEFVAL { true } + ::= { mteTriggerBooleanEntry 3 } + +mteTriggerBooleanObjectsOwner OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE (0..32)) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "To go with mteTriggerBooleanObjects, the mteOwner of a group + of objects from mteObjectsTable." + DEFVAL { ''H } + ::= { mteTriggerBooleanEntry 4 } + +mteTriggerBooleanObjects OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE (0..32)) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The mteObjectsName of a group of objects from + mteObjectsTable. These objects are to be added to any + Notification resulting from the firing of this trigger for + this test. + + A list of objects may also be added based on the overall + trigger, the event or other settings in mteTriggerTest. + + A length of 0 indicates no additional objects." + DEFVAL { ''H } + ::= { mteTriggerBooleanEntry 5 } + +mteTriggerBooleanEventOwner OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE (0..32)) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "To go with mteTriggerBooleanEvent, the mteOwner of an event + entry from mteEventTable." 
+ DEFVAL { ''H } + ::= { mteTriggerBooleanEntry 6 } + +mteTriggerBooleanEvent OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE (0..32)) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The mteEventName of the event to invoke when mteTriggerType is + 'boolean' and this trigger fires. A length of 0 indicates no + event." + DEFVAL { ''H } + ::= { mteTriggerBooleanEntry 7 } + +-- +-- Trigger Threshold Table +-- + +mteTriggerThresholdTable OBJECT-TYPE + SYNTAX SEQUENCE OF MteTriggerThresholdEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A table of management event trigger information for threshold + triggers." + ::= { mteTrigger 6 } + +mteTriggerThresholdEntry OBJECT-TYPE + SYNTAX MteTriggerThresholdEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Information about a single threshold trigger. Entries + automatically exist in this table for each mteTriggerEntry + that has 'threshold' set in mteTriggerTest." + INDEX { mteOwner, IMPLIED mteTriggerName } + ::= { mteTriggerThresholdTable 1 } + +MteTriggerThresholdEntry ::= SEQUENCE { + mteTriggerThresholdStartup INTEGER, + mteTriggerThresholdRising Integer32, + mteTriggerThresholdFalling Integer32, + mteTriggerThresholdDeltaRising Integer32, + mteTriggerThresholdDeltaFalling Integer32, + mteTriggerThresholdObjectsOwner SnmpAdminString, + mteTriggerThresholdObjects SnmpAdminString, + mteTriggerThresholdRisingEventOwner SnmpAdminString, + mteTriggerThresholdRisingEvent SnmpAdminString, + mteTriggerThresholdFallingEventOwner SnmpAdminString, + mteTriggerThresholdFallingEvent SnmpAdminString, + mteTriggerThresholdDeltaRisingEventOwner SnmpAdminString, + mteTriggerThresholdDeltaRisingEvent SnmpAdminString, + mteTriggerThresholdDeltaFallingEventOwner SnmpAdminString, + mteTriggerThresholdDeltaFallingEvent SnmpAdminString +} + +mteTriggerThresholdStartup OBJECT-TYPE + SYNTAX INTEGER { rising(1), falling(2), risingOrFalling(3) } + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The 
event that may be triggered when this entry is first + set to 'active' and a new instance of the object at + mteTriggerValueID is found. If the first sample after this + instance becomes active is greater than or equal to + mteTriggerThresholdRising and mteTriggerThresholdStartup is + equal to 'rising' or 'risingOrFalling', then one + mteTriggerThresholdRisingEvent is triggered for that instance. + If the first sample after this entry becomes active is less + than or equal to mteTriggerThresholdFalling and + mteTriggerThresholdStartup is equal to 'falling' or + 'risingOrFalling', then one mteTriggerThresholdRisingEvent is + triggered for that instance." + DEFVAL { risingOrFalling } + ::= { mteTriggerThresholdEntry 1 } + +mteTriggerThresholdRising OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "A threshold value to check against if mteTriggerType is + 'threshold'. + + When the current sampled value is greater than or equal to + this threshold, and the value at the last sampling interval + was less than this threshold, one + mteTriggerThresholdRisingEvent is triggered. That event is + also triggered if the first sample after this entry becomes + active is greater than or equal to this threshold and + mteTriggerThresholdStartup is equal to 'rising' or + 'risingOrFalling'. + + After a rising event is generated, another such event is not + triggered until the sampled value falls below this threshold + and reaches mteTriggerThresholdFalling." + DEFVAL { 0 } + ::= { mteTriggerThresholdEntry 2 } + +mteTriggerThresholdFalling OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "A threshold value to check against if mteTriggerType is + 'threshold'. + + When the current sampled value is less than or equal to this + threshold, and the value at the last sampling interval was + greater than this threshold, one + mteTriggerThresholdFallingEvent is triggered. 
That event is + also triggered if the first sample after this entry becomes + active is less than or equal to this threshold and + mteTriggerThresholdStartup is equal to 'falling' or + 'risingOrFalling'. + + After a falling event is generated, another such event is not + triggered until the sampled value rises above this threshold + and reaches mteTriggerThresholdRising." + DEFVAL { 0 } + ::= { mteTriggerThresholdEntry 3 } + +mteTriggerThresholdDeltaRising OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "A threshold value to check against if mteTriggerType is + 'threshold'. + + When the delta value (difference) between the current sampled + value (value(n)) and the previous sampled value (value(n-1)) + is greater than or equal to this threshold, + and the delta value calculated at the last sampling interval + (i.e. value(n-1) - value(n-2)) was less than this threshold, + one mteTriggerThresholdDeltaRisingEvent is triggered. That event + is also triggered if the first delta value calculated after this + entry becomes active, i.e. value(2) - value(1), where value(1) + is the first sample taken of that instance, is greater than or + equal to this threshold. + + After a rising event is generated, another such event is not + triggered until the delta value falls below this threshold and + reaches mteTriggerThresholdDeltaFalling." + DEFVAL { 0 } + ::= { mteTriggerThresholdEntry 4 } + +mteTriggerThresholdDeltaFalling OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "A threshold value to check against if mteTriggerType is + 'threshold'. + + When the delta value (difference) between the current sampled + value (value(n)) and the previous sampled value (value(n-1)) + is less than or equal to this threshold, + and the delta value calculated at the last sampling interval + (i.e. value(n-1) - value(n-2)) was greater than this threshold, + one mteTriggerThresholdDeltaFallingEvent is triggered. 
That event + is also triggered if the first delta value calculated after this + entry becomes active, i.e. value(2) - value(1), where value(1) + is the first sample taken of that instance, is less than or + equal to this threshold. + + After a falling event is generated, another such event is not + triggered until the delta value falls below this threshold and + reaches mteTriggerThresholdDeltaRising." + DEFVAL { 0 } + ::= { mteTriggerThresholdEntry 5 } + +mteTriggerThresholdObjectsOwner OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE (0..32)) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "To go with mteTriggerThresholdObjects, the mteOwner of a group + of objects from mteObjectsTable." + DEFVAL { ''H } + ::= { mteTriggerThresholdEntry 6 } + +mteTriggerThresholdObjects OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE (0..32)) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The mteObjectsName of a group of objects from + mteObjectsTable. These objects are to be added to any + Notification resulting from the firing of this trigger for + this test. + + A list of objects may also be added based on the overall + + trigger, the event or other settings in mteTriggerTest. + + A length of 0 indicates no additional objects." + DEFVAL { ''H } + ::= { mteTriggerThresholdEntry 7 } + +mteTriggerThresholdRisingEventOwner OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE (0..32)) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "To go with mteTriggerThresholdRisingEvent, the mteOwner of an + event entry from mteEventTable." + DEFVAL { ''H } + ::= { mteTriggerThresholdEntry 8 } + +mteTriggerThresholdRisingEvent OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE (0..32)) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The mteEventName of the event to invoke when mteTriggerType is + 'threshold' and this trigger fires based on + mteTriggerThresholdRising. A length of 0 indicates no event." 
+ DEFVAL { ''H } + ::= { mteTriggerThresholdEntry 9 } + +mteTriggerThresholdFallingEventOwner OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE (0..32)) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "To go with mteTriggerThresholdFallingEvent, the mteOwner of an + event entry from mteEventTable." + DEFVAL { ''H } + ::= { mteTriggerThresholdEntry 10 } + +mteTriggerThresholdFallingEvent OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE (0..32)) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The mteEventName of the event to invoke when mteTriggerType is + 'threshold' and this trigger fires based on + mteTriggerThresholdFalling. A length of 0 indicates no event." + DEFVAL { ''H } + ::= { mteTriggerThresholdEntry 11 } + +mteTriggerThresholdDeltaRisingEventOwner OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE (0..32)) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "To go with mteTriggerThresholdDeltaRisingEvent, the mteOwner + of an event entry from mteEventTable." + DEFVAL { ''H } + ::= { mteTriggerThresholdEntry 12 } + +mteTriggerThresholdDeltaRisingEvent OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE (0..32)) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The mteEventName of the event to invoke when mteTriggerType is + 'threshold' and this trigger fires based on + mteTriggerThresholdDeltaRising. A length of 0 indicates + no event." + DEFVAL { ''H } + ::= { mteTriggerThresholdEntry 13 } + +mteTriggerThresholdDeltaFallingEventOwner OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE (0..32)) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "To go with mteTriggerThresholdDeltaFallingEvent, the mteOwner + of an event entry from mteEventTable." 
+ DEFVAL { ''H } + ::= { mteTriggerThresholdEntry 14 } + +mteTriggerThresholdDeltaFallingEvent OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE (0..32)) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The mteEventName of the event to invoke when mteTriggerType is + 'threshold' and this trigger fires based on + mteTriggerThresholdDeltaFalling. A length of 0 indicates + no event." + DEFVAL { ''H } + ::= { mteTriggerThresholdEntry 15 } + +-- +-- Objects Table +-- + +mteObjectsTable OBJECT-TYPE + SYNTAX SEQUENCE OF MteObjectsEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A table of objects that can be added to notifications based + on the trigger, trigger test, or event, as pointed to by + entries in those tables." + ::= { mteObjects 1 } + +mteObjectsEntry OBJECT-TYPE + SYNTAX MteObjectsEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A group of objects. Applications create and delete entries + using mteObjectsEntryStatus. + + When adding objects to a notification they are added in the + lexical order of their index in this table. Those associated + with a trigger come first, then trigger test, then event." + INDEX { mteOwner, mteObjectsName, mteObjectsIndex } + ::= { mteObjectsTable 1 } + +MteObjectsEntry ::= SEQUENCE { + mteObjectsName SnmpAdminString, + mteObjectsIndex Unsigned32, + mteObjectsID OBJECT IDENTIFIER, + mteObjectsIDWildcard TruthValue, + mteObjectsEntryStatus RowStatus + } + +mteObjectsName OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE (1..32)) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A locally-unique, administratively assigned name for a group + of objects." + ::= { mteObjectsEntry 1 } + +mteObjectsIndex OBJECT-TYPE + SYNTAX Unsigned32 (1..4294967295) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "An arbitrary integer for the purpose of identifying + individual objects within a mteObjectsName group. 
+ + Objects within a group are placed in the notification in the + numerical order of this index. + + Groups are placed in the notification in the order of the + selections for overall trigger, trigger test, and event. + Within trigger test they are in the same order as the + numerical values of the bits defined for mteTriggerTest. + + Bad object identifiers or a mismatch between truncating the + identifier and the value of mteDeltaDiscontinuityIDWildcard + result in operation as one would expect when providing the + wrong identifier to a Get operation. The Get will fail or get + the wrong object. If the object is not available it is omitted + from the notification." + ::= { mteObjectsEntry 2 } + +mteObjectsID OBJECT-TYPE + SYNTAX OBJECT IDENTIFIER + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The object identifier of a MIB object to add to a + Notification that results from the firing of a trigger. + + This may be wildcarded by truncating all or part of the + instance portion, in which case the instance portion of the + OID for obtaining this object will be the same as that used + in obtaining the mteTriggerValueID that fired. If such + wildcarding is applied, mteObjectsIDWildcard must be + 'true' and if not it must be 'false'. + + Each instance that fills the wildcard is independent of any + additional instances, that is, wildcarded objects operate + as if there were a separate table entry for each instance + that fills the wildcard without having to actually predict + all possible instances ahead of time." + DEFVAL { zeroDotZero } + ::= { mteObjectsEntry 3 } + +mteObjectsIDWildcard OBJECT-TYPE + SYNTAX TruthValue + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "Control for whether mteObjectsID is to be treated as + fully-specified or wildcarded, with 'true' indicating wildcard." 
+ DEFVAL { false }
+ ::= { mteObjectsEntry 4 }
+
+mteObjectsEntryStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The control that allows creation and deletion of entries.
+ Once made active an entry MAY not be modified except to
+ delete it."
+ ::= { mteObjectsEntry 5 }
+
+--
+-- Event Section
+--
+
+-- Counters
+
+mteEventFailures OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of times an attempt to invoke an event
+ has failed. This counts individually for each
+ attempt in a group of targets or each attempt for a
+ wildcarded trigger object."
+ ::= { mteEvent 1 }
+
+--
+-- Event Table
+--
+
+mteEventTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF MteEventEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table of management event action information."
+ ::= { mteEvent 2 }
+
+mteEventEntry OBJECT-TYPE
+ SYNTAX MteEventEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Information about a single event. Applications create and
+ delete entries using mteEventEntryStatus."
+ INDEX { mteOwner, IMPLIED mteEventName }
+ ::= { mteEventTable 1 }
+
+MteEventEntry ::= SEQUENCE {
+ mteEventName SnmpAdminString,
+ mteEventComment SnmpAdminString,
+ mteEventActions BITS,
+ mteEventEnabled TruthValue,
+ mteEventEntryStatus RowStatus
+ }
+
+mteEventName OBJECT-TYPE
+ SYNTAX SnmpAdminString (SIZE (1..32))
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A locally-unique, administratively assigned name for the
+ event."
+ ::= { mteEventEntry 1 }
+
+mteEventComment OBJECT-TYPE
+ SYNTAX SnmpAdminString
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "A description of the event's function and use."
+ DEFVAL { ''H }
+ ::= { mteEventEntry 2 }
+
+mteEventActions OBJECT-TYPE
+ SYNTAX BITS { notification(0), set(1) }
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The actions to perform when this event occurs.
+
+ For 'notification', Traps and/or Informs are sent according
+ to the configuration in the SNMP Notification MIB.
+
+ For 'set', an SNMP Set operation is performed according to
+ control values in this entry."
+ DEFVAL { {} } -- No bits set.
+ ::= { mteEventEntry 3 }
+
+mteEventEnabled OBJECT-TYPE
+ SYNTAX TruthValue
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "A control to allow an event to be configured but not used.
+ When the value is 'false' the event does not execute even if
+
+ triggered."
+ DEFVAL { false }
+ ::= { mteEventEntry 4 }
+
+mteEventEntryStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The control that allows creation and deletion of entries.
+ Once made active an entry MAY not be modified except to
+ delete it."
+ ::= { mteEventEntry 5 }
+
+--
+-- Event Notification Table
+--
+
+mteEventNotificationTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF MteEventNotificationEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table of information about notifications to be sent as a
+ consequence of management events."
+ ::= { mteEvent 3 }
+
+mteEventNotificationEntry OBJECT-TYPE
+ SYNTAX MteEventNotificationEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Information about a single event's notification. Entries
+ automatically exist in this this table for each mteEventEntry
+ that has 'notification' set in mteEventActions."
+ INDEX { mteOwner, IMPLIED mteEventName }
+ ::= { mteEventNotificationTable 1 }
+
+MteEventNotificationEntry ::= SEQUENCE {
+ mteEventNotification OBJECT IDENTIFIER,
+ mteEventNotificationObjectsOwner SnmpAdminString,
+ mteEventNotificationObjects SnmpAdminString
+ }
+
+mteEventNotification OBJECT-TYPE
+ SYNTAX OBJECT IDENTIFIER
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "The object identifier from the NOTIFICATION-TYPE for the
+ notification to use if metEventActions has 'notification' set."
+ DEFVAL { zeroDotZero }
+ ::= { mteEventNotificationEntry 1 }
+
+mteEventNotificationObjectsOwner OBJECT-TYPE
+ SYNTAX SnmpAdminString (SIZE (0..32))
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "To go with mteEventNotificationObjects, the mteOwner of a
+ group of objects from mteObjectsTable."
+ DEFVAL { ''H }
+ ::= { mteEventNotificationEntry 2 }
+
+mteEventNotificationObjects OBJECT-TYPE
+ SYNTAX SnmpAdminString (SIZE (0..32))
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "The mteObjectsName of a group of objects from
+ mteObjectsTable if mteEventActions has 'notification' set.
+ These objects are to be added to any Notification generated by
+ this event.
+
+ Objects may also be added based on the trigger that stimulated
+ the event.
+
+ A length of 0 indicates no additional objects."
+ DEFVAL { ''H }
+ ::= { mteEventNotificationEntry 3 }
+
+--
+-- Event Set Table
+--
+
+mteEventSetTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF MteEventSetEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table of management event action information."
+ ::= { mteEvent 4 }
+
+mteEventSetEntry OBJECT-TYPE
+ SYNTAX MteEventSetEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Information about a single event's set option. Entries
+ automatically exist in this this table for each mteEventEntry
+ that has 'set' set in mteEventActions."
+ INDEX { mteOwner, IMPLIED mteEventName }
+ ::= { mteEventSetTable 1 }
+
+MteEventSetEntry ::= SEQUENCE {
+ mteEventSetObject OBJECT IDENTIFIER,
+ mteEventSetObjectWildcard TruthValue,
+ mteEventSetValue Integer32,
+ mteEventSetTargetTag SnmpTagValue,
+ mteEventSetContextName SnmpAdminString,
+ mteEventSetContextNameWildcard TruthValue
+ }
+
+mteEventSetObject OBJECT-TYPE
+ SYNTAX OBJECT IDENTIFIER
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "The object identifier from the MIB object to set if
+ mteEventActions has 'set' set.
+
+ This object identifier may be wildcarded by leaving
+ sub-identifiers off the end, in which case
+ nteEventSetObjectWildCard must be 'true'.
+
+ If mteEventSetObject is wildcarded the instance used to set the
+ object to which it points is the same as the instance from the
+ value of mteTriggerValueID that triggered the event.
+
+ Each instance that fills the wildcard is independent of any
+ additional instances, that is, wildcarded objects operate
+ as if there were a separate table entry for each instance
+ that fills the wildcard without having to actually predict
+ all possible instances ahead of time.
+
+ Bad object identifiers or a mismatch between truncating the
+ identifier and the value of mteSetObjectWildcard
+ result in operation as one would expect when providing the
+ wrong identifier to a Set operation. The Set will fail or set
+ the wrong object. If the value syntax of the destination
+ object is not correct, the Set fails with the normal SNMP
+ error code."
+ DEFVAL { zeroDotZero }
+ ::= { mteEventSetEntry 1 }
+
+mteEventSetObjectWildcard OBJECT-TYPE
+ SYNTAX TruthValue
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Control over whether mteEventSetObject is to be treated as
+ fully-specified or wildcarded, with 'true' indicating wildcard
+ if mteEventActions has 'set' set."
+ DEFVAL { false }
+ ::= { mteEventSetEntry 2 }
+
+mteEventSetValue OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "The value to which to set the object at mteEventSetObject
+ if mteEventActions has 'set' set."
+ DEFVAL { 0 }
+ ::= { mteEventSetEntry 3 }
+
+mteEventSetTargetTag OBJECT-TYPE
+ SYNTAX SnmpTagValue
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "The tag for the target(s) at which to set the object at
+ mteEventSetObject to mteEventSetValue if mteEventActions
+ has 'set' set.
+
+ Systems limited to self management MAY reject a non-zero
+ length for the value of this object.
+
+ A length of 0 indicates the local system. In this case,
+ access to the objects indicated by mteEventSetObject is under
+ the security credentials of the requester that set
+ mteTriggerEntryStatus to 'active'. Those credentials are the
+ input parameters for isAccessAllowed from the Architecture for
+ Describing SNMP Management Frameworks.
+
+ Otherwise access rights are checked according to the security
+ parameters resulting from the tag."
+ DEFVAL { ''H }
+ ::= { mteEventSetEntry 4 }
+
+mteEventSetContextName OBJECT-TYPE
+ SYNTAX SnmpAdminString
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "The management context in which to set mteEventObjectID.
+ if mteEventActions has 'set' set.
+
+ This may be wildcarded by leaving characters off the end. To
+ indicate such wildcarding mteEventSetContextNameWildcard must
+ be 'true'.
+
+ If this context name is wildcarded the value used to complete
+ the wildcarding of mteTriggerContextName will be appended."
+ DEFVAL { ''H }
+ ::= { mteEventSetEntry 5 }
+
+mteEventSetContextNameWildcard OBJECT-TYPE
+ SYNTAX TruthValue
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Control for whether mteEventSetContextName is to be treated as
+ fully-specified or wildcarded, with 'true' indicating wildcard
+ if mteEventActions has 'set' set."
+ DEFVAL { false }
+ ::= { mteEventSetEntry 6 }
+
+--
+-- Notifications
+--
+
+dismanEventMIBNotificationPrefix OBJECT IDENTIFIER ::=
+ { dismanEventMIB 2 }
+dismanEventMIBNotifications OBJECT IDENTIFIER ::=
+ { dismanEventMIBNotificationPrefix 0 }
+dismanEventMIBNotificationObjects OBJECT IDENTIFIER
+ ::= { dismanEventMIBNotificationPrefix 1 }
+
+--
+-- Notification Objects
+--
+
+mteHotTrigger OBJECT-TYPE
+ SYNTAX SnmpAdminString
+ MAX-ACCESS accessible-for-notify
+ STATUS current
+ DESCRIPTION
+ "The name of the trigger causing the notification."
+ ::= { dismanEventMIBNotificationObjects 1 }
+
+mteHotTargetName OBJECT-TYPE
+ SYNTAX SnmpAdminString
+ MAX-ACCESS accessible-for-notify
+ STATUS current
+ DESCRIPTION
+ "The SNMP Target MIB's snmpTargetAddrName related to the
+ notification."
+ ::= { dismanEventMIBNotificationObjects 2 }
+
+mteHotContextName OBJECT-TYPE
+ SYNTAX SnmpAdminString
+ MAX-ACCESS accessible-for-notify
+ STATUS current
+ DESCRIPTION
+ "The context name related to the notification. This MUST be as
+ fully-qualified as possible, including filling in wildcard
+ information determined in processing."
+ ::= { dismanEventMIBNotificationObjects 3 }
+
+mteHotOID OBJECT-TYPE
+ SYNTAX OBJECT IDENTIFIER
+ MAX-ACCESS accessible-for-notify
+ STATUS current
+ DESCRIPTION
+ "The object identifier of the destination object related to the
+ notification. This MUST be as fully-qualified as possible,
+ including filling in wildcard information determined in
+ processing.
+
+ For a trigger-related notification this is from
+ mteTriggerValueID.
+
+ For a set failure this is from mteEventSetObject."
+ ::= { dismanEventMIBNotificationObjects 4 }
+
+mteHotValue OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS accessible-for-notify
+ STATUS current
+ DESCRIPTION
+ "The value of the object at mteTriggerValueID when a
+ trigger fired."
+ ::= { dismanEventMIBNotificationObjects 5 }
+
+mteFailedReason OBJECT-TYPE
+ SYNTAX FailureReason
+ MAX-ACCESS accessible-for-notify
+ STATUS current
+ DESCRIPTION
+ "The reason for the failure of an attempt to check for a
+ trigger condition or set an object in response to an event."
+ ::= { dismanEventMIBNotificationObjects 6 }
+
+--
+-- Notifications
+--
+
+mteTriggerFired NOTIFICATION-TYPE
+ OBJECTS { mteHotTrigger,
+ mteHotTargetName,
+ mteHotContextName,
+ mteHotOID,
+ mteHotValue }
+ STATUS current
+ DESCRIPTION
+ "Notification that the trigger indicated by the object
+ instances has fired, for triggers with mteTriggerType
+ 'boolean' or 'existence'."
+ ::= { dismanEventMIBNotifications 1 }
+
+mteTriggerRising NOTIFICATION-TYPE
+ OBJECTS { mteHotTrigger,
+ mteHotTargetName,
+ mteHotContextName,
+ mteHotOID,
+ mteHotValue }
+ STATUS current
+ DESCRIPTION
+ "Notification that the rising threshold was met for triggers
+ with mteTriggerType 'threshold'."
+ ::= { dismanEventMIBNotifications 2 }
+
+mteTriggerFalling NOTIFICATION-TYPE
+ OBJECTS { mteHotTrigger,
+ mteHotTargetName,
+ mteHotContextName,
+ mteHotOID,
+ mteHotValue }
+ STATUS current
+ DESCRIPTION
+ "Notification that the falling threshold was met for triggers
+ with mteTriggerType 'threshold'."
+ ::= { dismanEventMIBNotifications 3 }
+
+mteTriggerFailure NOTIFICATION-TYPE
+ OBJECTS { mteHotTrigger,
+ mteHotTargetName,
+ mteHotContextName,
+ mteHotOID,
+ mteFailedReason }
+ STATUS current
+ DESCRIPTION
+ "Notification that an attempt to check a trigger has failed.
+
+ The network manager must enable this notification only with
+ a certain fear and trembling, as it can easily crowd out more
+ important information. It should be used only to help diagnose
+ a problem that has appeared in the error counters and can not
+ be found otherwise."
+ ::= { dismanEventMIBNotifications 4 }
+
+mteEventSetFailure NOTIFICATION-TYPE
+ OBJECTS { mteHotTrigger,
+ mteHotTargetName,
+ mteHotContextName,
+ mteHotOID,
+ mteFailedReason }
+ STATUS current
+ DESCRIPTION
+ "Notification that an attempt to do a set in response to an
+ event has failed.
+
+ The network manager must enable this notification only with
+ a certain fear and trembling, as it can easily crowd out more
+ important information. It should be used only to help diagnose
+ a problem that has appeared in the error counters and can not
+ be found otherwise."
+ ::= { dismanEventMIBNotifications 5 }
+
+--
+-- Conformance
+--
+
+dismanEventMIBConformance OBJECT IDENTIFIER ::= { dismanEventMIB 3 }
+dismanEventMIBCompliances OBJECT IDENTIFIER ::=
+ { dismanEventMIBConformance 1 }
+dismanEventMIBGroups OBJECT IDENTIFIER ::=
+ { dismanEventMIBConformance 2 }
+
+-- Compliance
+
+dismanEventMIBCompliance MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "The compliance statement for entities which implement
+ the Event MIB."
+ MODULE -- this module
+ MANDATORY-GROUPS {
+ dismanEventResourceGroup,
+ dismanEventTriggerGroup,
+ dismanEventObjectsGroup,
+ dismanEventEventGroup,
+ dismanEventNotificationObjectGroup,
+ dismanEventNotificationGroup
+ }
+
+ OBJECT mteTriggerTargetTag
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required, thus limiting
+ monitoring to the local system or pre-configured
+ remote systems."
+
+ OBJECT mteEventSetTargetTag
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required, thus limiting
+ setting to the local system or pre-configured
+ remote systems."
+
+ OBJECT mteTriggerValueIDWildcard
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required, thus allowing
+ the system not to implement wildcarding."
+
+ OBJECT mteTriggerContextNameWildcard
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required, thus allowing
+ the system not to implement wildcarding."
+
+ OBJECT mteObjectsIDWildcard
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required, thus allowing
+ the system not to implement wildcarding."
+
+ OBJECT mteEventSetContextNameWildcard
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required, thus allowing
+ the system not to implement wildcarding."
+ ::= { dismanEventMIBCompliances 1 }
+
+-- Units of Conformance
+
+dismanEventResourceGroup OBJECT-GROUP
+ OBJECTS {
+ mteResourceSampleMinimum,
+ mteResourceSampleInstanceMaximum,
+ mteResourceSampleInstances,
+ mteResourceSampleInstancesHigh,
+ mteResourceSampleInstanceLacks
+ }
+ STATUS current
+ DESCRIPTION
+ "Event resource status and control objects."
+ ::= { dismanEventMIBGroups 1 }
+
+dismanEventTriggerGroup OBJECT-GROUP
+ OBJECTS {
+ mteTriggerFailures,
+ mteTriggerComment,
+ mteTriggerTest,
+ mteTriggerSampleType,
+ mteTriggerValueID,
+ mteTriggerValueIDWildcard,
+ mteTriggerTargetTag,
+ mteTriggerContextName,
+ mteTriggerContextNameWildcard,
+ mteTriggerFrequency,
+ mteTriggerObjectsOwner,
+ mteTriggerObjects,
+ mteTriggerEnabled,
+ mteTriggerEntryStatus,
+ mteTriggerDeltaDiscontinuityID,
+ mteTriggerDeltaDiscontinuityIDWildcard,
+ mteTriggerDeltaDiscontinuityIDType,
+ mteTriggerExistenceTest,
+ mteTriggerExistenceStartup,
+ mteTriggerExistenceObjectsOwner,
+ mteTriggerExistenceObjects,
+ mteTriggerExistenceEventOwner,
+ mteTriggerExistenceEvent,
+ mteTriggerBooleanComparison,
+ mteTriggerBooleanValue,
+ mteTriggerBooleanStartup,
+ mteTriggerBooleanObjectsOwner,
+ mteTriggerBooleanObjects,
+ mteTriggerBooleanEventOwner,
+ mteTriggerBooleanEvent,
+ mteTriggerThresholdStartup,
+ mteTriggerThresholdObjectsOwner,
+ mteTriggerThresholdObjects,
+ mteTriggerThresholdRising,
+ mteTriggerThresholdFalling,
+ mteTriggerThresholdDeltaRising,
+ mteTriggerThresholdDeltaFalling,
+ mteTriggerThresholdRisingEventOwner,
+ mteTriggerThresholdRisingEvent,
+ mteTriggerThresholdFallingEventOwner,
+ mteTriggerThresholdFallingEvent,
+ mteTriggerThresholdDeltaRisingEventOwner,
+ mteTriggerThresholdDeltaRisingEvent,
+ mteTriggerThresholdDeltaFallingEventOwner,
+ mteTriggerThresholdDeltaFallingEvent
+ }
+ STATUS current
+ DESCRIPTION
+ "Event triggers."
+ ::= { dismanEventMIBGroups 2 }
+
+dismanEventObjectsGroup OBJECT-GROUP
+ OBJECTS {
+ mteObjectsID,
+ mteObjectsIDWildcard,
+ mteObjectsEntryStatus
+ }
+ STATUS current
+ DESCRIPTION
+ "Supplemental objects."
+ ::= { dismanEventMIBGroups 3 }
+
+dismanEventEventGroup OBJECT-GROUP
+ OBJECTS {
+ mteEventFailures,
+ mteEventComment,
+ mteEventActions,
+ mteEventEnabled,
+ mteEventEntryStatus,
+ mteEventNotification,
+ mteEventNotificationObjectsOwner,
+ mteEventNotificationObjects,
+ mteEventSetObject,
+ mteEventSetObjectWildcard,
+ mteEventSetValue,
+ mteEventSetTargetTag,
+ mteEventSetContextName,
+ mteEventSetContextNameWildcard
+ }
+ STATUS current
+ DESCRIPTION
+ "Events."
+ ::= { dismanEventMIBGroups 4 }
+
+dismanEventNotificationObjectGroup OBJECT-GROUP
+ OBJECTS {
+ mteHotTrigger,
+ mteHotTargetName,
+ mteHotContextName,
+ mteHotOID,
+ mteHotValue,
+ mteFailedReason
+ }
+ STATUS current
+ DESCRIPTION
+ "Notification objects."
+ ::= { dismanEventMIBGroups 5 }
+
+dismanEventNotificationGroup NOTIFICATION-GROUP
+ NOTIFICATIONS {
+ mteTriggerFired,
+ mteTriggerRising,
+ mteTriggerFalling,
+ mteTriggerFailure,
+ mteEventSetFailure
+ }
+ STATUS current
+ DESCRIPTION
+ "Notifications."
+ ::= { dismanEventMIBGroups 6 }
+
+END
diff --git a/mibs/DISMAN-EXPRESSION-MIB.txt b/mibs/DISMAN-EXPRESSION-MIB.txt
new file mode 100644
index 000000000..f73e5bf5d
--- /dev/null
+++ b/mibs/DISMAN-EXPRESSION-MIB.txt
@@ -0,0 +1,1182 @@
+DISMAN-EXPRESSION-MIB DEFINITIONS ::= BEGIN
+
+IMPORTS
+ MODULE-IDENTITY, OBJECT-TYPE,
+ Integer32, Gauge32, Unsigned32,
+ Counter32, Counter64, IpAddress,
+ TimeTicks, mib-2, zeroDotZero FROM SNMPv2-SMI
+ RowStatus, TruthValue, TimeStamp FROM SNMPv2-TC
+ sysUpTime FROM SNMPv2-MIB
+ SnmpAdminString FROM SNMP-FRAMEWORK-MIB
+ MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF;
+
+dismanExpressionMIB MODULE-IDENTITY
+ LAST-UPDATED "200010160000Z" -- 16 October 2000
+ ORGANIZATION "IETF Distributed Management Working Group"
+ CONTACT-INFO "Ramanathan Kavasseri
+ Cisco Systems, Inc.
+ 170 West Tasman Drive,
+ San Jose CA 95134-1706.
+ Phone: +1 408 527 2446
+ Email: ramk@cisco.com"
+ DESCRIPTION
+ "The MIB module for defining expressions of MIB objects for
+ management purposes."
+-- Revision History
+
+ REVISION "200010160000Z" -- 16 October 2000
+ DESCRIPTION "This is the initial version of this MIB.
+ Published as RFC 2982"
+ ::= { mib-2 90 }
+
+dismanExpressionMIBObjects OBJECT IDENTIFIER ::=
+ { dismanExpressionMIB 1 }
+
+expResource OBJECT IDENTIFIER ::= { dismanExpressionMIBObjects 1 }
+expDefine OBJECT IDENTIFIER ::= { dismanExpressionMIBObjects 2 }
+expValue OBJECT IDENTIFIER ::= { dismanExpressionMIBObjects 3 }
+
+--
+-- Resource Control
+--
+
+expResourceDeltaMinimum OBJECT-TYPE
+ SYNTAX Integer32 (-1 | 1..600)
+ UNITS "seconds"
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "The minimum expExpressionDeltaInterval this system will
+ accept. A system may use the larger values of this minimum to
+ lessen the impact of constantly computing deltas. For larger
+ delta sampling intervals the system samples less often and
+ suffers less overhead. This object provides a way to enforce
+ such lower overhead for all expressions created after it is
+ set.
+
+ The value -1 indicates that expResourceDeltaMinimum is
+ irrelevant as the system will not accept 'deltaValue' as a
+ value for expObjectSampleType.
+
+ Unless explicitly resource limited, a system's value for
+ this object should be 1, allowing as small as a 1 second
+ interval for ongoing delta sampling.
+
+ Changing this value will not invalidate an existing setting
+ of expObjectSampleType."
+ ::= { expResource 1 }
+
+expResourceDeltaWildcardInstanceMaximum OBJECT-TYPE
+ SYNTAX Unsigned32
+ UNITS "instances"
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "For every instance of a deltaValue object, one dynamic instance
+ entry is needed for holding the instance value from the previous
+ sample, i.e. to maintain state.
+
+ This object limits maximum number of dynamic instance entries
+ this system will support for wildcarded delta objects in
+ expressions. For a given delta expression, the number of
+ dynamic instances is the number of values that meet all criteria
+ to exist times the number of delta values in the expression.
+
+ A value of 0 indicates no preset limit, that is, the limit
+ is dynamic based on system operation and resources.
+
+ Unless explicitly resource limited, a system's value for
+ this object should be 0.
+
+ Changing this value will not eliminate or inhibit existing delta
+ wildcard instance objects but will prevent the creation of more
+ such objects.
+
+ An attempt to allocate beyond the limit results in expErrorCode
+ being tooManyWildcardValues for that evaluation attempt."
+ ::= { expResource 2 }
+
+expResourceDeltaWildcardInstances OBJECT-TYPE
+ SYNTAX Gauge32
+ UNITS "instances"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of currently active instance entries as
+ defined for expResourceDeltaWildcardInstanceMaximum."
+ ::= { expResource 3 }
+
+expResourceDeltaWildcardInstancesHigh OBJECT-TYPE
+ SYNTAX Gauge32
+ UNITS "instances"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The highest value of expResourceDeltaWildcardInstances
+ that has occurred since initialization of the managed
+ system."
+ ::= { expResource 4 }
+
+expResourceDeltaWildcardInstanceResourceLacks OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "instances"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of times this system could not evaluate an
+ expression because that would have created a value instance in
+ excess of expResourceDeltaWildcardInstanceMaximum."
+ ::= { expResource 5 }
+
+--
+
+-- Definition
+--
+-- Expression Definition Table
+--
+
+expExpressionTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF ExpExpressionEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table of expression definitions."
+ ::= { expDefine 1 }
+
+expExpressionEntry OBJECT-TYPE
+ SYNTAX ExpExpressionEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Information about a single expression. New expressions
+ can be created using expExpressionRowStatus.
+
+ To create an expression first create the named entry in this
+ table. Then use expExpressionName to populate expObjectTable.
+ For expression evaluation to succeed all related entries in
+ expExpressionTable and expObjectTable must be 'active'. If
+ these conditions are not met the corresponding values in
+ expValue simply are not instantiated.
+
+ Deleting an entry deletes all related entries in expObjectTable
+ and expErrorTable.
+
+ Because of the relationships among the multiple tables for an
+ expression (expExpressionTable, expObjectTable, and
+ expValueTable) and the SNMP rules for independence in setting
+ object values, it is necessary to do final error checking when
+ an expression is evaluated, that is, when one of its instances
+ in expValueTable is read or a delta interval expires. Earlier
+ checking need not be done and an implementation may not impose
+ any ordering on the creation of objects related to an
+ expression.
+
+ To maintain security of MIB information, when creating a new row in
+ this table, the managed system must record the security credentials
+ of the requester.
These security credentials are the parameters
+ necessary as inputs to isAccessAllowed from the Architecture for
+
+ Describing SNMP Management Frameworks. When obtaining the objects
+ that make up the expression, the system must (conceptually) use
+ isAccessAllowed to ensure that it does not violate security.
+
+ The evaluation of the expression takes place under the
+ security credentials of the creator of its expExpressionEntry.
+
+ Values of read-write objects in this table may be changed
+
+ at any time."
+ INDEX { expExpressionOwner, expExpressionName }
+ ::= { expExpressionTable 1 }
+
+ExpExpressionEntry ::= SEQUENCE {
+ expExpressionOwner SnmpAdminString,
+ expExpressionName SnmpAdminString,
+ expExpression OCTET STRING,
+ expExpressionValueType INTEGER,
+ expExpressionComment SnmpAdminString,
+ expExpressionDeltaInterval Integer32,
+ expExpressionPrefix OBJECT IDENTIFIER,
+ expExpressionErrors Counter32,
+ expExpressionEntryStatus RowStatus
+}
+
+expExpressionOwner OBJECT-TYPE
+ SYNTAX SnmpAdminString (SIZE(0..32))
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The owner of this entry. The exact semantics of this
+ string are subject to the security policy defined by the
+ security administrator."
+ ::= { expExpressionEntry 1 }
+
+expExpressionName OBJECT-TYPE
+ SYNTAX SnmpAdminString (SIZE (1..32))
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The name of the expression. This is locally unique, within
+ the scope of an expExpressionOwner."
+ ::= { expExpressionEntry 2 }
+
+expExpression OBJECT-TYPE
+ SYNTAX OCTET STRING (SIZE (1..1024))
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The expression to be evaluated. This object is the same
+ as a DisplayString (RFC 1903) except for its maximum length.
+
+ Except for the variable names the expression is in ANSI C
+ syntax. Only the subset of ANSI C operators and functions
+ listed here is allowed.
+ + Variables are expressed as a dollar sign ('$') and an + + integer that corresponds to an expObjectIndex. An + example of a valid expression is: + + ($1-$5)*100 + + Expressions must not be recursive, that is although an expression + may use the results of another expression, it must not contain + any variable that is directly or indirectly a result of its own + evaluation. The managed system must check for recursive + expressions. + + The only allowed operators are: + + ( ) + - (unary) + + - * / % + & | ^ << >> ~ + ! && || == != > >= < <= + + Note the parentheses are included for parenthesizing the + expression, not for casting data types. + + The only constant types defined are: + + int (32-bit signed) + long (64-bit signed) + unsigned int + unsigned long + hexadecimal + character + string + oid + + The default type for a positive integer is int unless it is too + large in which case it is long. + + All but oid are as defined for ANSI C. Note that a + hexadecimal constant may end up as a scalar or an array of + 8-bit integers. A string constant is enclosed in double + quotes and may contain back-slashed individual characters + as in ANSI C. + + An oid constant comprises 32-bit, unsigned integers and at + least one period, for example: + + 0. + .0 + 1.3.6.1 + + No additional leading or trailing subidentifiers are automatically + added to an OID constant. The constant is taken as expressed. + + Integer-typed objects are treated as 32- or 64-bit, signed + or unsigned integers, as appropriate. The results of + mixing them are as for ANSI C, including the type of the + result. Note that a 32-bit value is thus promoted to 64 bits + only in an operation with a 64-bit value. There is no + provision for larger values to handle overflow. + + Relative to SNMP data types, a resulting value becomes + unsigned when calculating it uses any unsigned value, + including a counter. 
To force the final value to be of + data type counter the expression must explicitly use the + counter32() or counter64() function (defined below). + + OCTET STRINGS and OBJECT IDENTIFIERs are treated as + one-dimensioned arrays of unsigned 8-bit integers and + unsigned 32-bit integers, respectively. + + IpAddresses are treated as 32-bit, unsigned integers in + network byte order, that is, the hex version of 255.0.0.0 is + 0xff000000. + + Conditional expressions result in a 32-bit, unsigned integer + of value 0 for false or 1 for true. When an arbitrary value + is used as a boolean 0 is false and non-zero is true. + + Rules for the resulting data type from an operation, based on + the operator: + + For << and >> the result is the same as the left hand operand. + + For &&, ||, ==, !=, <, <=, >, and >= the result is always + Unsigned32. + + For unary - the result is always Integer32. + + For +, -, *, /, %, &, |, and ^ the result is promoted according + to the following rules, in order from most to least preferred: + + If left hand and right hand operands are the same type, + use that. + + If either side is Counter64, use that. + + If either side is IpAddress, use that. + + If either side is TimeTicks, use that. + + If either side is Counter32, use that. + + Otherwise use Unsigned32. + + The following rules say what operators apply with what data + types. Any combination not explicitly defined does not work. + + For all operators any of the following can be the left hand or + right hand operand: Integer32, Counter32, Unsigned32, Counter64. + + The operators +, -, *, /, %, <, <=, >, and >= work with + TimeTicks. + + The operators &, |, and ^ work with IpAddress. + + The operators << and >> work with IpAddress but only as the + left hand operand. + + The + operator performs a concatenation of two OCTET STRINGs or + two OBJECT IDENTIFIERs. + + The operators &, | perform bitwise operations on OCTET STRINGs. 
+ If the OCTET STRING happens to be a DisplayString the results + may be meaningless, but the agent system does not check this as + some such systems do not have this information. + + The operators << and >> perform bitwise operations on OCTET + STRINGs appearing as the left hand operand. + + The only functions defined are: + + counter32 + counter64 + arraySection + stringBegins + stringEnds + stringContains + oidBegins + oidEnds + oidContains + average + maximum + minimum + sum + exists + + The following function definitions indicate their parameters by + naming the data type of the parameter in the parameter's position + in the parameter list. The parameter must be of the type indicated + and generally may be a constant, a MIB object, a function, or an + expression. + + counter32(integer) - wrapped around an integer value counter32 + forces Counter32 as a data type. + + counter64(integer) - similar to counter32 except that the + resulting data type is 'counter64'. + + arraySection(array, integer, integer) - selects a piece of an + array (i.e. part of an OCTET STRING or OBJECT IDENTIFIER). The + integer arguments are in the range 0 to 4,294,967,295. The + first is an initial array index (one-dimensioned) and the second + is an ending array index. A value of 0 indicates first or last + element, respectively. If the first element is larger than the + array length the result is 0 length. If the second integer is + less than or equal to the first, the result is 0 length. If the + second is larger than the array length it indicates last + element. + + stringBegins/Ends/Contains(octetString, octetString) - looks for + the second string (which can be a string constant) in the first + and returns the one-dimensioned arrayindex where the match began. + A return value of 0 indicates no match (i.e. boolean false). 
+
+ oidBegins/Ends/Contains(oid, oid) - looks for the second OID
+ (which can be an OID constant) in the first and returns the
+ the one-dimensioned index where the match began. A return value
+ of 0 indicates no match (i.e. boolean false).
+
+ average/maximum/minimum(integer) - calculates the average,
+ minimum, or maximum value of the integer valued object over
+ multiple sample times. If the object disappears for any
+ sample period, the accumulation and the resulting value object
+ cease to exist until the object reappears at which point the
+ calculation starts over.
+
+ sum(integerObject*) - sums all available values of the
+ wildcarded integer object, resulting in an integer scalar. Must
+ be used with caution as it wraps on overflow with no
+ notification.
+
+ exists(anyTypeObject) - verifies the object instance exists. A
+ return value of 0 indicates NoSuchInstance (i.e. boolean
+ false)."
+ ::= { expExpressionEntry 3 }
+
+expExpressionValueType OBJECT-TYPE
+ SYNTAX INTEGER { counter32(1), unsigned32(2), timeTicks(3),
+ integer32(4), ipAddress(5), octetString(6),
+ objectId(7), counter64(8) }
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The type of the expression value. One and only one of the
+ value objects in expValueTable will be instantiated to match
+ this type.
+
+ If the result of the expression can not be made into this type,
+ an invalidOperandType error will occur."
+ DEFVAL { counter32 }
+ ::= { expExpressionEntry 4 }
+
+expExpressionComment OBJECT-TYPE
+ SYNTAX SnmpAdminString
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "A comment to explain the use or meaning of the expression."
+ DEFVAL { ''H }
+ ::= { expExpressionEntry 5 }
+
+expExpressionDeltaInterval OBJECT-TYPE
+ SYNTAX Integer32 (0..86400)
+ UNITS "seconds"
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "Sampling interval for objects in this expression with
+ expObjectSampleType 'deltaValue'.
+
+ This object has no effect if the the expression has no
+ deltaValue objects.
+
+ A value of 0 indicates no automated sampling. In this case
+ the delta is the difference from the last time the expression
+ was evaluated. Note that this is subject to unpredictable
+ delta times in the face of retries or multiple managers.
+
+ A value greater than zero is the number of seconds between
+ automated samples.
+
+ Until the delta interval has expired once the delta for the
+
+ object is effectively not instantiated and evaluating
+ the expression has results as if the object itself were not
+ instantiated.
+
+ Note that delta values potentially consume large amounts of
+ system CPU and memory. Delta state and processing must
+ continue constantly even if the expression is not being used.
+ That is, the expression is being evaluated every delta interval,
+ even if no application is reading those values. For wildcarded
+ objects this can be substantial overhead.
+
+ Note that delta intervals, external expression value sampling
+ intervals and delta intervals for expressions within other
+ expressions can have unusual interactions as they are impossible
+ to synchronize accurately. In general one interval embedded
+ below another must be enough shorter that the higher sample
+ sees relatively smooth, predictable behavior. So, for example,
+ to avoid the higher level getting the same sample twice, the
+ lower level should sample at least twice as fast as the higher
+ level does."
+ DEFVAL { 0 }
+ ::= { expExpressionEntry 6 }
+
+expExpressionPrefix OBJECT-TYPE
+ SYNTAX OBJECT IDENTIFIER
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "An object prefix to assist an application in determining
+ the instance indexing to use in expValueTable, relieving the
+ application of the need to scan the expObjectTable to
+ determine such a prefix.
+
+ See expObjectTable for information on wildcarded objects.
+
+ If the expValueInstance portion of the value OID may
+ be treated as a scalar (that is, normally, 0) the value of
+ expExpressionPrefix is zero length, that is, no OID at all.
+ Note that zero length implies a null OID, not the OID 0.0.
+
+ Otherwise, the value of expExpressionPrefix is the expObjectID
+ value of any one of the wildcarded objects for the expression.
+ This is sufficient, as the remainder, that is, the instance
+ fragment relevant to instancing the values, must be the same for
+ all wildcarded objects in the expression."
+ ::= { expExpressionEntry 7 }
+
+expExpressionErrors OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of errors encountered while evaluating this
+ expression.
+
+ Note that an object in the expression not being accessible,
+ is not considered an error. An example of an inaccessible
+ object is when the object is excluded from the view of the
+ user whose security credentials are used in the expression
+ evaluation. In such cases, it is a legitimate condition
+ that causes the corresponding expression value not to be
+ instantiated."
+ ::= { expExpressionEntry 8 }
+
+expExpressionEntryStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The control that allows creation and deletion of entries."
+ ::= { expExpressionEntry 9 }
+
+--
+-- Expression Error Table
+--
+
+expErrorTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF ExpErrorEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table of expression errors."
+ ::= { expDefine 2 }
+
+expErrorEntry OBJECT-TYPE
+ SYNTAX ExpErrorEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Information about errors in processing an expression.
+
+ Entries appear in this table only when there is a matching
+ expExpressionEntry and then only when there has been an
+ error for that expression as reflected by the error codes
+ defined for expErrorCode."
+ INDEX { expExpressionOwner, expExpressionName }
+ ::= { expErrorTable 1 }
+
+ExpErrorEntry ::= SEQUENCE {
+ expErrorTime TimeStamp,
+ expErrorIndex Integer32,
+ expErrorCode INTEGER,
+ expErrorInstance OBJECT IDENTIFIER
+}
+
+expErrorTime OBJECT-TYPE
+ SYNTAX TimeStamp
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of sysUpTime the last time an error caused a
+ failure to evaluate this expression."
+ ::= { expErrorEntry 1 }
+
+expErrorIndex OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The one-dimensioned character array index into
+ expExpression for where the error occurred. The value
+ zero indicates irrelevance."
+ ::= { expErrorEntry 2 }
+
+expErrorCode OBJECT-TYPE
+ SYNTAX INTEGER {
+ invalidSyntax(1),
+ undefinedObjectIndex(2),
+ unrecognizedOperator(3),
+ unrecognizedFunction(4),
+ invalidOperandType(5),
+ unmatchedParenthesis(6),
+ tooManyWildcardValues(7),
+ recursion(8),
+ deltaTooShort(9),
+ resourceUnavailable(10),
+ divideByZero(11)
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The error that occurred. In the following explanations the
+ expected timing of the error is in parentheses. 'S' means
+ the error occurs on a Set request. 'E' means the error
+
+ occurs on the attempt to evaluate the expression either due to
+ Get from expValueTable or in ongoing delta processing.
+
+ invalidSyntax the value sent for expExpression is not
+ valid Expression MIB expression syntax
+ (S)
+ undefinedObjectIndex an object reference ($n) in
+ expExpression does not have a matching
+ instance in expObjectTable (E)
+ unrecognizedOperator the value sent for expExpression held an
+ unrecognized operator (S)
+ unrecognizedFunction the value sent for expExpression held an
+ unrecognized function name (S)
+ invalidOperandType an operand in expExpression is not the
+ right type for the associated operator
+ or result (SE)
+ unmatchedParenthesis the value sent for expExpression is not
+ correctly parenthesized (S)
+ tooManyWildcardValues evaluating the expression exceeded the
+ limit set by
+ expResourceDeltaWildcardInstanceMaximum
+ (E)
+ recursion through some chain of embedded
+ expressions the expression invokes itself
+ (E)
+ deltaTooShort the delta for the next evaluation passed
+ before the system could evaluate the
+ present sample (E)
+ resourceUnavailable some resource, typically dynamic memory,
+ was unavailable (SE)
+ divideByZero an attempt to divide by zero occurred
+ (E)
+
+ For the errors that occur when the attempt is made to set
+ expExpression Set request fails with the SNMP error code
+ 'wrongValue'. Such failures refer to the most recent failure to
+ Set expExpression, not to the present value of expExpression
+ which must be either unset or syntactically correct.
+
+ Errors that occur during evaluation for a Get* operation return
+ the SNMP error code 'genErr' except for 'tooManyWildcardValues'
+ and 'resourceUnavailable' which return the SNMP error code
+ 'resourceUnavailable'."
+ ::= { expErrorEntry 3 }
+
+expErrorInstance OBJECT-TYPE
+ SYNTAX OBJECT IDENTIFIER
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The expValueInstance being evaluated when the error
+ occurred. A zero-length indicates irrelevance."
+ ::= { expErrorEntry 4 }
+
+--
+-- Object Table
+--
+
+expObjectTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF ExpObjectEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table of object definitions for each expExpression.
+
+ Wildcarding instance IDs:
+
+ It is legal to omit all or part of the instance portion for
+ some or all of the objects in an expression. (See the
+ DESCRIPTION of expObjectID for details. However, note that
+ if more than one object in the same expression is wildcarded
+ in this way, they all must be objects where that portion of
+ the instance is the same. In other words, all objects may be
+ in the same SEQUENCE or in different SEQUENCEs but with the
+ same semantic index value (e.g., a value of ifIndex)
+ for the wildcarded portion."
+ ::= { expDefine 3 }
+
+expObjectEntry OBJECT-TYPE
+ SYNTAX ExpObjectEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Information about an object. An application uses
+ expObjectEntryStatus to create entries in this table while
+ in the process of defining an expression.
+
+ Values of read-create objects in this table may be
+ changed at any time."
+ INDEX { expExpressionOwner, expExpressionName, expObjectIndex }
+ ::= { expObjectTable 1 }
+
+ExpObjectEntry ::= SEQUENCE {
+ expObjectIndex Unsigned32,
+ expObjectID OBJECT IDENTIFIER,
+ expObjectIDWildcard TruthValue,
+ expObjectSampleType INTEGER,
+ expObjectDeltaDiscontinuityID OBJECT IDENTIFIER,
+ expObjectDiscontinuityIDWildcard TruthValue,
+ expObjectDiscontinuityIDType INTEGER,
+ expObjectConditional OBJECT IDENTIFIER,
+ expObjectConditionalWildcard TruthValue,
+ expObjectEntryStatus RowStatus
+}
+
+expObjectIndex OBJECT-TYPE
+ SYNTAX Unsigned32 (1..4294967295)
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Within an expression, a unique, numeric identification for an
+ object. Prefixed with a dollar sign ('$') this is used to
+ reference the object in the corresponding expExpression."
+ ::= { expObjectEntry 1 }
+
+expObjectID OBJECT-TYPE
+ SYNTAX OBJECT IDENTIFIER
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The OBJECT IDENTIFIER (OID) of this object. The OID may be
+ fully qualified, meaning it includes a complete instance
+ identifier part (e.g., ifInOctets.1 or sysUpTime.0), or it
+ may not be fully qualified, meaning it may lack all or part
+ of the instance identifier. If the expObjectID is not fully
+ qualified, then expObjectWildcard must be set to true(1).
+ The value of the expression will be multiple
+ values, as if done for a GetNext sweep of the object.
+
+ An object here may itself be the result of an expression but
+ recursion is not allowed.
+
+ NOTE: The simplest implementations of this MIB may not allow
+ wildcards."
+ ::= { expObjectEntry 2 }
+
+expObjectIDWildcard OBJECT-TYPE
+ SYNTAX TruthValue
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "A true value indicates the expObjecID of this row is a wildcard
+ object. False indicates that expObjectID is fully instanced.
+ If all expObjectWildcard values for a given expression are FALSE,
+ expExpressionPrefix will reflect a scalar object (i.e. will
+ be 0.0).
+
+ NOTE: The simplest implementations of this MIB may not allow
+ wildcards."
+ DEFVAL { false }
+ ::= { expObjectEntry 3 }
+
+expObjectSampleType OBJECT-TYPE
+ SYNTAX INTEGER { absoluteValue(1), deltaValue(2),
+ changedValue(3) }
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The method of sampling the selected variable.
+
+ An 'absoluteValue' is simply the present value of the object.
+
+ A 'deltaValue' is the present value minus the previous value,
+ which was sampled expExpressionDeltaInterval seconds ago.
+ This is intended primarily for use with SNMP counters, which are
+ meaningless as an 'absoluteValue', but may be used with any
+ integer-based value.
+
+ A 'changedValue' is a boolean for whether the present value is
+ different from the previous value. It is applicable to any data
+ type and results in an Unsigned32 with value 1 if the object's
+ value is changed and 0 if not. In all other respects it is as a
+ 'deltaValue' and all statements and operation regarding delta
+ values apply to changed values.
+
+ When an expression contains both delta and absolute values
+ the absolute values are obtained at the end of the delta
+ period."
+ DEFVAL { absoluteValue }
+ ::= { expObjectEntry 4 }
+
+sysUpTimeInstance OBJECT IDENTIFIER ::= { sysUpTime 0 }
+
+expObjectDeltaDiscontinuityID OBJECT-TYPE
+ SYNTAX OBJECT IDENTIFIER
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The OBJECT IDENTIFIER (OID) of a TimeTicks, TimeStamp, or
+ DateAndTime object that indicates a discontinuity in the value
+ at expObjectID.
+
+ This object is instantiated only if expObjectSampleType is
+ 'deltaValue' or 'changedValue'.
+
+ The OID may be for a leaf object (e.g. sysUpTime.0) or may
+ be wildcarded to match expObjectID.
+
+ This object supports normal checking for a discontinuity in a
+ counter. Note that if this object does not point to sysUpTime
+ discontinuity checking must still check sysUpTime for an overall
+ discontinuity.
+
+ If the object identified is not accessible no discontinuity
+ check will be made."
+ DEFVAL { sysUpTimeInstance }
+ ::= { expObjectEntry 5 }
+
+expObjectDiscontinuityIDWildcard OBJECT-TYPE
+ SYNTAX TruthValue
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "A true value indicates the expObjectDeltaDiscontinuityID of
+ this row is a wildcard object. False indicates that
+ expObjectDeltaDiscontinuityID is fully instanced.
+
+ This object is instantiated only if expObjectSampleType is
+ 'deltaValue' or 'changedValue'.
+
+ NOTE: The simplest implementations of this MIB may not allow
+ wildcards."
+ DEFVAL { false }
+ ::= { expObjectEntry 6 }
+
+expObjectDiscontinuityIDType OBJECT-TYPE
+ SYNTAX INTEGER { timeTicks(1), timeStamp(2), dateAndTime(3) }
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The value 'timeTicks' indicates the expObjectDeltaDiscontinuityID
+ of this row is of syntax TimeTicks. The value 'timeStamp' indicates
+ syntax TimeStamp. The value 'dateAndTime indicates syntax
+ DateAndTime.
+
+ This object is instantiated only if expObjectSampleType is
+ 'deltaValue' or 'changedValue'."
+ DEFVAL { timeTicks }
+ ::= { expObjectEntry 7 }
+
+expObjectConditional OBJECT-TYPE
+ SYNTAX OBJECT IDENTIFIER
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The OBJECT IDENTIFIER (OID) of an object that overrides
+ whether the instance of expObjectID is to be considered
+ usable. If the value of the object at expObjectConditional
+ is 0 or not instantiated, the object at expObjectID is
+ treated as if it is not instantiated. In other words,
+ expObjectConditional is a filter that controls whether or
+ not to use the value at expObjectID.
+
+ The OID may be for a leaf object (e.g. sysObjectID.0) or may be
+ wildcarded to match expObjectID. If expObject is wildcarded and
+ expObjectID in the same row is not, the wild portion of
+ expObjectConditional must match the wildcarding of the rest of
+ the expression. If no object in the expression is wildcarded
+ but expObjectConditional is, use the lexically first instance
+ (if any) of expObjectConditional.
+
+ If the value of expObjectConditional is 0.0 operation is
+ as if the value pointed to by expObjectConditional is a
+ non-zero (true) value.
+
+ Note that expObjectConditional can not trivially use an object
+ of syntax TruthValue, since the underlying value is not 0 or 1."
+ DEFVAL { zeroDotZero }
+ ::= { expObjectEntry 8 }
+
+ expObjectConditionalWildcard OBJECT-TYPE
+ SYNTAX TruthValue
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "A true value indicates the expObjectConditional of this row is
+ a wildcard object. False indicates that expObjectConditional is
+ fully instanced.
+
+ NOTE: The simplest implementations of this MIB may not allow
+ wildcards."
+ DEFVAL { false }
+ ::= { expObjectEntry 9 }
+
+expObjectEntryStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The control that allows creation/deletion of entries.
+
+ Objects in this table may be changed while
+ expObjectEntryStatus is in any state."
+ ::= { expObjectEntry 10 }
+
+--
+-- Expression Value Table
+--
+
+expValueTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF ExpValueEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table of values from evaluated expressions."
+ ::= { expValue 1 }
+
+expValueEntry OBJECT-TYPE
+ SYNTAX ExpValueEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A single value from an evaluated expression. For a given
+ instance, only one 'Val' object in the conceptual row will be
+ instantiated, that is, the one with the appropriate type for
+ the value. For values that contain no objects of
+ expObjectSampleType 'deltaValue' or 'changedValue', reading a
+ value from the table causes the evaluation of the expression
+ for that value. For those that contain a 'deltaValue' or
+ 'changedValue' the value read is as of the last sampling
+ interval.
+
+ If in the attempt to evaluate the expression one or more
+ of the necessary objects is not available, the corresponding
+ entry in this table is effectively not instantiated.
+
+ To maintain security of MIB information, when creating a new
+ row in this table, the managed system must record the security
+ credentials of the requester. These security credentials are
+ the parameters necessary as inputs to isAccessAllowed from
+ [RFC2571]. When obtaining the objects that make up the
+ expression, the system must (conceptually) use isAccessAllowed to
+ ensure that it does not violate security.
+
+ The evaluation of that expression takes place under the
+
+ security credentials of the creator of its expExpressionEntry.
+
+ To maintain security of MIB information, expression evaluation must
+ take place using security credentials for the implied Gets of the
+ objects in the expression as inputs (conceptually) to
+ isAccessAllowed from the Architecture for Describing SNMP
+ Management Frameworks. These are the security credentials of the
+ creator of the corresponding expExpressionEntry."
+ INDEX { expExpressionOwner, expExpressionName,
+ IMPLIED expValueInstance }
+ ::= { expValueTable 1 }
+
+ExpValueEntry ::= SEQUENCE {
+ expValueInstance OBJECT IDENTIFIER,
+ expValueCounter32Val Counter32,
+ expValueUnsigned32Val Unsigned32,
+ expValueTimeTicksVal TimeTicks,
+ expValueInteger32Val Integer32,
+ expValueIpAddressVal IpAddress,
+ expValueOctetStringVal OCTET STRING,
+ expValueOidVal OBJECT IDENTIFIER,
+ expValueCounter64Val Counter64
+}
+
+expValueInstance OBJECT-TYPE
+ SYNTAX OBJECT IDENTIFIER
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The final instance portion of a value's OID according to
+ the wildcarding in instances of expObjectID for the
+ expression. The prefix of this OID fragment is 0.0,
+ leading to the following behavior.
+
+ If there is no wildcarding, the value is 0.0.0. In other
+ words, there is one value which standing alone would have
+ been a scalar with a 0 at the end of its OID.
+
+ If there is wildcarding, the value is 0.0 followed by
+ a value that the wildcard can take, thus defining one value
+ instance for each real, possible value of the wildcard.
+ So, for example, if the wildcard worked out to be an ifIndex,
+ there is an expValueInstance for each applicable ifIndex."
+ ::= { expValueEntry 1 }
+
+expValueCounter32Val OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value when expExpressionValueType is 'counter32'."
+ ::= { expValueEntry 2 }
+
+expValueUnsigned32Val OBJECT-TYPE
+ SYNTAX Unsigned32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value when expExpressionValueType is 'unsigned32'."
+ ::= { expValueEntry 3 }
+
+expValueTimeTicksVal OBJECT-TYPE
+ SYNTAX TimeTicks
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value when expExpressionValueType is 'timeTicks'."
+ ::= { expValueEntry 4 }
+
+expValueInteger32Val OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value when expExpressionValueType is 'integer32'."
+ ::= { expValueEntry 5 }
+
+expValueIpAddressVal OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value when expExpressionValueType is 'ipAddress'."
+ ::= { expValueEntry 6 }
+
+expValueOctetStringVal OBJECT-TYPE
+ SYNTAX OCTET STRING (SIZE (0..65536))
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value when expExpressionValueType is 'octetString'."
+ ::= { expValueEntry 7 }
+
+expValueOidVal OBJECT-TYPE
+ SYNTAX OBJECT IDENTIFIER
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value when expExpressionValueType is 'objectId'."
+ ::= { expValueEntry 8 }
+
+expValueCounter64Val OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value when expExpressionValueType is 'counter64'."
+ ::= { expValueEntry 9 }
+
+--
+-- Conformance
+--
+
+dismanExpressionMIBConformance OBJECT IDENTIFIER ::=
+ { dismanExpressionMIB 3 }
+dismanExpressionMIBCompliances OBJECT IDENTIFIER ::=
+ { dismanExpressionMIBConformance 1 }
+dismanExpressionMIBGroups OBJECT IDENTIFIER ::=
+ { dismanExpressionMIBConformance 2 }
+
+-- Compliance
+
+dismanExpressionMIBCompliance MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "The compliance statement for entities which implement
+ the Expression MIB."
+ MODULE -- this module
+ MANDATORY-GROUPS {
+ dismanExpressionResourceGroup,
+ dismanExpressionDefinitionGroup,
+ dismanExpressionValueGroup
+ }
+
+ OBJECT expResourceDeltaMinimum
+ SYNTAX Integer32 (-1 | 60..600)
+ DESCRIPTION
+ "Implementation need not allow deltas or it may
+ implement them and restrict them to higher values."
+
+ OBJECT expObjectSampleType
+ WRITE-SYNTAX INTEGER { absoluteValue(1) }
+ DESCRIPTION
+ "Implementation may disallow deltas calculation or
+
+ change detection."
+
+ OBJECT expObjectIDWildcard
+ WRITE-SYNTAX INTEGER { false(2) }
+ DESCRIPTION
+ "Implementation may allow wildcards."
+
+ OBJECT expObjectDiscontinuityIDWildcard
+ WRITE-SYNTAX INTEGER { false(2) }
+ DESCRIPTION
+ "Implementation need not allow wildcards."
+
+ OBJECT expObjectConditionalWildcard
+ WRITE-SYNTAX INTEGER { false(2) }
+ DESCRIPTION
+ "Implementation need not allow deltas wildcards."
+ ::= { dismanExpressionMIBCompliances 1 }
+
+-- Units of Conformance
+
+dismanExpressionResourceGroup OBJECT-GROUP
+ OBJECTS {
+ expResourceDeltaMinimum,
+ expResourceDeltaWildcardInstanceMaximum,
+ expResourceDeltaWildcardInstances,
+ expResourceDeltaWildcardInstancesHigh,
+ expResourceDeltaWildcardInstanceResourceLacks
+ }
+ STATUS current
+ DESCRIPTION
+ "Expression definition resource management."
+ ::= { dismanExpressionMIBGroups 1 }
+
+dismanExpressionDefinitionGroup OBJECT-GROUP
+ OBJECTS {
+ expExpression,
+ expExpressionValueType,
+ expExpressionComment,
+ expExpressionDeltaInterval,
+ expExpressionPrefix,
+ expExpressionErrors,
+ expExpressionEntryStatus,
+ expErrorTime,
+ expErrorIndex,
+ expErrorCode,
+ expErrorInstance,
+ expObjectID,
+ expObjectIDWildcard,
+ expObjectSampleType,
+ expObjectDeltaDiscontinuityID,
+ expObjectDiscontinuityIDWildcard,
+ expObjectDiscontinuityIDType,
+ expObjectConditional,
+ expObjectConditionalWildcard,
+ expObjectEntryStatus
+ }
+ STATUS current
+ DESCRIPTION
+ "Expression definition."
+ ::= { dismanExpressionMIBGroups 2 }
+
+dismanExpressionValueGroup OBJECT-GROUP
+ OBJECTS {
+ expValueCounter32Val,
+ expValueUnsigned32Val,
+ expValueTimeTicksVal,
+ expValueInteger32Val,
+ expValueIpAddressVal,
+ expValueOctetStringVal,
+ expValueOidVal,
+ expValueCounter64Val
+ }
+ STATUS current
+ DESCRIPTION
+ "Expression value."
+ ::= { dismanExpressionMIBGroups 3 }
+
+END
diff --git a/mibs/DISMAN-NSLOOKUP-MIB.txt b/mibs/DISMAN-NSLOOKUP-MIB.txt
new file mode 100644
index 000000000..b12ca53dd
--- /dev/null
+++ b/mibs/DISMAN-NSLOOKUP-MIB.txt
@@ -0,0 +1,509 @@
+DISMAN-NSLOOKUP-MIB DEFINITIONS ::= BEGIN
+
+IMPORTS
+ MODULE-IDENTITY, OBJECT-TYPE,
+ Unsigned32, mib-2, Integer32
+ FROM SNMPv2-SMI -- RFC2578
+ RowStatus
+ FROM SNMPv2-TC -- RFC2579
+ MODULE-COMPLIANCE, OBJECT-GROUP
+ FROM SNMPv2-CONF -- RFC2580
+ SnmpAdminString
+ FROM SNMP-FRAMEWORK-MIB -- RFC3411
+ InetAddressType, InetAddress
+ FROM INET-ADDRESS-MIB; -- RFC4001
+
+ lookupMIB MODULE-IDENTITY
+ LAST-UPDATED "200606130000Z" -- 13 June 2006
+ ORGANIZATION "IETF Distributed Management Working Group"
+ CONTACT-INFO
+ "Juergen Quittek
+
+ NEC Europe Ltd.
+ Network Laboratories
+ Kurfuersten-Anlage 36
+ 69115 Heidelberg
+ Germany
+
+ Phone: +49 6221 4342-115
+ Email: quittek@netlab.nec.de"
+ DESCRIPTION
+ "The Lookup MIB (DISMAN-NSLOOKUP-MIB) enables determination
+ of either the name(s) corresponding to a host address or of
+ the address(es) associated with a host name at a remote
+ host.
+
+ Copyright (C) The Internet Society (2006). This version of
+ this MIB module is part of RFC 4560; see the RFC itself for
+ full legal notices."
+
+ -- Revision history
+
+ REVISION "200606130000Z" -- 13 June 2006
+ DESCRIPTION
+ "Updated version, published as RFC 4560.
+ - Replaced references to RFC 2575 by RFC 3415
+ - Replaced references to RFC 2571 by RFC 3411
+ - Replaced references to RFC 2851 by RFC 4001
+ - Added value enabled(1) to SYNTAX clause of
+ lookupCtlOperStatus
+ - Added lookupMinimumCompliance
+ - Defined semantics of value 0 for object
+ lookupPurgeTime
+ - Added DEFVAL { unknown } to object
+ lookupCtlTargetAddressType OBJECT-TYPE"
+
+ REVISION "200009210000Z" -- 21 September 2000
+ DESCRIPTION
+ "Initial version, published as RFC 2925."
+ ::= { mib-2 82 }
+
+ -- Top level structure of the MIB
+
+ lookupObjects OBJECT IDENTIFIER ::= { lookupMIB 1 }
+ lookupConformance OBJECT IDENTIFIER ::= { lookupMIB 2 }
+
+ -- Simple Object Definitions
+
+ lookupMaxConcurrentRequests OBJECT-TYPE
+ SYNTAX Unsigned32
+ UNITS "requests"
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "The maximum number of concurrent active lookup requests
+ that are allowed within an agent implementation. A value
+ of 0 for this object implies that there is no limit for
+ the number of concurrent active requests in effect.
+
+ The limit applies only to new requests being activated.
+ When a new value is set, the agent will continue processing
+ all the requests already active, even if their number
+ exceed the limit just imposed."
+ DEFVAL { 10 }
+ ::= { lookupObjects 1 }
+
+ lookupPurgeTime OBJECT-TYPE
+ SYNTAX Unsigned32 (0..86400)
+ UNITS "seconds"
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "The amount of time to wait before automatically
+ deleting an entry in the lookupCtlTable and any
+ dependent lookupResultsTable entries
+ after the lookup operation represented by a
+ lookupCtlEntry has been completed.
+ A lookupCtEntry is considered complete
+ when its lookupCtlOperStatus object has a
+ value of completed(3).
+
+ A value of 0 indicates that automatic deletion
+ of entries is disabled."
+ DEFVAL { 900 } -- 15 minutes as default
+ ::= { lookupObjects 2 }
+
+ -- Lookup Control Table
+
+ lookupCtlTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF LookupCtlEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Defines the Lookup Control Table for providing
+ the capability of performing a lookup operation
+ for a symbolic host name or for a host address
+ from a remote host."
+ ::= { lookupObjects 3 }
+
+ lookupCtlEntry OBJECT-TYPE
+ SYNTAX LookupCtlEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Defines an entry in the lookupCtlTable. A
+ lookupCtlEntry is initially indexed by
+ lookupCtlOwnerIndex, which is a type of SnmpAdminString,
+ a textual convention that allows for the use of the SNMPv3
+ View-Based Access Control Model (RFC 3415, VACM)
+ and that also allows a management application to identify
+ its entries. The second index element,
+ lookupCtlOperationName, enables the same
+ lookupCtlOwnerIndex entity to have multiple outstanding
+ requests. The value of lookupCtlTargetAddressType
+ determines which lookup function to perform."
+ INDEX {
+ lookupCtlOwnerIndex,
+ lookupCtlOperationName
+ }
+ ::= { lookupCtlTable 1 }
+
+ LookupCtlEntry ::=
+ SEQUENCE {
+ lookupCtlOwnerIndex SnmpAdminString,
+ lookupCtlOperationName SnmpAdminString,
+ lookupCtlTargetAddressType InetAddressType,
+ lookupCtlTargetAddress InetAddress,
+ lookupCtlOperStatus INTEGER,
+ lookupCtlTime Unsigned32,
+ lookupCtlRc Integer32,
+ lookupCtlRowStatus RowStatus
+ }
+
+ lookupCtlOwnerIndex OBJECT-TYPE
+ SYNTAX SnmpAdminString (SIZE(0..32))
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "To facilitate the provisioning of access control by a
+ security administrator using the View-Based Access
+ Control Model (RFC 2575, VACM) for tables in which
+ multiple users may need to create or
+ modify entries independently, the initial index is used as
+ an 'owner index'. Such an initial index has a syntax of
+ SnmpAdminString and can thus be trivially mapped to a
+
+ securityName or groupName defined in VACM, in
+ accordance with a security policy.
+
+ When used in conjunction with such a security policy all
+ entries in the table belonging to a particular user (or
+ group) will have the same value for this initial index.
+ For a given user's entries in a particular table, the
+ object identifiers for the information in these entries
+ will have the same subidentifiers (except for the
+ 'column' subidentifier) up to the end of the encoded
+ owner index. To configure VACM to permit access to this
+ portion of the table, one would create
+ vacmViewTreeFamilyTable entries with the value of
+ vacmViewTreeFamilySubtree including the owner index
+ portion, and vacmViewTreeFamilyMask 'wildcarding' the
+ column subidentifier. More elaborate configurations
+ are possible."
+ ::= { lookupCtlEntry 1 }
+
+ lookupCtlOperationName OBJECT-TYPE
+ SYNTAX SnmpAdminString (SIZE(0..32))
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The name of a lookup operation. This is locally unique,
+ within the scope of an lookupCtlOwnerIndex."
+ ::= { lookupCtlEntry 2 }
+
+ lookupCtlTargetAddressType OBJECT-TYPE
+ SYNTAX InetAddressType
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "Specifies the type of address for performing a
+ lookup operation for a symbolic host name or for a host
+ address from a remote host.
+
+ Specification of dns(16) as the value for this object
+ means that a function such as, for example, getaddrinfo()
+ or gethostbyname() should be performed to return one or
+ more numeric addresses. Use of a value of either ipv4(1)
+ or ipv6(2) means that a functions such as, for example,
+ getnameinfo() or gethostbyaddr() should be used to return
+ the symbolic names associated with a host."
+ DEFVAL { unknown }
+ ::= { lookupCtlEntry 3 }
+
+ lookupCtlTargetAddress OBJECT-TYPE
+ SYNTAX InetAddress
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "Specifies the address used for a resolver lookup at a
+ remote host. The corresponding lookupCtlTargetAddressType
+ objects determines its type, as well as the function
+ that can be requested.
+
+ A value for this object MUST be set prior to
+ transitioning its corresponding lookupCtlEntry to
+ active(1) via lookupCtlRowStatus."
+ ::= { lookupCtlEntry 4 } + + lookupCtlOperStatus OBJECT-TYPE + SYNTAX INTEGER { + enabled(1), -- operation is active + notStarted(2), -- operation has not started + completed(3) -- operation is done + } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Reflects the operational state of an lookupCtlEntry: + + enabled(1) - Operation is active. + notStarted(2) - Operation has not been enabled. + completed(3) - Operation has been completed. + + An operation is automatically enabled(1) when its + lookupCtlRowStatus object is transitioned to active(1) + status. Until this occurs, lookupCtlOperStatus MUST + report a value of notStarted(2). After the lookup + operation is completed (success or failure), the value + for lookupCtlOperStatus MUST be transitioned to + completed(3)." + ::= { lookupCtlEntry 5 } + + lookupCtlTime OBJECT-TYPE + SYNTAX Unsigned32 + UNITS "milliseconds" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Reports the number of milliseconds that a lookup + operation required to be completed at a remote host. + Completed means operation failure as well as + + success." + ::= { lookupCtlEntry 6 } + + lookupCtlRc OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The system-specific return code from a lookup + operation. All implementations MUST return a value + of 0 for this object when the remote lookup + operation succeeds. A non-zero value for this + objects indicates failure. It is recommended that + implementations return the error codes that are + generated by the lookup function used." + ::= { lookupCtlEntry 7 } + + lookupCtlRowStatus OBJECT-TYPE + SYNTAX RowStatus + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "This object allows entries to be created and deleted + in the lookupCtlTable. + + A remote lookup operation is started when an + entry in this table is created via an SNMP set + request and the entry is activated. 
This
+ occurs by setting the value of this object
+ to CreateAndGo(4) during row creation or
+ by setting this object to active(1) after
+ the row is created.
+
+ A value MUST be specified for lookupCtlTargetAddress
+ prior to the acceptance of a transition to active(1) state.
+ A remote lookup operation starts when its entry
+ first becomes active(1). Transitions in and
+ out of active(1) state have no effect on the
+ operational behavior of a remote lookup
+ operation, with the exception that deletion of
+ an entry in this table by setting its RowStatus
+ object to destroy(6) will stop an active
+ remote lookup operation.
+
+ The operational state of a remote lookup operation
+ can be determined by examination of its
+ lookupCtlOperStatus object."
+ REFERENCE
+ "See definition of RowStatus in RFC 2579,
+ 'Textual Conventions for SMIv2.'"
+ ::= { lookupCtlEntry 8 }
+
+-- Lookup Results Table
+
+ lookupResultsTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF LookupResultsEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Defines the Lookup Results Table for providing
+ the capability of determining the results of a
+ operation at a remote host.
+
+ One or more entries are added to the
+ lookupResultsTable when a lookup operation,
+ as reflected by an lookupCtlEntry, is completed
+ successfully. All entries related to a
+ successful lookup operation MUST be added
+ to the lookupResultsTable at the same time
+ that the associating lookupCtlOperStatus
+ object is transitioned to completed(2).
+
+ The number of entries added depends on the
+ results determined for a particular lookup
+ operation. All entries associated with an
+ lookupCtlEntry are removed when the
+ lookupCtlEntry is deleted.
+
+ A remote host can be multi-homed and have more than one IP
+ address associated with it (returned by lookup function),
+ or it can have more than one symbolic name (returned
+ by lookup function).
+
+ A function such as, for example, getnameinfo() or
+ gethostbyaddr() is called with a host address as its
+ parameter and is used primarily to determine a symbolic
+ name to associate with the host address. Entries in the
+ lookupResultsTable MUST be made for each host name
+ returned. If the function identifies an 'official host
+ name,' then this symbolic name MUST be assigned a
+ lookupResultsIndex of 1.
+
+ A function such as, for example, getaddrinfo() or
+ gethostbyname() is called with a symbolic host name and is
+ used primarily to retrieve a host address. The entries
+
+ MUST be stored in the order that they are retrieved from
+ the lookup function. lookupResultsIndex 1 MUST be
+ assigned to the first entry."
+ ::= { lookupObjects 4 }
+
+ lookupResultsEntry OBJECT-TYPE
+ SYNTAX LookupResultsEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Defines an entry in the lookupResultsTable. The
+ first two index elements identify the
+ lookupCtlEntry that a lookupResultsEntry belongs
+ to. The third index element selects a single
+ lookup operation result."
+ INDEX {
+ lookupCtlOwnerIndex,
+ lookupCtlOperationName,
+ lookupResultsIndex
+ }
+ ::= { lookupResultsTable 1 }
+
+ LookupResultsEntry ::=
+ SEQUENCE {
+ lookupResultsIndex Unsigned32,
+ lookupResultsAddressType InetAddressType,
+ lookupResultsAddress InetAddress
+ }
+
+ lookupResultsIndex OBJECT-TYPE
+ SYNTAX Unsigned32 (1..'ffffffff'h)
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Entries in the lookupResultsTable are created when
+ the result of a lookup operation is determined.
+
+ Entries MUST be stored in the lookupResultsTable in
+ the order that they are retrieved. Values assigned
+ to lookupResultsIndex MUST start at 1 and increase
+ consecutively."
+ ::= { lookupResultsEntry 1 }
+
+ lookupResultsAddressType OBJECT-TYPE
+ SYNTAX InetAddressType
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Indicates the type of result of a remote lookup
+ operation.
A value of unknown(0) implies either that
+ the operation hasn't been started or that
+ it has failed."
+ ::= { lookupResultsEntry 2 }
+
+ lookupResultsAddress OBJECT-TYPE
+ SYNTAX InetAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Reflects a result for a remote lookup operation
+ as per the value of lookupResultsAddressType.
+
+ The address type (InetAddressType) that relates to
+ this object is specified by the corresponding value
+ of lookupResultsAddress."
+ ::= { lookupResultsEntry 3 }
+
+ -- Conformance information
+ -- Compliance statements
+
+ lookupCompliances OBJECT IDENTIFIER ::= { lookupConformance 1 }
+ lookupGroups OBJECT IDENTIFIER ::= { lookupConformance 2 }
+
+ -- Compliance statements
+
+ lookupCompliance MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "The compliance statement for SNMP entities that
+ fully implement the DISMAN-NSLOOKUP-MIB."
+ MODULE -- this module
+ MANDATORY-GROUPS { lookupGroup }
+
+ OBJECT lookupMaxConcurrentRequests
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "The agent is not required to support set
+ operations to this object."
+
+ OBJECT lookupPurgeTime
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "The agent is not required to support a set
+ operation to this object."
+ ::= { lookupCompliances 1 }
+
+ lookupMinimumCompliance MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "The minimum compliance statement for SNMP entities
+ that implement the minimal subset of the
+ DISMAN-NSLOOKUP-MIB. Implementors might choose this
+ subset for small devices with limited resources."
+ MODULE -- this module
+ MANDATORY-GROUPS { lookupGroup }
+
+ OBJECT lookupMaxConcurrentRequests
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "The agent is not required to support set
+ operations to this object."
+
+ OBJECT lookupPurgeTime
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "The agent is not required to support a set
+ operation to this object."
+
+ OBJECT lookupCtlRowStatus
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required. If write access is
+ not supported, then at least one entry in the
+ lookupCtlTable MUST be established already when the SNMP
+ agent starts offering access to the NSLOOKUP-MIB module.
+ If, in such a case, only a single entry is offered, then
+ it is RECOMMENDED that this entry use strings with a
+ length of 0 for both of its two index objects."
+ ::= { lookupCompliances 2 }
+
+ -- MIB groupings
+
+ lookupGroup OBJECT-GROUP
+ OBJECTS {
+ lookupMaxConcurrentRequests,
+ lookupPurgeTime,
+ lookupCtlOperStatus,
+ lookupCtlTargetAddressType,
+ lookupCtlTargetAddress,
+ lookupCtlTime,
+ lookupCtlRc,
+ lookupCtlRowStatus,
+ lookupResultsAddressType,
+ lookupResultsAddress
+ }
+ STATUS current
+ DESCRIPTION
+ "The group of objects that constitute the remote
+ Lookup operation."
+ ::= { lookupGroups 1 }
+
+END
diff --git a/mibs/DISMAN-PING-MIB.txt b/mibs/DISMAN-PING-MIB.txt
new file mode 100644
index 000000000..645ff8c7d
--- /dev/null
+++ b/mibs/DISMAN-PING-MIB.txt
@@ -0,0 +1,1561 @@
+DISMAN-PING-MIB DEFINITIONS ::= BEGIN
+
+IMPORTS
+ MODULE-IDENTITY, OBJECT-TYPE, Integer32,
+ Unsigned32, Gauge32, mib-2,
+ NOTIFICATION-TYPE, OBJECT-IDENTITY
+ FROM SNMPv2-SMI -- RFC2578
+ TEXTUAL-CONVENTION, RowStatus,
+ StorageType, DateAndTime, TruthValue
+ FROM SNMPv2-TC -- RFC2579
+ MODULE-COMPLIANCE, OBJECT-GROUP,
+ NOTIFICATION-GROUP
+ FROM SNMPv2-CONF -- RFC2580
+ InterfaceIndexOrZero -- RFC2863
+ FROM IF-MIB
+ SnmpAdminString
+ FROM SNMP-FRAMEWORK-MIB -- RFC3411
+ InetAddressType, InetAddress
+ FROM INET-ADDRESS-MIB; -- RFC4001
+
+ pingMIB MODULE-IDENTITY
+ LAST-UPDATED "200606130000Z" -- 13 June 2006
+ ORGANIZATION "IETF Distributed Management Working Group"
+ CONTACT-INFO
+ "Juergen Quittek
+
+ NEC Europe Ltd.
+ Network Laboratories
+ Kurfuersten-Anlage 36
+ 69115 Heidelberg
+ Germany
+
+ Phone: +49 6221 4342-115
+
+ Email: quittek@netlab.nec.de"
+ DESCRIPTION
+ "The Ping MIB (DISMAN-PING-MIB) provides the capability of
+ controlling the use of the ping function at a remote
+ host.
+
+ Copyright (C) The Internet Society (2006). This version of
+ this MIB module is part of RFC 4560; see the RFC itself for
+ full legal notices."
+
+ -- Revision history
+
+ REVISION "200606130000Z" -- 13 June 2006
+ DESCRIPTION
+ "Updated version, published as RFC 4560.
+ - Correctly considered IPv6 in DESCRIPTION
+ clause of pingCtlDataSize
+ - Replaced references to RFC 2575 by RFC 3415
+ - Replaced references to RFC 2571 by RFC 3411
+ - Replaced references to RFC 2851 by RFC 4001
+ - Added DEFVAL { {} } to definition of
+ pingCtlTrapGeneration
+ - Changed DEFVAL of object pingCtlDescr from
+ DEFVAL { '00'H } to DEFVAL { ''H }
+ - Changed DEFVAL of object pingCtlSourceAddressType
+ from DEFVAL { ipv4 } to DEFVAL { unknown }
+ - Extended DESCRIPTION clause of pingResultsTable
+ describing re-initialization of entries
+ - Changed SYNTAX of pingResultsProbeResponses and
+ pingResultsSentProbes from Unsigned32 to Gauge32
+ - Changed status of pingCompliance to deprecated
+ - Added pingFullCompliance and pingMinimumCompliance
+ - Changed status of pingGroup and pingTimeStampGroup
+ to deprecated
+ - Added pingMinimumGroup, pingCtlRowStatusGroup,
+ and pingHistoryGroup"
+
+ REVISION "200009210000Z" -- 21 September 2000
+ DESCRIPTION
+ "Initial version, published as RFC 2925."
+ ::= { mib-2 80 }
+
+ -- Textual Conventions
+
+ OperationResponseStatus ::= TEXTUAL-CONVENTION
+ STATUS current
+ DESCRIPTION
+ "Used to report the result of an operation:
+
+ responseReceived(1) - Operation is completed successfully.
+ unknown(2) - Operation failed due to unknown error.
+ internalError(3) - An implementation detected an error
+ in its own processing that caused an operation
+ to fail.
+ requestTimedOut(4) - Operation failed to receive a
+ valid reply within the time limit imposed on it.
+ unknownDestinationAddress(5) - Invalid destination
+ address.
+ noRouteToTarget(6) - Could not find a route to target.
+ interfaceInactiveToTarget(7) - The interface to be
+ used in sending a probe is inactive, and an
+ alternate route does not exist.
+ arpFailure(8) - Unable to resolve a target address to a
+ media-specific address.
+ maxConcurrentLimitReached(9) - The maximum number of
+ concurrent active operations would have been exceeded
+ if the corresponding operation was allowed.
+ unableToResolveDnsName(10) - The DNS name specified was
+ unable to be mapped to an IP address.
+ invalidHostAddress(11) - The IP address for a host
+ has been determined to be invalid. Examples of this
+ are broadcast or multicast addresses."
+ SYNTAX INTEGER {
+ responseReceived(1),
+ unknown(2),
+ internalError(3),
+ requestTimedOut(4),
+ unknownDestinationAddress(5),
+ noRouteToTarget(6),
+ interfaceInactiveToTarget(7),
+ arpFailure(8),
+ maxConcurrentLimitReached(9),
+ unableToResolveDnsName(10),
+ invalidHostAddress(11)
+ }
+
+ -- Top level structure of the MIB
+
+ pingNotifications OBJECT IDENTIFIER ::= { pingMIB 0 }
+ pingObjects OBJECT IDENTIFIER ::= { pingMIB 1 }
+ pingConformance OBJECT IDENTIFIER ::= { pingMIB 2 }
+
+ -- The registration node (point) for ping implementation types
+
+ pingImplementationTypeDomains OBJECT IDENTIFIER ::= { pingMIB 3 }
+
+ pingIcmpEcho OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "Indicates that an implementation is using the Internet
+ Control Message Protocol (ICMP) 'ECHO' facility."
+ ::= { pingImplementationTypeDomains 1 }
+
+ pingUdpEcho OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "Indicates that an implementation is using the UDP echo
+ port (7)."
+ REFERENCE
+ "RFC 862, 'Echo Protocol'."
+ ::= { pingImplementationTypeDomains 2 }
+
+ pingSnmpQuery OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "Indicates that an implementation is using an SNMP query
+ to calculate a round trip time."
+ ::= { pingImplementationTypeDomains 3 }
+
+ pingTcpConnectionAttempt OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "Indicates that an implementation is attempting to
+ connect to a TCP port in order to calculate a round
+ trip time."
+ ::= { pingImplementationTypeDomains 4 }
+
+ -- Simple Object Definitions
+
+ pingMaxConcurrentRequests OBJECT-TYPE
+ SYNTAX Unsigned32
+ UNITS "requests"
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "The maximum number of concurrent active ping requests
+ that are allowed within an agent implementation. A value
+ of 0 for this object implies that there is no limit for
+ the number of concurrent active requests in effect.
+
+ The limit applies only to new requests being activated.
+ When a new value is set, the agent will continue processing
+ all the requests already active, even if their number
+ exceeds the limit just imposed."
+ DEFVAL { 10 }
+ ::= { pingObjects 1 }
+
+ -- Ping Control Table
+
+ pingCtlTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF PingCtlEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Defines the ping Control Table for providing, via SNMP,
+ the capability of performing ping operations at
+ a remote host. The results of these operations are
+ stored in the pingResultsTable and the
+ pingProbeHistoryTable."
+ ::= { pingObjects 2 }
+
+ pingCtlEntry OBJECT-TYPE
+ SYNTAX PingCtlEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Defines an entry in the pingCtlTable. The first index
+ element, pingCtlOwnerIndex, is of type SnmpAdminString,
+ a textual convention that allows for use of the SNMPv3
+ View-Based Access Control Model (RFC 3415, VACM)
+ and that allows a management application to identify its
+ entries. The second index, pingCtlTestName (also an
+ SnmpAdminString), enables the same management
+ application to have multiple outstanding requests."
+ INDEX {
+ pingCtlOwnerIndex,
+ pingCtlTestName
+ }
+ ::= { pingCtlTable 1 }
+
+ PingCtlEntry ::=
+ SEQUENCE {
+ pingCtlOwnerIndex SnmpAdminString,
+ pingCtlTestName SnmpAdminString,
+ pingCtlTargetAddressType InetAddressType,
+ pingCtlTargetAddress InetAddress,
+ pingCtlDataSize Unsigned32,
+ pingCtlTimeOut Unsigned32,
+ pingCtlProbeCount Unsigned32,
+ pingCtlAdminStatus INTEGER,
+ pingCtlDataFill OCTET STRING,
+ pingCtlFrequency Unsigned32,
+ pingCtlMaxRows Unsigned32,
+ pingCtlStorageType StorageType,
+ pingCtlTrapGeneration BITS,
+ pingCtlTrapProbeFailureFilter Unsigned32,
+ pingCtlTrapTestFailureFilter Unsigned32,
+ pingCtlType OBJECT IDENTIFIER,
+ pingCtlDescr SnmpAdminString,
+ pingCtlSourceAddressType InetAddressType,
+ pingCtlSourceAddress InetAddress,
+ pingCtlIfIndex InterfaceIndexOrZero,
+ pingCtlByPassRouteTable TruthValue,
+ pingCtlDSField Unsigned32,
+ pingCtlRowStatus RowStatus
+ }
+
+ pingCtlOwnerIndex OBJECT-TYPE
+ SYNTAX SnmpAdminString (SIZE(0..32))
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "To facilitate the provisioning of access control by a
+ security administrator using the View-Based Access
+ Control Model (RFC 2575, VACM) for tables in which
+ multiple users may need to create or
+ modify entries independently, the initial index is used
+ as an 'owner index'. Such an initial index has a syntax
+ of SnmpAdminString and can thus be trivially mapped to a
+ securityName or groupName defined in VACM, in
+ accordance with a security policy.
+
+ When used in conjunction with such a security policy, all
+ entries in the table belonging to a particular user (or
+ group) will have the same value for this initial index.
+ For a given user's entries in a particular table, the
+ object identifiers for the information in these entries
+ will have the same subidentifiers (except for the 'column'
+ subidentifier) up to the end of the encoded owner index.
+ To configure VACM to permit access to this portion of the
+ table, one would create vacmViewTreeFamilyTable entries
+ with the value of vacmViewTreeFamilySubtree including
+ the owner index portion, and vacmViewTreeFamilyMask
+ 'wildcarding' the column subidentifier. More elaborate
+ configurations are possible."
+ ::= { pingCtlEntry 1 }
+
+ pingCtlTestName OBJECT-TYPE
+ SYNTAX SnmpAdminString (SIZE(0..32))
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The name of the ping test. This is locally unique, within
+ the scope of a pingCtlOwnerIndex."
+ ::= { pingCtlEntry 2 }
+
+ pingCtlTargetAddressType OBJECT-TYPE
+ SYNTAX InetAddressType
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "Specifies the type of host address to be used at a remote
+ host for performing a ping operation."
+ DEFVAL { unknown }
+ ::= { pingCtlEntry 3 }
+
+ pingCtlTargetAddress OBJECT-TYPE
+ SYNTAX InetAddress
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "Specifies the host address to be used at a remote host for
+ performing a ping operation. The host address type is
+ determined by the value of the corresponding
+ pingCtlTargetAddressType.
+
+ A value for this object MUST be set prior to transitioning
+ its corresponding pingCtlEntry to active(1) via
+ pingCtlRowStatus."
+ DEFVAL { ''H }
+ ::= { pingCtlEntry 4 }
+
+ pingCtlDataSize OBJECT-TYPE
+ SYNTAX Unsigned32 (0..65507)
+ UNITS "octets"
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "Specifies the size of the data portion to be
+ transmitted in a ping operation, in octets. Whether this
+ value can be applied depends on the selected
+ implementation method for performing a ping operation,
+ indicated by pingCtlType in the same conceptual row.
+ If the method used allows applying the value contained
+
+ in this object, then it MUST be applied.
If the specified
+ size is not appropriate for the chosen ping method, the
+ implementation SHOULD use whatever size (appropriate to
+ the method) is closest to the specified size.
+
+ The maximum value for this object was computed by
+ subtracting the smallest possible IP header size of
+ 20 octets (IPv4 header with no options) and the UDP
+ header size of 8 octets from the maximum IP packet size.
+ An IP packet has a maximum size of 65535 octets
+ (excluding IPv6 Jumbograms)."
+ DEFVAL { 0 }
+ ::= { pingCtlEntry 5 }
+
+ pingCtlTimeOut OBJECT-TYPE
+ SYNTAX Unsigned32 (1..60)
+ UNITS "seconds"
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "Specifies the time-out value, in seconds, for a
+ remote ping operation."
+ DEFVAL { 3 }
+ ::= { pingCtlEntry 6 }
+
+ pingCtlProbeCount OBJECT-TYPE
+ SYNTAX Unsigned32 (1..15)
+ UNITS "probes"
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "Specifies the number of times to perform a ping
+ operation at a remote host as part of a single ping test."
+ DEFVAL { 1 }
+ ::= { pingCtlEntry 7 }
+
+ pingCtlAdminStatus OBJECT-TYPE
+ SYNTAX INTEGER {
+ enabled(1), -- test should be started
+ disabled(2) -- test should be stopped
+ }
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "Reflects the desired state that a pingCtlEntry should be
+ in:
+
+ enabled(1) - Attempt to activate the test as defined by
+ this pingCtlEntry.
+ disabled(2) - Deactivate the test as defined by this
+ pingCtlEntry.
+
+ Refer to the corresponding pingResultsOperStatus to
+ determine the operational state of the test defined by
+ this entry."
+ DEFVAL { disabled }
+ ::= { pingCtlEntry 8 }
+
+ pingCtlDataFill OBJECT-TYPE
+ SYNTAX OCTET STRING (SIZE(0..1024))
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The content of this object is used together with the
+ corresponding pingCtlDataSize value to determine how to
+ fill the data portion of a probe packet.
The option of
+ selecting a data fill pattern can be useful when links
+ are compressed or have data pattern sensitivities. The
+ contents of pingCtlDataFill should be repeated in a ping
+ packet when the size of the data portion of the ping
+ packet is greater than the size of pingCtlDataFill."
+ DEFVAL { '00'H }
+ ::= { pingCtlEntry 9 }
+
+ pingCtlFrequency OBJECT-TYPE
+ SYNTAX Unsigned32
+ UNITS "seconds"
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The number of seconds to wait before repeating a ping test
+ as defined by the value of the various objects in the
+ corresponding row.
+
+ A single ping test consists of a series of ping probes.
+ The number of probes is determined by the value of the
+ corresponding pingCtlProbeCount object. After a single
+ test is completed the number of seconds as defined by the
+ value of pingCtlFrequency MUST elapse before the
+ next ping test is started.
+
+ A value of 0 for this object implies that the test
+ as defined by the corresponding entry will not be
+ repeated."
+ DEFVAL { 0 }
+ ::= { pingCtlEntry 10 }
+
+ pingCtlMaxRows OBJECT-TYPE
+ SYNTAX Unsigned32
+ UNITS "rows"
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The maximum number of corresponding entries allowed
+ in the pingProbeHistoryTable. An implementation of this
+ MIB will remove the oldest corresponding entry in the
+ pingProbeHistoryTable to allow the addition of an
+ new entry once the number of corresponding rows in the
+ pingProbeHistoryTable reaches this value.
+
+ Old entries are not removed when a new test is
+ started. Entries are added to the pingProbeHistoryTable
+ until pingCtlMaxRows is reached before entries begin to
+ be removed.
+
+ A value of 0 for this object disables creation of
+ pingProbeHistoryTable entries."
+ DEFVAL { 50 }
+ ::= { pingCtlEntry 11 }
+
+ pingCtlStorageType OBJECT-TYPE
+ SYNTAX StorageType
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The storage type for this conceptual row.
+ Conceptual rows having the value 'permanent' need not
+ allow write-access to any columnar objects in the row."
+ DEFVAL { nonVolatile }
+ ::= { pingCtlEntry 12 }
+
+ pingCtlTrapGeneration OBJECT-TYPE
+ SYNTAX BITS {
+ probeFailure(0),
+ testFailure(1),
+ testCompletion(2)
+ }
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The value of this object determines when and whether
+ to generate a notification for this entry:
+
+ probeFailure(0) - Generate a pingProbeFailed
+ notification subject to the value of
+ pingCtlTrapProbeFailureFilter. The object
+ pingCtlTrapProbeFailureFilter can be used
+ to specify the number of consecutive probe
+ failures that are required before a
+ pingProbeFailed notification can be generated.
+ testFailure(1) - Generate a pingTestFailed
+ notification. In this instance the object
+ pingCtlTrapTestFailureFilter can be used to
+ determine the number of probe failures that
+ signal when a test fails.
+ testCompletion(2) - Generate a pingTestCompleted
+ notification.
+
+ By default, no bits are set, indicating that
+ none of the above options is selected."
+ DEFVAL { {} } -- no bits set.
+ ::= { pingCtlEntry 13 }
+
+ pingCtlTrapProbeFailureFilter OBJECT-TYPE
+ SYNTAX Unsigned32 (0..15)
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The value of this object is used to determine when
+ to generate a pingProbeFailed NOTIFICATION.
+
+ Setting BIT probeFailure(0) of object
+ pingCtlTrapGeneration to '1' implies that a
+ pingProbeFailed NOTIFICATION is generated only when
+
+ a number of consecutive ping probes equal to the
+ value of pingCtlTrapProbeFailureFilter fail within
+ a given ping test. After triggering the notification,
+ the probe failure counter is reset to zero."
+ DEFVAL { 1 }
+ ::= { pingCtlEntry 14 }
+
+ pingCtlTrapTestFailureFilter OBJECT-TYPE
+ SYNTAX Unsigned32 (0..15)
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The value of this object is used to determine when
+ to generate a pingTestFailed NOTIFICATION.
+
+ Setting BIT testFailure(1) of object
+
+ pingCtlTrapGeneration to '1' implies that a
+ pingTestFailed NOTIFICATION is generated only when
+ a number of consecutive ping tests equal to the
+ value of pingCtlTrapProbeFailureFilter fail.
+ After triggering the notification, the test failure
+ counter is reset to zero."
+ DEFVAL { 1 }
+ ::= { pingCtlEntry 15 }
+
+ pingCtlType OBJECT-TYPE
+ SYNTAX OBJECT IDENTIFIER
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The value of this object is used either to report or
+ to select the implementation method to be used for
+ calculating a ping response time. The value of this
+ object MAY be selected from pingImplementationTypeDomains.
+
+ Additional implementation types SHOULD be allocated as
+ required by implementers of the DISMAN-PING-MIB under
+ their enterprise-specific registration point and not
+ beneath pingImplementationTypeDomains."
+ DEFVAL { pingIcmpEcho }
+ ::= { pingCtlEntry 16 }
+
+ pingCtlDescr OBJECT-TYPE
+ SYNTAX SnmpAdminString
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The purpose of this object is to provide a
+ descriptive name of the remote ping test."
+ DEFVAL { ''H }
+ ::= { pingCtlEntry 17 }
+
+ pingCtlSourceAddressType OBJECT-TYPE
+ SYNTAX InetAddressType
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "Specifies the type of the source address,
+ pingCtlSourceAddress, to be used at a remote host
+ when a ping operation is performed."
+ DEFVAL { unknown }
+ ::= { pingCtlEntry 18 }
+
+ pingCtlSourceAddress OBJECT-TYPE
+ SYNTAX InetAddress
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "Use the specified IP address (which must be given in
+ numeric form, not as a hostname) as the source address
+ in outgoing probe packets. On hosts with more than one
+ IP address, this option can be used to select the address
+ to be used. If the IP address is not one of this
+ machine's interface addresses, an error is returned and
+ nothing is sent. A zero-length octet string value for
+ this object disables source address specification.
+
+ The address type (InetAddressType) that relates to
+ this object is specified by the corresponding value
+ of pingCtlSourceAddressType."
+ DEFVAL { ''H }
+ ::= { pingCtlEntry 19 }
+
+ pingCtlIfIndex OBJECT-TYPE
+ SYNTAX InterfaceIndexOrZero
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "Setting this object to an interface's ifIndex prior
+ to starting a remote ping operation directs
+ the ping probes to be transmitted over the
+ specified interface. A value of zero for this object
+ means that this option is not enabled."
+ DEFVAL { 0 }
+ ::= { pingCtlEntry 20 }
+
+ pingCtlByPassRouteTable OBJECT-TYPE
+ SYNTAX TruthValue
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The purpose of this object is to enable optional
+ bypassing the route table. If enabled, the remote
+ host will bypass the normal routing tables and send
+ directly to a host on an attached network. If the
+ host is not on a directly attached network, an
+ error is returned. This option can be used to perform
+ the ping operation to a local host through an
+ interface that has no route defined (e.g., after the
+ interface was dropped by the routing daemon at the host)."
+ DEFVAL { false }
+ ::= { pingCtlEntry 21 }
+
+ pingCtlDSField OBJECT-TYPE
+ SYNTAX Unsigned32 (0..255)
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "Specifies the value to store in the Type of Service
+ (TOS) octet in the IPv4 header or in the Traffic
+ Class octet in the IPv6 header, respectively, of the
+ IP packet used to encapsulate the ping probe.
+
+ The octet to be set in the IP header contains the
+ Differentiated Services (DS) Field in the six most
+ significant bits.
+
+ This option can be used to determine what effect an
+ explicit DS Field setting has on a ping response.
+ Not all values are legal or meaningful. A value of 0
+ means that the function represented by this option is
+ not supported. DS Field usage is often not supported
+ by IP implementations, and not all values are supported.
+ Refer to RFC 2474 and RFC 3260 for guidance on usage of
+ this field."
+ REFERENCE
+ "Refer to RFC 1812 for the definition of the IPv4 TOS
+ octet and to RFC 2460 for the definition of the IPv6
+ Traffic Class octet. Refer to RFC 2474 and RFC 3260
+ for the definition of the Differentiated Services Field."
+ DEFVAL { 0 }
+ ::= { pingCtlEntry 22 }
+
+ pingCtlRowStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "This object allows entries to be created and deleted
+ in the pingCtlTable. Deletion of an entry in this
+ table results in the deletion of all corresponding (same
+ pingCtlOwnerIndex and pingCtlTestName index values)
+ pingResultsTable and pingProbeHistoryTable entries.
+
+ A value MUST be specified for pingCtlTargetAddress
+ prior to acceptance of a transition to active(1) state.
+
+ When a value for pingCtlTargetAddress is set,
+ the value of object pingCtlRowStatus changes
+ from notReady(3) to notInService(2).
+
+ Activation of a remote ping operation is controlled
+ via pingCtlAdminStatus, not by changing
+ this object's value to active(1).
+
+ Transitions in and out of active(1) state are not
+ allowed while an entry's pingResultsOperStatus is
+ active(1), with the exception that deletion of
+ an entry in this table by setting its RowStatus
+ object to destroy(6) will stop an active
+ ping operation.
+
+ The operational state of a ping operation
+ can be determined by examination of its
+ pingResultsOperStatus object."
+ REFERENCE
+ "See definition of RowStatus in RFC 2579, 'Textual
+ Conventions for SMIv2.'"
+ ::= { pingCtlEntry 23 }
+
+-- Ping Results Table
+
+ pingResultsTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF PingResultsEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Defines the Ping Results Table for providing
+ the capability of performing ping operations at
+ a remote host. The results of these operations are
+ stored in the pingResultsTable and the pingProbeHistoryTable.
+
+ An entry is added to the pingResultsTable when an
+ pingCtlEntry is started by successful transition
+ of its pingCtlAdminStatus object to enabled(1).
+
+ If the object pingCtlAdminStatus already has the value
+ enabled(1), and if the corresponding pingResultsOperStatus
+ object has the value completed(3), then successfully writing
+ enabled(1) to object pingCtlAdminStatus re-initializes the
+ already existing entry in the pingResultsTable. The values
+ of objects in the re-initialized entry are the same as the
+ values of objects in a new entry would be.
+
+ An entry is removed from the pingResultsTable when
+ its corresponding pingCtlEntry is deleted."
+ ::= { pingObjects 3 }
+
+ pingResultsEntry OBJECT-TYPE
+ SYNTAX PingResultsEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Defines an entry in the pingResultsTable. The
+ pingResultsTable has the same indexing as the
+ pingCtlTable so that a pingResultsEntry
+ corresponds to the pingCtlEntry that caused it to
+ be created."
+ INDEX {
+ pingCtlOwnerIndex,
+ pingCtlTestName
+ }
+ ::= { pingResultsTable 1 }
+
+ PingResultsEntry ::=
+ SEQUENCE {
+ pingResultsOperStatus INTEGER,
+ pingResultsIpTargetAddressType InetAddressType,
+ pingResultsIpTargetAddress InetAddress,
+ pingResultsMinRtt Unsigned32,
+ pingResultsMaxRtt Unsigned32,
+ pingResultsAverageRtt Unsigned32,
+ pingResultsProbeResponses Gauge32,
+ pingResultsSentProbes Gauge32,
+ pingResultsRttSumOfSquares Unsigned32,
+ pingResultsLastGoodProbe DateAndTime
+ }
+
+ pingResultsOperStatus OBJECT-TYPE
+ SYNTAX INTEGER {
+ enabled(1), -- test is in progress
+ disabled(2), -- test has stopped
+ completed(3) -- test is completed
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Reflects the operational state of a pingCtlEntry:
+
+ enabled(1) - Test is active.
+ disabled(2) - Test has stopped.
+ completed(3) - Test is completed."
+ ::= { pingResultsEntry 1 }
+
+ pingResultsIpTargetAddressType OBJECT-TYPE
+ SYNTAX InetAddressType
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "This object indicates the type of address stored
+ in the corresponding pingResultsIpTargetAddress
+ object."
+ DEFVAL { unknown }
+ ::= { pingResultsEntry 2 }
+
+ pingResultsIpTargetAddress OBJECT-TYPE
+ SYNTAX InetAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "This object reports the IP address associated
+ with a pingCtlTargetAddress value when the destination
+ address is specified as a DNS name. The value of
+ this object should be a zero-length octet string
+ when a DNS name is not specified or when a
+ specified DNS name fails to resolve.
+
+ The address type (InetAddressType) that relates to
+ this object is specified by the corresponding value
+ of pingResultsIpTargetAddressType."
+ DEFVAL { ''H }
+ ::= { pingResultsEntry 3 }
+
+ pingResultsMinRtt OBJECT-TYPE
+ SYNTAX Unsigned32
+ UNITS "milliseconds"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The minimum ping round-trip-time (RTT) received.
A value + of 0 for this object implies that no RTT has been received." + ::= { pingResultsEntry 4 } + + pingResultsMaxRtt OBJECT-TYPE + SYNTAX Unsigned32 + UNITS "milliseconds" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The maximum ping round-trip-time (RTT) received. A value + of 0 for this object implies that no RTT has been received." + ::= { pingResultsEntry 5 } + + pingResultsAverageRtt OBJECT-TYPE + SYNTAX Unsigned32 + UNITS "milliseconds" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The current average ping round-trip-time (RTT)." + ::= { pingResultsEntry 6 } + + pingResultsProbeResponses OBJECT-TYPE + SYNTAX Gauge32 + UNITS "responses" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Number of responses received for the corresponding + pingCtlEntry and pingResultsEntry. The value of this object + MUST be reported as 0 when no probe responses have been + received." + ::= { pingResultsEntry 7 } + + pingResultsSentProbes OBJECT-TYPE + SYNTAX Gauge32 + UNITS "probes" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object reflects the number of probes sent + for the corresponding pingCtlEntry and pingResultsEntry. + The value of this object MUST be reported as 0 when no probes + have been sent." + ::= { pingResultsEntry 8 } + + pingResultsRttSumOfSquares OBJECT-TYPE + SYNTAX Unsigned32 + UNITS "milliseconds" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "This object contains the sum of the squares for all ping + responses received. Its purpose is to enable standard + deviation calculation. The value of this object MUST + be reported as 0 when no ping responses have been + received." + ::= { pingResultsEntry 9 } + + pingResultsLastGoodProbe OBJECT-TYPE + SYNTAX DateAndTime + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Date and time when the last response was received for + a probe." 
+ ::= { pingResultsEntry 10 } + + -- Ping Probe History Table + + pingProbeHistoryTable OBJECT-TYPE + SYNTAX SEQUENCE OF PingProbeHistoryEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Defines a table for storing the results of ping + operations. The number of entries in this table is + limited per entry in the pingCtlTable by the value + of the corresponding pingCtlMaxRows object. + + An entry in this table is created when the result of + a ping probe is determined. The initial 2 instance + identifier index values identify the pingCtlEntry + that a probe result (pingProbeHistoryEntry) belongs + to. An entry is removed from this table when + its corresponding pingCtlEntry is deleted. + + An implementation of this MIB will remove the oldest + entry in the pingProbeHistoryTable of the + corresponding entry in the pingCtlTable to allow + the addition of an new entry once the number of rows + in the pingProbeHistoryTable reaches the value + specified by pingCtlMaxRows for the corresponding + entry in the pingCtlTable." + ::= { pingObjects 4 } + + pingProbeHistoryEntry OBJECT-TYPE + SYNTAX PingProbeHistoryEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Defines an entry in the pingProbeHistoryTable. + The first two index elements identify the + pingCtlEntry that a pingProbeHistoryEntry belongs + to. The third index element selects a single + probe result." + INDEX { + + pingCtlOwnerIndex, + pingCtlTestName, + pingProbeHistoryIndex + } + ::= { pingProbeHistoryTable 1 } + + PingProbeHistoryEntry ::= + SEQUENCE { + pingProbeHistoryIndex Unsigned32, + pingProbeHistoryResponse Unsigned32, + pingProbeHistoryStatus OperationResponseStatus, + pingProbeHistoryLastRC Integer32, + pingProbeHistoryTime DateAndTime + } + + pingProbeHistoryIndex OBJECT-TYPE + SYNTAX Unsigned32 (1..'ffffffff'h) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "An entry in this table is created when the result of + a ping probe is determined. 
The initial 2 instance + identifier index values identify the pingCtlEntry + that a probe result (pingProbeHistoryEntry) belongs + to. + + An implementation MUST start assigning + pingProbeHistoryIndex values at 1 and wrap after + exceeding the maximum possible value as defined by + the limit of this object ('ffffffff'h)." + ::= { pingProbeHistoryEntry 1 } + + pingProbeHistoryResponse OBJECT-TYPE + SYNTAX Unsigned32 + UNITS "milliseconds" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The amount of time measured in milliseconds from when + a probe was sent to when its response was received or + when it timed out. The value of this object is reported + as 0 when it is not possible to transmit a probe." + ::= { pingProbeHistoryEntry 2 } + + pingProbeHistoryStatus OBJECT-TYPE + SYNTAX OperationResponseStatus + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The result of a particular probe done by a remote host." + ::= { pingProbeHistoryEntry 3 } + + pingProbeHistoryLastRC OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The last implementation-method-specific reply code received. + If the ICMP Echo capability is being used, then a successful + probe ends when an ICMP response is received that contains + the code ICMP_ECHOREPLY(0). The ICMP codes are maintained + by IANA. Standardized ICMP codes are listed at + http://www.iana.org/assignments/icmp-parameters. + The ICMPv6 codes are listed at + http://www.iana.org/assignments/icmpv6-parameters." + ::= { pingProbeHistoryEntry 4 } + + pingProbeHistoryTime OBJECT-TYPE + SYNTAX DateAndTime + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Timestamp for when this probe result was determined." 
+ ::= { pingProbeHistoryEntry 5 } + + -- Notification Definition section + + pingProbeFailed NOTIFICATION-TYPE + OBJECTS { + pingCtlTargetAddressType, + pingCtlTargetAddress, + pingResultsOperStatus, + pingResultsIpTargetAddressType, + pingResultsIpTargetAddress, + pingResultsMinRtt, + pingResultsMaxRtt, + pingResultsAverageRtt, + pingResultsProbeResponses, + pingResultsSentProbes, + pingResultsRttSumOfSquares, + pingResultsLastGoodProbe + } + STATUS current + DESCRIPTION + "Generated when a probe failure is detected, when the + + corresponding pingCtlTrapGeneration object is set to + probeFailure(0), subject to the value of + pingCtlTrapProbeFailureFilter. The object + pingCtlTrapProbeFailureFilter can be used to specify the + number of consecutive probe failures that are required + before this notification can be generated." + ::= { pingNotifications 1 } + + pingTestFailed NOTIFICATION-TYPE + OBJECTS { + pingCtlTargetAddressType, + pingCtlTargetAddress, + pingResultsOperStatus, + pingResultsIpTargetAddressType, + pingResultsIpTargetAddress, + pingResultsMinRtt, + pingResultsMaxRtt, + pingResultsAverageRtt, + pingResultsProbeResponses, + pingResultsSentProbes, + pingResultsRttSumOfSquares, + pingResultsLastGoodProbe + } + STATUS current + DESCRIPTION + "Generated when a ping test is determined to have failed, + when the corresponding pingCtlTrapGeneration object is + set to testFailure(1). In this instance, + pingCtlTrapTestFailureFilter should specify the number of + probes in a test required to have failed in order to + consider the test failed." 
+ ::= { pingNotifications 2 } + + pingTestCompleted NOTIFICATION-TYPE + OBJECTS { + pingCtlTargetAddressType, + pingCtlTargetAddress, + pingResultsOperStatus, + pingResultsIpTargetAddressType, + pingResultsIpTargetAddress, + pingResultsMinRtt, + pingResultsMaxRtt, + pingResultsAverageRtt, + pingResultsProbeResponses, + pingResultsSentProbes, + pingResultsRttSumOfSquares, + pingResultsLastGoodProbe + + } + STATUS current + DESCRIPTION + "Generated at the completion of a ping test when the + corresponding pingCtlTrapGeneration object has the + testCompletion(2) bit set." + ::= { pingNotifications 3 } + + -- Conformance information + + -- Compliance statements + + pingCompliances OBJECT IDENTIFIER ::= { pingConformance 1 } + pingGroups OBJECT IDENTIFIER ::= { pingConformance 2 } + + -- Compliance statements + + pingFullCompliance MODULE-COMPLIANCE + STATUS current + DESCRIPTION + "The compliance statement for SNMP entities that + fully implement the DISMAN-PING-MIB." + MODULE -- this module + MANDATORY-GROUPS { + pingMinimumGroup, + pingCtlRowStatusGroup, + pingHistoryGroup, + pingNotificationsGroup + } + + OBJECT pingMaxConcurrentRequests + MIN-ACCESS read-only + DESCRIPTION + "The agent is not required to support set + operations to this object." + + OBJECT pingCtlStorageType + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required." + + OBJECT pingCtlType + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required. In addition, the only + value that MUST be supported by an implementation is + pingIcmpEcho." + + OBJECT pingCtlSourceAddressType + SYNTAX InetAddressType { unknown(0), ipv4(1), ipv6(2) } + MIN-ACCESS read-only + DESCRIPTION + "Write access to this object is not required by + implementations that are not capable of binding the + send socket with a source address. An implementation + is only required to support IPv4 and IPv6 addresses." 
+ + OBJECT pingCtlSourceAddress + SYNTAX InetAddress (SIZE(0|4|16)) + MIN-ACCESS read-only + DESCRIPTION + "Write access to this object is not required by + implementations that are not capable of binding the + send socket with a source address. An implementation + is only required to support IPv4 and IPv6 addresses." + + OBJECT pingCtlIfIndex + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required. If write access is + not supported, return a 0 as the value of this object. + A value of 0 means that the function represented by + this option is not supported." + + OBJECT pingCtlByPassRouteTable + MIN-ACCESS read-only + DESCRIPTION + "Write access to this object is not required by + implementations that are not capable of its + implementation. The function represented by this + object is implementable if the setsockopt + SOL_SOCKET SO_DONTROUTE option is supported." + + OBJECT pingCtlDSField + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required. If write access is + not supported, return a 0 as the value of this object. + A value of 0 means that the function represented by + this option is not supported." + + OBJECT pingResultsIpTargetAddressType + SYNTAX InetAddressType { unknown(0), ipv4(1), ipv6(2) } + DESCRIPTION + "An implementation is only required to + + support IPv4 and IPv6 addresses." + + OBJECT pingResultsIpTargetAddress + SYNTAX InetAddress (SIZE(0|4|16)) + DESCRIPTION + "An implementation is only required to + support IPv4 and globally unique IPv6 addresses." + + OBJECT pingResultsLastGoodProbe + DESCRIPTION + "This object is mandatory for implementations that have + access to a system clock and that are capable of setting + the values for DateAndTime objects. It is RECOMMENDED + that when this object is not supported its values + be reported as '0000000000000000'H." 
+ + OBJECT pingProbeHistoryTime + DESCRIPTION + "This object is mandatory for implementations that have + access to a system clock and that are capable of setting + the values for DateAndTime objects. It is RECOMMENDED + that when this object is not supported its values + be reported as '0000000000000000'H." + ::= { pingCompliances 2 } + + pingMinimumCompliance MODULE-COMPLIANCE + STATUS current + DESCRIPTION + "The minimum compliance statement for SNMP entities + that implement the minimal subset of the + DISMAN-PING-MIB. Implementors might choose this + subset for small devices with limited resources." + MODULE -- this module + MANDATORY-GROUPS { pingMinimumGroup } + + GROUP pingCtlRowStatusGroup + DESCRIPTION + "A compliant implementation does not have to implement + the pingCtlRowStatusGroup." + + GROUP pingHistoryGroup + DESCRIPTION + "A compliant implementation does not have to implement + the pingHistoryGroup." + + GROUP pingNotificationsGroup + DESCRIPTION + "A compliant implementation does not have to implement + + the pingNotificationsGroup." + + OBJECT pingMaxConcurrentRequests + MIN-ACCESS read-only + DESCRIPTION + "The agent is not required to support set + operations to this object." + + OBJECT pingCtlDataFill + MIN-ACCESS read-only + DESCRIPTION + "The agent is not required to support set + operations to this object." + + OBJECT pingCtlFrequency + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required. If write access is + not supported, return a 0 as the value of this object. + A value of 0 means that the function represented by + this option is not supported." + + OBJECT pingCtlMaxRows + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required. If the + pingHistoryGroup is not implemented, then write + access to this object MUST be disabled, and the object + MUST return a value of 0 when retrieved." + + OBJECT pingCtlStorageType + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required." 
+ + OBJECT pingCtlTrapGeneration + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required. If the + pingNotificationsGroup is not implemented, then write + access to this object MUST be disabled, and the object + MUST return a value with no bit set when retrieved. + No bit set indicates that not notification is + generated." + + OBJECT pingCtlTrapProbeFailureFilter + MIN-ACCESS read-only + DESCRIPTION + "If write access to pingCtlTrapGeneration is not + supported, then write access to this object must also + not be supported. In this case, return 0 as the value + of this object." + + OBJECT pingCtlTrapTestFailureFilter + MIN-ACCESS read-only + DESCRIPTION + "If write access to pingCtlTrapGeneration is not + supported, then write access to this object must also + not be supported. In this case, return 0 as the value + of this object." + + OBJECT pingCtlType + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required. In addition, the only + value that MUST be supported by an implementation is + pingIcmpEcho." + + OBJECT pingCtlDescr + MIN-ACCESS read-only + DESCRIPTION + "The agent is not required to support set + operations to this object." + + OBJECT pingCtlSourceAddressType + SYNTAX InetAddressType { unknown(0), ipv4(1), ipv6(2) } + MIN-ACCESS read-only + DESCRIPTION + "Write access to this object is not required by + implementations that are not capable of binding the + send socket with a source address. An implementation + is only required to support IPv4 and IPv6 addresses." + + OBJECT pingCtlSourceAddress + SYNTAX InetAddress (SIZE(0|4|16)) + MIN-ACCESS read-only + DESCRIPTION + "Write access to this object is not required by + implementations that are not capable of binding the + send socket with a source address. An implementation + is only required to support IPv4 and IPv6 addresses." + + OBJECT pingCtlIfIndex + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required. 
If write access is + + not supported, return a 0 as the value of this object. + A value of 0 means that the function represented by + this option is not supported." + + OBJECT pingCtlByPassRouteTable + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required. If write access is + not supported, return false(2) as the value of this + object. A value of false(2) means that the function + represented by this option is not supported." + + OBJECT pingCtlDSField + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required. If write access is + not supported, return a 0 as the value of this object. + A value of 0 means that the function represented by + this option is not supported." + + OBJECT pingResultsIpTargetAddressType + SYNTAX InetAddressType { unknown(0), ipv4(1), ipv6(2) } + DESCRIPTION + "An implementation is only required to + support IPv4 and IPv6 addresses." + + OBJECT pingResultsIpTargetAddress + SYNTAX InetAddress (SIZE(0|4|16)) + DESCRIPTION + "An implementation is only required to + support IPv4 and globally unique IPv6 addresses." + + OBJECT pingResultsLastGoodProbe + DESCRIPTION + "This object is mandatory for implementations that have + access to a system clock and that are capable of setting + the values for DateAndTime objects. It is RECOMMENDED + that when this object is not supported its values + be reported as '0000000000000000'H." + + OBJECT pingProbeHistoryTime + DESCRIPTION + "If the pingHistoryGroup is implemented, then this + object is mandatory for implementations that have + access to a system clock and that are capable of setting + the values for DateAndTime objects. It is RECOMMENDED + that when this object is not supported its values + + be reported as '0000000000000000'H." + ::= { pingCompliances 3 } + + pingCompliance MODULE-COMPLIANCE + STATUS deprecated + DESCRIPTION + "The compliance statement for the DISMAN-PING-MIB. 
This + compliance statement has been deprecated because the + group pingGroup and the pingTimeStampGroup have been + split and deprecated. The pingFullCompliance statement + is semantically identical to the deprecated + pingCompliance statement." + + MODULE -- this module + MANDATORY-GROUPS { + pingGroup, + pingNotificationsGroup + } + GROUP pingTimeStampGroup + DESCRIPTION + "This group is mandatory for implementations that have + access to a system clock and that are capable of setting + the values for DateAndTime objects. It is RECOMMENDED + that when this group is not supported the values + for the objects in this group be reported as + '0000000000000000'H." + + OBJECT pingMaxConcurrentRequests + MIN-ACCESS read-only + DESCRIPTION + "The agent is not required to support set + operations to this object." + + OBJECT pingCtlStorageType + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required. It is also allowed + that implementations support only the volatile + StorageType enumeration." + + OBJECT pingCtlType + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required. In addition, the only + value that MUST be supported by an implementation is + pingIcmpEcho." + + OBJECT pingCtlByPassRouteTable + MIN-ACCESS read-only + DESCRIPTION + "This object is not required by implementations that + are not capable of its implementation. The function + represented by this object is implementable if the + setsockopt SOL_SOCKET SO_DONTROUTE option is + supported." + + OBJECT pingCtlSourceAddressType + SYNTAX InetAddressType { unknown(0), ipv4(1), ipv6(2) } + MIN-ACCESS read-only + DESCRIPTION + "This object is not required by implementations that + are not capable of binding the send socket with a + source address. An implementation is only required to + support IPv4 and IPv6 addresses." 
+ + OBJECT pingCtlSourceAddress + SYNTAX InetAddress (SIZE(0|4|16)) + MIN-ACCESS read-only + DESCRIPTION + "This object is not required by implementations that + are not capable of binding the send socket with a + source address. An implementation is only required to + support IPv4 and globally unique IPv6 addresses." + + OBJECT pingCtlIfIndex + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required. When write access is + not supported, return a 0 as the value of this object. + A value of 0 means that the function represented by + this option is not supported." + + OBJECT pingCtlDSField + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required. When write access is + not supported, return a 0 as the value of this object. + A value of 0 means that the function represented by + this option is not supported." + + OBJECT pingResultsIpTargetAddressType + SYNTAX InetAddressType { unknown(0), ipv4(1), ipv6(2) } + DESCRIPTION + "An implementation is only required to + support IPv4 and IPv6 addresses." + + OBJECT pingResultsIpTargetAddress + SYNTAX InetAddress (SIZE(0|4|16)) + DESCRIPTION + "An implementation is only required to + support IPv4 and globally unique IPv6 addresses." 
+ ::= { pingCompliances 1 } + + -- MIB groupings + + pingMinimumGroup OBJECT-GROUP + OBJECTS { + pingMaxConcurrentRequests, + pingCtlTargetAddressType, + pingCtlTargetAddress, + pingCtlDataSize, + pingCtlTimeOut, + pingCtlProbeCount, + pingCtlAdminStatus, + pingCtlDataFill, + pingCtlFrequency, + pingCtlMaxRows, + pingCtlStorageType, + pingCtlTrapGeneration, + pingCtlTrapProbeFailureFilter, + pingCtlTrapTestFailureFilter, + pingCtlType, + pingCtlDescr, + pingCtlByPassRouteTable, + pingCtlSourceAddressType, + pingCtlSourceAddress, + pingCtlIfIndex, + pingCtlDSField, + pingResultsOperStatus, + pingResultsIpTargetAddressType, + pingResultsIpTargetAddress, + pingResultsMinRtt, + pingResultsMaxRtt, + pingResultsAverageRtt, + pingResultsProbeResponses, + pingResultsSentProbes, + pingResultsRttSumOfSquares, + pingResultsLastGoodProbe + } + STATUS current + DESCRIPTION + "The group of objects that constitute the remote ping + capability." + ::= { pingGroups 4 } + + pingCtlRowStatusGroup OBJECT-GROUP + OBJECTS { + pingCtlRowStatus + } + STATUS current + DESCRIPTION + "The RowStatus object of the pingCtlTable." + ::= { pingGroups 5 } + + pingHistoryGroup OBJECT-GROUP + OBJECTS { + pingProbeHistoryResponse, + pingProbeHistoryStatus, + pingProbeHistoryLastRC, + pingProbeHistoryTime + } + STATUS current + DESCRIPTION + "The group of objects that constitute the history + capability." + ::= { pingGroups 6 } + + pingNotificationsGroup NOTIFICATION-GROUP + NOTIFICATIONS { + pingProbeFailed, + pingTestFailed, + pingTestCompleted + } + STATUS current + DESCRIPTION + "The notification that are required to be supported by + implementations of this MIB." 
+ ::= { pingGroups 3 } + + pingGroup OBJECT-GROUP + OBJECTS { + pingMaxConcurrentRequests, + pingCtlTargetAddressType, + pingCtlTargetAddress, + pingCtlDataSize, + pingCtlTimeOut, + pingCtlProbeCount, + pingCtlAdminStatus, + pingCtlDataFill, + pingCtlFrequency, + pingCtlMaxRows, + pingCtlStorageType, + pingCtlTrapGeneration, + pingCtlTrapProbeFailureFilter, + pingCtlTrapTestFailureFilter, + pingCtlType, + pingCtlDescr, + pingCtlByPassRouteTable, + pingCtlSourceAddressType, + pingCtlSourceAddress, + pingCtlIfIndex, + pingCtlDSField, + pingCtlRowStatus, + pingResultsOperStatus, + pingResultsIpTargetAddressType, + pingResultsIpTargetAddress, + pingResultsMinRtt, + pingResultsMaxRtt, + pingResultsAverageRtt, + pingResultsProbeResponses, + pingResultsSentProbes, + pingResultsRttSumOfSquares, + pingProbeHistoryResponse, + pingProbeHistoryStatus, + pingProbeHistoryLastRC + } + STATUS deprecated + DESCRIPTION + "The group of objects that constitute the remote ping + capability." + ::= { pingGroups 1 } + + pingTimeStampGroup OBJECT-GROUP + + OBJECTS { + pingResultsLastGoodProbe, + pingProbeHistoryTime + } + STATUS deprecated + DESCRIPTION + "The group of DateAndTime objects." + ::= { pingGroups 2 } + +END diff --git a/mibs/DISMAN-SCHEDULE-MIB.txt b/mibs/DISMAN-SCHEDULE-MIB.txt new file mode 100644 index 000000000..239595e94 --- /dev/null +++ b/mibs/DISMAN-SCHEDULE-MIB.txt 
@@ -0,0 +1,699 @@ +DISMAN-SCHEDULE-MIB DEFINITIONS ::= BEGIN + +IMPORTS + MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, + Integer32, Unsigned32, Counter32, mib-2, zeroDotZero + FROM SNMPv2-SMI + + TEXTUAL-CONVENTION, + DateAndTime, RowStatus, StorageType, VariablePointer + FROM SNMPv2-TC + + MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP + FROM SNMPv2-CONF + + SnmpAdminString + FROM SNMP-FRAMEWORK-MIB; + +schedMIB MODULE-IDENTITY + LAST-UPDATED "200201070000Z" + ORGANIZATION "IETF Distributed Management Working Group" + CONTACT-INFO + "WG EMail: disman@dorothy.bmc.com + Subscribe: disman-request@dorothy.bmc.com + + Chair: Randy Presuhn + BMC Software, Inc. + Postal: Office 1-3141 + 2141 North First Street + San Jose, California 95131 + USA + EMail: rpresuhn@bmc.com + Phone: +1 408 546-1006 + + Editor: David B. Levi + Nortel Networks + Postal: 4401 Great America Parkway + Santa Clara, CA 95052-8185 + USA + EMail: dlevi@nortelnetworks.com + Phone: +1 865 686 0432 + + Editor: Juergen Schoenwaelder + TU Braunschweig + Postal: Bueltenweg 74/75 + 38106 Braunschweig + Germany + EMail: schoenw@ibr.cs.tu-bs.de + Phone: +49 531 391-3283" + DESCRIPTION + "This MIB module defines a MIB which provides mechanisms to + schedule SNMP set operations periodically or at specific + points in time." + REVISION "200201070000Z" + DESCRIPTION + "Revised version, published as RFC 3231. + + This revision introduces a new object type called + schedTriggers. Created new conformance and compliance + statements that take care of the new schedTriggers object. + + Several clarifications have been added to remove ambiguities + that were discovered and reported by implementors." + REVISION "199811171800Z" + DESCRIPTION + "Initial version, published as RFC 2591." 
+ ::= { mib-2 63 } + +-- +-- The various groups defined within this MIB definition: +-- + +schedObjects OBJECT IDENTIFIER ::= { schedMIB 1 } +schedNotifications OBJECT IDENTIFIER ::= { schedMIB 2 } +schedConformance OBJECT IDENTIFIER ::= { schedMIB 3 } + +-- +-- Textual Conventions: +-- + +SnmpPduErrorStatus ::= TEXTUAL-CONVENTION + STATUS current + DESCRIPTION + "This TC enumerates the SNMPv1 and SNMPv2 PDU error status + codes as defined in RFC 1157 and RFC 1905. It also adds a + pseudo error status code `noResponse' which indicates a + timeout condition." + SYNTAX INTEGER { + noResponse(-1), + noError(0), + tooBig(1), + noSuchName(2), + badValue(3), + readOnly(4), + genErr(5), + noAccess(6), + wrongType(7), + wrongLength(8), + wrongEncoding(9), + wrongValue(10), + noCreation(11), + inconsistentValue(12), + resourceUnavailable(13), + commitFailed(14), + undoFailed(15), + authorizationError(16), + notWritable(17), + inconsistentName(18) + } + +-- +-- Some scalars which provide information about the local time zone. +-- + +schedLocalTime OBJECT-TYPE + SYNTAX DateAndTime (SIZE (11)) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The local time used by the scheduler. Schedules which + refer to calendar time will use the local time indicated + by this object. An implementation MUST return all 11 bytes + of the DateAndTime textual-convention so that a manager + may retrieve the offset from GMT time." + ::= { schedObjects 1 } + +-- +-- The schedule table which controls the scheduler. +-- + +schedTable OBJECT-TYPE + SYNTAX SEQUENCE OF SchedEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "This table defines scheduled actions triggered by + SNMP set operations." + ::= { schedObjects 2 } + +schedEntry OBJECT-TYPE + SYNTAX SchedEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "An entry describing a particular scheduled action. 
+ + Unless noted otherwise, writable objects of this row + can be modified independent of the current value of + schedRowStatus, schedAdminStatus and schedOperStatus. + In particular, it is legal to modify schedInterval + and the objects in the schedCalendarGroup when + schedRowStatus is active and schedAdminStatus and + schedOperStatus are both enabled." + INDEX { schedOwner, schedName } + ::= { schedTable 1 } + +SchedEntry ::= SEQUENCE { + schedOwner SnmpAdminString, + schedName SnmpAdminString, + schedDescr SnmpAdminString, + schedInterval Unsigned32, + schedWeekDay BITS, + schedMonth BITS, + schedDay BITS, + schedHour BITS, + schedMinute BITS, + schedContextName SnmpAdminString, + schedVariable VariablePointer, + schedValue Integer32, + schedType INTEGER, + schedAdminStatus INTEGER, + schedOperStatus INTEGER, + schedFailures Counter32, + schedLastFailure SnmpPduErrorStatus, + schedLastFailed DateAndTime, + schedStorageType StorageType, + schedRowStatus RowStatus, + schedTriggers Counter32 +} + +schedOwner OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE(0..32)) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The owner of this scheduling entry. The exact semantics of + this string are subject to the security policy defined by + + the security administrator." + ::= { schedEntry 1 } + +schedName OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE(1..32)) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The locally-unique, administratively assigned name for this + scheduling entry. This object allows a schedOwner to have + multiple entries in the schedTable." + ::= { schedEntry 2 } + +schedDescr OBJECT-TYPE + SYNTAX SnmpAdminString + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The human readable description of the purpose of this + scheduling entry." 
+ DEFVAL { "" } + ::= { schedEntry 3 } + +schedInterval OBJECT-TYPE + SYNTAX Unsigned32 + UNITS "seconds" + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The number of seconds between two action invocations of + a periodic scheduler. Implementations must guarantee + that action invocations will not occur before at least + schedInterval seconds have passed. + + The scheduler must ignore all periodic schedules that + have a schedInterval value of 0. A periodic schedule + with a scheduling interval of 0 seconds will therefore + never invoke an action. + + Implementations may be forced to delay invocations in the + face of local constraints. A scheduled management function + should therefore not rely on the accuracy provided by the + scheduler implementation. + + Note that implementations which maintain a list of pending + activations must re-calculate them when this object is + changed." + DEFVAL { 0 } + ::= { schedEntry 4 } + +schedWeekDay OBJECT-TYPE + SYNTAX BITS { + sunday(0), + monday(1), + tuesday(2), + wednesday(3), + thursday(4), + friday(5), + saturday(6) + } + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The set of weekdays on which the scheduled action should + take place. Setting multiple bits will include several + weekdays in the set of possible weekdays for this schedule. + Setting all bits will cause the scheduler to ignore the + weekday. + + Note that implementations which maintain a list of pending + activations must re-calculate them when this object is + changed." + DEFVAL { {} } + ::= { schedEntry 5 } + +schedMonth OBJECT-TYPE + SYNTAX BITS { + january(0), + february(1), + march(2), + april(3), + may(4), + june(5), + july(6), + august(7), + september(8), + october(9), + november(10), + december(11) + } + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The set of months during which the scheduled action should + take place. 
Setting multiple bits will include several + months in the set of possible months for this schedule. + + Setting all bits will cause the scheduler to ignore the + month. + + Note that implementations which maintain a list of pending + activations must re-calculate them when this object is + changed." + DEFVAL { {} } + ::= { schedEntry 6 } + +schedDay OBJECT-TYPE + SYNTAX BITS { + d1(0), d2(1), d3(2), d4(3), d5(4), + d6(5), d7(6), d8(7), d9(8), d10(9), + d11(10), d12(11), d13(12), d14(13), d15(14), + d16(15), d17(16), d18(17), d19(18), d20(19), + d21(20), d22(21), d23(22), d24(23), d25(24), + d26(25), d27(26), d28(27), d29(28), d30(29), + d31(30), + r1(31), r2(32), r3(33), r4(34), r5(35), + r6(36), r7(37), r8(38), r9(39), r10(40), + r11(41), r12(42), r13(43), r14(44), r15(45), + r16(46), r17(47), r18(48), r19(49), r20(50), + r21(51), r22(52), r23(53), r24(54), r25(55), + r26(56), r27(57), r28(58), r29(59), r30(60), + r31(61) + } + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The set of days in a month on which a scheduled action + should take place. There are two sets of bits one can + use to define the day within a month: + + Enumerations starting with the letter 'd' indicate a + day in a month relative to the first day of a month. + The first day of the month can therefore be specified + by setting the bit d1(0) and d31(30) means the last + day of a month with 31 days. + + Enumerations starting with the letter 'r' indicate a + day in a month in reverse order, relative to the last + day of a month. The last day in the month can therefore + be specified by setting the bit r1(31) and r31(61) means + the first day of a month with 31 days. + + Setting multiple bits will include several days in the set + of possible days for this schedule. Setting all bits will + cause the scheduler to ignore the day within a month. + + Setting all bits starting with the letter 'd' or the + letter 'r' will also cause the scheduler to ignore the + day within a month. 
+
+ Note that implementations which maintain a list of pending
+ activations must re-calculate them when this object is
+ changed."
+ DEFVAL { {} }
+ ::= { schedEntry 7 }
+
+schedHour OBJECT-TYPE
+ SYNTAX BITS {
+ h0(0), h1(1), h2(2), h3(3), h4(4),
+ h5(5), h6(6), h7(7), h8(8), h9(9),
+ h10(10), h11(11), h12(12), h13(13), h14(14),
+ h15(15), h16(16), h17(17), h18(18), h19(19),
+ h20(20), h21(21), h22(22), h23(23)
+ }
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The set of hours within a day during which the scheduled
+ action should take place.
+
+ Note that implementations which maintain a list of pending
+ activations must re-calculate them when this object is
+ changed."
+ DEFVAL { {} }
+ ::= { schedEntry 8 }
+
+schedMinute OBJECT-TYPE
+ SYNTAX BITS {
+ m0(0), m1(1), m2(2), m3(3), m4(4),
+ m5(5), m6(6), m7(7), m8(8), m9(9),
+ m10(10), m11(11), m12(12), m13(13), m14(14),
+ m15(15), m16(16), m17(17), m18(18), m19(19),
+ m20(20), m21(21), m22(22), m23(23), m24(24),
+ m25(25), m26(26), m27(27), m28(28), m29(29),
+ m30(30), m31(31), m32(32), m33(33), m34(34),
+ m35(35), m36(36), m37(37), m38(38), m39(39),
+ m40(40), m41(41), m42(42), m43(43), m44(44),
+ m45(45), m46(46), m47(47), m48(48), m49(49),
+ m50(50), m51(51), m52(52), m53(53), m54(54),
+ m55(55), m56(56), m57(57), m58(58), m59(59)
+ }
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The set of minutes within an hour when the scheduled action
+ should take place.
+
+ Note that implementations which maintain a list of pending
+ activations must re-calculate them when this object is
+ changed."
+ DEFVAL { {} }
+ ::= { schedEntry 9 }
+
+schedContextName OBJECT-TYPE
+ SYNTAX SnmpAdminString (SIZE(0..32))
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The context which contains the local MIB variable pointed
+ to by schedVariable."
+ DEFVAL { "" }
+ ::= { schedEntry 10 }
+
+schedVariable OBJECT-TYPE
+ SYNTAX VariablePointer
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "An object identifier pointing to a local MIB variable
+ which resolves to an ASN.1 primitive type of INTEGER."
+ DEFVAL { zeroDotZero }
+ ::= { schedEntry 11 }
+
+schedValue OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The value which is written to the MIB object pointed to by
+ schedVariable when the scheduler invokes an action. The
+ implementation shall enforce the use of access control
+ rules when performing the set operation on schedVariable.
+ This is accomplished by calling the isAccessAllowed abstract
+ service interface as defined in RFC 2571.
+
+ Note that an implementation may choose to issue an SNMP Set
+ message to the SNMP engine and leave the access control
+ decision to the normal message processing procedure."
+ DEFVAL { 0 }
+ ::= { schedEntry 12 }
+
+schedType OBJECT-TYPE
+ SYNTAX INTEGER {
+ periodic(1),
+ calendar(2),
+ oneshot(3)
+ }
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The type of this schedule. The value periodic(1) indicates
+ that this entry specifies a periodic schedule. A periodic
+ schedule is defined by the value of schedInterval. The
+ values of schedWeekDay, schedMonth, schedDay, schedHour
+ and schedMinute are ignored.
+
+ The value calendar(2) indicates that this entry describes a
+ calendar schedule. A calendar schedule is defined by the
+ values of schedWeekDay, schedMonth, schedDay, schedHour and
+ schedMinute. The value of schedInterval is ignored. A
+ calendar schedule will trigger on all local times that
+ satisfy the bits set in schedWeekDay, schedMonth, schedDay,
+ schedHour and schedMinute.
+
+ The value oneshot(3) indicates that this entry describes a
+ one-shot schedule. A one-shot schedule is similar to a
+ calendar schedule with the additional feature that it
+ disables itself by changing in the `finished'
+ schedOperStatus once the schedule triggers an action.
+
+ Note that implementations which maintain a list of pending
+ activations must re-calculate them when this object is
+ changed."
+ DEFVAL { periodic }
+ ::= { schedEntry 13 }
+
+schedAdminStatus OBJECT-TYPE
+ SYNTAX INTEGER {
+ enabled(1),
+ disabled(2)
+ }
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The desired state of the schedule."
+ DEFVAL { disabled }
+ ::= { schedEntry 14 }
+
+schedOperStatus OBJECT-TYPE
+ SYNTAX INTEGER {
+
+ enabled(1),
+ disabled(2),
+ finished(3)
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The current operational state of this schedule. The state
+ enabled(1) indicates this entry is active and that the
+ scheduler will invoke actions at appropriate times. The
+ disabled(2) state indicates that this entry is currently
+ inactive and ignored by the scheduler. The finished(3)
+ state indicates that the schedule has ended. Schedules
+ in the finished(3) state are ignored by the scheduler.
+ A one-shot schedule enters the finished(3) state when it
+ deactivates itself.
+
+ Note that the operational state must not be enabled(1)
+ when the schedRowStatus is not active."
+ ::= { schedEntry 15 }
+
+schedFailures OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "This variable counts the number of failures while invoking
+ the scheduled action. This counter at most increments once
+ for a triggered action."
+ ::= { schedEntry 16 }
+
+schedLastFailure OBJECT-TYPE
+ SYNTAX SnmpPduErrorStatus
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The most recent error that occurred during the invocation of
+ a scheduled action. The value noError(0) is returned
+ if no errors have occurred yet."
+ DEFVAL { noError }
+ ::= { schedEntry 17 }
+
+schedLastFailed OBJECT-TYPE
+ SYNTAX DateAndTime
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The date and time when the most recent failure occurred.
+
+ The value '0000000000000000'H is returned if no failure
+ occurred since the last re-initialization of the scheduler."
+ DEFVAL { '0000000000000000'H }
+ ::= { schedEntry 18 }
+
+schedStorageType OBJECT-TYPE
+ SYNTAX StorageType
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "This object defines whether this scheduled action is kept
+ in volatile storage and lost upon reboot or if this row is
+ backed up by non-volatile or permanent storage.
+
+ Conceptual rows having the value `permanent' must allow
+ write access to the columnar objects schedDescr,
+ schedInterval, schedContextName, schedVariable, schedValue,
+ and schedAdminStatus. If an implementation supports the
+ schedCalendarGroup, write access must be also allowed to
+ the columnar objects schedWeekDay, schedMonth, schedDay,
+ schedHour, schedMinute."
+ DEFVAL { volatile }
+ ::= { schedEntry 19 }
+
+schedRowStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The status of this scheduled action. A control that allows
+ entries to be added and removed from this table.
+
+ Note that the operational state must change to enabled
+ when the administrative state is enabled and the row
+ status changes to active(1).
+
+ Attempts to destroy(6) a row or to set a row
+ notInService(2) while the operational state is enabled
+ result in inconsistentValue errors.
+
+ The value of this object has no effect on whether other
+ objects in this conceptual row can be modified."
+ ::= { schedEntry 20 }
+
+schedTriggers OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "This variable counts the number of attempts (either
+ successful or failed) to invoke the scheduled action."
+ ::= { schedEntry 21 }
+
+--
+-- Notifications that are emitted to indicate failures. The
+-- definition of schedTraps makes notification registrations
+-- reversible (see STD 58, RFC 2578).
+--
+
+schedTraps OBJECT IDENTIFIER ::= { schedNotifications 0 }
+
+schedActionFailure NOTIFICATION-TYPE
+ OBJECTS { schedLastFailure, schedLastFailed }
+ STATUS current
+ DESCRIPTION
+ "This notification is generated whenever the invocation of a
+ scheduled action fails."
+ ::= { schedTraps 1 }
+
+-- conformance information
+
+schedCompliances OBJECT IDENTIFIER ::= { schedConformance 1 }
+schedGroups OBJECT IDENTIFIER ::= { schedConformance 2 }
+
+-- compliance statements
+
+schedCompliance2 MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "The compliance statement for SNMP entities which implement
+ the scheduling MIB."
+ MODULE -- this module
+ MANDATORY-GROUPS {
+ schedGroup2, schedNotificationsGroup
+ }
+ GROUP schedCalendarGroup
+ DESCRIPTION
+ "The schedCalendarGroup is mandatory only for those
+ implementations that support calendar based schedules."
+ OBJECT schedType
+ DESCRIPTION
+ "The values calendar(2) or oneshot(3) are not valid for
+ implementations that do not implement the
+ schedCalendarGroup. Such an implementation must return
+ inconsistentValue error responses for attempts to set
+ schedAdminStatus to calendar(2) or oneshot(3)."
+ ::= { schedCompliances 2 }
+
+schedGroup2 OBJECT-GROUP
+ OBJECTS {
+ schedDescr, schedInterval, schedContextName,
+ schedVariable, schedValue, schedType,
+ schedAdminStatus, schedOperStatus, schedFailures,
+ schedLastFailure, schedLastFailed, schedStorageType,
+ schedRowStatus, schedTriggers
+ }
+ STATUS current
+ DESCRIPTION
+ "A collection of objects providing scheduling capabilities."
+ ::= { schedGroups 4 }
+
+schedCalendarGroup OBJECT-GROUP
+ OBJECTS {
+ schedLocalTime, schedWeekDay, schedMonth,
+ schedDay, schedHour, schedMinute
+ }
+ STATUS current
+ DESCRIPTION
+ "A collection of objects providing calendar based schedules."
+ ::= { schedGroups 2 }
+
+schedNotificationsGroup NOTIFICATION-GROUP
+ NOTIFICATIONS {
+ schedActionFailure
+ }
+ STATUS current
+ DESCRIPTION
+ "The notifications emitted by the scheduler."
+ ::= { schedGroups 3 }
+
+--
+-- Deprecated compliance and conformance group definitions
+-- from RFC 2591.
+--
+
+schedCompliance MODULE-COMPLIANCE
+ STATUS deprecated
+ DESCRIPTION
+ "The compliance statement for SNMP entities which implement
+ the scheduling MIB."
+ MODULE -- this module
+ MANDATORY-GROUPS {
+ schedGroup, schedNotificationsGroup
+ }
+
+ GROUP schedCalendarGroup
+ DESCRIPTION
+ "The schedCalendarGroup is mandatory only for those
+ implementations that support calendar based schedules."
+ OBJECT schedType
+ DESCRIPTION
+ "The values calendar(2) or oneshot(3) are not valid for
+ implementations that do not implement the
+ schedCalendarGroup. Such an implementation must return
+ inconsistentValue error responses for attempts to set
+ schedAdminStatus to calendar(2) or oneshot(3)."
+ ::= { schedCompliances 1 }
+
+schedGroup OBJECT-GROUP
+ OBJECTS {
+ schedDescr, schedInterval, schedContextName,
+ schedVariable, schedValue, schedType,
+ schedAdminStatus, schedOperStatus, schedFailures,
+ schedLastFailure, schedLastFailed, schedStorageType,
+ schedRowStatus
+ }
+ STATUS deprecated
+ DESCRIPTION
+ "A collection of objects providing scheduling capabilities."
+ ::= { schedGroups 1 }
+
+END
diff --git a/mibs/DISMAN-SCRIPT-MIB.txt b/mibs/DISMAN-SCRIPT-MIB.txt
new file mode 100644
index 000000000..834f3047f
--- /dev/null
+++ b/mibs/DISMAN-SCRIPT-MIB.txt
@@ -0,0 +1,1764 @@
+DISMAN-SCRIPT-MIB DEFINITIONS ::= BEGIN
+
+IMPORTS
+ MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE,
+ Integer32, Unsigned32, mib-2
+ FROM SNMPv2-SMI
+
+ RowStatus, TimeInterval, DateAndTime, StorageType, DisplayString
+ FROM SNMPv2-TC
+
+ MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP
+ FROM SNMPv2-CONF
+
+ SnmpAdminString
+ FROM SNMP-FRAMEWORK-MIB;
+
+scriptMIB MODULE-IDENTITY
+ LAST-UPDATED "200108210000Z"
+ ORGANIZATION "IETF Distributed Management Working Group"
+ CONTACT-INFO
+ "WG EMail: disman@dorothy.bmc.com
+ Subscribe: disman-request@dorothy.bmc.com
+
+ Chair: Randy Presuhn
+ BMC Software, Inc.
+
+ Postal: Office 1-3141
+ 2141 North First Street
+ San Jose, California 95131
+ USA
+ EMail: rpresuhn@bmc.com
+ Phone: +1 408 546-1006
+
+ Editor: David B. Levi
+ Nortel Networks
+ Postal: 4401 Great America Parkway
+ Santa Clara, CA 95052-8185
+ USA
+ EMail: dlevi@nortelnetworks.com
+ Phone: +1 423 686 0432
+
+ Editor: Juergen Schoenwaelder
+ TU Braunschweig
+ Postal: Bueltenweg 74/75
+ 38106 Braunschweig
+ Germany
+ EMail: schoenw@ibr.cs.tu-bs.de
+ Phone: +49 531 391-3283"
+ DESCRIPTION
+ "This MIB module defines a set of objects that allow to
+ delegate management scripts to distributed managers."
+ REVISION "200108210000Z"
+ DESCRIPTION
+ "Revised version, published as RFC 3165.
+
+ This revision introduces several new objects: smScriptError,
+ smScriptLastChange, smLaunchError, smLaunchLastChange,
+ smLaunchRowExpireTime, smRunResultTime, and smRunErrorTime.
+
+ The following existing objects were updated: the maximum
+ value of smRunLifeTime now disables the timer, an
+ autostart value was added to the smLaunchAdminStatus
+ object, and a new expired state was added to the
+ smLaunchOperStatus object.
+
+ A new smScriptException notification has been added to
+ support runtime error notifications.
+
+ Created new conformance and compliance statements that
+ take care of the new objects and notifications.
+
+ Clarifications have been added in several places to remove
+ ambiguities or contradictions that were discovered and
+ reported by implementors."
+
+ REVISION "199902221800Z"
+ DESCRIPTION
+ "Initial version, published as RFC 2592."
+ ::= { mib-2 64 }
+
+--
+-- The groups defined within this MIB module:
+--
+
+smObjects OBJECT IDENTIFIER ::= { scriptMIB 1 }
+smNotifications OBJECT IDENTIFIER ::= { scriptMIB 2 }
+smConformance OBJECT IDENTIFIER ::= { scriptMIB 3 }
+
+--
+-- Script language and language extensions.
+--
+-- This group defines tables which list the languages and the
+-- language extensions supported by a Script MIB implementation.
+-- Languages are uniquely identified by object identifier values.
+--
+
+smLangTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF SmLangEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "This table lists supported script languages."
+ ::= { smObjects 1 }
+
+smLangEntry OBJECT-TYPE
+ SYNTAX SmLangEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An entry describing a particular language."
+ INDEX { smLangIndex }
+ ::= { smLangTable 1 }
+
+SmLangEntry ::= SEQUENCE {
+ smLangIndex Integer32,
+ smLangLanguage OBJECT IDENTIFIER,
+ smLangVersion SnmpAdminString,
+ smLangVendor OBJECT IDENTIFIER,
+ smLangRevision SnmpAdminString,
+ smLangDescr SnmpAdminString
+}
+
+smLangIndex OBJECT-TYPE
+ SYNTAX Integer32 (1..2147483647)
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The locally arbitrary, but unique identifier associated
+ with this language entry.
+
+ The value is expected to remain constant at least from one
+ re-initialization of the entity's network management system
+ to the next re-initialization.
+
+ Note that the data type and the range of this object must
+ be consistent with the definition of smScriptLanguage."
+ ::= { smLangEntry 1 }
+
+smLangLanguage OBJECT-TYPE
+ SYNTAX OBJECT IDENTIFIER
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The globally unique identification of the language."
+ ::= { smLangEntry 2 }
+
+smLangVersion OBJECT-TYPE
+ SYNTAX SnmpAdminString (SIZE (0..32))
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The version number of the language. The zero-length string
+ shall be used if the language does not have a version
+ number.
+
+ It is suggested that the version number consist of one or
+ more decimal numbers separated by dots, where the first
+ number is called the major version number."
+ ::= { smLangEntry 3 }
+
+smLangVendor OBJECT-TYPE
+ SYNTAX OBJECT IDENTIFIER
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "An object identifier which identifies the vendor who
+ provides the implementation of the language. This object
+ identifier SHALL point to the object identifier directly
+ below the enterprise object identifier {1 3 6 1 4 1}
+ allocated for the vendor. The value must be the object
+ identifier {0 0} if the vendor is not known."
+ ::= { smLangEntry 4 }
+
+smLangRevision OBJECT-TYPE
+ SYNTAX SnmpAdminString (SIZE (0..32))
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The version number of the language implementation.
+ The value of this object must be an empty string if
+ version number of the implementation is unknown.
+
+ It is suggested that the value consist of one or more
+ decimal numbers separated by dots, where the first
+ number is called the major version number."
+ ::= { smLangEntry 5 }
+
+smLangDescr OBJECT-TYPE
+ SYNTAX SnmpAdminString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "A textual description of the language."
+ ::= { smLangEntry 6 }
+
+smExtsnTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF SmExtsnEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "This table lists supported language extensions."
+ ::= { smObjects 2 }
+
+smExtsnEntry OBJECT-TYPE
+ SYNTAX SmExtsnEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An entry describing a particular language extension."
+ INDEX { smLangIndex, smExtsnIndex }
+ ::= { smExtsnTable 1 }
+
+SmExtsnEntry ::= SEQUENCE {
+ smExtsnIndex Integer32,
+ smExtsnExtension OBJECT IDENTIFIER,
+ smExtsnVersion SnmpAdminString,
+ smExtsnVendor OBJECT IDENTIFIER,
+ smExtsnRevision SnmpAdminString,
+ smExtsnDescr SnmpAdminString
+}
+
+smExtsnIndex OBJECT-TYPE
+ SYNTAX Integer32 (1..2147483647)
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The locally arbitrary, but unique identifier associated
+ with this language extension entry.
+
+ The value is expected to remain constant at least from one
+ re-initialization of the entity's network management system
+ to the next re-initialization."
+ ::= { smExtsnEntry 1}
+
+smExtsnExtension OBJECT-TYPE
+ SYNTAX OBJECT IDENTIFIER
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The globally unique identification of the language
+ extension."
+ ::= { smExtsnEntry 2 }
+
+smExtsnVersion OBJECT-TYPE
+ SYNTAX SnmpAdminString (SIZE (0..32))
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The version number of the language extension.
+ It is suggested that the version number consist of one or
+ more decimal numbers separated by dots, where the first
+ number is called the major version number."
+ ::= { smExtsnEntry 3 }
+
+smExtsnVendor OBJECT-TYPE
+ SYNTAX OBJECT IDENTIFIER
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "An object identifier which identifies the vendor who
+ provides the implementation of the extension. The
+ object identifier value should point to the OID node
+ directly below the enterprise OID {1 3 6 1 4 1}
+ allocated for the vendor. The value must by the object
+ identifier {0 0} if the vendor is not known."
+ ::= { smExtsnEntry 4 }
+
+smExtsnRevision OBJECT-TYPE
+ SYNTAX SnmpAdminString (SIZE (0..32))
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The version number of the extension implementation.
+ The value of this object must be an empty string if
+ version number of the implementation is unknown.
+
+ It is suggested that the value consist of one or more
+ decimal numbers separated by dots, where the first
+ number is called the major version number."
+ ::= { smExtsnEntry 5 }
+
+smExtsnDescr OBJECT-TYPE
+ SYNTAX SnmpAdminString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "A textual description of the language extension."
+ ::= { smExtsnEntry 6 }
+
+--
+-- Scripts known by the Script MIB implementation.
+--
+-- This group defines a table which lists all known scripts.
+-- Scripts can be added and removed through manipulation of the
+-- smScriptTable.
+--
+
+smScriptObjects OBJECT IDENTIFIER ::= { smObjects 3 }
+
+smScriptTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF SmScriptEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "This table lists and describes locally known scripts."
+ ::= { smScriptObjects 1 }
+
+smScriptEntry OBJECT-TYPE
+ SYNTAX SmScriptEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An entry describing a particular script. Every script that
+ is stored in non-volatile memory is required to appear in
+ this script table."
+ INDEX { smScriptOwner, smScriptName }
+ ::= { smScriptTable 1 }
+
+SmScriptEntry ::= SEQUENCE {
+ smScriptOwner SnmpAdminString,
+ smScriptName SnmpAdminString,
+ smScriptDescr SnmpAdminString,
+ smScriptLanguage Integer32,
+ smScriptSource DisplayString,
+ smScriptAdminStatus INTEGER,
+ smScriptOperStatus INTEGER,
+ smScriptStorageType StorageType,
+ smScriptRowStatus RowStatus,
+ smScriptError SnmpAdminString,
+ smScriptLastChange DateAndTime
+}
+
+smScriptOwner OBJECT-TYPE
+ SYNTAX SnmpAdminString (SIZE (0..32))
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The manager who owns this row in the smScriptTable."
+ ::= { smScriptEntry 1 }
+
+smScriptName OBJECT-TYPE
+ SYNTAX SnmpAdminString (SIZE (1..32))
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The locally-unique, administratively assigned name for this
+ script. This object allows an smScriptOwner to have multiple
+ entries in the smScriptTable.
+
+ This value of this object may be used to derive the name
+ (e.g. a file name) which is used by the Script MIB
+ implementation to access the script in non-volatile
+ storage. The details of this mapping are implementation
+ specific. However, the mapping needs to ensure that scripts
+ created by different owners with the same script name do not
+ map to the same name in non-volatile storage."
+ ::= { smScriptEntry 2 }
+
+smScriptDescr OBJECT-TYPE
+ SYNTAX SnmpAdminString
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "A description of the purpose of the script."
+ ::= { smScriptEntry 3 }
+
+smScriptLanguage OBJECT-TYPE
+ SYNTAX Integer32 (0..2147483647)
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The value of this object type identifies an entry in the
+ smLangTable which is used to execute this script.
+ The special value 0 may be used by hard-wired scripts
+ that can not be modified and that are executed by
+ internal functions.
+
+ Set requests to change this object are invalid if the
+ value of smScriptOperStatus is `enabled' or `compiling'
+ and will result in an inconsistentValue error.
+
+ Note that the data type and the range of this object must
+ be consistent with the definition of smLangIndex."
+ ::= { smScriptEntry 4 }
+
+smScriptSource OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "This object either contains a reference to the script
+ source or an empty string. A reference must be given
+ in the form of a Uniform Resource Locator (URL) as
+ defined in RFC 2396. The allowed character sets and the
+ encoding rules defined in RFC 2396 section 2 apply.
+
+ When the smScriptAdminStatus object is set to `enabled',
+ the Script MIB implementation will `pull' the script
+ source from the URL contained in this object if the URL
+ is not empty.
+
+ An empty URL indicates that the script source is loaded
+ from local storage. The script is read from the smCodeTable
+ if the value of smScriptStorageType is volatile. Otherwise,
+ the script is read from non-volatile storage.
+
+ Note: This document does not mandate implementation of any
+ specific URL scheme. An attempt to load a script from a
+ nonsupported URL scheme will cause the smScriptOperStatus
+ to report an `unknownProtocol' error.
+
+ Set requests to change this object are invalid if the
+ value of smScriptOperStatus is `enabled', `editing',
+ `retrieving' or `compiling' and will result in an
+ inconsistentValue error."
+ DEFVAL { ''H }
+ ::= { smScriptEntry 5 }
+
+smScriptAdminStatus OBJECT-TYPE
+ SYNTAX INTEGER {
+ enabled(1),
+ disabled(2),
+ editing(3)
+ }
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The value of this object indicates the desired status of
+ the script. See the definition of smScriptOperStatus for
+ a description of the values.
+
+ When the smScriptAdminStatus object is set to `enabled' and
+ the smScriptOperStatus is `disabled' or one of the error
+ states, the Script MIB implementation will `pull' the script
+ source from the URL contained in the smScriptSource object
+ if the URL is not empty."
+ DEFVAL { disabled }
+ ::= { smScriptEntry 6 }
+
+smScriptOperStatus OBJECT-TYPE
+ SYNTAX INTEGER {
+ enabled(1),
+ disabled(2),
+ editing(3),
+ retrieving(4),
+ compiling(5),
+ noSuchScript(6),
+ accessDenied(7),
+ wrongLanguage(8),
+ wrongVersion(9),
+ compilationFailed(10),
+ noResourcesLeft(11),
+ unknownProtocol(12),
+ protocolFailure(13),
+ genericError(14)
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The actual status of the script in the runtime system. The
+ value of this object is only meaningful when the value of
+ the smScriptRowStatus object is `active'.
+
+ The smScriptOperStatus object may have the following values:
+
+ - `enabled' indicates that the script is available and can
+ be started by a launch table entry.
+
+ - `disabled' indicates that the script can not be used.
+
+ - `editing' indicates that the script can be modified in the
+ smCodeTable.
+
+ - `retrieving' indicates that the script is currently being
+ loaded from non-volatile storage or a remote system.
+
+ - `compiling' indicates that the script is currently being
+ compiled by the runtime system.
+
+ - `noSuchScript' indicates that the script does not exist
+ at the smScriptSource.
+
+ - `accessDenied' indicates that the script can not be loaded
+ from the smScriptSource due to a lack of permissions.
+
+ - `wrongLanguage' indicates that the script can not be
+ loaded from the smScriptSource because of a language
+ mismatch.
+
+ - `wrongVersion' indicates that the script can not be loaded
+ from the smScriptSource because of a language version
+ mismatch.
+
+ - `compilationFailed' indicates that the compilation failed.
+
+ - `noResourcesLeft' indicates that the runtime system does
+ not have enough resources to load the script.
+
+ - `unknownProtocol' indicates that the script could not be
+ loaded from the smScriptSource because the requested
+ protocol is not supported.
+
+ - `protocolFailure' indicates that the script could not be
+ loaded from the smScriptSource because of a protocol
+ failure.
+
+ - `genericError' indicates that the script could not be
+
+ loaded due to an error condition not listed above.
+
+ The `retrieving' and `compiling' states are transient states
+ which will either lead to one of the error states or the
+ `enabled' state. The `disabled' and `editing' states are
+ administrative states which are only reached by explicit
+ management operations.
+
+ All launch table entries that refer to this script table
+ entry shall have an smLaunchOperStatus value of `disabled'
+ when the value of this object is not `enabled'."
+ DEFVAL { disabled }
+ ::= { smScriptEntry 7 }
+
+smScriptStorageType OBJECT-TYPE
+ SYNTAX StorageType
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "This object defines whether this row and the script
+ controlled by this row are kept in volatile storage and
+ lost upon reboot or if this row is backed up by
+ non-volatile or permanent storage.
+
+ The storage type of this row always complies with the value
+ of this entry if the value of the corresponding RowStatus
+ object is `active'.
+
+ However, the storage type of the script controlled by this
+ row may be different, if the value of this entry is
+ `non-volatile'. The script controlled by this row is written
+ into local non-volatile storage if the following condition
+ becomes true:
+
+ (a) the URL contained in the smScriptSource object is empty
+ and
+ (b) the smScriptStorageType is `nonVolatile'
+ and
+ (c) the smScriptOperStatus is `enabled'
+
+ Setting this object to `volatile' removes a script from
+ non-volatile storage if the script controlled by this row
+ has been in non-volatile storage before. Attempts to set
+ this object to permanent will always fail with an
+ inconsistentValue error.
+
+ The value of smScriptStorageType is only meaningful if the
+ value of the corresponding RowStatus object is `active'.
+
+ If smScriptStorageType has the value permanent(4), then all
+ objects whose MAX-ACCESS value is read-create must be
+ writable, with the exception of the smScriptStorageType and
+ smScriptRowStatus objects, which shall be read-only."
+ DEFVAL { volatile }
+ ::= { smScriptEntry 8 }
+
+smScriptRowStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "A control that allows entries to be added and removed from
+ this table.
+
+ Changing the smScriptRowStatus from `active' to
+ `notInService' will remove the associated script from the
+ runtime system.
+
+ Deleting conceptual rows from this table may affect the
+ deletion of other resources associated with this row. For
+ example, a script stored in non-volatile storage may be
+ removed from non-volatile storage.
+
+ An entry may not exist in the `active' state unless all
+ required objects in the entry have appropriate values. Rows
+ that are not complete or not in service are not known by the
+ script runtime system.
+
+ Attempts to `destroy' a row or to set a row `notInService'
+ while the smScriptOperStatus is `enabled' will result in an
+ inconsistentValue error.
+
+ Attempts to `destroy' a row or to set a row `notInService'
+ where the value of the smScriptStorageType object is
+ `permanent' or `readOnly' will result in an
+ inconsistentValue error.
+
+ The value of this object has no effect on whether other
+ objects in this conceptual row can be modified."
+ ::= { smScriptEntry 9 }
+
+smScriptError OBJECT-TYPE
+ SYNTAX SnmpAdminString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "This object contains a descriptive error message if the
+
+ transition into the operational status `enabled' failed.
+ Implementations must reset the error message to a
+ zero-length string when a new attempt to change the
+ script status to `enabled' is started."
+ DEFVAL { ''H }
+ ::= { smScriptEntry 10 }
+
+smScriptLastChange OBJECT-TYPE
+ SYNTAX DateAndTime
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The date and time when this script table entry was last
+ modified. The value '0000000000000000'H is returned if
+ the script table entry has not yet been modified.
+
+ Note that the resetting of smScriptError is not considered
+ a change of the script table entry."
+ DEFVAL { '0000000000000000'H }
+ ::= { smScriptEntry 11 }
+
+--
+-- Access to script code via SNMP
+--
+-- The smCodeTable allows script code to be read and modified
+-- via SNMP.
+--
+
+smCodeTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF SmCodeEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "This table contains the script code for scripts that are
+ written via SNMP write operations."
+ ::= { smScriptObjects 2 }
+
+smCodeEntry OBJECT-TYPE
+ SYNTAX SmCodeEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An entry describing a particular fragment of a script."
+ INDEX { smScriptOwner, smScriptName, smCodeIndex }
+ ::= { smCodeTable 1 }
+
+SmCodeEntry ::= SEQUENCE {
+ smCodeIndex Unsigned32,
+ smCodeText OCTET STRING,
+ smCodeRowStatus RowStatus
+}
+
+smCodeIndex OBJECT-TYPE
+ SYNTAX Unsigned32 (1..4294967295)
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The index value identifying this code fragment."
+ ::= { smCodeEntry 1 }
+
+smCodeText OBJECT-TYPE
+ SYNTAX OCTET STRING (SIZE (1..1024))
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The code that makes up a fragment of a script. The format
+ of this code fragment depends on the script language which
+ is identified by the associated smScriptLanguage object."
+ ::= { smCodeEntry 2 }
+
+smCodeRowStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "A control that allows entries to be added and removed from
+ this table.
+
+ The value of this object has no effect on whether other
+ objects in this conceptual row can be modified."
+ ::= { smCodeEntry 3 }
+
+--
+-- Script execution.
+--
+-- This group defines tables which allow script execution to be
+-- initiated, suspended, resumed, and terminated. It also provides
+-- a mechanism for keeping a history of recent script executions
+-- and their results.
+--
+
+smRunObjects OBJECT IDENTIFIER ::= { smObjects 4 }
+
+smLaunchTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF SmLaunchEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "This table lists and describes scripts that are ready
+ to be executed together with their parameters."
+ ::= { smRunObjects 1 }
+
+smLaunchEntry OBJECT-TYPE
+ SYNTAX SmLaunchEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An entry describing a particular executable script."
+ INDEX { smLaunchOwner, smLaunchName } + ::= { smLaunchTable 1 } + +SmLaunchEntry ::= SEQUENCE { + smLaunchOwner SnmpAdminString, + smLaunchName SnmpAdminString, + smLaunchScriptOwner SnmpAdminString, + smLaunchScriptName SnmpAdminString, + smLaunchArgument OCTET STRING, + smLaunchMaxRunning Unsigned32, + smLaunchMaxCompleted Unsigned32, + smLaunchLifeTime TimeInterval, + smLaunchExpireTime TimeInterval, + smLaunchStart Integer32, + smLaunchControl INTEGER, + smLaunchAdminStatus INTEGER, + smLaunchOperStatus INTEGER, + smLaunchRunIndexNext Integer32, + smLaunchStorageType StorageType, + smLaunchRowStatus RowStatus, + smLaunchError SnmpAdminString, + smLaunchLastChange DateAndTime, + smLaunchRowExpireTime TimeInterval +} + +smLaunchOwner OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE (0..32)) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The manager who owns this row in the smLaunchTable. Every + instance of a running script started from a particular entry + in the smLaunchTable (i.e. entries in the smRunTable) will + be owned by the same smLaunchOwner used to index the entry + in the smLaunchTable. This owner is not necessarily the same + as the owner of the script itself (smLaunchScriptOwner)." + ::= { smLaunchEntry 1 } + +smLaunchName OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE (1..32)) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The locally-unique, administratively assigned name for this + launch table entry. This object allows an smLaunchOwner to + have multiple entries in the smLaunchTable. The smLaunchName + is an arbitrary name that must be different from any other + smLaunchTable entries with the same smLaunchOwner but can be + the same as other entries in the smLaunchTable with + different smLaunchOwner values. Note that the value of + smLaunchName is not related in any way to the name of the + script being launched." 
+ ::= { smLaunchEntry 2 } + +smLaunchScriptOwner OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE (0..32)) + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The value of this object in combination with the value of + smLaunchScriptName identifies the script that can be + launched from this smLaunchTable entry. Attempts to write + this object will fail with an inconsistentValue error if + the value of smLaunchOperStatus is `enabled'." + ::= { smLaunchEntry 3 } + +smLaunchScriptName OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE (0..32)) + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The value of this object in combination with the value of + the smLaunchScriptOwner identifies the script that can be + launched from this smLaunchTable entry. The zero-length + string may be used to point to a non-existing script. + + Attempts to write this object will fail with an + inconsistentValue error if the value of smLaunchOperStatus + is `enabled'." + DEFVAL { ''H } + ::= { smLaunchEntry 4 } + +smLaunchArgument OBJECT-TYPE + SYNTAX OCTET STRING + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The argument supplied to the script. When a script is + invoked, the value of this object is used to initialize + the smRunArgument object." + DEFVAL { ''H } + ::= { smLaunchEntry 5 } + +smLaunchMaxRunning OBJECT-TYPE + SYNTAX Unsigned32 (1..4294967295) + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The maximum number of concurrently running scripts that may + be invoked from this entry in the smLaunchTable. Lowering + the current value of this object does not affect any scripts + that are already executing." + DEFVAL { 1 } + ::= { smLaunchEntry 6 } + +smLaunchMaxCompleted OBJECT-TYPE + SYNTAX Unsigned32 (1..4294967295) + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The maximum number of finished scripts invoked from this + entry in the smLaunchTable allowed to be retained in the + smRunTable. 
Whenever the value of this object is changed + and whenever a script terminates, entries in the smRunTable + are deleted if necessary until the number of completed + scripts is smaller than the value of this object. Scripts + whose smRunEndTime value indicates the oldest completion + time are deleted first." + DEFVAL { 1 } + ::= { smLaunchEntry 7 } + +smLaunchLifeTime OBJECT-TYPE + SYNTAX TimeInterval + UNITS "centi-seconds" + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The default maximum amount of time a script launched + from this entry may run. The value of this object is used + to initialize the smRunLifeTime object when a script is + launched. Changing the value of an smLaunchLifeTime + instance does not affect scripts previously launched from + + this entry." + DEFVAL { 360000 } + ::= { smLaunchEntry 8 } + +smLaunchExpireTime OBJECT-TYPE + SYNTAX TimeInterval + UNITS "centi-seconds" + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The default maximum amount of time information about a + script launched from this entry is kept in the smRunTable + after the script has completed execution. The value of + this object is used to initialize the smRunExpireTime + object when a script is launched. Changing the value of an + smLaunchExpireTime instance does not affect scripts + previously launched from this entry." + DEFVAL { 360000 } + ::= { smLaunchEntry 9 } + +smLaunchStart OBJECT-TYPE + SYNTAX Integer32 (0..2147483647) + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "This object is used to start the execution of scripts. + When retrieved, the value will be the value of smRunIndex + for the last script that started execution by manipulating + this object. The value will be zero if no script started + execution yet. + + A script is started by setting this object to an unused + smRunIndex value. 
A new row in the smRunTable will be + created which is indexed by the value supplied by the + set-request in addition to the value of smLaunchOwner and + smLaunchName. An unused value can be obtained by reading + the smLaunchRunIndexNext object. + + Setting this object to the special value 0 will start + the script with a self-generated smRunIndex value. The + consequence is that the script invoker has no reliable + way to determine the smRunIndex value for this script + invocation and that the invoker has therefore no way + to obtain the results from this script invocation. The + special value 0 is however useful for scheduled script + invocations. + + If this object is set, the following checks must be + + performed: + + 1) The value of the smLaunchOperStatus object in this + entry of the smLaunchTable must be `enabled'. + 2) The values of smLaunchScriptOwner and + smLaunchScriptName of this row must identify an + existing entry in the smScriptTable. + 3) The value of smScriptOperStatus of this entry must + be `enabled'. + 4) The principal performing the set operation must have + read access to the script. This must be checked by + calling the isAccessAllowed abstract service interface + defined in RFC 2271 on the row in the smScriptTable + identified by smLaunchScriptOwner and smLaunchScriptName. + The isAccessAllowed abstract service interface must be + called on all columnar objects in the smScriptTable with + a MAX-ACCESS value different than `not-accessible'. The + test fails as soon as a call indicates that access is + not allowed. + 5) If the value provided by the set operation is not 0, + a check must be made that the value is currently not + in use. Otherwise, if the value provided by the set + operation is 0, a suitable unused value must be + generated. + 6) The number of currently executing scripts invoked + from this smLaunchTable entry must be less than + smLaunchMaxRunning. 
+ + Attempts to start a script will fail with an + inconsistentValue error if one of the checks described + above fails. + + Otherwise, if all checks have been passed, a new entry + in the smRunTable will be created indexed by smLaunchOwner, + smLaunchName and the new value for smRunIndex. The value + of smLaunchArgument will be copied into smRunArgument, + the value of smLaunchLifeTime will be copied to + smRunLifeTime, and the value of smLaunchExpireTime + will be copied to smRunExpireTime. + + The smRunStartTime will be set to the current time and + the smRunState will be set to `initializing' before the + script execution is initiated in the appropriate runtime + system. + + Note that the data type and the range of this object must + be consistent with the smRunIndex object. Since this + object might be written from the scheduling MIB, the + + data type Integer32 rather than Unsigned32 is used." + DEFVAL { 0 } + ::= { smLaunchEntry 10 } + +smLaunchControl OBJECT-TYPE + SYNTAX INTEGER { + abort(1), + suspend(2), + resume(3), + nop(4) + } + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "This object is used to request a state change for all + running scripts in the smRunTable that were started from + this row in the smLaunchTable. + + Setting this object to abort(1), suspend(2) or resume(3) + will set the smRunControl object of all applicable rows + in the smRunTable to abort(1), suspend(2) or resume(3) + respectively. The phrase `applicable rows' means the set of + rows which were created from this entry in the smLaunchTable + and whose value of smRunState allows the corresponding + state change as described in the definition of the + smRunControl object. Setting this object to nop(4) has no + effect. + + Attempts to set this object lead to an inconsistentValue + error only if all implicated sets on all the applicable + rows lead to inconsistentValue errors. 
It is not allowed + to return an inconsistentValue error if at least one state + change on one of the applicable rows was successful." + DEFVAL { nop } + ::= { smLaunchEntry 11 } + +smLaunchAdminStatus OBJECT-TYPE + SYNTAX INTEGER { + enabled(1), + disabled(2), + autostart(3) + } + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The value of this object indicates the desired status of + this launch table entry. The values enabled(1) and + autostart(3) both indicate that the launch table entry + + should transition into the operational enabled(1) state as + soon as the associated script table entry is enabled(1). + + The value autostart(3) further indicates that the script + is started automatically by conceptually writing the + value 0 into the associated smLaunchStart object during + the transition from the `disabled' into the `enabled' + operational state. This is useful for scripts that are + to be launched on system start-up." + DEFVAL { disabled } + ::= { smLaunchEntry 12 } + +smLaunchOperStatus OBJECT-TYPE + SYNTAX INTEGER { + enabled(1), + disabled(2), + expired(3) + } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object indicates the actual status of + this launch table entry. The smLaunchOperStatus object + may have the following values: + + - `enabled' indicates that the launch table entry is + available and can be used to start scripts. + + - `disabled' indicates that the launch table entry can + not be used to start scripts. + + - `expired' indicates that the launch table entry can + not be used to start scripts and will disappear as + soon as all smRunTable entries associated with this + launch table entry have disappeared. + + The value `enabled' requires that the smLaunchRowStatus + object is active. The value `disabled' requires that there + are no entries in the smRunTable associated with this + smLaunchTable entry." 
+ DEFVAL { disabled } + ::= { smLaunchEntry 13 } + +smLaunchRunIndexNext OBJECT-TYPE + SYNTAX Integer32 (1..2147483647) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "This variable is used for creating rows in the smRunTable. + The value of this variable is a currently unused value + for smRunIndex, which can be written into the smLaunchStart + object associated with this row to launch a script. + + The value returned when reading this variable must be unique + for the smLaunchOwner and smLaunchName associated with this + row. Subsequent attempts to read this variable must return + different values. + + This variable will return the special value 0 if no new rows + can be created. + + Note that the data type and the range of this object must be + consistent with the definition of smRunIndex." + ::= { smLaunchEntry 14 } + +smLaunchStorageType OBJECT-TYPE + SYNTAX StorageType + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "This object defines if this row is kept in volatile storage + and lost upon reboot or if this row is backed up by stable + storage. + + The value of smLaunchStorageType is only meaningful if the + value of the corresponding RowStatus object is active. + + If smLaunchStorageType has the value permanent(4), then all + objects whose MAX-ACCESS value is read-create must be + writable, with the exception of the smLaunchStorageType and + smLaunchRowStatus objects, which shall be read-only." + DEFVAL { volatile } + ::= { smLaunchEntry 15 } + +smLaunchRowStatus OBJECT-TYPE + SYNTAX RowStatus + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "A control that allows entries to be added and removed from + this table. + + Attempts to `destroy' a row or to set a row `notInService' + while the smLaunchOperStatus is `enabled' will result in + an inconsistentValue error. 
+ + Attempts to `destroy' a row or to set a row `notInService' + where the value of the smLaunchStorageType object is + `permanent' or `readOnly' will result in an + inconsistentValue error. + + The value of this object has no effect on whether other + objects in this conceptual row can be modified." + ::= { smLaunchEntry 16 } + +smLaunchError OBJECT-TYPE + SYNTAX SnmpAdminString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "This object contains a descriptive error message if an + attempt to launch a script fails. Implementations must reset + the error message to a zero-length string when a new attempt + to launch a script is started." + DEFVAL { ''H } + ::= { smLaunchEntry 17 } + +smLaunchLastChange OBJECT-TYPE + SYNTAX DateAndTime + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The date and time when this launch table entry was last + modified. The value '0000000000000000'H is returned if + the launch table entry has not yet been modified. + + Note that a change of smLaunchStart, smLaunchControl, + smLaunchRunIndexNext, smLaunchRowExpireTime, or the + resetting of smLaunchError is not considered a change + of this launch table entry." + DEFVAL { '0000000000000000'H } + ::= { smLaunchEntry 18 } + +smLaunchRowExpireTime OBJECT-TYPE + SYNTAX TimeInterval + UNITS "centi-seconds" + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The value of this object specifies how long this row remains + in the `enabled' or `disabled' operational state. The value + reported by this object ticks backwards. When the value + reaches 0, it stops ticking backward and the row is + deleted if there are no smRunTable entries associated with + + this smLaunchTable entry. Otherwise, the smLaunchOperStatus + changes to `expired' and the row deletion is deferred + until there are no smRunTable entries associated with this + smLaunchTable entry. + + The smLaunchRowExpireTime will not tick backwards if it is + set to its maximum value (2147483647). 
In other words, + setting this object to its maximum value turns the timer + off. + + The value of this object may be set in order to increase + or reduce the remaining time that the launch table entry + may be used. Setting the value to 0 will cause an immediate + row deletion or transition into the `expired' operational + state. + + It is not possible to set this object while the operational + status is `expired'. Attempts to modify this object while + the operational status is `expired' leads to an + inconsistentValue error. + + Note that the timer ticks backwards independent of the + operational state of the launch table entry." + DEFVAL { 2147483647 } + ::= { smLaunchEntry 19 } + +smRunTable OBJECT-TYPE + SYNTAX SEQUENCE OF SmRunEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "This table lists and describes scripts that are currently + running or have been running in the past." + ::= { smRunObjects 2 } + +smRunEntry OBJECT-TYPE + SYNTAX SmRunEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "An entry describing a particular running or finished + script." + INDEX { smLaunchOwner, smLaunchName, smRunIndex } + ::= { smRunTable 1 } + +SmRunEntry ::= SEQUENCE { + smRunIndex Integer32, + smRunArgument OCTET STRING, + smRunStartTime DateAndTime, + smRunEndTime DateAndTime, + smRunLifeTime TimeInterval, + smRunExpireTime TimeInterval, + smRunExitCode INTEGER, + smRunResult OCTET STRING, + smRunControl INTEGER, + smRunState INTEGER, + smRunError SnmpAdminString, + smRunResultTime DateAndTime, + smRunErrorTime DateAndTime +} + +smRunIndex OBJECT-TYPE + SYNTAX Integer32 (1..2147483647) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The locally arbitrary, but unique identifier associated + with this running or finished script. This value must be + unique for all rows in the smRunTable with the same + smLaunchOwner and smLaunchName. 
+ + Note that the data type and the range of this object must + be consistent with the definition of smLaunchRunIndexNext + and smLaunchStart." + ::= { smRunEntry 1 } + +smRunArgument OBJECT-TYPE + SYNTAX OCTET STRING + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The argument supplied to the script when it started." + DEFVAL { ''H } + ::= { smRunEntry 2 } + +smRunStartTime OBJECT-TYPE + SYNTAX DateAndTime + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The date and time when the execution started. The value + '0000000000000000'H is returned if the script has not + started yet." + DEFVAL { '0000000000000000'H } + ::= { smRunEntry 3 } + +smRunEndTime OBJECT-TYPE + SYNTAX DateAndTime + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The date and time when the execution terminated. The value + '0000000000000000'H is returned if the script has not + terminated yet." + DEFVAL { '0000000000000000'H } + ::= { smRunEntry 4 } + +smRunLifeTime OBJECT-TYPE + SYNTAX TimeInterval + UNITS "centi-seconds" + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "This object specifies how long the script can execute. + This object returns the remaining time that the script + may run. The object is initialized with the value of the + associated smLaunchLifeTime object and ticks backwards. + The script is aborted immediately when the value reaches 0. + + The value of this object may be set in order to increase or + reduce the remaining time that the script may run. Setting + this value to 0 will abort script execution immediately, + and, if the value of smRunExpireTime is also 0, will remove + this entry from the smRunTable once it has terminated. + + If smRunLifeTime is set to its maximum value (2147483647), + either by a set operation or by its initialization from the + smLaunchLifeTime object, then it will not tick backwards. + A running script with a maximum smRunLifeTime value will + thus never be terminated with a `lifeTimeExceeded' exit + code. 
+ + The value of smRunLifeTime reflects the real-time execution + time as seen by the outside world. The value of this object + will always be 0 for a script that finished execution, that + is smRunState has the value `terminated'. + + The value of smRunLifeTime does not change while a script + is suspended, that is smRunState has the value `suspended'. + Note that this does not affect set operations. It is legal + to modify smRunLifeTime via set operations while a script + is suspended." + ::= { smRunEntry 5 } + +smRunExpireTime OBJECT-TYPE + SYNTAX TimeInterval + UNITS "centi-seconds" + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The value of this object specifies how long this row can + exist in the smRunTable after the script has terminated. + This object returns the remaining time that the row may + exist before it is aged out. The object is initialized with + the value of the associated smLaunchExpireTime object and + ticks backwards. The entry in the smRunTable is destroyed + when the value reaches 0 and the smRunState has the value + `terminated'. + + The value of this object may be set in order to increase or + reduce the remaining time that the row may exist. Setting + the value to 0 will destroy this entry as soon as the + smRunState has the value `terminated'." + ::= { smRunEntry 6 } + +smRunExitCode OBJECT-TYPE + SYNTAX INTEGER { + noError(1), + halted(2), + lifeTimeExceeded(3), + noResourcesLeft(4), + languageError(5), + runtimeError(6), + invalidArgument(7), + securityViolation(8), + genericError(9) + } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object indicates the reason why a + script finished execution. 
The smRunExitCode code may have + one of the following values: + + - `noError', which indicates that the script completed + successfully without errors; + + - `halted', which indicates that the script was halted + by a request from an authorized manager; + + - `lifeTimeExceeded', which indicates that the script + exited because a time limit was exceeded; + + - `noResourcesLeft', which indicates that the script + exited because it ran out of resources (e.g. memory); + + - `languageError', which indicates that the script exited + because of a language error (e.g. a syntax error in an + interpreted language); + + - `runtimeError', which indicates that the script exited + due to a runtime error (e.g. a division by zero); + + - `invalidArgument', which indicates that the script could + not be run because of invalid script arguments; + + - `securityViolation', which indicates that the script + exited due to a security violation; + + - `genericError', which indicates that the script exited + for an unspecified reason. + + If the script has not yet begun running, or is currently + running, the value will be `noError'." + DEFVAL { noError } + ::= { smRunEntry 7 } + +smRunResult OBJECT-TYPE + SYNTAX OCTET STRING + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The result value produced by the running script. Note that + the result may change while the script is executing." + DEFVAL { ''H } + ::= { smRunEntry 8 } + +smRunControl OBJECT-TYPE + SYNTAX INTEGER { + abort(1), + suspend(2), + resume(3), + nop(4) + } + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The value of this object indicates the desired status of the + script execution defined by this row. + + Setting this object to `abort' will abort execution if the + + value of smRunState is `initializing', `executing', + `suspending', `suspended' or `resuming'. 
Setting this object + to `abort' when the value of smRunState is `aborting' or + `terminated', or if the implementation can determine that + the attempt to abort the execution would fail, will result + in an inconsistentValue error. + + Setting this object to `suspend' will suspend execution + if the value of smRunState is `executing'. Setting this + object to `suspend' will cause an inconsistentValue error + if the value of smRunState is not `executing' or if the + implementation can determine that the attempt to suspend + the execution would fail. + + Setting this object to `resume' will resume execution + if the value of smRunState is `suspending' or + `suspended'. Setting this object to `resume' will cause an + inconsistentValue error if the value of smRunState is + not `suspended' or if the implementation can determine + that the attempt to resume the execution would fail. + + Setting this object to nop(4) has no effect." + DEFVAL { nop } + ::= { smRunEntry 9 } + +smRunState OBJECT-TYPE + SYNTAX INTEGER { + initializing(1), + executing(2), + suspending(3), + suspended(4), + resuming(5), + aborting(6), + terminated(7) + } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object indicates the script's execution + state. If the script has been invoked but has not yet + begun execution, the value will be `initializing'. If the + script is running, the value will be `executing'. + + A running script which received a request to suspend + execution first transitions into a temporary `suspending' + state. The temporary `suspending' state changes to + `suspended' when the script has actually been suspended. The + temporary `suspending' state changes back to `executing' if + + the attempt to suspend the running script fails. + + A suspended script which received a request to resume + execution first transitions into a temporary `resuming' + state. The temporary `resuming' state changes to `running' + when the script has actually been resumed. 
The temporary + `resuming' state changes back to `suspended' if the attempt + to resume the suspended script fails. + + A script which received a request to abort execution but + which is still running first transitions into a temporary + `aborting' state. + + A script which has finished its execution is `terminated'." + ::= { smRunEntry 10 } + +smRunError OBJECT-TYPE + SYNTAX SnmpAdminString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "This object contains a descriptive error message if the + script startup or execution raised an abnormal condition. + An implementation must store a descriptive error message + in this object if the script exits with the smRunExitCode + `genericError'." + DEFVAL { ''H } + ::= { smRunEntry 11 } + +smRunResultTime OBJECT-TYPE + SYNTAX DateAndTime + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The date and time when the smRunResult was last updated. + The value '0000000000000000'H is returned if smRunResult + has not yet been updated after the creation of this + smRunTable entry." + DEFVAL { '0000000000000000'H } + ::= { smRunEntry 12 } + +smRunErrorTime OBJECT-TYPE + SYNTAX DateAndTime + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The date and time when the smRunError was last updated. + The value '0000000000000000'H is returned if smRunError + + has not yet been updated after the creation of this + smRunTable entry." + DEFVAL { '0000000000000000'H } + ::= { smRunEntry 13 } + +-- +-- Notifications. The definition of smTraps makes notification +-- registrations reversible (see STD 58, RFC 2578). +-- + +smTraps OBJECT IDENTIFIER ::= { smNotifications 0 } + +smScriptAbort NOTIFICATION-TYPE + OBJECTS { smRunExitCode, smRunEndTime, smRunError } + STATUS current + DESCRIPTION + "This notification is generated whenever a running script + terminates with an smRunExitCode unequal to `noError'." 
+ ::= { smTraps 1 } + +smScriptResult NOTIFICATION-TYPE + OBJECTS { smRunResult } + STATUS current + DESCRIPTION + "This notification can be used by scripts to notify other + management applications about results produced by the + script. + + This notification is not automatically generated by the + Script MIB implementation. It is the responsibility of + the executing script to emit this notification where it + is appropriate to do so." + ::= { smTraps 2 } + +smScriptException NOTIFICATION-TYPE + OBJECTS { smRunError } + STATUS current + DESCRIPTION + "This notification can be used by scripts to notify other + management applications about script errors. + + This notification is not automatically generated by the + Script MIB implementation. It is the responsibility of + the executing script or the runtime system to emit this + notification where it is appropriate to do so." + ::= { smTraps 3 } + +-- conformance information + +smCompliances OBJECT IDENTIFIER ::= { smConformance 1 } +smGroups OBJECT IDENTIFIER ::= { smConformance 2 } + +-- compliance statements + +smCompliance2 MODULE-COMPLIANCE + STATUS current + DESCRIPTION + "The compliance statement for SNMP entities which implement + the Script MIB." + MODULE -- this module + MANDATORY-GROUPS { + smLanguageGroup, smScriptGroup2, smLaunchGroup2, + smRunGroup2, smNotificationsGroup2 + } + GROUP smCodeGroup + DESCRIPTION + "The smCodeGroup is mandatory only for those implementations + that support the downloading of scripts via SNMP." + OBJECT smScriptSource + MIN-ACCESS read-only + DESCRIPTION + "The smScriptSource object is read-only for implementations + that are not able to download script code from a URL." + OBJECT smCodeText + DESCRIPTION + "A compliant implementation need only support write access to + the smCodeText object only during row creation." + OBJECT smLaunchArgument + DESCRIPTION + "A compliant implementation has to support a minimum size + for smLaunchArgument of 255 octets." 
+ OBJECT smRunArgument + DESCRIPTION + "A compliant implementation has to support a minimum size + for smRunArgument of 255 octets." + OBJECT smRunResult + DESCRIPTION + "A compliant implementation has to support a minimum size + for smRunResult of 255 octets." + OBJECT smRunState + DESCRIPTION + "A compliant implementation does not have to support script + suspension and the smRunState `suspended'. Such an + implementation will change into the `suspending' state + when the smRunControl is set to `suspend' and remain in this + state until smRunControl is set to `resume' or the script + terminates." + ::= { smCompliances 2 } + +smLanguageGroup OBJECT-GROUP + OBJECTS { + smLangLanguage, smLangVersion, + smLangVendor, smLangRevision, + smLangDescr, smExtsnExtension, + smExtsnVersion, smExtsnVendor, + smExtsnRevision, smExtsnDescr + } + STATUS current + DESCRIPTION + "A collection of objects providing information about the + capabilities of the scripting engine." + ::= { smGroups 1 } + +smScriptGroup2 OBJECT-GROUP + OBJECTS { + smScriptDescr, smScriptLanguage, + smScriptSource, smScriptAdminStatus, + smScriptOperStatus, smScriptStorageType, + smScriptRowStatus, smScriptError, + smScriptLastChange + } + STATUS current + DESCRIPTION + "A collection of objects providing information about + installed scripts." + ::= { smGroups 7 } + +smCodeGroup OBJECT-GROUP + OBJECTS { + smCodeText, smCodeRowStatus + } + STATUS current + DESCRIPTION + "A collection of objects used to download or modify scripts + by using SNMP set requests." 
+ ::= { smGroups 3 } + +smLaunchGroup2 OBJECT-GROUP + OBJECTS { + smLaunchScriptOwner, smLaunchScriptName, + smLaunchArgument, smLaunchMaxRunning, + smLaunchMaxCompleted, smLaunchLifeTime, + smLaunchExpireTime, smLaunchStart, + smLaunchControl, smLaunchAdminStatus, + smLaunchOperStatus, smLaunchRunIndexNext, + smLaunchStorageType, smLaunchRowStatus, + smLaunchError, smLaunchLastChange, + smLaunchRowExpireTime + } + STATUS current + DESCRIPTION + "A collection of objects providing information about scripts + that can be launched." + ::= { smGroups 8 } + +smRunGroup2 OBJECT-GROUP + OBJECTS { + smRunArgument, smRunStartTime, + smRunEndTime, smRunLifeTime, + smRunExpireTime, smRunExitCode, + smRunResult, smRunState, + smRunControl, smRunError, + smRunResultTime, smRunErrorTime + } + STATUS current + DESCRIPTION + "A collection of objects providing information about running + scripts." + ::= { smGroups 9 } + +smNotificationsGroup2 NOTIFICATION-GROUP + NOTIFICATIONS { + smScriptAbort, + smScriptResult, + smScriptException + } + STATUS current + DESCRIPTION + "The notifications emitted by the Script MIB." + ::= { smGroups 10 } + +-- +-- Deprecated compliance and conformance group definitions +-- from RFC 2592. +-- + +smCompliance MODULE-COMPLIANCE + STATUS deprecated + DESCRIPTION + "The compliance statement for SNMP entities which implement + the Script MIB." + MODULE -- this module + MANDATORY-GROUPS { + + smLanguageGroup, smScriptGroup, smLaunchGroup, smRunGroup + } + GROUP smCodeGroup + DESCRIPTION + "The smCodeGroup is mandatory only for those implementations + that support the downloading of scripts via SNMP." + OBJECT smScriptSource + MIN-ACCESS read-only + DESCRIPTION + "The smScriptSource object is read-only for implementations + that are not able to download script code from a URL." + OBJECT smCodeText + DESCRIPTION + "A compliant implementation need only support write access + to the smCodeText object during row creation." 
+ OBJECT smLaunchArgument + DESCRIPTION + "A compliant implementation has to support a minimum size + for smLaunchArgument of 255 octets." + OBJECT smRunArgument + DESCRIPTION + "A compliant implementation has to support a minimum size + for smRunArgument of 255 octets." + OBJECT smRunResult + DESCRIPTION + "A compliant implementation has to support a minimum size + for smRunResult of 255 octets." + OBJECT smRunState + DESCRIPTION + "A compliant implementation does not have to support script + suspension and the smRunState `suspended'. Such an + implementation will change into the `suspending' state + when the smRunControl is set to `suspend' and remain in this + state until smRunControl is set to `resume' or the script + terminates." + ::= { smCompliances 1 } + +smScriptGroup OBJECT-GROUP + OBJECTS { + smScriptDescr, smScriptLanguage, + smScriptSource, smScriptAdminStatus, + smScriptOperStatus, smScriptStorageType, + smScriptRowStatus + } + STATUS deprecated + DESCRIPTION + "A collection of objects providing information about + installed scripts." + ::= { smGroups 2 } + +smLaunchGroup OBJECT-GROUP + OBJECTS { + smLaunchScriptOwner, smLaunchScriptName, + smLaunchArgument, smLaunchMaxRunning, + smLaunchMaxCompleted, smLaunchLifeTime, + smLaunchExpireTime, smLaunchStart, + smLaunchControl, smLaunchAdminStatus, + smLaunchOperStatus, smLaunchRunIndexNext, + smLaunchStorageType, smLaunchRowStatus + } + STATUS deprecated + DESCRIPTION + "A collection of objects providing information about scripts + that can be launched." + ::= { smGroups 4 } + +smRunGroup OBJECT-GROUP + OBJECTS { + smRunArgument, smRunStartTime, + smRunEndTime, smRunLifeTime, + smRunExpireTime, smRunExitCode, + smRunResult, smRunState, + smRunControl, smRunError + } + STATUS deprecated + DESCRIPTION + "A collection of objects providing information about running + scripts." 
+ ::= { smGroups 5 }
+
+smNotificationsGroup NOTIFICATION-GROUP
+ NOTIFICATIONS {
+ smScriptAbort,
+ smScriptResult
+ }
+ STATUS deprecated
+ DESCRIPTION
+ "The notifications emitted by the Script MIB."
+ ::= { smGroups 6 }
+
+END
diff --git a/mibs/DISMAN-TRACEROUTE-MIB.txt b/mibs/DISMAN-TRACEROUTE-MIB.txt
new file mode 100644
index 000000000..d207b2455
--- /dev/null
+++ b/mibs/DISMAN-TRACEROUTE-MIB.txt
@@ -0,0 +1,1850 @@ +DISMAN-TRACEROUTE-MIB DEFINITIONS ::= BEGIN + +IMPORTS + MODULE-IDENTITY, OBJECT-TYPE, Integer32, + Gauge32, Unsigned32, mib-2, + NOTIFICATION-TYPE, + OBJECT-IDENTITY + FROM SNMPv2-SMI -- RFC2578 + RowStatus, StorageType, + TruthValue, DateAndTime + FROM SNMPv2-TC -- RFC2579 + MODULE-COMPLIANCE, OBJECT-GROUP, + NOTIFICATION-GROUP + FROM SNMPv2-CONF -- RFC2580 + SnmpAdminString + FROM SNMP-FRAMEWORK-MIB -- RFC3411 + InterfaceIndexOrZero -- RFC2863 + FROM IF-MIB + InetAddressType, InetAddress + FROM INET-ADDRESS-MIB -- RFC4001 + OperationResponseStatus + FROM DISMAN-PING-MIB; -- RFC4560 + + traceRouteMIB MODULE-IDENTITY + LAST-UPDATED "200606130000Z" -- 13 June 2006 + ORGANIZATION "IETF Distributed Management Working Group" + CONTACT-INFO + "Juergen Quittek + + NEC Europe Ltd. + Network Laboratories + Kurfuersten-Anlage 36 + 69115 Heidelberg + Germany + + Phone: +49 6221 4342-115 + Email: quittek@netlab.nec.de" + DESCRIPTION + "The Traceroute MIB (DISMAN-TRACEROUTE-MIB) provides + access to the traceroute capability at a remote host. + + Copyright (C) The Internet Society (2006). This version of + this MIB module is part of RFC 4560; see the RFC itself for + full legal notices." + + -- Revision history + + REVISION "200606130000Z" -- 13 June 2006 + DESCRIPTION + "Updated version, published as RFC 4560. 
+ - Correctly considered IPv6 in DESCRIPTION clause of + object traceRouteCtlDataSize + - Replaced references to RFC 2575 by RFC 3415 + - Replaced references to RFC 2571 by RFC 3411 + - Replaced references to RFC 2851 by RFC 4001 + - Clarified DESCRIPTION clause of object + traceRouteResultsLastGoodPath + - Changed range of object traceRouteCtlInitialTtl + from (0..255) to (1..255) + - Extended DESCRIPTION clause of traceRouteResultsTable + describing re-initialization of entries + - Changed SYNTAX of traceRouteResultsTestAttempts and + traceRouteResultsTestSuccesses from Unsigned32 to + Gauge32 + - Changed status of traceRouteCompliance to deprecated + - Added traceRouteFullCompliance and + traceRouteMinimumCompliance + - Changed status of traceRouteGroup and + traceRouteTimeStampGroup to deprecated + - Added traceRouteMinimumGroup, + traceRouteCtlRowStatusGroup, and + traceRouteHistoryGroup + - Changed DEFVAL of object + traceRouteCtlTargetAddressType from { ipv4 } + to { unknown } + - Changed DEFVAL of object traceRouteCtlDescr + from { '00'H } to { ''H } + - Added DEFVAL for object traceRouteCtlTrapGeneration + of DEFVAL { { } }" + REVISION "200009210000Z" -- 21 September 2000 + DESCRIPTION + "Initial version, published as RFC 2925." + ::= { mib-2 81 } + + -- Top level structure of the MIB + + traceRouteNotifications OBJECT IDENTIFIER ::= { traceRouteMIB 0 } + traceRouteObjects OBJECT IDENTIFIER ::= { traceRouteMIB 1 } + traceRouteConformance OBJECT IDENTIFIER ::= { traceRouteMIB 2 } + + -- The registration node (point) for traceroute implementation types + + traceRouteImplementationTypeDomains OBJECT IDENTIFIER + ::= { traceRouteMIB 3 } + + traceRouteUsingUdpProbes OBJECT-IDENTITY + STATUS current + DESCRIPTION + "Indicates that an implementation is using UDP probes to + perform the traceroute operation." 
+ ::= { traceRouteImplementationTypeDomains 1 } + + -- Simple Object Definitions + + traceRouteMaxConcurrentRequests OBJECT-TYPE + SYNTAX Unsigned32 + UNITS "requests" + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The maximum number of concurrent active traceroute requests + that are allowed within an agent implementation. A value + of 0 for this object implies that there is no limit for + the number of concurrent active requests in effect. + + The limit applies only to new requests being activated. + When a new value is set, the agent will continue processing + all the requests already active, even if their number + exceeds the limit just imposed." + DEFVAL { 10 } + ::= { traceRouteObjects 1 } + + -- Traceroute Control Table + + traceRouteCtlTable OBJECT-TYPE + SYNTAX SEQUENCE OF TraceRouteCtlEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Defines the Remote Operations Traceroute Control Table for + providing the capability of invoking traceroute from a remote + host. The results of traceroute operations can be stored in + the traceRouteResultsTable, traceRouteProbeHistoryTable, and + the traceRouteHopsTable." + ::= { traceRouteObjects 2 } + + traceRouteCtlEntry OBJECT-TYPE + SYNTAX TraceRouteCtlEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Defines an entry in the traceRouteCtlTable. The first + index element, traceRouteCtlOwnerIndex, is of type + SnmpAdminString, a textual convention that allows for + use of the SNMPv3 View-Based Access Control Model + (RFC 3415, VACM) and that allows a management + application to identify its entries. The second index, + traceRouteCtlTestName (also an SnmpAdminString), + enables the same management application to have + multiple requests outstanding." 
+ INDEX { + traceRouteCtlOwnerIndex, + traceRouteCtlTestName + } + ::= { traceRouteCtlTable 1 } + + TraceRouteCtlEntry ::= + SEQUENCE { + traceRouteCtlOwnerIndex SnmpAdminString, + traceRouteCtlTestName SnmpAdminString, + traceRouteCtlTargetAddressType InetAddressType, + traceRouteCtlTargetAddress InetAddress, + traceRouteCtlByPassRouteTable TruthValue, + traceRouteCtlDataSize Unsigned32, + traceRouteCtlTimeOut Unsigned32, + traceRouteCtlProbesPerHop Unsigned32, + traceRouteCtlPort Unsigned32, + traceRouteCtlMaxTtl Unsigned32, + traceRouteCtlDSField Unsigned32, + traceRouteCtlSourceAddressType InetAddressType, + traceRouteCtlSourceAddress InetAddress, + traceRouteCtlIfIndex InterfaceIndexOrZero, + traceRouteCtlMiscOptions SnmpAdminString, + traceRouteCtlMaxFailures Unsigned32, + traceRouteCtlDontFragment TruthValue, + traceRouteCtlInitialTtl Unsigned32, + traceRouteCtlFrequency Unsigned32, + traceRouteCtlStorageType StorageType, + traceRouteCtlAdminStatus INTEGER, + traceRouteCtlDescr SnmpAdminString, + traceRouteCtlMaxRows Unsigned32, + traceRouteCtlTrapGeneration BITS, + traceRouteCtlCreateHopsEntries TruthValue, + traceRouteCtlType OBJECT IDENTIFIER, + traceRouteCtlRowStatus RowStatus + } + + traceRouteCtlOwnerIndex OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE(0..32)) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "To facilitate the provisioning of access control by a + security administrator using the View-Based Access + Control Model (RFC 3415, VACM) for tables in which + multiple users may need to create or + modify entries independently, the initial index is used as + an 'owner index'. Such an initial index has a syntax of + SnmpAdminString and can thus be trivially mapped to a + securityName or groupName defined in VACM, in + accordance with a security policy. + + When used in conjunction with such a security policy, + all entries in the table belonging to a particular user + (or group) will have the same value for this initial + index. 
For a given user's entries in a particular + table, the object identifiers for the information in + these entries will have the same subidentifiers (except + for the 'column' subidentifier) up to the end of the + encoded owner index. To configure VACM to permit access + to this portion of the table, one would create + vacmViewTreeFamilyTable entries with the value of + vacmViewTreeFamilySubtree including the owner index + portion, and vacmViewTreeFamilyMask 'wildcarding' the + column subidentifier. More elaborate configurations + are possible." + ::= { traceRouteCtlEntry 1 } + + traceRouteCtlTestName OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE(0..32)) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The name of a traceroute test. This is locally unique, + within the scope of a traceRouteCtlOwnerIndex." + ::= { traceRouteCtlEntry 2 } + + traceRouteCtlTargetAddressType OBJECT-TYPE + SYNTAX InetAddressType + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "Specifies the type of host address to be used on the + traceroute request at the remote host." + DEFVAL { unknown } + ::= { traceRouteCtlEntry 3 } + + traceRouteCtlTargetAddress OBJECT-TYPE + SYNTAX InetAddress + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "Specifies the host address used on the + traceroute request at the remote host. The + host address type can be determined by + examining the value of the corresponding + traceRouteCtlTargetAddressType. + + A value for this object MUST be set prior to + transitioning its corresponding traceRouteCtlEntry to + active(1) via traceRouteCtlRowStatus." + ::= { traceRouteCtlEntry 4 } + + traceRouteCtlByPassRouteTable OBJECT-TYPE + SYNTAX TruthValue + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The purpose of this object is to enable optional + bypassing the route table. If enabled, the remote + host will bypass the normal routing tables and send + directly to a host on an attached network. 
If the + host is not on a directly attached network, an + error is returned. This option can be used to perform + the traceroute operation to a local host through an + interface that has no route defined (e.g., after the + interface was dropped by the routing daemon at the host)." + DEFVAL { false } + ::= { traceRouteCtlEntry 5 } + + traceRouteCtlDataSize OBJECT-TYPE + SYNTAX Unsigned32 (0..65507) + UNITS "octets" + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "Specifies the size of the data portion of a traceroute + request, in octets. If the RECOMMENDED traceroute method + (UDP datagrams as probes) is used, then the value + contained in this object MUST be applied. If another + traceroute method is used for which the specified size + is not appropriate, then the implementation SHOULD use + whatever size (appropriate to the method) is closest to + the specified size. + + The maximum value for this object was computed by + subtracting the smallest possible IP header size of + 20 octets (IPv4 header with no options) and the UDP + header size of 8 octets from the maximum IP packet size. + An IP packet has a maximum size of 65535 octets + (excluding IPv6 Jumbograms)." + DEFVAL { 0 } + ::= { traceRouteCtlEntry 6 } + + traceRouteCtlTimeOut OBJECT-TYPE + SYNTAX Unsigned32 (1..60) + UNITS "seconds" + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "Specifies the time-out value, in seconds, for + a traceroute request." + DEFVAL { 3 } + ::= { traceRouteCtlEntry 7 } + + traceRouteCtlProbesPerHop OBJECT-TYPE + SYNTAX Unsigned32 (1..10) + UNITS "probes" + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "Specifies the number of times to reissue a traceroute + request with the same time-to-live (TTL) value." 
+ DEFVAL { 3 } + ::= { traceRouteCtlEntry 8 } + + traceRouteCtlPort OBJECT-TYPE + SYNTAX Unsigned32 (1..65535) + UNITS "UDP Port" + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "Specifies the (initial) UDP port to send the traceroute + request to. A port needs to be specified that is not in + use at the destination (target) host. The default + value for this object is the IANA assigned port, + 33434, for the traceroute function." + DEFVAL { 33434 } + ::= { traceRouteCtlEntry 9 } + + traceRouteCtlMaxTtl OBJECT-TYPE + SYNTAX Unsigned32 (1..255) + UNITS "time-to-live value" + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "Specifies the maximum time-to-live value." + DEFVAL { 30 } + ::= { traceRouteCtlEntry 10 } + + traceRouteCtlDSField OBJECT-TYPE + SYNTAX Unsigned32 (0..255) + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "Specifies the value to store in the Type of Service + (TOS) octet in the IPv4 header or in the Traffic + Class octet in the IPv6 header, respectively, of the + IP packet used to encapsulate the traceroute probe. + + The octet to be set in the IP header contains the + Differentiated Services (DS) Field in the six most + significant bits. + + This option can be used to determine what effect an + explicit DS Field setting has on a traceroute response. + Not all values are legal or meaningful. A value of 0 + means that the function represented by this option is + not supported. DS Field usage is often not supported + by IP implementations, and not all values are supported. + Refer to RFC 2474 and RFC 3260 for guidance on usage of + this field." + REFERENCE + "Refer to RFC 1812 for the definition of the IPv4 TOS + octet and to RFC 2460 for the definition of the IPv6 + Traffic Class octet. Refer to RFC 2474 and RFC 3260 + for the definition of the Differentiated Services Field." 
+ DEFVAL { 0 } + ::= { traceRouteCtlEntry 11 } + + traceRouteCtlSourceAddressType OBJECT-TYPE + SYNTAX InetAddressType + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "Specifies the type of the source address, + traceRouteCtlSourceAddress, to be used at a remote host + when a traceroute operation is performed." + DEFVAL { unknown } + ::= { traceRouteCtlEntry 12 } + + traceRouteCtlSourceAddress OBJECT-TYPE + SYNTAX InetAddress + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "Use the specified IP address (which must be given as an + IP number, not a hostname) as the source address in + outgoing probe packets. On hosts with more than one IP + address, this option can be used to select the address + to be used. If the IP address is not one of this + machine's interface addresses, an error is returned, and + nothing is sent. A zero-length octet string value for + this object disables source address specification. + The address type (InetAddressType) that relates to + this object is specified by the corresponding value + of traceRouteCtlSourceAddressType." + DEFVAL { ''H } + ::= { traceRouteCtlEntry 13 } + + traceRouteCtlIfIndex OBJECT-TYPE + SYNTAX InterfaceIndexOrZero + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "Setting this object to an interface's ifIndex prior + to starting a remote traceroute operation directs + the traceroute probes to be transmitted over the + specified interface. A value of zero for this object + implies that this option is not enabled." + DEFVAL { 0 } + ::= { traceRouteCtlEntry 14 } + + traceRouteCtlMiscOptions OBJECT-TYPE + SYNTAX SnmpAdminString + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "Enables an application to specify implementation-dependent + options." 
+ DEFVAL { ''H } + ::= { traceRouteCtlEntry 15 } + + traceRouteCtlMaxFailures OBJECT-TYPE + SYNTAX Unsigned32 (0..255) + UNITS "timeouts" + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The value of this object indicates the maximum number + of consecutive timeouts allowed before a remote traceroute + request is terminated. A value of either 255 (maximum + hop count/possible TTL value) or 0 indicates that the + function of terminating a remote traceroute request when a + specific number of consecutive timeouts are detected is + disabled." + DEFVAL { 5 } + ::= { traceRouteCtlEntry 16 } + + traceRouteCtlDontFragment OBJECT-TYPE + SYNTAX TruthValue + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "This object enables setting of the don't fragment flag (DF) + in the IP header for a probe. Use of this object enables + a manual PATH MTU test is performed." + DEFVAL { false } + ::= { traceRouteCtlEntry 17 } + + traceRouteCtlInitialTtl OBJECT-TYPE + SYNTAX Unsigned32 (1..255) + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The value of this object specifies the initial TTL value to + use. This enables bypassing the initial (often well known) + portion of a path." + DEFVAL { 1 } + ::= { traceRouteCtlEntry 18 } + + traceRouteCtlFrequency OBJECT-TYPE + SYNTAX Unsigned32 + UNITS "seconds" + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The number of seconds to wait before repeating a + traceroute test, as defined by the value of the + various objects in the corresponding row. + + After a single test is completed the number of seconds + as defined by the value of traceRouteCtlFrequency MUST + elapse before the next traceroute test is started. + + A value of 0 for this object implies that the test + as defined by the corresponding entry will not be + + repeated." 
+ DEFVAL { 0 } + ::= { traceRouteCtlEntry 19 } + + traceRouteCtlStorageType OBJECT-TYPE + SYNTAX StorageType + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The storage type for this conceptual row. + Conceptual rows having the value 'permanent' need not + allow write-access to any columnar objects in the row." + DEFVAL { nonVolatile } + ::= { traceRouteCtlEntry 20 } + + traceRouteCtlAdminStatus OBJECT-TYPE + SYNTAX INTEGER { + + enabled(1), -- operation should be started + disabled(2) -- operation should be stopped + } + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "Reflects the desired state that an traceRouteCtlEntry + should be in: + + enabled(1) - Attempt to activate the test as defined by + this traceRouteCtlEntry. + disabled(2) - Deactivate the test as defined by this + traceRouteCtlEntry. + + Refer to the corresponding traceRouteResultsOperStatus to + determine the operational state of the test defined by + this entry." + DEFVAL { disabled } + ::= { traceRouteCtlEntry 21 } + + traceRouteCtlDescr OBJECT-TYPE + SYNTAX SnmpAdminString + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The purpose of this object is to provide a + descriptive name of the remote traceroute + test." + DEFVAL { ''H } + ::= { traceRouteCtlEntry 22 } + + traceRouteCtlMaxRows OBJECT-TYPE + SYNTAX Unsigned32 + UNITS "rows" + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The maximum number of corresponding entries allowed + in the traceRouteProbeHistoryTable. An implementation + of this MIB will remove the oldest corresponding entry + in the traceRouteProbeHistoryTable to allow the + addition of an new entry once the number of + corresponding rows in the traceRouteProbeHistoryTable + reaches this value. + + Old entries are not removed when a new test is + started. Entries are added to the + traceRouteProbeHistoryTable until traceRouteCtlMaxRows + is reached before entries begin to be removed. 
+ A value of 0 for this object disables creation of + traceRouteProbeHistoryTable entries." + DEFVAL { 50 } + ::= { traceRouteCtlEntry 23 } + + traceRouteCtlTrapGeneration OBJECT-TYPE + SYNTAX BITS { + pathChange(0), + testFailure(1), + testCompletion(2) + } + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The value of this object determines when and whether to + generate a notification for this entry: + + pathChange(0) - Generate a traceRoutePathChange + notification when the current path varies from a + previously determined path. + testFailure(1) - Generate a traceRouteTestFailed + notification when the full path to a target + can't be determined. + testCompletion(2) - Generate a traceRouteTestCompleted + notification when the path to a target has been + determined. + + The value of this object defaults to an empty set, + indicating that none of the above options has been + selected." + DEFVAL { { } } + ::= { traceRouteCtlEntry 24 } + + traceRouteCtlCreateHopsEntries OBJECT-TYPE + SYNTAX TruthValue + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The current path for a traceroute test is kept in the + traceRouteHopsTable on a per-hop basis when the value of + this object is true(1)." + DEFVAL { false } + ::= { traceRouteCtlEntry 25 } + + traceRouteCtlType OBJECT-TYPE + SYNTAX OBJECT IDENTIFIER + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The value of this object is used either to report or to + select the implementation method to be used for + performing a traceroute operation. The value of this + object may be selected from + traceRouteImplementationTypeDomains. + + Additional implementation types should be allocated as + required by implementers of the DISMAN-TRACEROUTE-MIB + under their enterprise specific registration point, + not beneath traceRouteImplementationTypeDomains." 
+ DEFVAL { traceRouteUsingUdpProbes } + ::= { traceRouteCtlEntry 26 } + + traceRouteCtlRowStatus OBJECT-TYPE + SYNTAX RowStatus + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "This object allows entries to be created and deleted + in the traceRouteCtlTable. Deletion of an entry in + this table results in a deletion of all corresponding (same + traceRouteCtlOwnerIndex and traceRouteCtlTestName + index values) traceRouteResultsTable, + traceRouteProbeHistoryTable, and traceRouteHopsTable + entries. + + A value MUST be specified for traceRouteCtlTargetAddress + prior to acceptance of a transition to active(1) state. + + When a value for pingCtlTargetAddress is set, + the value of object pingCtlRowStatus changes + from notReady(3) to notInService(2). + + Activation of a remote traceroute operation is + controlled via traceRouteCtlAdminStatus, and not + by transitioning of this object's value to active(1). + + Transitions in and out of active(1) state are not + allowed while an entry's traceRouteResultsOperStatus + is active(1), with the exception that deletion of + an entry in this table by setting its RowStatus + object to destroy(6) will stop an active + traceroute operation. + + The operational state of an traceroute operation + can be determined by examination of the corresponding + traceRouteResultsOperStatus object." + REFERENCE + "See definition of RowStatus in RFC 2579, 'Textual + Conventions for SMIv2.'" + ::= { traceRouteCtlEntry 27 } + + -- Traceroute Results Table + + traceRouteResultsTable OBJECT-TYPE + SYNTAX SEQUENCE OF TraceRouteResultsEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Defines the Remote Operations Traceroute Results Table for + keeping track of the status of a traceRouteCtlEntry. + + An entry is added to the traceRouteResultsTable when an + traceRouteCtlEntry is started by successful transition + of its traceRouteCtlAdminStatus object to enabled(1). 
+ + If the object traceRouteCtlAdminStatus already has the value + enabled(1), and if the corresponding + traceRouteResultsOperStatus object has the value + completed(3), then successfully writing enabled(1) to the + object traceRouteCtlAdminStatus re-initializes the already + existing entry in the traceRouteResultsTable. The values of + objects in the re-initialized entry are the same as + the values of objects in a new entry would be. + + An entry is removed from the traceRouteResultsTable when + + its corresponding traceRouteCtlEntry is deleted." + ::= { traceRouteObjects 3 } + + traceRouteResultsEntry OBJECT-TYPE + SYNTAX TraceRouteResultsEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Defines an entry in the traceRouteResultsTable. The + traceRouteResultsTable has the same indexing as the + traceRouteCtlTable so that a traceRouteResultsEntry + corresponds to the traceRouteCtlEntry that caused it to + be created." + INDEX { + traceRouteCtlOwnerIndex, + traceRouteCtlTestName + } + ::= { traceRouteResultsTable 1 } + + TraceRouteResultsEntry ::= + SEQUENCE { + traceRouteResultsOperStatus INTEGER, + traceRouteResultsCurHopCount Gauge32, + traceRouteResultsCurProbeCount Gauge32, + traceRouteResultsIpTgtAddrType InetAddressType, + traceRouteResultsIpTgtAddr InetAddress, + traceRouteResultsTestAttempts Gauge32, + traceRouteResultsTestSuccesses Gauge32, + traceRouteResultsLastGoodPath DateAndTime + } + + traceRouteResultsOperStatus OBJECT-TYPE + SYNTAX INTEGER { + enabled(1), -- test is in progress + disabled(2), -- test has stopped + completed(3) -- test is completed + } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Reflects the operational state of an traceRouteCtlEntry: + + enabled(1) - Test is active. + disabled(2) - Test has stopped. + completed(3) - Test is completed." 
+ ::= { traceRouteResultsEntry 1 } + + traceRouteResultsCurHopCount OBJECT-TYPE + SYNTAX Gauge32 + UNITS "hops" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Reflects the current TTL value (from 1 to + 255) for a remote traceroute operation. + Maximum TTL value is determined by + traceRouteCtlMaxTtl." + ::= { traceRouteResultsEntry 2 } + + traceRouteResultsCurProbeCount OBJECT-TYPE + SYNTAX Gauge32 + UNITS "probes" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Reflects the current probe count (1..10) for + a remote traceroute operation. The maximum + probe count is determined by + traceRouteCtlProbesPerHop." + ::= { traceRouteResultsEntry 3 } + + traceRouteResultsIpTgtAddrType OBJECT-TYPE + SYNTAX InetAddressType + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "This object indicates the type of address stored + in the corresponding traceRouteResultsIpTgtAddr + object." + ::= { traceRouteResultsEntry 4 } + + traceRouteResultsIpTgtAddr OBJECT-TYPE + SYNTAX InetAddress + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "This object reports the IP address associated + with a traceRouteCtlTargetAddress value when the + destination address is specified as a DNS name. + The value of this object should be a zero-length + octet string when a DNS name is not specified or + when a specified DNS name fails to resolve." + ::= { traceRouteResultsEntry 5 } + + traceRouteResultsTestAttempts OBJECT-TYPE + SYNTAX Gauge32 + UNITS "tests" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The current number of attempts to determine a path + to a target. The value of this object MUST be started + at 0." + ::= { traceRouteResultsEntry 6 } + + traceRouteResultsTestSuccesses OBJECT-TYPE + SYNTAX Gauge32 + UNITS "tests" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The current number of attempts to determine a path + to a target that have succeeded. The value of this + object MUST be reported as 0 when no attempts have + succeeded." 
+ ::= { traceRouteResultsEntry 7 } + + traceRouteResultsLastGoodPath OBJECT-TYPE + SYNTAX DateAndTime + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The date and time when the last complete path + was determined. A path is complete if responses + were received or timeout occurred for each hop on + the path; i.e., for each TTL value from the value + of the corresponding traceRouteCtlInitialTtl object + up to the end of the path or (if no reply from the + target IP address was received) up to the value of + the corresponding traceRouteCtlMaxTtl object." + ::= { traceRouteResultsEntry 8 } + + -- Trace Route Probe History Table + + traceRouteProbeHistoryTable OBJECT-TYPE + SYNTAX SEQUENCE OF TraceRouteProbeHistoryEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Defines the Remote Operations Traceroute Results Table + for storing the results of a traceroute operation. + + An implementation of this MIB will remove the oldest + + entry in the traceRouteProbeHistoryTable of the + corresponding entry in the traceRouteCtlTable to allow + the addition of a new entry once the number of rows in + the traceRouteProbeHistoryTable reaches the value specified + by traceRouteCtlMaxRows for the corresponding entry in the + traceRouteCtlTable." + ::= { traceRouteObjects 4 } + + traceRouteProbeHistoryEntry OBJECT-TYPE + SYNTAX TraceRouteProbeHistoryEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Defines a table for storing the results of a traceroute + operation. Entries in this table are limited by + the value of the corresponding traceRouteCtlMaxRows + object. + + The first two index elements identify the + traceRouteCtlEntry that a traceRouteProbeHistoryEntry + belongs to. The third index element selects a single + traceroute operation result. The fourth and fifth indexes + select the hop and the probe for a particular + traceroute operation." 
+ INDEX { + traceRouteCtlOwnerIndex, + traceRouteCtlTestName, + traceRouteProbeHistoryIndex, + traceRouteProbeHistoryHopIndex, + traceRouteProbeHistoryProbeIndex + + } + ::= { traceRouteProbeHistoryTable 1 } + + TraceRouteProbeHistoryEntry ::= + SEQUENCE { + traceRouteProbeHistoryIndex Unsigned32, + traceRouteProbeHistoryHopIndex Unsigned32, + traceRouteProbeHistoryProbeIndex Unsigned32, + traceRouteProbeHistoryHAddrType InetAddressType, + traceRouteProbeHistoryHAddr InetAddress, + traceRouteProbeHistoryResponse Unsigned32, + traceRouteProbeHistoryStatus OperationResponseStatus, + traceRouteProbeHistoryLastRC Integer32, + traceRouteProbeHistoryTime DateAndTime + } + + traceRouteProbeHistoryIndex OBJECT-TYPE + SYNTAX Unsigned32 (1..'ffffffff'h) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "An entry in this table is created when the result of + a traceroute probe is determined. The initial 2 instance + identifier index values identify the traceRouteCtlEntry + that a probe result (traceRouteProbeHistoryEntry) belongs + to. An entry is removed from this table when + its corresponding traceRouteCtlEntry is deleted. + + An implementation MUST start assigning + traceRouteProbeHistoryIndex values at 1 and wrap after + exceeding the maximum possible value, as defined by the + limit of this object ('ffffffff'h)." + ::= { traceRouteProbeHistoryEntry 1 } + + traceRouteProbeHistoryHopIndex OBJECT-TYPE + SYNTAX Unsigned32 (1..255) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Indicates which hop in a traceroute path the probe's + results are for. The value of this object is initially + determined by the value of traceRouteCtlInitialTtl." + ::= { traceRouteProbeHistoryEntry 2 } + + traceRouteProbeHistoryProbeIndex OBJECT-TYPE + SYNTAX Unsigned32 (1..10) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Indicates the index of a probe for a particular + hop in a traceroute path. 
The number of probes per + hop is determined by the value of the corresponding + traceRouteCtlProbesPerHop object." + ::= { traceRouteProbeHistoryEntry 3 } + + traceRouteProbeHistoryHAddrType OBJECT-TYPE + SYNTAX InetAddressType + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "This objects indicates the type of address stored + in the corresponding traceRouteProbeHistoryHAddr + object." + ::= { traceRouteProbeHistoryEntry 4 } + + traceRouteProbeHistoryHAddr OBJECT-TYPE + SYNTAX InetAddress + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The address of a hop in a traceroute path. This object + is not allowed to be a DNS name. The value of the + corresponding object, traceRouteProbeHistoryHAddrType, + indicates this object's IP address type." + ::= { traceRouteProbeHistoryEntry 5 } + + traceRouteProbeHistoryResponse OBJECT-TYPE + SYNTAX Unsigned32 + UNITS "milliseconds" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The amount of time measured in milliseconds from when + a probe was sent to when its response was received or + when it timed out. The value of this object is reported + as 0 when it is not possible to transmit a probe." + ::= { traceRouteProbeHistoryEntry 6 } + + traceRouteProbeHistoryStatus OBJECT-TYPE + SYNTAX OperationResponseStatus + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The result of a traceroute operation made by a remote + host for a particular probe." + ::= { traceRouteProbeHistoryEntry 7 } + + traceRouteProbeHistoryLastRC OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The last implementation-method-specific reply code received. + + Traceroute is usually implemented by transmitting a series of + probe packets with increasing time-to-live values. A probe + packet is a UDP datagram encapsulated into an IP packet. 
+ Each hop in a path to the target (destination) host rejects + the probe packets (probe's TTL too small, ICMP reply) until + either the maximum TTL is exceeded or the target host is + received." + ::= { traceRouteProbeHistoryEntry 8 } + + traceRouteProbeHistoryTime OBJECT-TYPE + SYNTAX DateAndTime + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Timestamp for when this probe's results were determined." + ::= { traceRouteProbeHistoryEntry 9 } + + -- Traceroute Hop Results Table + + traceRouteHopsTable OBJECT-TYPE + SYNTAX SEQUENCE OF TraceRouteHopsEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Defines the Remote Operations Traceroute Hop Table for + keeping track of the results of traceroute tests on a + per-hop basis." + ::= { traceRouteObjects 5 } + + traceRouteHopsEntry OBJECT-TYPE + SYNTAX TraceRouteHopsEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Defines an entry in the traceRouteHopsTable. + The first two index elements identify the + traceRouteCtlEntry that a traceRouteHopsEntry + belongs to. The third index element, + traceRouteHopsHopIndex, selects a + hop in a traceroute path." + INDEX { + traceRouteCtlOwnerIndex, + traceRouteCtlTestName, + traceRouteHopsHopIndex + } + ::= { traceRouteHopsTable 1 } + + TraceRouteHopsEntry ::= + SEQUENCE { + traceRouteHopsHopIndex Unsigned32, + traceRouteHopsIpTgtAddressType InetAddressType, + traceRouteHopsIpTgtAddress InetAddress, + traceRouteHopsMinRtt Unsigned32, + traceRouteHopsMaxRtt Unsigned32, + traceRouteHopsAverageRtt Unsigned32, + traceRouteHopsRttSumOfSquares Unsigned32, + traceRouteHopsSentProbes Unsigned32, + traceRouteHopsProbeResponses Unsigned32, + traceRouteHopsLastGoodProbe DateAndTime + } + + traceRouteHopsHopIndex OBJECT-TYPE + SYNTAX Unsigned32 (1..'ffffffff'h) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Specifies the hop index for a traceroute hop. 
Values + for this object with respect to the same + traceRouteCtlOwnerIndex and traceRouteCtlTestName + MUST start at 1 and be given increasing values for + subsequent hops. The value of traceRouteHopsHopIndex is not + necessarily the number of the hop on the traced path. + + The traceRouteHopsTable keeps the current traceroute + path per traceRouteCtlEntry if enabled by + setting the corresponding traceRouteCtlCreateHopsEntries + to true(1). + + All hops (traceRouteHopsTable entries) in a traceroute + path MUST be updated at the same time when a traceroute + operation is completed. Care needs to be applied when a path + either changes or can't be determined. The initial portion + of the path, up to the first hop change, MUST retain the + same traceRouteHopsHopIndex values. The remaining portion + of the path SHOULD be assigned new traceRouteHopsHopIndex + values." + ::= { traceRouteHopsEntry 1 } + + traceRouteHopsIpTgtAddressType OBJECT-TYPE + SYNTAX InetAddressType + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "This object indicates the type of address stored + in the corresponding traceRouteHopsIpTgtAddress + object." + ::= { traceRouteHopsEntry 2 } + + traceRouteHopsIpTgtAddress OBJECT-TYPE + SYNTAX InetAddress + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "This object reports the IP address associated with + + the hop. A value for this object should be reported + as a numeric IP address, not as a DNS name. + + The address type (InetAddressType) that relates to + this object is specified by the corresponding value + of pingCtlSourceAddressType." + ::= { traceRouteHopsEntry 3 } + + traceRouteHopsMinRtt OBJECT-TYPE + SYNTAX Unsigned32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The minimum traceroute round-trip-time (RTT) received for + this hop. A value of 0 for this object implies that no + RTT has been received." 
+ ::= { traceRouteHopsEntry 4 } + + traceRouteHopsMaxRtt OBJECT-TYPE + SYNTAX Unsigned32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The maximum traceroute round-trip-time (RTT) received for + this hop. A value of 0 for this object implies that no + RTT has been received." + ::= { traceRouteHopsEntry 5 } + + traceRouteHopsAverageRtt OBJECT-TYPE + SYNTAX Unsigned32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The current average traceroute round-trip-time (RTT) for + this hop." + ::= { traceRouteHopsEntry 6 } + + traceRouteHopsRttSumOfSquares OBJECT-TYPE + SYNTAX Unsigned32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "This object contains the sum of the squares of all + round-trip-times received for this hop. Its purpose is + to enable standard deviation calculation." + ::= { traceRouteHopsEntry 7 } + + traceRouteHopsSentProbes OBJECT-TYPE + SYNTAX Unsigned32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of this object reflects the number of probes sent + for this hop during this traceroute test. The value of this + object should start at 0." + ::= { traceRouteHopsEntry 8 } + + traceRouteHopsProbeResponses OBJECT-TYPE + SYNTAX Unsigned32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Number of responses received for this hop during this + traceroute test. This value of this object should start + at 0." + ::= { traceRouteHopsEntry 9 } + + traceRouteHopsLastGoodProbe OBJECT-TYPE + SYNTAX DateAndTime + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Date and time at which the last response was received for a + probe for this hop during this traceroute test." + ::= { traceRouteHopsEntry 10 } + + -- Notification Definition section + + traceRoutePathChange NOTIFICATION-TYPE + OBJECTS { + traceRouteCtlTargetAddressType, + traceRouteCtlTargetAddress, + traceRouteResultsIpTgtAddrType, + traceRouteResultsIpTgtAddr + } + STATUS current + DESCRIPTION + "The path to a target has changed." 
+ ::= { traceRouteNotifications 1 } + + traceRouteTestFailed NOTIFICATION-TYPE + OBJECTS { + traceRouteCtlTargetAddressType, + traceRouteCtlTargetAddress, + traceRouteResultsIpTgtAddrType, + traceRouteResultsIpTgtAddr + + } + STATUS current + DESCRIPTION + "Could not determine the path to a target." + ::= { traceRouteNotifications 2 } + + traceRouteTestCompleted NOTIFICATION-TYPE + OBJECTS { + traceRouteCtlTargetAddressType, + traceRouteCtlTargetAddress, + traceRouteResultsIpTgtAddrType, + traceRouteResultsIpTgtAddr + } + STATUS current + DESCRIPTION + "The path to a target has just been determined." + ::= { traceRouteNotifications 3 } + + -- Conformance information + -- Compliance statements + + traceRouteCompliances OBJECT IDENTIFIER + ::= { traceRouteConformance 1 } + traceRouteGroups OBJECT IDENTIFIER + ::= { traceRouteConformance 2 } + + -- Compliance statements + + traceRouteFullCompliance MODULE-COMPLIANCE + STATUS current + DESCRIPTION + "The compliance statement for SNMP entities that + fully implement the DISMAN-TRACEROUTE-MIB." + MODULE -- this module + MANDATORY-GROUPS { + traceRouteMinimumGroup, + traceRouteCtlRowStatusGroup, + traceRouteHistoryGroup + } + + GROUP traceRouteHopsTableGroup + DESCRIPTION + "This group lists the objects that make up a + traceRouteHopsEntry. Support of the traceRouteHopsTable + is optional." + + GROUP traceRouteNotificationsGroup + DESCRIPTION + "This group defines a collection of optional + notifications." + + OBJECT traceRouteMaxConcurrentRequests + MIN-ACCESS read-only + DESCRIPTION + "The agent is not required to support SET + operations to this object." + + OBJECT traceRouteCtlByPassRouteTable + MIN-ACCESS read-only + DESCRIPTION + "Write access to this object is not required by + implementations that are not capable of its + implementation. The function represented by this + object is implementable if the setsockopt + SOL_SOCKET SO_DONTROUTE option is supported." 
+ + OBJECT traceRouteCtlDSField + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required. If write access is + not supported, return a 0 as the value of this object. + A value of 0 implies that the function represented by + this option is not supported." + + OBJECT traceRouteCtlSourceAddressType + SYNTAX InetAddressType { unknown(0), ipv4(1), ipv6(2) } + MIN-ACCESS read-only + DESCRIPTION + "Write access to this object is not required by + implementations that are not capable of binding the + send socket with a source address. An implementation + is only required to support IPv4 and IPv6 addresses." + + OBJECT traceRouteCtlSourceAddress + SYNTAX InetAddress (SIZE(0|4|16)) + MIN-ACCESS read-only + DESCRIPTION + "Write access to this object is not required by + implementations that are not capable of binding the + send socket with a source address. An implementation + is only required to support IPv4 and IPv6 addresses." + + OBJECT traceRouteCtlIfIndex + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required. If write access is + + not supported, return a 0 as the value of this object. + A value of 0 implies that the function represented by + this option is not supported." + + OBJECT traceRouteCtlMiscOptions + MIN-ACCESS read-only + DESCRIPTION + "Support of this object is optional. If not + supporting, do not allow write access and return a + zero-length octet string as the value of the object." + + OBJECT traceRouteCtlStorageType + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required. It is also allowed + that implementations support only the volatile(2) + StorageType enumeration." + + OBJECT traceRouteCtlType + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required. In addition, the only + value that is RECOMMENDED to be supported by an + implementation is traceRouteUsingUdpProbes." 
+ + OBJECT traceRouteResultsIpTgtAddrType + SYNTAX InetAddressType { unknown(0), ipv4(1), ipv6(2) } + DESCRIPTION + "An implementation should only support IPv4 and + globally unique IPv6 address values for this object." + + OBJECT traceRouteResultsIpTgtAddr + SYNTAX InetAddress (SIZE(0|4|16)) + DESCRIPTION + "An implementation should only support IPv4 and + globally unique IPv6 address values for this object." + + OBJECT traceRouteResultsLastGoodPath + DESCRIPTION + "If the traceRouteHopsTableGroup is implemented, then + this object is mandatory for implementations that have + access to a system clock and that are capable of setting + the values for DateAndTime objects. It is RECOMMENDED + that when this object is not supported its values + be reported as '0000000000000000'H." + + OBJECT traceRouteProbeHistoryHAddrType + SYNTAX InetAddressType { unknown(0), ipv4(1), ipv6(2) } + DESCRIPTION + "An implementation should only support IPv4 and + globally unique IPv6 address values for this object." + + OBJECT traceRouteProbeHistoryHAddr + SYNTAX InetAddress (SIZE(0|4|16)) + DESCRIPTION + "An implementation should only support IPv4 and + globally unique IPv6 address values for this object." + + OBJECT traceRouteProbeHistoryTime + DESCRIPTION + "This object is mandatory for implementations that have + access to a system clock and that are capable of setting + the values for DateAndTime objects. It is RECOMMENDED + that when this object is not supported its values + be reported as '0000000000000000'H." + + OBJECT traceRouteHopsIpTgtAddressType + SYNTAX InetAddressType { unknown(0), ipv4(1), ipv6(2) } + DESCRIPTION + "An implementation should only support IPv4 and + globally unique IPv6 address values for this object." + + OBJECT traceRouteHopsIpTgtAddress + SYNTAX InetAddress (SIZE(0|4|16)) + DESCRIPTION + "An implementation should only support IPv4 and + globally unique IPv6 address values for this object." 
+ + OBJECT traceRouteHopsLastGoodProbe + DESCRIPTION + "This object is mandatory for implementations that have + access to a system clock and that are capable of setting + the values for DateAndTime objects. It is RECOMMENDED + that when this object is not supported its values + be reported as '0000000000000000'H." + ::= { traceRouteCompliances 2 } + + traceRouteMinimumCompliance MODULE-COMPLIANCE + STATUS current + DESCRIPTION + "The minimum compliance statement for SNMP entities + which implement the minimal subset of the + DISMAN-TRACEROUTE-MIB. Implementors might choose this + subset for small devices with limited resources." + MODULE -- this module + + MANDATORY-GROUPS { traceRouteMinimumGroup } + + GROUP traceRouteCtlRowStatusGroup + DESCRIPTION + "A compliant implementation does not have to implement + the traceRouteCtlRowStatusGroup." + + GROUP traceRouteHistoryGroup + DESCRIPTION + "A compliant implementation does not have to implement + the traceRouteHistoryGroup." + + GROUP traceRouteHopsTableGroup + DESCRIPTION + "This group lists the objects that make up a + traceRouteHopsEntry. Support of the traceRouteHopsTable + is optional." + + GROUP traceRouteNotificationsGroup + DESCRIPTION + "This group defines a collection of optional + notifications." + + OBJECT traceRouteMaxConcurrentRequests + MIN-ACCESS read-only + DESCRIPTION + "The agent is not required to support SET + operations to this object." + + OBJECT traceRouteCtlByPassRouteTable + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required. If write access is + not supported, return a false(2) as the value of this + object. A value of false(2) means that the function + represented by this option is not supported." + + OBJECT traceRouteCtlDSField + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required. If write access is + not supported, return a 0 as the value of this object. + A value of 0 implies that the function represented by + this option is not supported." 
+ + OBJECT traceRouteCtlSourceAddressType + SYNTAX InetAddressType { unknown(0), ipv4(1), ipv6(2) } + MIN-ACCESS read-only + DESCRIPTION + "Write access to this object is not required by + implementations that are not capable of binding the + send socket with a source address. An implementation + is only required to support IPv4 and IPv6 addresses." + + OBJECT traceRouteCtlSourceAddress + SYNTAX InetAddress (SIZE(0|4|16)) + MIN-ACCESS read-only + DESCRIPTION + "Write access to this object is not required by + implementations that are not capable of binding the + send socket with a source address. An implementation + is only required to support IPv4 and IPv6 addresses." + + OBJECT traceRouteCtlIfIndex + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required. If write access is + not supported, return a 0 as the value of this object. + A value of 0 implies that the function represented by + this option is not supported." + + OBJECT traceRouteCtlMiscOptions + MIN-ACCESS read-only + DESCRIPTION + "Support of this object is optional. If not + supporting, do not allow write access, and return a + zero-length octet string as the value of the object." + + OBJECT traceRouteCtlDontFragment + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required. If write access is + not supported, return a false(2) as the value of this + object. A value of false(2) means that the function + represented by this option is not supported." + + OBJECT traceRouteCtlInitialTtl + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required. If write access is + not supported, return a 1 as the value of this object." + + OBJECT traceRouteCtlFrequency + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required. If write access is + not supported, return a 0 as the value of this object. + A value of 0 implies that the function represented by + this option is not supported." 
+ + OBJECT traceRouteCtlStorageType + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required. It is also allowed + that implementations support only the volatile(2) + StorageType enumeration." + + OBJECT traceRouteCtlDescr + MIN-ACCESS read-only + DESCRIPTION + "The agent is not required to support set + operations to this object." + + OBJECT traceRouteCtlMaxRows + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required. If the + traceRouteHistoryGroup is not implemented, then write + access to this object MUST be disabled, and the object + MUST return a value of 0 when retrieved." + + OBJECT traceRouteCtlTrapGeneration + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required. If the + traceRouteNotificationsGroup is not implemented, then + write access to this object MUST be disabled, and the + object MUST return a value with no bit set when + retrieved. No bit set indicates that no notification + is generated." + + OBJECT traceRouteCtlCreateHopsEntries + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required. If the + traceRouteHopsTableGroup is not implemented, then + write access to this object MUST be disabled, and the + object MUST return a value of false(2) when retrieved." + + OBJECT traceRouteCtlType + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required. In addition, the only + + value that is RECOMMENDED to be supported by an + implementation is traceRouteUsingUdpProbes." + + OBJECT traceRouteResultsIpTgtAddrType + SYNTAX InetAddressType { unknown(0), ipv4(1), ipv6(2) } + DESCRIPTION + "An implementation should only support IPv4 and + globally unique IPv6 address values for this object." + + OBJECT traceRouteResultsIpTgtAddr + SYNTAX InetAddress (SIZE(0|4|16)) + DESCRIPTION + "An implementation should only support IPv4 and + globally unique IPv6 address values for this object." 
+ + OBJECT traceRouteResultsLastGoodPath + DESCRIPTION + "This object is mandatory for implementations that have + access to a system clock and that are capable of setting + the values for DateAndTime objects. It is RECOMMENDED + that when this object is not supported its values + be reported as '0000000000000000'H." + + OBJECT traceRouteProbeHistoryHAddrType + SYNTAX InetAddressType { unknown(0), ipv4(1), ipv6(2) } + DESCRIPTION + "An implementation should only support IPv4 and + globally unique IPv6 address values for this object." + + OBJECT traceRouteProbeHistoryHAddr + SYNTAX InetAddress (SIZE(0|4|16)) + DESCRIPTION + "An implementation should only support IPv4 and + globally unique IPv6 address values for this object." + + OBJECT traceRouteProbeHistoryTime + DESCRIPTION + "If the traceRouteHistoryGroup is implemented, then + this object is mandatory for implementations that have + access to a system clock and that are capable of setting + the values for DateAndTime objects. It is RECOMMENDED + that when this object is not supported its values + be reported as '0000000000000000'H." + + OBJECT traceRouteHopsIpTgtAddressType + SYNTAX InetAddressType { unknown(0), ipv4(1), ipv6(2) } + DESCRIPTION + "An implementation should only support IPv4 and + + globally unique IPv6 address values for this object." + + OBJECT traceRouteHopsIpTgtAddress + SYNTAX InetAddress (SIZE(0|4|16)) + DESCRIPTION + "An implementation should only support IPv4 and + globally unique IPv6 address values for this object." + + OBJECT traceRouteHopsLastGoodProbe + DESCRIPTION + "If the traceRouteHopsTableGroup is implemented, then + this object is mandatory for implementations that have + access to a system clock and that are capable of setting + the values for DateAndTime objects. It is RECOMMENDED + that when this object is not supported its values + be reported as '0000000000000000'H." 
+ ::= { traceRouteCompliances 3 } + + traceRouteCompliance MODULE-COMPLIANCE + STATUS deprecated + DESCRIPTION + "The compliance statement for the DISMAN-TRACEROUTE-MIB. + This compliance statement has been deprecated because + the traceRouteGroup and the traceRouteTimeStampGroup + have been split and deprecated. The + traceRouteFullCompliance is semantically identical to the + deprecated traceRouteCompliance statement." + MODULE -- this module + MANDATORY-GROUPS { + traceRouteGroup + } + GROUP traceRouteTimeStampGroup + DESCRIPTION + "This group is mandatory for implementations that have + access to a system clock and that are capable of setting + the values for DateAndTime objects." + + GROUP traceRouteNotificationsGroup + DESCRIPTION + "This group defines a collection of optional + notifications." + + GROUP traceRouteHopsTableGroup + DESCRIPTION + "This group lists the objects that make up a + traceRouteHopsEntry. Support of the traceRouteHopsTable + is optional." + + OBJECT traceRouteMaxConcurrentRequests + MIN-ACCESS read-only + DESCRIPTION + "The agent is not required to support SET + operations to this object." + + OBJECT traceRouteCtlByPassRouteTable + MIN-ACCESS read-only + DESCRIPTION + "This object is not required by implementations that + are not capable of its implementation. The function + represented by this object is implementable if the + setsockopt SOL_SOCKET SO_DONTROUTE option is + supported." + + OBJECT traceRouteCtlSourceAddressType + SYNTAX InetAddressType { unknown(0), ipv4(1), ipv6(2) } + MIN-ACCESS read-only + DESCRIPTION + "This object is not required by implementations that + are not capable of binding the send socket with a + source address. An implementation is only required to + support IPv4 and IPv6 addresses." 
+ + OBJECT traceRouteCtlSourceAddress + SYNTAX InetAddress (SIZE(0|4|16)) + MIN-ACCESS read-only + DESCRIPTION + "This object is not required by implementations that + are not capable of binding the send socket with a + source address. An implementation is only required to + support IPv4 and globally unique IPv6 addresses." + + OBJECT traceRouteCtlIfIndex + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required. When write access is + not supported, return a 0 as the value of this object. + A value of 0 implies that the function represented by + this option is not supported." + + OBJECT traceRouteCtlMiscOptions + MIN-ACCESS read-only + DESCRIPTION + "Support of this object is optional. When not + supporting, do not allow write access, and return a + zero-length octet string as the value of the object." + + OBJECT traceRouteCtlStorageType + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required. It is also allowed + that implementations support only the volatile + StorageType enumeration." + + OBJECT traceRouteCtlDSField + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required. When write access is + not supported, return a 0 as the value of this object. + A value of 0 implies that the function represented by + this option is not supported." + + OBJECT traceRouteCtlType + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required. In addition, the only + value that is RECOMMENDED to be supported by an + implementation is traceRouteUsingUdpProbes." + + OBJECT traceRouteResultsIpTgtAddrType + SYNTAX InetAddressType { unknown(0), ipv4(1), ipv6(2) } + DESCRIPTION + "An implementation should only support IPv4 and + globally unique IPv6 address values for this object." + + OBJECT traceRouteResultsIpTgtAddr + SYNTAX InetAddress (SIZE(0|4|16)) + DESCRIPTION + "An implementation should only support IPv4 and + globally unique IPv6 address values for this object." 
+ + OBJECT traceRouteProbeHistoryHAddrType + SYNTAX InetAddressType { unknown(0), ipv4(1), ipv6(2) } + DESCRIPTION + "An implementation should only support IPv4 and + globally unique IPv6 address values for this object." + + OBJECT traceRouteProbeHistoryHAddr + SYNTAX InetAddress (SIZE(0|4|16)) + DESCRIPTION + "An implementation should only support IPv4 and + globally unique IPv6 address values for this object." + + OBJECT traceRouteHopsIpTgtAddressType + SYNTAX InetAddressType { unknown(0), ipv4(1), ipv6(2) } + DESCRIPTION + "An implementation should only support IPv4 and + globally unique IPv6 address values for this object." + + OBJECT traceRouteHopsIpTgtAddress + SYNTAX InetAddress (SIZE(0|4|16)) + DESCRIPTION + "An implementation should only support IPv4 and + globally unique IPv6 address values for this object." + ::= { traceRouteCompliances 1 } + + -- MIB groupings + + traceRouteMinimumGroup OBJECT-GROUP + OBJECTS { + traceRouteMaxConcurrentRequests, + traceRouteCtlTargetAddressType, + traceRouteCtlTargetAddress, + traceRouteCtlByPassRouteTable, + traceRouteCtlDataSize, + traceRouteCtlTimeOut, + traceRouteCtlProbesPerHop, + traceRouteCtlPort, + traceRouteCtlMaxTtl, + traceRouteCtlDSField, + traceRouteCtlSourceAddressType, + traceRouteCtlSourceAddress, + traceRouteCtlIfIndex, + traceRouteCtlMiscOptions, + traceRouteCtlMaxFailures, + traceRouteCtlDontFragment, + traceRouteCtlInitialTtl, + traceRouteCtlFrequency, + traceRouteCtlStorageType, + traceRouteCtlAdminStatus, + traceRouteCtlMaxRows, + traceRouteCtlTrapGeneration, + traceRouteCtlDescr, + traceRouteCtlCreateHopsEntries, + traceRouteCtlType, + traceRouteResultsOperStatus, + traceRouteResultsCurHopCount, + traceRouteResultsCurProbeCount, + traceRouteResultsIpTgtAddrType, + traceRouteResultsIpTgtAddr, + traceRouteResultsTestAttempts, + traceRouteResultsTestSuccesses, + traceRouteResultsLastGoodPath + + } + STATUS current + DESCRIPTION + "The group of objects that constitute the remote traceroute + 
operation." + ::= { traceRouteGroups 5 } + + traceRouteCtlRowStatusGroup OBJECT-GROUP + OBJECTS { + traceRouteCtlRowStatus + } + STATUS current + DESCRIPTION + "The RowStatus object of the traceRouteCtlTable." + ::= { traceRouteGroups 6 } + + traceRouteHistoryGroup OBJECT-GROUP + OBJECTS { + traceRouteProbeHistoryHAddrType, + traceRouteProbeHistoryHAddr, + traceRouteProbeHistoryResponse, + traceRouteProbeHistoryStatus, + traceRouteProbeHistoryLastRC, + traceRouteProbeHistoryTime + } + STATUS current + DESCRIPTION + "The group of objects that constitute the history + capability." + ::= { traceRouteGroups 7 } + + traceRouteNotificationsGroup NOTIFICATION-GROUP + NOTIFICATIONS { + traceRoutePathChange, + traceRouteTestFailed, + traceRouteTestCompleted + } + STATUS current + DESCRIPTION + "The notifications that are required to be supported by + implementations of this MIB." + ::= { traceRouteGroups 3 } + + traceRouteHopsTableGroup OBJECT-GROUP + OBJECTS { + traceRouteHopsIpTgtAddressType, + traceRouteHopsIpTgtAddress, + traceRouteHopsMinRtt, + traceRouteHopsMaxRtt, + traceRouteHopsAverageRtt, + traceRouteHopsRttSumOfSquares, + traceRouteHopsSentProbes, + traceRouteHopsProbeResponses, + traceRouteHopsLastGoodProbe + } + STATUS current + DESCRIPTION + "The group of objects that constitute the + traceRouteHopsTable." 
+ ::= { traceRouteGroups 4 } + + traceRouteGroup OBJECT-GROUP + OBJECTS { + traceRouteMaxConcurrentRequests, + traceRouteCtlTargetAddressType, + traceRouteCtlTargetAddress, + traceRouteCtlByPassRouteTable, + traceRouteCtlDataSize, + traceRouteCtlTimeOut, + traceRouteCtlProbesPerHop, + traceRouteCtlPort, + traceRouteCtlMaxTtl, + traceRouteCtlDSField, + traceRouteCtlSourceAddressType, + traceRouteCtlSourceAddress, + traceRouteCtlIfIndex, + traceRouteCtlMiscOptions, + traceRouteCtlMaxFailures, + traceRouteCtlDontFragment, + traceRouteCtlInitialTtl, + traceRouteCtlFrequency, + traceRouteCtlStorageType, + traceRouteCtlAdminStatus, + traceRouteCtlMaxRows, + traceRouteCtlTrapGeneration, + traceRouteCtlDescr, + traceRouteCtlCreateHopsEntries, + traceRouteCtlType, + traceRouteCtlRowStatus, + traceRouteResultsOperStatus, + traceRouteResultsCurHopCount, + traceRouteResultsCurProbeCount, + traceRouteResultsIpTgtAddrType, + traceRouteResultsIpTgtAddr, + traceRouteResultsTestAttempts, + traceRouteResultsTestSuccesses, + traceRouteProbeHistoryHAddrType, + traceRouteProbeHistoryHAddr, + traceRouteProbeHistoryResponse, + traceRouteProbeHistoryStatus, + traceRouteProbeHistoryLastRC + } + STATUS deprecated + DESCRIPTION + "The group of objects that constitute the remote traceroute + operation." + ::= { traceRouteGroups 1 } + + traceRouteTimeStampGroup OBJECT-GROUP + OBJECTS { + traceRouteResultsLastGoodPath, + traceRouteProbeHistoryTime + } + STATUS deprecated + DESCRIPTION + "The group of DateAndTime objects." + ::= { traceRouteGroups 2 } + +END diff --git a/mibs/EtherLike-MIB.txt b/mibs/EtherLike-MIB.txt new file mode 100644 index 000000000..dcec7cee4 --- /dev/null +++ b/mibs/EtherLike-MIB.txt 
@@ -0,0 +1,1862 @@ +EtherLike-MIB DEFINITIONS ::= BEGIN + + IMPORTS + MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY, + Integer32, Counter32, Counter64, mib-2, transmission + FROM SNMPv2-SMI + MODULE-COMPLIANCE, OBJECT-GROUP + FROM SNMPv2-CONF + TruthValue + FROM SNMPv2-TC + ifIndex, InterfaceIndex + FROM IF-MIB; + + etherMIB MODULE-IDENTITY + LAST-UPDATED "200309190000Z" -- September 19, 2003 + ORGANIZATION "IETF Ethernet Interfaces and Hub MIB + Working Group" + CONTACT-INFO + "WG E-mail: hubmib@ietf.org + To subscribe: hubmib-request@ietf.org + + Chair: Dan Romascanu + Postal: Avaya Inc. + Atidum Technology Park, Bldg. 3 + Tel Aviv 61131 + Israel + Tel: +972 3 645 8414 + E-mail: dromasca@avaya.com + + Editor: John Flick + Postal: Hewlett-Packard Company + 8000 Foothills Blvd. M/S 5557 + Roseville, CA 95747-5557 + USA + Tel: +1 916 785 4018 + Fax: +1 916 785 1199 + E-mail: johnf@rose.hp.com" + DESCRIPTION "The MIB module to describe generic objects for + ethernet-like network interfaces. + + The following reference is used throughout this + MIB module: + + [IEEE 802.3 Std] refers to: + IEEE Std 802.3, 2002 Edition: 'IEEE Standard + + for Information technology - + Telecommunications and information exchange + between systems - Local and metropolitan + area networks - Specific requirements - + Part 3: Carrier sense multiple access with + collision detection (CSMA/CD) access method + and physical layer specifications', as + amended by IEEE Std 802.3ae-2002: + 'Amendment: Media Access Control (MAC) + Parameters, Physical Layer, and Management + Parameters for 10 Gb/s Operation', August, + 2002. + + Of particular interest is Clause 30, '10 Mb/s, + 100 Mb/s, 1000 Mb/s, and 10 Gb/s Management'. + + Copyright (C) The Internet Society (2003). This + version of this MIB module is part of RFC 3635; + see the RFC itself for full legal notices." + + REVISION "200309190000Z" -- September 19, 2003 + DESCRIPTION "Updated to include support for 10 Gb/sec + interfaces. 
This resulted in the following + revisions: + + - Updated dot3StatsAlignmentErrors and + dot3StatsSymbolErrors DESCRIPTIONs to + reflect behaviour at 10 Gb/s + - Added dot3StatsRateControlAbility and + dot3RateControlStatus for management + of the Rate Control function in 10 Gb/s + WAN applications + - Added 64-bit versions of all counters + that are used on high-speed ethernet + interfaces + - Added object groups to contain the new + objects + - Deprecated etherStatsBaseGroup and + split into etherStatsBaseGroup2 and + etherStatsHalfDuplexGroup, so that + interfaces which can only operate at + full-duplex do not need to implement + half-duplex-only statistics + - Deprecated dot3Compliance and replaced + it with dot3Compliance2, which includes + the compliance information for the new + object groups + + In addition, the dot3Tests and dot3Errors + object identities have been deprecated, + since there is no longer a standard method + for using them. + + This version published as RFC 3635." + + REVISION "199908240400Z" -- August 24, 1999 + DESCRIPTION "Updated to include support for 1000 Mb/sec + interfaces and full-duplex interfaces. + This version published as RFC 2665." + + REVISION "199806032150Z" -- June 3, 1998 + DESCRIPTION "Updated to include support for 100 Mb/sec + interfaces. + This version published as RFC 2358." + + REVISION "199402030400Z" -- February 3, 1994 + DESCRIPTION "Initial version, published as RFC 1650." + ::= { mib-2 35 } + + etherMIBObjects OBJECT IDENTIFIER ::= { etherMIB 1 } + + dot3 OBJECT IDENTIFIER ::= { transmission 7 } + + -- the Ethernet-like Statistics group + + dot3StatsTable OBJECT-TYPE + SYNTAX SEQUENCE OF Dot3StatsEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "Statistics for a collection of ethernet-like + interfaces attached to a particular system. + There will be one row in this table for each + ethernet-like interface in the system." 
+ ::= { dot3 2 } + + dot3StatsEntry OBJECT-TYPE + SYNTAX Dot3StatsEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "Statistics for a particular interface to an + ethernet-like medium." + INDEX { dot3StatsIndex } + ::= { dot3StatsTable 1 } + + Dot3StatsEntry ::= + SEQUENCE { + + dot3StatsIndex InterfaceIndex, + dot3StatsAlignmentErrors Counter32, + dot3StatsFCSErrors Counter32, + dot3StatsSingleCollisionFrames Counter32, + dot3StatsMultipleCollisionFrames Counter32, + dot3StatsSQETestErrors Counter32, + dot3StatsDeferredTransmissions Counter32, + dot3StatsLateCollisions Counter32, + dot3StatsExcessiveCollisions Counter32, + dot3StatsInternalMacTransmitErrors Counter32, + dot3StatsCarrierSenseErrors Counter32, + dot3StatsFrameTooLongs Counter32, + dot3StatsInternalMacReceiveErrors Counter32, + dot3StatsEtherChipSet OBJECT IDENTIFIER, + dot3StatsSymbolErrors Counter32, + dot3StatsDuplexStatus INTEGER, + dot3StatsRateControlAbility TruthValue, + dot3StatsRateControlStatus INTEGER + } + + dot3StatsIndex OBJECT-TYPE + SYNTAX InterfaceIndex + MAX-ACCESS read-only -- read-only since originally an + -- SMIv1 index + STATUS current + DESCRIPTION "An index value that uniquely identifies an + interface to an ethernet-like medium. The + interface identified by a particular value of + this index is the same interface as identified + by the same value of ifIndex." + REFERENCE "RFC 2863, ifIndex" + ::= { dot3StatsEntry 1 } + + dot3StatsAlignmentErrors OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "A count of frames received on a particular + interface that are not an integral number of + octets in length and do not pass the FCS check. + + The count represented by an instance of this + object is incremented when the alignmentError + status is returned by the MAC service to the + LLC (or other MAC user). 
Received frames for + which multiple error conditions pertain are, + according to the conventions of IEEE 802.3 + Layer Management, counted exclusively according + + to the error status presented to the LLC. + + This counter does not increment for group + encoding schemes greater than 4 bits per group. + + For interfaces operating at 10 Gb/s, this + counter can roll over in less than 5 minutes if + it is incrementing at its maximum rate. Since + that amount of time could be less than a + management station's poll cycle time, in order + to avoid a loss of information, a management + station is advised to poll the + dot3HCStatsAlignmentErrors object for 10 Gb/s + or faster interfaces. + + Discontinuities in the value of this counter can + occur at re-initialization of the management + system, and at other times as indicated by the + value of ifCounterDiscontinuityTime." + REFERENCE "[IEEE 802.3 Std.], 30.3.1.1.7, + aAlignmentErrors" + ::= { dot3StatsEntry 2 } + + dot3StatsFCSErrors OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "A count of frames received on a particular + interface that are an integral number of octets + in length but do not pass the FCS check. This + count does not include frames received with + frame-too-long or frame-too-short error. + + The count represented by an instance of this + object is incremented when the frameCheckError + status is returned by the MAC service to the + LLC (or other MAC user). Received frames for + which multiple error conditions pertain are, + according to the conventions of IEEE 802.3 + Layer Management, counted exclusively according + to the error status presented to the LLC. + + Note: Coding errors detected by the physical + layer for speeds above 10 Mb/s will cause the + frame to fail the FCS check. + + For interfaces operating at 10 Gb/s, this + counter can roll over in less than 5 minutes if + + it is incrementing at its maximum rate. 
Since + that amount of time could be less than a + management station's poll cycle time, in order + to avoid a loss of information, a management + station is advised to poll the + dot3HCStatsFCSErrors object for 10 Gb/s or + faster interfaces. + + Discontinuities in the value of this counter can + occur at re-initialization of the management + system, and at other times as indicated by the + value of ifCounterDiscontinuityTime." + REFERENCE "[IEEE 802.3 Std.], 30.3.1.1.6, + aFrameCheckSequenceErrors." + ::= { dot3StatsEntry 3 } + + dot3StatsSingleCollisionFrames OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "A count of frames that are involved in a single + collision, and are subsequently transmitted + successfully. + + A frame that is counted by an instance of this + object is also counted by the corresponding + instance of either the ifOutUcastPkts, + ifOutMulticastPkts, or ifOutBroadcastPkts, + and is not counted by the corresponding + instance of the dot3StatsMultipleCollisionFrames + object. + + This counter does not increment when the + interface is operating in full-duplex mode. + + Discontinuities in the value of this counter can + occur at re-initialization of the management + system, and at other times as indicated by the + value of ifCounterDiscontinuityTime." + REFERENCE "[IEEE 802.3 Std.], 30.3.1.1.3, + aSingleCollisionFrames." + ::= { dot3StatsEntry 4 } + + dot3StatsMultipleCollisionFrames OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "A count of frames that are involved in more + + than one collision and are subsequently + transmitted successfully. + + A frame that is counted by an instance of this + object is also counted by the corresponding + instance of either the ifOutUcastPkts, + ifOutMulticastPkts, or ifOutBroadcastPkts, + and is not counted by the corresponding + instance of the dot3StatsSingleCollisionFrames + object. 
+ + This counter does not increment when the + interface is operating in full-duplex mode. + + Discontinuities in the value of this counter can + occur at re-initialization of the management + system, and at other times as indicated by the + value of ifCounterDiscontinuityTime." + REFERENCE "[IEEE 802.3 Std.], 30.3.1.1.4, + aMultipleCollisionFrames." + ::= { dot3StatsEntry 5 } + + dot3StatsSQETestErrors OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "A count of times that the SQE TEST ERROR + is received on a particular interface. The + SQE TEST ERROR is set in accordance with the + rules for verification of the SQE detection + mechanism in the PLS Carrier Sense Function as + described in IEEE Std. 802.3, 2000 Edition, + section 7.2.4.6. + + This counter does not increment on interfaces + operating at speeds greater than 10 Mb/s, or on + interfaces operating in full-duplex mode. + + Discontinuities in the value of this counter can + occur at re-initialization of the management + system, and at other times as indicated by the + value of ifCounterDiscontinuityTime." + REFERENCE "[IEEE 802.3 Std.], 7.2.4.6, also 30.3.2.1.4, + aSQETestErrors." + ::= { dot3StatsEntry 6 } + + dot3StatsDeferredTransmissions OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "A count of frames for which the first + transmission attempt on a particular interface + is delayed because the medium is busy. + + The count represented by an instance of this + object does not include frames involved in + collisions. + + This counter does not increment when the + interface is operating in full-duplex mode. + + Discontinuities in the value of this counter can + occur at re-initialization of the management + system, and at other times as indicated by the + value of ifCounterDiscontinuityTime." + REFERENCE "[IEEE 802.3 Std.], 30.3.1.1.9, + aFramesWithDeferredXmissions." 
+ ::= { dot3StatsEntry 7 } + + dot3StatsLateCollisions OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "The number of times that a collision is + detected on a particular interface later than + one slotTime into the transmission of a packet. + + A (late) collision included in a count + represented by an instance of this object is + also considered as a (generic) collision for + purposes of other collision-related + statistics. + + This counter does not increment when the + interface is operating in full-duplex mode. + + Discontinuities in the value of this counter can + occur at re-initialization of the management + system, and at other times as indicated by the + value of ifCounterDiscontinuityTime." + REFERENCE "[IEEE 802.3 Std.], 30.3.1.1.10, + aLateCollisions." + ::= { dot3StatsEntry 8 } + + dot3StatsExcessiveCollisions OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "A count of frames for which transmission on a + particular interface fails due to excessive + collisions. + + This counter does not increment when the + interface is operating in full-duplex mode. + + Discontinuities in the value of this counter can + occur at re-initialization of the management + system, and at other times as indicated by the + value of ifCounterDiscontinuityTime." + REFERENCE "[IEEE 802.3 Std.], 30.3.1.1.11, + aFramesAbortedDueToXSColls." + ::= { dot3StatsEntry 9 } + + dot3StatsInternalMacTransmitErrors OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "A count of frames for which transmission on a + particular interface fails due to an internal + MAC sublayer transmit error. A frame is only + counted by an instance of this object if it is + not counted by the corresponding instance of + either the dot3StatsLateCollisions object, the + dot3StatsExcessiveCollisions object, or the + dot3StatsCarrierSenseErrors object. 
+ + The precise meaning of the count represented by + an instance of this object is implementation- + specific. In particular, an instance of this + object may represent a count of transmission + errors on a particular interface that are not + otherwise counted. + + For interfaces operating at 10 Gb/s, this + counter can roll over in less than 5 minutes if + it is incrementing at its maximum rate. Since + that amount of time could be less than a + management station's poll cycle time, in order + to avoid a loss of information, a management + station is advised to poll the + dot3HCStatsInternalMacTransmitErrors object for + 10 Gb/s or faster interfaces. + + Discontinuities in the value of this counter can + + occur at re-initialization of the management + system, and at other times as indicated by the + value of ifCounterDiscontinuityTime." + REFERENCE "[IEEE 802.3 Std.], 30.3.1.1.12, + aFramesLostDueToIntMACXmitError." + ::= { dot3StatsEntry 10 } + + dot3StatsCarrierSenseErrors OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "The number of times that the carrier sense + condition was lost or never asserted when + attempting to transmit a frame on a particular + interface. + + The count represented by an instance of this + object is incremented at most once per + transmission attempt, even if the carrier sense + condition fluctuates during a transmission + attempt. + + This counter does not increment when the + interface is operating in full-duplex mode. + + Discontinuities in the value of this counter can + occur at re-initialization of the management + system, and at other times as indicated by the + value of ifCounterDiscontinuityTime." + REFERENCE "[IEEE 802.3 Std.], 30.3.1.1.13, + aCarrierSenseErrors." 
+ ::= { dot3StatsEntry 11 } + + -- { dot3StatsEntry 12 } is not assigned + + dot3StatsFrameTooLongs OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "A count of frames received on a particular + interface that exceed the maximum permitted + frame size. + + The count represented by an instance of this + object is incremented when the frameTooLong + status is returned by the MAC service to the + LLC (or other MAC user). Received frames for + which multiple error conditions pertain are, + according to the conventions of IEEE 802.3 + Layer Management, counted exclusively according + to the error status presented to the LLC. + + For interfaces operating at 10 Gb/s, this + counter can roll over in less than 80 minutes if + it is incrementing at its maximum rate. Since + that amount of time could be less than a + management station's poll cycle time, in order + to avoid a loss of information, a management + station is advised to poll the + dot3HCStatsFrameTooLongs object for 10 Gb/s + or faster interfaces. + + Discontinuities in the value of this counter can + occur at re-initialization of the management + system, and at other times as indicated by the + value of ifCounterDiscontinuityTime." + REFERENCE "[IEEE 802.3 Std.], 30.3.1.1.25, + aFrameTooLongErrors." + ::= { dot3StatsEntry 13 } + + -- { dot3StatsEntry 14 } is not assigned + + -- { dot3StatsEntry 15 } is not assigned + + dot3StatsInternalMacReceiveErrors OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "A count of frames for which reception on a + particular interface fails due to an internal + MAC sublayer receive error. A frame is only + counted by an instance of this object if it is + not counted by the corresponding instance of + either the dot3StatsFrameTooLongs object, the + dot3StatsAlignmentErrors object, or the + dot3StatsFCSErrors object. 
+ + The precise meaning of the count represented by + an instance of this object is implementation- + specific. In particular, an instance of this + object may represent a count of receive errors + on a particular interface that are not + otherwise counted. + + For interfaces operating at 10 Gb/s, this + counter can roll over in less than 5 minutes if + + it is incrementing at its maximum rate. Since + that amount of time could be less than a + management station's poll cycle time, in order + to avoid a loss of information, a management + station is advised to poll the + dot3HCStatsInternalMacReceiveErrors object for + 10 Gb/s or faster interfaces. + + Discontinuities in the value of this counter can + occur at re-initialization of the management + system, and at other times as indicated by the + value of ifCounterDiscontinuityTime." + REFERENCE "[IEEE 802.3 Std.], 30.3.1.1.15, + aFramesLostDueToIntMACRcvError." + ::= { dot3StatsEntry 16 } + + dot3StatsEtherChipSet OBJECT-TYPE + SYNTAX OBJECT IDENTIFIER + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION "******** THIS OBJECT IS DEPRECATED ******** + + This object contains an OBJECT IDENTIFIER + which identifies the chipset used to + realize the interface. Ethernet-like + interfaces are typically built out of + several different chips. The MIB implementor + is presented with a decision of which chip + to identify via this object. The implementor + should identify the chip which is usually + called the Medium Access Control chip. + If no such chip is easily identifiable, + the implementor should identify the chip + which actually gathers the transmit + and receive statistics and error + indications. This would allow a + manager station to correlate the + statistics and the chip generating + them, giving it the ability to take + into account any known anomalies + in the chip. + + This object has been deprecated. 
Implementation + feedback indicates that it is of limited use for + debugging network problems in the field, and + the administrative overhead involved in + maintaining a registry of chipset OIDs is not + justified." + ::= { dot3StatsEntry 17 } + + dot3StatsSymbolErrors OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "For an interface operating at 100 Mb/s, the + number of times there was an invalid data symbol + when a valid carrier was present. + + For an interface operating in half-duplex mode + at 1000 Mb/s, the number of times the receiving + media is non-idle (a carrier event) for a period + of time equal to or greater than slotTime, and + during which there was at least one occurrence + of an event that causes the PHY to indicate + 'Data reception error' or 'carrier extend error' + on the GMII. + + For an interface operating in full-duplex mode + at 1000 Mb/s, the number of times the receiving + media is non-idle (a carrier event) for a period + of time equal to or greater than minFrameSize, + and during which there was at least one + occurrence of an event that causes the PHY to + indicate 'Data reception error' on the GMII. + + For an interface operating at 10 Gb/s, the + number of times the receiving media is non-idle + (a carrier event) for a period of time equal to + or greater than minFrameSize, and during which + there was at least one occurrence of an event + that causes the PHY to indicate 'Receive Error' + on the XGMII. + + The count represented by an instance of this + object is incremented at most once per carrier + event, even if multiple symbol errors occur + during the carrier event. This count does + not increment if a collision is present. + + This counter does not increment when the + interface is operating at 10 Mb/s. + + For interfaces operating at 10 Gb/s, this + counter can roll over in less than 5 minutes if + it is incrementing at its maximum rate. 
Since + that amount of time could be less than a + + management station's poll cycle time, in order + to avoid a loss of information, a management + station is advised to poll the + dot3HCStatsSymbolErrors object for 10 Gb/s + or faster interfaces. + + Discontinuities in the value of this counter can + occur at re-initialization of the management + system, and at other times as indicated by the + value of ifCounterDiscontinuityTime." + REFERENCE "[IEEE 802.3 Std.], 30.3.2.1.5, + aSymbolErrorDuringCarrier." + ::= { dot3StatsEntry 18 } + + dot3StatsDuplexStatus OBJECT-TYPE + SYNTAX INTEGER { + unknown(1), + halfDuplex(2), + fullDuplex(3) + } + MAX-ACCESS read-only + STATUS current + DESCRIPTION "The current mode of operation of the MAC + entity. 'unknown' indicates that the current + duplex mode could not be determined. + + Management control of the duplex mode is + accomplished through the MAU MIB. When + an interface does not support autonegotiation, + or when autonegotiation is not enabled, the + duplex mode is controlled using + ifMauDefaultType. When autonegotiation is + supported and enabled, duplex mode is controlled + using ifMauAutoNegAdvertisedBits. In either + case, the currently operating duplex mode is + reflected both in this object and in ifMauType. + + Note that this object provides redundant + information with ifMauType. Normally, redundant + objects are discouraged. However, in this + instance, it allows a management application to + determine the duplex status of an interface + without having to know every possible value of + ifMauType. This was felt to be sufficiently + valuable to justify the redundancy." + REFERENCE "[IEEE 802.3 Std.], 30.3.1.1.32, + aDuplexStatus." 
+ ::= { dot3StatsEntry 19 } + + dot3StatsRateControlAbility OBJECT-TYPE + SYNTAX TruthValue + MAX-ACCESS read-only + STATUS current + DESCRIPTION "'true' for interfaces operating at speeds above + 1000 Mb/s that support Rate Control through + lowering the average data rate of the MAC + sublayer, with frame granularity, and 'false' + otherwise." + REFERENCE "[IEEE 802.3 Std.], 30.3.1.1.33, + aRateControlAbility." + ::= { dot3StatsEntry 20 } + + dot3StatsRateControlStatus OBJECT-TYPE + SYNTAX INTEGER { + rateControlOff(1), + rateControlOn(2), + unknown(3) + } + MAX-ACCESS read-only + STATUS current + DESCRIPTION "The current Rate Control mode of operation of + the MAC sublayer of this interface." + REFERENCE "[IEEE 802.3 Std.], 30.3.1.1.34, + aRateControlStatus." + ::= { dot3StatsEntry 21 } + + -- the Ethernet-like Collision Statistics group + + -- Implementation of this group is optional; it is appropriate + -- for all systems which have the necessary metering + + dot3CollTable OBJECT-TYPE + SYNTAX SEQUENCE OF Dot3CollEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "A collection of collision histograms for a + particular set of interfaces." + REFERENCE "[IEEE 802.3 Std.], 30.3.1.1.30, + aCollisionFrames." + ::= { dot3 5 } + + dot3CollEntry OBJECT-TYPE + SYNTAX Dot3CollEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "A cell in the histogram of per-frame + collisions for a particular interface. An + + instance of this object represents the + frequency of individual MAC frames for which + the transmission (successful or otherwise) on a + particular interface is accompanied by a + particular number of media collisions." 
+ INDEX { ifIndex, dot3CollCount } + ::= { dot3CollTable 1 } + + Dot3CollEntry ::= + SEQUENCE { + dot3CollCount Integer32, + dot3CollFrequencies Counter32 + } + + -- { dot3CollEntry 1 } is no longer in use + + dot3CollCount OBJECT-TYPE + SYNTAX Integer32 (1..16) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "The number of per-frame media collisions for + which a particular collision histogram cell + represents the frequency on a particular + interface." + ::= { dot3CollEntry 2 } + + dot3CollFrequencies OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "A count of individual MAC frames for which the + transmission (successful or otherwise) on a + particular interface occurs after the + frame has experienced exactly the number + of collisions in the associated + dot3CollCount object. + + For example, a frame which is transmitted + on interface 77 after experiencing + exactly 4 collisions would be indicated + by incrementing only dot3CollFrequencies.77.4. + No other instance of dot3CollFrequencies would + be incremented in this example. + + This counter does not increment when the + interface is operating in full-duplex mode. + + Discontinuities in the value of this counter can + + occur at re-initialization of the management + system, and at other times as indicated by the + value of ifCounterDiscontinuityTime." + ::= { dot3CollEntry 3 } + + dot3ControlTable OBJECT-TYPE + SYNTAX SEQUENCE OF Dot3ControlEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "A table of descriptive and status information + about the MAC Control sublayer on the + ethernet-like interfaces attached to a + particular system. There will be one row in + this table for each ethernet-like interface in + the system which implements the MAC Control + sublayer. If some, but not all, of the + ethernet-like interfaces in the system implement + the MAC Control sublayer, there will be fewer + rows in this table than in the dot3StatsTable." 
+ ::= { dot3 9 } + + dot3ControlEntry OBJECT-TYPE + SYNTAX Dot3ControlEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "An entry in the table, containing information + about the MAC Control sublayer on a single + ethernet-like interface." + INDEX { dot3StatsIndex } + ::= { dot3ControlTable 1 } + + Dot3ControlEntry ::= + SEQUENCE { + dot3ControlFunctionsSupported BITS, + dot3ControlInUnknownOpcodes Counter32, + dot3HCControlInUnknownOpcodes Counter64 + } + + dot3ControlFunctionsSupported OBJECT-TYPE + SYNTAX BITS { + pause(0) -- 802.3 flow control + } + MAX-ACCESS read-only + STATUS current + DESCRIPTION "A list of the possible MAC Control functions + implemented for this interface." + REFERENCE "[IEEE 802.3 Std.], 30.3.3.2, + aMACControlFunctionsSupported." + ::= { dot3ControlEntry 1 } + + dot3ControlInUnknownOpcodes OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "A count of MAC Control frames received on this + interface that contain an opcode that is not + supported by this device. + + For interfaces operating at 10 Gb/s, this + counter can roll over in less than 5 minutes if + it is incrementing at its maximum rate. Since + that amount of time could be less than a + management station's poll cycle time, in order + to avoid a loss of information, a management + station is advised to poll the + dot3HCControlInUnknownOpcodes object for 10 Gb/s + or faster interfaces. + + Discontinuities in the value of this counter can + occur at re-initialization of the management + system, and at other times as indicated by the + value of ifCounterDiscontinuityTime." + REFERENCE "[IEEE 802.3 Std.], 30.3.3.5, + aUnsupportedOpcodesReceived" + ::= { dot3ControlEntry 2 } + + dot3HCControlInUnknownOpcodes OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "A count of MAC Control frames received on this + interface that contain an opcode that is not + supported by this device. 
+ + This counter is a 64 bit version of + dot3ControlInUnknownOpcodes. It should be used + on interfaces operating at 10 Gb/s or faster. + + Discontinuities in the value of this counter can + occur at re-initialization of the management + system, and at other times as indicated by the + value of ifCounterDiscontinuityTime." + REFERENCE "[IEEE 802.3 Std.], 30.3.3.5, + aUnsupportedOpcodesReceived" + ::= { dot3ControlEntry 3 } + + dot3PauseTable OBJECT-TYPE + SYNTAX SEQUENCE OF Dot3PauseEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "A table of descriptive and status information + about the MAC Control PAUSE function on the + ethernet-like interfaces attached to a + particular system. There will be one row in + this table for each ethernet-like interface in + the system which supports the MAC Control PAUSE + function (i.e., the 'pause' bit in the + corresponding instance of + dot3ControlFunctionsSupported is set). If some, + but not all, of the ethernet-like interfaces in + the system implement the MAC Control PAUSE + function (for example, if some interfaces only + support half-duplex), there will be fewer rows + in this table than in the dot3StatsTable." + ::= { dot3 10 } + + dot3PauseEntry OBJECT-TYPE + SYNTAX Dot3PauseEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "An entry in the table, containing information + about the MAC Control PAUSE function on a single + ethernet-like interface." 
+ INDEX { dot3StatsIndex } + ::= { dot3PauseTable 1 } + + Dot3PauseEntry ::= + + SEQUENCE { + dot3PauseAdminMode INTEGER, + dot3PauseOperMode INTEGER, + dot3InPauseFrames Counter32, + dot3OutPauseFrames Counter32, + dot3HCInPauseFrames Counter64, + dot3HCOutPauseFrames Counter64 + } + + dot3PauseAdminMode OBJECT-TYPE + SYNTAX INTEGER { + disabled(1), + enabledXmit(2), + enabledRcv(3), + enabledXmitAndRcv(4) + } + MAX-ACCESS read-write + STATUS current + DESCRIPTION "This object is used to configure the default + administrative PAUSE mode for this interface. + + This object represents the + administratively-configured PAUSE mode for this + interface. If auto-negotiation is not enabled + or is not implemented for the active MAU + attached to this interface, the value of this + object determines the operational PAUSE mode + of the interface whenever it is operating in + full-duplex mode. In this case, a set to this + object will force the interface into the + specified mode. + + If auto-negotiation is implemented and enabled + for the MAU attached to this interface, the + PAUSE mode for this interface is determined by + auto-negotiation, and the value of this object + denotes the mode to which the interface will + automatically revert if/when auto-negotiation is + later disabled. Note that when auto-negotiation + is running, administrative control of the PAUSE + mode may be accomplished using the + ifMauAutoNegCapAdvertisedBits object in the + MAU-MIB. + + Note that the value of this object is ignored + when the interface is not operating in + full-duplex mode. + + An attempt to set this object to + 'enabledXmit(2)' or 'enabledRcv(3)' will fail + on interfaces that do not support operation + at greater than 100 Mb/s." 
+ ::= { dot3PauseEntry 1 } + + dot3PauseOperMode OBJECT-TYPE + SYNTAX INTEGER { + disabled(1), + enabledXmit(2), + enabledRcv(3), + enabledXmitAndRcv(4) + } + MAX-ACCESS read-only + STATUS current + DESCRIPTION "This object reflects the PAUSE mode currently + + in use on this interface, as determined by + either (1) the result of the auto-negotiation + function or (2) if auto-negotiation is not + enabled or is not implemented for the active MAU + attached to this interface, by the value of + dot3PauseAdminMode. Interfaces operating at + 100 Mb/s or less will never return + 'enabledXmit(2)' or 'enabledRcv(3)'. Interfaces + operating in half-duplex mode will always return + 'disabled(1)'. Interfaces on which + auto-negotiation is enabled but not yet + completed should return the value + 'disabled(1)'." + ::= { dot3PauseEntry 2 } + + dot3InPauseFrames OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "A count of MAC Control frames received on this + interface with an opcode indicating the PAUSE + operation. + + This counter does not increment when the + interface is operating in half-duplex mode. + + For interfaces operating at 10 Gb/s, this + counter can roll over in less than 5 minutes if + it is incrementing at its maximum rate. Since + that amount of time could be less than a + management station's poll cycle time, in order + to avoid a loss of information, a management + station is advised to poll the + dot3HCInPauseFrames object for 10 Gb/s or + faster interfaces. + + Discontinuities in the value of this counter can + occur at re-initialization of the management + system, and at other times as indicated by the + value of ifCounterDiscontinuityTime." + REFERENCE "[IEEE 802.3 Std.], 30.3.4.3, + aPAUSEMACCtrlFramesReceived." 
+ ::= { dot3PauseEntry 3 } + + dot3OutPauseFrames OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "A count of MAC Control frames transmitted on + this interface with an opcode indicating the + PAUSE operation. + + This counter does not increment when the + interface is operating in half-duplex mode. + + For interfaces operating at 10 Gb/s, this + counter can roll over in less than 5 minutes if + it is incrementing at its maximum rate. Since + that amount of time could be less than a + management station's poll cycle time, in order + to avoid a loss of information, a management + station is advised to poll the + dot3HCOutPauseFrames object for 10 Gb/s or + faster interfaces. + + Discontinuities in the value of this counter can + occur at re-initialization of the management + system, and at other times as indicated by the + value of ifCounterDiscontinuityTime." + REFERENCE "[IEEE 802.3 Std.], 30.3.4.2, + aPAUSEMACCtrlFramesTransmitted." + ::= { dot3PauseEntry 4 } + + dot3HCInPauseFrames OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "A count of MAC Control frames received on this + interface with an opcode indicating the PAUSE + operation. + + This counter does not increment when the + interface is operating in half-duplex mode. + + This counter is a 64 bit version of + dot3InPauseFrames. It should be used on + interfaces operating at 10 Gb/s or faster. + + Discontinuities in the value of this counter can + occur at re-initialization of the management + system, and at other times as indicated by the + value of ifCounterDiscontinuityTime." + REFERENCE "[IEEE 802.3 Std.], 30.3.4.3, + aPAUSEMACCtrlFramesReceived." + ::= { dot3PauseEntry 5 } + + dot3HCOutPauseFrames OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "A count of MAC Control frames transmitted on + this interface with an opcode indicating the + PAUSE operation. 
+ + This counter does not increment when the + interface is operating in half-duplex mode. + + This counter is a 64 bit version of + dot3OutPauseFrames. It should be used on + interfaces operating at 10 Gb/s or faster. + + Discontinuities in the value of this counter can + occur at re-initialization of the management + system, and at other times as indicated by the + value of ifCounterDiscontinuityTime." + REFERENCE "[IEEE 802.3 Std.], 30.3.4.2, + aPAUSEMACCtrlFramesTransmitted." + ::= { dot3PauseEntry 6 } + + dot3HCStatsTable OBJECT-TYPE + SYNTAX SEQUENCE OF Dot3HCStatsEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "A table containing 64-bit versions of error + counters from the dot3StatsTable. The 32-bit + versions of these counters may roll over quite + quickly on higher speed ethernet interfaces. + The counters that have 64-bit versions in this + table are the counters that apply to full-duplex + interfaces, since 10 Gb/s and faster + ethernet-like interfaces do not support + half-duplex, and very few 1000 Mb/s + ethernet-like interfaces support half-duplex. + + Entries in this table are recommended for + interfaces capable of operating at 1000 Mb/s or + faster, and are required for interfaces capable + of operating at 10 Gb/s or faster. Lower speed + ethernet-like interfaces do not need entries in + this table, in which case there may be fewer + entries in this table than in the + dot3StatsTable. However, implementations + containing interfaces with a mix of speeds may + choose to implement entries in this table for + + all ethernet-like interfaces." + ::= { dot3 11 } + + dot3HCStatsEntry OBJECT-TYPE + SYNTAX Dot3HCStatsEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "An entry containing 64-bit statistics for a + single ethernet-like interface." 
+ INDEX { dot3StatsIndex } + ::= { dot3HCStatsTable 1 } + + Dot3HCStatsEntry ::= + SEQUENCE { + dot3HCStatsAlignmentErrors Counter64, + dot3HCStatsFCSErrors Counter64, + dot3HCStatsInternalMacTransmitErrors Counter64, + dot3HCStatsFrameTooLongs Counter64, + dot3HCStatsInternalMacReceiveErrors Counter64, + dot3HCStatsSymbolErrors Counter64 + } + + dot3HCStatsAlignmentErrors OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "A count of frames received on a particular + interface that are not an integral number of + octets in length and do not pass the FCS check. + + The count represented by an instance of this + object is incremented when the alignmentError + status is returned by the MAC service to the + LLC (or other MAC user). Received frames for + which multiple error conditions pertain are, + according to the conventions of IEEE 802.3 + Layer Management, counted exclusively according + to the error status presented to the LLC. + + This counter does not increment for group + encoding schemes greater than 4 bits per group. + + This counter is a 64 bit version of + dot3StatsAlignmentErrors. It should be used + on interfaces operating at 10 Gb/s or faster. + + Discontinuities in the value of this counter can + occur at re-initialization of the management + + system, and at other times as indicated by the + value of ifCounterDiscontinuityTime." + REFERENCE "[IEEE 802.3 Std.], 30.3.1.1.7, + aAlignmentErrors" + ::= { dot3HCStatsEntry 1 } + + dot3HCStatsFCSErrors OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "A count of frames received on a particular + interface that are an integral number of octets + in length but do not pass the FCS check. This + count does not include frames received with + frame-too-long or frame-too-short error. 
+ + The count represented by an instance of this + object is incremented when the frameCheckError + status is returned by the MAC service to the + LLC (or other MAC user). Received frames for + which multiple error conditions pertain are, + according to the conventions of IEEE 802.3 + Layer Management, counted exclusively according + to the error status presented to the LLC. + + Note: Coding errors detected by the physical + layer for speeds above 10 Mb/s will cause the + frame to fail the FCS check. + + This counter is a 64 bit version of + dot3StatsFCSErrors. It should be used on + interfaces operating at 10 Gb/s or faster. + + Discontinuities in the value of this counter can + occur at re-initialization of the management + system, and at other times as indicated by the + value of ifCounterDiscontinuityTime." + REFERENCE "[IEEE 802.3 Std.], 30.3.1.1.6, + aFrameCheckSequenceErrors." + ::= { dot3HCStatsEntry 2 } + + dot3HCStatsInternalMacTransmitErrors OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "A count of frames for which transmission on a + particular interface fails due to an internal + MAC sublayer transmit error. A frame is only + + counted by an instance of this object if it is + not counted by the corresponding instance of + either the dot3StatsLateCollisions object, the + dot3StatsExcessiveCollisions object, or the + dot3StatsCarrierSenseErrors object. + + The precise meaning of the count represented by + an instance of this object is implementation- + specific. In particular, an instance of this + object may represent a count of transmission + errors on a particular interface that are not + otherwise counted. + + This counter is a 64 bit version of + dot3StatsInternalMacTransmitErrors. It should + be used on interfaces operating at 10 Gb/s or + faster. 
+ + Discontinuities in the value of this counter can + occur at re-initialization of the management + system, and at other times as indicated by the + value of ifCounterDiscontinuityTime." + REFERENCE "[IEEE 802.3 Std.], 30.3.1.1.12, + aFramesLostDueToIntMACXmitError." + ::= { dot3HCStatsEntry 3 } + + dot3HCStatsFrameTooLongs OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "A count of frames received on a particular + interface that exceed the maximum permitted + frame size. + + The count represented by an instance of this + object is incremented when the frameTooLong + status is returned by the MAC service to the + LLC (or other MAC user). Received frames for + which multiple error conditions pertain are, + according to the conventions of IEEE 802.3 + Layer Management, counted exclusively according + to the error status presented to the LLC. + + This counter is a 64 bit version of + dot3StatsFrameTooLongs. It should be used on + interfaces operating at 10 Gb/s or faster. + + Discontinuities in the value of this counter can + + occur at re-initialization of the management + system, and at other times as indicated by the + value of ifCounterDiscontinuityTime." + REFERENCE "[IEEE 802.3 Std.], 30.3.1.1.25, + aFrameTooLongErrors." + ::= { dot3HCStatsEntry 4 } + + dot3HCStatsInternalMacReceiveErrors OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "A count of frames for which reception on a + particular interface fails due to an internal + MAC sublayer receive error. A frame is only + counted by an instance of this object if it is + not counted by the corresponding instance of + either the dot3StatsFrameTooLongs object, the + dot3StatsAlignmentErrors object, or the + dot3StatsFCSErrors object. + + The precise meaning of the count represented by + an instance of this object is implementation- + specific. 
In particular, an instance of this + object may represent a count of receive errors + on a particular interface that are not + otherwise counted. + + This counter is a 64 bit version of + dot3StatsInternalMacReceiveErrors. It should be + used on interfaces operating at 10 Gb/s or + faster. + + Discontinuities in the value of this counter can + occur at re-initialization of the management + system, and at other times as indicated by the + value of ifCounterDiscontinuityTime." + REFERENCE "[IEEE 802.3 Std.], 30.3.1.1.15, + aFramesLostDueToIntMACRcvError." + ::= { dot3HCStatsEntry 5 } + + dot3HCStatsSymbolErrors OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "For an interface operating at 100 Mb/s, the + number of times there was an invalid data symbol + when a valid carrier was present. + + For an interface operating in half-duplex mode + at 1000 Mb/s, the number of times the receiving + media is non-idle (a carrier event) for a period + of time equal to or greater than slotTime, and + during which there was at least one occurrence + of an event that causes the PHY to indicate + 'Data reception error' or 'carrier extend error' + on the GMII. + + For an interface operating in full-duplex mode + at 1000 Mb/s, the number of times the receiving + media is non-idle (a carrier event) for a period + of time equal to or greater than minFrameSize, + and during which there was at least one + occurrence of an event that causes the PHY to + indicate 'Data reception error' on the GMII. + + For an interface operating at 10 Gb/s, the + number of times the receiving media is non-idle + (a carrier event) for a period of time equal to + or greater than minFrameSize, and during which + there was at least one occurrence of an event + that causes the PHY to indicate 'Receive Error' + on the XGMII. 
+ + The count represented by an instance of this + object is incremented at most once per carrier + event, even if multiple symbol errors occur + during the carrier event. This count does + not increment if a collision is present. + + This counter is a 64 bit version of + dot3StatsSymbolErrors. It should be used on + interfaces operating at 10 Gb/s or faster. + + Discontinuities in the value of this counter can + occur at re-initialization of the management + system, and at other times as indicated by the + value of ifCounterDiscontinuityTime." + REFERENCE "[IEEE 802.3 Std.], 30.3.2.1.5, + aSymbolErrorDuringCarrier." + ::= { dot3HCStatsEntry 6 } + + -- 802.3 Tests + + dot3Tests OBJECT IDENTIFIER ::= { dot3 6 } + + dot3Errors OBJECT IDENTIFIER ::= { dot3 7 } + + -- TDR Test + + dot3TestTdr OBJECT-IDENTITY + STATUS deprecated + DESCRIPTION "******** THIS IDENTITY IS DEPRECATED ******* + + The Time-Domain Reflectometry (TDR) test is + specific to ethernet-like interfaces of type + 10Base5 and 10Base2. The TDR value may be + useful in determining the approximate distance + to a cable fault. It is advisable to repeat + this test to check for a consistent resulting + TDR value, to verify that there is a fault. + + A TDR test returns as its result the time + interval, measured in 10 MHz ticks or 100 nsec + units, between the start of TDR test + transmission and the subsequent detection of a + collision or deassertion of carrier. On + successful completion of a TDR test, the result + is stored as the value of an appropriate + instance of an appropriate vendor specific MIB + object, and the OBJECT IDENTIFIER of that + instance is stored in the appropriate instance + of the appropriate test result code object + (thereby indicating where the result has been + stored). + + This object identity has been deprecated, since + the ifTestTable in the IF-MIB was deprecated, + and there is no longer a standard mechanism for + initiating an interface test. 
This left no + standard way of using this object identity." + ::= { dot3Tests 1 } + + -- Loopback Test + + dot3TestLoopBack OBJECT-IDENTITY + STATUS deprecated + DESCRIPTION "******** THIS IDENTITY IS DEPRECATED ******* + + This test configures the MAC chip and executes + an internal loopback test of memory, data paths, + and the MAC chip logic. This loopback test can + only be executed if the interface is offline. + Once the test has completed, the MAC chip should + + be reinitialized for network operation, but it + should remain offline. + + If an error occurs during a test, the + appropriate test result object will be set + to indicate a failure. The two OBJECT + IDENTIFIER values dot3ErrorInitError and + dot3ErrorLoopbackError may be used to provided + more information as values for an appropriate + test result code object. + + This object identity has been deprecated, since + the ifTestTable in the IF-MIB was deprecated, + and there is no longer a standard mechanism for + initiating an interface test. This left no + standard way of using this object identity." + ::= { dot3Tests 2 } + + dot3ErrorInitError OBJECT-IDENTITY + STATUS deprecated + DESCRIPTION "******** THIS IDENTITY IS DEPRECATED ******* + + Couldn't initialize MAC chip for test. + + This object identity has been deprecated, since + the ifTestTable in the IF-MIB was deprecated, + and there is no longer a standard mechanism for + initiating an interface test. This left no + standard way of using this object identity." + ::= { dot3Errors 1 } + + dot3ErrorLoopbackError OBJECT-IDENTITY + STATUS deprecated + DESCRIPTION "******** THIS IDENTITY IS DEPRECATED ******* + + Expected data not received (or not received + correctly) in loopback test. + + This object identity has been deprecated, since + the ifTestTable in the IF-MIB was deprecated, + and there is no longer a standard mechanism for + initiating an interface test. This left no + standard way of using this object identity." 
+ ::= { dot3Errors 2 } + + -- { dot3 8 }, the dot3ChipSets tree, is defined in [RFC2666] + + -- conformance information + + etherConformance OBJECT IDENTIFIER ::= { etherMIB 2 } + + etherGroups OBJECT IDENTIFIER ::= { etherConformance 1 } + etherCompliances OBJECT IDENTIFIER ::= { etherConformance 2 } + + -- compliance statements + + etherCompliance MODULE-COMPLIANCE + STATUS deprecated + DESCRIPTION "******** THIS COMPLIANCE IS DEPRECATED ******** + + The compliance statement for managed network + entities which have ethernet-like network + interfaces. + + This compliance is deprecated and replaced by + dot3Compliance." + + MODULE -- this module + MANDATORY-GROUPS { etherStatsGroup } + + GROUP etherCollisionTableGroup + DESCRIPTION "This group is optional. It is appropriate + for all systems which have the necessary + metering. Implementation in such systems is + highly recommended." + ::= { etherCompliances 1 } + + ether100MbsCompliance MODULE-COMPLIANCE + STATUS deprecated + DESCRIPTION "******** THIS COMPLIANCE IS DEPRECATED ******** + + The compliance statement for managed network + entities which have 100 Mb/sec ethernet-like + network interfaces. + + This compliance is deprecated and replaced by + dot3Compliance." + + MODULE -- this module + MANDATORY-GROUPS { etherStats100MbsGroup } + + GROUP etherCollisionTableGroup + DESCRIPTION "This group is optional. It is appropriate + for all systems which have the necessary + metering. Implementation in such systems is + highly recommended." + ::= { etherCompliances 2 } + + dot3Compliance MODULE-COMPLIANCE + STATUS deprecated + DESCRIPTION "******** THIS COMPLIANCE IS DEPRECATED ******** + + The compliance statement for managed network + entities which have ethernet-like network + interfaces. + + This compliance is deprecated and replaced by + dot3Compliance2." 
+ + MODULE -- this module + MANDATORY-GROUPS { etherStatsBaseGroup } + + GROUP etherDuplexGroup + DESCRIPTION "This group is mandatory for all + ethernet-like network interfaces which are + capable of operating in full-duplex mode. + It is highly recommended for all + ethernet-like network interfaces." + + GROUP etherStatsLowSpeedGroup + DESCRIPTION "This group is mandatory for all + ethernet-like network interfaces which are + capable of operating at 10 Mb/s or slower in + half-duplex mode." + + GROUP etherStatsHighSpeedGroup + DESCRIPTION "This group is mandatory for all + ethernet-like network interfaces which are + capable of operating at 100 Mb/s or faster." + + GROUP etherControlGroup + DESCRIPTION "This group is mandatory for all + ethernet-like network interfaces that + support the MAC Control sublayer." + + GROUP etherControlPauseGroup + DESCRIPTION "This group is mandatory for all + ethernet-like network interfaces that + support the MAC Control PAUSE function." + + GROUP etherCollisionTableGroup + DESCRIPTION "This group is optional. It is appropriate + for all ethernet-like network interfaces + which are capable of operating in + half-duplex mode and have the necessary + metering. Implementation in systems with + + such interfaces is highly recommended." + ::= { etherCompliances 3 } + + dot3Compliance2 MODULE-COMPLIANCE + STATUS current + DESCRIPTION "The compliance statement for managed network + entities which have ethernet-like network + interfaces. + + Note that compliance with this MIB module + requires compliance with the ifCompliance3 + MODULE-COMPLIANCE statement of the IF-MIB + (RFC2863). In addition, compliance with this + MIB module requires compliance with the + mauModIfCompl3 MODULE-COMPLIANCE statement of + the MAU-MIB (RFC3636)." 
+ + MODULE -- this module + MANDATORY-GROUPS { etherStatsBaseGroup2 } + + GROUP etherDuplexGroup + DESCRIPTION "This group is mandatory for all + ethernet-like network interfaces which are + capable of operating in full-duplex mode. + It is highly recommended for all + ethernet-like network interfaces." + + GROUP etherRateControlGroup + DESCRIPTION "This group is mandatory for all + ethernet-like network interfaces which are + capable of operating at speeds faster than + 1000 Mb/s. It is highly recommended for all + ethernet-like network interfaces." + + GROUP etherStatsLowSpeedGroup + DESCRIPTION "This group is mandatory for all + ethernet-like network interfaces which are + capable of operating at 10 Mb/s or slower in + half-duplex mode." + + GROUP etherStatsHighSpeedGroup + DESCRIPTION "This group is mandatory for all + ethernet-like network interfaces which are + capable of operating at 100 Mb/s or faster." + + GROUP etherStatsHalfDuplexGroup + DESCRIPTION "This group is mandatory for all + ethernet-like network interfaces which are + + capable of operating in half-duplex mode." + + GROUP etherHCStatsGroup + DESCRIPTION "This group is mandatory for all + ethernet-like network interfaces which are + capable of operating at 10 Gb/s or faster. + It is recommended for all ethernet-like + network interfaces which are capable of + operating at 1000 Mb/s or faster." + + GROUP etherControlGroup + DESCRIPTION "This group is mandatory for all + ethernet-like network interfaces that + support the MAC Control sublayer." + + GROUP etherHCControlGroup + DESCRIPTION "This group is mandatory for all + ethernet-like network interfaces that + support the MAC Control sublayer and are + capable of operating at 10 Gb/s or faster." + + GROUP etherControlPauseGroup + DESCRIPTION "This group is mandatory for all + ethernet-like network interfaces that + support the MAC Control PAUSE function." 
+ + GROUP etherHCControlPauseGroup + DESCRIPTION "This group is mandatory for all + ethernet-like network interfaces that + support the MAC Control PAUSE function and + are capable of operating at 10 Gb/s or + faster." + + GROUP etherCollisionTableGroup + DESCRIPTION "This group is optional. It is appropriate + for all ethernet-like network interfaces + which are capable of operating in + half-duplex mode and have the necessary + metering. Implementation in systems with + such interfaces is highly recommended." + ::= { etherCompliances 4 } + + -- units of conformance + + etherStatsGroup OBJECT-GROUP + OBJECTS { dot3StatsIndex, + dot3StatsAlignmentErrors, + dot3StatsFCSErrors, + dot3StatsSingleCollisionFrames, + dot3StatsMultipleCollisionFrames, + dot3StatsSQETestErrors, + dot3StatsDeferredTransmissions, + dot3StatsLateCollisions, + dot3StatsExcessiveCollisions, + dot3StatsInternalMacTransmitErrors, + dot3StatsCarrierSenseErrors, + dot3StatsFrameTooLongs, + dot3StatsInternalMacReceiveErrors, + dot3StatsEtherChipSet + } + STATUS deprecated + DESCRIPTION "********* THIS GROUP IS DEPRECATED ********** + + A collection of objects providing information + applicable to all ethernet-like network + interfaces. + + This object group has been deprecated and + replaced by etherStatsBaseGroup and + etherStatsLowSpeedGroup." + ::= { etherGroups 1 } + + etherCollisionTableGroup OBJECT-GROUP + OBJECTS { dot3CollFrequencies + } + STATUS current + DESCRIPTION "A collection of objects providing a histogram + of packets successfully transmitted after + experiencing exactly N collisions." 
+ ::= { etherGroups 2 } + + etherStats100MbsGroup OBJECT-GROUP + OBJECTS { dot3StatsIndex, + dot3StatsAlignmentErrors, + dot3StatsFCSErrors, + dot3StatsSingleCollisionFrames, + dot3StatsMultipleCollisionFrames, + dot3StatsDeferredTransmissions, + dot3StatsLateCollisions, + dot3StatsExcessiveCollisions, + dot3StatsInternalMacTransmitErrors, + dot3StatsCarrierSenseErrors, + dot3StatsFrameTooLongs, + dot3StatsInternalMacReceiveErrors, + dot3StatsEtherChipSet, + dot3StatsSymbolErrors + + } + STATUS deprecated + DESCRIPTION "********* THIS GROUP IS DEPRECATED ********** + + A collection of objects providing information + applicable to 100 Mb/sec ethernet-like network + interfaces. + + This object group has been deprecated and + replaced by etherStatsBaseGroup and + etherStatsHighSpeedGroup." + ::= { etherGroups 3 } + + etherStatsBaseGroup OBJECT-GROUP + OBJECTS { dot3StatsIndex, + dot3StatsAlignmentErrors, + dot3StatsFCSErrors, + dot3StatsSingleCollisionFrames, + dot3StatsMultipleCollisionFrames, + dot3StatsDeferredTransmissions, + dot3StatsLateCollisions, + dot3StatsExcessiveCollisions, + dot3StatsInternalMacTransmitErrors, + dot3StatsCarrierSenseErrors, + dot3StatsFrameTooLongs, + dot3StatsInternalMacReceiveErrors + } + STATUS deprecated + DESCRIPTION "********* THIS GROUP IS DEPRECATED ********** + + A collection of objects providing information + applicable to all ethernet-like network + interfaces. + + This object group has been deprecated and + replaced by etherStatsBaseGroup2 and + etherStatsHalfDuplexGroup, to separate + objects which must be implemented by all + ethernet-like network interfaces from + objects that need only be implemented on + ethernet-like network interfaces that are + capable of half-duplex operation." 
+ ::= { etherGroups 4 } + + etherStatsLowSpeedGroup OBJECT-GROUP + OBJECTS { dot3StatsSQETestErrors } + STATUS current + DESCRIPTION "A collection of objects providing information + + applicable to ethernet-like network interfaces + capable of operating at 10 Mb/s or slower in + half-duplex mode." + ::= { etherGroups 5 } + + etherStatsHighSpeedGroup OBJECT-GROUP + OBJECTS { dot3StatsSymbolErrors } + STATUS current + DESCRIPTION "A collection of objects providing information + applicable to ethernet-like network interfaces + capable of operating at 100 Mb/s or faster." + ::= { etherGroups 6 } + + etherDuplexGroup OBJECT-GROUP + OBJECTS { dot3StatsDuplexStatus } + STATUS current + DESCRIPTION "A collection of objects providing information + about the duplex mode of an ethernet-like + network interface." + ::= { etherGroups 7 } + + etherControlGroup OBJECT-GROUP + OBJECTS { dot3ControlFunctionsSupported, + dot3ControlInUnknownOpcodes + } + STATUS current + DESCRIPTION "A collection of objects providing information + about the MAC Control sublayer on ethernet-like + network interfaces." + ::= { etherGroups 8 } + + etherControlPauseGroup OBJECT-GROUP + OBJECTS { dot3PauseAdminMode, + dot3PauseOperMode, + dot3InPauseFrames, + dot3OutPauseFrames + } + STATUS current + DESCRIPTION "A collection of objects providing information + about and control of the MAC Control PAUSE + function on ethernet-like network interfaces." + ::= { etherGroups 9 } + + etherStatsBaseGroup2 OBJECT-GROUP + OBJECTS { dot3StatsIndex, + dot3StatsAlignmentErrors, + dot3StatsFCSErrors, + dot3StatsInternalMacTransmitErrors, + dot3StatsFrameTooLongs, + dot3StatsInternalMacReceiveErrors + } + STATUS current + DESCRIPTION "A collection of objects providing information + applicable to all ethernet-like network + interfaces." 
+ ::= { etherGroups 10 }
+
+ etherStatsHalfDuplexGroup OBJECT-GROUP
+ OBJECTS { dot3StatsSingleCollisionFrames,
+ dot3StatsMultipleCollisionFrames,
+ dot3StatsDeferredTransmissions,
+ dot3StatsLateCollisions,
+ dot3StatsExcessiveCollisions,
+ dot3StatsCarrierSenseErrors
+ }
+ STATUS current
+ DESCRIPTION "A collection of objects providing information
+ applicable only to half-duplex ethernet-like
+ network interfaces."
+ ::= { etherGroups 11 }
+
+ etherHCStatsGroup OBJECT-GROUP
+ OBJECTS { dot3HCStatsAlignmentErrors,
+ dot3HCStatsFCSErrors,
+ dot3HCStatsInternalMacTransmitErrors,
+ dot3HCStatsFrameTooLongs,
+ dot3HCStatsInternalMacReceiveErrors,
+ dot3HCStatsSymbolErrors
+ }
+ STATUS current
+ DESCRIPTION "A collection of objects providing high-capacity
+ statistics applicable to higher-speed
+ ethernet-like network interfaces."
+ ::= { etherGroups 12 }
+
+ etherHCControlGroup OBJECT-GROUP
+ OBJECTS { dot3HCControlInUnknownOpcodes }
+ STATUS current
+ DESCRIPTION "A collection of objects providing high-capacity
+ statistics for the MAC Control sublayer on
+ higher-speed ethernet-like network interfaces."
+ ::= { etherGroups 13 }
+
+ etherHCControlPauseGroup OBJECT-GROUP
+ OBJECTS { dot3HCInPauseFrames,
+ dot3HCOutPauseFrames
+
+ }
+ STATUS current
+ DESCRIPTION "A collection of objects providing high-capacity
+ statistics for the MAC Control PAUSE function on
+ higher-speed ethernet-like network interfaces."
+ ::= { etherGroups 14 }
+
+ etherRateControlGroup OBJECT-GROUP
+ OBJECTS { dot3StatsRateControlAbility,
+ dot3StatsRateControlStatus
+ }
+ STATUS current
+ DESCRIPTION "A collection of objects providing information
+ about the Rate Control function on ethernet-like
+ interfaces."
+ ::= { etherGroups 15 }
+
+END
diff --git a/mibs/HCNUM-TC.txt b/mibs/HCNUM-TC.txt
new file mode 100644
index 000000000..4be3d547e
--- /dev/null
+++ b/mibs/HCNUM-TC.txt
@@ -0,0 +1,118 @@
+HCNUM-TC DEFINITIONS ::= BEGIN
+
+IMPORTS
+ MODULE-IDENTITY, mib-2, Counter64
+ FROM SNMPv2-SMI
+ TEXTUAL-CONVENTION
+ FROM SNMPv2-TC;
+
+hcnumTC MODULE-IDENTITY
+ LAST-UPDATED "200006080000Z"
+
+ ORGANIZATION "IETF OPS Area"
+ CONTACT-INFO
+ " E-mail: mibs@ops.ietf.org
+ Subscribe: majordomo@psg.com
+ with msg body: subscribe mibs
+
+ Andy Bierman
+ Cisco Systems Inc.
+ 170 West Tasman Drive
+ San Jose, CA 95134 USA
+ +1 408-527-3711
+ abierman@cisco.com
+
+ Keith McCloghrie
+ Cisco Systems Inc.
+ 170 West Tasman Drive
+ San Jose, CA 95134 USA
+ +1 408-526-5260
+ kzm@cisco.com
+
+ Randy Presuhn
+ BMC Software, Inc.
+ Office 1-3141
+ 2141 North First Street
+ San Jose, California 95131 USA
+ +1 408 546-1006
+ rpresuhn@bmc.com"
+ DESCRIPTION
+ "A MIB module containing textual conventions
+ for high capacity data types. This module
+ addresses an immediate need for data types not directly
+ supported in the SMIv2. This short-term solution
+ is meant to be deprecated as a long-term solution
+ is deployed."
+ REVISION "200006080000Z"
+ DESCRIPTION
+ "Initial Version of the High Capacity Numbers
+ MIB module, published as RFC 2856."
+ ::= { mib-2 78 }
+
+CounterBasedGauge64 ::= TEXTUAL-CONVENTION
+ STATUS current
+ DESCRIPTION
+ "The CounterBasedGauge64 type represents a non-negative
+ integer, which may increase or decrease, but shall never
+ exceed a maximum value, nor fall below a minimum value. The
+ maximum value can not be greater than 2^64-1
+ (18446744073709551615 decimal), and the minimum value can
+
+ not be smaller than 0. The value of a CounterBasedGauge64
+ has its maximum value whenever the information being modeled
+ is greater than or equal to its maximum value, and has its
+ minimum value whenever the information being modeled is
+ smaller than or equal to its minimum value. If the
+ information being modeled subsequently decreases below
+ (increases above) the maximum (minimum) value, the
+ CounterBasedGauge64 also decreases (increases).
+
+ Note that this TC is not strictly supported in SMIv2,
+ because the 'always increasing' and 'counter wrap' semantics
+ associated with the Counter64 base type are not preserved.
+ It is possible that management applications which rely
+ solely upon the (Counter64) ASN.1 tag to determine object
+ semantics will mistakenly operate upon objects of this type
+ as they would for Counter64 objects.
+
+ This textual convention represents a limited and short-term
+ solution, and may be deprecated as a long term solution is
+ defined and deployed to replace it."
+ SYNTAX Counter64
+
+ZeroBasedCounter64 ::= TEXTUAL-CONVENTION
+ STATUS current
+ DESCRIPTION
+ "This TC describes an object which counts events with the
+ following semantics: objects of this type will be set to
+ zero(0) on creation and will thereafter count appropriate
+ events, wrapping back to zero(0) when the value 2^64 is
+ reached.
+
+ Provided that an application discovers the new object within
+ the minimum time to wrap it can use the initial value as a
+ delta since it last polled the table of which this object is
+ part. It is important for a management station to be aware
+ of this minimum time and the actual time between polls, and
+ to discard data if the actual time is too long or there is
+ no defined minimum time.
+
+ Typically this TC is used in tables where the INDEX space is
+ constantly changing and/or the TimeFilter mechanism is in
+ use.
+
+ Note that this textual convention does not retain all the
+ semantics of the Counter64 base type. Specifically, a
+ Counter64 has an arbitrary initial value, but objects
+ defined with this TC are required to start at the value
+
+ zero. This behavior is not likely to have any adverse
+ effects on management applications which are expecting
+ Counter64 semantics.
+
+ This textual convention represents a limited and short-term
+ solution, and may be deprecated as a long term solution is
+ defined and deployed to replace it."
+ SYNTAX Counter64
+
+END
diff --git a/mibs/HOST-RESOURCES-MIB.txt b/mibs/HOST-RESOURCES-MIB.txt
new file mode 100644
index 000000000..373b9b328
--- /dev/null
+++ b/mibs/HOST-RESOURCES-MIB.txt
@@ -0,0 +1,1540 @@
+HOST-RESOURCES-MIB DEFINITIONS ::= BEGIN
+
+IMPORTS
+MODULE-IDENTITY, OBJECT-TYPE, mib-2,
+Integer32, Counter32, Gauge32, TimeTicks FROM SNMPv2-SMI
+
+TEXTUAL-CONVENTION, DisplayString,
+TruthValue, DateAndTime, AutonomousType FROM SNMPv2-TC
+
+MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF
+
+InterfaceIndexOrZero FROM IF-MIB;
+
+hostResourcesMibModule MODULE-IDENTITY
+ LAST-UPDATED "200003060000Z" -- 6 March 2000
+ ORGANIZATION "IETF Host Resources MIB Working Group"
+ CONTACT-INFO
+ "Steve Waldbusser
+ Postal: Lucent Technologies, Inc.
+ 1213 Innsbruck Dr.
+ Sunnyvale, CA 94089
+ USA
+ Phone: 650-318-1251
+ Fax: 650-318-1633
+ Email: waldbusser@lucent.com
+
+ In addition, the Host Resources MIB mailing list is
+ dedicated to discussion of this MIB. To join the
+ mailing list, send a request message to
+ hostmib-request@andrew.cmu.edu. The mailing list
+ address is hostmib@andrew.cmu.edu."
+ DESCRIPTION
+ "This MIB is for use in managing host systems. The term
+ `host' is construed to mean any computer that communicates
+ with other similar computers attached to the internet and
+ that is directly used by one or more human beings. Although
+ this MIB does not necessarily apply to devices whose primary
+ function is communications services (e.g., terminal servers,
+ routers, bridges, monitoring equipment), such relevance is
+ not explicitly precluded. This MIB instruments attributes
+ common to all internet hosts including, for example, both
+ personal computers and systems that run variants of Unix."
+
+ REVISION "200003060000Z" -- 6 March 2000
+ DESCRIPTION
+ "Clarifications and bug fixes based on implementation
+ experience. This revision was also reformatted in the SMIv2
+ format. The revisions made were:
+
+ New RFC document standards:
+ Added Copyright notice, updated introduction to SNMP
+ Framework, updated references section, added reference to
+ RFC 2119, and added a meaningful Security Considerations
+ section.
+ + New IANA considerations section for registration of new types + + Conversion to new SMIv2 syntax for the following types and + macros: + Counter32, Integer32, Gauge32, MODULE-IDENTITY, + OBJECT-TYPE, TEXTUAL-CONVENTION, OBJECT-IDENTITY, + MODULE-COMPLIANCE, OBJECT-GROUP + + Used new Textual Conventions: + TruthValue, DateAndTime, AutonomousType, + InterfaceIndexOrZero + + Fixed typo in hrPrinterStatus. + + Added missing error bits to hrPrinterDetectedErrorState and + clarified confusion resulting from suggested mappings to + hrPrinterStatus. + + Clarified that size of objects of type + InternationalDisplayString is number of octets, not number + of encoded symbols. + + Clarified the use of the following objects based on + implementation experience: + hrSystemInitialLoadDevice, hrSystemInitialLoadParameters, + hrMemorySize, hrStorageSize, hrStorageAllocationFailures, + hrDeviceErrors, hrProcessorLoad, hrNetworkIfIndex, + hrDiskStorageCapacity, hrSWRunStatus, hrSWRunPerfCPU, + and hrSWInstalledDate. + + Clarified implementation technique for hrSWInstalledTable. + + Used new AUGMENTS clause for hrSWRunPerfTable. + + Added Internationalization Considerations section. + +This revision published as RFC2790." + + REVISION "9910202200Z" -- 20 October, 1999 + DESCRIPTION + "The original version of this MIB, published as + RFC1514." + ::= { hrMIBAdminInfo 1 } + +host OBJECT IDENTIFIER ::= { mib-2 25 } + +hrSystem OBJECT IDENTIFIER ::= { host 1 } +hrStorage OBJECT IDENTIFIER ::= { host 2 } +hrDevice OBJECT IDENTIFIER ::= { host 3 } +hrSWRun OBJECT IDENTIFIER ::= { host 4 } +hrSWRunPerf OBJECT IDENTIFIER ::= { host 5 } +hrSWInstalled OBJECT IDENTIFIER ::= { host 6 } +hrMIBAdminInfo OBJECT IDENTIFIER ::= { host 7 } + +-- textual conventions + +KBytes ::= TEXTUAL-CONVENTION + STATUS current + DESCRIPTION + "Storage size, expressed in units of 1024 bytes." 
+ SYNTAX Integer32 (0..2147483647) + +ProductID ::= TEXTUAL-CONVENTION + STATUS current + DESCRIPTION + "This textual convention is intended to identify the + + manufacturer, model, and version of a specific + hardware or software product. It is suggested that + these OBJECT IDENTIFIERs are allocated such that all + products from a particular manufacturer are registered + under a subtree distinct to that manufacturer. In + addition, all versions of a product should be + registered under a subtree distinct to that product. + With this strategy, a management station may uniquely + determine the manufacturer and/or model of a product + whose productID is unknown to the management station. + Objects of this type may be useful for inventory + purposes or for automatically detecting + incompatibilities or version mismatches between + various hardware and software components on a system. + + For example, the product ID for the ACME 4860 66MHz + clock doubled processor might be: + enterprises.acme.acmeProcessors.a4860DX2.MHz66 + + A software product might be registered as: + enterprises.acme.acmeOperatingSystems.acmeDOS.six(6).one(1) + " + SYNTAX OBJECT IDENTIFIER + +-- unknownProduct will be used for any unknown ProductID +-- unknownProduct OBJECT IDENTIFIER ::= { 0 0 } + +InternationalDisplayString ::= TEXTUAL-CONVENTION + STATUS current + DESCRIPTION + "This data type is used to model textual information + in some character set. A network management station + should use a local algorithm to determine which + character set is in use and how it should be + displayed. Note that this character set may be + encoded with more than one octet per symbol, but will + most often be NVT ASCII. When a size clause is + specified for an object of this type, the size refers + to the length in octets, not the number of symbols." 
+ SYNTAX OCTET STRING + +-- The Host Resources System Group + +hrSystemUptime OBJECT-TYPE + SYNTAX TimeTicks + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The amount of time since this host was last + initialized. Note that this is different from + sysUpTime in the SNMPv2-MIB [RFC1907] because + sysUpTime is the uptime of the network management + portion of the system." + ::= { hrSystem 1 } + +hrSystemDate OBJECT-TYPE + SYNTAX DateAndTime + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The host's notion of the local date and time of day." + ::= { hrSystem 2 } + +hrSystemInitialLoadDevice OBJECT-TYPE + SYNTAX Integer32 (1..2147483647) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The index of the hrDeviceEntry for the device from + which this host is configured to load its initial + operating system configuration (i.e., which operating + system code and/or boot parameters). + + Note that writing to this object just changes the + configuration that will be used the next time the + operating system is loaded and does not actually cause + the reload to occur." + ::= { hrSystem 3 } + +hrSystemInitialLoadParameters OBJECT-TYPE + SYNTAX InternationalDisplayString (SIZE (0..128)) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "This object contains the parameters (e.g. a pathname + and parameter) supplied to the load device when + requesting the initial operating system configuration + from that device. + + Note that writing to this object just changes the + configuration that will be used the next time the + operating system is loaded and does not actually cause + the reload to occur." + ::= { hrSystem 4 } + +hrSystemNumUsers OBJECT-TYPE + SYNTAX Gauge32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of user sessions for which this host is + storing state information. A session is a collection + of processes requiring a single act of user + authentication and possibly subject to collective job + control." 
+ ::= { hrSystem 5 }
+
+hrSystemProcesses OBJECT-TYPE
+ SYNTAX Gauge32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of process contexts currently loaded or
+ running on this system."
+ ::= { hrSystem 6 }
+
+hrSystemMaxProcesses OBJECT-TYPE
+ SYNTAX Integer32 (0..2147483647)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The maximum number of process contexts this system
+ can support. If there is no fixed maximum, the value
+ should be zero. On systems that have a fixed maximum,
+ this object can help diagnose failures that occur when
+ this maximum is reached."
+ ::= { hrSystem 7 }
+
+-- The Host Resources Storage Group
+
+-- Registration point for storage types, for use with hrStorageType.
+-- These are defined in the HOST-RESOURCES-TYPES module.
+hrStorageTypes OBJECT IDENTIFIER ::= { hrStorage 1 }
+
+hrMemorySize OBJECT-TYPE
+ SYNTAX KBytes
+ UNITS "KBytes"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The amount of physical read-write main memory,
+ typically RAM, contained by the host."
+ ::= { hrStorage 2 }
+
+hrStorageTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF HrStorageEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The (conceptual) table of logical storage areas on
+ the host.
+
+ An entry shall be placed in the storage table for each
+ logical area of storage that is allocated and has
+ fixed resource limits. The amount of storage
+ represented in an entity is the amount actually usable
+ by the requesting entity, and excludes loss due to
+ formatting or file system reference information.
+
+ These entries are associated with logical storage
+ areas, as might be seen by an application, rather than
+ physical storage entities which are typically seen by
+ an operating system. Storage such as tapes and
+ floppies without file systems on them are typically
+ not allocated in chunks by the operating system to
+ requesting applications, and therefore shouldn't
+ appear in this table. Examples of valid storage for
+ this table include disk partitions, file systems, ram
+ (for some architectures this is further segmented into
+ regular memory, extended memory, and so on), backing
+ store for virtual memory (`swap space').
+
+ This table is intended to be a useful diagnostic for
+ `out of memory' and `out of buffers' types of
+ failures. In addition, it can be a useful performance
+ monitoring tool for tracking memory, disk, or buffer
+ usage."
+ ::= { hrStorage 3 }
+
+hrStorageEntry OBJECT-TYPE
+ SYNTAX HrStorageEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A (conceptual) entry for one logical storage area on
+ the host. As an example, an instance of the
+ hrStorageType object might be named hrStorageType.3"
+ INDEX { hrStorageIndex }
+ ::= { hrStorageTable 1 }
+
+HrStorageEntry ::= SEQUENCE {
+ hrStorageIndex Integer32,
+ hrStorageType AutonomousType,
+ hrStorageDescr DisplayString,
+ hrStorageAllocationUnits Integer32,
+ hrStorageSize Integer32,
+ hrStorageUsed Integer32,
+ hrStorageAllocationFailures Counter32
+ }
+
+hrStorageIndex OBJECT-TYPE
+ SYNTAX Integer32 (1..2147483647)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "A unique value for each logical storage area
+ contained by the host."
+ ::= { hrStorageEntry 1 }
+
+hrStorageType OBJECT-TYPE
+ SYNTAX AutonomousType
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The type of storage represented by this entry."
+ ::= { hrStorageEntry 2 }
+
+hrStorageDescr OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "A description of the type and instance of the storage
+ described by this entry."
+ ::= { hrStorageEntry 3 }
+
+hrStorageAllocationUnits OBJECT-TYPE
+ SYNTAX Integer32 (1..2147483647)
+ UNITS "Bytes"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The size, in bytes, of the data objects allocated
+ from this pool. If this entry is monitoring sectors,
+ blocks, buffers, or packets, for example, this number
+ will commonly be greater than one. Otherwise this
+ number will typically be one."
+ ::= { hrStorageEntry 4 }
+
+hrStorageSize OBJECT-TYPE
+ SYNTAX Integer32 (0..2147483647)
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "The size of the storage represented by this entry, in
+ units of hrStorageAllocationUnits. This object is
+ writable to allow remote configuration of the size of
+ the storage area in those cases where such an
+ operation makes sense and is possible on the
+ underlying system. For example, the amount of main
+ memory allocated to a buffer pool might be modified or
+ the amount of disk space allocated to virtual memory
+ might be modified."
+ ::= { hrStorageEntry 5 }
+
+hrStorageUsed OBJECT-TYPE
+ SYNTAX Integer32 (0..2147483647)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The amount of the storage represented by this entry
+ that is allocated, in units of
+ hrStorageAllocationUnits."
+ ::= { hrStorageEntry 6 }
+
+hrStorageAllocationFailures OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of requests for storage represented by
+ this entry that could not be honored due to not enough
+ storage. It should be noted that as this object has a
+ SYNTAX of Counter32, that it does not have a defined
+ initial value. However, it is recommended that this
+ object be initialized to zero, even though management
+ stations must not depend on such an initialization."
+ ::= { hrStorageEntry 7 }
+
+-- The Host Resources Device Group
+--
+-- The device group is useful for identifying and diagnosing the
+-- devices on a system. The hrDeviceTable contains common
+-- information for any type of device. In addition, some devices
+-- have device-specific tables for more detailed information. More
+-- such tables may be defined in the future for other device types.
+
+-- Registration point for device types, for use with hrDeviceType.
+
+-- These are defined in the HOST-RESOURCES-TYPES module.
+hrDeviceTypes OBJECT IDENTIFIER ::= { hrDevice 1 }
+
+hrDeviceTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF HrDeviceEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The (conceptual) table of devices contained by the
+ host."
+ ::= { hrDevice 2 }
+
+hrDeviceEntry OBJECT-TYPE
+ SYNTAX HrDeviceEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A (conceptual) entry for one device contained by the
+ host. As an example, an instance of the hrDeviceType
+ object might be named hrDeviceType.3"
+ INDEX { hrDeviceIndex }
+ ::= { hrDeviceTable 1 }
+
+HrDeviceEntry ::= SEQUENCE {
+ hrDeviceIndex Integer32,
+ hrDeviceType AutonomousType,
+ hrDeviceDescr DisplayString,
+ hrDeviceID ProductID,
+ hrDeviceStatus INTEGER,
+ hrDeviceErrors Counter32
+ }
+
+hrDeviceIndex OBJECT-TYPE
+ SYNTAX Integer32 (1..2147483647)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "A unique value for each device contained by the host.
+ The value for each device must remain constant at
+ least from one re-initialization of the agent to the
+ next re-initialization."
+ ::= { hrDeviceEntry 1 }
+
+hrDeviceType OBJECT-TYPE
+ SYNTAX AutonomousType
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "An indication of the type of device.
+
+ If this value is
+ `hrDeviceProcessor { hrDeviceTypes 3 }' then an entry
+ exists in the hrProcessorTable which corresponds to
+ this device.
+
+ If this value is
+ `hrDeviceNetwork { hrDeviceTypes 4 }', then an entry
+ exists in the hrNetworkTable which corresponds to this
+ device.
+
+ If this value is
+ `hrDevicePrinter { hrDeviceTypes 5 }', then an entry
+ exists in the hrPrinterTable which corresponds to this
+ device.
+
+ If this value is
+ `hrDeviceDiskStorage { hrDeviceTypes 6 }', then an
+ entry exists in the hrDiskStorageTable which
+ corresponds to this device."
+ ::= { hrDeviceEntry 2 }
+
+hrDeviceDescr OBJECT-TYPE
+ SYNTAX DisplayString (SIZE (0..64))
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "A textual description of this device, including the
+ device's manufacturer and revision, and optionally,
+ its serial number."
+ ::= { hrDeviceEntry 3 }
+
+hrDeviceID OBJECT-TYPE
+ SYNTAX ProductID
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The product ID for this device."
+ ::= { hrDeviceEntry 4 }
+
+hrDeviceStatus OBJECT-TYPE
+ SYNTAX INTEGER {
+ unknown(1),
+ running(2),
+ warning(3),
+ testing(4),
+ down(5)
+
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The current operational state of the device described
+ by this row of the table. A value unknown(1)
+ indicates that the current state of the device is
+ unknown. running(2) indicates that the device is up
+ and running and that no unusual error conditions are
+ known. The warning(3) state indicates that agent has
+ been informed of an unusual error condition by the
+ operational software (e.g., a disk device driver) but
+ that the device is still 'operational'. An example
+ would be a high number of soft errors on a disk. A
+ value of testing(4), indicates that the device is not
+ available for use because it is in the testing state.
+ The state of down(5) is used only when the agent has
+ been informed that the device is not available for any
+ use."
+ ::= { hrDeviceEntry 5 }
+
+hrDeviceErrors OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of errors detected on this device. It
+ should be noted that as this object has a SYNTAX of
+ Counter32, that it does not have a defined initial
+ value. However, it is recommended that this object be
+ initialized to zero, even though management stations
+ must not depend on such an initialization."
+ ::= { hrDeviceEntry 6 }
+
+hrProcessorTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF HrProcessorEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The (conceptual) table of processors contained by the
+ host.
+
+ Note that this table is potentially sparse: a
+ (conceptual) entry exists only if the correspondent
+ value of the hrDeviceType object is
+ `hrDeviceProcessor'."
+ ::= { hrDevice 3 }
+
+hrProcessorEntry OBJECT-TYPE
+ SYNTAX HrProcessorEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A (conceptual) entry for one processor contained by
+ the host. The hrDeviceIndex in the index represents
+ the entry in the hrDeviceTable that corresponds to the
+ hrProcessorEntry.
+
+ As an example of how objects in this table are named,
+ an instance of the hrProcessorFrwID object might be
+ named hrProcessorFrwID.3"
+ INDEX { hrDeviceIndex }
+ ::= { hrProcessorTable 1 }
+
+HrProcessorEntry ::= SEQUENCE {
+ hrProcessorFrwID ProductID,
+ hrProcessorLoad Integer32
+ }
+
+hrProcessorFrwID OBJECT-TYPE
+ SYNTAX ProductID
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The product ID of the firmware associated with the
+ processor."
+ ::= { hrProcessorEntry 1 }
+
+hrProcessorLoad OBJECT-TYPE
+ SYNTAX Integer32 (0..100)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The average, over the last minute, of the percentage
+ of time that this processor was not idle.
+ Implementations may approximate this one minute
+ smoothing period if necessary."
+ ::= { hrProcessorEntry 2 }
+
+hrNetworkTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF HrNetworkEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The (conceptual) table of network devices contained
+ by the host.
+
+ Note that this table is potentially sparse: a
+ (conceptual) entry exists only if the correspondent
+ value of the hrDeviceType object is
+ `hrDeviceNetwork'."
+ ::= { hrDevice 4 }
+
+hrNetworkEntry OBJECT-TYPE
+ SYNTAX HrNetworkEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A (conceptual) entry for one network device contained
+ by the host. The hrDeviceIndex in the index
+ represents the entry in the hrDeviceTable that
+ corresponds to the hrNetworkEntry.
+
+ As an example of how objects in this table are named,
+ an instance of the hrNetworkIfIndex object might be
+ named hrNetworkIfIndex.3"
+ INDEX { hrDeviceIndex }
+ ::= { hrNetworkTable 1 }
+
+HrNetworkEntry ::= SEQUENCE {
+ hrNetworkIfIndex InterfaceIndexOrZero
+ }
+
+hrNetworkIfIndex OBJECT-TYPE
+ SYNTAX InterfaceIndexOrZero
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of ifIndex which corresponds to this
+ network device. If this device is not represented in
+ the ifTable, then this value shall be zero."
+ ::= { hrNetworkEntry 1 }
+
+hrPrinterTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF HrPrinterEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The (conceptual) table of printers local to the host.
+
+ Note that this table is potentially sparse: a
+ (conceptual) entry exists only if the correspondent
+ value of the hrDeviceType object is
+ `hrDevicePrinter'."
+ ::= { hrDevice 5 }
+
+hrPrinterEntry OBJECT-TYPE
+ SYNTAX HrPrinterEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A (conceptual) entry for one printer local to the
+ host. The hrDeviceIndex in the index represents the
+ entry in the hrDeviceTable that corresponds to the
+ hrPrinterEntry.
+
+ As an example of how objects in this table are named,
+ an instance of the hrPrinterStatus object might be
+ named hrPrinterStatus.3"
+ INDEX { hrDeviceIndex }
+ ::= { hrPrinterTable 1 }
+
+HrPrinterEntry ::= SEQUENCE {
+ hrPrinterStatus INTEGER,
+ hrPrinterDetectedErrorState OCTET STRING
+ }
+
+hrPrinterStatus OBJECT-TYPE
+ SYNTAX INTEGER {
+ other(1),
+ unknown(2),
+ idle(3),
+ printing(4),
+ warmup(5)
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The current status of this printer device."
+ ::= { hrPrinterEntry 1 }
+
+hrPrinterDetectedErrorState OBJECT-TYPE
+ SYNTAX OCTET STRING
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "This object represents any error conditions detected
+ by the printer. The error conditions are encoded as
+ bits in an octet string, with the following
+ definitions:
+
+ Condition Bit #
+
+ lowPaper 0
+
+ noPaper 1
+ lowToner 2
+ noToner 3
+ doorOpen 4
+ jammed 5
+ offline 6
+ serviceRequested 7
+ inputTrayMissing 8
+ outputTrayMissing 9
+ markerSupplyMissing 10
+ outputNearFull 11
+ outputFull 12
+ inputTrayEmpty 13
+ overduePreventMaint 14
+
+ Bits are numbered starting with the most significant
+ bit of the first byte being bit 0, the least
+ significant bit of the first byte being bit 7, the
+ most significant bit of the second byte being bit 8,
+ and so on. A one bit encodes that the condition was
+ detected, while a zero bit encodes that the condition
+ was not detected.
+
+ This object is useful for alerting an operator to
+ specific warning or error conditions that may occur,
+ especially those requiring human intervention."
+ ::= { hrPrinterEntry 2 }
+
+hrDiskStorageTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF HrDiskStorageEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The (conceptual) table of long-term storage devices
+ contained by the host. In particular, disk devices
+ accessed remotely over a network are not included
+ here.
+
+ Note that this table is potentially sparse: a
+ (conceptual) entry exists only if the correspondent
+ value of the hrDeviceType object is
+ `hrDeviceDiskStorage'."
+ ::= { hrDevice 6 }
+
+hrDiskStorageEntry OBJECT-TYPE
+ SYNTAX HrDiskStorageEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A (conceptual) entry for one long-term storage device
+ contained by the host. The hrDeviceIndex in the index
+ represents the entry in the hrDeviceTable that
+ corresponds to the hrDiskStorageEntry. As an example,
+ an instance of the hrDiskStorageCapacity object might
+ be named hrDiskStorageCapacity.3"
+ INDEX { hrDeviceIndex }
+ ::= { hrDiskStorageTable 1 }
+
+HrDiskStorageEntry ::= SEQUENCE {
+ hrDiskStorageAccess INTEGER,
+ hrDiskStorageMedia INTEGER,
+ hrDiskStorageRemoveble TruthValue,
+ hrDiskStorageCapacity KBytes
+ }
+
+hrDiskStorageAccess OBJECT-TYPE
+ SYNTAX INTEGER {
+ readWrite(1),
+ readOnly(2)
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "An indication if this long-term storage device is
+ readable and writable or only readable. This should
+ reflect the media type, any write-protect mechanism,
+ and any device configuration that affects the entire
+ device."
+ ::= { hrDiskStorageEntry 1 }
+
+hrDiskStorageMedia OBJECT-TYPE
+ SYNTAX INTEGER {
+ other(1),
+ unknown(2),
+ hardDisk(3),
+ floppyDisk(4),
+ opticalDiskROM(5),
+ opticalDiskWORM(6), -- Write Once Read Many
+ opticalDiskRW(7),
+ ramDisk(8)
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "An indication of the type of media used in this long-
+ term storage device."
+ ::= { hrDiskStorageEntry 2 }
+
+hrDiskStorageRemoveble OBJECT-TYPE
+ SYNTAX TruthValue
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Denotes whether or not the disk media may be removed
+ from the drive."
+ ::= { hrDiskStorageEntry 3 }
+
+hrDiskStorageCapacity OBJECT-TYPE
+ SYNTAX KBytes
+ UNITS "KBytes"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total size for this long-term storage device. If
+ the media is removable and is currently removed, this
+ value should be zero."
+ ::= { hrDiskStorageEntry 4 }
+
+hrPartitionTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF HrPartitionEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The (conceptual) table of partitions for long-term
+ storage devices contained by the host. In particular,
+ partitions accessed remotely over a network are not
+ included here."
+ ::= { hrDevice 7 }
+
+hrPartitionEntry OBJECT-TYPE
+ SYNTAX HrPartitionEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A (conceptual) entry for one partition. The
+ hrDeviceIndex in the index represents the entry in the
+ hrDeviceTable that corresponds to the
+ hrPartitionEntry.
+
+ As an example of how objects in this table are named,
+ an instance of the hrPartitionSize object might be
+ named hrPartitionSize.3.1"
+ INDEX { hrDeviceIndex, hrPartitionIndex }
+ ::= { hrPartitionTable 1 }
+
+HrPartitionEntry ::= SEQUENCE {
+ hrPartitionIndex Integer32,
+ hrPartitionLabel InternationalDisplayString,
+ hrPartitionID OCTET STRING,
+ hrPartitionSize KBytes,
+ hrPartitionFSIndex Integer32
+ }
+
+hrPartitionIndex OBJECT-TYPE
+ SYNTAX Integer32 (1..2147483647)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "A unique value for each partition on this long-term
+ storage device. The value for each long-term storage
+ device must remain constant at least from one re-
+ initialization of the agent to the next re-
+ initialization."
+ ::= { hrPartitionEntry 1 }
+
+hrPartitionLabel OBJECT-TYPE
+ SYNTAX InternationalDisplayString (SIZE (0..128))
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "A textual description of this partition."
+ ::= { hrPartitionEntry 2 }
+
+hrPartitionID OBJECT-TYPE
+ SYNTAX OCTET STRING
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "A descriptor which uniquely represents this partition
+ to the responsible operating system. On some systems,
+ this might take on a binary representation."
+ ::= { hrPartitionEntry 3 }
+
+hrPartitionSize OBJECT-TYPE
+ SYNTAX KBytes
+ UNITS "KBytes"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The size of this partition."
+ ::= { hrPartitionEntry 4 }
+
+hrPartitionFSIndex OBJECT-TYPE
+ SYNTAX Integer32 (0..2147483647)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The index of the file system mounted on this
+ partition. If no file system is mounted on this
+ partition, then this value shall be zero. Note that
+ multiple partitions may point to one file system,
+ denoting that that file system resides on those
+ partitions. Multiple file systems may not reside on
+ one partition."
+ ::= { hrPartitionEntry 5 }
+
+-- The File System Table
+
+-- Registration point for popular File System types,
+-- for use with hrFSType. These are defined in the
+-- HOST-RESOURCES-TYPES module.
+hrFSTypes OBJECT IDENTIFIER ::= { hrDevice 9 }
+
+hrFSTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF HrFSEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The (conceptual) table of file systems local to this
+ host or remotely mounted from a file server. File
+ systems that are in only one user's environment on a
+ multi-user system will not be included in this table."
+ ::= { hrDevice 8 }
+
+hrFSEntry OBJECT-TYPE
+ SYNTAX HrFSEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A (conceptual) entry for one file system local to
+ this host or remotely mounted from a file server.
+ File systems that are in only one user's environment
+ on a multi-user system will not be included in this
+ table.
+
+ As an example of how objects in this table are named,
+ an instance of the hrFSMountPoint object might be
+ named hrFSMountPoint.3"
+ INDEX { hrFSIndex }
+ ::= { hrFSTable 1 }
+
+HrFSEntry ::= SEQUENCE {
+ hrFSIndex Integer32,
+ hrFSMountPoint InternationalDisplayString,
+ hrFSRemoteMountPoint InternationalDisplayString,
+ hrFSType AutonomousType,
+ hrFSAccess INTEGER,
+ hrFSBootable TruthValue,
+ hrFSStorageIndex Integer32,
+ hrFSLastFullBackupDate DateAndTime,
+ hrFSLastPartialBackupDate DateAndTime
+ }
+
+hrFSIndex OBJECT-TYPE
+ SYNTAX Integer32 (1..2147483647)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "A unique value for each file system local to this
+ host. The value for each file system must remain
+ constant at least from one re-initialization of the
+ agent to the next re-initialization."
+ ::= { hrFSEntry 1 }
+
+hrFSMountPoint OBJECT-TYPE
+ SYNTAX InternationalDisplayString (SIZE(0..128))
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The path name of the root of this file system."
+ ::= { hrFSEntry 2 }
+
+hrFSRemoteMountPoint OBJECT-TYPE
+ SYNTAX InternationalDisplayString (SIZE(0..128))
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "A description of the name and/or address of the
+ server that this file system is mounted from. This
+ may also include parameters such as the mount point on
+ the remote file system. If this is not a remote file
+ system, this string should have a length of zero."
+ ::= { hrFSEntry 3 }
+
+hrFSType OBJECT-TYPE
+ SYNTAX AutonomousType
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of this object identifies the type of this
+ file system."
+ ::= { hrFSEntry 4 }
+
+hrFSAccess OBJECT-TYPE
+ SYNTAX INTEGER {
+ readWrite(1),
+ readOnly(2)
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "An indication if this file system is logically
+ configured by the operating system to be readable and
+ writable or only readable. This does not represent
+ any local access-control policy, except one that is
+ applied to the file system as a whole."
+ ::= { hrFSEntry 5 }
+
+hrFSBootable OBJECT-TYPE
+ SYNTAX TruthValue
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "A flag indicating whether this file system is
+ bootable."
+ ::= { hrFSEntry 6 }
+
+hrFSStorageIndex OBJECT-TYPE
+ SYNTAX Integer32 (0..2147483647)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The index of the hrStorageEntry that represents
+ information about this file system. If there is no
+ such information available, then this value shall be
+ zero. The relevant storage entry will be useful in
+ tracking the percent usage of this file system and
+ diagnosing errors that may occur when it runs out of
+ space."
+ ::= { hrFSEntry 7 }
+
+hrFSLastFullBackupDate OBJECT-TYPE
+ SYNTAX DateAndTime
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "The last date at which this complete file system was
+
+ copied to another storage device for backup. This
+ information is useful for ensuring that backups are
+ being performed regularly.
+
+ If this information is not known, then this variable
+ shall have the value corresponding to January 1, year
+ 0000, 00:00:00.0, which is encoded as
+ (hex)'00 00 01 01 00 00 00 00'."
+ ::= { hrFSEntry 8 }
+
+hrFSLastPartialBackupDate OBJECT-TYPE
+ SYNTAX DateAndTime
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "The last date at which a portion of this file system
+ was copied to another storage device for backup. This
+ information is useful for ensuring that backups are
+ being performed regularly.
+
+ If this information is not known, then this variable
+ shall have the value corresponding to January 1, year
+ 0000, 00:00:00.0, which is encoded as
+ (hex)'00 00 01 01 00 00 00 00'."
+ ::= { hrFSEntry 9 }
+
+-- The Host Resources Running Software Group
+--
+-- The hrSWRunTable contains an entry for each distinct piece of
+-- software that is running or loaded into physical or virtual
+-- memory in preparation for running. This includes the host's
+-- operating system, device drivers, and applications.
+
+hrSWOSIndex OBJECT-TYPE
+ SYNTAX Integer32 (1..2147483647)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of the hrSWRunIndex for the hrSWRunEntry
+ that represents the primary operating system running
+ on this host. This object is useful for quickly and
+ uniquely identifying that primary operating system."
+ ::= { hrSWRun 1 }
+
+hrSWRunTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF HrSWRunEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The (conceptual) table of software running on the
+ host."
+ ::= { hrSWRun 2 }
+
+hrSWRunEntry OBJECT-TYPE
+ SYNTAX HrSWRunEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A (conceptual) entry for one piece of software
+ running on the host Note that because the installed
+ software table only contains information for software
+ stored locally on this host, not every piece of
+ running software will be found in the installed
+ software table. This is true of software that was
+ loaded and run from a non-local source, such as a
+ network-mounted file system.
+
+ As an example of how objects in this table are named,
+ an instance of the hrSWRunName object might be named
+ hrSWRunName.1287"
+ INDEX { hrSWRunIndex }
+ ::= { hrSWRunTable 1 }
+
+HrSWRunEntry ::= SEQUENCE {
+ hrSWRunIndex Integer32,
+ hrSWRunName InternationalDisplayString,
+ hrSWRunID ProductID,
+ hrSWRunPath InternationalDisplayString,
+ hrSWRunParameters InternationalDisplayString,
+ hrSWRunType INTEGER,
+ hrSWRunStatus INTEGER
+ }
+
+hrSWRunIndex OBJECT-TYPE
+ SYNTAX Integer32 (1..2147483647)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "A unique value for each piece of software running on
+ the host. Wherever possible, this should be the
+ system's native, unique identification number."
+ ::= { hrSWRunEntry 1 }
+
+hrSWRunName OBJECT-TYPE
+ SYNTAX InternationalDisplayString (SIZE (0..64))
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "A textual description of this running piece of
+ software, including the manufacturer, revision, and
+ the name by which it is commonly known. If this
+ software was installed locally, this should be the
+ same string as used in the corresponding
+ hrSWInstalledName."
+ ::= { hrSWRunEntry 2 }
+
+hrSWRunID OBJECT-TYPE
+ SYNTAX ProductID
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The product ID of this running piece of software."
+ ::= { hrSWRunEntry 3 }
+
+hrSWRunPath OBJECT-TYPE
+ SYNTAX InternationalDisplayString (SIZE(0..128))
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "A description of the location on long-term storage
+ (e.g. a disk drive) from which this software was
+ loaded."
+ ::= { hrSWRunEntry 4 }
+
+hrSWRunParameters OBJECT-TYPE
+ SYNTAX InternationalDisplayString (SIZE(0..128))
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "A description of the parameters supplied to this
+ software when it was initially loaded."
+ ::= { hrSWRunEntry 5 }
+
+hrSWRunType OBJECT-TYPE
+ SYNTAX INTEGER {
+ unknown(1),
+ operatingSystem(2),
+ deviceDriver(3),
+ application(4)
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The type of this software."
+ ::= { hrSWRunEntry 6 }
+
+hrSWRunStatus OBJECT-TYPE
+ SYNTAX INTEGER {
+ running(1),
+ runnable(2), -- waiting for resource
+ -- (i.e., CPU, memory, IO)
+ notRunnable(3), -- loaded but waiting for event
+ invalid(4) -- not loaded
+ }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "The status of this running piece of software.
+ Setting this value to invalid(4) shall cause this
+ software to stop running and to be unloaded. Sets to
+ other values are not valid."
+ ::= { hrSWRunEntry 7 }
+
+-- The Host Resources Running Software Performance Group
+--
+-- The hrSWRunPerfTable contains an entry corresponding to
+-- each entry in the hrSWRunTable.
+
+hrSWRunPerfTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF HrSWRunPerfEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The (conceptual) table of running software
+ performance metrics."
+ ::= { hrSWRunPerf 1 }
+
+hrSWRunPerfEntry OBJECT-TYPE
+ SYNTAX HrSWRunPerfEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A (conceptual) entry containing software performance
+ metrics. As an example, an instance of the
+ hrSWRunPerfCPU object might be named
+ hrSWRunPerfCPU.1287"
+ AUGMENTS { hrSWRunEntry } -- This table augments information in
+ -- the hrSWRunTable.
+ ::= { hrSWRunPerfTable 1 }
+
+HrSWRunPerfEntry ::= SEQUENCE {
+ hrSWRunPerfCPU Integer32,
+ hrSWRunPerfMem KBytes
+}
+
+hrSWRunPerfCPU OBJECT-TYPE
+ SYNTAX Integer32 (0..2147483647)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of centi-seconds of the total system's CPU
+ resources consumed by this process. Note that on a
+ multi-processor system, this value may increment by
+ more than one centi-second in one centi-second of real
+ (wall clock) time."
+ ::= { hrSWRunPerfEntry 1 }
+
+hrSWRunPerfMem OBJECT-TYPE
+ SYNTAX KBytes
+ UNITS "KBytes"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total amount of real system memory allocated to
+ this process."
+ ::= { hrSWRunPerfEntry 2 }
+
+-- The Host Resources Installed Software Group
+--
+-- The hrSWInstalledTable contains an entry for each piece
+-- of software installed in long-term storage (e.g. a disk
+-- drive) locally on this host. Note that this does not
+-- include software loadable remotely from a network
+-- server.
+--
+-- Different implementations may track software in varying
+-- ways. For example, while some implementations may track
+-- executable files as distinct pieces of software, other
+-- implementations may use other strategies such as keeping
+-- track of software "packages" (e.g., related groups of files)
+-- or keeping track of system or application "patches".
+--
+-- This table is useful for identifying and inventorying
+-- software on a host and for diagnosing incompatibility
+-- and version mismatch problems between various pieces
+-- of hardware and software.
+
+hrSWInstalledLastChange OBJECT-TYPE
+ SYNTAX TimeTicks
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of sysUpTime when an entry in the
+ hrSWInstalledTable was last added, renamed, or
+ deleted. Because this table is likely to contain many
+ entries, polling of this object allows a management
+ station to determine when re-downloading of the table
+ might be useful."
+ ::= { hrSWInstalled 1 }
+
+hrSWInstalledLastUpdateTime OBJECT-TYPE
+ SYNTAX TimeTicks
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of sysUpTime when the hrSWInstalledTable
+ was last completely updated. Because caching of this
+ data will be a popular implementation strategy,
+ retrieval of this object allows a management station
+ to obtain a guarantee that no data in this table is
+ older than the indicated time."
+ ::= { hrSWInstalled 2 }
+
+hrSWInstalledTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF HrSWInstalledEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The (conceptual) table of software installed on this
+ host."
+ ::= { hrSWInstalled 3 }
+
+hrSWInstalledEntry OBJECT-TYPE
+ SYNTAX HrSWInstalledEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A (conceptual) entry for a piece of software
+ installed on this host.
+
+ As an example of how objects in this table are named,
+ an instance of the hrSWInstalledName object might be
+ named hrSWInstalledName.96"
+ INDEX { hrSWInstalledIndex }
+ ::= { hrSWInstalledTable 1 }
+
+HrSWInstalledEntry ::= SEQUENCE {
+ hrSWInstalledIndex Integer32,
+ hrSWInstalledName InternationalDisplayString,
+ hrSWInstalledID ProductID,
+ hrSWInstalledType INTEGER,
+ hrSWInstalledDate DateAndTime
+}
+
+hrSWInstalledIndex OBJECT-TYPE
+ SYNTAX Integer32 (1..2147483647)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "A unique value for each piece of software installed
+ on the host. This value shall be in the range from 1
+ to the number of pieces of software installed on the
+ host."
+ ::= { hrSWInstalledEntry 1 }
+
+hrSWInstalledName OBJECT-TYPE
+ SYNTAX InternationalDisplayString (SIZE (0..64))
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "A textual description of this installed piece of
+ software, including the manufacturer, revision, the
+ name by which it is commonly known, and optionally,
+ its serial number."
+ ::= { hrSWInstalledEntry 2 }
+
+hrSWInstalledID OBJECT-TYPE
+ SYNTAX ProductID
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The product ID of this installed piece of software."
+ ::= { hrSWInstalledEntry 3 }
+
+hrSWInstalledType OBJECT-TYPE
+ SYNTAX INTEGER {
+ unknown(1),
+ operatingSystem(2),
+ deviceDriver(3),
+ application(4)
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The type of this software."
+ ::= { hrSWInstalledEntry 4 }
+
+hrSWInstalledDate OBJECT-TYPE
+ SYNTAX DateAndTime
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The last-modification date of this application as it
+ would appear in a directory listing.
+
+ If this information is not known, then this variable
+ shall have the value corresponding to January 1, year
+ 0000, 00:00:00.0, which is encoded as
+ (hex)'00 00 01 01 00 00 00 00'."
+ ::= { hrSWInstalledEntry 5 }
+
+-- Conformance information
+
+hrMIBCompliances OBJECT IDENTIFIER ::= { hrMIBAdminInfo 2 }
+hrMIBGroups OBJECT IDENTIFIER ::= { hrMIBAdminInfo 3 }
+
+-- Compliance Statements
+hrMIBCompliance MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "The requirements for conformance to the Host Resources MIB."
+ MODULE -- this module
+ MANDATORY-GROUPS { hrSystemGroup, hrStorageGroup,
+ hrDeviceGroup }
+
+ OBJECT hrSystemDate
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT hrSystemInitialLoadDevice
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT hrSystemInitialLoadParameters
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT hrStorageSize
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT hrFSLastFullBackupDate
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT hrFSLastPartialBackupDate
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ GROUP hrSWRunGroup
+ DESCRIPTION
+ "The Running Software Group. Implementation
+ of this group is mandatory only when the
+ hrSWRunPerfGroup is implemented."
+
+ OBJECT hrSWRunStatus
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ GROUP hrSWRunPerfGroup
+ DESCRIPTION
+ "The Running Software Performance Group.
+ Implementation of this group is at the discretion
+ of the implementor."
+
+ GROUP hrSWInstalledGroup
+ DESCRIPTION
+ "The Installed Software Group.
+ Implementation of this group is at the discretion
+ of the implementor."
+ ::= { hrMIBCompliances 1 }
+
+ hrSystemGroup OBJECT-GROUP
+ OBJECTS {
+ hrSystemUptime, hrSystemDate,
+ hrSystemInitialLoadDevice,
+ hrSystemInitialLoadParameters,
+ hrSystemNumUsers, hrSystemProcesses,
+ hrSystemMaxProcesses
+ }
+ STATUS current
+ DESCRIPTION
+ "The Host Resources System Group."
+ ::= { hrMIBGroups 1 }
+
+ hrStorageGroup OBJECT-GROUP
+ OBJECTS {
+ hrMemorySize, hrStorageIndex, hrStorageType,
+ hrStorageDescr, hrStorageAllocationUnits,
+ hrStorageSize, hrStorageUsed,
+ hrStorageAllocationFailures
+ }
+ STATUS current
+ DESCRIPTION
+ "The Host Resources Storage Group."
+ ::= { hrMIBGroups 2 }
+
+ hrDeviceGroup OBJECT-GROUP
+ OBJECTS {
+ hrDeviceIndex, hrDeviceType, hrDeviceDescr,
+ hrDeviceID, hrDeviceStatus, hrDeviceErrors,
+ hrProcessorFrwID, hrProcessorLoad,
+ hrNetworkIfIndex, hrPrinterStatus,
+ hrPrinterDetectedErrorState,
+ hrDiskStorageAccess, hrDiskStorageMedia,
+ hrDiskStorageRemoveble, hrDiskStorageCapacity,
+ hrPartitionIndex, hrPartitionLabel,
+ hrPartitionID, hrPartitionSize,
+ hrPartitionFSIndex, hrFSIndex, hrFSMountPoint,
+ hrFSRemoteMountPoint, hrFSType, hrFSAccess,
+ hrFSBootable, hrFSStorageIndex,
+ hrFSLastFullBackupDate,
+ hrFSLastPartialBackupDate
+ }
+ STATUS current
+ DESCRIPTION
+ "The Host Resources Device Group."
+ ::= { hrMIBGroups 3 }
+
+ hrSWRunGroup OBJECT-GROUP
+ OBJECTS {
+ hrSWOSIndex, hrSWRunIndex, hrSWRunName,
+ hrSWRunID, hrSWRunPath, hrSWRunParameters,
+ hrSWRunType, hrSWRunStatus
+ }
+ STATUS current
+ DESCRIPTION
+ "The Host Resources Running Software Group."
+ ::= { hrMIBGroups 4 }
+
+ hrSWRunPerfGroup OBJECT-GROUP
+ OBJECTS { hrSWRunPerfCPU, hrSWRunPerfMem }
+ STATUS current
+ DESCRIPTION
+ "The Host Resources Running Software
+ Performance Group."
+ ::= { hrMIBGroups 5 }
+
+ hrSWInstalledGroup OBJECT-GROUP
+ OBJECTS {
+ hrSWInstalledLastChange,
+ hrSWInstalledLastUpdateTime,
+ hrSWInstalledIndex, hrSWInstalledName,
+ hrSWInstalledID, hrSWInstalledType,
+ hrSWInstalledDate
+ }
+ STATUS current
+ DESCRIPTION
+ "The Host Resources Installed Software Group."
+ ::= { hrMIBGroups 6 }
+
+END
diff --git a/mibs/HOST-RESOURCES-TYPES.txt b/mibs/HOST-RESOURCES-TYPES.txt
new file mode 100644
index 000000000..d25bb4032
--- /dev/null
+++ b/mibs/HOST-RESOURCES-TYPES.txt
@@ -0,0 +1,389 @@
+HOST-RESOURCES-TYPES DEFINITIONS ::= BEGIN
+
+IMPORTS
+ MODULE-IDENTITY, OBJECT-IDENTITY FROM SNMPv2-SMI
+ hrMIBAdminInfo, hrStorage, hrDevice FROM HOST-RESOURCES-MIB;
+
+hostResourcesTypesModule MODULE-IDENTITY
+ LAST-UPDATED "200003060000Z" -- 6 March, 2000
+ ORGANIZATION "IETF Host Resources MIB Working Group"
+ CONTACT-INFO
+ "Steve Waldbusser
+ Postal: Lucent Technologies, Inc.
+ 1213 Innsbruck Dr.
+ Sunnyvale, CA 94089
+ USA
+ Phone: 650-318-1251
+ Fax: 650-318-1633
+ Email: waldbusser@ins.com
+
+ In addition, the Host Resources MIB mailing list is dedicated
+ to discussion of this MIB. To join the mailing list, send a
+ request message to hostmib-request@andrew.cmu.edu. The mailing
+ list address is hostmib@andrew.cmu.edu."
+ DESCRIPTION
+ "This MIB module registers type definitions for
+ storage types, device types, and file system types.
+
+ After the initial revision, this module will be
+ maintained by IANA."
+ REVISION "200003060000Z" -- 6 March 2000
+ DESCRIPTION
+ "The original version of this module, published as RFC
+ 2790."
+ ::= { hrMIBAdminInfo 4 }
+
+-- Registrations for some storage types, for use with hrStorageType
+hrStorageTypes OBJECT IDENTIFIER ::= { hrStorage 1 }
+
+hrStorageOther OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The storage type identifier used when no other defined
+ type is appropriate."
+ ::= { hrStorageTypes 1 }
+
+hrStorageRam OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The storage type identifier used for RAM."
+ ::= { hrStorageTypes 2 }
+
+hrStorageVirtualMemory OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The storage type identifier used for virtual memory,
+ temporary storage of swapped or paged memory."
+ ::= { hrStorageTypes 3 }
+
+hrStorageFixedDisk OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The storage type identifier used for non-removable
+ rigid rotating magnetic storage devices."
+ ::= { hrStorageTypes 4 }
+
+hrStorageRemovableDisk OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The storage type identifier used for removable rigid
+ rotating magnetic storage devices."
+ ::= { hrStorageTypes 5 }
+
+hrStorageFloppyDisk OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The storage type identifier used for non-rigid rotating
+ magnetic storage devices."
+ ::= { hrStorageTypes 6 }
+
+hrStorageCompactDisc OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The storage type identifier used for read-only rotating
+ optical storage devices."
+ ::= { hrStorageTypes 7 }
+
+hrStorageRamDisk OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The storage type identifier used for a file system that
+ is stored in RAM."
+ ::= { hrStorageTypes 8 }
+
+hrStorageFlashMemory OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The storage type identifier used for flash memory."
+ ::= { hrStorageTypes 9 }
+
+hrStorageNetworkDisk OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The storage type identifier used for a
+ networked file system."
+ ::= { hrStorageTypes 10 }
+
+-- Registrations for some device types, for use with hrDeviceType
+hrDeviceTypes OBJECT IDENTIFIER ::= { hrDevice 1 }
+
+hrDeviceOther OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The device type identifier used when no other defined
+ type is appropriate."
+ ::= { hrDeviceTypes 1 }
+
+hrDeviceUnknown OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The device type identifier used when the device type is
+ unknown."
+ ::= { hrDeviceTypes 2 }
+
+hrDeviceProcessor OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The device type identifier used for a CPU."
+ ::= { hrDeviceTypes 3 }
+
+hrDeviceNetwork OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The device type identifier used for a network interface."
+ ::= { hrDeviceTypes 4 }
+
+hrDevicePrinter OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The device type identifier used for a printer."
+ ::= { hrDeviceTypes 5 }
+
+hrDeviceDiskStorage OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The device type identifier used for a disk drive."
+ ::= { hrDeviceTypes 6 }
+
+hrDeviceVideo OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The device type identifier used for a video device."
+ ::= { hrDeviceTypes 10 }
+
+hrDeviceAudio OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The device type identifier used for an audio device."
+ ::= { hrDeviceTypes 11 }
+
+hrDeviceCoprocessor OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The device type identifier used for a co-processor."
+ ::= { hrDeviceTypes 12 }
+
+hrDeviceKeyboard OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The device type identifier used for a keyboard device."
+ ::= { hrDeviceTypes 13 }
+
+hrDeviceModem OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The device type identifier used for a modem."
+ ::= { hrDeviceTypes 14 }
+
+hrDeviceParallelPort OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The device type identifier used for a parallel port."
+ ::= { hrDeviceTypes 15 }
+
+hrDevicePointing OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The device type identifier used for a pointing device
+ (e.g., a mouse)."
+ ::= { hrDeviceTypes 16 }
+
+hrDeviceSerialPort OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The device type identifier used for a serial port."
+ ::= { hrDeviceTypes 17 }
+
+hrDeviceTape OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The device type identifier used for a tape storage device."
+ ::= { hrDeviceTypes 18 }
+
+hrDeviceClock OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The device type identifier used for a clock device."
+ ::= { hrDeviceTypes 19 }
+
+hrDeviceVolatileMemory OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The device type identifier used for a volatile memory
+ storage device."
+ ::= { hrDeviceTypes 20 }
+
+hrDeviceNonVolatileMemory OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The device type identifier used for a non-volatile memory
+
+ storage device."
+ ::= { hrDeviceTypes 21 }
+
+-- Registrations for some popular File System types,
+-- for use with hrFSType.
+hrFSTypes OBJECT IDENTIFIER ::= { hrDevice 9 }
+
+hrFSOther OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The file system type identifier used when no other
+ defined type is appropriate."
+ ::= { hrFSTypes 1 }
+
+hrFSUnknown OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The file system type identifier used when the type of
+ file system is unknown."
+ ::= { hrFSTypes 2 }
+
+hrFSBerkeleyFFS OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The file system type identifier used for the
+ Berkeley Fast File System."
+ ::= { hrFSTypes 3 }
+
+hrFSSys5FS OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The file system type identifier used for the
+ System V File System."
+ ::= { hrFSTypes 4 }
+
+hrFSFat OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The file system type identifier used for
+ DOS's FAT file system."
+ ::= { hrFSTypes 5 }
+
+hrFSHPFS OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The file system type identifier used for OS/2's
+ High Performance File System."
+ ::= { hrFSTypes 6 }
+
+hrFSHFS OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The file system type identifier used for the
+ Macintosh Hierarchical File System."
+ ::= { hrFSTypes 7 }
+
+hrFSMFS OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The file system type identifier used for the
+ Macintosh File System."
+ ::= { hrFSTypes 8 }
+
+hrFSNTFS OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The file system type identifier used for the
+ Windows NT File System."
+ ::= { hrFSTypes 9 }
+
+hrFSVNode OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The file system type identifier used for the
+ VNode File System."
+ ::= { hrFSTypes 10 }
+
+hrFSJournaled OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The file system type identifier used for the
+ Journaled File System."
+ ::= { hrFSTypes 11 }
+
+hrFSiso9660 OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The file system type identifier used for the
+ ISO 9660 File System for CD's."
+ ::= { hrFSTypes 12 }
+
+hrFSRockRidge OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The file system type identifier used for the
+ RockRidge File System for CD's."
+ ::= { hrFSTypes 13 }
+
+hrFSNFS OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The file system type identifier used for the
+ NFS File System."
+ ::= { hrFSTypes 14 }
+
+hrFSNetware OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The file system type identifier used for the
+ Netware File System."
+ ::= { hrFSTypes 15 }
+
+hrFSAFS OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The file system type identifier used for the
+ Andrew File System."
+ ::= { hrFSTypes 16 }
+
+hrFSDFS OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The file system type identifier used for the
+ OSF DCE Distributed File System."
+ ::= { hrFSTypes 17 }
+
+hrFSAppleshare OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The file system type identifier used for the
+ AppleShare File System."
+ ::= { hrFSTypes 18 }
+
+hrFSRFS OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The file system type identifier used for the
+ RFS File System."
+ ::= { hrFSTypes 19 }
+
+hrFSDGCFS OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The file system type identifier used for the
+ Data General DGCFS."
+ ::= { hrFSTypes 20 }
+
+hrFSBFS OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The file system type identifier used for the
+ SVR4 Boot File System."
+ ::= { hrFSTypes 21 }
+
+hrFSFAT32 OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The file system type identifier used for the
+ Windows FAT32 File System."
+ ::= { hrFSTypes 22 }
+
+hrFSLinuxExt2 OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The file system type identifier used for the
+ Linux EXT2 File System."
+ ::= { hrFSTypes 23 }
+
+END
diff --git a/mibs/IF-INVERTED-STACK-MIB.txt b/mibs/IF-INVERTED-STACK-MIB.txt
new file mode 100644
index 000000000..eb8797b58
--- /dev/null
+++ b/mibs/IF-INVERTED-STACK-MIB.txt
@@ -0,0 +1,149 @@
+IF-INVERTED-STACK-MIB DEFINITIONS ::= BEGIN
+
+IMPORTS
+ MODULE-IDENTITY, OBJECT-TYPE, mib-2 FROM SNMPv2-SMI
+ RowStatus FROM SNMPv2-TC
+ MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF
+ ifStackGroup2,
+ ifStackHigherLayer, ifStackLowerLayer FROM IF-MIB;
+
+ifInvertedStackMIB MODULE-IDENTITY
+ LAST-UPDATED "200006140000Z"
+ ORGANIZATION "IETF Interfaces MIB Working Group"
+ CONTACT-INFO
+ " Keith McCloghrie
+ Cisco Systems, Inc.
+ 170 West Tasman Drive
+ San Jose, CA 95134-1706
+ US
+
+ 408-526-5260
+ kzm@cisco.com"
+ DESCRIPTION
+ "The MIB module which provides the Inverted Stack Table for
+ interface sub-layers."
+ REVISION "200006140000Z"
+ DESCRIPTION
+ "Initial revision, published as RFC 2864"
+ ::= { mib-2 77 }
+
+ifInvMIBObjects OBJECT IDENTIFIER ::= { ifInvertedStackMIB 1 }
+
+--
+-- The Inverted Interface Stack Group
+--
+
+ifInvStackTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF IfInvStackEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table containing information on the relationships between
+
+ the multiple sub-layers of network interfaces. In
+ particular, it contains information on which sub-layers run
+ 'underneath' which other sub-layers, where each sub-layer
+ corresponds to a conceptual row in the ifTable. For
+ example, when the sub-layer with ifIndex value x runs
+ underneath the sub-layer with ifIndex value y, then this
+ table contains:
+
+ ifInvStackStatus.x.y=active
+
+ For each ifIndex value, z, which identifies an active
+ interface, there are always at least two instantiated rows
+ in this table associated with z. For one of these rows, z
+ is the value of ifStackHigherLayer; for the other, z is the
+ value of ifStackLowerLayer. (If z is not involved in
+ multiplexing, then these are the only two rows associated
+ with z.)
+
+ For example, two rows exist even for an interface which has
+ no others stacked on top or below it:
+
+ ifInvStackStatus.z.0=active
+ ifInvStackStatus.0.z=active
+
+ This table contains exactly the same number of rows as the
+ ifStackTable, but the rows appear in a different order."
+ REFERENCE
+ "ifStackTable of RFC 2863"
+ ::= { ifInvMIBObjects 1 }
+
+ifInvStackEntry OBJECT-TYPE
+ SYNTAX IfInvStackEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Information on a particular relationship between two sub-
+ layers, specifying that one sub-layer runs underneath the
+ other sub-layer. Each sub-layer corresponds to a conceptual
+ row in the ifTable."
+ INDEX { ifStackLowerLayer, ifStackHigherLayer }
+ ::= { ifInvStackTable 1 }
+
+IfInvStackEntry ::=
+ SEQUENCE {
+ ifInvStackStatus RowStatus
+ }
+
+ifInvStackStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The status of the relationship between two sub-layers.
+
+ An instance of this object exists for each instance of the
+ ifStackStatus object, and vice versa. For example, if the
+ variable ifStackStatus.H.L exists, then the variable
+ ifInvStackStatus.L.H must also exist, and vice versa. In
+ addition, the two variables always have the same value.
+
+ However, unlike ifStackStatus, the ifInvStackStatus object
+ is NOT write-able. A network management application wishing
+ to change a relationship between sub-layers H and L cannot
+ do so by modifying the value of ifInvStackStatus.L.H, but
+ must instead modify the value of ifStackStatus.H.L. After
+ the ifStackTable is modified, the change will be reflected
+ in this table."
+ ::= { ifInvStackEntry 1 }
+
+-- conformance information
+
+ifInvConformance OBJECT IDENTIFIER ::= { ifInvMIBObjects 2 }
+
+ifInvGroups OBJECT IDENTIFIER ::= { ifInvConformance 1 }
+ifInvCompliances OBJECT IDENTIFIER ::= { ifInvConformance 2 }
+
+-- compliance statements
+
+ifInvCompliance MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "The compliance statement for SNMP entities which provide
+ inverted information on the layering of network interfaces."
+
+ MODULE -- this module
+ MANDATORY-GROUPS { ifInvStackGroup }
+
+ OBJECT ifInvStackStatus
+ SYNTAX INTEGER { active(1) }
+ DESCRIPTION
+ "Support is only required for 'active'."
+
+ MODULE IF-MIB
+ MANDATORY-GROUPS { ifStackGroup2 }
+ ::= { ifInvCompliances 1 }
+
+-- units of conformance
+
+ifInvStackGroup OBJECT-GROUP
+ OBJECTS { ifInvStackStatus }
+ STATUS current
+ DESCRIPTION
+ "A collection of objects providing inverted information on
+ the layering of MIB-II interfaces."
+ ::= { ifInvGroups 1 }
+
+END
diff --git a/mibs/IF-MIB.txt b/mibs/IF-MIB.txt
new file mode 100644
index 000000000..7704f0c25
--- /dev/null
+++ b/mibs/IF-MIB.txt
@@ -0,0 +1,1814 @@
+IF-MIB DEFINITIONS ::= BEGIN
+
+IMPORTS
+ MODULE-IDENTITY, OBJECT-TYPE, Counter32, Gauge32, Counter64,
+ Integer32, TimeTicks, mib-2,
+ NOTIFICATION-TYPE FROM SNMPv2-SMI
+ TEXTUAL-CONVENTION, DisplayString,
+ PhysAddress, TruthValue, RowStatus,
+ TimeStamp, AutonomousType, TestAndIncr FROM SNMPv2-TC
+ MODULE-COMPLIANCE, OBJECT-GROUP,
+ NOTIFICATION-GROUP FROM SNMPv2-CONF
+ snmpTraps FROM SNMPv2-MIB
+ IANAifType FROM IANAifType-MIB;
+
+ifMIB MODULE-IDENTITY
+ LAST-UPDATED "200006140000Z"
+ ORGANIZATION "IETF Interfaces MIB Working Group"
+ CONTACT-INFO
+ " Keith McCloghrie
+ Cisco Systems, Inc.
+ 170 West Tasman Drive
+ San Jose, CA 95134-1706
+ US
+
+ 408-526-5260
+ kzm@cisco.com"
+ DESCRIPTION
+ "The MIB module to describe generic objects for network
+ interface sub-layers. This MIB is an updated version of
+ MIB-II's ifTable, and incorporates the extensions defined in
+ RFC 1229."
+
+ REVISION "200006140000Z"
+ DESCRIPTION
+ "Clarifications agreed upon by the Interfaces MIB WG, and
+ published as RFC 2863."
+ REVISION "199602282155Z"
+ DESCRIPTION
+ "Revisions made by the Interfaces MIB WG, and published in
+ RFC 2233."
+ REVISION "199311082155Z"
+ DESCRIPTION
+ "Initial revision, published as part of RFC 1573."
+ ::= { mib-2 31 }
+
+ifMIBObjects OBJECT IDENTIFIER ::= { ifMIB 1 }
+
+interfaces OBJECT IDENTIFIER ::= { mib-2 2 }
+
+--
+-- Textual Conventions
+--
+
+-- OwnerString has the same semantics as used in RFC 1271
+
+OwnerString ::= TEXTUAL-CONVENTION
+ DISPLAY-HINT "255a"
+ STATUS deprecated
+ DESCRIPTION
+ "This data type is used to model an administratively
+ assigned name of the owner of a resource. This information
+ is taken from the NVT ASCII character set. It is suggested
+ that this name contain one or more of the following: ASCII
+ form of the manager station's transport address, management
+ station name (e.g., domain name), network management
+ personnel's name, location, or phone number.
In some cases
+ the agent itself will be the owner of an entry. In these
+ cases, this string shall be set to a string starting with
+ 'agent'."
+ SYNTAX OCTET STRING (SIZE(0..255))
+
+-- InterfaceIndex contains the semantics of ifIndex and should be used
+-- for any objects defined in other MIB modules that need these semantics.
+
+InterfaceIndex ::= TEXTUAL-CONVENTION
+ DISPLAY-HINT "d"
+ STATUS current
+ DESCRIPTION
+ "A unique value, greater than zero, for each interface or
+ interface sub-layer in the managed system. It is
+ recommended that values are assigned contiguously starting
+ from 1. The value for each interface sub-layer must remain
+ constant at least from one re-initialization of the entity's
+ network management system to the next re-initialization."
+ SYNTAX Integer32 (1..2147483647)
+
+InterfaceIndexOrZero ::= TEXTUAL-CONVENTION
+ DISPLAY-HINT "d"
+ STATUS current
+ DESCRIPTION
+ "This textual convention is an extension of the
+ InterfaceIndex convention. The latter defines a greater
+ than zero value used to identify an interface or interface
+ sub-layer in the managed system. This extension permits the
+ additional value of zero. the value zero is object-specific
+ and must therefore be defined as part of the description of
+ any object which uses this syntax. Examples of the usage of
+ zero might include situations where interface was unknown,
+ or when none or all interfaces need to be referenced."
+ SYNTAX Integer32 (0..2147483647)
+
+ifNumber OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of network interfaces (regardless of their
+ current state) present on this system."
+ ::= { interfaces 1 }
+
+ifTableLastChange OBJECT-TYPE
+ SYNTAX TimeTicks
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of sysUpTime at the time of the last creation or
+ deletion of an entry in the ifTable.
If the number of
+ entries has been unchanged since the last re-initialization
+ of the local network management subsystem, then this object
+ contains a zero value."
+ ::= { ifMIBObjects 5 }
+
+-- the Interfaces table
+
+-- The Interfaces table contains information on the entity's
+
+-- interfaces. Each sub-layer below the internetwork-layer
+-- of a network interface is considered to be an interface.
+
+ifTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF IfEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A list of interface entries. The number of entries is
+ given by the value of ifNumber."
+ ::= { interfaces 2 }
+
+ifEntry OBJECT-TYPE
+ SYNTAX IfEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An entry containing management information applicable to a
+ particular interface."
+ INDEX { ifIndex }
+ ::= { ifTable 1 }
+
+IfEntry ::=
+ SEQUENCE {
+ ifIndex InterfaceIndex,
+ ifDescr DisplayString,
+ ifType IANAifType,
+ ifMtu Integer32,
+ ifSpeed Gauge32,
+ ifPhysAddress PhysAddress,
+ ifAdminStatus INTEGER,
+ ifOperStatus INTEGER,
+ ifLastChange TimeTicks,
+ ifInOctets Counter32,
+ ifInUcastPkts Counter32,
+ ifInNUcastPkts Counter32, -- deprecated
+ ifInDiscards Counter32,
+ ifInErrors Counter32,
+ ifInUnknownProtos Counter32,
+ ifOutOctets Counter32,
+ ifOutUcastPkts Counter32,
+ ifOutNUcastPkts Counter32, -- deprecated
+ ifOutDiscards Counter32,
+ ifOutErrors Counter32,
+ ifOutQLen Gauge32, -- deprecated
+ ifSpecific OBJECT IDENTIFIER -- deprecated
+ }
+
+ifIndex OBJECT-TYPE
+ SYNTAX InterfaceIndex
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "A unique value, greater than zero, for each interface. It
+ is recommended that values are assigned contiguously
+ starting from 1. The value for each interface sub-layer
+ must remain constant at least from one re-initialization of
+ the entity's network management system to the next re-
+ initialization."
+ ::= { ifEntry 1 }
+
+ifDescr OBJECT-TYPE
+ SYNTAX DisplayString (SIZE (0..255))
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "A textual string containing information about the
+ interface. This string should include the name of the
+ manufacturer, the product name and the version of the
+ interface hardware/software."
+ ::= { ifEntry 2 }
+
+ifType OBJECT-TYPE
+ SYNTAX IANAifType
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The type of interface. Additional values for ifType are
+ assigned by the Internet Assigned Numbers Authority (IANA),
+ through updating the syntax of the IANAifType textual
+ convention."
+ ::= { ifEntry 3 }
+
+ifMtu OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The size of the largest packet which can be sent/received
+ on the interface, specified in octets. For interfaces that
+ are used for transmitting network datagrams, this is the
+ size of the largest network datagram that can be sent on the
+ interface."
+ ::= { ifEntry 4 }
+
+ifSpeed OBJECT-TYPE
+ SYNTAX Gauge32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "An estimate of the interface's current bandwidth in bits
+ per second. For interfaces which do not vary in bandwidth
+ or for those where no accurate estimation can be made, this
+ object should contain the nominal bandwidth. If the
+ bandwidth of the interface is greater than the maximum value
+ reportable by this object then this object should report its
+ maximum value (4,294,967,295) and ifHighSpeed must be used
+ to report the interace's speed. For a sub-layer which has
+ no concept of bandwidth, this object should be zero."
+ ::= { ifEntry 5 }
+
+ifPhysAddress OBJECT-TYPE
+ SYNTAX PhysAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The interface's address at its protocol sub-layer. For
+ example, for an 802.x interface, this object normally
+ contains a MAC address.
The interface's media-specific MIB
+ must define the bit and byte ordering and the format of the
+ value of this object. For interfaces which do not have such
+ an address (e.g., a serial line), this object should contain
+ an octet string of zero length."
+ ::= { ifEntry 6 }
+
+ifAdminStatus OBJECT-TYPE
+ SYNTAX INTEGER {
+ up(1), -- ready to pass packets
+ down(2),
+ testing(3) -- in some test mode
+ }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "The desired state of the interface. The testing(3) state
+ indicates that no operational packets can be passed. When a
+ managed system initializes, all interfaces start with
+ ifAdminStatus in the down(2) state. As a result of either
+ explicit management action or per configuration information
+ retained by the managed system, ifAdminStatus is then
+ changed to either the up(1) or testing(3) states (or remains
+ in the down(2) state)."
+ ::= { ifEntry 7 }
+
+ifOperStatus OBJECT-TYPE
+ SYNTAX INTEGER {
+ up(1), -- ready to pass packets
+ down(2),
+ testing(3), -- in some test mode
+ unknown(4), -- status can not be determined
+ -- for some reason.
+ dormant(5),
+ notPresent(6), -- some component is missing
+ lowerLayerDown(7) -- down due to state of
+ -- lower-layer interface(s)
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The current operational state of the interface. The
+ testing(3) state indicates that no operational packets can
+ be passed. If ifAdminStatus is down(2) then ifOperStatus
+ should be down(2).
If ifAdminStatus is changed to up(1)
+ then ifOperStatus should change to up(1) if the interface is
+ ready to transmit and receive network traffic; it should
+ change to dormant(5) if the interface is waiting for
+ external actions (such as a serial line waiting for an
+ incoming connection); it should remain in the down(2) state
+ if and only if there is a fault that prevents it from going
+ to the up(1) state; it should remain in the notPresent(6)
+ state if the interface has missing (typically, hardware)
+ components."
+ ::= { ifEntry 8 }
+
+ifLastChange OBJECT-TYPE
+ SYNTAX TimeTicks
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of sysUpTime at the time the interface entered
+ its current operational state. If the current state was
+ entered prior to the last re-initialization of the local
+ network management subsystem, then this object contains a
+ zero value."
+ ::= { ifEntry 9 }
+
+ifInOctets OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of octets received on the interface,
+ including framing characters.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ifCounterDiscontinuityTime."
+ ::= { ifEntry 10 }
+
+ifInUcastPkts OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of packets, delivered by this sub-layer to a
+ higher (sub-)layer, which were not addressed to a multicast
+ or broadcast address at this sub-layer.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ifCounterDiscontinuityTime."
+ ::= { ifEntry 11 }
+
+ifInNUcastPkts OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of packets, delivered by this sub-layer to a
+ higher (sub-)layer, which were addressed to a multicast or
+ broadcast address at this sub-layer.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ifCounterDiscontinuityTime.
+
+ This object is deprecated in favour of ifInMulticastPkts and
+ ifInBroadcastPkts."
+ ::= { ifEntry 12 }
+
+ifInDiscards OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of inbound packets which were chosen to be
+ discarded even though no errors had been detected to prevent
+
+ their being deliverable to a higher-layer protocol. One
+ possible reason for discarding such a packet could be to
+ free up buffer space.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ifCounterDiscontinuityTime."
+ ::= { ifEntry 13 }
+
+ifInErrors OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "For packet-oriented interfaces, the number of inbound
+ packets that contained errors preventing them from being
+ deliverable to a higher-layer protocol. For character-
+ oriented or fixed-length interfaces, the number of inbound
+ transmission units that contained errors preventing them
+ from being deliverable to a higher-layer protocol.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ifCounterDiscontinuityTime."
+ ::= { ifEntry 14 }
+
+ifInUnknownProtos OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "For packet-oriented interfaces, the number of packets
+ received via the interface which were discarded because of
+ an unknown or unsupported protocol. For character-oriented
+ or fixed-length interfaces that support protocol
+ multiplexing the number of transmission units received via
+ the interface which were discarded because of an unknown or
+ unsupported protocol. For any interface that does not
+ support protocol multiplexing, this counter will always be
+ 0.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ifCounterDiscontinuityTime."
+ ::= { ifEntry 15 }
+
+ifOutOctets OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of octets transmitted out of the
+ interface, including framing characters.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ifCounterDiscontinuityTime."
+ ::= { ifEntry 16 }
+
+ifOutUcastPkts OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of packets that higher-level protocols
+ requested be transmitted, and which were not addressed to a
+ multicast or broadcast address at this sub-layer, including
+ those that were discarded or not sent.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ifCounterDiscontinuityTime."
+ ::= { ifEntry 17 }
+
+ifOutNUcastPkts OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The total number of packets that higher-level protocols
+ requested be transmitted, and which were addressed to a
+ multicast or broadcast address at this sub-layer, including
+ those that were discarded or not sent.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ifCounterDiscontinuityTime.
+
+ This object is deprecated in favour of ifOutMulticastPkts
+ and ifOutBroadcastPkts."
+ ::= { ifEntry 18 }
+
+ifOutDiscards OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of outbound packets which were chosen to be
+ discarded even though no errors had been detected to prevent
+ their being transmitted. One possible reason for discarding
+ such a packet could be to free up buffer space.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ifCounterDiscontinuityTime."
+ ::= { ifEntry 19 }
+
+ifOutErrors OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "For packet-oriented interfaces, the number of outbound
+ packets that could not be transmitted because of errors.
+ For character-oriented or fixed-length interfaces, the
+ number of outbound transmission units that could not be
+ transmitted because of errors.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ifCounterDiscontinuityTime."
+ ::= { ifEntry 20 }
+
+ifOutQLen OBJECT-TYPE
+ SYNTAX Gauge32
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The length of the output packet queue (in packets)."
+ ::= { ifEntry 21 }
+
+ifSpecific OBJECT-TYPE
+ SYNTAX OBJECT IDENTIFIER
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "A reference to MIB definitions specific to the particular
+ media being used to realize the interface. It is
+
+ recommended that this value point to an instance of a MIB
+ object in the media-specific MIB, i.e., that this object
+ have the semantics associated with the InstancePointer
+ textual convention defined in RFC 2579. In fact, it is
+ recommended that the media-specific MIB specify what value
+ ifSpecific should/can take for values of ifType. If no MIB
+ definitions specific to the particular media are available,
+ the value should be set to the OBJECT IDENTIFIER { 0 0 }."
+ ::= { ifEntry 22 }
+
+--
+-- Extension to the interface table
+--
+-- This table replaces the ifExtnsTable table.
+--
+
+ifXTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF IfXEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A list of interface entries. The number of entries is
+ given by the value of ifNumber. This table contains
+ additional objects for the interface table."
+ ::= { ifMIBObjects 1 }
+
+ifXEntry OBJECT-TYPE
+ SYNTAX IfXEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An entry containing additional management information
+ applicable to a particular interface."
+ AUGMENTS { ifEntry }
+ ::= { ifXTable 1 }
+
+IfXEntry ::=
+ SEQUENCE {
+ ifName DisplayString,
+ ifInMulticastPkts Counter32,
+ ifInBroadcastPkts Counter32,
+ ifOutMulticastPkts Counter32,
+ ifOutBroadcastPkts Counter32,
+ ifHCInOctets Counter64,
+ ifHCInUcastPkts Counter64,
+ ifHCInMulticastPkts Counter64,
+ ifHCInBroadcastPkts Counter64,
+ ifHCOutOctets Counter64,
+ ifHCOutUcastPkts Counter64,
+ ifHCOutMulticastPkts Counter64,
+ ifHCOutBroadcastPkts Counter64,
+ ifLinkUpDownTrapEnable INTEGER,
+ ifHighSpeed Gauge32,
+ ifPromiscuousMode TruthValue,
+ ifConnectorPresent TruthValue,
+ ifAlias DisplayString,
+ ifCounterDiscontinuityTime TimeStamp
+ }
+
+ifName OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The textual name of the interface. The value of this
+ object should be the name of the interface as assigned by
+ the local device and should be suitable for use in commands
+ entered at the device's `console'. This might be a text
+ name, such as `le0' or a simple port number, such as `1',
+ depending on the interface naming syntax of the device. If
+ several entries in the ifTable together represent a single
+ interface as named by the device, then each will have the
+ same value of ifName. Note that for an agent which responds
+ to SNMP queries concerning an interface on some other
+ (proxied) device, then the value of ifName for such an
+ interface is the proxied device's local name for it.
+
+ If there is no local name, or this object is otherwise not
+ applicable, then this object contains a zero-length string."
+ ::= { ifXEntry 1 }
+
+ifInMulticastPkts OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of packets, delivered by this sub-layer to a
+ higher (sub-)layer, which were addressed to a multicast
+ address at this sub-layer. For a MAC layer protocol, this
+ includes both Group and Functional addresses.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+
+ times as indicated by the value of
+ ifCounterDiscontinuityTime."
+ ::= { ifXEntry 2 }
+
+ifInBroadcastPkts OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of packets, delivered by this sub-layer to a
+ higher (sub-)layer, which were addressed to a broadcast
+ address at this sub-layer.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ifCounterDiscontinuityTime."
+ ::= { ifXEntry 3 }
+
+ifOutMulticastPkts OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of packets that higher-level protocols
+ requested be transmitted, and which were addressed to a
+ multicast address at this sub-layer, including those that
+ were discarded or not sent. For a MAC layer protocol, this
+ includes both Group and Functional addresses.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ifCounterDiscontinuityTime."
+ ::= { ifXEntry 4 }
+
+ifOutBroadcastPkts OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of packets that higher-level protocols
+ requested be transmitted, and which were addressed to a
+ broadcast address at this sub-layer, including those that
+ were discarded or not sent.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+
+ times as indicated by the value of
+ ifCounterDiscontinuityTime."
+ ::= { ifXEntry 5 }
+
+--
+-- High Capacity Counter objects. These objects are all
+-- 64 bit versions of the "basic" ifTable counters.
 These
+-- objects all have the same basic semantics as their 32-bit
+-- counterparts, however, their syntax has been extended
+-- to 64 bits.
+--
+
+ifHCInOctets OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of octets received on the interface,
+ including framing characters. This object is a 64-bit
+ version of ifInOctets.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ifCounterDiscontinuityTime."
+ ::= { ifXEntry 6 }
+
+ifHCInUcastPkts OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of packets, delivered by this sub-layer to a
+ higher (sub-)layer, which were not addressed to a multicast
+ or broadcast address at this sub-layer. This object is a
+ 64-bit version of ifInUcastPkts.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ifCounterDiscontinuityTime."
+ ::= { ifXEntry 7 }
+
+ifHCInMulticastPkts OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of packets, delivered by this sub-layer to a
+ higher (sub-)layer, which were addressed to a multicast
+ address at this sub-layer. For a MAC layer protocol, this
+ includes both Group and Functional addresses. This object
+ is a 64-bit version of ifInMulticastPkts.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ifCounterDiscontinuityTime."
+ ::= { ifXEntry 8 }
+
+ifHCInBroadcastPkts OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of packets, delivered by this sub-layer to a
+ higher (sub-)layer, which were addressed to a broadcast
+ address at this sub-layer.
 This object is a 64-bit version
+ of ifInBroadcastPkts.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ifCounterDiscontinuityTime."
+ ::= { ifXEntry 9 }
+
+ifHCOutOctets OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of octets transmitted out of the
+ interface, including framing characters. This object is a
+ 64-bit version of ifOutOctets.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ifCounterDiscontinuityTime."
+ ::= { ifXEntry 10 }
+
+ifHCOutUcastPkts OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of packets that higher-level protocols
+ requested be transmitted, and which were not addressed to a
+ multicast or broadcast address at this sub-layer, including
+ those that were discarded or not sent. This object is a
+ 64-bit version of ifOutUcastPkts.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ifCounterDiscontinuityTime."
+ ::= { ifXEntry 11 }
+
+ifHCOutMulticastPkts OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of packets that higher-level protocols
+ requested be transmitted, and which were addressed to a
+ multicast address at this sub-layer, including those that
+ were discarded or not sent. For a MAC layer protocol, this
+ includes both Group and Functional addresses. This object
+ is a 64-bit version of ifOutMulticastPkts.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ifCounterDiscontinuityTime."
+ ::= { ifXEntry 12 }
+
+ifHCOutBroadcastPkts OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of packets that higher-level protocols
+ requested be transmitted, and which were addressed to a
+ broadcast address at this sub-layer, including those that
+ were discarded or not sent. This object is a 64-bit version
+ of ifOutBroadcastPkts.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ifCounterDiscontinuityTime."
+ ::= { ifXEntry 13 }
+
+ifLinkUpDownTrapEnable OBJECT-TYPE
+ SYNTAX INTEGER { enabled(1), disabled(2) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Indicates whether linkUp/linkDown traps should be generated
+ for this interface.
+
+ By default, this object should have the value enabled(1) for
+ interfaces which do not operate on 'top' of any other
+ interface (as defined in the ifStackTable), and disabled(2)
+ otherwise."
+ ::= { ifXEntry 14 }
+
+ifHighSpeed OBJECT-TYPE
+ SYNTAX Gauge32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "An estimate of the interface's current bandwidth in units
+ of 1,000,000 bits per second. If this object reports a
+ value of `n' then the speed of the interface is somewhere in
+ the range of `n-500,000' to `n+499,999'. For interfaces
+ which do not vary in bandwidth or for those where no
+ accurate estimation can be made, this object should contain
+ the nominal bandwidth. For a sub-layer which has no concept
+ of bandwidth, this object should be zero."
+ ::= { ifXEntry 15 }
+
+ifPromiscuousMode OBJECT-TYPE
+ SYNTAX TruthValue
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "This object has a value of false(2) if this interface only
+ accepts packets/frames that are addressed to this station.
+ This object has a value of true(1) when the station accepts
+ all packets/frames transmitted on the media.
 The value
+ true(1) is only legal on certain types of media. If legal,
+ setting this object to a value of true(1) may require the
+ interface to be reset before becoming effective.
+
+ The value of ifPromiscuousMode does not affect the reception
+ of broadcast and multicast packets/frames by the interface."
+ ::= { ifXEntry 16 }
+
+ifConnectorPresent OBJECT-TYPE
+ SYNTAX TruthValue
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "This object has the value 'true(1)' if the interface
+ sublayer has a physical connector and the value 'false(2)'
+ otherwise."
+ ::= { ifXEntry 17 }
+
+ifAlias OBJECT-TYPE
+ SYNTAX DisplayString (SIZE(0..64))
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "This object is an 'alias' name for the interface as
+ specified by a network manager, and provides a non-volatile
+ 'handle' for the interface.
+
+ On the first instantiation of an interface, the value of
+ ifAlias associated with that interface is the zero-length
+ string. As and when a value is written into an instance of
+ ifAlias through a network management set operation, then the
+ agent must retain the supplied value in the ifAlias instance
+ associated with the same interface for as long as that
+ interface remains instantiated, including across all re-
+ initializations/reboots of the network management system,
+ including those which result in a change of the interface's
+ ifIndex value.
+
+ An example of the value which a network manager might store
+ in this object for a WAN interface is the (Telco's) circuit
+ number/identifier of the interface.
+
+ Some agents may support write-access only for interfaces
+ having particular values of ifType. An agent which supports
+ write access to this object is required to keep the value in
+ non-volatile storage, but it may limit the length of new
+ values depending on how much storage is already occupied by
+ the current values for other interfaces."
+ ::= { ifXEntry 18 }
+
+ifCounterDiscontinuityTime OBJECT-TYPE
+ SYNTAX TimeStamp
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of sysUpTime on the most recent occasion at which
+ any one or more of this interface's counters suffered a
+ discontinuity. The relevant counters are the specific
+ instances associated with this interface of any Counter32 or
+
+ Counter64 object contained in the ifTable or ifXTable. If
+ no such discontinuities have occurred since the last re-
+ initialization of the local management subsystem, then this
+ object contains a zero value."
+ ::= { ifXEntry 19 }
+
+-- The Interface Stack Group
+--
+-- Implementation of this group is optional, but strongly recommended
+-- for all systems
+--
+
+ifStackTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF IfStackEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The table containing information on the relationships
+ between the multiple sub-layers of network interfaces. In
+ particular, it contains information on which sub-layers run
+ 'on top of' which other sub-layers, where each sub-layer
+ corresponds to a conceptual row in the ifTable. For
+ example, when the sub-layer with ifIndex value x runs over
+ the sub-layer with ifIndex value y, then this table
+ contains:
+
+ ifStackStatus.x.y=active
+
+ For each ifIndex value, I, which identifies an active
+ interface, there are always at least two instantiated rows
+ in this table associated with I. For one of these rows, I
+ is the value of ifStackHigherLayer; for the other, I is the
+ value of ifStackLowerLayer. (If I is not involved in
+ multiplexing, then these are the only two rows associated
+ with I.)
+
+ For example, two rows exist even for an interface which has
+ no others stacked on top or below it:
+
+ ifStackStatus.0.x=active
+ ifStackStatus.x.0=active "
+ ::= { ifMIBObjects 2 }
+
+ifStackEntry OBJECT-TYPE
+ SYNTAX IfStackEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Information on a particular relationship between two sub-
+ layers, specifying that one sub-layer runs on 'top' of the
+ other sub-layer. Each sub-layer corresponds to a conceptual
+ row in the ifTable."
+ INDEX { ifStackHigherLayer, ifStackLowerLayer }
+ ::= { ifStackTable 1 }
+
+IfStackEntry ::=
+ SEQUENCE {
+ ifStackHigherLayer InterfaceIndexOrZero,
+ ifStackLowerLayer InterfaceIndexOrZero,
+ ifStackStatus RowStatus
+ }
+
+ifStackHigherLayer OBJECT-TYPE
+ SYNTAX InterfaceIndexOrZero
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The value of ifIndex corresponding to the higher sub-layer
+ of the relationship, i.e., the sub-layer which runs on 'top'
+ of the sub-layer identified by the corresponding instance of
+ ifStackLowerLayer. If there is no higher sub-layer (below
+ the internetwork layer), then this object has the value 0."
+ ::= { ifStackEntry 1 }
+
+ifStackLowerLayer OBJECT-TYPE
+ SYNTAX InterfaceIndexOrZero
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The value of ifIndex corresponding to the lower sub-layer
+ of the relationship, i.e., the sub-layer which runs 'below'
+ the sub-layer identified by the corresponding instance of
+ ifStackHigherLayer. If there is no lower sub-layer, then
+ this object has the value 0."
+ ::= { ifStackEntry 2 }
+
+ifStackStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The status of the relationship between two sub-layers.
+
+ Changing the value of this object from 'active' to
+ 'notInService' or 'destroy' will likely have consequences up
+ and down the interface stack.
 Thus, write access to this
+ object is likely to be inappropriate for some types of
+ interfaces, and many implementations will choose not to
+ support write-access for any type of interface."
+ ::= { ifStackEntry 3 }
+
+ifStackLastChange OBJECT-TYPE
+ SYNTAX TimeTicks
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of sysUpTime at the time of the last change of
+ the (whole) interface stack. A change of the interface
+ stack is defined to be any creation, deletion, or change in
+ value of any instance of ifStackStatus. If the interface
+ stack has been unchanged since the last re-initialization of
+ the local network management subsystem, then this object
+ contains a zero value."
+ ::= { ifMIBObjects 6 }
+
+-- Generic Receive Address Table
+--
+-- This group of objects is mandatory for all types of
+-- interfaces which can receive packets/frames addressed to
+-- more than one address.
+--
+-- This table replaces the ifExtnsRcvAddr table. The main
+-- difference is that this table makes use of the RowStatus
+-- textual convention, while ifExtnsRcvAddr did not.
+
+ifRcvAddressTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF IfRcvAddressEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "This table contains an entry for each address (broadcast,
+ multicast, or uni-cast) for which the system will receive
+ packets/frames on a particular interface, except as follows:
+
+ - for an interface operating in promiscuous mode, entries
+ are only required for those addresses for which the system
+ would receive frames were it not operating in promiscuous
+ mode.
+
+ - for 802.5 functional addresses, only one entry is
+ required, for the address which has the functional address
+ bit ANDed with the bit mask of all functional addresses for
+ which the interface will accept frames.
+
+ A system is normally able to use any unicast address which
+ corresponds to an entry in this table as a source address."
+ ::= { ifMIBObjects 4 }
+
+ifRcvAddressEntry OBJECT-TYPE
+ SYNTAX IfRcvAddressEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A list of objects identifying an address for which the
+ system will accept packets/frames on the particular
+ interface identified by the index value ifIndex."
+ INDEX { ifIndex, ifRcvAddressAddress }
+ ::= { ifRcvAddressTable 1 }
+
+IfRcvAddressEntry ::=
+ SEQUENCE {
+ ifRcvAddressAddress PhysAddress,
+ ifRcvAddressStatus RowStatus,
+ ifRcvAddressType INTEGER
+ }
+
+ifRcvAddressAddress OBJECT-TYPE
+ SYNTAX PhysAddress
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An address for which the system will accept packets/frames
+ on this entry's interface."
+ ::= { ifRcvAddressEntry 1 }
+
+ifRcvAddressStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "This object is used to create and delete rows in the
+ ifRcvAddressTable."
+ ::= { ifRcvAddressEntry 2 }
+
+ifRcvAddressType OBJECT-TYPE
+ SYNTAX INTEGER {
+
+ other(1),
+ volatile(2),
+ nonVolatile(3)
+ }
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "This object has the value nonVolatile(3) for those entries
+ in the table which are valid and will not be deleted by the
+ next restart of the managed system. Entries having the
+ value volatile(2) are valid and exist, but have not been
+ saved, so that will not exist after the next restart of the
+ managed system. Entries having the value other(1) are valid
+ and exist but are not classified as to whether they will
+ continue to exist after the next restart."
+ DEFVAL { volatile }
+ ::= { ifRcvAddressEntry 3 }
+
+-- definition of interface-related traps.
+
+linkDown NOTIFICATION-TYPE
+ OBJECTS { ifIndex, ifAdminStatus, ifOperStatus }
+ STATUS current
+ DESCRIPTION
+ "A linkDown trap signifies that the SNMP entity, acting in
+ an agent role, has detected that the ifOperStatus object for
+ one of its communication links is about to enter the down
+ state from some other state (but not from the notPresent
+ state). This other state is indicated by the included value
+ of ifOperStatus."
+ ::= { snmpTraps 3 }
+
+linkUp NOTIFICATION-TYPE
+ OBJECTS { ifIndex, ifAdminStatus, ifOperStatus }
+ STATUS current
+ DESCRIPTION
+ "A linkUp trap signifies that the SNMP entity, acting in an
+ agent role, has detected that the ifOperStatus object for
+ one of its communication links left the down state and
+ transitioned into some other state (but not into the
+ notPresent state). This other state is indicated by the
+ included value of ifOperStatus."
+ ::= { snmpTraps 4 }
+
+-- conformance information
+
+ifConformance OBJECT IDENTIFIER ::= { ifMIB 2 }
+
+ifGroups OBJECT IDENTIFIER ::= { ifConformance 1 }
+ifCompliances OBJECT IDENTIFIER ::= { ifConformance 2 }
+
+-- compliance statements
+
+ifCompliance3 MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "The compliance statement for SNMP entities which have
+ network interfaces."
+
+ MODULE -- this module
+ MANDATORY-GROUPS { ifGeneralInformationGroup,
+ linkUpDownNotificationsGroup }
+
+-- The groups:
+-- ifFixedLengthGroup
+-- ifHCFixedLengthGroup
+-- ifPacketGroup
+-- ifHCPacketGroup
+-- ifVHCPacketGroup
+-- are mutually exclusive; at most one of these groups is implemented
+-- for a particular interface. When any of these groups is implemented
+-- for a particular interface, then ifCounterDiscontinuityGroup must
+-- also be implemented for that interface.
+
+ GROUP ifFixedLengthGroup
+ DESCRIPTION
+ "This group is mandatory for those network interfaces which
+ are character-oriented or transmit data in fixed-length
+ transmission units, and for which the value of the
+ corresponding instance of ifSpeed is less than or equal to
+ 20,000,000 bits/second."
+
+ GROUP ifHCFixedLengthGroup
+ DESCRIPTION
+ "This group is mandatory for those network interfaces which
+ are character-oriented or transmit data in fixed-length
+ transmission units, and for which the value of the
+ corresponding instance of ifSpeed is greater than 20,000,000
+ bits/second."
+
+ GROUP ifPacketGroup
+ DESCRIPTION
+ "This group is mandatory for those network interfaces which
+ are packet-oriented, and for which the value of the
+ corresponding instance of ifSpeed is less than or equal to
+ 20,000,000 bits/second."
+
+ GROUP ifHCPacketGroup
+ DESCRIPTION
+ "This group is mandatory only for those network interfaces
+ which are packet-oriented and for which the value of the
+ corresponding instance of ifSpeed is greater than 20,000,000
+ bits/second but less than or equal to 650,000,000
+ bits/second."
+
+ GROUP ifVHCPacketGroup
+ DESCRIPTION
+ "This group is mandatory only for those network interfaces
+ which are packet-oriented and for which the value of the
+ corresponding instance of ifSpeed is greater than
+ 650,000,000 bits/second."
+
+ GROUP ifCounterDiscontinuityGroup
+ DESCRIPTION
+ "This group is mandatory for those network interfaces that
+ are required to maintain counters (i.e., those for which one
+ of the ifFixedLengthGroup, ifHCFixedLengthGroup,
+ ifPacketGroup, ifHCPacketGroup, or ifVHCPacketGroup is
+ mandatory)."
+
+ GROUP ifRcvAddressGroup
+ DESCRIPTION
+ "The applicability of this group MUST be defined by the
+ media-specific MIBs. Media-specific MIBs must define the
+ exact meaning, use, and semantics of the addresses in this
+ group."
+
+ OBJECT ifLinkUpDownTrapEnable
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT ifPromiscuousMode
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT ifAdminStatus
+ SYNTAX INTEGER { up(1), down(2) }
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required, nor is support for the value
+ testing(3)."
+
+ OBJECT ifAlias
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+ ::= { ifCompliances 3 }
+
+-- units of conformance
+
+ifGeneralInformationGroup OBJECT-GROUP
+ OBJECTS { ifIndex, ifDescr, ifType, ifSpeed, ifPhysAddress,
+ ifAdminStatus, ifOperStatus, ifLastChange,
+ ifLinkUpDownTrapEnable, ifConnectorPresent,
+ ifHighSpeed, ifName, ifNumber, ifAlias,
+ ifTableLastChange }
+ STATUS current
+ DESCRIPTION
+ "A collection of objects providing information applicable to
+ all network interfaces."
+ ::= { ifGroups 10 }
+
+-- the following five groups are mutually exclusive; at most
+-- one of these groups is implemented for any interface
+
+ifFixedLengthGroup OBJECT-GROUP
+ OBJECTS { ifInOctets, ifOutOctets, ifInUnknownProtos,
+ ifInErrors, ifOutErrors }
+ STATUS current
+ DESCRIPTION
+ "A collection of objects providing information specific to
+ non-high speed (non-high speed interfaces transmit and
+ receive at speeds less than or equal to 20,000,000
+ bits/second) character-oriented or fixed-length-transmission
+ network interfaces."
+ ::= { ifGroups 2 }
+
+ifHCFixedLengthGroup OBJECT-GROUP
+ OBJECTS { ifHCInOctets, ifHCOutOctets,
+ ifInOctets, ifOutOctets, ifInUnknownProtos,
+ ifInErrors, ifOutErrors }
+ STATUS current
+ DESCRIPTION
+ "A collection of objects providing information specific to
+ high speed (greater than 20,000,000 bits/second) character-
+ oriented or fixed-length-transmission network interfaces."
+ ::= { ifGroups 3 }
+
+ifPacketGroup OBJECT-GROUP
+ OBJECTS { ifInOctets, ifOutOctets, ifInUnknownProtos,
+ ifInErrors, ifOutErrors,
+ ifMtu, ifInUcastPkts, ifInMulticastPkts,
+ ifInBroadcastPkts, ifInDiscards,
+ ifOutUcastPkts, ifOutMulticastPkts,
+ ifOutBroadcastPkts, ifOutDiscards,
+ ifPromiscuousMode }
+ STATUS current
+ DESCRIPTION
+ "A collection of objects providing information specific to
+ non-high speed (non-high speed interfaces transmit and
+ receive at speeds less than or equal to 20,000,000
+ bits/second) packet-oriented network interfaces."
+ ::= { ifGroups 4 }
+
+ifHCPacketGroup OBJECT-GROUP
+ OBJECTS { ifHCInOctets, ifHCOutOctets,
+ ifInOctets, ifOutOctets, ifInUnknownProtos,
+ ifInErrors, ifOutErrors,
+ ifMtu, ifInUcastPkts, ifInMulticastPkts,
+ ifInBroadcastPkts, ifInDiscards,
+ ifOutUcastPkts, ifOutMulticastPkts,
+ ifOutBroadcastPkts, ifOutDiscards,
+ ifPromiscuousMode }
+ STATUS current
+ DESCRIPTION
+ "A collection of objects providing information specific to
+ high speed (greater than 20,000,000 bits/second but less
+ than or equal to 650,000,000 bits/second) packet-oriented
+ network interfaces."
+ ::= { ifGroups 5 }
+
+ifVHCPacketGroup OBJECT-GROUP
+ OBJECTS { ifHCInUcastPkts, ifHCInMulticastPkts,
+ ifHCInBroadcastPkts, ifHCOutUcastPkts,
+ ifHCOutMulticastPkts, ifHCOutBroadcastPkts,
+ ifHCInOctets, ifHCOutOctets,
+ ifInOctets, ifOutOctets, ifInUnknownProtos,
+ ifInErrors, ifOutErrors,
+ ifMtu, ifInUcastPkts, ifInMulticastPkts,
+ ifInBroadcastPkts, ifInDiscards,
+ ifOutUcastPkts, ifOutMulticastPkts,
+ ifOutBroadcastPkts, ifOutDiscards,
+ ifPromiscuousMode }
+ STATUS current
+ DESCRIPTION
+ "A collection of objects providing information specific to
+ higher speed (greater than 650,000,000 bits/second) packet-
+ oriented network interfaces."
+ ::= { ifGroups 6 }
+
+ifRcvAddressGroup OBJECT-GROUP
+ OBJECTS { ifRcvAddressStatus, ifRcvAddressType }
+ STATUS current
+ DESCRIPTION
+ "A collection of objects providing information on the
+ multiple addresses which an interface receives."
+ ::= { ifGroups 7 }
+
+ifStackGroup2 OBJECT-GROUP
+ OBJECTS { ifStackStatus, ifStackLastChange }
+ STATUS current
+ DESCRIPTION
+ "A collection of objects providing information on the
+ layering of MIB-II interfaces."
+ ::= { ifGroups 11 }
+
+ifCounterDiscontinuityGroup OBJECT-GROUP
+ OBJECTS { ifCounterDiscontinuityTime }
+ STATUS current
+ DESCRIPTION
+ "A collection of objects providing information specific to
+ interface counter discontinuities."
+ ::= { ifGroups 13 }
+
+linkUpDownNotificationsGroup NOTIFICATION-GROUP
+ NOTIFICATIONS { linkUp, linkDown }
+ STATUS current
+ DESCRIPTION
+ "The notifications which indicate specific changes in the
+ value of ifOperStatus."
+ ::= { ifGroups 14 }
+
+-- Deprecated Definitions - Objects
+
+--
+-- The Interface Test Table
+--
+-- This group of objects is optional. However, a media-specific
+
+-- MIB may make implementation of this group mandatory.
+--
+-- This table replaces the ifExtnsTestTable
+--
+
+ifTestTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF IfTestEntry
+ MAX-ACCESS not-accessible
+ STATUS deprecated
+ DESCRIPTION
+ "This table contains one entry per interface. It defines
+ objects which allow a network manager to instruct an agent
+ to test an interface for various faults. Tests for an
+ interface are defined in the media-specific MIB for that
+ interface. After invoking a test, the object ifTestResult
+ can be read to determine the outcome. If an agent can not
+ perform the test, ifTestResult is set to so indicate. The
+ object ifTestCode can be used to provide further test-
+ specific or interface-specific (or even enterprise-specific)
+ information concerning the outcome of the test. Only one
+ test can be in progress on each interface at any one time.
+ If one test is in progress when another test is invoked, the
+ second test is rejected. Some agents may reject a test when
+ a prior test is active on another interface.
+
+ Before starting a test, a manager-station must first obtain
+ 'ownership' of the entry in the ifTestTable for the
+ interface to be tested. This is accomplished with the
+ ifTestId and ifTestStatus objects as follows:
+
+ try_again:
+ get (ifTestId, ifTestStatus)
+ while (ifTestStatus != notInUse)
+ /*
+ * Loop while a test is running or some other
+ * manager is configuring a test.
+ */
+ short delay
+ get (ifTestId, ifTestStatus)
+ }
+
+ /*
+ * Is not being used right now -- let's compete
+ * to see who gets it.
+ */
+ lock_value = ifTestId
+
+ if ( set(ifTestId = lock_value, ifTestStatus = inUse,
+ ifTestOwner = 'my-IP-address') == FAILURE)
+ /*
+ * Another manager got the ifTestEntry -- go
+ * try again
+ */
+ goto try_again;
+
+ /*
+ * I have the lock
+ */
+ set up any test parameters.
+
+ /*
+ * This starts the test
+ */
+ set(ifTestType = test_to_run);
+
+ wait for test completion by polling ifTestResult
+
+ when test completes, agent sets ifTestResult
+ agent also sets ifTestStatus = 'notInUse'
+
+ retrieve any additional test results, and ifTestId
+
+ if (ifTestId == lock_value+1) results are valid
+
+ A manager station first retrieves the value of the
+ appropriate ifTestId and ifTestStatus objects, periodically
+ repeating the retrieval if necessary, until the value of
+ ifTestStatus is 'notInUse'. The manager station then tries
+ to set the same ifTestId object to the value it just
+ retrieved, the same ifTestStatus object to 'inUse', and the
+ corresponding ifTestOwner object to a value indicating
+ itself. If the set operation succeeds then the manager has
+ obtained ownership of the ifTestEntry, and the value of the
+ ifTestId object is incremented by the agent (per the
+ semantics of TestAndIncr).
Failure of the set operation + indicates that some other manager has obtained ownership of + the ifTestEntry. + + Once ownership is obtained, any test parameters can be + setup, and then the test is initiated by setting ifTestType. + On completion of the test, the agent sets ifTestStatus to + 'notInUse'. Once this occurs, the manager can retrieve the + results. In the (rare) event that the invocation of tests + by two network managers were to overlap, then there would be + a possibility that the first test's results might be + overwritten by the second test's results prior to the first + + results being read. This unlikely circumstance can be + detected by a network manager retrieving ifTestId at the + same time as retrieving the test results, and ensuring that + the results are for the desired request. + + If ifTestType is not set within an abnormally long period of + time after ownership is obtained, the agent should time-out + the manager, and reset the value of the ifTestStatus object + back to 'notInUse'. It is suggested that this time-out + period be 5 minutes. + + In general, a management station must not retransmit a + request to invoke a test for which it does not receive a + response; instead, it properly inspects an agent's MIB to + determine if the invocation was successful. Only if the + invocation was unsuccessful, is the invocation request + retransmitted. + + Some tests may require the interface to be taken off-line in + order to execute them, or may even require the agent to + reboot after completion of the test. In these + circumstances, communication with the management station + invoking the test may be lost until after completion of the + test. An agent is not required to support such tests. + However, if such tests are supported, then the agent should + make every effort to transmit a response to the request + which invoked the test prior to losing communication. 
When + the agent is restored to normal service, the results of the + test are properly made available in the appropriate objects. + Note that this requires that the ifIndex value assigned to + an interface must be unchanged even if the test causes a + reboot. An agent must reject any test for which it cannot, + perhaps due to resource constraints, make available at least + the minimum amount of information after that test + completes." + ::= { ifMIBObjects 3 } + +ifTestEntry OBJECT-TYPE + SYNTAX IfTestEntry + MAX-ACCESS not-accessible + STATUS deprecated + DESCRIPTION + "An entry containing objects for invoking tests on an + interface." + AUGMENTS { ifEntry } + ::= { ifTestTable 1 } + +IfTestEntry ::= + + SEQUENCE { + ifTestId TestAndIncr, + ifTestStatus INTEGER, + ifTestType AutonomousType, + ifTestResult INTEGER, + ifTestCode OBJECT IDENTIFIER, + ifTestOwner OwnerString + } + +ifTestId OBJECT-TYPE + SYNTAX TestAndIncr + MAX-ACCESS read-write + STATUS deprecated + DESCRIPTION + "This object identifies the current invocation of the + interface's test." + ::= { ifTestEntry 1 } + +ifTestStatus OBJECT-TYPE + SYNTAX INTEGER { notInUse(1), inUse(2) } + MAX-ACCESS read-write + STATUS deprecated + DESCRIPTION + "This object indicates whether or not some manager currently + has the necessary 'ownership' required to invoke a test on + this interface. A write to this object is only successful + when it changes its value from 'notInUse(1)' to 'inUse(2)'. + After completion of a test, the agent resets the value back + to 'notInUse(1)'." + ::= { ifTestEntry 2 } + +ifTestType OBJECT-TYPE + SYNTAX AutonomousType + MAX-ACCESS read-write + STATUS deprecated + DESCRIPTION + "A control variable used to start and stop operator- + initiated interface tests. Most OBJECT IDENTIFIER values + assigned to tests are defined elsewhere, in association with + specific types of interface. 
However, this document assigns + a value for a full-duplex loopback test, and defines the + special meanings of the subject identifier: + + noTest OBJECT IDENTIFIER ::= { 0 0 } + + When the value noTest is written to this object, no action + is taken unless a test is in progress, in which case the + test is aborted. Writing any other value to this object is + + only valid when no test is currently in progress, in which + case the indicated test is initiated. + + When read, this object always returns the most recent value + that ifTestType was set to. If it has not been set since + the last initialization of the network management subsystem + on the agent, a value of noTest is returned." + ::= { ifTestEntry 3 } + +ifTestResult OBJECT-TYPE + SYNTAX INTEGER { + none(1), -- no test yet requested + success(2), + inProgress(3), + notSupported(4), + unAbleToRun(5), -- due to state of system + aborted(6), + failed(7) + } + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "This object contains the result of the most recently + requested test, or the value none(1) if no tests have been + requested since the last reset. Note that this facility + provides no provision for saving the results of one test + when starting another, as could be required if used by + multiple managers concurrently." + ::= { ifTestEntry 4 } + +ifTestCode OBJECT-TYPE + SYNTAX OBJECT IDENTIFIER + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "This object contains a code which contains more specific + information on the test result, for example an error-code + after a failed test. Error codes and other values this + object may take are specific to the type of interface and/or + test. The value may have the semantics of either the + AutonomousType or InstancePointer textual conventions as + defined in RFC 2579. The identifier: + + testCodeUnknown OBJECT IDENTIFIER ::= { 0 0 } + + is defined for use if no additional result code is + available." 
+ ::= { ifTestEntry 5 } + +ifTestOwner OBJECT-TYPE + SYNTAX OwnerString + MAX-ACCESS read-write + STATUS deprecated + DESCRIPTION + "The entity which currently has the 'ownership' required to + invoke a test on this interface." + ::= { ifTestEntry 6 } + +-- Deprecated Definitions - Groups + +ifGeneralGroup OBJECT-GROUP + OBJECTS { ifDescr, ifType, ifSpeed, ifPhysAddress, + ifAdminStatus, ifOperStatus, ifLastChange, + ifLinkUpDownTrapEnable, ifConnectorPresent, + ifHighSpeed, ifName } + STATUS deprecated + DESCRIPTION + "A collection of objects deprecated in favour of + ifGeneralInformationGroup." + ::= { ifGroups 1 } + +ifTestGroup OBJECT-GROUP + OBJECTS { ifTestId, ifTestStatus, ifTestType, + ifTestResult, ifTestCode, ifTestOwner } + STATUS deprecated + DESCRIPTION + "A collection of objects providing the ability to invoke + tests on an interface." + ::= { ifGroups 8 } + +ifStackGroup OBJECT-GROUP + OBJECTS { ifStackStatus } + STATUS deprecated + DESCRIPTION + "The previous collection of objects providing information on + the layering of MIB-II interfaces." + ::= { ifGroups 9 } + +ifOldObjectsGroup OBJECT-GROUP + OBJECTS { ifInNUcastPkts, ifOutNUcastPkts, + ifOutQLen, ifSpecific } + STATUS deprecated + DESCRIPTION + "The collection of objects deprecated from the original MIB- + II interfaces group." + ::= { ifGroups 12 } + +-- Deprecated Definitions - Compliance + +ifCompliance MODULE-COMPLIANCE + STATUS deprecated + DESCRIPTION + "A compliance statement defined in a previous version of + this MIB module, for SNMP entities which have network + interfaces." + + MODULE -- this module + MANDATORY-GROUPS { ifGeneralGroup, ifStackGroup } + + GROUP ifFixedLengthGroup + DESCRIPTION + "This group is mandatory for all network interfaces which + are character-oriented or transmit data in fixed-length + transmission units." 
+ + GROUP ifHCFixedLengthGroup + DESCRIPTION + "This group is mandatory only for those network interfaces + which are character-oriented or transmit data in fixed- + length transmission units, and for which the value of the + corresponding instance of ifSpeed is greater than 20,000,000 + bits/second." + + GROUP ifPacketGroup + DESCRIPTION + "This group is mandatory for all network interfaces which + are packet-oriented." + + GROUP ifHCPacketGroup + DESCRIPTION + "This group is mandatory only for those network interfaces + which are packet-oriented and for which the value of the + corresponding instance of ifSpeed is greater than + 650,000,000 bits/second." + + GROUP ifTestGroup + DESCRIPTION + "This group is optional. Media-specific MIBs which require + interface tests are strongly encouraged to use this group + for invoking tests and reporting results. A medium specific + MIB which has mandatory tests may make implementation of + + this group mandatory." + + GROUP ifRcvAddressGroup + DESCRIPTION + "The applicability of this group MUST be defined by the + media-specific MIBs. Media-specific MIBs must define the + exact meaning, use, and semantics of the addresses in this + group." + + OBJECT ifLinkUpDownTrapEnable + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required." + + OBJECT ifPromiscuousMode + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required." + + OBJECT ifStackStatus + SYNTAX INTEGER { active(1) } -- subset of RowStatus + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required, and only one of the six + enumerated values for the RowStatus textual convention need + be supported, specifically: active(1)." + + OBJECT ifAdminStatus + SYNTAX INTEGER { up(1), down(2) } + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required, nor is support for the value + testing(3)." 
+ ::= { ifCompliances 1 } + +ifCompliance2 MODULE-COMPLIANCE + STATUS deprecated + DESCRIPTION + "A compliance statement defined in a previous version of + this MIB module, for SNMP entities which have network + interfaces." + + MODULE -- this module + MANDATORY-GROUPS { ifGeneralInformationGroup, ifStackGroup2, + ifCounterDiscontinuityGroup } + + GROUP ifFixedLengthGroup + DESCRIPTION + "This group is mandatory for all network interfaces which + are character-oriented or transmit data in fixed-length + transmission units." + + GROUP ifHCFixedLengthGroup + DESCRIPTION + "This group is mandatory only for those network interfaces + which are character-oriented or transmit data in fixed- + length transmission units, and for which the value of the + corresponding instance of ifSpeed is greater than 20,000,000 + bits/second." + + GROUP ifPacketGroup + DESCRIPTION + "This group is mandatory for all network interfaces which + are packet-oriented." + + GROUP ifHCPacketGroup + DESCRIPTION + "This group is mandatory only for those network interfaces + which are packet-oriented and for which the value of the + corresponding instance of ifSpeed is greater than + 650,000,000 bits/second." + + GROUP ifRcvAddressGroup + DESCRIPTION + "The applicability of this group MUST be defined by the + media-specific MIBs. Media-specific MIBs must define the + exact meaning, use, and semantics of the addresses in this + group." + + OBJECT ifLinkUpDownTrapEnable + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required." + + OBJECT ifPromiscuousMode + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required." + + OBJECT ifStackStatus + SYNTAX INTEGER { active(1) } -- subset of RowStatus + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required, and only one of the six + enumerated values for the RowStatus textual convention need + be supported, specifically: active(1)." 
+ + OBJECT ifAdminStatus + SYNTAX INTEGER { up(1), down(2) } + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required, nor is support for the value + testing(3)." + + OBJECT ifAlias + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required." + ::= { ifCompliances 2 } + +END diff --git a/mibs/INET-ADDRESS-MIB.txt b/mibs/INET-ADDRESS-MIB.txt new file mode 100644 index 000000000..a778cba6b --- /dev/null +++ b/mibs/INET-ADDRESS-MIB.txt 
@@ -0,0 +1,402 @@ +INET-ADDRESS-MIB DEFINITIONS ::= BEGIN + +IMPORTS + MODULE-IDENTITY, mib-2, Unsigned32 FROM SNMPv2-SMI + TEXTUAL-CONVENTION FROM SNMPv2-TC; + +inetAddressMIB MODULE-IDENTITY + LAST-UPDATED "200502040000Z" + ORGANIZATION + "IETF Operations and Management Area" + CONTACT-INFO + "Juergen Schoenwaelder (Editor) + International University Bremen + P.O. Box 750 561 + 28725 Bremen, Germany + + Phone: +49 421 200-3587 + EMail: j.schoenwaelder@iu-bremen.de + + Send comments to <ietfmibs@ops.ietf.org>." + DESCRIPTION + "This MIB module defines textual conventions for + representing Internet addresses. An Internet + address can be an IPv4 address, an IPv6 address, + or a DNS domain name. This module also defines + textual conventions for Internet port numbers, + autonomous system numbers, and the length of an + Internet address prefix. + + Copyright (C) The Internet Society (2005). This version + of this MIB module is part of RFC 4001, see the RFC + itself for full legal notices." + REVISION "200502040000Z" + DESCRIPTION + "Third version, published as RFC 4001. This revision + introduces the InetZoneIndex, InetScopeType, and + InetVersion textual conventions." + REVISION "200205090000Z" + DESCRIPTION + "Second version, published as RFC 3291. This + revision contains several clarifications and + introduces several new textual conventions: + InetAddressPrefixLength, InetPortNumber, + InetAutonomousSystemNumber, InetAddressIPv4z, + and InetAddressIPv6z." + REVISION "200006080000Z" + DESCRIPTION + "Initial version, published as RFC 2851." + ::= { mib-2 76 } + +InetAddressType ::= TEXTUAL-CONVENTION + STATUS current + DESCRIPTION + "A value that represents a type of Internet address. + + unknown(0) An unknown address type. This value MUST + be used if the value of the corresponding + InetAddress object is a zero-length string. + It may also be used to indicate an IP address + that is not in one of the formats defined + below. 
+ + ipv4(1) An IPv4 address as defined by the + InetAddressIPv4 textual convention. + + ipv6(2) An IPv6 address as defined by the + InetAddressIPv6 textual convention. + + ipv4z(3) A non-global IPv4 address including a zone + index as defined by the InetAddressIPv4z + textual convention. + + ipv6z(4) A non-global IPv6 address including a zone + index as defined by the InetAddressIPv6z + textual convention. + + dns(16) A DNS domain name as defined by the + InetAddressDNS textual convention. + + Each definition of a concrete InetAddressType value must be + accompanied by a definition of a textual convention for use + with that InetAddressType. + + To support future extensions, the InetAddressType textual + convention SHOULD NOT be sub-typed in object type definitions. + It MAY be sub-typed in compliance statements in order to + require only a subset of these address types for a compliant + implementation. + + Implementations must ensure that InetAddressType objects + and any dependent objects (e.g., InetAddress objects) are + consistent. An inconsistentValue error must be generated + if an attempt to change an InetAddressType object would, + for example, lead to an undefined InetAddress value. In + + particular, InetAddressType/InetAddress pairs must be + changed together if the address type changes (e.g., from + ipv6(2) to ipv4(1))." + SYNTAX INTEGER { + unknown(0), + ipv4(1), + ipv6(2), + ipv4z(3), + ipv6z(4), + dns(16) + } + +InetAddress ::= TEXTUAL-CONVENTION + STATUS current + DESCRIPTION + "Denotes a generic Internet address. + + An InetAddress value is always interpreted within the context + of an InetAddressType value. Every usage of the InetAddress + textual convention is required to specify the InetAddressType + object that provides the context. It is suggested that the + InetAddressType object be logically registered before the + object(s) that use the InetAddress textual convention, if + they appear in the same logical row. 
+ + The value of an InetAddress object must always be + consistent with the value of the associated InetAddressType + object. Attempts to set an InetAddress object to a value + inconsistent with the associated InetAddressType + must fail with an inconsistentValue error. + + When this textual convention is used as the syntax of an + index object, there may be issues with the limit of 128 + sub-identifiers specified in SMIv2, STD 58. In this case, + the object definition MUST include a 'SIZE' clause to + limit the number of potential instance sub-identifiers; + otherwise the applicable constraints MUST be stated in + the appropriate conceptual row DESCRIPTION clauses, or + in the surrounding documentation if there is no single + DESCRIPTION clause that is appropriate." + SYNTAX OCTET STRING (SIZE (0..255)) + +InetAddressIPv4 ::= TEXTUAL-CONVENTION + DISPLAY-HINT "1d.1d.1d.1d" + STATUS current + DESCRIPTION + "Represents an IPv4 network address: + + Octets Contents Encoding + 1-4 IPv4 address network-byte order + + The corresponding InetAddressType value is ipv4(1). + + This textual convention SHOULD NOT be used directly in object + definitions, as it restricts addresses to a specific format. + However, if it is used, it MAY be used either on its own or in + conjunction with InetAddressType, as a pair." + SYNTAX OCTET STRING (SIZE (4)) + +InetAddressIPv6 ::= TEXTUAL-CONVENTION + DISPLAY-HINT "2x:2x:2x:2x:2x:2x:2x:2x" + STATUS current + DESCRIPTION + "Represents an IPv6 network address: + + Octets Contents Encoding + 1-16 IPv6 address network-byte order + + The corresponding InetAddressType value is ipv6(2). + + This textual convention SHOULD NOT be used directly in object + definitions, as it restricts addresses to a specific format. + However, if it is used, it MAY be used either on its own or in + conjunction with InetAddressType, as a pair." 
+ SYNTAX OCTET STRING (SIZE (16)) + +InetAddressIPv4z ::= TEXTUAL-CONVENTION + DISPLAY-HINT "1d.1d.1d.1d%4d" + STATUS current + DESCRIPTION + "Represents a non-global IPv4 network address, together + with its zone index: + + Octets Contents Encoding + 1-4 IPv4 address network-byte order + 5-8 zone index network-byte order + + The corresponding InetAddressType value is ipv4z(3). + + The zone index (bytes 5-8) is used to disambiguate identical + address values on nodes that have interfaces attached to + different zones of the same scope. The zone index may contain + the special value 0, which refers to the default zone for each + scope. + + This textual convention SHOULD NOT be used directly in object + + definitions, as it restricts addresses to a specific format. + However, if it is used, it MAY be used either on its own or in + conjunction with InetAddressType, as a pair." + SYNTAX OCTET STRING (SIZE (8)) + +InetAddressIPv6z ::= TEXTUAL-CONVENTION + DISPLAY-HINT "2x:2x:2x:2x:2x:2x:2x:2x%4d" + STATUS current + DESCRIPTION + "Represents a non-global IPv6 network address, together + with its zone index: + + Octets Contents Encoding + 1-16 IPv6 address network-byte order + 17-20 zone index network-byte order + + The corresponding InetAddressType value is ipv6z(4). + + The zone index (bytes 17-20) is used to disambiguate + identical address values on nodes that have interfaces + attached to different zones of the same scope. The zone index + may contain the special value 0, which refers to the default + zone for each scope. + + This textual convention SHOULD NOT be used directly in object + definitions, as it restricts addresses to a specific format. + However, if it is used, it MAY be used either on its own or in + conjunction with InetAddressType, as a pair." + SYNTAX OCTET STRING (SIZE (20)) + +InetAddressDNS ::= TEXTUAL-CONVENTION + DISPLAY-HINT "255a" + STATUS current + DESCRIPTION + "Represents a DNS domain name. 
The name SHOULD be fully + qualified whenever possible. + + The corresponding InetAddressType is dns(16). + + The DESCRIPTION clause of InetAddress objects that may have + InetAddressDNS values MUST fully describe how (and when) + these names are to be resolved to IP addresses. + + The resolution of an InetAddressDNS value may require to + query multiple DNS records (e.g., A for IPv4 and AAAA for + IPv6). The order of the resolution process and which DNS + record takes precedence depends on the configuration of the + resolver. + + This textual convention SHOULD NOT be used directly in object + definitions, as it restricts addresses to a specific format. + However, if it is used, it MAY be used either on its own or in + conjunction with InetAddressType, as a pair." + SYNTAX OCTET STRING (SIZE (1..255)) + +InetAddressPrefixLength ::= TEXTUAL-CONVENTION + DISPLAY-HINT "d" + STATUS current + DESCRIPTION + "Denotes the length of a generic Internet network address + prefix. A value of n corresponds to an IP address mask + that has n contiguous 1-bits from the most significant + bit (MSB), with all other bits set to 0. + + An InetAddressPrefixLength value is always interpreted within + the context of an InetAddressType value. Every usage of the + InetAddressPrefixLength textual convention is required to + specify the InetAddressType object that provides the + context. It is suggested that the InetAddressType object be + logically registered before the object(s) that use the + InetAddressPrefixLength textual convention, if they appear + in the same logical row. + + InetAddressPrefixLength values larger than + the maximum length of an IP address for a specific + InetAddressType are treated as the maximum significant + value applicable for the InetAddressType. The maximum + significant value is 32 for the InetAddressType + 'ipv4(1)' and 'ipv4z(3)' and 128 for the InetAddressType + 'ipv6(2)' and 'ipv6z(4)'. 
The maximum significant value + for the InetAddressType 'dns(16)' is 0. + + The value zero is object-specific and must be defined as + part of the description of any object that uses this + syntax. Examples of the usage of zero might include + situations where the Internet network address prefix + is unknown or does not apply. + + The upper bound of the prefix length has been chosen to + be consistent with the maximum size of an InetAddress." + SYNTAX Unsigned32 (0..2040) + +InetPortNumber ::= TEXTUAL-CONVENTION + DISPLAY-HINT "d" + STATUS current + DESCRIPTION + "Represents a 16 bit port number of an Internet transport + + layer protocol. Port numbers are assigned by IANA. A + current list of all assignments is available from + <http://www.iana.org/>. + + The value zero is object-specific and must be defined as + part of the description of any object that uses this + syntax. Examples of the usage of zero might include + situations where a port number is unknown, or when the + value zero is used as a wildcard in a filter." + REFERENCE "STD 6 (RFC 768), STD 7 (RFC 793) and RFC 2960" + SYNTAX Unsigned32 (0..65535) + +InetAutonomousSystemNumber ::= TEXTUAL-CONVENTION + DISPLAY-HINT "d" + STATUS current + DESCRIPTION + "Represents an autonomous system number that identifies an + Autonomous System (AS). An AS is a set of routers under a + single technical administration, using an interior gateway + protocol and common metrics to route packets within the AS, + and using an exterior gateway protocol to route packets to + other ASes'. IANA maintains the AS number space and has + delegated large parts to the regional registries. + + Autonomous system numbers are currently limited to 16 bits + (0..65535). There is, however, work in progress to enlarge the + autonomous system number space to 32 bits. Therefore, this + textual convention uses an Unsigned32 value without a + range restriction in order to support a larger autonomous + system number space." 
+ REFERENCE "RFC 1771, RFC 1930" + SYNTAX Unsigned32 + +InetScopeType ::= TEXTUAL-CONVENTION + STATUS current + DESCRIPTION + "Represents a scope type. This textual convention can be used + in cases where a MIB has to represent different scope types + and there is no context information, such as an InetAddress + object, that implicitly defines the scope type. + + Note that not all possible values have been assigned yet, but + they may be assigned in future revisions of this specification. + Applications should therefore be able to deal with values + not yet assigned." + REFERENCE "RFC 3513" + SYNTAX INTEGER { + -- reserved(0), + interfaceLocal(1), + linkLocal(2), + subnetLocal(3), + adminLocal(4), + siteLocal(5), -- site-local unicast addresses + -- have been deprecated by RFC 3879 + -- unassigned(6), + -- unassigned(7), + organizationLocal(8), + -- unassigned(9), + -- unassigned(10), + -- unassigned(11), + -- unassigned(12), + -- unassigned(13), + global(14) + -- reserved(15) + } + +InetZoneIndex ::= TEXTUAL-CONVENTION + DISPLAY-HINT "d" + STATUS current + DESCRIPTION + "A zone index identifies an instance of a zone of a + specific scope. + + The zone index MUST disambiguate identical address + values. For link-local addresses, the zone index will + typically be the interface index (ifIndex as defined in the + IF-MIB) of the interface on which the address is configured. + + The zone index may contain the special value 0, which refers + to the default zone. The default zone may be used in cases + where the valid zone index is not known (e.g., when a + management application has to write a link-local IPv6 + address without knowing the interface index value). The + default zone SHOULD NOT be used as an easy way out in + cases where the zone index for a non-global IPv6 address + is known." + REFERENCE "RFC4007" + SYNTAX Unsigned32 + +InetVersion ::= TEXTUAL-CONVENTION + STATUS current + DESCRIPTION + "A value representing a version of the IP protocol. 
+ + unknown(0) An unknown or unspecified version of the IP + protocol. + + ipv4(1) The IPv4 protocol as defined in RFC 791 (STD 5). + + ipv6(2) The IPv6 protocol as defined in RFC 2460. + + Note that this textual convention SHOULD NOT be used to + distinguish different address types associated with IP + protocols. The InetAddressType has been designed for this + purpose." + REFERENCE "RFC 791, RFC 2460" + SYNTAX INTEGER { + unknown(0), + ipv4(1), + ipv6(2) + } +END diff --git a/mibs/IP-FORWARD-MIB.txt b/mibs/IP-FORWARD-MIB.txt new file mode 100644 index 000000000..347b5e004 --- /dev/null +++ b/mibs/IP-FORWARD-MIB.txt 
@@ -0,0 +1,1277 @@ +IP-FORWARD-MIB DEFINITIONS ::= BEGIN + +IMPORTS + MODULE-IDENTITY, OBJECT-TYPE, + IpAddress, Integer32, Gauge32, + Counter32 FROM SNMPv2-SMI + RowStatus FROM SNMPv2-TC + + MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF + InterfaceIndexOrZero FROM IF-MIB + ip FROM IP-MIB + IANAipRouteProtocol FROM IANA-RTPROTO-MIB + InetAddress, InetAddressType, + InetAddressPrefixLength, + InetAutonomousSystemNumber FROM INET-ADDRESS-MIB; + +ipForward MODULE-IDENTITY + LAST-UPDATED "200602010000Z" + ORGANIZATION + "IETF IPv6 Working Group + http://www.ietf.org/html.charters/ipv6-charter.html" + CONTACT-INFO + "Editor: + Brian Haberman + Johns Hopkins University - Applied Physics Laboratory + Mailstop 17-S442 + 11100 Johns Hopkins Road + Laurel MD, 20723-6099 USA + + Phone: +1-443-778-1319 + Email: brian@innovationslab.net + + Send comments to <ipv6@ietf.org>" + DESCRIPTION + "The MIB module for the management of CIDR multipath IP + Routes. + + Copyright (C) The Internet Society (2006). This version + of this MIB module is a part of RFC 4292; see the RFC + itself for full legal notices." + + REVISION "200602010000Z" + DESCRIPTION + "IPv4/v6 version-independent revision. Minimal changes + were made to the original RFC 2096 MIB to allow easy + upgrade of existing IPv4 implementations to the + version-independent MIB. These changes include: + + Adding inetCidrRouteDiscards as a replacement for the + deprecated ipRoutingDiscards and ipv6DiscardedRoutes + objects. + + Adding a new conformance statement to support the + implementation of the IP Forwarding MIB in a + read-only mode. + + The inetCidrRouteTable replaces the IPv4-specific + ipCidrRouteTable, its related objects, and related + conformance statements. + + Published as RFC 4292." + + REVISION "199609190000Z" + DESCRIPTION + "Revised to support CIDR routes. + Published as RFC 2096." + + REVISION "199207022156Z" + DESCRIPTION + "Initial version, published as RFC 1354." 
+ ::= { ip 24 } + +inetCidrRouteNumber OBJECT-TYPE + SYNTAX Gauge32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of current inetCidrRouteTable entries that + are not invalid." +::= { ipForward 6 } + +inetCidrRouteDiscards OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of valid route entries discarded from the + inetCidrRouteTable. Discarded route entries do not + appear in the inetCidrRouteTable. One possible reason + for discarding an entry would be to free-up buffer space + for other route table entries." + ::= { ipForward 8 } + +-- Inet CIDR Route Table + +-- The Inet CIDR Route Table deprecates and replaces the +-- ipCidrRoute Table currently in the IP Forwarding Table MIB. +-- It adds IP protocol independence. + +inetCidrRouteTable OBJECT-TYPE + SYNTAX SEQUENCE OF InetCidrRouteEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "This entity's IP Routing table." + REFERENCE + "RFC 1213 Section 6.6, The IP Group" + ::= { ipForward 7 } + +inetCidrRouteEntry OBJECT-TYPE + SYNTAX InetCidrRouteEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A particular route to a particular destination, under a + particular policy (as reflected in the + inetCidrRoutePolicy object). + + Dynamically created rows will survive an agent reboot. + + Implementers need to be aware that if the total number + of elements (octets or sub-identifiers) in + inetCidrRouteDest, inetCidrRoutePolicy, and + inetCidrRouteNextHop exceeds 111, then OIDs of column + instances in this table will have more than 128 sub- + identifiers and cannot be accessed using SNMPv1, + SNMPv2c, or SNMPv3." 
+ INDEX { + inetCidrRouteDestType, + inetCidrRouteDest, + inetCidrRoutePfxLen, + inetCidrRoutePolicy, + inetCidrRouteNextHopType, + inetCidrRouteNextHop + } + ::= { inetCidrRouteTable 1 } + +InetCidrRouteEntry ::= SEQUENCE { + inetCidrRouteDestType InetAddressType, + inetCidrRouteDest InetAddress, + inetCidrRoutePfxLen InetAddressPrefixLength, + inetCidrRoutePolicy OBJECT IDENTIFIER, + inetCidrRouteNextHopType InetAddressType, + inetCidrRouteNextHop InetAddress, + inetCidrRouteIfIndex InterfaceIndexOrZero, + inetCidrRouteType INTEGER, + inetCidrRouteProto IANAipRouteProtocol, + inetCidrRouteAge Gauge32, + inetCidrRouteNextHopAS InetAutonomousSystemNumber, + inetCidrRouteMetric1 Integer32, + inetCidrRouteMetric2 Integer32, + inetCidrRouteMetric3 Integer32, + inetCidrRouteMetric4 Integer32, + inetCidrRouteMetric5 Integer32, + inetCidrRouteStatus RowStatus + } + +inetCidrRouteDestType OBJECT-TYPE + SYNTAX InetAddressType + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The type of the inetCidrRouteDest address, as defined + in the InetAddress MIB. + + Only those address types that may appear in an actual + routing table are allowed as values of this object." + REFERENCE "RFC 4001" + ::= { inetCidrRouteEntry 1 } + +inetCidrRouteDest OBJECT-TYPE + SYNTAX InetAddress + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The destination IP address of this route. + + The type of this address is determined by the value of + the inetCidrRouteDestType object. + + The values for the index objects inetCidrRouteDest and + inetCidrRoutePfxLen must be consistent. When the value + of inetCidrRouteDest (excluding the zone index, if one + is present) is x, then the bitwise logical-AND + of x with the value of the mask formed from the + corresponding index object inetCidrRoutePfxLen MUST be + equal to x. If not, then the index pair is not + consistent and an inconsistentName error must be + returned on SET or CREATE requests." 
+ ::= { inetCidrRouteEntry 2 } + +inetCidrRoutePfxLen OBJECT-TYPE + SYNTAX InetAddressPrefixLength + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Indicates the number of leading one bits that form the + mask to be logical-ANDed with the destination address + before being compared to the value in the + + inetCidrRouteDest field. + + The values for the index objects inetCidrRouteDest and + inetCidrRoutePfxLen must be consistent. When the value + of inetCidrRouteDest (excluding the zone index, if one + is present) is x, then the bitwise logical-AND + of x with the value of the mask formed from the + corresponding index object inetCidrRoutePfxLen MUST be + equal to x. If not, then the index pair is not + consistent and an inconsistentName error must be + returned on SET or CREATE requests." + ::= { inetCidrRouteEntry 3 } + +inetCidrRoutePolicy OBJECT-TYPE + SYNTAX OBJECT IDENTIFIER + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "This object is an opaque object without any defined + semantics. Its purpose is to serve as an additional + index that may delineate between multiple entries to + the same destination. The value { 0 0 } shall be used + as the default value for this object." + ::= { inetCidrRouteEntry 4 } + +inetCidrRouteNextHopType OBJECT-TYPE + SYNTAX InetAddressType + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The type of the inetCidrRouteNextHop address, as + defined in the InetAddress MIB. + + Value should be set to unknown(0) for non-remote + routes. + + Only those address types that may appear in an actual + routing table are allowed as values of this object." + REFERENCE "RFC 4001" + ::= { inetCidrRouteEntry 5 } + +inetCidrRouteNextHop OBJECT-TYPE + SYNTAX InetAddress + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "On remote routes, the address of the next system en + + route. For non-remote routes, a zero length string. 
+
+ The type of this address is determined by the value of
+ the inetCidrRouteNextHopType object."
+ ::= { inetCidrRouteEntry 6 }
+
+inetCidrRouteIfIndex OBJECT-TYPE
+ SYNTAX InterfaceIndexOrZero
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The ifIndex value that identifies the local interface
+ through which the next hop of this route should be
+ reached. A value of 0 is valid and represents the
+ scenario where no interface is specified."
+ ::= { inetCidrRouteEntry 7 }
+
+inetCidrRouteType OBJECT-TYPE
+ SYNTAX INTEGER {
+ other (1), -- not specified by this MIB
+ reject (2), -- route that discards traffic and
+ -- returns ICMP notification
+ local (3), -- local interface
+ remote (4), -- remote destination
+ blackhole(5) -- route that discards traffic
+ -- silently
+ }
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The type of route. Note that local(3) refers to a
+ route for which the next hop is the final destination;
+ remote(4) refers to a route for which the next hop is
+ not the final destination.
+
+ Routes that do not result in traffic forwarding or
+ rejection should not be displayed, even if the
+ implementation keeps them stored internally.
+
+ reject(2) refers to a route that, if matched, discards
+ the message as unreachable and returns a notification
+ (e.g., ICMP error) to the message sender. This is used
+ in some protocols as a means of correctly aggregating
+ routes.
+
+ blackhole(5) refers to a route that, if matched,
+ discards the message silently."
+ ::= { inetCidrRouteEntry 8 }
+
+inetCidrRouteProto OBJECT-TYPE
+ SYNTAX IANAipRouteProtocol
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The routing mechanism via which this route was learned.
+ Inclusion of values for gateway routing protocols is
+ not intended to imply that hosts should support those
+ protocols."
+ ::= { inetCidrRouteEntry 9 }
+
+inetCidrRouteAge OBJECT-TYPE
+ SYNTAX Gauge32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of seconds since this route was last updated
+ or otherwise determined to be correct. Note that no
+ semantics of 'too old' can be implied, except through
+ knowledge of the routing protocol by which the route
+ was learned."
+ ::= { inetCidrRouteEntry 10 }
+
+inetCidrRouteNextHopAS OBJECT-TYPE
+ SYNTAX InetAutonomousSystemNumber
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The Autonomous System Number of the Next Hop. The
+ semantics of this object are determined by the routing-
+ protocol specified in the route's inetCidrRouteProto
+ value. When this object is unknown or not relevant, its
+ value should be set to zero."
+ DEFVAL { 0 }
+ ::= { inetCidrRouteEntry 11 }
+
+inetCidrRouteMetric1 OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The primary routing metric for this route. The
+ semantics of this metric are determined by the routing-
+ protocol specified in the route's inetCidrRouteProto
+ value. If this metric is not used, its value should be
+ set to -1."
+ DEFVAL { -1 }
+ ::= { inetCidrRouteEntry 12 }
+
+inetCidrRouteMetric2 OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "An alternate routing metric for this route. The
+ semantics of this metric are determined by the routing-
+ protocol specified in the route's inetCidrRouteProto
+ value. If this metric is not used, its value should be
+ set to -1."
+ DEFVAL { -1 }
+ ::= { inetCidrRouteEntry 13 }
+
+inetCidrRouteMetric3 OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "An alternate routing metric for this route. The
+ semantics of this metric are determined by the routing-
+ protocol specified in the route's inetCidrRouteProto
+ value. If this metric is not used, its value should be
+ set to -1."
+ DEFVAL { -1 }
+ ::= { inetCidrRouteEntry 14 }
+
+inetCidrRouteMetric4 OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "An alternate routing metric for this route. The
+ semantics of this metric are determined by the routing-
+ protocol specified in the route's inetCidrRouteProto
+ value. If this metric is not used, its value should be
+ set to -1."
+ DEFVAL { -1 }
+ ::= { inetCidrRouteEntry 15 }
+
+inetCidrRouteMetric5 OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "An alternate routing metric for this route. The
+ semantics of this metric are determined by the routing-
+
+ protocol specified in the route's inetCidrRouteProto
+ value. If this metric is not used, its value should be
+ set to -1."
+ DEFVAL { -1 }
+ ::= { inetCidrRouteEntry 16 }
+
+inetCidrRouteStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The row status variable, used according to row
+ installation and removal conventions.
+
+ A row entry cannot be modified when the status is
+ marked as active(1)."
+ ::= { inetCidrRouteEntry 17 }
+
+-- Conformance information
+
+ipForwardConformance
+ OBJECT IDENTIFIER ::= { ipForward 5 }
+
+ipForwardGroups
+ OBJECT IDENTIFIER ::= { ipForwardConformance 1 }
+
+ipForwardCompliances
+ OBJECT IDENTIFIER ::= { ipForwardConformance 2 }
+
+-- Compliance statements
+
+ipForwardFullCompliance MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "When this MIB is implemented for read-create, the
+ implementation can claim full compliance.
+
+ There are a number of INDEX objects that cannot be
+ represented in the form of OBJECT clauses in SMIv2,
+ but for which there are compliance requirements,
+ expressed in OBJECT clause form in this description:
+
+ -- OBJECT inetCidrRouteDestType
+ -- SYNTAX InetAddressType (ipv4(1), ipv6(2),
+ -- ipv4z(3), ipv6z(4))
+ -- DESCRIPTION
+ -- This MIB requires support for global and
+ -- non-global ipv4 and ipv6 addresses.
+
+ --
+ -- OBJECT inetCidrRouteDest
+ -- SYNTAX InetAddress (SIZE (4 | 8 | 16 | 20))
+ -- DESCRIPTION
+ -- This MIB requires support for global and
+ -- non-global IPv4 and IPv6 addresses.
+ --
+ -- OBJECT inetCidrRouteNextHopType
+ -- SYNTAX InetAddressType (unknown(0), ipv4(1),
+ -- ipv6(2), ipv4z(3)
+ -- ipv6z(4))
+ -- DESCRIPTION
+ -- This MIB requires support for global and
+ -- non-global ipv4 and ipv6 addresses.
+ --
+ -- OBJECT inetCidrRouteNextHop
+ -- SYNTAX InetAddress (SIZE (0 | 4 | 8 | 16 | 20))
+ -- DESCRIPTION
+ -- This MIB requires support for global and
+ -- non-global IPv4 and IPv6 addresses.
+ "
+
+ MODULE -- this module
+ MANDATORY-GROUPS { inetForwardCidrRouteGroup }
+
+ OBJECT inetCidrRouteStatus
+ SYNTAX RowStatus { active(1), notInService (2) }
+ WRITE-SYNTAX RowStatus { active(1), notInService (2),
+ createAndGo(4), destroy(6) }
+ DESCRIPTION "Support for createAndWait is not required."
+ ::= { ipForwardCompliances 3 }
+
+ipForwardReadOnlyCompliance MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "When this MIB is implemented without support for read-
+ create (i.e., in read-only mode), the implementation can
+ claim read-only compliance."
+ MODULE -- this module
+ MANDATORY-GROUPS { inetForwardCidrRouteGroup }
+
+ OBJECT inetCidrRouteIfIndex
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT inetCidrRouteType
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT inetCidrRouteNextHopAS
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT inetCidrRouteMetric1
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT inetCidrRouteMetric2
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT inetCidrRouteMetric3
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT inetCidrRouteMetric4
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT inetCidrRouteMetric5
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+
+ OBJECT inetCidrRouteStatus
+ SYNTAX RowStatus { active(1) }
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+ ::= { ipForwardCompliances 4 }
+
+-- units of conformance
+
+inetForwardCidrRouteGroup OBJECT-GROUP
+ OBJECTS { inetCidrRouteDiscards,
+ inetCidrRouteIfIndex, inetCidrRouteType,
+ inetCidrRouteProto, inetCidrRouteAge,
+ inetCidrRouteNextHopAS, inetCidrRouteMetric1,
+ inetCidrRouteMetric2, inetCidrRouteMetric3,
+ inetCidrRouteMetric4, inetCidrRouteMetric5,
+ inetCidrRouteStatus, inetCidrRouteNumber
+ }
+ STATUS current
+ DESCRIPTION
+ "The IP version-independent CIDR Route Table."
+ ::= { ipForwardGroups 4 }
+
+-- Deprecated Objects
+
+ipCidrRouteNumber OBJECT-TYPE
+ SYNTAX Gauge32
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of current ipCidrRouteTable entries that are
+ not invalid. This object is deprecated in favor of
+ inetCidrRouteNumber and the inetCidrRouteTable."
+ ::= { ipForward 3 }
+
+-- IP CIDR Route Table
+
+-- The IP CIDR Route Table obsoletes and replaces the ipRoute
+-- Table current in MIB-I and MIB-II and the IP Forwarding Table.
+-- It adds knowledge of the autonomous system of the next hop,
+-- multiple next hops, policy routing, and Classless
+-- Inter-Domain Routing.
+
+ipCidrRouteTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF IpCidrRouteEntry
+ MAX-ACCESS not-accessible
+ STATUS deprecated
+ DESCRIPTION
+ "This entity's IP Routing table.
This table has been
+ deprecated in favor of the IP version neutral
+ inetCidrRouteTable."
+ REFERENCE
+ "RFC 1213 Section 6.6, The IP Group"
+ ::= { ipForward 4 }
+
+ipCidrRouteEntry OBJECT-TYPE
+ SYNTAX IpCidrRouteEntry
+ MAX-ACCESS not-accessible
+ STATUS deprecated
+ DESCRIPTION
+ "A particular route to a particular destination, under a
+
+ particular policy."
+ INDEX {
+ ipCidrRouteDest,
+ ipCidrRouteMask,
+ ipCidrRouteTos,
+ ipCidrRouteNextHop
+ }
+ ::= { ipCidrRouteTable 1 }
+
+IpCidrRouteEntry ::= SEQUENCE {
+ ipCidrRouteDest IpAddress,
+ ipCidrRouteMask IpAddress,
+ ipCidrRouteTos Integer32,
+ ipCidrRouteNextHop IpAddress,
+ ipCidrRouteIfIndex Integer32,
+ ipCidrRouteType INTEGER,
+ ipCidrRouteProto INTEGER,
+ ipCidrRouteAge Integer32,
+ ipCidrRouteInfo OBJECT IDENTIFIER,
+ ipCidrRouteNextHopAS Integer32,
+ ipCidrRouteMetric1 Integer32,
+ ipCidrRouteMetric2 Integer32,
+ ipCidrRouteMetric3 Integer32,
+ ipCidrRouteMetric4 Integer32,
+ ipCidrRouteMetric5 Integer32,
+ ipCidrRouteStatus RowStatus
+ }
+
+ipCidrRouteDest OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The destination IP address of this route.
+
+ This object may not take a Multicast (Class D) address
+ value.
+
+ Any assignment (implicit or otherwise) of an instance
+ of this object to a value x must be rejected if the
+ bitwise logical-AND of x with the value of the
+ corresponding instance of the ipCidrRouteMask object is
+ not equal to x."
+ ::= { ipCidrRouteEntry 1 }
+
+ipCidrRouteMask OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "Indicate the mask to be logical-ANDed with the
+ destination address before being compared to the value
+ in the ipCidrRouteDest field. For those systems that
+ do not support arbitrary subnet masks, an agent
+ constructs the value of the ipCidrRouteMask by
+ reference to the IP Address Class.
+
+ Any assignment (implicit or otherwise) of an instance
+ of this object to a value x must be rejected if the
+ bitwise logical-AND of x with the value of the
+ corresponding instance of the ipCidrRouteDest object is
+ not equal to ipCidrRouteDest."
+ ::= { ipCidrRouteEntry 2 }
+
+-- The following convention is included for specification
+-- of TOS Field contents. At this time, the Host Requirements
+-- and the Router Requirements documents disagree on the width
+-- of the TOS field. This mapping describes the Router
+-- Requirements mapping, and leaves room to widen the TOS field
+-- without impact to fielded systems.
+
+ipCidrRouteTos OBJECT-TYPE
+ SYNTAX Integer32 (0..2147483647)
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The policy specifier is the IP TOS Field. The encoding
+ of IP TOS is as specified by the following convention.
+ Zero indicates the default path if no more specific
+ policy applies.
+
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ | | | |
+ | PRECEDENCE | TYPE OF SERVICE | 0 |
+ | | | |
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+
+ IP TOS IP TOS
+ Field Policy Field Policy
+ Contents Code Contents Code
+ 0 0 0 0 ==> 0 0 0 0 1 ==> 2
+ 0 0 1 0 ==> 4 0 0 1 1 ==> 6
+ 0 1 0 0 ==> 8 0 1 0 1 ==> 10
+ 0 1 1 0 ==> 12 0 1 1 1 ==> 14
+ 1 0 0 0 ==> 16 1 0 0 1 ==> 18
+ 1 0 1 0 ==> 20 1 0 1 1 ==> 22
+
+ 1 1 0 0 ==> 24 1 1 0 1 ==> 26
+ 1 1 1 0 ==> 28 1 1 1 1 ==> 30"
+ ::= { ipCidrRouteEntry 3 }
+
+ipCidrRouteNextHop OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "On remote routes, the address of the next system en
+ route; Otherwise, 0.0.0.0."
+ ::= { ipCidrRouteEntry 4 }
+
+ipCidrRouteIfIndex OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-create
+ STATUS deprecated
+ DESCRIPTION
+ "The ifIndex value that identifies the local interface
+ through which the next hop of this route should be
+ reached."
+ DEFVAL { 0 }
+ ::= { ipCidrRouteEntry 5 }
+
+ipCidrRouteType OBJECT-TYPE
+ SYNTAX INTEGER {
+ other (1), -- not specified by this MIB
+ reject (2), -- route that discards traffic
+ local (3), -- local interface
+ remote (4) -- remote destination
+ }
+ MAX-ACCESS read-create
+ STATUS deprecated
+ DESCRIPTION
+ "The type of route. Note that local(3) refers to a
+ route for which the next hop is the final destination;
+ remote(4) refers to a route for which the next hop is
+ not the final destination.
+
+ Routes that do not result in traffic forwarding or
+ rejection should not be displayed, even if the
+ implementation keeps them stored internally.
+
+ reject (2) refers to a route that, if matched,
+ discards the message as unreachable. This is used in
+ some protocols as a means of correctly aggregating
+ routes."
+ ::= { ipCidrRouteEntry 6 }
+
+ipCidrRouteProto OBJECT-TYPE
+ SYNTAX INTEGER {
+ other (1), -- not specified
+ local (2), -- local interface
+ netmgmt (3), -- static route
+ icmp (4), -- result of ICMP Redirect
+
+ -- the following are all dynamic
+ -- routing protocols
+ egp (5), -- Exterior Gateway Protocol
+ ggp (6), -- Gateway-Gateway Protocol
+ hello (7), -- FuzzBall HelloSpeak
+ rip (8), -- Berkeley RIP or RIP-II
+ isIs (9), -- Dual IS-IS
+ esIs (10), -- ISO 9542
+ ciscoIgrp (11), -- Cisco IGRP
+ bbnSpfIgp (12), -- BBN SPF IGP
+ ospf (13), -- Open Shortest Path First
+ bgp (14), -- Border Gateway Protocol
+ idpr (15), -- InterDomain Policy Routing
+ ciscoEigrp (16) -- Cisco EIGRP
+ }
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The routing mechanism via which this route was learned.
+ Inclusion of values for gateway routing protocols is
+ not intended to imply that hosts should support those
+ protocols."
+ ::= { ipCidrRouteEntry 7 }
+
+ipCidrRouteAge OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of seconds since this route was last updated
+ or otherwise determined to be correct. Note that no
+ semantics of `too old' can be implied, except through
+ knowledge of the routing protocol by which the route
+ was learned."
+ DEFVAL { 0 }
+ ::= { ipCidrRouteEntry 8 }
+
+ipCidrRouteInfo OBJECT-TYPE
+ SYNTAX OBJECT IDENTIFIER
+ MAX-ACCESS read-create
+ STATUS deprecated
+ DESCRIPTION
+ "A reference to MIB definitions specific to the
+ particular routing protocol that is responsible for
+ this route, as determined by the value specified in the
+ route's ipCidrRouteProto value. If this information is
+ not present, its value should be set to the OBJECT
+ IDENTIFIER { 0 0 }, which is a syntactically valid
+ object identifier, and any implementation conforming to
+ ASN.1 and the Basic Encoding Rules must be able to
+ generate and recognize this value."
+ ::= { ipCidrRouteEntry 9 }
+
+ipCidrRouteNextHopAS OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-create
+ STATUS deprecated
+ DESCRIPTION
+ "The Autonomous System Number of the Next Hop. The
+ semantics of this object are determined by the routing-
+ protocol specified in the route's ipCidrRouteProto
+ value. When this object is unknown or not relevant, its
+ value should be set to zero."
+ DEFVAL { 0 }
+ ::= { ipCidrRouteEntry 10 }
+
+ipCidrRouteMetric1 OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-create
+ STATUS deprecated
+ DESCRIPTION
+ "The primary routing metric for this route. The
+ semantics of this metric are determined by the routing-
+ protocol specified in the route's ipCidrRouteProto
+ value. If this metric is not used, its value should be
+ set to -1."
+ DEFVAL { -1 }
+ ::= { ipCidrRouteEntry 11 }
+
+ipCidrRouteMetric2 OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-create
+ STATUS deprecated
+ DESCRIPTION
+ "An alternate routing metric for this route. The
+ semantics of this metric are determined by the routing-
+ protocol specified in the route's ipCidrRouteProto
+ value. If this metric is not used, its value should be
+
+ set to -1."
+ DEFVAL { -1 }
+ ::= { ipCidrRouteEntry 12 }
+
+ipCidrRouteMetric3 OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-create
+ STATUS deprecated
+ DESCRIPTION
+ "An alternate routing metric for this route. The
+ semantics of this metric are determined by the routing-
+ protocol specified in the route's ipCidrRouteProto
+ value. If this metric is not used, its value should be
+ set to -1."
+ DEFVAL { -1 }
+ ::= { ipCidrRouteEntry 13 }
+
+ipCidrRouteMetric4 OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-create
+ STATUS deprecated
+ DESCRIPTION
+ "An alternate routing metric for this route. The
+ semantics of this metric are determined by the routing-
+ protocol specified in the route's ipCidrRouteProto
+ value. If this metric is not used, its value should be
+ set to -1."
+ DEFVAL { -1 }
+ ::= { ipCidrRouteEntry 14 }
+
+ipCidrRouteMetric5 OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-create
+ STATUS deprecated
+ DESCRIPTION
+ "An alternate routing metric for this route. The
+ semantics of this metric are determined by the routing-
+ protocol specified in the route's ipCidrRouteProto
+ value. If this metric is not used, its value should be
+ set to -1."
+ DEFVAL { -1 }
+ ::= { ipCidrRouteEntry 15 }
+
+ipCidrRouteStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS deprecated
+ DESCRIPTION
+ "The row status variable, used according to row
+ installation and removal conventions."
+ ::= { ipCidrRouteEntry 16 }
+
+-- compliance statements
+
+ipForwardCompliance MODULE-COMPLIANCE
+ STATUS deprecated
+ DESCRIPTION
+ "The compliance statement for SNMPv2 entities that
+ implement the ipForward MIB.
+
+ This compliance statement has been deprecated and
+ replaced with ipForwardFullCompliance and
+ ipForwardReadOnlyCompliance."
+
+ MODULE -- this module
+ MANDATORY-GROUPS { ipForwardCidrRouteGroup }
+ ::= { ipForwardCompliances 1 }
+
+-- units of conformance
+
+ipForwardCidrRouteGroup OBJECT-GROUP
+ OBJECTS { ipCidrRouteNumber,
+ ipCidrRouteDest, ipCidrRouteMask, ipCidrRouteTos,
+ ipCidrRouteNextHop, ipCidrRouteIfIndex,
+ ipCidrRouteType, ipCidrRouteProto, ipCidrRouteAge,
+ ipCidrRouteInfo,ipCidrRouteNextHopAS,
+ ipCidrRouteMetric1, ipCidrRouteMetric2,
+ ipCidrRouteMetric3, ipCidrRouteMetric4,
+ ipCidrRouteMetric5, ipCidrRouteStatus
+ }
+ STATUS deprecated
+ DESCRIPTION
+ "The CIDR Route Table.
+
+ This group has been deprecated and replaced with
+ inetForwardCidrRouteGroup."
+ ::= { ipForwardGroups 3 }
+
+-- Obsoleted Definitions - Objects
+
+ipForwardNumber OBJECT-TYPE
+ SYNTAX Gauge32
+ MAX-ACCESS read-only
+ STATUS obsolete
+ DESCRIPTION
+ "The number of current ipForwardTable entries that are
+ not invalid."
+ ::= { ipForward 1 }
+
+-- IP Forwarding Table
+
+-- The IP Forwarding Table obsoletes and replaces the ipRoute
+-- Table current in MIB-I and MIB-II. It adds knowledge of
+-- the autonomous system of the next hop, multiple next hop
+-- support, and policy routing support.
+
+ipForwardTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF IpForwardEntry
+ MAX-ACCESS not-accessible
+ STATUS obsolete
+ DESCRIPTION
+ "This entity's IP Routing table."
+ REFERENCE
+ "RFC 1213 Section 6.6, The IP Group"
+ ::= { ipForward 2 }
+
+ipForwardEntry OBJECT-TYPE
+ SYNTAX IpForwardEntry
+ MAX-ACCESS not-accessible
+ STATUS obsolete
+ DESCRIPTION
+ "A particular route to a particular destination, under a
+ particular policy."
+ INDEX {
+ ipForwardDest,
+ ipForwardProto,
+ ipForwardPolicy,
+ ipForwardNextHop
+ }
+ ::= { ipForwardTable 1 }
+
+IpForwardEntry ::= SEQUENCE {
+ ipForwardDest IpAddress,
+ ipForwardMask IpAddress,
+ ipForwardPolicy Integer32,
+ ipForwardNextHop IpAddress,
+ ipForwardIfIndex Integer32,
+ ipForwardType INTEGER,
+ ipForwardProto INTEGER,
+ ipForwardAge Integer32,
+ ipForwardInfo OBJECT IDENTIFIER,
+ ipForwardNextHopAS Integer32,
+ ipForwardMetric1 Integer32,
+ ipForwardMetric2 Integer32,
+ ipForwardMetric3 Integer32,
+ ipForwardMetric4 Integer32,
+ ipForwardMetric5 Integer32
+ }
+
+ipForwardDest OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS obsolete
+ DESCRIPTION
+ "The destination IP address of this route. An entry
+ with a value of 0.0.0.0 is considered a default route.
+
+ This object may not take a Multicast (Class D) address
+ value.
+
+ Any assignment (implicit or otherwise) of an instance
+ of this object to a value x must be rejected if the
+ bitwise logical-AND of x with the value of the
+ corresponding instance of the ipForwardMask object is
+ not equal to x."
+ ::= { ipForwardEntry 1 }
+
+ipForwardMask OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-create
+ STATUS obsolete
+ DESCRIPTION
+ "Indicate the mask to be logical-ANDed with the
+ destination address before being compared to the value
+ in the ipForwardDest field. For those systems that do
+ not support arbitrary subnet masks, an agent constructs
+ the value of the ipForwardMask by reference to the IP
+ Address Class.
+
+ Any assignment (implicit or otherwise) of an instance
+ of this object to a value x must be rejected if the
+ bitwise logical-AND of x with the value of the
+ corresponding instance of the ipForwardDest object is
+ not equal to ipForwardDest."
+ DEFVAL { '00000000'H } -- 0.0.0.0
+ ::= { ipForwardEntry 2 }
+
+-- The following convention is included for specification
+-- of TOS Field contents.
At this time, the Host Requirements
+-- and the Router Requirements documents disagree on the width
+-- of the TOS field. This mapping describes the Router
+
+-- Requirements mapping, and leaves room to widen the TOS field
+-- without impact to fielded systems.
+
+ipForwardPolicy OBJECT-TYPE
+ SYNTAX Integer32 (0..2147483647)
+ MAX-ACCESS read-only
+ STATUS obsolete
+ DESCRIPTION
+ "The general set of conditions that would cause
+ the selection of one multipath route (set of
+ next hops for a given destination) is referred
+ to as 'policy'.
+
+ Unless the mechanism indicated by ipForwardProto
+ specifies otherwise, the policy specifier is
+ the IP TOS Field. The encoding of IP TOS is as
+ specified by the following convention. Zero
+ indicates the default path if no more specific
+ policy applies.
+
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ | | | |
+ | PRECEDENCE | TYPE OF SERVICE | 0 |
+ | | | |
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+
+ IP TOS IP TOS
+ Field Policy Field Policy
+ Contents Code Contents Code
+ 0 0 0 0 ==> 0 0 0 0 1 ==> 2
+ 0 0 1 0 ==> 4 0 0 1 1 ==> 6
+ 0 1 0 0 ==> 8 0 1 0 1 ==> 10
+ 0 1 1 0 ==> 12 0 1 1 1 ==> 14
+ 1 0 0 0 ==> 16 1 0 0 1 ==> 18
+ 1 0 1 0 ==> 20 1 0 1 1 ==> 22
+ 1 1 0 0 ==> 24 1 1 0 1 ==> 26
+ 1 1 1 0 ==> 28 1 1 1 1 ==> 30
+
+ Protocols defining 'policy' otherwise must either
+ define a set of values that are valid for
+ this object or must implement an integer-instanced
+ policy table for which this object's
+ value acts as an index."
+ ::= { ipForwardEntry 3 }
+
+ipForwardNextHop OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS obsolete
+ DESCRIPTION
+ "On remote routes, the address of the next system en
+ route; otherwise, 0.0.0.0."
+ ::= { ipForwardEntry 4 }
+
+ipForwardIfIndex OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-create
+ STATUS obsolete
+ DESCRIPTION
+ "The ifIndex value that identifies the local interface
+ through which the next hop of this route should be
+ reached."
+ DEFVAL { 0 }
+ ::= { ipForwardEntry 5 }
+
+ipForwardType OBJECT-TYPE
+ SYNTAX INTEGER {
+ other (1), -- not specified by this MIB
+ invalid (2), -- logically deleted
+ local (3), -- local interface
+ remote (4) -- remote destination
+ }
+ MAX-ACCESS read-create
+ STATUS obsolete
+ DESCRIPTION
+ "The type of route. Note that local(3) refers to a
+ route for which the next hop is the final destination;
+ remote(4) refers to a route for which the next hop is
+ not the final destination.
+
+ Setting this object to the value invalid(2) has the
+ effect of invalidating the corresponding entry in the
+ ipForwardTable object. That is, it effectively
+ disassociates the destination identified with said
+ entry from the route identified with said entry. It is
+ an implementation-specific matter as to whether the
+ agent removes an invalidated entry from the table.
+ Accordingly, management stations must be prepared to
+ receive tabular information from agents that
+ corresponds to entries not currently in use. Proper
+ interpretation of such entries requires examination of
+ the relevant ipForwardType object."
+ DEFVAL { invalid }
+ ::= { ipForwardEntry 6 }
+
+ipForwardProto OBJECT-TYPE
+ SYNTAX INTEGER {
+ other (1), -- not specified
+ local (2), -- local interface
+ netmgmt (3), -- static route
+ icmp (4), -- result of ICMP Redirect
+
+ -- the following are all dynamic
+ -- routing protocols
+ egp (5), -- Exterior Gateway Protocol
+ ggp (6), -- Gateway-Gateway Protocol
+ hello (7), -- FuzzBall HelloSpeak
+ rip (8), -- Berkeley RIP or RIP-II
+ is-is (9), -- Dual IS-IS
+ es-is (10), -- ISO 9542
+ ciscoIgrp (11), -- Cisco IGRP
+ bbnSpfIgp (12), -- BBN SPF IGP
+ ospf (13), -- Open Shortest Path First
+ bgp (14), -- Border Gateway Protocol
+ idpr (15) -- InterDomain Policy Routing
+ }
+ MAX-ACCESS read-only
+ STATUS obsolete
+ DESCRIPTION
+ "The routing mechanism via which this route was learned.
+ Inclusion of values for gateway routing protocols is
+ not intended to imply that hosts should support those
+ protocols."
+ ::= { ipForwardEntry 7 }
+
+ipForwardAge OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS obsolete
+ DESCRIPTION
+ "The number of seconds since this route was last updated
+ or otherwise determined to be correct. Note that no
+ semantics of `too old' can be implied except through
+ knowledge of the routing protocol by which the route
+ was learned."
+ DEFVAL { 0 }
+ ::= { ipForwardEntry 8 }
+
+ipForwardInfo OBJECT-TYPE
+ SYNTAX OBJECT IDENTIFIER
+ MAX-ACCESS read-create
+ STATUS obsolete
+ DESCRIPTION
+ "A reference to MIB definitions specific to the
+ particular routing protocol that is responsible for
+ this route, as determined by the value specified in the
+ route's ipForwardProto value. If this information is
+ not present, its value should be set to the OBJECT
+ IDENTIFIER { 0 0 }, which is a syntactically valid
+ object identifier, and any implementation conforming to
+ ASN.1 and the Basic Encoding Rules must be able to
+ generate and recognize this value."
+ ::= { ipForwardEntry 9 }
+
+ipForwardNextHopAS OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-create
+ STATUS obsolete
+ DESCRIPTION
+ "The Autonomous System Number of the Next Hop. When
+ this is unknown or not relevant to the protocol
+ indicated by ipForwardProto, zero."
+ DEFVAL { 0 }
+ ::= { ipForwardEntry 10 }
+
+ipForwardMetric1 OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-create
+ STATUS obsolete
+ DESCRIPTION
+ "The primary routing metric for this route. The
+ semantics of this metric are determined by the routing-
+ protocol specified in the route's ipForwardProto value.
+ If this metric is not used, its value should be set to
+ -1."
+ DEFVAL { -1 }
+ ::= { ipForwardEntry 11 }
+
+ipForwardMetric2 OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-create
+ STATUS obsolete
+ DESCRIPTION
+ "An alternate routing metric for this route.
The
+ semantics of this metric are determined by the routing-
+ protocol specified in the route's ipForwardProto value.
+ If this metric is not used, its value should be set to
+ -1."
+ DEFVAL { -1 }
+ ::= { ipForwardEntry 12 }
+
+ipForwardMetric3 OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-create
+ STATUS obsolete
+ DESCRIPTION
+ "An alternate routing metric for this route. The
+ semantics of this metric are determined by the routing-
+ protocol specified in the route's ipForwardProto value.
+ If this metric is not used, its value should be set to
+ -1."
+ DEFVAL { -1 }
+ ::= { ipForwardEntry 13 }
+
+ipForwardMetric4 OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-create
+ STATUS obsolete
+ DESCRIPTION
+ "An alternate routing metric for this route. The
+ semantics of this metric are determined by the routing-
+ protocol specified in the route's ipForwardProto value.
+ If this metric is not used, its value should be set to
+ -1."
+ DEFVAL { -1 }
+ ::= { ipForwardEntry 14 }
+
+ipForwardMetric5 OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-create
+ STATUS obsolete
+ DESCRIPTION
+ "An alternate routing metric for this route. The
+ semantics of this metric are determined by the routing-
+ protocol specified in the route's ipForwardProto value.
+ If this metric is not used, its value should be set to
+ -1."
+ DEFVAL { -1 }
+ ::= { ipForwardEntry 15 }
+
+-- Obsoleted Definitions - Groups
+-- compliance statements
+
+ipForwardOldCompliance MODULE-COMPLIANCE
+ STATUS obsolete
+ DESCRIPTION
+ "The compliance statement for SNMP entities that
+ implement the ipForward MIB."
+
+ MODULE -- this module
+ MANDATORY-GROUPS { ipForwardMultiPathGroup }
+ ::= { ipForwardCompliances 2 }
+
+ipForwardMultiPathGroup OBJECT-GROUP
+ OBJECTS { ipForwardNumber,
+ ipForwardDest, ipForwardMask, ipForwardPolicy,
+ ipForwardNextHop, ipForwardIfIndex, ipForwardType,
+ ipForwardProto, ipForwardAge, ipForwardInfo,
+ ipForwardNextHopAS,
+ ipForwardMetric1, ipForwardMetric2, ipForwardMetric3,
+ ipForwardMetric4, ipForwardMetric5
+ }
+ STATUS obsolete
+ DESCRIPTION
+ "IP Multipath Route Table."
+ ::= { ipForwardGroups 2 }
+
+END
diff --git a/mibs/IP-MIB.txt b/mibs/IP-MIB.txt
new file mode 100644
index 000000000..fe2db5f23
--- /dev/null
+++ b/mibs/IP-MIB.txt
@@ -0,0 +1,4993 @@
+IP-MIB DEFINITIONS ::= BEGIN
+
+IMPORTS
+ MODULE-IDENTITY, OBJECT-TYPE,
+ Integer32, Counter32, IpAddress,
+ mib-2, Unsigned32, Counter64,
+ zeroDotZero FROM SNMPv2-SMI
+ PhysAddress, TruthValue,
+ TimeStamp, RowPointer,
+ TEXTUAL-CONVENTION, TestAndIncr,
+ RowStatus, StorageType FROM SNMPv2-TC
+ MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF
+ InetAddress, InetAddressType,
+ InetAddressPrefixLength,
+ InetVersion, InetZoneIndex FROM INET-ADDRESS-MIB
+ InterfaceIndex FROM IF-MIB;
+
+ipMIB MODULE-IDENTITY
+ LAST-UPDATED "200602020000Z"
+ ORGANIZATION "IETF IPv6 MIB Revision Team"
+ CONTACT-INFO
+ "Editor:
+
+ Shawn A. Routhier
+ Interworking Labs
+ 108 Whispering Pines Dr. Suite 235
+ Scotts Valley, CA 95066
+ USA
+ EMail: <sar@iwl.com>"
+ DESCRIPTION
+ "The MIB module for managing IP and ICMP implementations, but
+ excluding their management of IP routes.
+
+ Copyright (C) The Internet Society (2006). This version of
+ this MIB module is part of RFC 4293; see the RFC itself for
+ full legal notices."
+
+ REVISION "200602020000Z"
+ DESCRIPTION
+ "The IP version neutral revision with added IPv6 objects for
+ ND, default routers, and router advertisements. As well as
+ being the successor to RFC 2011, this MIB is also the
+ successor to RFCs 2465 and 2466. Published as RFC 4293."
+
+ REVISION "199411010000Z"
+ DESCRIPTION
+ "A separate MIB module (IP-MIB) for IP and ICMP management
+ objects. Published as RFC 2011."
+
+ REVISION "199103310000Z"
+ DESCRIPTION
+ "The initial revision of this MIB module was part of MIB-II,
+ which was published as RFC 1213."
+ ::= { mib-2 48}
+
+--
+-- The textual conventions we define and use in this MIB.
+--
+
+IpAddressOriginTC ::= TEXTUAL-CONVENTION
+ STATUS current
+ DESCRIPTION
+ "The origin of the address.
+
+ manual(2) indicates that the address was manually configured
+ to a specified address, e.g., by user configuration.
+
+ dhcp(4) indicates an address that was assigned to this
+ system by a DHCP server.
+
+ linklayer(5) indicates an address created by IPv6 stateless
+
+ auto-configuration.
+
+ random(6) indicates an address chosen by the system at
+ random, e.g., an IPv4 address within 169.254/16, or an RFC
+ 3041 privacy address."
+ SYNTAX INTEGER {
+ other(1),
+ manual(2),
+ dhcp(4),
+ linklayer(5),
+ random(6)
+ }
+
+IpAddressStatusTC ::= TEXTUAL-CONVENTION
+ STATUS current
+ DESCRIPTION
+ "The status of an address. Most of the states correspond to
+ states from the IPv6 Stateless Address Autoconfiguration
+ protocol.
+
+ The preferred(1) state indicates that this is a valid
+ address that can appear as the destination or source address
+ of a packet.
+
+ The deprecated(2) state indicates that this is a valid but
+ deprecated address that should no longer be used as a source
+ address in new communications, but packets addressed to such
+ an address are processed as expected.
+
+ The invalid(3) state indicates that this isn't a valid
+ address and it shouldn't appear as the destination or source
+ address of a packet.
+
+ The inaccessible(4) state indicates that the address is not
+ accessible because the interface to which this address is
+ assigned is not operational.
+
+ The unknown(5) state indicates that the status cannot be
+ determined for some reason.
+
+ The tentative(6) state indicates that the uniqueness of the
+ address on the link is being verified. Addresses in this
+ state should not be used for general communication and
+ should only be used to determine the uniqueness of the
+ address.
+
+ The duplicate(7) state indicates the address has been
+ determined to be non-unique on the link and so must not be
+
+ used.
+
+ The optimistic(8) state indicates the address is available
+ for use, subject to restrictions, while its uniqueness on
+ a link is being verified.
+
+ In the absence of other information, an IPv4 address is
+ always preferred(1)."
+ REFERENCE "RFC 2462"
+ SYNTAX INTEGER {
+ preferred(1),
+ deprecated(2),
+ invalid(3),
+ inaccessible(4),
+ unknown(5),
+ tentative(6),
+ duplicate(7),
+ optimistic(8)
+ }
+
+IpAddressPrefixOriginTC ::= TEXTUAL-CONVENTION
+ STATUS current
+ DESCRIPTION
+ "The origin of this prefix.
+
+ manual(2) indicates a prefix that was manually configured.
+
+ wellknown(3) indicates a well-known prefix, e.g., 169.254/16
+ for IPv4 auto-configuration or fe80::/10 for IPv6 link-local
+ addresses. Well known prefixes may be assigned by IANA,
+ the address registries, or by specification in a standards
+ track RFC.
+
+ dhcp(4) indicates a prefix that was assigned by a DHCP
+ server.
+
+ routeradv(5) indicates a prefix learned from a router
+ advertisement.
+
+ Note: while IpAddressOriginTC and IpAddressPrefixOriginTC
+ are similar, they are not identical. The first defines how
+ an address was created, while the second defines how a
+ prefix was found."
+ SYNTAX INTEGER {
+ other(1),
+ manual(2),
+ wellknown(3),
+ dhcp(4),
+ routeradv(5)
+ }
+
+Ipv6AddressIfIdentifierTC ::= TEXTUAL-CONVENTION
+ DISPLAY-HINT "2x:"
+ STATUS current
+ DESCRIPTION
+ "This data type is used to model IPv6 address
+ interface identifiers. This is a binary string
+ of up to 8 octets in network byte-order."
+ SYNTAX OCTET STRING (SIZE (0..8))
+
+--
+-- the IP general group
+-- some objects that affect all of IPv4
+--
+
+ip OBJECT IDENTIFIER ::= { mib-2 4 }
+
+ipForwarding OBJECT-TYPE
+ SYNTAX INTEGER {
+ forwarding(1), -- acting as a router
+ notForwarding(2) -- NOT acting as a router
+ }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "The indication of whether this entity is acting as an IPv4
+ router in respect to the forwarding of datagrams received
+ by, but not addressed to, this entity. IPv4 routers forward
+ datagrams. IPv4 hosts do not (except those source-routed
+ via the host).
+
+ When this object is written, the entity should save the
+ change to non-volatile storage and restore the object from
+ non-volatile storage upon re-initialization of the system.
+ Note: a stronger requirement is not used because this object
+ was previously defined."
+ ::= { ip 1 }
+
+ipDefaultTTL OBJECT-TYPE
+ SYNTAX Integer32 (1..255)
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "The default value inserted into the Time-To-Live field of
+ the IPv4 header of datagrams originated at this entity,
+ whenever a TTL value is not supplied by the transport layer
+
+ protocol.
+
+ When this object is written, the entity should save the
+ change to non-volatile storage and restore the object from
+ non-volatile storage upon re-initialization of the system.
+ Note: a stronger requirement is not used because this object
+ was previously defined."
+ ::= { ip 2 }
+
+ipReasmTimeout OBJECT-TYPE
+ SYNTAX Integer32
+ UNITS "seconds"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The maximum number of seconds that received fragments are
+ held while they are awaiting reassembly at this entity."
+ ::= { ip 13 }
+
+--
+-- the IPv6 general group
+-- Some objects that affect all of IPv6
+--
+
+ipv6IpForwarding OBJECT-TYPE
+ SYNTAX INTEGER {
+ forwarding(1), -- acting as a router
+ notForwarding(2) -- NOT acting as a router
+ }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "The indication of whether this entity is acting as an IPv6
+ router on any interface in respect to the forwarding of
+ datagrams received by, but not addressed to, this entity.
+ IPv6 routers forward datagrams. IPv6 hosts do not (except
+ those source-routed via the host).
+
+ When this object is written, the entity SHOULD save the
+ change to non-volatile storage and restore the object from
+ non-volatile storage upon re-initialization of the system."
+ ::= { ip 25 }
+
+ipv6IpDefaultHopLimit OBJECT-TYPE
+ SYNTAX Integer32 (0..255)
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "The default value inserted into the Hop Limit field of the
+ IPv6 header of datagrams originated at this entity whenever
+ a Hop Limit value is not supplied by the transport layer
+ protocol.
+
+ When this object is written, the entity SHOULD save the
+ change to non-volatile storage and restore the object from
+ non-volatile storage upon re-initialization of the system."
+ REFERENCE "RFC 2461 Section 6.3.2"
+ ::= { ip 26 }
+
+--
+-- IPv4 Interface Table
+--
+
+ipv4InterfaceTableLastChange OBJECT-TYPE
+ SYNTAX TimeStamp
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of sysUpTime on the most recent occasion at which
+ a row in the ipv4InterfaceTable was added or deleted, or
+ when an ipv4InterfaceReasmMaxSize or an
+ ipv4InterfaceEnableStatus object was modified.
+
+ If new objects are added to the ipv4InterfaceTable that
+ require the ipv4InterfaceTableLastChange to be updated when
+ they are modified, they must specify that requirement in
+ their description clause."
+ ::= { ip 27 }
+
+ipv4InterfaceTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF Ipv4InterfaceEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The table containing per-interface IPv4-specific
+ information."
+ ::= { ip 28 }
+
+ipv4InterfaceEntry OBJECT-TYPE
+ SYNTAX Ipv4InterfaceEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An entry containing IPv4-specific information for a specific
+ interface."
+ INDEX { ipv4InterfaceIfIndex }
+ ::= { ipv4InterfaceTable 1 }
+
+Ipv4InterfaceEntry ::= SEQUENCE {
+ ipv4InterfaceIfIndex InterfaceIndex,
+ ipv4InterfaceReasmMaxSize Integer32,
+ ipv4InterfaceEnableStatus INTEGER,
+ ipv4InterfaceRetransmitTime Unsigned32
+ }
+
+ipv4InterfaceIfIndex OBJECT-TYPE
+ SYNTAX InterfaceIndex
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The index value that uniquely identifies the interface to
+ which this entry is applicable. The interface identified by
+ a particular value of this index is the same interface as
+ identified by the same value of the IF-MIB's ifIndex."
+ ::= { ipv4InterfaceEntry 1 }
+
+ipv4InterfaceReasmMaxSize OBJECT-TYPE
+ SYNTAX Integer32 (0..65535)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The size of the largest IPv4 datagram that this entity can
+ re-assemble from incoming IPv4 fragmented datagrams received
+ on this interface."
+ ::= { ipv4InterfaceEntry 2 }
+
+ipv4InterfaceEnableStatus OBJECT-TYPE
+ SYNTAX INTEGER {
+ up(1),
+ down(2)
+ }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "The indication of whether IPv4 is enabled (up) or disabled
+ (down) on this interface. This object does not affect the
+ state of the interface itself, only its connection to an
+ IPv4 stack. The IF-MIB should be used to control the state
+ of the interface."
+ ::= { ipv4InterfaceEntry 3 }
+
+ipv4InterfaceRetransmitTime OBJECT-TYPE
+ SYNTAX Unsigned32
+ UNITS "milliseconds"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The time between retransmissions of ARP requests to a
+ neighbor when resolving the address or when probing the
+ reachability of a neighbor."
+ REFERENCE "RFC 1122"
+ DEFVAL { 1000 }
+ ::= { ipv4InterfaceEntry 4 }
+
+--
+-- v6 interface table
+--
+
+ipv6InterfaceTableLastChange OBJECT-TYPE
+ SYNTAX TimeStamp
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of sysUpTime on the most recent occasion at which
+ a row in the ipv6InterfaceTable was added or deleted or when
+ an ipv6InterfaceReasmMaxSize, ipv6InterfaceIdentifier,
+ ipv6InterfaceEnableStatus, ipv6InterfaceReachableTime,
+ ipv6InterfaceRetransmitTime, or ipv6InterfaceForwarding
+ object was modified.
+
+ If new objects are added to the ipv6InterfaceTable that
+ require the ipv6InterfaceTableLastChange to be updated when
+ they are modified, they must specify that requirement in
+ their description clause."
+ ::= { ip 29 }
+
+ipv6InterfaceTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF Ipv6InterfaceEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The table containing per-interface IPv6-specific
+ information."
+ ::= { ip 30 }
+
+ipv6InterfaceEntry OBJECT-TYPE
+ SYNTAX Ipv6InterfaceEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An entry containing IPv6-specific information for a given
+ interface."
+ INDEX { ipv6InterfaceIfIndex }
+ ::= { ipv6InterfaceTable 1 }
+
+Ipv6InterfaceEntry ::= SEQUENCE {
+ ipv6InterfaceIfIndex InterfaceIndex,
+ ipv6InterfaceReasmMaxSize Unsigned32,
+ ipv6InterfaceIdentifier Ipv6AddressIfIdentifierTC,
+ ipv6InterfaceEnableStatus INTEGER,
+ ipv6InterfaceReachableTime Unsigned32,
+ ipv6InterfaceRetransmitTime Unsigned32,
+ ipv6InterfaceForwarding INTEGER
+ }
+
+ipv6InterfaceIfIndex OBJECT-TYPE
+ SYNTAX InterfaceIndex
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The index value that uniquely identifies the interface to
+ which this entry is applicable. The interface identified by
+ a particular value of this index is the same interface as
+ identified by the same value of the IF-MIB's ifIndex."
+ ::= { ipv6InterfaceEntry 1 }
+
+ipv6InterfaceReasmMaxSize OBJECT-TYPE
+ SYNTAX Unsigned32 (1500..65535)
+ UNITS "octets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The size of the largest IPv6 datagram that this entity can
+ re-assemble from incoming IPv6 fragmented datagrams received
+ on this interface."
+ ::= { ipv6InterfaceEntry 2 }
+
+ipv6InterfaceIdentifier OBJECT-TYPE
+ SYNTAX Ipv6AddressIfIdentifierTC
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The Interface Identifier for this interface. The Interface
+ Identifier is combined with an address prefix to form an
+ interface address.
+
+ By default, the Interface Identifier is auto-configured
+ according to the rules of the link type to which this
+ interface is attached.
+
+ A zero length identifier may be used where appropriate. One
+ possible example is a loopback interface."
+ ::= { ipv6InterfaceEntry 3 }
+
+-- This object ID is reserved as it was used in earlier versions of
+-- the MIB module. In theory, OIDs are not assigned until the
+-- specification is released as an RFC; however, as some companies
+-- may have shipped code based on earlier versions of the MIB, it
+-- seems best to reserve this OID. This OID had been
+-- ipv6InterfacePhysicalAddress.
+-- ::= { ipv6InterfaceEntry 4}
+
+ipv6InterfaceEnableStatus OBJECT-TYPE
+ SYNTAX INTEGER {
+ up(1),
+ down(2)
+ }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "The indication of whether IPv6 is enabled (up) or disabled
+ (down) on this interface. This object does not affect the
+ state of the interface itself, only its connection to an
+ IPv6 stack. The IF-MIB should be used to control the state
+ of the interface.
+
+ When this object is written, the entity SHOULD save the
+ change to non-volatile storage and restore the object from
+ non-volatile storage upon re-initialization of the system."
+ ::= { ipv6InterfaceEntry 5 }
+
+ipv6InterfaceReachableTime OBJECT-TYPE
+ SYNTAX Unsigned32
+ UNITS "milliseconds"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The time a neighbor is considered reachable after receiving
+ a reachability confirmation."
+ REFERENCE "RFC 2461, Section 6.3.2"
+ ::= { ipv6InterfaceEntry 6 }
+
+ipv6InterfaceRetransmitTime OBJECT-TYPE
+ SYNTAX Unsigned32
+ UNITS "milliseconds"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The time between retransmissions of Neighbor Solicitation
+ messages to a neighbor when resolving the address or when
+ probing the reachability of a neighbor."
+ REFERENCE "RFC 2461, Section 6.3.2"
+ ::= { ipv6InterfaceEntry 7 }
+
+ipv6InterfaceForwarding OBJECT-TYPE
+ SYNTAX INTEGER {
+ forwarding(1), -- acting as a router
+ notForwarding(2) -- NOT acting as a router
+ }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "The indication of whether this entity is acting as an IPv6
+ router on this interface with respect to the forwarding of
+ datagrams received by, but not addressed to, this entity.
+ IPv6 routers forward datagrams. IPv6 hosts do not (except
+ those source-routed via the host).
+
+ This object is constrained by ipv6IpForwarding and is
+ ignored if ipv6IpForwarding is set to notForwarding. Those
+ systems that do not provide per-interface control of the
+ forwarding function should set this object to forwarding for
+ all interfaces and allow the ipv6IpForwarding object to
+ control the forwarding capability.
+
+ When this object is written, the entity SHOULD save the
+ change to non-volatile storage and restore the object from
+ non-volatile storage upon re-initialization of the system."
+ ::= { ipv6InterfaceEntry 8 }
+
+--
+-- Per-Interface or System-Wide IP statistics.
+--
+-- The following two tables, ipSystemStatsTable and ipIfStatsTable,
+-- are intended to provide the same counters at different granularities.
+-- The ipSystemStatsTable provides system wide counters aggregating
+-- the traffic counters for all interfaces for a given address type.
+-- The ipIfStatsTable provides the same counters but for specific
+-- interfaces rather than as an aggregate.
+--
+-- Note well: If a system provides both system-wide and interface-
+-- specific values, the system-wide value may not be equal to the sum
+-- of the interface-specific values across all interfaces due to e.g.,
+-- dynamic interface creation/deletion.
+--
+-- Note well: Both of these tables contain some items that are
+
+-- represented by two objects, representing the value in either 32
+-- or 64 bits. For those objects, the 32-bit value MUST be the low
+-- order 32 bits of the 64-bit value. Also note that the 32-bit
+-- counters must be included when the 64-bit counters are included.
+
+ipTrafficStats OBJECT IDENTIFIER ::= { ip 31 }
+
+ipSystemStatsTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF IpSystemStatsEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The table containing system wide, IP version specific
+ traffic statistics. This table and the ipIfStatsTable
+ contain similar objects whose difference is in their
+ granularity. Where this table contains system wide traffic
+ statistics, the ipIfStatsTable contains the same statistics
+ but counted on a per-interface basis."
+ ::= { ipTrafficStats 1 }
+
+ipSystemStatsEntry OBJECT-TYPE
+ SYNTAX IpSystemStatsEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A statistics entry containing system-wide objects for a
+ particular IP version."
+ INDEX { ipSystemStatsIPVersion }
+ ::= { ipSystemStatsTable 1 }
+
+IpSystemStatsEntry ::= SEQUENCE {
+ ipSystemStatsIPVersion InetVersion,
+ ipSystemStatsInReceives Counter32,
+ ipSystemStatsHCInReceives Counter64,
+ ipSystemStatsInOctets Counter32,
+ ipSystemStatsHCInOctets Counter64,
+ ipSystemStatsInHdrErrors Counter32,
+ ipSystemStatsInNoRoutes Counter32,
+ ipSystemStatsInAddrErrors Counter32,
+ ipSystemStatsInUnknownProtos Counter32,
+ ipSystemStatsInTruncatedPkts Counter32,
+ ipSystemStatsInForwDatagrams Counter32,
+ ipSystemStatsHCInForwDatagrams Counter64,
+ ipSystemStatsReasmReqds Counter32,
+ ipSystemStatsReasmOKs Counter32,
+ ipSystemStatsReasmFails Counter32,
+ ipSystemStatsInDiscards Counter32,
+ ipSystemStatsInDelivers Counter32,
+ ipSystemStatsHCInDelivers Counter64,
+ ipSystemStatsOutRequests Counter32,
+ ipSystemStatsHCOutRequests Counter64,
+ ipSystemStatsOutNoRoutes Counter32,
+ ipSystemStatsOutForwDatagrams Counter32,
+ ipSystemStatsHCOutForwDatagrams Counter64,
+ ipSystemStatsOutDiscards Counter32,
+ ipSystemStatsOutFragReqds Counter32,
+ ipSystemStatsOutFragOKs Counter32,
+ ipSystemStatsOutFragFails Counter32,
+ ipSystemStatsOutFragCreates Counter32,
+ ipSystemStatsOutTransmits Counter32,
+ ipSystemStatsHCOutTransmits Counter64,
+ ipSystemStatsOutOctets Counter32,
+ ipSystemStatsHCOutOctets Counter64,
+ ipSystemStatsInMcastPkts Counter32,
+ ipSystemStatsHCInMcastPkts Counter64,
+ ipSystemStatsInMcastOctets Counter32,
+ ipSystemStatsHCInMcastOctets Counter64,
+ ipSystemStatsOutMcastPkts Counter32,
+ ipSystemStatsHCOutMcastPkts Counter64,
+ ipSystemStatsOutMcastOctets Counter32,
+ ipSystemStatsHCOutMcastOctets Counter64,
+ ipSystemStatsInBcastPkts Counter32,
+ ipSystemStatsHCInBcastPkts Counter64,
+ ipSystemStatsOutBcastPkts Counter32,
+ ipSystemStatsHCOutBcastPkts Counter64,
+ ipSystemStatsDiscontinuityTime TimeStamp,
+ ipSystemStatsRefreshRate Unsigned32
+ }
+
+ipSystemStatsIPVersion OBJECT-TYPE
+ SYNTAX InetVersion
+ MAX-ACCESS 
not-accessible
+ STATUS current
+ DESCRIPTION
+ "The IP version of this row."
+ ::= { ipSystemStatsEntry 1 }
+
+-- This object ID is reserved to allow the IDs for this table's objects
+-- to align with the objects in the ipIfStatsTable.
+-- ::= { ipSystemStatsEntry 2 }
+
+ipSystemStatsInReceives OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of input IP datagrams received, including
+ those received in error.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipSystemStatsDiscontinuityTime."
+ ::= { ipSystemStatsEntry 3 }
+
+ipSystemStatsHCInReceives OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of input IP datagrams received, including
+ those received in error. This object counts the same
+ datagrams as ipSystemStatsInReceives, but allows for larger
+ values.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipSystemStatsDiscontinuityTime."
+ ::= { ipSystemStatsEntry 4 }
+
+ipSystemStatsInOctets OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of octets received in input IP datagrams,
+ including those received in error. Octets from datagrams
+ counted in ipSystemStatsInReceives MUST be counted here.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipSystemStatsDiscontinuityTime."
+ ::= { ipSystemStatsEntry 5 }
+
+ipSystemStatsHCInOctets OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of octets received in input IP datagrams,
+ including those received in error. 
This object counts the
+ same octets as ipSystemStatsInOctets, but allows for larger
+
+ values.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipSystemStatsDiscontinuityTime."
+ ::= { ipSystemStatsEntry 6 }
+
+ipSystemStatsInHdrErrors OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of input IP datagrams discarded due to errors in
+ their IP headers, including version number mismatch, other
+ format errors, hop count exceeded, errors discovered in
+ processing their IP options, etc.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipSystemStatsDiscontinuityTime."
+ ::= { ipSystemStatsEntry 7 }
+
+ipSystemStatsInNoRoutes OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of input IP datagrams discarded because no route
+ could be found to transmit them to their destination.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipSystemStatsDiscontinuityTime."
+ ::= { ipSystemStatsEntry 8 }
+
+ipSystemStatsInAddrErrors OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of input IP datagrams discarded because the IP
+ address in their IP header's destination field was not a
+ valid address to be received at this entity. This count
+ includes invalid addresses (e.g., ::0). For entities
+ that are not IP routers and therefore do not forward
+
+ datagrams, this counter includes datagrams discarded
+ because the destination address was not a local address.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipSystemStatsDiscontinuityTime."
+ ::= { ipSystemStatsEntry 9 }
+
+ipSystemStatsInUnknownProtos OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of locally-addressed IP datagrams received
+ successfully but discarded because of an unknown or
+ unsupported protocol.
+
+ When tracking interface statistics, the counter of the
+ interface to which these datagrams were addressed is
+ incremented. This interface might not be the same as the
+ input interface for some of the datagrams.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipSystemStatsDiscontinuityTime."
+ ::= { ipSystemStatsEntry 10 }
+
+ipSystemStatsInTruncatedPkts OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of input IP datagrams discarded because the
+ datagram frame didn't carry enough data.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipSystemStatsDiscontinuityTime."
+ ::= { ipSystemStatsEntry 11 }
+
+ipSystemStatsInForwDatagrams OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of input datagrams for which this entity was not
+ their final IP destination and for which this entity
+ attempted to find a route to forward them to that final
+ destination. In entities that do not act as IP routers,
+ this counter will include only those datagrams that were
+ Source-Routed via this entity, and the Source-Route
+ processing was successful.
+
+ When tracking interface statistics, the counter of the
+ incoming interface is incremented for each datagram.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipSystemStatsDiscontinuityTime."
+ ::= { ipSystemStatsEntry 12 }
+
+ipSystemStatsHCInForwDatagrams OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of input datagrams for which this entity was not
+ their final IP destination and for which this entity
+ attempted to find a route to forward them to that final
+ destination. This object counts the same packets as
+ ipSystemStatsInForwDatagrams, but allows for larger values.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipSystemStatsDiscontinuityTime."
+ ::= { ipSystemStatsEntry 13 }
+
+ipSystemStatsReasmReqds OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of IP fragments received that needed to be
+ reassembled at this interface.
+
+ When tracking interface statistics, the counter of the
+ interface to which these fragments were addressed is
+ incremented. This interface might not be the same as the
+ input interface for some of the fragments.
+
+ Discontinuities in the value of this counter can occur at
+
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipSystemStatsDiscontinuityTime."
+ ::= { ipSystemStatsEntry 14 }
+
+ipSystemStatsReasmOKs OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of IP datagrams successfully reassembled.
+
+ When tracking interface statistics, the counter of the
+ interface to which these datagrams were addressed is
+ incremented. This interface might not be the same as the
+ input interface for some of the datagrams.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipSystemStatsDiscontinuityTime."
+ ::= { ipSystemStatsEntry 15 }
+
+ipSystemStatsReasmFails OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of failures detected by the IP re-assembly
+ algorithm (for whatever reason: timed out, errors, etc.).
+ Note that this is not necessarily a count of discarded IP
+ fragments since some algorithms (notably the algorithm in
+ RFC 815) can lose track of the number of fragments by
+ combining them as they are received.
+
+ When tracking interface statistics, the counter of the
+ interface to which these fragments were addressed is
+ incremented. This interface might not be the same as the
+ input interface for some of the fragments.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipSystemStatsDiscontinuityTime."
+ ::= { ipSystemStatsEntry 16 }
+
+ipSystemStatsInDiscards OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of input IP datagrams for which no problems were
+ encountered to prevent their continued processing, but
+ were discarded (e.g., for lack of buffer space). Note that
+ this counter does not include any datagrams discarded while
+ awaiting re-assembly.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipSystemStatsDiscontinuityTime."
+ ::= { ipSystemStatsEntry 17 }
+
+ipSystemStatsInDelivers OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of datagrams successfully delivered to IP
+ user-protocols (including ICMP).
+
+ When tracking interface statistics, the counter of the
+ interface to which these datagrams were addressed is
+ incremented. This interface might not be the same as the
+ input interface for some of the datagrams.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipSystemStatsDiscontinuityTime."
+ ::= { ipSystemStatsEntry 18 }
+
+ipSystemStatsHCInDelivers OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of datagrams successfully delivered to IP
+ user-protocols (including ICMP). This object counts the
+ same packets as ipSystemStatsInDelivers, but allows for
+ larger values.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipSystemStatsDiscontinuityTime."
+ ::= { ipSystemStatsEntry 19 }
+
+ipSystemStatsOutRequests OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of IP datagrams that local IP user-
+ protocols (including ICMP) supplied to IP in requests for
+ transmission. Note that this counter does not include any
+ datagrams counted in ipSystemStatsOutForwDatagrams.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipSystemStatsDiscontinuityTime."
+ ::= { ipSystemStatsEntry 20 }
+
+ipSystemStatsHCOutRequests OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of IP datagrams that local IP user-
+ protocols (including ICMP) supplied to IP in requests for
+ transmission. This object counts the same packets as
+ ipSystemStatsOutRequests, but allows for larger values.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipSystemStatsDiscontinuityTime."
+ ::= { ipSystemStatsEntry 21 }
+
+ipSystemStatsOutNoRoutes OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of locally generated IP datagrams discarded
+ because no route could be found to transmit them to their
+ destination.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipSystemStatsDiscontinuityTime."
+ ::= { ipSystemStatsEntry 22 }
+
+ipSystemStatsOutForwDatagrams OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of datagrams for which this entity was not their
+ final IP destination and for which it was successful in
+ finding a path to their final destination. In entities
+ that do not act as IP routers, this counter will include
+ only those datagrams that were Source-Routed via this
+ entity, and the Source-Route processing was successful.
+
+ When tracking interface statistics, the counter of the
+ outgoing interface is incremented for a successfully
+ forwarded datagram.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipSystemStatsDiscontinuityTime."
+ ::= { ipSystemStatsEntry 23 }
+
+ipSystemStatsHCOutForwDatagrams OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of datagrams for which this entity was not their
+ final IP destination and for which it was successful in
+ finding a path to their final destination. This object
+ counts the same packets as ipSystemStatsOutForwDatagrams,
+ but allows for larger values.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipSystemStatsDiscontinuityTime."
+ ::= { ipSystemStatsEntry 24 }
+
+ipSystemStatsOutDiscards OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of output IP datagrams for which no problem was
+ encountered to prevent their transmission to their
+ destination, but were discarded (e.g., for lack of
+ buffer space). Note that this counter would include
+
+ datagrams counted in ipSystemStatsOutForwDatagrams if any
+ such datagrams met this (discretionary) discard criterion.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipSystemStatsDiscontinuityTime."
+ ::= { ipSystemStatsEntry 25 }
+
+ipSystemStatsOutFragReqds OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of IP datagrams that would require fragmentation
+ in order to be transmitted.
+
+ When tracking interface statistics, the counter of the
+ outgoing interface is incremented for a successfully
+ fragmented datagram.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipSystemStatsDiscontinuityTime."
+ ::= { ipSystemStatsEntry 26 }
+
+ipSystemStatsOutFragOKs OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of IP datagrams that have been successfully
+ fragmented.
+
+ When tracking interface statistics, the counter of the
+ outgoing interface is incremented for a successfully
+ fragmented datagram.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipSystemStatsDiscontinuityTime."
+ ::= { ipSystemStatsEntry 27 }
+
+ipSystemStatsOutFragFails OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of IP datagrams that have been discarded because
+ they needed to be fragmented but could not be. This
+ includes IPv4 packets that have the DF bit set and IPv6
+ packets that are being forwarded and exceed the outgoing
+ link MTU.
+
+ When tracking interface statistics, the counter of the
+ outgoing interface is incremented for an unsuccessfully
+ fragmented datagram.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipSystemStatsDiscontinuityTime."
+ ::= { ipSystemStatsEntry 28 }
+
+ipSystemStatsOutFragCreates OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of output datagram fragments that have been
+ generated as a result of IP fragmentation.
+
+ When tracking interface statistics, the counter of the
+ outgoing interface is incremented for a successfully
+ fragmented datagram.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipSystemStatsDiscontinuityTime."
+ ::= { ipSystemStatsEntry 29 }
+
+ipSystemStatsOutTransmits OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of IP datagrams that this entity supplied
+ to the lower layers for transmission. This includes
+ datagrams generated locally and those forwarded by this
+ entity.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+
+ times as indicated by the value of
+ ipSystemStatsDiscontinuityTime."
+ ::= { ipSystemStatsEntry 30 }
+
+ipSystemStatsHCOutTransmits OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of IP datagrams that this entity supplied
+ to the lower layers for transmission. This object counts
+ the same datagrams as ipSystemStatsOutTransmits, but allows
+ for larger values.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipSystemStatsDiscontinuityTime."
+ ::= { ipSystemStatsEntry 31 }
+
+ipSystemStatsOutOctets OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of octets in IP datagrams delivered to the
+ lower layers for transmission. Octets from datagrams
+ counted in ipSystemStatsOutTransmits MUST be counted here.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipSystemStatsDiscontinuityTime."
+ ::= { ipSystemStatsEntry 32 }
+
+ipSystemStatsHCOutOctets OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of octets in IP datagrams delivered to the
+ lower layers for transmission. This objects counts the same
+ octets as ipSystemStatsOutOctets, but allows for larger
+ values.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+
+ ipSystemStatsDiscontinuityTime."
+ ::= { ipSystemStatsEntry 33 }
+
+ipSystemStatsInMcastPkts OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of IP multicast datagrams received.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipSystemStatsDiscontinuityTime."
+ ::= { ipSystemStatsEntry 34 }
+
+ipSystemStatsHCInMcastPkts OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of IP multicast datagrams received. This object
+ counts the same datagrams as ipSystemStatsInMcastPkts but
+ allows for larger values.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipSystemStatsDiscontinuityTime."
+ ::= { ipSystemStatsEntry 35 }
+
+ipSystemStatsInMcastOctets OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of octets received in IP multicast
+ datagrams. Octets from datagrams counted in
+ ipSystemStatsInMcastPkts MUST be counted here.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipSystemStatsDiscontinuityTime."
+ ::= { ipSystemStatsEntry 36 }
+
+ipSystemStatsHCInMcastOctets OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of octets received in IP multicast
+ datagrams. This object counts the same octets as
+ ipSystemStatsInMcastOctets, but allows for larger values.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipSystemStatsDiscontinuityTime."
+ ::= { ipSystemStatsEntry 37 }
+
+ipSystemStatsOutMcastPkts OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of IP multicast datagrams transmitted.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipSystemStatsDiscontinuityTime."
+ ::= { ipSystemStatsEntry 38 }
+
+ipSystemStatsHCOutMcastPkts OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of IP multicast datagrams transmitted. This
+ object counts the same datagrams as
+ ipSystemStatsOutMcastPkts, but allows for larger values.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipSystemStatsDiscontinuityTime."
+ ::= { ipSystemStatsEntry 39 }
+
+ipSystemStatsOutMcastOctets OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of octets transmitted in IP multicast
+ datagrams. Octets from datagrams counted in
+
+ ipSystemStatsOutMcastPkts MUST be counted here.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipSystemStatsDiscontinuityTime."
+ ::= { ipSystemStatsEntry 40 }
+
+ipSystemStatsHCOutMcastOctets OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of octets transmitted in IP multicast
+ datagrams. This object counts the same octets as
+ ipSystemStatsOutMcastOctets, but allows for larger values.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipSystemStatsDiscontinuityTime."
+ ::= { ipSystemStatsEntry 41 }
+
+ipSystemStatsInBcastPkts OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of IP broadcast datagrams received.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipSystemStatsDiscontinuityTime."
+ ::= { ipSystemStatsEntry 42 }
+
+ipSystemStatsHCInBcastPkts OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of IP broadcast datagrams received. This object
+ counts the same datagrams as ipSystemStatsInBcastPkts but
+ allows for larger values.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+
+ ipSystemStatsDiscontinuityTime."
+ ::= { ipSystemStatsEntry 43 }
+
+ipSystemStatsOutBcastPkts OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of IP broadcast datagrams transmitted.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipSystemStatsDiscontinuityTime."
+ ::= { ipSystemStatsEntry 44 }
+
+ipSystemStatsHCOutBcastPkts OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of IP broadcast datagrams transmitted. This
+ object counts the same datagrams as
+ ipSystemStatsOutBcastPkts, but allows for larger values.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipSystemStatsDiscontinuityTime."
+ ::= { ipSystemStatsEntry 45 }
+
+ipSystemStatsDiscontinuityTime OBJECT-TYPE
+ SYNTAX TimeStamp
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of sysUpTime on the most recent occasion at which
+ any one or more of this entry's counters suffered a
+ discontinuity.
+
+ If no such discontinuities have occurred since the last re-
+ initialization of the local management subsystem, then this
+ object contains a zero value."
+ ::= { ipSystemStatsEntry 46 }
+
+ipSystemStatsRefreshRate OBJECT-TYPE
+ SYNTAX Unsigned32
+ UNITS "milli-seconds"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The minimum reasonable polling interval for this entry.
+ This object provides an indication of the minimum amount of
+ time required to update the counters in this entry."
+ ::= { ipSystemStatsEntry 47 }
+
+ipIfStatsTableLastChange OBJECT-TYPE
+ SYNTAX TimeStamp
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of sysUpTime on the most recent occasion at which
+ a row in the ipIfStatsTable was added or deleted.
+
+ If new objects are added to the ipIfStatsTable that require
+ the ipIfStatsTableLastChange to be updated when they are
+ modified, they must specify that requirement in their
+ description clause."
+ ::= { ipTrafficStats 2 }
+
+ipIfStatsTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF IpIfStatsEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The table containing per-interface traffic statistics. This
+ table and the ipSystemStatsTable contain similar objects
+ whose difference is in their granularity. Where this table
+ contains per-interface statistics, the ipSystemStatsTable
+ contains the same statistics, but counted on a system wide
+ basis."
+ ::= { ipTrafficStats 3 }
+
+ipIfStatsEntry OBJECT-TYPE
+ SYNTAX IpIfStatsEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An interface statistics entry containing objects for a
+ particular interface and version of IP."
+ INDEX { ipIfStatsIPVersion, ipIfStatsIfIndex }
+ ::= { ipIfStatsTable 1 }
+
+IpIfStatsEntry ::= SEQUENCE {
+ ipIfStatsIPVersion InetVersion,
+ ipIfStatsIfIndex InterfaceIndex,
+ ipIfStatsInReceives Counter32,
+ ipIfStatsHCInReceives Counter64,
+ ipIfStatsInOctets Counter32,
+ ipIfStatsHCInOctets Counter64,
+ ipIfStatsInHdrErrors Counter32,
+ ipIfStatsInNoRoutes Counter32,
+ ipIfStatsInAddrErrors Counter32,
+ ipIfStatsInUnknownProtos Counter32,
+ ipIfStatsInTruncatedPkts Counter32,
+ ipIfStatsInForwDatagrams Counter32,
+ ipIfStatsHCInForwDatagrams Counter64,
+ ipIfStatsReasmReqds Counter32,
+ ipIfStatsReasmOKs Counter32,
+ ipIfStatsReasmFails Counter32,
+ ipIfStatsInDiscards Counter32,
+ ipIfStatsInDelivers Counter32,
+ ipIfStatsHCInDelivers Counter64,
+ ipIfStatsOutRequests Counter32,
+ ipIfStatsHCOutRequests Counter64,
+ ipIfStatsOutForwDatagrams Counter32,
+ ipIfStatsHCOutForwDatagrams Counter64,
+ ipIfStatsOutDiscards Counter32,
+ ipIfStatsOutFragReqds Counter32,
+ ipIfStatsOutFragOKs Counter32,
+ ipIfStatsOutFragFails Counter32,
+ ipIfStatsOutFragCreates Counter32,
+ ipIfStatsOutTransmits Counter32,
+ ipIfStatsHCOutTransmits Counter64,
+ ipIfStatsOutOctets Counter32,
+ ipIfStatsHCOutOctets Counter64,
+ ipIfStatsInMcastPkts Counter32,
+ ipIfStatsHCInMcastPkts Counter64,
+ ipIfStatsInMcastOctets Counter32,
+ ipIfStatsHCInMcastOctets Counter64,
+ ipIfStatsOutMcastPkts Counter32,
+ ipIfStatsHCOutMcastPkts Counter64,
+ ipIfStatsOutMcastOctets Counter32,
+ ipIfStatsHCOutMcastOctets Counter64,
+ ipIfStatsInBcastPkts Counter32,
+ ipIfStatsHCInBcastPkts Counter64,
+ ipIfStatsOutBcastPkts Counter32,
+ ipIfStatsHCOutBcastPkts Counter64,
+ ipIfStatsDiscontinuityTime TimeStamp,
+ ipIfStatsRefreshRate Unsigned32
+ }
+
+ipIfStatsIPVersion OBJECT-TYPE
+ SYNTAX InetVersion
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The IP version of this row."
+ ::= { ipIfStatsEntry 1 }
+
+ipIfStatsIfIndex OBJECT-TYPE
+ SYNTAX InterfaceIndex
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The index value that uniquely identifies the interface to
+ which this entry is applicable. The interface identified by
+ a particular value of this index is the same interface as
+ identified by the same value of the IF-MIB's ifIndex."
+ ::= { ipIfStatsEntry 2 }
+
+ipIfStatsInReceives OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of input IP datagrams received, including
+ those received in error.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipIfStatsDiscontinuityTime."
+ ::= { ipIfStatsEntry 3 }
+
+ipIfStatsHCInReceives OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of input IP datagrams received, including
+ those received in error. This object counts the same
+ datagrams as ipIfStatsInReceives, but allows for larger
+ values.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipIfStatsDiscontinuityTime."
+ ::= { ipIfStatsEntry 4 }
+
+ipIfStatsInOctets OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of octets received in input IP datagrams,
+ including those received in error. Octets from datagrams
+ counted in ipIfStatsInReceives MUST be counted here.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipIfStatsDiscontinuityTime."
+ ::= { ipIfStatsEntry 5 }
+
+ipIfStatsHCInOctets OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of octets received in input IP datagrams,
+ including those received in error. This object counts the
+ same octets as ipIfStatsInOctets, but allows for larger
+ values.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipIfStatsDiscontinuityTime."
+ ::= { ipIfStatsEntry 6 }
+
+ipIfStatsInHdrErrors OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of input IP datagrams discarded due to errors in
+ their IP headers, including version number mismatch, other
+ format errors, hop count exceeded, errors discovered in
+ processing their IP options, etc.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipIfStatsDiscontinuityTime."
+ ::= { ipIfStatsEntry 7 }
+
+ipIfStatsInNoRoutes OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of input IP datagrams discarded because no route
+ could be found to transmit them to their destination.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipIfStatsDiscontinuityTime."
+ ::= { ipIfStatsEntry 8 }
+
+ipIfStatsInAddrErrors OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of input IP datagrams discarded because the IP
+ address in their IP header's destination field was not a
+ valid address to be received at this entity. This count
+ includes invalid addresses (e.g., ::0).
For entities that
+ are not IP routers and therefore do not forward datagrams,
+ this counter includes datagrams discarded because the
+ destination address was not a local address.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipIfStatsDiscontinuityTime."
+ ::= { ipIfStatsEntry 9 }
+
+ipIfStatsInUnknownProtos OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of locally-addressed IP datagrams received
+ successfully but discarded because of an unknown or
+ unsupported protocol.
+
+ When tracking interface statistics, the counter of the
+ interface to which these datagrams were addressed is
+ incremented. This interface might not be the same as the
+ input interface for some of the datagrams.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+
+ ipIfStatsDiscontinuityTime."
+ ::= { ipIfStatsEntry 10 }
+
+ipIfStatsInTruncatedPkts OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of input IP datagrams discarded because the
+ datagram frame didn't carry enough data.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipIfStatsDiscontinuityTime."
+ ::= { ipIfStatsEntry 11 }
+
+ipIfStatsInForwDatagrams OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of input datagrams for which this entity was not
+ their final IP destination and for which this entity
+ attempted to find a route to forward them to that final
+ destination.
In entities that do not act as IP routers,
+ this counter will include only those datagrams that were
+ Source-Routed via this entity, and the Source-Route
+ processing was successful.
+
+ When tracking interface statistics, the counter of the
+ incoming interface is incremented for each datagram.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipIfStatsDiscontinuityTime."
+ ::= { ipIfStatsEntry 12 }
+
+ipIfStatsHCInForwDatagrams OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of input datagrams for which this entity was not
+ their final IP destination and for which this entity
+ attempted to find a route to forward them to that final
+ destination. This object counts the same packets as
+
+ ipIfStatsInForwDatagrams, but allows for larger values.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipIfStatsDiscontinuityTime."
+ ::= { ipIfStatsEntry 13 }
+
+ipIfStatsReasmReqds OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of IP fragments received that needed to be
+ reassembled at this interface.
+
+ When tracking interface statistics, the counter of the
+ interface to which these fragments were addressed is
+ incremented. This interface might not be the same as the
+ input interface for some of the fragments.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipIfStatsDiscontinuityTime."
+ ::= { ipIfStatsEntry 14 }
+
+ipIfStatsReasmOKs OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of IP datagrams successfully reassembled.
+
+ When tracking interface statistics, the counter of the
+ interface to which these datagrams were addressed is
+ incremented. This interface might not be the same as the
+ input interface for some of the datagrams.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipIfStatsDiscontinuityTime."
+ ::= { ipIfStatsEntry 15 }
+
+ipIfStatsReasmFails OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of failures detected by the IP re-assembly
+ algorithm (for whatever reason: timed out, errors, etc.).
+ Note that this is not necessarily a count of discarded IP
+ fragments since some algorithms (notably the algorithm in
+ RFC 815) can lose track of the number of fragments by
+ combining them as they are received.
+
+ When tracking interface statistics, the counter of the
+ interface to which these fragments were addressed is
+ incremented. This interface might not be the same as the
+ input interface for some of the fragments.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipIfStatsDiscontinuityTime."
+ ::= { ipIfStatsEntry 16 }
+
+ipIfStatsInDiscards OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of input IP datagrams for which no problems were
+ encountered to prevent their continued processing, but
+ were discarded (e.g., for lack of buffer space). Note that
+ this counter does not include any datagrams discarded while
+ awaiting re-assembly.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipIfStatsDiscontinuityTime."
+ ::= { ipIfStatsEntry 17 }
+
+ipIfStatsInDelivers OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of datagrams successfully delivered to IP
+ user-protocols (including ICMP).
+
+ When tracking interface statistics, the counter of the
+ interface to which these datagrams were addressed is
+ incremented. This interface might not be the same as the
+
+ input interface for some of the datagrams.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipIfStatsDiscontinuityTime."
+ ::= { ipIfStatsEntry 18 }
+
+ipIfStatsHCInDelivers OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of datagrams successfully delivered to IP
+ user-protocols (including ICMP). This object counts the
+ same packets as ipIfStatsInDelivers, but allows for larger
+ values.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipIfStatsDiscontinuityTime."
+ ::= { ipIfStatsEntry 19 }
+
+ipIfStatsOutRequests OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of IP datagrams that local IP user-
+ protocols (including ICMP) supplied to IP in requests for
+ transmission. Note that this counter does not include any
+ datagrams counted in ipIfStatsOutForwDatagrams.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipIfStatsDiscontinuityTime."
+ ::= { ipIfStatsEntry 20 }
+
+ipIfStatsHCOutRequests OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of IP datagrams that local IP user-
+ protocols (including ICMP) supplied to IP in requests for
+ transmission.
This object counts the same packets as
+
+ ipIfStatsOutRequests, but allows for larger values.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipIfStatsDiscontinuityTime."
+ ::= { ipIfStatsEntry 21 }
+
+-- This object ID is reserved to allow the IDs for this table's objects
+-- to align with the objects in the ipSystemStatsTable.
+-- ::= {ipIfStatsEntry 22}
+
+ipIfStatsOutForwDatagrams OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of datagrams for which this entity was not their
+ final IP destination and for which it was successful in
+ finding a path to their final destination. In entities
+ that do not act as IP routers, this counter will include
+ only those datagrams that were Source-Routed via this
+ entity, and the Source-Route processing was successful.
+
+ When tracking interface statistics, the counter of the
+ outgoing interface is incremented for a successfully
+ forwarded datagram.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipIfStatsDiscontinuityTime."
+ ::= { ipIfStatsEntry 23 }
+
+ipIfStatsHCOutForwDatagrams OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of datagrams for which this entity was not their
+ final IP destination and for which it was successful in
+ finding a path to their final destination. This object
+ counts the same packets as ipIfStatsOutForwDatagrams, but
+ allows for larger values.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+
+ ipIfStatsDiscontinuityTime."
+ ::= { ipIfStatsEntry 24 }
+
+ipIfStatsOutDiscards OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of output IP datagrams for which no problem was
+ encountered to prevent their transmission to their
+ destination, but were discarded (e.g., for lack of
+ buffer space). Note that this counter would include
+ datagrams counted in ipIfStatsOutForwDatagrams if any such
+ datagrams met this (discretionary) discard criterion.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipIfStatsDiscontinuityTime."
+ ::= { ipIfStatsEntry 25 }
+
+ipIfStatsOutFragReqds OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of IP datagrams that would require fragmentation
+ in order to be transmitted.
+
+ When tracking interface statistics, the counter of the
+ outgoing interface is incremented for a successfully
+ fragmented datagram.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipIfStatsDiscontinuityTime."
+ ::= { ipIfStatsEntry 26 }
+
+ipIfStatsOutFragOKs OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of IP datagrams that have been successfully
+ fragmented.
+
+ When tracking interface statistics, the counter of the
+
+ outgoing interface is incremented for a successfully
+ fragmented datagram.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipIfStatsDiscontinuityTime."
+ ::= { ipIfStatsEntry 27 }
+
+ipIfStatsOutFragFails OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of IP datagrams that have been discarded because
+ they needed to be fragmented but could not be. This
+ includes IPv4 packets that have the DF bit set and IPv6
+ packets that are being forwarded and exceed the outgoing
+ link MTU.
+
+ When tracking interface statistics, the counter of the
+ outgoing interface is incremented for an unsuccessfully
+ fragmented datagram.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipIfStatsDiscontinuityTime."
+ ::= { ipIfStatsEntry 28 }
+
+ipIfStatsOutFragCreates OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of output datagram fragments that have been
+ generated as a result of IP fragmentation.
+
+ When tracking interface statistics, the counter of the
+ outgoing interface is incremented for a successfully
+ fragmented datagram.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipIfStatsDiscontinuityTime."
+ ::= { ipIfStatsEntry 29 }
+
+ipIfStatsOutTransmits OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of IP datagrams that this entity supplied
+ to the lower layers for transmission. This includes
+ datagrams generated locally and those forwarded by this
+ entity.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipIfStatsDiscontinuityTime."
+ ::= { ipIfStatsEntry 30 }
+
+ipIfStatsHCOutTransmits OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of IP datagrams that this entity supplied
+ to the lower layers for transmission. This object counts
+ the same datagrams as ipIfStatsOutTransmits, but allows for
+ larger values.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipIfStatsDiscontinuityTime."
+ ::= { ipIfStatsEntry 31 }
+
+ipIfStatsOutOctets OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of octets in IP datagrams delivered to the
+ lower layers for transmission. Octets from datagrams
+ counted in ipIfStatsOutTransmits MUST be counted here.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipIfStatsDiscontinuityTime."
+ ::= { ipIfStatsEntry 32 }
+
+ipIfStatsHCOutOctets OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of octets in IP datagrams delivered to the
+ lower layers for transmission. This objects counts the same
+ octets as ipIfStatsOutOctets, but allows for larger values.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipIfStatsDiscontinuityTime."
+ ::= { ipIfStatsEntry 33 }
+
+ipIfStatsInMcastPkts OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of IP multicast datagrams received.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipIfStatsDiscontinuityTime."
+ ::= { ipIfStatsEntry 34 }
+
+ipIfStatsHCInMcastPkts OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of IP multicast datagrams received. This object
+ counts the same datagrams as ipIfStatsInMcastPkts, but
+ allows for larger values.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipIfStatsDiscontinuityTime."
+ ::= { ipIfStatsEntry 35 }
+
+ipIfStatsInMcastOctets OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of octets received in IP multicast
+
+ datagrams. Octets from datagrams counted in
+ ipIfStatsInMcastPkts MUST be counted here.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipIfStatsDiscontinuityTime."
+ ::= { ipIfStatsEntry 36 }
+
+ipIfStatsHCInMcastOctets OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of octets received in IP multicast
+ datagrams. This object counts the same octets as
+ ipIfStatsInMcastOctets, but allows for larger values.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipIfStatsDiscontinuityTime."
+ ::= { ipIfStatsEntry 37 }
+
+ipIfStatsOutMcastPkts OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of IP multicast datagrams transmitted.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipIfStatsDiscontinuityTime."
+ ::= { ipIfStatsEntry 38 }
+
+ipIfStatsHCOutMcastPkts OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of IP multicast datagrams transmitted. This
+ object counts the same datagrams as ipIfStatsOutMcastPkts,
+ but allows for larger values.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+
+ times as indicated by the value of
+ ipIfStatsDiscontinuityTime."
+ ::= { ipIfStatsEntry 39 }
+
+ipIfStatsOutMcastOctets OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of octets transmitted in IP multicast
+ datagrams. Octets from datagrams counted in
+ ipIfStatsOutMcastPkts MUST be counted here.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipIfStatsDiscontinuityTime."
+ ::= { ipIfStatsEntry 40 }
+
+ipIfStatsHCOutMcastOctets OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of octets transmitted in IP multicast
+ datagrams. This object counts the same octets as
+ ipIfStatsOutMcastOctets, but allows for larger values.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipIfStatsDiscontinuityTime."
+ ::= { ipIfStatsEntry 41 }
+
+ipIfStatsInBcastPkts OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of IP broadcast datagrams received.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipIfStatsDiscontinuityTime."
+ ::= { ipIfStatsEntry 42 }
+
+ipIfStatsHCInBcastPkts OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of IP broadcast datagrams received. This object
+ counts the same datagrams as ipIfStatsInBcastPkts, but
+ allows for larger values.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipIfStatsDiscontinuityTime."
+ ::= { ipIfStatsEntry 43 }
+
+ipIfStatsOutBcastPkts OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of IP broadcast datagrams transmitted.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipIfStatsDiscontinuityTime."
+ ::= { ipIfStatsEntry 44 }
+
+ipIfStatsHCOutBcastPkts OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of IP broadcast datagrams transmitted. This
+ object counts the same datagrams as ipIfStatsOutBcastPkts,
+ but allows for larger values.
+
+ Discontinuities in the value of this counter can occur at
+ re-initialization of the management system, and at other
+ times as indicated by the value of
+ ipIfStatsDiscontinuityTime."
+ ::= { ipIfStatsEntry 45 }
+
+ipIfStatsDiscontinuityTime OBJECT-TYPE
+ SYNTAX TimeStamp
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of sysUpTime on the most recent occasion at which
+
+ any one or more of this entry's counters suffered a
+ discontinuity.
+
+ If no such discontinuities have occurred since the last re-
+ initialization of the local management subsystem, then this
+ object contains a zero value."
+ ::= { ipIfStatsEntry 46 }
+
+ipIfStatsRefreshRate OBJECT-TYPE
+ SYNTAX Unsigned32
+ UNITS "milli-seconds"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The minimum reasonable polling interval for this entry.
+ This object provides an indication of the minimum amount of
+ time required to update the counters in this entry."
+ ::= { ipIfStatsEntry 47 }
+
+--
+-- Internet Address Prefix table
+--
+
+ipAddressPrefixTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF IpAddressPrefixEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "This table allows the user to determine the source of an IP
+ address or set of IP addresses, and allows other tables to
+ share the information via pointer rather than by copying.
+
+ For example, when the node configures both a unicast and
+ anycast address for a prefix, the ipAddressPrefix objects
+ for those addresses will point to a single row in this
+ table.
+
+ This table primarily provides support for IPv6 prefixes, and
+ several of the objects are less meaningful for IPv4. The
+ table continues to allow IPv4 addresses to allow future
+ flexibility. In order to promote a common configuration,
+ this document includes suggestions for default values for
+ IPv4 prefixes. Each of these values may be overridden if an
+ object is meaningful to the node.
+
+ All prefixes used by this entity should be included in this
+ table independent of how the entity learned the prefix.
+ (This table isn't limited to prefixes learned from router
+
+ advertisements.)"
+ ::= { ip 32 }
+
+ipAddressPrefixEntry OBJECT-TYPE
+ SYNTAX IpAddressPrefixEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An entry in the ipAddressPrefixTable."
+ INDEX { ipAddressPrefixIfIndex, ipAddressPrefixType,
+ ipAddressPrefixPrefix, ipAddressPrefixLength }
+ ::= { ipAddressPrefixTable 1 }
+
+IpAddressPrefixEntry ::= SEQUENCE {
+ ipAddressPrefixIfIndex InterfaceIndex,
+ ipAddressPrefixType InetAddressType,
+ ipAddressPrefixPrefix InetAddress,
+ ipAddressPrefixLength InetAddressPrefixLength,
+ ipAddressPrefixOrigin IpAddressPrefixOriginTC,
+ ipAddressPrefixOnLinkFlag TruthValue,
+ ipAddressPrefixAutonomousFlag TruthValue,
+ ipAddressPrefixAdvPreferredLifetime Unsigned32,
+ ipAddressPrefixAdvValidLifetime Unsigned32
+ }
+
+ipAddressPrefixIfIndex OBJECT-TYPE
+ SYNTAX InterfaceIndex
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The index value that uniquely identifies the interface on
+ which this prefix is configured. The interface identified
+ by a particular value of this index is the same interface as
+ identified by the same value of the IF-MIB's ifIndex."
+ ::= { ipAddressPrefixEntry 1 }
+
+ipAddressPrefixType OBJECT-TYPE
+ SYNTAX InetAddressType
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The address type of ipAddressPrefix."
+ ::= { ipAddressPrefixEntry 2 }
+
+ipAddressPrefixPrefix OBJECT-TYPE
+ SYNTAX InetAddress
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The address prefix. The address type of this object is
+ specified in ipAddressPrefixType. The length of this object
+ is the standard length for objects of that type (4 or 16
+ bytes). Any bits after ipAddressPrefixLength must be zero.
+
+ Implementors need to be aware that, if the size of
+ ipAddressPrefixPrefix exceeds 114 octets, then OIDS of
+ instances of columns in this row will have more than 128
+ sub-identifiers and cannot be accessed using SNMPv1,
+ SNMPv2c, or SNMPv3."
+ ::= { ipAddressPrefixEntry 3 }
+
+ipAddressPrefixLength OBJECT-TYPE
+ SYNTAX InetAddressPrefixLength
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The prefix length associated with this prefix.
+
+ The value 0 has no special meaning for this object. It
+ simply refers to address '::/0'."
+ ::= { ipAddressPrefixEntry 4 }
+
+ipAddressPrefixOrigin OBJECT-TYPE
+ SYNTAX IpAddressPrefixOriginTC
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The origin of this prefix."
+ ::= { ipAddressPrefixEntry 5 }
+
+ipAddressPrefixOnLinkFlag OBJECT-TYPE
+ SYNTAX TruthValue
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "This object has the value 'true(1)', if this prefix can be
+ used for on-link determination; otherwise, the value is
+ 'false(2)'.
+
+ The default for IPv4 prefixes is 'true(1)'."
+ REFERENCE "For IPv6 RFC 2461, especially sections 2 and 4.6.2 and
+ RFC 2462"
+ ::= { ipAddressPrefixEntry 6 }
+
+ipAddressPrefixAutonomousFlag OBJECT-TYPE
+ SYNTAX TruthValue
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Autonomous address configuration flag. When true(1),
+ indicates that this prefix can be used for autonomous
+ address configuration (i.e., can be used to form a local
+ interface address). If false(2), it is not used to auto-
+ configure a local interface address.
+
+ The default for IPv4 prefixes is 'false(2)'."
+ REFERENCE "For IPv6 RFC 2461, especially sections 2 and 4.6.2 and
+ RFC 2462"
+ ::= { ipAddressPrefixEntry 7 }
+
+ipAddressPrefixAdvPreferredLifetime OBJECT-TYPE
+ SYNTAX Unsigned32
+ UNITS "seconds"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The remaining length of time, in seconds, that this prefix
+ will continue to be preferred, i.e., time until deprecation.
+
+ A value of 4,294,967,295 represents infinity.
+
+ The address generated from a deprecated prefix should no
+ longer be used as a source address in new communications,
+ but packets received on such an interface are processed as
+ expected.
+
+ The default for IPv4 prefixes is 4,294,967,295 (infinity)."
+ REFERENCE "For IPv6 RFC 2461, especially sections 2 and 4.6.2 and
+ RFC 2462"
+ ::= { ipAddressPrefixEntry 8 }
+
+ipAddressPrefixAdvValidLifetime OBJECT-TYPE
+ SYNTAX Unsigned32
+ UNITS "seconds"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The remaining length of time, in seconds, that this prefix
+ will continue to be valid, i.e., time until invalidation. A
+ value of 4,294,967,295 represents infinity.
+
+ The address generated from an invalidated prefix should not
+ appear as the destination or source address of a packet.
+
+ The default for IPv4 prefixes is 4,294,967,295 (infinity)."
+ REFERENCE "For IPv6 RFC 2461, especially sections 2 and 4.6.2 and
+ RFC 2462"
+ ::= { ipAddressPrefixEntry 9 }
+
+--
+-- Internet Address Table
+--
+
+ipAddressSpinLock OBJECT-TYPE
+ SYNTAX TestAndIncr
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "An advisory lock used to allow cooperating SNMP managers to
+ coordinate their use of the set operation in creating or
+ modifying rows within this table.
+
+ In order to use this lock to coordinate the use of set
+ operations, managers should first retrieve
+ ipAddressTableSpinLock. They should then determine the
+ appropriate row to create or modify. Finally, they should
+ issue the appropriate set command, including the retrieved
+ value of ipAddressSpinLock. If another manager has altered
+ the table in the meantime, then the value of
+ ipAddressSpinLock will have changed, and the creation will
+ fail as it will be specifying an incorrect value for
+ ipAddressSpinLock. It is suggested, but not required, that
+ the ipAddressSpinLock be the first var bind for each set of
+ objects representing a 'row' in a PDU."
+ ::= { ip 33 }
+
+ipAddressTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF IpAddressEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "This table contains addressing information relevant to the
+ entity's interfaces.
+
+ This table does not contain multicast address information.
+ Tables for such information should be contained in multicast
+ specific MIBs, such as RFC 3019.
+
+ While this table is writable, the user will note that
+ several objects, such as ipAddressOrigin, are not. The
+ intention in allowing a user to write to this table is to
+ allow them to add or remove any entry that isn't
+
+ permanent. The user should be allowed to modify objects
+ and entries when that would not cause inconsistencies
+ within the table. Allowing write access to objects, such
+ as ipAddressOrigin, could allow a user to insert an entry
+ and then label it incorrectly.
+
+ Note well: When including IPv6 link-local addresses in this
+ table, the entry must use an InetAddressType of 'ipv6z' in
+ order to differentiate between the possible interfaces."
+ ::= { ip 34 }
+
+ipAddressEntry OBJECT-TYPE
+ SYNTAX IpAddressEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An address mapping for a particular interface."
+ INDEX { ipAddressAddrType, ipAddressAddr }
+ ::= { ipAddressTable 1 }
+
+IpAddressEntry ::= SEQUENCE {
+ ipAddressAddrType InetAddressType,
+ ipAddressAddr InetAddress,
+ ipAddressIfIndex InterfaceIndex,
+ ipAddressType INTEGER,
+ ipAddressPrefix RowPointer,
+ ipAddressOrigin IpAddressOriginTC,
+ ipAddressStatus IpAddressStatusTC,
+ ipAddressCreated TimeStamp,
+ ipAddressLastChanged TimeStamp,
+ ipAddressRowStatus RowStatus,
+ ipAddressStorageType StorageType
+ }
+
+ipAddressAddrType OBJECT-TYPE
+ SYNTAX InetAddressType
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The address type of ipAddressAddr."
+ ::= { ipAddressEntry 1 }
+
+ipAddressAddr OBJECT-TYPE
+ SYNTAX InetAddress
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The IP address to which this entry's addressing information
+
+ pertains. The address type of this object is specified in
+ ipAddressAddrType.
+
+ Implementors need to be aware that if the size of
+ ipAddressAddr exceeds 116 octets, then OIDS of instances of
+ columns in this row will have more than 128 sub-identifiers
+ and cannot be accessed using SNMPv1, SNMPv2c, or SNMPv3."
+ ::= { ipAddressEntry 2 }
+
+ipAddressIfIndex OBJECT-TYPE
+ SYNTAX InterfaceIndex
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The index value that uniquely identifies the interface to
+ which this entry is applicable. The interface identified by
+ a particular value of this index is the same interface as
+ identified by the same value of the IF-MIB's ifIndex."
+ ::= { ipAddressEntry 3 }
+
+ipAddressType OBJECT-TYPE
+ SYNTAX INTEGER {
+ unicast(1),
+ anycast(2),
+ broadcast(3)
+ }
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The type of address. broadcast(3) is not a valid value for
+ IPv6 addresses (RFC 3513)."
+ DEFVAL { unicast }
+ ::= { ipAddressEntry 4 }
+
+ipAddressPrefix OBJECT-TYPE
+ SYNTAX RowPointer
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "A pointer to the row in the prefix table to which this
+ address belongs. May be { 0 0 } if there is no such row."
+ DEFVAL { zeroDotZero }
+ ::= { ipAddressEntry 5 }
+
+ipAddressOrigin OBJECT-TYPE
+ SYNTAX IpAddressOriginTC
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The origin of the address."
+ ::= { ipAddressEntry 6 }
+
+ipAddressStatus OBJECT-TYPE
+ SYNTAX IpAddressStatusTC
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The status of the address, describing if the address can be
+ used for communication.
+
+ In the absence of other information, an IPv4 address is
+ always preferred(1)."
+ DEFVAL { preferred }
+ ::= { ipAddressEntry 7 }
+
+ipAddressCreated OBJECT-TYPE
+ SYNTAX TimeStamp
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of sysUpTime at the time this entry was created.
+ If this entry was created prior to the last re-
+ initialization of the local network management subsystem,
+ then this object contains a zero value."
+ ::= { ipAddressEntry 8 }
+
+ipAddressLastChanged OBJECT-TYPE
+ SYNTAX TimeStamp
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of sysUpTime at the time this entry was last
+ updated. If this entry was updated prior to the last re-
+ initialization of the local network management subsystem,
+ then this object contains a zero value."
+ ::= { ipAddressEntry 9 }
+
+ipAddressRowStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The status of this conceptual row.
+
+ The RowStatus TC requires that this DESCRIPTION clause
+ states under which circumstances other objects in this row
+
+ can be modified. The value of this object has no effect on
+ whether other objects in this conceptual row can be
+ modified.
+
+ A conceptual row can not be made active until the
+ ipAddressIfIndex has been set to a valid index."
+ ::= { ipAddressEntry 10 }
+
+ipAddressStorageType OBJECT-TYPE
+ SYNTAX StorageType
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The storage type for this conceptual row. If this object
+ has a value of 'permanent', then no other objects are
+ required to be able to be modified."
+ DEFVAL { volatile }
+ ::= { ipAddressEntry 11 }
+
+--
+-- the Internet Address Translation table
+--
+
+ipNetToPhysicalTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF IpNetToPhysicalEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The IP Address Translation table used for mapping from IP
+ addresses to physical addresses.
+
+ The Address Translation tables contain the IP address to
+ 'physical' address equivalences. Some interfaces do not use
+ translation tables for determining address equivalences
+ (e.g., DDN-X.25 has an algorithmic method); if all
+ interfaces are of this type, then the Address Translation
+ table is empty, i.e., has zero entries.
+
+ While many protocols may be used to populate this table, ARP
+ and Neighbor Discovery are the most likely
+ options."
+ REFERENCE "RFC 826 and RFC 2461"
+ ::= { ip 35 }
+
+ipNetToPhysicalEntry OBJECT-TYPE
+ SYNTAX IpNetToPhysicalEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Each entry contains one IP address to `physical' address
+ equivalence."
+ INDEX { ipNetToPhysicalIfIndex,
+ ipNetToPhysicalNetAddressType,
+ ipNetToPhysicalNetAddress }
+ ::= { ipNetToPhysicalTable 1 }
+
+IpNetToPhysicalEntry ::= SEQUENCE {
+ ipNetToPhysicalIfIndex InterfaceIndex,
+ ipNetToPhysicalNetAddressType InetAddressType,
+ ipNetToPhysicalNetAddress InetAddress,
+ ipNetToPhysicalPhysAddress PhysAddress,
+ ipNetToPhysicalLastUpdated TimeStamp,
+ ipNetToPhysicalType INTEGER,
+ ipNetToPhysicalState INTEGER,
+ ipNetToPhysicalRowStatus RowStatus
+ }
+
+ipNetToPhysicalIfIndex OBJECT-TYPE
+ SYNTAX InterfaceIndex
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The index value that uniquely identifies the interface to
+ which this entry is applicable. The interface identified by
+ a particular value of this index is the same interface as
+ identified by the same value of the IF-MIB's ifIndex."
+ ::= { ipNetToPhysicalEntry 1 }
+
+ipNetToPhysicalNetAddressType OBJECT-TYPE
+ SYNTAX InetAddressType
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The type of ipNetToPhysicalNetAddress."
+ ::= { ipNetToPhysicalEntry 2 }
+
+ipNetToPhysicalNetAddress OBJECT-TYPE
+ SYNTAX InetAddress
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The IP Address corresponding to the media-dependent
+ `physical' address. The address type of this object is
+ specified in ipNetToPhysicalAddressType.
+
+ Implementors need to be aware that if the size of
+
+ ipNetToPhysicalNetAddress exceeds 115 octets, then OIDS of
+ instances of columns in this row will have more than 128
+ sub-identifiers and cannot be accessed using SNMPv1,
+ SNMPv2c, or SNMPv3."
+ ::= { ipNetToPhysicalEntry 3 }
+
+ipNetToPhysicalPhysAddress OBJECT-TYPE
+ SYNTAX PhysAddress (SIZE(0..65535))
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The media-dependent `physical' address.
+
+ As the entries in this table are typically not persistent
+ when this object is written the entity SHOULD NOT save the
+ change to non-volatile storage."
+ ::= { ipNetToPhysicalEntry 4 }
+
+ipNetToPhysicalLastUpdated OBJECT-TYPE
+ SYNTAX TimeStamp
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of sysUpTime at the time this entry was last
+ updated. If this entry was updated prior to the last re-
+ initialization of the local network management subsystem,
+ then this object contains a zero value."
+ ::= { ipNetToPhysicalEntry 5 }
+
+ipNetToPhysicalType OBJECT-TYPE
+ SYNTAX INTEGER {
+ other(1), -- none of the following
+ invalid(2), -- an invalidated mapping
+ dynamic(3),
+ static(4),
+ local(5) -- local interface
+ }
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The type of mapping.
+
+ Setting this object to the value invalid(2) has the effect
+ of invalidating the corresponding entry in the
+ ipNetToPhysicalTable. That is, it effectively dis-
+ associates the interface identified with said entry from the
+ mapping identified with said entry. It is an
+ implementation-specific matter as to whether the agent
+
+ removes an invalidated entry from the table. Accordingly,
+ management stations must be prepared to receive tabular
+ information from agents that corresponds to entries not
+ currently in use. Proper interpretation of such entries
+ requires examination of the relevant ipNetToPhysicalType
+ object.
+
+ The 'dynamic(3)' type indicates that the IP address to
+ physical addresses mapping has been dynamically resolved
+ using e.g., IPv4 ARP or the IPv6 Neighbor Discovery
+ protocol.
+
+ The 'static(4)' type indicates that the mapping has been
+ statically configured. Both of these refer to entries that
+ provide mappings for other entities addresses.
+
+ The 'local(5)' type indicates that the mapping is provided
+ for an entity's own interface address.
+
+ As the entries in this table are typically not persistent
+ when this object is written the entity SHOULD NOT save the
+ change to non-volatile storage."
+ DEFVAL { static }
+ ::= { ipNetToPhysicalEntry 6 }
+
+ipNetToPhysicalState OBJECT-TYPE
+ SYNTAX INTEGER {
+ reachable(1), -- confirmed reachability
+
+ stale(2), -- unconfirmed reachability
+
+ delay(3), -- waiting for reachability
+ -- confirmation before entering
+ -- the probe state
+
+ probe(4), -- actively probing
+
+ invalid(5), -- an invalidated mapping
+
+ unknown(6), -- state can not be determined
+ -- for some reason.
+
+ incomplete(7) -- address resolution is being
+ -- performed.
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The Neighbor Unreachability Detection state for the
+ interface when the address mapping in this entry is used.
+ If Neighbor Unreachability Detection is not in use (e.g. for
+ IPv4), this object is always unknown(6)."
+ REFERENCE "RFC 2461"
+ ::= { ipNetToPhysicalEntry 7 }
+
+ipNetToPhysicalRowStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The status of this conceptual row.
+
+ The RowStatus TC requires that this DESCRIPTION clause
+ states under which circumstances other objects in this row
+ can be modified. The value of this object has no effect on
+ whether other objects in this conceptual row can be
+ modified.
+
+ A conceptual row can not be made active until the
+ ipNetToPhysicalPhysAddress object has been set.
+
+ Note that if the ipNetToPhysicalType is set to 'invalid',
+ the managed node may delete the entry independent of the
+ state of this object."
+ ::= { ipNetToPhysicalEntry 8 }
+
+--
+-- The IPv6 Scope Zone Index Table.
+--
+
+ipv6ScopeZoneIndexTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF Ipv6ScopeZoneIndexEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The table used to describe IPv6 unicast and multicast scope
+ zones.
+
+ For those objects that have names rather than numbers, the
+ names were chosen to coincide with the names used in the
+ IPv6 address architecture document. "
+ REFERENCE "Section 2.7 of RFC 4291"
+ ::= { ip 36 }
+
+ipv6ScopeZoneIndexEntry OBJECT-TYPE
+ SYNTAX Ipv6ScopeZoneIndexEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Each entry contains the list of scope identifiers on a given
+ interface."
+ INDEX { ipv6ScopeZoneIndexIfIndex }
+ ::= { ipv6ScopeZoneIndexTable 1 }
+
+Ipv6ScopeZoneIndexEntry ::= SEQUENCE {
+ ipv6ScopeZoneIndexIfIndex InterfaceIndex,
+ ipv6ScopeZoneIndexLinkLocal InetZoneIndex,
+ ipv6ScopeZoneIndex3 InetZoneIndex,
+ ipv6ScopeZoneIndexAdminLocal InetZoneIndex,
+ ipv6ScopeZoneIndexSiteLocal InetZoneIndex,
+ ipv6ScopeZoneIndex6 InetZoneIndex,
+ ipv6ScopeZoneIndex7 InetZoneIndex,
+ ipv6ScopeZoneIndexOrganizationLocal InetZoneIndex,
+ ipv6ScopeZoneIndex9 InetZoneIndex,
+ ipv6ScopeZoneIndexA InetZoneIndex,
+ ipv6ScopeZoneIndexB InetZoneIndex,
+ ipv6ScopeZoneIndexC InetZoneIndex,
+ ipv6ScopeZoneIndexD InetZoneIndex
+ }
+
+ipv6ScopeZoneIndexIfIndex OBJECT-TYPE
+ SYNTAX InterfaceIndex
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The index value that uniquely identifies the interface to
+ which these scopes belong. The interface identified by a
+ particular value of this index is the same interface as
+ identified by the same value of the IF-MIB's ifIndex."
+ ::= { ipv6ScopeZoneIndexEntry 1 }
+
+ipv6ScopeZoneIndexLinkLocal OBJECT-TYPE
+ SYNTAX InetZoneIndex
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The zone index for the link-local scope on this interface."
+ ::= { ipv6ScopeZoneIndexEntry 2 }
+
+ipv6ScopeZoneIndex3 OBJECT-TYPE
+ SYNTAX InetZoneIndex
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The zone index for scope 3 on this interface."
+ ::= { ipv6ScopeZoneIndexEntry 3 }
+
+ipv6ScopeZoneIndexAdminLocal OBJECT-TYPE
+ SYNTAX InetZoneIndex
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The zone index for the admin-local scope on this interface."
+ ::= { ipv6ScopeZoneIndexEntry 4 }
+
+ipv6ScopeZoneIndexSiteLocal OBJECT-TYPE
+ SYNTAX InetZoneIndex
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The zone index for the site-local scope on this interface."
+ ::= { ipv6ScopeZoneIndexEntry 5 }
+
+ipv6ScopeZoneIndex6 OBJECT-TYPE
+ SYNTAX InetZoneIndex
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The zone index for scope 6 on this interface."
+ ::= { ipv6ScopeZoneIndexEntry 6 }
+
+ipv6ScopeZoneIndex7 OBJECT-TYPE
+ SYNTAX InetZoneIndex
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The zone index for scope 7 on this interface."
+ ::= { ipv6ScopeZoneIndexEntry 7 }
+
+ipv6ScopeZoneIndexOrganizationLocal OBJECT-TYPE
+ SYNTAX InetZoneIndex
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The zone index for the organization-local scope on this
+ interface."
+ ::= { ipv6ScopeZoneIndexEntry 8 }
+
+ipv6ScopeZoneIndex9 OBJECT-TYPE
+ SYNTAX InetZoneIndex
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The zone index for scope 9 on this interface."
+ ::= { ipv6ScopeZoneIndexEntry 9 }
+
+ipv6ScopeZoneIndexA OBJECT-TYPE
+ SYNTAX InetZoneIndex
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The zone index for scope A on this interface."
+ ::= { ipv6ScopeZoneIndexEntry 10 }
+
+ipv6ScopeZoneIndexB OBJECT-TYPE
+ SYNTAX InetZoneIndex
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The zone index for scope B on this interface."
+ ::= { ipv6ScopeZoneIndexEntry 11 }
+
+ipv6ScopeZoneIndexC OBJECT-TYPE
+ SYNTAX InetZoneIndex
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The zone index for scope C on this interface."
+ ::= { ipv6ScopeZoneIndexEntry 12 }
+
+ipv6ScopeZoneIndexD OBJECT-TYPE
+ SYNTAX InetZoneIndex
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The zone index for scope D on this interface."
+ ::= { ipv6ScopeZoneIndexEntry 13 }
+
+--
+-- The Default Router Table
+-- This table simply lists the default routers; for more information
+-- about routing tables, see the routing MIBs
+--
+
+ipDefaultRouterTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF IpDefaultRouterEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The table used to describe the default routers known to this
+
+ entity."
+ ::= { ip 37 }
+
+ipDefaultRouterEntry OBJECT-TYPE
+ SYNTAX IpDefaultRouterEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Each entry contains information about a default router known
+ to this entity."
+ INDEX {ipDefaultRouterAddressType, ipDefaultRouterAddress,
+ ipDefaultRouterIfIndex}
+ ::= { ipDefaultRouterTable 1 }
+
+IpDefaultRouterEntry ::= SEQUENCE {
+ ipDefaultRouterAddressType InetAddressType,
+ ipDefaultRouterAddress InetAddress,
+ ipDefaultRouterIfIndex InterfaceIndex,
+ ipDefaultRouterLifetime Unsigned32,
+ ipDefaultRouterPreference INTEGER
+ }
+
+ipDefaultRouterAddressType OBJECT-TYPE
+ SYNTAX InetAddressType
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The address type for this row."
+ ::= { ipDefaultRouterEntry 1 }
+
+ipDefaultRouterAddress OBJECT-TYPE
+ SYNTAX InetAddress
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The IP address of the default router represented by this
+ row. The address type of this object is specified in
+ ipDefaultRouterAddressType.
+
+ Implementers need to be aware that if the size of
+ ipDefaultRouterAddress exceeds 115 octets, then OIDS of
+ instances of columns in this row will have more than 128
+ sub-identifiers and cannot be accessed using SNMPv1,
+ SNMPv2c, or SNMPv3."
+ ::= { ipDefaultRouterEntry 2 }
+
+ipDefaultRouterIfIndex OBJECT-TYPE
+ SYNTAX InterfaceIndex
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The index value that uniquely identifies the interface by
+ which the router can be reached. The interface identified
+ by a particular value of this index is the same interface as
+ identified by the same value of the IF-MIB's ifIndex."
+ ::= { ipDefaultRouterEntry 3 }
+
+ipDefaultRouterLifetime OBJECT-TYPE
+ SYNTAX Unsigned32 (0..65535)
+ UNITS "seconds"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The remaining length of time, in seconds, that this router
+ will continue to be useful as a default router. A value of
+ zero indicates that it is no longer useful as a default
+ router. It is left to the implementer of the MIB as to
+ whether a router with a lifetime of zero is removed from the
+ list.
+
+ For IPv6, this value should be extracted from the router
+ advertisement messages."
+ REFERENCE "For IPv6 RFC 2462 sections 4.2 and 6.3.4"
+ ::= { ipDefaultRouterEntry 4 }
+
+ipDefaultRouterPreference OBJECT-TYPE
+ SYNTAX INTEGER {
+ reserved (-2),
+ low (-1),
+ medium (0),
+ high (1)
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "An indication of preference given to this router as a
+ default router as described in he Default Router
+ Preferences document. Treating the value as a
+ 2 bit signed integer allows for simple arithmetic
+ comparisons.
+
+ For IPv4 routers or IPv6 routers that are not using the
+ updated router advertisement format, this object is set to
+ medium (0)."
+ REFERENCE "RFC 4291, section 2.1"
+ ::= { ipDefaultRouterEntry 5 }
+
+--
+-- Configuration information for constructing router advertisements
+--
+
+ipv6RouterAdvertSpinLock OBJECT-TYPE
+ SYNTAX TestAndIncr
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "An advisory lock used to allow cooperating SNMP managers to
+ coordinate their use of the set operation in creating or
+ modifying rows within this table.
+
+ In order to use this lock to coordinate the use of set
+ operations, managers should first retrieve
+ ipv6RouterAdvertSpinLock. They should then determine the
+ appropriate row to create or modify. Finally, they should
+ issue the appropriate set command including the retrieved
+ value of ipv6RouterAdvertSpinLock. If another manager has
+ altered the table in the meantime, then the value of
+ ipv6RouterAdvertSpinLock will have changed and the creation
+ will fail as it will be specifying an incorrect value for
+ ipv6RouterAdvertSpinLock. It is suggested, but not
+ required, that the ipv6RouterAdvertSpinLock be the first var
+ bind for each set of objects representing a 'row' in a PDU."
+ ::= { ip 38 }
+
+ipv6RouterAdvertTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF Ipv6RouterAdvertEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The table containing information used to construct router
+ advertisements."
+ ::= { ip 39 }
+
+ipv6RouterAdvertEntry OBJECT-TYPE
+ SYNTAX Ipv6RouterAdvertEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An entry containing information used to construct router
+ advertisements.
+
+ Information in this table is persistent, and when this
+ object is written, the entity SHOULD save the change to
+ non-volatile storage."
+ INDEX { ipv6RouterAdvertIfIndex }
+ ::= { ipv6RouterAdvertTable 1 }
+
+Ipv6RouterAdvertEntry ::= SEQUENCE {
+ ipv6RouterAdvertIfIndex InterfaceIndex,
+ ipv6RouterAdvertSendAdverts TruthValue,
+ ipv6RouterAdvertMaxInterval Unsigned32,
+ ipv6RouterAdvertMinInterval Unsigned32,
+ ipv6RouterAdvertManagedFlag TruthValue,
+ ipv6RouterAdvertOtherConfigFlag TruthValue,
+ ipv6RouterAdvertLinkMTU Unsigned32,
+ ipv6RouterAdvertReachableTime Unsigned32,
+ ipv6RouterAdvertRetransmitTime Unsigned32,
+ ipv6RouterAdvertCurHopLimit Unsigned32,
+ ipv6RouterAdvertDefaultLifetime Unsigned32,
+ ipv6RouterAdvertRowStatus RowStatus
+ }
+
+ipv6RouterAdvertIfIndex OBJECT-TYPE
+ SYNTAX InterfaceIndex
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The index value that uniquely identifies the interface on
+ which router advertisements constructed with this
+ information will be transmitted. The interface identified
+ by a particular value of this index is the same interface as
+ identified by the same value of the IF-MIB's ifIndex."
+ ::= { ipv6RouterAdvertEntry 1 }
+
+ipv6RouterAdvertSendAdverts OBJECT-TYPE
+ SYNTAX TruthValue
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "A flag indicating whether the router sends periodic
+ router advertisements and responds to router solicitations
+ on this interface."
+ REFERENCE "RFC 2461 Section 6.2.1"
+ DEFVAL { false }
+ ::= { ipv6RouterAdvertEntry 2 }
+
+ipv6RouterAdvertMaxInterval OBJECT-TYPE
+ SYNTAX Unsigned32 (4..1800)
+ UNITS "seconds"
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The maximum time allowed between sending unsolicited router
+
+ advertisements from this interface."
+ REFERENCE "RFC 2461 Section 6.2.1"
+ DEFVAL { 600 }
+ ::= { ipv6RouterAdvertEntry 3 }
+
+ipv6RouterAdvertMinInterval OBJECT-TYPE
+ SYNTAX Unsigned32 (3..1350)
+ UNITS "seconds"
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The minimum time allowed between sending unsolicited router
+ advertisements from this interface.
+
+ The default is 0.33 * ipv6RouterAdvertMaxInterval, however,
+ in the case of a low value for ipv6RouterAdvertMaxInterval,
+ the minimum value for this object is restricted to 3."
+ REFERENCE "RFC 2461 Section 6.2.1"
+ ::= { ipv6RouterAdvertEntry 4 }
+
+ipv6RouterAdvertManagedFlag OBJECT-TYPE
+ SYNTAX TruthValue
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The true/false value to be placed into the 'managed address
+ configuration' flag field in router advertisements sent from
+ this interface."
+ REFERENCE "RFC 2461 Section 6.2.1"
+ DEFVAL { false }
+ ::= { ipv6RouterAdvertEntry 5 }
+
+ipv6RouterAdvertOtherConfigFlag OBJECT-TYPE
+ SYNTAX TruthValue
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The true/false value to be placed into the 'other stateful
+ configuration' flag field in router advertisements sent from
+ this interface."
+ REFERENCE "RFC 2461 Section 6.2.1"
+ DEFVAL { false }
+ ::= { ipv6RouterAdvertEntry 6 }
+
+ipv6RouterAdvertLinkMTU OBJECT-TYPE
+ SYNTAX Unsigned32
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The value to be placed in MTU options sent by the router on
+ this interface.
+
+ A value of zero indicates that no MTU options are sent."
+ REFERENCE "RFC 2461 Section 6.2.1"
+ DEFVAL { 0 }
+ ::= { ipv6RouterAdvertEntry 7 }
+
+ipv6RouterAdvertReachableTime OBJECT-TYPE
+ SYNTAX Unsigned32 (0..3600000)
+ UNITS "milliseconds"
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The value to be placed in the reachable time field in router
+ advertisement messages sent from this interface.
+
+ A value of zero in the router advertisement indicates that
+ the advertisement isn't specifying a value for reachable
+ time."
+ REFERENCE "RFC 2461 Section 6.2.1"
+ DEFVAL { 0 }
+ ::= { ipv6RouterAdvertEntry 8 }
+
+ipv6RouterAdvertRetransmitTime OBJECT-TYPE
+ SYNTAX Unsigned32
+ UNITS "milliseconds"
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The value to be placed in the retransmit timer field in
+ router advertisements sent from this interface.
+
+ A value of zero in the router advertisement indicates that
+ the advertisement isn't specifying a value for retrans
+ time."
+ REFERENCE "RFC 2461 Section 6.2.1"
+ DEFVAL { 0 }
+ ::= { ipv6RouterAdvertEntry 9 }
+
+ipv6RouterAdvertCurHopLimit OBJECT-TYPE
+ SYNTAX Unsigned32 (0..255)
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The default value to be placed in the current hop limit
+ field in router advertisements sent from this interface.
+
+ The value should be set to the current diameter of the
+ Internet.
+
+ A value of zero in the router advertisement indicates that
+ the advertisement isn't specifying a value for curHopLimit.
+
+ The default should be set to the value specified in the IANA
+ web pages (www.iana.org) at the time of implementation."
+ REFERENCE "RFC 2461 Section 6.2.1"
+ ::= { ipv6RouterAdvertEntry 10 }
+
+ipv6RouterAdvertDefaultLifetime OBJECT-TYPE
+ SYNTAX Unsigned32 (0|4..9000)
+ UNITS "seconds"
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The value to be placed in the router lifetime field of
+ router advertisements sent from this interface. This value
+ MUST be either 0 or between ipv6RouterAdvertMaxInterval and
+ 9000 seconds.
+
+ A value of zero indicates that the router is not to be used
+ as a default router.
+
+ The default is 3 * ipv6RouterAdvertMaxInterval."
+ REFERENCE "RFC 2461 Section 6.2.1"
+ ::= { ipv6RouterAdvertEntry 11 }
+
+ipv6RouterAdvertRowStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The status of this conceptual row.
+
+ As all objects in this conceptual row have default values, a
+ row can be created and made active by setting this object
+ appropriately.
+
+ The RowStatus TC requires that this DESCRIPTION clause
+ states under which circumstances other objects in this row
+ can be modified. The value of this object has no effect on
+ whether other objects in this conceptual row can be
+ modified."
+ ::= { ipv6RouterAdvertEntry 12 }
+
+--
+
+-- ICMP section
+--
+
+icmp OBJECT IDENTIFIER ::= { mib-2 5 }
+
+--
+-- ICMP non-message-specific counters
+--
+
+-- These object IDs are reserved, as they were used in earlier
+-- versions of the MIB module. In theory, OIDs are not assigned
+-- until the specification is released as an RFC; however, as some
+-- companies may have shipped code based on earlier versions of
+-- the MIB, it seems best to reserve these OIDs.
+-- ::= { icmp 27 }
+-- ::= { icmp 28 }
+
+icmpStatsTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF IcmpStatsEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The table of generic system-wide ICMP counters."
+ ::= { icmp 29 }
+
+icmpStatsEntry OBJECT-TYPE
+ SYNTAX IcmpStatsEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A conceptual row in the icmpStatsTable."
+ INDEX { icmpStatsIPVersion }
+ ::= { icmpStatsTable 1 }
+
+IcmpStatsEntry ::= SEQUENCE {
+ icmpStatsIPVersion InetVersion,
+ icmpStatsInMsgs Counter32,
+ icmpStatsInErrors Counter32,
+ icmpStatsOutMsgs Counter32,
+ icmpStatsOutErrors Counter32
+ }
+
+icmpStatsIPVersion OBJECT-TYPE
+ SYNTAX InetVersion
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The IP version of the statistics."
+ ::= { icmpStatsEntry 1 }
+
+icmpStatsInMsgs OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of ICMP messages that the entity received.
+ Note that this counter includes all those counted by
+ icmpStatsInErrors."
+ ::= { icmpStatsEntry 2 }
+
+icmpStatsInErrors OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of ICMP messages that the entity received but
+ determined as having ICMP-specific errors (bad ICMP
+ checksums, bad length, etc.)."
+ ::= { icmpStatsEntry 3 }
+
+icmpStatsOutMsgs OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of ICMP messages that the entity attempted
+ to send. Note that this counter includes all those counted
+ by icmpStatsOutErrors."
+ ::= { icmpStatsEntry 4 }
+
+icmpStatsOutErrors OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of ICMP messages that this entity did not send
+ due to problems discovered within ICMP, such as a lack of
+ buffers. This value should not include errors discovered
+ outside the ICMP layer, such as the inability of IP to route
+ the resultant datagram. In some implementations, there may
+ be no types of error that contribute to this counter's
+ value."
+ ::= { icmpStatsEntry 5 }
+
+--
+-- per-version, per-message type ICMP counters
+
+--
+
+icmpMsgStatsTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF IcmpMsgStatsEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The table of system-wide per-version, per-message type ICMP
+ counters."
+ ::= { icmp 30 }
+
+icmpMsgStatsEntry OBJECT-TYPE
+ SYNTAX IcmpMsgStatsEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A conceptual row in the icmpMsgStatsTable.
+
+ The system should track each ICMP type value, even if that
+ ICMP type is not supported by the system.
However, a
+ given row need not be instantiated unless a message of that
+ type has been processed, i.e., the row for
+ icmpMsgStatsType=X MAY be instantiated before but MUST be
+ instantiated after the first message with Type=X is
+ received or transmitted. After receiving or transmitting
+ any succeeding messages with Type=X, the relevant counter
+ must be incremented."
+ INDEX { icmpMsgStatsIPVersion, icmpMsgStatsType }
+ ::= { icmpMsgStatsTable 1 }
+
+IcmpMsgStatsEntry ::= SEQUENCE {
+ icmpMsgStatsIPVersion InetVersion,
+ icmpMsgStatsType Integer32,
+ icmpMsgStatsInPkts Counter32,
+ icmpMsgStatsOutPkts Counter32
+ }
+
+icmpMsgStatsIPVersion OBJECT-TYPE
+ SYNTAX InetVersion
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The IP version of the statistics."
+ ::= { icmpMsgStatsEntry 1 }
+
+icmpMsgStatsType OBJECT-TYPE
+ SYNTAX Integer32 (0..255)
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The ICMP type field of the message type being counted by
+ this row.
+
+ Note that ICMP message types are scoped by the address type
+ in use."
+ REFERENCE "http://www.iana.org/assignments/icmp-parameters and
+ http://www.iana.org/assignments/icmpv6-parameters"
+ ::= { icmpMsgStatsEntry 2 }
+
+icmpMsgStatsInPkts OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of input packets for this AF and type."
+ ::= { icmpMsgStatsEntry 3 }
+
+icmpMsgStatsOutPkts OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of output packets for this AF and type."
+ ::= { icmpMsgStatsEntry 4 }
+--
+-- conformance information
+--
+
+ipMIBConformance OBJECT IDENTIFIER ::= { ipMIB 2 }
+
+ipMIBCompliances OBJECT IDENTIFIER ::= { ipMIBConformance 1 }
+ipMIBGroups OBJECT IDENTIFIER ::= { ipMIBConformance 2 }
+
+-- compliance statements
+ipMIBCompliance2 MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "The compliance statement for systems that implement IP -
+ either IPv4 or IPv6.
+
+ There are a number of INDEX objects that cannot be
+ represented in the form of OBJECT clauses in SMIv2, but
+ for which we have the following compliance requirements,
+ expressed in OBJECT clause form in this description
+ clause:
+
+ -- OBJECT ipSystemStatsIPVersion
+ -- SYNTAX InetVersion {ipv4(1), ipv6(2)}
+ -- DESCRIPTION
+ -- This MIB requires support for only IPv4 and IPv6
+ -- versions.
+ --
+ -- OBJECT ipIfStatsIPVersion
+ -- SYNTAX InetVersion {ipv4(1), ipv6(2)}
+ -- DESCRIPTION
+ -- This MIB requires support for only IPv4 and IPv6
+ -- versions.
+ --
+ -- OBJECT icmpStatsIPVersion
+ -- SYNTAX InetVersion {ipv4(1), ipv6(2)}
+ -- DESCRIPTION
+ -- This MIB requires support for only IPv4 and IPv6
+ -- versions.
+ --
+ -- OBJECT icmpMsgStatsIPVersion
+ -- SYNTAX InetVersion {ipv4(1), ipv6(2)}
+ -- DESCRIPTION
+ -- This MIB requires support for only IPv4 and IPv6
+ -- versions.
+ --
+ -- OBJECT ipAddressPrefixType
+ -- SYNTAX InetAddressType {ipv4(1), ipv6(2)}
+ -- DESCRIPTION
+ -- This MIB requires support for only global IPv4 and
+ -- IPv6 address types.
+ --
+ -- OBJECT ipAddressPrefixPrefix
+ -- SYNTAX InetAddress (Size(4 | 16))
+ -- DESCRIPTION
+ -- This MIB requires support for only global IPv4 and
+ -- IPv6 addresses and so the size can be either 4 or
+ -- 16 bytes.
+ --
+ -- OBJECT ipAddressAddrType
+ -- SYNTAX InetAddressType {ipv4(1), ipv6(2),
+ -- ipv4z(3), ipv6z(4)}
+ -- DESCRIPTION
+ -- This MIB requires support for only global and
+ -- non-global IPv4 and IPv6 address types.
+ --
+ -- OBJECT ipAddressAddr
+ -- SYNTAX InetAddress (Size(4 | 8 | 16 | 20))
+ -- DESCRIPTION
+ -- This MIB requires support for only global and
+
+ -- non-global IPv4 and IPv6 addresses and so the size
+ -- can be 4, 8, 16, or 20 bytes.
+ --
+ -- OBJECT ipNetToPhysicalNetAddressType
+ -- SYNTAX InetAddressType {ipv4(1), ipv6(2),
+ -- ipv4z(3), ipv6z(4)}
+ -- DESCRIPTION
+ -- This MIB requires support for only global and
+ -- non-global IPv4 and IPv6 address types.
+ --
+ -- OBJECT ipNetToPhysicalNetAddress
+ -- SYNTAX InetAddress (Size(4 | 8 | 16 | 20))
+ -- DESCRIPTION
+ -- This MIB requires support for only global and
+ -- non-global IPv4 and IPv6 addresses and so the size
+ -- can be 4, 8, 16, or 20 bytes.
+ --
+ -- OBJECT ipDefaultRouterAddressType
+ -- SYNTAX InetAddressType {ipv4(1), ipv6(2),
+ -- ipv4z(3), ipv6z(4)}
+ -- DESCRIPTION
+ -- This MIB requires support for only global and
+ -- non-global IPv4 and IPv6 address types.
+ --
+ -- OBJECT ipDefaultRouterAddress
+ -- SYNTAX InetAddress (Size(4 | 8 | 16 | 20))
+ -- DESCRIPTION
+ -- This MIB requires support for only global and
+ -- non-global IPv4 and IPv6 addresses and so the size
+ -- can be 4, 8, 16, or 20 bytes."
+
+ MODULE -- this module
+
+ MANDATORY-GROUPS { ipSystemStatsGroup, ipAddressGroup,
+ ipNetToPhysicalGroup, ipDefaultRouterGroup,
+ icmpStatsGroup }
+
+ GROUP ipSystemStatsHCOctetGroup
+ DESCRIPTION
+ "This group is mandatory for systems that have an aggregate
+ bandwidth of greater than 20MB. Including this group does
+ not allow an entity to neglect the 32 bit versions of these
+ objects."
+
+ GROUP ipSystemStatsHCPacketGroup
+ DESCRIPTION
+ "This group is mandatory for systems that have an aggregate
+ bandwidth of greater than 650MB. Including this group
+
+ does not allow an entity to neglect the 32 bit versions of
+ these objects."
+
+ GROUP ipIfStatsGroup
+ DESCRIPTION
+ "This group is optional for all systems."
+
+ GROUP ipIfStatsHCOctetGroup
+ DESCRIPTION
+ "This group is mandatory for systems that include the
+ ipIfStatsGroup and include links with bandwidths of greater
+ than 20MB. Including this group does not allow an entity to
+ neglect the 32 bit versions of these objects."
+
+ GROUP ipIfStatsHCPacketGroup
+ DESCRIPTION
+ "This group is mandatory for systems that include the
+ ipIfStatsGroup and include links with bandwidths of greater
+ than 650MB. Including this group does not allow an entity
+ to neglect the 32 bit versions of these objects."
+
+ GROUP ipv4GeneralGroup
+ DESCRIPTION
+ "This group is mandatory for all systems supporting IPv4."
+
+ GROUP ipv4IfGroup
+ DESCRIPTION
+ "This group is mandatory for all systems supporting IPv4."
+
+ GROUP ipv4SystemStatsGroup
+ DESCRIPTION
+ "This group is mandatory for all systems supporting IPv4."
+
+ GROUP ipv4SystemStatsHCPacketGroup
+ DESCRIPTION
+ "This group is mandatory for all systems supporting IPv4 and
+ that have an aggregate bandwidth of greater than 650MB.
+ Including this group does not allow an entity to neglect the
+ 32 bit versions of these objects."
+
+ GROUP ipv4IfStatsGroup
+ DESCRIPTION
+ "This group is mandatory for all systems supporting IPv4 and
+ including the ipIfStatsGroup."
+
+ GROUP ipv4IfStatsHCPacketGroup
+ DESCRIPTION
+ "This group is mandatory for all systems supporting IPv4 and
+
+ including the ipIfStatsHCPacketGroup. Including this group
+ does not allow an entity to neglect the 32 bit versions of
+ these objects."
+
+ GROUP ipv6GeneralGroup2
+ DESCRIPTION
+ "This group is mandatory for all systems supporting IPv6."
+
+ GROUP ipv6IfGroup
+ DESCRIPTION
+ "This group is mandatory for all systems supporting IPv6."
+
+ GROUP ipAddressPrefixGroup
+ DESCRIPTION
+ "This group is mandatory for all systems supporting IPv6."
+
+ GROUP ipv6ScopeGroup
+ DESCRIPTION
+ "This group is mandatory for all systems supporting IPv6."
+
+ GROUP ipv6RouterAdvertGroup
+ DESCRIPTION
+ "This group is mandatory for all IPv6 routers."
+
+ GROUP ipLastChangeGroup
+ DESCRIPTION
+ "This group is optional for all agents."
+
+ OBJECT ipv6IpForwarding
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "An agent is not required to provide write access to this
+ object."
+
+ OBJECT ipv6IpDefaultHopLimit
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "An agent is not required to provide write access to this
+ object."
+
+ OBJECT ipv4InterfaceEnableStatus
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "An agent is not required to provide write access to this
+ object."
+
+ OBJECT ipv6InterfaceEnableStatus
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "An agent is not required to provide write access to this
+ object."
+
+ OBJECT ipv6InterfaceForwarding
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "An agent is not required to provide write access to this
+ object."
+
+ OBJECT ipAddressSpinLock
+ MIN-ACCESS not-accessible
+ DESCRIPTION
+ "An agent is not required to provide write access to this
+ object. However, if an agent provides write access to any
+ of the other objects in the ipAddressGroup, it SHOULD
+ provide write access to this object as well."
+
+ OBJECT ipAddressIfIndex
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "An agent is not required to provide write or create access
+ to this object."
+
+ OBJECT ipAddressType
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "An agent is not required to provide write or create access
+ to this object."
+
+ OBJECT ipAddressStatus
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "An agent is not required to provide write or create access
+ to this object."
+
+ OBJECT ipAddressRowStatus
+ SYNTAX RowStatus { active(1) }
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "An agent is not required to provide write or create access
+ to this object."
+
+ OBJECT ipAddressStorageType
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "An agent is not required to provide write or create access
+ to this object.
+
+ If an agent allows this object to be written or created, it
+ is not required to allow this object to be set to readOnly,
+ permanent, or nonVolatile."
+
+ OBJECT ipNetToPhysicalPhysAddress
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "An agent is not required to provide write or create access
+ to this object."
+
+ OBJECT ipNetToPhysicalType
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "An agent is not required to provide write or create access
+ to this object."
+
+ OBJECT ipv6RouterAdvertSpinLock
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "An agent is not required to provide write access to this
+ object. However, if an agent provides write access to
+ any of the other objects in the ipv6RouterAdvertGroup, it
+ SHOULD provide write access to this object as well."
+
+ OBJECT ipv6RouterAdvertSendAdverts
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "An agent is not required to provide write access to this
+ object."
+
+ OBJECT ipv6RouterAdvertMaxInterval
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "An agent is not required to provide write access to this
+ object."
+
+ OBJECT ipv6RouterAdvertMinInterval
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "An agent is not required to provide write access to this
+ object."
+
+ OBJECT ipv6RouterAdvertManagedFlag
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "An agent is not required to provide write access to this
+ object."
+
+ OBJECT ipv6RouterAdvertOtherConfigFlag
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "An agent is not required to provide write access to this
+ object."
+
+ OBJECT ipv6RouterAdvertLinkMTU
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "An agent is not required to provide write access to this
+ object."
+
+ OBJECT ipv6RouterAdvertReachableTime
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "An agent is not required to provide write access to this
+ object."
+
+ OBJECT ipv6RouterAdvertRetransmitTime
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "An agent is not required to provide write access to this
+ object."
+
+ OBJECT ipv6RouterAdvertCurHopLimit
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "An agent is not required to provide write access to this
+ object."
+
+ OBJECT ipv6RouterAdvertDefaultLifetime
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "An agent is not required to provide write access to this
+ object."
+
+ OBJECT ipv6RouterAdvertRowStatus
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "An agent is not required to provide write or create access
+ to this object."
+ ::= { ipMIBCompliances 2 }
+
+-- units of conformance
+
+ipv4GeneralGroup OBJECT-GROUP
+ OBJECTS { ipForwarding, ipDefaultTTL, ipReasmTimeout }
+ STATUS current
+ DESCRIPTION
+ "The group of IPv4-specific objects for basic management of
+ IPv4 entities."
+ ::= { ipMIBGroups 3 }
+
+ipv4IfGroup OBJECT-GROUP
+ OBJECTS { ipv4InterfaceReasmMaxSize, ipv4InterfaceEnableStatus,
+ ipv4InterfaceRetransmitTime }
+ STATUS current
+ DESCRIPTION
+ "The group of IPv4-specific objects for basic management of
+ IPv4 interfaces."
+ ::= { ipMIBGroups 4 }
+
+ipv6GeneralGroup2 OBJECT-GROUP
+ OBJECTS { ipv6IpForwarding, ipv6IpDefaultHopLimit }
+ STATUS current
+ DESCRIPTION
+ "The IPv6 group of objects providing for basic management of
+ IPv6 entities."
+ ::= { ipMIBGroups 5 }
+
+ipv6IfGroup OBJECT-GROUP
+ OBJECTS { ipv6InterfaceReasmMaxSize, ipv6InterfaceIdentifier,
+ ipv6InterfaceEnableStatus, ipv6InterfaceReachableTime,
+ ipv6InterfaceRetransmitTime, ipv6InterfaceForwarding }
+ STATUS current
+ DESCRIPTION
+ "The group of IPv6-specific objects for basic management of
+ IPv6 interfaces."
+ ::= { ipMIBGroups 6 }
+
+ipLastChangeGroup OBJECT-GROUP
+ OBJECTS { ipv4InterfaceTableLastChange,
+ ipv6InterfaceTableLastChange,
+ ipIfStatsTableLastChange }
+ STATUS current
+ DESCRIPTION
+ "The last change objects associated with this MIB. These
+ objects are optional for all agents. They SHOULD be
+ implemented on agents where it is possible to determine the
+ proper values.
Where it is not possible to determine the
+ proper values, for example when the tables are split amongst
+ several sub-agents using AgentX, the agent MUST NOT
+ implement these objects to return an incorrect or static
+ value."
+ ::= { ipMIBGroups 7 }
+
+ipSystemStatsGroup OBJECT-GROUP
+ OBJECTS { ipSystemStatsInReceives,
+ ipSystemStatsInOctets,
+ ipSystemStatsInHdrErrors,
+ ipSystemStatsInNoRoutes,
+ ipSystemStatsInAddrErrors,
+ ipSystemStatsInUnknownProtos,
+ ipSystemStatsInTruncatedPkts,
+ ipSystemStatsInForwDatagrams,
+ ipSystemStatsReasmReqds,
+ ipSystemStatsReasmOKs,
+ ipSystemStatsReasmFails,
+ ipSystemStatsInDiscards,
+ ipSystemStatsInDelivers,
+ ipSystemStatsOutRequests,
+ ipSystemStatsOutNoRoutes,
+ ipSystemStatsOutForwDatagrams,
+ ipSystemStatsOutDiscards,
+ ipSystemStatsOutFragReqds,
+ ipSystemStatsOutFragOKs,
+ ipSystemStatsOutFragFails,
+ ipSystemStatsOutFragCreates,
+ ipSystemStatsOutTransmits,
+ ipSystemStatsOutOctets,
+ ipSystemStatsInMcastPkts,
+ ipSystemStatsInMcastOctets,
+ ipSystemStatsOutMcastPkts,
+ ipSystemStatsOutMcastOctets,
+ ipSystemStatsDiscontinuityTime,
+ ipSystemStatsRefreshRate }
+ STATUS current
+ DESCRIPTION
+ "IP system wide statistics."
+ ::= { ipMIBGroups 8 }
+
+ipv4SystemStatsGroup OBJECT-GROUP
+ OBJECTS { ipSystemStatsInBcastPkts, ipSystemStatsOutBcastPkts }
+ STATUS current
+ DESCRIPTION
+ "IPv4 only system wide statistics."
+ ::= { ipMIBGroups 9 }
+
+ipSystemStatsHCOctetGroup OBJECT-GROUP
+ OBJECTS { ipSystemStatsHCInOctets,
+ ipSystemStatsHCOutOctets,
+ ipSystemStatsHCInMcastOctets,
+ ipSystemStatsHCOutMcastOctets
+}
+ STATUS current
+ DESCRIPTION
+ "IP system wide statistics for systems that may overflow the
+ standard octet counters within 1 hour."
+ ::= { ipMIBGroups 10 }
+
+ipSystemStatsHCPacketGroup OBJECT-GROUP
+ OBJECTS { ipSystemStatsHCInReceives,
+ ipSystemStatsHCInForwDatagrams,
+ ipSystemStatsHCInDelivers,
+ ipSystemStatsHCOutRequests,
+ ipSystemStatsHCOutForwDatagrams,
+ ipSystemStatsHCOutTransmits,
+ ipSystemStatsHCInMcastPkts,
+ ipSystemStatsHCOutMcastPkts
+}
+ STATUS current
+ DESCRIPTION
+ "IP system wide statistics for systems that may overflow the
+ standard packet counters within 1 hour."
+ ::= { ipMIBGroups 11 }
+
+ipv4SystemStatsHCPacketGroup OBJECT-GROUP
+ OBJECTS { ipSystemStatsHCInBcastPkts,
+ ipSystemStatsHCOutBcastPkts }
+ STATUS current
+ DESCRIPTION
+ "IPv4 only system wide statistics for systems that may
+ overflow the standard packet counters within 1 hour."
+ ::= { ipMIBGroups 12 }
+
+ipIfStatsGroup OBJECT-GROUP
+ OBJECTS { ipIfStatsInReceives, ipIfStatsInOctets,
+ ipIfStatsInHdrErrors, ipIfStatsInNoRoutes,
+ ipIfStatsInAddrErrors, ipIfStatsInUnknownProtos,
+ ipIfStatsInTruncatedPkts, ipIfStatsInForwDatagrams,
+ ipIfStatsReasmReqds, ipIfStatsReasmOKs,
+ ipIfStatsReasmFails, ipIfStatsInDiscards,
+ ipIfStatsInDelivers, ipIfStatsOutRequests,
+ ipIfStatsOutForwDatagrams, ipIfStatsOutDiscards,
+ ipIfStatsOutFragReqds, ipIfStatsOutFragOKs,
+ ipIfStatsOutFragFails, ipIfStatsOutFragCreates,
+ ipIfStatsOutTransmits, ipIfStatsOutOctets,
+ ipIfStatsInMcastPkts, ipIfStatsInMcastOctets,
+ ipIfStatsOutMcastPkts, ipIfStatsOutMcastOctets,
+ ipIfStatsDiscontinuityTime, ipIfStatsRefreshRate }
+ STATUS current
+ DESCRIPTION
+ "IP per-interface statistics."
+ ::= { ipMIBGroups 13 }
+
+ipv4IfStatsGroup OBJECT-GROUP
+ OBJECTS { ipIfStatsInBcastPkts, ipIfStatsOutBcastPkts }
+ STATUS current
+ DESCRIPTION
+ "IPv4 only per-interface statistics."
+ ::= { ipMIBGroups 14 }
+
+ipIfStatsHCOctetGroup OBJECT-GROUP
+ OBJECTS { ipIfStatsHCInOctets, ipIfStatsHCOutOctets,
+ ipIfStatsHCInMcastOctets, ipIfStatsHCOutMcastOctets }
+ STATUS current
+ DESCRIPTION
+ "IP per-interfaces statistics for systems that include
+ interfaces that may overflow the standard octet
+ counters within 1 hour."
+ ::= { ipMIBGroups 15 }
+
+ipIfStatsHCPacketGroup OBJECT-GROUP
+ OBJECTS { ipIfStatsHCInReceives, ipIfStatsHCInForwDatagrams,
+ ipIfStatsHCInDelivers, ipIfStatsHCOutRequests,
+ ipIfStatsHCOutForwDatagrams, ipIfStatsHCOutTransmits,
+ ipIfStatsHCInMcastPkts, ipIfStatsHCOutMcastPkts }
+ STATUS current
+ DESCRIPTION
+ "IP per-interfaces statistics for systems that include
+ interfaces that may overflow the standard packet counters
+ within 1 hour."
+ ::= { ipMIBGroups 16 }
+
+ipv4IfStatsHCPacketGroup OBJECT-GROUP
+ OBJECTS { ipIfStatsHCInBcastPkts, ipIfStatsHCOutBcastPkts }
+ STATUS current
+ DESCRIPTION
+ "IPv4 only per-interface statistics for systems that include
+ interfaces that may overflow the standard packet counters
+ within 1 hour."
+ ::= { ipMIBGroups 17 }
+
+ipAddressPrefixGroup OBJECT-GROUP
+ OBJECTS { ipAddressPrefixOrigin,
+ ipAddressPrefixOnLinkFlag,
+ ipAddressPrefixAutonomousFlag,
+ ipAddressPrefixAdvPreferredLifetime,
+ ipAddressPrefixAdvValidLifetime }
+ STATUS current
+ DESCRIPTION
+ "The group of objects for providing information about address
+ prefixes used by this node."
+ ::= { ipMIBGroups 18 }
+
+ipAddressGroup OBJECT-GROUP
+ OBJECTS { ipAddressSpinLock, ipAddressIfIndex,
+ ipAddressType, ipAddressPrefix,
+ ipAddressOrigin, ipAddressStatus,
+ ipAddressCreated, ipAddressLastChanged,
+ ipAddressRowStatus, ipAddressStorageType }
+ STATUS current
+ DESCRIPTION
+ "The group of objects for providing information about the
+ addresses relevant to this entity's interfaces."
+ ::= { ipMIBGroups 19 }
+
+ipNetToPhysicalGroup OBJECT-GROUP
+ OBJECTS { ipNetToPhysicalPhysAddress, ipNetToPhysicalLastUpdated,
+ ipNetToPhysicalType, ipNetToPhysicalState,
+ ipNetToPhysicalRowStatus }
+ STATUS current
+ DESCRIPTION
+ "The group of objects for providing information about the
+ mappings of network address to physical address known to
+ this node."
+ ::= { ipMIBGroups 20 }
+
+ipv6ScopeGroup OBJECT-GROUP
+ OBJECTS { ipv6ScopeZoneIndexLinkLocal,
+ ipv6ScopeZoneIndex3,
+ ipv6ScopeZoneIndexAdminLocal,
+ ipv6ScopeZoneIndexSiteLocal,
+ ipv6ScopeZoneIndex6,
+ ipv6ScopeZoneIndex7,
+ ipv6ScopeZoneIndexOrganizationLocal,
+ ipv6ScopeZoneIndex9,
+ ipv6ScopeZoneIndexA,
+ ipv6ScopeZoneIndexB,
+ ipv6ScopeZoneIndexC,
+ ipv6ScopeZoneIndexD }
+ STATUS current
+ DESCRIPTION
+ "The group of objects for managing IPv6 scope zones."
+ ::= { ipMIBGroups 21 }
+
+ipDefaultRouterGroup OBJECT-GROUP
+ OBJECTS { ipDefaultRouterLifetime, ipDefaultRouterPreference }
+ STATUS current
+ DESCRIPTION
+ "The group of objects for providing information about default
+ routers known to this node."
+ ::= { ipMIBGroups 22 }
+
+ipv6RouterAdvertGroup OBJECT-GROUP
+ OBJECTS { ipv6RouterAdvertSpinLock,
+ ipv6RouterAdvertSendAdverts,
+ ipv6RouterAdvertMaxInterval,
+ ipv6RouterAdvertMinInterval,
+ ipv6RouterAdvertManagedFlag,
+ ipv6RouterAdvertOtherConfigFlag,
+ ipv6RouterAdvertLinkMTU,
+ ipv6RouterAdvertReachableTime,
+ ipv6RouterAdvertRetransmitTime,
+ ipv6RouterAdvertCurHopLimit,
+ ipv6RouterAdvertDefaultLifetime,
+ ipv6RouterAdvertRowStatus
+}
+ STATUS current
+ DESCRIPTION
+ "The group of objects for controlling information advertised
+ by IPv6 routers."
+ ::= { ipMIBGroups 23 }
+
+icmpStatsGroup OBJECT-GROUP
+ OBJECTS {icmpStatsInMsgs, icmpStatsInErrors,
+ icmpStatsOutMsgs, icmpStatsOutErrors,
+ icmpMsgStatsInPkts, icmpMsgStatsOutPkts }
+ STATUS current
+ DESCRIPTION
+ "The group of objects providing ICMP statistics."
+ ::= { ipMIBGroups 24 }
+
+--
+-- Deprecated objects
+--
+
+ipInReceives OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The total number of input datagrams received from
+ interfaces, including those received in error.
+
+ This object has been deprecated, as a new IP version-neutral
+
+ table has been added. It is loosely replaced by
+ ipSystemStatsInRecieves."
+ ::= { ip 3 }
+
+ipInHdrErrors OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of input datagrams discarded due to errors in
+ their IPv4 headers, including bad checksums, version number
+ mismatch, other format errors, time-to-live exceeded, errors
+ discovered in processing their IPv4 options, etc.
+
+ This object has been deprecated as a new IP version-neutral
+ table has been added. It is loosely replaced by
+ ipSystemStatsInHdrErrors."
+ ::= { ip 4 }
+
+ipInAddrErrors OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of input datagrams discarded because the IPv4
+ address in their IPv4 header's destination field was not a
+ valid address to be received at this entity. This count
+ includes invalid addresses (e.g., 0.0.0.0) and addresses of
+ unsupported Classes (e.g., Class E). For entities which are
+ not IPv4 routers, and therefore do not forward datagrams,
+ this counter includes datagrams discarded because the
+ destination address was not a local address.
+
+ This object has been deprecated, as a new IP version-neutral
+ table has been added. It is loosely replaced by
+ ipSystemStatsInAddrErrors."
+ ::= { ip 5 }
+
+ipForwDatagrams OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of input datagrams for which this entity was not
+ their final IPv4 destination, as a result of which an
+ attempt was made to find a route to forward them to that
+ final destination.
In entities which do not act as IPv4
+ routers, this counter will include only those packets which
+
+ were Source-Routed via this entity, and the Source-Route
+ option processing was successful.
+
+ This object has been deprecated, as a new IP version-neutral
+ table has been added. It is loosely replaced by
+ ipSystemStatsInForwDatagrams."
+ ::= { ip 6 }
+
+ipInUnknownProtos OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of locally-addressed datagrams received
+ successfully but discarded because of an unknown or
+ unsupported protocol.
+
+ This object has been deprecated, as a new IP version-neutral
+ table has been added. It is loosely replaced by
+ ipSystemStatsInUnknownProtos."
+ ::= { ip 7 }
+
+ipInDiscards OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The number of input IPv4 datagrams for which no problems
+ were encountered to prevent their continued processing, but
+ which were discarded (e.g., for lack of buffer space). Note
+ that this counter does not include any datagrams discarded
+ while awaiting re-assembly.
+
+ This object has been deprecated, as a new IP version-neutral
+ table has been added. It is loosely replaced by
+ ipSystemStatsInDiscards."
+ ::= { ip 8 }
+
+ipInDelivers OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The total number of input datagrams successfully delivered
+ to IPv4 user-protocols (including ICMP).
+
+ This object has been deprecated as a new IP version neutral
+ table has been added. It is loosely replaced by
+
+ ipSystemStatsIndelivers."
+ ::= { ip 9 }
+
+ipOutRequests OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The total number of IPv4 datagrams which local IPv4 user
+ protocols (including ICMP) supplied to IPv4 in requests for
+ transmission. Note that this counter does not include any
+ datagrams counted in ipForwDatagrams.
+ + This object has been deprecated, as a new IP version-neutral + table has been added. It is loosely replaced by + ipSystemStatsOutRequests." + ::= { ip 10 } + +ipOutDiscards OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The number of output IPv4 datagrams for which no problem was + encountered to prevent their transmission to their + destination, but which were discarded (e.g., for lack of + buffer space). Note that this counter would include + datagrams counted in ipForwDatagrams if any such packets met + this (discretionary) discard criterion. + + This object has been deprecated, as a new IP version-neutral + table has been added. It is loosely replaced by + ipSystemStatsOutDiscards." + ::= { ip 11 } + +ipOutNoRoutes OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The number of IPv4 datagrams discarded because no route + could be found to transmit them to their destination. Note + that this counter includes any packets counted in + ipForwDatagrams which meet this `no-route' criterion. Note + that this includes any datagrams which a host cannot route + because all of its default routers are down. + + This object has been deprecated, as a new IP version-neutral + + table has been added. It is loosely replaced by + ipSystemStatsOutNoRoutes." + ::= { ip 12 } + +ipReasmReqds OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The number of IPv4 fragments received which needed to be + reassembled at this entity. + + This object has been deprecated, as a new IP version-neutral + table has been added. It is loosely replaced by + ipSystemStatsReasmReqds." + ::= { ip 14 } + +ipReasmOKs OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The number of IPv4 datagrams successfully re-assembled. + + This object has been deprecated, as a new IP version-neutral + table has been added. 
It is loosely replaced by + ipSystemStatsReasmOKs." + ::= { ip 15 } + +ipReasmFails OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The number of failures detected by the IPv4 re-assembly + algorithm (for whatever reason: timed out, errors, etc). + Note that this is not necessarily a count of discarded IPv4 + fragments since some algorithms (notably the algorithm in + RFC 815) can lose track of the number of fragments by + combining them as they are received. + + This object has been deprecated, as a new IP version-neutral + table has been added. It is loosely replaced by + ipSystemStatsReasmFails." + ::= { ip 16 } + +ipFragOKs OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The number of IPv4 datagrams that have been successfully + fragmented at this entity. + + This object has been deprecated, as a new IP version-neutral + table has been added. It is loosely replaced by + ipSystemStatsOutFragOKs." + ::= { ip 17 } + +ipFragFails OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The number of IPv4 datagrams that have been discarded + because they needed to be fragmented at this entity but + could not be, e.g., because their Don't Fragment flag was + set. + + This object has been deprecated, as a new IP version-neutral + table has been added. It is loosely replaced by + ipSystemStatsOutFragFails." + ::= { ip 18 } + +ipFragCreates OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The number of IPv4 datagram fragments that have been + generated as a result of fragmentation at this entity. + + This object has been deprecated as a new IP version neutral + table has been added. It is loosely replaced by + ipSystemStatsOutFragCreates." 
+ ::= { ip 19 } + +ipRoutingDiscards OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The number of routing entries which were chosen to be + discarded even though they are valid. One possible reason + for discarding such an entry could be to free-up buffer + space for other routing entries. + + This object was defined in pre-IPv6 versions of the IP MIB. + It was implicitly IPv4 only, but the original specifications + did not indicate this protocol restriction. In order to + clarify the specifications, this object has been deprecated + and a similar, but more thoroughly clarified, object has + been added to the IP-FORWARD-MIB." + ::= { ip 23 } + +-- the deprecated IPv4 address table + +ipAddrTable OBJECT-TYPE + SYNTAX SEQUENCE OF IpAddrEntry + MAX-ACCESS not-accessible + STATUS deprecated + DESCRIPTION + "The table of addressing information relevant to this + entity's IPv4 addresses. + + This table has been deprecated, as a new IP version-neutral + table has been added. It is loosely replaced by the + ipAddressTable although several objects that weren't deemed + useful weren't carried forward while another + (ipAdEntReasmMaxSize) was moved to the ipv4InterfaceTable." + ::= { ip 20 } + +ipAddrEntry OBJECT-TYPE + SYNTAX IpAddrEntry + MAX-ACCESS not-accessible + STATUS deprecated + DESCRIPTION + "The addressing information for one of this entity's IPv4 + addresses." + INDEX { ipAdEntAddr } + ::= { ipAddrTable 1 } + +IpAddrEntry ::= SEQUENCE { + ipAdEntAddr IpAddress, + ipAdEntIfIndex INTEGER, + ipAdEntNetMask IpAddress, + ipAdEntBcastAddr INTEGER, + ipAdEntReasmMaxSize INTEGER + } + +ipAdEntAddr OBJECT-TYPE + SYNTAX IpAddress + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The IPv4 address to which this entry's addressing + information pertains." 
+ ::= { ipAddrEntry 1 } + +ipAdEntIfIndex OBJECT-TYPE + SYNTAX INTEGER (1..2147483647) + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The index value which uniquely identifies the interface to + which this entry is applicable. The interface identified by + a particular value of this index is the same interface as + identified by the same value of the IF-MIB's ifIndex." + ::= { ipAddrEntry 2 } + +ipAdEntNetMask OBJECT-TYPE + SYNTAX IpAddress + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The subnet mask associated with the IPv4 address of this + entry. The value of the mask is an IPv4 address with all + the network bits set to 1 and all the hosts bits set to 0." + ::= { ipAddrEntry 3 } + +ipAdEntBcastAddr OBJECT-TYPE + SYNTAX INTEGER (0..1) + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The value of the least-significant bit in the IPv4 broadcast + address used for sending datagrams on the (logical) + interface associated with the IPv4 address of this entry. + For example, when the Internet standard all-ones broadcast + address is used, the value will be 1. This value applies to + both the subnet and network broadcast addresses used by the + entity on this (logical) interface." + ::= { ipAddrEntry 4 } + +ipAdEntReasmMaxSize OBJECT-TYPE + SYNTAX INTEGER (0..65535) + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The size of the largest IPv4 datagram which this entity can + re-assemble from incoming IPv4 fragmented datagrams received + on this interface." + ::= { ipAddrEntry 5 } + +-- the deprecated IPv4 Address Translation table + +-- The Address Translation tables contain the IpAddress to +-- "physical" address equivalences. Some interfaces do not +-- use translation tables for determining address +-- equivalences (e.g., DDN-X.25 has an algorithmic method); +-- if all interfaces are of this type, then the Address +-- Translation table is empty, i.e., has zero entries. 
+ +ipNetToMediaTable OBJECT-TYPE + SYNTAX SEQUENCE OF IpNetToMediaEntry + MAX-ACCESS not-accessible + STATUS deprecated + DESCRIPTION + "The IPv4 Address Translation table used for mapping from + IPv4 addresses to physical addresses. + + This table has been deprecated, as a new IP version-neutral + table has been added. It is loosely replaced by the + ipNetToPhysicalTable." + ::= { ip 22 } + +ipNetToMediaEntry OBJECT-TYPE + SYNTAX IpNetToMediaEntry + MAX-ACCESS not-accessible + STATUS deprecated + DESCRIPTION + "Each entry contains one IpAddress to `physical' address + equivalence." + INDEX { ipNetToMediaIfIndex, + ipNetToMediaNetAddress } + ::= { ipNetToMediaTable 1 } + +IpNetToMediaEntry ::= SEQUENCE { + ipNetToMediaIfIndex INTEGER, + ipNetToMediaPhysAddress PhysAddress, + ipNetToMediaNetAddress IpAddress, + ipNetToMediaType INTEGER + } + +ipNetToMediaIfIndex OBJECT-TYPE + SYNTAX INTEGER (1..2147483647) + MAX-ACCESS read-create + STATUS deprecated + DESCRIPTION + "The interface on which this entry's equivalence is + effective. The interface identified by a particular value + of this index is the same interface as identified by the + + same value of the IF-MIB's ifIndex. + + This object predates the rule limiting index objects to a + max access value of 'not-accessible' and so continues to use + a value of 'read-create'." + ::= { ipNetToMediaEntry 1 } + +ipNetToMediaPhysAddress OBJECT-TYPE + SYNTAX PhysAddress (SIZE(0..65535)) + MAX-ACCESS read-create + STATUS deprecated + DESCRIPTION + "The media-dependent `physical' address. This object should + return 0 when this entry is in the 'incomplete' state. + + As the entries in this table are typically not persistent + when this object is written the entity should not save the + change to non-volatile storage. Note: a stronger + requirement is not used because this object was previously + defined." 
+ ::= { ipNetToMediaEntry 2 } + +ipNetToMediaNetAddress OBJECT-TYPE + SYNTAX IpAddress + MAX-ACCESS read-create + STATUS deprecated + DESCRIPTION + "The IpAddress corresponding to the media-dependent + `physical' address. + + This object predates the rule limiting index objects to a + max access value of 'not-accessible' and so continues to use + a value of 'read-create'." + ::= { ipNetToMediaEntry 3 } + +ipNetToMediaType OBJECT-TYPE + SYNTAX INTEGER { + other(1), -- none of the following + invalid(2), -- an invalidated mapping + dynamic(3), + static(4) + } + MAX-ACCESS read-create + STATUS deprecated + DESCRIPTION + "The type of mapping. + + Setting this object to the value invalid(2) has the effect + + of invalidating the corresponding entry in the + ipNetToMediaTable. That is, it effectively dis-associates + the interface identified with said entry from the mapping + identified with said entry. It is an implementation- + specific matter as to whether the agent removes an + invalidated entry from the table. Accordingly, management + stations must be prepared to receive tabular information + from agents that corresponds to entries not currently in + use. Proper interpretation of such entries requires + examination of the relevant ipNetToMediaType object. + + As the entries in this table are typically not persistent + when this object is written the entity should not save the + change to non-volatile storage. Note: a stronger + requirement is not used because this object was previously + defined." + ::= { ipNetToMediaEntry 4 } + +-- the deprecated ICMP group + +icmpInMsgs OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The total number of ICMP messages which the entity received. + Note that this counter includes all those counted by + icmpInErrors. + + This object has been deprecated, as a new IP version-neutral + table has been added. It is loosely replaced by + icmpStatsInMsgs." 
+ ::= { icmp 1 } + +icmpInErrors OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The number of ICMP messages which the entity received but + determined as having ICMP-specific errors (bad ICMP + checksums, bad length, etc.). + + This object has been deprecated, as a new IP version-neutral + table has been added. It is loosely replaced by + icmpStatsInErrors." + ::= { icmp 2 } + +icmpInDestUnreachs OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The number of ICMP Destination Unreachable messages + received. + + This object has been deprecated, as a new IP version-neutral + table has been added. It is loosely replaced by a column in + the icmpMsgStatsTable." + ::= { icmp 3 } + +icmpInTimeExcds OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The number of ICMP Time Exceeded messages received. + + This object has been deprecated, as a new IP version-neutral + table has been added. It is loosely replaced by a column in + the icmpMsgStatsTable." + ::= { icmp 4 } + +icmpInParmProbs OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The number of ICMP Parameter Problem messages received. + + This object has been deprecated, as a new IP version-neutral + table has been added. It is loosely replaced by a column in + the icmpMsgStatsTable." + ::= { icmp 5 } + +icmpInSrcQuenchs OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The number of ICMP Source Quench messages received. + + This object has been deprecated, as a new IP version-neutral + table has been added. It is loosely replaced by a column in + the icmpMsgStatsTable." + ::= { icmp 6 } + +icmpInRedirects OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The number of ICMP Redirect messages received. 
+ + This object has been deprecated, as a new IP version-neutral + table has been added. It is loosely replaced by a column in + the icmpMsgStatsTable." + ::= { icmp 7 } + +icmpInEchos OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The number of ICMP Echo (request) messages received. + + This object has been deprecated, as a new IP version-neutral + table has been added. It is loosely replaced by a column in + the icmpMsgStatsTable." + ::= { icmp 8 } + +icmpInEchoReps OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The number of ICMP Echo Reply messages received. + + This object has been deprecated, as a new IP version-neutral + table has been added. It is loosely replaced by a column in + the icmpMsgStatsTable." + ::= { icmp 9 } + +icmpInTimestamps OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The number of ICMP Timestamp (request) messages received. + + This object has been deprecated, as a new IP version-neutral + table has been added. It is loosely replaced by a column in + the icmpMsgStatsTable." + ::= { icmp 10 } + +icmpInTimestampReps OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The number of ICMP Timestamp Reply messages received. + + This object has been deprecated, as a new IP version-neutral + table has been added. It is loosely replaced by a column in + the icmpMsgStatsTable." + ::= { icmp 11 } + +icmpInAddrMasks OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The number of ICMP Address Mask Request messages received. + + This object has been deprecated, as a new IP version-neutral + table has been added. It is loosely replaced by a column in + the icmpMsgStatsTable." 
+ ::= { icmp 12 } + +icmpInAddrMaskReps OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The number of ICMP Address Mask Reply messages received. + + This object has been deprecated, as a new IP version-neutral + table has been added. It is loosely replaced by a column in + the icmpMsgStatsTable." + ::= { icmp 13 } + +icmpOutMsgs OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The total number of ICMP messages which this entity + attempted to send. Note that this counter includes all + those counted by icmpOutErrors. + + This object has been deprecated, as a new IP version-neutral + table has been added. It is loosely replaced by + icmpStatsOutMsgs." + ::= { icmp 14 } + +icmpOutErrors OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The number of ICMP messages which this entity did not send + due to problems discovered within ICMP, such as a lack of + buffers. This value should not include errors discovered + outside the ICMP layer, such as the inability of IP to route + the resultant datagram. In some implementations, there may + be no types of error which contribute to this counter's + value. + + This object has been deprecated, as a new IP version-neutral + table has been added. It is loosely replaced by + icmpStatsOutErrors." + ::= { icmp 15 } + +icmpOutDestUnreachs OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The number of ICMP Destination Unreachable messages sent. + + This object has been deprecated, as a new IP version-neutral + table has been added. It is loosely replaced by a column in + the icmpMsgStatsTable." + ::= { icmp 16 } + +icmpOutTimeExcds OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The number of ICMP Time Exceeded messages sent. + + This object has been deprecated, as a new IP version-neutral + table has been added. 
It is loosely replaced by a column in + the icmpMsgStatsTable." + ::= { icmp 17 } + +icmpOutParmProbs OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The number of ICMP Parameter Problem messages sent. + + This object has been deprecated, as a new IP version-neutral + table has been added. It is loosely replaced by a column in + the icmpMsgStatsTable." + ::= { icmp 18 } + +icmpOutSrcQuenchs OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The number of ICMP Source Quench messages sent. + + This object has been deprecated, as a new IP version-neutral + table has been added. It is loosely replaced by a column in + the icmpMsgStatsTable." + ::= { icmp 19 } + +icmpOutRedirects OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The number of ICMP Redirect messages sent. For a host, this + object will always be zero, since hosts do not send + redirects. + + This object has been deprecated, as a new IP version-neutral + table has been added. It is loosely replaced by a column in + the icmpMsgStatsTable." + ::= { icmp 20 } + +icmpOutEchos OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The number of ICMP Echo (request) messages sent. + + This object has been deprecated, as a new IP version-neutral + table has been added. It is loosely replaced by a column in + the icmpMsgStatsTable." + ::= { icmp 21 } + +icmpOutEchoReps OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The number of ICMP Echo Reply messages sent. + + This object has been deprecated, as a new IP version-neutral + table has been added. It is loosely replaced by a column in + the icmpMsgStatsTable." + ::= { icmp 22 } + +icmpOutTimestamps OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The number of ICMP Timestamp (request) messages sent. 
+ + This object has been deprecated, as a new IP version-neutral + table has been added. It is loosely replaced by a column in + the icmpMsgStatsTable." + ::= { icmp 23 } + +icmpOutTimestampReps OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The number of ICMP Timestamp Reply messages sent. + + This object has been deprecated, as a new IP version-neutral + table has been added. It is loosely replaced by a column in + the icmpMsgStatsTable." + ::= { icmp 24 } + +icmpOutAddrMasks OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The number of ICMP Address Mask Request messages sent. + + This object has been deprecated, as a new IP version-neutral + table has been added. It is loosely replaced by a column in + the icmpMsgStatsTable." + ::= { icmp 25 } + +icmpOutAddrMaskReps OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The number of ICMP Address Mask Reply messages sent. + + This object has been deprecated, as a new IP version-neutral + table has been added. It is loosely replaced by a column in + the icmpMsgStatsTable." + ::= { icmp 26 } + +-- deprecated conformance information +-- deprecated compliance statements + +ipMIBCompliance MODULE-COMPLIANCE + STATUS deprecated + DESCRIPTION + "The compliance statement for systems that implement only + IPv4. For version-independence, this compliance statement + is deprecated in favor of ipMIBCompliance2." 
+ MODULE -- this module + MANDATORY-GROUPS { ipGroup, + icmpGroup } + ::= { ipMIBCompliances 1 } + +-- deprecated units of conformance + +ipGroup OBJECT-GROUP + OBJECTS { ipForwarding, ipDefaultTTL, + ipInReceives, ipInHdrErrors, + ipInAddrErrors, ipForwDatagrams, + ipInUnknownProtos, ipInDiscards, + ipInDelivers, ipOutRequests, + ipOutDiscards, ipOutNoRoutes, + ipReasmTimeout, ipReasmReqds, + ipReasmOKs, ipReasmFails, + ipFragOKs, ipFragFails, + ipFragCreates, ipAdEntAddr, + ipAdEntIfIndex, ipAdEntNetMask, + ipAdEntBcastAddr, ipAdEntReasmMaxSize, + ipNetToMediaIfIndex, ipNetToMediaPhysAddress, + ipNetToMediaNetAddress, ipNetToMediaType, + ipRoutingDiscards +} + STATUS deprecated + DESCRIPTION + "The ip group of objects providing for basic management of IP + entities, exclusive of the management of IP routes. + + As part of the version independence, this group has been + deprecated. " + ::= { ipMIBGroups 1 } + +icmpGroup OBJECT-GROUP + OBJECTS { icmpInMsgs, icmpInErrors, + icmpInDestUnreachs, icmpInTimeExcds, + icmpInParmProbs, icmpInSrcQuenchs, + icmpInRedirects, icmpInEchos, + icmpInEchoReps, icmpInTimestamps, + icmpInTimestampReps, icmpInAddrMasks, + icmpInAddrMaskReps, icmpOutMsgs, + icmpOutErrors, icmpOutDestUnreachs, + icmpOutTimeExcds, icmpOutParmProbs, + icmpOutSrcQuenchs, icmpOutRedirects, + icmpOutEchos, icmpOutEchoReps, + icmpOutTimestamps, icmpOutTimestampReps, + icmpOutAddrMasks, icmpOutAddrMaskReps } + STATUS deprecated + DESCRIPTION + "The icmp group of objects providing ICMP statistics. + + As part of the version independence, this group has been + deprecated. " + ::= { ipMIBGroups 2 } + +END diff --git a/mibs/IPV6-FLOW-LABEL-MIB.txt b/mibs/IPV6-FLOW-LABEL-MIB.txt new file mode 100644 index 000000000..6fb36596b --- /dev/null +++ b/mibs/IPV6-FLOW-LABEL-MIB.txt 
@@ -0,0 +1,58 @@
+IPV6-FLOW-LABEL-MIB DEFINITIONS ::= BEGIN
+
+IMPORTS
+
+ MODULE-IDENTITY, mib-2, Integer32 FROM SNMPv2-SMI
+ TEXTUAL-CONVENTION FROM SNMPv2-TC;
+
+ipv6FlowLabelMIB MODULE-IDENTITY
+
+ LAST-UPDATED "200308280000Z" -- 28 August 2003
+ ORGANIZATION "IETF Operations and Management Area"
+ CONTACT-INFO "Bert Wijnen (Editor)
+ Lucent Technologies
+ Schagen 33
+ 3461 GL Linschoten
+ Netherlands
+
+ Phone: +31 348-407-775
+ EMail: bwijnen@lucent.com
+
+ Send comments to <mibs@ops.ietf.org>.
+ "
+ DESCRIPTION "This MIB module provides commonly used textual
+ conventions for IPv6 Flow Labels.
+
+ Copyright (C) The Internet Society (2003). This
+ version of this MIB module is part of RFC 3595,
+ see the RFC itself for full legal notices.
+ "
+ -- Revision History
+
+ REVISION "200308280000Z" -- 28 August 2003
+ DESCRIPTION "Initial version, published as RFC 3595."
+ ::= { mib-2 103 }
+
+IPv6FlowLabel ::= TEXTUAL-CONVENTION
+ DISPLAY-HINT "d"
+ STATUS current
+ DESCRIPTION "The flow identifier or Flow Label in an IPv6
+ packet header that may be used to discriminate
+ traffic flows.
+ "
+ REFERENCE "Internet Protocol, Version 6 (IPv6) specification,
+ section 6. RFC 2460.
+ "
+ SYNTAX Integer32 (0..1048575)
+
+IPv6FlowLabelOrAny ::= TEXTUAL-CONVENTION
+ DISPLAY-HINT "d"
+ STATUS current
+ DESCRIPTION "The flow identifier or Flow Label in an IPv6
+ packet header that may be used to discriminate
+ traffic flows. The value of -1 is used to
+ indicate a wildcard, i.e. any value.
+ "
+ SYNTAX Integer32 (-1 | 0..1048575)
+
+END
diff --git a/mibs/IPV6-ICMP-MIB.txt b/mibs/IPV6-ICMP-MIB.txt
new file mode 100644
index 000000000..bb66da576
--- /dev/null
+++ b/mibs/IPV6-ICMP-MIB.txt
@@ -0,0 +1,529 @@ + IPV6-ICMP-MIB DEFINITIONS ::= BEGIN + + IMPORTS + MODULE-IDENTITY, OBJECT-TYPE, + Counter32, mib-2 FROM SNMPv2-SMI + MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF + ipv6IfEntry FROM IPV6-MIB; + + ipv6IcmpMIB MODULE-IDENTITY + LAST-UPDATED "9801082155Z" + ORGANIZATION "IETF IPv6 Working Group" + CONTACT-INFO + " Dimitry Haskin + + Postal: Bay Networks, Inc. + 660 Techology Park Drive. + Billerica, MA 01821 + US + + Tel: +1-978-916-8124 + E-mail: dhaskin@baynetworks.com + + Steve Onishi + + Postal: Bay Networks, Inc. + 3 Federal Street + Billerica, MA 01821 + US + + Tel: +1-978-916-3816 + E-mail: sonishi@baynetworks.com" + DESCRIPTION + "The MIB module for entities implementing + the ICMPv6." + ::= { mib-2 56 } + + -- the ICMPv6 group + + ipv6IcmpMIBObjects OBJECT IDENTIFIER ::= { ipv6IcmpMIB 1 } + + -- Per-interface ICMPv6 statistics table + + ipv6IfIcmpTable OBJECT-TYPE + SYNTAX SEQUENCE OF Ipv6IfIcmpEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "IPv6 ICMP statistics. This table contains statistics + of ICMPv6 messages that are received and sourced by + the entity." + ::= { ipv6IcmpMIBObjects 1 } + + ipv6IfIcmpEntry OBJECT-TYPE + SYNTAX Ipv6IfIcmpEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "An ICMPv6 statistics entry containing + objects at a particular IPv6 interface. + + Note that a receiving interface is + the interface to which a given ICMPv6 message + is addressed which may not be necessarily + the input interface for the message. + + Similarly, the sending interface is + the interface that sources a given + ICMP message which is usually but not + necessarily the output interface for the message." 
+ AUGMENTS { ipv6IfEntry } + ::= { ipv6IfIcmpTable 1 } + + Ipv6IfIcmpEntry ::= SEQUENCE { + ipv6IfIcmpInMsgs + Counter32 , + ipv6IfIcmpInErrors + Counter32 , + ipv6IfIcmpInDestUnreachs + Counter32 , + ipv6IfIcmpInAdminProhibs + Counter32 , + ipv6IfIcmpInTimeExcds + Counter32 , + ipv6IfIcmpInParmProblems + Counter32 , + ipv6IfIcmpInPktTooBigs + Counter32 , + ipv6IfIcmpInEchos + Counter32 , + ipv6IfIcmpInEchoReplies + Counter32 , + ipv6IfIcmpInRouterSolicits + Counter32 , + ipv6IfIcmpInRouterAdvertisements + Counter32 , + ipv6IfIcmpInNeighborSolicits + Counter32 , + ipv6IfIcmpInNeighborAdvertisements + Counter32 , + ipv6IfIcmpInRedirects + Counter32 , + ipv6IfIcmpInGroupMembQueries + Counter32 , + ipv6IfIcmpInGroupMembResponses + Counter32 , + ipv6IfIcmpInGroupMembReductions + Counter32 , + ipv6IfIcmpOutMsgs + Counter32 , + ipv6IfIcmpOutErrors + Counter32 , + ipv6IfIcmpOutDestUnreachs + Counter32 , + ipv6IfIcmpOutAdminProhibs + Counter32 , + ipv6IfIcmpOutTimeExcds + Counter32 , + ipv6IfIcmpOutParmProblems + Counter32 , + ipv6IfIcmpOutPktTooBigs + Counter32 , + ipv6IfIcmpOutEchos + Counter32 , + ipv6IfIcmpOutEchoReplies + Counter32 , + ipv6IfIcmpOutRouterSolicits + Counter32 , + ipv6IfIcmpOutRouterAdvertisements + Counter32 , + ipv6IfIcmpOutNeighborSolicits + Counter32 , + ipv6IfIcmpOutNeighborAdvertisements + Counter32 , + ipv6IfIcmpOutRedirects + Counter32 , + ipv6IfIcmpOutGroupMembQueries + Counter32 , + ipv6IfIcmpOutGroupMembResponses + Counter32 , + ipv6IfIcmpOutGroupMembReductions + Counter32 + + } + + ipv6IfIcmpInMsgs OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The total number of ICMP messages received + by the interface which includes all those + counted by ipv6IfIcmpInErrors. Note that this + interface is the interface to which the + ICMP messages were addressed which may not be + necessarily the input interface for the messages." 
+ ::= { ipv6IfIcmpEntry 1 } + + ipv6IfIcmpInErrors OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of ICMP messages which the interface + received but determined as having ICMP-specific + errors (bad ICMP checksums, bad length, etc.)." + ::= { ipv6IfIcmpEntry 2 } + + ipv6IfIcmpInDestUnreachs OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of ICMP Destination Unreachable + messages received by the interface." + ::= { ipv6IfIcmpEntry 3 } + + ipv6IfIcmpInAdminProhibs OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of ICMP destination + unreachable/communication administratively + prohibited messages received by the interface." + ::= { ipv6IfIcmpEntry 4 } + + ipv6IfIcmpInTimeExcds OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of ICMP Time Exceeded messages + received by the interface." + ::= { ipv6IfIcmpEntry 5 } + + ipv6IfIcmpInParmProblems OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of ICMP Parameter Problem messages + received by the interface." + ::= { ipv6IfIcmpEntry 6 } + + ipv6IfIcmpInPktTooBigs OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of ICMP Packet Too Big messages + received by the interface." + ::= { ipv6IfIcmpEntry 7 } + + ipv6IfIcmpInEchos OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of ICMP Echo (request) messages + received by the interface." + ::= { ipv6IfIcmpEntry 8 } + + ipv6IfIcmpInEchoReplies OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of ICMP Echo Reply messages received + by the interface." 
+ ::= { ipv6IfIcmpEntry 9 } + + ipv6IfIcmpInRouterSolicits OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of ICMP Router Solicit messages + received by the interface." + ::= { ipv6IfIcmpEntry 10 } + + ipv6IfIcmpInRouterAdvertisements OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of ICMP Router Advertisement messages + received by the interface." + ::= { ipv6IfIcmpEntry 11 } + + ipv6IfIcmpInNeighborSolicits OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of ICMP Neighbor Solicit messages + received by the interface." + ::= { ipv6IfIcmpEntry 12 } + + ipv6IfIcmpInNeighborAdvertisements OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of ICMP Neighbor Advertisement + messages received by the interface." + ::= { ipv6IfIcmpEntry 13 } + + ipv6IfIcmpInRedirects OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of Redirect messages received + by the interface." + ::= { ipv6IfIcmpEntry 14 } + + ipv6IfIcmpInGroupMembQueries OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of ICMPv6 Group Membership Query + messages received by the interface." + ::= { ipv6IfIcmpEntry 15} + + ipv6IfIcmpInGroupMembResponses OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of ICMPv6 Group Membership Response messages + received by the interface." + ::= { ipv6IfIcmpEntry 16} + + ipv6IfIcmpInGroupMembReductions OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of ICMPv6 Group Membership Reduction messages + received by the interface." 
+ ::= { ipv6IfIcmpEntry 17} + + ipv6IfIcmpOutMsgs OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The total number of ICMP messages which this + interface attempted to send. Note that this counter + includes all those counted by icmpOutErrors." + ::= { ipv6IfIcmpEntry 18 } + + ipv6IfIcmpOutErrors OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of ICMP messages which this interface did + not send due to problems discovered within ICMP + such as a lack of buffers. This value should not + include errors discovered outside the ICMP layer + such as the inability of IPv6 to route the resultant + datagram. In some implementations there may be no + types of error which contribute to this counter's + value." + ::= { ipv6IfIcmpEntry 19 } + + ipv6IfIcmpOutDestUnreachs OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of ICMP Destination Unreachable + + messages sent by the interface." + ::= { ipv6IfIcmpEntry 20 } + + ipv6IfIcmpOutAdminProhibs OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Number of ICMP dest unreachable/communication + administratively prohibited messages sent." + ::= { ipv6IfIcmpEntry 21 } + + ipv6IfIcmpOutTimeExcds OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of ICMP Time Exceeded messages sent + by the interface." + ::= { ipv6IfIcmpEntry 22 } + + ipv6IfIcmpOutParmProblems OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of ICMP Parameter Problem messages + sent by the interface." + ::= { ipv6IfIcmpEntry 23 } + + ipv6IfIcmpOutPktTooBigs OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of ICMP Packet Too Big messages sent + by the interface." 
+ ::= { ipv6IfIcmpEntry 24 } + + ipv6IfIcmpOutEchos OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of ICMP Echo (request) messages sent + by the interface." + ::= { ipv6IfIcmpEntry 25 } + + ipv6IfIcmpOutEchoReplies OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of ICMP Echo Reply messages sent + by the interface." + ::= { ipv6IfIcmpEntry 26 } + + ipv6IfIcmpOutRouterSolicits OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of ICMP Router Solicitation messages + sent by the interface." + ::= { ipv6IfIcmpEntry 27 } + + ipv6IfIcmpOutRouterAdvertisements OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of ICMP Router Advertisement messages + sent by the interface." + ::= { ipv6IfIcmpEntry 28 } + + ipv6IfIcmpOutNeighborSolicits OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of ICMP Neighbor Solicitation + messages sent by the interface." + ::= { ipv6IfIcmpEntry 29 } + + ipv6IfIcmpOutNeighborAdvertisements OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of ICMP Neighbor Advertisement + messages sent by the interface." + ::= { ipv6IfIcmpEntry 30 } + + ipv6IfIcmpOutRedirects OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of Redirect messages sent. For + a host, this object will always be zero, + since hosts do not send redirects." + ::= { ipv6IfIcmpEntry 31 } + + ipv6IfIcmpOutGroupMembQueries OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of ICMPv6 Group Membership Query + messages sent." 
+ ::= { ipv6IfIcmpEntry 32} + + ipv6IfIcmpOutGroupMembResponses OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of ICMPv6 Group Membership Response + messages sent." + ::= { ipv6IfIcmpEntry 33} + + ipv6IfIcmpOutGroupMembReductions OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of ICMPv6 Group Membership Reduction + messages sent." + ::= { ipv6IfIcmpEntry 34} + +-- conformance information + +ipv6IcmpConformance OBJECT IDENTIFIER ::= { ipv6IcmpMIB 2 } + +ipv6IcmpCompliances + OBJECT IDENTIFIER ::= { ipv6IcmpConformance 1 } +ipv6IcmpGroups + OBJECT IDENTIFIER ::= { ipv6IcmpConformance 2 } + +-- compliance statements + +ipv6IcmpCompliance MODULE-COMPLIANCE + STATUS current + DESCRIPTION + "The compliance statement for SNMPv2 entities which + implement ICMPv6." + MODULE -- this module + MANDATORY-GROUPS { ipv6IcmpGroup } + ::= { ipv6IcmpCompliances 1 } + +ipv6IcmpGroup OBJECT-GROUP + OBJECTS { + ipv6IfIcmpInMsgs, + ipv6IfIcmpInErrors, + ipv6IfIcmpInDestUnreachs, + ipv6IfIcmpInAdminProhibs, + ipv6IfIcmpInTimeExcds, + ipv6IfIcmpInParmProblems, + ipv6IfIcmpInPktTooBigs, + ipv6IfIcmpInEchos, + ipv6IfIcmpInEchoReplies, + ipv6IfIcmpInRouterSolicits, + ipv6IfIcmpInRouterAdvertisements, + ipv6IfIcmpInNeighborSolicits, + ipv6IfIcmpInNeighborAdvertisements, + ipv6IfIcmpInRedirects, + ipv6IfIcmpInGroupMembQueries, + ipv6IfIcmpInGroupMembResponses, + ipv6IfIcmpInGroupMembReductions, + ipv6IfIcmpOutMsgs, + ipv6IfIcmpOutErrors, + ipv6IfIcmpOutDestUnreachs, + ipv6IfIcmpOutAdminProhibs, + ipv6IfIcmpOutTimeExcds, + ipv6IfIcmpOutParmProblems, + ipv6IfIcmpOutPktTooBigs, + ipv6IfIcmpOutEchos, + ipv6IfIcmpOutEchoReplies, + ipv6IfIcmpOutRouterSolicits, + ipv6IfIcmpOutRouterAdvertisements, + ipv6IfIcmpOutNeighborSolicits, + ipv6IfIcmpOutNeighborAdvertisements, + ipv6IfIcmpOutRedirects, + ipv6IfIcmpOutGroupMembQueries, + ipv6IfIcmpOutGroupMembResponses, + ipv6IfIcmpOutGroupMembReductions + } 
+ STATUS current + DESCRIPTION + "The ICMPv6 group of objects providing information + specific to ICMPv6." + ::= { ipv6IcmpGroups 1 } + + END diff --git a/mibs/IPV6-MIB.txt b/mibs/IPV6-MIB.txt new file mode 100644 index 000000000..6957af27f --- /dev/null +++ b/mibs/IPV6-MIB.txt 
@@ -0,0 +1,1443 @@ + IPV6-MIB DEFINITIONS ::= BEGIN + + IMPORTS + MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, + mib-2, Counter32, Unsigned32, Integer32, + Gauge32 FROM SNMPv2-SMI + DisplayString, PhysAddress, TruthValue, TimeStamp, + VariablePointer, RowPointer FROM SNMPv2-TC + MODULE-COMPLIANCE, OBJECT-GROUP, + NOTIFICATION-GROUP FROM SNMPv2-CONF + Ipv6IfIndex, Ipv6Address, Ipv6AddressPrefix, + Ipv6AddressIfIdentifier, + Ipv6IfIndexOrZero FROM IPV6-TC; + + ipv6MIB MODULE-IDENTITY + LAST-UPDATED "9802052155Z" + ORGANIZATION "IETF IPv6 Working Group" + CONTACT-INFO + " Dimitry Haskin + + Postal: Bay Networks, Inc. + 660 Techology Park Drive. + Billerica, MA 01821 + + US + + Tel: +1-978-916-8124 + E-mail: dhaskin@baynetworks.com + + Steve Onishi + + Postal: Bay Networks, Inc. + 3 Federal Street + Billerica, MA 01821 + US + + Tel: +1-978-916-3816 + E-mail: sonishi@baynetworks.com" + DESCRIPTION + "The MIB module for entities implementing the IPv6 + protocol." + ::= { mib-2 55 } + + -- the IPv6 general group + + ipv6MIBObjects OBJECT IDENTIFIER ::= { ipv6MIB 1 } + + ipv6Forwarding OBJECT-TYPE + SYNTAX INTEGER { + forwarding(1), -- acting as a router + + -- NOT acting as + notForwarding(2) -- a router + } + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The indication of whether this entity is acting + as an IPv6 router in respect to the forwarding of + datagrams received by, but not addressed to, this + entity. IPv6 routers forward datagrams. IPv6 + hosts do not (except those source-routed via the + host). + + Note that for some managed nodes, this object may + take on only a subset of the values possible. + Accordingly, it is appropriate for an agent to + return a `wrongValue' response if a management + station attempts to change this object to an + inappropriate value." 
+ ::= { ipv6MIBObjects 1 } + + ipv6DefaultHopLimit OBJECT-TYPE + SYNTAX INTEGER(0..255) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The default value inserted into the Hop Limit + field of the IPv6 header of datagrams originated + at this entity, whenever a Hop Limit value is not + supplied by the transport layer protocol." + DEFVAL { 64 } + ::= { ipv6MIBObjects 2 } + +ipv6Interfaces OBJECT-TYPE + SYNTAX Unsigned32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of IPv6 interfaces (regardless of + their current state) present on this system." + ::= { ipv6MIBObjects 3 } + +ipv6IfTableLastChange OBJECT-TYPE + SYNTAX TimeStamp + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of sysUpTime at the time of the last + insertion or removal of an entry in the + ipv6IfTable. If the number of entries has been + unchanged since the last re-initialization of + the local network management subsystem, then this + object contains a zero value." + ::= { ipv6MIBObjects 4 } + +-- the IPv6 Interfaces table + +ipv6IfTable OBJECT-TYPE + SYNTAX SEQUENCE OF Ipv6IfEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The IPv6 Interfaces table contains information + on the entity's internetwork-layer interfaces. + An IPv6 interface constitutes a logical network + layer attachment to the layer immediately below + + IPv6 including internet layer 'tunnels', such as + tunnels over IPv4 or IPv6 itself." + ::= { ipv6MIBObjects 5 } + + ipv6IfEntry OBJECT-TYPE + SYNTAX Ipv6IfEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "An interface entry containing objects + about a particular IPv6 interface." 
+ INDEX { ipv6IfIndex } + ::= { ipv6IfTable 1 } + + Ipv6IfEntry ::= SEQUENCE { + ipv6IfIndex Ipv6IfIndex, + ipv6IfDescr DisplayString, + ipv6IfLowerLayer VariablePointer, + ipv6IfEffectiveMtu Unsigned32, + ipv6IfReasmMaxSize Unsigned32, + ipv6IfIdentifier Ipv6AddressIfIdentifier, + ipv6IfIdentifierLength INTEGER, + ipv6IfPhysicalAddress PhysAddress, + ipv6IfAdminStatus INTEGER, + ipv6IfOperStatus INTEGER, + ipv6IfLastChange TimeStamp + } + + ipv6IfIndex OBJECT-TYPE + SYNTAX Ipv6IfIndex + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A unique non-zero value identifying + the particular IPv6 interface." + ::= { ipv6IfEntry 1 } + + ipv6IfDescr OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "A textual string containing information about the + interface. This string may be set by the network + management system." + ::= { ipv6IfEntry 2 } + + ipv6IfLowerLayer OBJECT-TYPE + SYNTAX VariablePointer + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "This object identifies the protocol layer over + which this network interface operates. If this + network interface operates over the data-link + layer, then the value of this object refers to an + instance of ifIndex [6]. If this network interface + operates over an IPv4 interface, the value of this + object refers to an instance of ipAdEntAddr [3]. + + If this network interface operates over another + IPv6 interface, the value of this object refers to + an instance of ipv6IfIndex. If this network + interface is not currently operating over an active + protocol layer, then the value of this object + should be set to the OBJECT ID { 0 0 }." + ::= { ipv6IfEntry 3 } + + ipv6IfEffectiveMtu OBJECT-TYPE + SYNTAX Unsigned32 + UNITS "octets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The size of the largest IPv6 packet which can be + sent/received on the interface, specified in + octets." 
+ ::= { ipv6IfEntry 4 } + + ipv6IfReasmMaxSize OBJECT-TYPE + SYNTAX Unsigned32 (0..65535) + UNITS "octets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The size of the largest IPv6 datagram which this + entity can re-assemble from incoming IPv6 fragmented + datagrams received on this interface." + ::= { ipv6IfEntry 5 } + + ipv6IfIdentifier OBJECT-TYPE + SYNTAX Ipv6AddressIfIdentifier + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The Interface Identifier for this interface that + + is (at least) unique on the link this interface is + attached to. The Interface Identifier is combined + with an address prefix to form an interface address. + + By default, the Interface Identifier is autoconfigured + according to the rules of the link type this + interface is attached to." + ::= { ipv6IfEntry 6 } + + ipv6IfIdentifierLength OBJECT-TYPE + SYNTAX INTEGER (0..64) + UNITS "bits" + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The length of the Interface Identifier in bits." + ::= { ipv6IfEntry 7 } + + ipv6IfPhysicalAddress OBJECT-TYPE + SYNTAX PhysAddress + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The interface's physical address. For example, for + an IPv6 interface attached to an 802.x link, this + object normally contains a MAC address. Note that + in some cases this address may differ from the + address of the interface's protocol sub-layer. The + interface's media-specific MIB must define the bit + and byte ordering and the format of the value of + this object. For interfaces which do not have such + an address (e.g., a serial line), this object should + contain an octet string of zero length." + ::= { ipv6IfEntry 8 } + +ipv6IfAdminStatus OBJECT-TYPE + SYNTAX INTEGER { + up(1), -- ready to pass packets + down(2) + } + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The desired state of the interface. When a managed + system initializes, all IPv6 interfaces start with + ipv6IfAdminStatus in the down(2) state. 
As a result + of either explicit management action or per + configuration information retained by the managed + + system, ipv6IfAdminStatus is then changed to + the up(1) state (or remains in the down(2) state)." + ::= { ipv6IfEntry 9 } + +ipv6IfOperStatus OBJECT-TYPE + SYNTAX INTEGER { + up(1), -- ready to pass packets + + down(2), + noIfIdentifier(3), -- no interface identifier + + -- status can not be + -- determined for some + unknown(4), -- reason + + -- some component is + notPresent(5) -- missing + } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The current operational state of the interface. + The noIfIdentifier(3) state indicates that no valid + Interface Identifier is assigned to the interface. + This state usually indicates that the link-local + interface address failed Duplicate Address Detection. + If ipv6IfAdminStatus is down(2) then ipv6IfOperStatus + should be down(2). If ipv6IfAdminStatus is changed + to up(1) then ipv6IfOperStatus should change to up(1) + if the interface is ready to transmit and receive + network traffic; it should remain in the down(2) or + noIfIdentifier(3) state if and only if there is a + fault that prevents it from going to the up(1) state; + it should remain in the notPresent(5) state if + the interface has missing (typically, lower layer) + components." + ::= { ipv6IfEntry 10 } + +ipv6IfLastChange OBJECT-TYPE + SYNTAX TimeStamp + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of sysUpTime at the time the interface + entered its current operational state. If the + current state was entered prior to the last + re-initialization of the local network management + + subsystem, then this object contains a zero + value." + ::= { ipv6IfEntry 11 } + + -- IPv6 Interface Statistics table + + ipv6IfStatsTable OBJECT-TYPE + SYNTAX SEQUENCE OF Ipv6IfStatsEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "IPv6 interface traffic statistics." 
+ ::= { ipv6MIBObjects 6 } + + ipv6IfStatsEntry OBJECT-TYPE + SYNTAX Ipv6IfStatsEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "An interface statistics entry containing objects + at a particular IPv6 interface." + AUGMENTS { ipv6IfEntry } + ::= { ipv6IfStatsTable 1 } + + Ipv6IfStatsEntry ::= SEQUENCE { + ipv6IfStatsInReceives + Counter32, + ipv6IfStatsInHdrErrors + Counter32, + ipv6IfStatsInTooBigErrors + Counter32, + ipv6IfStatsInNoRoutes + Counter32, + ipv6IfStatsInAddrErrors + Counter32, + ipv6IfStatsInUnknownProtos + Counter32, + ipv6IfStatsInTruncatedPkts + Counter32, + ipv6IfStatsInDiscards + Counter32, + ipv6IfStatsInDelivers + Counter32, + ipv6IfStatsOutForwDatagrams + Counter32, + ipv6IfStatsOutRequests + Counter32, + ipv6IfStatsOutDiscards + + Counter32, + ipv6IfStatsOutFragOKs + Counter32, + ipv6IfStatsOutFragFails + Counter32, + ipv6IfStatsOutFragCreates + Counter32, + ipv6IfStatsReasmReqds + Counter32, + ipv6IfStatsReasmOKs + Counter32, + ipv6IfStatsReasmFails + Counter32, + ipv6IfStatsInMcastPkts + Counter32, + ipv6IfStatsOutMcastPkts + Counter32 + } + + ipv6IfStatsInReceives OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The total number of input datagrams received by + the interface, including those received in error." + ::= { ipv6IfStatsEntry 1 } + + ipv6IfStatsInHdrErrors OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of input datagrams discarded due to + errors in their IPv6 headers, including version + number mismatch, other format errors, hop count + exceeded, errors discovered in processing their + IPv6 options, etc." + ::= { ipv6IfStatsEntry 2 } + + ipv6IfStatsInTooBigErrors OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of input datagrams that could not be + forwarded because their size exceeded the link MTU + of outgoing interface." 
+ ::= { ipv6IfStatsEntry 3 } + + ipv6IfStatsInNoRoutes OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of input datagrams discarded because no + route could be found to transmit them to their + destination." + ::= { ipv6IfStatsEntry 4 } + + ipv6IfStatsInAddrErrors OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of input datagrams discarded because + the IPv6 address in their IPv6 header's destination + field was not a valid address to be received at + this entity. This count includes invalid + addresses (e.g., ::0) and unsupported addresses + (e.g., addresses with unallocated prefixes). For + entities which are not IPv6 routers and therefore + do not forward datagrams, this counter includes + datagrams discarded because the destination address + was not a local address." + ::= { ipv6IfStatsEntry 5 } + + ipv6IfStatsInUnknownProtos OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of locally-addressed datagrams + received successfully but discarded because of an + unknown or unsupported protocol. This counter is + incremented at the interface to which these + datagrams were addressed which might not be + necessarily the input interface for some of + the datagrams." + ::= { ipv6IfStatsEntry 6 } + + ipv6IfStatsInTruncatedPkts OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of input datagrams discarded because + datagram frame didn't carry enough data." + ::= { ipv6IfStatsEntry 7 } + + ipv6IfStatsInDiscards OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of input IPv6 datagrams for which no + problems were encountered to prevent their + continued processing, but which were discarded + (e.g., for lack of buffer space). Note that this + counter does not include any datagrams discarded + while awaiting re-assembly." 
+ ::= { ipv6IfStatsEntry 8 } + + ipv6IfStatsInDelivers OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The total number of datagrams successfully + delivered to IPv6 user-protocols (including ICMP). + This counter is incremented at the interface to + which these datagrams were addressed which might + not be necessarily the input interface for some of + the datagrams." + ::= { ipv6IfStatsEntry 9 } + + ipv6IfStatsOutForwDatagrams OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of output datagrams which this + entity received and forwarded to their final + destinations. In entities which do not act + as IPv6 routers, this counter will include + only those packets which were Source-Routed + via this entity, and the Source-Route + processing was successful. Note that for + a successfully forwarded datagram the counter + of the outgoing interface is incremented." + ::= { ipv6IfStatsEntry 10 } + + ipv6IfStatsOutRequests OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The total number of IPv6 datagrams which local IPv6 + user-protocols (including ICMP) supplied to IPv6 in + requests for transmission. Note that this counter + does not include any datagrams counted in + ipv6IfStatsOutForwDatagrams." + ::= { ipv6IfStatsEntry 11 } + + ipv6IfStatsOutDiscards OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of output IPv6 datagrams for which no + problem was encountered to prevent their + transmission to their destination, but which were + discarded (e.g., for lack of buffer space). Note + that this counter would include datagrams counted + in ipv6IfStatsOutForwDatagrams if any such packets + met this (discretionary) discard criterion." 
+ ::= { ipv6IfStatsEntry 12 } + + ipv6IfStatsOutFragOKs OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of IPv6 datagrams that have been + successfully fragmented at this output interface." + ::= { ipv6IfStatsEntry 13 } + + ipv6IfStatsOutFragFails OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of IPv6 datagrams that have been + discarded because they needed to be fragmented + at this output interface but could not be." + ::= { ipv6IfStatsEntry 14 } + + ipv6IfStatsOutFragCreates OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of output datagram fragments that have + been generated as a result of fragmentation at + this output interface." + ::= { ipv6IfStatsEntry 15 } + + ipv6IfStatsReasmReqds OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of IPv6 fragments received which needed + to be reassembled at this interface. Note that this + counter is incremented at the interface to which + these fragments were addressed which might not + be necessarily the input interface for some of + the fragments." + ::= { ipv6IfStatsEntry 16 } + + ipv6IfStatsReasmOKs OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of IPv6 datagrams successfully + reassembled. Note that this counter is incremented + at the interface to which these datagrams were + addressed which might not be necessarily the input + interface for some of the fragments." + ::= { ipv6IfStatsEntry 17 } + + ipv6IfStatsReasmFails OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of failures detected by the IPv6 re- + assembly algorithm (for whatever reason: timed + out, errors, etc.). 
Note that this is not + necessarily a count of discarded IPv6 fragments + since some algorithms (notably the algorithm in + RFC 815) can lose track of the number of fragments + by combining them as they are received. + This counter is incremented at the interface to which + these fragments were addressed which might not be + necessarily the input interface for some of the + fragments." + ::= { ipv6IfStatsEntry 18 } + + ipv6IfStatsInMcastPkts OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of multicast packets received + by the interface" + ::= { ipv6IfStatsEntry 19 } + + ipv6IfStatsOutMcastPkts OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of multicast packets transmitted + by the interface" + ::= { ipv6IfStatsEntry 20 } + + -- Address Prefix table + + -- The IPv6 Address Prefix table contains information on + -- the entity's IPv6 Address Prefixes that are associated + -- with IPv6 interfaces. + + ipv6AddrPrefixTable OBJECT-TYPE + SYNTAX SEQUENCE OF Ipv6AddrPrefixEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The list of IPv6 address prefixes of + IPv6 interfaces." + ::= { ipv6MIBObjects 7 } + + ipv6AddrPrefixEntry OBJECT-TYPE + SYNTAX Ipv6AddrPrefixEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "An interface entry containing objects of + a particular IPv6 address prefix." 
+ INDEX { ipv6IfIndex, + ipv6AddrPrefix, + ipv6AddrPrefixLength } + ::= { ipv6AddrPrefixTable 1 } + + Ipv6AddrPrefixEntry ::= SEQUENCE { + + ipv6AddrPrefix Ipv6AddressPrefix, + ipv6AddrPrefixLength INTEGER (0..128), + ipv6AddrPrefixOnLinkFlag TruthValue, + ipv6AddrPrefixAutonomousFlag TruthValue, + ipv6AddrPrefixAdvPreferredLifetime Unsigned32, + ipv6AddrPrefixAdvValidLifetime Unsigned32 + } + + ipv6AddrPrefix OBJECT-TYPE + SYNTAX Ipv6AddressPrefix + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The prefix associated with the this interface." + ::= { ipv6AddrPrefixEntry 1 } + + ipv6AddrPrefixLength OBJECT-TYPE + SYNTAX INTEGER (0..128) + UNITS "bits" + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The length of the prefix (in bits)." + ::= { ipv6AddrPrefixEntry 2 } + + ipv6AddrPrefixOnLinkFlag OBJECT-TYPE + SYNTAX TruthValue + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "This object has the value 'true(1)', if this + prefix can be used for on-link determination + and the value 'false(2)' otherwise." + ::= { ipv6AddrPrefixEntry 3 } + + ipv6AddrPrefixAutonomousFlag OBJECT-TYPE + SYNTAX TruthValue + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Autonomous address configuration flag. When + true(1), indicates that this prefix can be used + for autonomous address configuration (i.e. can + be used to form a local interface address). + If false(2), it is not used to autoconfigure + a local interface address." + ::= { ipv6AddrPrefixEntry 4 } + + ipv6AddrPrefixAdvPreferredLifetime OBJECT-TYPE + SYNTAX Unsigned32 + UNITS "seconds" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "It is the length of time in seconds that this + prefix will remain preferred, i.e. time until + deprecation. A value of 4,294,967,295 represents + infinity. 
+ + The address generated from a deprecated prefix + should no longer be used as a source address in + new communications, but packets received on such + an interface are processed as expected." + ::= { ipv6AddrPrefixEntry 5 } + + ipv6AddrPrefixAdvValidLifetime OBJECT-TYPE + SYNTAX Unsigned32 + UNITS "seconds" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "It is the length of time in seconds that this + prefix will remain valid, i.e. time until + invalidation. A value of 4,294,967,295 represents + infinity. + + The address generated from an invalidated prefix + should not appear as the destination or source + address of a packet." + ::= { ipv6AddrPrefixEntry 6 } + + -- the IPv6 Address table + + -- The IPv6 address table contains this node's IPv6 + -- addressing information. + + ipv6AddrTable OBJECT-TYPE + SYNTAX SEQUENCE OF Ipv6AddrEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The table of addressing information relevant to + this node's interface addresses." + ::= { ipv6MIBObjects 8 } + + ipv6AddrEntry OBJECT-TYPE + SYNTAX Ipv6AddrEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The addressing information for one of this + node's interface addresses." + INDEX { ipv6IfIndex, ipv6AddrAddress } + ::= { ipv6AddrTable 1 } + + Ipv6AddrEntry ::= + SEQUENCE { + ipv6AddrAddress Ipv6Address, + ipv6AddrPfxLength INTEGER, + ipv6AddrType INTEGER, + ipv6AddrAnycastFlag TruthValue, + ipv6AddrStatus INTEGER + } + + ipv6AddrAddress OBJECT-TYPE + SYNTAX Ipv6Address + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The IPv6 address to which this entry's addressing + information pertains." + ::= { ipv6AddrEntry 1 } + + ipv6AddrPfxLength OBJECT-TYPE + SYNTAX INTEGER(0..128) + UNITS "bits" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The length of the prefix (in bits) associated with + the IPv6 address of this entry." 
+ ::= { ipv6AddrEntry 2 } + + ipv6AddrType OBJECT-TYPE + SYNTAX INTEGER { + -- address has been formed + -- using stateless + stateless(1), -- autoconfiguration + + -- address has been acquired + -- by stateful means + -- (e.g. DHCPv6, manual + stateful(2), -- configuration) + + -- type can not be determined + unknown(3) -- for some reason. + } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The type of address. Note that 'stateless(1)' + refers to an address that was statelessly + autoconfigured; 'stateful(2)' refers to a address + which was acquired by via a stateful protocol + (e.g. DHCPv6, manual configuration)." + ::= { ipv6AddrEntry 3 } + + ipv6AddrAnycastFlag OBJECT-TYPE + SYNTAX TruthValue + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "This object has the value 'true(1)', if this + address is an anycast address and the value + 'false(2)' otherwise." + ::= { ipv6AddrEntry 4 } + + ipv6AddrStatus OBJECT-TYPE + SYNTAX INTEGER { + preferred(1), + deprecated(2), + invalid(3), + inaccessible(4), + unknown(5) -- status can not be determined + -- for some reason. + } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Address status. The preferred(1) state indicates + that this is a valid address that can appear as + the destination or source address of a packet. + The deprecated(2) state indicates that this is + a valid but deprecated address that should no longer + be used as a source address in new communications, + but packets addressed to such an address are + processed as expected. The invalid(3) state indicates + that this is not valid address which should not + + appear as the destination or source address of + a packet. The inaccessible(4) state indicates that + the address is not accessible because the interface + to which this address is assigned is not operational." 
+ ::= { ipv6AddrEntry 5 } + + -- IPv6 Routing objects + + ipv6RouteNumber OBJECT-TYPE + SYNTAX Gauge32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of current ipv6RouteTable entries. + This is primarily to avoid having to read + the table in order to determine this number." + ::= { ipv6MIBObjects 9 } + + ipv6DiscardedRoutes OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of routing entries which were chosen + to be discarded even though they are valid. One + possible reason for discarding such an entry could + be to free-up buffer space for other routing + entries." + ::= { ipv6MIBObjects 10 } + + -- IPv6 Routing table + + ipv6RouteTable OBJECT-TYPE + SYNTAX SEQUENCE OF Ipv6RouteEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "IPv6 Routing table. This table contains + an entry for each valid IPv6 unicast route + that can be used for packet forwarding + determination." + ::= { ipv6MIBObjects 11 } + + ipv6RouteEntry OBJECT-TYPE + SYNTAX Ipv6RouteEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A routing entry." + INDEX { ipv6RouteDest, + ipv6RoutePfxLength, + ipv6RouteIndex } + ::= { ipv6RouteTable 1 } + + Ipv6RouteEntry ::= SEQUENCE { + ipv6RouteDest Ipv6Address, + ipv6RoutePfxLength INTEGER, + ipv6RouteIndex Unsigned32, + ipv6RouteIfIndex Ipv6IfIndexOrZero, + ipv6RouteNextHop Ipv6Address, + ipv6RouteType INTEGER, + ipv6RouteProtocol INTEGER, + ipv6RoutePolicy Integer32, + ipv6RouteAge Unsigned32, + ipv6RouteNextHopRDI Unsigned32, + ipv6RouteMetric Unsigned32, + ipv6RouteWeight Unsigned32, + ipv6RouteInfo RowPointer, + ipv6RouteValid TruthValue + } + + ipv6RouteDest OBJECT-TYPE + SYNTAX Ipv6Address + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The destination IPv6 address of this route. + This object may not take a Multicast address + value." 
+ ::= { ipv6RouteEntry 1 } + + ipv6RoutePfxLength OBJECT-TYPE + SYNTAX INTEGER(0..128) + UNITS "bits" + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Indicates the prefix length of the destination + address." + ::= { ipv6RouteEntry 2 } + + ipv6RouteIndex OBJECT-TYPE + SYNTAX Unsigned32 + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The value which uniquely identifies the route + among the routes to the same network layer + destination. The way this value is chosen is + implementation specific but it must be unique for + ipv6RouteDest/ipv6RoutePfxLength pair and remain + constant for the life of the route." + ::= { ipv6RouteEntry 3 } + + ipv6RouteIfIndex OBJECT-TYPE + SYNTAX Ipv6IfIndexOrZero + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The index value which uniquely identifies the local + interface through which the next hop of this + route should be reached. The interface identified + by a particular value of this index is the same + interface as identified by the same value of + ipv6IfIndex. For routes of the discard type this + value can be zero." + ::= { ipv6RouteEntry 4 } + + ipv6RouteNextHop OBJECT-TYPE + SYNTAX Ipv6Address + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "On remote routes, the address of the next + system en route; otherwise, ::0 + ('00000000000000000000000000000000'H in ASN.1 + string representation)." + ::= { ipv6RouteEntry 5 } + + ipv6RouteType OBJECT-TYPE + SYNTAX INTEGER { + other(1), -- none of the following + + -- an route indicating that + -- packets to destinations + -- matching this route are + discard(2), -- to be discarded + + -- route to directly + local(3), -- connected (sub-)network + + -- route to a remote + + remote(4) -- destination + + } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The type of route. 
Note that 'local(3)' refers + to a route for which the next hop is the final + destination; 'remote(4)' refers to a route for + which the next hop is not the final + destination; 'discard(2)' refers to a route + indicating that packets to destinations matching + this route are to be discarded (sometimes called + black-hole route)." + ::= { ipv6RouteEntry 6 } + + ipv6RouteProtocol OBJECT-TYPE + SYNTAX INTEGER { + other(1), -- none of the following + + -- non-protocol information, + -- e.g., manually configured + local(2), -- entries + + netmgmt(3), -- static route + + -- obtained via Neighbor + -- Discovery protocol, + ndisc(4), -- e.g., result of Redirect + + -- the following are all + -- dynamic routing protocols + rip(5), -- RIPng + ospf(6), -- Open Shortest Path First + bgp(7), -- Border Gateway Protocol + idrp(8), -- InterDomain Routing Protocol + igrp(9) -- InterGateway Routing Protocol + } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The routing mechanism via which this route was + learned." + ::= { ipv6RouteEntry 7 } + + ipv6RoutePolicy OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The general set of conditions that would cause the + selection of one multipath route (set of next hops + for a given destination) is referred to as 'policy'. + Unless the mechanism indicated by ipv6RouteProtocol + specified otherwise, the policy specifier is the + 8-bit Traffic Class field of the IPv6 packet header + that is zero extended at the left to a 32-bit value. + + Protocols defining 'policy' otherwise must either + define a set of values which are valid for + this object or must implement an integer- + instanced policy table for which this object's + value acts as an index." + ::= { ipv6RouteEntry 8 } + + ipv6RouteAge OBJECT-TYPE + SYNTAX Unsigned32 + UNITS "seconds" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of seconds since this route was last + updated or otherwise determined to be correct. 
+ Note that no semantics of `too old' can be implied + except through knowledge of the routing protocol + by which the route was learned." + ::= { ipv6RouteEntry 9 } + + ipv6RouteNextHopRDI OBJECT-TYPE + SYNTAX Unsigned32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The Routing Domain ID of the Next Hop. + The semantics of this object are determined by + the routing-protocol specified in the route's + ipv6RouteProtocol value. When this object is + unknown or not relevant its value should be set + to zero." + ::= { ipv6RouteEntry 10 } + + ipv6RouteMetric OBJECT-TYPE + SYNTAX Unsigned32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The routing metric for this route. The + semantics of this metric are determined by the + routing protocol specified in the route's + ipv6RouteProtocol value. When this is unknown + or not relevant to the protocol indicated by + ipv6RouteProtocol, the object value should be + set to its maximum value (4,294,967,295)." + ::= { ipv6RouteEntry 11 } + + ipv6RouteWeight OBJECT-TYPE + SYNTAX Unsigned32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The system internal weight value for this route. + The semantics of this value are determined by + the implementation specific rules. Generally, + within routes with the same ipv6RoutePolicy value, + the lower the weight value the more preferred is + the route." + ::= { ipv6RouteEntry 12 } + + ipv6RouteInfo OBJECT-TYPE + SYNTAX RowPointer + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "A reference to MIB definitions specific to the + particular routing protocol which is responsible + for this route, as determined by the value + specified in the route's ipv6RouteProto value. + If this information is not present, its value + should be set to the OBJECT ID { 0 0 }, + which is a syntactically valid object identifier, + and any implementation conforming to ASN.1 + and the Basic Encoding Rules must be able to + generate and recognize this value." 
+ ::= { ipv6RouteEntry 13 } + + ipv6RouteValid OBJECT-TYPE + SYNTAX TruthValue + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Setting this object to the value 'false(2)' has + the effect of invalidating the corresponding entry + in the ipv6RouteTable object. That is, it + effectively disassociates the destination + + identified with said entry from the route + identified with said entry. It is an + implementation-specific matter as to whether the + agent removes an invalidated entry from the table. + Accordingly, management stations must be prepared + to receive tabular information from agents that + corresponds to entries not currently in use. + Proper interpretation of such entries requires + examination of the relevant ipv6RouteValid + object." + DEFVAL { true } + ::= { ipv6RouteEntry 14 } + + -- IPv6 Address Translation table + + ipv6NetToMediaTable OBJECT-TYPE + SYNTAX SEQUENCE OF Ipv6NetToMediaEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The IPv6 Address Translation table used for + mapping from IPv6 addresses to physical addresses. + + The IPv6 address translation table contain the + Ipv6Address to `physical' address equivalencies. + Some interfaces do not use translation tables + for determining address equivalencies; if all + interfaces are of this type, then the Address + Translation table is empty, i.e., has zero + entries." + ::= { ipv6MIBObjects 12 } + + ipv6NetToMediaEntry OBJECT-TYPE + SYNTAX Ipv6NetToMediaEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Each entry contains one IPv6 address to `physical' + address equivalence." 
+ INDEX { ipv6IfIndex, + ipv6NetToMediaNetAddress } + ::= { ipv6NetToMediaTable 1 } + + Ipv6NetToMediaEntry ::= SEQUENCE { + ipv6NetToMediaNetAddress + Ipv6Address, + ipv6NetToMediaPhysAddress + + PhysAddress, + ipv6NetToMediaType + INTEGER, + ipv6IfNetToMediaState + INTEGER, + ipv6IfNetToMediaLastUpdated + TimeStamp, + ipv6NetToMediaValid + TruthValue + } + + ipv6NetToMediaNetAddress OBJECT-TYPE + SYNTAX Ipv6Address + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The IPv6 Address corresponding to + the media-dependent `physical' address." + ::= { ipv6NetToMediaEntry 1 } + + ipv6NetToMediaPhysAddress OBJECT-TYPE + SYNTAX PhysAddress + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The media-dependent `physical' address." + ::= { ipv6NetToMediaEntry 2 } + + ipv6NetToMediaType OBJECT-TYPE + SYNTAX INTEGER { + other(1), -- none of the following + dynamic(2), -- dynamically resolved + static(3), -- statically configured + local(4) -- local interface + } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The type of the mapping. The 'dynamic(2)' type + indicates that the IPv6 address to physical + addresses mapping has been dynamically + resolved using the IPv6 Neighbor Discovery + protocol. The static(3)' types indicates that + the mapping has been statically configured. + The local(4) indicates that the mapping is + provided for an entity's own interface address." + ::= { ipv6NetToMediaEntry 3 } + +ipv6IfNetToMediaState OBJECT-TYPE + SYNTAX INTEGER { + reachable(1), -- confirmed reachability + + stale(2), -- unconfirmed reachability + + delay(3), -- waiting for reachability + -- confirmation before entering + -- the probe state + + probe(4), -- actively probing + + invalid(5), -- an invalidated mapping + + unknown(6) -- state can not be determined + -- for some reason. 
+ } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The Neighbor Unreachability Detection [8] state + for the interface when the address mapping in + this entry is used." + ::= { ipv6NetToMediaEntry 4 } + +ipv6IfNetToMediaLastUpdated OBJECT-TYPE + SYNTAX TimeStamp + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of sysUpTime at the time this entry + was last updated. If this entry was updated prior + to the last re-initialization of the local network + management subsystem, then this object contains + a zero value." + ::= { ipv6NetToMediaEntry 5 } + + ipv6NetToMediaValid OBJECT-TYPE + SYNTAX TruthValue + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Setting this object to the value 'false(2)' has + the effect of invalidating the corresponding entry + in the ipv6NetToMediaTable. That is, it effectively + disassociates the interface identified with said + entry from the mapping identified with said entry. + It is an implementation-specific matter as to + + whether the agent removes an invalidated entry + from the table. Accordingly, management stations + must be prepared to receive tabular information + from agents that corresponds to entries not + currently in use. Proper interpretation of such + entries requires examination of the relevant + ipv6NetToMediaValid object." + DEFVAL { true } + ::= { ipv6NetToMediaEntry 6 } + +-- definition of IPv6-related notifications. +-- Note that we need ipv6NotificationPrefix with the 0 +-- sub-identifier to make this MIB to translate to +-- an SNMPv1 format in a reversible way. For example +-- it is needed for proxies that convert SNMPv1 traps +-- to SNMPv2 notifications without MIB knowledge. + +ipv6Notifications OBJECT IDENTIFIER + ::= { ipv6MIB 2 } +ipv6NotificationPrefix OBJECT IDENTIFIER + ::= { ipv6Notifications 0 } + +ipv6IfStateChange NOTIFICATION-TYPE + OBJECTS { + ipv6IfDescr, + ipv6IfOperStatus -- the new state of the If. 
+ } + STATUS current + DESCRIPTION + "An ipv6IfStateChange notification signifies + that there has been a change in the state of + an ipv6 interface. This notification should + be generated when the interface's operational + status transitions to or from the up(1) state." + ::= { ipv6NotificationPrefix 1 } + +-- conformance information + +ipv6Conformance OBJECT IDENTIFIER ::= { ipv6MIB 3 } + +ipv6Compliances OBJECT IDENTIFIER ::= { ipv6Conformance 1 } +ipv6Groups OBJECT IDENTIFIER ::= { ipv6Conformance 2 } + +-- compliance statements + +ipv6Compliance MODULE-COMPLIANCE + STATUS current + DESCRIPTION + "The compliance statement for SNMPv2 entities which + implement ipv6 MIB." + MODULE -- this module + MANDATORY-GROUPS { ipv6GeneralGroup, + ipv6NotificationGroup } + OBJECT ipv6Forwarding + MIN-ACCESS read-only + DESCRIPTION + "An agent is not required to provide write + access to this object" + OBJECT ipv6DefaultHopLimit + MIN-ACCESS read-only + DESCRIPTION + "An agent is not required to provide write + access to this object" + OBJECT ipv6IfDescr + MIN-ACCESS read-only + DESCRIPTION + "An agent is not required to provide write + access to this object" + OBJECT ipv6IfIdentifier + MIN-ACCESS read-only + DESCRIPTION + "An agent is not required to provide write + access to this object" + OBJECT ipv6IfIdentifierLength + MIN-ACCESS read-only + DESCRIPTION + "An agent is not required to provide write + access to this object" + + OBJECT ipv6IfAdminStatus + MIN-ACCESS read-only + DESCRIPTION + "An agent is not required to provide write + access to this object" + OBJECT ipv6RouteValid + MIN-ACCESS read-only + DESCRIPTION + "An agent is not required to provide write + access to this object" + OBJECT ipv6NetToMediaValid + MIN-ACCESS read-only + DESCRIPTION + "An agent is not required to provide write + + access to this object" + ::= { ipv6Compliances 1 } + +ipv6GeneralGroup OBJECT-GROUP + OBJECTS { ipv6Forwarding, + ipv6DefaultHopLimit, + ipv6Interfaces, + ipv6IfTableLastChange, 
+ ipv6IfDescr, + ipv6IfLowerLayer, + ipv6IfEffectiveMtu, + ipv6IfReasmMaxSize, + ipv6IfIdentifier, + ipv6IfIdentifierLength, + ipv6IfPhysicalAddress, + ipv6IfAdminStatus, + ipv6IfOperStatus, + ipv6IfLastChange, + ipv6IfStatsInReceives, + ipv6IfStatsInHdrErrors, + ipv6IfStatsInTooBigErrors, + ipv6IfStatsInNoRoutes, + ipv6IfStatsInAddrErrors, + ipv6IfStatsInUnknownProtos, + ipv6IfStatsInTruncatedPkts, + ipv6IfStatsInDiscards, + ipv6IfStatsInDelivers, + ipv6IfStatsOutForwDatagrams, + ipv6IfStatsOutRequests, + ipv6IfStatsOutDiscards, + ipv6IfStatsOutFragOKs, + ipv6IfStatsOutFragFails, + ipv6IfStatsOutFragCreates, + ipv6IfStatsReasmReqds, + ipv6IfStatsReasmOKs, + ipv6IfStatsReasmFails, + ipv6IfStatsInMcastPkts, + ipv6IfStatsOutMcastPkts, + ipv6AddrPrefixOnLinkFlag, + ipv6AddrPrefixAutonomousFlag, + ipv6AddrPrefixAdvPreferredLifetime, + ipv6AddrPrefixAdvValidLifetime, + ipv6AddrPfxLength, + ipv6AddrType, + ipv6AddrAnycastFlag, + ipv6AddrStatus, + ipv6RouteNumber, + ipv6DiscardedRoutes, + ipv6RouteIfIndex, + ipv6RouteNextHop, + ipv6RouteType, + ipv6RouteProtocol, + ipv6RoutePolicy, + ipv6RouteAge, + ipv6RouteNextHopRDI, + ipv6RouteMetric, + ipv6RouteWeight, + ipv6RouteInfo, + ipv6RouteValid, + ipv6NetToMediaPhysAddress, + ipv6NetToMediaType, + ipv6IfNetToMediaState, + ipv6IfNetToMediaLastUpdated, + ipv6NetToMediaValid } + STATUS current + DESCRIPTION + "The IPv6 group of objects providing for basic + management of IPv6 entities." + ::= { ipv6Groups 1 } + +ipv6NotificationGroup NOTIFICATION-GROUP + NOTIFICATIONS { ipv6IfStateChange } + STATUS current + DESCRIPTION + "The notification that an IPv6 entity is required + to implement." + ::= { ipv6Groups 2 } + + END diff --git a/mibs/IPV6-TC.txt b/mibs/IPV6-TC.txt new file mode 100644 index 000000000..05e1e7d98 --- /dev/null +++ b/mibs/IPV6-TC.txt 
@@ -0,0 +1,67 @@
+IPV6-TC DEFINITIONS ::= BEGIN
+
+IMPORTS
+ Integer32 FROM SNMPv2-SMI
+ TEXTUAL-CONVENTION FROM SNMPv2-TC;
+
+-- definition of textual conventions
+Ipv6Address ::= TEXTUAL-CONVENTION
+ DISPLAY-HINT "2x:"
+ STATUS current
+ DESCRIPTION
+ "This data type is used to model IPv6 addresses.
+ This is a binary string of 16 octets in network
+ byte-order."
+ SYNTAX OCTET STRING (SIZE (16))
+
+Ipv6AddressPrefix ::= TEXTUAL-CONVENTION
+ DISPLAY-HINT "2x:"
+ STATUS current
+ DESCRIPTION
+ "This data type is used to model IPv6 address
+ prefixes. This is a binary string of up to 16
+ octets in network byte-order."
+ SYNTAX OCTET STRING (SIZE (0..16))
+
+Ipv6AddressIfIdentifier ::= TEXTUAL-CONVENTION
+ DISPLAY-HINT "2x:"
+ STATUS current
+ DESCRIPTION
+ "This data type is used to model IPv6 address
+ interface identifiers. This is a binary string
+ of up to 8 octets in network byte-order."
+ SYNTAX OCTET STRING (SIZE (0..8))
+
+Ipv6IfIndex ::= TEXTUAL-CONVENTION
+ DISPLAY-HINT "d"
+ STATUS current
+ DESCRIPTION
+ "A unique value, greater than zero for each
+ internetwork-layer interface in the managed
+ system. It is recommended that values are assigned
+ contiguously starting from 1. The value for each
+ internetwork-layer interface must remain constant
+ at least from one re-initialization of the entity's
+ network management system to the next
+
+ re-initialization."
+ SYNTAX Integer32 (1..2147483647)
+
+Ipv6IfIndexOrZero ::= TEXTUAL-CONVENTION
+ DISPLAY-HINT "d"
+ STATUS current
+ DESCRIPTION
+ "This textual convention is an extension of the
+ Ipv6IfIndex convention. The latter defines
+ a greater than zero value used to identify an IPv6
+ interface in the managed system. This extension
+ permits the additional value of zero. The value
+ zero is object-specific and must therefore be
+ defined as part of the description of any object
+ which uses this syntax. Examples of the usage of
+ zero might include situations where interface was
+ unknown, or when none or all interfaces need to be
+ referenced."
+ SYNTAX Integer32 (0..2147483647)
+
+END
diff --git a/mibs/IPV6-TCP-MIB.txt b/mibs/IPV6-TCP-MIB.txt
new file mode 100644
index 000000000..a2fb857c0
--- /dev/null
+++ b/mibs/IPV6-TCP-MIB.txt
@@ -0,0 +1,211 @@
+IPV6-TCP-MIB DEFINITIONS ::= BEGIN
+
+IMPORTS
+ MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF
+ MODULE-IDENTITY, OBJECT-TYPE,
+ mib-2, experimental FROM SNMPv2-SMI
+ Ipv6Address, Ipv6IfIndexOrZero FROM IPV6-TC;
+
+ipv6TcpMIB MODULE-IDENTITY
+ LAST-UPDATED "9801290000Z"
+ ORGANIZATION "IETF IPv6 MIB Working Group"
+ CONTACT-INFO
+ " Mike Daniele
+
+ Postal: Compaq Computer Corporation
+ 110 Spitbrook Rd
+ Nashua, NH 03062.
+ US
+
+ Phone: +1 603 884 1423
+ Email: daniele@zk3.dec.com"
+ DESCRIPTION
+ "The MIB module for entities implementing TCP over IPv6."
+ ::= { experimental 86 }
+
+-- objects specific to TCP for IPv6
+
+tcp OBJECT IDENTIFIER ::= { mib-2 6 }
+
+-- the TCP over IPv6 Connection table
+
+-- This connection table contains information about this
+-- entity's existing TCP connections between IPv6 endpoints.
+-- Only connections between IPv6 addresses are contained in
+-- this table. This entity's connections between IPv4
+-- endpoints are contained in tcpConnTable.
+
+ipv6TcpConnTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF Ipv6TcpConnEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table containing TCP connection-specific information,
+ for only those connections whose endpoints are IPv6 addresses."
+ ::= { tcp 16 }
+
+ipv6TcpConnEntry OBJECT-TYPE
+ SYNTAX Ipv6TcpConnEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A conceptual row of the ipv6TcpConnTable containing
+ information about a particular current TCP connection.
+ Each row of this table is transient, in that it ceases to
+ exist when (or soon after) the connection makes the transition
+ to the CLOSED state.
+
+ Note that conceptual rows in this table require an additional
+ index object compared to tcpConnTable, since IPv6 addresses
+ are not guaranteed to be unique on the managed node."
+ INDEX { ipv6TcpConnLocalAddress,
+ ipv6TcpConnLocalPort,
+ ipv6TcpConnRemAddress,
+ ipv6TcpConnRemPort,
+ ipv6TcpConnIfIndex }
+ ::= { ipv6TcpConnTable 1 }
+
+Ipv6TcpConnEntry ::=
+ SEQUENCE { ipv6TcpConnLocalAddress Ipv6Address,
+ ipv6TcpConnLocalPort INTEGER (0..65535),
+ ipv6TcpConnRemAddress Ipv6Address,
+ ipv6TcpConnRemPort INTEGER (0..65535),
+ ipv6TcpConnIfIndex Ipv6IfIndexOrZero,
+ ipv6TcpConnState INTEGER }
+
+ipv6TcpConnLocalAddress OBJECT-TYPE
+ SYNTAX Ipv6Address
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The local IPv6 address for this TCP connection. In
+ the case of a connection in the listen state which
+ is willing to accept connections for any IPv6
+ address associated with the managed node, the value
+ ::0 is used."
+ ::= { ipv6TcpConnEntry 1 }
+
+ipv6TcpConnLocalPort OBJECT-TYPE
+ SYNTAX INTEGER (0..65535)
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The local port number for this TCP connection."
+ ::= { ipv6TcpConnEntry 2 }
+
+ipv6TcpConnRemAddress OBJECT-TYPE
+ SYNTAX Ipv6Address
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The remote IPv6 address for this TCP connection."
+ ::= { ipv6TcpConnEntry 3 }
+
+ipv6TcpConnRemPort OBJECT-TYPE
+ SYNTAX INTEGER (0..65535)
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The remote port number for this TCP connection."
+ ::= { ipv6TcpConnEntry 4 }
+
+ipv6TcpConnIfIndex OBJECT-TYPE
+ SYNTAX Ipv6IfIndexOrZero
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An index object used to disambiguate conceptual rows in
+ the table, since the connection 4-tuple may not be unique.
+
+ If the connection's remote address (ipv6TcpConnRemAddress)
+ is a link-local address and the connection's local address
+
+ (ipv6TcpConnLocalAddress) is not a link-local address, this
+ object identifies a local interface on the same link as
+ the connection's remote link-local address.
+
+ Otherwise, this object identifies the local interface that
+ is associated with the ipv6TcpConnLocalAddress for this
+ TCP connection. If such a local interface cannot be determined,
+ this object should take on the value 0. (A possible example
+ of this would be if the value of ipv6TcpConnLocalAddress is ::0.)
+
+ The interface identified by a particular non-0 value of this
+ index is the same interface as identified by the same value
+ of ipv6IfIndex.
+
+ The value of this object must remain constant during the life
+ of the TCP connection."
+ ::= { ipv6TcpConnEntry 5 }
+
+ipv6TcpConnState OBJECT-TYPE
+ SYNTAX INTEGER {
+ closed(1),
+ listen(2),
+ synSent(3),
+ synReceived(4),
+ established(5),
+ finWait1(6),
+ finWait2(7),
+ closeWait(8),
+ lastAck(9),
+ closing(10),
+ timeWait(11),
+ deleteTCB(12) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "The state of this TCP connection.
+
+ The only value which may be set by a management station is
+ deleteTCB(12). Accordingly, it is appropriate for an agent
+ to return an error response (`badValue' for SNMPv1, 'wrongValue'
+ for SNMPv2) if a management station attempts to set this
+ object to any other value.
+
+ If a management station sets this object to the value
+ deleteTCB(12), then this has the effect of deleting the TCB
+ (as defined in RFC 793) of the corresponding connection on
+ the managed node, resulting in immediate termination of the
+ connection.
+
+ As an implementation-specific option, a RST segment may be
+ sent from the managed node to the other TCP endpoint (note
+ however that RST segments are not sent reliably)."
+ ::= { ipv6TcpConnEntry 6 }
+
+--
+-- conformance information
+--
+
+ipv6TcpConformance OBJECT IDENTIFIER ::= { ipv6TcpMIB 2 }
+
+ipv6TcpCompliances OBJECT IDENTIFIER ::= { ipv6TcpConformance 1 }
+ipv6TcpGroups OBJECT IDENTIFIER ::= { ipv6TcpConformance 2 }
+
+-- compliance statements
+
+ipv6TcpCompliance MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "The compliance statement for SNMPv2 entities which
+ implement TCP over IPv6."
+ MODULE -- this module
+ MANDATORY-GROUPS { ipv6TcpGroup }
+ ::= { ipv6TcpCompliances 1 }
+
+ipv6TcpGroup OBJECT-GROUP
+ OBJECTS { -- these are defined in this module
+ -- ipv6TcpConnLocalAddress (not-accessible)
+ -- ipv6TcpConnLocalPort (not-accessible)
+ -- ipv6TcpConnRemAddress (not-accessible)
+ -- ipv6TcpConnRemPort (not-accessible)
+ -- ipv6TcpConnIfIndex (not-accessible)
+ ipv6TcpConnState }
+ STATUS current
+ DESCRIPTION
+ "The group of objects providing management of
+ TCP over IPv6."
+ ::= { ipv6TcpGroups 1 }
+
+END
diff --git a/mibs/IPV6-UDP-MIB.txt b/mibs/IPV6-UDP-MIB.txt
new file mode 100644
index 000000000..6c929eb7f
--- /dev/null
+++ b/mibs/IPV6-UDP-MIB.txt
@@ -0,0 +1,141 @@
+IPV6-UDP-MIB DEFINITIONS ::= BEGIN
+
+IMPORTS
+ MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF
+ MODULE-IDENTITY, OBJECT-TYPE,
+ mib-2, experimental FROM SNMPv2-SMI
+ Ipv6Address, Ipv6IfIndexOrZero FROM IPV6-TC;
+
+ipv6UdpMIB MODULE-IDENTITY
+ LAST-UPDATED "9801290000Z"
+ ORGANIZATION "IETF IPv6 MIB Working Group"
+ CONTACT-INFO
+ " Mike Daniele
+
+ Postal: Compaq Computer Corporation
+ 110 Spitbrook Rd
+ Nashua, NH 03062.
+ US
+
+ Phone: +1 603 884 1423
+ Email: daniele@zk3.dec.com"
+ DESCRIPTION
+ "The MIB module for entities implementing UDP over IPv6."
+ ::= { experimental 87 }
+
+-- objects specific to UDP for IPv6
+
+udp OBJECT IDENTIFIER ::= { mib-2 7 }
+
+-- the UDP over IPv6 Listener table
+
+-- This table contains information about this entity's
+-- UDP/IPv6 endpoints. Only endpoints utilizing IPv6 addresses
+-- are contained in this table. This entity's UDP/IPv4 endpoints
+-- are contained in udpTable.
+
+ipv6UdpTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF Ipv6UdpEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table containing UDP listener information for
+ UDP/IPv6 endpoints."
+ ::= { udp 6 }
+
+ipv6UdpEntry OBJECT-TYPE
+ SYNTAX Ipv6UdpEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Information about a particular current UDP listener.
+
+ Note that conceptual rows in this table require an
+ additional index object compared to udpTable, since
+ IPv6 addresses are not guaranteed to be unique on the
+ managed node."
+ INDEX { ipv6UdpLocalAddress,
+ ipv6UdpLocalPort,
+ ipv6UdpIfIndex }
+ ::= { ipv6UdpTable 1 }
+
+Ipv6UdpEntry ::= SEQUENCE {
+ ipv6UdpLocalAddress Ipv6Address,
+ ipv6UdpLocalPort INTEGER (0..65535),
+ ipv6UdpIfIndex Ipv6IfIndexOrZero }
+
+ipv6UdpLocalAddress OBJECT-TYPE
+ SYNTAX Ipv6Address
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The local IPv6 address for this UDP listener.
+ In the case of a UDP listener which is willing
+ to accept datagrams for any IPv6 address
+ associated with the managed node, the value ::0
+ is used."
+ ::= { ipv6UdpEntry 1 }
+
+ipv6UdpLocalPort OBJECT-TYPE
+ SYNTAX INTEGER (0..65535)
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The local port number for this UDP listener."
+ ::= { ipv6UdpEntry 2 }
+
+ipv6UdpIfIndex OBJECT-TYPE
+ SYNTAX Ipv6IfIndexOrZero
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "An index object used to disambiguate conceptual rows in
+ the table, since the ipv6UdpLocalAddress/ipv6UdpLocalPort
+ pair may not be unique.
+
+ This object identifies the local interface that is
+ associated with ipv6UdpLocalAddress for this UDP listener.
+ If such a local interface cannot be determined, this object
+ should take on the value 0. (A possible example of this
+ would be if the value of ipv6UdpLocalAddress is ::0.)
+
+ The interface identified by a particular non-0 value of
+ this index is the same interface as identified by the same
+ value of ipv6IfIndex.
+
+ The value of this object must remain constant during
+ the life of this UDP endpoint."
+ ::= { ipv6UdpEntry 3 }
+
+--
+-- conformance information
+--
+
+ipv6UdpConformance OBJECT IDENTIFIER ::= { ipv6UdpMIB 2 }
+
+ipv6UdpCompliances OBJECT IDENTIFIER ::= { ipv6UdpConformance 1 }
+ipv6UdpGroups OBJECT IDENTIFIER ::= { ipv6UdpConformance 2 }
+
+-- compliance statements
+
+ipv6UdpCompliance MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "The compliance statement for SNMPv2 entities which
+ implement UDP over IPv6."
+ MODULE -- this module
+ MANDATORY-GROUPS { ipv6UdpGroup }
+ ::= { ipv6UdpCompliances 1 }
+
+ipv6UdpGroup OBJECT-GROUP
+ OBJECTS { -- these are defined in this module
+ -- ipv6UdpLocalAddress (not-accessible)
+ -- ipv6UdpLocalPort (not-accessible)
+ ipv6UdpIfIndex }
+ STATUS current
+ DESCRIPTION
+ "The group of objects providing management of
+ UDP over IPv6."
+ ::= { ipv6UdpGroups 1 }
+
+END
diff --git a/mibs/MTA-MIB.txt b/mibs/MTA-MIB.txt
new file mode 100644
index 000000000..29618adc8
--- /dev/null
+++ b/mibs/MTA-MIB.txt
@@ -0,0 +1,1226 @@ +MTA-MIB DEFINITIONS ::= BEGIN + +IMPORTS + OBJECT-TYPE, Counter32, Gauge32, MODULE-IDENTITY, mib-2 + FROM SNMPv2-SMI + TimeInterval + FROM SNMPv2-TC + MODULE-COMPLIANCE, OBJECT-GROUP + FROM SNMPv2-CONF + SnmpAdminString + FROM SNMP-FRAMEWORK-MIB + applIndex, URLString + FROM NETWORK-SERVICES-MIB; + +mta MODULE-IDENTITY + LAST-UPDATED "200003030000Z" + ORGANIZATION "IETF Mail and Directory Management Working Group" + CONTACT-INFO + " Ned Freed + + Postal: Innosoft International, Inc. + 1050 Lakes Drive + West Covina, CA 91790 + US + + Tel: +1 626 919 3600 + Fax: +1 626 919 3614 + + E-Mail: ned.freed@innosoft.com" + DESCRIPTION + "The MIB module describing Message Transfer Agents (MTAs)" + REVISION "200003030000Z" + DESCRIPTION + "This revision, published in RFC 2789, changes a number of + DisplayStrings to SnmpAdminStrings. Note that this change + + is not strictly supported by SMIv2. However, the alternative + of deprecating the old objects and defining new objects + would have a more adverse impact on backward compatibility + and interoperability, given the particular semantics of + these objects. The defining reference for distinguished + names has also been updated from RFC 1779 to RFC 2253." + REVISION "199905120000Z" + DESCRIPTION + "This revision fixes a number of technical problems found in + previous versions: The conformance groups for different + versions of this MIB have been corrected, the recommendation + that an empty string be returned if the last operation was + successful has been removed from + mtaGroupInboundRejectionReason and + mtaGroupOutboundConnectFailureReason as it conflicts + with the stated purpose of these variables, and the + required mtaStatusCode entry has been added to + MtaGroupErrorEntry. It should be noted that this last + change in no way affects the bits on the wire." 
+ REVISION "199708170000Z" + DESCRIPTION + "This revision, published in RFC 2249, adds the + mtaGroupDescription and mtaGroupURL fields, conversion + operation counters, a group hierarchy description mechanism, + counters for specific errors, oldest message IDs, per-MTA + and per-group loop counters, and a new table for tracking + any errors an MTA encounters." + REVISION "199311280000Z" + DESCRIPTION + "The original version of this MIB was published in RFC 1566" + ::= {mib-2 28} + +mtaTable OBJECT-TYPE + SYNTAX SEQUENCE OF MtaEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The table holding information specific to an MTA." + ::= {mta 1} + +mtaEntry OBJECT-TYPE + SYNTAX MtaEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The entry associated with each MTA." + INDEX {applIndex} + ::= {mtaTable 1} + +MtaEntry ::= SEQUENCE { + mtaReceivedMessages + Counter32, + mtaStoredMessages + Gauge32, + mtaTransmittedMessages + Counter32, + mtaReceivedVolume + Counter32, + mtaStoredVolume + Gauge32, + mtaTransmittedVolume + Counter32, + mtaReceivedRecipients + Counter32, + mtaStoredRecipients + Gauge32, + mtaTransmittedRecipients + Counter32, + mtaSuccessfulConvertedMessages + Counter32, + mtaFailedConvertedMessages + Counter32, + mtaLoopsDetected + Counter32 +} + +mtaReceivedMessages OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of messages received since MTA initialization. + This includes messages transmitted to this MTA from other + MTAs as well as messages that have been submitted to the + MTA directly by end-users or applications." + ::= {mtaEntry 1} + +mtaStoredMessages OBJECT-TYPE + SYNTAX Gauge32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The total number of messages currently stored in the MTA. + This includes messages that are awaiting transmission to + some other MTA or are waiting for delivery to an end-user + or application." 
+ ::= {mtaEntry 2} + +mtaTransmittedMessages OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of messages transmitted since MTA initialization. + This includes messages that were transmitted to some other + MTA or are waiting for delivery to an end-user or + application." + ::= {mtaEntry 3} + +mtaReceivedVolume OBJECT-TYPE + SYNTAX Counter32 + UNITS "K-octets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The total volume of messages received since MTA + initialization, measured in kilo-octets. This volume should + include all transferred data that is logically above the mail + transport protocol level. For example, an SMTP-based MTA + should use the number of kilo-octets in the message header + and body, while an X.400-based MTA should use the number of + kilo-octets of P2 data. This includes messages transmitted + to this MTA from other MTAs as well as messages that have + been submitted to the MTA directly by end-users or + applications." + ::= {mtaEntry 4} + +mtaStoredVolume OBJECT-TYPE + SYNTAX Gauge32 + UNITS "K-octets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The total volume of messages currently stored in the MTA, + measured in kilo-octets. This volume should include all + stored data that is logically above the mail transport + protocol level. For example, an SMTP-based MTA should + use the number of kilo-octets in the message header and + body, while an X.400-based MTA would use the number of + kilo-octets of P2 data. This includes messages that are + awaiting transmission to some other MTA or are waiting + for delivery to an end-user or application." + ::= {mtaEntry 5} + +mtaTransmittedVolume OBJECT-TYPE + SYNTAX Counter32 + UNITS "K-octets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The total volume of messages transmitted since MTA + initialization, measured in kilo-octets. 
This volume should + include all transferred data that is logically above the mail + transport protocol level. For example, an SMTP-based MTA + should use the number of kilo-octets in the message header + and body, while an X.400-based MTA should use the number of + kilo-octets of P2 data. This includes messages that were + transmitted to some other MTA or are waiting for delivery + to an end-user or application." + ::= {mtaEntry 6} + +mtaReceivedRecipients OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The total number of recipients specified in all messages + received since MTA initialization. Recipients this MTA + has no responsibility for, i.e. inactive envelope + recipients or ones referred to in message headers, + should not be counted even if information about such + recipients is available. This includes messages + transmitted to this MTA from other MTAs as well as + messages that have been submitted to the MTA directly + by end-users or applications." + ::= {mtaEntry 7} + +mtaStoredRecipients OBJECT-TYPE + SYNTAX Gauge32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The total number of recipients specified in all messages + currently stored in the MTA. Recipients this MTA has no + responsibility for, i.e. inactive envelope recipients or + ones referred to in message headers, should not be + counted. This includes messages that are awaiting + transmission to some other MTA or are waiting for + delivery to an end-user or application." + ::= {mtaEntry 8} + +mtaTransmittedRecipients OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The total number of recipients specified in all messages + transmitted since MTA initialization. Recipients this + MTA had no responsibility for, i.e. inactive envelope + recipients or ones referred to in message headers, + should not be counted. 
This includes messages that were + transmitted to some other MTA or are waiting for + delivery to an end-user or application." + ::= {mtaEntry 9} + +mtaSuccessfulConvertedMessages OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of messages that have been successfully + converted from one form to another since MTA + initialization." + ::= {mtaEntry 10} + +mtaFailedConvertedMessages OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of messages for which an unsuccessful + attempt was made to convert them from one form to + another since MTA initialization." + ::= {mtaEntry 11} + +mtaLoopsDetected OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "A message loop is defined as a situation where the MTA + decides that a given message will never be delivered to + one or more recipients and instead will continue to + loop endlessly through one or more MTAs. This variable + counts the number of times the MTA has detected such a + situation since MTA initialization. Note that the + mechanism MTAs use to detect loops (e.g., trace field + counting, count of references to this MTA in a trace + field, examination of DNS or other directory information, + etc.), the level at which loops are detected (e.g., per + message, per recipient, per directory entry, etc.), and + the handling of a loop once it is detected (e.g., looping + + messages are held, looping messages are bounced or sent + to the postmaster, messages that the MTA knows will loop + won't be accepted, etc.) vary widely from one MTA to the + next and cannot be inferred from this variable." + ::= {mtaEntry 12} + +-- MTAs typically group inbound reception, queue storage, and +-- outbound transmission in some way, rather than accounting for +-- such operations only across the MTA as a whole. 
In the most
+-- extreme case separate information will be maintained for each
+-- different entity that receives messages and for each entity
+-- the MTA stores messages for and delivers messages to. Other
+-- MTAs may elect to treat all reception equally, all queue
+-- storage equally, all deliveries equally, or some combination
+-- of this. Overlapped groupings are also possible, where an MTA
+-- decomposes its traffic in different ways for different
+-- purposes.
+
+-- In any case, a grouping abstraction is an extremely useful for
+-- breaking down the activities of an MTA. For purposes of
+-- labelling this will be called a "group" in this MIB.
+
+-- Each group contains all the variables needed to monitor all
+-- aspects of an MTA's operation. However, the fact that all
+-- groups contain all possible variables does not imply that all
+-- groups must use all possible variables. For example, a single
+-- group might be used to monitor only one kind of event (inbound
+-- processing, outbound processing, or storage). In this sort of
+-- configuration any counters that are unused as a result of a
+-- given MTA's use of the group construct must be inaccessible;
+-- e.g., returning either a noSuchName error (for an SNMPv1 get),
+-- or a noSuchInstance exception (for an SNMPv2 get).
+
+-- Groups can be created at any time after MTA initialization. Once
+-- a group is created it should not be deleted or its mtaGroupIndex
+-- changed unless the MTA is reinitialized.
+
+-- Groups are not necessarily mutually exclusive. A given event may
+-- be recorded by more than one group, a message may be seen as
+-- stored by more than one group, and so on. Groups should be all
+-- inclusive, however: if groups are implemented all aspects of an
+-- MTA's operation should be registered in at least one group.
+-- This freedom lets implementors use different sets of groups to
+-- provide different "views" of an MTA.
+
+-- The possibility of overlap between groups means that summing
+-- variables across groups may not produce values equal to those in
+-- the mtaTable. mtaTable should always provide accurate information
+
+-- about the MTA as a whole.
+
+-- The term "channel" is often used in MTA implementations; channels
+-- are usually, but not always, equivalent to a group. However,
+-- this MIB does not use the term "channel" because there is no
+-- requirement that an MTA supporting this MIB has to map its
+-- "channel" abstraction one-to-one onto the MIB's group abstraction.
+
+-- An MTA may create a group or group of groups at any time. Once
+-- created, however, an MTA cannot delete an entry for a group from
+-- the group table. Deletion is only allowed when the MTA is
+-- reinitialized, and is not required even then. This restriction
+-- is imposed so that monitoring agents can rely on group
+-- assignments being consistent across multiple query operations.
+
+-- Groups may be laid out so as to form a hierarchical arrangement,
+-- with some groups acting as subgroups for other groups.
+-- Alternately, disjoint groups of groups may be used to provide
+-- different sorts of "snapshots" of MTA operation. The
+-- mtaGroupHierarchy variable provides an indication of how each
+-- group fits into the overall arrangement being used.
+
+-- Note that SNMP also defines and uses term "group". MTA groups are
+-- NOT the same as SNMP groups.
+
+mtaGroupTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF MtaGroupEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The table holding information specific to each MTA group."
+ ::= {mta 2}
+
+mtaGroupEntry OBJECT-TYPE
+ SYNTAX MtaGroupEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The entry associated with each MTA group."
+ INDEX {applIndex, mtaGroupIndex}
+ ::= {mtaGroupTable 1}
+
+MtaGroupEntry ::= SEQUENCE {
+ mtaGroupIndex
+ INTEGER,
+ mtaGroupReceivedMessages
+ Counter32,
+ mtaGroupRejectedMessages
+
+ Counter32,
+ mtaGroupStoredMessages
+ Gauge32,
+ mtaGroupTransmittedMessages
+ Counter32,
+ mtaGroupReceivedVolume
+ Counter32,
+ mtaGroupStoredVolume
+ Gauge32,
+ mtaGroupTransmittedVolume
+ Counter32,
+ mtaGroupReceivedRecipients
+ Counter32,
+ mtaGroupStoredRecipients
+ Gauge32,
+ mtaGroupTransmittedRecipients
+ Counter32,
+ mtaGroupOldestMessageStored
+ TimeInterval,
+ mtaGroupInboundAssociations
+ Gauge32,
+ mtaGroupOutboundAssociations
+ Gauge32,
+ mtaGroupAccumulatedInboundAssociations
+ Counter32,
+ mtaGroupAccumulatedOutboundAssociations
+ Counter32,
+ mtaGroupLastInboundActivity
+ TimeInterval,
+ mtaGroupLastOutboundActivity
+ TimeInterval,
+ mtaGroupLastOutboundAssociationAttempt
+ TimeInterval,
+ mtaGroupRejectedInboundAssociations
+ Counter32,
+ mtaGroupFailedOutboundAssociations
+ Counter32,
+ mtaGroupInboundRejectionReason
+ SnmpAdminString,
+ mtaGroupOutboundConnectFailureReason
+ SnmpAdminString,
+ mtaGroupScheduledRetry
+ TimeInterval,
+ mtaGroupMailProtocol
+ OBJECT IDENTIFIER,
+ mtaGroupName
+ SnmpAdminString,
+ mtaGroupSuccessfulConvertedMessages
+
+ Counter32,
+ mtaGroupFailedConvertedMessages
+ Counter32,
+ mtaGroupDescription
+ SnmpAdminString,
+ mtaGroupURL
+ URLString,
+ mtaGroupCreationTime
+ TimeInterval,
+ mtaGroupHierarchy
+ INTEGER,
+ mtaGroupOldestMessageId
+ SnmpAdminString,
+ mtaGroupLoopsDetected
+ Counter32
+}
+
+mtaGroupIndex OBJECT-TYPE
+ SYNTAX INTEGER (1..2147483647)
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The index associated with a group for a given MTA."
+ ::= {mtaGroupEntry 1}
+
+mtaGroupReceivedMessages OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of messages received to this group since
+ group creation."
+ ::= {mtaGroupEntry 2}
+
+mtaGroupRejectedMessages OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of messages rejected by this group since
+ group creation."
+ ::= {mtaGroupEntry 3}
+
+mtaGroupStoredMessages OBJECT-TYPE
+ SYNTAX Gauge32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of messages currently stored in this
+ group's queue."
+ ::= {mtaGroupEntry 4}
+
+mtaGroupTransmittedMessages OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of messages transmitted by this group since
+ group creation."
+ ::= {mtaGroupEntry 5}
+
+mtaGroupReceivedVolume OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "K-octets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total volume of messages received to this group since
+ group creation, measured in kilo-octets. This volume
+ should include all transferred data that is logically above
+ the mail transport protocol level. For example, an
+ SMTP-based MTA should use the number of kilo-octets in the
+ message header and body, while an X.400-based MTA should use
+ the number of kilo-octets of P2 data."
+ ::= {mtaGroupEntry 6}
+
+mtaGroupStoredVolume OBJECT-TYPE
+ SYNTAX Gauge32
+ UNITS "K-octets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total volume of messages currently stored in this
+ group's queue, measured in kilo-octets. This volume should
+ include all stored data that is logically above the mail
+ transport protocol level. For example, an SMTP-based
+ MTA should use the number of kilo-octets in the message
+ header and body, while an X.400-based MTA would use the
+ number of kilo-octets of P2 data."
+ ::= {mtaGroupEntry 7}
+
+mtaGroupTransmittedVolume OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "K-octets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total volume of messages transmitted by this group
+ since group creation, measured in kilo-octets.
This
+ volume should include all transferred data that is logically
+ above the mail transport protocol level. For example, an
+ SMTP-based MTA should use the number of kilo-octets in the
+ message header and body, while an X.400-based MTA should use
+ the number of kilo-octets of P2 data."
+ ::= {mtaGroupEntry 8}
+
+mtaGroupReceivedRecipients OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of recipients specified in all messages
+ received to this group since group creation.
+ Recipients this MTA has no responsibility for should not
+ be counted."
+ ::= {mtaGroupEntry 9}
+
+mtaGroupStoredRecipients OBJECT-TYPE
+ SYNTAX Gauge32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of recipients specified in all messages
+ currently stored in this group's queue. Recipients this
+ MTA has no responsibility for should not be counted."
+ ::= {mtaGroupEntry 10}
+
+mtaGroupTransmittedRecipients OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of recipients specified in all messages
+ transmitted by this group since group creation.
+ Recipients this MTA had no responsibility for should not
+ be counted."
+ ::= {mtaGroupEntry 11}
+
+mtaGroupOldestMessageStored OBJECT-TYPE
+ SYNTAX TimeInterval
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Time since the oldest message in this group's queue was
+
+ placed in the queue."
+ ::= {mtaGroupEntry 12}
+
+mtaGroupInboundAssociations OBJECT-TYPE
+ SYNTAX Gauge32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of current associations to the group, where the
+ group is the responder."
+ ::= {mtaGroupEntry 13}
+
+mtaGroupOutboundAssociations OBJECT-TYPE
+ SYNTAX Gauge32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of current associations to the group, where the
+ group is the initiator."
+ ::= {mtaGroupEntry 14}
+
+mtaGroupAccumulatedInboundAssociations OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of associations to the group since
+ group creation, where the MTA was the responder."
+ ::= {mtaGroupEntry 15}
+
+mtaGroupAccumulatedOutboundAssociations OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of associations from the group since
+ group creation, where the MTA was the initiator."
+ ::= {mtaGroupEntry 16}
+
+mtaGroupLastInboundActivity OBJECT-TYPE
+ SYNTAX TimeInterval
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Time since the last time that this group had an active
+ inbound association for purposes of message reception."
+ ::= {mtaGroupEntry 17}
+
+mtaGroupLastOutboundActivity OBJECT-TYPE
+ SYNTAX TimeInterval
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Time since the last time that this group had a
+ successful outbound association for purposes of
+ message delivery."
+ ::= {mtaGroupEntry 18}
+
+mtaGroupLastOutboundAssociationAttempt OBJECT-TYPE
+ SYNTAX TimeInterval
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Time since the last time that this group attempted
+ to make an outbound association for purposes of
+ message delivery."
+ ::= {mtaGroupEntry 34}
+
+mtaGroupRejectedInboundAssociations OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of inbound associations the group has
+ rejected, since group creation. Rejected associations
+ are not counted in the accumulated association totals."
+ ::= {mtaGroupEntry 19}
+
+mtaGroupFailedOutboundAssociations OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number associations where the group was the
+ initiator and association establishment has failed,
+ since group creation.
Failed associations are
+ not counted in the accumulated association totals."
+ ::= {mtaGroupEntry 20}
+
+mtaGroupInboundRejectionReason OBJECT-TYPE
+ SYNTAX SnmpAdminString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The failure reason, if any, for the last association this
+ group refused to respond to. If no association attempt
+
+ has been made since the MTA was initialized the value
+ should be 'never'."
+ ::= {mtaGroupEntry 21}
+
+mtaGroupOutboundConnectFailureReason OBJECT-TYPE
+ SYNTAX SnmpAdminString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The failure reason, if any, for the last association attempt
+ this group initiated. If no association attempt has been
+ made since the MTA was initialized the value should be
+ 'never'."
+ ::= {mtaGroupEntry 22}
+
+mtaGroupScheduledRetry OBJECT-TYPE
+ SYNTAX TimeInterval
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The amount of time until this group is next scheduled to
+ attempt to make an association."
+ ::= {mtaGroupEntry 23}
+
+mtaGroupMailProtocol OBJECT-TYPE
+ SYNTAX OBJECT IDENTIFIER
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "An identification of the protocol being used by this group.
+ For an group employing OSI protocols, this will be the
+ Application Context. For Internet applications, OID
+ values of the form {applTCPProtoID port} or {applUDPProtoID
+ port} are used for TCP-based and UDP-based protocols,
+ respectively. In either case 'port' corresponds to the
+ primary port number being used by the protocol. The
+ usual IANA procedures may be used to register ports for
+ new protocols. applTCPProtoID and applUDPProtoID are
+ defined in the NETWORK-SERVICES-MIB, RFC 2788."
+ ::= {mtaGroupEntry 24}
+
+mtaGroupName OBJECT-TYPE
+ SYNTAX SnmpAdminString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "A descriptive name for the group. If this group connects to
+ a single remote MTA this should be the name of that MTA.
If
+
+ this in turn is an Internet MTA this should be the domain
+ name. For an OSI MTA it should be the string encoded
+ distinguished name of the managed object using the format
+ defined in RFC 2253. For X.400(1984) MTAs which do not
+ have a Distinguished Name, the RFC 2156 syntax
+ 'mta in globalid' used in X400-Received: fields can be
+ used."
+ ::= {mtaGroupEntry 25}
+
+mtaGroupSuccessfulConvertedMessages OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of messages that have been successfully
+ converted from one form to another in this group
+ since group creation."
+ ::= {mtaGroupEntry 26}
+
+mtaGroupFailedConvertedMessages OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of messages for which an unsuccessful
+ attempt was made to convert them from one form to
+ another in this group since group creation."
+ ::= {mtaGroupEntry 27}
+
+mtaGroupDescription OBJECT-TYPE
+ SYNTAX SnmpAdminString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "A description of the group's purpose. This information is
+ intended to identify the group in a status display."
+ ::= {mtaGroupEntry 28}
+
+mtaGroupURL OBJECT-TYPE
+ SYNTAX URLString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "A URL pointing to a description of the group. This
+ information is intended to identify and briefly describe
+ the group in a status display."
+ ::= {mtaGroupEntry 29}
+
+mtaGroupCreationTime OBJECT-TYPE
+ SYNTAX TimeInterval
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Time since this group was first created."
+ ::= {mtaGroupEntry 30}
+
+mtaGroupHierarchy OBJECT-TYPE
+ SYNTAX INTEGER (-2147483648..2147483647)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Describes how this group fits into the hierarchy. A
+ positive value is interpreted as an mtaGroupIndex
+ value for some other group whose variables include
+ those of this group (and usually others).
A negative
+ value is interpreted as a group collection code: Groups
+ with common negative hierarchy values comprise one
+ particular breakdown of MTA activity as a whole. A
+ zero value means that this MIB implementation doesn't
+ implement hierarchy indicators and thus the overall
+ group hierarchy cannot be determined."
+ ::= {mtaGroupEntry 31}
+
+mtaGroupOldestMessageId OBJECT-TYPE
+ SYNTAX SnmpAdminString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Message ID of the oldest message in the group's queue.
+ Whenever possible this should be in the form of an
+ RFC 822 msg-id; X.400 may convert X.400 message
+ identifiers to this form by following the rules laid
+ out in RFC2156."
+ ::= {mtaGroupEntry 32}
+
+mtaGroupLoopsDetected OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "A message loop is defined as a situation where the MTA
+ decides that a given message will never be delivered to
+ one or more recipients and instead will continue to
+ loop endlessly through one or more MTAs. This variable
+ counts the number of times the MTA has detected such a
+ situation in conjunction with something associated with
+
+ this group since group creation. Note that the
+ mechanism MTAs use to detect loops (e.g., trace field
+ counting, count of references to this MTA in a trace
+ field, examination of DNS or other directory information,
+ etc.), the level at which loops are detected (e.g., per
+ message, per recipient, per directory entry, etc.), and
+ the handling of a loop once it is detected (e.g., looping
+ messages are held, looping messages are bounced or sent
+ to the postmaster, messages that the MTA knows will loop
+ won't be accepted, etc.) vary widely from one MTA to the
+ next and cannot be inferred from this variable."
+ ::= {mtaGroupEntry 33}
+
+-- The mtaGroupAssociationTable provides a means of correlating
+-- entries in the network services association table with the
+-- MTA group responsible for the association.
+
+mtaGroupAssociationTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF MtaGroupAssociationEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The table holding information regarding the associations
+ for each MTA group."
+ ::= {mta 3}
+
+mtaGroupAssociationEntry OBJECT-TYPE
+ SYNTAX MtaGroupAssociationEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The entry holding information regarding the associations
+ for each MTA group."
+ INDEX {applIndex, mtaGroupIndex, mtaGroupAssociationIndex}
+ ::= {mtaGroupAssociationTable 1}
+
+MtaGroupAssociationEntry ::= SEQUENCE {
+ mtaGroupAssociationIndex
+ INTEGER
+}
+
+mtaGroupAssociationIndex OBJECT-TYPE
+ SYNTAX INTEGER (1..2147483647)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Reference into association table to allow correlation of
+ this group's active associations with the association table."
+ ::= {mtaGroupAssociationEntry 1}
+
+-- The mtaGroupErrorTable gives each group a way of tallying
+-- the specific errors it has encountered. The mechanism
+-- defined here uses RFC 1893 status codes to identify
+-- various specific errors. There are also classes for generic
+-- errors of various sorts, and the entire mechanism is also
+-- extensible, in that new error codes can be defined at any
+-- time.
+
+mtaGroupErrorTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF MtaGroupErrorEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The table holding information regarding accumulated errors
+ for each MTA group."
+ ::= {mta 5}
+
+mtaGroupErrorEntry OBJECT-TYPE
+ SYNTAX MtaGroupErrorEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The entry holding information regarding accumulated
+ errors for each MTA group."
+ INDEX {applIndex, mtaGroupIndex, mtaStatusCode}
+ ::= {mtaGroupErrorTable 1}
+
+MtaGroupErrorEntry ::= SEQUENCE {
+ mtaStatusCode
+ INTEGER (4000000..5999999),
+ mtaGroupInboundErrorCount
+ Counter32,
+ mtaGroupInternalErrorCount
+ Counter32,
+ mtaGroupOutboundErrorCount
+ Counter32
+}
+
+mtaGroupInboundErrorCount OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Count of the number of errors of a given type that have
+ been accumulated in association with a particular group
+ while processing incoming messages. In the case of SMTP
+
+ these will typically be errors reporting by an SMTP
+ server to the remote client; in the case of X.400
+ these will typically be errors encountered while
+ processing an incoming message."
+ ::= {mtaGroupErrorEntry 1}
+
+mtaGroupInternalErrorCount OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Count of the number of errors of a given type that have
+ been accumulated in association with a particular group
+ during internal MTA processing."
+ ::= {mtaGroupErrorEntry 2}
+
+mtaGroupOutboundErrorCount OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Count of the number of errors of a given type that have
+ been accumulated in association with a particular group's
+ outbound connection activities. In the case of an SMTP
+ client these will typically be errors reported while
+ attempting to contact or while communicating with the
+ remote SMTP server. In the case of X.400 these will
+ typically be errors encountered while constructing
+ or attempting to deliver an outgoing message."
+ ::= {mtaGroupErrorEntry 3}
+
+mtaStatusCode OBJECT-TYPE
+ SYNTAX INTEGER (4000000..5999999)
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An index capable of representing an Enhanced Mail System
+ Status Code. Enhanced Mail System Status Codes are
+ defined in RFC 1893.
These codes have the form
+
+ class.subject.detail
+
+ Here 'class' is either 2, 4, or 5 and both 'subject' and
+ 'detail' are integers in the range 0..999. Given a status
+ code the corresponding index value is defined to be
+ ((class * 1000) + subject) * 1000 + detail. Both SMTP
+ error response codes and X.400 reason and diagnostic codes
+ can be mapped into these codes, resulting in a namespace
+
+ capable of describing most error conditions a mail system
+ encounters in a generic yet detailed way."
+ ::= {mtaGroupErrorEntry 4}
+
+-- Conformance information
+
+mtaConformance OBJECT IDENTIFIER ::= {mta 4}
+
+mtaGroups OBJECT IDENTIFIER ::= {mtaConformance 1}
+mtaCompliances OBJECT IDENTIFIER ::= {mtaConformance 2}
+
+-- Compliance statements
+
+mtaCompliance MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "The compliance statement for RFC 1566 implementations
+ which support the Mail Monitoring MIB for basic
+ monitoring of MTAs."
+ MODULE -- this module
+ MANDATORY-GROUPS {mtaRFC1566Group}
+ ::= {mtaCompliances 1}
+
+mtaAssocCompliance MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "The compliance statement for RFC 1566 implementations
+ which support the Mail Monitoring MIB for monitoring
+ of MTAs and their associations."
+ MODULE -- this module
+ MANDATORY-GROUPS {mtaRFC1566Group, mtaRFC1566AssocGroup}
+ ::= {mtaCompliances 2}
+
+mtaRFC2249Compliance MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "The compliance statement for RFC 2249 implementations
+ which support the Mail Monitoring MIB for basic
+ monitoring of MTAs."
+ MODULE -- this module
+ MANDATORY-GROUPS {mtaRFC2249Group}
+ ::= {mtaCompliances 5}
+
+mtaRFC2249AssocCompliance MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "The compliance statement for RFC 2249 implementations
+
+ which support the Mail Monitoring MIB for monitoring of
+ MTAs and their associations."
+ MODULE -- this module
+ MANDATORY-GROUPS {mtaRFC2249Group, mtaRFC2249AssocGroup}
+ ::= {mtaCompliances 6}
+
+mtaRFC2249ErrorCompliance MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "The compliance statement for RFC 2249 implementations
+ which support the Mail Monitoring MIB for monitoring of
+ MTAs and detailed errors."
+ MODULE -- this module
+ MANDATORY-GROUPS {mtaRFC2249Group, mtaRFC2249ErrorGroup}
+ ::= {mtaCompliances 7}
+
+mtaRFC2249FullCompliance MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "The compliance statement for RFC 2249 implementations
+ which support the full Mail Monitoring MIB for
+ monitoring of MTAs, associations, and detailed errors."
+ MODULE -- this module
+ MANDATORY-GROUPS {mtaRFC2249Group, mtaRFC2249AssocGroup,
+ mtaRFC2249ErrorGroup}
+ ::= {mtaCompliances 8}
+
+mtaRFC2789Compliance MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "The compliance statement for RFC 2789 implementations
+ which support the Mail Monitoring MIB for basic
+ monitoring of MTAs."
+ MODULE -- this module
+ MANDATORY-GROUPS {mtaRFC2789Group}
+ ::= {mtaCompliances 9}
+
+mtaRFC2789AssocCompliance MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "The compliance statement for RFC 2789 implementations
+ which support the Mail Monitoring MIB for monitoring of
+ MTAs and their associations."
+ MODULE -- this module
+ MANDATORY-GROUPS {mtaRFC2789Group, mtaRFC2789AssocGroup}
+ ::= {mtaCompliances 10}
+
+mtaRFC2789ErrorCompliance MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "The compliance statement for RFC 2789 implementations
+ which support the Mail Monitoring MIB for monitoring of
+ MTAs and detailed errors."
+ MODULE -- this module
+ MANDATORY-GROUPS {mtaRFC2789Group, mtaRFC2789ErrorGroup}
+ ::= {mtaCompliances 11}
+
+mtaRFC2789FullCompliance MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "The compliance statement for RFC 2789 implementations
+ which support the full Mail Monitoring MIB for
+ monitoring of MTAs, associations, and detailed errors."
+ MODULE -- this module
+ MANDATORY-GROUPS {mtaRFC2789Group, mtaRFC2789AssocGroup,
+ mtaRFC2789ErrorGroup}
+ ::= {mtaCompliances 12}
+
+-- Units of conformance
+
+mtaRFC1566Group OBJECT-GROUP
+ OBJECTS {
+ mtaReceivedMessages, mtaStoredMessages,
+ mtaTransmittedMessages, mtaReceivedVolume, mtaStoredVolume,
+ mtaTransmittedVolume, mtaReceivedRecipients,
+ mtaStoredRecipients, mtaTransmittedRecipients,
+ mtaGroupReceivedMessages, mtaGroupRejectedMessages,
+ mtaGroupStoredMessages, mtaGroupTransmittedMessages,
+ mtaGroupReceivedVolume, mtaGroupStoredVolume,
+ mtaGroupTransmittedVolume, mtaGroupReceivedRecipients,
+ mtaGroupStoredRecipients, mtaGroupTransmittedRecipients,
+ mtaGroupOldestMessageStored, mtaGroupInboundAssociations,
+ mtaGroupOutboundAssociations,
+ mtaGroupAccumulatedInboundAssociations,
+ mtaGroupAccumulatedOutboundAssociations,
+ mtaGroupLastInboundActivity, mtaGroupLastOutboundActivity,
+ mtaGroupRejectedInboundAssociations,
+ mtaGroupFailedOutboundAssociations,
+ mtaGroupInboundRejectionReason,
+ mtaGroupOutboundConnectFailureReason,
+ mtaGroupScheduledRetry, mtaGroupMailProtocol, mtaGroupName}
+ STATUS current
+ DESCRIPTION
+ "A collection of objects providing basic monitoring of MTAs.
+ This is the original set of such objects defined in RFC
+ 1566."
+ ::= {mtaGroups 10}
+
+mtaRFC1566AssocGroup OBJECT-GROUP
+ OBJECTS {
+ mtaGroupAssociationIndex}
+ STATUS current
+ DESCRIPTION
+ "A collection of objects providing monitoring of MTA
+ associations. This is the original set of such objects
+ defined in RFC 1566."
+ ::= {mtaGroups 11}
+
+mtaRFC2249Group OBJECT-GROUP
+ OBJECTS {
+ mtaReceivedMessages, mtaStoredMessages,
+ mtaTransmittedMessages, mtaReceivedVolume, mtaStoredVolume,
+ mtaTransmittedVolume, mtaReceivedRecipients,
+ mtaStoredRecipients, mtaTransmittedRecipients,
+ mtaSuccessfulConvertedMessages, mtaFailedConvertedMessages,
+ mtaGroupReceivedMessages, mtaGroupRejectedMessages,
+ mtaGroupStoredMessages, mtaGroupTransmittedMessages,
+ mtaGroupReceivedVolume, mtaGroupStoredVolume,
+ mtaGroupTransmittedVolume, mtaGroupReceivedRecipients,
+ mtaGroupStoredRecipients, mtaGroupTransmittedRecipients,
+ mtaGroupOldestMessageStored, mtaGroupInboundAssociations,
+ mtaGroupOutboundAssociations, mtaLoopsDetected,
+ mtaGroupAccumulatedInboundAssociations,
+ mtaGroupAccumulatedOutboundAssociations,
+ mtaGroupLastInboundActivity, mtaGroupLastOutboundActivity,
+ mtaGroupLastOutboundAssociationAttempt,
+ mtaGroupRejectedInboundAssociations,
+ mtaGroupFailedOutboundAssociations,
+ mtaGroupInboundRejectionReason,
+ mtaGroupOutboundConnectFailureReason,
+ mtaGroupScheduledRetry, mtaGroupMailProtocol, mtaGroupName,
+ mtaGroupSuccessfulConvertedMessages,
+ mtaGroupFailedConvertedMessages, mtaGroupDescription,
+ mtaGroupURL, mtaGroupCreationTime, mtaGroupHierarchy,
+ mtaGroupOldestMessageId, mtaGroupLoopsDetected}
+ STATUS current
+ DESCRIPTION
+ "A collection of objects providing basic monitoring of MTAs.
+ This group was originally defined in RFC 2249."
+ ::= {mtaGroups 4}
+
+mtaRFC2249AssocGroup OBJECT-GROUP
+ OBJECTS {
+ mtaGroupAssociationIndex}
+ STATUS current
+ DESCRIPTION
+ "A collection of objects providing monitoring of MTA
+ associations. This group was originally defined in RFC
+ 2249."
+ ::= {mtaGroups 5}
+
+mtaRFC2249ErrorGroup OBJECT-GROUP
+ OBJECTS {
+ mtaGroupInboundErrorCount, mtaGroupInternalErrorCount,
+ mtaGroupOutboundErrorCount}
+ STATUS current
+ DESCRIPTION
+ "A collection of objects providing monitoring of
+ detailed MTA errors.
This group was originally defined
+ in RFC 2249."
+ ::= {mtaGroups 6}
+
+mtaRFC2789Group OBJECT-GROUP
+ OBJECTS {
+ mtaReceivedMessages, mtaStoredMessages,
+ mtaTransmittedMessages, mtaReceivedVolume, mtaStoredVolume,
+ mtaTransmittedVolume, mtaReceivedRecipients,
+ mtaStoredRecipients, mtaTransmittedRecipients,
+ mtaSuccessfulConvertedMessages, mtaFailedConvertedMessages,
+ mtaGroupReceivedMessages, mtaGroupRejectedMessages,
+ mtaGroupStoredMessages, mtaGroupTransmittedMessages,
+ mtaGroupReceivedVolume, mtaGroupStoredVolume,
+ mtaGroupTransmittedVolume, mtaGroupReceivedRecipients,
+ mtaGroupStoredRecipients, mtaGroupTransmittedRecipients,
+ mtaGroupOldestMessageStored, mtaGroupInboundAssociations,
+ mtaGroupOutboundAssociations, mtaLoopsDetected,
+ mtaGroupAccumulatedInboundAssociations,
+ mtaGroupAccumulatedOutboundAssociations,
+ mtaGroupLastInboundActivity, mtaGroupLastOutboundActivity,
+ mtaGroupLastOutboundAssociationAttempt,
+ mtaGroupRejectedInboundAssociations,
+ mtaGroupFailedOutboundAssociations,
+ mtaGroupInboundRejectionReason,
+ mtaGroupOutboundConnectFailureReason,
+ mtaGroupScheduledRetry, mtaGroupMailProtocol, mtaGroupName,
+ mtaGroupSuccessfulConvertedMessages,
+ mtaGroupFailedConvertedMessages, mtaGroupDescription,
+ mtaGroupURL, mtaGroupCreationTime, mtaGroupHierarchy,
+ mtaGroupOldestMessageId, mtaGroupLoopsDetected}
+ STATUS current
+ DESCRIPTION
+ "A collection of objects providing basic monitoring of MTAs.
+
+ This is the appropriate group for RFC 2789."
+ ::= {mtaGroups 7}
+
+mtaRFC2789AssocGroup OBJECT-GROUP
+ OBJECTS {
+ mtaGroupAssociationIndex}
+ STATUS current
+ DESCRIPTION
+ "A collection of objects providing monitoring of MTA
+ associations. This is the appropriate group for RFC
+ 2789 association monitoring."
+ ::= {mtaGroups 8}
+
+mtaRFC2789ErrorGroup OBJECT-GROUP
+ OBJECTS {
+ mtaGroupInboundErrorCount, mtaGroupInternalErrorCount,
+ mtaGroupOutboundErrorCount}
+ STATUS current
+ DESCRIPTION
+ "A collection of objects providing monitoring of
+ detailed MTA errors. This is the appropriate group
+ for RFC 2789 error monitoring."
+ ::= {mtaGroups 9}
+
+END
diff --git a/mibs/NETWORK-SERVICES-MIB.txt b/mibs/NETWORK-SERVICES-MIB.txt
new file mode 100644
index 000000000..0f2cabecb
--- /dev/null
+++ b/mibs/NETWORK-SERVICES-MIB.txt
@@ -0,0 +1,626 @@ +NETWORK-SERVICES-MIB DEFINITIONS ::= BEGIN + +IMPORTS + OBJECT-TYPE, Counter32, Gauge32, MODULE-IDENTITY, mib-2 + FROM SNMPv2-SMI + TimeStamp, TEXTUAL-CONVENTION + FROM SNMPv2-TC + MODULE-COMPLIANCE, OBJECT-GROUP + FROM SNMPv2-CONF + SnmpAdminString + FROM SNMP-FRAMEWORK-MIB; + +application MODULE-IDENTITY + LAST-UPDATED "200003030000Z" + ORGANIZATION "IETF Mail and Directory Management Working Group" + + CONTACT-INFO + " Ned Freed + + Postal: Innosoft International, Inc. + 1050 Lakes Drive + West Covina, CA 91790 + US + + Tel: +1 626 919 3600 + Fax: +1 626 919 3614 + + E-Mail: ned.freed@innosoft.com" + DESCRIPTION + "The MIB module describing network service applications" + REVISION "200003030000Z" + DESCRIPTION + "This revision, published in RFC 2788, changes a number of + DisplayStrings to SnmpAdminStrings. Note that this change + is not strictly supported by SMIv2. However, the alternative + of deprecating the old objects and defining new objects + would have a more adverse impact on backward compatibility + and interoperability, given the particular semantics of + these objects. The defining reference for distinguished + names has also been updated from RFC 1779 to RFC 2253." + REVISION "199905120000Z" + DESCRIPTION + "This revision fixes a few small technical problems found + in previous versions, mostly in regards to the conformance + groups for different versions of this MIB. No changes have + been made to the objects this MIB defines since RFC 2248." + REVISION "199708170000Z" + DESCRIPTION + "This revision, published in RFC 2248, adds the + applDescription and applURL objects, adds the quiescing + state to the applOperStatus object and renames the MIB + from the APPLICATION-MIB to the NETWORK-SERVICE-MIB." + REVISION "199311280000Z" + DESCRIPTION + "The original version of this MIB was published in RFC 1565" + ::= {mib-2 27} + +-- Textual conventions + +-- DistinguishedName is used to refer to objects in the +-- directory. 
+ +DistinguishedName ::= TEXTUAL-CONVENTION + DISPLAY-HINT "255a" + STATUS current + DESCRIPTION + "A Distinguished Name represented in accordance with + RFC 2253, presented in the UTF-8 charset defined in + RFC 2279." + SYNTAX OCTET STRING (SIZE (0..255)) + +-- Uniform Resource Locators are stored in URLStrings. + +URLString ::= TEXTUAL-CONVENTION + DISPLAY-HINT "255a" + STATUS current + DESCRIPTION + "A Uniform Resource Locator represented in accordance + with RFCs 1738 and 2368, presented in the NVT ASCII + charset defined in RFC 854." + SYNTAX OCTET STRING (SIZE (0..255)) + +-- The basic applTable contains a list of the application +-- entities. + +applTable OBJECT-TYPE + SYNTAX SEQUENCE OF ApplEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The table holding objects which apply to all different + kinds of applications providing network services. + Each network service application capable of being + monitored should have a single entry in this table." + ::= {application 1} + +applEntry OBJECT-TYPE + SYNTAX ApplEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "An entry associated with a single network service + application." 
+ INDEX {applIndex} + ::= {applTable 1} + +ApplEntry ::= SEQUENCE { + applIndex + INTEGER, + applName + SnmpAdminString, + applDirectoryName + + DistinguishedName, + applVersion + SnmpAdminString, + applUptime + TimeStamp, + applOperStatus + INTEGER, + applLastChange + TimeStamp, + applInboundAssociations + Gauge32, + applOutboundAssociations + Gauge32, + applAccumulatedInboundAssociations + Counter32, + applAccumulatedOutboundAssociations + Counter32, + applLastInboundActivity + TimeStamp, + applLastOutboundActivity + TimeStamp, + applRejectedInboundAssociations + Counter32, + applFailedOutboundAssociations + Counter32, + applDescription + SnmpAdminString, + applURL + URLString +} + +applIndex OBJECT-TYPE + SYNTAX INTEGER (1..2147483647) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "An index to uniquely identify the network service + application. This attribute is the index used for + lexicographic ordering of the table." + ::= {applEntry 1} + +applName OBJECT-TYPE + SYNTAX SnmpAdminString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The name the network service application chooses to be + known by." + ::= {applEntry 2} + +applDirectoryName OBJECT-TYPE + SYNTAX DistinguishedName + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The Distinguished Name of the directory entry where + static information about this application is stored. + An empty string indicates that no information about + the application is available in the directory." + ::= {applEntry 3} + +applVersion OBJECT-TYPE + SYNTAX SnmpAdminString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The version of network service application software. + This field is usually defined by the vendor of the + network service application software." + ::= {applEntry 4} +applUptime OBJECT-TYPE + SYNTAX TimeStamp + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of sysUpTime at the time the network service + application was last initialized. 
If the application was + last initialized prior to the last initialization of the + network management subsystem, then this object contains + a zero value." + ::= {applEntry 5} + +applOperStatus OBJECT-TYPE + SYNTAX INTEGER { + up(1), + down(2), + halted(3), + congested(4), + restarting(5), + quiescing(6) + } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Indicates the operational status of the network service + application. 'down' indicates that the network service is + + not available. 'up' indicates that the network service + is operational and available. 'halted' indicates that the + service is operational but not available. 'congested' + indicates that the service is operational but no additional + inbound associations can be accommodated. 'restarting' + indicates that the service is currently unavailable but is + in the process of restarting and will be available soon. + 'quiescing' indicates that service is currently operational + but is in the process of shutting down. Additional inbound + associations may be rejected by applications in the + 'quiescing' state." + ::= {applEntry 6} + +applLastChange OBJECT-TYPE + SYNTAX TimeStamp + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of sysUpTime at the time the network service + application entered its current operational state. If + the current state was entered prior to the last + initialization of the local network management subsystem, + then this object contains a zero value." + ::= {applEntry 7} + +applInboundAssociations OBJECT-TYPE + SYNTAX Gauge32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of current associations to the network service + application, where it is the responder. An inbound + association occurs when another application successfully + connects to this one." 
+ ::= {applEntry 8} + +applOutboundAssociations OBJECT-TYPE + SYNTAX Gauge32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of current associations to the network service + application, where it is the initiator. An outbound + association occurs when this application successfully + connects to another one." + ::= {applEntry 9} + +applAccumulatedInboundAssociations OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The total number of associations to the application entity + since application initialization, where it was the responder." + ::= {applEntry 10} + +applAccumulatedOutboundAssociations OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The total number of associations to the application entity + since application initialization, where it was the initiator." + ::= {applEntry 11} + +applLastInboundActivity OBJECT-TYPE + SYNTAX TimeStamp + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of sysUpTime at the time this application last + had an inbound association. If the last association + occurred prior to the last initialization of the network + subsystem, then this object contains a zero value." + ::= {applEntry 12} + +applLastOutboundActivity OBJECT-TYPE + SYNTAX TimeStamp + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of sysUpTime at the time this application last + had an outbound association. If the last association + occurred prior to the last initialization of the network + subsystem, then this object contains a zero value." + ::= {applEntry 13} + +applRejectedInboundAssociations OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The total number of inbound associations the application + entity has rejected, since application initialization. + Rejected associations are not counted in the accumulated + association totals. 
Note that this only counts + + associations the application entity has rejected itself; + it does not count rejections that occur at lower layers + of the network. Thus, this counter may not reflect the + true number of failed inbound associations." + ::= {applEntry 14} + +applFailedOutboundAssociations OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The total number associations where the application entity + is initiator and association establishment has failed, + since application initialization. Failed associations are + not counted in the accumulated association totals." + ::= {applEntry 15} + +applDescription OBJECT-TYPE + SYNTAX SnmpAdminString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "A text description of the application. This information + is intended to identify and briefly describe the + application in a status display." + ::= {applEntry 16} + +applURL OBJECT-TYPE + SYNTAX URLString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "A URL pointing to a description of the application. + This information is intended to identify and describe + the application in a status display." + ::= {applEntry 17} + +-- The assocTable augments the information in the applTable +-- with information about associations. Note that two levels +-- of compliance are specified below, depending on whether +-- association monitoring is mandated. + +assocTable OBJECT-TYPE + SYNTAX SEQUENCE OF AssocEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The table holding a set of all active application + + associations." + ::= {application 2} + +assocEntry OBJECT-TYPE + SYNTAX AssocEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "An entry associated with an association for a network + service application." 
+ INDEX {applIndex, assocIndex} + ::= {assocTable 1} + +AssocEntry ::= SEQUENCE { + assocIndex + INTEGER, + assocRemoteApplication + SnmpAdminString, + assocApplicationProtocol + OBJECT IDENTIFIER, + assocApplicationType + INTEGER, + assocDuration + TimeStamp +} + +assocIndex OBJECT-TYPE + SYNTAX INTEGER (1..2147483647) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "An index to uniquely identify each association for a network + service application. This attribute is the index that is + used for lexicographic ordering of the table. Note that the + table is also indexed by the applIndex." + ::= {assocEntry 1} + +assocRemoteApplication OBJECT-TYPE + SYNTAX SnmpAdminString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The name of the system running remote network service + application. For an IP-based application this should be + either a domain name or IP address. For an OSI application + it should be the string encoded distinguished name of the + managed object. For X.400(1984) MTAs which do not have a + Distinguished Name, the RFC 2156 syntax 'mta in + + globalid' used in X400-Received: fields can be used. Note, + however, that not all connections an MTA makes are + necessarily to another MTA." + ::= {assocEntry 2} + +assocApplicationProtocol OBJECT-TYPE + SYNTAX OBJECT IDENTIFIER + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "An identification of the protocol being used for the + application. For an OSI Application, this will be the + Application Context. For Internet applications, OID + values of the form {applTCPProtoID port} or {applUDPProtoID + port} are used for TCP-based and UDP-based protocols, + respectively. In either case 'port' corresponds to the + primary port number being used by the protocol. The + usual IANA procedures may be used to register ports for + new protocols." 
+ ::= {assocEntry 3} + +assocApplicationType OBJECT-TYPE + SYNTAX INTEGER { + uainitiator(1), + uaresponder(2), + peerinitiator(3), + peerresponder(4)} + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "This indicates whether the remote application is some type of + client making use of this network service (e.g., a Mail User + Agent) or a server acting as a peer. Also indicated is whether + the remote end initiated an incoming connection to the network + service or responded to an outgoing connection made by the + local application. MTAs and messaging gateways are + considered to be peers for the purposes of this variable." + ::= {assocEntry 4} + +assocDuration OBJECT-TYPE + SYNTAX TimeStamp + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of sysUpTime at the time this association was + started. If this association started prior to the last + initialization of the network subsystem, then this + object contains a zero value." + ::= {assocEntry 5} + +-- Conformance information + +applConformance OBJECT IDENTIFIER ::= {application 3} + +applGroups OBJECT IDENTIFIER ::= {applConformance 1} +applCompliances OBJECT IDENTIFIER ::= {applConformance 2} + +-- Compliance statements + +applCompliance MODULE-COMPLIANCE + STATUS obsolete + DESCRIPTION + "The compliance statement for RFC 1565 implementations + which support the Network Services Monitoring MIB + for basic monitoring of network service applications. + This is the basic compliance statement for RFC 1565." + MODULE + MANDATORY-GROUPS {applRFC1565Group} + ::= {applCompliances 1} + +assocCompliance MODULE-COMPLIANCE + STATUS obsolete + DESCRIPTION + "The compliance statement for RFC 1565 implementations + which support the Network Services Monitoring MIB + for basic monitoring of network service applications + and their associations." 
+ MODULE + MANDATORY-GROUPS {applRFC1565Group, assocRFC1565Group} + ::= {applCompliances 2} + +applRFC2248Compliance MODULE-COMPLIANCE + STATUS deprecated + DESCRIPTION + "The compliance statement for RFC 2248 implementations + which support the Network Services Monitoring MIB + for basic monitoring of network service applications." + MODULE + MANDATORY-GROUPS {applRFC2248Group} + ::= {applCompliances 3} + +assocRFC2248Compliance MODULE-COMPLIANCE + STATUS deprecated + DESCRIPTION + "The compliance statement for RFC 2248 implementations + + which support the Network Services Monitoring MIB for + basic monitoring of network service applications and + their associations." + MODULE + MANDATORY-GROUPS {applRFC2248Group, assocRFC2248Group} + ::= {applCompliances 4} + +applRFC2788Compliance MODULE-COMPLIANCE + STATUS current + DESCRIPTION + "The compliance statement for RFC 2788 implementations + which support the Network Services Monitoring MIB + for basic monitoring of network service applications." + MODULE + MANDATORY-GROUPS {applRFC2788Group} + ::= {applCompliances 5} + +assocRFC2788Compliance MODULE-COMPLIANCE + STATUS current + DESCRIPTION + "The compliance statement for RFC 2788 implementations + which support the Network Services Monitoring MIB for + basic monitoring of network service applications and + their associations." + MODULE + MANDATORY-GROUPS {applRFC2788Group, assocRFC2788Group} + ::= {applCompliances 6} + +-- Units of conformance + +applRFC1565Group OBJECT-GROUP + OBJECTS { + applName, applVersion, applUptime, applOperStatus, + applLastChange, applInboundAssociations, + applOutboundAssociations, applAccumulatedInboundAssociations, + applAccumulatedOutboundAssociations, applLastInboundActivity, + applLastOutboundActivity, applRejectedInboundAssociations, + applFailedOutboundAssociations} + STATUS obsolete + DESCRIPTION + "A collection of objects providing basic monitoring of + network service applications. 
This is the original set + of such objects defined in RFC 1565." + ::= {applGroups 7} + +assocRFC1565Group OBJECT-GROUP + OBJECTS { + + assocRemoteApplication, assocApplicationProtocol, + assocApplicationType, assocDuration} + STATUS obsolete + DESCRIPTION + "A collection of objects providing basic monitoring of + network service applications' associations. This is the + original set of such objects defined in RFC 1565." + ::= {applGroups 2} + +applRFC2248Group OBJECT-GROUP + OBJECTS { + applName, applVersion, applUptime, applOperStatus, + applLastChange, applInboundAssociations, + applOutboundAssociations, applAccumulatedInboundAssociations, + applAccumulatedOutboundAssociations, applLastInboundActivity, + applLastOutboundActivity, applRejectedInboundAssociations, + applFailedOutboundAssociations, applDescription, applURL} + STATUS deprecated + DESCRIPTION + "A collection of objects providing basic monitoring of + network service applications. This group was originally + defined in RFC 2248; note that applDirectoryName is + missing." + ::= {applGroups 3} + +assocRFC2248Group OBJECT-GROUP + OBJECTS { + assocRemoteApplication, assocApplicationProtocol, + assocApplicationType, assocDuration} + STATUS deprecated + DESCRIPTION + "A collection of objects providing basic monitoring of + network service applications' associations. This group + was originally defined by RFC 2248." + ::= {applGroups 4} + +applRFC2788Group OBJECT-GROUP + OBJECTS { + applName, applDirectoryName, applVersion, applUptime, + applOperStatus, applLastChange, applInboundAssociations, + applOutboundAssociations, applAccumulatedInboundAssociations, + applAccumulatedOutboundAssociations, applLastInboundActivity, + applLastOutboundActivity, applRejectedInboundAssociations, + applFailedOutboundAssociations, applDescription, applURL} + STATUS current + DESCRIPTION + "A collection of objects providing basic monitoring of + network service applications. 
This is the appropriate + + group for RFC 2788 -- it adds the applDirectoryName object + missing in RFC 2248." + ::= {applGroups 5} + +assocRFC2788Group OBJECT-GROUP + OBJECTS { + assocRemoteApplication, assocApplicationProtocol, + assocApplicationType, assocDuration} + STATUS current + DESCRIPTION + "A collection of objects providing basic monitoring of + network service applications' associations. This is + the appropriate group for RFC 2788." + ::= {applGroups 6} + +-- OIDs of the form {applTCPProtoID port} are intended to be used +-- for TCP-based protocols that don't have OIDs assigned by other +-- means. {applUDPProtoID port} serves the same purpose for +-- UDP-based protocols. In either case 'port' corresponds to +-- the primary port number being used by the protocol. For example, +-- assuming no other OID is assigned for SMTP, an OID of +-- {applTCPProtoID 25} could be used, since SMTP is a TCP-based +-- protocol that uses port 25 as its primary port. + +applTCPProtoID OBJECT IDENTIFIER ::= {application 4} +applUDPProtoID OBJECT IDENTIFIER ::= {application 5} + +END diff --git a/mibs/NOTIFICATION-LOG-MIB.txt b/mibs/NOTIFICATION-LOG-MIB.txt new file mode 100644 index 000000000..c7da93465 --- /dev/null +++ b/mibs/NOTIFICATION-LOG-MIB.txt 
@@ -0,0 +1,753 @@ +NOTIFICATION-LOG-MIB DEFINITIONS ::= BEGIN + +IMPORTS + MODULE-IDENTITY, OBJECT-TYPE, + Integer32, Unsigned32, + TimeTicks, Counter32, Counter64, + IpAddress, Opaque, mib-2 FROM SNMPv2-SMI + TimeStamp, DateAndTime, + StorageType, RowStatus, + TAddress, TDomain FROM SNMPv2-TC + SnmpAdminString, SnmpEngineID FROM SNMP-FRAMEWORK-MIB + MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF; + +notificationLogMIB MODULE-IDENTITY + LAST-UPDATED "200011270000Z" -- 27 November 2000 + ORGANIZATION "IETF Distributed Management Working Group" + CONTACT-INFO "Ramanathan Kavasseri + Cisco Systems, Inc. + 170 West Tasman Drive, + San Jose CA 95134-1706. + Phone: +1 408 527 2446 + Email: ramk@cisco.com" + DESCRIPTION + "The MIB module for logging SNMP Notifications, that is, Traps + + and Informs." +-- Revision History + + REVISION "200011270000Z" -- 27 November 2000 + DESCRIPTION "This is the initial version of this MIB. + Published as RFC 3014" + ::= { mib-2 92 } + +notificationLogMIBObjects OBJECT IDENTIFIER ::= { notificationLogMIB 1 } + +nlmConfig OBJECT IDENTIFIER ::= { notificationLogMIBObjects 1 } +nlmStats OBJECT IDENTIFIER ::= { notificationLogMIBObjects 2 } +nlmLog OBJECT IDENTIFIER ::= { notificationLogMIBObjects 3 } + +-- +-- Configuration Section +-- + +nlmConfigGlobalEntryLimit OBJECT-TYPE + SYNTAX Unsigned32 + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The maximum number of notification entries that may be held + in nlmLogTable for all nlmLogNames added together. A particular + setting does not guarantee that much data can be held. 
+ + If an application changes the limit while there are + Notifications in the log, the oldest Notifications MUST be + discarded to bring the log down to the new limit - thus the + value of nlmConfigGlobalEntryLimit MUST take precedence over + the values of nlmConfigGlobalAgeOut and nlmConfigLogEntryLimit, + even if the Notification being discarded has been present for + fewer minutes than the value of nlmConfigGlobalAgeOut, or if + the named log has fewer entries than that specified in + nlmConfigLogEntryLimit. + + A value of 0 means no limit. + + Please be aware that contention between multiple managers + trying to set this object to different values MAY affect the + reliability and completeness of data seen by each manager." + DEFVAL { 0 } + ::= { nlmConfig 1 } + +nlmConfigGlobalAgeOut OBJECT-TYPE + SYNTAX Unsigned32 + UNITS "minutes" + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The number of minutes a Notification SHOULD be kept in a log + before it is automatically removed. + + If an application changes the value of nlmConfigGlobalAgeOut, + Notifications older than the new time MAY be discarded to meet the + new time. + + A value of 0 means no age out. + + Please be aware that contention between multiple managers + trying to set this object to different values MAY affect the + reliability and completeness of data seen by each manager." + DEFVAL { 1440 } -- 24 hours + ::= { nlmConfig 2 } + +-- +-- Basic Log Configuration Table +-- + +nlmConfigLogTable OBJECT-TYPE + SYNTAX SEQUENCE OF NlmConfigLogEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A table of logging control entries." + ::= { nlmConfig 3 } + +nlmConfigLogEntry OBJECT-TYPE + SYNTAX NlmConfigLogEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A logging control entry. Depending on the entry's storage type + entries may be supplied by the system or created and deleted by + applications using nlmConfigLogEntryStatus." 
+ INDEX { nlmLogName } + ::= { nlmConfigLogTable 1 } + +NlmConfigLogEntry ::= SEQUENCE { + nlmLogName SnmpAdminString, + nlmConfigLogFilterName SnmpAdminString, + nlmConfigLogEntryLimit Unsigned32, + nlmConfigLogAdminStatus INTEGER, + nlmConfigLogOperStatus INTEGER, + nlmConfigLogStorageType StorageType, + nlmConfigLogEntryStatus RowStatus + } + +nlmLogName OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE(0..32)) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The name of the log. + + An implementation may allow multiple named logs, up to some + implementation-specific limit (which may be none). A + zero-length log name is reserved for creation and deletion by + the managed system, and MUST be used as the default log name by + systems that do not support named logs." + ::= { nlmConfigLogEntry 1 } + +nlmConfigLogFilterName OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE(0..32)) + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "A value of snmpNotifyFilterProfileName as used as an index + into the snmpNotifyFilterTable in the SNMP Notification MIB, + specifying the locally or remotely originated Notifications + to be filtered out and not logged in this log. + + A zero-length value or a name that does not identify an + existing entry in snmpNotifyFilterTable indicate no + Notifications are to be logged in this log." + DEFVAL { ''H } + ::= { nlmConfigLogEntry 2 } + +nlmConfigLogEntryLimit OBJECT-TYPE + SYNTAX Unsigned32 + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The maximum number of notification entries that can be held in + nlmLogTable for this named log. A particular setting does not + guarantee that that much data can be held. + + If an application changes the limit while there are + Notifications in the log, the oldest Notifications are discarded + to bring the log down to the new limit. + + A value of 0 indicates no limit. 
+ + Please be aware that contention between multiple managers + trying to set this object to different values MAY affect the + reliability and completeness of data seen by each manager." + DEFVAL { 0 } + ::= { nlmConfigLogEntry 3 } + +nlmConfigLogAdminStatus OBJECT-TYPE + SYNTAX INTEGER { enabled(1), disabled(2) } + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "Control to enable or disable the log without otherwise + disturbing the log's entry. + + Please be aware that contention between multiple managers + trying to set this object to different values MAY affect the + reliability and completeness of data seen by each manager." + DEFVAL { enabled } + ::= { nlmConfigLogEntry 4 } + +nlmConfigLogOperStatus OBJECT-TYPE + SYNTAX INTEGER { disabled(1), operational(2), noFilter(3) } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The operational status of this log: + + disabled administratively disabled + + operational administratively enabled and working + + noFilter administratively enabled but either + nlmConfigLogFilterName is zero length + or does not name an existing entry in + snmpNotifyFilterTable" + ::= { nlmConfigLogEntry 5 } + +nlmConfigLogStorageType OBJECT-TYPE + SYNTAX StorageType + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The storage type of this conceptual row." + ::= { nlmConfigLogEntry 6 } + +nlmConfigLogEntryStatus OBJECT-TYPE + SYNTAX RowStatus + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "Control for creating and deleting entries. Entries may be + modified while active. + + For non-null-named logs, the managed system records the security + credentials from the request that sets nlmConfigLogStatus + to 'active' and uses that identity to apply access control to + the objects in the Notification to decide if that Notification + may be logged." 
+ ::= { nlmConfigLogEntry 7 } + +-- +-- Statistics Section +-- + +nlmStatsGlobalNotificationsLogged OBJECT-TYPE + SYNTAX Counter32 + UNITS "notifications" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of Notifications put into the nlmLogTable. This + counts a Notification once for each log entry, so a Notification + put into multiple logs is counted multiple times." + ::= { nlmStats 1 } + +nlmStatsGlobalNotificationsBumped OBJECT-TYPE + SYNTAX Counter32 + UNITS "notifications" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of log entries discarded to make room for a new entry + due to lack of resources or the value of nlmConfigGlobalEntryLimit + or nlmConfigLogEntryLimit. This does not include entries discarded + due to the value of nlmConfigGlobalAgeOut." + ::= { nlmStats 2 } + +-- +-- Log Statistics Table +-- + +nlmStatsLogTable OBJECT-TYPE + SYNTAX SEQUENCE OF NlmStatsLogEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A table of Notification log statistics entries." + ::= { nlmStats 3 } + +nlmStatsLogEntry OBJECT-TYPE + SYNTAX NlmStatsLogEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A Notification log statistics entry." + AUGMENTS { nlmConfigLogEntry } + ::= { nlmStatsLogTable 1 } + +NlmStatsLogEntry ::= SEQUENCE { + nlmStatsLogNotificationsLogged Counter32, + nlmStatsLogNotificationsBumped Counter32 +} + +nlmStatsLogNotificationsLogged OBJECT-TYPE + SYNTAX Counter32 + UNITS "notifications" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of Notifications put in this named log." + ::= { nlmStatsLogEntry 1 } + +nlmStatsLogNotificationsBumped OBJECT-TYPE + SYNTAX Counter32 + UNITS "notifications" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of log entries discarded from this named log to make + room for a new entry due to lack of resources or the value of + nlmConfigGlobalEntryLimit or nlmConfigLogEntryLimit. 
This does not + include entries discarded due to the value of + nlmConfigGlobalAgeOut." + ::= { nlmStatsLogEntry 2 } + +-- +-- Log Section +-- + +-- +-- Log Table + +-- + +nlmLogTable OBJECT-TYPE + SYNTAX SEQUENCE OF NlmLogEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A table of Notification log entries. + + It is an implementation-specific matter whether entries in this + table are preserved across initializations of the management + system. In general one would expect that they are not. + + Note that keeping entries across initializations of the + management system leads to some confusion with counters and + TimeStamps, since both of those are based on sysUpTime, which + resets on management initialization. In this situation, + counters apply only after the reset and nlmLogTime for entries + made before the reset MUST be set to 0." + ::= { nlmLog 1 } + +nlmLogEntry OBJECT-TYPE + SYNTAX NlmLogEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A Notification log entry. + + Entries appear in this table when Notifications occur and pass + filtering by nlmConfigLogFilterName and access control. They are + removed to make way for new entries due to lack of resources or + the values of nlmConfigGlobalEntryLimit, nlmConfigGlobalAgeOut, or + nlmConfigLogEntryLimit. + + If adding an entry would exceed nlmConfigGlobalEntryLimit or system + resources in general, the oldest entry in any log SHOULD be removed + to make room for the new one. + + If adding an entry would exceed nlmConfigLogEntryLimit the oldest + entry in that log SHOULD be removed to make room for the new one. + + Before the managed system puts a locally-generated Notification + into a non-null-named log it assures that the creator of the log + has access to the information in the Notification. If not it + does not log that Notification in that log." 
+ INDEX { nlmLogName, nlmLogIndex } + ::= { nlmLogTable 1 } + +NlmLogEntry ::= SEQUENCE { + nlmLogIndex Unsigned32, + nlmLogTime TimeStamp, + nlmLogDateAndTime DateAndTime, + nlmLogEngineID SnmpEngineID, + nlmLogEngineTAddress TAddress, + nlmLogEngineTDomain TDomain, + nlmLogContextEngineID SnmpEngineID, + nlmLogContextName SnmpAdminString, + nlmLogNotificationID OBJECT IDENTIFIER +} + +nlmLogIndex OBJECT-TYPE + SYNTAX Unsigned32 (1..4294967295) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A monotonically increasing integer for the sole purpose of + indexing entries within the named log. When it reaches the + maximum value, an extremely unlikely event, the agent wraps the + value back to 1." + ::= { nlmLogEntry 1 } + +nlmLogTime OBJECT-TYPE + SYNTAX TimeStamp + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of sysUpTime when the entry was placed in the log. If + the entry occurred before the most recent management system + initialization this object value MUST be set to zero." + ::= { nlmLogEntry 2 } + +nlmLogDateAndTime OBJECT-TYPE + SYNTAX DateAndTime + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The local date and time when the entry was logged, instantiated + only by systems that have date and time capability." + ::= { nlmLogEntry 3 } + +nlmLogEngineID OBJECT-TYPE + SYNTAX SnmpEngineID + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The identification of the SNMP engine at which the Notification + + originated. + + If the log can contain Notifications from only one engine + or the Trap is in SNMPv1 format, this object is a zero-length + string." + ::= { nlmLogEntry 4 } + +nlmLogEngineTAddress OBJECT-TYPE + SYNTAX TAddress + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The transport service address of the SNMP engine from which the + Notification was received, formatted according to the corresponding + value of nlmLogEngineTDomain. 
This is used to identify the source
+ of an SNMPv1 trap, since an nlmLogEngineId cannot be extracted
+ from the SNMPv1 trap pdu.
+
+ This object MUST always be instantiated, even if the log
+ can contain Notifications from only one engine.
+
+ Please be aware that the nlmLogEngineTAddress may not uniquely
+ identify the SNMP engine from which the Notification was received.
+ For example, if an SNMP engine uses DHCP or NAT to obtain
+ ip addresses, the address it uses may be shared with other
+ network devices, and hence will not uniquely identify the
+ SNMP engine."
+ ::= { nlmLogEntry 5 }
+
+nlmLogEngineTDomain OBJECT-TYPE
+ SYNTAX TDomain
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Indicates the kind of transport service by which a Notification
+ was received from an SNMP engine. nlmLogEngineTAddress contains
+ the transport service address of the SNMP engine from which
+ this Notification was received.
+
+ Possible values for this object are presently found in the
+ Transport Mappings for SNMPv2 document (RFC 1906 [8])."
+ ::= { nlmLogEntry 6 }
+
+nlmLogContextEngineID OBJECT-TYPE
+ SYNTAX SnmpEngineID
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "If the Notification was received in a protocol which has a
+ contextEngineID element like SNMPv3, this object has that value.
+ Otherwise its value is a zero-length string."
+ ::= { nlmLogEntry 7 }
+
+nlmLogContextName OBJECT-TYPE
+ SYNTAX SnmpAdminString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The name of the SNMP MIB context from which the Notification came.
+ For SNMPv1 Traps this is the community string from the Trap."
+ ::= { nlmLogEntry 8 }
+
+nlmLogNotificationID OBJECT-TYPE
+ SYNTAX OBJECT IDENTIFIER
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The NOTIFICATION-TYPE object identifier of the Notification that
+ occurred."
+ ::= { nlmLogEntry 9 }
+
+--
+-- Log Variable Table
+--
+
+nlmLogVariableTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF NlmLogVariableEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table of variables to go with Notification log entries."
+ ::= { nlmLog 2 }
+
+nlmLogVariableEntry OBJECT-TYPE
+ SYNTAX NlmLogVariableEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A Notification log entry variable.
+
+ Entries appear in this table when there are variables in
+ the varbind list of a Notification in nlmLogTable."
+ INDEX { nlmLogName, nlmLogIndex, nlmLogVariableIndex }
+ ::= { nlmLogVariableTable 1 }
+
+NlmLogVariableEntry ::= SEQUENCE {
+
+ nlmLogVariableIndex Unsigned32,
+ nlmLogVariableID OBJECT IDENTIFIER,
+ nlmLogVariableValueType INTEGER,
+ nlmLogVariableCounter32Val Counter32,
+ nlmLogVariableUnsigned32Val Unsigned32,
+ nlmLogVariableTimeTicksVal TimeTicks,
+ nlmLogVariableInteger32Val Integer32,
+ nlmLogVariableOctetStringVal OCTET STRING,
+ nlmLogVariableIpAddressVal IpAddress,
+ nlmLogVariableOidVal OBJECT IDENTIFIER,
+ nlmLogVariableCounter64Val Counter64,
+ nlmLogVariableOpaqueVal Opaque
+}
+
+nlmLogVariableIndex OBJECT-TYPE
+ SYNTAX Unsigned32 (1..4294967295)
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A monotonically increasing integer, starting at 1 for a given
+ nlmLogIndex, for indexing variables within the logged
+ Notification."
+ ::= { nlmLogVariableEntry 1 }
+
+nlmLogVariableID OBJECT-TYPE
+ SYNTAX OBJECT IDENTIFIER
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The variable's object identifier."
+ ::= { nlmLogVariableEntry 2 }
+
+nlmLogVariableValueType OBJECT-TYPE
+ SYNTAX INTEGER { counter32(1), unsigned32(2), timeTicks(3),
+ integer32(4), ipAddress(5), octetString(6),
+ objectId(7), counter64(8), opaque(9) }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The type of the value. One and only one of the value
+ objects that follow must be instantiated, based on this type."
+ ::= { nlmLogVariableEntry 3 }
+
+nlmLogVariableCounter32Val OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value when nlmLogVariableType is 'counter32'."
+ ::= { nlmLogVariableEntry 4 }
+
+nlmLogVariableUnsigned32Val OBJECT-TYPE
+ SYNTAX Unsigned32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value when nlmLogVariableType is 'unsigned32'."
+ ::= { nlmLogVariableEntry 5 }
+
+nlmLogVariableTimeTicksVal OBJECT-TYPE
+ SYNTAX TimeTicks
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value when nlmLogVariableType is 'timeTicks'."
+ ::= { nlmLogVariableEntry 6 }
+
+nlmLogVariableInteger32Val OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value when nlmLogVariableType is 'integer32'."
+ ::= { nlmLogVariableEntry 7 }
+
+nlmLogVariableOctetStringVal OBJECT-TYPE
+ SYNTAX OCTET STRING
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value when nlmLogVariableType is 'octetString'."
+ ::= { nlmLogVariableEntry 8 }
+
+nlmLogVariableIpAddressVal OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value when nlmLogVariableType is 'ipAddress'.
+ Although this seems to be unfriendly for IPv6, we
+ have to recognize that there are a number of older
+ MIBs that do contain an IPv4 format address, known
+ as IpAddress.
+
+ IPv6 addresses are represented using TAddress or
+ InetAddress, and so the underlying datatype is
+
+ OCTET STRING, and their value would be stored in
+ the nlmLogVariableOctetStringVal column."
+ ::= { nlmLogVariableEntry 9 }
+
+nlmLogVariableOidVal OBJECT-TYPE
+ SYNTAX OBJECT IDENTIFIER
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value when nlmLogVariableType is 'objectId'."
+ ::= { nlmLogVariableEntry 10 }
+
+nlmLogVariableCounter64Val OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value when nlmLogVariableType is 'counter64'."
+ ::= { nlmLogVariableEntry 11 }
+
+nlmLogVariableOpaqueVal OBJECT-TYPE
+ SYNTAX Opaque
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value when nlmLogVariableType is 'opaque'."
+ ::= { nlmLogVariableEntry 12 }
+
+--
+-- Conformance
+--
+
+notificationLogMIBConformance OBJECT IDENTIFIER ::=
+ { notificationLogMIB 3 }
+notificationLogMIBCompliances OBJECT IDENTIFIER ::=
+ { notificationLogMIBConformance 1 }
+notificationLogMIBGroups OBJECT IDENTIFIER ::=
+ { notificationLogMIBConformance 2 }
+
+-- Compliance
+
+notificationLogMIBCompliance MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "The compliance statement for entities which implement
+ the Notification Log MIB."
+ MODULE -- this module
+
+ MANDATORY-GROUPS {
+ notificationLogConfigGroup,
+ notificationLogStatsGroup,
+ notificationLogLogGroup
+ }
+
+ OBJECT nlmConfigGlobalEntryLimit
+ SYNTAX Unsigned32 (0..4294967295)
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Implementations may choose a limit and not allow it to be
+ changed or may enforce an upper or lower bound on the
+ limit."
+
+ OBJECT nlmConfigLogEntryLimit
+ SYNTAX Unsigned32 (0..4294967295)
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Implementations may choose a limit and not allow it to be
+ changed or may enforce an upper or lower bound on the
+ limit."
+
+ OBJECT nlmConfigLogEntryStatus
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Implementations may disallow the creation of named logs."
+
+ GROUP notificationLogDateGroup
+ DESCRIPTION
+ "This group is mandatory on systems that keep wall clock
+ date and time and should not be implemented on systems that
+ do not have a wall clock date."
+ ::= { notificationLogMIBCompliances 1 }
+
+-- Units of Conformance
+
+notificationLogConfigGroup OBJECT-GROUP
+ OBJECTS {
+ nlmConfigGlobalEntryLimit,
+ nlmConfigGlobalAgeOut,
+ nlmConfigLogFilterName,
+ nlmConfigLogEntryLimit,
+ nlmConfigLogAdminStatus,
+ nlmConfigLogOperStatus,
+ nlmConfigLogStorageType,
+ nlmConfigLogEntryStatus
+ }
+ STATUS current
+ DESCRIPTION
+ "Notification log configuration management."
+ ::= { notificationLogMIBGroups 1 }
+
+notificationLogStatsGroup OBJECT-GROUP
+ OBJECTS {
+ nlmStatsGlobalNotificationsLogged,
+ nlmStatsGlobalNotificationsBumped,
+ nlmStatsLogNotificationsLogged,
+ nlmStatsLogNotificationsBumped
+ }
+ STATUS current
+ DESCRIPTION
+ "Notification log statistics."
+ ::= { notificationLogMIBGroups 2 }
+
+notificationLogLogGroup OBJECT-GROUP
+ OBJECTS {
+ nlmLogTime,
+ nlmLogEngineID,
+ nlmLogEngineTAddress,
+ nlmLogEngineTDomain,
+ nlmLogContextEngineID,
+ nlmLogContextName,
+ nlmLogNotificationID,
+ nlmLogVariableID,
+ nlmLogVariableValueType,
+ nlmLogVariableCounter32Val,
+ nlmLogVariableUnsigned32Val,
+ nlmLogVariableTimeTicksVal,
+ nlmLogVariableInteger32Val,
+ nlmLogVariableOctetStringVal,
+ nlmLogVariableIpAddressVal,
+ nlmLogVariableOidVal,
+ nlmLogVariableCounter64Val,
+ nlmLogVariableOpaqueVal
+ }
+ STATUS current
+ DESCRIPTION
+ "Notification log data."
+ ::= { notificationLogMIBGroups 3 }
+
+notificationLogDateGroup OBJECT-GROUP
+ OBJECTS {
+ nlmLogDateAndTime
+ }
+ STATUS current
+ DESCRIPTION
+ "Conditionally mandatory notification log data.
+ This group is mandatory on systems that keep wall
+ clock date and time and should not be implemented
+ on systems that do not have a wall clock date."
+ ::= { notificationLogMIBGroups 4 }
+
+END
diff --git a/mibs/OSPF-MIB.txt b/mibs/OSPF-MIB.txt
new file mode 100644
index 000000000..de7d03f5e
--- /dev/null
+++ b/mibs/OSPF-MIB.txt
@@ -0,0 +1,2723 @@
+OSPF-MIB DEFINITIONS ::= BEGIN
+
+ IMPORTS
+ MODULE-IDENTITY, OBJECT-TYPE, Counter32, Gauge32,
+ Integer32, IpAddress
+ FROM SNMPv2-SMI
+ TEXTUAL-CONVENTION, TruthValue, RowStatus
+ FROM SNMPv2-TC
+ MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF
+ mib-2 FROM RFC1213-MIB;
+
+-- This MIB module uses the extended OBJECT-TYPE macro as
+-- defined in [9].
+
+ospf MODULE-IDENTITY
+ LAST-UPDATED "9501201225Z" -- Fri Jan 20 12:25:50 PST 1995
+ ORGANIZATION "IETF OSPF Working Group"
+ CONTACT-INFO
+ " Fred Baker
+ Postal: Cisco Systems
+ 519 Lado Drive
+ Santa Barbara, California 93111
+ Tel: +1 805 681 0115
+ E-Mail: fred@cisco.com
+
+ Rob Coltun
+ Postal: RainbowBridge Communications
+ Tel: (301) 340-9416
+ E-Mail: rcoltun@rainbow-bridge.com"
+ DESCRIPTION
+ "The MIB module to describe the OSPF Version 2
+ Protocol"
+ ::= { mib-2 14 }
+
+-- The Area ID, in OSPF, has the same format as an IP Address,
+-- but has the function of defining a summarization point for
+-- Link State Advertisements
+
+AreaID ::= TEXTUAL-CONVENTION
+ STATUS current
+ DESCRIPTION
+ "An OSPF Area Identifier."
+ SYNTAX IpAddress
+
+
+-- The Router ID, in OSPF, has the same format as an IP Address,
+-- but identifies the router independent of its IP Address.
+
+RouterID ::= TEXTUAL-CONVENTION
+ STATUS current
+ DESCRIPTION
+ "A OSPF Router Identifier."
+ SYNTAX IpAddress
+
+
+-- The OSPF Metric is defined as an unsigned value in the range
+
+Metric ::= TEXTUAL-CONVENTION
+ STATUS current
+ DESCRIPTION
+ "The OSPF Internal Metric."
+ SYNTAX Integer32 (0..'FFFF'h)
+
+BigMetric ::= TEXTUAL-CONVENTION
+ STATUS current
+ DESCRIPTION
+ "The OSPF External Metric."
+ SYNTAX Integer32 (0..'FFFFFF'h)
+
+-- Status Values
+
+Status ::= TEXTUAL-CONVENTION
+ STATUS current
+ DESCRIPTION
+ "The status of an interface: 'enabled' indicates that
+ it is willing to communicate with other OSPF Routers,
+ while 'disabled' indicates that it is not."
+ SYNTAX INTEGER { enabled (1), disabled (2) }
+
+-- Time Durations measured in seconds
+
+PositiveInteger ::= TEXTUAL-CONVENTION
+ STATUS current
+ DESCRIPTION
+ "A positive integer. Values in excess are precluded as
+ unnecessary and prone to interoperability issues."
+ SYNTAX Integer32 (0..'7FFFFFFF'h)
+
+HelloRange ::= TEXTUAL-CONVENTION
+ STATUS current
+ DESCRIPTION
+ "The range of intervals on which hello messages are
+ exchanged."
+ SYNTAX Integer32 (1..'FFFF'h)
+
+UpToMaxAge ::= TEXTUAL-CONVENTION
+ STATUS current
+ DESCRIPTION
+ "The values that one might find or configure for
+ variables bounded by the maximum age of an LSA."
+ SYNTAX Integer32 (0..3600)
+
+
+-- The range of ifIndex
+
+InterfaceIndex ::= TEXTUAL-CONVENTION
+ STATUS current
+ DESCRIPTION
+ "The range of ifIndex."
+ SYNTAX Integer32
+
+
+-- Potential Priorities for the Designated Router Election
+
+DesignatedRouterPriority ::= TEXTUAL-CONVENTION
+ STATUS current
+ DESCRIPTION
+ "The values defined for the priority of a system for
+ becoming the designated router."
+ SYNTAX Integer32 (0..'FF'h)
+
+TOSType ::= TEXTUAL-CONVENTION
+ STATUS current
+ DESCRIPTION
+ "Type of Service is defined as a mapping to the IP Type of
+ Service Flags as defined in the IP Forwarding Table MIB
+
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+ | | | |
+ | PRECEDENCE | TYPE OF SERVICE | 0 |
+ | | | |
+ +-----+-----+-----+-----+-----+-----+-----+-----+
+
+ IP TOS IP TOS
+ Field Policy Field Policy
+
+ Contents Code Contents Code
+ 0 0 0 0 ==> 0 0 0 0 1 ==> 2
+ 0 0 1 0 ==> 4 0 0 1 1 ==> 6
+ 0 1 0 0 ==> 8 0 1 0 1 ==> 10
+ 0 1 1 0 ==> 12 0 1 1 1 ==> 14
+ 1 0 0 0 ==> 16 1 0 0 1 ==> 18
+ 1 0 1 0 ==> 20 1 0 1 1 ==> 22
+ 1 1 0 0 ==> 24 1 1 0 1 ==> 26
+ 1 1 1 0 ==> 28 1 1 1 1 ==> 30
+
+ The remaining values are left for future definition."
+ SYNTAX Integer32 (0..30)
+
+
+-- OSPF General Variables
+
+-- These parameters apply globally to the Router's
+-- OSPF Process.
+
+ospfGeneralGroup OBJECT IDENTIFIER ::= { ospf 1 }
+
+
+ ospfRouterId OBJECT-TYPE
+ SYNTAX RouterID
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "A 32-bit integer uniquely identifying the
+ router in the Autonomous System.
+
+ By convention, to ensure uniqueness, this
+ should default to the value of one of the
+ router's IP interface addresses."
+ REFERENCE
+ "OSPF Version 2, C.1 Global parameters"
+ ::= { ospfGeneralGroup 1 }
+
+
+ ospfAdminStat OBJECT-TYPE
+ SYNTAX Status
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "The administrative status of OSPF in the
+ router. The value 'enabled' denotes that the
+ OSPF Process is active on at least one inter-
+ face; 'disabled' disables it on all inter-
+ faces."
+ ::= { ospfGeneralGroup 2 }
+
+ ospfVersionNumber OBJECT-TYPE
+ SYNTAX INTEGER { version2 (2) }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The current version number of the OSPF proto-
+ col is 2."
+ REFERENCE
+ "OSPF Version 2, Title"
+ ::= { ospfGeneralGroup 3 }
+
+
+ ospfAreaBdrRtrStatus OBJECT-TYPE
+ SYNTAX TruthValue
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "A flag to note whether this router is an area
+ border router."
+ REFERENCE
+ "OSPF Version 2, Section 3 Splitting the AS into
+ Areas"
+ ::= { ospfGeneralGroup 4 }
+
+
+ ospfASBdrRtrStatus OBJECT-TYPE
+ SYNTAX TruthValue
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "A flag to note whether this router is config-
+ ured as an Autonomous System border router."
+ REFERENCE
+ "OSPF Version 2, Section 3.3 Classification of
+ routers"
+ ::= { ospfGeneralGroup 5 }
+
+ ospfExternLsaCount OBJECT-TYPE
+ SYNTAX Gauge32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of external (LS type 5) link-state
+ advertisements in the link-state database."
+ REFERENCE
+ "OSPF Version 2, Appendix A.4.5 AS external link
+ advertisements"
+ ::= { ospfGeneralGroup 6 }
+
+
+ ospfExternLsaCksumSum OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The 32-bit unsigned sum of the LS checksums of
+ the external link-state advertisements con-
+ tained in the link-state database. This sum
+ can be used to determine if there has been a
+ change in a router's link state database, and
+ to compare the link-state database of two
+ routers."
+ ::= { ospfGeneralGroup 7 }
+
+
+ ospfTOSSupport OBJECT-TYPE
+ SYNTAX TruthValue
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "The router's support for type-of-service rout-
+ ing."
+ REFERENCE
+ "OSPF Version 2, Appendix F.1.2 Optional TOS
+ support"
+ ::= { ospfGeneralGroup 8 }
+
+ ospfOriginateNewLsas OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of new link-state advertisements
+ that have been originated. This number is in-
+ cremented each time the router originates a new
+ LSA."
+ ::= { ospfGeneralGroup 9 }
+
+
+ ospfRxNewLsas OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of link-state advertisements re-
+ ceived determined to be new instantiations.
+ This number does not include newer instantia-
+ tions of self-originated link-state advertise-
+ ments."
+ ::= { ospfGeneralGroup 10 }
+
+ ospfExtLsdbLimit OBJECT-TYPE
+ SYNTAX Integer32 (-1..'7FFFFFFF'h)
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "The maximum number of non-default AS-
+ external-LSAs entries that can be stored in the
+ link-state database. If the value is -1, then
+ there is no limit.
+
+ When the number of non-default AS-external-LSAs
+ in a router's link-state database reaches
+ ospfExtLsdbLimit, the router enters Overflow-
+ State. The router never holds more than
+ ospfExtLsdbLimit non-default AS-external-LSAs
+ in its database.
OspfExtLsdbLimit MUST be set
+ identically in all routers attached to the OSPF
+ backbone and/or any regular OSPF area. (i.e.,
+ OSPF stub areas and NSSAs are excluded)."
+ DEFVAL { -1 }
+ ::= { ospfGeneralGroup 11 }
+
+ ospfMulticastExtensions OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "A Bit Mask indicating whether the router is
+ forwarding IP multicast (Class D) datagrams
+ based on the algorithms defined in the Multi-
+ cast Extensions to OSPF.
+
+ Bit 0, if set, indicates that the router can
+ forward IP multicast datagrams in the router's
+ directly attached areas (called intra-area mul-
+ ticast routing).
+
+ Bit 1, if set, indicates that the router can
+ forward IP multicast datagrams between OSPF
+ areas (called inter-area multicast routing).
+
+ Bit 2, if set, indicates that the router can
+ forward IP multicast datagrams between Auto-
+ nomous Systems (called inter-AS multicast rout-
+ ing).
+
+ Only certain combinations of bit settings are
+ allowed, namely: 0 (no multicast forwarding is
+ enabled), 1 (intra-area multicasting only), 3
+ (intra-area and inter-area multicasting), 5
+ (intra-area and inter-AS multicasting) and 7
+ (multicasting everywhere). By default, no mul-
+ ticast forwarding is enabled."
+ DEFVAL { 0 }
+ ::= { ospfGeneralGroup 12 }
+
+ ospfExitOverflowInterval OBJECT-TYPE
+ SYNTAX PositiveInteger
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "The number of seconds that, after entering
+ OverflowState, a router will attempt to leave
+ OverflowState. This allows the router to again
+ originate non-default AS-external-LSAs. When
+ set to 0, the router will not leave Overflow-
+ State until restarted."
+ DEFVAL { 0 }
+ ::= { ospfGeneralGroup 13 }
+
+
+ ospfDemandExtensions OBJECT-TYPE
+ SYNTAX TruthValue
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "The router's support for demand routing."
+ REFERENCE
+ "OSPF Version 2, Appendix on Demand Routing"
+ ::= { ospfGeneralGroup 14 }
+
+
+-- The OSPF Area Data Structure contains information
+-- regarding the various areas. The interfaces and
+-- virtual links are configured as part of these areas.
+-- Area 0.0.0.0, by definition, is the Backbone Area
+
+
+ ospfAreaTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF OspfAreaEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Information describing the configured parame-
+ ters and cumulative statistics of the router's
+ attached areas."
+ REFERENCE
+ "OSPF Version 2, Section 6 The Area Data Struc-
+ ture"
+ ::= { ospf 2 }
+
+
+ ospfAreaEntry OBJECT-TYPE
+ SYNTAX OspfAreaEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Information describing the configured parame-
+ ters and cumulative statistics of one of the
+ router's attached areas."
+ INDEX { ospfAreaId }
+ ::= { ospfAreaTable 1 }
+
+OspfAreaEntry ::=
+ SEQUENCE {
+ ospfAreaId
+ AreaID,
+ ospfAuthType
+ Integer32,
+ ospfImportAsExtern
+ INTEGER,
+ ospfSpfRuns
+ Counter32,
+ ospfAreaBdrRtrCount
+ Gauge32,
+ ospfAsBdrRtrCount
+ Gauge32,
+ ospfAreaLsaCount
+ Gauge32,
+ ospfAreaLsaCksumSum
+ Integer32,
+ ospfAreaSummary
+ INTEGER,
+ ospfAreaStatus
+ RowStatus
+ }
+
+ ospfAreaId OBJECT-TYPE
+ SYNTAX AreaID
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "A 32-bit integer uniquely identifying an area.
+ Area ID 0.0.0.0 is used for the OSPF backbone."
+ REFERENCE
+ "OSPF Version 2, Appendix C.2 Area parameters"
+ ::= { ospfAreaEntry 1 }
+
+
+ ospfAuthType OBJECT-TYPE
+ SYNTAX Integer32
+ -- none (0),
+ -- simplePassword (1)
+ -- md5 (2)
+ -- reserved for specification by IANA (> 2)
+ MAX-ACCESS read-create
+ STATUS obsolete
+ DESCRIPTION
+ "The authentication type specified for an area.
+ Additional authentication types may be assigned
+ locally on a per Area basis."
+ REFERENCE
+ "OSPF Version 2, Appendix E Authentication"
+ DEFVAL { 0 } -- no authentication, by default
+ ::= { ospfAreaEntry 2 }
+
+ ospfImportAsExtern OBJECT-TYPE
+ SYNTAX INTEGER {
+ importExternal (1),
+ importNoExternal (2),
+ importNssa (3)
+ }
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The area's support for importing AS external
+ link- state advertisements."
+ REFERENCE
+ "OSPF Version 2, Appendix C.2 Area parameters"
+ DEFVAL { importExternal }
+ ::= { ospfAreaEntry 3 }
+
+
+ ospfSpfRuns OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of times that the intra-area route
+ table has been calculated using this area's
+ link-state database. This is typically done
+ using Dijkstra's algorithm."
+ ::= { ospfAreaEntry 4 }
+
+
+ ospfAreaBdrRtrCount OBJECT-TYPE
+ SYNTAX Gauge32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of area border routers reach-
+ able within this area. This is initially zero,
+ and is calculated in each SPF Pass."
+ ::= { ospfAreaEntry 5 }
+
+ ospfAsBdrRtrCount OBJECT-TYPE
+ SYNTAX Gauge32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of Autonomous System border
+ routers reachable within this area. This is
+ initially zero, and is calculated in each SPF
+ Pass."
+ ::= { ospfAreaEntry 6 }
+
+
+ ospfAreaLsaCount OBJECT-TYPE
+ SYNTAX Gauge32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of link-state advertisements
+ in this area's link-state database, excluding
+ AS External LSA's."
+ ::= { ospfAreaEntry 7 }
+
+
+ ospfAreaLsaCksumSum OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The 32-bit unsigned sum of the link-state ad-
+ vertisements' LS checksums contained in this
+ area's link-state database. This sum excludes
+ external (LS type 5) link-state advertisements.
+ The sum can be used to determine if there has
+ been a change in a router's link state data-
+ base, and to compare the link-state database of
+ two routers."
+ DEFVAL { 0 }
+ ::= { ospfAreaEntry 8 }
+
+ ospfAreaSummary OBJECT-TYPE
+ SYNTAX INTEGER {
+ noAreaSummary (1),
+ sendAreaSummary (2)
+ }
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The variable ospfAreaSummary controls the im-
+ port of summary LSAs into stub areas. It has
+ no effect on other areas.
+
+ If it is noAreaSummary, the router will neither
+ originate nor propagate summary LSAs into the
+ stub area. It will rely entirely on its de-
+ fault route.
+
+ If it is sendAreaSummary, the router will both
+ summarize and propagate summary LSAs."
+ DEFVAL { noAreaSummary }
+ ::= { ospfAreaEntry 9 }
+
+
+ ospfAreaStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "This variable displays the status of the en-
+ try. Setting it to 'invalid' has the effect of
+ rendering it inoperative. The internal effect
+ (row removal) is implementation dependent."
+ ::= { ospfAreaEntry 10 }
+
+
+-- OSPF Area Default Metric Table
+
+-- The OSPF Area Default Metric Table describes the metrics
+-- that a default Area Border Router will advertise into a
+-- Stub area.
+
+
+ ospfStubAreaTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF OspfStubAreaEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The set of metrics that will be advertised by
+ a default Area Border Router into a stub area."
+ REFERENCE
+ "OSPF Version 2, Appendix C.2, Area Parameters"
+ ::= { ospf 3 }
+
+
+ ospfStubAreaEntry OBJECT-TYPE
+ SYNTAX OspfStubAreaEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The metric for a given Type of Service that
+ will be advertised by a default Area Border
+ Router into a stub area."
+ REFERENCE
+ "OSPF Version 2, Appendix C.2, Area Parameters"
+ INDEX { ospfStubAreaId, ospfStubTOS }
+ ::= { ospfStubAreaTable 1 }
+
+OspfStubAreaEntry ::=
+ SEQUENCE {
+ ospfStubAreaId
+ AreaID,
+ ospfStubTOS
+ TOSType,
+ ospfStubMetric
+ BigMetric,
+ ospfStubStatus
+ RowStatus,
+ ospfStubMetricType
+ INTEGER
+ }
+
+ ospfStubAreaId OBJECT-TYPE
+ SYNTAX AreaID
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The 32 bit identifier for the Stub Area. On
+ creation, this can be derived from the in-
+ stance."
+ ::= { ospfStubAreaEntry 1 }
+
+
+ ospfStubTOS OBJECT-TYPE
+ SYNTAX TOSType
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The Type of Service associated with the
+ metric. On creation, this can be derived from
+ the instance."
+ ::= { ospfStubAreaEntry 2 }
+
+
+ ospfStubMetric OBJECT-TYPE
+ SYNTAX BigMetric
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The metric value applied at the indicated type
+ of service. By default, this equals the least
+ metric at the type of service among the inter-
+ faces to other areas."
+ ::= { ospfStubAreaEntry 3 }
+
+
+ ospfStubStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "This variable displays the status of the en-
+ try. Setting it to 'invalid' has the effect of
+ rendering it inoperative. The internal effect
+ (row removal) is implementation dependent."
+ ::= { ospfStubAreaEntry 4 }
+
+ ospfStubMetricType OBJECT-TYPE
+ SYNTAX INTEGER {
+ ospfMetric (1), -- OSPF Metric
+ comparableCost (2), -- external type 1
+ nonComparable (3) -- external type 2
+ }
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "This variable displays the type of metric ad-
+ vertised as a default route."
+ DEFVAL { ospfMetric }
+ ::= { ospfStubAreaEntry 5 }
+
+-- OSPF Link State Database
+
+-- The Link State Database contains the Link State
+-- Advertisements from throughout the areas that the
+-- device is attached to.
+
+
+ ospfLsdbTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF OspfLsdbEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The OSPF Process's Link State Database."
+ REFERENCE
+ "OSPF Version 2, Section 12 Link State Adver-
+ tisements"
+ ::= { ospf 4 }
+
+
+ ospfLsdbEntry OBJECT-TYPE
+ SYNTAX OspfLsdbEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A single Link State Advertisement."
+ INDEX { ospfLsdbAreaId, ospfLsdbType,
+ ospfLsdbLsid, ospfLsdbRouterId }
+ ::= { ospfLsdbTable 1 }
+
+OspfLsdbEntry ::=
+ SEQUENCE {
+ ospfLsdbAreaId
+ AreaID,
+ ospfLsdbType
+ INTEGER,
+ ospfLsdbLsid
+ IpAddress,
+ ospfLsdbRouterId
+ RouterID,
+ ospfLsdbSequence
+ Integer32,
+ ospfLsdbAge
+ Integer32,
+ ospfLsdbChecksum
+ Integer32,
+ ospfLsdbAdvertisement
+ OCTET STRING
+ }
+ ospfLsdbAreaId OBJECT-TYPE
+ SYNTAX AreaID
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The 32 bit identifier of the Area from which
+ the LSA was received."
+ REFERENCE
+ "OSPF Version 2, Appendix C.2 Area parameters"
+ ::= { ospfLsdbEntry 1 }
+
+-- External Link State Advertisements are permitted
+-- for backward compatibility, but should be displayed in
+-- the ospfExtLsdbTable rather than here.
+
+ ospfLsdbType OBJECT-TYPE
+ SYNTAX INTEGER {
+ routerLink (1),
+ networkLink (2),
+ summaryLink (3),
+ asSummaryLink (4),
+ asExternalLink (5), -- but see ospfExtLsdbTable
+ multicastLink (6),
+ nssaExternalLink (7)
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The type of the link state advertisement.
+ Each link state type has a separate advertise-
+ ment format."
+ REFERENCE
+ "OSPF Version 2, Appendix A.4.1 The Link State
+ Advertisement header"
+ ::= { ospfLsdbEntry 2 }
+
+ ospfLsdbLsid OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The Link State ID is an LS Type Specific field
+ containing either a Router ID or an IP Address;
+ it identifies the piece of the routing domain
+ that is being described by the advertisement."
+ REFERENCE
+ "OSPF Version 2, Section 12.1.4 Link State ID"
+ ::= { ospfLsdbEntry 3 }
+ ospfLsdbRouterId OBJECT-TYPE
+ SYNTAX RouterID
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The 32 bit number that uniquely identifies the
+ originating router in the Autonomous System."
+ REFERENCE
+ "OSPF Version 2, Appendix C.1 Global parameters"
+ ::= { ospfLsdbEntry 4 }
+
+-- Note that the OSPF Sequence Number is a 32 bit signed
+-- integer. It starts with the value '80000001'h,
+-- or -'7FFFFFFF'h, and increments until '7FFFFFFF'h
+-- Thus, a typical sequence number will be very negative.
+
+ ospfLsdbSequence OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The sequence number field is a signed 32-bit
+ integer. It is used to detect old and dupli-
+ cate link state advertisements. The space of
+ sequence numbers is linearly ordered. The
+ larger the sequence number the more recent the
+ advertisement."
+ REFERENCE
+ "OSPF Version 2, Section 12.1.6 LS sequence
+ number"
+ ::= { ospfLsdbEntry 5 }
+
+
+ ospfLsdbAge OBJECT-TYPE
+ SYNTAX Integer32 -- Should be 0..MaxAge
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "This field is the age of the link state adver-
+ tisement in seconds."
+ REFERENCE
+ "OSPF Version 2, Section 12.1.1 LS age"
+ ::= { ospfLsdbEntry 6 }
+
+ ospfLsdbChecksum OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "This field is the checksum of the complete
+ contents of the advertisement, excepting the
+ age field.
The age field is excepted so that
+ an advertisement's age can be incremented
+ without updating the checksum. The checksum
+ used is the same that is used for ISO connec-
+ tionless datagrams; it is commonly referred to
+ as the Fletcher checksum."
+ REFERENCE
+ "OSPF Version 2, Section 12.1.7 LS checksum"
+ ::= { ospfLsdbEntry 7 }
+
+
+ ospfLsdbAdvertisement OBJECT-TYPE
+ SYNTAX OCTET STRING (SIZE (1..65535))
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The entire Link State Advertisement, including
+ its header."
+ REFERENCE
+ "OSPF Version 2, Section 12 Link State Adver-
+ tisements"
+ ::= { ospfLsdbEntry 8 }
+
+
+-- Address Range Table
+
+-- The Address Range Table acts as an adjunct to the Area
+-- Table; It describes those Address Range Summaries that
+-- are configured to be propagated from an Area to reduce
+-- the amount of information about it which is known beyond
+-- its borders.
+
+ ospfAreaRangeTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF OspfAreaRangeEntry
+ MAX-ACCESS not-accessible
+ STATUS obsolete
+ DESCRIPTION
+ "A range if IP addresses specified by an IP
+ address/IP network mask pair. For example,
+ class B address range of X.X.X.X with a network
+ mask of 255.255.0.0 includes all IP addresses
+ from X.X.0.0 to X.X.255.255"
+ REFERENCE
+ "OSPF Version 2, Appendix C.2 Area parameters"
+ ::= { ospf 5 }
+ ospfAreaRangeEntry OBJECT-TYPE
+ SYNTAX OspfAreaRangeEntry
+ MAX-ACCESS not-accessible
+ STATUS obsolete
+ DESCRIPTION
+ "A range if IP addresses specified by an IP
+ address/IP network mask pair.
For example,
+ class B address range of X.X.X.X with a network
+ mask of 255.255.0.0 includes all IP addresses
+ from X.X.0.0 to X.X.255.255"
+ REFERENCE
+ "OSPF Version 2, Appendix C.2 Area parameters"
+ INDEX { ospfAreaRangeAreaId, ospfAreaRangeNet }
+ ::= { ospfAreaRangeTable 1 }
+
+OspfAreaRangeEntry ::=
+ SEQUENCE {
+ ospfAreaRangeAreaId
+ AreaID,
+ ospfAreaRangeNet
+ IpAddress,
+ ospfAreaRangeMask
+ IpAddress,
+ ospfAreaRangeStatus
+ RowStatus,
+ ospfAreaRangeEffect
+ INTEGER
+ }
+
+ ospfAreaRangeAreaId OBJECT-TYPE
+ SYNTAX AreaID
+ MAX-ACCESS read-only
+ STATUS obsolete
+ DESCRIPTION
+ "The Area the Address Range is to be found
+ within."
+ REFERENCE
+ "OSPF Version 2, Appendix C.2 Area parameters"
+ ::= { ospfAreaRangeEntry 1 }
+
+
+ ospfAreaRangeNet OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS obsolete
+ DESCRIPTION
+ "The IP Address of the Net or Subnet indicated
+ by the range."
+ REFERENCE
+ "OSPF Version 2, Appendix C.2 Area parameters"
+ ::= { ospfAreaRangeEntry 2 }
+
+
+ ospfAreaRangeMask OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-create
+ STATUS obsolete
+ DESCRIPTION
+ "The Subnet Mask that pertains to the Net or
+ Subnet."
+ REFERENCE
+ "OSPF Version 2, Appendix C.2 Area parameters"
+ ::= { ospfAreaRangeEntry 3 }
+
+ ospfAreaRangeStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS obsolete
+ DESCRIPTION
+ "This variable displays the status of the en-
+ try. Setting it to 'invalid' has the effect of
+ rendering it inoperative. The internal effect
+ (row removal) is implementation dependent."
+ ::= { ospfAreaRangeEntry 4 }
+
+
+ ospfAreaRangeEffect OBJECT-TYPE
+ SYNTAX INTEGER {
+ advertiseMatching (1),
+ doNotAdvertiseMatching (2)
+ }
+ MAX-ACCESS read-create
+ STATUS obsolete
+ DESCRIPTION
+ "Subnets subsumed by ranges either trigger the
+ advertisement of the indicated summary (adver-
+ tiseMatching), or result in the subnet's not
+ being advertised at all outside the area."
+ DEFVAL { advertiseMatching }
+ ::= { ospfAreaRangeEntry 5 }
+
+
+
+-- OSPF Host Table
+
+-- The Host/Metric Table indicates what hosts are directly
+-- attached to the Router, and what metrics and types of
+-- service should be advertised for them.
+
+ ospfHostTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF OspfHostEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The list of Hosts, and their metrics, that the
+ router will advertise as host routes."
+ REFERENCE
+ "OSPF Version 2, Appendix C.6 Host route param-
+ eters"
+ ::= { ospf 6 }
+
+
+ ospfHostEntry OBJECT-TYPE
+ SYNTAX OspfHostEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A metric to be advertised, for a given type of
+ service, when a given host is reachable."
+ INDEX { ospfHostIpAddress, ospfHostTOS }
+ ::= { ospfHostTable 1 }
+
+OspfHostEntry ::=
+ SEQUENCE {
+ ospfHostIpAddress
+ IpAddress,
+ ospfHostTOS
+ TOSType,
+ ospfHostMetric
+ Metric,
+ ospfHostStatus
+ RowStatus,
+ ospfHostAreaID
+ AreaID
+ }
+
+ ospfHostIpAddress OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The IP Address of the Host."
+ REFERENCE
+ "OSPF Version 2, Appendix C.6 Host route parame-
+ ters"
+ ::= { ospfHostEntry 1 }
+
+
+ ospfHostTOS OBJECT-TYPE
+ SYNTAX TOSType
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The Type of Service of the route being config-
+ ured."
+ REFERENCE
+ "OSPF Version 2, Appendix C.6 Host route parame-
+ ters"
+ ::= { ospfHostEntry 2 }
+
+
+ ospfHostMetric OBJECT-TYPE
+ SYNTAX Metric
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The Metric to be advertised."
+ REFERENCE
+ "OSPF Version 2, Appendix C.6 Host route parame-
+ ters"
+ ::= { ospfHostEntry 3 }
+
+ ospfHostStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "This variable displays the status of the en-
+ try. Setting it to 'invalid' has the effect of
+ rendering it inoperative.
The internal effect
+ (row removal) is implementation dependent."
+ ::= { ospfHostEntry 4 }
+
+
+ ospfHostAreaID OBJECT-TYPE
+ SYNTAX AreaID
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The Area the Host Entry is to be found within.
+ By default, the area that a subsuming OSPF in-
+ terface is in, or 0.0.0.0"
+ REFERENCE
+ "OSPF Version 2, Appendix C.2 Area parameters"
+ ::= { ospfHostEntry 5 }
+
+
+-- OSPF Interface Table
+
+-- The OSPF Interface Table augments the ipAddrTable
+-- with OSPF specific information.
+
+ ospfIfTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF OspfIfEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The OSPF Interface Table describes the inter-
+ faces from the viewpoint of OSPF."
+ REFERENCE
+ "OSPF Version 2, Appendix C.3 Router interface
+ parameters"
+ ::= { ospf 7 }
+
+
+ ospfIfEntry OBJECT-TYPE
+ SYNTAX OspfIfEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The OSPF Interface Entry describes one inter-
+ face from the viewpoint of OSPF."
+ INDEX { ospfIfIpAddress, ospfAddressLessIf }
+ ::= { ospfIfTable 1 }
+
+OspfIfEntry ::=
+ SEQUENCE {
+ ospfIfIpAddress
+ IpAddress,
+ ospfAddressLessIf
+ Integer32,
+ ospfIfAreaId
+ AreaID,
+ ospfIfType
+ INTEGER,
+ ospfIfAdminStat
+ Status,
+ ospfIfRtrPriority
+ DesignatedRouterPriority,
+ ospfIfTransitDelay
+ UpToMaxAge,
+ ospfIfRetransInterval
+ UpToMaxAge,
+ ospfIfHelloInterval
+ HelloRange,
+ ospfIfRtrDeadInterval
+ PositiveInteger,
+ ospfIfPollInterval
+ PositiveInteger,
+ ospfIfState
+ INTEGER,
+ ospfIfDesignatedRouter
+ IpAddress,
+ ospfIfBackupDesignatedRouter
+ IpAddress,
+ ospfIfEvents
+ Counter32,
+ ospfIfAuthType
+ INTEGER,
+ ospfIfAuthKey
+ OCTET STRING,
+ ospfIfStatus
+ RowStatus,
+ ospfIfMulticastForwarding
+ INTEGER,
+ ospfIfDemand
+ TruthValue
+ }
+
+ ospfIfIpAddress OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The IP address of this OSPF interface."
+ ::= { ospfIfEntry 1 }
+
+ ospfAddressLessIf OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "For the purpose of easing the instancing of
+ addressed and addressless interfaces; This
+ variable takes the value 0 on interfaces with
+ IP Addresses, and the corresponding value of
+ ifIndex for interfaces having no IP Address."
+ ::= { ospfIfEntry 2 }
+ ospfIfAreaId OBJECT-TYPE
+ SYNTAX AreaID
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "A 32-bit integer uniquely identifying the area
+ to which the interface connects. Area ID
+ 0.0.0.0 is used for the OSPF backbone."
+ DEFVAL { '00000000'H } -- 0.0.0.0
+ ::= { ospfIfEntry 3 }
+
+ ospfIfType OBJECT-TYPE
+ SYNTAX INTEGER {
+ broadcast (1),
+ nbma (2),
+ pointToPoint (3),
+ pointToMultipoint (5)
+ }
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The OSPF interface type.
+
+ By way of a default, this field may be intuited
+ from the corresponding value of ifType. Broad-
+ cast LANs, such as Ethernet and IEEE 802.5,
+ take the value 'broadcast', X.25 and similar
+ technologies take the value 'nbma', and links
+ that are definitively point to point take the
+ value 'pointToPoint'."
+ ::= { ospfIfEntry 4 }
+
+
+ ospfIfAdminStat OBJECT-TYPE
+ SYNTAX Status
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The OSPF interface's administrative status.
+ The value formed on the interface, and the in-
+ terface will be advertised as an internal route
+ to some area. The value 'disabled' denotes
+ that the interface is external to OSPF."
+ DEFVAL { enabled }
+ ::= { ospfIfEntry 5 }
+
+ ospfIfRtrPriority OBJECT-TYPE
+ SYNTAX DesignatedRouterPriority
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The priority of this interface. Used in
+ multi-access networks, this field is used in
+ the designated router election algorithm. The
+ value 0 signifies that the router is not eligi-
+ ble to become the designated router on this
+ particular network.
In the event of a tie in
+ this value, routers will use their Router ID as
+ a tie breaker."
+ DEFVAL { 1 }
+ ::= { ospfIfEntry 6 }
+
+
+ ospfIfTransitDelay OBJECT-TYPE
+ SYNTAX UpToMaxAge
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The estimated number of seconds it takes to
+ transmit a link state update packet over this
+ interface."
+ DEFVAL { 1 }
+ ::= { ospfIfEntry 7 }
+
+
+ ospfIfRetransInterval OBJECT-TYPE
+ SYNTAX UpToMaxAge
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The number of seconds between link-state ad-
+ vertisement retransmissions, for adjacencies
+ belonging to this interface. This value is
+ also used when retransmitting database descrip-
+ tion and link-state request packets."
+ DEFVAL { 5 }
+ ::= { ospfIfEntry 8 }
+
+
+ ospfIfHelloInterval OBJECT-TYPE
+ SYNTAX HelloRange
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The length of time, in seconds, between the
+ Hello packets that the router sends on the in-
+ terface. This value must be the same for all
+ routers attached to a common network."
+ DEFVAL { 10 }
+ ::= { ospfIfEntry 9 }
+
+
+ ospfIfRtrDeadInterval OBJECT-TYPE
+ SYNTAX PositiveInteger
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The number of seconds that a router's Hello
+ packets have not been seen before it's neigh-
+ bors declare the router down. This should be
+ some multiple of the Hello interval. This
+ value must be the same for all routers attached
+ to a common network."
+ DEFVAL { 40 }
+ ::= { ospfIfEntry 10 }
+
+
+ ospfIfPollInterval OBJECT-TYPE
+ SYNTAX PositiveInteger
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The larger time interval, in seconds, between
+ the Hello packets sent to an inactive non-
+ broadcast multi- access neighbor."
+ DEFVAL { 120 }
+ ::= { ospfIfEntry 11 }
+
+
+ ospfIfState OBJECT-TYPE
+ SYNTAX INTEGER {
+ down (1),
+ loopback (2),
+ waiting (3),
+ pointToPoint (4),
+ designatedRouter (5),
+ backupDesignatedRouter (6),
+ otherDesignatedRouter (7)
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The OSPF Interface State."
+ DEFVAL { down }
+ ::= { ospfIfEntry 12 }
+
+
+ ospfIfDesignatedRouter OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The IP Address of the Designated Router."
+ DEFVAL { '00000000'H } -- 0.0.0.0
+ ::= { ospfIfEntry 13 }
+
+
+ ospfIfBackupDesignatedRouter OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The IP Address of the Backup Designated
+ Router."
+ DEFVAL { '00000000'H } -- 0.0.0.0
+ ::= { ospfIfEntry 14 }
+
+ ospfIfEvents OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of times this OSPF interface has
+ changed its state, or an error has occurred."
+ ::= { ospfIfEntry 15 }
+
+
+ ospfIfAuthKey OBJECT-TYPE
+ SYNTAX OCTET STRING (SIZE (0..256))
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The Authentication Key. If the Area's Author-
+ ization Type is simplePassword, and the key
+ length is shorter than 8 octets, the agent will
+ left adjust and zero fill to 8 octets.
+
+ Note that unauthenticated interfaces need no
+ authentication key, and simple password authen-
+ tication cannot use a key of more than 8 oc-
+ tets. Larger keys are useful only with authen-
+ tication mechanisms not specified in this docu-
+ ment.
+
+ When read, ospfIfAuthKey always returns an Oc-
+ tet String of length zero."
+ REFERENCE
+ "OSPF Version 2, Section 9 The Interface Data
+ Structure"
+ DEFVAL { '0000000000000000'H } -- 0.0.0.0.0.0.0.0
+ ::= { ospfIfEntry 16 }
+
+ ospfIfStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "This variable displays the status of the en-
+ try.
Setting it to 'invalid' has the effect of
+ rendering it inoperative. The internal effect
+ (row removal) is implementation dependent."
+ ::= { ospfIfEntry 17 }
+
+
+ ospfIfMulticastForwarding OBJECT-TYPE
+ SYNTAX INTEGER {
+ blocked (1), -- no multicast forwarding
+ multicast (2), -- using multicast address
+ unicast (3) -- to each OSPF neighbor
+ }
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The way multicasts should forwarded on this
+ interface; not forwarded, forwarded as data
+ link multicasts, or forwarded as data link uni-
+ casts. Data link multicasting is not meaning-
+ ful on point to point and NBMA interfaces, and
+ setting ospfMulticastForwarding to 0 effective-
+ ly disables all multicast forwarding."
+ DEFVAL { blocked }
+ ::= { ospfIfEntry 18 }
+
+
+ ospfIfDemand OBJECT-TYPE
+ SYNTAX TruthValue
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "Indicates whether Demand OSPF procedures (hel-
+ lo supression to FULL neighbors and setting the
+ DoNotAge flag on proogated LSAs) should be per-
+ formed on this interface."
+ DEFVAL { false }
+ ::= { ospfIfEntry 19 }
+
+
+ ospfIfAuthType OBJECT-TYPE
+ SYNTAX INTEGER (0..255)
+ -- none (0),
+ -- simplePassword (1)
+ -- md5 (2)
+ -- reserved for specification by IANA (> 2)
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The authentication type specified for an in-
+ terface. Additional authentication types may
+ be assigned locally."
+ REFERENCE
+ "OSPF Version 2, Appendix E Authentication"
+ DEFVAL { 0 } -- no authentication, by default
+ ::= { ospfIfEntry 20 }
+
+
+-- OSPF Interface Metric Table
+
+-- The Metric Table describes the metrics to be advertised
+-- for a specified interface at the various types of service.
+-- As such, this table is an adjunct of the OSPF Interface
+-- Table.
+
+-- Types of service, as defined by RFC 791, have the ability
+-- to request low delay, high bandwidth, or reliable linkage.
+
+-- For the purposes of this specification, the measure of
+-- bandwidth
+
+-- Metric = 10^8 / ifSpeed
+
+-- is the default value. For multiple link interfaces, note
+-- that ifSpeed is the sum of the individual link speeds.
+-- This yields a number having the following typical values:
+
+-- Network Type/bit rate Metric
+
+-- >= 100 MBPS 1
+-- Ethernet/802.3 10
+-- E1 48
+-- T1 (ESF) 65
+-- 64 KBPS 1562
+-- 56 KBPS 1785
+-- 19.2 KBPS 5208
+-- 9.6 KBPS 10416
+
+-- Routes that are not specified use the default (TOS 0) metric
+
+ ospfIfMetricTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF OspfIfMetricEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The TOS metrics for a non-virtual interface
+ identified by the interface index."
+ REFERENCE
+ "OSPF Version 2, Appendix C.3 Router interface
+ parameters"
+ ::= { ospf 8 }
+
+ ospfIfMetricEntry OBJECT-TYPE
+ SYNTAX OspfIfMetricEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A particular TOS metric for a non-virtual in-
+ terface identified by the interface index."
+ REFERENCE
+ "OSPF Version 2, Appendix C.3 Router interface
+ parameters"
+ INDEX { ospfIfMetricIpAddress,
+ ospfIfMetricAddressLessIf,
+ ospfIfMetricTOS }
+ ::= { ospfIfMetricTable 1 }
+
+OspfIfMetricEntry ::=
+ SEQUENCE {
+ ospfIfMetricIpAddress
+ IpAddress,
+ ospfIfMetricAddressLessIf
+ Integer32,
+ ospfIfMetricTOS
+ TOSType,
+ ospfIfMetricValue
+ Metric,
+ ospfIfMetricStatus
+ RowStatus
+ }
+
+ ospfIfMetricIpAddress OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The IP address of this OSPF interface. On row
+ creation, this can be derived from the in-
+ stance."
+ ::= { ospfIfMetricEntry 1 }
+
+ ospfIfMetricAddressLessIf OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "For the purpose of easing the instancing of
+ addressed and addressless interfaces; This
+ variable takes the value 0 on interfaces with
+ IP Addresses, and the value of ifIndex for in-
+ terfaces having no IP Address. On row crea-
+ tion, this can be derived from the instance."
+ ::= { ospfIfMetricEntry 2 }
+
+
+ ospfIfMetricTOS OBJECT-TYPE
+ SYNTAX TOSType
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The type of service metric being referenced.
+ On row creation, this can be derived from the
+ instance."
+ ::= { ospfIfMetricEntry 3 }
+
+
+ ospfIfMetricValue OBJECT-TYPE
+ SYNTAX Metric
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The metric of using this type of service on
+ this interface. The default value of the TOS 0
+ Metric is 10^8 / ifSpeed."
+ ::= { ospfIfMetricEntry 4 }
+
+ ospfIfMetricStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "This variable displays the status of the en-
+ try. Setting it to 'invalid' has the effect of
+ rendering it inoperative. The internal effect
+ (row removal) is implementation dependent."
+ ::= { ospfIfMetricEntry 5 }
+
+
+-- OSPF Virtual Interface Table
+
+-- The Virtual Interface Table describes the virtual
+-- links that the OSPF Process is configured to
+-- carry on.
+
+ ospfVirtIfTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF OspfVirtIfEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Information about this router's virtual inter-
+ faces."
+ REFERENCE
+ "OSPF Version 2, Appendix C.4 Virtual link
+ parameters"
+ ::= { ospf 9 }
+
+
+ ospfVirtIfEntry OBJECT-TYPE
+ SYNTAX OspfVirtIfEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Information about a single Virtual Interface."
+ INDEX { ospfVirtIfAreaId, ospfVirtIfNeighbor }
+ ::= { ospfVirtIfTable 1 }
+
+OspfVirtIfEntry ::=
+ SEQUENCE {
+ ospfVirtIfAreaId
+ AreaID,
+ ospfVirtIfNeighbor
+ RouterID,
+ ospfVirtIfTransitDelay
+ UpToMaxAge,
+ ospfVirtIfRetransInterval
+ UpToMaxAge,
+ ospfVirtIfHelloInterval
+ HelloRange,
+ ospfVirtIfRtrDeadInterval
+ PositiveInteger,
+ ospfVirtIfState
+ INTEGER,
+ ospfVirtIfEvents
+ Counter32,
+ ospfVirtIfAuthType
+ INTEGER,
+ ospfVirtIfAuthKey
+ OCTET STRING,
+ ospfVirtIfStatus
+ RowStatus
+ }
+
+ ospfVirtIfAreaId OBJECT-TYPE
+ SYNTAX AreaID
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The Transit Area that the Virtual Link
+ traverses. By definition, this is not 0.0.0.0"
+ ::= { ospfVirtIfEntry 1 }
+
+
+ ospfVirtIfNeighbor OBJECT-TYPE
+ SYNTAX RouterID
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The Router ID of the Virtual Neighbor."
+ ::= { ospfVirtIfEntry 2 }
+
+
+ ospfVirtIfTransitDelay OBJECT-TYPE
+ SYNTAX UpToMaxAge
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The estimated number of seconds it takes to
+ transmit a link- state update packet over this
+ interface."
+ DEFVAL { 1 }
+ ::= { ospfVirtIfEntry 3 }
+
+
+ ospfVirtIfRetransInterval OBJECT-TYPE
+ SYNTAX UpToMaxAge
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The number of seconds between link-state ad-
+ vertisement retransmissions, for adjacencies
+ belonging to this interface. This value is
+ also used when retransmitting database descrip-
+ tion and link-state request packets. This
+ value should be well over the expected round-
+ trip time."
+ DEFVAL { 5 }
+ ::= { ospfVirtIfEntry 4 }
+
+
+ ospfVirtIfHelloInterval OBJECT-TYPE
+ SYNTAX HelloRange
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The length of time, in seconds, between the
+ Hello packets that the router sends on the in-
+ terface. This value must be the same for the
+ virtual neighbor."
+ DEFVAL { 10 }
+ ::= { ospfVirtIfEntry 5 }
+
+
+ ospfVirtIfRtrDeadInterval OBJECT-TYPE
+ SYNTAX PositiveInteger
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The number of seconds that a router's Hello
+ packets have not been seen before it's neigh-
+ bors declare the router down. This should be
+ some multiple of the Hello interval. This
+ value must be the same for the virtual neigh-
+ bor."
+ DEFVAL { 60 }
+ ::= { ospfVirtIfEntry 6 }
+
+
+ ospfVirtIfState OBJECT-TYPE
+ SYNTAX INTEGER {
+ down (1), -- these use the same encoding
+ pointToPoint (4) -- as the ospfIfTable
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "OSPF virtual interface states."
+ DEFVAL { down }
+ ::= { ospfVirtIfEntry 7 }
+
+
+ ospfVirtIfEvents OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of state changes or error events on
+ this Virtual Link"
+ ::= { ospfVirtIfEntry 8 }
+
+
+ ospfVirtIfAuthKey OBJECT-TYPE
+ SYNTAX OCTET STRING (SIZE(0..256))
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "If Authentication Type is simplePassword, the
+ device will left adjust and zero fill to 8 oc-
+ tets.
+
+ Note that unauthenticated interfaces need no
+ authentication key, and simple password authen-
+ tication cannot use a key of more than 8 oc-
+ tets. Larger keys are useful only with authen-
+ tication mechanisms not specified in this docu-
+ ment.
+
+ When read, ospfVifAuthKey always returns a
+ string of length zero."
+ REFERENCE
+ "OSPF Version 2, Section 9 The Interface Data
+ Structure"
+ DEFVAL { '0000000000000000'H } -- 0.0.0.0.0.0.0.0
+ ::= { ospfVirtIfEntry 9 }
+
+
+ ospfVirtIfStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "This variable displays the status of the en-
+ try. Setting it to 'invalid' has the effect of
+ rendering it inoperative. The internal effect
+ (row removal) is implementation dependent."
+ ::= { ospfVirtIfEntry 10 }
+
+
+ ospfVirtIfAuthType OBJECT-TYPE
+ SYNTAX INTEGER (0..255)
+ -- none (0),
+ -- simplePassword (1)
+ -- md5 (2)
+ -- reserved for specification by IANA (> 2)
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The authentication type specified for a virtu-
+ al interface. Additional authentication types
+ may be assigned locally."
+ REFERENCE
+ "OSPF Version 2, Appendix E Authentication"
+ DEFVAL { 0 } -- no authentication, by default
+ ::= { ospfVirtIfEntry 11 }
+
+
+-- OSPF Neighbor Table
+
+-- The OSPF Neighbor Table describes all neighbors in
+-- the locality of the subject router.
+
+ ospfNbrTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF OspfNbrEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table of non-virtual neighbor information."
+ REFERENCE
+ "OSPF Version 2, Section 10 The Neighbor Data
+ Structure"
+ ::= { ospf 10 }
+
+
+ ospfNbrEntry OBJECT-TYPE
+ SYNTAX OspfNbrEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The information regarding a single neighbor."
+ REFERENCE
+ "OSPF Version 2, Section 10 The Neighbor Data
+ Structure"
+ INDEX { ospfNbrIpAddr, ospfNbrAddressLessIndex }
+ ::= { ospfNbrTable 1 }
+
+OspfNbrEntry ::=
+ SEQUENCE {
+ ospfNbrIpAddr
+ IpAddress,
+ ospfNbrAddressLessIndex
+ InterfaceIndex,
+ ospfNbrRtrId
+ RouterID,
+ ospfNbrOptions
+ Integer32,
+ ospfNbrPriority
+ DesignatedRouterPriority,
+ ospfNbrState
+ INTEGER,
+ ospfNbrEvents
+ Counter32,
+ ospfNbrLsRetransQLen
+ Gauge32,
+ ospfNbmaNbrStatus
+ RowStatus,
+ ospfNbmaNbrPermanence
+ INTEGER,
+ ospfNbrHelloSuppressed
+ TruthValue
+ }
+
+ ospfNbrIpAddr OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The IP address this neighbor is using in its
+ IP Source Address. Note that, on addressless
+ links, this will not be 0.0.0.0, but the ad-
+ dress of another of the neighbor's interfaces."
+ ::= { ospfNbrEntry 1 }
+
+
+ ospfNbrAddressLessIndex OBJECT-TYPE
+ SYNTAX InterfaceIndex
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "On an interface having an IP Address, zero.
+ On addressless interfaces, the corresponding
+ value of ifIndex in the Internet Standard MIB.
+ On row creation, this can be derived from the
+ instance."
+ ::= { ospfNbrEntry 2 }
+
+
+ ospfNbrRtrId OBJECT-TYPE
+ SYNTAX RouterID
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "A 32-bit integer (represented as a type IpAd-
+ dress) uniquely identifying the neighboring
+ router in the Autonomous System."
+ DEFVAL { '00000000'H } -- 0.0.0.0
+ ::= { ospfNbrEntry 3 }
+
+
+ ospfNbrOptions OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "A Bit Mask corresponding to the neighbor's op-
+ tions field.
+
+ Bit 0, if set, indicates that the system will
+ operate on Type of Service metrics other than
+ TOS 0. If zero, the neighbor will ignore all
+ metrics except the TOS 0 metric.
+
+ Bit 1, if set, indicates that the associated
+ area accepts and operates on external informa-
+ tion; if zero, it is a stub area.
+
+ Bit 2, if set, indicates that the system is ca-
+ pable of routing IP Multicast datagrams; i.e.,
+ that it implements the Multicast Extensions to
+ OSPF.
+
+ Bit 3, if set, indicates that the associated
+ area is an NSSA. These areas are capable of
+ carrying type 7 external advertisements, which
+ are translated into type 5 external advertise-
+ ments at NSSA borders."
+ REFERENCE
+ "OSPF Version 2, Section 12.1.2 Options"
+ DEFVAL { 0 }
+ ::= { ospfNbrEntry 4 }
+
+
+ ospfNbrPriority OBJECT-TYPE
+ SYNTAX DesignatedRouterPriority
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The priority of this neighbor in the designat-
+ ed router election algorithm. The value 0 sig-
+ nifies that the neighbor is not eligible to be-
+ come the designated router on this particular
+ network."
+ DEFVAL { 1 }
+ ::= { ospfNbrEntry 5 }
+
+
+ ospfNbrState OBJECT-TYPE
+ SYNTAX INTEGER {
+ down (1),
+ attempt (2),
+ init (3),
+ twoWay (4),
+ exchangeStart (5),
+ exchange (6),
+ loading (7),
+ full (8)
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The State of the relationship with this Neigh-
+ bor."
+ REFERENCE
+ "OSPF Version 2, Section 10.1 Neighbor States"
+ DEFVAL { down }
+ ::= { ospfNbrEntry 6 }
+
+
+ ospfNbrEvents OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of times this neighbor relationship
+ has changed state, or an error has occurred."
+ ::= { ospfNbrEntry 7 }
+
+
+ ospfNbrLsRetransQLen OBJECT-TYPE
+ SYNTAX Gauge32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The current length of the retransmission
+ queue."
+ ::= { ospfNbrEntry 8 }
+
+
+ ospfNbmaNbrStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "This variable displays the status of the en-
+ try. Setting it to 'invalid' has the effect of
+ rendering it inoperative. The internal effect
+ (row removal) is implementation dependent."
+ ::= { ospfNbrEntry 9 }
+
+
+ ospfNbmaNbrPermanence OBJECT-TYPE
+ SYNTAX INTEGER {
+ dynamic (1), -- learned through protocol
+ permanent (2) -- configured address
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "This variable displays the status of the en-
+ try. 'dynamic' and 'permanent' refer to how
+ the neighbor became known."
+ DEFVAL { permanent }
+ ::= { ospfNbrEntry 10 }
+
+
+ ospfNbrHelloSuppressed OBJECT-TYPE
+ SYNTAX TruthValue
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Indicates whether Hellos are being suppressed
+ to the neighbor"
+ ::= { ospfNbrEntry 11 }
+
+
+-- OSPF Virtual Neighbor Table
+
+-- This table describes all virtual neighbors.
+-- Since Virtual Links are configured in the
+-- virtual interface table, this table is read-only.
+
+ ospfVirtNbrTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF OspfVirtNbrEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table of virtual neighbor information."
+ REFERENCE
+ "OSPF Version 2, Section 15 Virtual Links"
+ ::= { ospf 11 }
+
+
+ ospfVirtNbrEntry OBJECT-TYPE
+ SYNTAX OspfVirtNbrEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Virtual neighbor information."
+ INDEX { ospfVirtNbrArea, ospfVirtNbrRtrId }
+ ::= { ospfVirtNbrTable 1 }
+
+OspfVirtNbrEntry ::=
+ SEQUENCE {
+ ospfVirtNbrArea
+ AreaID,
+ ospfVirtNbrRtrId
+ RouterID,
+ ospfVirtNbrIpAddr
+ IpAddress,
+ ospfVirtNbrOptions
+ Integer32,
+ ospfVirtNbrState
+ INTEGER,
+ ospfVirtNbrEvents
+ Counter32,
+ ospfVirtNbrLsRetransQLen
+ Gauge32,
+ ospfVirtNbrHelloSuppressed
+ TruthValue
+ }
+
+ ospfVirtNbrArea OBJECT-TYPE
+ SYNTAX AreaID
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The Transit Area Identifier."
+ ::= { ospfVirtNbrEntry 1 }
+
+
+ ospfVirtNbrRtrId OBJECT-TYPE
+ SYNTAX RouterID
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "A 32-bit integer uniquely identifying the
+ neighboring router in the Autonomous System."
+ ::= { ospfVirtNbrEntry 2 }
+
+
+ ospfVirtNbrIpAddr OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The IP address this Virtual Neighbor is us-
+ ing."
+ ::= { ospfVirtNbrEntry 3 }
+
+
+ ospfVirtNbrOptions OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "A Bit Mask corresponding to the neighbor's op-
+ tions field.
+
+ Bit 1, if set, indicates that the system will
+ operate on Type of Service metrics other than
+ TOS 0. If zero, the neighbor will ignore all
+ metrics except the TOS 0 metric.
+
+ Bit 2, if set, indicates that the system is
+ Network Multicast capable; ie, that it imple-
+ ments OSPF Multicast Routing."
+ ::= { ospfVirtNbrEntry 4 }
+ ospfVirtNbrState OBJECT-TYPE
+ SYNTAX INTEGER {
+ down (1),
+ attempt (2),
+ init (3),
+ twoWay (4),
+ exchangeStart (5),
+ exchange (6),
+ loading (7),
+ full (8)
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The state of the Virtual Neighbor Relation-
+ ship."
+ ::= { ospfVirtNbrEntry 5 }
+
+
+ ospfVirtNbrEvents OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of times this virtual link has
+ changed its state, or an error has occurred."
+ ::= { ospfVirtNbrEntry 6 }
+
+
+ ospfVirtNbrLsRetransQLen OBJECT-TYPE
+ SYNTAX Gauge32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The current length of the retransmission
+ queue."
+ ::= { ospfVirtNbrEntry 7 }
+
+
+ ospfVirtNbrHelloSuppressed OBJECT-TYPE
+ SYNTAX TruthValue
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Indicates whether Hellos are being suppressed
+ to the neighbor"
+ ::= { ospfVirtNbrEntry 8 }
+
+-- OSPF Link State Database, External
+
+-- The Link State Database contains the Link State
+-- Advertisements from throughout the areas that the
+-- device is attached to.
+
+-- This table is identical to the OSPF LSDB Table in
+-- format, but contains only External Link State
+-- Advertisements. The purpose is to allow external
+-- LSAs to be displayed once for the router rather
+-- than once in each non-stub area.
+
+ ospfExtLsdbTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF OspfExtLsdbEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The OSPF Process's Links State Database."
+ REFERENCE
+ "OSPF Version 2, Section 12 Link State Adver-
+ tisements"
+ ::= { ospf 12 }
+
+
+ ospfExtLsdbEntry OBJECT-TYPE
+ SYNTAX OspfExtLsdbEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A single Link State Advertisement."
+ INDEX { ospfExtLsdbType, ospfExtLsdbLsid, ospfExtLsdbRouterId }
+ ::= { ospfExtLsdbTable 1 }
+
+OspfExtLsdbEntry ::=
+ SEQUENCE {
+ ospfExtLsdbType
+ INTEGER,
+ ospfExtLsdbLsid
+ IpAddress,
+ ospfExtLsdbRouterId
+ RouterID,
+ ospfExtLsdbSequence
+ Integer32,
+ ospfExtLsdbAge
+ Integer32,
+ ospfExtLsdbChecksum
+ Integer32,
+ ospfExtLsdbAdvertisement
+ OCTET STRING
+ }
+
+ ospfExtLsdbType OBJECT-TYPE
+ SYNTAX INTEGER {
+ asExternalLink (5)
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The type of the link state advertisement.
+ Each link state type has a separate advertise-
+ ment format."
+ REFERENCE
+ "OSPF Version 2, Appendix A.4.1 The Link State
+ Advertisement header"
+ ::= { ospfExtLsdbEntry 1 }
+
+
+ ospfExtLsdbLsid OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The Link State ID is an LS Type Specific field
+ containing either a Router ID or an IP Address;
+ it identifies the piece of the routing domain
+ that is being described by the advertisement."
+ REFERENCE
+ "OSPF Version 2, Section 12.1.4 Link State ID"
+ ::= { ospfExtLsdbEntry 2 }
+
+
+ ospfExtLsdbRouterId OBJECT-TYPE
+ SYNTAX RouterID
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The 32 bit number that uniquely identifies the
+ originating router in the Autonomous System."
+ REFERENCE
+ "OSPF Version 2, Appendix C.1 Global parameters"
+ ::= { ospfExtLsdbEntry 3 }
+
+-- Note that the OSPF Sequence Number is a 32 bit signed
+-- integer. It starts with the value '80000001'h,
+-- or -'7FFFFFFF'h, and increments until '7FFFFFFF'h
+-- Thus, a typical sequence number will be very negative.
+ ospfExtLsdbSequence OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The sequence number field is a signed 32-bit
+ integer. It is used to detect old and dupli-
+ cate link state advertisements. The space of
+ sequence numbers is linearly ordered.
The
+ larger the sequence number the more recent the
+ advertisement."
+ REFERENCE
+ "OSPF Version 2, Section 12.1.6 LS sequence
+ number"
+ ::= { ospfExtLsdbEntry 4 }
+
+
+ ospfExtLsdbAge OBJECT-TYPE
+ SYNTAX Integer32 -- Should be 0..MaxAge
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "This field is the age of the link state adver-
+ tisement in seconds."
+ REFERENCE
+ "OSPF Version 2, Section 12.1.1 LS age"
+ ::= { ospfExtLsdbEntry 5 }
+
+
+ ospfExtLsdbChecksum OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "This field is the checksum of the complete
+ contents of the advertisement, excepting the
+ age field. The age field is excepted so that
+ an advertisement's age can be incremented
+ without updating the checksum. The checksum
+ used is the same that is used for ISO connec-
+ tionless datagrams; it is commonly referred to
+ as the Fletcher checksum."
+ REFERENCE
+ "OSPF Version 2, Section 12.1.7 LS checksum"
+ ::= { ospfExtLsdbEntry 6 }
+
+
+ ospfExtLsdbAdvertisement OBJECT-TYPE
+ SYNTAX OCTET STRING (SIZE(36))
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The entire Link State Advertisement, including
+ its header."
+ REFERENCE
+ "OSPF Version 2, Section 12 Link State Adver-
+ tisements"
+ ::= { ospfExtLsdbEntry 7 }
+
+
+-- OSPF Use of the CIDR Route Table
+
+ospfRouteGroup OBJECT IDENTIFIER ::= { ospf 13 }
+
+-- The IP Forwarding Table defines a number of objects for use by
+-- the routing protocol to externalize its information. Most of
+-- the variables (ipForwardDest, ipForwardMask, ipForwardPolicy,
+-- ipForwardNextHop, ipForwardIfIndex, ipForwardType,
+-- ipForwardProto, ipForwardAge, and ipForwardNextHopAS) are
+-- defined there.
+
+-- Those that leave some discretion are defined here.
+
+-- ipCidrRouteProto is, of course, ospf (13).
+
+-- ipCidrRouteAge is the time since the route was first calculated,
+-- as opposed to the time since the last SPF run.
+ +-- ipCidrRouteInfo is an OBJECT IDENTIFIER for use by the routing +-- protocol. The following values shall be found there depending +-- on the way the route was calculated. + +ospfIntraArea OBJECT IDENTIFIER ::= { ospfRouteGroup 1 } +ospfInterArea OBJECT IDENTIFIER ::= { ospfRouteGroup 2 } +ospfExternalType1 OBJECT IDENTIFIER ::= { ospfRouteGroup 3 } +ospfExternalType2 OBJECT IDENTIFIER ::= { ospfRouteGroup 4 } + +-- ipCidrRouteMetric1 is, by definition, the primary routing +-- metric. Therefore, it should be the metric that route +-- selection is based on. For intra-area and inter-area routes, +-- it is an OSPF metric. For External Type 1 (comparable value) +-- routes, it is an OSPF metric plus the External Metric. For +-- external Type 2 (non-comparable value) routes, it is the +-- external metric. + +-- ipCidrRouteMetric2 is, by definition, a secondary routing +-- metric. Therefore, it should be the metric that breaks a tie +-- among routes having equal metric1 values and the same +-- calculation rule. For intra-area, inter-area routes, and +-- External Type 1 (comparable value) routes, it is unused. For +-- external Type 2 (non-comparable value) routes, it is the metric +-- to the AS border router. + +-- ipCidrRouteMetric3, ipCidrRouteMetric4, and ipCidrRouteMetric5 are +-- unused. + +-- +-- The OSPF Area Aggregate Table +-- +-- This table replaces the OSPF Area Summary Table, being an +-- extension of that for CIDR routers. + + ospfAreaAggregateTable OBJECT-TYPE + SYNTAX SEQUENCE OF OspfAreaAggregateEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A range of IP addresses specified by an IP + address/IP network mask pair. For example, + class B address range of X.X.X.X with a network + mask of 255.255.0.0 includes all IP addresses + from X.X.0.0 to X.X.255.255. 
Note that if + ranges are configured such that one range sub- + sumes another range (e.g., 10.0.0.0 mask + 255.0.0.0 and 10.1.0.0 mask 255.255.0.0), the + most specific match is the preferred one." + REFERENCE + "OSPF Version 2, Appendix C.2 Area parameters" + ::= { ospf 14 } + + + ospfAreaAggregateEntry OBJECT-TYPE + SYNTAX OspfAreaAggregateEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A range of IP addresses specified by an IP + address/IP network mask pair. For example, + class B address range of X.X.X.X with a network + mask of 255.255.0.0 includes all IP addresses + from X.X.0.0 to X.X.255.255. Note that if + ranges are range configured such that one range + subsumes another range (e.g., 10.0.0.0 mask + 255.0.0.0 and 10.1.0.0 mask 255.255.0.0), the + most specific match is the preferred one." + REFERENCE + "OSPF Version 2, Appendix C.2 Area parameters" + INDEX { ospfAreaAggregateAreaID, ospfAreaAggregateLsdbType, + ospfAreaAggregateNet, ospfAreaAggregateMask } + ::= { ospfAreaAggregateTable 1 } + + +OspfAreaAggregateEntry ::= + SEQUENCE { + ospfAreaAggregateAreaID + AreaID, + ospfAreaAggregateLsdbType + INTEGER, + ospfAreaAggregateNet + IpAddress, + ospfAreaAggregateMask + IpAddress, + ospfAreaAggregateStatus + RowStatus, + ospfAreaAggregateEffect + INTEGER + } + + ospfAreaAggregateAreaID OBJECT-TYPE + SYNTAX AreaID + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The Area the Address Aggregate is to be found + within." + REFERENCE + "OSPF Version 2, Appendix C.2 Area parameters" + ::= { ospfAreaAggregateEntry 1 } + + + ospfAreaAggregateLsdbType OBJECT-TYPE + SYNTAX INTEGER { + summaryLink (3), + nssaExternalLink (7) + } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The type of the Address Aggregate. This field + specifies the Lsdb type that this Address Ag- + gregate applies to." 
+ REFERENCE + "OSPF Version 2, Appendix A.4.1 The Link State + Advertisement header" + ::= { ospfAreaAggregateEntry 2 } + + + ospfAreaAggregateNet OBJECT-TYPE + SYNTAX IpAddress + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The IP Address of the Net or Subnet indicated + by the range." + REFERENCE + "OSPF Version 2, Appendix C.2 Area parameters" + ::= { ospfAreaAggregateEntry 3 } + + + ospfAreaAggregateMask OBJECT-TYPE + SYNTAX IpAddress + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The Subnet Mask that pertains to the Net or + Subnet." + REFERENCE + "OSPF Version 2, Appendix C.2 Area parameters" + ::= { ospfAreaAggregateEntry 4 } + + + ospfAreaAggregateStatus OBJECT-TYPE + SYNTAX RowStatus + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "This variable displays the status of the en- + try. Setting it to 'invalid' has the effect of + rendering it inoperative. The internal effect + (row removal) is implementation dependent." + ::= { ospfAreaAggregateEntry 5 } + + + ospfAreaAggregateEffect OBJECT-TYPE + SYNTAX INTEGER { + advertiseMatching (1), + doNotAdvertiseMatching (2) + } + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "Subnets subsumed by ranges either trigger the + advertisement of the indicated aggregate (ad- + vertiseMatching), or result in the subnet's not + being advertised at all outside the area." 
+ DEFVAL { advertiseMatching } + ::= { ospfAreaAggregateEntry 6 } + + +-- conformance information + +ospfConformance OBJECT IDENTIFIER ::= { ospf 15 } + +ospfGroups OBJECT IDENTIFIER ::= { ospfConformance 1 } +ospfCompliances OBJECT IDENTIFIER ::= { ospfConformance 2 } + +-- compliance statements + + ospfCompliance MODULE-COMPLIANCE + STATUS current + DESCRIPTION + "The compliance statement " + MODULE -- this module + MANDATORY-GROUPS { + ospfBasicGroup, + ospfAreaGroup, + ospfStubAreaGroup, + ospfIfGroup, + ospfIfMetricGroup, + ospfVirtIfGroup, + ospfNbrGroup, + ospfVirtNbrGroup, + ospfAreaAggregateGroup + } + ::= { ospfCompliances 1 } + + +-- units of conformance + + ospfBasicGroup OBJECT-GROUP + OBJECTS { + ospfRouterId, + ospfAdminStat, + ospfVersionNumber, + ospfAreaBdrRtrStatus, + ospfASBdrRtrStatus, + ospfExternLsaCount, + ospfExternLsaCksumSum, + ospfTOSSupport, + ospfOriginateNewLsas, + ospfRxNewLsas, + ospfExtLsdbLimit, + ospfMulticastExtensions, + ospfExitOverflowInterval, + ospfDemandExtensions + } + STATUS current + DESCRIPTION + "These objects are required for OSPF systems." + ::= { ospfGroups 1 } + + + ospfAreaGroup OBJECT-GROUP + OBJECTS { + ospfAreaId, + ospfImportAsExtern, + ospfSpfRuns, + ospfAreaBdrRtrCount, + ospfAsBdrRtrCount, + ospfAreaLsaCount, + ospfAreaLsaCksumSum, + ospfAreaSummary, + ospfAreaStatus + } + STATUS current + DESCRIPTION + "These objects are required for OSPF systems + supporting areas." + ::= { ospfGroups 2 } + + + ospfStubAreaGroup OBJECT-GROUP + OBJECTS { + ospfStubAreaId, + ospfStubTOS, + ospfStubMetric, + ospfStubStatus, + ospfStubMetricType + } + STATUS current + DESCRIPTION + "These objects are required for OSPF systems + supporting stub areas." 
+ ::= { ospfGroups 3 } + + + ospfLsdbGroup OBJECT-GROUP + OBJECTS { + ospfLsdbAreaId, + ospfLsdbType, + ospfLsdbLsid, + ospfLsdbRouterId, + ospfLsdbSequence, + ospfLsdbAge, + ospfLsdbChecksum, + ospfLsdbAdvertisement + } + STATUS current + DESCRIPTION + "These objects are required for OSPF systems + that display their link state database." + ::= { ospfGroups 4 } + + + ospfAreaRangeGroup OBJECT-GROUP + OBJECTS { + ospfAreaRangeAreaId, + ospfAreaRangeNet, + ospfAreaRangeMask, + ospfAreaRangeStatus, + ospfAreaRangeEffect + } + STATUS obsolete + DESCRIPTION + "These objects are required for non-CIDR OSPF + systems that support multiple areas." + ::= { ospfGroups 5 } + + + ospfHostGroup OBJECT-GROUP + OBJECTS { + ospfHostIpAddress, + ospfHostTOS, + ospfHostMetric, + ospfHostStatus, + ospfHostAreaID + } + STATUS current + DESCRIPTION + "These objects are required for OSPF systems + that support attached hosts." + ::= { ospfGroups 6 } + + + ospfIfGroup OBJECT-GROUP + OBJECTS { + ospfIfIpAddress, + ospfAddressLessIf, + ospfIfAreaId, + ospfIfType, + ospfIfAdminStat, + ospfIfRtrPriority, + ospfIfTransitDelay, + ospfIfRetransInterval, + ospfIfHelloInterval, + ospfIfRtrDeadInterval, + ospfIfPollInterval, + ospfIfState, + ospfIfDesignatedRouter, + ospfIfBackupDesignatedRouter, + ospfIfEvents, + ospfIfAuthType, + ospfIfAuthKey, + ospfIfStatus, + ospfIfMulticastForwarding, + ospfIfDemand + } + STATUS current + DESCRIPTION + "These objects are required for OSPF systems." + ::= { ospfGroups 7 } + + + ospfIfMetricGroup OBJECT-GROUP + OBJECTS { + ospfIfMetricIpAddress, + ospfIfMetricAddressLessIf, + ospfIfMetricTOS, + ospfIfMetricValue, + ospfIfMetricStatus + } + STATUS current + DESCRIPTION + "These objects are required for OSPF systems." 
+ ::= { ospfGroups 8 } + + + ospfVirtIfGroup OBJECT-GROUP + OBJECTS { + ospfVirtIfAreaId, + ospfVirtIfNeighbor, + ospfVirtIfTransitDelay, + ospfVirtIfRetransInterval, + ospfVirtIfHelloInterval, + ospfVirtIfRtrDeadInterval, + ospfVirtIfState, + ospfVirtIfEvents, + ospfVirtIfAuthType, + ospfVirtIfAuthKey, + ospfVirtIfStatus + } + STATUS current + DESCRIPTION + "These objects are required for OSPF systems." + ::= { ospfGroups 9 } + + + ospfNbrGroup OBJECT-GROUP + OBJECTS { + ospfNbrIpAddr, + ospfNbrAddressLessIndex, + ospfNbrRtrId, + ospfNbrOptions, + ospfNbrPriority, + ospfNbrState, + ospfNbrEvents, + ospfNbrLsRetransQLen, + ospfNbmaNbrStatus, + ospfNbmaNbrPermanence, + ospfNbrHelloSuppressed + } + STATUS current + DESCRIPTION + "These objects are required for OSPF systems." + ::= { ospfGroups 10 } + + + ospfVirtNbrGroup OBJECT-GROUP + OBJECTS { + ospfVirtNbrArea, + ospfVirtNbrRtrId, + ospfVirtNbrIpAddr, + ospfVirtNbrOptions, + ospfVirtNbrState, + ospfVirtNbrEvents, + ospfVirtNbrLsRetransQLen, + ospfVirtNbrHelloSuppressed + } + STATUS current + DESCRIPTION + "These objects are required for OSPF systems." + ::= { ospfGroups 11 } + + + ospfExtLsdbGroup OBJECT-GROUP + OBJECTS { + ospfExtLsdbType, + ospfExtLsdbLsid, + ospfExtLsdbRouterId, + ospfExtLsdbSequence, + ospfExtLsdbAge, + ospfExtLsdbChecksum, + ospfExtLsdbAdvertisement + } + STATUS current + DESCRIPTION + "These objects are required for OSPF systems + that display their link state database." + ::= { ospfGroups 12 } + + + ospfAreaAggregateGroup OBJECT-GROUP + OBJECTS { + ospfAreaAggregateAreaID, + ospfAreaAggregateLsdbType, + ospfAreaAggregateNet, + ospfAreaAggregateMask, + ospfAreaAggregateStatus, + ospfAreaAggregateEffect + } + STATUS current + DESCRIPTION + "These objects are required for OSPF systems." + ::= { ospfGroups 13 } + +END diff --git a/mibs/OSPF-TRAP-MIB.txt b/mibs/OSPF-TRAP-MIB.txt new file mode 100644 index 000000000..8a3ab990c --- /dev/null +++ b/mibs/OSPF-TRAP-MIB.txt 
@@ -0,0 +1,443 @@ +OSPF-TRAP-MIB DEFINITIONS ::= BEGIN + + IMPORTS + MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, IpAddress + FROM SNMPv2-SMI + MODULE-COMPLIANCE, OBJECT-GROUP + FROM SNMPv2-CONF + ospfRouterId, ospfIfIpAddress, ospfAddressLessIf, ospfIfState, + ospfVirtIfAreaId, ospfVirtIfNeighbor, ospfVirtIfState, + ospfNbrIpAddr, ospfNbrAddressLessIndex, ospfNbrRtrId, + ospfNbrState, ospfVirtNbrArea, ospfVirtNbrRtrId, ospfVirtNbrState, + ospfLsdbType, ospfLsdbLsid, ospfLsdbRouterId, ospfLsdbAreaId, + ospfExtLsdbLimit, ospf + FROM OSPF-MIB; + + ospfTrap MODULE-IDENTITY + LAST-UPDATED "9501201225Z" -- Fri Jan 20 12:25:50 PST 1995 + ORGANIZATION "IETF OSPF Working Group" + CONTACT-INFO + " Fred Baker + Postal: Cisco Systems + 519 Lado Drive + Santa Barbara, California 93111 + Tel: +1 805 681 0115 + E-Mail: fred@cisco.com + + Rob Coltun + Postal: RainbowBridge Communications + Tel: (301) 340-9416 + E-Mail: rcoltun@rainbow-bridge.com" + DESCRIPTION + "The MIB module to describe traps for the OSPF + Version 2 Protocol." + ::= { ospf 16 } + +-- Trap Support Objects + +-- The following are support objects for the OSPF traps. + +ospfTrapControl OBJECT IDENTIFIER ::= { ospfTrap 1 } +ospfTraps OBJECT IDENTIFIER ::= { ospfTrap 2 } + + ospfSetTrap OBJECT-TYPE + SYNTAX OCTET STRING (SIZE(4)) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "A four-octet string serving as a bit map for + the trap events defined by the OSPF traps. This + object is used to enable and disable specific + OSPF traps where a 1 in the bit field + represents enabled. The right-most bit (least + significant) represents trap 0." 
+ ::= { ospfTrapControl 1 } + + + ospfConfigErrorType OBJECT-TYPE + SYNTAX INTEGER { + badVersion (1), + areaMismatch (2), + unknownNbmaNbr (3), -- Router is Dr eligible + unknownVirtualNbr (4), + authTypeMismatch(5), + authFailure (6), + netMaskMismatch (7), + helloIntervalMismatch (8), + deadIntervalMismatch (9), + optionMismatch (10) } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Potential types of configuration conflicts. + Used by the ospfConfigError and ospfConfigVir- + tError traps." + ::= { ospfTrapControl 2 } + + + ospfPacketType OBJECT-TYPE + SYNTAX INTEGER { + hello (1), + dbDescript (2), + lsReq (3), + lsUpdate (4), + lsAck (5) } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "OSPF packet types." + ::= { ospfTrapControl 3 } + + + ospfPacketSrc OBJECT-TYPE + SYNTAX IpAddress + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The IP address of an inbound packet that can- + not be identified by a neighbor instance." + ::= { ospfTrapControl 4 } + + +-- Traps + + + ospfIfStateChange NOTIFICATION-TYPE + OBJECTS { + ospfRouterId, -- The originator of the trap + ospfIfIpAddress, + ospfAddressLessIf, + ospfIfState -- The new state + } + STATUS current + DESCRIPTION + "An ospfIfStateChange trap signifies that there + has been a change in the state of a non-virtual + OSPF interface. This trap should be generated + when the interface state regresses (e.g., goes + from Dr to Down) or progresses to a terminal + state (i.e., Point-to-Point, DR Other, Dr, or + Backup)." + ::= { ospfTraps 16 } + + + ospfVirtIfStateChange NOTIFICATION-TYPE + OBJECTS { + ospfRouterId, -- The originator of the trap + ospfVirtIfAreaId, + ospfVirtIfNeighbor, + ospfVirtIfState -- The new state + } + STATUS current + DESCRIPTION + "An ospfIfStateChange trap signifies that there + has been a change in the state of an OSPF vir- + tual interface. 
+ This trap should be generated when the inter- + face state regresses (e.g., goes from Point- + to-Point to Down) or progresses to a terminal + state (i.e., Point-to-Point)." + ::= { ospfTraps 1 } + + + ospfNbrStateChange NOTIFICATION-TYPE + OBJECTS { + ospfRouterId, -- The originator of the trap + ospfNbrIpAddr, + ospfNbrAddressLessIndex, + ospfNbrRtrId, + ospfNbrState -- The new state + } + STATUS current + DESCRIPTION + "An ospfNbrStateChange trap signifies that + there has been a change in the state of a non- + virtual OSPF neighbor. This trap should be + generated when the neighbor state regresses + (e.g., goes from Attempt or Full to 1-Way or + Down) or progresses to a terminal state (e.g., + 2-Way or Full). When an neighbor transitions + from or to Full on non-broadcast multi-access + and broadcast networks, the trap should be gen- + erated by the designated router. A designated + router transitioning to Down will be noted by + ospfIfStateChange." + ::= { ospfTraps 2 } + + + ospfVirtNbrStateChange NOTIFICATION-TYPE + OBJECTS { + ospfRouterId, -- The originator of the trap + ospfVirtNbrArea, + ospfVirtNbrRtrId, + ospfVirtNbrState -- The new state + } + STATUS current + DESCRIPTION + "An ospfIfStateChange trap signifies that there + has been a change in the state of an OSPF vir- + tual neighbor. This trap should be generated + when the neighbor state regresses (e.g., goes + from Attempt or Full to 1-Way or Down) or + progresses to a terminal state (e.g., Full)." + ::= { ospfTraps 3 } + ospfIfConfigError NOTIFICATION-TYPE + OBJECTS { + ospfRouterId, -- The originator of the trap + ospfIfIpAddress, + ospfAddressLessIf, + ospfPacketSrc, -- The source IP address + ospfConfigErrorType, -- Type of error + ospfPacketType + } + STATUS current + DESCRIPTION + "An ospfIfConfigError trap signifies that a + packet has been received on a non-virtual in- + terface from a router whose configuration + parameters conflict with this router's confi- + guration parameters. 
Note that the event op- + tionMismatch should cause a trap only if it + prevents an adjacency from forming." + ::= { ospfTraps 4 } + + + ospfVirtIfConfigError NOTIFICATION-TYPE + OBJECTS { + ospfRouterId, -- The originator of the trap + ospfVirtIfAreaId, + ospfVirtIfNeighbor, + ospfConfigErrorType, -- Type of error + ospfPacketType + } + STATUS current + DESCRIPTION + "An ospfConfigError trap signifies that a pack- + et has been received on a virtual interface + from a router whose configuration parameters + conflict with this router's configuration + parameters. Note that the event optionMismatch + should cause a trap only if it prevents an ad- + jacency from forming." + ::= { ospfTraps 5 } + + + ospfIfAuthFailure NOTIFICATION-TYPE + OBJECTS { + ospfRouterId, -- The originator of the trap + ospfIfIpAddress, + ospfAddressLessIf, + ospfPacketSrc, -- The source IP address + ospfConfigErrorType, -- authTypeMismatch or + -- authFailure + ospfPacketType + } + STATUS current + DESCRIPTION + "An ospfIfAuthFailure trap signifies that a + packet has been received on a non-virtual in- + terface from a router whose authentication key + or authentication type conflicts with this + router's authentication key or authentication + type." + ::= { ospfTraps 6 } + + + ospfVirtIfAuthFailure NOTIFICATION-TYPE + OBJECTS { + ospfRouterId, -- The originator of the trap + ospfVirtIfAreaId, + ospfVirtIfNeighbor, + ospfConfigErrorType, -- authTypeMismatch or + -- authFailure + ospfPacketType + } + STATUS current + DESCRIPTION + "An ospfVirtIfAuthFailure trap signifies that a + packet has been received on a virtual interface + from a router whose authentication key or au- + thentication type conflicts with this router's + authentication key or authentication type." 
+ ::= { ospfTraps 7 } + + + ospfIfRxBadPacket NOTIFICATION-TYPE + OBJECTS { + ospfRouterId, -- The originator of the trap + ospfIfIpAddress, + ospfAddressLessIf, + ospfPacketSrc, -- The source IP address + ospfPacketType + } + STATUS current + DESCRIPTION + "An ospfIfRxBadPacket trap signifies that an + OSPF packet has been received on a non-virtual + interface that cannot be parsed." + ::= { ospfTraps 8 } + + ospfVirtIfRxBadPacket NOTIFICATION-TYPE + OBJECTS { + ospfRouterId, -- The originator of the trap + ospfVirtIfAreaId, + ospfVirtIfNeighbor, + ospfPacketType + } + STATUS current + DESCRIPTION + "An ospfRxBadPacket trap signifies that an OSPF + packet has been received on a virtual interface + that cannot be parsed." + ::= { ospfTraps 9 } + + + ospfTxRetransmit NOTIFICATION-TYPE + OBJECTS { + ospfRouterId, -- The originator of the trap + ospfIfIpAddress, + ospfAddressLessIf, + ospfNbrRtrId, -- Destination + ospfPacketType, + ospfLsdbType, + ospfLsdbLsid, + ospfLsdbRouterId + } + STATUS current + DESCRIPTION + "An ospfTxRetransmit trap signifies than an + OSPF packet has been retransmitted on a non- + virtual interface. All packets that may be re- + transmitted are associated with an LSDB entry. + The LS type, LS ID, and Router ID are used to + identify the LSDB entry." + ::= { ospfTraps 10 } + + + ospfVirtIfTxRetransmit NOTIFICATION-TYPE + OBJECTS { + ospfRouterId, -- The originator of the trap + ospfVirtIfAreaId, + ospfVirtIfNeighbor, + ospfPacketType, + ospfLsdbType, + ospfLsdbLsid, + ospfLsdbRouterId + } + STATUS current + DESCRIPTION + "An ospfTxRetransmit trap signifies than an + OSPF packet has been retransmitted on a virtual + interface. All packets that may be retransmit- + ted are associated with an LSDB entry. The LS + type, LS ID, and Router ID are used to identify + the LSDB entry." 
+ ::= { ospfTraps 11 } + + + ospfOriginateLsa NOTIFICATION-TYPE + OBJECTS { + ospfRouterId, -- The originator of the trap + ospfLsdbAreaId, -- 0.0.0.0 for AS Externals + ospfLsdbType, + ospfLsdbLsid, + ospfLsdbRouterId + } + STATUS current + DESCRIPTION + "An ospfOriginateLsa trap signifies that a new + LSA has been originated by this router. This + trap should not be invoked for simple refreshes + of LSAs (which happesn every 30 minutes), but + instead will only be invoked when an LSA is + (re)originated due to a topology change. Addi- + tionally, this trap does not include LSAs that + are being flushed because they have reached + MaxAge." + ::= { ospfTraps 12 } + + + ospfMaxAgeLsa NOTIFICATION-TYPE + OBJECTS { + ospfRouterId, -- The originator of the trap + ospfLsdbAreaId, -- 0.0.0.0 for AS Externals + ospfLsdbType, + ospfLsdbLsid, + ospfLsdbRouterId + } + STATUS current + DESCRIPTION + "An ospfMaxAgeLsa trap signifies that one of + the LSA in the router's link-state database has + aged to MaxAge." + ::= { ospfTraps 13 } + + + ospfLsdbOverflow NOTIFICATION-TYPE + OBJECTS { + ospfRouterId, -- The originator of the trap + ospfExtLsdbLimit + } + STATUS current + DESCRIPTION + "An ospfLsdbOverflow trap signifies that the + number of LSAs in the router's link-state data- + base has exceeded ospfExtLsdbLimit." + ::= { ospfTraps 14 } + + + ospfLsdbApproachingOverflow NOTIFICATION-TYPE + OBJECTS { + ospfRouterId, -- The originator of the trap + ospfExtLsdbLimit + } + STATUS current + DESCRIPTION + "An ospfLsdbApproachingOverflow trap signifies + that the number of LSAs in the router's link- + state database has exceeded ninety percent of + ospfExtLsdbLimit." 
+ ::= { ospfTraps 15 } + + +-- conformance information + +ospfTrapConformance OBJECT IDENTIFIER ::= { ospfTrap 3 } + +ospfTrapGroups OBJECT IDENTIFIER ::= { ospfTrapConformance 1 } +ospfTrapCompliances OBJECT IDENTIFIER ::= { ospfTrapConformance 2 } + +-- compliance statements + + ospfTrapCompliance MODULE-COMPLIANCE + STATUS current + DESCRIPTION + "The compliance statement " + MODULE -- this module + MANDATORY-GROUPS { ospfTrapControlGroup } + + + GROUP ospfTrapControlGroup + DESCRIPTION + "This group is optional but recommended for all + OSPF systems" + ::= { ospfTrapCompliances 1 } + + +-- units of conformance + + ospfTrapControlGroup OBJECT-GROUP + OBJECTS { + ospfSetTrap, + ospfConfigErrorType, + ospfPacketType, + ospfPacketSrc + } + STATUS current + DESCRIPTION + "These objects are required to control traps + from OSPF systems." + ::= { ospfTrapGroups 1 } + + +END diff --git a/mibs/RFC1155-SMI.txt b/mibs/RFC1155-SMI.txt new file mode 100644 index 000000000..3abc7ffb7 --- /dev/null +++ b/mibs/RFC1155-SMI.txt 
@@ -0,0 +1,119 @@ +RFC1155-SMI DEFINITIONS ::= BEGIN + +EXPORTS -- EVERYTHING + internet, directory, mgmt, + experimental, private, enterprises, + OBJECT-TYPE, ObjectName, ObjectSyntax, SimpleSyntax, + ApplicationSyntax, NetworkAddress, IpAddress, + Counter, Gauge, TimeTicks, Opaque; + + -- the path to the root + + internet OBJECT IDENTIFIER ::= { iso org(3) dod(6) 1 } + + directory OBJECT IDENTIFIER ::= { internet 1 } + + mgmt OBJECT IDENTIFIER ::= { internet 2 } + + experimental OBJECT IDENTIFIER ::= { internet 3 } + + private OBJECT IDENTIFIER ::= { internet 4 } + enterprises OBJECT IDENTIFIER ::= { private 1 } + + -- definition of object types + + OBJECT-TYPE MACRO ::= + BEGIN + TYPE NOTATION ::= "SYNTAX" type (TYPE ObjectSyntax) + "ACCESS" Access + "STATUS" Status + VALUE NOTATION ::= value (VALUE ObjectName) + + Access ::= "read-only" + | "read-write" + | "write-only" + | "not-accessible" + Status ::= "mandatory" + | "optional" + | "obsolete" + END + + -- names of objects in the MIB + + ObjectName ::= + OBJECT IDENTIFIER + + -- syntax of objects in the MIB + + ObjectSyntax ::= + CHOICE { + simple + SimpleSyntax, + -- note that simple SEQUENCEs are not directly + -- mentioned here to keep things simple (i.e., + -- prevent mis-use). 
However, application-wide + -- types which are IMPLICITly encoded simple + -- SEQUENCEs may appear in the following CHOICE + + application-wide + ApplicationSyntax + } + + SimpleSyntax ::= + CHOICE { + number + INTEGER, + string + OCTET STRING, + object + OBJECT IDENTIFIER, + empty + NULL + } + + ApplicationSyntax ::= + CHOICE { + address + NetworkAddress, + counter + Counter, + gauge + Gauge, + ticks + TimeTicks, + arbitrary + Opaque + + -- other application-wide types, as they are + -- defined, will be added here + } + + -- application-wide types + + NetworkAddress ::= + CHOICE { + internet + IpAddress + } + + IpAddress ::= + [APPLICATION 0] -- in network-byte order + IMPLICIT OCTET STRING (SIZE (4)) + + Counter ::= + [APPLICATION 1] + IMPLICIT INTEGER (0..4294967295) + + Gauge ::= + [APPLICATION 2] + IMPLICIT INTEGER (0..4294967295) + + TimeTicks ::= + [APPLICATION 3] + IMPLICIT INTEGER (0..4294967295) + + Opaque ::= + [APPLICATION 4] -- arbitrary ASN.1 value, + IMPLICIT OCTET STRING -- "double-wrapped" + + END diff --git a/mibs/RFC1213-MIB.txt b/mibs/RFC1213-MIB.txt new file mode 100644 index 000000000..408ccd796 --- /dev/null +++ b/mibs/RFC1213-MIB.txt 
@@ -0,0 +1,2613 @@ +RFC1213-MIB DEFINITIONS ::= BEGIN + +IMPORTS + mgmt, NetworkAddress, IpAddress, Counter, Gauge, + TimeTicks + FROM RFC1155-SMI + OBJECT-TYPE + FROM RFC-1212; + +-- This MIB module uses the extended OBJECT-TYPE macro as +-- defined in [14]; + +-- MIB-II (same prefix as MIB-I) + +mib-2 OBJECT IDENTIFIER ::= { mgmt 1 } + +-- textual conventions + +DisplayString ::= + OCTET STRING +-- This data type is used to model textual information taken +-- from the NVT ASCII character set. By convention, objects +-- with this syntax are declared as having + +-- +-- SIZE (0..255) + +PhysAddress ::= + OCTET STRING +-- This data type is used to model media addresses. For many +-- types of media, this will be in a binary representation. +-- For example, an ethernet address would be represented as +-- a string of 6 octets. + +-- groups in MIB-II + +system OBJECT IDENTIFIER ::= { mib-2 1 } + +interfaces OBJECT IDENTIFIER ::= { mib-2 2 } + +at OBJECT IDENTIFIER ::= { mib-2 3 } + +ip OBJECT IDENTIFIER ::= { mib-2 4 } + +icmp OBJECT IDENTIFIER ::= { mib-2 5 } + +tcp OBJECT IDENTIFIER ::= { mib-2 6 } + +udp OBJECT IDENTIFIER ::= { mib-2 7 } + +egp OBJECT IDENTIFIER ::= { mib-2 8 } + +-- historical (some say hysterical) +-- cmot OBJECT IDENTIFIER ::= { mib-2 9 } + +transmission OBJECT IDENTIFIER ::= { mib-2 10 } + +snmp OBJECT IDENTIFIER ::= { mib-2 11 } + +-- the System group + +-- Implementation of the System group is mandatory for all +-- systems. If an agent is not configured to have a value +-- for any of these variables, a string of length 0 is +-- returned. + +sysDescr OBJECT-TYPE + SYNTAX DisplayString (SIZE (0..255)) + ACCESS read-only + STATUS mandatory + DESCRIPTION + "A textual description of the entity. This value + should include the full name and version + identification of the system's hardware type, + software operating-system, and networking + software. It is mandatory that this only contain + printable ASCII characters." 
+ ::= { system 1 } + +sysObjectID OBJECT-TYPE + SYNTAX OBJECT IDENTIFIER + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The vendor's authoritative identification of the + network management subsystem contained in the + entity. This value is allocated within the SMI + enterprises subtree (1.3.6.1.4.1) and provides an + easy and unambiguous means for determining `what + kind of box' is being managed. For example, if + vendor `Flintstones, Inc.' was assigned the + subtree 1.3.6.1.4.1.4242, it could assign the + identifier 1.3.6.1.4.1.4242.1.1 to its `Fred + Router'." + ::= { system 2 } + +sysUpTime OBJECT-TYPE + SYNTAX TimeTicks + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The time (in hundredths of a second) since the + network management portion of the system was last + re-initialized." + ::= { system 3 } + +sysContact OBJECT-TYPE + SYNTAX DisplayString (SIZE (0..255)) + ACCESS read-write + STATUS mandatory + DESCRIPTION + "The textual identification of the contact person + for this managed node, together with information + on how to contact this person." + ::= { system 4 } + +sysName OBJECT-TYPE + SYNTAX DisplayString (SIZE (0..255)) + ACCESS read-write + STATUS mandatory + DESCRIPTION + "An administratively-assigned name for this + managed node. By convention, this is the node's + fully-qualified domain name." + ::= { system 5 } + +sysLocation OBJECT-TYPE + SYNTAX DisplayString (SIZE (0..255)) + ACCESS read-write + STATUS mandatory + DESCRIPTION + "The physical location of this node (e.g., + `telephone closet, 3rd floor')." + ::= { system 6 } + +sysServices OBJECT-TYPE + SYNTAX INTEGER (0..127) + ACCESS read-only + STATUS mandatory + DESCRIPTION + "A value which indicates the set of services that + this entity primarily offers. + + The value is a sum. This sum initially takes the + value zero, Then, for each layer, L, in the range + 1 through 7, that this node performs transactions + for, 2 raised to (L - 1) is added to the sum. 
For + example, a node which performs primarily routing + functions would have a value of 4 (2^(3-1)). In + contrast, a node which is a host offering + application services would have a value of 72 + (2^(4-1) + 2^(7-1)). Note that in the context of + the Internet suite of protocols, values should be + calculated accordingly: + + layer functionality + 1 physical (e.g., repeaters) + 2 datalink/subnetwork (e.g., bridges) + 3 internet (e.g., IP gateways) + 4 end-to-end (e.g., IP hosts) + 7 applications (e.g., mail relays) + + For systems including OSI protocols, layers 5 and + 6 may also be counted." + ::= { system 7 } + +-- the Interfaces group + +-- Implementation of the Interfaces group is mandatory for +-- all systems. + +ifNumber OBJECT-TYPE + SYNTAX INTEGER + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The number of network interfaces (regardless of + their current state) present on this system." + ::= { interfaces 1 } + +-- the Interfaces table + +-- The Interfaces table contains information on the entity's +-- interfaces. Each interface is thought of as being +-- attached to a `subnetwork'. Note that this term should +-- not be confused with `subnet' which refers to an +-- addressing partitioning scheme used in the Internet suite +-- of protocols. + +ifTable OBJECT-TYPE + SYNTAX SEQUENCE OF IfEntry + ACCESS not-accessible + STATUS mandatory + DESCRIPTION + "A list of interface entries. The number of + entries is given by the value of ifNumber." + ::= { interfaces 2 } + +ifEntry OBJECT-TYPE + SYNTAX IfEntry + ACCESS not-accessible + STATUS mandatory + DESCRIPTION + "An interface entry containing objects at the + subnetwork layer and below for a particular + interface." 
+ INDEX { ifIndex } + ::= { ifTable 1 } + +IfEntry ::= + SEQUENCE { + ifIndex + INTEGER, + ifDescr + DisplayString, + ifType + INTEGER, + ifMtu + INTEGER, + ifSpeed + Gauge, + ifPhysAddress + PhysAddress, + ifAdminStatus + INTEGER, + ifOperStatus + INTEGER, + ifLastChange + TimeTicks, + ifInOctets + Counter, + ifInUcastPkts + Counter, + ifInNUcastPkts + Counter, + ifInDiscards + Counter, + ifInErrors + Counter, + ifInUnknownProtos + Counter, + ifOutOctets + Counter, + ifOutUcastPkts + Counter, + ifOutNUcastPkts + Counter, + ifOutDiscards + Counter, + ifOutErrors + Counter, + ifOutQLen + Gauge, + ifSpecific + OBJECT IDENTIFIER + } + +ifIndex OBJECT-TYPE + SYNTAX INTEGER + ACCESS read-only + STATUS mandatory + DESCRIPTION + "A unique value for each interface. Its value + ranges between 1 and the value of ifNumber. The + value for each interface must remain constant at + least from one re-initialization of the entity's + network management system to the next re- + initialization." + ::= { ifEntry 1 } + +ifDescr OBJECT-TYPE + SYNTAX DisplayString (SIZE (0..255)) + ACCESS read-only + STATUS mandatory + DESCRIPTION + "A textual string containing information about the + interface. This string should include the name of + the manufacturer, the product name and the version + of the hardware interface." + ::= { ifEntry 2 } + +ifType OBJECT-TYPE + SYNTAX INTEGER { + other(1), -- none of the following + regular1822(2), + hdh1822(3), + ddn-x25(4), + rfc877-x25(5), + ethernet-csmacd(6), + iso88023-csmacd(7), + iso88024-tokenBus(8), + iso88025-tokenRing(9), + iso88026-man(10), + starLan(11), + proteon-10Mbit(12), + proteon-80Mbit(13), + hyperchannel(14), + fddi(15), + lapb(16), + sdlc(17), + ds1(18), -- T-1 + e1(19), -- european equiv. 
of T-1 + basicISDN(20), + primaryISDN(21), -- proprietary serial + propPointToPointSerial(22), + ppp(23), + softwareLoopback(24), + eon(25), -- CLNP over IP [11] + ethernet-3Mbit(26), + nsip(27), -- XNS over IP + slip(28), -- generic SLIP + ultra(29), -- ULTRA technologies + ds3(30), -- T-3 + sip(31), -- SMDS + frame-relay(32) + } + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The type of interface, distinguished according to + the physical/link protocol(s) immediately `below' + the network layer in the protocol stack." + ::= { ifEntry 3 } + +ifMtu OBJECT-TYPE + SYNTAX INTEGER + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The size of the largest datagram which can be + sent/received on the interface, specified in + octets. For interfaces that are used for + transmitting network datagrams, this is the size + of the largest network datagram that can be sent + on the interface." + ::= { ifEntry 4 } + +ifSpeed OBJECT-TYPE + SYNTAX Gauge + ACCESS read-only + STATUS mandatory + DESCRIPTION + "An estimate of the interface's current bandwidth + in bits per second. For interfaces which do not + vary in bandwidth or for those where no accurate + estimation can be made, this object should contain + the nominal bandwidth." + ::= { ifEntry 5 } + +ifPhysAddress OBJECT-TYPE + SYNTAX PhysAddress + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The interface's address at the protocol layer + immediately `below' the network layer in the + protocol stack. For interfaces which do not have + + such an address (e.g., a serial line), this object + should contain an octet string of zero length." + ::= { ifEntry 6 } + +ifAdminStatus OBJECT-TYPE + SYNTAX INTEGER { + up(1), -- ready to pass packets + down(2), + testing(3) -- in some test mode + } + ACCESS read-write + STATUS mandatory + DESCRIPTION + "The desired state of the interface. The + testing(3) state indicates that no operational + packets can be passed." 
+ ::= { ifEntry 7 } + +ifOperStatus OBJECT-TYPE + SYNTAX INTEGER { + up(1), -- ready to pass packets + down(2), + testing(3) -- in some test mode + } + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The current operational state of the interface. + The testing(3) state indicates that no operational + packets can be passed." + ::= { ifEntry 8 } + +ifLastChange OBJECT-TYPE + SYNTAX TimeTicks + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The value of sysUpTime at the time the interface + entered its current operational state. If the + current state was entered prior to the last re- + initialization of the local network management + subsystem, then this object contains a zero + value." + ::= { ifEntry 9 } + +ifInOctets OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The total number of octets received on the + interface, including framing characters." + ::= { ifEntry 10 } + +ifInUcastPkts OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The number of subnetwork-unicast packets + delivered to a higher-layer protocol." + ::= { ifEntry 11 } + +ifInNUcastPkts OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The number of non-unicast (i.e., subnetwork- + broadcast or subnetwork-multicast) packets + delivered to a higher-layer protocol." + ::= { ifEntry 12 } + +ifInDiscards OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The number of inbound packets which were chosen + to be discarded even though no errors had been + detected to prevent their being deliverable to a + higher-layer protocol. One possible reason for + discarding such a packet could be to free up + buffer space." + ::= { ifEntry 13 } + +ifInErrors OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The number of inbound packets that contained + errors preventing them from being deliverable to a + higher-layer protocol." 
+ ::= { ifEntry 14 } + +ifInUnknownProtos OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The number of packets received via the interface + which were discarded because of an unknown or + unsupported protocol." + ::= { ifEntry 15 } + +ifOutOctets OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The total number of octets transmitted out of the + interface, including framing characters." + ::= { ifEntry 16 } + +ifOutUcastPkts OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The total number of packets that higher-level + protocols requested be transmitted to a + subnetwork-unicast address, including those that + were discarded or not sent." + ::= { ifEntry 17 } + +ifOutNUcastPkts OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The total number of packets that higher-level + protocols requested be transmitted to a non- + unicast (i.e., a subnetwork-broadcast or + subnetwork-multicast) address, including those + that were discarded or not sent." + ::= { ifEntry 18 } + +ifOutDiscards OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The number of outbound packets which were chosen + + to be discarded even though no errors had been + detected to prevent their being transmitted. One + possible reason for discarding such a packet could + be to free up buffer space." + ::= { ifEntry 19 } + +ifOutErrors OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The number of outbound packets that could not be + transmitted because of errors." + ::= { ifEntry 20 } + +ifOutQLen OBJECT-TYPE + SYNTAX Gauge + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The length of the output packet queue (in + packets)." 
+ ::= { ifEntry 21 } + +ifSpecific OBJECT-TYPE + SYNTAX OBJECT IDENTIFIER + ACCESS read-only + STATUS mandatory + DESCRIPTION + "A reference to MIB definitions specific to the + particular media being used to realize the + interface. For example, if the interface is + realized by an ethernet, then the value of this + object refers to a document defining objects + specific to ethernet. If this information is not + present, its value should be set to the OBJECT + IDENTIFIER { 0 0 }, which is a syntatically valid + object identifier, and any conformant + implementation of ASN.1 and BER must be able to + generate and recognize this value." + ::= { ifEntry 22 } + +-- the Address Translation group + +-- Implementation of the Address Translation group is +-- mandatory for all systems. Note however that this group +-- is deprecated by MIB-II. That is, it is being included + +-- solely for compatibility with MIB-I nodes, and will most +-- likely be excluded from MIB-III nodes. From MIB-II and +-- onwards, each network protocol group contains its own +-- address translation tables. + +-- The Address Translation group contains one table which is +-- the union across all interfaces of the translation tables +-- for converting a NetworkAddress (e.g., an IP address) into +-- a subnetwork-specific address. For lack of a better term, +-- this document refers to such a subnetwork-specific address +-- as a `physical' address. + +-- Examples of such translation tables are: for broadcast +-- media where ARP is in use, the translation table is +-- equivalent to the ARP cache; or, on an X.25 network where +-- non-algorithmic translation to X.121 addresses is +-- required, the translation table contains the +-- NetworkAddress to X.121 address equivalences. + +atTable OBJECT-TYPE + SYNTAX SEQUENCE OF AtEntry + ACCESS not-accessible + STATUS deprecated + DESCRIPTION + "The Address Translation tables contain the + NetworkAddress to `physical' address equivalences. 
+ Some interfaces do not use translation tables for + determining address equivalences (e.g., DDN-X.25 + has an algorithmic method); if all interfaces are + of this type, then the Address Translation table + is empty, i.e., has zero entries." + ::= { at 1 } + +atEntry OBJECT-TYPE + SYNTAX AtEntry + ACCESS not-accessible + STATUS deprecated + DESCRIPTION + "Each entry contains one NetworkAddress to + `physical' address equivalence." + INDEX { atIfIndex, + atNetAddress } + ::= { atTable 1 } + +AtEntry ::= + SEQUENCE { + atIfIndex + INTEGER, + atPhysAddress + PhysAddress, + atNetAddress + NetworkAddress + } + +atIfIndex OBJECT-TYPE + SYNTAX INTEGER + ACCESS read-write + STATUS deprecated + DESCRIPTION + "The interface on which this entry's equivalence + is effective. The interface identified by a + particular value of this index is the same + interface as identified by the same value of + ifIndex." + ::= { atEntry 1 } + +atPhysAddress OBJECT-TYPE + SYNTAX PhysAddress + ACCESS read-write + STATUS deprecated + DESCRIPTION + "The media-dependent `physical' address. + + Setting this object to a null string (one of zero + length) has the effect of invaliding the + corresponding entry in the atTable object. That + is, it effectively dissasociates the interface + identified with said entry from the mapping + identified with said entry. It is an + implementation-specific matter as to whether the + agent removes an invalidated entry from the table. + Accordingly, management stations must be prepared + to receive tabular information from agents that + corresponds to entries not currently in use. + Proper interpretation of such entries requires + examination of the relevant atPhysAddress object." + ::= { atEntry 2 } + +atNetAddress OBJECT-TYPE + SYNTAX NetworkAddress + ACCESS read-write + STATUS deprecated + DESCRIPTION + "The NetworkAddress (e.g., the IP address) + corresponding to the media-dependent `physical' + address." 
+ ::= { atEntry 3 } + +-- the IP group + +-- Implementation of the IP group is mandatory for all +-- systems. + +ipForwarding OBJECT-TYPE + SYNTAX INTEGER { + forwarding(1), -- acting as a gateway + not-forwarding(2) -- NOT acting as a gateway + } + ACCESS read-write + STATUS mandatory + DESCRIPTION + "The indication of whether this entity is acting + as an IP gateway in respect to the forwarding of + datagrams received by, but not addressed to, this + entity. IP gateways forward datagrams. IP hosts + do not (except those source-routed via the host). + + Note that for some managed nodes, this object may + take on only a subset of the values possible. + Accordingly, it is appropriate for an agent to + return a `badValue' response if a management + station attempts to change this object to an + inappropriate value." + ::= { ip 1 } + +ipDefaultTTL OBJECT-TYPE + SYNTAX INTEGER + ACCESS read-write + STATUS mandatory + DESCRIPTION + "The default value inserted into the Time-To-Live + field of the IP header of datagrams originated at + this entity, whenever a TTL value is not supplied + by the transport layer protocol." + ::= { ip 2 } + +ipInReceives OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The total number of input datagrams received from + interfaces, including those received in error." + ::= { ip 3 } + +ipInHdrErrors OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The number of input datagrams discarded due to + errors in their IP headers, including bad + checksums, version number mismatch, other format + errors, time-to-live exceeded, errors discovered + in processing their IP options, etc." + ::= { ip 4 } + +ipInAddrErrors OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The number of input datagrams discarded because + the IP address in their IP header's destination + field was not a valid address to be received at + this entity. 
This count includes invalid + addresses (e.g., 0.0.0.0) and addresses of + unsupported Classes (e.g., Class E). For entities + which are not IP Gateways and therefore do not + forward datagrams, this counter includes datagrams + discarded because the destination address was not + a local address." + ::= { ip 5 } + +ipForwDatagrams OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The number of input datagrams for which this + entity was not their final IP destination, as a + result of which an attempt was made to find a + route to forward them to that final destination. + In entities which do not act as IP Gateways, this + counter will include only those packets which were + Source-Routed via this entity, and the Source- + Route option processing was successful." + ::= { ip 6 } + +ipInUnknownProtos OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The number of locally-addressed datagrams + received successfully but discarded because of an + unknown or unsupported protocol." + ::= { ip 7 } + +ipInDiscards OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The number of input IP datagrams for which no + problems were encountered to prevent their + continued processing, but which were discarded + (e.g., for lack of buffer space). Note that this + counter does not include any datagrams discarded + while awaiting re-assembly." + ::= { ip 8 } + +ipInDelivers OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The total number of input datagrams successfully + delivered to IP user-protocols (including ICMP)." + ::= { ip 9 } + +ipOutRequests OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The total number of IP datagrams which local IP + user-protocols (including ICMP) supplied to IP in + requests for transmission. Note that this counter + does not include any datagrams counted in + ipForwDatagrams." 
+ ::= { ip 10 } + +ipOutDiscards OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The number of output IP datagrams for which no + + problem was encountered to prevent their + transmission to their destination, but which were + discarded (e.g., for lack of buffer space). Note + that this counter would include datagrams counted + in ipForwDatagrams if any such packets met this + (discretionary) discard criterion." + ::= { ip 11 } + +ipOutNoRoutes OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The number of IP datagrams discarded because no + route could be found to transmit them to their + destination. Note that this counter includes any + packets counted in ipForwDatagrams which meet this + `no-route' criterion. Note that this includes any + datagarms which a host cannot route because all of + its default gateways are down." + ::= { ip 12 } + +ipReasmTimeout OBJECT-TYPE + SYNTAX INTEGER + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The maximum number of seconds which received + fragments are held while they are awaiting + reassembly at this entity." + ::= { ip 13 } + +ipReasmReqds OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The number of IP fragments received which needed + to be reassembled at this entity." + ::= { ip 14 } + +ipReasmOKs OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The number of IP datagrams successfully re- + assembled." + ::= { ip 15 } + +ipReasmFails OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The number of failures detected by the IP re- + assembly algorithm (for whatever reason: timed + out, errors, etc). Note that this is not + necessarily a count of discarded IP fragments + since some algorithms (notably the algorithm in + RFC 815) can lose track of the number of fragments + by combining them as they are received." 
+ ::= { ip 16 } + +ipFragOKs OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The number of IP datagrams that have been + successfully fragmented at this entity." + ::= { ip 17 } + +ipFragFails OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The number of IP datagrams that have been + discarded because they needed to be fragmented at + this entity but could not be, e.g., because their + Don't Fragment flag was set." + ::= { ip 18 } + +ipFragCreates OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The number of IP datagram fragments that have + been generated as a result of fragmentation at + this entity." + ::= { ip 19 } + +-- the IP address table + +-- The IP address table contains this entity's IP addressing +-- information. + +ipAddrTable OBJECT-TYPE + SYNTAX SEQUENCE OF IpAddrEntry + ACCESS not-accessible + STATUS mandatory + DESCRIPTION + "The table of addressing information relevant to + this entity's IP addresses." + ::= { ip 20 } + +ipAddrEntry OBJECT-TYPE + SYNTAX IpAddrEntry + ACCESS not-accessible + STATUS mandatory + DESCRIPTION + "The addressing information for one of this + entity's IP addresses." + INDEX { ipAdEntAddr } + ::= { ipAddrTable 1 } + +IpAddrEntry ::= + SEQUENCE { + ipAdEntAddr + IpAddress, + ipAdEntIfIndex + INTEGER, + ipAdEntNetMask + IpAddress, + ipAdEntBcastAddr + INTEGER, + ipAdEntReasmMaxSize + INTEGER (0..65535) + } + +ipAdEntAddr OBJECT-TYPE + SYNTAX IpAddress + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The IP address to which this entry's addressing + information pertains." + ::= { ipAddrEntry 1 } + +ipAdEntIfIndex OBJECT-TYPE + SYNTAX INTEGER + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The index value which uniquely identifies the + interface to which this entry is applicable. 
The + interface identified by a particular value of this + index is the same interface as identified by the + same value of ifIndex." + ::= { ipAddrEntry 2 } + +ipAdEntNetMask OBJECT-TYPE + SYNTAX IpAddress + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The subnet mask associated with the IP address of + this entry. The value of the mask is an IP + address with all the network bits set to 1 and all + the hosts bits set to 0." + ::= { ipAddrEntry 3 } + +ipAdEntBcastAddr OBJECT-TYPE + SYNTAX INTEGER + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The value of the least-significant bit in the IP + broadcast address used for sending datagrams on + the (logical) interface associated with the IP + address of this entry. For example, when the + Internet standard all-ones broadcast address is + used, the value will be 1. This value applies to + both the subnet and network broadcasts addresses + used by the entity on this (logical) interface." + ::= { ipAddrEntry 4 } + +ipAdEntReasmMaxSize OBJECT-TYPE + SYNTAX INTEGER (0..65535) + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The size of the largest IP datagram which this + entity can re-assemble from incoming IP fragmented + datagrams received on this interface." + ::= { ipAddrEntry 5 } + +-- the IP routing table + +-- The IP routing table contains an entry for each route +-- presently known to this entity. + +ipRouteTable OBJECT-TYPE + SYNTAX SEQUENCE OF IpRouteEntry + ACCESS not-accessible + STATUS mandatory + DESCRIPTION + "This entity's IP Routing table." + ::= { ip 21 } + +ipRouteEntry OBJECT-TYPE + SYNTAX IpRouteEntry + ACCESS not-accessible + STATUS mandatory + DESCRIPTION + "A route to a particular destination." 
+ INDEX { ipRouteDest } + ::= { ipRouteTable 1 } + +IpRouteEntry ::= + SEQUENCE { + ipRouteDest + IpAddress, + ipRouteIfIndex + INTEGER, + ipRouteMetric1 + INTEGER, + ipRouteMetric2 + INTEGER, + ipRouteMetric3 + INTEGER, + ipRouteMetric4 + INTEGER, + ipRouteNextHop + IpAddress, + ipRouteType + INTEGER, + ipRouteProto + INTEGER, + ipRouteAge + INTEGER, + ipRouteMask + IpAddress, + ipRouteMetric5 + INTEGER, + ipRouteInfo + OBJECT IDENTIFIER + } + +ipRouteDest OBJECT-TYPE + SYNTAX IpAddress + ACCESS read-write + STATUS mandatory + DESCRIPTION + "The destination IP address of this route. An + entry with a value of 0.0.0.0 is considered a + default route. Multiple routes to a single + destination can appear in the table, but access to + such multiple entries is dependent on the table- + access mechanisms defined by the network + management protocol in use." + ::= { ipRouteEntry 1 } + +ipRouteIfIndex OBJECT-TYPE + SYNTAX INTEGER + ACCESS read-write + STATUS mandatory + DESCRIPTION + "The index value which uniquely identifies the + local interface through which the next hop of this + route should be reached. The interface identified + by a particular value of this index is the same + interface as identified by the same value of + ifIndex." + ::= { ipRouteEntry 2 } + +ipRouteMetric1 OBJECT-TYPE + SYNTAX INTEGER + ACCESS read-write + STATUS mandatory + DESCRIPTION + "The primary routing metric for this route. The + semantics of this metric are determined by the + routing-protocol specified in the route's + ipRouteProto value. If this metric is not used, + its value should be set to -1." + ::= { ipRouteEntry 3 } + +ipRouteMetric2 OBJECT-TYPE + SYNTAX INTEGER + ACCESS read-write + STATUS mandatory + DESCRIPTION + "An alternate routing metric for this route. The + semantics of this metric are determined by the + routing-protocol specified in the route's + ipRouteProto value. If this metric is not used, + its value should be set to -1." 
+ ::= { ipRouteEntry 4 } + +ipRouteMetric3 OBJECT-TYPE + SYNTAX INTEGER + ACCESS read-write + STATUS mandatory + DESCRIPTION + "An alternate routing metric for this route. The + semantics of this metric are determined by the + routing-protocol specified in the route's + ipRouteProto value. If this metric is not used, + its value should be set to -1." + ::= { ipRouteEntry 5 } + +ipRouteMetric4 OBJECT-TYPE + SYNTAX INTEGER + ACCESS read-write + STATUS mandatory + DESCRIPTION + "An alternate routing metric for this route. The + semantics of this metric are determined by the + routing-protocol specified in the route's + ipRouteProto value. If this metric is not used, + its value should be set to -1." + ::= { ipRouteEntry 6 } + +ipRouteNextHop OBJECT-TYPE + SYNTAX IpAddress + ACCESS read-write + STATUS mandatory + DESCRIPTION + "The IP address of the next hop of this route. + (In the case of a route bound to an interface + which is realized via a broadcast media, the value + of this field is the agent's IP address on that + interface.)" + ::= { ipRouteEntry 7 } + +ipRouteType OBJECT-TYPE + SYNTAX INTEGER { + other(1), -- none of the following + + invalid(2), -- an invalidated route + + -- route to directly + direct(3), -- connected (sub-)network + + -- route to a non-local + indirect(4) -- host/network/sub-network + } + ACCESS read-write + STATUS mandatory + DESCRIPTION + "The type of route. Note that the values + direct(3) and indirect(4) refer to the notion of + direct and indirect routing in the IP + architecture. + + Setting this object to the value invalid(2) has + the effect of invalidating the corresponding entry + in the ipRouteTable object. That is, it + effectively dissasociates the destination + identified with said entry from the route + identified with said entry. It is an + implementation-specific matter as to whether the + agent removes an invalidated entry from the table. 
+ Accordingly, management stations must be prepared + to receive tabular information from agents that + corresponds to entries not currently in use. + Proper interpretation of such entries requires + examination of the relevant ipRouteType object." + ::= { ipRouteEntry 8 } + +ipRouteProto OBJECT-TYPE + SYNTAX INTEGER { + other(1), -- none of the following + + -- non-protocol information, + -- e.g., manually configured + local(2), -- entries + + -- set via a network + netmgmt(3), -- management protocol + + -- obtained via ICMP, + icmp(4), -- e.g., Redirect + + -- the remaining values are + -- all gateway routing + -- protocols + egp(5), + ggp(6), + hello(7), + rip(8), + is-is(9), + es-is(10), + ciscoIgrp(11), + bbnSpfIgp(12), + ospf(13), + bgp(14) + } + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The routing mechanism via which this route was + learned. Inclusion of values for gateway routing + protocols is not intended to imply that hosts + should support those protocols." + ::= { ipRouteEntry 9 } + +ipRouteAge OBJECT-TYPE + SYNTAX INTEGER + ACCESS read-write + STATUS mandatory + DESCRIPTION + "The number of seconds since this route was last + updated or otherwise determined to be correct. + Note that no semantics of `too old' can be implied + except through knowledge of the routing protocol + by which the route was learned." + ::= { ipRouteEntry 10 } + +ipRouteMask OBJECT-TYPE + SYNTAX IpAddress + ACCESS read-write + STATUS mandatory + DESCRIPTION + "Indicate the mask to be logical-ANDed with the + destination address before being compared to the + value in the ipRouteDest field. 
For those systems + that do not support arbitrary subnet masks, an + agent constructs the value of the ipRouteMask by + determining whether the value of the correspondent + ipRouteDest field belong to a class-A, B, or C + network, and then using one of: + + mask network + 255.0.0.0 class-A + 255.255.0.0 class-B + 255.255.255.0 class-C + + If the value of the ipRouteDest is 0.0.0.0 (a + default route), then the mask value is also + 0.0.0.0. It should be noted that all IP routing + subsystems implicitly use this mechanism." + ::= { ipRouteEntry 11 } + +ipRouteMetric5 OBJECT-TYPE + SYNTAX INTEGER + ACCESS read-write + STATUS mandatory + DESCRIPTION + "An alternate routing metric for this route. The + semantics of this metric are determined by the + routing-protocol specified in the route's + ipRouteProto value. If this metric is not used, + its value should be set to -1." + ::= { ipRouteEntry 12 } + +ipRouteInfo OBJECT-TYPE + SYNTAX OBJECT IDENTIFIER + ACCESS read-only + STATUS mandatory + DESCRIPTION + "A reference to MIB definitions specific to the + particular routing protocol which is responsible + for this route, as determined by the value + specified in the route's ipRouteProto value. If + this information is not present, its value should + be set to the OBJECT IDENTIFIER { 0 0 }, which is + a syntatically valid object identifier, and any + conformant implementation of ASN.1 and BER must be + able to generate and recognize this value." + ::= { ipRouteEntry 13 } + +-- the IP Address Translation table + +-- The IP address translation table contain the IpAddress to +-- `physical' address equivalences. Some interfaces do not +-- use translation tables for determining address +-- equivalences (e.g., DDN-X.25 has an algorithmic method); +-- if all interfaces are of this type, then the Address +-- Translation table is empty, i.e., has zero entries. 
+ +ipNetToMediaTable OBJECT-TYPE + SYNTAX SEQUENCE OF IpNetToMediaEntry + ACCESS not-accessible + STATUS mandatory + DESCRIPTION + "The IP Address Translation table used for mapping + from IP addresses to physical addresses." + ::= { ip 22 } + +ipNetToMediaEntry OBJECT-TYPE + SYNTAX IpNetToMediaEntry + ACCESS not-accessible + STATUS mandatory + DESCRIPTION + "Each entry contains one IpAddress to `physical' + address equivalence." + INDEX { ipNetToMediaIfIndex, + ipNetToMediaNetAddress } + ::= { ipNetToMediaTable 1 } + +IpNetToMediaEntry ::= + SEQUENCE { + ipNetToMediaIfIndex + INTEGER, + ipNetToMediaPhysAddress + PhysAddress, + ipNetToMediaNetAddress + IpAddress, + ipNetToMediaType + INTEGER + } + +ipNetToMediaIfIndex OBJECT-TYPE + SYNTAX INTEGER + ACCESS read-write + STATUS mandatory + DESCRIPTION + "The interface on which this entry's equivalence + is effective. The interface identified by a + particular value of this index is the same + interface as identified by the same value of + ifIndex." + ::= { ipNetToMediaEntry 1 } + +ipNetToMediaPhysAddress OBJECT-TYPE + SYNTAX PhysAddress + ACCESS read-write + STATUS mandatory + DESCRIPTION + "The media-dependent `physical' address." + ::= { ipNetToMediaEntry 2 } + +ipNetToMediaNetAddress OBJECT-TYPE + SYNTAX IpAddress + ACCESS read-write + STATUS mandatory + DESCRIPTION + "The IpAddress corresponding to the media- + dependent `physical' address." + ::= { ipNetToMediaEntry 3 } + +ipNetToMediaType OBJECT-TYPE + SYNTAX INTEGER { + other(1), -- none of the following + invalid(2), -- an invalidated mapping + dynamic(3), + static(4) + } + ACCESS read-write + STATUS mandatory + DESCRIPTION + "The type of mapping. + + Setting this object to the value invalid(2) has + the effect of invalidating the corresponding entry + in the ipNetToMediaTable. That is, it effectively + dissasociates the interface identified with said + entry from the mapping identified with said entry. 
+ It is an implementation-specific matter as to + whether the agent removes an invalidated entry + from the table. Accordingly, management stations + must be prepared to receive tabular information + from agents that corresponds to entries not + currently in use. Proper interpretation of such + entries requires examination of the relevant + ipNetToMediaType object." + ::= { ipNetToMediaEntry 4 } + +-- additional IP objects + +ipRoutingDiscards OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The number of routing entries which were chosen + to be discarded even though they are valid. One + possible reason for discarding such an entry could + be to free-up buffer space for other routing + + entries." + ::= { ip 23 } + +-- the ICMP group + +-- Implementation of the ICMP group is mandatory for all +-- systems. + +icmpInMsgs OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The total number of ICMP messages which the + entity received. Note that this counter includes + all those counted by icmpInErrors." + ::= { icmp 1 } + +icmpInErrors OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The number of ICMP messages which the entity + received but determined as having ICMP-specific + errors (bad ICMP checksums, bad length, etc.)." + ::= { icmp 2 } + +icmpInDestUnreachs OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The number of ICMP Destination Unreachable + messages received." + ::= { icmp 3 } + +icmpInTimeExcds OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The number of ICMP Time Exceeded messages + received." + ::= { icmp 4 } + +icmpInParmProbs OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The number of ICMP Parameter Problem messages + received." 
+ ::= { icmp 5 } + +icmpInSrcQuenchs OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The number of ICMP Source Quench messages + received." + ::= { icmp 6 } + +icmpInRedirects OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The number of ICMP Redirect messages received." + ::= { icmp 7 } + +icmpInEchos OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The number of ICMP Echo (request) messages + received." + ::= { icmp 8 } + +icmpInEchoReps OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The number of ICMP Echo Reply messages received." + ::= { icmp 9 } + +icmpInTimestamps OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The number of ICMP Timestamp (request) messages + received." + ::= { icmp 10 } + +icmpInTimestampReps OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The number of ICMP Timestamp Reply messages + received." + ::= { icmp 11 } + +icmpInAddrMasks OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The number of ICMP Address Mask Request messages + received." + ::= { icmp 12 } + +icmpInAddrMaskReps OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The number of ICMP Address Mask Reply messages + received." + ::= { icmp 13 } + +icmpOutMsgs OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The total number of ICMP messages which this + entity attempted to send. Note that this counter + includes all those counted by icmpOutErrors." + ::= { icmp 14 } + +icmpOutErrors OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The number of ICMP messages which this entity did + not send due to problems discovered within ICMP + + such as a lack of buffers. 
This value should not
+ include errors discovered outside the ICMP layer
+ such as the inability of IP to route the resultant
+ datagram. In some implementations there may be no
+ types of error which contribute to this counter's
+ value."
+ ::= { icmp 15 }
+
+icmpOutDestUnreachs OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The number of ICMP Destination Unreachable
+ messages sent."
+ ::= { icmp 16 }
+
+icmpOutTimeExcds OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The number of ICMP Time Exceeded messages sent."
+ ::= { icmp 17 }
+
+icmpOutParmProbs OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The number of ICMP Parameter Problem messages
+ sent."
+ ::= { icmp 18 }
+
+icmpOutSrcQuenchs OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The number of ICMP Source Quench messages sent."
+ ::= { icmp 19 }
+
+icmpOutRedirects OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The number of ICMP Redirect messages sent. For a
+
+ host, this object will always be zero, since hosts
+ do not send redirects."
+ ::= { icmp 20 }
+
+icmpOutEchos OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The number of ICMP Echo (request) messages sent."
+ ::= { icmp 21 }
+
+icmpOutEchoReps OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The number of ICMP Echo Reply messages sent."
+ ::= { icmp 22 }
+
+icmpOutTimestamps OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The number of ICMP Timestamp (request) messages
+ sent."
+ ::= { icmp 23 }
+
+icmpOutTimestampReps OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The number of ICMP Timestamp Reply messages
+ sent."
+ ::= { icmp 24 }
+
+icmpOutAddrMasks OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The number of ICMP Address Mask Request messages
+ sent."
+ ::= { icmp 25 }
+
+icmpOutAddrMaskReps OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The number of ICMP Address Mask Reply messages
+ sent."
+ ::= { icmp 26 }
+
+-- the TCP group
+
+-- Implementation of the TCP group is mandatory for all
+-- systems that implement the TCP.
+
+-- Note that instances of object types that represent
+-- information about a particular TCP connection are
+-- transient; they persist only as long as the connection
+-- in question.
+
+tcpRtoAlgorithm OBJECT-TYPE
+ SYNTAX INTEGER {
+ other(1), -- none of the following
+
+ constant(2), -- a constant rto
+ rsre(3), -- MIL-STD-1778, Appendix B
+ vanj(4) -- Van Jacobson's algorithm [10]
+ }
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The algorithm used to determine the timeout value
+ used for retransmitting unacknowledged octets."
+ ::= { tcp 1 }
+
+tcpRtoMin OBJECT-TYPE
+ SYNTAX INTEGER
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The minimum value permitted by a TCP
+ implementation for the retransmission timeout,
+ measured in milliseconds. More refined semantics
+ for objects of this type depend upon the algorithm
+ used to determine the retransmission timeout. In
+ particular, when the timeout algorithm is rsre(3),
+ an object of this type has the semantics of the
+ LBOUND quantity described in RFC 793."
+ ::= { tcp 2 }
+
+tcpRtoMax OBJECT-TYPE
+ SYNTAX INTEGER
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The maximum value permitted by a TCP
+ implementation for the retransmission timeout,
+ measured in milliseconds. More refined semantics
+ for objects of this type depend upon the algorithm
+ used to determine the retransmission timeout.
In
+ particular, when the timeout algorithm is rsre(3),
+ an object of this type has the semantics of the
+ UBOUND quantity described in RFC 793."
+ ::= { tcp 3 }
+
+tcpMaxConn OBJECT-TYPE
+ SYNTAX INTEGER
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The limit on the total number of TCP connections
+ the entity can support. In entities where the
+ maximum number of connections is dynamic, this
+ object should contain the value -1."
+ ::= { tcp 4 }
+
+tcpActiveOpens OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The number of times TCP connections have made a
+ direct transition to the SYN-SENT state from the
+ CLOSED state."
+ ::= { tcp 5 }
+
+tcpPassiveOpens OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The number of times TCP connections have made a
+ direct transition to the SYN-RCVD state from the
+ LISTEN state."
+ ::= { tcp 6 }
+
+tcpAttemptFails OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The number of times TCP connections have made a
+ direct transition to the CLOSED state from either
+ the SYN-SENT state or the SYN-RCVD state, plus the
+ number of times TCP connections have made a direct
+ transition to the LISTEN state from the SYN-RCVD
+ state."
+ ::= { tcp 7 }
+
+tcpEstabResets OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The number of times TCP connections have made a
+ direct transition to the CLOSED state from either
+ the ESTABLISHED state or the CLOSE-WAIT state."
+ ::= { tcp 8 }
+
+tcpCurrEstab OBJECT-TYPE
+ SYNTAX Gauge
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The number of TCP connections for which the
+ current state is either ESTABLISHED or CLOSE-
+ WAIT."
+ ::= { tcp 9 }
+
+tcpInSegs OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The total number of segments received, including
+ those received in error.
This count includes
+ segments received on currently established
+ connections."
+ ::= { tcp 10 }
+
+tcpOutSegs OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The total number of segments sent, including
+ those on current connections but excluding those
+ containing only retransmitted octets."
+ ::= { tcp 11 }
+
+tcpRetransSegs OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The total number of segments retransmitted - that
+ is, the number of TCP segments transmitted
+ containing one or more previously transmitted
+ octets."
+ ::= { tcp 12 }
+
+-- the TCP Connection table
+
+-- The TCP connection table contains information about this
+-- entity's existing TCP connections.
+
+tcpConnTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF TcpConnEntry
+ ACCESS not-accessible
+ STATUS mandatory
+ DESCRIPTION
+ "A table containing TCP connection-specific
+ information."
+ ::= { tcp 13 }
+
+tcpConnEntry OBJECT-TYPE
+ SYNTAX TcpConnEntry
+ ACCESS not-accessible
+ STATUS mandatory
+ DESCRIPTION
+ "Information about a particular current TCP
+ connection. An object of this type is transient,
+ in that it ceases to exist when (or soon after)
+ the connection makes the transition to the CLOSED
+ state."
+ INDEX { tcpConnLocalAddress,
+ tcpConnLocalPort,
+ tcpConnRemAddress,
+ tcpConnRemPort }
+ ::= { tcpConnTable 1 }
+
+TcpConnEntry ::=
+ SEQUENCE {
+ tcpConnState
+ INTEGER,
+ tcpConnLocalAddress
+ IpAddress,
+ tcpConnLocalPort
+ INTEGER (0..65535),
+ tcpConnRemAddress
+ IpAddress,
+ tcpConnRemPort
+ INTEGER (0..65535)
+ }
+
+tcpConnState OBJECT-TYPE
+ SYNTAX INTEGER {
+ closed(1),
+ listen(2),
+ synSent(3),
+ synReceived(4),
+ established(5),
+ finWait1(6),
+ finWait2(7),
+ closeWait(8),
+ lastAck(9),
+ closing(10),
+ timeWait(11),
+ deleteTCB(12)
+ }
+ ACCESS read-write
+ STATUS mandatory
+ DESCRIPTION
+ "The state of this TCP connection.
+
+ The only value which may be set by a management
+ station is deleteTCB(12).
Accordingly, it is
+ appropriate for an agent to return a `badValue'
+ response if a management station attempts to set
+ this object to any other value.
+
+ If a management station sets this object to the
+ value deleteTCB(12), then this has the effect of
+ deleting the TCB (as defined in RFC 793) of the
+ corresponding connection on the managed node,
+ resulting in immediate termination of the
+ connection.
+
+ As an implementation-specific option, a RST
+
+ segment may be sent from the managed node to the
+ other TCP endpoint (note however that RST segments
+ are not sent reliably)."
+ ::= { tcpConnEntry 1 }
+
+tcpConnLocalAddress OBJECT-TYPE
+ SYNTAX IpAddress
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The local IP address for this TCP connection. In
+ the case of a connection in the listen state which
+ is willing to accept connections for any IP
+ interface associated with the node, the value
+ 0.0.0.0 is used."
+ ::= { tcpConnEntry 2 }
+
+tcpConnLocalPort OBJECT-TYPE
+ SYNTAX INTEGER (0..65535)
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The local port number for this TCP connection."
+ ::= { tcpConnEntry 3 }
+
+tcpConnRemAddress OBJECT-TYPE
+ SYNTAX IpAddress
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The remote IP address for this TCP connection."
+ ::= { tcpConnEntry 4 }
+
+tcpConnRemPort OBJECT-TYPE
+ SYNTAX INTEGER (0..65535)
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The remote port number for this TCP connection."
+ ::= { tcpConnEntry 5 }
+
+-- additional TCP objects
+
+tcpInErrs OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The total number of segments received in error
+ (e.g., bad TCP checksums)."
+ ::= { tcp 14 }
+
+tcpOutRsts OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The number of TCP segments sent containing the
+ RST flag."
+ ::= { tcp 15 }
+
+-- the UDP group
+
+-- Implementation of the UDP group is mandatory for all
+-- systems which implement the UDP.
+
+udpInDatagrams OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The total number of UDP datagrams delivered to
+ UDP users."
+ ::= { udp 1 }
+
+udpNoPorts OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The total number of received UDP datagrams for
+ which there was no application at the destination
+ port."
+ ::= { udp 2 }
+
+udpInErrors OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The number of received UDP datagrams that could
+ not be delivered for reasons other than the lack
+ of an application at the destination port."
+ ::= { udp 3 }
+
+udpOutDatagrams OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The total number of UDP datagrams sent from this
+ entity."
+ ::= { udp 4 }
+
+-- the UDP Listener table
+
+-- The UDP listener table contains information about this
+-- entity's UDP end-points on which a local application is
+-- currently accepting datagrams.
+
+udpTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF UdpEntry
+ ACCESS not-accessible
+ STATUS mandatory
+ DESCRIPTION
+ "A table containing UDP listener information."
+ ::= { udp 5 }
+
+udpEntry OBJECT-TYPE
+ SYNTAX UdpEntry
+ ACCESS not-accessible
+ STATUS mandatory
+ DESCRIPTION
+ "Information about a particular current UDP
+ listener."
+ INDEX { udpLocalAddress, udpLocalPort }
+ ::= { udpTable 1 }
+
+UdpEntry ::=
+ SEQUENCE {
+ udpLocalAddress
+ IpAddress,
+ udpLocalPort
+ INTEGER (0..65535)
+ }
+
+udpLocalAddress OBJECT-TYPE
+ SYNTAX IpAddress
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The local IP address for this UDP listener. In
+
+ the case of a UDP listener which is willing to
+ accept datagrams for any IP interface associated
+ with the node, the value 0.0.0.0 is used."
+ ::= { udpEntry 1 }
+
+udpLocalPort OBJECT-TYPE
+ SYNTAX INTEGER (0..65535)
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The local port number for this UDP listener."
+ ::= { udpEntry 2 }
+
+-- the EGP group
+
+-- Implementation of the EGP group is mandatory for all
+-- systems which implement the EGP.
+
+egpInMsgs OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The number of EGP messages received without
+ error."
+ ::= { egp 1 }
+
+egpInErrors OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The number of EGP messages received that proved
+ to be in error."
+ ::= { egp 2 }
+
+egpOutMsgs OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The total number of locally generated EGP
+ messages."
+ ::= { egp 3 }
+
+egpOutErrors OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The number of locally generated EGP messages not
+ sent due to resource limitations within an EGP
+ entity."
+ ::= { egp 4 }
+
+-- the EGP Neighbor table
+
+-- The EGP neighbor table contains information about this
+-- entity's EGP neighbors.
+
+egpNeighTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF EgpNeighEntry
+ ACCESS not-accessible
+ STATUS mandatory
+ DESCRIPTION
+ "The EGP neighbor table."
+ ::= { egp 5 }
+
+egpNeighEntry OBJECT-TYPE
+ SYNTAX EgpNeighEntry
+ ACCESS not-accessible
+ STATUS mandatory
+ DESCRIPTION
+ "Information about this entity's relationship with
+ a particular EGP neighbor."
+ INDEX { egpNeighAddr }
+ ::= { egpNeighTable 1 }
+
+EgpNeighEntry ::=
+ SEQUENCE {
+ egpNeighState
+ INTEGER,
+ egpNeighAddr
+ IpAddress,
+ egpNeighAs
+ INTEGER,
+ egpNeighInMsgs
+ Counter,
+ egpNeighInErrs
+ Counter,
+ egpNeighOutMsgs
+ Counter,
+ egpNeighOutErrs
+ Counter,
+ egpNeighInErrMsgs
+ Counter,
+ egpNeighOutErrMsgs
+ Counter,
+ egpNeighStateUps
+ Counter,
+ egpNeighStateDowns
+ Counter,
+ egpNeighIntervalHello
+ INTEGER,
+ egpNeighIntervalPoll
+ INTEGER,
+ egpNeighMode
+ INTEGER,
+ egpNeighEventTrigger
+ INTEGER
+ }
+
+egpNeighState OBJECT-TYPE
+ SYNTAX INTEGER {
+ idle(1),
+ acquisition(2),
+ down(3),
+ up(4),
+ cease(5)
+ }
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The EGP state of the local system with respect to
+ this entry's EGP neighbor. Each EGP state is
+ represented by a value that is one greater than
+ the numerical value associated with said state in
+ RFC 904."
+ ::= { egpNeighEntry 1 }
+
+egpNeighAddr OBJECT-TYPE
+ SYNTAX IpAddress
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The IP address of this entry's EGP neighbor."
+ ::= { egpNeighEntry 2 }
+
+egpNeighAs OBJECT-TYPE
+ SYNTAX INTEGER
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The autonomous system of this EGP peer. Zero
+ should be specified if the autonomous system
+ number of the neighbor is not yet known."
+ ::= { egpNeighEntry 3 }
+
+egpNeighInMsgs OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The number of EGP messages received without error
+ from this EGP peer."
+ ::= { egpNeighEntry 4 }
+
+egpNeighInErrs OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The number of EGP messages received from this EGP
+ peer that proved to be in error (e.g., bad EGP
+ checksum)."
+ ::= { egpNeighEntry 5 }
+
+egpNeighOutMsgs OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The number of locally generated EGP messages to
+ this EGP peer."
+ ::= { egpNeighEntry 6 }
+
+egpNeighOutErrs OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The number of locally generated EGP messages not
+ sent to this EGP peer due to resource limitations
+ within an EGP entity."
+ ::= { egpNeighEntry 7 }
+
+egpNeighInErrMsgs OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The number of EGP-defined error messages received
+ from this EGP peer."
+ ::= { egpNeighEntry 8 }
+
+egpNeighOutErrMsgs OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The number of EGP-defined error messages sent to
+ this EGP peer."
+ ::= { egpNeighEntry 9 }
+
+egpNeighStateUps OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The number of EGP state transitions to the UP
+ state with this EGP peer."
+ ::= { egpNeighEntry 10 }
+
+egpNeighStateDowns OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The number of EGP state transitions from the UP
+ state to any other state with this EGP peer."
+ ::= { egpNeighEntry 11 }
+
+egpNeighIntervalHello OBJECT-TYPE
+ SYNTAX INTEGER
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The interval between EGP Hello command
+ retransmissions (in hundredths of a second). This
+ represents the t1 timer as defined in RFC 904."
+ ::= { egpNeighEntry 12 }
+
+egpNeighIntervalPoll OBJECT-TYPE
+ SYNTAX INTEGER
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The interval between EGP poll command
+
+ retransmissions (in hundredths of a second). This
+ represents the t3 timer as defined in RFC 904."
+ ::= { egpNeighEntry 13 }
+
+egpNeighMode OBJECT-TYPE
+ SYNTAX INTEGER { active(1), passive(2) }
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The polling mode of this EGP entity, either
+ passive or active."
+ ::= { egpNeighEntry 14 }
+
+egpNeighEventTrigger OBJECT-TYPE
+ SYNTAX INTEGER { start(1), stop(2) }
+ ACCESS read-write
+ STATUS mandatory
+ DESCRIPTION
+ "A control variable used to trigger operator-
+ initiated Start and Stop events. When read, this
+ variable always returns the most recent value that
+ egpNeighEventTrigger was set to. If it has not
+ been set since the last initialization of the
+ network management subsystem on the node, it
+ returns a value of `stop'.
+
+ When set, this variable causes a Start or Stop
+ event on the specified neighbor, as specified on
+ pages 8-10 of RFC 904. Briefly, a Start event
+ causes an Idle peer to begin neighbor acquisition
+ and a non-Idle peer to reinitiate neighbor
+ acquisition. A stop event causes a non-Idle peer
+ to return to the Idle state until a Start event
+ occurs, either via egpNeighEventTrigger or
+ otherwise."
+ ::= { egpNeighEntry 15 }
+
+-- additional EGP objects
+
+egpAs OBJECT-TYPE
+ SYNTAX INTEGER
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The autonomous system number of this EGP entity."
+ ::= { egp 6 }
+
+-- the Transmission group
+
+-- Based on the transmission media underlying each interface
+-- on a system, the corresponding portion of the Transmission
+-- group is mandatory for that system.
+
+-- When Internet-standard definitions for managing
+-- transmission media are defined, the transmission group is
+-- used to provide a prefix for the names of those objects.
+
+-- Typically, such definitions reside in the experimental
+-- portion of the MIB until they are "proven", then as a
+-- part of the Internet standardization process, the
+-- definitions are accordingly elevated and a new object
+-- identifier, under the transmission group is defined.
By
+-- convention, the name assigned is:
+--
+-- type OBJECT IDENTIFIER ::= { transmission number }
+--
+-- where "type" is the symbolic value used for the media in
+-- the ifType column of the ifTable object, and "number" is
+-- the actual integer value corresponding to the symbol.
+
+-- the SNMP group
+
+-- Implementation of the SNMP group is mandatory for all
+-- systems which support an SNMP protocol entity. Some of
+-- the objects defined below will be zero-valued in those
+-- SNMP implementations that are optimized to support only
+-- those functions specific to either a management agent or
+-- a management station. In particular, it should be
+-- observed that the objects below refer to an SNMP entity,
+-- and there may be several SNMP entities residing on a
+-- managed node (e.g., if the node is hosting acting as
+-- a management station).
+
+snmpInPkts OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The total number of Messages delivered to the
+ SNMP entity from the transport service."
+ ::= { snmp 1 }
+
+snmpOutPkts OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The total number of SNMP Messages which were
+ passed from the SNMP protocol entity to the
+ transport service."
+ ::= { snmp 2 }
+
+snmpInBadVersions OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The total number of SNMP Messages which were
+ delivered to the SNMP protocol entity and were for
+ an unsupported SNMP version."
+ ::= { snmp 3 }
+
+snmpInBadCommunityNames OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The total number of SNMP Messages delivered to
+ the SNMP protocol entity which used a SNMP
+ community name not known to said entity."
+ ::= { snmp 4 }
+
+snmpInBadCommunityUses OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The total number of SNMP Messages delivered to
+ the SNMP protocol entity which represented an SNMP
+ operation which was not allowed by the SNMP
+ community named in the Message."
+ ::= { snmp 5 }
+
+snmpInASNParseErrs OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The total number of ASN.1 or BER errors
+ encountered by the SNMP protocol entity when
+ decoding received SNMP Messages."
+ ::= { snmp 6 }
+
+-- { snmp 7 } is not used
+
+snmpInTooBigs OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The total number of SNMP PDUs which were
+ delivered to the SNMP protocol entity and for
+ which the value of the error-status field is
+ `tooBig'."
+ ::= { snmp 8 }
+
+snmpInNoSuchNames OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The total number of SNMP PDUs which were
+ delivered to the SNMP protocol entity and for
+ which the value of the error-status field is
+ `noSuchName'."
+ ::= { snmp 9 }
+
+snmpInBadValues OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The total number of SNMP PDUs which were
+ delivered to the SNMP protocol entity and for
+ which the value of the error-status field is
+ `badValue'."
+ ::= { snmp 10 }
+
+snmpInReadOnlys OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The total number valid SNMP PDUs which were
+ delivered to the SNMP protocol entity and for
+ which the value of the error-status field is
+ `readOnly'. It should be noted that it is a
+ protocol error to generate an SNMP PDU which
+ contains the value `readOnly' in the error-status
+ field, as such this object is provided as a means
+ of detecting incorrect implementations of the
+
+ SNMP."
+ ::= { snmp 11 }
+
+snmpInGenErrs OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The total number of SNMP PDUs which were
+ delivered to the SNMP protocol entity and for
+ which the value of the error-status field is
+ `genErr'."
+ ::= { snmp 12 }
+
+snmpInTotalReqVars OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The total number of MIB objects which have been
+ retrieved successfully by the SNMP protocol entity
+ as the result of receiving valid SNMP Get-Request
+ and Get-Next PDUs."
+ ::= { snmp 13 }
+
+snmpInTotalSetVars OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The total number of MIB objects which have been
+ altered successfully by the SNMP protocol entity
+ as the result of receiving valid SNMP Set-Request
+ PDUs."
+ ::= { snmp 14 }
+
+snmpInGetRequests OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The total number of SNMP Get-Request PDUs which
+ have been accepted and processed by the SNMP
+ protocol entity."
+ ::= { snmp 15 }
+
+snmpInGetNexts OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The total number of SNMP Get-Next PDUs which have
+ been accepted and processed by the SNMP protocol
+ entity."
+ ::= { snmp 16 }
+
+snmpInSetRequests OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The total number of SNMP Set-Request PDUs which
+ have been accepted and processed by the SNMP
+ protocol entity."
+ ::= { snmp 17 }
+
+snmpInGetResponses OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The total number of SNMP Get-Response PDUs which
+ have been accepted and processed by the SNMP
+ protocol entity."
+ ::= { snmp 18 }
+
+snmpInTraps OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The total number of SNMP Trap PDUs which have
+ been accepted and processed by the SNMP protocol
+ entity."
+ ::= { snmp 19 }
+
+snmpOutTooBigs OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The total number of SNMP PDUs which were
+ generated by the SNMP protocol entity and for
+ which the value of the error-status field is
+ `tooBig.'"
+ ::= { snmp 20 }
+
+snmpOutNoSuchNames OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The total number of SNMP PDUs which were
+ generated by the SNMP protocol entity and for
+ which the value of the error-status is
+ `noSuchName'."
+ ::= { snmp 21 }
+
+snmpOutBadValues OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The total number of SNMP PDUs which were
+ generated by the SNMP protocol entity and for
+ which the value of the error-status field is
+ `badValue'."
+ ::= { snmp 22 }
+
+-- { snmp 23 } is not used
+
+snmpOutGenErrs OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The total number of SNMP PDUs which were
+ generated by the SNMP protocol entity and for
+ which the value of the error-status field is
+ `genErr'."
+ ::= { snmp 24 }
+
+snmpOutGetRequests OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The total number of SNMP Get-Request PDUs which
+ have been generated by the SNMP protocol entity."
+ ::= { snmp 25 }
+
+snmpOutGetNexts OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The total number of SNMP Get-Next PDUs which have
+ been generated by the SNMP protocol entity."
+ ::= { snmp 26 }
+
+snmpOutSetRequests OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The total number of SNMP Set-Request PDUs which
+ have been generated by the SNMP protocol entity."
+ ::= { snmp 27 }
+
+snmpOutGetResponses OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The total number of SNMP Get-Response PDUs which
+ have been generated by the SNMP protocol entity."
+ ::= { snmp 28 }
+
+snmpOutTraps OBJECT-TYPE
+ SYNTAX Counter
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The total number of SNMP Trap PDUs which have
+ been generated by the SNMP protocol entity."
+ ::= { snmp 29 }
+
+snmpEnableAuthenTraps OBJECT-TYPE
+ SYNTAX INTEGER { enabled(1), disabled(2) }
+ ACCESS read-write
+ STATUS mandatory
+ DESCRIPTION
+ "Indicates whether the SNMP agent process is
+ permitted to generate authentication-failure
+ traps. The value of this object overrides any
+ configuration information; as such, it provides a
+ means whereby all authentication-failure traps may
+ be disabled.
+
+ Note that it is strongly recommended that this
+ object be stored in non-volatile memory so that it
+ remains constant between re-initializations of the
+ network management system."
+ ::= { snmp 30 }
+
+END
diff --git a/mibs/RIPv2-MIB.txt b/mibs/RIPv2-MIB.txt
new file mode 100644
index 000000000..6c92fb5f0
--- /dev/null
+++ b/mibs/RIPv2-MIB.txt
@@ -0,0 +1,530 @@
+ RIPv2-MIB DEFINITIONS ::= BEGIN
+
+ IMPORTS
+ MODULE-IDENTITY, OBJECT-TYPE, Counter32,
+ TimeTicks, IpAddress FROM SNMPv2-SMI
+ TEXTUAL-CONVENTION, RowStatus FROM SNMPv2-TC
+ MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF
+ mib-2 FROM RFC1213-MIB;
+
+ -- This MIB module uses the extended OBJECT-TYPE macro as
+ -- defined in [9].
+
+ rip2 MODULE-IDENTITY
+ LAST-UPDATED "9407272253Z" -- Wed Jul 27 22:53:04 PDT 1994
+ ORGANIZATION "IETF RIP-II Working Group"
+ CONTACT-INFO
+ " Fred Baker
+ Postal: Cisco Systems
+ 519 Lado Drive
+ Santa Barbara, California 93111
+ Tel: +1 805 681 0115
+ E-Mail: fbaker@cisco.com
+
+ Postal: Gary Malkin
+ Xylogics, Inc.
+ 53 Third Avenue
+ Burlington, MA 01803
+
+ Phone: (617) 272-8140
+ EMail: gmalkin@Xylogics.COM"
+ DESCRIPTION
+ "The MIB module to describe the RIP2 Version 2 Protocol"
+ ::= { mib-2 23 }
+
+ -- RIP-2 Management Information Base
+
+ -- the RouteTag type represents the contents of the
+ -- Route Domain field in the packet header or route entry.
+ -- The use of the Route Domain is deprecated.
+
+ RouteTag ::= TEXTUAL-CONVENTION
+ STATUS current
+ DESCRIPTION
+ "the RouteTag type represents the contents of the Route Domain
+ field in the packet header or route entry"
+ SYNTAX OCTET STRING (SIZE (2))
+
+--4.1 Global Counters
+
+-- The RIP-2 Globals Group.
+-- Implementation of this group is mandatory for systems
+-- which implement RIP-2.
+
+-- These counters are intended to facilitate debugging quickly
+-- changing routes or failing neighbors
+
+rip2Globals OBJECT IDENTIFIER ::= { rip2 1 }
+
+ rip2GlobalRouteChanges OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of route changes made to the IP Route
+ Database by RIP. This does not include the refresh
+ of a route's age."
+ ::= { rip2Globals 1 }
+
+ rip2GlobalQueries OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of responses sent to RIP queries
+ from other systems."
+ ::= { rip2Globals 2 }
+
+--4.2 RIP Interface Tables
+
+-- RIP Interfaces Groups
+-- Implementation of these Groups is mandatory for systems
+-- which implement RIP-2.
+
+-- The RIP Interface Status Table.
+
+ rip2IfStatTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF Rip2IfStatEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A list of subnets which require separate
+ status monitoring in RIP."
+ ::= { rip2 2 }
+
+ rip2IfStatEntry OBJECT-TYPE
+ SYNTAX Rip2IfStatEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A Single Routing Domain in a single Subnet."
+ INDEX { rip2IfStatAddress }
+ ::= { rip2IfStatTable 1 }
+
+ Rip2IfStatEntry ::=
+ SEQUENCE {
+ rip2IfStatAddress
+ IpAddress,
+ rip2IfStatRcvBadPackets
+ Counter32,
+ rip2IfStatRcvBadRoutes
+ Counter32,
+ rip2IfStatSentUpdates
+ Counter32,
+ rip2IfStatStatus
+ RowStatus
+ }
+
+ rip2IfStatAddress OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The IP Address of this system on the indicated
+ subnet. For unnumbered interfaces, the value 0.0.0.N,
+ where the least significant 24 bits (N) is the ifIndex
+ for the IP Interface in network byte order."
+ ::= { rip2IfStatEntry 1 }
+
+ rip2IfStatRcvBadPackets OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RIP response packets received by
+ the RIP process which were subsequently discarded
+ for any reason (e.g. a version 0 packet, or an
+ unknown command type)."
+ ::= { rip2IfStatEntry 2 }
+
+ rip2IfStatRcvBadRoutes OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of routes, in valid RIP packets,
+ which were ignored for any reason (e.g. unknown
+ address family, or invalid metric)."
+ ::= { rip2IfStatEntry 3 }
+
+ rip2IfStatSentUpdates OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of triggered RIP updates actually
+ sent on this interface. This explicitly does
+ NOT include full updates sent containing new
+ information."
+ ::= { rip2IfStatEntry 4 }
+
+ rip2IfStatStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "Writing invalid has the effect of deleting
+ this interface."
+ ::= { rip2IfStatEntry 5 }
+
+-- The RIP Interface Configuration Table.
+
+ rip2IfConfTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF Rip2IfConfEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A list of subnets which require separate
+ configuration in RIP."
+ ::= { rip2 3 }
+
+ rip2IfConfEntry OBJECT-TYPE
+ SYNTAX Rip2IfConfEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A Single Routing Domain in a single Subnet."
+ INDEX { rip2IfConfAddress }
+ ::= { rip2IfConfTable 1 }
+
+ Rip2IfConfEntry ::=
+ SEQUENCE {
+ rip2IfConfAddress
+ IpAddress,
+ rip2IfConfDomain
+ RouteTag,
+ rip2IfConfAuthType
+ INTEGER,
+ rip2IfConfAuthKey
+ OCTET STRING (SIZE(0..16)),
+ rip2IfConfSend
+ INTEGER,
+ rip2IfConfReceive
+ INTEGER,
+ rip2IfConfDefaultMetric
+ INTEGER,
+ rip2IfConfStatus
+ RowStatus,
+ rip2IfConfSrcAddress
+ IpAddress
+ }
+
+ rip2IfConfAddress OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The IP Address of this system on the indicated
+ subnet. For unnumbered interfaces, the value 0.0.0.N,
+ where the least significant 24 bits (N) is the ifIndex
+ for the IP Interface in network byte order."
+ ::= { rip2IfConfEntry 1 }
+
+ rip2IfConfDomain OBJECT-TYPE
+ SYNTAX RouteTag
+ MAX-ACCESS read-create
+ STATUS obsolete
+ DESCRIPTION
+ "Value inserted into the Routing Domain field
+ of all RIP packets sent on this interface."
+ DEFVAL { '0000'h }
+ ::= { rip2IfConfEntry 2 }
+
+ rip2IfConfAuthType OBJECT-TYPE
+ SYNTAX INTEGER {
+ noAuthentication (1),
+ simplePassword (2),
+ md5 (3)
+ }
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The type of Authentication used on this
+ interface."
+ DEFVAL { noAuthentication }
+ ::= { rip2IfConfEntry 3 }
+
+ rip2IfConfAuthKey OBJECT-TYPE
+ SYNTAX OCTET STRING (SIZE(0..16))
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The value to be used as the Authentication Key
+ whenever the corresponding instance of
+ rip2IfConfAuthType has a value other than
+ noAuthentication. A modification of the corresponding
+ instance of rip2IfConfAuthType does not modify
+ the rip2IfConfAuthKey value. If a string shorter
+ than 16 octets is supplied, it will be left-
+ justified and padded to 16 octets, on the right,
+ with nulls (0x00).
+
+ Reading this object always results in an OCTET
+ STRING of length zero; authentication may not
+ be bypassed by reading the MIB object."
+ DEFVAL { ''h }
+ ::= { rip2IfConfEntry 4 }
+
+ rip2IfConfSend OBJECT-TYPE
+ SYNTAX INTEGER {
+ doNotSend (1),
+ ripVersion1 (2),
+ rip1Compatible (3),
+ ripVersion2 (4),
+ ripV1Demand (5),
+ ripV2Demand (6)
+ }
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "What the router sends on this interface.
+ ripVersion1 implies sending RIP updates compliant
+ with RFC 1058. rip1Compatible implies
+ broadcasting RIP-2 updates using RFC 1058 route
+ subsumption rules. ripVersion2 implies
+ multicasting RIP-2 updates. ripV1Demand indicates
+ the use of Demand RIP on a WAN interface under RIP
+ Version 1 rules. ripV2Demand indicates the use of
+ Demand RIP on a WAN interface under Version 2 rules."
+ DEFVAL { rip1Compatible }
+ ::= { rip2IfConfEntry 5 }
+
+ rip2IfConfReceive OBJECT-TYPE
+ SYNTAX INTEGER {
+ rip1 (1),
+ rip2 (2),
+ rip1OrRip2 (3),
+ doNotRecieve (4)
+ }
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "This indicates which version of RIP updates
+ are to be accepted. Note that rip2 and
+ rip1OrRip2 implies reception of multicast
+ packets."
+ DEFVAL { rip1OrRip2 }
+ ::= { rip2IfConfEntry 6 }
+
+ rip2IfConfDefaultMetric OBJECT-TYPE
+ SYNTAX INTEGER ( 0..15 )
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "This variable indicates the metric that is to
+ be used for the default route entry in RIP updates
+ originated on this interface. A value of zero
+ indicates that no default route should be
+ originated; in this case, a default route via
+ another router may be propagated."
+ ::= { rip2IfConfEntry 7 }
+
+ rip2IfConfStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "Writing invalid has the effect of deleting
+ this interface."
+ ::= { rip2IfConfEntry 8 }
+
+ rip2IfConfSrcAddress OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The IP Address this system will use as a source
+ address on this interface. If it is a numbered
+ interface, this MUST be the same value as
+ rip2IfConfAddress. On unnumbered interfaces,
+ it must be the value of rip2IfConfAddress for
+ some interface on the system."
+ ::= { rip2IfConfEntry 9 }
+
+--4.3 Peer Table
+
+-- Peer Table
+
+-- The RIP Peer Group
+-- Implementation of this Group is Optional
+
+-- This group provides information about active peer
+-- relationships intended to assist in debugging. An
+-- active peer is a router from which a valid RIP
+-- updated has been heard in the last 180 seconds.
+
+ rip2PeerTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF Rip2PeerEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A list of RIP Peers."
+ ::= { rip2 4 }
+
+ rip2PeerEntry OBJECT-TYPE
+ SYNTAX Rip2PeerEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Information regarding a single routing peer."
+ INDEX { rip2PeerAddress, rip2PeerDomain }
+ ::= { rip2PeerTable 1 }
+
+ Rip2PeerEntry ::=
+ SEQUENCE {
+ rip2PeerAddress
+ IpAddress,
+ rip2PeerDomain
+ RouteTag,
+ rip2PeerLastUpdate
+ TimeTicks,
+ rip2PeerVersion
+ INTEGER,
+ rip2PeerRcvBadPackets
+ Counter32,
+ rip2PeerRcvBadRoutes
+ Counter32
+ }
+
+ rip2PeerAddress OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The IP Address that the peer is using as its source
+ address. Note that on an unnumbered link, this may
+ not be a member of any subnet on the system."
+ ::= { rip2PeerEntry 1 }
+
+ rip2PeerDomain OBJECT-TYPE
+ SYNTAX RouteTag
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value in the Routing Domain field in RIP
+ packets received from the peer. As domain suuport
+ is deprecated, this must be zero."
+ ::= { rip2PeerEntry 2 }
+
+ rip2PeerLastUpdate OBJECT-TYPE
+ SYNTAX TimeTicks
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of sysUpTime when the most recent
+ RIP update was received from this system."
+ ::= { rip2PeerEntry 3 }
+
+ rip2PeerVersion OBJECT-TYPE
+ SYNTAX INTEGER ( 0..255 )
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The RIP version number in the header of the
+ last RIP packet received."
+ ::= { rip2PeerEntry 4 }
+
+ rip2PeerRcvBadPackets OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of RIP response packets from this
+ peer discarded as invalid."
+ ::= { rip2PeerEntry 5 }
+
+
+ rip2PeerRcvBadRoutes OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of routes from this peer that were
+ ignored because the entry format was invalid."
+ ::= { rip2PeerEntry 6 }
+
+-- conformance information
+
+rip2Conformance OBJECT IDENTIFIER ::= { rip2 5 }
+
+rip2Groups OBJECT IDENTIFIER ::= { rip2Conformance 1 }
+rip2Compliances OBJECT IDENTIFIER ::= { rip2Conformance 2 }
+
+-- compliance statements
+rip2Compliance MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "The compliance statement "
+ MODULE -- this module
+ MANDATORY-GROUPS {
+ rip2GlobalGroup,
+ rip2IfStatGroup,
+ rip2IfConfGroup,
+ rip2PeerGroup
+ }
+ GROUP rip2GlobalGroup
+ DESCRIPTION
+ "This group defines global controls for RIP-II systems."
+ GROUP rip2IfStatGroup
+ DESCRIPTION
+ "This group defines interface statistics for RIP-II systems."
+ GROUP rip2IfConfGroup
+ DESCRIPTION
+ "This group defines interface configuration for RIP-II systems."
+ GROUP rip2PeerGroup
+ DESCRIPTION
+ "This group defines peer information for RIP-II systems."
+ ::= { rip2Compliances 1 }
+
+-- units of conformance
+
+rip2GlobalGroup OBJECT-GROUP
+ OBJECTS {
+ rip2GlobalRouteChanges,
+ rip2GlobalQueries
+ }
+ STATUS current
+ DESCRIPTION
+ "This group defines global controls for RIP-II systems."
+ ::= { rip2Groups 1 }
+rip2IfStatGroup OBJECT-GROUP
+ OBJECTS {
+ rip2IfStatAddress,
+ rip2IfStatRcvBadPackets,
+ rip2IfStatRcvBadRoutes,
+ rip2IfStatSentUpdates,
+ rip2IfStatStatus
+ }
+ STATUS current
+ DESCRIPTION
+ "This group defines interface statistics for RIP-II systems."
+ ::= { rip2Groups 2 }
+rip2IfConfGroup OBJECT-GROUP
+ OBJECTS {
+ rip2IfConfAddress,
+ rip2IfConfAuthType,
+ rip2IfConfAuthKey,
+ rip2IfConfSend,
+ rip2IfConfReceive,
+ rip2IfConfDefaultMetric,
+ rip2IfConfStatus,
+ rip2IfConfSrcAddress
+ }
+ STATUS current
+ DESCRIPTION
+ "This group defines interface configuration for RIP-II systems."
+ ::= { rip2Groups 3 }
+rip2PeerGroup OBJECT-GROUP
+ OBJECTS {
+ rip2PeerAddress,
+ rip2PeerDomain,
+ rip2PeerLastUpdate,
+ rip2PeerVersion,
+ rip2PeerRcvBadPackets,
+ rip2PeerRcvBadRoutes
+ }
+ STATUS current
+ DESCRIPTION
+ "This group defines peer information for RIP-II systems."
+ ::= { rip2Groups 4 }
+END
diff --git a/mibs/RMON-MIB.txt b/mibs/RMON-MIB.txt
new file mode 100644
index 000000000..983c22ef5
--- /dev/null
+++ b/mibs/RMON-MIB.txt
@@ -0,0 +1,3980 @@
+RMON-MIB DEFINITIONS ::= BEGIN
+
+ IMPORTS
+ MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY,
+ NOTIFICATION-TYPE, mib-2, Counter32,
+ Integer32, TimeTicks FROM SNMPv2-SMI
+
+ TEXTUAL-CONVENTION, DisplayString FROM SNMPv2-TC
+
+ MODULE-COMPLIANCE, OBJECT-GROUP,
+ NOTIFICATION-GROUP FROM SNMPv2-CONF;
+
+-- Remote Network Monitoring MIB
+
+rmonMibModule MODULE-IDENTITY
+ LAST-UPDATED "200005110000Z" -- 11 May, 2000
+ ORGANIZATION "IETF RMON MIB Working Group"
+ CONTACT-INFO
+ "Steve Waldbusser
+ Phone: +1-650-948-6500
+ Fax: +1-650-745-0671
+ Email: waldbusser@nextbeacon.com"
+ DESCRIPTION
+ "Remote network monitoring devices, often called
+ monitors or probes, are instruments that exist for
+ the purpose of managing a network. This MIB defines
+ objects for managing remote network monitoring devices."
+
+ REVISION "200005110000Z" -- 11 May, 2000
+ DESCRIPTION
+ "Reformatted into SMIv2 format.
+
+ This version published as RFC 2819."
+
+ REVISION "199502010000Z" -- 1 Feb, 1995
+ DESCRIPTION
+ "Bug fixes, clarifications and minor changes based on
+ implementation experience, published as RFC1757 [18].
+
+ Two changes were made to object definitions:
+
+ 1) A new status bit has been defined for the
+ captureBufferPacketStatus object, indicating that the
+ packet order within the capture buffer may not be identical to
+ the packet order as received off the wire. This bit may only
+
+ be used for packets transmitted by the probe. Older NMS
+ applications can safely ignore this status bit, which might be
+ used by newer agents.
+
+ 2) The packetMatch trap has been removed. This trap was never
+ actually 'approved' and was not added to this document along
+ with the risingAlarm and fallingAlarm traps. The packetMatch
+ trap could not be throttled, which could cause disruption of
+ normal network traffic under some circumstances. An NMS should
+ configure a risingAlarm threshold on the appropriate
+ channelMatches instance if a trap is desired for a packetMatch
+ event. Note that logging of packetMatch events is still
+ supported--only trap generation for such events has been
+ removed.
+
+ In addition, several clarifications to individual object
+ definitions have been added to assist agent and NMS
+ implementors:
+
+ - global definition of 'good packets' and 'bad packets'
+
+ - more detailed text governing conceptual row creation and
+ modification
+
+ - instructions for probes relating to interface changes and
+ disruptions
+
+ - clarification of some ethernet counter definitions
+
+ - recommended formula for calculating network utilization
+
+ - clarification of channel and captureBuffer behavior for some
+ unusual conditions
+
+ - examples of proper instance naming for each table"
+
+ REVISION "199111010000Z" -- 1 Nov, 1991
+ DESCRIPTION
+ "The original version of this MIB, published as RFC1271."
+ ::= { rmonConformance 8 }
+
+ rmon OBJECT IDENTIFIER ::= { mib-2 16 }
+
+ -- textual conventions
+
+OwnerString ::= TEXTUAL-CONVENTION
+ STATUS current
+ DESCRIPTION
+ "This data type is used to model an administratively
+ assigned name of the owner of a resource. Implementations
+ must accept values composed of well-formed NVT ASCII
+ sequences. In addition, implementations should accept
+ values composed of well-formed UTF-8 sequences.
+
+ It is suggested that this name contain one or more of
+ the following: IP address, management station name,
+ network manager's name, location, or phone number.
+ In some cases the agent itself will be the owner of
+ an entry. In these cases, this string shall be set
+ to a string starting with 'monitor'.
+
+ SNMP access control is articulated entirely in terms
+ of the contents of MIB views; access to a particular
+ SNMP object instance depends only upon its presence
+ or absence in a particular MIB view and never upon
+ its value or the value of related object instances.
+ Thus, objects of this type afford resolution of
+ resource contention only among cooperating
+ managers; they realize no access control function
+ with respect to uncooperative parties."
+ SYNTAX OCTET STRING (SIZE (0..127))
+
+EntryStatus ::= TEXTUAL-CONVENTION
+ STATUS current
+ DESCRIPTION
+ "The status of a table entry.
+
+ Setting this object to the value invalid(4) has the
+ effect of invalidating the corresponding entry.
+ That is, it effectively disassociates the mapping
+ identified with said entry.
+ It is an implementation-specific matter as to whether
+ the agent removes an invalidated entry from the table.
+ Accordingly, management stations must be prepared to
+ receive tabular information from agents that corresponds
+ to entries currently not in use. Proper
+ interpretation of such entries requires examination
+ of the relevant EntryStatus object.
+
+ An existing instance of this object cannot be set to
+ createRequest(2). This object may only be set to
+ createRequest(2) when this instance is created. When
+ this object is created, the agent may wish to create
+ supplemental object instances with default values
+ to complete a conceptual row in this table. Because the
+
+ creation of these default objects is entirely at the option
+ of the agent, the manager must not assume that any will be
+ created, but may make use of any that are created.
+ Immediately after completing the create operation, the agent
+ must set this object to underCreation(3).
+
+ When in the underCreation(3) state, an entry is allowed to
+ exist in a possibly incomplete, possibly inconsistent state,
+ usually to allow it to be modified in multiple PDUs. When in
+ this state, an entry is not fully active.
+ Entries shall exist in the underCreation(3) state until
+ the management station is finished configuring the entry
+ and sets this object to valid(1) or aborts, setting this
+ object to invalid(4). If the agent determines that an
+ entry has been in the underCreation(3) state for an
+ abnormally long time, it may decide that the management
+ station has crashed. If the agent makes this decision,
+ it may set this object to invalid(4) to reclaim the
+ entry. A prudent agent will understand that the
+ management station may need to wait for human input
+ and will allow for that possibility in its
+ determination of this abnormally long period.
+
+ An entry in the valid(1) state is fully configured and
+ consistent and fully represents the configuration or
+ operation such a row is intended to represent. For
+ example, it could be a statistical function that is
+ configured and active, or a filter that is available
+ in the list of filters processed by the packet capture
+ process.
+
+ A manager is restricted to changing the state of an entry in
+ the following ways:
+
+ To: valid createRequest underCreation invalid
+ From:
+ valid OK NO OK OK
+ createRequest N/A N/A N/A N/A
+ underCreation OK NO OK OK
+ invalid NO NO NO OK
+ nonExistent NO OK NO OK
+
+ In the table above, it is not applicable to move the state
+ from the createRequest state to any other state because the
+ manager will never find the variable in that state. The
+ nonExistent state is not a value of the enumeration, rather
+ it means that the entryStatus variable does not exist at all.
+
+ An agent may allow an entryStatus variable to change state in
+ additional ways, so long as the semantics of the states are
+ followed. This allowance is made to ease the implementation of
+ the agent and is made despite the fact that managers should
+ never exercise these additional state transitions."
+ SYNTAX INTEGER {
+ valid(1),
+ createRequest(2),
+ underCreation(3),
+ invalid(4)
+ }
+
+ statistics OBJECT IDENTIFIER ::= { rmon 1 }
+ history OBJECT IDENTIFIER ::= { rmon 2 }
+ alarm OBJECT IDENTIFIER ::= { rmon 3 }
+ hosts OBJECT IDENTIFIER ::= { rmon 4 }
+ hostTopN OBJECT IDENTIFIER ::= { rmon 5 }
+ matrix OBJECT IDENTIFIER ::= { rmon 6 }
+ filter OBJECT IDENTIFIER ::= { rmon 7 }
+ capture OBJECT IDENTIFIER ::= { rmon 8 }
+ event OBJECT IDENTIFIER ::= { rmon 9 }
+ rmonConformance OBJECT IDENTIFIER ::= { rmon 20 }
+
+-- The Ethernet Statistics Group
+--
+-- Implementation of the Ethernet Statistics group is optional.
+-- Consult the MODULE-COMPLIANCE macro for the authoritative
+-- conformance information for this MIB.
+--
+-- The ethernet statistics group contains statistics measured by the
+-- probe for each monitored interface on this device. These
+-- statistics take the form of free running counters that start from
+-- zero when a valid entry is created.
+--
+-- This group currently has statistics defined only for
+-- Ethernet interfaces. Each etherStatsEntry contains statistics
+-- for one Ethernet interface. The probe must create one
+-- etherStats entry for each monitored Ethernet interface
+-- on the device.
+
+etherStatsTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF EtherStatsEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A list of Ethernet statistics entries."
+ ::= { statistics 1 }
+
+etherStatsEntry OBJECT-TYPE
+ SYNTAX EtherStatsEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A collection of statistics kept for a particular
+ Ethernet interface. As an example, an instance of the
+ etherStatsPkts object might be named etherStatsPkts.1"
+ INDEX { etherStatsIndex }
+ ::= { etherStatsTable 1 }
+
+EtherStatsEntry ::= SEQUENCE {
+ etherStatsIndex Integer32,
+ etherStatsDataSource OBJECT IDENTIFIER,
+ etherStatsDropEvents Counter32,
+ etherStatsOctets Counter32,
+ etherStatsPkts Counter32,
+ etherStatsBroadcastPkts Counter32,
+ etherStatsMulticastPkts Counter32,
+ etherStatsCRCAlignErrors Counter32,
+ etherStatsUndersizePkts Counter32,
+ etherStatsOversizePkts Counter32,
+ etherStatsFragments Counter32,
+ etherStatsJabbers Counter32,
+ etherStatsCollisions Counter32,
+ etherStatsPkts64Octets Counter32,
+ etherStatsPkts65to127Octets Counter32,
+ etherStatsPkts128to255Octets Counter32,
+ etherStatsPkts256to511Octets Counter32,
+ etherStatsPkts512to1023Octets Counter32,
+ etherStatsPkts1024to1518Octets Counter32,
+ etherStatsOwner OwnerString,
+ etherStatsStatus EntryStatus
+}
+
+etherStatsIndex OBJECT-TYPE
+ SYNTAX Integer32 (1..65535)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of this object uniquely identifies this
+ etherStats entry."
+ ::= { etherStatsEntry 1 }
+
+etherStatsDataSource OBJECT-TYPE
+ SYNTAX OBJECT IDENTIFIER
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "This object identifies the source of the data that
+ this etherStats entry is configured to analyze. This
+ source can be any ethernet interface on this device.
+ In order to identify a particular interface, this object
+ shall identify the instance of the ifIndex object,
+ defined in RFC 2233 [17], for the desired interface.
+ For example, if an entry were to receive data from
+ interface #1, this object would be set to ifIndex.1.
+
+ The statistics in this group reflect all packets
+ on the local network segment attached to the identified
+ interface.
+
+ An agent may or may not be able to tell if fundamental
+ changes to the media of the interface have occurred and
+ necessitate an invalidation of this entry. For example, a
+ hot-pluggable ethernet card could be pulled out and replaced
+ by a token-ring card. In such a case, if the agent has such
+ knowledge of the change, it is recommended that it
+ invalidate this entry.
+
+ This object may not be modified if the associated
+ etherStatsStatus object is equal to valid(1)."
+ ::= { etherStatsEntry 2 }
+
+etherStatsDropEvents OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of events in which packets
+ were dropped by the probe due to lack of resources.
+ Note that this number is not necessarily the number of
+ packets dropped; it is just the number of times this
+ condition has been detected."
+ ::= { etherStatsEntry 3 }
+
+etherStatsOctets OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "Octets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of octets of data (including
+ those in bad packets) received on the
+ network (excluding framing bits but including
+ FCS octets).
+
+ This object can be used as a reasonable estimate of
+ 10-Megabit ethernet utilization. If greater precision is
+ desired, the etherStatsPkts and etherStatsOctets objects
+ should be sampled before and after a common interval. The
+ differences in the sampled values are Pkts and Octets,
+ respectively, and the number of seconds in the interval is
+ Interval. These values are used to calculate the Utilization
+ as follows:
+
+ Pkts * (9.6 + 6.4) + (Octets * .8)
+ Utilization = -------------------------------------
+ Interval * 10,000
+
+ The result of this equation is the value Utilization which
+ is the percent utilization of the ethernet segment on a
+ scale of 0 to 100 percent."
+ ::= { etherStatsEntry 4 }
+
+etherStatsPkts OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "Packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of packets (including bad packets,
+ broadcast packets, and multicast packets) received."
+ ::= { etherStatsEntry 5 }
+
+etherStatsBroadcastPkts OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "Packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of good packets received that were
+ directed to the broadcast address. Note that this
+ does not include multicast packets."
+ ::= { etherStatsEntry 6 }
+
+etherStatsMulticastPkts OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "Packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of good packets received that were
+ directed to a multicast address. Note that this number
+ does not include packets directed to the broadcast
+
+ address."
+ ::= { etherStatsEntry 7 }
+
+etherStatsCRCAlignErrors OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "Packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of packets received that
+ had a length (excluding framing bits, but
+ including FCS octets) of between 64 and 1518
+ octets, inclusive, but had either a bad
+ Frame Check Sequence (FCS) with an integral
+ number of octets (FCS Error) or a bad FCS with
+ a non-integral number of octets (Alignment Error)."
+ ::= { etherStatsEntry 8 }
+
+etherStatsUndersizePkts OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "Packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of packets received that were
+ less than 64 octets long (excluding framing bits,
+ but including FCS octets) and were otherwise well
+ formed."
+ ::= { etherStatsEntry 9 }
+
+etherStatsOversizePkts OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "Packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of packets received that were
+ longer than 1518 octets (excluding framing bits,
+ but including FCS octets) and were otherwise
+ well formed."
+ ::= { etherStatsEntry 10 }
+
+etherStatsFragments OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "Packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of packets received that were less than
+ 64 octets in length (excluding framing bits but including
+ FCS octets) and had either a bad Frame Check Sequence
+ (FCS) with an integral number of octets (FCS Error) or a
+ bad FCS with a non-integral number of octets (Alignment
+ Error).
+
+ Note that it is entirely normal for etherStatsFragments to
+ increment. This is because it counts both runts (which are
+ normal occurrences due to collisions) and noise hits."
+ ::= { etherStatsEntry 11 }
+
+etherStatsJabbers OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "Packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of packets received that were
+ longer than 1518 octets (excluding framing bits,
+ but including FCS octets), and had either a bad
+ Frame Check Sequence (FCS) with an integral number
+ of octets (FCS Error) or a bad FCS with a non-integral
+ number of octets (Alignment Error).
+
+ Note that this definition of jabber is different
+ than the definition in IEEE-802.3 section 8.2.1.5
+ (10BASE5) and section 10.3.1.4 (10BASE2). These
+ documents define jabber as the condition where any
+ packet exceeds 20 ms. The allowed range to detect
+ jabber is between 20 ms and 150 ms."
+ ::= { etherStatsEntry 12 }
+
+etherStatsCollisions OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "Collisions"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The best estimate of the total number of collisions
+ on this Ethernet segment.
+
+ The value returned will depend on the location of the
+ RMON probe. Section 8.2.1.3 (10BASE-5) and section
+ 10.3.1.3 (10BASE-2) of IEEE standard 802.3 states that a
+ station must detect a collision, in the receive mode, if
+ three or more stations are transmitting simultaneously. A
+ repeater port must detect a collision when two or more
+
+ stations are transmitting simultaneously. Thus a probe
+ placed on a repeater port could record more collisions
+ than a probe connected to a station on the same segment
+ would.
+
+ Probe location plays a much smaller role when considering
+ 10BASE-T. 14.2.1.4 (10BASE-T) of IEEE standard 802.3
+ defines a collision as the simultaneous presence of signals
+ on the DO and RD circuits (transmitting and receiving
+ at the same time). A 10BASE-T station can only detect
+ collisions when it is transmitting. Thus probes placed on
+ a station and a repeater, should report the same number of
+ collisions.
+
+ Note also that an RMON probe inside a repeater should
+ ideally report collisions between the repeater and one or
+ more other hosts (transmit collisions as defined by IEEE
+ 802.3k) plus receiver collisions observed on any coax
+ segments to which the repeater is connected."
+ ::= { etherStatsEntry 13 }
+
+etherStatsPkts64Octets OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "Packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of packets (including bad
+ packets) received that were 64 octets in length
+ (excluding framing bits but including FCS octets)."
+ ::= { etherStatsEntry 14 }
+
+etherStatsPkts65to127Octets OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "Packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of packets (including bad
+ packets) received that were between
+ 65 and 127 octets in length inclusive
+ (excluding framing bits but including FCS octets)."
+ ::= { etherStatsEntry 15 }
+
+etherStatsPkts128to255Octets OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "Packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of packets (including bad
+ packets) received that were between
+ 128 and 255 octets in length inclusive
+ (excluding framing bits but including FCS octets)."
+ ::= { etherStatsEntry 16 }
+
+etherStatsPkts256to511Octets OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "Packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of packets (including bad
+ packets) received that were between
+ 256 and 511 octets in length inclusive
+ (excluding framing bits but including FCS octets)."
+ ::= { etherStatsEntry 17 }
+
+etherStatsPkts512to1023Octets OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "Packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of packets (including bad
+ packets) received that were between
+ 512 and 1023 octets in length inclusive
+ (excluding framing bits but including FCS octets)."
+ ::= { etherStatsEntry 18 }
+
+etherStatsPkts1024to1518Octets OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "Packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of packets (including bad
+ packets) received that were between
+ 1024 and 1518 octets in length inclusive
+ (excluding framing bits but including FCS octets)."
+ ::= { etherStatsEntry 19 }
+
+etherStatsOwner OBJECT-TYPE
+ SYNTAX OwnerString
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The entity that configured this entry and is therefore
+ using the resources assigned to it."
+ ::= { etherStatsEntry 20 } + +etherStatsStatus OBJECT-TYPE + SYNTAX EntryStatus + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The status of this etherStats entry." + ::= { etherStatsEntry 21 } + +-- The History Control Group + +-- Implementation of the History Control group is optional. +-- Consult the MODULE-COMPLIANCE macro for the authoritative +-- conformance information for this MIB. +-- +-- The history control group controls the periodic statistical +-- sampling of data from various types of networks. The +-- historyControlTable stores configuration entries that each +-- define an interface, polling period, and other parameters. +-- Once samples are taken, their data is stored in an entry +-- in a media-specific table. Each such entry defines one +-- sample, and is associated with the historyControlEntry that +-- caused the sample to be taken. Each counter in the +-- etherHistoryEntry counts the same event as its similarly-named +-- counterpart in the etherStatsEntry, except that each value here +-- is a cumulative sum during a sampling period. +-- +-- If the probe keeps track of the time of day, it should start +-- the first sample of the history at a time such that +-- when the next hour of the day begins, a sample is +-- started at that instant. This tends to make more +-- user-friendly reports, and enables comparison of reports +-- from different probes that have relatively accurate time +-- of day. +-- +-- The probe is encouraged to add two history control entries +-- per monitored interface upon initialization that describe a short +-- term and a long term polling period. Suggested parameters are 30 +-- seconds for the short term polling period and 30 minutes for +-- the long term period. + +historyControlTable OBJECT-TYPE + SYNTAX SEQUENCE OF HistoryControlEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A list of history control entries." 
+ ::= { history 1 } + +historyControlEntry OBJECT-TYPE + SYNTAX HistoryControlEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A list of parameters that set up a periodic sampling of + statistics. As an example, an instance of the + historyControlInterval object might be named + historyControlInterval.2" + INDEX { historyControlIndex } + ::= { historyControlTable 1 } + +HistoryControlEntry ::= SEQUENCE { + historyControlIndex Integer32, + historyControlDataSource OBJECT IDENTIFIER, + historyControlBucketsRequested Integer32, + historyControlBucketsGranted Integer32, + historyControlInterval Integer32, + historyControlOwner OwnerString, + historyControlStatus EntryStatus +} + +historyControlIndex OBJECT-TYPE + SYNTAX Integer32 (1..65535) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "An index that uniquely identifies an entry in the + historyControl table. Each such entry defines a + set of samples at a particular interval for an + interface on the device." + ::= { historyControlEntry 1 } + +historyControlDataSource OBJECT-TYPE + SYNTAX OBJECT IDENTIFIER + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "This object identifies the source of the data for + which historical data was collected and + placed in a media-specific table on behalf of this + historyControlEntry. This source can be any + interface on this device. In order to identify + + a particular interface, this object shall identify + the instance of the ifIndex object, defined + in RFC 2233 [17], for the desired interface. + For example, if an entry were to receive data from + interface #1, this object would be set to ifIndex.1. + + The statistics in this group reflect all packets + on the local network segment attached to the identified + interface. + + An agent may or may not be able to tell if fundamental + changes to the media of the interface have occurred and + necessitate an invalidation of this entry. 
For example, a + hot-pluggable ethernet card could be pulled out and replaced + by a token-ring card. In such a case, if the agent has such + knowledge of the change, it is recommended that it + invalidate this entry. + + This object may not be modified if the associated + historyControlStatus object is equal to valid(1)." + ::= { historyControlEntry 2 } + +historyControlBucketsRequested OBJECT-TYPE + SYNTAX Integer32 (1..65535) + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The requested number of discrete time intervals + over which data is to be saved in the part of the + media-specific table associated with this + historyControlEntry. + + When this object is created or modified, the probe + should set historyControlBucketsGranted as closely to + this object as is possible for the particular probe + implementation and available resources." + DEFVAL { 50 } + ::= { historyControlEntry 3 } + +historyControlBucketsGranted OBJECT-TYPE + SYNTAX Integer32 (1..65535) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of discrete sampling intervals + over which data shall be saved in the part of + the media-specific table associated with this + historyControlEntry. + + When the associated historyControlBucketsRequested + object is created or modified, the probe + should set this object as closely to the requested + value as is possible for the particular + probe implementation and available resources. The + probe must not lower this value except as a result + of a modification to the associated + historyControlBucketsRequested object. + + There will be times when the actual number of + buckets associated with this entry is less than + the value of this object. In this case, at the + end of each sampling interval, a new bucket will + be added to the media-specific table. 
+ + When the number of buckets reaches the value of + this object and a new bucket is to be added to the + media-specific table, the oldest bucket associated + with this historyControlEntry shall be deleted by + the agent so that the new bucket can be added. + + When the value of this object changes to a value less + than the current value, entries are deleted + from the media-specific table associated with this + historyControlEntry. Enough of the oldest of these + entries shall be deleted by the agent so that their + number remains less than or equal to the new value of + this object. + + When the value of this object changes to a value greater + than the current value, the number of associated media- + specific entries may be allowed to grow." + ::= { historyControlEntry 4 } + +historyControlInterval OBJECT-TYPE + SYNTAX Integer32 (1..3600) + UNITS "Seconds" + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The interval in seconds over which the data is + sampled for each bucket in the part of the + media-specific table associated with this + historyControlEntry. This interval can + be set to any number of seconds between 1 and + 3600 (1 hour). + + Because the counters in a bucket may overflow at their + + maximum value with no indication, a prudent manager will + take into account the possibility of overflow in any of + the associated counters. It is important to consider the + minimum time in which any counter could overflow on a + particular media type and set the historyControlInterval + object to a value less than this interval. This is + typically most important for the 'octets' counter in any + media-specific table. For example, on an Ethernet + network, the etherHistoryOctets counter could overflow + in about one hour at the Ethernet's maximum + utilization. + + This object may not be modified if the associated + historyControlStatus object is equal to valid(1)." 
+ DEFVAL { 1800 } + ::= { historyControlEntry 5 } + +historyControlOwner OBJECT-TYPE + SYNTAX OwnerString + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The entity that configured this entry and is therefore + using the resources assigned to it." + ::= { historyControlEntry 6 } + +historyControlStatus OBJECT-TYPE + SYNTAX EntryStatus + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The status of this historyControl entry. + + Each instance of the media-specific table associated + with this historyControlEntry will be deleted by the agent + if this historyControlEntry is not equal to valid(1)." + ::= { historyControlEntry 7 } + +-- The Ethernet History Group + +-- Implementation of the Ethernet History group is optional. +-- Consult the MODULE-COMPLIANCE macro for the authoritative +-- conformance information for this MIB. +-- +-- The Ethernet History group records periodic statistical samples +-- from a network and stores them for later retrieval. +-- Once samples are taken, their data is stored in an entry +-- in a media-specific table. Each such entry defines one + +-- sample, and is associated with the historyControlEntry that +-- caused the sample to be taken. This group defines the +-- etherHistoryTable, for Ethernet networks. +-- + +etherHistoryTable OBJECT-TYPE + SYNTAX SEQUENCE OF EtherHistoryEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A list of Ethernet history entries." + ::= { history 2 } + +etherHistoryEntry OBJECT-TYPE + SYNTAX EtherHistoryEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "An historical sample of Ethernet statistics on a particular + Ethernet interface. This sample is associated with the + historyControlEntry which set up the parameters for + a regular collection of these samples. 
As an example, an + instance of the etherHistoryPkts object might be named + etherHistoryPkts.2.89" + INDEX { etherHistoryIndex , etherHistorySampleIndex } + ::= { etherHistoryTable 1 } + +EtherHistoryEntry ::= SEQUENCE { + etherHistoryIndex Integer32, + etherHistorySampleIndex Integer32, + etherHistoryIntervalStart TimeTicks, + etherHistoryDropEvents Counter32, + etherHistoryOctets Counter32, + etherHistoryPkts Counter32, + etherHistoryBroadcastPkts Counter32, + etherHistoryMulticastPkts Counter32, + etherHistoryCRCAlignErrors Counter32, + etherHistoryUndersizePkts Counter32, + etherHistoryOversizePkts Counter32, + etherHistoryFragments Counter32, + etherHistoryJabbers Counter32, + etherHistoryCollisions Counter32, + etherHistoryUtilization Integer32 +} + +etherHistoryIndex OBJECT-TYPE + SYNTAX Integer32 (1..65535) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The history of which this entry is a part. The + history identified by a particular value of this + index is the same history as identified + by the same value of historyControlIndex." + ::= { etherHistoryEntry 1 } + +etherHistorySampleIndex OBJECT-TYPE + SYNTAX Integer32 (1..2147483647) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "An index that uniquely identifies the particular + sample this entry represents among all samples + associated with the same historyControlEntry. + This index starts at 1 and increases by one + as each new sample is taken." + ::= { etherHistoryEntry 2 } + +etherHistoryIntervalStart OBJECT-TYPE + SYNTAX TimeTicks + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of sysUpTime at the start of the interval + over which this sample was measured. If the probe + keeps track of the time of day, it should start + the first sample of the history at a time such that + when the next hour of the day begins, a sample is + started at that instant. 
Note that following this + rule may require the probe to delay collecting the + first sample of the history, as each sample must be + of the same interval. Also note that the sample which + is currently being collected is not accessible in this + table until the end of its interval." + ::= { etherHistoryEntry 3 } + +etherHistoryDropEvents OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The total number of events in which packets + were dropped by the probe due to lack of resources + during this sampling interval. Note that this number + is not necessarily the number of packets dropped, it + is just the number of times this condition has been + + detected." + ::= { etherHistoryEntry 4 } + +etherHistoryOctets OBJECT-TYPE + SYNTAX Counter32 + UNITS "Octets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The total number of octets of data (including + those in bad packets) received on the + network (excluding framing bits but including + FCS octets)." + ::= { etherHistoryEntry 5 } + +etherHistoryPkts OBJECT-TYPE + SYNTAX Counter32 + UNITS "Packets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of packets (including bad packets) + received during this sampling interval." + ::= { etherHistoryEntry 6 } + +etherHistoryBroadcastPkts OBJECT-TYPE + SYNTAX Counter32 + UNITS "Packets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of good packets received during this + sampling interval that were directed to the + broadcast address." + ::= { etherHistoryEntry 7 } + +etherHistoryMulticastPkts OBJECT-TYPE + SYNTAX Counter32 + UNITS "Packets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of good packets received during this + sampling interval that were directed to a + multicast address. Note that this number does not + include packets addressed to the broadcast address." 
+ ::= { etherHistoryEntry 8 } + +etherHistoryCRCAlignErrors OBJECT-TYPE + SYNTAX Counter32 + UNITS "Packets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of packets received during this + sampling interval that had a length (excluding + framing bits but including FCS octets) between + 64 and 1518 octets, inclusive, but had either a bad Frame + Check Sequence (FCS) with an integral number of octets + (FCS Error) or a bad FCS with a non-integral number + of octets (Alignment Error)." + ::= { etherHistoryEntry 9 } + +etherHistoryUndersizePkts OBJECT-TYPE + SYNTAX Counter32 + UNITS "Packets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of packets received during this + sampling interval that were less than 64 octets + long (excluding framing bits but including FCS + octets) and were otherwise well formed." + ::= { etherHistoryEntry 10 } + +etherHistoryOversizePkts OBJECT-TYPE + SYNTAX Counter32 + UNITS "Packets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of packets received during this + sampling interval that were longer than 1518 + octets (excluding framing bits but including + FCS octets) but were otherwise well formed." + ::= { etherHistoryEntry 11 } + +etherHistoryFragments OBJECT-TYPE + SYNTAX Counter32 + UNITS "Packets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The total number of packets received during this + sampling interval that were less than 64 octets in + length (excluding framing bits but including FCS + + octets) had either a bad Frame Check Sequence (FCS) + with an integral number of octets (FCS Error) or a bad + FCS with a non-integral number of octets (Alignment + Error). + + Note that it is entirely normal for etherHistoryFragments to + increment. This is because it counts both runts (which are + normal occurrences due to collisions) and noise hits." 
+ ::= { etherHistoryEntry 12 } + +etherHistoryJabbers OBJECT-TYPE + SYNTAX Counter32 + UNITS "Packets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of packets received during this + sampling interval that were longer than 1518 octets + (excluding framing bits but including FCS octets), + and had either a bad Frame Check Sequence (FCS) + with an integral number of octets (FCS Error) or + a bad FCS with a non-integral number of octets + (Alignment Error). + + Note that this definition of jabber is different + than the definition in IEEE-802.3 section 8.2.1.5 + (10BASE5) and section 10.3.1.4 (10BASE2). These + documents define jabber as the condition where any + packet exceeds 20 ms. The allowed range to detect + jabber is between 20 ms and 150 ms." + ::= { etherHistoryEntry 13 } + +etherHistoryCollisions OBJECT-TYPE + SYNTAX Counter32 + UNITS "Collisions" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The best estimate of the total number of collisions + on this Ethernet segment during this sampling + interval. + + The value returned will depend on the location of the + RMON probe. Section 8.2.1.3 (10BASE-5) and section + 10.3.1.3 (10BASE-2) of IEEE standard 802.3 states that a + station must detect a collision, in the receive mode, if + three or more stations are transmitting simultaneously. A + repeater port must detect a collision when two or more + + stations are transmitting simultaneously. Thus a probe + placed on a repeater port could record more collisions + than a probe connected to a station on the same segment + would. + + Probe location plays a much smaller role when considering + 10BASE-T. 14.2.1.4 (10BASE-T) of IEEE standard 802.3 + defines a collision as the simultaneous presence of signals + on the DO and RD circuits (transmitting and receiving + at the same time). A 10BASE-T station can only detect + collisions when it is transmitting. 
Thus probes placed on + a station and a repeater, should report the same number of + collisions. + + Note also that an RMON probe inside a repeater should + ideally report collisions between the repeater and one or + more other hosts (transmit collisions as defined by IEEE + 802.3k) plus receiver collisions observed on any coax + segments to which the repeater is connected." + ::= { etherHistoryEntry 14 } + +etherHistoryUtilization OBJECT-TYPE + SYNTAX Integer32 (0..10000) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The best estimate of the mean physical layer + network utilization on this interface during this + sampling interval, in hundredths of a percent." + ::= { etherHistoryEntry 15 } + +-- The Alarm Group + +-- Implementation of the Alarm group is optional. The Alarm Group +-- requires the implementation of the Event group. +-- Consult the MODULE-COMPLIANCE macro for the authoritative +-- conformance information for this MIB. +-- +-- The Alarm group periodically takes statistical samples from +-- variables in the probe and compares them to thresholds that have +-- been configured. The alarm table stores configuration +-- entries that each define a variable, polling period, and +-- threshold parameters. If a sample is found to cross the +-- threshold values, an event is generated. Only variables that +-- resolve to an ASN.1 primitive type of INTEGER (INTEGER, Integer32, +-- Counter32, Counter64, Gauge32, or TimeTicks) may be monitored in +-- this way. +-- + +-- This function has a hysteresis mechanism to limit the generation +-- of events. This mechanism generates one event as a threshold +-- is crossed in the appropriate direction. No more events are +-- generated for that threshold until the opposite threshold is +-- crossed. 
+-- +-- In the case of a sampling a deltaValue, a probe may implement +-- this mechanism with more precision if it takes a delta sample +-- twice per period, each time comparing the sum of the latest two +-- samples to the threshold. This allows the detection of threshold +-- crossings that span the sampling boundary. Note that this does +-- not require any special configuration of the threshold value. +-- It is suggested that probes implement this more precise algorithm. + +alarmTable OBJECT-TYPE + SYNTAX SEQUENCE OF AlarmEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A list of alarm entries." + ::= { alarm 1 } + +alarmEntry OBJECT-TYPE + SYNTAX AlarmEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A list of parameters that set up a periodic checking + for alarm conditions. For example, an instance of the + alarmValue object might be named alarmValue.8" + INDEX { alarmIndex } + ::= { alarmTable 1 } + +AlarmEntry ::= SEQUENCE { + alarmIndex Integer32, + alarmInterval Integer32, + alarmVariable OBJECT IDENTIFIER, + alarmSampleType INTEGER, + alarmValue Integer32, + alarmStartupAlarm INTEGER, + alarmRisingThreshold Integer32, + alarmFallingThreshold Integer32, + alarmRisingEventIndex Integer32, + alarmFallingEventIndex Integer32, + alarmOwner OwnerString, + alarmStatus EntryStatus +} + +alarmIndex OBJECT-TYPE + SYNTAX Integer32 (1..65535) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "An index that uniquely identifies an entry in the + alarm table. Each such entry defines a + diagnostic sample at a particular interval + for an object on the device." + ::= { alarmEntry 1 } + +alarmInterval OBJECT-TYPE + SYNTAX Integer32 + UNITS "Seconds" + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The interval in seconds over which the data is + sampled and compared with the rising and falling + thresholds. 
When setting this variable, care + should be taken in the case of deltaValue + sampling - the interval should be set short enough + that the sampled variable is very unlikely to + increase or decrease by more than 2^31 - 1 during + a single sampling interval. + + This object may not be modified if the associated + alarmStatus object is equal to valid(1)." + ::= { alarmEntry 2 } + +alarmVariable OBJECT-TYPE + SYNTAX OBJECT IDENTIFIER + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The object identifier of the particular variable to be + sampled. Only variables that resolve to an ASN.1 primitive + type of INTEGER (INTEGER, Integer32, Counter32, Counter64, + Gauge, or TimeTicks) may be sampled. + + Because SNMP access control is articulated entirely + in terms of the contents of MIB views, no access + control mechanism exists that can restrict the value of + this object to identify only those objects that exist + in a particular MIB view. Because there is thus no + acceptable means of restricting the read access that + could be obtained through the alarm mechanism, the + probe must only grant write access to this object in + + those views that have read access to all objects on + the probe. + + During a set operation, if the supplied variable name is + not available in the selected MIB view, a badValue error + must be returned. If at any time the variable name of + an established alarmEntry is no longer available in the + selected MIB view, the probe must change the status of + this alarmEntry to invalid(4). + + This object may not be modified if the associated + alarmStatus object is equal to valid(1)." + ::= { alarmEntry 3 } + +alarmSampleType OBJECT-TYPE + SYNTAX INTEGER { + absoluteValue(1), + deltaValue(2) + } + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The method of sampling the selected variable and + calculating the value to be compared against the + thresholds. 
If the value of this object is + absoluteValue(1), the value of the selected variable + will be compared directly with the thresholds at the + end of the sampling interval. If the value of this + object is deltaValue(2), the value of the selected + variable at the last sample will be subtracted from + the current value, and the difference compared with + the thresholds. + + This object may not be modified if the associated + alarmStatus object is equal to valid(1)." + ::= { alarmEntry 4 } + +alarmValue OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of the statistic during the last sampling + period. For example, if the sample type is deltaValue, + this value will be the difference between the samples + at the beginning and end of the period. If the sample + type is absoluteValue, this value will be the sampled + value at the end of the period. + + This is the value that is compared with the rising and + falling thresholds. + + The value during the current sampling period is not + made available until the period is completed and will + remain available until the next period completes." + ::= { alarmEntry 5 } + +alarmStartupAlarm OBJECT-TYPE + SYNTAX INTEGER { + risingAlarm(1), + fallingAlarm(2), + risingOrFallingAlarm(3) + } + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The alarm that may be sent when this entry is first + set to valid. If the first sample after this entry + becomes valid is greater than or equal to the + risingThreshold and alarmStartupAlarm is equal to + risingAlarm(1) or risingOrFallingAlarm(3), then a single + rising alarm will be generated. If the first sample + after this entry becomes valid is less than or equal + to the fallingThreshold and alarmStartupAlarm is equal + to fallingAlarm(2) or risingOrFallingAlarm(3), then a + single falling alarm will be generated. + + This object may not be modified if the associated + alarmStatus object is equal to valid(1)." 
+ ::= { alarmEntry 6 } + +alarmRisingThreshold OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "A threshold for the sampled statistic. When the current + sampled value is greater than or equal to this threshold, + and the value at the last sampling interval was less than + this threshold, a single event will be generated. + A single event will also be generated if the first + sample after this entry becomes valid is greater than or + equal to this threshold and the associated + alarmStartupAlarm is equal to risingAlarm(1) or + risingOrFallingAlarm(3). + + After a rising event is generated, another such event + + will not be generated until the sampled value + falls below this threshold and reaches the + alarmFallingThreshold. + + This object may not be modified if the associated + alarmStatus object is equal to valid(1)." + ::= { alarmEntry 7 } + +alarmFallingThreshold OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "A threshold for the sampled statistic. When the current + sampled value is less than or equal to this threshold, + and the value at the last sampling interval was greater than + this threshold, a single event will be generated. + A single event will also be generated if the first + sample after this entry becomes valid is less than or + equal to this threshold and the associated + alarmStartupAlarm is equal to fallingAlarm(2) or + risingOrFallingAlarm(3). + + After a falling event is generated, another such event + will not be generated until the sampled value + rises above this threshold and reaches the + alarmRisingThreshold. + + This object may not be modified if the associated + alarmStatus object is equal to valid(1)." + ::= { alarmEntry 8 } + +alarmRisingEventIndex OBJECT-TYPE + SYNTAX Integer32 (0..65535) + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The index of the eventEntry that is + used when a rising threshold is crossed. 
The + eventEntry identified by a particular value of + this index is the same as identified by the same value + of the eventIndex object. If there is no + corresponding entry in the eventTable, then + no association exists. In particular, if this value + is zero, no associated event will be generated, as + zero is not a valid event index. + + This object may not be modified if the associated + + alarmStatus object is equal to valid(1)." + ::= { alarmEntry 9 } + +alarmFallingEventIndex OBJECT-TYPE + SYNTAX Integer32 (0..65535) + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The index of the eventEntry that is + used when a falling threshold is crossed. The + eventEntry identified by a particular value of + this index is the same as identified by the same value + of the eventIndex object. If there is no + corresponding entry in the eventTable, then + no association exists. In particular, if this value + is zero, no associated event will be generated, as + zero is not a valid event index. + + This object may not be modified if the associated + alarmStatus object is equal to valid(1)." + ::= { alarmEntry 10 } + +alarmOwner OBJECT-TYPE + SYNTAX OwnerString + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The entity that configured this entry and is therefore + using the resources assigned to it." + ::= { alarmEntry 11 } + +alarmStatus OBJECT-TYPE + SYNTAX EntryStatus + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The status of this alarm entry." + ::= { alarmEntry 12 } + +-- The Host Group + +-- Implementation of the Host group is optional. +-- Consult the MODULE-COMPLIANCE macro for the authoritative +-- conformance information for this MIB. +-- +-- The host group discovers new hosts on the network by +-- keeping a list of source and destination MAC Addresses seen +-- in good packets. For each of these addresses, the host group + +-- keeps a set of statistics. 
The hostControlTable controls +-- which interfaces this function is performed on, and contains +-- some information about the process. On behalf of each +-- hostControlEntry, data is collected on an interface and placed +-- in both the hostTable and the hostTimeTable. If the +-- monitoring device finds itself short of resources, it may +-- delete entries as needed. It is suggested that the device +-- delete the least recently used entries first. + +-- The hostTable contains entries for each address discovered on +-- a particular interface. Each entry contains statistical +-- data about that host. This table is indexed by the +-- MAC address of the host, through which a random access +-- may be achieved. + +-- The hostTimeTable contains data in the same format as the +-- hostTable, and must contain the same set of hosts, but is +-- indexed using hostTimeCreationOrder rather than hostAddress. +-- The hostTimeCreationOrder is an integer which reflects +-- the relative order in which a particular entry was discovered +-- and thus inserted into the table. As this order, and thus +-- the index, is among those entries currently in the table, +-- the index for a particular entry may change if an +-- (earlier) entry is deleted. Thus the association between +-- hostTimeCreationOrder and hostTimeEntry may be broken at +-- any time. + +-- The hostTimeTable has two important uses. The first is the +-- fast download of this potentially large table. Because the +-- index of this table runs from 1 to the size of the table, +-- inclusive, its values are predictable. This allows very +-- efficient packing of variables into SNMP PDU's and allows +-- a table transfer to have multiple packets outstanding. +-- These benefits increase transfer rates tremendously. + +-- The second use of the hostTimeTable is the efficient discovery +-- by the management station of new entries added to the table. 
+-- After the management station has downloaded the entire table, +-- it knows that new entries will be added immediately after the +-- end of the current table. It can thus detect new entries there +-- and retrieve them easily. + +-- Because the association between hostTimeCreationOrder and +-- hostTimeEntry may be broken at any time, the management +-- station must monitor the related hostControlLastDeleteTime +-- object. When the management station thus detects a deletion, +-- it must assume that any such associations have been broken, +-- and invalidate any it has stored locally. This includes + +-- restarting any download of the hostTimeTable that may have been +-- in progress, as well as rediscovering the end of the +-- hostTimeTable so that it may detect new entries. If the +-- management station does not detect the broken association, +-- it may continue to refer to a particular host by its +-- creationOrder while unwittingly retrieving the data associated +-- with another host entirely. If this happens while downloading +-- the host table, the management station may fail to download +-- all of the entries in the table. + +hostControlTable OBJECT-TYPE + SYNTAX SEQUENCE OF HostControlEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A list of host table control entries." + ::= { hosts 1 } + +hostControlEntry OBJECT-TYPE + SYNTAX HostControlEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A list of parameters that set up the discovery of hosts + on a particular interface and the collection of statistics + about these hosts. 
For example, an instance of the + hostControlTableSize object might be named + hostControlTableSize.1" + INDEX { hostControlIndex } + ::= { hostControlTable 1 } + +HostControlEntry ::= SEQUENCE { + + hostControlIndex Integer32, + hostControlDataSource OBJECT IDENTIFIER, + hostControlTableSize Integer32, + hostControlLastDeleteTime TimeTicks, + hostControlOwner OwnerString, + hostControlStatus EntryStatus +} + +hostControlIndex OBJECT-TYPE + SYNTAX Integer32 (1..65535) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "An index that uniquely identifies an entry in the + + hostControl table. Each such entry defines + a function that discovers hosts on a particular interface + and places statistics about them in the hostTable and + the hostTimeTable on behalf of this hostControlEntry." + ::= { hostControlEntry 1 } + +hostControlDataSource OBJECT-TYPE + SYNTAX OBJECT IDENTIFIER + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "This object identifies the source of the data for + this instance of the host function. This source + can be any interface on this device. In order + to identify a particular interface, this object shall + identify the instance of the ifIndex object, defined + in RFC 2233 [17], for the desired interface. + For example, if an entry were to receive data from + interface #1, this object would be set to ifIndex.1. + + The statistics in this group reflect all packets + on the local network segment attached to the identified + interface. + + An agent may or may not be able to tell if fundamental + changes to the media of the interface have occurred and + necessitate an invalidation of this entry. For example, a + hot-pluggable ethernet card could be pulled out and replaced + by a token-ring card. In such a case, if the agent has such + knowledge of the change, it is recommended that it + invalidate this entry. + + This object may not be modified if the associated + hostControlStatus object is equal to valid(1)." 
+ ::= { hostControlEntry 2 } + +hostControlTableSize OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of hostEntries in the hostTable and the + hostTimeTable associated with this hostControlEntry." + ::= { hostControlEntry 3 } + +hostControlLastDeleteTime OBJECT-TYPE + SYNTAX TimeTicks + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of sysUpTime when the last entry + was deleted from the portion of the hostTable + associated with this hostControlEntry. If no + deletions have occurred, this value shall be zero." + ::= { hostControlEntry 4 } + +hostControlOwner OBJECT-TYPE + SYNTAX OwnerString + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The entity that configured this entry and is therefore + using the resources assigned to it." + ::= { hostControlEntry 5 } + +hostControlStatus OBJECT-TYPE + SYNTAX EntryStatus + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The status of this hostControl entry. + + If this object is not equal to valid(1), all associated + entries in the hostTable, hostTimeTable, and the + hostTopNTable shall be deleted by the agent." + ::= { hostControlEntry 6 } + +hostTable OBJECT-TYPE + SYNTAX SEQUENCE OF HostEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A list of host entries." + ::= { hosts 2 } + +hostEntry OBJECT-TYPE + SYNTAX HostEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A collection of statistics for a particular host that has + been discovered on an interface of this device. 
For example, + an instance of the hostOutBroadcastPkts object might be + named hostOutBroadcastPkts.1.6.8.0.32.27.3.176" + INDEX { hostIndex, hostAddress } + ::= { hostTable 1 } + +HostEntry ::= SEQUENCE { + hostAddress OCTET STRING, + hostCreationOrder Integer32, + hostIndex Integer32, + hostInPkts Counter32, + hostOutPkts Counter32, + hostInOctets Counter32, + hostOutOctets Counter32, + hostOutErrors Counter32, + hostOutBroadcastPkts Counter32, + hostOutMulticastPkts Counter32 +} + +hostAddress OBJECT-TYPE + SYNTAX OCTET STRING + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The physical address of this host." + ::= { hostEntry 1 } + +hostCreationOrder OBJECT-TYPE + SYNTAX Integer32 (1..65535) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "An index that defines the relative ordering of + the creation time of hosts captured for a + particular hostControlEntry. This index shall + be between 1 and N, where N is the value of + the associated hostControlTableSize. The ordering + of the indexes is based on the order of each entry's + insertion into the table, in which entries added earlier + have a lower index value than entries added later. + + It is important to note that the order for a + particular entry may change as an (earlier) entry + is deleted from the table. Because this order may + change, management stations should make use of the + hostControlLastDeleteTime variable in the + hostControlEntry associated with the relevant + portion of the hostTable. By observing + this variable, the management station may detect + the circumstances where a previous association + between a value of hostCreationOrder + and a hostEntry may no longer hold." + ::= { hostEntry 2 } + +hostIndex OBJECT-TYPE + SYNTAX Integer32 (1..65535) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The set of collected host statistics of which + this entry is a part. 
The set of hosts + identified by a particular value of this + index is associated with the hostControlEntry + as identified by the same value of hostControlIndex." + ::= { hostEntry 3 } + +hostInPkts OBJECT-TYPE + SYNTAX Counter32 + UNITS "Packets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of good packets transmitted to this + address since it was added to the hostTable." + ::= { hostEntry 4 } + +hostOutPkts OBJECT-TYPE + SYNTAX Counter32 + UNITS "Packets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of packets, including bad packets, transmitted + by this address since it was added to the hostTable." + ::= { hostEntry 5 } + +hostInOctets OBJECT-TYPE + SYNTAX Counter32 + UNITS "Octets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of octets transmitted to this address since + it was added to the hostTable (excluding framing + bits but including FCS octets), except for those + octets in bad packets." + ::= { hostEntry 6 } + +hostOutOctets OBJECT-TYPE + SYNTAX Counter32 + UNITS "Octets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of octets transmitted by this address since + it was added to the hostTable (excluding framing + bits but including FCS octets), including those + octets in bad packets." + ::= { hostEntry 7 } + +hostOutErrors OBJECT-TYPE + SYNTAX Counter32 + UNITS "Packets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of bad packets transmitted by this address + since this host was added to the hostTable." + ::= { hostEntry 8 } + +hostOutBroadcastPkts OBJECT-TYPE + SYNTAX Counter32 + UNITS "Packets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of good packets transmitted by this + address that were directed to the broadcast address + since this host was added to the hostTable." 
+ ::= { hostEntry 9 } + +hostOutMulticastPkts OBJECT-TYPE + SYNTAX Counter32 + UNITS "Packets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of good packets transmitted by this + address that were directed to a multicast address + since this host was added to the hostTable. + Note that this number does not include packets + directed to the broadcast address." + ::= { hostEntry 10 } + +-- host Time Table + +hostTimeTable OBJECT-TYPE + SYNTAX SEQUENCE OF HostTimeEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A list of time-ordered host table entries." + ::= { hosts 3 } + +hostTimeEntry OBJECT-TYPE + SYNTAX HostTimeEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A collection of statistics for a particular host that has + been discovered on an interface of this device. This + collection includes the relative ordering of the creation + time of this object. For example, an instance of the + hostTimeOutBroadcastPkts object might be named + hostTimeOutBroadcastPkts.1.687" + INDEX { hostTimeIndex, hostTimeCreationOrder } + ::= { hostTimeTable 1 } + +HostTimeEntry ::= SEQUENCE { + hostTimeAddress OCTET STRING, + hostTimeCreationOrder Integer32, + hostTimeIndex Integer32, + hostTimeInPkts Counter32, + hostTimeOutPkts Counter32, + hostTimeInOctets Counter32, + hostTimeOutOctets Counter32, + hostTimeOutErrors Counter32, + hostTimeOutBroadcastPkts Counter32, + hostTimeOutMulticastPkts Counter32 +} + +hostTimeAddress OBJECT-TYPE + SYNTAX OCTET STRING + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The physical address of this host." + ::= { hostTimeEntry 1 } + +hostTimeCreationOrder OBJECT-TYPE + SYNTAX Integer32 (1..65535) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "An index that uniquely identifies an entry in + the hostTime table among those entries associated + with the same hostControlEntry. 
This index shall + be between 1 and N, where N is the value of + + the associated hostControlTableSize. The ordering + of the indexes is based on the order of each entry's + insertion into the table, in which entries added earlier + have a lower index value than entries added later. + Thus the management station has the ability to + learn of new entries added to this table without + downloading the entire table. + + It is important to note that the index for a + particular entry may change as an (earlier) entry + is deleted from the table. Because this order may + change, management stations should make use of the + hostControlLastDeleteTime variable in the + hostControlEntry associated with the relevant + portion of the hostTimeTable. By observing + this variable, the management station may detect + the circumstances where a download of the table + may have missed entries, and where a previous + association between a value of hostTimeCreationOrder + and a hostTimeEntry may no longer hold." + ::= { hostTimeEntry 2 } + +hostTimeIndex OBJECT-TYPE + SYNTAX Integer32 (1..65535) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The set of collected host statistics of which + this entry is a part. The set of hosts + identified by a particular value of this + index is associated with the hostControlEntry + as identified by the same value of hostControlIndex." + ::= { hostTimeEntry 3 } + +hostTimeInPkts OBJECT-TYPE + SYNTAX Counter32 + UNITS "Packets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of good packets transmitted to this + address since it was added to the hostTimeTable." + ::= { hostTimeEntry 4 } + +hostTimeOutPkts OBJECT-TYPE + SYNTAX Counter32 + UNITS "Packets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of packets, including bad packets, transmitted + by this address since it was added to the hostTimeTable." 
+ ::= { hostTimeEntry 5 } + +hostTimeInOctets OBJECT-TYPE + SYNTAX Counter32 + UNITS "Octets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of octets transmitted to this address since + it was added to the hostTimeTable (excluding framing + bits but including FCS octets), except for those + octets in bad packets." + ::= { hostTimeEntry 6 } + +hostTimeOutOctets OBJECT-TYPE + SYNTAX Counter32 + UNITS "Octets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of octets transmitted by this address since + it was added to the hostTimeTable (excluding framing + bits but including FCS octets), including those + octets in bad packets." + ::= { hostTimeEntry 7 } + +hostTimeOutErrors OBJECT-TYPE + SYNTAX Counter32 + UNITS "Packets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of bad packets transmitted by this address + since this host was added to the hostTimeTable." + ::= { hostTimeEntry 8 } + +hostTimeOutBroadcastPkts OBJECT-TYPE + SYNTAX Counter32 + UNITS "Packets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of good packets transmitted by this + address that were directed to the broadcast address + + since this host was added to the hostTimeTable." + ::= { hostTimeEntry 9 } + +hostTimeOutMulticastPkts OBJECT-TYPE + SYNTAX Counter32 + UNITS "Packets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of good packets transmitted by this + address that were directed to a multicast address + since this host was added to the hostTimeTable. + Note that this number does not include packets directed + to the broadcast address." + ::= { hostTimeEntry 10 } + +-- The Host Top "N" Group + +-- Implementation of the Host Top N group is optional. The Host Top N +-- group requires the implementation of the host group. +-- Consult the MODULE-COMPLIANCE macro for the authoritative +-- conformance information for this MIB. 
+-- +-- The Host Top N group is used to prepare reports that describe +-- the hosts that top a list ordered by one of their statistics. +-- The available statistics are samples of one of their +-- base statistics, over an interval specified by the management +-- station. Thus, these statistics are rate based. The management +-- station also selects how many such hosts are reported. + +-- The hostTopNControlTable is used to initiate the generation of +-- such a report. The management station may select the parameters +-- of such a report, such as which interface, which statistic, +-- how many hosts, and the start and stop times of the sampling. +-- When the report is prepared, entries are created in the +-- hostTopNTable associated with the relevant hostTopNControlEntry. +-- These entries are static for each report after it has been +-- prepared. + +hostTopNControlTable OBJECT-TYPE + SYNTAX SEQUENCE OF HostTopNControlEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A list of top N host control entries." + ::= { hostTopN 1 } + +hostTopNControlEntry OBJECT-TYPE + SYNTAX HostTopNControlEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A set of parameters that control the creation of a report + of the top N hosts according to several metrics. 
For + example, an instance of the hostTopNDuration object might + be named hostTopNDuration.3" + INDEX { hostTopNControlIndex } + ::= { hostTopNControlTable 1 } + +HostTopNControlEntry ::= SEQUENCE { + hostTopNControlIndex Integer32, + hostTopNHostIndex Integer32, + hostTopNRateBase INTEGER, + hostTopNTimeRemaining Integer32, + hostTopNDuration Integer32, + hostTopNRequestedSize Integer32, + hostTopNGrantedSize Integer32, + hostTopNStartTime TimeTicks, + hostTopNOwner OwnerString, + hostTopNStatus EntryStatus +} + +hostTopNControlIndex OBJECT-TYPE + SYNTAX Integer32 (1..65535) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "An index that uniquely identifies an entry + in the hostTopNControl table. Each such + entry defines one top N report prepared for + one interface." + ::= { hostTopNControlEntry 1 } + +hostTopNHostIndex OBJECT-TYPE + SYNTAX Integer32 (1..65535) + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The host table for which a top N report will be prepared + on behalf of this entry. The host table identified by a + particular value of this index is associated with the same + host table as identified by the same value of + hostIndex. + + This object may not be modified if the associated + hostTopNStatus object is equal to valid(1)." + ::= { hostTopNControlEntry 2 } + +hostTopNRateBase OBJECT-TYPE + SYNTAX INTEGER { + hostTopNInPkts(1), + hostTopNOutPkts(2), + hostTopNInOctets(3), + hostTopNOutOctets(4), + hostTopNOutErrors(5), + hostTopNOutBroadcastPkts(6), + hostTopNOutMulticastPkts(7) + } + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The variable for each host that the hostTopNRate + variable is based upon. + + This object may not be modified if the associated + hostTopNStatus object is equal to valid(1)." 
+ ::= { hostTopNControlEntry 3 } + +hostTopNTimeRemaining OBJECT-TYPE + SYNTAX Integer32 + UNITS "Seconds" + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The number of seconds left in the report currently being + collected. When this object is modified by the management + station, a new collection is started, possibly aborting + a currently running report. The new value is used + as the requested duration of this report, which is + loaded into the associated hostTopNDuration object. + + When this object is set to a non-zero value, any + associated hostTopNEntries shall be made + inaccessible by the monitor. While the value of this + object is non-zero, it decrements by one per second until + it reaches zero. During this time, all associated + hostTopNEntries shall remain inaccessible. At the time + that this object decrements to zero, the report is made + accessible in the hostTopNTable. Thus, the hostTopN + table needs to be created only at the end of the collection + interval." + DEFVAL { 0 } + ::= { hostTopNControlEntry 4 } + +hostTopNDuration OBJECT-TYPE + SYNTAX Integer32 + UNITS "Seconds" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of seconds that this report has collected + during the last sampling interval, or if this + report is currently being collected, the number + of seconds that this report is being collected + during this sampling interval. + + When the associated hostTopNTimeRemaining object is set, + this object shall be set by the probe to the same value + and shall not be modified until the next time + the hostTopNTimeRemaining is set. + + This value shall be zero if no reports have been + requested for this hostTopNControlEntry." + DEFVAL { 0 } + ::= { hostTopNControlEntry 5 } + +hostTopNRequestedSize OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The maximum number of hosts requested for the top N + table. 
+ + When this object is created or modified, the probe + should set hostTopNGrantedSize as closely to this + object as is possible for the particular probe + implementation and available resources." + DEFVAL { 10 } + ::= { hostTopNControlEntry 6 } + +hostTopNGrantedSize OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The maximum number of hosts in the top N table. + + When the associated hostTopNRequestedSize object is + created or modified, the probe should set this + object as closely to the requested value as is possible + for the particular implementation and available + + resources. The probe must not lower this value except + as a result of a set to the associated + hostTopNRequestedSize object. + + Hosts with the highest value of hostTopNRate shall be + placed in this table in decreasing order of this rate + until there is no more room or until there are no more + hosts." + ::= { hostTopNControlEntry 7 } + +hostTopNStartTime OBJECT-TYPE + SYNTAX TimeTicks + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of sysUpTime when this top N report was + last started. In other words, this is the time that + the associated hostTopNTimeRemaining object was + modified to start the requested report." + ::= { hostTopNControlEntry 8 } + +hostTopNOwner OBJECT-TYPE + SYNTAX OwnerString + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The entity that configured this entry and is therefore + using the resources assigned to it." + ::= { hostTopNControlEntry 9 } + +hostTopNStatus OBJECT-TYPE + SYNTAX EntryStatus + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The status of this hostTopNControl entry. + + If this object is not equal to valid(1), all associated + hostTopNEntries shall be deleted by the agent." + ::= { hostTopNControlEntry 10 } + +hostTopNTable OBJECT-TYPE + SYNTAX SEQUENCE OF HostTopNEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A list of top N host entries." 
+ ::= { hostTopN 2 } + +hostTopNEntry OBJECT-TYPE + SYNTAX HostTopNEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A set of statistics for a host that is part of a top N + report. For example, an instance of the hostTopNRate + object might be named hostTopNRate.3.10" + INDEX { hostTopNReport, hostTopNIndex } + ::= { hostTopNTable 1 } + +HostTopNEntry ::= SEQUENCE { + hostTopNReport Integer32, + hostTopNIndex Integer32, + hostTopNAddress OCTET STRING, + hostTopNRate Integer32 +} + +hostTopNReport OBJECT-TYPE + SYNTAX Integer32 (1..65535) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "This object identifies the top N report of which + this entry is a part. The set of hosts + identified by a particular value of this + object is part of the same report as identified + by the same value of the hostTopNControlIndex object." + ::= { hostTopNEntry 1 } + +hostTopNIndex OBJECT-TYPE + SYNTAX Integer32 (1..65535) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "An index that uniquely identifies an entry in + the hostTopN table among those in the same report. + This index is between 1 and N, where N is the + number of entries in this table. Increasing values + of hostTopNIndex shall be assigned to entries with + decreasing values of hostTopNRate until index N + is assigned to the entry with the lowest value of + hostTopNRate or there are no more hostTopNEntries." + ::= { hostTopNEntry 2 } + +hostTopNAddress OBJECT-TYPE + SYNTAX OCTET STRING + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The physical address of this host." + ::= { hostTopNEntry 3 } + +hostTopNRate OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The amount of change in the selected variable + during this sampling interval. The selected + variable is this host's instance of the object + selected by hostTopNRateBase." + ::= { hostTopNEntry 4 } + +-- The Matrix Group + +-- Implementation of the Matrix group is optional. 
+-- Consult the MODULE-COMPLIANCE macro for the authoritative +-- conformance information for this MIB. +-- +-- The Matrix group consists of the matrixControlTable, matrixSDTable +-- and the matrixDSTable. These tables store statistics for a +-- particular conversation between two addresses. As the device +-- detects a new conversation, including those to a non-unicast +-- address, it creates a new entry in both of the matrix tables. +-- It must only create new entries based on information +-- received in good packets. If the monitoring device finds +-- itself short of resources, it may delete entries as needed. +-- It is suggested that the device delete the least recently used +-- entries first. + +matrixControlTable OBJECT-TYPE + SYNTAX SEQUENCE OF MatrixControlEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A list of information entries for the + traffic matrix on each interface." + ::= { matrix 1 } + +matrixControlEntry OBJECT-TYPE + SYNTAX MatrixControlEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Information about a traffic matrix on a particular + + interface. For example, an instance of the + matrixControlLastDeleteTime object might be named + matrixControlLastDeleteTime.1" + INDEX { matrixControlIndex } + ::= { matrixControlTable 1 } + +MatrixControlEntry ::= SEQUENCE { + matrixControlIndex Integer32, + matrixControlDataSource OBJECT IDENTIFIER, + matrixControlTableSize Integer32, + matrixControlLastDeleteTime TimeTicks, + matrixControlOwner OwnerString, + matrixControlStatus EntryStatus +} + +matrixControlIndex OBJECT-TYPE + SYNTAX Integer32 (1..65535) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "An index that uniquely identifies an entry in the + matrixControl table. Each such entry defines + a function that discovers conversations on a particular + interface and places statistics about them in the + matrixSDTable and the matrixDSTable on behalf of this + matrixControlEntry." 
+ ::= { matrixControlEntry 1 } + +matrixControlDataSource OBJECT-TYPE + SYNTAX OBJECT IDENTIFIER + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "This object identifies the source of + the data from which this entry creates a traffic matrix. + This source can be any interface on this device. In + order to identify a particular interface, this object + shall identify the instance of the ifIndex object, + defined in RFC 2233 [17], for the desired + interface. For example, if an entry were to receive data + from interface #1, this object would be set to ifIndex.1. + + The statistics in this group reflect all packets + on the local network segment attached to the identified + interface. + + An agent may or may not be able to tell if fundamental + changes to the media of the interface have occurred and + + necessitate an invalidation of this entry. For example, a + hot-pluggable ethernet card could be pulled out and replaced + by a token-ring card. In such a case, if the agent has such + knowledge of the change, it is recommended that it + invalidate this entry. + + This object may not be modified if the associated + matrixControlStatus object is equal to valid(1)." + ::= { matrixControlEntry 2 } + +matrixControlTableSize OBJECT-TYPE + SYNTAX Integer32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of matrixSDEntries in the matrixSDTable + for this interface. This must also be the value of + the number of entries in the matrixDSTable for this + interface." + ::= { matrixControlEntry 3 } + +matrixControlLastDeleteTime OBJECT-TYPE + SYNTAX TimeTicks + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of sysUpTime when the last entry + was deleted from the portion of the matrixSDTable + or matrixDSTable associated with this matrixControlEntry. + If no deletions have occurred, this value shall be + zero." 
+ ::= { matrixControlEntry 4 } + +matrixControlOwner OBJECT-TYPE + SYNTAX OwnerString + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The entity that configured this entry and is therefore + using the resources assigned to it." + ::= { matrixControlEntry 5 } + +matrixControlStatus OBJECT-TYPE + SYNTAX EntryStatus + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The status of this matrixControl entry. + + If this object is not equal to valid(1), all associated + entries in the matrixSDTable and the matrixDSTable + shall be deleted by the agent." + ::= { matrixControlEntry 6 } + +matrixSDTable OBJECT-TYPE + SYNTAX SEQUENCE OF MatrixSDEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A list of traffic matrix entries indexed by + source and destination MAC address." + ::= { matrix 2 } + +matrixSDEntry OBJECT-TYPE + SYNTAX MatrixSDEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A collection of statistics for communications between + two addresses on a particular interface. For example, + an instance of the matrixSDPkts object might be named + matrixSDPkts.1.6.8.0.32.27.3.176.6.8.0.32.10.8.113" + INDEX { matrixSDIndex, + matrixSDSourceAddress, matrixSDDestAddress } + ::= { matrixSDTable 1 } + +MatrixSDEntry ::= SEQUENCE { + matrixSDSourceAddress OCTET STRING, + matrixSDDestAddress OCTET STRING, + matrixSDIndex Integer32, + matrixSDPkts Counter32, + matrixSDOctets Counter32, + matrixSDErrors Counter32 +} + +matrixSDSourceAddress OBJECT-TYPE + SYNTAX OCTET STRING + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The source physical address." + ::= { matrixSDEntry 1 } + +matrixSDDestAddress OBJECT-TYPE + SYNTAX OCTET STRING + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The destination physical address." 
+ ::= { matrixSDEntry 2 } + +matrixSDIndex OBJECT-TYPE + SYNTAX Integer32 (1..65535) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The set of collected matrix statistics of which + this entry is a part. The set of matrix statistics + identified by a particular value of this index + is associated with the same matrixControlEntry + as identified by the same value of matrixControlIndex." + ::= { matrixSDEntry 3 } + +matrixSDPkts OBJECT-TYPE + SYNTAX Counter32 + UNITS "Packets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of packets transmitted from the source + address to the destination address (this number includes + bad packets)." + ::= { matrixSDEntry 4 } + +matrixSDOctets OBJECT-TYPE + SYNTAX Counter32 + UNITS "Octets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of octets (excluding framing bits but + including FCS octets) contained in all packets + transmitted from the source address to the + destination address." + ::= { matrixSDEntry 5 } + +matrixSDErrors OBJECT-TYPE + SYNTAX Counter32 + UNITS "Packets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of bad packets transmitted from + the source address to the destination address." + ::= { matrixSDEntry 6 } + +-- Traffic matrix tables from destination to source + +matrixDSTable OBJECT-TYPE + SYNTAX SEQUENCE OF MatrixDSEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A list of traffic matrix entries indexed by + destination and source MAC address." + ::= { matrix 3 } + +matrixDSEntry OBJECT-TYPE + SYNTAX MatrixDSEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A collection of statistics for communications between + two addresses on a particular interface. 
For example, + an instance of the matrixSDPkts object might be named + matrixSDPkts.1.6.8.0.32.10.8.113.6.8.0.32.27.3.176" + INDEX { matrixDSIndex, + matrixDSDestAddress, matrixDSSourceAddress } + ::= { matrixDSTable 1 } + +MatrixDSEntry ::= SEQUENCE { + matrixDSSourceAddress OCTET STRING, + matrixDSDestAddress OCTET STRING, + matrixDSIndex Integer32, + matrixDSPkts Counter32, + matrixDSOctets Counter32, + matrixDSErrors Counter32 +} + +matrixDSSourceAddress OBJECT-TYPE + SYNTAX OCTET STRING + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The source physical address." + ::= { matrixDSEntry 1 } + +matrixDSDestAddress OBJECT-TYPE + SYNTAX OCTET STRING + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The destination physical address." + ::= { matrixDSEntry 2 } + +matrixDSIndex OBJECT-TYPE + SYNTAX Integer32 (1..65535) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The set of collected matrix statistics of which + this entry is a part. The set of matrix statistics + identified by a particular value of this index + is associated with the same matrixControlEntry + as identified by the same value of matrixControlIndex." + ::= { matrixDSEntry 3 } + +matrixDSPkts OBJECT-TYPE + SYNTAX Counter32 + UNITS "Packets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of packets transmitted from the source + address to the destination address (this number includes + bad packets)." + ::= { matrixDSEntry 4 } + +matrixDSOctets OBJECT-TYPE + SYNTAX Counter32 + UNITS "Octets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of octets (excluding framing bits + but including FCS octets) contained in all packets + transmitted from the source address to the + destination address." + ::= { matrixDSEntry 5 } + +matrixDSErrors OBJECT-TYPE + SYNTAX Counter32 + UNITS "Packets" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of bad packets transmitted from + the source address to the destination address." 
+ ::= { matrixDSEntry 6 } + +-- The Filter Group + +-- Implementation of the Filter group is optional. + +-- Consult the MODULE-COMPLIANCE macro for the authoritative +-- conformance information for this MIB. +-- +-- The Filter group allows packets to be captured with an +-- arbitrary filter expression. A logical data and +-- event stream or "channel" is formed by the packets +-- that match the filter expression. +-- +-- This filter mechanism allows the creation of an arbitrary +-- logical expression with which to filter packets. Each +-- filter associated with a channel is OR'ed with the others. +-- Within a filter, any bits checked in the data and status are +-- AND'ed with respect to other bits in the same filter. The +-- NotMask also allows for checking for inequality. Finally, +-- the channelAcceptType object allows for inversion of the +-- whole equation. +-- +-- If a management station wishes to receive a trap to alert it +-- that new packets have been captured and are available for +-- download, it is recommended that it set up an alarm entry that +-- monitors the value of the relevant channelMatches instance. +-- +-- The channel can be turned on or off, and can also +-- generate events when packets pass through it. + +filterTable OBJECT-TYPE + SYNTAX SEQUENCE OF FilterEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A list of packet filter entries." + ::= { filter 1 } + +filterEntry OBJECT-TYPE + SYNTAX FilterEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A set of parameters for a packet filter applied on a + particular interface. 
As an example, an instance of the + filterPktData object might be named filterPktData.12" + INDEX { filterIndex } + ::= { filterTable 1 } + +FilterEntry ::= SEQUENCE { + filterIndex Integer32, + filterChannelIndex Integer32, + filterPktDataOffset Integer32, + filterPktData OCTET STRING, + filterPktDataMask OCTET STRING, + filterPktDataNotMask OCTET STRING, + filterPktStatus Integer32, + filterPktStatusMask Integer32, + filterPktStatusNotMask Integer32, + filterOwner OwnerString, + filterStatus EntryStatus +} + +filterIndex OBJECT-TYPE + SYNTAX Integer32 (1..65535) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "An index that uniquely identifies an entry + in the filter table. Each such entry defines + one filter that is to be applied to every packet + received on an interface." + ::= { filterEntry 1 } + +filterChannelIndex OBJECT-TYPE + SYNTAX Integer32 (1..65535) + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "This object identifies the channel of which this filter + is a part. The filters identified by a particular value + of this object are associated with the same channel as + identified by the same value of the channelIndex object." + ::= { filterEntry 2 } + +filterPktDataOffset OBJECT-TYPE + SYNTAX Integer32 + UNITS "Octets" + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The offset from the beginning of each packet where + a match of packet data will be attempted. This offset + is measured from the point in the physical layer + packet after the framing bits, if any. For example, + in an Ethernet frame, this point is at the beginning of + the destination MAC address. + + This object may not be modified if the associated + filterStatus object is equal to valid(1)." + DEFVAL { 0 } + ::= { filterEntry 3 } + +filterPktData OBJECT-TYPE + SYNTAX OCTET STRING + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The data that is to be matched with the input packet. 
+ For each packet received, this filter and the accompanying
+ filterPktDataMask and filterPktDataNotMask will be
+ adjusted for the offset. The only bits relevant to this
+ match algorithm are those that have the corresponding
+ filterPktDataMask bit equal to one. The following three
+ rules are then applied to every packet:
+
+ (1) If the packet is too short and does not have data
+ corresponding to part of the filterPktData, the packet
+ will fail this data match.
+
+ (2) For each relevant bit from the packet with the
+ corresponding filterPktDataNotMask bit set to zero, if
+ the bit from the packet is not equal to the corresponding
+ bit from the filterPktData, then the packet will fail
+ this data match.
+
+ (3) If for every relevant bit from the packet with the
+ corresponding filterPktDataNotMask bit set to one, the
+ bit from the packet is equal to the corresponding bit
+ from the filterPktData, then the packet will fail this
+ data match.
+
+ Any packets that have not failed any of the three matches
+ above have passed this data match. In particular, a zero
+ length filter will match any packet.
+
+ This object may not be modified if the associated
+ filterStatus object is equal to valid(1)."
+ ::= { filterEntry 4 }
+
+filterPktDataMask OBJECT-TYPE
+ SYNTAX OCTET STRING
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The mask that is applied to the match process.
+ After adjusting this mask for the offset, only those
+ bits in the received packet that correspond to bits set
+ in this mask are relevant for further processing by the
+
+ match algorithm. The offset is applied to filterPktDataMask
+ in the same way it is applied to the filter. For the
+ purposes of the matching algorithm, if the associated
+ filterPktData object is longer than this mask, this mask is
+ conceptually extended with '1' bits until it reaches the
+ length of the filterPktData object.
+
+ This object may not be modified if the associated
+ filterStatus object is equal to valid(1)."
+ ::= { filterEntry 5 }
+
+filterPktDataNotMask OBJECT-TYPE
+ SYNTAX OCTET STRING
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The inversion mask that is applied to the match
+ process. After adjusting this mask for the offset,
+ those relevant bits in the received packet that correspond
+ to bits cleared in this mask must all be equal to their
+ corresponding bits in the filterPktData object for the packet
+ to be accepted. In addition, at least one of those relevant
+ bits in the received packet that correspond to bits set in
+ this mask must be different to its corresponding bit in the
+ filterPktData object.
+
+ For the purposes of the matching algorithm, if the associated
+ filterPktData object is longer than this mask, this mask is
+ conceptually extended with '0' bits until it reaches the
+ length of the filterPktData object.
+
+ This object may not be modified if the associated
+ filterStatus object is equal to valid(1)."
+ ::= { filterEntry 6 }
+
+filterPktStatus OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The status that is to be matched with the input packet.
+ The only bits relevant to this match algorithm are those that
+ have the corresponding filterPktStatusMask bit equal to one.
+ The following two rules are then applied to every packet:
+
+ (1) For each relevant bit from the packet status with the
+ corresponding filterPktStatusNotMask bit set to zero, if
+ the bit from the packet status is not equal to the
+
+ corresponding bit from the filterPktStatus, then the
+ packet will fail this status match.
+
+ (2) If for every relevant bit from the packet status with the
+ corresponding filterPktStatusNotMask bit set to one, the
+ bit from the packet status is equal to the corresponding
+ bit from the filterPktStatus, then the packet will fail
+ this status match.
+
+ Any packets that have not failed either of the two matches
+ above have passed this status match. In particular, a zero
+ length status filter will match any packet's status.
+
+ The value of the packet status is a sum. This sum
+ initially takes the value zero. Then, for each
+ error, E, that has been discovered in this packet,
+ 2 raised to a value representing E is added to the sum.
+ The errors and the bits that represent them are dependent
+ on the media type of the interface that this channel
+ is receiving packets from.
+
+ The errors defined for a packet captured off of an
+ Ethernet interface are as follows:
+
+ bit # Error
+ 0 Packet is longer than 1518 octets
+ 1 Packet is shorter than 64 octets
+ 2 Packet experienced a CRC or Alignment error
+
+ For example, an Ethernet fragment would have a
+ value of 6 (2^1 + 2^2).
+
+ As this MIB is expanded to new media types, this object
+ will have other media-specific errors defined.
+
+ For the purposes of this status matching algorithm, if the
+ packet status is longer than this filterPktStatus object,
+ this object is conceptually extended with '0' bits until it
+ reaches the size of the packet status.
+
+ This object may not be modified if the associated
+ filterStatus object is equal to valid(1)."
+ ::= { filterEntry 7 }
+
+filterPktStatusMask OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The mask that is applied to the status match process.
+ Only those bits in the received packet that correspond to
+ bits set in this mask are relevant for further processing
+ by the status match algorithm. For the purposes
+ of the matching algorithm, if the associated filterPktStatus
+ object is longer than this mask, this mask is conceptually
+ extended with '1' bits until it reaches the size of the
+ filterPktStatus. In addition, if a packet status is longer
+ than this mask, this mask is conceptually extended with '0'
+ bits until it reaches the size of the packet status.
+
+ This object may not be modified if the associated
+ filterStatus object is equal to valid(1)."
+ ::= { filterEntry 8 }
+
+filterPktStatusNotMask OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The inversion mask that is applied to the status match
+ process. Those relevant bits in the received packet status
+ that correspond to bits cleared in this mask must all be
+ equal to their corresponding bits in the filterPktStatus
+ object for the packet to be accepted. In addition, at least
+ one of those relevant bits in the received packet status
+ that correspond to bits set in this mask must be different
+ to its corresponding bit in the filterPktStatus object for
+ the packet to be accepted.
+
+ For the purposes of the matching algorithm, if the associated
+ filterPktStatus object or a packet status is longer than this
+ mask, this mask is conceptually extended with '0' bits until
+ it reaches the longer of the lengths of the filterPktStatus
+ object and the packet status.
+
+ This object may not be modified if the associated
+ filterStatus object is equal to valid(1)."
+ ::= { filterEntry 9 }
+
+filterOwner OBJECT-TYPE
+ SYNTAX OwnerString
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The entity that configured this entry and is therefore
+ using the resources assigned to it."
+ ::= { filterEntry 10 }
+
+filterStatus OBJECT-TYPE
+ SYNTAX EntryStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The status of this filter entry."
+ ::= { filterEntry 11 }
+
+channelTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF ChannelEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A list of packet channel entries."
+ ::= { filter 2 }
+
+channelEntry OBJECT-TYPE
+ SYNTAX ChannelEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A set of parameters for a packet channel applied on a
+ particular interface.
As an example, an instance of the
+ channelMatches object might be named channelMatches.3"
+ INDEX { channelIndex }
+ ::= { channelTable 1 }
+
+ChannelEntry ::= SEQUENCE {
+ channelIndex Integer32,
+ channelIfIndex Integer32,
+ channelAcceptType INTEGER,
+ channelDataControl INTEGER,
+ channelTurnOnEventIndex Integer32,
+ channelTurnOffEventIndex Integer32,
+ channelEventIndex Integer32,
+ channelEventStatus INTEGER,
+ channelMatches Counter32,
+ channelDescription DisplayString,
+ channelOwner OwnerString,
+ channelStatus EntryStatus
+}
+
+channelIndex OBJECT-TYPE
+ SYNTAX Integer32 (1..65535)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "An index that uniquely identifies an entry in the channel
+ table. Each such entry defines one channel, a logical
+ data and event stream.
+
+ It is suggested that before creating a channel, an
+ application should scan all instances of the
+ filterChannelIndex object to make sure that there are no
+ pre-existing filters that would be inadvertently be linked
+ to the channel."
+ ::= { channelEntry 1 }
+
+channelIfIndex OBJECT-TYPE
+ SYNTAX Integer32 (1..65535)
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The value of this object uniquely identifies the
+ interface on this remote network monitoring device to which
+ the associated filters are applied to allow data into this
+ channel. The interface identified by a particular value
+ of this object is the same interface as identified by the
+ same value of the ifIndex object, defined in RFC 2233 [17].
+
+ The filters in this group are applied to all packets on
+ the local network segment attached to the identified
+ interface.
+
+ An agent may or may not be able to tell if fundamental
+ changes to the media of the interface have occurred and
+ necessitate an invalidation of this entry. For example, a
+ hot-pluggable ethernet card could be pulled out and replaced
+ by a token-ring card.
In such a case, if the agent has such
+ knowledge of the change, it is recommended that it
+ invalidate this entry.
+
+ This object may not be modified if the associated
+ channelStatus object is equal to valid(1)."
+ ::= { channelEntry 2 }
+
+channelAcceptType OBJECT-TYPE
+ SYNTAX INTEGER {
+ acceptMatched(1),
+ acceptFailed(2)
+ }
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "This object controls the action of the filters
+ associated with this channel. If this object is equal
+ to acceptMatched(1), packets will be accepted to this
+ channel if they are accepted by both the packet data and
+ packet status matches of an associated filter. If
+ this object is equal to acceptFailed(2), packets will
+ be accepted to this channel only if they fail either
+ the packet data match or the packet status match of
+ each of the associated filters.
+
+ In particular, a channel with no associated filters will
+ match no packets if set to acceptMatched(1) case and will
+ match all packets in the acceptFailed(2) case.
+
+ This object may not be modified if the associated
+ channelStatus object is equal to valid(1)."
+ ::= { channelEntry 3 }
+
+channelDataControl OBJECT-TYPE
+ SYNTAX INTEGER {
+ on(1),
+ off(2)
+ }
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "This object controls the flow of data through this channel.
+ If this object is on(1), data, status and events flow
+ through this channel. If this object is off(2), data,
+ status and events will not flow through this channel."
+ DEFVAL { off }
+ ::= { channelEntry 4 }
+
+channelTurnOnEventIndex OBJECT-TYPE
+ SYNTAX Integer32 (0..65535)
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The value of this object identifies the event
+ that is configured to turn the associated
+ channelDataControl from off to on when the event is
+ generated. The event identified by a particular value
+ of this object is the same event as identified by the
+ same value of the eventIndex object.
If there is no
+ corresponding entry in the eventTable, then no
+ association exists. In fact, if no event is intended
+ for this channel, channelTurnOnEventIndex must be
+ set to zero, a non-existent event index.
+
+ This object may not be modified if the associated
+ channelStatus object is equal to valid(1)."
+ ::= { channelEntry 5 }
+
+channelTurnOffEventIndex OBJECT-TYPE
+ SYNTAX Integer32 (0..65535)
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The value of this object identifies the event
+ that is configured to turn the associated
+ channelDataControl from on to off when the event is
+ generated. The event identified by a particular value
+ of this object is the same event as identified by the
+ same value of the eventIndex object. If there is no
+ corresponding entry in the eventTable, then no
+ association exists. In fact, if no event is intended
+ for this channel, channelTurnOffEventIndex must be
+ set to zero, a non-existent event index.
+
+ This object may not be modified if the associated
+ channelStatus object is equal to valid(1)."
+ ::= { channelEntry 6 }
+
+channelEventIndex OBJECT-TYPE
+ SYNTAX Integer32 (0..65535)
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The value of this object identifies the event
+ that is configured to be generated when the
+ associated channelDataControl is on and a packet
+ is matched. The event identified by a particular value
+ of this object is the same event as identified by the
+ same value of the eventIndex object. If there is no
+ corresponding entry in the eventTable, then no
+ association exists. In fact, if no event is intended
+ for this channel, channelEventIndex must be
+ set to zero, a non-existent event index.
+
+ This object may not be modified if the associated
+ channelStatus object is equal to valid(1)."
+ ::= { channelEntry 7 }
+
+channelEventStatus OBJECT-TYPE
+ SYNTAX INTEGER {
+ eventReady(1),
+ eventFired(2),
+ eventAlwaysReady(3)
+ }
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The event status of this channel.
+
+ If this channel is configured to generate events
+ when packets are matched, a means of controlling
+ the flow of those events is often needed. When
+ this object is equal to eventReady(1), a single
+ event may be generated, after which this object
+ will be set by the probe to eventFired(2). While
+ in the eventFired(2) state, no events will be
+ generated until the object is modified to
+ eventReady(1) (or eventAlwaysReady(3)). The
+ management station can thus easily respond to a
+ notification of an event by re-enabling this object.
+
+ If the management station wishes to disable this
+ flow control and allow events to be generated
+ at will, this object may be set to
+ eventAlwaysReady(3). Disabling the flow control
+ is discouraged as it can result in high network
+ traffic or other performance problems."
+ DEFVAL { eventReady }
+ ::= { channelEntry 8 }
+
+channelMatches OBJECT-TYPE
+ SYNTAX Counter32
+ UNITS "Packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of times this channel has matched a packet.
+ Note that this object is updated even when
+ channelDataControl is set to off."
+ ::= { channelEntry 9 }
+
+channelDescription OBJECT-TYPE
+ SYNTAX DisplayString (SIZE (0..127))
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "A comment describing this channel."
+ ::= { channelEntry 10 }
+
+channelOwner OBJECT-TYPE
+ SYNTAX OwnerString
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The entity that configured this entry and is therefore
+ using the resources assigned to it."
+ ::= { channelEntry 11 }
+
+channelStatus OBJECT-TYPE
+ SYNTAX EntryStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The status of this channel entry."
+ ::= { channelEntry 12 }
+
+-- The Packet Capture Group
+
+-- Implementation of the Packet Capture group is optional. The Packet
+-- Capture Group requires implementation of the Filter Group.
+-- Consult the MODULE-COMPLIANCE macro for the authoritative
+-- conformance information for this MIB.
+--
+-- The Packet Capture group allows packets to be captured
+-- upon a filter match. The bufferControlTable controls
+-- the captured packets output from a channel that is
+-- associated with it. The captured packets are placed
+-- in entries in the captureBufferTable. These entries are
+-- associated with the bufferControlEntry on whose behalf they
+-- were stored.
+
+bufferControlTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF BufferControlEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A list of buffers control entries."
+ ::= { capture 1 }
+
+bufferControlEntry OBJECT-TYPE
+ SYNTAX BufferControlEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A set of parameters that control the collection of a stream
+ of packets that have matched filters.
As an example, an
+ instance of the bufferControlCaptureSliceSize object might
+ be named bufferControlCaptureSliceSize.3"
+ INDEX { bufferControlIndex }
+ ::= { bufferControlTable 1 }
+
+BufferControlEntry ::= SEQUENCE {
+ bufferControlIndex Integer32,
+ bufferControlChannelIndex Integer32,
+ bufferControlFullStatus INTEGER,
+ bufferControlFullAction INTEGER,
+ bufferControlCaptureSliceSize Integer32,
+ bufferControlDownloadSliceSize Integer32,
+ bufferControlDownloadOffset Integer32,
+ bufferControlMaxOctetsRequested Integer32,
+ bufferControlMaxOctetsGranted Integer32,
+ bufferControlCapturedPackets Integer32,
+ bufferControlTurnOnTime TimeTicks,
+ bufferControlOwner OwnerString,
+ bufferControlStatus EntryStatus
+}
+
+bufferControlIndex OBJECT-TYPE
+ SYNTAX Integer32 (1..65535)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "An index that uniquely identifies an entry
+ in the bufferControl table. The value of this
+ index shall never be zero. Each such
+ entry defines one set of packets that is
+ captured and controlled by one or more filters."
+ ::= { bufferControlEntry 1 }
+
+bufferControlChannelIndex OBJECT-TYPE
+ SYNTAX Integer32 (1..65535)
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "An index that identifies the channel that is the
+ source of packets for this bufferControl table.
+ The channel identified by a particular value of this
+ index is the same as identified by the same value of
+ the channelIndex object.
+
+ This object may not be modified if the associated
+ bufferControlStatus object is equal to valid(1)."
+ ::= { bufferControlEntry 2 }
+
+bufferControlFullStatus OBJECT-TYPE
+ SYNTAX INTEGER {
+
+ spaceAvailable(1),
+ full(2)
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "This object shows whether the buffer has room to
+ accept new packets or if it is full.
+
+ If the status is spaceAvailable(1), the buffer is
+ accepting new packets normally.
If the status is
+ full(2) and the associated bufferControlFullAction
+ object is wrapWhenFull, the buffer is accepting new
+ packets by deleting enough of the oldest packets
+ to make room for new ones as they arrive. Otherwise,
+ if the status is full(2) and the
+ bufferControlFullAction object is lockWhenFull,
+ then the buffer has stopped collecting packets.
+
+ When this object is set to full(2) the probe must
+ not later set it to spaceAvailable(1) except in the
+ case of a significant gain in resources such as
+ an increase of bufferControlOctetsGranted. In
+ particular, the wrap-mode action of deleting old
+ packets to make room for newly arrived packets
+ must not affect the value of this object."
+ ::= { bufferControlEntry 3 }
+
+bufferControlFullAction OBJECT-TYPE
+ SYNTAX INTEGER {
+ lockWhenFull(1),
+ wrapWhenFull(2) -- FIFO
+ }
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "Controls the action of the buffer when it
+ reaches the full status. When in the lockWhenFull(1)
+ state and a packet is added to the buffer that
+ fills the buffer, the bufferControlFullStatus will
+ be set to full(2) and this buffer will stop capturing
+ packets."
+ ::= { bufferControlEntry 4 }
+
+bufferControlCaptureSliceSize OBJECT-TYPE
+ SYNTAX Integer32
+ UNITS "Octets"
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The maximum number of octets of each packet
+ that will be saved in this capture buffer.
+ For example, if a 1500 octet packet is received by
+ the probe and this object is set to 500, then only
+ 500 octets of the packet will be stored in the
+ associated capture buffer. If this variable is set
+ to 0, the capture buffer will save as many octets
+ as is possible.
+
+ This object may not be modified if the associated
+ bufferControlStatus object is equal to valid(1)."
+ DEFVAL { 100 }
+ ::= { bufferControlEntry 5 }
+
+bufferControlDownloadSliceSize OBJECT-TYPE
+ SYNTAX Integer32
+ UNITS "Octets"
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The maximum number of octets of each packet
+ in this capture buffer that will be returned in
+ an SNMP retrieval of that packet. For example,
+ if 500 octets of a packet have been stored in the
+ associated capture buffer, the associated
+ bufferControlDownloadOffset is 0, and this
+ object is set to 100, then the captureBufferPacket
+ object that contains the packet will contain only
+ the first 100 octets of the packet.
+
+ A prudent manager will take into account possible
+ interoperability or fragmentation problems that may
+ occur if the download slice size is set too large.
+ In particular, conformant SNMP implementations are not
+ required to accept messages whose length exceeds 484
+ octets, although they are encouraged to support larger
+ datagrams whenever feasible."
+ DEFVAL { 100 }
+ ::= { bufferControlEntry 6 }
+
+bufferControlDownloadOffset OBJECT-TYPE
+ SYNTAX Integer32
+ UNITS "Octets"
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The offset of the first octet of each packet
+ in this capture buffer that will be returned in
+ an SNMP retrieval of that packet. For example,
+ if 500 octets of a packet have been stored in the
+ associated capture buffer and this object is set to
+ 100, then the captureBufferPacket object that
+ contains the packet will contain bytes starting
+ 100 octets into the packet."
+ DEFVAL { 0 }
+ ::= { bufferControlEntry 7 }
+
+bufferControlMaxOctetsRequested OBJECT-TYPE
+ SYNTAX Integer32
+ UNITS "Octets"
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The requested maximum number of octets to be
+ saved in this captureBuffer, including any
+ implementation-specific overhead. If this variable
+ is set to -1, the capture buffer will save as many
+ octets as is possible.
+
+ When this object is created or modified, the probe
+ should set bufferControlMaxOctetsGranted as closely
+ to this object as is possible for the particular probe
+ implementation and available resources. However, if
+ the object has the special value of -1, the probe
+ must set bufferControlMaxOctetsGranted to -1."
+ DEFVAL { -1 }
+ ::= { bufferControlEntry 8 }
+
+bufferControlMaxOctetsGranted OBJECT-TYPE
+ SYNTAX Integer32
+ UNITS "Octets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The maximum number of octets that can be
+ saved in this captureBuffer, including overhead.
+ If this variable is -1, the capture buffer will save
+ as many octets as possible.
+
+ When the bufferControlMaxOctetsRequested object is
+ created or modified, the probe should set this object
+ as closely to the requested value as is possible for the
+ particular probe implementation and available resources.
+ However, if the request object has the special value
+
+ of -1, the probe must set this object to -1.
+
+ The probe must not lower this value except as a result of
+ a modification to the associated
+ bufferControlMaxOctetsRequested object.
+
+ When this maximum number of octets is reached
+ and a new packet is to be added to this
+ capture buffer and the corresponding
+ bufferControlFullAction is set to wrapWhenFull(2),
+ enough of the oldest packets associated with this
+ capture buffer shall be deleted by the agent so
+ that the new packet can be added. If the corresponding
+ bufferControlFullAction is set to lockWhenFull(1),
+ the new packet shall be discarded. In either case,
+ the probe must set bufferControlFullStatus to
+ full(2).
+
+ When the value of this object changes to a value less
+ than the current value, entries are deleted from
+ the captureBufferTable associated with this
+ bufferControlEntry.
Enough of the
+ oldest of these captureBufferEntries shall be
+ deleted by the agent so that the number of octets
+ used remains less than or equal to the new value of
+ this object.
+
+ When the value of this object changes to a value greater
+ than the current value, the number of associated
+ captureBufferEntries may be allowed to grow."
+ ::= { bufferControlEntry 9 }
+
+bufferControlCapturedPackets OBJECT-TYPE
+ SYNTAX Integer32
+ UNITS "Packets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of packets currently in this captureBuffer."
+ ::= { bufferControlEntry 10 }
+
+bufferControlTurnOnTime OBJECT-TYPE
+ SYNTAX TimeTicks
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of sysUpTime when this capture buffer was
+ first turned on."
+ ::= { bufferControlEntry 11 }
+
+bufferControlOwner OBJECT-TYPE
+ SYNTAX OwnerString
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The entity that configured this entry and is therefore
+ using the resources assigned to it."
+ ::= { bufferControlEntry 12 }
+
+bufferControlStatus OBJECT-TYPE
+ SYNTAX EntryStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The status of this buffer Control Entry."
+ ::= { bufferControlEntry 13 }
+
+captureBufferTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF CaptureBufferEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A list of packets captured off of a channel."
+ ::= { capture 2 }
+
+captureBufferEntry OBJECT-TYPE
+ SYNTAX CaptureBufferEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A packet captured off of an attached network.
As an
+ example, an instance of the captureBufferPacketData
+ object might be named captureBufferPacketData.3.1783"
+ INDEX { captureBufferControlIndex, captureBufferIndex }
+ ::= { captureBufferTable 1 }
+
+CaptureBufferEntry ::= SEQUENCE {
+ captureBufferControlIndex Integer32,
+ captureBufferIndex Integer32,
+ captureBufferPacketID Integer32,
+ captureBufferPacketData OCTET STRING,
+ captureBufferPacketLength Integer32,
+ captureBufferPacketTime Integer32,
+ captureBufferPacketStatus Integer32
+}
+
+captureBufferControlIndex OBJECT-TYPE
+ SYNTAX Integer32 (1..65535)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The index of the bufferControlEntry with which
+ this packet is associated."
+ ::= { captureBufferEntry 1 }
+
+captureBufferIndex OBJECT-TYPE
+ SYNTAX Integer32 (1..2147483647)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "An index that uniquely identifies an entry
+ in the captureBuffer table associated with a
+ particular bufferControlEntry. This index will
+ start at 1 and increase by one for each new packet
+ added with the same captureBufferControlIndex.
+
+ Should this value reach 2147483647, the next packet
+ added with the same captureBufferControlIndex shall
+ cause this value to wrap around to 1."
+ ::= { captureBufferEntry 2 }
+
+captureBufferPacketID OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "An index that describes the order of packets
+ that are received on a particular interface.
+ The packetID of a packet captured on an
+ interface is defined to be greater than the
+ packetID's of all packets captured previously on
+ the same interface. As the captureBufferPacketID
+ object has a maximum positive value of 2^31 - 1,
+ any captureBufferPacketID object shall have the
+ value of the associated packet's packetID mod 2^31."
+ ::= { captureBufferEntry 3 }
+
+captureBufferPacketData OBJECT-TYPE
+ SYNTAX OCTET STRING
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The data inside the packet, starting at the beginning
+ of the packet plus any offset specified in the
+
+ associated bufferControlDownloadOffset, including any
+ link level headers. The length of the data in this object
+ is the minimum of the length of the captured packet minus
+ the offset, the length of the associated
+ bufferControlCaptureSliceSize minus the offset, and the
+ associated bufferControlDownloadSliceSize. If this minimum
+ is less than zero, this object shall have a length of zero."
+ ::= { captureBufferEntry 4 }
+
+captureBufferPacketLength OBJECT-TYPE
+ SYNTAX Integer32
+ UNITS "Octets"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The actual length (off the wire) of the packet stored
+ in this entry, including FCS octets."
+ ::= { captureBufferEntry 5 }
+
+captureBufferPacketTime OBJECT-TYPE
+ SYNTAX Integer32
+ UNITS "Milliseconds"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of milliseconds that had passed since
+ this capture buffer was first turned on when this
+ packet was captured."
+ ::= { captureBufferEntry 6 }
+
+captureBufferPacketStatus OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "A value which indicates the error status of this packet.
+
+ The value of this object is defined in the same way as
+ filterPktStatus. The value is a sum. This sum
+ initially takes the value zero. Then, for each
+ error, E, that has been discovered in this packet,
+ 2 raised to a value representing E is added to the sum.
+
+ The errors defined for a packet captured off of an
+ Ethernet interface are as follows:
+
+ bit # Error
+ 0 Packet is longer than 1518 octets
+
+ 1 Packet is shorter than 64 octets
+ 2 Packet experienced a CRC or Alignment error
+ 3 First packet in this capture buffer after
+ it was detected that some packets were
+ not processed correctly.
+ 4 Packet's order in buffer is only approximate
+ (May only be set for packets sent from
+ the probe)
+
+ For example, an Ethernet fragment would have a
+ value of 6 (2^1 + 2^2).
+
+ As this MIB is expanded to new media types, this object
+ will have other media-specific errors defined."
+ ::= { captureBufferEntry 7 }
+
+-- The Event Group
+
+-- Implementation of the Event group is optional.
+-- Consult the MODULE-COMPLIANCE macro for the authoritative
+-- conformance information for this MIB.
+--
+-- The Event group controls the generation and notification
+-- of events from this device. Each entry in the eventTable
+-- describes the parameters of the event that can be triggered.
+-- Each event entry is fired by an associated condition located
+-- elsewhere in the MIB. An event entry may also be associated
+-- with a function elsewhere in the MIB that will be executed
+-- when the event is generated. For example, a channel may
+-- be turned on or off by the firing of an event.
+--
+-- Each eventEntry may optionally specify that a log entry
+-- be created on its behalf whenever the event occurs.
+-- Each entry may also specify that notification should
+-- occur by way of SNMP trap messages. In this case, the
+-- community for the trap message is given in the associated
+-- eventCommunity object. The enterprise and specific trap
+-- fields of the trap are determined by the condition that
+-- triggered the event. Two traps are defined: risingAlarm and
+-- fallingAlarm.
If the eventTable is triggered by a condition
+-- specified elsewhere, the enterprise and specific trap fields
+-- must be specified for traps generated for that condition.
+
+eventTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF EventEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A list of events to be generated."
+ ::= { event 1 }
+
+eventEntry OBJECT-TYPE
+ SYNTAX EventEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A set of parameters that describe an event to be generated
+ when certain conditions are met. As an example, an instance
+ of the eventLastTimeSent object might be named
+ eventLastTimeSent.6"
+ INDEX { eventIndex }
+ ::= { eventTable 1 }
+
+EventEntry ::= SEQUENCE {
+ eventIndex Integer32,
+ eventDescription DisplayString,
+ eventType INTEGER,
+ eventCommunity OCTET STRING,
+ eventLastTimeSent TimeTicks,
+ eventOwner OwnerString,
+ eventStatus EntryStatus
+}
+
+eventIndex OBJECT-TYPE
+ SYNTAX Integer32 (1..65535)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "An index that uniquely identifies an entry in the
+ event table. Each such entry defines one event that
+ is to be generated when the appropriate conditions
+ occur."
+ ::= { eventEntry 1 }
+
+eventDescription OBJECT-TYPE
+ SYNTAX DisplayString (SIZE (0..127))
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "A comment describing this event entry."
+ ::= { eventEntry 2 }
+
+eventType OBJECT-TYPE
+ SYNTAX INTEGER {
+ none(1),
+ log(2),
+ snmptrap(3), -- send an SNMP trap
+ logandtrap(4)
+ }
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The type of notification that the probe will make
+ about this event. In the case of log, an entry is
+ made in the log table for each event. In the case of
+ snmp-trap, an SNMP trap is sent to one or more
+ management stations."
+ ::= { eventEntry 3 } + +eventCommunity OBJECT-TYPE + SYNTAX OCTET STRING (SIZE (0..127)) + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "If an SNMP trap is to be sent, it will be sent to + the SNMP community specified by this octet string." + ::= { eventEntry 4 } + +eventLastTimeSent OBJECT-TYPE + SYNTAX TimeTicks + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of sysUpTime at the time this event + entry last generated an event. If this entry has + not generated any events, this value will be + zero." + ::= { eventEntry 5 } + +eventOwner OBJECT-TYPE + SYNTAX OwnerString + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The entity that configured this entry and is therefore + using the resources assigned to it. + + If this object contains a string starting with 'monitor' + and has associated entries in the log table, all connected + management stations should retrieve those log entries, + as they may have significance to all management stations + connected to this device" + ::= { eventEntry 6 } + +eventStatus OBJECT-TYPE + SYNTAX EntryStatus + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The status of this event entry. + + If this object is not equal to valid(1), all associated + log entries shall be deleted by the agent." + ::= { eventEntry 7 } + +-- +logTable OBJECT-TYPE + SYNTAX SEQUENCE OF LogEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A list of events that have been logged." + ::= { event 2 } + +logEntry OBJECT-TYPE + SYNTAX LogEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A set of data describing an event that has been + logged. 
For example, an instance of the logDescription + object might be named logDescription.6.47" + INDEX { logEventIndex, logIndex } + ::= { logTable 1 } + +LogEntry ::= SEQUENCE { + logEventIndex Integer32, + logIndex Integer32, + logTime TimeTicks, + logDescription DisplayString +} + +logEventIndex OBJECT-TYPE + SYNTAX Integer32 (1..65535) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The event entry that generated this log + entry. The log identified by a particular + value of this index is associated with the same + eventEntry as identified by the same value + of eventIndex." + ::= { logEntry 1 } + +logIndex OBJECT-TYPE + SYNTAX Integer32 (1..2147483647) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "An index that uniquely identifies an entry + in the log table amongst those generated by the + same eventEntries. These indexes are + assigned beginning with 1 and increase by one + with each new log entry. The association + between values of logIndex and logEntries + is fixed for the lifetime of each logEntry. + The agent may choose to delete the oldest + instances of logEntry as required because of + lack of memory. It is an implementation-specific + matter as to when this deletion may occur." + ::= { logEntry 2 } + +logTime OBJECT-TYPE + SYNTAX TimeTicks + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of sysUpTime when this log entry was created." + ::= { logEntry 3 } + +logDescription OBJECT-TYPE + SYNTAX DisplayString (SIZE (0..255)) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "An implementation dependent description of the + event that activated this log entry." + ::= { logEntry 4 } + +-- Remote Network Monitoring Traps + +rmonEventsV2 OBJECT-IDENTITY + STATUS current + DESCRIPTION "Definition point for RMON notifications." 
+ ::= { rmon 0 } + +risingAlarm NOTIFICATION-TYPE + OBJECTS { alarmIndex, alarmVariable, alarmSampleType, + alarmValue, alarmRisingThreshold } + STATUS current + DESCRIPTION + "The SNMP trap that is generated when an alarm + entry crosses its rising threshold and generates + an event that is configured for sending SNMP + traps." + ::= { rmonEventsV2 1 } + +fallingAlarm NOTIFICATION-TYPE + OBJECTS { alarmIndex, alarmVariable, alarmSampleType, + alarmValue, alarmFallingThreshold } + STATUS current + DESCRIPTION + "The SNMP trap that is generated when an alarm + entry crosses its falling threshold and generates + an event that is configured for sending SNMP + traps." + ::= { rmonEventsV2 2 } + +-- Conformance information + +rmonCompliances OBJECT IDENTIFIER ::= { rmonConformance 9 } +rmonGroups OBJECT IDENTIFIER ::= { rmonConformance 10 } + +-- Compliance Statements +rmonCompliance MODULE-COMPLIANCE + STATUS current + DESCRIPTION + "The requirements for conformance to the RMON MIB. At least + one of the groups in this module must be implemented to + conform to the RMON MIB. Implementations of this MIB + must also implement the system group of MIB-II [16] and the + IF-MIB [17]." + MODULE -- this module + + GROUP rmonEtherStatsGroup + DESCRIPTION + "The RMON Ethernet Statistics Group is optional." + + GROUP rmonHistoryControlGroup + DESCRIPTION + "The RMON History Control Group is optional." + + GROUP rmonEthernetHistoryGroup + DESCRIPTION + "The RMON Ethernet History Group is optional." + + GROUP rmonAlarmGroup + DESCRIPTION + "The RMON Alarm Group is optional." + + GROUP rmonHostGroup + DESCRIPTION + "The RMON Host Group is mandatory when the + rmonHostTopNGroup is implemented." + + GROUP rmonHostTopNGroup + DESCRIPTION + "The RMON Host Top N Group is optional." + + GROUP rmonMatrixGroup + DESCRIPTION + "The RMON Matrix Group is optional." + + GROUP rmonFilterGroup + DESCRIPTION + "The RMON Filter Group is mandatory when the + rmonPacketCaptureGroup is implemented." 
+ + GROUP rmonPacketCaptureGroup + DESCRIPTION + "The RMON Packet Capture Group is optional." + + GROUP rmonEventGroup + DESCRIPTION + "The RMON Event Group is mandatory when the + rmonAlarmGroup is implemented." + ::= { rmonCompliances 1 } + + rmonEtherStatsGroup OBJECT-GROUP + OBJECTS { + etherStatsIndex, etherStatsDataSource, + etherStatsDropEvents, etherStatsOctets, etherStatsPkts, + etherStatsBroadcastPkts, etherStatsMulticastPkts, + etherStatsCRCAlignErrors, etherStatsUndersizePkts, + etherStatsOversizePkts, etherStatsFragments, + etherStatsJabbers, etherStatsCollisions, + etherStatsPkts64Octets, etherStatsPkts65to127Octets, + etherStatsPkts128to255Octets, + etherStatsPkts256to511Octets, + etherStatsPkts512to1023Octets, + etherStatsPkts1024to1518Octets, + etherStatsOwner, etherStatsStatus + } + STATUS current + DESCRIPTION + "The RMON Ethernet Statistics Group." + ::= { rmonGroups 1 } + + rmonHistoryControlGroup OBJECT-GROUP + OBJECTS { + historyControlIndex, historyControlDataSource, + historyControlBucketsRequested, + historyControlBucketsGranted, historyControlInterval, + historyControlOwner, historyControlStatus + } + STATUS current + DESCRIPTION + "The RMON History Control Group." + ::= { rmonGroups 2 } + + rmonEthernetHistoryGroup OBJECT-GROUP + OBJECTS { + etherHistoryIndex, etherHistorySampleIndex, + etherHistoryIntervalStart, etherHistoryDropEvents, + etherHistoryOctets, etherHistoryPkts, + etherHistoryBroadcastPkts, etherHistoryMulticastPkts, + etherHistoryCRCAlignErrors, etherHistoryUndersizePkts, + etherHistoryOversizePkts, etherHistoryFragments, + etherHistoryJabbers, etherHistoryCollisions, + etherHistoryUtilization + } + STATUS current + DESCRIPTION + "The RMON Ethernet History Group." 
+ ::= { rmonGroups 3 } + + rmonAlarmGroup OBJECT-GROUP + OBJECTS { + alarmIndex, alarmInterval, alarmVariable, + alarmSampleType, alarmValue, alarmStartupAlarm, + alarmRisingThreshold, alarmFallingThreshold, + alarmRisingEventIndex, alarmFallingEventIndex, + alarmOwner, alarmStatus + } + STATUS current + DESCRIPTION + "The RMON Alarm Group." + ::= { rmonGroups 4 } + + rmonHostGroup OBJECT-GROUP + OBJECTS { + hostControlIndex, hostControlDataSource, + hostControlTableSize, hostControlLastDeleteTime, + hostControlOwner, hostControlStatus, + hostAddress, hostCreationOrder, hostIndex, + hostInPkts, hostOutPkts, hostInOctets, + hostOutOctets, hostOutErrors, hostOutBroadcastPkts, + hostOutMulticastPkts, hostTimeAddress, + hostTimeCreationOrder, hostTimeIndex, + hostTimeInPkts, hostTimeOutPkts, hostTimeInOctets, + hostTimeOutOctets, hostTimeOutErrors, + hostTimeOutBroadcastPkts, hostTimeOutMulticastPkts + } + STATUS current + DESCRIPTION + "The RMON Host Group." + ::= { rmonGroups 5 } + + rmonHostTopNGroup OBJECT-GROUP + OBJECTS { + hostTopNControlIndex, hostTopNHostIndex, + hostTopNRateBase, hostTopNTimeRemaining, + hostTopNDuration, hostTopNRequestedSize, + hostTopNGrantedSize, hostTopNStartTime, + hostTopNOwner, hostTopNStatus, + hostTopNReport, hostTopNIndex, + hostTopNAddress, hostTopNRate + } + STATUS current + DESCRIPTION + "The RMON Host Top 'N' Group." + ::= { rmonGroups 6 } + + rmonMatrixGroup OBJECT-GROUP + OBJECTS { + matrixControlIndex, matrixControlDataSource, + matrixControlTableSize, matrixControlLastDeleteTime, + matrixControlOwner, matrixControlStatus, + matrixSDSourceAddress, matrixSDDestAddress, + matrixSDIndex, matrixSDPkts, + matrixSDOctets, matrixSDErrors, + matrixDSSourceAddress, matrixDSDestAddress, + matrixDSIndex, matrixDSPkts, + matrixDSOctets, matrixDSErrors + } + STATUS current + DESCRIPTION + "The RMON Matrix Group." 
+ ::= { rmonGroups 7 }
+
+ rmonFilterGroup OBJECT-GROUP
+ OBJECTS {
+
+ filterIndex, filterChannelIndex, filterPktDataOffset,
+ filterPktData, filterPktDataMask,
+ filterPktDataNotMask, filterPktStatus,
+ filterPktStatusMask, filterPktStatusNotMask,
+ filterOwner, filterStatus,
+ channelIndex, channelIfIndex, channelAcceptType,
+ channelDataControl, channelTurnOnEventIndex,
+ channelTurnOffEventIndex, channelEventIndex,
+ channelEventStatus, channelMatches,
+ channelDescription, channelOwner, channelStatus
+ }
+ STATUS current
+ DESCRIPTION
+ "The RMON Filter Group."
+ ::= { rmonGroups 8 }
+
+ rmonPacketCaptureGroup OBJECT-GROUP
+ OBJECTS {
+ bufferControlIndex, bufferControlChannelIndex,
+ bufferControlFullStatus, bufferControlFullAction,
+ bufferControlCaptureSliceSize,
+ bufferControlDownloadSliceSize,
+ bufferControlDownloadOffset,
+ bufferControlMaxOctetsRequested,
+ bufferControlMaxOctetsGranted,
+ bufferControlCapturedPackets,
+ bufferControlTurnOnTime,
+ bufferControlOwner, bufferControlStatus,
+ captureBufferControlIndex, captureBufferIndex,
+ captureBufferPacketID, captureBufferPacketData,
+ captureBufferPacketLength, captureBufferPacketTime,
+ captureBufferPacketStatus
+ }
+ STATUS current
+ DESCRIPTION
+ "The RMON Packet Capture Group."
+ ::= { rmonGroups 9 }
+
+ rmonEventGroup OBJECT-GROUP
+ OBJECTS {
+ eventIndex, eventDescription, eventType,
+ eventCommunity, eventLastTimeSent,
+ eventOwner, eventStatus,
+ logEventIndex, logIndex, logTime,
+ logDescription
+ }
+ STATUS current
+ DESCRIPTION
+ "The RMON Event Group."
+ ::= { rmonGroups 10 }
+
+ rmonNotificationGroup NOTIFICATION-GROUP
+ NOTIFICATIONS { risingAlarm, fallingAlarm }
+ STATUS current
+ DESCRIPTION
+ "The RMON Notification Group."
+ ::= { rmonGroups 11 }
+END
diff --git a/mibs/SCTP-MIB.txt b/mibs/SCTP-MIB.txt
new file mode 100644
index 000000000..9d809d282
--- /dev/null
+++ b/mibs/SCTP-MIB.txt
@@ -0,0 +1,1342 @@
+SCTP-MIB DEFINITIONS ::= BEGIN
+
+IMPORTS
+ MODULE-IDENTITY, OBJECT-TYPE, Integer32, Unsigned32, Gauge32,
+ Counter32, Counter64, mib-2
+ FROM SNMPv2-SMI -- [RFC2578]
+ TimeStamp, TruthValue
+ FROM SNMPv2-TC -- [RFC2579]
+ MODULE-COMPLIANCE, OBJECT-GROUP
+ FROM SNMPv2-CONF -- [RFC2580]
+ InetAddressType, InetAddress, InetPortNumber
+ FROM INET-ADDRESS-MIB; -- [RFC3291]
+
+sctpMIB MODULE-IDENTITY
+ LAST-UPDATED "200409020000Z" -- 2nd September 2004
+ ORGANIZATION "IETF SIGTRAN Working Group"
+ CONTACT-INFO
+ "
+ WG EMail: sigtran@ietf.org
+
+ Web Page:
+ http://www.ietf.org/html.charters/sigtran-charter.html
+
+ Chair: Lyndon Ong
+ Ciena Corporation
+ 0480 Ridgeview Drive
+ Cupertino, CA 95014
+ USA
+ Tel:
+ Email: lyong@ciena.com
+
+ Editors: Maria-Carmen Belinchon
+ R&D Department
+ Ericsson Espana S. A.
+ Via de los Poblados, 13
+ 28033 Madrid
+ Spain
+ Tel: +34 91 339 3535
+ Email: Maria.C.Belinchon@ericsson.com
+
+ Jose-Javier Pastor-Balbas
+ R&D Department
+ Ericsson Espana S. A.
+ Via de los Poblados, 13
+ 28033 Madrid
+ Spain
+ Tel: +34 91 339 1397
+ Email: J.Javier.Pastor@ericsson.com
+ "
+ DESCRIPTION
+ "The MIB module for managing SCTP implementations.
+
+ Copyright (C) The Internet Society (2004). This version of
+ this MIB module is part of RFC 3873; see the RFC itself for
+ full legal notices. "
+
+ REVISION "200409020000Z" -- 2nd September 2004
+ DESCRIPTION " Initial version, published as RFC 3873"
+ ::= { mib-2 104 }
+
+-- the SCTP base variables group
+
+sctpObjects OBJECT IDENTIFIER ::= { sctpMIB 1 }
+
+sctpStats OBJECT IDENTIFIER ::= { sctpObjects 1 }
+sctpParams OBJECT IDENTIFIER ::= { sctpObjects 2 }
+
+-- STATISTICS
+-- **********
+
+-- STATE-RELATED STATISTICS
+
+sctpCurrEstab OBJECT-TYPE
+ SYNTAX Gauge32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of associations for which the current state is
+ either ESTABLISHED, SHUTDOWN-RECEIVED or SHUTDOWN-PENDING."
+ REFERENCE + "Section 4 in RFC2960 covers the SCTP Association state + diagram." + ::= { sctpStats 1 } + +sctpActiveEstabs OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of times that associations have made a direct + transition to the ESTABLISHED state from the COOKIE-ECHOED + state: COOKIE-ECHOED -> ESTABLISHED. The upper layer initiated + the association attempt." + REFERENCE + "Section 4 in RFC2960 covers the SCTP Association state + diagram." + ::= { sctpStats 2 } + +sctpPassiveEstabs OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of times that associations have made a direct + transition to the ESTABLISHED state from the CLOSED state: + CLOSED -> ESTABLISHED. The remote endpoint initiated the + association attempt." + REFERENCE + "Section 4 in RFC2960 covers the SCTP Association state + diagram." + ::= { sctpStats 3 } + +sctpAborteds OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of times that associations have made a direct + transition to the CLOSED state from any state using the + primitive 'ABORT': AnyState --Abort--> CLOSED. Ungraceful + termination of the association." + REFERENCE + "Section 4 in RFC2960 covers the SCTP Association state + diagram." + ::= { sctpStats 4 } + +sctpShutdowns OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of times that associations have made a direct + transition to the CLOSED state from either the SHUTDOWN-SENT + state or the SHUTDOWN-ACK-SENT state. Graceful termination of + the association." + REFERENCE + "Section 4 in RFC2960 covers the SCTP Association state + diagram." + ::= { sctpStats 5 } + +-- OTHER LAYER STATISTICS + +sctpOutOfBlues OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of out of the blue packets received by the host. 
+ An out of the blue packet is an SCTP packet correctly formed, + including the proper checksum, but for which the receiver was + unable to identify an appropriate association." + REFERENCE + "Section 8.4 in RFC2960 deals with the Out-Of-The-Blue + (OOTB) packet definition and procedures." + ::= { sctpStats 6 } + +sctpChecksumErrors OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of SCTP packets received with an invalid + checksum." + REFERENCE + "The checksum is located at the end of the SCTP packet as per + Section 3.1 in RFC2960. RFC3309 updates SCTP to use a 32 bit + CRC checksum." +::= { sctpStats 7 } + +sctpOutCtrlChunks OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of SCTP control chunks sent (retransmissions are + not included). Control chunks are those chunks different from + DATA." + REFERENCE + "Sections 1.3.5 and 1.4 in RFC2960 refer to control chunk as + those chunks different from those that contain user + information, i.e., DATA chunks." + ::= { sctpStats 8 } + +sctpOutOrderChunks OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of SCTP ordered data chunks sent (retransmissions + are not included)." + REFERENCE + "Section 3.3.1 in RFC2960 defines the ordered data chunk." + ::= { sctpStats 9 } + +sctpOutUnorderChunks OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of SCTP unordered chunks (data chunks in which the + U bit is set to 1) sent (retransmissions are not included)." + REFERENCE + "Section 3.3.1 in RFC2960 defines the unordered data chunk." + ::= { sctpStats 10 } + +sctpInCtrlChunks OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of SCTP control chunks received (no duplicate + chunks included)." 
+ REFERENCE + "Sections 1.3.5 and 1.4 in RFC2960 refer to control chunk as + those chunks different from those that contain user + information, i.e., DATA chunks." + ::= { sctpStats 11 } + +sctpInOrderChunks OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of SCTP ordered data chunks received (no duplicate + chunks included)." + REFERENCE + "Section 3.3.1 in RFC2960 defines the ordered data chunk." + ::= { sctpStats 12 } + +sctpInUnorderChunks OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of SCTP unordered chunks (data chunks in which the + U bit is set to 1) received (no duplicate chunks included)." + REFERENCE + "Section 3.3.1 in RFC2960 defines the unordered data chunk." + ::= { sctpStats 13 } + +sctpFragUsrMsgs OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of user messages that have to be fragmented + because of the MTU." + ::= { sctpStats 14 } + +sctpReasmUsrMsgs OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of user messages reassembled, after conversion + into DATA chunks." + REFERENCE + "Section 6.9 in RFC2960 includes a description of the + reassembly process." + ::= { sctpStats 15 } + +sctpOutSCTPPacks OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of SCTP packets sent. Retransmitted DATA chunks + are included." + ::= { sctpStats 16 } + +sctpInSCTPPacks OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of SCTP packets received. Duplicates are + included." + ::= { sctpStats 17 } + +sctpDiscontinuityTime OBJECT-TYPE + SYNTAX TimeStamp + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of sysUpTime on the most recent occasion at which + any one or more of this general statistics counters suffered a + discontinuity. 
The relevant counters are the specific + instances associated with this interface of any Counter32 or + Counter64 object contained in the SCTP layer statistics + (defined below sctpStats branch). If no such discontinuities + have occurred since the last re-initialization of the local + management subsystem, then this object contains a zero value." + REFERENCE + "The inclusion of this object is recommended by RFC2578." + ::= { sctpStats 18 } + +-- PROTOCOL GENERAL VARIABLES +-- ************************** + +sctpRtoAlgorithm OBJECT-TYPE + SYNTAX INTEGER { + other(1), -- Other new one. Future use + vanj(2) -- Van Jacobson's algorithm + } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The algorithm used to determine the timeout value (T3-rtx) + used for re-transmitting unacknowledged chunks." + REFERENCE + "Section 6.3.1 and 6.3.2 in RFC2960 cover the RTO calculation + and retransmission timer rules." + DEFVAL {vanj} -- vanj(2) + ::= { sctpParams 1 } + +sctpRtoMin OBJECT-TYPE + SYNTAX Unsigned32 + UNITS "milliseconds" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The minimum value permitted by a SCTP implementation for the + retransmission timeout value, measured in milliseconds. More + refined semantics for objects of this type depend upon the + algorithm used to determine the retransmission timeout value. + + A retransmission time value of zero means immediate + retransmission. + + The value of this object has to be lower than or equal to + stcpRtoMax's value." + DEFVAL {1000} -- milliseconds + ::= { sctpParams 2 } + +sctpRtoMax OBJECT-TYPE + SYNTAX Unsigned32 + UNITS "milliseconds" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The maximum value permitted by a SCTP implementation for the + retransmission timeout value, measured in milliseconds. More + refined semantics for objects of this type depend upon the + algorithm used to determine the retransmission timeout value. 
+ + A retransmission time value of zero means immediate re- + transmission. + + The value of this object has to be greater than or equal to + stcpRtoMin's value." + DEFVAL {60000} -- milliseconds + ::= { sctpParams 3 } + +sctpRtoInitial OBJECT-TYPE + SYNTAX Unsigned32 + UNITS "milliseconds" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The initial value for the retransmission timer. + + A retransmission time value of zero means immediate re- + transmission." + DEFVAL {3000} -- milliseconds + ::= { sctpParams 4 } + +sctpMaxAssocs OBJECT-TYPE + SYNTAX Integer32 (-1 | 0..2147483647) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The limit on the total number of associations the entity can + support. In entities where the maximum number of associations + is dynamic, this object should contain the value -1." + ::= { sctpParams 5 } + +sctpValCookieLife OBJECT-TYPE + SYNTAX Unsigned32 + UNITS "milliseconds" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Valid cookie life in the 4-way start-up handshake procedure." + REFERENCE + "Section 5.1.3 in RFC2960 explains the cookie generation + process. Recommended value is per section 14 in RFC2960." + DEFVAL {60000} -- milliseconds + ::= { sctpParams 6 } + +sctpMaxInitRetr OBJECT-TYPE + SYNTAX Unsigned32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The maximum number of retransmissions at the start-up phase + (INIT and COOKIE ECHO chunks). " + REFERENCE + "Section 5.1.4, 5.1.6 in RFC2960 refers to Max.Init.Retransmit + parameter. Recommended value is per section 14 in RFC2960." + DEFVAL {8} -- number of attempts + ::= { sctpParams 7 } + +-- TABLES +-- ****** + +-- the SCTP Association TABLE + +-- The SCTP association table contains information about each +-- association in which the local endpoint is involved. 
+ +sctpAssocTable OBJECT-TYPE + SYNTAX SEQUENCE OF SctpAssocEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A table containing SCTP association-specific information." + ::= { sctpObjects 3 } + +sctpAssocEntry OBJECT-TYPE + SYNTAX SctpAssocEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "General common variables and statistics for the whole + association." + INDEX { sctpAssocId } + ::= { sctpAssocTable 1 } + +SctpAssocEntry ::= SEQUENCE { + sctpAssocId Unsigned32, + sctpAssocRemHostName OCTET STRING, + sctpAssocLocalPort InetPortNumber, + sctpAssocRemPort InetPortNumber, + sctpAssocRemPrimAddrType InetAddressType, + sctpAssocRemPrimAddr InetAddress, + sctpAssocHeartBeatInterval Unsigned32, + sctpAssocState INTEGER, + sctpAssocInStreams Unsigned32, + sctpAssocOutStreams Unsigned32, + sctpAssocMaxRetr Unsigned32, + sctpAssocPrimProcess Unsigned32, + sctpAssocT1expireds Counter32, -- Statistic + sctpAssocT2expireds Counter32, -- Statistic + sctpAssocRtxChunks Counter32, -- Statistic + sctpAssocStartTime TimeStamp, + sctpAssocDiscontinuityTime TimeStamp + } + +sctpAssocId OBJECT-TYPE + SYNTAX Unsigned32 (1..4294967295) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Association Identification. Value identifying the + association. " + ::= { sctpAssocEntry 1 } + +sctpAssocRemHostName OBJECT-TYPE + SYNTAX OCTET STRING (SIZE(0..255)) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The peer's DNS name. This object needs to have the same + format as the encoding in the DNS protocol. This implies that + the domain name can be up to 255 octets long, each octet being + 0<=x<=255 as value with US-ASCII A-Z having a case insensitive + matching. + + If no DNS domain name was received from the peer at init time + (embedded in the INIT or INIT-ACK chunk), this object is + meaningless. In such cases the object MUST contain a zero- + length string value. Otherwise, it contains the remote host + name received at init time." 
+ ::= { sctpAssocEntry 2 } + +sctpAssocLocalPort OBJECT-TYPE + SYNTAX InetPortNumber (1..65535) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The local SCTP port number used for this association." + ::= { sctpAssocEntry 3 } + +sctpAssocRemPort OBJECT-TYPE + SYNTAX InetPortNumber (1..65535) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The remote SCTP port number used for this association." + ::= { sctpAssocEntry 4 } + +sctpAssocRemPrimAddrType OBJECT-TYPE + SYNTAX InetAddressType + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The internet type of primary remote IP address. " + ::= { sctpAssocEntry 5 } + +sctpAssocRemPrimAddr OBJECT-TYPE + SYNTAX InetAddress + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The primary remote IP address. The type of this address is + determined by the value of sctpAssocRemPrimAddrType. + + The client side will know this value after INIT_ACK message + reception, the server side will know this value when sending + INIT_ACK message. However, values will be filled in at + established(4) state." + ::= { sctpAssocEntry 6 } + +sctpAssocHeartBeatInterval OBJECT-TYPE + SYNTAX Unsigned32 + UNITS "milliseconds" + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The current heartbeat interval.. + + Zero value means no HeartBeat, even when the concerned + sctpAssocRemAddrHBFlag object is true." + DEFVAL {30000} -- milliseconds + ::= { sctpAssocEntry 7 } + +sctpAssocState OBJECT-TYPE + SYNTAX INTEGER { + closed(1), + cookieWait(2), + cookieEchoed(3), + established(4), + shutdownPending(5), + shutdownSent(6), + shutdownReceived(7), + shutdownAckSent(8), + deleteTCB(9) + } + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The state of this SCTP association. + + As in TCP, deleteTCB(9) is the only value that may be set by a + management station. If any other value is received, then the + agent must return a wrongValue error. 
+ + If a management station sets this object to the value + deleteTCB(9), then this has the effect of deleting the TCB (as + defined in SCTP) of the corresponding association on the + managed node, resulting in immediate termination of the + association. + + As an implementation-specific option, an ABORT chunk may be + sent from the managed node to the other SCTP endpoint as a + result of setting the deleteTCB(9) value. The ABORT chunk + implies an ungraceful association shutdown." + REFERENCE + "Section 4 in RFC2960 covers the SCTP Association state + diagram." + ::= { sctpAssocEntry 8 } + +sctpAssocInStreams OBJECT-TYPE + SYNTAX Unsigned32 (1..65535) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Inbound Streams according to the negotiation at association + start up." + REFERENCE + "Section 1.3 in RFC2960 includes a definition of stream. + Section 5.1.1 in RFC2960 covers the streams negotiation + process." + ::= { sctpAssocEntry 9 } + +sctpAssocOutStreams OBJECT-TYPE + SYNTAX Unsigned32 (1..65535) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Outbound Streams according to the negotiation at association + start up. " + REFERENCE + "Section 1.3 in RFC2960 includes a definition of stream. + Section 5.1.1 in RFC2960 covers the streams negotiation + process." + ::= { sctpAssocEntry 10 } + +sctpAssocMaxRetr OBJECT-TYPE + SYNTAX Unsigned32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The maximum number of data retransmissions in the association + context. This value is specific for each association and the + upper layer can change it by calling the appropriate + primitives. This value has to be smaller than the addition of + all the maximum number for all the paths + (sctpAssocRemAddrMaxPathRtx). + + A value of zero value means no retransmissions." 
+ DEFVAL {10} -- number of attempts + ::= { sctpAssocEntry 11 } + +sctpAssocPrimProcess OBJECT-TYPE + SYNTAX Unsigned32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "This object identifies the system level process which holds + primary responsibility for the SCTP association. + Wherever possible, this should be the system's native unique + identification number. The special value 0 can be used to + indicate that no primary process is known. + + Note that the value of this object can be used as a pointer + into the swRunTable of the HOST-RESOURCES-MIB(if the value is + smaller than 2147483647) or into the sysApplElmtRunTable of + the SYSAPPL-MIB." + ::= { sctpAssocEntry 12 } + +-- Association Statistics + +sctpAssocT1expireds OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The T1 timer determines how long to wait for an + acknowledgement after sending an INIT or COOKIE-ECHO chunk. + This object reflects the number of times the T1 timer expires + without having received the acknowledgement. + + Discontinuities in the value of this counter can occur at re- + initialization of the management system, and at other times as + indicated by the value of sctpAssocDiscontinuityTime." + REFERENCE + "Section 5 in RFC2960." + ::= { sctpAssocEntry 13 } + +sctpAssocT2expireds OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The T2 timer determines how long to wait for an + acknowledgement after sending a SHUTDOWN or SHUTDOWN-ACK + chunk. This object reflects the number of times that T2- timer + expired. + + Discontinuities in the value of this counter can occur at re- + initialization of the management system, and at other times as + indicated by the value of sctpAssocDiscontinuityTime." +REFERENCE + "Section 9.2 in RFC2960." 
+ ::= { sctpAssocEntry 14 } + +sctpAssocRtxChunks OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "When T3-rtx expires, the DATA chunks that triggered the T3 + timer will be re-sent according with the retransmissions + rules. Every DATA chunk that was included in the SCTP packet + that triggered the T3-rtx timer must be added to the value of + this counter. + + Discontinuities in the value of this counter can occur at re- + initialization of the management system, and at other times as + indicated by the value of sctpAssocDiscontinuityTime." + REFERENCE + "Section 6 in RFC2960 covers the retransmission process and + rules." + ::= { sctpAssocEntry 15 } + +sctpAssocStartTime OBJECT-TYPE + SYNTAX TimeStamp + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of sysUpTime at the time that the association + represented by this row enters the ESTABLISHED state, i.e., + the sctpAssocState object is set to established(4). The + value of this object will be zero: + - before the association enters the established(4) + state, or + + - if the established(4) state was entered prior to + the last re-initialization of the local network management + subsystem." + ::= { sctpAssocEntry 16 } + +sctpAssocDiscontinuityTime OBJECT-TYPE + SYNTAX TimeStamp + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of sysUpTime on the most recent occasion at which + any one or more of this SCTP association counters suffered a + discontinuity. The relevant counters are the specific + instances associated with this interface of any Counter32 or + Counter64 object contained in the sctpAssocTable or + sctpLocalAddrTable or sctpRemAddrTable. If no such + discontinuities have occurred since the last re-initialization + of the local management subsystem, then this object contains a + zero value. " + REFERENCE + "The inclusion of this object is recommended by RFC2578." 
+ ::= { sctpAssocEntry 17 }
+
+-- Expanded tables: Including Multi-home feature
+
+-- Local Address TABLE
+-- *******************
+
+sctpAssocLocalAddrTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF SctpAssocLocalAddrEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Expanded table of sctpAssocTable based on the AssocId index.
+ This table shows data related to each local IP address which
+ is used by this association."
+ ::= { sctpObjects 4 }
+
+sctpAssocLocalAddrEntry OBJECT-TYPE
+ SYNTAX SctpAssocLocalAddrEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Local information about the available addresses. There will
+ be an entry for every local IP address defined for this
+
+ association.
+ Implementors need to be aware that if the size of
+ sctpAssocLocalAddr exceeds 114 octets then OIDs of column
+ instances in this table will have more than 128 sub-
+ identifiers and cannot be accessed using SNMPv1, SNMPv2c, or
+ SNMPv3."
+ INDEX { sctpAssocId, -- shared index
+ sctpAssocLocalAddrType,
+ sctpAssocLocalAddr }
+ ::= { sctpAssocLocalAddrTable 1 }
+
+SctpAssocLocalAddrEntry ::= SEQUENCE {
+ sctpAssocLocalAddrType InetAddressType,
+ sctpAssocLocalAddr InetAddress,
+ sctpAssocLocalAddrStartTime TimeStamp
+ }
+
+sctpAssocLocalAddrType OBJECT-TYPE
+ SYNTAX InetAddressType
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Internet type of local IP address used for this association."
+ ::= { sctpAssocLocalAddrEntry 1 }
+
+sctpAssocLocalAddr OBJECT-TYPE
+ SYNTAX InetAddress
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The value of a local IP address available for this
+ association. The type of this address is determined by the
+ value of sctpAssocLocalAddrType."
+ ::= { sctpAssocLocalAddrEntry 2 }
+
+sctpAssocLocalAddrStartTime OBJECT-TYPE
+ SYNTAX TimeStamp
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of sysUpTime at the time that this row was
+ created."
+ ::= { sctpAssocLocalAddrEntry 3 }
+
+-- Remote Addresses TABLE
+-- **********************
+
+sctpAssocRemAddrTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF SctpAssocRemAddrEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Expanded table of sctpAssocTable based on the AssocId index.
+ This table shows data related to each remote peer IP address
+ which is used by this association."
+ ::= { sctpObjects 5 }
+
+sctpAssocRemAddrEntry OBJECT-TYPE
+ SYNTAX SctpAssocRemAddrEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Information about the most important variables for every
+ remote IP address. There will be an entry for every remote IP
+ address defined for this association.
+
+ Implementors need to be aware that if the size of
+ sctpAssocRemAddr exceeds 114 octets then OIDs of column
+ instances in this table will have more than 128 sub-
+ identifiers and cannot be accessed using SNMPv1, SNMPv2c, or
+ SNMPv3."
+ INDEX { sctpAssocId, -- shared index
+ sctpAssocRemAddrType,
+ sctpAssocRemAddr }
+ ::= { sctpAssocRemAddrTable 1 }
+
+SctpAssocRemAddrEntry ::= SEQUENCE {
+ sctpAssocRemAddrType InetAddressType,
+ sctpAssocRemAddr InetAddress,
+ sctpAssocRemAddrActive TruthValue,
+ sctpAssocRemAddrHBActive TruthValue,
+ sctpAssocRemAddrRTO Unsigned32,
+ sctpAssocRemAddrMaxPathRtx Unsigned32,
+ sctpAssocRemAddrRtx Counter32, -- Statistic
+ sctpAssocRemAddrStartTime TimeStamp
+ }
+
+sctpAssocRemAddrType OBJECT-TYPE
+ SYNTAX InetAddressType
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Internet type of a remote IP address available for this
+ association."
+ ::= { sctpAssocRemAddrEntry 1 }
+
+sctpAssocRemAddr OBJECT-TYPE
+ SYNTAX InetAddress
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The value of a remote IP address available for this
+ association. The type of this address is determined by the
+ value of sctpAssocLocalAddrType."
+ ::= { sctpAssocRemAddrEntry 2 }
+
+sctpAssocRemAddrActive OBJECT-TYPE
+ SYNTAX TruthValue
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "This object gives information about the reachability of this
+ specific remote IP address.
+
+ When the object is set to 'true' (1), the remote IP address is
+ understood as Active. Active means that the threshold of no
+ answers received from this IP address has not been reached.
+
+ When the object is set to 'false' (2), the remote IP address
+ is understood as Inactive. Inactive means that either no
+ heartbeat or any other message was received from this address,
+ reaching the threshold defined by the protocol."
+ REFERENCE
+ "The remote transport states are defined as Active and
+ Inactive in the SCTP, RFC2960."
+ ::= { sctpAssocRemAddrEntry 3 }
+
+sctpAssocRemAddrHBActive OBJECT-TYPE
+ SYNTAX TruthValue
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "This object indicates whether the optional Heartbeat check
+ associated to one destination transport address is activated
+ or not (value equal to true or false, respectively). "
+ ::= { sctpAssocRemAddrEntry 4 }
+
+sctpAssocRemAddrRTO OBJECT-TYPE -- T3-rtx- Timer
+ SYNTAX Unsigned32
+ UNITS "milliseconds"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The current Retransmission Timeout. T3-rtx timer as defined
+ in the protocol SCTP."
+ REFERENCE
+ "Section 6.3 in RFC2960 deals with the Retransmission Timer
+ Management."
+ ::= { sctpAssocRemAddrEntry 5 }
+
+sctpAssocRemAddrMaxPathRtx OBJECT-TYPE
+ SYNTAX Unsigned32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Maximum number of DATA chunks retransmissions allowed to a
+ remote IP address before it is considered inactive, as defined
+ in RFC2960."
+ REFERENCE
+ "Section 8.2, 8.3 and 14 in RFC2960."
+ DEFVAL {5} -- number of attempts
+ ::= { sctpAssocRemAddrEntry 6 }
+
+-- Remote Address Statistic
+
+sctpAssocRemAddrRtx OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of DATA chunks retransmissions to this specific IP
+ address. When T3-rtx expires, the DATA chunk that triggered
+ the T3 timer will be re-sent according to the retransmissions
+ rules. Every DATA chunk that is included in a SCTP packet and
+ was transmitted to this specific IP address before, will be
+ included in this counter.
+
+ Discontinuities in the value of this counter can occur at re-
+ initialization of the management system, and at other times as
+ indicated by the value of sctpAssocDiscontinuityTime."
+ ::= { sctpAssocRemAddrEntry 7 }
+
+sctpAssocRemAddrStartTime OBJECT-TYPE
+ SYNTAX TimeStamp
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of sysUpTime at the time that this row was
+ created."
+ ::= { sctpAssocRemAddrEntry 8 }
+
+-- ASSOCIATION INVERSE TABLE
+-- *************************
+
+-- BY LOCAL PORT
+
+sctpLookupLocalPortTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF SctpLookupLocalPortEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "With the use of this table, a list of associations which are
+
+ using the specified local port can be retrieved."
+ ::= { sctpObjects 6 }
+
+sctpLookupLocalPortEntry OBJECT-TYPE
+ SYNTAX SctpLookupLocalPortEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "This table is indexed by local port and association ID.
+ Specifying a local port, we would get a list of the
+ associations whose local port is the one specified."
+ INDEX { sctpAssocLocalPort,
+ sctpAssocId }
+ ::= { sctpLookupLocalPortTable 1 }
+
+SctpLookupLocalPortEntry::= SEQUENCE {
+ sctpLookupLocalPortStartTime TimeStamp
+ }
+
+sctpLookupLocalPortStartTime OBJECT-TYPE
+ SYNTAX TimeStamp
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of sysUpTime at the time that this row was created.
+
+ As the table will be created after the sctpAssocTable
+ creation, this value could be equal to the sctpAssocStartTime
+ object from the main table."
+ ::= { sctpLookupLocalPortEntry 1 }
+
+-- BY REMOTE PORT
+
+sctpLookupRemPortTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF SctpLookupRemPortEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "With the use of this table, a list of associations which are
+ using the specified remote port can be got"
+ ::= { sctpObjects 7 }
+
+sctpLookupRemPortEntry OBJECT-TYPE
+ SYNTAX SctpLookupRemPortEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "This table is indexed by remote port and association ID.
+ Specifying a remote port we would get a list of the
+ associations whose local port is the one specified "
+ INDEX { sctpAssocRemPort,
+ sctpAssocId }
+ ::= { sctpLookupRemPortTable 1 }
+
+SctpLookupRemPortEntry::= SEQUENCE {
+ sctpLookupRemPortStartTime TimeStamp
+ }
+
+sctpLookupRemPortStartTime OBJECT-TYPE
+ SYNTAX TimeStamp
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of sysUpTime at the time that this row was created.
+
+ As the table will be created after the sctpAssocTable
+ creation, this value could be equal to the sctpAssocStartTime
+ object from the main table."
+ ::= { sctpLookupRemPortEntry 1 }
+
+-- BY REMOTE HOST NAME
+
+sctpLookupRemHostNameTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF SctpLookupRemHostNameEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "With the use of this table, a list of associations with that
+ particular host can be retrieved."
+ ::= { sctpObjects 8 }
+
+sctpLookupRemHostNameEntry OBJECT-TYPE
+ SYNTAX SctpLookupRemHostNameEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "This table is indexed by remote host name and association ID.
+ Specifying a host name we would get a list of the associations
+ specifying that host name as the remote one.
+
+ Implementors need to be aware that if the size of
+ sctpAssocRemHostName exceeds 115 octets then OIDs of column
+ instances in this table will have more than 128 sub-
+ identifiers and cannot be accessed using SNMPv1, SNMPv2c, or
+ SNMPv3."
+ INDEX { sctpAssocRemHostName,
+ sctpAssocId }
+ ::= { sctpLookupRemHostNameTable 1 }
+
+SctpLookupRemHostNameEntry::= SEQUENCE {
+ sctpLookupRemHostNameStartTime TimeStamp
+ }
+
+sctpLookupRemHostNameStartTime OBJECT-TYPE
+ SYNTAX TimeStamp
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of sysUpTime at the time that this row was created.
+
+ As the table will be created after the sctpAssocTable
+ creation, this value could be equal to the sctpAssocStartTime
+ object from the main table."
+ ::= { sctpLookupRemHostNameEntry 1 }
+
+-- BY REMOTE PRIMARY IP ADDRESS
+
+sctpLookupRemPrimIPAddrTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF SctpLookupRemPrimIPAddrEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "With the use of this table, a list of associations that have
+ the specified IP address as primary within the remote set of
+ active addresses can be retrieved."
+ ::= { sctpObjects 9 }
+
+sctpLookupRemPrimIPAddrEntry OBJECT-TYPE
+ SYNTAX SctpLookupRemPrimIPAddrEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "This table is indexed by primary address and association ID.
+ Specifying a primary address, we would get a list of the
+ associations that have the specified remote IP address marked
+ as primary.
+ Implementors need to be aware that if the size of
+ sctpAssocRemPrimAddr exceeds 114 octets then OIDs of column
+ instances in this table will have more than 128 sub-
+ identifiers and cannot be accessed using SNMPv1, SNMPv2c, or
+ SNMPv3."
+ INDEX { sctpAssocRemPrimAddrType,
+ sctpAssocRemPrimAddr,
+ sctpAssocId }
+ ::= { sctpLookupRemPrimIPAddrTable 1 }
+
+SctpLookupRemPrimIPAddrEntry::= SEQUENCE {
+ sctpLookupRemPrimIPAddrStartTime TimeStamp
+ }
+
+sctpLookupRemPrimIPAddrStartTime OBJECT-TYPE
+ SYNTAX TimeStamp
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of SysUpTime at the time that this row was created.
+
+ As the table will be created after the sctpAssocTable
+ creation, this value could be equal to the sctpAssocStartTime
+ object from the main table."
+ ::= { sctpLookupRemPrimIPAddrEntry 1 }
+
+-- BY REMOTE IP ADDRESS
+
+sctpLookupRemIPAddrTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF SctpLookupRemIPAddrEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "With the use of this table, a list of associations that have
+ the specified IP address as one of the remote ones can be
+ retrieved. "
+ ::= { sctpObjects 10 }
+
+sctpLookupRemIPAddrEntry OBJECT-TYPE
+ SYNTAX SctpLookupRemIPAddrEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "This table is indexed by a remote IP address and association
+ ID. Specifying an IP address we would get a list of the
+ associations that have the specified IP address included
+ within the set of remote IP addresses."
+ INDEX { sctpAssocRemAddrType,
+ sctpAssocRemAddr,
+ sctpAssocId }
+ ::= { sctpLookupRemIPAddrTable 1 }
+
+SctpLookupRemIPAddrEntry::= SEQUENCE {
+
+ sctpLookupRemIPAddrStartTime TimeStamp
+ }
+
+sctpLookupRemIPAddrStartTime OBJECT-TYPE
+ SYNTAX TimeStamp
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The value of SysUpTime at the time that this row was created.
+
+ As the table will be created after the sctpAssocTable
+ creation, this value could be equal to the sctpAssocStartTime
+ object from the main table."
+ ::= { sctpLookupRemIPAddrEntry 1 }
+
+-- 4.1 Conformance Information
+
+sctpMibConformance OBJECT IDENTIFIER ::= { sctpMIB 2 }
+sctpMibCompliances OBJECT IDENTIFIER ::= { sctpMibConformance 1 }
+sctpMibGroups OBJECT IDENTIFIER ::= { sctpMibConformance 2 }
+
+-- 4.1.1 Units of conformance
+
+--
+-- MODULE GROUPS
+--
+
+sctpLayerParamsGroup OBJECT-GROUP
+ OBJECTS { sctpRtoAlgorithm,
+ sctpRtoMin,
+ sctpRtoMax,
+ sctpRtoInitial,
+ sctpMaxAssocs,
+ sctpValCookieLife,
+ sctpMaxInitRetr
+ }
+ STATUS current
+ DESCRIPTION
+ "Common parameters for the SCTP layer, i.e., for all the
+ associations. They can usually be referred to as configuration
+ parameters."
+ ::= { sctpMibGroups 1 }
+
+sctpStatsGroup OBJECT-GROUP
+ OBJECTS { sctpCurrEstab,
+ sctpActiveEstabs,
+ sctpPassiveEstabs,
+ sctpAborteds,
+ sctpShutdowns,
+ sctpOutOfBlues,
+ sctpChecksumErrors,
+ sctpOutCtrlChunks,
+ sctpOutOrderChunks,
+ sctpOutUnorderChunks,
+ sctpInCtrlChunks,
+ sctpInOrderChunks,
+ sctpInUnorderChunks,
+ sctpFragUsrMsgs,
+ sctpReasmUsrMsgs,
+ sctpOutSCTPPacks,
+ sctpInSCTPPacks,
+ sctpDiscontinuityTime,
+ sctpAssocT1expireds,
+ sctpAssocT2expireds,
+ sctpAssocRtxChunks,
+ sctpAssocRemAddrRtx
+ }
+ STATUS current
+ DESCRIPTION
+ "Statistics group. It includes the objects to collect state
+ changes in the SCTP protocol local layer and flow control
+ statistics."
+ ::= { sctpMibGroups 2 }
+
+sctpPerAssocParamsGroup OBJECT-GROUP
+ OBJECTS { sctpAssocRemHostName,
+ sctpAssocLocalPort,
+ sctpAssocRemPort,
+ sctpAssocRemPrimAddrType,
+ sctpAssocRemPrimAddr,
+ sctpAssocHeartBeatInterval,
+ sctpAssocState,
+ sctpAssocInStreams,
+ sctpAssocOutStreams,
+ sctpAssocMaxRetr,
+ sctpAssocPrimProcess,
+ sctpAssocStartTime,
+ sctpAssocDiscontinuityTime,
+ sctpAssocLocalAddrStartTime,
+ sctpAssocRemAddrActive,
+ sctpAssocRemAddrHBActive,
+ sctpAssocRemAddrRTO,
+ sctpAssocRemAddrMaxPathRtx,
+ sctpAssocRemAddrStartTime
+ }
+ STATUS current
+ DESCRIPTION
+ "The SCTP group of objects to manage per-association
+ parameters. These variables include all the SCTP basic
+ features."
+ ::= { sctpMibGroups 3 }
+
+sctpPerAssocStatsGroup OBJECT-GROUP
+ OBJECTS
+ { sctpAssocT1expireds,
+ sctpAssocT2expireds,
+ sctpAssocRtxChunks,
+ sctpAssocRemAddrRtx
+ }
+ STATUS current
+ DESCRIPTION
+ "Per Association Statistics group. It includes the objects to
+ collect flow control statistics per association."
+ ::= { sctpMibGroups 4 }
+
+sctpInverseGroup OBJECT-GROUP
+ OBJECTS { sctpLookupLocalPortStartTime,
+ sctpLookupRemPortStartTime,
+ sctpLookupRemHostNameStartTime,
+ sctpLookupRemPrimIPAddrStartTime,
+ sctpLookupRemIPAddrStartTime
+ }
+ STATUS current
+ DESCRIPTION
+ "Objects used in the inverse lookup tables."
+ ::= { sctpMibGroups 5 }
+
+-- 4.1.2 Compliance Statements
+
+--
+-- MODULE COMPLIANCES
+--
+
+sctpMibCompliance MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "The compliance statement for SNMP entities which implement
+ this SCTP MIB Module.
+
+ There are a number of INDEX objects that cannot be represented
+ in the form of OBJECT clauses in SMIv2, but for which we have
+ the following compliance requirements, expressed in OBJECT
+ clause form in this description clause:
+
+-- OBJECT sctpAssocLocalAddrType
+-- SYNTAX InetAddressType {ipv4(1), ipv6(2)}
+-- DESCRIPTION
+-- It is only required to have IPv4 and IPv6 addresses without
+-- zone indices.
+-- The address with zone indices is required if an
+-- implementation can connect multiple zones.
+--
+-- OBJECT sctpAssocLocalAddr
+-- SYNTAX InetAddress (SIZE(4|16))
+-- DESCRIPTION
+-- An implementation is only required to support globally
+-- unique IPv4 and IPv6 addresses.
+--
+-- OBJECT sctpAssocRemAddrType
+-- SYNTAX InetAddressType {ipv4(1), ipv6(2)}
+-- DESCRIPTION
+-- It is only required to have IPv4 and IPv6 addresses without
+-- zone indices.
+-- The address with zone indices is required if an
+-- implementation can connect multiple zones.
+--
+-- OBJECT sctpAssocRemAddr
+-- SYNTAX InetAddress (SIZE(4|16))
+-- DESCRIPTION
+-- An implementation is only required to support globally
+-- unique IPv4 and IPv6 addresses.
+--
+ " -- closes DESCRIPTION clause of MODULE-COMPLIANCE
+
+ MODULE -- this module
+
+ MANDATORY-GROUPS { sctpLayerParamsGroup,
+ sctpPerAssocParamsGroup,
+ sctpStatsGroup,
+ sctpPerAssocStatsGroup
+ }
+
+ OBJECT sctpAssocRemPrimAddrType
+ SYNTAX InetAddressType { ipv4(1),
+ ipv6(2)
+ }
+ DESCRIPTION
+ "It is only required to have IPv4 and IPv6 addresses
+ without zone indices.
+
+ The address with zone indices is required if an
+ implementation can connect multiple zones."
+
+ OBJECT sctpAssocRemPrimAddr
+ SYNTAX InetAddress (SIZE(4|16))
+ DESCRIPTION
+ "An implementation is only required to support globally
+ unique IPv4 and globally unique IPv6 addresses."
+
+ OBJECT sctpAssocState
+ WRITE-SYNTAX INTEGER { deleteTCB(9) }
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Only the deleteTCB(9) value MAY be set by a management
+ station at most. A read-only option is also considered to
+ be compliant with this MIB module description."
+
+ GROUP sctpInverseGroup
+ DESCRIPTION
+ "Objects used in inverse lookup tables. This should be
+ implemented, at the discretion of the implementers, for
+ easier lookups in the association tables"
+ ::= { sctpMibCompliances 1 }
+
+END
diff --git a/mibs/SMUX-MIB.txt b/mibs/SMUX-MIB.txt
new file mode 100644
index 000000000..1fe34552f
--- /dev/null
+++ b/mibs/SMUX-MIB.txt
@@ -0,0 +1,160 @@
+SMUX-MIB DEFINITIONS ::= BEGIN
+
+IMPORTS
+ enterprises
+ FROM RFC1155-SMI
+ DisplayString
+ FROM SNMPv2-TC
+ OBJECT-TYPE
+ FROM RFC-1212;
+
+unix OBJECT IDENTIFIER ::= { enterprises 4 }
+
+smux OBJECT IDENTIFIER ::= { unix 4 }
+
+smuxPeerTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF SmuxPeerEntry
+ ACCESS not-accessible
+ STATUS mandatory
+ DESCRIPTION
+ "The SMUX peer table."
+ ::= { smux 1 }
+
+smuxPeerEntry OBJECT-TYPE
+ SYNTAX SmuxPeerEntry
+ ACCESS not-accessible
+ STATUS mandatory
+ DESCRIPTION
+ "An entry in the SMUX peer table."
+ INDEX { smuxPindex }
+ ::= { smuxPeerTable 1}
+
+SmuxPeerEntry ::=
+ SEQUENCE {
+ smuxPindex
+ INTEGER,
+ smuxPidentity
+ OBJECT IDENTIFIER,
+ smuxPdescription
+ DisplayString,
+ smuxPstatus
+ INTEGER
+ }
+
+smuxPindex OBJECT-TYPE
+ SYNTAX INTEGER
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "An index which uniquely identifies a SMUX peer."
+ ::= { smuxPeerEntry 1 }
+
+smuxPidentity OBJECT-TYPE
+ SYNTAX OBJECT IDENTIFIER
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The authoritative designation for a SMUX peer."
+ ::= { smuxPeerEntry 2 }
+
+smuxPdescription OBJECT-TYPE
+ SYNTAX DisplayString (SIZE (0..255))
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "A human-readable description of a SMUX peer."
+ ::= { smuxPeerEntry 3 }
+
+smuxPstatus OBJECT-TYPE
+ SYNTAX INTEGER { valid(1), invalid(2), connecting(3) }
+ ACCESS read-write
+ STATUS mandatory
+ DESCRIPTION
+ "The type of SMUX peer.
+
+ Setting this object to the value invalid(2) has
+ the effect of invaliding the corresponding entry
+ in the smuxPeerTable. It is an implementation-
+ specific matter as to whether the agent removes an
+ invalidated entry from the table. Accordingly,
+ management stations must be prepared to receive
+ tabular information from agents that correspond to
+ entries not currently in use. Proper
+ interpretation of such entries requires
+ examination of the relative smuxPstatus object."
+ ::= { smuxPeerEntry 4 }
+
+smuxTreeTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF SmuxTreeEntry
+ ACCESS not-accessible
+ STATUS mandatory
+ DESCRIPTION
+ "The SMUX tree table."
+ ::= { smux 2 }
+
+smuxTreeEntry OBJECT-TYPE
+ SYNTAX SmuxTreeEntry
+ ACCESS not-accessible
+ STATUS mandatory
+ DESCRIPTION
+ "An entry in the SMUX tree table."
+ INDEX { smuxTsubtree, smuxTpriority }
+ ::= { smuxTreeTable 1}
+
+SmuxTreeEntry ::=
+ SEQUENCE {
+ smuxTsubtree
+ OBJECT IDENTIFIER,
+ smuxTpriority
+ INTEGER,
+ smuxTindex
+ INTEGER,
+ smuxTstatus
+ INTEGER
+ }
+
+smuxTsubtree OBJECT-TYPE
+ SYNTAX OBJECT IDENTIFIER
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The MIB subtree being exported by a SMUX peer."
+ ::= { smuxTreeEntry 1 }
+
+smuxTpriority OBJECT-TYPE
+ SYNTAX INTEGER (0..'07fffffff'h)
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The SMUX peer's priority when exporting the MIB
+ subtree."
+ ::= { smuxTreeEntry 2 }
+
+smuxTindex OBJECT-TYPE
+ SYNTAX INTEGER
+ ACCESS read-only
+ STATUS mandatory
+ DESCRIPTION
+ "The SMUX peer's identity."
+ ::= { smuxTreeEntry 3 }
+
+smuxTstatus OBJECT-TYPE
+ SYNTAX INTEGER { valid(1), invalid(2) }
+ ACCESS read-write
+ STATUS mandatory
+ DESCRIPTION
+ "The type of SMUX tree.
+
+ Setting this object to the value invalid(2) has
+ the effect of invaliding the corresponding entry
+ in the smuxTreeTable. It is an implementation-
+ specific matter as to whether the agent removes an
+ invalidated entry from the table. Accordingly,
+ management stations must be prepared to receive
+ tabular information from agents that correspond to
+ entries not currently in use. Proper
+ interpretation of such entries requires
+ examination of the relative smuxTstatus object."
+ ::= { smuxTreeEntry 4 }
+
+END
diff --git a/mibs/SNMP-COMMUNITY-MIB.txt b/mibs/SNMP-COMMUNITY-MIB.txt
new file mode 100644
index 000000000..bc3d4d278
--- /dev/null
+++ b/mibs/SNMP-COMMUNITY-MIB.txt
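Review bot: The module has no comment recording where it was taken from or that SMUX itself (RFC 1227) is a long-obsolete, Historic protocol, which is the context a maintainer needs when deciding whether the agent should expose the read-write columns smuxPstatus and smuxTstatus at all; a one-line header such as `-- SMUX-MIB as defined by RFC 1227 (Historic); copied from <upstream MIB package — fill in>, do not edit locally` would cover it. The IMPORTS also combine SMIv1 constructs (`enterprises FROM RFC1155-SMI`, `OBJECT-TYPE FROM RFC-1212`) with the SMIv2 `DisplayString FROM SNMPv2-TC`, so strict MIB compilers will warn about a mixed-SMI-version module. If that is the form the upstream MIB set ships, the header comment should say so, otherwise a later contributor is likely to "fix" the imports and change how the file parses.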
@@ -0,0 +1,429 @@
+SNMP-COMMUNITY-MIB DEFINITIONS ::= BEGIN
+
+IMPORTS
+ IpAddress,
+ MODULE-IDENTITY,
+ OBJECT-TYPE,
+ Integer32,
+ snmpModules
+ FROM SNMPv2-SMI
+ RowStatus,
+ StorageType
+ FROM SNMPv2-TC
+ SnmpAdminString,
+ SnmpEngineID
+ FROM SNMP-FRAMEWORK-MIB
+ SnmpTagValue,
+ snmpTargetAddrEntry
+ FROM SNMP-TARGET-MIB
+ MODULE-COMPLIANCE,
+ OBJECT-GROUP
+ FROM SNMPv2-CONF;
+
+snmpCommunityMIB MODULE-IDENTITY
+ LAST-UPDATED "200003060000Z" -- 6 Mar 2000, midnight
+ ORGANIZATION "SNMPv3 Working Group"
+ CONTACT-INFO "WG-email: snmpv3@lists.tislabs.com
+ Subscribe: majordomo@lists.tislabs.com
+ In msg body: subscribe snmpv3
+
+ Chair: Russ Mundy
+ TIS Labs at Network Associates
+ Postal: 3060 Washington Rd
+ Glenwood MD 21738
+ USA
+ Email: mundy@tislabs.com
+ Phone: +1-301-854-6889
+
+ Co-editor: Rob Frye
+ CoSine Communications
+ Postal: 1200 Bridge Parkway
+ Redwood City, CA 94065
+ USA
+ E-mail: rfrye@cosinecom.com
+ Phone: +1 703 725 1130
+
+ Co-editor: David B. Levi
+ Nortel Networks
+ Postal: 3505 Kesterwood Drive
+ Knoxville, TN 37918
+ E-mail: dlevi@nortelnetworks.com
+ Phone: +1 423 686 0432
+
+ Co-editor: Shawn A. Routhier
+ Integrated Systems Inc.
+ Postal: 333 North Ave 4th Floor
+ Wakefield, MA 01880
+ E-mail: sar@epilogue.com
+ Phone: +1 781 245 0804
+
+ Co-editor: Bert Wijnen
+ Lucent Technologies
+ Postal: Schagen 33
+ 3461 GL Linschoten
+ Netherlands
+ Email: bwijnen@lucent.com
+ Phone: +31-348-407-775
+ "
+ DESCRIPTION
+ "This MIB module defines objects to help support coexistence
+ between SNMPv1, SNMPv2c, and SNMPv3."
+ REVISION "200003060000Z" -- 6 Mar 2000
+ DESCRIPTION "This version published as RFC 2576."
+ REVISION "199905130000Z" -- 13 May 1999
+ DESCRIPTION "The Initial Revision"
+ ::= { snmpModules 18 }
+
+-- Administrative assignments ****************************************
+
+snmpCommunityMIBObjects OBJECT IDENTIFIER ::= { snmpCommunityMIB 1 }
+snmpCommunityMIBConformance OBJECT IDENTIFIER ::= { snmpCommunityMIB 2 }
+
+--
+-- The snmpCommunityTable contains a database of community strings.
+-- This table provides mappings between community strings, and the
+
+-- parameters required for View-based Access Control.
+--
+
+snmpCommunityTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF SnmpCommunityEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The table of community strings configured in the SNMP
+ engine's Local Configuration Datastore (LCD)."
+ ::= { snmpCommunityMIBObjects 1 }
+
+snmpCommunityEntry OBJECT-TYPE
+ SYNTAX SnmpCommunityEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Information about a particular community string."
+ INDEX { IMPLIED snmpCommunityIndex }
+ ::= { snmpCommunityTable 1 }
+
+SnmpCommunityEntry ::= SEQUENCE {
+ snmpCommunityIndex SnmpAdminString,
+ snmpCommunityName OCTET STRING,
+ snmpCommunitySecurityName SnmpAdminString,
+ snmpCommunityContextEngineID SnmpEngineID,
+ snmpCommunityContextName SnmpAdminString,
+ snmpCommunityTransportTag SnmpTagValue,
+ snmpCommunityStorageType StorageType,
+ snmpCommunityStatus RowStatus
+}
+
+snmpCommunityIndex OBJECT-TYPE
+ SYNTAX SnmpAdminString (SIZE(1..32))
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The unique index value of a row in this table."
+ ::= { snmpCommunityEntry 1 }
+
+snmpCommunityName OBJECT-TYPE
+ SYNTAX OCTET STRING
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The community string for which a row in this table
+ represents a configuration."
+ ::= { snmpCommunityEntry 2 }
+
+snmpCommunitySecurityName OBJECT-TYPE
+ SYNTAX SnmpAdminString (SIZE(1..32))
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "A human readable string representing the corresponding
+ value of snmpCommunityName in a Security Model
+ independent format."
+ ::= { snmpCommunityEntry 3 }
+
+snmpCommunityContextEngineID OBJECT-TYPE
+ SYNTAX SnmpEngineID
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The contextEngineID indicating the location of the
+ context in which management information is accessed
+ when using the community string specified by the
+ corresponding instance of snmpCommunityName.
+
+ The default value is the snmpEngineID of the entity in
+ which this object is instantiated."
+ ::= { snmpCommunityEntry 4 }
+
+snmpCommunityContextName OBJECT-TYPE
+ SYNTAX SnmpAdminString (SIZE(0..32))
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The context in which management information is accessed
+ when using the community string specified by the corresponding
+ instance of snmpCommunityName."
+ DEFVAL { ''H } -- the empty string
+ ::= { snmpCommunityEntry 5 }
+
+snmpCommunityTransportTag OBJECT-TYPE
+ SYNTAX SnmpTagValue
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "This object specifies a set of transport endpoints
+ from which a command responder application will accept
+ management requests. If a management request containing
+ this community is received on a transport endpoint other
+ than the transport endpoints identified by this object,
+ the request is deemed unauthentic.
+
+ The transports identified by this object are specified
+
+ in the snmpTargetAddrTable. Entries in that table
+ whose snmpTargetAddrTagList contains this tag value
+ are identified.
+
+ If the value of this object has zero-length, transport
+ endpoints are not checked when authenticating messages
+ containing this community string."
+ DEFVAL { ''H } -- the empty string
+ ::= { snmpCommunityEntry 6 }
+
+snmpCommunityStorageType OBJECT-TYPE
+ SYNTAX StorageType
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The storage type for this conceptual row in the
+ snmpCommunityTable. Conceptual rows having the value
+ 'permanent' need not allow write-access to any
+ columnar object in the row."
+ ::= { snmpCommunityEntry 7 }
+
+snmpCommunityStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The status of this conceptual row in the snmpCommunityTable.
+
+ An entry in this table is not qualified for activation
+ until instances of all corresponding columns have been
+ initialized, either through default values, or through
+ Set operations. The snmpCommunityName and
+ snmpCommunitySecurityName objects must be explicitly set.
+
+ There is no restriction on setting columns in this table
+ when the value of snmpCommunityStatus is active(1)."
+ ::= { snmpCommunityEntry 8 }
+
+--
+-- The snmpTargetAddrExtTable
+--
+
+snmpTargetAddrExtTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF SnmpTargetAddrExtEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The table of mask and mms values associated with the
+
+ snmpTargetAddrTable.
+
+ The snmpTargetAddrExtTable augments the
+ snmpTargetAddrTable with a transport address mask value
+ and a maximum message size value. The transport address
+ mask allows entries in the snmpTargetAddrTable to define
+ a set of addresses instead of just a single address.
+ The maximum message size value allows the maximum
+ message size of another SNMP entity to be configured for
+ use in SNMPv1 (and SNMPv2c) transactions, where the
+ message format does not specify a maximum message size."
+ ::= { snmpCommunityMIBObjects 2 }
+
+snmpTargetAddrExtEntry OBJECT-TYPE
+ SYNTAX SnmpTargetAddrExtEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Information about a particular mask and mms value."
+ AUGMENTS { snmpTargetAddrEntry }
+ ::= { snmpTargetAddrExtTable 1 }
+
+SnmpTargetAddrExtEntry ::= SEQUENCE {
+ snmpTargetAddrTMask OCTET STRING,
+ snmpTargetAddrMMS Integer32
+}
+
+snmpTargetAddrTMask OBJECT-TYPE
+ SYNTAX OCTET STRING (SIZE (0..255))
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The mask value associated with an entry in the
+ snmpTargetAddrTable. The value of this object must
+ have the same length as the corresponding instance of
+ snmpTargetAddrTAddress, or must have length 0. An
+ attempt to set it to any other value will result in
+ an inconsistentValue error.
+
+ The value of this object allows an entry in the
+ snmpTargetAddrTable to specify multiple addresses.
+ The mask value is used to select which bits of
+ a transport address must match bits of the corresponding
+ instance of snmpTargetAddrTAddress, in order for the
+ transport address to match a particular entry in the
+ snmpTargetAddrTable. Bits which are 1 in the mask
+ value indicate bits in the transport address which
+ must match bits in the snmpTargetAddrTAddress value.
+
+ Bits which are 0 in the mask indicate bits in the
+ transport address which need not match. If the
+ length of the mask is 0, the mask should be treated
+ as if all its bits were 1 and its length were equal
+ to the length of the corresponding value of
+ snmpTargetAddrTable.
+
+ This object may not be modified while the value of the
+ corresponding instance of snmpTargetAddrRowStatus is
+ active(1). An attempt to set this object in this case
+ will result in an inconsistentValue error."
+ DEFVAL { ''H }
+ ::= { snmpTargetAddrExtEntry 1 }
+
+snmpTargetAddrMMS OBJECT-TYPE
+ SYNTAX Integer32 (0|484..2147483647)
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The maximum message size value associated with an entry
+ in the snmpTargetAddrTable."
+ DEFVAL { 484 }
+ ::= { snmpTargetAddrExtEntry 2 }
+
+--
+-- The snmpTrapAddress and snmpTrapCommunity objects are included
+-- in notifications that are forwarded by a proxy, which were
+-- originally received as SNMPv1 Trap messages.
+--
+
+snmpTrapAddress OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS accessible-for-notify
+ STATUS current
+ DESCRIPTION
+ "The value of the agent-addr field of a Trap PDU which
+ is forwarded by a proxy forwarder application using
+ an SNMP version other than SNMPv1. The value of this
+ object SHOULD contain the value of the agent-addr field
+ from the original Trap PDU as generated by an SNMPv1
+ agent."
+ ::= { snmpCommunityMIBObjects 3 }
+
+snmpTrapCommunity OBJECT-TYPE
+ SYNTAX OCTET STRING
+ MAX-ACCESS accessible-for-notify
+ STATUS current
+ DESCRIPTION
+ "The value of the community string field of an SNMPv1
+ message containing a Trap PDU which is forwarded by a
+ a proxy forwarder application using an SNMP version
+ other than SNMPv1. The value of this object SHOULD
+ contain the value of the community string field from
+ the original SNMPv1 message containing a Trap PDU as
+ generated by an SNMPv1 agent."
+ ::= { snmpCommunityMIBObjects 4 }
+
+-- Conformance Information *******************************************
+
+snmpCommunityMIBCompliances OBJECT IDENTIFIER
+ ::= { snmpCommunityMIBConformance 1 }
+snmpCommunityMIBGroups OBJECT IDENTIFIER
+ ::= { snmpCommunityMIBConformance 2 }
+
+-- Compliance statements
+
+snmpCommunityMIBCompliance MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "The compliance statement for SNMP engines which
+ implement the SNMP-COMMUNITY-MIB."
+
+ MODULE -- this module
+ MANDATORY-GROUPS { snmpCommunityGroup }
+
+ OBJECT snmpCommunityName
+ MIN-ACCESS read-only
+ DESCRIPTION "Write access is not required."
+
+ OBJECT snmpCommunitySecurityName
+ MIN-ACCESS read-only
+ DESCRIPTION "Write access is not required."
+
+ OBJECT snmpCommunityContextEngineID
+ MIN-ACCESS read-only
+ DESCRIPTION "Write access is not required."
+
+ OBJECT snmpCommunityContextName
+ MIN-ACCESS read-only
+ DESCRIPTION "Write access is not required."
+
+ OBJECT snmpCommunityTransportTag
+ MIN-ACCESS read-only
+ DESCRIPTION "Write access is not required."
+
+ OBJECT snmpCommunityStorageType
+ MIN-ACCESS read-only
+ DESCRIPTION "Write access is not required."
+
+ OBJECT snmpCommunityStatus
+ MIN-ACCESS read-only
+ DESCRIPTION "Write access is not required."
+ ::= { snmpCommunityMIBCompliances 1 }
+
+snmpProxyTrapForwardCompliance MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "The compliance statement for SNMP engines which
+ contain a proxy forwarding application which is
+ capable of forwarding SNMPv1 traps using SNMPv2c
+ or SNMPv3."
+ MODULE -- this module
+ MANDATORY-GROUPS { snmpProxyTrapForwardGroup }
+ ::= { snmpCommunityMIBCompliances 2 }
+
+snmpCommunityGroup OBJECT-GROUP
+ OBJECTS {
+ snmpCommunityName,
+ snmpCommunitySecurityName,
+ snmpCommunityContextEngineID,
+ snmpCommunityContextName,
+ snmpCommunityTransportTag,
+ snmpCommunityStorageType,
+ snmpCommunityStatus,
+ snmpTargetAddrTMask,
+ snmpTargetAddrMMS
+ }
+ STATUS current
+ DESCRIPTION
+ "A collection of objects providing for configuration
+ of community strings for SNMPv1 (and SNMPv2c) usage."
+ ::= { snmpCommunityMIBGroups 1 }
+
+snmpProxyTrapForwardGroup OBJECT-GROUP
+ OBJECTS {
+ snmpTrapAddress,
+ snmpTrapCommunity
+ }
+ STATUS current
+ DESCRIPTION
+ "Objects which are used by proxy forwarding applications
+ when translating traps between SNMP versions. These are
+ used to preserve SNMPv1-specific information when
+
+ translating to SNMPv2c or SNMPv3."
+ ::= { snmpCommunityMIBGroups 3 }
+
+END
diff --git a/mibs/SNMP-FRAMEWORK-MIB.txt b/mibs/SNMP-FRAMEWORK-MIB.txt
new file mode 100644
index 000000000..aa273c285
--- /dev/null
+++ b/mibs/SNMP-FRAMEWORK-MIB.txt
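Review bot: snmpCommunityName is defined as an unbounded `OCTET STRING` with `MAX-ACCESS read-create`, so once an agent loads this module the configured community strings — which function as credentials — become readable by any principal whose VACM view covers snmpCommunityTable, and neither the file nor the commit records that expectation. A header comment such as `-- Source: RFC 2576. NOTE: snmpCommunityTable exposes community strings; keep it out of non-administrative views.` would make the constraint visible to whoever configures the agent. Note also that snmpCommunityTransportTag defaults to the empty string (`DEFVAL { ''H }`), which by its own DESCRIPTION means transport endpoints are not checked when a message carrying that community is authenticated, so any source-address restriction has to be configured explicitly rather than assumed from the defaults. The doubled article in snmpTrapCommunity ("forwarded by a a proxy") is RFC text and is best left as is if this file is meant to track upstream byte-for-byte.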
@@ -0,0 +1,526 @@ +SNMP-FRAMEWORK-MIB DEFINITIONS ::= BEGIN + +IMPORTS + MODULE-IDENTITY, OBJECT-TYPE, + OBJECT-IDENTITY, + snmpModules FROM SNMPv2-SMI + TEXTUAL-CONVENTION FROM SNMPv2-TC + MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF; + +snmpFrameworkMIB MODULE-IDENTITY + LAST-UPDATED "200210140000Z" + ORGANIZATION "SNMPv3 Working Group" + CONTACT-INFO "WG-EMail: snmpv3@lists.tislabs.com + Subscribe: snmpv3-request@lists.tislabs.com + + Co-Chair: Russ Mundy + Network Associates Laboratories + postal: 15204 Omega Drive, Suite 300 + Rockville, MD 20850-4601 + USA + EMail: mundy@tislabs.com + phone: +1 301-947-7107 + + Co-Chair & + Co-editor: David Harrington + Enterasys Networks + postal: 35 Industrial Way + P. O. Box 5005 + Rochester, New Hampshire 03866-5005 + USA + EMail: dbh@enterasys.com + phone: +1 603-337-2614 + + Co-editor: Randy Presuhn + BMC Software, Inc. + postal: 2141 North First Street + San Jose, California 95131 + USA + EMail: randy_presuhn@bmc.com + phone: +1 408-546-1006 + + Co-editor: Bert Wijnen + Lucent Technologies + postal: Schagen 33 + 3461 GL Linschoten + Netherlands + + EMail: bwijnen@lucent.com + phone: +31 348-680-485 + " + DESCRIPTION "The SNMP Management Architecture MIB + + Copyright (C) The Internet Society (2002). This + version of this MIB module is part of RFC 3411; + see the RFC itself for full legal notices. + " + + REVISION "200210140000Z" -- 14 October 2002 + DESCRIPTION "Changes in this revision: + - Updated various administrative information. + - Corrected some typos. + - Corrected typo in description of SnmpEngineID + that led to range overlap for 127. + - Changed '255a' to '255t' in definition of + SnmpAdminString to align with current SMI. + - Reworded 'reserved' for value zero in + DESCRIPTION of SnmpSecurityModel. + - The algorithm for allocating security models + should give 256 per enterprise block, rather + than 255. + - The example engine ID of 'abcd' is not + legal. 
Replaced with '800002b804616263'H based + on example enterprise 696, string 'abc'. + - Added clarification that engineID should + persist across re-initializations. + This revision published as RFC 3411. + " + REVISION "199901190000Z" -- 19 January 1999 + DESCRIPTION "Updated editors' addresses, fixed typos. + Published as RFC 2571. + " + REVISION "199711200000Z" -- 20 November 1997 + DESCRIPTION "The initial version, published in RFC 2271. + " + ::= { snmpModules 10 } + + -- Textual Conventions used in the SNMP Management Architecture *** + +SnmpEngineID ::= TEXTUAL-CONVENTION + STATUS current + DESCRIPTION "An SNMP engine's administratively-unique identifier. + Objects of this type are for identification, not for + addressing, even though it is possible that an + address may have been used in the generation of + a specific value. + + The value for this object may not be all zeros or + all 'ff'H or the empty (zero length) string. + + The initial value for this object may be configured + via an operator console entry or via an algorithmic + function. In the latter case, the following + example algorithm is recommended. + + In cases where there are multiple engines on the + same system, the use of this algorithm is NOT + appropriate, as it would result in all of those + engines ending up with the same ID value. + + 1) The very first bit is used to indicate how the + rest of the data is composed. + + 0 - as defined by enterprise using former methods + that existed before SNMPv3. See item 2 below. + + 1 - as defined by this architecture, see item 3 + below. + + Note that this allows existing uses of the + engineID (also known as AgentID [RFC1910]) to + co-exist with any new uses. + + 2) The snmpEngineID has a length of 12 octets. + + The first four octets are set to the binary + equivalent of the agent's SNMP management + private enterprise number as assigned by the + Internet Assigned Numbers Authority (IANA). 
+ For example, if Acme Networks has been assigned + { enterprises 696 }, the first four octets would + be assigned '000002b8'H. + + The remaining eight octets are determined via + one or more enterprise-specific methods. Such + methods must be designed so as to maximize the + possibility that the value of this object will + be unique in the agent's administrative domain. + For example, it may be the IP address of the SNMP + entity, or the MAC address of one of the + interfaces, with each address suitably padded + with random octets. If multiple methods are + defined, then it is recommended that the first + octet indicate the method being used and the + remaining octets be a function of the method. + + 3) The length of the octet string varies. + + The first four octets are set to the binary + equivalent of the agent's SNMP management + private enterprise number as assigned by the + Internet Assigned Numbers Authority (IANA). + For example, if Acme Networks has been assigned + { enterprises 696 }, the first four octets would + be assigned '000002b8'H. + + The very first bit is set to 1. For example, the + above value for Acme Networks now changes to be + '800002b8'H. + + The fifth octet indicates how the rest (6th and + following octets) are formatted. The values for + the fifth octet are: + + 0 - reserved, unused. 
+ + 1 - IPv4 address (4 octets) + lowest non-special IP address + + 2 - IPv6 address (16 octets) + lowest non-special IP address + + 3 - MAC address (6 octets) + lowest IEEE MAC address, canonical + order + + 4 - Text, administratively assigned + Maximum remaining length 27 + + 5 - Octets, administratively assigned + Maximum remaining length 27 + + 6-127 - reserved, unused + + 128-255 - as defined by the enterprise + Maximum remaining length 27 + " + SYNTAX OCTET STRING (SIZE(5..32)) + +SnmpSecurityModel ::= TEXTUAL-CONVENTION + STATUS current + DESCRIPTION "An identifier that uniquely identifies a + Security Model of the Security Subsystem within + this SNMP Management Architecture. + + The values for securityModel are allocated as + follows: + + - The zero value does not identify any particular + security model. + + - Values between 1 and 255, inclusive, are reserved + for standards-track Security Models and are + managed by the Internet Assigned Numbers Authority + (IANA). + - Values greater than 255 are allocated to + enterprise-specific Security Models. An + enterprise-specific securityModel value is defined + to be: + + enterpriseID * 256 + security model within + enterprise + + For example, the fourth Security Model defined by + the enterprise whose enterpriseID is 1 would be + 259. + + This scheme for allocation of securityModel + values allows for a maximum of 255 standards- + based Security Models, and for a maximum of + 256 Security Models per enterprise. + + It is believed that the assignment of new + securityModel values will be rare in practice + because the larger the number of simultaneously + utilized Security Models, the larger the + chance that interoperability will suffer. + Consequently, it is believed that such a range + will be sufficient. In the unlikely event that + the standards committee finds this number to be + insufficient over time, an enterprise number + can be allocated to obtain an additional 256 + possible values. 
+ + Note that the most significant bit must be zero; + hence, there are 23 bits allocated for various + organizations to design and define non-standard + + securityModels. This limits the ability to + define new proprietary implementations of Security + Models to the first 8,388,608 enterprises. + + It is worthwhile to note that, in its encoded + form, the securityModel value will normally + require only a single byte since, in practice, + the leftmost bits will be zero for most messages + and sign extension is suppressed by the encoding + rules. + + As of this writing, there are several values + of securityModel defined for use with SNMP or + reserved for use with supporting MIB objects. + They are as follows: + + 0 reserved for 'any' + 1 reserved for SNMPv1 + 2 reserved for SNMPv2c + 3 User-Based Security Model (USM) + " + SYNTAX INTEGER(0 .. 2147483647) + +SnmpMessageProcessingModel ::= TEXTUAL-CONVENTION + STATUS current + DESCRIPTION "An identifier that uniquely identifies a Message + Processing Model of the Message Processing + Subsystem within this SNMP Management Architecture. + + The values for messageProcessingModel are + allocated as follows: + + - Values between 0 and 255, inclusive, are + reserved for standards-track Message Processing + Models and are managed by the Internet Assigned + Numbers Authority (IANA). + + - Values greater than 255 are allocated to + enterprise-specific Message Processing Models. + An enterprise messageProcessingModel value is + defined to be: + + enterpriseID * 256 + + messageProcessingModel within enterprise + + For example, the fourth Message Processing Model + defined by the enterprise whose enterpriseID + + is 1 would be 259. + + This scheme for allocating messageProcessingModel + values allows for a maximum of 255 standards- + based Message Processing Models, and for a + maximum of 256 Message Processing Models per + enterprise. 
+ + It is believed that the assignment of new + messageProcessingModel values will be rare + in practice because the larger the number of + simultaneously utilized Message Processing Models, + the larger the chance that interoperability + will suffer. It is believed that such a range + will be sufficient. In the unlikely event that + the standards committee finds this number to be + insufficient over time, an enterprise number + can be allocated to obtain an additional 256 + possible values. + + Note that the most significant bit must be zero; + hence, there are 23 bits allocated for various + organizations to design and define non-standard + messageProcessingModels. This limits the ability + to define new proprietary implementations of + Message Processing Models to the first 8,388,608 + enterprises. + + It is worthwhile to note that, in its encoded + form, the messageProcessingModel value will + normally require only a single byte since, in + practice, the leftmost bits will be zero for + most messages and sign extension is suppressed + by the encoding rules. + + As of this writing, there are several values of + messageProcessingModel defined for use with SNMP. + They are as follows: + + 0 reserved for SNMPv1 + 1 reserved for SNMPv2c + 2 reserved for SNMPv2u and SNMPv2* + 3 reserved for SNMPv3 + " + SYNTAX INTEGER(0 .. 2147483647) + +SnmpSecurityLevel ::= TEXTUAL-CONVENTION + STATUS current + DESCRIPTION "A Level of Security at which SNMP messages can be + sent or with which operations are being processed; + in particular, one of: + + noAuthNoPriv - without authentication and + without privacy, + authNoPriv - with authentication but + without privacy, + authPriv - with authentication and + with privacy. + + These three values are ordered such that + noAuthNoPriv is less than authNoPriv and + authNoPriv is less than authPriv. 
+ " + SYNTAX INTEGER { noAuthNoPriv(1), + authNoPriv(2), + authPriv(3) + } + +SnmpAdminString ::= TEXTUAL-CONVENTION + DISPLAY-HINT "255t" + STATUS current + DESCRIPTION "An octet string containing administrative + information, preferably in human-readable form. + + To facilitate internationalization, this + information is represented using the ISO/IEC + IS 10646-1 character set, encoded as an octet + string using the UTF-8 transformation format + described in [RFC2279]. + + Since additional code points are added by + amendments to the 10646 standard from time + to time, implementations must be prepared to + encounter any code point from 0x00000000 to + 0x7fffffff. Byte sequences that do not + correspond to the valid UTF-8 encoding of a + code point or are outside this range are + prohibited. + + The use of control codes should be avoided. + + When it is necessary to represent a newline, + the control code sequence CR LF should be used. + + The use of leading or trailing white space should + be avoided. + + For code points not directly supported by user + interface hardware or software, an alternative + means of entry and display, such as hexadecimal, + may be provided. + + For information encoded in 7-bit US-ASCII, + the UTF-8 encoding is identical to the + US-ASCII encoding. + + UTF-8 may require multiple bytes to represent a + single character / code point; thus the length + of this object in octets may be different from + the number of characters encoded. Similarly, + size constraints refer to the number of encoded + octets, not the number of characters represented + by an encoding. + + Note that when this TC is used for an object that + is used or envisioned to be used as an index, then + a SIZE restriction MUST be specified so that the + number of sub-identifiers for any object instance + does not exceed the limit of 128, as defined by + [RFC3416]. + + Note that the size of an SnmpAdminString object is + measured in octets, not characters. 
+ " + SYNTAX OCTET STRING (SIZE (0..255)) + +-- Administrative assignments *************************************** + +snmpFrameworkAdmin + OBJECT IDENTIFIER ::= { snmpFrameworkMIB 1 } +snmpFrameworkMIBObjects + OBJECT IDENTIFIER ::= { snmpFrameworkMIB 2 } +snmpFrameworkMIBConformance + OBJECT IDENTIFIER ::= { snmpFrameworkMIB 3 } + +-- the snmpEngine Group ******************************************** + +snmpEngine OBJECT IDENTIFIER ::= { snmpFrameworkMIBObjects 1 } + +snmpEngineID OBJECT-TYPE + SYNTAX SnmpEngineID + MAX-ACCESS read-only + STATUS current + DESCRIPTION "An SNMP engine's administratively-unique identifier. + + This information SHOULD be stored in non-volatile + storage so that it remains constant across + re-initializations of the SNMP engine. + " + ::= { snmpEngine 1 } + +snmpEngineBoots OBJECT-TYPE + SYNTAX INTEGER (1..2147483647) + MAX-ACCESS read-only + STATUS current + DESCRIPTION "The number of times that the SNMP engine has + (re-)initialized itself since snmpEngineID + was last configured. + " + ::= { snmpEngine 2 } + +snmpEngineTime OBJECT-TYPE + SYNTAX INTEGER (0..2147483647) + UNITS "seconds" + MAX-ACCESS read-only + STATUS current + DESCRIPTION "The number of seconds since the value of + the snmpEngineBoots object last changed. + When incrementing this object's value would + cause it to exceed its maximum, + snmpEngineBoots is incremented as if a + re-initialization had occurred, and this + object's value consequently reverts to zero. + " + ::= { snmpEngine 3 } + +snmpEngineMaxMessageSize OBJECT-TYPE + SYNTAX INTEGER (484..2147483647) + MAX-ACCESS read-only + STATUS current + DESCRIPTION "The maximum length in octets of an SNMP message + which this SNMP engine can send or receive and + process, determined as the minimum of the maximum + message size values supported among all of the + transports available to and supported by the engine. 
+ " + ::= { snmpEngine 4 } + +-- Registration Points for Authentication and Privacy Protocols ** + +snmpAuthProtocols OBJECT-IDENTITY + STATUS current + DESCRIPTION "Registration point for standards-track + authentication protocols used in SNMP Management + Frameworks. + " + ::= { snmpFrameworkAdmin 1 } + +snmpPrivProtocols OBJECT-IDENTITY + STATUS current + DESCRIPTION "Registration point for standards-track privacy + protocols used in SNMP Management Frameworks. + " + ::= { snmpFrameworkAdmin 2 } + +-- Conformance information ****************************************** + +snmpFrameworkMIBCompliances + OBJECT IDENTIFIER ::= {snmpFrameworkMIBConformance 1} +snmpFrameworkMIBGroups + OBJECT IDENTIFIER ::= {snmpFrameworkMIBConformance 2} + +-- compliance statements + +snmpFrameworkMIBCompliance MODULE-COMPLIANCE + STATUS current + DESCRIPTION "The compliance statement for SNMP engines which + implement the SNMP Management Framework MIB. + " + MODULE -- this module + MANDATORY-GROUPS { snmpEngineGroup } + ::= { snmpFrameworkMIBCompliances 1 } + +-- units of conformance + +snmpEngineGroup OBJECT-GROUP + OBJECTS { + snmpEngineID, + snmpEngineBoots, + snmpEngineTime, + snmpEngineMaxMessageSize + } + STATUS current + DESCRIPTION "A collection of objects for identifying and + determining the configuration and current timeliness + + values of an SNMP engine. + " + ::= { snmpFrameworkMIBGroups 1 } + +END diff --git a/mibs/SNMP-MPD-MIB.txt b/mibs/SNMP-MPD-MIB.txt new file mode 100644 index 000000000..d4c605b1c --- /dev/null +++ b/mibs/SNMP-MPD-MIB.txt 
@@ -0,0 +1,145 @@ +SNMP-MPD-MIB DEFINITIONS ::= BEGIN + +IMPORTS + MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF + MODULE-IDENTITY, OBJECT-TYPE, + snmpModules, Counter32 FROM SNMPv2-SMI; + +snmpMPDMIB MODULE-IDENTITY + LAST-UPDATED "200210140000Z" + ORGANIZATION "SNMPv3 Working Group" + CONTACT-INFO "WG-EMail: snmpv3@lists.tislabs.com + Subscribe: snmpv3-request@lists.tislabs.com + + Co-Chair: Russ Mundy + Network Associates Laboratories + postal: 15204 Omega Drive, Suite 300 + Rockville, MD 20850-4601 + USA + + EMail: mundy@tislabs.com + phone: +1 301-947-7107 + + Co-Chair & + Co-editor: David Harrington + Enterasys Networks + postal: 35 Industrial Way + P. O. Box 5005 + Rochester NH 03866-5005 + USA + EMail: dbh@enterasys.com + phone: +1 603-337-2614 + + Co-editor: Jeffrey Case + SNMP Research, Inc. + postal: 3001 Kimberlin Heights Road + Knoxville, TN 37920-9716 + USA + EMail: case@snmp.com + phone: +1 423-573-1434 + + Co-editor: Randy Presuhn + BMC Software, Inc. + postal: 2141 North First Street + San Jose, CA 95131 + USA + EMail: randy_presuhn@bmc.com + phone: +1 408-546-1006 + + Co-editor: Bert Wijnen + Lucent Technologies + postal: Schagen 33 + 3461 GL Linschoten + Netherlands + EMail: bwijnen@lucent.com + phone: +31 348-680-485 + " + DESCRIPTION "The MIB for Message Processing and Dispatching + + Copyright (C) The Internet Society (2002). This + version of this MIB module is part of RFC 3412; + see the RFC itself for full legal notices. + " + REVISION "200210140000Z" -- 14 October 2002 + DESCRIPTION "Updated addresses, published as RFC 3412." + REVISION "199905041636Z" -- 4 May 1999 + DESCRIPTION "Updated addresses, published as RFC 2572." + + REVISION "199709300000Z" -- 30 September 1997 + DESCRIPTION "Original version, published as RFC 2272." 
+ ::= { snmpModules 11 } + +-- Administrative assignments *************************************** + +snmpMPDAdmin OBJECT IDENTIFIER ::= { snmpMPDMIB 1 } +snmpMPDMIBObjects OBJECT IDENTIFIER ::= { snmpMPDMIB 2 } +snmpMPDMIBConformance OBJECT IDENTIFIER ::= { snmpMPDMIB 3 } + +-- Statistics for SNMP Messages ************************************* + +snmpMPDStats OBJECT IDENTIFIER ::= { snmpMPDMIBObjects 1 } + +snmpUnknownSecurityModels OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "The total number of packets received by the SNMP + engine which were dropped because they referenced a + securityModel that was not known to or supported by + the SNMP engine. + " + ::= { snmpMPDStats 1 } + +snmpInvalidMsgs OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "The total number of packets received by the SNMP + engine which were dropped because there were invalid + or inconsistent components in the SNMP message. + " + ::= { snmpMPDStats 2 } + +snmpUnknownPDUHandlers OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "The total number of packets received by the SNMP + engine which were dropped because the PDU contained + in the packet could not be passed to an application + responsible for handling the pduType, e.g. no SNMP + application had registered for the proper + combination of the contextEngineID and the pduType. + " + ::= { snmpMPDStats 3 } + +-- Conformance information ****************************************** + +snmpMPDMIBCompliances OBJECT IDENTIFIER ::= {snmpMPDMIBConformance 1} +snmpMPDMIBGroups OBJECT IDENTIFIER ::= {snmpMPDMIBConformance 2} + +-- Compliance statements + +snmpMPDCompliance MODULE-COMPLIANCE + STATUS current + DESCRIPTION "The compliance statement for SNMP entities which + implement the SNMP-MPD-MIB. 
+ " + MODULE -- this module + MANDATORY-GROUPS { snmpMPDGroup } + ::= { snmpMPDMIBCompliances 1 } + +snmpMPDGroup OBJECT-GROUP + OBJECTS { + snmpUnknownSecurityModels, + snmpInvalidMsgs, + snmpUnknownPDUHandlers + } + STATUS current + DESCRIPTION "A collection of objects providing for remote + monitoring of the SNMP Message Processing and + Dispatching process. + " + ::= { snmpMPDMIBGroups 1 } + +END diff --git a/mibs/SNMP-NOTIFICATION-MIB.txt b/mibs/SNMP-NOTIFICATION-MIB.txt new file mode 100644 index 000000000..0ef06b648 --- /dev/null +++ b/mibs/SNMP-NOTIFICATION-MIB.txt 
@@ -0,0 +1,589 @@ +SNMP-NOTIFICATION-MIB DEFINITIONS ::= BEGIN + +IMPORTS + MODULE-IDENTITY, + OBJECT-TYPE, + snmpModules + FROM SNMPv2-SMI + + RowStatus, + StorageType + FROM SNMPv2-TC + + SnmpAdminString + FROM SNMP-FRAMEWORK-MIB + + SnmpTagValue, + snmpTargetParamsName + FROM SNMP-TARGET-MIB + + MODULE-COMPLIANCE, + OBJECT-GROUP + FROM SNMPv2-CONF; + +snmpNotificationMIB MODULE-IDENTITY + LAST-UPDATED "200210140000Z" + ORGANIZATION "IETF SNMPv3 Working Group" + CONTACT-INFO + "WG-email: snmpv3@lists.tislabs.com + Subscribe: majordomo@lists.tislabs.com + In message body: subscribe snmpv3 + + Co-Chair: Russ Mundy + Network Associates Laboratories + Postal: 15204 Omega Drive, Suite 300 + Rockville, MD 20850-4601 + USA + EMail: mundy@tislabs.com + Phone: +1 301-947-7107 + + Co-Chair: David Harrington + Enterasys Networks + Postal: 35 Industrial Way + P. O. Box 5004 + Rochester, New Hampshire 03866-5005 + USA + EMail: dbh@enterasys.com + Phone: +1 603-337-2614 + + Co-editor: David B. Levi + Nortel Networks + Postal: 3505 Kesterwood Drive + Knoxville, Tennessee 37918 + EMail: dlevi@nortelnetworks.com + Phone: +1 865 686 0432 + + Co-editor: Paul Meyer + Secure Computing Corporation + Postal: 2675 Long Lake Road + Roseville, Minnesota 55113 + EMail: paul_meyer@securecomputing.com + Phone: +1 651 628 1592 + + Co-editor: Bob Stewart + Retired" + DESCRIPTION + "This MIB module defines MIB objects which provide + mechanisms to remotely configure the parameters + used by an SNMP entity for the generation of + notifications. + + Copyright (C) The Internet Society (2002). This + version of this MIB module is part of RFC 3413; + see the RFC itself for full legal notices. + " + REVISION "200210140000Z" -- 14 October 2002 + DESCRIPTION "Clarifications, published as + RFC 3413." + REVISION "199808040000Z" -- 4 August 1998 + DESCRIPTION "Clarifications, published as + RFC 2573." + REVISION "199707140000Z" -- 14 July 1997 + DESCRIPTION "The initial revision, published as RFC2273." 
+ ::= { snmpModules 13 } + +snmpNotifyObjects OBJECT IDENTIFIER ::= + { snmpNotificationMIB 1 } +snmpNotifyConformance OBJECT IDENTIFIER ::= + { snmpNotificationMIB 3 } + +-- +-- +-- The snmpNotifyObjects group +-- +-- + +snmpNotifyTable OBJECT-TYPE + SYNTAX SEQUENCE OF SnmpNotifyEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "This table is used to select management targets which should + receive notifications, as well as the type of notification + which should be sent to each selected management target." + ::= { snmpNotifyObjects 1 } + +snmpNotifyEntry OBJECT-TYPE + SYNTAX SnmpNotifyEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "An entry in this table selects a set of management targets + which should receive notifications, as well as the type of + + notification which should be sent to each selected + management target. + + Entries in the snmpNotifyTable are created and + deleted using the snmpNotifyRowStatus object." + INDEX { IMPLIED snmpNotifyName } + ::= { snmpNotifyTable 1 } + +SnmpNotifyEntry ::= SEQUENCE { + snmpNotifyName SnmpAdminString, + snmpNotifyTag SnmpTagValue, + snmpNotifyType INTEGER, + snmpNotifyStorageType StorageType, + snmpNotifyRowStatus RowStatus +} + +snmpNotifyName OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE(1..32)) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The locally arbitrary, but unique identifier associated + with this snmpNotifyEntry." + ::= { snmpNotifyEntry 1 } + +snmpNotifyTag OBJECT-TYPE + SYNTAX SnmpTagValue + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "This object contains a single tag value which is used + to select entries in the snmpTargetAddrTable. Any entry + in the snmpTargetAddrTable which contains a tag value + which is equal to the value of an instance of this + object is selected. If this object contains a value + of zero length, no entries are selected." 
+ DEFVAL { "" } + ::= { snmpNotifyEntry 2 } + +snmpNotifyType OBJECT-TYPE + SYNTAX INTEGER { + trap(1), + inform(2) + } + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "This object determines the type of notification to + + be generated for entries in the snmpTargetAddrTable + selected by the corresponding instance of + snmpNotifyTag. This value is only used when + generating notifications, and is ignored when + using the snmpTargetAddrTable for other purposes. + + If the value of this object is trap(1), then any + messages generated for selected rows will contain + Unconfirmed-Class PDUs. + + If the value of this object is inform(2), then any + messages generated for selected rows will contain + Confirmed-Class PDUs. + + Note that if an SNMP entity only supports + generation of Unconfirmed-Class PDUs (and not + Confirmed-Class PDUs), then this object may be + read-only." + DEFVAL { trap } + ::= { snmpNotifyEntry 3 } + +snmpNotifyStorageType OBJECT-TYPE + SYNTAX StorageType + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The storage type for this conceptual row. + Conceptual rows having the value 'permanent' need not + allow write-access to any columnar objects in the row." + DEFVAL { nonVolatile } + ::= { snmpNotifyEntry 4 } + +snmpNotifyRowStatus OBJECT-TYPE + SYNTAX RowStatus + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The status of this conceptual row. + + To create a row in this table, a manager must + set this object to either createAndGo(4) or + createAndWait(5)." + ::= { snmpNotifyEntry 5 } + +snmpNotifyFilterProfileTable OBJECT-TYPE + SYNTAX SEQUENCE OF SnmpNotifyFilterProfileEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "This table is used to associate a notification filter + profile with a particular set of target parameters." 
+ ::= { snmpNotifyObjects 2 } + +snmpNotifyFilterProfileEntry OBJECT-TYPE + SYNTAX SnmpNotifyFilterProfileEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "An entry in this table indicates the name of the filter + profile to be used when generating notifications using + the corresponding entry in the snmpTargetParamsTable. + + Entries in the snmpNotifyFilterProfileTable are created + and deleted using the snmpNotifyFilterProfileRowStatus + object." + INDEX { IMPLIED snmpTargetParamsName } + ::= { snmpNotifyFilterProfileTable 1 } + +SnmpNotifyFilterProfileEntry ::= SEQUENCE { + snmpNotifyFilterProfileName SnmpAdminString, + snmpNotifyFilterProfileStorType StorageType, + snmpNotifyFilterProfileRowStatus RowStatus +} + +snmpNotifyFilterProfileName OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE(1..32)) + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The name of the filter profile to be used when generating + notifications using the corresponding entry in the + snmpTargetAddrTable." + ::= { snmpNotifyFilterProfileEntry 1 } + +snmpNotifyFilterProfileStorType OBJECT-TYPE + SYNTAX StorageType + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The storage type for this conceptual row. + Conceptual rows having the value 'permanent' need not + allow write-access to any columnar objects in the row." + DEFVAL { nonVolatile } + ::= { snmpNotifyFilterProfileEntry 2 } + +snmpNotifyFilterProfileRowStatus OBJECT-TYPE + SYNTAX RowStatus + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The status of this conceptual row. + + To create a row in this table, a manager must + set this object to either createAndGo(4) or + createAndWait(5). + + Until instances of all corresponding columns are + appropriately configured, the value of the + corresponding instance of the + snmpNotifyFilterProfileRowStatus column is 'notReady'. 
+ + In particular, a newly created row cannot be made + active until the corresponding instance of + snmpNotifyFilterProfileName has been set." + ::= { snmpNotifyFilterProfileEntry 3 } + +snmpNotifyFilterTable OBJECT-TYPE + SYNTAX SEQUENCE OF SnmpNotifyFilterEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The table of filter profiles. Filter profiles are used + to determine whether particular management targets should + receive particular notifications. + + When a notification is generated, it must be compared + with the filters associated with each management target + which is configured to receive notifications, in order to + determine whether it may be sent to each such management + target. + + A more complete discussion of notification filtering + can be found in section 6. of [SNMP-APPL]." + ::= { snmpNotifyObjects 3 } + +snmpNotifyFilterEntry OBJECT-TYPE + SYNTAX SnmpNotifyFilterEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "An element of a filter profile. + + Entries in the snmpNotifyFilterTable are created and + deleted using the snmpNotifyFilterRowStatus object." + INDEX { snmpNotifyFilterProfileName, + IMPLIED snmpNotifyFilterSubtree } + ::= { snmpNotifyFilterTable 1 } + +SnmpNotifyFilterEntry ::= SEQUENCE { + snmpNotifyFilterSubtree OBJECT IDENTIFIER, + snmpNotifyFilterMask OCTET STRING, + snmpNotifyFilterType INTEGER, + snmpNotifyFilterStorageType StorageType, + snmpNotifyFilterRowStatus RowStatus +} + +snmpNotifyFilterSubtree OBJECT-TYPE + SYNTAX OBJECT IDENTIFIER + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The MIB subtree which, when combined with the corresponding + instance of snmpNotifyFilterMask, defines a family of + subtrees which are included in or excluded from the + filter profile." 
+ ::= { snmpNotifyFilterEntry 1 } + +snmpNotifyFilterMask OBJECT-TYPE + SYNTAX OCTET STRING (SIZE(0..16)) + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The bit mask which, in combination with the corresponding + instance of snmpNotifyFilterSubtree, defines a family of + subtrees which are included in or excluded from the + filter profile. + + Each bit of this bit mask corresponds to a + sub-identifier of snmpNotifyFilterSubtree, with the + most significant bit of the i-th octet of this octet + string value (extended if necessary, see below) + corresponding to the (8*i - 7)-th sub-identifier, and + the least significant bit of the i-th octet of this + octet string corresponding to the (8*i)-th + sub-identifier, where i is in the range 1 through 16. + + Each bit of this bit mask specifies whether or not + the corresponding sub-identifiers must match when + determining if an OBJECT IDENTIFIER matches this + family of filter subtrees; a '1' indicates that an + exact match must occur; a '0' indicates 'wild card', + i.e., any sub-identifier value matches. + + Thus, the OBJECT IDENTIFIER X of an object instance + is contained in a family of filter subtrees if, for + each sub-identifier of the value of + snmpNotifyFilterSubtree, either: + + the i-th bit of snmpNotifyFilterMask is 0, or + + the i-th sub-identifier of X is equal to the i-th + sub-identifier of the value of + snmpNotifyFilterSubtree. + + If the value of this bit mask is M bits long and + there are more than M sub-identifiers in the + corresponding instance of snmpNotifyFilterSubtree, + then the bit mask is extended with 1's to be the + required length. + + Note that when the value of this object is the + zero-length string, this extension rule results in + a mask of all-1's being used (i.e., no 'wild card'), + and the family of filter subtrees is the one + subtree uniquely identified by the corresponding + instance of snmpNotifyFilterSubtree." 
+ DEFVAL { ''H } + ::= { snmpNotifyFilterEntry 2 } + +snmpNotifyFilterType OBJECT-TYPE + SYNTAX INTEGER { + included(1), + excluded(2) + } + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "This object indicates whether the family of filter subtrees + defined by this entry are included in or excluded from a + filter. A more detailed discussion of the use of this + object can be found in section 6. of [SNMP-APPL]." + DEFVAL { included } + ::= { snmpNotifyFilterEntry 3 } + +snmpNotifyFilterStorageType OBJECT-TYPE + SYNTAX StorageType + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The storage type for this conceptual row. + Conceptual rows having the value 'permanent' need not + + allow write-access to any columnar objects in the row." + DEFVAL { nonVolatile } + ::= { snmpNotifyFilterEntry 4 } + +snmpNotifyFilterRowStatus OBJECT-TYPE + SYNTAX RowStatus + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The status of this conceptual row. + + To create a row in this table, a manager must + set this object to either createAndGo(4) or + createAndWait(5)." + ::= { snmpNotifyFilterEntry 5 } + +-- +-- +-- Conformance information +-- +-- + +snmpNotifyCompliances OBJECT IDENTIFIER ::= + { snmpNotifyConformance 1 } +snmpNotifyGroups OBJECT IDENTIFIER ::= + { snmpNotifyConformance 2 } + +-- +-- +-- Compliance statements +-- +-- + +snmpNotifyBasicCompliance MODULE-COMPLIANCE + STATUS current + DESCRIPTION + "The compliance statement for minimal SNMP entities which + implement only SNMP Unconfirmed-Class notifications and + read-create operations on only the snmpTargetAddrTable." + MODULE SNMP-TARGET-MIB + MANDATORY-GROUPS { snmpTargetBasicGroup } + + OBJECT snmpTargetParamsMPModel + MIN-ACCESS read-only + DESCRIPTION + "Create/delete/modify access is not required." + + OBJECT snmpTargetParamsSecurityModel + MIN-ACCESS read-only + DESCRIPTION + "Create/delete/modify access is not required." 
+ + OBJECT snmpTargetParamsSecurityName + MIN-ACCESS read-only + DESCRIPTION + "Create/delete/modify access is not required." + + OBJECT snmpTargetParamsSecurityLevel + MIN-ACCESS read-only + DESCRIPTION + "Create/delete/modify access is not required." + + OBJECT snmpTargetParamsStorageType + SYNTAX INTEGER { + readOnly(5) + } + MIN-ACCESS read-only + DESCRIPTION + "Create/delete/modify access is not required. + Support of the values other(1), volatile(2), + nonVolatile(3), and permanent(4) is not required." + + OBJECT snmpTargetParamsRowStatus + SYNTAX INTEGER { + active(1) + } + MIN-ACCESS read-only + DESCRIPTION + "Create/delete/modify access to the + snmpTargetParamsTable is not required. + Support of the values notInService(2), notReady(3), + createAndGo(4), createAndWait(5), and destroy(6) is + not required." + + MODULE -- This Module + MANDATORY-GROUPS { snmpNotifyGroup } + + OBJECT snmpNotifyTag + MIN-ACCESS read-only + DESCRIPTION + "Create/delete/modify access is not required." + + OBJECT snmpNotifyType + SYNTAX INTEGER { + trap(1) + } + MIN-ACCESS read-only + DESCRIPTION + "Create/delete/modify access is not required. + Support of the value notify(2) is not required." + + OBJECT snmpNotifyStorageType + SYNTAX INTEGER { + readOnly(5) + } + MIN-ACCESS read-only + DESCRIPTION + "Create/delete/modify access is not required. + Support of the values other(1), volatile(2), + nonVolatile(3), and permanent(4) is not required." + + OBJECT snmpNotifyRowStatus + SYNTAX INTEGER { + active(1) + } + MIN-ACCESS read-only + DESCRIPTION + "Create/delete/modify access to the + snmpNotifyTable is not required. + Support of the values notInService(2), notReady(3), + createAndGo(4), createAndWait(5), and destroy(6) is + not required." 
+ ::= { snmpNotifyCompliances 1 } + +snmpNotifyBasicFiltersCompliance MODULE-COMPLIANCE + STATUS current + DESCRIPTION + "The compliance statement for SNMP entities which implement + SNMP Unconfirmed-Class notifications with filtering, and + read-create operations on all related tables." + MODULE SNMP-TARGET-MIB + MANDATORY-GROUPS { snmpTargetBasicGroup } + MODULE -- This Module + MANDATORY-GROUPS { snmpNotifyGroup, + snmpNotifyFilterGroup } + ::= { snmpNotifyCompliances 2 } + +snmpNotifyFullCompliance MODULE-COMPLIANCE + STATUS current + DESCRIPTION + "The compliance statement for SNMP entities which either + implement only SNMP Confirmed-Class notifications, or both + SNMP Unconfirmed-Class and Confirmed-Class notifications, + plus filtering and read-create operations on all related + tables." + MODULE SNMP-TARGET-MIB + MANDATORY-GROUPS { snmpTargetBasicGroup, + snmpTargetResponseGroup } + MODULE -- This Module + MANDATORY-GROUPS { snmpNotifyGroup, + snmpNotifyFilterGroup } + ::= { snmpNotifyCompliances 3 } + +snmpNotifyGroup OBJECT-GROUP + OBJECTS { + snmpNotifyTag, + snmpNotifyType, + snmpNotifyStorageType, + snmpNotifyRowStatus + } + STATUS current + DESCRIPTION + "A collection of objects for selecting which management + targets are used for generating notifications, and the + type of notification to be generated for each selected + management target." + ::= { snmpNotifyGroups 1 } + +snmpNotifyFilterGroup OBJECT-GROUP + OBJECTS { + snmpNotifyFilterProfileName, + snmpNotifyFilterProfileStorType, + snmpNotifyFilterProfileRowStatus, + snmpNotifyFilterMask, + snmpNotifyFilterType, + snmpNotifyFilterStorageType, + snmpNotifyFilterRowStatus + } + STATUS current + DESCRIPTION + "A collection of objects providing remote configuration + of notification filters." + ::= { snmpNotifyGroups 2 } + +END diff --git a/mibs/SNMP-PROXY-MIB.txt b/mibs/SNMP-PROXY-MIB.txt new file mode 100644 index 000000000..4a72e8603 --- /dev/null +++ b/mibs/SNMP-PROXY-MIB.txt 
@@ -0,0 +1,294 @@ +SNMP-PROXY-MIB DEFINITIONS ::= BEGIN + +IMPORTS + MODULE-IDENTITY, + OBJECT-TYPE, + snmpModules + FROM SNMPv2-SMI + + RowStatus, + StorageType + FROM SNMPv2-TC + + SnmpEngineID, + SnmpAdminString + FROM SNMP-FRAMEWORK-MIB + + SnmpTagValue + FROM SNMP-TARGET-MIB + + MODULE-COMPLIANCE, + OBJECT-GROUP + FROM SNMPv2-CONF; + +snmpProxyMIB MODULE-IDENTITY + LAST-UPDATED "200210140000Z" + ORGANIZATION "IETF SNMPv3 Working Group" + CONTACT-INFO + "WG-email: snmpv3@lists.tislabs.com + Subscribe: majordomo@lists.tislabs.com + In message body: subscribe snmpv3 + + Co-Chair: Russ Mundy + Network Associates Laboratories + Postal: 15204 Omega Drive, Suite 300 + Rockville, MD 20850-4601 + USA + EMail: mundy@tislabs.com + Phone: +1 301-947-7107 + + Co-Chair: David Harrington + Enterasys Networks + Postal: 35 Industrial Way + P. O. Box 5004 + Rochester, New Hampshire 03866-5005 + USA + EMail: dbh@enterasys.com + Phone: +1 603-337-2614 + + Co-editor: David B. Levi + Nortel Networks + Postal: 3505 Kesterwood Drive + Knoxville, Tennessee 37918 + EMail: dlevi@nortelnetworks.com + Phone: +1 865 686 0432 + + Co-editor: Paul Meyer + Secure Computing Corporation + Postal: 2675 Long Lake Road + Roseville, Minnesota 55113 + EMail: paul_meyer@securecomputing.com + Phone: +1 651 628 1592 + + Co-editor: Bob Stewart + Retired" + DESCRIPTION + "This MIB module defines MIB objects which provide + mechanisms to remotely configure the parameters + used by a proxy forwarding application. + + Copyright (C) The Internet Society (2002). This + version of this MIB module is part of RFC 3413; + see the RFC itself for full legal notices. + " + REVISION "200210140000Z" -- 14 October 2002 + DESCRIPTION "Clarifications, published as + RFC 3413." + REVISION "199808040000Z" -- 4 August 1998 + DESCRIPTION "Clarifications, published as + RFC 2573." + REVISION "199707140000Z" -- 14 July 1997 + DESCRIPTION "The initial revision, published as RFC2273." 
+ ::= { snmpModules 14 } + +snmpProxyObjects OBJECT IDENTIFIER ::= { snmpProxyMIB 1 } +snmpProxyConformance OBJECT IDENTIFIER ::= { snmpProxyMIB 3 } + +-- + +-- +-- The snmpProxyObjects group +-- +-- + +snmpProxyTable OBJECT-TYPE + SYNTAX SEQUENCE OF SnmpProxyEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The table of translation parameters used by proxy forwarder + applications for forwarding SNMP messages." + ::= { snmpProxyObjects 2 } + +snmpProxyEntry OBJECT-TYPE + SYNTAX SnmpProxyEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A set of translation parameters used by a proxy forwarder + application for forwarding SNMP messages. + + Entries in the snmpProxyTable are created and deleted + using the snmpProxyRowStatus object." + INDEX { IMPLIED snmpProxyName } + ::= { snmpProxyTable 1 } + +SnmpProxyEntry ::= SEQUENCE { + snmpProxyName SnmpAdminString, + snmpProxyType INTEGER, + snmpProxyContextEngineID SnmpEngineID, + snmpProxyContextName SnmpAdminString, + snmpProxyTargetParamsIn SnmpAdminString, + snmpProxySingleTargetOut SnmpAdminString, + snmpProxyMultipleTargetOut SnmpTagValue, + snmpProxyStorageType StorageType, + snmpProxyRowStatus RowStatus +} + +snmpProxyName OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE(1..32)) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The locally arbitrary, but unique identifier associated + with this snmpProxyEntry." + ::= { snmpProxyEntry 1 } + +snmpProxyType OBJECT-TYPE + SYNTAX INTEGER { + read(1), + write(2), + trap(3), + inform(4) + } + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The type of message that may be forwarded using + the translation parameters defined by this entry." + ::= { snmpProxyEntry 2 } + +snmpProxyContextEngineID OBJECT-TYPE + SYNTAX SnmpEngineID + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The contextEngineID contained in messages that + may be forwarded using the translation parameters + defined by this entry." 
+ ::= { snmpProxyEntry 3 } + +snmpProxyContextName OBJECT-TYPE + SYNTAX SnmpAdminString + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The contextName contained in messages that may be + forwarded using the translation parameters defined + by this entry. + + This object is optional, and if not supported, the + contextName contained in a message is ignored when + selecting an entry in the snmpProxyTable." + ::= { snmpProxyEntry 4 } + +snmpProxyTargetParamsIn OBJECT-TYPE + SYNTAX SnmpAdminString + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "This object selects an entry in the snmpTargetParamsTable. + The selected entry is used to determine which row of the + snmpProxyTable to use for forwarding received messages." + ::= { snmpProxyEntry 5 } + +snmpProxySingleTargetOut OBJECT-TYPE + SYNTAX SnmpAdminString + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "This object selects a management target defined in the + snmpTargetAddrTable (in the SNMP-TARGET-MIB). The + selected target is defined by an entry in the + snmpTargetAddrTable whose index value (snmpTargetAddrName) + is equal to this object. + + This object is only used when selection of a single + target is required (i.e. when forwarding an incoming + read or write request)." + ::= { snmpProxyEntry 6 } + +snmpProxyMultipleTargetOut OBJECT-TYPE + SYNTAX SnmpTagValue + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "This object selects a set of management targets defined + in the snmpTargetAddrTable (in the SNMP-TARGET-MIB). + + This object is only used when selection of multiple + targets is required (i.e. when forwarding an incoming + notification)." + ::= { snmpProxyEntry 7 } + +snmpProxyStorageType OBJECT-TYPE + SYNTAX StorageType + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The storage type of this conceptual row. + Conceptual rows having the value 'permanent' need not + allow write-access to any columnar objects in the row." 
+ DEFVAL { nonVolatile } + ::= { snmpProxyEntry 8 } + +snmpProxyRowStatus OBJECT-TYPE + SYNTAX RowStatus + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The status of this conceptual row. + + To create a row in this table, a manager must + + set this object to either createAndGo(4) or + createAndWait(5). + + The following objects may not be modified while the + value of this object is active(1): + - snmpProxyType + - snmpProxyContextEngineID + - snmpProxyContextName + - snmpProxyTargetParamsIn + - snmpProxySingleTargetOut + - snmpProxyMultipleTargetOut" + ::= { snmpProxyEntry 9 } + +-- +-- +-- Conformance information +-- +-- + +snmpProxyCompliances OBJECT IDENTIFIER ::= + { snmpProxyConformance 1 } +snmpProxyGroups OBJECT IDENTIFIER ::= + { snmpProxyConformance 2 } + +-- +-- +-- Compliance statements +-- +-- + +snmpProxyCompliance MODULE-COMPLIANCE + STATUS current + DESCRIPTION + "The compliance statement for SNMP entities which include + a proxy forwarding application." + MODULE SNMP-TARGET-MIB + MANDATORY-GROUPS { snmpTargetBasicGroup, + snmpTargetResponseGroup } + MODULE -- This Module + MANDATORY-GROUPS { snmpProxyGroup } + ::= { snmpProxyCompliances 1 } + +snmpProxyGroup OBJECT-GROUP + OBJECTS { + snmpProxyType, + snmpProxyContextEngineID, + snmpProxyContextName, + snmpProxyTargetParamsIn, + snmpProxySingleTargetOut, + snmpProxyMultipleTargetOut, + snmpProxyStorageType, + snmpProxyRowStatus + } + STATUS current + DESCRIPTION + "A collection of objects providing remote configuration of + management target translation parameters for use by + proxy forwarder applications." + ::= { snmpProxyGroups 3 } + +END diff --git a/mibs/SNMP-TARGET-MIB.txt b/mibs/SNMP-TARGET-MIB.txt new file mode 100644 index 000000000..654afdd69 --- /dev/null +++ b/mibs/SNMP-TARGET-MIB.txt 
@@ -0,0 +1,660 @@ +SNMP-TARGET-MIB DEFINITIONS ::= BEGIN + +IMPORTS + MODULE-IDENTITY, + OBJECT-TYPE, + snmpModules, + Counter32, + Integer32 + FROM SNMPv2-SMI + + TEXTUAL-CONVENTION, + TDomain, + TAddress, + TimeInterval, + RowStatus, + StorageType, + TestAndIncr + FROM SNMPv2-TC + + SnmpSecurityModel, + SnmpMessageProcessingModel, + SnmpSecurityLevel, + SnmpAdminString + FROM SNMP-FRAMEWORK-MIB + + MODULE-COMPLIANCE, + OBJECT-GROUP + FROM SNMPv2-CONF; + +snmpTargetMIB MODULE-IDENTITY + LAST-UPDATED "200210140000Z" + ORGANIZATION "IETF SNMPv3 Working Group" + CONTACT-INFO + "WG-email: snmpv3@lists.tislabs.com + Subscribe: majordomo@lists.tislabs.com + In message body: subscribe snmpv3 + + Co-Chair: Russ Mundy + Network Associates Laboratories + Postal: 15204 Omega Drive, Suite 300 + Rockville, MD 20850-4601 + USA + EMail: mundy@tislabs.com + Phone: +1 301-947-7107 + + Co-Chair: David Harrington + Enterasys Networks + Postal: 35 Industrial Way + P. O. Box 5004 + Rochester, New Hampshire 03866-5005 + USA + EMail: dbh@enterasys.com + Phone: +1 603-337-2614 + + Co-editor: David B. Levi + Nortel Networks + Postal: 3505 Kesterwood Drive + Knoxville, Tennessee 37918 + EMail: dlevi@nortelnetworks.com + Phone: +1 865 686 0432 + + Co-editor: Paul Meyer + Secure Computing Corporation + Postal: 2675 Long Lake Road + + Roseville, Minnesota 55113 + EMail: paul_meyer@securecomputing.com + Phone: +1 651 628 1592 + + Co-editor: Bob Stewart + Retired" + DESCRIPTION + "This MIB module defines MIB objects which provide + mechanisms to remotely configure the parameters used + by an SNMP entity for the generation of SNMP messages. + + Copyright (C) The Internet Society (2002). This + version of this MIB module is part of RFC 3413; + see the RFC itself for full legal notices. + " + REVISION "200210140000Z" -- 14 October 2002 + DESCRIPTION "Fixed DISPLAY-HINTS for UTF-8 strings, fixed hex + value of LF characters, clarified meaning of zero + length tag values, improved tag list examples. 
+ Published as RFC 3413." + REVISION "199808040000Z" -- 4 August 1998 + DESCRIPTION "Clarifications, published as + RFC 2573." + REVISION "199707140000Z" -- 14 July 1997 + DESCRIPTION "The initial revision, published as RFC2273." + ::= { snmpModules 12 } + +snmpTargetObjects OBJECT IDENTIFIER ::= { snmpTargetMIB 1 } +snmpTargetConformance OBJECT IDENTIFIER ::= { snmpTargetMIB 3 } + +SnmpTagValue ::= TEXTUAL-CONVENTION + DISPLAY-HINT "255t" + STATUS current + DESCRIPTION + "An octet string containing a tag value. + Tag values are preferably in human-readable form. + + To facilitate internationalization, this information + is represented using the ISO/IEC IS 10646-1 character + set, encoded as an octet string using the UTF-8 + character encoding scheme described in RFC 2279. + + Since additional code points are added by amendments + to the 10646 standard from time to time, + implementations must be prepared to encounter any code + point from 0x00000000 to 0x7fffffff. + + The use of control codes should be avoided, and certain + + control codes are not allowed as described below. + + For code points not directly supported by user + interface hardware or software, an alternative means + of entry and display, such as hexadecimal, may be + provided. + + For information encoded in 7-bit US-ASCII, the UTF-8 + representation is identical to the US-ASCII encoding. + + Note that when this TC is used for an object that + is used or envisioned to be used as an index, then a + SIZE restriction must be specified so that the number + of sub-identifiers for any object instance does not + exceed the limit of 128, as defined by [RFC1905]. + + An object of this type contains a single tag value + which is used to select a set of entries in a table. + + A tag value is an arbitrary string of octets, but + may not contain a delimiter character. Delimiter + characters are defined to be one of the following: + + - An ASCII space character (0x20). + + - An ASCII TAB character (0x09). 
+ + - An ASCII carriage return (CR) character (0x0D). + + - An ASCII line feed (LF) character (0x0A). + + Delimiter characters are used to separate tag values + in a tag list. An object of this type may only + contain a single tag value, and so delimiter + characters are not allowed in a value of this type. + + Note that a tag value of 0 length means that no tag is + defined. In other words, a tag value of 0 length would + never match anything in a tag list, and would never + select any table entries. + + Some examples of valid tag values are: + + - 'acme' + + - 'router' + + - 'host' + + The use of a tag value to select table entries is + application and MIB specific." + SYNTAX OCTET STRING (SIZE (0..255)) + +SnmpTagList ::= TEXTUAL-CONVENTION + DISPLAY-HINT "255t" + STATUS current + DESCRIPTION + "An octet string containing a list of tag values. + Tag values are preferably in human-readable form. + + To facilitate internationalization, this information + is represented using the ISO/IEC IS 10646-1 character + set, encoded as an octet string using the UTF-8 + character encoding scheme described in RFC 2279. + + Since additional code points are added by amendments + to the 10646 standard from time to time, + implementations must be prepared to encounter any code + point from 0x00000000 to 0x7fffffff. + + The use of control codes should be avoided, except as + described below. + + For code points not directly supported by user + interface hardware or software, an alternative means + of entry and display, such as hexadecimal, may be + provided. + + For information encoded in 7-bit US-ASCII, the UTF-8 + representation is identical to the US-ASCII encoding. + + An object of this type contains a list of tag values + which are used to select a set of entries in a table. + + A tag value is an arbitrary string of octets, but + may not contain a delimiter character. Delimiter + characters are defined to be one of the following: + + - An ASCII space character (0x20). 
+ + - An ASCII TAB character (0x09). + + - An ASCII carriage return (CR) character (0x0D). + + - An ASCII line feed (LF) character (0x0A). + + Delimiter characters are used to separate tag values + + in a tag list. Only a single delimiter character may + occur between two tag values. A tag value may not + have a zero length. These constraints imply certain + restrictions on the contents of this object: + + - There cannot be a leading or trailing delimiter + character. + + - There cannot be multiple adjacent delimiter + characters. + + Some examples of valid tag lists are: + + - '' -- an empty list + + - 'acme' -- list of one tag + + - 'host router bridge' -- list of several tags + + Note that although a tag value may not have a length of + zero, an empty string is still valid. This indicates + an empty list (i.e. there are no tag values in the list). + + The use of the tag list to select table entries is + application and MIB specific. Typically, an application + will provide one or more tag values, and any entry + which contains some combination of these tag values + will be selected." + SYNTAX OCTET STRING (SIZE (0..255)) + +-- +-- +-- The snmpTargetObjects group +-- +-- + +snmpTargetSpinLock OBJECT-TYPE + SYNTAX TestAndIncr + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "This object is used to facilitate modification of table + entries in the SNMP-TARGET-MIB module by multiple + managers. In particular, it is useful when modifying + the value of the snmpTargetAddrTagList object. + + The procedure for modifying the snmpTargetAddrTagList + object is as follows: + + 1. Retrieve the value of snmpTargetSpinLock and + of snmpTargetAddrTagList. + + 2. Generate a new value for snmpTargetAddrTagList. + + 3. Set the value of snmpTargetSpinLock to the + retrieved value, and the value of + snmpTargetAddrTagList to the new value. If + the set fails for the snmpTargetSpinLock + object, go back to step 1." 
+ ::= { snmpTargetObjects 1 } + +snmpTargetAddrTable OBJECT-TYPE + SYNTAX SEQUENCE OF SnmpTargetAddrEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A table of transport addresses to be used in the generation + of SNMP messages." + ::= { snmpTargetObjects 2 } + +snmpTargetAddrEntry OBJECT-TYPE + SYNTAX SnmpTargetAddrEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A transport address to be used in the generation + of SNMP operations. + + Entries in the snmpTargetAddrTable are created and + deleted using the snmpTargetAddrRowStatus object." + INDEX { IMPLIED snmpTargetAddrName } + ::= { snmpTargetAddrTable 1 } + +SnmpTargetAddrEntry ::= SEQUENCE { + snmpTargetAddrName SnmpAdminString, + snmpTargetAddrTDomain TDomain, + snmpTargetAddrTAddress TAddress, + snmpTargetAddrTimeout TimeInterval, + snmpTargetAddrRetryCount Integer32, + snmpTargetAddrTagList SnmpTagList, + snmpTargetAddrParams SnmpAdminString, + snmpTargetAddrStorageType StorageType, + snmpTargetAddrRowStatus RowStatus +} + +snmpTargetAddrName OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE(1..32)) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The locally arbitrary, but unique identifier associated + with this snmpTargetAddrEntry." + ::= { snmpTargetAddrEntry 1 } + +snmpTargetAddrTDomain OBJECT-TYPE + SYNTAX TDomain + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "This object indicates the transport type of the address + contained in the snmpTargetAddrTAddress object." + ::= { snmpTargetAddrEntry 2 } + +snmpTargetAddrTAddress OBJECT-TYPE + SYNTAX TAddress + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "This object contains a transport address. The format of + this address depends on the value of the + snmpTargetAddrTDomain object." 
+ ::= { snmpTargetAddrEntry 3 } + +snmpTargetAddrTimeout OBJECT-TYPE + SYNTAX TimeInterval + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "This object should reflect the expected maximum round + trip time for communicating with the transport address + defined by this row. When a message is sent to this + address, and a response (if one is expected) is not + received within this time period, an implementation + may assume that the response will not be delivered. + + Note that the time interval that an application waits + for a response may actually be derived from the value + of this object. The method for deriving the actual time + interval is implementation dependent. One such method + is to derive the expected round trip time based on a + particular retransmission algorithm and on the number + of timeouts which have occurred. The type of message may + also be considered when deriving expected round trip + times for retransmissions. For example, if a message is + being sent with a securityLevel that indicates both + + authentication and privacy, the derived value may be + increased to compensate for extra processing time spent + during authentication and encryption processing." + DEFVAL { 1500 } + ::= { snmpTargetAddrEntry 4 } + +snmpTargetAddrRetryCount OBJECT-TYPE + SYNTAX Integer32 (0..255) + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "This object specifies a default number of retries to be + attempted when a response is not received for a generated + message. An application may provide its own retry count, + in which case the value of this object is ignored." + DEFVAL { 3 } + ::= { snmpTargetAddrEntry 5 } + +snmpTargetAddrTagList OBJECT-TYPE + SYNTAX SnmpTagList + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "This object contains a list of tag values which are + used to select target addresses for a particular + operation." 
+ DEFVAL { "" } + ::= { snmpTargetAddrEntry 6 } + +snmpTargetAddrParams OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE(1..32)) + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The value of this object identifies an entry in the + snmpTargetParamsTable. The identified entry + contains SNMP parameters to be used when generating + messages to be sent to this transport address." + ::= { snmpTargetAddrEntry 7 } + +snmpTargetAddrStorageType OBJECT-TYPE + SYNTAX StorageType + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The storage type for this conceptual row. + Conceptual rows having the value 'permanent' need not + allow write-access to any columnar objects in the row." + DEFVAL { nonVolatile } + ::= { snmpTargetAddrEntry 8 } + +snmpTargetAddrRowStatus OBJECT-TYPE + SYNTAX RowStatus + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The status of this conceptual row. + + To create a row in this table, a manager must + set this object to either createAndGo(4) or + createAndWait(5). + + Until instances of all corresponding columns are + appropriately configured, the value of the + corresponding instance of the snmpTargetAddrRowStatus + column is 'notReady'. + + In particular, a newly created row cannot be made + active until the corresponding instances of + snmpTargetAddrTDomain, snmpTargetAddrTAddress, and + snmpTargetAddrParams have all been set. + + The following objects may not be modified while the + value of this object is active(1): + - snmpTargetAddrTDomain + - snmpTargetAddrTAddress + An attempt to set these objects while the value of + snmpTargetAddrRowStatus is active(1) will result in + an inconsistentValue error." + ::= { snmpTargetAddrEntry 9 } + +snmpTargetParamsTable OBJECT-TYPE + SYNTAX SEQUENCE OF SnmpTargetParamsEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A table of SNMP target information to be used + in the generation of SNMP messages." 
+ ::= { snmpTargetObjects 3 } + +snmpTargetParamsEntry OBJECT-TYPE + SYNTAX SnmpTargetParamsEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A set of SNMP target information. + + Entries in the snmpTargetParamsTable are created and + deleted using the snmpTargetParamsRowStatus object." + INDEX { IMPLIED snmpTargetParamsName } + ::= { snmpTargetParamsTable 1 } + +SnmpTargetParamsEntry ::= SEQUENCE { + snmpTargetParamsName SnmpAdminString, + snmpTargetParamsMPModel SnmpMessageProcessingModel, + snmpTargetParamsSecurityModel SnmpSecurityModel, + snmpTargetParamsSecurityName SnmpAdminString, + snmpTargetParamsSecurityLevel SnmpSecurityLevel, + snmpTargetParamsStorageType StorageType, + snmpTargetParamsRowStatus RowStatus +} + +snmpTargetParamsName OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE(1..32)) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The locally arbitrary, but unique identifier associated + with this snmpTargetParamsEntry." + ::= { snmpTargetParamsEntry 1 } + +snmpTargetParamsMPModel OBJECT-TYPE + SYNTAX SnmpMessageProcessingModel + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The Message Processing Model to be used when generating + SNMP messages using this entry." + ::= { snmpTargetParamsEntry 2 } + +snmpTargetParamsSecurityModel OBJECT-TYPE + SYNTAX SnmpSecurityModel (1..2147483647) + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The Security Model to be used when generating SNMP + messages using this entry. An implementation may + choose to return an inconsistentValue error if an + attempt is made to set this variable to a value + for a security model which the implementation does + not support." + ::= { snmpTargetParamsEntry 3 } + +snmpTargetParamsSecurityName OBJECT-TYPE + SYNTAX SnmpAdminString + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The securityName which identifies the Principal on + whose behalf SNMP messages will be generated using + this entry." 
+ ::= { snmpTargetParamsEntry 4 } + +snmpTargetParamsSecurityLevel OBJECT-TYPE + SYNTAX SnmpSecurityLevel + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The Level of Security to be used when generating + SNMP messages using this entry." + ::= { snmpTargetParamsEntry 5 } + +snmpTargetParamsStorageType OBJECT-TYPE + SYNTAX StorageType + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The storage type for this conceptual row. + Conceptual rows having the value 'permanent' need not + allow write-access to any columnar objects in the row." + DEFVAL { nonVolatile } + ::= { snmpTargetParamsEntry 6 } + +snmpTargetParamsRowStatus OBJECT-TYPE + SYNTAX RowStatus + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The status of this conceptual row. + + To create a row in this table, a manager must + set this object to either createAndGo(4) or + createAndWait(5). + + Until instances of all corresponding columns are + appropriately configured, the value of the + corresponding instance of the snmpTargetParamsRowStatus + column is 'notReady'. + + In particular, a newly created row cannot be made + active until the corresponding + snmpTargetParamsMPModel, + snmpTargetParamsSecurityModel, + snmpTargetParamsSecurityName, + and snmpTargetParamsSecurityLevel have all been set. + + The following objects may not be modified while the + value of this object is active(1): + - snmpTargetParamsMPModel + - snmpTargetParamsSecurityModel + - snmpTargetParamsSecurityName + - snmpTargetParamsSecurityLevel + An attempt to set these objects while the value of + snmpTargetParamsRowStatus is active(1) will result in + an inconsistentValue error." + ::= { snmpTargetParamsEntry 7 } + +snmpUnavailableContexts OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The total number of packets received by the SNMP + engine which were dropped because the context + contained in the message was unavailable." 
+ ::= { snmpTargetObjects 4 } + +snmpUnknownContexts OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The total number of packets received by the SNMP + engine which were dropped because the context + contained in the message was unknown." + ::= { snmpTargetObjects 5 } + +-- +-- +-- Conformance information +-- +-- + +snmpTargetCompliances OBJECT IDENTIFIER ::= + { snmpTargetConformance 1 } +snmpTargetGroups OBJECT IDENTIFIER ::= + { snmpTargetConformance 2 } + +-- +-- +-- Compliance statements + +-- +-- + +snmpTargetCommandResponderCompliance MODULE-COMPLIANCE + STATUS current + DESCRIPTION + "The compliance statement for SNMP entities which include + a command responder application." + MODULE -- This Module + MANDATORY-GROUPS { snmpTargetCommandResponderGroup } + ::= { snmpTargetCompliances 1 } + +snmpTargetBasicGroup OBJECT-GROUP + OBJECTS { + snmpTargetSpinLock, + snmpTargetAddrTDomain, + snmpTargetAddrTAddress, + snmpTargetAddrTagList, + snmpTargetAddrParams, + snmpTargetAddrStorageType, + snmpTargetAddrRowStatus, + snmpTargetParamsMPModel, + snmpTargetParamsSecurityModel, + snmpTargetParamsSecurityName, + snmpTargetParamsSecurityLevel, + snmpTargetParamsStorageType, + snmpTargetParamsRowStatus + } + STATUS current + DESCRIPTION + "A collection of objects providing basic remote + configuration of management targets." + ::= { snmpTargetGroups 1 } + +snmpTargetResponseGroup OBJECT-GROUP + OBJECTS { + snmpTargetAddrTimeout, + snmpTargetAddrRetryCount + } + STATUS current + DESCRIPTION + "A collection of objects providing remote configuration + of management targets for applications which generate + SNMP messages for which a response message would be + expected." 
+ ::= { snmpTargetGroups 2 } + +snmpTargetCommandResponderGroup OBJECT-GROUP + + OBJECTS { + snmpUnavailableContexts, + snmpUnknownContexts + } + STATUS current + DESCRIPTION + "A collection of objects required for command responder + applications, used for counting error conditions." + ::= { snmpTargetGroups 3 } + +END diff --git a/mibs/SNMP-USER-BASED-SM-MIB.txt b/mibs/SNMP-USER-BASED-SM-MIB.txt new file mode 100644 index 000000000..3b714030c --- /dev/null +++ b/mibs/SNMP-USER-BASED-SM-MIB.txt 
@@ -0,0 +1,912 @@ +SNMP-USER-BASED-SM-MIB DEFINITIONS ::= BEGIN + +IMPORTS + MODULE-IDENTITY, OBJECT-TYPE, + OBJECT-IDENTITY, + snmpModules, Counter32 FROM SNMPv2-SMI + TEXTUAL-CONVENTION, TestAndIncr, + RowStatus, RowPointer, + StorageType, AutonomousType FROM SNMPv2-TC + MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF + SnmpAdminString, SnmpEngineID, + snmpAuthProtocols, snmpPrivProtocols FROM SNMP-FRAMEWORK-MIB; + +snmpUsmMIB MODULE-IDENTITY + LAST-UPDATED "200210160000Z" -- 16 Oct 2002, midnight + ORGANIZATION "SNMPv3 Working Group" + CONTACT-INFO "WG-email: snmpv3@lists.tislabs.com + Subscribe: majordomo@lists.tislabs.com + In msg body: subscribe snmpv3 + + Chair: Russ Mundy + Network Associates Laboratories + postal: 15204 Omega Drive, Suite 300 + Rockville, MD 20850-4601 + USA + email: mundy@tislabs.com + + phone: +1 301-947-7107 + + Co-Chair: David Harrington + Enterasys Networks + Postal: 35 Industrial Way + P. O. Box 5004 + Rochester, New Hampshire 03866-5005 + USA + EMail: dbh@enterasys.com + Phone: +1 603-337-2614 + + Co-editor Uri Blumenthal + Lucent Technologies + postal: 67 Whippany Rd. + Whippany, NJ 07981 + USA + email: uri@lucent.com + phone: +1-973-386-2163 + + Co-editor: Bert Wijnen + Lucent Technologies + postal: Schagen 33 + 3461 GL Linschoten + Netherlands + email: bwijnen@lucent.com + phone: +31-348-480-685 + " + DESCRIPTION "The management information definitions for the + SNMP User-based Security Model. + + Copyright (C) The Internet Society (2002). This + version of this MIB module is part of RFC 3414; + see the RFC itself for full legal notices. + " +-- Revision history + + REVISION "200210160000Z" -- 16 Oct 2002, midnight + DESCRIPTION "Changes in this revision: + - Updated references and contact info. + - Clarification to usmUserCloneFrom DESCRIPTION + clause + - Fixed 'command responder' into 'command generator' + in last para of DESCRIPTION clause of + usmUserTable. + This revision published as RFC3414. 
+ " + REVISION "199901200000Z" -- 20 Jan 1999, midnight + DESCRIPTION "Clarifications, published as RFC2574" + + REVISION "199711200000Z" -- 20 Nov 1997, midnight + DESCRIPTION "Initial version, published as RFC2274" + ::= { snmpModules 15 } + +-- Administrative assignments **************************************** + +usmMIBObjects OBJECT IDENTIFIER ::= { snmpUsmMIB 1 } +usmMIBConformance OBJECT IDENTIFIER ::= { snmpUsmMIB 2 } + +-- Identification of Authentication and Privacy Protocols ************ + +usmNoAuthProtocol OBJECT-IDENTITY + STATUS current + DESCRIPTION "No Authentication Protocol." + ::= { snmpAuthProtocols 1 } + +usmHMACMD5AuthProtocol OBJECT-IDENTITY + STATUS current + DESCRIPTION "The HMAC-MD5-96 Digest Authentication Protocol." + REFERENCE "- H. Krawczyk, M. Bellare, R. Canetti HMAC: + Keyed-Hashing for Message Authentication, + RFC2104, Feb 1997. + - Rivest, R., Message Digest Algorithm MD5, RFC1321. + " + ::= { snmpAuthProtocols 2 } + +usmHMACSHAAuthProtocol OBJECT-IDENTITY + STATUS current + DESCRIPTION "The HMAC-SHA-96 Digest Authentication Protocol." + REFERENCE "- H. Krawczyk, M. Bellare, R. Canetti, HMAC: + Keyed-Hashing for Message Authentication, + RFC2104, Feb 1997. + - Secure Hash Algorithm. NIST FIPS 180-1. + " + ::= { snmpAuthProtocols 3 } + +usmNoPrivProtocol OBJECT-IDENTITY + STATUS current + DESCRIPTION "No Privacy Protocol." + ::= { snmpPrivProtocols 1 } + +usmDESPrivProtocol OBJECT-IDENTITY + STATUS current + DESCRIPTION "The CBC-DES Symmetric Encryption Protocol." + REFERENCE "- Data Encryption Standard, National Institute of + Standards and Technology. Federal Information + Processing Standard (FIPS) Publication 46-1. + + Supersedes FIPS Publication 46, + (January, 1977; reaffirmed January, 1988). + + - Data Encryption Algorithm, American National + Standards Institute. ANSI X3.92-1981, + (December, 1980). + + - DES Modes of Operation, National Institute of + Standards and Technology. 
Federal Information + Processing Standard (FIPS) Publication 81, + (December, 1980). + + - Data Encryption Algorithm - Modes of Operation, + American National Standards Institute. + ANSI X3.106-1983, (May 1983). + " + ::= { snmpPrivProtocols 2 } + +-- Textual Conventions *********************************************** + +KeyChange ::= TEXTUAL-CONVENTION + STATUS current + DESCRIPTION + "Every definition of an object with this syntax must identify + a protocol P, a secret key K, and a hash algorithm H + that produces output of L octets. + + The object's value is a manager-generated, partially-random + value which, when modified, causes the value of the secret + key K, to be modified via a one-way function. + + The value of an instance of this object is the concatenation + of two components: first a 'random' component and then a + 'delta' component. + + The lengths of the random and delta components + are given by the corresponding value of the protocol P; + if P requires K to be a fixed length, the length of both the + random and delta components is that fixed length; if P + allows the length of K to be variable up to a particular + maximum length, the length of the random component is that + maximum length and the length of the delta component is any + length less than or equal to that maximum length. + For example, usmHMACMD5AuthProtocol requires K to be a fixed + length of 16 octets and L - of 16 octets. + usmHMACSHAAuthProtocol requires K to be a fixed length of + 20 octets and L - of 20 octets. Other protocols may define + other sizes, as deemed appropriate. 
+ + When a requester wants to change the old key K to a new + key keyNew on a remote entity, the 'random' component is + obtained from either a true random generator, or from a + pseudorandom generator, and the 'delta' component is + computed as follows: + + - a temporary variable is initialized to the existing value + of K; + - if the length of the keyNew is greater than L octets, + then: + - the random component is appended to the value of the + temporary variable, and the result is input to the + the hash algorithm H to produce a digest value, and + the temporary variable is set to this digest value; + - the value of the temporary variable is XOR-ed with + the first (next) L-octets (16 octets in case of MD5) + of the keyNew to produce the first (next) L-octets + (16 octets in case of MD5) of the 'delta' component. + - the above two steps are repeated until the unused + portion of the keyNew component is L octets or less, + - the random component is appended to the value of the + temporary variable, and the result is input to the + hash algorithm H to produce a digest value; + - this digest value, truncated if necessary to be the same + length as the unused portion of the keyNew, is XOR-ed + with the unused portion of the keyNew to produce the + (final portion of the) 'delta' component. + + For example, using MD5 as the hash algorithm H: + + iterations = (lenOfDelta - 1)/16; /* integer division */ + temp = keyOld; + for (i = 0; i < iterations; i++) { + temp = MD5 (temp || random); + delta[i*16 .. (i*16)+15] = + temp XOR keyNew[i*16 .. (i*16)+15]; + } + temp = MD5 (temp || random); + delta[i*16 .. lenOfDelta-1] = + temp XOR keyNew[i*16 .. lenOfDelta-1]; + + The 'random' and 'delta' components are then concatenated as + described above, and the resulting octet string is sent to + the recipient as the new value of an instance of this object. 
+ + At the receiver side, when an instance of this object is set + to a new value, then a new value of K is computed as follows: + + - a temporary variable is initialized to the existing value + of K; + - if the length of the delta component is greater than L + octets, then: + - the random component is appended to the value of the + temporary variable, and the result is input to the + hash algorithm H to produce a digest value, and the + temporary variable is set to this digest value; + - the value of the temporary variable is XOR-ed with + the first (next) L-octets (16 octets in case of MD5) + of the delta component to produce the first (next) + L-octets (16 octets in case of MD5) of the new value + of K. + - the above two steps are repeated until the unused + portion of the delta component is L octets or less, + - the random component is appended to the value of the + temporary variable, and the result is input to the + hash algorithm H to produce a digest value; + - this digest value, truncated if necessary to be the same + length as the unused portion of the delta component, is + XOR-ed with the unused portion of the delta component to + produce the (final portion of the) new value of K. + + For example, using MD5 as the hash algorithm H: + + iterations = (lenOfDelta - 1)/16; /* integer division */ + temp = keyOld; + for (i = 0; i < iterations; i++) { + temp = MD5 (temp || random); + keyNew[i*16 .. (i*16)+15] = + temp XOR delta[i*16 .. (i*16)+15]; + } + temp = MD5 (temp || random); + keyNew[i*16 .. lenOfDelta-1] = + temp XOR delta[i*16 .. lenOfDelta-1]; + + The value of an object with this syntax, whenever it is + retrieved by the management protocol, is always the zero + length string. + + Note that the keyOld and keyNew are the localized keys. + + Note that it is probably wise that when an SNMP entity sends + a SetRequest to change a key, that it keeps a copy of the old + key until it has confirmed that the key change actually + succeeded. 
+ " + SYNTAX OCTET STRING + +-- Statistics for the User-based Security Model ********************** + +usmStats OBJECT IDENTIFIER ::= { usmMIBObjects 1 } + +usmStatsUnsupportedSecLevels OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "The total number of packets received by the SNMP + engine which were dropped because they requested a + securityLevel that was unknown to the SNMP engine + or otherwise unavailable. + " + ::= { usmStats 1 } + +usmStatsNotInTimeWindows OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "The total number of packets received by the SNMP + engine which were dropped because they appeared + outside of the authoritative SNMP engine's window. + " + ::= { usmStats 2 } + +usmStatsUnknownUserNames OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "The total number of packets received by the SNMP + engine which were dropped because they referenced a + user that was not known to the SNMP engine. + " + ::= { usmStats 3 } + +usmStatsUnknownEngineIDs OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "The total number of packets received by the SNMP + engine which were dropped because they referenced an + snmpEngineID that was not known to the SNMP engine. + " + ::= { usmStats 4 } + +usmStatsWrongDigests OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "The total number of packets received by the SNMP + engine which were dropped because they didn't + contain the expected digest value. + " + ::= { usmStats 5 } + +usmStatsDecryptionErrors OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION "The total number of packets received by the SNMP + engine which were dropped because they could not be + decrypted. 
+ " + ::= { usmStats 6 } + +-- The usmUser Group ************************************************ + +usmUser OBJECT IDENTIFIER ::= { usmMIBObjects 2 } + +usmUserSpinLock OBJECT-TYPE + SYNTAX TestAndIncr + MAX-ACCESS read-write + STATUS current + DESCRIPTION "An advisory lock used to allow several cooperating + Command Generator Applications to coordinate their + use of facilities to alter secrets in the + usmUserTable. + " + ::= { usmUser 1 } + +-- The table of valid users for the User-based Security Model ******** + +usmUserTable OBJECT-TYPE + SYNTAX SEQUENCE OF UsmUserEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "The table of users configured in the SNMP engine's + Local Configuration Datastore (LCD). + + To create a new user (i.e., to instantiate a new + conceptual row in this table), it is recommended to + follow this procedure: + + 1) GET(usmUserSpinLock.0) and save in sValue. + + 2) SET(usmUserSpinLock.0=sValue, + usmUserCloneFrom=templateUser, + usmUserStatus=createAndWait) + You should use a template user to clone from + which has the proper auth/priv protocol defined. + + If the new user is to use privacy: + + 3) generate the keyChange value based on the secret + privKey of the clone-from user and the secret key + to be used for the new user. Let us call this + pkcValue. + 4) GET(usmUserSpinLock.0) and save in sValue. + 5) SET(usmUserSpinLock.0=sValue, + usmUserPrivKeyChange=pkcValue + usmUserPublic=randomValue1) + 6) GET(usmUserPulic) and check it has randomValue1. + If not, repeat steps 4-6. + + If the new user will never use privacy: + + 7) SET(usmUserPrivProtocol=usmNoPrivProtocol) + + If the new user is to use authentication: + + 8) generate the keyChange value based on the secret + authKey of the clone-from user and the secret key + to be used for the new user. Let us call this + akcValue. + 9) GET(usmUserSpinLock.0) and save in sValue. 
+ 10) SET(usmUserSpinLock.0=sValue, + usmUserAuthKeyChange=akcValue + usmUserPublic=randomValue2) + 11) GET(usmUserPulic) and check it has randomValue2. + If not, repeat steps 9-11. + + If the new user will never use authentication: + + 12) SET(usmUserAuthProtocol=usmNoAuthProtocol) + + Finally, activate the new user: + + 13) SET(usmUserStatus=active) + + The new user should now be available and ready to be + used for SNMPv3 communication. Note however that access + to MIB data must be provided via configuration of the + SNMP-VIEW-BASED-ACM-MIB. + + The use of usmUserSpinlock is to avoid conflicts with + another SNMP command generator application which may + also be acting on the usmUserTable. + " + ::= { usmUser 2 } + +usmUserEntry OBJECT-TYPE + SYNTAX UsmUserEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "A user configured in the SNMP engine's Local + Configuration Datastore (LCD) for the User-based + Security Model. + " + INDEX { usmUserEngineID, + usmUserName + } + ::= { usmUserTable 1 } + +UsmUserEntry ::= SEQUENCE + { + usmUserEngineID SnmpEngineID, + usmUserName SnmpAdminString, + usmUserSecurityName SnmpAdminString, + usmUserCloneFrom RowPointer, + usmUserAuthProtocol AutonomousType, + usmUserAuthKeyChange KeyChange, + usmUserOwnAuthKeyChange KeyChange, + usmUserPrivProtocol AutonomousType, + usmUserPrivKeyChange KeyChange, + usmUserOwnPrivKeyChange KeyChange, + usmUserPublic OCTET STRING, + usmUserStorageType StorageType, + usmUserStatus RowStatus + } + +usmUserEngineID OBJECT-TYPE + SYNTAX SnmpEngineID + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "An SNMP engine's administratively-unique identifier. + + In a simple agent, this value is always that agent's + own snmpEngineID value. + + The value can also take the value of the snmpEngineID + of a remote SNMP engine with which this user can + communicate. 
+ " + ::= { usmUserEntry 1 } + +usmUserName OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE(1..32)) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "A human readable string representing the name of + the user. + + This is the (User-based Security) Model dependent + security ID. + " + ::= { usmUserEntry 2 } + +usmUserSecurityName OBJECT-TYPE + SYNTAX SnmpAdminString + MAX-ACCESS read-only + STATUS current + DESCRIPTION "A human readable string representing the user in + Security Model independent format. + + The default transformation of the User-based Security + Model dependent security ID to the securityName and + vice versa is the identity function so that the + securityName is the same as the userName. + " + ::= { usmUserEntry 3 } + +usmUserCloneFrom OBJECT-TYPE + SYNTAX RowPointer + MAX-ACCESS read-create + STATUS current + DESCRIPTION "A pointer to another conceptual row in this + usmUserTable. The user in this other conceptual + row is called the clone-from user. + + When a new user is created (i.e., a new conceptual + row is instantiated in this table), the privacy and + authentication parameters of the new user must be + cloned from its clone-from user. These parameters are: + - authentication protocol (usmUserAuthProtocol) + - privacy protocol (usmUserPrivProtocol) + They will be copied regardless of what the current + value is. + + Cloning also causes the initial values of the secret + authentication key (authKey) and the secret encryption + + key (privKey) of the new user to be set to the same + values as the corresponding secrets of the clone-from + user to allow the KeyChange process to occur as + required during user creation. + + The first time an instance of this object is set by + a management operation (either at or after its + instantiation), the cloning process is invoked. + Subsequent writes are successful but invoke no + action to be taken by the receiver. 
+ The cloning process fails with an 'inconsistentName' + error if the conceptual row representing the + clone-from user does not exist or is not in an active + state when the cloning process is invoked. + + When this object is read, the ZeroDotZero OID + is returned. + " + ::= { usmUserEntry 4 } + +usmUserAuthProtocol OBJECT-TYPE + SYNTAX AutonomousType + MAX-ACCESS read-create + STATUS current + DESCRIPTION "An indication of whether messages sent on behalf of + this user to/from the SNMP engine identified by + usmUserEngineID, can be authenticated, and if so, + the type of authentication protocol which is used. + + An instance of this object is created concurrently + with the creation of any other object instance for + the same user (i.e., as part of the processing of + the set operation which creates the first object + instance in the same conceptual row). + + If an initial set operation (i.e. at row creation time) + tries to set a value for an unknown or unsupported + protocol, then a 'wrongValue' error must be returned. + + The value will be overwritten/set when a set operation + is performed on the corresponding instance of + usmUserCloneFrom. + + Once instantiated, the value of such an instance of + this object can only be changed via a set operation to + the value of the usmNoAuthProtocol. + + If a set operation tries to change the value of an + + existing instance of this object to any value other + than usmNoAuthProtocol, then an 'inconsistentValue' + error must be returned. + + If a set operation tries to set the value to the + usmNoAuthProtocol while the usmUserPrivProtocol value + in the same row is not equal to usmNoPrivProtocol, + then an 'inconsistentValue' error must be returned. + That means that an SNMP command generator application + must first ensure that the usmUserPrivProtocol is set + to the usmNoPrivProtocol value before it can set + the usmUserAuthProtocol value to usmNoAuthProtocol. 
+ " + DEFVAL { usmNoAuthProtocol } + ::= { usmUserEntry 5 } + +usmUserAuthKeyChange OBJECT-TYPE + SYNTAX KeyChange -- typically (SIZE (0 | 32)) for HMACMD5 + -- typically (SIZE (0 | 40)) for HMACSHA + MAX-ACCESS read-create + STATUS current + DESCRIPTION "An object, which when modified, causes the secret + authentication key used for messages sent on behalf + of this user to/from the SNMP engine identified by + usmUserEngineID, to be modified via a one-way + function. + + The associated protocol is the usmUserAuthProtocol. + The associated secret key is the user's secret + authentication key (authKey). The associated hash + algorithm is the algorithm used by the user's + usmUserAuthProtocol. + + When creating a new user, it is an 'inconsistentName' + error for a set operation to refer to this object + unless it is previously or concurrently initialized + through a set operation on the corresponding instance + of usmUserCloneFrom. + + When the value of the corresponding usmUserAuthProtocol + is usmNoAuthProtocol, then a set is successful, but + effectively is a no-op. + + When this object is read, the zero-length (empty) + string is returned. + + The recommended way to do a key change is as follows: + + 1) GET(usmUserSpinLock.0) and save in sValue. + 2) generate the keyChange value based on the old + (existing) secret key and the new secret key, + let us call this kcValue. + + If you do the key change on behalf of another user: + + 3) SET(usmUserSpinLock.0=sValue, + usmUserAuthKeyChange=kcValue + usmUserPublic=randomValue) + + If you do the key change for yourself: + + 4) SET(usmUserSpinLock.0=sValue, + usmUserOwnAuthKeyChange=kcValue + usmUserPublic=randomValue) + + If you get a response with error-status of noError, + then the SET succeeded and the new key is active. + If you do not get a response, then you can issue a + GET(usmUserPublic) and check if the value is equal + to the randomValue you did send in the SET. 
If so, then + the key change succeeded and the new key is active + (probably the response got lost). If not, then the SET + request probably never reached the target and so you + can start over with the procedure above. + " + DEFVAL { ''H } -- the empty string + ::= { usmUserEntry 6 } + +usmUserOwnAuthKeyChange OBJECT-TYPE + SYNTAX KeyChange -- typically (SIZE (0 | 32)) for HMACMD5 + -- typically (SIZE (0 | 40)) for HMACSHA + MAX-ACCESS read-create + STATUS current + DESCRIPTION "Behaves exactly as usmUserAuthKeyChange, with one + notable difference: in order for the set operation + to succeed, the usmUserName of the operation + requester must match the usmUserName that + indexes the row which is targeted by this + operation. + In addition, the USM security model must be + used for this operation. + + The idea here is that access to this column can be + public, since it will only allow a user to change + his own secret authentication key (authKey). + Note that this can only be done once the row is active. + + When a set is received and the usmUserName of the + requester is not the same as the umsUserName that + indexes the row which is targeted by this operation, + then a 'noAccess' error must be returned. + + When a set is received and the security model in use + is not USM, then a 'noAccess' error must be returned. + " + DEFVAL { ''H } -- the empty string + ::= { usmUserEntry 7 } + +usmUserPrivProtocol OBJECT-TYPE + SYNTAX AutonomousType + MAX-ACCESS read-create + STATUS current + DESCRIPTION "An indication of whether messages sent on behalf of + this user to/from the SNMP engine identified by + usmUserEngineID, can be protected from disclosure, + and if so, the type of privacy protocol which is used. + + An instance of this object is created concurrently + with the creation of any other object instance for + the same user (i.e., as part of the processing of + the set operation which creates the first object + instance in the same conceptual row). 
+ + If an initial set operation (i.e. at row creation time) + tries to set a value for an unknown or unsupported + protocol, then a 'wrongValue' error must be returned. + + The value will be overwritten/set when a set operation + is performed on the corresponding instance of + usmUserCloneFrom. + + Once instantiated, the value of such an instance of + this object can only be changed via a set operation to + the value of the usmNoPrivProtocol. + + If a set operation tries to change the value of an + existing instance of this object to any value other + than usmNoPrivProtocol, then an 'inconsistentValue' + error must be returned. + + Note that if any privacy protocol is used, then you + must also use an authentication protocol. In other + words, if usmUserPrivProtocol is set to anything else + than usmNoPrivProtocol, then the corresponding instance + of usmUserAuthProtocol cannot have a value of + + usmNoAuthProtocol. If it does, then an + 'inconsistentValue' error must be returned. + " + DEFVAL { usmNoPrivProtocol } + ::= { usmUserEntry 8 } + +usmUserPrivKeyChange OBJECT-TYPE + SYNTAX KeyChange -- typically (SIZE (0 | 32)) for DES + MAX-ACCESS read-create + STATUS current + DESCRIPTION "An object, which when modified, causes the secret + encryption key used for messages sent on behalf + of this user to/from the SNMP engine identified by + usmUserEngineID, to be modified via a one-way + function. + + The associated protocol is the usmUserPrivProtocol. + The associated secret key is the user's secret + privacy key (privKey). The associated hash + algorithm is the algorithm used by the user's + usmUserAuthProtocol. + + When creating a new user, it is an 'inconsistentName' + error for a set operation to refer to this object + unless it is previously or concurrently initialized + through a set operation on the corresponding instance + of usmUserCloneFrom. 
+ + When the value of the corresponding usmUserPrivProtocol + is usmNoPrivProtocol, then a set is successful, but + effectively is a no-op. + + When this object is read, the zero-length (empty) + string is returned. + See the description clause of usmUserAuthKeyChange for + a recommended procedure to do a key change. + " + DEFVAL { ''H } -- the empty string + ::= { usmUserEntry 9 } + +usmUserOwnPrivKeyChange OBJECT-TYPE + SYNTAX KeyChange -- typically (SIZE (0 | 32)) for DES + MAX-ACCESS read-create + STATUS current + DESCRIPTION "Behaves exactly as usmUserPrivKeyChange, with one + notable difference: in order for the Set operation + to succeed, the usmUserName of the operation + requester must match the usmUserName that indexes + + the row which is targeted by this operation. + In addition, the USM security model must be + used for this operation. + + The idea here is that access to this column can be + public, since it will only allow a user to change + his own secret privacy key (privKey). + Note that this can only be done once the row is active. + + When a set is received and the usmUserName of the + requester is not the same as the umsUserName that + indexes the row which is targeted by this operation, + then a 'noAccess' error must be returned. + + When a set is received and the security model in use + is not USM, then a 'noAccess' error must be returned. + " + DEFVAL { ''H } -- the empty string + ::= { usmUserEntry 10 } + +usmUserPublic OBJECT-TYPE + SYNTAX OCTET STRING (SIZE(0..32)) + MAX-ACCESS read-create + STATUS current + DESCRIPTION "A publicly-readable value which can be written as part + of the procedure for changing a user's secret + authentication and/or privacy key, and later read to + determine whether the change of the secret was + effected. 
+ " + DEFVAL { ''H } -- the empty string + ::= { usmUserEntry 11 } + +usmUserStorageType OBJECT-TYPE + SYNTAX StorageType + MAX-ACCESS read-create + STATUS current + DESCRIPTION "The storage type for this conceptual row. + + Conceptual rows having the value 'permanent' must + allow write-access at a minimum to: + + - usmUserAuthKeyChange, usmUserOwnAuthKeyChange + and usmUserPublic for a user who employs + authentication, and + - usmUserPrivKeyChange, usmUserOwnPrivKeyChange + and usmUserPublic for a user who employs + privacy. + + Note that any user who employs authentication or + privacy must allow its secret(s) to be updated and + thus cannot be 'readOnly'. + + If an initial set operation tries to set the value to + 'readOnly' for a user who employs authentication or + privacy, then an 'inconsistentValue' error must be + returned. Note that if the value has been previously + set (implicit or explicit) to any value, then the rules + as defined in the StorageType Textual Convention apply. + + It is an implementation issue to decide if a SET for + a readOnly or permanent row is accepted at all. In some + contexts this may make sense, in others it may not. If + a SET for a readOnly or permanent row is not accepted + at all, then a 'wrongValue' error must be returned. + " + DEFVAL { nonVolatile } + ::= { usmUserEntry 12 } + +usmUserStatus OBJECT-TYPE + SYNTAX RowStatus + MAX-ACCESS read-create + STATUS current + DESCRIPTION "The status of this conceptual row. + + Until instances of all corresponding columns are + appropriately configured, the value of the + corresponding instance of the usmUserStatus column + is 'notReady'. + + In particular, a newly created row for a user who + employs authentication, cannot be made active until the + corresponding usmUserCloneFrom and usmUserAuthKeyChange + have been set. + + Further, a newly created row for a user who also + employs privacy, cannot be made active until the + usmUserPrivKeyChange has been set. 
+ + The RowStatus TC [RFC2579] requires that this + DESCRIPTION clause states under which circumstances + other objects in this row can be modified: + + The value of this object has no effect on whether + other objects in this conceptual row can be modified, + except for usmUserOwnAuthKeyChange and + usmUserOwnPrivKeyChange. For these 2 objects, the + + value of usmUserStatus MUST be active. + " + ::= { usmUserEntry 13 } + +-- Conformance Information ******************************************* + +usmMIBCompliances OBJECT IDENTIFIER ::= { usmMIBConformance 1 } +usmMIBGroups OBJECT IDENTIFIER ::= { usmMIBConformance 2 } + +-- Compliance statements + +usmMIBCompliance MODULE-COMPLIANCE + STATUS current + DESCRIPTION "The compliance statement for SNMP engines which + implement the SNMP-USER-BASED-SM-MIB. + " + + MODULE -- this module + MANDATORY-GROUPS { usmMIBBasicGroup } + + OBJECT usmUserAuthProtocol + MIN-ACCESS read-only + DESCRIPTION "Write access is not required." + + OBJECT usmUserPrivProtocol + MIN-ACCESS read-only + DESCRIPTION "Write access is not required." + ::= { usmMIBCompliances 1 } + +-- Units of compliance +usmMIBBasicGroup OBJECT-GROUP + OBJECTS { + usmStatsUnsupportedSecLevels, + usmStatsNotInTimeWindows, + usmStatsUnknownUserNames, + usmStatsUnknownEngineIDs, + usmStatsWrongDigests, + usmStatsDecryptionErrors, + usmUserSpinLock, + usmUserSecurityName, + usmUserCloneFrom, + usmUserAuthProtocol, + usmUserAuthKeyChange, + usmUserOwnAuthKeyChange, + usmUserPrivProtocol, + usmUserPrivKeyChange, + usmUserOwnPrivKeyChange, + usmUserPublic, + usmUserStorageType, + usmUserStatus + } + STATUS current + DESCRIPTION "A collection of objects providing for configuration + of an SNMP engine which implements the SNMP + User-based Security Model. + " + ::= { usmMIBGroups 1 } + +END diff --git a/mibs/SNMP-USM-AES-MIB.txt b/mibs/SNMP-USM-AES-MIB.txt new file mode 100644 index 000000000..4c1730219 --- /dev/null +++ b/mibs/SNMP-USM-AES-MIB.txt 
@@ -0,0 +1,62 @@ +SNMP-USM-AES-MIB DEFINITIONS ::= BEGIN + IMPORTS + MODULE-IDENTITY, OBJECT-IDENTITY, + snmpModules FROM SNMPv2-SMI -- [RFC2578] + snmpPrivProtocols FROM SNMP-FRAMEWORK-MIB; -- [RFC3411] + +snmpUsmAesMIB MODULE-IDENTITY + LAST-UPDATED "200406140000Z" + ORGANIZATION "IETF" + CONTACT-INFO "Uri Blumenthal + Lucent Technologies / Bell Labs + 67 Whippany Rd. + 14D-318 + Whippany, NJ 07981, USA + 973-386-2163 + uri@bell-labs.com + + Fabio Maino + Andiamo Systems, Inc. + 375 East Tasman Drive + San Jose, CA 95134, USA + 408-853-7530 + fmaino@andiamo.com + + Keith McCloghrie + Cisco Systems, Inc. + 170 West Tasman Drive + San Jose, CA 95134-1706, USA + + 408-526-5260 + kzm@cisco.com" + DESCRIPTION "Definitions of Object Identities needed for + the use of AES by SNMP's User-based Security + Model. + + Copyright (C) The Internet Society (2004). + + This version of this MIB module is part of RFC 3826; + see the RFC itself for full legal notices. + Supplementary information may be available on + http://www.ietf.org/copyrights/ianamib.html." + + REVISION "200406140000Z" + DESCRIPTION "Initial version, published as RFC3826" + ::= { snmpModules 20 } + +usmAesCfb128Protocol OBJECT-IDENTITY + STATUS current + DESCRIPTION "The CFB128-AES-128 Privacy Protocol." + REFERENCE "- Specification for the ADVANCED ENCRYPTION + STANDARD. Federal Information Processing + Standard (FIPS) Publication 197. + (November 2001). + + - Dworkin, M., NIST Recommendation for Block + Cipher Modes of Operation, Methods and + Techniques. NIST Special Publication 800-38A + (December 2001). + " + ::= { snmpPrivProtocols 4 } + +END diff --git a/mibs/SNMP-USM-DH-OBJECTS-MIB.txt b/mibs/SNMP-USM-DH-OBJECTS-MIB.txt new file mode 100644 index 000000000..7377425c0 --- /dev/null +++ b/mibs/SNMP-USM-DH-OBJECTS-MIB.txt 
@@ -0,0 +1,532 @@ +SNMP-USM-DH-OBJECTS-MIB DEFINITIONS ::= BEGIN + +IMPORTS + MODULE-IDENTITY, OBJECT-TYPE, + -- OBJECT-IDENTITY, + experimental, Integer32 + FROM SNMPv2-SMI + TEXTUAL-CONVENTION + FROM SNMPv2-TC + MODULE-COMPLIANCE, OBJECT-GROUP + FROM SNMPv2-CONF + usmUserEntry + FROM SNMP-USER-BASED-SM-MIB + SnmpAdminString + FROM SNMP-FRAMEWORK-MIB; + +snmpUsmDHObjectsMIB MODULE-IDENTITY + LAST-UPDATED "200003060000Z" -- 6 March 2000, Midnight + ORGANIZATION "Excite@Home" + CONTACT-INFO "Author: Mike StJohns + Postal: Excite@Home + 450 Broadway + Redwood City, CA 94063 + Email: stjohns@corp.home.net + Phone: +1-650-556-5368" + DESCRIPTION + "The management information definitions for providing forward + secrecy for key changes for the usmUserTable, and for providing a + method for 'kickstarting' access to the agent via a Diffie-Helman + key agreement." + + REVISION "200003060000Z" + DESCRIPTION + "Initial version published as RFC 2786." + ::= { experimental 101 } -- IANA DHKEY-CHANGE 101 + +-- Administrative assignments + +usmDHKeyObjects OBJECT IDENTIFIER ::= { snmpUsmDHObjectsMIB 1 } +usmDHKeyConformance OBJECT IDENTIFIER ::= { snmpUsmDHObjectsMIB 2 } + +-- Textual conventions + +DHKeyChange ::= TEXTUAL-CONVENTION + STATUS current + DESCRIPTION + "Upon initialization, or upon creation of a row containing an + object of this type, and after any successful SET of this value, a + GET of this value returns 'y' where y = g^xa MOD p, and where g is + the base from usmDHParameters, p is the prime from + usmDHParameters, and xa is a new random integer selected by the + agent in the interval 2^(l-1) <= xa < 2^l < p-1. 'l' is the + optional privateValueLength from usmDHParameters in bits. If 'l' + is omitted, then xa (and xr below) is selected in the interval 0 + <= xa < p-1. y is expressed as an OCTET STRING 'PV' of length 'k' + which satisfies + + k + y = SUM 2^(8(k-i)) PV'i + i=1 + + where PV1,...,PVk are the octets of PV from first to last, and + where PV1 <> 0. 
+ + A successful SET consists of the value 'y' expressed as an OCTET + STRING as above concatenated with the value 'z'(expressed as an + OCTET STRING in the same manner as y) where z = g^xr MOD p, where + g, p and l are as above, and where xr is a new random integer + selected by the manager in the interval 2^(l-1) <= xr < 2^l < + p-1. A SET to an object of this type will fail with the error + wrongValue if the current 'y' does not match the 'y' portion of + the value of the varbind for the object. (E.g. GET yout, SET + concat(yin, z), yout <> yin). + + Note that the private values xa and xr are never transmitted from + manager to device or vice versa, only the values y and z. + Obviously, these values must be retained until a successful SET on + the associated object. + + The shared secret 'sk' is calculated at the agent as sk = z^xa MOD + p, and at the manager as sk = y^xr MOD p. + + Each object definition of this type MUST describe how to map from + the shared secret 'sk' to the operational key value used by the + protocols and operations related to the object. In general, if n + bits of key are required, the author suggests using the n + right-most bits of the shared secret as the operational key value." + REFERENCE + "-- Diffie-Hellman Key-Agreement Standard, PKCS #3; + RSA Laboratories, November 1993" + SYNTAX OCTET STRING + +-- Diffie Hellman public values + +usmDHPublicObjects OBJECT IDENTIFIER ::= { usmDHKeyObjects 1 } + +usmDHParameters OBJECT-TYPE + SYNTAX OCTET STRING + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The public Diffie-Hellman parameters for doing a Diffie-Hellman + key agreement for this device. This is encoded as an ASN.1 + DHParameter per PKCS #3, section 9. E.g. 
+ + DHParameter ::= SEQUENCE { + prime INTEGER, -- p + base INTEGER, -- g + privateValueLength INTEGER OPTIONAL } + + Implementors are encouraged to use either the values from + Oakley Group 1 or the values of from Oakley Group 2 as specified + in RFC-2409, The Internet Key Exchange, Section 6.1, 6.2 as the + default for this object. Other values may be used, but the + security properties of those values MUST be well understood and + MUST meet the requirements of PKCS #3 for the selection of + Diffie-Hellman primes. + + In addition, any time usmDHParameters changes, all values of + type DHKeyChange will change and new random numbers MUST be + generated by the agent for each DHKeyChange object." + REFERENCE + "-- Diffie-Hellman Key-Agreement Standard, PKCS #3, + RSA Laboratories, November 1993 + -- The Internet Key Exchange, RFC 2409, November 1998, + Sec 6.1, 6.2" + ::= { usmDHPublicObjects 1 } + +usmDHUserKeyTable OBJECT-TYPE + SYNTAX SEQUENCE OF UsmDHUserKeyEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "This table augments and extends the usmUserTable and provides + 4 objects which exactly mirror the objects in that table with the + textual convention of 'KeyChange'. This extension allows key + changes to be done in a manner where the knowledge of the current + secret plus knowledge of the key change data exchanges (e.g. via + wiretapping) will not reveal the new key." + ::= { usmDHPublicObjects 2 } + +usmDHUserKeyEntry OBJECT-TYPE + SYNTAX UsmDHUserKeyEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A row of DHKeyChange objects which augment or replace the + functionality of the KeyChange objects in the base table row." 
+ AUGMENTS { usmUserEntry } + ::= {usmDHUserKeyTable 1 } + +UsmDHUserKeyEntry ::= SEQUENCE { + usmDHUserAuthKeyChange DHKeyChange, + usmDHUserOwnAuthKeyChange DHKeyChange, + usmDHUserPrivKeyChange DHKeyChange, + usmDHUserOwnPrivKeyChange DHKeyChange + } + +usmDHUserAuthKeyChange OBJECT-TYPE + SYNTAX DHKeyChange + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The object used to change any given user's Authentication Key + using a Diffie-Hellman key exchange. + + The right-most n bits of the shared secret 'sk', where 'n' is the + number of bits required for the protocol defined by + usmUserAuthProtocol, are installed as the operational + authentication key for this row after a successful SET." + ::= { usmDHUserKeyEntry 1 } + +usmDHUserOwnAuthKeyChange OBJECT-TYPE + SYNTAX DHKeyChange + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The object used to change the agents own Authentication Key + using a Diffie-Hellman key exchange. + + The right-most n bits of the shared secret 'sk', where 'n' is the + number of bits required for the protocol defined by + usmUserAuthProtocol, are installed as the operational + authentication key for this row after a successful SET." + ::= { usmDHUserKeyEntry 2 } + +usmDHUserPrivKeyChange OBJECT-TYPE + SYNTAX DHKeyChange + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The object used to change any given user's Privacy Key using + a Diffie-Hellman key exchange. + + The right-most n bits of the shared secret 'sk', where 'n' is the + number of bits required for the protocol defined by + usmUserPrivProtocol, are installed as the operational privacy key + for this row after a successful SET." + ::= { usmDHUserKeyEntry 3 } + +usmDHUserOwnPrivKeyChange OBJECT-TYPE + SYNTAX DHKeyChange + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The object used to change the agent's own Privacy Key using a + Diffie-Hellman key exchange. 
+ + The right-most n bits of the shared secret 'sk', where 'n' is the + number of bits required for the protocol defined by + usmUserPrivProtocol, are installed as the operational privacy key + for this row after a successful SET." + ::= { usmDHUserKeyEntry 4 } + +usmDHKickstartGroup OBJECT IDENTIFIER ::= { usmDHKeyObjects 2 } + +usmDHKickstartTable OBJECT-TYPE + SYNTAX SEQUENCE OF UsmDHKickstartEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A table of mappings between zero or more Diffie-Helman key + agreement values and entries in the usmUserTable. Entries in this + table are created by providing the associated device with a + Diffie-Helman public value and a usmUserName/usmUserSecurityName + pair during initialization. How these values are provided is + outside the scope of this MIB, but could be provided manually, or + through a configuration file. Valid public value/name pairs + result in the creation of a row in this table as well as the + creation of an associated row (with keys derived as indicated) in + the usmUserTable. The actual access the related usmSecurityName + has is dependent on the entries in the VACM tables. In general, + an implementor will specify one or more standard security names + and will provide entries in the VACM tables granting various + levels of access to those names. The actual content of the VACM + + table is beyond the scope of this MIB. + + Note: This table is expected to be readable without authentication + using the usmUserSecurityName 'dhKickstart'. See the conformance + statements for details." + ::= { usmDHKickstartGroup 1 } + +usmDHKickstartEntry OBJECT-TYPE + SYNTAX UsmDHKickstartEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "An entry in the usmDHKickstartTable. 
The agent SHOULD either + delete this entry or mark it as inactive upon a successful SET of + any of the KeyChange-typed objects in the usmUserEntry or upon a + successful SET of any of the DHKeyChange-typed objects in the + usmDhKeyChangeEntry where the related usmSecurityName (e.g. row of + usmUserTable or row of ushDhKeyChangeTable) equals this entry's + usmDhKickstartSecurityName. In otherwords, once you've changed + one or more of the keys for a row in usmUserTable with a + particular security name, the row in this table with that same + security name is no longer useful or meaningful." + INDEX { usmDHKickstartIndex } + ::= {usmDHKickstartTable 1 } + +UsmDHKickstartEntry ::= SEQUENCE { + usmDHKickstartIndex Integer32, + usmDHKickstartMyPublic OCTET STRING, + usmDHKickstartMgrPublic OCTET STRING, + usmDHKickstartSecurityName SnmpAdminString + } + +usmDHKickstartIndex OBJECT-TYPE + SYNTAX Integer32 (1..2147483647) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Index value for this row." + ::= { usmDHKickstartEntry 1 } + +usmDHKickstartMyPublic OBJECT-TYPE + SYNTAX OCTET STRING + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The agent's Diffie-Hellman public value for this row. At + + initialization, the agent generates a random number and derives + its public value from that number. This public value is published + here. This public value 'y' equals g^r MOD p where g is the from + the set of Diffie-Hellman parameters, p is the prime from those + parameters, and r is a random integer selected by the agent in the + interval 2^(l-1) <= r < p-1 < 2^l. If l is unspecified, then r is + a random integer selected in the interval 0 <= r < p-1 + + The public value is expressed as an OCTET STRING 'PV' of length + 'k' which satisfies + + k + y = SUM 2^(8(k-i)) PV'i + i = 1 + + where PV1,...,PVk are the octets of PV from first to last, and + where PV1 != 0. 
+ + The following DH parameters (Oakley group #2, RFC 2409, sec 6.1, + 6.2) are used for this object: + + g = 2 + p = FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 + 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD + EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 + E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED + EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 + FFFFFFFF FFFFFFFF + l=1024 + " + REFERENCE + "-- Diffie-Hellman Key-Agreement Standard, PKCS#3v1.4; + RSA Laboratories, November 1993 + -- The Internet Key Exchange, RFC2409; + Harkins, D., Carrel, D.; November 1998" + ::= { usmDHKickstartEntry 2 } + +usmDHKickstartMgrPublic OBJECT-TYPE + SYNTAX OCTET STRING + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The manager's Diffie-Hellman public value for this row. Note + that this value is not set via the SNMP agent, but may be set via + some out of band method, such as the device's configuration file. + + The manager calculates this value in the same manner and using the + same parameter set as the agent does. E.g. it selects a random + number 'r', calculates y = g^r mod p and provides 'y' as the + public number expressed as an OCTET STRING. See + usmDHKickstartMyPublic for details. 
+ + When this object is set with a valid value during initialization, + a row is created in the usmUserTable with the following values: + + usmUserEngineID localEngineID + usmUserName [value of usmDHKickstartSecurityName] + usmUserSecurityName [value of usmDHKickstartSecurityName] + usmUserCloneFrom ZeroDotZero + usmUserAuthProtocol usmHMACMD5AuthProtocol + usmUserAuthKeyChange -- derived from set value + usmUserOwnAuthKeyChange -- derived from set value + usmUserPrivProtocol usmDESPrivProtocol + usmUserPrivKeyChange -- derived from set value + usmUserOwnPrivKeyChange -- derived from set value + usmUserPublic '' + usmUserStorageType permanent + usmUserStatus active + + A shared secret 'sk' is calculated at the agent as sk = + mgrPublic^r mod p where r is the agents random number and p is the + DH prime from the common parameters. The underlying privacy key + for this row is derived from sk by applying the key derivation + function PBKDF2 defined in PKCS#5v2.0 with a salt of 0xd1310ba6, + and iterationCount of 500, a keyLength of 16 (for + usmDESPrivProtocol), and a prf (pseudo random function) of + 'id-hmacWithSHA1'. The underlying authentication key for this row + is derived from sk by applying the key derivation function PBKDF2 + with a salt of 0x98dfb5ac , an interation count of 500, a + keyLength of 16 (for usmHMAC5AuthProtocol), and a prf of + 'id-hmacWithSHA1'. Note: The salts are the first two words in the + ks0 [key schedule 0] of the BLOWFISH cipher from 'Applied + Cryptography' by Bruce Schnier - they could be any relatively + random string of bits. + + The manager can use its knowledge of its own random number and the + agent's public value to kickstart its access to the agent in a + secure manner. Note that the security of this approach is + directly related to the strength of the authorization security of + the out of band provisioning of the managers public value + (e.g. 
the configuration file), but is not dependent at all on the + strength of the confidentiality of the out of band provisioning + data." + REFERENCE + "-- Password-Based Cryptography Standard, PKCS#5v2.0; + RSA Laboratories, March 1999 + -- Applied Cryptography, 2nd Ed.; B. Schneier, + Counterpane Systems; John Wiley & Sons, 1996" + ::= { usmDHKickstartEntry 3 } + +usmDHKickstartSecurityName OBJECT-TYPE + SYNTAX SnmpAdminString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The usmUserName and usmUserSecurityName in the usmUserTable + associated with this row. This is provided in the same manner and + at the same time as the usmDHKickstartMgrPublic value - + e.g. possibly manually, or via the device's configuration file." + ::= { usmDHKickstartEntry 4 } + +-- Conformance Information + +usmDHKeyMIBCompliances OBJECT IDENTIFIER ::= { usmDHKeyConformance 1 } +usmDHKeyMIBGroups OBJECT IDENTIFIER ::= { usmDHKeyConformance 2 } + +-- Compliance statements + +usmDHKeyMIBCompliance MODULE-COMPLIANCE + STATUS current + DESCRIPTION + "The compliance statement for this module." + MODULE + GROUP usmDHKeyMIBBasicGroup + DESCRIPTION + "This group MAY be implemented by any agent which + implements the usmUserTable and which wishes to provide the + ability to change user and agent authentication and privacy + keys via Diffie-Hellman key exchanges." + + GROUP usmDHKeyParamGroup + DESCRIPTION + "This group MUST be implemented by any agent which + implements a MIB containing the DHKeyChange Textual + Convention defined in this module." + + GROUP usmDHKeyKickstartGroup + DESCRIPTION + "This group MAY be implemented by any agent which + implements the usmUserTable and which wishes the ability to + populate the USM table based on out-of-band provided DH + ignition values. 
+ + Any agent implementing this group is expected to provide + preinstalled entries in the vacm tables as follows: + + In the usmUserTable: This entry allows access to the + system and dhKickstart groups + + usmUserEngineID localEngineID + usmUserName 'dhKickstart' + usmUserSecurityName 'dhKickstart' + usmUserCloneFrom ZeroDotZero + usmUserAuthProtocol none + usmUserAuthKeyChange '' + usmUserOwnAuthKeyChange '' + usmUserPrivProtocol none + usmUserPrivKeyChange '' + usmUserOwnPrivKeyChange '' + usmUserPublic '' + usmUserStorageType permanent + usmUserStatus active + + In the vacmSecurityToGroupTable: This maps the initial + user into the accessible objects. + + vacmSecurityModel 3 (USM) + vacmSecurityName 'dhKickstart' + vacmGroupName 'dhKickstart' + vacmSecurityToGroupStorageType permanent + vacmSecurityToGroupStatus active + + In the vacmAccessTable: Group name to view name translation. + + vacmGroupName 'dhKickstart' + vacmAccessContextPrefix '' + vacmAccessSecurityModel 3 (USM) + vacmAccessSecurityLevel noAuthNoPriv + vacmAccessContextMatch exact + vacmAccessReadViewName 'dhKickRestricted' + vacmAccessWriteViewName '' + vacmAccessNotifyViewName 'dhKickRestricted' + vacmAccessStorageType permanent + vacmAccessStatus active + + In the vacmViewTreeFamilyTable: Two entries to allow the + initial entry to access the system and kickstart groups. + + vacmViewTreeFamilyViewName 'dhKickRestricted' + vacmViewTreeFamilySubtree 1.3.6.1.2.1.1 (system) + vacmViewTreeFamilyMask '' + + vacmViewTreeFamilyType 1 + vacmViewTreeFamilyStorageType permanent + vacmViewTreeFamilyStatus active + + vacmViewTreeFamilyViewName 'dhKickRestricted' + vacmViewTreeFamilySubtree (usmDHKickstartTable OID) + vacmViewTreeFamilyMask '' + vacmViewTreeFamilyType 1 + vacmViewTreeFamilyStorageType permanent + vacmViewTreeFamilyStatus active + " + + OBJECT usmDHParameters + MIN-ACCESS read-only + DESCRIPTION + "It is compliant to implement this object as read-only for + any device." 
+ ::= { usmDHKeyMIBCompliances 1 } + +-- Units of Compliance + +usmDHKeyMIBBasicGroup OBJECT-GROUP + OBJECTS { + usmDHUserAuthKeyChange, + usmDHUserOwnAuthKeyChange, + usmDHUserPrivKeyChange, + usmDHUserOwnPrivKeyChange + } + STATUS current + DESCRIPTION + "" + ::= { usmDHKeyMIBGroups 1 } + +usmDHKeyParamGroup OBJECT-GROUP + OBJECTS { + usmDHParameters + } + STATUS current + DESCRIPTION + "The mandatory object for all MIBs which use the DHKeyChange + textual convention." + ::= { usmDHKeyMIBGroups 2 } + +usmDHKeyKickstartGroup OBJECT-GROUP + OBJECTS { + usmDHKickstartMyPublic, + usmDHKickstartMgrPublic, + usmDHKickstartSecurityName + } + STATUS current + DESCRIPTION + "The objects used for kickstarting one or more SNMPv3 USM + associations via a configuration file or other out of band, + non-confidential access." + ::= { usmDHKeyMIBGroups 3 } + +END diff --git a/mibs/SNMP-VIEW-BASED-ACM-MIB.txt b/mibs/SNMP-VIEW-BASED-ACM-MIB.txt new file mode 100644 index 000000000..7244ad0af --- /dev/null +++ b/mibs/SNMP-VIEW-BASED-ACM-MIB.txt 
@@ -0,0 +1,830 @@ +SNMP-VIEW-BASED-ACM-MIB DEFINITIONS ::= BEGIN + +IMPORTS + MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF + MODULE-IDENTITY, OBJECT-TYPE, + snmpModules FROM SNMPv2-SMI + TestAndIncr, + RowStatus, StorageType FROM SNMPv2-TC + SnmpAdminString, + SnmpSecurityLevel, + SnmpSecurityModel FROM SNMP-FRAMEWORK-MIB; + +snmpVacmMIB MODULE-IDENTITY + LAST-UPDATED "200210160000Z" -- 16 Oct 2002, midnight + ORGANIZATION "SNMPv3 Working Group" + CONTACT-INFO "WG-email: snmpv3@lists.tislabs.com + Subscribe: majordomo@lists.tislabs.com + In message body: subscribe snmpv3 + + Co-Chair: Russ Mundy + Network Associates Laboratories + postal: 15204 Omega Drive, Suite 300 + Rockville, MD 20850-4601 + USA + email: mundy@tislabs.com + phone: +1 301-947-7107 + + Co-Chair: David Harrington + Enterasys Networks + Postal: 35 Industrial Way + P. O. Box 5004 + Rochester, New Hampshire 03866-5005 + USA + EMail: dbh@enterasys.com + Phone: +1 603-337-2614 + + Co-editor: Bert Wijnen + Lucent Technologies + postal: Schagen 33 + 3461 GL Linschoten + Netherlands + email: bwijnen@lucent.com + phone: +31-348-480-685 + + Co-editor: Randy Presuhn + BMC Software, Inc. + + postal: 2141 North First Street + San Jose, CA 95131 + USA + email: randy_presuhn@bmc.com + phone: +1 408-546-1006 + + Co-editor: Keith McCloghrie + Cisco Systems, Inc. + postal: 170 West Tasman Drive + San Jose, CA 95134-1706 + USA + email: kzm@cisco.com + phone: +1-408-526-5260 + " + DESCRIPTION "The management information definitions for the + View-based Access Control Model for SNMP. + + Copyright (C) The Internet Society (2002). This + version of this MIB module is part of RFC 3415; + see the RFC itself for full legal notices. 
+ " +-- Revision history + + REVISION "200210160000Z" -- 16 Oct 2002, midnight + DESCRIPTION "Clarifications, published as RFC3415" + + REVISION "199901200000Z" -- 20 Jan 1999, midnight + DESCRIPTION "Clarifications, published as RFC2575" + + REVISION "199711200000Z" -- 20 Nov 1997, midnight + DESCRIPTION "Initial version, published as RFC2275" + ::= { snmpModules 16 } + +-- Administrative assignments **************************************** + +vacmMIBObjects OBJECT IDENTIFIER ::= { snmpVacmMIB 1 } +vacmMIBConformance OBJECT IDENTIFIER ::= { snmpVacmMIB 2 } + +-- Information about Local Contexts ********************************** + +vacmContextTable OBJECT-TYPE + SYNTAX SEQUENCE OF VacmContextEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "The table of locally available contexts. + + This table provides information to SNMP Command + + Generator applications so that they can properly + configure the vacmAccessTable to control access to + all contexts at the SNMP entity. + + This table may change dynamically if the SNMP entity + allows that contexts are added/deleted dynamically + (for instance when its configuration changes). Such + changes would happen only if the management + instrumentation at that SNMP entity recognizes more + (or fewer) contexts. + + The presence of entries in this table and of entries + in the vacmAccessTable are independent. That is, a + context identified by an entry in this table is not + necessarily referenced by any entries in the + vacmAccessTable; and the context(s) referenced by an + entry in the vacmAccessTable does not necessarily + currently exist and thus need not be identified by an + entry in this table. + + This table must be made accessible via the default + context so that Command Responder applications have + a standard way of retrieving the information. + + This table is read-only. It cannot be configured via + SNMP. 
+ " + ::= { vacmMIBObjects 1 } + +vacmContextEntry OBJECT-TYPE + SYNTAX VacmContextEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "Information about a particular context." + INDEX { + vacmContextName + } + ::= { vacmContextTable 1 } + +VacmContextEntry ::= SEQUENCE + { + vacmContextName SnmpAdminString + } + +vacmContextName OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE(0..32)) + MAX-ACCESS read-only + STATUS current + DESCRIPTION "A human readable name identifying a particular + context at a particular SNMP entity. + + The empty contextName (zero length) represents the + default context. + " + ::= { vacmContextEntry 1 } + +-- Information about Groups ****************************************** + +vacmSecurityToGroupTable OBJECT-TYPE + SYNTAX SEQUENCE OF VacmSecurityToGroupEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "This table maps a combination of securityModel and + securityName into a groupName which is used to define + an access control policy for a group of principals. + " + ::= { vacmMIBObjects 2 } + +vacmSecurityToGroupEntry OBJECT-TYPE + SYNTAX VacmSecurityToGroupEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "An entry in this table maps the combination of a + securityModel and securityName into a groupName. + " + INDEX { + vacmSecurityModel, + vacmSecurityName + } + ::= { vacmSecurityToGroupTable 1 } + +VacmSecurityToGroupEntry ::= SEQUENCE + { + vacmSecurityModel SnmpSecurityModel, + vacmSecurityName SnmpAdminString, + vacmGroupName SnmpAdminString, + vacmSecurityToGroupStorageType StorageType, + vacmSecurityToGroupStatus RowStatus + } + +vacmSecurityModel OBJECT-TYPE + SYNTAX SnmpSecurityModel(1..2147483647) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "The Security Model, by which the vacmSecurityName + referenced by this entry is provided. + + Note, this object may not take the 'any' (0) value. 
+ " + ::= { vacmSecurityToGroupEntry 1 } + +vacmSecurityName OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE(1..32)) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "The securityName for the principal, represented in a + Security Model independent format, which is mapped by + this entry to a groupName. + " + ::= { vacmSecurityToGroupEntry 2 } + +vacmGroupName OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE(1..32)) + MAX-ACCESS read-create + STATUS current + DESCRIPTION "The name of the group to which this entry (e.g., the + combination of securityModel and securityName) + belongs. + + This groupName is used as index into the + vacmAccessTable to select an access control policy. + However, a value in this table does not imply that an + instance with the value exists in table vacmAccesTable. + " + ::= { vacmSecurityToGroupEntry 3 } + +vacmSecurityToGroupStorageType OBJECT-TYPE + SYNTAX StorageType + MAX-ACCESS read-create + STATUS current + DESCRIPTION "The storage type for this conceptual row. + Conceptual rows having the value 'permanent' need not + allow write-access to any columnar objects in the row. + " + DEFVAL { nonVolatile } + ::= { vacmSecurityToGroupEntry 4 } + +vacmSecurityToGroupStatus OBJECT-TYPE + SYNTAX RowStatus + MAX-ACCESS read-create + STATUS current + DESCRIPTION "The status of this conceptual row. + + Until instances of all corresponding columns are + appropriately configured, the value of the + + corresponding instance of the vacmSecurityToGroupStatus + column is 'notReady'. + + In particular, a newly created row cannot be made + active until a value has been set for vacmGroupName. + + The RowStatus TC [RFC2579] requires that this + DESCRIPTION clause states under which circumstances + other objects in this row can be modified: + + The value of this object has no effect on whether + other objects in this conceptual row can be modified. 
+ " + ::= { vacmSecurityToGroupEntry 5 } + +-- Information about Access Rights *********************************** + +vacmAccessTable OBJECT-TYPE + SYNTAX SEQUENCE OF VacmAccessEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "The table of access rights for groups. + + Each entry is indexed by a groupName, a contextPrefix, + a securityModel and a securityLevel. To determine + whether access is allowed, one entry from this table + needs to be selected and the proper viewName from that + entry must be used for access control checking. + + To select the proper entry, follow these steps: + + 1) the set of possible matches is formed by the + intersection of the following sets of entries: + + the set of entries with identical vacmGroupName + the union of these two sets: + - the set with identical vacmAccessContextPrefix + - the set of entries with vacmAccessContextMatch + value of 'prefix' and matching + vacmAccessContextPrefix + intersected with the union of these two sets: + - the set of entries with identical + vacmSecurityModel + - the set of entries with vacmSecurityModel + value of 'any' + intersected with the set of entries with + vacmAccessSecurityLevel value less than or equal + to the requested securityLevel + + 2) if this set has only one member, we're done + otherwise, it comes down to deciding how to weight + the preferences between ContextPrefixes, + SecurityModels, and SecurityLevels as follows: + a) if the subset of entries with securityModel + matching the securityModel in the message is + not empty, then discard the rest. 
+ b) if the subset of entries with + vacmAccessContextPrefix matching the contextName + in the message is not empty, + then discard the rest + c) discard all entries with ContextPrefixes shorter + than the longest one remaining in the set + d) select the entry with the highest securityLevel + + Please note that for securityLevel noAuthNoPriv, all + groups are really equivalent since the assumption that + the securityName has been authenticated does not hold. + " + ::= { vacmMIBObjects 4 } + +vacmAccessEntry OBJECT-TYPE + SYNTAX VacmAccessEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "An access right configured in the Local Configuration + Datastore (LCD) authorizing access to an SNMP context. + + Entries in this table can use an instance value for + object vacmGroupName even if no entry in table + vacmAccessSecurityToGroupTable has a corresponding + value for object vacmGroupName. + " + INDEX { vacmGroupName, + vacmAccessContextPrefix, + vacmAccessSecurityModel, + vacmAccessSecurityLevel + } + ::= { vacmAccessTable 1 } + +VacmAccessEntry ::= SEQUENCE + { + vacmAccessContextPrefix SnmpAdminString, + vacmAccessSecurityModel SnmpSecurityModel, + vacmAccessSecurityLevel SnmpSecurityLevel, + vacmAccessContextMatch INTEGER, + vacmAccessReadViewName SnmpAdminString, + vacmAccessWriteViewName SnmpAdminString, + vacmAccessNotifyViewName SnmpAdminString, + vacmAccessStorageType StorageType, + vacmAccessStatus RowStatus + } + +vacmAccessContextPrefix OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE(0..32)) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "In order to gain the access rights allowed by this + conceptual row, a contextName must match exactly + (if the value of vacmAccessContextMatch is 'exact') + or partially (if the value of vacmAccessContextMatch + is 'prefix') to the value of the instance of this + object. 
+ " + ::= { vacmAccessEntry 1 } + +vacmAccessSecurityModel OBJECT-TYPE + SYNTAX SnmpSecurityModel + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "In order to gain the access rights allowed by this + conceptual row, this securityModel must be in use. + " + ::= { vacmAccessEntry 2 } + +vacmAccessSecurityLevel OBJECT-TYPE + SYNTAX SnmpSecurityLevel + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "The minimum level of security required in order to + gain the access rights allowed by this conceptual + row. A securityLevel of noAuthNoPriv is less than + authNoPriv which in turn is less than authPriv. + + If multiple entries are equally indexed except for + this vacmAccessSecurityLevel index, then the entry + which has the highest value for + vacmAccessSecurityLevel is selected. + " + ::= { vacmAccessEntry 3 } + +vacmAccessContextMatch OBJECT-TYPE + SYNTAX INTEGER + { exact (1), -- exact match of prefix and contextName + prefix (2) -- Only match to the prefix + } + MAX-ACCESS read-create + STATUS current + DESCRIPTION "If the value of this object is exact(1), then all + rows where the contextName exactly matches + vacmAccessContextPrefix are selected. + + If the value of this object is prefix(2), then all + rows where the contextName whose starting octets + exactly match vacmAccessContextPrefix are selected. + This allows for a simple form of wildcarding. + " + DEFVAL { exact } + ::= { vacmAccessEntry 4 } + +vacmAccessReadViewName OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE(0..32)) + MAX-ACCESS read-create + STATUS current + DESCRIPTION "The value of an instance of this object identifies + the MIB view of the SNMP context to which this + conceptual row authorizes read access. 
+ + The identified MIB view is that one for which the + vacmViewTreeFamilyViewName has the same value as the + instance of this object; if the value is the empty + string or if there is no active MIB view having this + value of vacmViewTreeFamilyViewName, then no access + is granted. + " + DEFVAL { ''H } -- the empty string + ::= { vacmAccessEntry 5 } + +vacmAccessWriteViewName OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE(0..32)) + MAX-ACCESS read-create + STATUS current + DESCRIPTION "The value of an instance of this object identifies + the MIB view of the SNMP context to which this + conceptual row authorizes write access. + + The identified MIB view is that one for which the + vacmViewTreeFamilyViewName has the same value as the + instance of this object; if the value is the empty + string or if there is no active MIB view having this + value of vacmViewTreeFamilyViewName, then no access + is granted. + " + DEFVAL { ''H } -- the empty string + ::= { vacmAccessEntry 6 } + +vacmAccessNotifyViewName OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE(0..32)) + MAX-ACCESS read-create + STATUS current + DESCRIPTION "The value of an instance of this object identifies + the MIB view of the SNMP context to which this + conceptual row authorizes access for notifications. + + The identified MIB view is that one for which the + vacmViewTreeFamilyViewName has the same value as the + instance of this object; if the value is the empty + string or if there is no active MIB view having this + value of vacmViewTreeFamilyViewName, then no access + is granted. + " + DEFVAL { ''H } -- the empty string + ::= { vacmAccessEntry 7 } + +vacmAccessStorageType OBJECT-TYPE + SYNTAX StorageType + MAX-ACCESS read-create + STATUS current + DESCRIPTION "The storage type for this conceptual row. + + Conceptual rows having the value 'permanent' need not + allow write-access to any columnar objects in the row. 
+ " + DEFVAL { nonVolatile } + ::= { vacmAccessEntry 8 } + +vacmAccessStatus OBJECT-TYPE + SYNTAX RowStatus + MAX-ACCESS read-create + STATUS current + DESCRIPTION "The status of this conceptual row. + + The RowStatus TC [RFC2579] requires that this + DESCRIPTION clause states under which circumstances + other objects in this row can be modified: + + The value of this object has no effect on whether + other objects in this conceptual row can be modified. + " + ::= { vacmAccessEntry 9 } + +-- Information about MIB views *************************************** + +-- Support for instance-level granularity is optional. +-- +-- In some implementations, instance-level access control +-- granularity may come at a high performance cost. Managers +-- should avoid requesting such configurations unnecessarily. + +vacmMIBViews OBJECT IDENTIFIER ::= { vacmMIBObjects 5 } + +vacmViewSpinLock OBJECT-TYPE + SYNTAX TestAndIncr + MAX-ACCESS read-write + STATUS current + DESCRIPTION "An advisory lock used to allow cooperating SNMP + Command Generator applications to coordinate their + use of the Set operation in creating or modifying + views. + + When creating a new view or altering an existing + view, it is important to understand the potential + interactions with other uses of the view. The + vacmViewSpinLock should be retrieved. The name of + the view to be created should be determined to be + unique by the SNMP Command Generator application by + consulting the vacmViewTreeFamilyTable. Finally, + the named view may be created (Set), including the + advisory lock. + If another SNMP Command Generator application has + altered the views in the meantime, then the spin + lock's value will have changed, and so this creation + will fail because it will specify the wrong value for + the spin lock. + + Since this is an advisory lock, the use of this lock + is not enforced. 
+ " + ::= { vacmMIBViews 1 } + +vacmViewTreeFamilyTable OBJECT-TYPE + SYNTAX SEQUENCE OF VacmViewTreeFamilyEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "Locally held information about families of subtrees + within MIB views. + + Each MIB view is defined by two sets of view subtrees: + - the included view subtrees, and + - the excluded view subtrees. + Every such view subtree, both the included and the + + excluded ones, is defined in this table. + + To determine if a particular object instance is in + a particular MIB view, compare the object instance's + OBJECT IDENTIFIER with each of the MIB view's active + entries in this table. If none match, then the + object instance is not in the MIB view. If one or + more match, then the object instance is included in, + or excluded from, the MIB view according to the + value of vacmViewTreeFamilyType in the entry whose + value of vacmViewTreeFamilySubtree has the most + sub-identifiers. If multiple entries match and have + the same number of sub-identifiers (when wildcarding + is specified with the value of vacmViewTreeFamilyMask), + then the lexicographically greatest instance of + vacmViewTreeFamilyType determines the inclusion or + exclusion. + + An object instance's OBJECT IDENTIFIER X matches an + active entry in this table when the number of + sub-identifiers in X is at least as many as in the + value of vacmViewTreeFamilySubtree for the entry, + and each sub-identifier in the value of + vacmViewTreeFamilySubtree matches its corresponding + sub-identifier in X. Two sub-identifiers match + either if the corresponding bit of the value of + vacmViewTreeFamilyMask for the entry is zero (the + 'wild card' value), or if they are equal. + + A 'family' of subtrees is the set of subtrees defined + by a particular combination of values of + vacmViewTreeFamilySubtree and vacmViewTreeFamilyMask. 
+ + In the case where no 'wild card' is defined in the + vacmViewTreeFamilyMask, the family of subtrees reduces + to a single subtree. + + When creating or changing MIB views, an SNMP Command + Generator application should utilize the + vacmViewSpinLock to try to avoid collisions. See + DESCRIPTION clause of vacmViewSpinLock. + + When creating MIB views, it is strongly advised that + first the 'excluded' vacmViewTreeFamilyEntries are + created and then the 'included' entries. + + When deleting MIB views, it is strongly advised that + first the 'included' vacmViewTreeFamilyEntries are + + deleted and then the 'excluded' entries. + + If a create for an entry for instance-level access + control is received and the implementation does not + support instance-level granularity, then an + inconsistentName error must be returned. + " + ::= { vacmMIBViews 2 } + +vacmViewTreeFamilyEntry OBJECT-TYPE + SYNTAX VacmViewTreeFamilyEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "Information on a particular family of view subtrees + included in or excluded from a particular SNMP + context's MIB view. + + Implementations must not restrict the number of + families of view subtrees for a given MIB view, + except as dictated by resource constraints on the + overall number of entries in the + vacmViewTreeFamilyTable. + + If no conceptual rows exist in this table for a given + MIB view (viewName), that view may be thought of as + consisting of the empty set of view subtrees. 
+ " + INDEX { vacmViewTreeFamilyViewName, + vacmViewTreeFamilySubtree + } + ::= { vacmViewTreeFamilyTable 1 } + +VacmViewTreeFamilyEntry ::= SEQUENCE + { + vacmViewTreeFamilyViewName SnmpAdminString, + vacmViewTreeFamilySubtree OBJECT IDENTIFIER, + vacmViewTreeFamilyMask OCTET STRING, + vacmViewTreeFamilyType INTEGER, + vacmViewTreeFamilyStorageType StorageType, + vacmViewTreeFamilyStatus RowStatus + } + +vacmViewTreeFamilyViewName OBJECT-TYPE + SYNTAX SnmpAdminString (SIZE(1..32)) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "The human readable name for a family of view subtrees. + " + ::= { vacmViewTreeFamilyEntry 1 } + +vacmViewTreeFamilySubtree OBJECT-TYPE + SYNTAX OBJECT IDENTIFIER + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION "The MIB subtree which when combined with the + corresponding instance of vacmViewTreeFamilyMask + defines a family of view subtrees. + " + ::= { vacmViewTreeFamilyEntry 2 } + +vacmViewTreeFamilyMask OBJECT-TYPE + SYNTAX OCTET STRING (SIZE (0..16)) + MAX-ACCESS read-create + STATUS current + DESCRIPTION "The bit mask which, in combination with the + corresponding instance of vacmViewTreeFamilySubtree, + defines a family of view subtrees. + + Each bit of this bit mask corresponds to a + sub-identifier of vacmViewTreeFamilySubtree, with the + most significant bit of the i-th octet of this octet + string value (extended if necessary, see below) + corresponding to the (8*i - 7)-th sub-identifier, and + the least significant bit of the i-th octet of this + octet string corresponding to the (8*i)-th + sub-identifier, where i is in the range 1 through 16. + + Each bit of this bit mask specifies whether or not + the corresponding sub-identifiers must match when + determining if an OBJECT IDENTIFIER is in this + family of view subtrees; a '1' indicates that an + exact match must occur; a '0' indicates 'wild card', + i.e., any sub-identifier value matches. 
+ + Thus, the OBJECT IDENTIFIER X of an object instance + is contained in a family of view subtrees if, for + each sub-identifier of the value of + vacmViewTreeFamilySubtree, either: + + the i-th bit of vacmViewTreeFamilyMask is 0, or + + the i-th sub-identifier of X is equal to the i-th + sub-identifier of the value of + vacmViewTreeFamilySubtree. + + If the value of this bit mask is M bits long and + + there are more than M sub-identifiers in the + corresponding instance of vacmViewTreeFamilySubtree, + then the bit mask is extended with 1's to be the + required length. + + Note that when the value of this object is the + zero-length string, this extension rule results in + a mask of all-1's being used (i.e., no 'wild card'), + and the family of view subtrees is the one view + subtree uniquely identified by the corresponding + instance of vacmViewTreeFamilySubtree. + + Note that masks of length greater than zero length + do not need to be supported. In this case this + object is made read-only. + " + DEFVAL { ''H } + ::= { vacmViewTreeFamilyEntry 3 } + +vacmViewTreeFamilyType OBJECT-TYPE + SYNTAX INTEGER { included(1), excluded(2) } + MAX-ACCESS read-create + STATUS current + DESCRIPTION "Indicates whether the corresponding instances of + vacmViewTreeFamilySubtree and vacmViewTreeFamilyMask + define a family of view subtrees which is included in + or excluded from the MIB view. + " + DEFVAL { included } + ::= { vacmViewTreeFamilyEntry 4 } + +vacmViewTreeFamilyStorageType OBJECT-TYPE + SYNTAX StorageType + MAX-ACCESS read-create + STATUS current + DESCRIPTION "The storage type for this conceptual row. + + Conceptual rows having the value 'permanent' need not + allow write-access to any columnar objects in the row. + " + DEFVAL { nonVolatile } + ::= { vacmViewTreeFamilyEntry 5 } + +vacmViewTreeFamilyStatus OBJECT-TYPE + SYNTAX RowStatus + MAX-ACCESS read-create + STATUS current + DESCRIPTION "The status of this conceptual row. 
+ + The RowStatus TC [RFC2579] requires that this + DESCRIPTION clause states under which circumstances + other objects in this row can be modified: + + The value of this object has no effect on whether + other objects in this conceptual row can be modified. + " + ::= { vacmViewTreeFamilyEntry 6 } + +-- Conformance information ******************************************* + +vacmMIBCompliances OBJECT IDENTIFIER ::= { vacmMIBConformance 1 } +vacmMIBGroups OBJECT IDENTIFIER ::= { vacmMIBConformance 2 } + +-- Compliance statements ********************************************* + +vacmMIBCompliance MODULE-COMPLIANCE + STATUS current + DESCRIPTION "The compliance statement for SNMP engines which + implement the SNMP View-based Access Control Model + configuration MIB. + " + MODULE -- this module + MANDATORY-GROUPS { vacmBasicGroup } + + OBJECT vacmAccessContextMatch + MIN-ACCESS read-only + DESCRIPTION "Write access is not required." + + OBJECT vacmAccessReadViewName + MIN-ACCESS read-only + DESCRIPTION "Write access is not required." + + OBJECT vacmAccessWriteViewName + MIN-ACCESS read-only + DESCRIPTION "Write access is not required." + + OBJECT vacmAccessNotifyViewName + MIN-ACCESS read-only + DESCRIPTION "Write access is not required." + + OBJECT vacmAccessStorageType + MIN-ACCESS read-only + DESCRIPTION "Write access is not required." + + OBJECT vacmAccessStatus + MIN-ACCESS read-only + DESCRIPTION "Create/delete/modify access to the + + vacmAccessTable is not required. + " + + OBJECT vacmViewTreeFamilyMask + WRITE-SYNTAX OCTET STRING (SIZE (0)) + MIN-ACCESS read-only + DESCRIPTION "Support for configuration via SNMP of subtree + families using wild-cards is not required. + " + + OBJECT vacmViewTreeFamilyType + MIN-ACCESS read-only + DESCRIPTION "Write access is not required." + + OBJECT vacmViewTreeFamilyStorageType + MIN-ACCESS read-only + DESCRIPTION "Write access is not required." 
+ + OBJECT vacmViewTreeFamilyStatus + MIN-ACCESS read-only + DESCRIPTION "Create/delete/modify access to the + vacmViewTreeFamilyTable is not required. + " + ::= { vacmMIBCompliances 1 } + +-- Units of conformance ********************************************** + +vacmBasicGroup OBJECT-GROUP + OBJECTS { + vacmContextName, + vacmGroupName, + vacmSecurityToGroupStorageType, + vacmSecurityToGroupStatus, + vacmAccessContextMatch, + vacmAccessReadViewName, + vacmAccessWriteViewName, + vacmAccessNotifyViewName, + vacmAccessStorageType, + vacmAccessStatus, + vacmViewSpinLock, + vacmViewTreeFamilyMask, + vacmViewTreeFamilyType, + vacmViewTreeFamilyStorageType, + vacmViewTreeFamilyStatus + } + STATUS current + DESCRIPTION "A collection of objects providing for remote + configuration of an SNMP engine which implements + + the SNMP View-based Access Control Model. + " + ::= { vacmMIBGroups 1 } + +END diff --git a/mibs/SNMPv2-CONF.txt b/mibs/SNMPv2-CONF.txt new file mode 100644 index 000000000..24a1eed95 --- /dev/null +++ b/mibs/SNMPv2-CONF.txt 
@@ -0,0 +1,322 @@ +SNMPv2-CONF DEFINITIONS ::= BEGIN + +IMPORTS ObjectName, NotificationName, ObjectSyntax + FROM SNMPv2-SMI; + +-- definitions for conformance groups + +OBJECT-GROUP MACRO ::= +BEGIN + TYPE NOTATION ::= + ObjectsPart + "STATUS" Status + "DESCRIPTION" Text + ReferPart + + VALUE NOTATION ::= + value(VALUE OBJECT IDENTIFIER) + + ObjectsPart ::= + "OBJECTS" "{" Objects "}" + Objects ::= + Object + | Objects "," Object + Object ::= + + value(ObjectName) + + Status ::= + "current" + | "deprecated" + | "obsolete" + + ReferPart ::= + "REFERENCE" Text + | empty + + -- a character string as defined in [2] + Text ::= value(IA5String) +END + +-- more definitions for conformance groups + +NOTIFICATION-GROUP MACRO ::= +BEGIN + TYPE NOTATION ::= + NotificationsPart + "STATUS" Status + "DESCRIPTION" Text + ReferPart + + VALUE NOTATION ::= + value(VALUE OBJECT IDENTIFIER) + + NotificationsPart ::= + "NOTIFICATIONS" "{" Notifications "}" + Notifications ::= + Notification + | Notifications "," Notification + Notification ::= + value(NotificationName) + + Status ::= + "current" + | "deprecated" + | "obsolete" + + ReferPart ::= + "REFERENCE" Text + | empty + + -- a character string as defined in [2] + Text ::= value(IA5String) +END + +-- definitions for compliance statements + +MODULE-COMPLIANCE MACRO ::= +BEGIN + TYPE NOTATION ::= + "STATUS" Status + "DESCRIPTION" Text + ReferPart + ModulePart + + VALUE NOTATION ::= + value(VALUE OBJECT IDENTIFIER) + + Status ::= + "current" + | "deprecated" + | "obsolete" + + ReferPart ::= + "REFERENCE" Text + | empty + + ModulePart ::= + Modules + Modules ::= + Module + | Modules Module + Module ::= + -- name of module -- + "MODULE" ModuleName + MandatoryPart + CompliancePart + + ModuleName ::= + -- identifier must start with uppercase letter + identifier ModuleIdentifier + -- must not be empty unless contained + -- in MIB Module + | empty + ModuleIdentifier ::= + value(OBJECT IDENTIFIER) + | empty + + MandatoryPart ::= + 
"MANDATORY-GROUPS" "{" Groups "}" + | empty + + Groups ::= + + Group + | Groups "," Group + Group ::= + value(OBJECT IDENTIFIER) + + CompliancePart ::= + Compliances + | empty + + Compliances ::= + Compliance + | Compliances Compliance + Compliance ::= + ComplianceGroup + | Object + + ComplianceGroup ::= + "GROUP" value(OBJECT IDENTIFIER) + "DESCRIPTION" Text + + Object ::= + "OBJECT" value(ObjectName) + SyntaxPart + WriteSyntaxPart + AccessPart + "DESCRIPTION" Text + + -- must be a refinement for object's SYNTAX clause + SyntaxPart ::= "SYNTAX" Syntax + | empty + + -- must be a refinement for object's SYNTAX clause + WriteSyntaxPart ::= "WRITE-SYNTAX" Syntax + | empty + + Syntax ::= -- Must be one of the following: + -- a base type (or its refinement), + -- a textual convention (or its refinement), or + -- a BITS pseudo-type + type + | "BITS" "{" NamedBits "}" + + NamedBits ::= NamedBit + | NamedBits "," NamedBit + + NamedBit ::= identifier "(" number ")" -- number is nonnegative + + AccessPart ::= + "MIN-ACCESS" Access + | empty + Access ::= + "not-accessible" + | "accessible-for-notify" + | "read-only" + | "read-write" + | "read-create" + + -- a character string as defined in [2] + Text ::= value(IA5String) +END + +-- definitions for capabilities statements + +AGENT-CAPABILITIES MACRO ::= +BEGIN + TYPE NOTATION ::= + "PRODUCT-RELEASE" Text + "STATUS" Status + "DESCRIPTION" Text + ReferPart + ModulePart + + VALUE NOTATION ::= + value(VALUE OBJECT IDENTIFIER) + + Status ::= + "current" + | "obsolete" + + ReferPart ::= + "REFERENCE" Text + | empty + + ModulePart ::= + Modules + | empty + Modules ::= + Module + | Modules Module + Module ::= + -- name of module -- + "SUPPORTS" ModuleName + "INCLUDES" "{" Groups "}" + VariationPart + + ModuleName ::= + + -- identifier must start with uppercase letter + identifier ModuleIdentifier + ModuleIdentifier ::= + value(OBJECT IDENTIFIER) + | empty + + Groups ::= + Group + | Groups "," Group + Group ::= + value(OBJECT 
IDENTIFIER) + + VariationPart ::= + Variations + | empty + Variations ::= + Variation + | Variations Variation + + Variation ::= + ObjectVariation + | NotificationVariation + + NotificationVariation ::= + "VARIATION" value(NotificationName) + AccessPart + "DESCRIPTION" Text + + ObjectVariation ::= + "VARIATION" value(ObjectName) + SyntaxPart + WriteSyntaxPart + AccessPart + CreationPart + DefValPart + "DESCRIPTION" Text + + -- must be a refinement for object's SYNTAX clause + SyntaxPart ::= "SYNTAX" Syntax + | empty + + WriteSyntaxPart ::= "WRITE-SYNTAX" Syntax + | empty + + Syntax ::= -- Must be one of the following: + -- a base type (or its refinement), + -- a textual convention (or its refinement), or + -- a BITS pseudo-type + + type + | "BITS" "{" NamedBits "}" + + NamedBits ::= NamedBit + | NamedBits "," NamedBit + + NamedBit ::= identifier "(" number ")" -- number is nonnegative + + AccessPart ::= + "ACCESS" Access + | empty + + Access ::= + "not-implemented" + -- only "not-implemented" for notifications + | "accessible-for-notify" + | "read-only" + | "read-write" + | "read-create" + -- following is for backward-compatibility only + | "write-only" + + CreationPart ::= + "CREATION-REQUIRES" "{" Cells "}" + | empty + Cells ::= + Cell + | Cells "," Cell + Cell ::= + value(ObjectName) + + DefValPart ::= "DEFVAL" "{" Defvalue "}" + | empty + + Defvalue ::= -- must be valid for the object's syntax + -- in this macro's SYNTAX clause, if present, + -- or if not, in object's OBJECT-TYPE macro + value(ObjectSyntax) + | "{" BitsValue "}" + + BitsValue ::= BitNames + | empty + + BitNames ::= BitName + | BitNames "," BitName + + BitName ::= identifier + + -- a character string as defined in [2] + Text ::= value(IA5String) +END + +END diff --git a/mibs/SNMPv2-MIB.txt b/mibs/SNMPv2-MIB.txt new file mode 100644 index 000000000..8c828305e --- /dev/null +++ b/mibs/SNMPv2-MIB.txt 
@@ -0,0 +1,854 @@ +SNMPv2-MIB DEFINITIONS ::= BEGIN + +IMPORTS + MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, + TimeTicks, Counter32, snmpModules, mib-2 + FROM SNMPv2-SMI + DisplayString, TestAndIncr, TimeStamp + + FROM SNMPv2-TC + MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP + FROM SNMPv2-CONF; + +snmpMIB MODULE-IDENTITY + LAST-UPDATED "200210160000Z" + ORGANIZATION "IETF SNMPv3 Working Group" + CONTACT-INFO + "WG-EMail: snmpv3@lists.tislabs.com + Subscribe: snmpv3-request@lists.tislabs.com + + Co-Chair: Russ Mundy + Network Associates Laboratories + postal: 15204 Omega Drive, Suite 300 + Rockville, MD 20850-4601 + USA + EMail: mundy@tislabs.com + phone: +1 301 947-7107 + + Co-Chair: David Harrington + Enterasys Networks + postal: 35 Industrial Way + P. O. Box 5005 + Rochester, NH 03866-5005 + USA + EMail: dbh@enterasys.com + phone: +1 603 337-2614 + + Editor: Randy Presuhn + BMC Software, Inc. + postal: 2141 North First Street + San Jose, CA 95131 + USA + EMail: randy_presuhn@bmc.com + phone: +1 408 546-1006" + DESCRIPTION + "The MIB module for SNMP entities. + + Copyright (C) The Internet Society (2002). This + version of this MIB module is part of RFC 3418; + see the RFC itself for full legal notices. + " + REVISION "200210160000Z" + DESCRIPTION + "This revision of this MIB module was published as + RFC 3418." + REVISION "199511090000Z" + DESCRIPTION + "This revision of this MIB module was published as + RFC 1907." + REVISION "199304010000Z" + DESCRIPTION + "The initial revision of this MIB module was published + as RFC 1450." + ::= { snmpModules 1 } + +snmpMIBObjects OBJECT IDENTIFIER ::= { snmpMIB 1 } + +-- ::= { snmpMIBObjects 1 } this OID is obsolete +-- ::= { snmpMIBObjects 2 } this OID is obsolete +-- ::= { snmpMIBObjects 3 } this OID is obsolete + +-- the System group +-- +-- a collection of objects common to all managed systems. 
+ +system OBJECT IDENTIFIER ::= { mib-2 1 } + +sysDescr OBJECT-TYPE + SYNTAX DisplayString (SIZE (0..255)) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "A textual description of the entity. This value should + include the full name and version identification of + the system's hardware type, software operating-system, + and networking software." + ::= { system 1 } + +sysObjectID OBJECT-TYPE + SYNTAX OBJECT IDENTIFIER + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The vendor's authoritative identification of the + network management subsystem contained in the entity. + This value is allocated within the SMI enterprises + subtree (1.3.6.1.4.1) and provides an easy and + unambiguous means for determining `what kind of box' is + being managed. For example, if vendor `Flintstones, + Inc.' was assigned the subtree 1.3.6.1.4.1.424242, + it could assign the identifier 1.3.6.1.4.1.424242.1.1 + to its `Fred Router'." + ::= { system 2 } + +sysUpTime OBJECT-TYPE + SYNTAX TimeTicks + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The time (in hundredths of a second) since the + network management portion of the system was last + re-initialized." + ::= { system 3 } + +sysContact OBJECT-TYPE + SYNTAX DisplayString (SIZE (0..255)) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The textual identification of the contact person for + this managed node, together with information on how + to contact this person. If no contact information is + known, the value is the zero-length string." + ::= { system 4 } + +sysName OBJECT-TYPE + SYNTAX DisplayString (SIZE (0..255)) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "An administratively-assigned name for this managed + node. By convention, this is the node's fully-qualified + domain name. If the name is unknown, the value is + the zero-length string." 
+ ::= { system 5 } + +sysLocation OBJECT-TYPE + SYNTAX DisplayString (SIZE (0..255)) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The physical location of this node (e.g., 'telephone + closet, 3rd floor'). If the location is unknown, the + value is the zero-length string." + ::= { system 6 } + +sysServices OBJECT-TYPE + SYNTAX INTEGER (0..127) + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "A value which indicates the set of services that this + entity may potentially offer. The value is a sum. + + This sum initially takes the value zero. Then, for + each layer, L, in the range 1 through 7, that this node + performs transactions for, 2 raised to (L - 1) is added + to the sum. For example, a node which performs only + routing functions would have a value of 4 (2^(3-1)). + In contrast, a node which is a host offering application + services would have a value of 72 (2^(4-1) + 2^(7-1)). + Note that in the context of the Internet suite of + protocols, values should be calculated accordingly: + + layer functionality + 1 physical (e.g., repeaters) + 2 datalink/subnetwork (e.g., bridges) + 3 internet (e.g., supports the IP) + 4 end-to-end (e.g., supports the TCP) + 7 applications (e.g., supports the SMTP) + + For systems including OSI protocols, layers 5 and 6 + may also be counted." + ::= { system 7 } + +-- object resource information +-- +-- a collection of objects which describe the SNMP entity's +-- (statically and dynamically configurable) support of +-- various MIB modules. + +sysORLastChange OBJECT-TYPE + SYNTAX TimeStamp + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of sysUpTime at the time of the most recent + change in state or value of any instance of sysORID." 
+ ::= { system 8 } + +sysORTable OBJECT-TYPE + SYNTAX SEQUENCE OF SysOREntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The (conceptual) table listing the capabilities of + the local SNMP application acting as a command + responder with respect to various MIB modules. + SNMP entities having dynamically-configurable support + of MIB modules will have a dynamically-varying number + of conceptual rows." + ::= { system 9 } + +sysOREntry OBJECT-TYPE + SYNTAX SysOREntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "An entry (conceptual row) in the sysORTable." + INDEX { sysORIndex } + ::= { sysORTable 1 } + +SysOREntry ::= SEQUENCE { + sysORIndex INTEGER, + sysORID OBJECT IDENTIFIER, + sysORDescr DisplayString, + sysORUpTime TimeStamp +} + +sysORIndex OBJECT-TYPE + SYNTAX INTEGER (1..2147483647) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The auxiliary variable used for identifying instances + of the columnar objects in the sysORTable." + ::= { sysOREntry 1 } + +sysORID OBJECT-TYPE + SYNTAX OBJECT IDENTIFIER + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "An authoritative identification of a capabilities + statement with respect to various MIB modules supported + by the local SNMP application acting as a command + responder." + ::= { sysOREntry 2 } + +sysORDescr OBJECT-TYPE + SYNTAX DisplayString + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "A textual description of the capabilities identified + by the corresponding instance of sysORID." + ::= { sysOREntry 3 } + +sysORUpTime OBJECT-TYPE + SYNTAX TimeStamp + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The value of sysUpTime at the time this conceptual + row was last instantiated." + ::= { sysOREntry 4 } + +-- the SNMP group +-- +-- a collection of objects providing basic instrumentation and +-- control of an SNMP entity. 
+ +snmp OBJECT IDENTIFIER ::= { mib-2 11 } + +snmpInPkts OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The total number of messages delivered to the SNMP + entity from the transport service." + ::= { snmp 1 } + +snmpInBadVersions OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The total number of SNMP messages which were delivered + to the SNMP entity and were for an unsupported SNMP + version." + ::= { snmp 3 } + +snmpInBadCommunityNames OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The total number of community-based SNMP messages (for + example, SNMPv1) delivered to the SNMP entity which + used an SNMP community name not known to said entity. + Also, implementations which authenticate community-based + SNMP messages using check(s) in addition to matching + the community name (for example, by also checking + whether the message originated from a transport address + allowed to use a specified community name) MAY include + in this value the number of messages which failed the + additional check(s). It is strongly RECOMMENDED that + + the documentation for any security model which is used + to authenticate community-based SNMP messages specify + the precise conditions that contribute to this value." + ::= { snmp 4 } + +snmpInBadCommunityUses OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The total number of community-based SNMP messages (for + example, SNMPv1) delivered to the SNMP entity which + represented an SNMP operation that was not allowed for + the SNMP community named in the message. The precise + conditions under which this counter is incremented + (if at all) depend on how the SNMP entity implements + its access control mechanism and how its applications + interact with that access control mechanism. 
It is + strongly RECOMMENDED that the documentation for any + access control mechanism which is used to control access + to and visibility of MIB instrumentation specify the + precise conditions that contribute to this value." + ::= { snmp 5 } + +snmpInASNParseErrs OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The total number of ASN.1 or BER errors encountered by + the SNMP entity when decoding received SNMP messages." + ::= { snmp 6 } + +snmpEnableAuthenTraps OBJECT-TYPE + SYNTAX INTEGER { enabled(1), disabled(2) } + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "Indicates whether the SNMP entity is permitted to + generate authenticationFailure traps. The value of this + object overrides any configuration information; as such, + it provides a means whereby all authenticationFailure + traps may be disabled. + + Note that it is strongly recommended that this object + be stored in non-volatile memory so that it remains + constant across re-initializations of the network + management system." + ::= { snmp 30 } + +snmpSilentDrops OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The total number of Confirmed Class PDUs (such as + GetRequest-PDUs, GetNextRequest-PDUs, + GetBulkRequest-PDUs, SetRequest-PDUs, and + InformRequest-PDUs) delivered to the SNMP entity which + were silently dropped because the size of a reply + containing an alternate Response Class PDU (such as a + Response-PDU) with an empty variable-bindings field + was greater than either a local constraint or the + maximum message size associated with the originator of + the request." 
+ ::= { snmp 31 } + +snmpProxyDrops OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The total number of Confirmed Class PDUs + (such as GetRequest-PDUs, GetNextRequest-PDUs, + GetBulkRequest-PDUs, SetRequest-PDUs, and + InformRequest-PDUs) delivered to the SNMP entity which + were silently dropped because the transmission of + the (possibly translated) message to a proxy target + failed in a manner (other than a time-out) such that + no Response Class PDU (such as a Response-PDU) could + be returned." + ::= { snmp 32 } + +-- information for notifications +-- +-- a collection of objects which allow the SNMP entity, when +-- supporting a notification originator application, +-- to be configured to generate SNMPv2-Trap-PDUs. + +snmpTrap OBJECT IDENTIFIER ::= { snmpMIBObjects 4 } + +snmpTrapOID OBJECT-TYPE + SYNTAX OBJECT IDENTIFIER + MAX-ACCESS accessible-for-notify + STATUS current + DESCRIPTION + "The authoritative identification of the notification + currently being sent. This variable occurs as + the second varbind in every SNMPv2-Trap-PDU and + InformRequest-PDU." + ::= { snmpTrap 1 } + +-- ::= { snmpTrap 2 } this OID is obsolete + +snmpTrapEnterprise OBJECT-TYPE + SYNTAX OBJECT IDENTIFIER + MAX-ACCESS accessible-for-notify + STATUS current + DESCRIPTION + "The authoritative identification of the enterprise + associated with the trap currently being sent. When an + SNMP proxy agent is mapping an RFC1157 Trap-PDU + into a SNMPv2-Trap-PDU, this variable occurs as the + last varbind." + ::= { snmpTrap 3 } + +-- ::= { snmpTrap 4 } this OID is obsolete + +-- well-known traps + +snmpTraps OBJECT IDENTIFIER ::= { snmpMIBObjects 5 } + +coldStart NOTIFICATION-TYPE + STATUS current + DESCRIPTION + "A coldStart trap signifies that the SNMP entity, + supporting a notification originator application, is + reinitializing itself and that its configuration may + have been altered." 
+ ::= { snmpTraps 1 } + +warmStart NOTIFICATION-TYPE + STATUS current + DESCRIPTION + "A warmStart trap signifies that the SNMP entity, + supporting a notification originator application, + is reinitializing itself such that its configuration + is unaltered." + ::= { snmpTraps 2 } + +-- Note the linkDown NOTIFICATION-TYPE ::= { snmpTraps 3 } +-- and the linkUp NOTIFICATION-TYPE ::= { snmpTraps 4 } +-- are defined in RFC 2863 [RFC2863] + +authenticationFailure NOTIFICATION-TYPE + STATUS current + DESCRIPTION + "An authenticationFailure trap signifies that the SNMP + entity has received a protocol message that is not + properly authenticated. While all implementations + of SNMP entities MAY be capable of generating this + trap, the snmpEnableAuthenTraps object indicates + whether this trap will be generated." + ::= { snmpTraps 5 } + +-- Note the egpNeighborLoss notification is defined +-- as { snmpTraps 6 } in RFC 1213 + +-- the set group +-- +-- a collection of objects which allow several cooperating +-- command generator applications to coordinate their use of the +-- set operation. + +snmpSet OBJECT IDENTIFIER ::= { snmpMIBObjects 6 } + +snmpSetSerialNo OBJECT-TYPE + SYNTAX TestAndIncr + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "An advisory lock used to allow several cooperating + command generator applications to coordinate their + use of the SNMP set operation. + + This object is used for coarse-grain coordination. + To achieve fine-grain coordination, one or more similar + objects might be defined within each MIB group, as + appropriate." 
+ ::= { snmpSet 1 }
+
+-- conformance information
+
+snmpMIBConformance
+ OBJECT IDENTIFIER ::= { snmpMIB 2 }
+
+snmpMIBCompliances
+ OBJECT IDENTIFIER ::= { snmpMIBConformance 1 }
+snmpMIBGroups OBJECT IDENTIFIER ::= { snmpMIBConformance 2 }
+
+-- compliance statements
+
+-- ::= { snmpMIBCompliances 1 } this OID is obsolete
+snmpBasicCompliance MODULE-COMPLIANCE
+ STATUS deprecated
+ DESCRIPTION
+ "The compliance statement for SNMPv2 entities which
+ implement the SNMPv2 MIB.
+
+ This compliance statement is replaced by
+ snmpBasicComplianceRev2."
+ MODULE -- this module
+ MANDATORY-GROUPS { snmpGroup, snmpSetGroup, systemGroup,
+ snmpBasicNotificationsGroup }
+
+ GROUP snmpCommunityGroup
+ DESCRIPTION
+ "This group is mandatory for SNMPv2 entities which
+ support community-based authentication."
+ ::= { snmpMIBCompliances 2 }
+
+snmpBasicComplianceRev2 MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "The compliance statement for SNMP entities which
+ implement this MIB module."
+ MODULE -- this module
+ MANDATORY-GROUPS { snmpGroup, snmpSetGroup, systemGroup,
+ snmpBasicNotificationsGroup }
+
+ GROUP snmpCommunityGroup
+ DESCRIPTION
+ "This group is mandatory for SNMP entities which
+ support community-based authentication."
+
+ GROUP snmpWarmStartNotificationGroup
+ DESCRIPTION
+ "This group is mandatory for an SNMP entity which
+ supports command responder applications, and is
+ able to reinitialize itself such that its
+ configuration is unaltered."
+ ::= { snmpMIBCompliances 3 }
+
+-- units of conformance
+
+-- ::= { snmpMIBGroups 1 } this OID is obsolete
+-- ::= { snmpMIBGroups 2 } this OID is obsolete
+-- ::= { snmpMIBGroups 3 } this OID is obsolete
+
+-- ::= { snmpMIBGroups 4 } this OID is obsolete
+
+snmpGroup OBJECT-GROUP
+ OBJECTS { snmpInPkts,
+ snmpInBadVersions,
+ snmpInASNParseErrs,
+ snmpSilentDrops,
+ snmpProxyDrops,
+ snmpEnableAuthenTraps }
+ STATUS current
+ DESCRIPTION
+ "A collection of objects providing basic instrumentation
+ and control of an SNMP entity."
+ ::= { snmpMIBGroups 8 }
+
+snmpCommunityGroup OBJECT-GROUP
+ OBJECTS { snmpInBadCommunityNames,
+ snmpInBadCommunityUses }
+ STATUS current
+ DESCRIPTION
+ "A collection of objects providing basic instrumentation
+ of a SNMP entity which supports community-based
+ authentication."
+ ::= { snmpMIBGroups 9 }
+
+snmpSetGroup OBJECT-GROUP
+ OBJECTS { snmpSetSerialNo }
+ STATUS current
+ DESCRIPTION
+ "A collection of objects which allow several cooperating
+ command generator applications to coordinate their
+ use of the set operation."
+ ::= { snmpMIBGroups 5 }
+
+systemGroup OBJECT-GROUP
+ OBJECTS { sysDescr, sysObjectID, sysUpTime,
+ sysContact, sysName, sysLocation,
+ sysServices,
+ sysORLastChange, sysORID,
+ sysORUpTime, sysORDescr }
+ STATUS current
+ DESCRIPTION
+ "The system group defines objects which are common to all
+ managed systems."
+ ::= { snmpMIBGroups 6 }
+
+snmpBasicNotificationsGroup NOTIFICATION-GROUP
+ NOTIFICATIONS { coldStart, authenticationFailure }
+ STATUS current
+ DESCRIPTION
+ "The basic notifications implemented by an SNMP entity
+ supporting command responder applications."
+ ::= { snmpMIBGroups 7 }
+
+snmpWarmStartNotificationGroup NOTIFICATION-GROUP
+ NOTIFICATIONS { warmStart }
+ STATUS current
+ DESCRIPTION
+ "An additional notification for an SNMP entity supporting
+ command responder applications, if it is able to reinitialize
+ itself such that its configuration is unaltered."
+ ::= { snmpMIBGroups 11 }
+
+snmpNotificationGroup OBJECT-GROUP
+ OBJECTS { snmpTrapOID, snmpTrapEnterprise }
+ STATUS current
+ DESCRIPTION
+ "These objects are required for entities
+ which support notification originator applications."
+ ::= { snmpMIBGroups 12 }
+
+-- definitions in RFC 1213 made obsolete by the inclusion of a
+-- subset of the snmp group in this MIB
+
+snmpOutPkts OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS obsolete
+ DESCRIPTION
+ "The total number of SNMP Messages which were
+ passed from the SNMP protocol entity to the
+ transport service."
+ ::= { snmp 2 }
+
+-- { snmp 7 } is not used
+
+snmpInTooBigs OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS obsolete
+ DESCRIPTION
+ "The total number of SNMP PDUs which were
+ delivered to the SNMP protocol entity and for
+ which the value of the error-status field was
+ `tooBig'."
+ ::= { snmp 8 }
+
+snmpInNoSuchNames OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS obsolete
+ DESCRIPTION
+ "The total number of SNMP PDUs which were
+ delivered to the SNMP protocol entity and for
+ which the value of the error-status field was
+ `noSuchName'."
+ ::= { snmp 9 }
+
+snmpInBadValues OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS obsolete
+ DESCRIPTION
+ "The total number of SNMP PDUs which were
+ delivered to the SNMP protocol entity and for
+ which the value of the error-status field was
+ `badValue'."
+ ::= { snmp 10 }
+
+snmpInReadOnlys OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS obsolete
+ DESCRIPTION
+ "The total number valid SNMP PDUs which were delivered
+ to the SNMP protocol entity and for which the value
+ of the error-status field was `readOnly'. It should
+ be noted that it is a protocol error to generate an
+ SNMP PDU which contains the value `readOnly' in the
+ error-status field, as such this object is provided
+ as a means of detecting incorrect implementations of
+ the SNMP."
+ ::= { snmp 11 }
+
+snmpInGenErrs OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS obsolete
+ DESCRIPTION
+ "The total number of SNMP PDUs which were delivered
+ to the SNMP protocol entity and for which the value
+ of the error-status field was `genErr'."
+ ::= { snmp 12 }
+
+snmpInTotalReqVars OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS obsolete
+ DESCRIPTION
+ "The total number of MIB objects which have been
+ retrieved successfully by the SNMP protocol entity
+ as the result of receiving valid SNMP Get-Request
+ and Get-Next PDUs."
+ ::= { snmp 13 }
+
+snmpInTotalSetVars OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS obsolete
+ DESCRIPTION
+ "The total number of MIB objects which have been
+ altered successfully by the SNMP protocol entity as
+ the result of receiving valid SNMP Set-Request PDUs."
+ ::= { snmp 14 }
+
+snmpInGetRequests OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS obsolete
+ DESCRIPTION
+ "The total number of SNMP Get-Request PDUs which
+ have been accepted and processed by the SNMP
+ protocol entity."
+ ::= { snmp 15 }
+
+snmpInGetNexts OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS obsolete
+ DESCRIPTION
+ "The total number of SNMP Get-Next PDUs which have been
+ accepted and processed by the SNMP protocol entity."
+ ::= { snmp 16 }
+
+snmpInSetRequests OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS obsolete
+ DESCRIPTION
+ "The total number of SNMP Set-Request PDUs which
+ have been accepted and processed by the SNMP protocol
+ entity."
+ ::= { snmp 17 }
+
+snmpInGetResponses OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS obsolete
+ DESCRIPTION
+ "The total number of SNMP Get-Response PDUs which
+ have been accepted and processed by the SNMP protocol
+ entity."
+ ::= { snmp 18 }
+
+snmpInTraps OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS obsolete
+ DESCRIPTION
+ "The total number of SNMP Trap PDUs which have been
+ accepted and processed by the SNMP protocol entity."
+ ::= { snmp 19 }
+
+snmpOutTooBigs OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS obsolete
+ DESCRIPTION
+ "The total number of SNMP PDUs which were generated
+ by the SNMP protocol entity and for which the value
+ of the error-status field was `tooBig.'"
+ ::= { snmp 20 }
+
+snmpOutNoSuchNames OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS obsolete
+ DESCRIPTION
+ "The total number of SNMP PDUs which were generated
+ by the SNMP protocol entity and for which the value
+ of the error-status was `noSuchName'."
+ ::= { snmp 21 }
+
+snmpOutBadValues OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS obsolete
+ DESCRIPTION
+ "The total number of SNMP PDUs which were generated
+ by the SNMP protocol entity and for which the value
+ of the error-status field was `badValue'."
+ ::= { snmp 22 }
+
+-- { snmp 23 } is not used
+
+snmpOutGenErrs OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS obsolete
+ DESCRIPTION
+ "The total number of SNMP PDUs which were generated
+ by the SNMP protocol entity and for which the value
+ of the error-status field was `genErr'."
+ ::= { snmp 24 }
+
+snmpOutGetRequests OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS obsolete
+ DESCRIPTION
+ "The total number of SNMP Get-Request PDUs which
+ have been generated by the SNMP protocol entity."
+ ::= { snmp 25 }
+
+snmpOutGetNexts OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS obsolete
+ DESCRIPTION
+ "The total number of SNMP Get-Next PDUs which have
+ been generated by the SNMP protocol entity."
+ ::= { snmp 26 }
+
+snmpOutSetRequests OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS obsolete
+ DESCRIPTION
+ "The total number of SNMP Set-Request PDUs which
+ have been generated by the SNMP protocol entity."
+ ::= { snmp 27 }
+
+snmpOutGetResponses OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS obsolete
+ DESCRIPTION
+ "The total number of SNMP Get-Response PDUs which
+ have been generated by the SNMP protocol entity."
+ ::= { snmp 28 }
+
+snmpOutTraps OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS obsolete
+ DESCRIPTION
+ "The total number of SNMP Trap PDUs which have
+ been generated by the SNMP protocol entity."
+ ::= { snmp 29 }
+
+snmpObsoleteGroup OBJECT-GROUP
+ OBJECTS { snmpOutPkts, snmpInTooBigs, snmpInNoSuchNames,
+ snmpInBadValues, snmpInReadOnlys, snmpInGenErrs,
+ snmpInTotalReqVars, snmpInTotalSetVars,
+ snmpInGetRequests, snmpInGetNexts, snmpInSetRequests,
+ snmpInGetResponses, snmpInTraps, snmpOutTooBigs,
+ snmpOutNoSuchNames, snmpOutBadValues,
+ snmpOutGenErrs, snmpOutGetRequests, snmpOutGetNexts,
+ snmpOutSetRequests, snmpOutGetResponses, snmpOutTraps
+ }
+ STATUS obsolete
+ DESCRIPTION
+ "A collection of objects from RFC 1213 made obsolete
+ by this MIB module."
+ ::= { snmpMIBGroups 10 }
+
+END
diff --git a/mibs/SNMPv2-SMI.txt b/mibs/SNMPv2-SMI.txt
new file mode 100644
index 000000000..1c01e1dfc
--- /dev/null
+++ b/mibs/SNMPv2-SMI.txt
@@ -0,0 +1,344 @@
+SNMPv2-SMI DEFINITIONS ::= BEGIN
+
+-- the path to the root
+
+org OBJECT IDENTIFIER ::= { iso 3 } -- "iso" = 1
+dod OBJECT IDENTIFIER ::= { org 6 }
+internet OBJECT IDENTIFIER ::= { dod 1 }
+
+directory OBJECT IDENTIFIER ::= { internet 1 }
+
+mgmt OBJECT IDENTIFIER ::= { internet 2 }
+mib-2 OBJECT IDENTIFIER ::= { mgmt 1 }
+transmission OBJECT IDENTIFIER ::= { mib-2 10 }
+
+experimental OBJECT IDENTIFIER ::= { internet 3 }
+
+private OBJECT IDENTIFIER ::= { internet 4 }
+enterprises OBJECT IDENTIFIER ::= { private 1 }
+
+security OBJECT IDENTIFIER ::= { internet 5 }
+
+snmpV2 OBJECT IDENTIFIER ::= { internet 6 }
+
+-- transport domains
+snmpDomains OBJECT IDENTIFIER ::= { snmpV2 1 }
+
+-- transport proxies
+snmpProxys OBJECT IDENTIFIER ::= { snmpV2 2 }
+
+-- module identities
+snmpModules OBJECT IDENTIFIER ::= { snmpV2 3 }
+
+-- Extended UTCTime, to allow dates with four-digit years
+-- (Note that this definition of ExtUTCTime is not to be IMPORTed
+-- by MIB modules.)
+ExtUTCTime ::= OCTET STRING(SIZE(11 | 13))
+ -- format is YYMMDDHHMMZ or YYYYMMDDHHMMZ
+
+ -- where: YY - last two digits of year (only years
+ -- between 1900-1999)
+ -- YYYY - last four digits of the year (any year)
+ -- MM - month (01 through 12)
+ -- DD - day of month (01 through 31)
+ -- HH - hours (00 through 23)
+ -- MM - minutes (00 through 59)
+ -- Z - denotes GMT (the ASCII character Z)
+ --
+ -- For example, "9502192015Z" and "199502192015Z" represent
+ -- 8:15pm GMT on 19 February 1995. Years after 1999 must use
+ -- the four digit year format. Years 1900-1999 may use the
+ -- two or four digit format.
+
+-- definitions for information modules
+
+MODULE-IDENTITY MACRO ::=
+BEGIN
+ TYPE NOTATION ::=
+ "LAST-UPDATED" value(Update ExtUTCTime)
+ "ORGANIZATION" Text
+ "CONTACT-INFO" Text
+ "DESCRIPTION" Text
+ RevisionPart
+
+ VALUE NOTATION ::=
+ value(VALUE OBJECT IDENTIFIER)
+
+ RevisionPart ::=
+ Revisions
+ | empty
+ Revisions ::=
+ Revision
+ | Revisions Revision
+ Revision ::=
+ "REVISION" value(Update ExtUTCTime)
+ "DESCRIPTION" Text
+
+ -- a character string as defined in section 3.1.1
+ Text ::= value(IA5String)
+END
+
+OBJECT-IDENTITY MACRO ::=
+BEGIN
+ TYPE NOTATION ::=
+ "STATUS" Status
+ "DESCRIPTION" Text
+
+ ReferPart
+
+ VALUE NOTATION ::=
+ value(VALUE OBJECT IDENTIFIER)
+
+ Status ::=
+ "current"
+ | "deprecated"
+ | "obsolete"
+
+ ReferPart ::=
+ "REFERENCE" Text
+ | empty
+
+ -- a character string as defined in section 3.1.1
+ Text ::= value(IA5String)
+END
+
+-- names of objects
+-- (Note that these definitions of ObjectName and NotificationName
+-- are not to be IMPORTed by MIB modules.)
+
+ObjectName ::=
+ OBJECT IDENTIFIER
+
+NotificationName ::=
+ OBJECT IDENTIFIER
+
+-- syntax of objects
+
+-- the "base types" defined here are:
+-- 3 built-in ASN.1 types: INTEGER, OCTET STRING, OBJECT IDENTIFIER
+-- 8 application-defined types: Integer32, IpAddress, Counter32,
+-- Gauge32, Unsigned32, TimeTicks, Opaque, and Counter64
+
+ObjectSyntax ::=
+ CHOICE {
+ simple
+ SimpleSyntax,
+ -- note that SEQUENCEs for conceptual tables and
+ -- rows are not mentioned here...
+
+ application-wide
+ ApplicationSyntax
+ }
+
+-- built-in ASN.1 types
+
+SimpleSyntax ::=
+ CHOICE {
+ -- INTEGERs with a more restrictive range
+ -- may also be used
+ integer-value -- includes Integer32
+ INTEGER (-2147483648..2147483647),
+ -- OCTET STRINGs with a more restrictive size
+ -- may also be used
+ string-value
+ OCTET STRING (SIZE (0..65535)),
+ objectID-value
+ OBJECT IDENTIFIER
+ }
+
+-- indistinguishable from INTEGER, but never needs more than
+-- 32-bits for a two's complement representation
+Integer32 ::=
+ INTEGER (-2147483648..2147483647)
+
+-- application-wide types
+
+ApplicationSyntax ::=
+ CHOICE {
+ ipAddress-value
+ IpAddress,
+ counter-value
+ Counter32,
+ timeticks-value
+ TimeTicks,
+ arbitrary-value
+ Opaque,
+ big-counter-value
+ Counter64,
+ unsigned-integer-value -- includes Gauge32
+ Unsigned32
+ }
+
+-- in network-byte order
+
+-- (this is a tagged type for historical reasons)
+IpAddress ::=
+ [APPLICATION 0]
+ IMPLICIT OCTET STRING (SIZE (4))
+
+-- this wraps
+Counter32 ::=
+ [APPLICATION 1]
+ IMPLICIT INTEGER (0..4294967295)
+
+-- this doesn't wrap
+Gauge32 ::=
+ [APPLICATION 2]
+ IMPLICIT INTEGER (0..4294967295)
+
+-- an unsigned 32-bit quantity
+-- indistinguishable from Gauge32
+Unsigned32 ::=
+ [APPLICATION 2]
+ IMPLICIT INTEGER (0..4294967295)
+
+-- hundredths of seconds since an epoch
+TimeTicks ::=
+ [APPLICATION 3]
+ IMPLICIT INTEGER (0..4294967295)
+
+-- for backward-compatibility only
+Opaque ::=
+ [APPLICATION 4]
+ IMPLICIT OCTET STRING
+
+-- for counters that wrap in less than one hour with only 32 bits
+Counter64 ::=
+ [APPLICATION 6]
+ IMPLICIT INTEGER (0..18446744073709551615)
+
+-- definition for objects
+
+OBJECT-TYPE MACRO ::=
+BEGIN
+ TYPE NOTATION ::=
+ "SYNTAX" Syntax
+ UnitsPart
+ "MAX-ACCESS" Access
+ "STATUS" Status
+ "DESCRIPTION" Text
+ ReferPart
+
+ IndexPart
+ DefValPart
+
+ VALUE NOTATION ::=
+ value(VALUE ObjectName)
+
+ Syntax ::= -- Must be one of the following:
+ -- a base type (or its refinement),
+ -- a textual convention (or its refinement), or
+ -- a BITS pseudo-type
+ type
+ | "BITS" "{" NamedBits "}"
+
+ NamedBits ::= NamedBit
+ | NamedBits "," NamedBit
+
+ NamedBit ::= identifier "(" number ")" -- number is nonnegative
+
+ UnitsPart ::=
+ "UNITS" Text
+ | empty
+
+ Access ::=
+ "not-accessible"
+ | "accessible-for-notify"
+ | "read-only"
+ | "read-write"
+ | "read-create"
+
+ Status ::=
+ "current"
+ | "deprecated"
+ | "obsolete"
+
+ ReferPart ::=
+ "REFERENCE" Text
+ | empty
+
+ IndexPart ::=
+ "INDEX" "{" IndexTypes "}"
+ | "AUGMENTS" "{" Entry "}"
+ | empty
+ IndexTypes ::=
+ IndexType
+ | IndexTypes "," IndexType
+ IndexType ::=
+ "IMPLIED" Index
+ | Index
+
+ Index ::=
+ -- use the SYNTAX value of the
+ -- correspondent OBJECT-TYPE invocation
+ value(ObjectName)
+ Entry ::=
+ -- use the INDEX value of the
+ -- correspondent OBJECT-TYPE invocation
+ value(ObjectName)
+
+ DefValPart ::= "DEFVAL" "{" Defvalue "}"
+ | empty
+
+ Defvalue ::= -- must be valid for the type specified in
+ -- SYNTAX clause of same OBJECT-TYPE macro
+ value(ObjectSyntax)
+ | "{" BitsValue "}"
+
+ BitsValue ::= BitNames
+ | empty
+
+ BitNames ::= BitName
+ | BitNames "," BitName
+
+ BitName ::= identifier
+
+ -- a character string as defined in section 3.1.1
+ Text ::= value(IA5String)
+END
+
+-- definitions for notifications
+
+NOTIFICATION-TYPE MACRO ::=
+BEGIN
+ TYPE NOTATION ::=
+ ObjectsPart
+ "STATUS" Status
+ "DESCRIPTION" Text
+ ReferPart
+
+ VALUE NOTATION ::=
+ value(VALUE NotificationName)
+
+ ObjectsPart ::=
+ "OBJECTS" "{" Objects "}"
+ | empty
+ Objects ::=
+ Object
+
+ | Objects "," Object
+ Object ::=
+ value(ObjectName)
+
+ Status ::=
+ "current"
+ | "deprecated"
+ | "obsolete"
+
+ ReferPart ::=
+ "REFERENCE" Text
+ | empty
+
+ -- a character string as defined in section 3.1.1
+ Text ::= value(IA5String)
+END
+
+-- definitions of administrative identifiers
+
+zeroDotZero OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "A value used for null identifiers."
+ ::= { 0 0 }
+
+END
diff --git a/mibs/SNMPv2-TC.txt b/mibs/SNMPv2-TC.txt
new file mode 100644
index 000000000..860bf71ee
--- /dev/null
+++ b/mibs/SNMPv2-TC.txt
@@ -0,0 +1,772 @@ +SNMPv2-TC DEFINITIONS ::= BEGIN + +IMPORTS + TimeTicks FROM SNMPv2-SMI; + +-- definition of textual conventions + +TEXTUAL-CONVENTION MACRO ::= + +BEGIN + TYPE NOTATION ::= + DisplayPart + "STATUS" Status + "DESCRIPTION" Text + ReferPart + "SYNTAX" Syntax + + VALUE NOTATION ::= + value(VALUE Syntax) -- adapted ASN.1 + + DisplayPart ::= + "DISPLAY-HINT" Text + | empty + + Status ::= + "current" + | "deprecated" + | "obsolete" + + ReferPart ::= + "REFERENCE" Text + | empty + + -- a character string as defined in [2] + Text ::= value(IA5String) + + Syntax ::= -- Must be one of the following: + -- a base type (or its refinement), or + -- a BITS pseudo-type + type + | "BITS" "{" NamedBits "}" + + NamedBits ::= NamedBit + | NamedBits "," NamedBit + + NamedBit ::= identifier "(" number ")" -- number is nonnegative + +END + +DisplayString ::= TEXTUAL-CONVENTION + DISPLAY-HINT "255a" + STATUS current + DESCRIPTION + "Represents textual information taken from the NVT ASCII + + character set, as defined in pages 4, 10-11 of RFC 854. + + To summarize RFC 854, the NVT ASCII repertoire specifies: + + - the use of character codes 0-127 (decimal) + + - the graphics characters (32-126) are interpreted as + US ASCII + + - NUL, LF, CR, BEL, BS, HT, VT and FF have the special + meanings specified in RFC 854 + + - the other 25 codes have no standard interpretation + + - the sequence 'CR LF' means newline + + - the sequence 'CR NUL' means carriage-return + + - an 'LF' not preceded by a 'CR' means moving to the + same column on the next line. + + - the sequence 'CR x' for any x other than LF or NUL is + illegal. (Note that this also means that a string may + end with either 'CR LF' or 'CR NUL', but not with CR.) + + Any object defined using this syntax may not exceed 255 + characters in length." 
+ SYNTAX OCTET STRING (SIZE (0..255)) + +PhysAddress ::= TEXTUAL-CONVENTION + DISPLAY-HINT "1x:" + STATUS current + DESCRIPTION + "Represents media- or physical-level addresses." + SYNTAX OCTET STRING + +MacAddress ::= TEXTUAL-CONVENTION + DISPLAY-HINT "1x:" + STATUS current + DESCRIPTION + "Represents an 802 MAC address represented in the + `canonical' order defined by IEEE 802.1a, i.e., as if it + were transmitted least significant bit first, even though + 802.5 (in contrast to other 802.x protocols) requires MAC + addresses to be transmitted most significant bit first." + SYNTAX OCTET STRING (SIZE (6)) + +TruthValue ::= TEXTUAL-CONVENTION + STATUS current + DESCRIPTION + "Represents a boolean value." + SYNTAX INTEGER { true(1), false(2) } + +TestAndIncr ::= TEXTUAL-CONVENTION + STATUS current + DESCRIPTION + "Represents integer-valued information used for atomic + operations. When the management protocol is used to specify + that an object instance having this syntax is to be + modified, the new value supplied via the management protocol + must precisely match the value presently held by the + instance. If not, the management protocol set operation + fails with an error of `inconsistentValue'. Otherwise, if + the current value is the maximum value of 2^31-1 (2147483647 + decimal), then the value held by the instance is wrapped to + zero; otherwise, the value held by the instance is + incremented by one. (Note that regardless of whether the + management protocol set operation succeeds, the variable- + binding in the request and response PDUs are identical.) + + The value of the ACCESS clause for objects having this + syntax is either `read-write' or `read-create'. When an + instance of a columnar object having this syntax is created, + any value may be supplied via the management protocol. 
+ + When the network management portion of the system is re- + initialized, the value of every object instance having this + syntax must either be incremented from its value prior to + the re-initialization, or (if the value prior to the re- + initialization is unknown) be set to a pseudo-randomly + generated value." + SYNTAX INTEGER (0..2147483647) + +AutonomousType ::= TEXTUAL-CONVENTION + STATUS current + DESCRIPTION + "Represents an independently extensible type identification + value. It may, for example, indicate a particular sub-tree + with further MIB definitions, or define a particular type of + protocol or hardware." + SYNTAX OBJECT IDENTIFIER + +InstancePointer ::= TEXTUAL-CONVENTION + STATUS obsolete + DESCRIPTION + "A pointer to either a specific instance of a MIB object or + a conceptual row of a MIB table in the managed device. In + the latter case, by convention, it is the name of the + particular instance of the first accessible columnar object + in the conceptual row. + + The two uses of this textual convention are replaced by + VariablePointer and RowPointer, respectively." + SYNTAX OBJECT IDENTIFIER + +VariablePointer ::= TEXTUAL-CONVENTION + STATUS current + DESCRIPTION + "A pointer to a specific object instance. For example, + sysContact.0 or ifInOctets.3." + SYNTAX OBJECT IDENTIFIER + +RowPointer ::= TEXTUAL-CONVENTION + STATUS current + DESCRIPTION + "Represents a pointer to a conceptual row. The value is the + name of the instance of the first accessible columnar object + in the conceptual row. + + For example, ifIndex.3 would point to the 3rd row in the + ifTable (note that if ifIndex were not-accessible, then + ifDescr.3 would be used instead)." 
+ SYNTAX OBJECT IDENTIFIER + +RowStatus ::= TEXTUAL-CONVENTION + STATUS current + DESCRIPTION + "The RowStatus textual convention is used to manage the + creation and deletion of conceptual rows, and is used as the + value of the SYNTAX clause for the status column of a + conceptual row (as described in Section 7.7.1 of [2].) + + The status column has six defined values: + + - `active', which indicates that the conceptual row is + available for use by the managed device; + + - `notInService', which indicates that the conceptual + row exists in the agent, but is unavailable for use by + the managed device (see NOTE below); 'notInService' has + no implication regarding the internal consistency of + the row, availability of resources, or consistency with + the current state of the managed device; + + - `notReady', which indicates that the conceptual row + exists in the agent, but is missing information + necessary in order to be available for use by the + managed device (i.e., one or more required columns in + the conceptual row have not been instanciated); + + - `createAndGo', which is supplied by a management + station wishing to create a new instance of a + conceptual row and to have its status automatically set + to active, making it available for use by the managed + device; + + - `createAndWait', which is supplied by a management + station wishing to create a new instance of a + conceptual row (but not make it available for use by + the managed device); and, + - `destroy', which is supplied by a management station + wishing to delete all of the instances associated with + an existing conceptual row. + + Whereas five of the six values (all except `notReady') may + be specified in a management protocol set operation, only + three values will be returned in response to a management + protocol retrieval operation: `notReady', `notInService' or + `active'. 
That is, when queried, an existing conceptual row + has only three states: it is either available for use by + the managed device (the status column has value `active'); + it is not available for use by the managed device, though + the agent has sufficient information to attempt to make it + so (the status column has value `notInService'); or, it is + not available for use by the managed device, and an attempt + to make it so would fail because the agent has insufficient + information (the state column has value `notReady'). + + NOTE WELL + + This textual convention may be used for a MIB table, + irrespective of whether the values of that table's + conceptual rows are able to be modified while it is + active, or whether its conceptual rows must be taken + out of service in order to be modified. That is, it is + the responsibility of the DESCRIPTION clause of the + status column to specify whether the status column must + not be `active' in order for the value of some other + column of the same conceptual row to be modified. If + such a specification is made, affected columns may be + changed by an SNMP set PDU if the RowStatus would not + be equal to `active' either immediately before or after + processing the PDU. In other words, if the PDU also + contained a varbind that would change the RowStatus + value, the column in question may be changed if the + RowStatus was not equal to `active' as the PDU was + received, or if the varbind sets the status to a value + other than 'active'. + + Also note that whenever any elements of a row exist, the + RowStatus column must also exist. 
+ + To summarize the effect of having a conceptual row with a + status column having a SYNTAX clause value of RowStatus, + consider the following state diagram: + + STATE + +--------------+-----------+-------------+------------- + | A | B | C | D + | |status col.|status column| + |status column | is | is |status column + ACTION |does not exist| notReady | notInService| is active +--------------+--------------+-----------+-------------+------------- +set status |noError ->D|inconsist- |inconsistent-|inconsistent- +column to | or | entValue| Value| Value +createAndGo |inconsistent- | | | + | Value| | | +--------------+--------------+-----------+-------------+------------- +set status |noError see 1|inconsist- |inconsistent-|inconsistent- +column to | or | entValue| Value| Value +createAndWait |wrongValue | | | +--------------+--------------+-----------+-------------+------------- +set status |inconsistent- |inconsist- |noError |noError +column to | Value| entValue| | +active | | | | + | | or | | + | | | | + | |see 2 ->D|see 8 ->D| ->D +--------------+--------------+-----------+-------------+------------- +set status |inconsistent- |inconsist- |noError |noError ->C +column to | Value| entValue| | +notInService | | | | + | | or | | or + | | | | + | |see 3 ->C| ->C|see 6 +--------------+--------------+-----------+-------------+------------- +set status |noError |noError |noError |noError ->A +column to | | | | or +destroy | ->A| ->A| ->A|see 7 +--------------+--------------+-----------+-------------+------------- +set any other |see 4 |noError |noError |see 5 +column to some| | | | +value | | see 1| ->C| ->D +--------------+--------------+-----------+-------------+------------- + + (1) goto B or C, depending on information available to the + agent. + + (2) if other variable bindings included in the same PDU, + provide values for all columns which are missing but + required, and all columns have acceptable values, then + return noError and goto D. 
+ + (3) if other variable bindings included in the same PDU, + provide legal values for all columns which are missing but + required, then return noError and goto C. + + (4) at the discretion of the agent, the return value may be + either: + + inconsistentName: because the agent does not choose to + create such an instance when the corresponding + RowStatus instance does not exist, or + + inconsistentValue: if the supplied value is + inconsistent with the state of some other MIB object's + value, or + + noError: because the agent chooses to create the + instance. + + If noError is returned, then the instance of the status + column must also be created, and the new state is B or C, + depending on the information available to the agent. If + inconsistentName or inconsistentValue is returned, the row + remains in state A. + + (5) depending on the MIB definition for the column/table, + either noError or inconsistentValue may be returned. + + (6) the return value can indicate one of the following + errors: + + wrongValue: because the agent does not support + notInService (e.g., an agent which does not support + createAndWait), or + + inconsistentValue: because the agent is unable to take + the row out of service at this time, perhaps because it + is in use and cannot be de-activated. + + (7) the return value can indicate the following error: + + inconsistentValue: because the agent is unable to + remove the row at this time, perhaps because it is in + use and cannot be de-activated. + + (8) the transition to D can fail, e.g., if the values of the + conceptual row are inconsistent, then the error code would + be inconsistentValue. + + NOTE: Other processing of (this and other varbinds of) the + set request may result in a response other than noError + being returned, e.g., wrongValue, noCreation, etc. 
+ + Conceptual Row Creation + + There are four potential interactions when creating a + conceptual row: selecting an instance-identifier which is + not in use; creating the conceptual row; initializing any + objects for which the agent does not supply a default; and, + making the conceptual row available for use by the managed + device. + + Interaction 1: Selecting an Instance-Identifier + + The algorithm used to select an instance-identifier varies + for each conceptual row. In some cases, the instance- + identifier is semantically significant, e.g., the + destination address of a route, and a management station + selects the instance-identifier according to the semantics. + + In other cases, the instance-identifier is used solely to + distinguish conceptual rows, and a management station + without specific knowledge of the conceptual row might + examine the instances present in order to determine an + unused instance-identifier. (This approach may be used, but + it is often highly sub-optimal; however, it is also a + questionable practice for a naive management station to + attempt conceptual row creation.) + + Alternately, the MIB module which defines the conceptual row + might provide one or more objects which provide assistance + in determining an unused instance-identifier. For example, + if the conceptual row is indexed by an integer-value, then + an object having an integer-valued SYNTAX clause might be + defined for such a purpose, allowing a management station to + issue a management protocol retrieval operation. In order + to avoid unnecessary collisions between competing management + stations, `adjacent' retrievals of this object should be + different. + + Finally, the management station could select a pseudo-random + number to use as the index. 
In the event that this index + + was already in use and an inconsistentValue was returned in + response to the management protocol set operation, the + management station should simply select a new pseudo-random + number and retry the operation. + + A MIB designer should choose between the two latter + algorithms based on the size of the table (and therefore the + efficiency of each algorithm). For tables in which a large + number of entries are expected, it is recommended that a MIB + object be defined that returns an acceptable index for + creation. For tables with small numbers of entries, it is + recommended that the latter pseudo-random index mechanism be + used. + + Interaction 2: Creating the Conceptual Row + + Once an unused instance-identifier has been selected, the + management station determines if it wishes to create and + activate the conceptual row in one transaction or in a + negotiated set of interactions. + + Interaction 2a: Creating and Activating the Conceptual Row + + The management station must first determine the column + requirements, i.e., it must determine those columns for + which it must or must not provide values. Depending on the + complexity of the table and the management station's + knowledge of the agent's capabilities, this determination + can be made locally by the management station. Alternately, + the management station issues a management protocol get + operation to examine all columns in the conceptual row that + it wishes to create. In response, for each column, there + are three possible outcomes: + + - a value is returned, indicating that some other + management station has already created this conceptual + row. We return to interaction 1. + + - the exception `noSuchInstance' is returned, + indicating that the agent implements the object-type + associated with this column, and that this column in at + least one conceptual row would be accessible in the MIB + view used by the retrieval were it to exist. 
For those + columns to which the agent provides read-create access, + the `noSuchInstance' exception tells the management + station that it should supply a value for this column + when the conceptual row is to be created. + + - the exception `noSuchObject' is returned, indicating + that the agent does not implement the object-type + associated with this column or that there is no + conceptual row for which this column would be + accessible in the MIB view used by the retrieval. As + such, the management station can not issue any + management protocol set operations to create an + instance of this column. + + Once the column requirements have been determined, a + management protocol set operation is accordingly issued. + This operation also sets the new instance of the status + column to `createAndGo'. + + When the agent processes the set operation, it verifies that + it has sufficient information to make the conceptual row + available for use by the managed device. The information + available to the agent is provided by two sources: the + management protocol set operation which creates the + conceptual row, and, implementation-specific defaults + supplied by the agent (note that an agent must provide + implementation-specific defaults for at least those objects + which it implements as read-only). If there is sufficient + information available, then the conceptual row is created, a + `noError' response is returned, the status column is set to + `active', and no further interactions are necessary (i.e., + interactions 3 and 4 are skipped). If there is insufficient + information, then the conceptual row is not created, and the + set operation fails with an error of `inconsistentValue'. + On this error, the management station can issue a management + protocol retrieval operation to determine if this was + because it failed to specify a value for a required column, + or, because the selected instance of the status column + already existed. 
In the latter case, we return to + interaction 1. In the former case, the management station + can re-issue the set operation with the additional + information, or begin interaction 2 again using + `createAndWait' in order to negotiate creation of the + conceptual row. + + NOTE WELL + + Regardless of the method used to determine the column + requirements, it is possible that the management + station might deem a column necessary when, in fact, + the agent will not allow that particular columnar + instance to be created or written. In this case, the + management protocol set operation will fail with an + error such as `noCreation' or `notWritable'. In this + case, the management station decides whether it needs + to be able to set a value for that particular columnar + instance. If not, the management station re-issues the + management protocol set operation, but without setting + a value for that particular columnar instance; + otherwise, the management station aborts the row + creation algorithm. + + Interaction 2b: Negotiating the Creation of the Conceptual + Row + + The management station issues a management protocol set + operation which sets the desired instance of the status + column to `createAndWait'. If the agent is unwilling to + process a request of this sort, the set operation fails with + an error of `wrongValue'. (As a consequence, such an agent + must be prepared to accept a single management protocol set + operation, i.e., interaction 2a above, containing all of the + columns indicated by its column requirements.) Otherwise, + the conceptual row is created, a `noError' response is + returned, and the status column is immediately set to either + `notInService' or `notReady', depending on whether it has + sufficient information to (attempt to) make the conceptual + row available for use by the managed device. 
If there is + sufficient information available, then the status column is + set to `notInService'; otherwise, if there is insufficient + information, then the status column is set to `notReady'. + Regardless, we proceed to interaction 3. + + Interaction 3: Initializing non-defaulted Objects + + The management station must now determine the column + requirements. It issues a management protocol get operation + to examine all columns in the created conceptual row. In + the response, for each column, there are three possible + outcomes: + + - a value is returned, indicating that the agent + implements the object-type associated with this column + and had sufficient information to provide a value. For + those columns to which the agent provides read-create + access (and for which the agent allows their values to + be changed after their creation), a value return tells + the management station that it may issue additional + management protocol set operations, if it desires, in + order to change the value associated with this column. + + - the exception `noSuchInstance' is returned, + indicating that the agent implements the object-type + associated with this column, and that this column in at + least one conceptual row would be accessible in the MIB + view used by the retrieval were it to exist. However, + the agent does not have sufficient information to + provide a value, and until a value is provided, the + conceptual row may not be made available for use by the + managed device. For those columns to which the agent + provides read-create access, the `noSuchInstance' + exception tells the management station that it must + issue additional management protocol set operations, in + order to provide a value associated with this column. 
+ + - the exception `noSuchObject' is returned, indicating + that the agent does not implement the object-type + associated with this column or that there is no + conceptual row for which this column would be + accessible in the MIB view used by the retrieval. As + such, the management station can not issue any + management protocol set operations to create an + instance of this column. + + If the value associated with the status column is + `notReady', then the management station must first deal with + all `noSuchInstance' columns, if any. Having done so, the + value of the status column becomes `notInService', and we + proceed to interaction 4. + + Interaction 4: Making the Conceptual Row Available + + Once the management station is satisfied with the values + associated with the columns of the conceptual row, it issues + a management protocol set operation to set the status column + to `active'. If the agent has sufficient information to + make the conceptual row available for use by the managed + device, the management protocol set operation succeeds (a + `noError' response is returned). Otherwise, the management + protocol set operation fails with an error of + `inconsistentValue'. + + NOTE WELL + + A conceptual row having a status column with value + `notInService' or `notReady' is unavailable to the + managed device. As such, it is possible for the + managed device to create its own instances during the + time between the management protocol set operation + which sets the status column to `createAndWait' and the + management protocol set operation which sets the status + column to `active'. In this case, when the management + protocol set operation is issued to set the status + column to `active', the values held in the agent + supersede those used by the managed device. 
+ + If the management station is prevented from setting the + status column to `active' (e.g., due to management station + or network failure) the conceptual row will be left in the + `notInService' or `notReady' state, consuming resources + indefinitely. The agent must detect conceptual rows that + have been in either state for an abnormally long period of + time and remove them. It is the responsibility of the + DESCRIPTION clause of the status column to indicate what an + abnormally long period of time would be. This period of + time should be long enough to allow for human response time + (including `think time') between the creation of the + conceptual row and the setting of the status to `active'. + In the absence of such information in the DESCRIPTION + clause, it is suggested that this period be approximately 5 + minutes in length. This removal action applies not only to + newly-created rows, but also to previously active rows which + are set to, and left in, the notInService state for a + prolonged period exceeding that which is considered normal + for such a conceptual row. + + Conceptual Row Suspension + + When a conceptual row is `active', the management station + may issue a management protocol set operation which sets the + instance of the status column to `notInService'. If the + agent is unwilling to do so, the set operation fails with an + error of `wrongValue' or `inconsistentValue'. Otherwise, + the conceptual row is taken out of service, and a `noError' + response is returned. It is the responsibility of the + DESCRIPTION clause of the status column to indicate under + what circumstances the status column should be taken out of + service (e.g., in order for the value of some other column + of the same conceptual row to be modified). + + Conceptual Row Deletion + + For deletion of conceptual rows, a management protocol set + operation is issued which sets the instance of the status + column to `destroy'. 
This request may be made regardless of + the current value of the status column (e.g., it is possible + to delete conceptual rows which are either `notReady', + `notInService' or `active'.) If the operation succeeds, + then all instances associated with the conceptual row are + immediately removed." + SYNTAX INTEGER { + -- the following two values are states: + -- these values may be read or written + active(1), + notInService(2), + -- the following value is a state: + -- this value may be read, but not written + notReady(3), + -- the following three values are + -- actions: these values may be written, + -- but are never read + createAndGo(4), + createAndWait(5), + destroy(6) + } + +TimeStamp ::= TEXTUAL-CONVENTION + STATUS current + DESCRIPTION + "The value of the sysUpTime object at which a specific + occurrence happened. The specific occurrence must be + + defined in the description of any object defined using this + type. + + If sysUpTime is reset to zero as a result of a re- + initialization of the network management (sub)system, then + the values of all TimeStamp objects are also reset. + However, after approximately 497 days without a re- + initialization, the sysUpTime object will reach 2^^32-1 and + then increment around to zero; in this case, existing values + of TimeStamp objects do not change. This can lead to + ambiguities in the value of TimeStamp objects." + SYNTAX TimeTicks + +TimeInterval ::= TEXTUAL-CONVENTION + STATUS current + DESCRIPTION + "A period of time, measured in units of 0.01 seconds." + SYNTAX INTEGER (0..2147483647) + +DateAndTime ::= TEXTUAL-CONVENTION + DISPLAY-HINT "2d-1d-1d,1d:1d:1d.1d,1a1d:1d" + STATUS current + DESCRIPTION + "A date-time specification. 
+ + field octets contents range + ----- ------ -------- ----- + 1 1-2 year* 0..65536 + 2 3 month 1..12 + 3 4 day 1..31 + 4 5 hour 0..23 + 5 6 minutes 0..59 + 6 7 seconds 0..60 + (use 60 for leap-second) + 7 8 deci-seconds 0..9 + 8 9 direction from UTC '+' / '-' + 9 10 hours from UTC* 0..13 + 10 11 minutes from UTC 0..59 + + * Notes: + - the value of year is in network-byte order + - daylight saving time in New Zealand is +13 + + For example, Tuesday May 26, 1992 at 1:30:15 PM EDT would be + displayed as: + + 1992-5-26,13:30:15.0,-4:0 + + Note that if only local time is known, then timezone + information (fields 8-10) is not present." + SYNTAX OCTET STRING (SIZE (8 | 11)) + +StorageType ::= TEXTUAL-CONVENTION + STATUS current + DESCRIPTION + "Describes the memory realization of a conceptual row. A + row which is volatile(2) is lost upon reboot. A row which + is either nonVolatile(3), permanent(4) or readOnly(5), is + backed up by stable storage. A row which is permanent(4) + can be changed but not deleted. A row which is readOnly(5) + cannot be changed nor deleted. + + If the value of an object with this syntax is either + permanent(4) or readOnly(5), it cannot be written. + Conversely, if the value is either other(1), volatile(2) or + nonVolatile(3), it cannot be modified to be permanent(4) or + readOnly(5). (All illegal modifications result in a + 'wrongValue' error.) + + Every usage of this textual convention is required to + specify the columnar objects which a permanent(4) row must + at a minimum allow to be writable." + SYNTAX INTEGER { + other(1), -- eh? + volatile(2), -- e.g., in RAM + nonVolatile(3), -- e.g., in NVRAM + permanent(4), -- e.g., partially in ROM + readOnly(5) -- e.g., completely in ROM + } + +TDomain ::= TEXTUAL-CONVENTION + STATUS current + DESCRIPTION + "Denotes a kind of transport service. + + Some possible values, such as snmpUDPDomain, are defined in + the SNMPv2-TM MIB module. Other possible values are defined + in other MIB modules." 
+ REFERENCE "The SNMPv2-TM MIB module is defined in RFC 1906." + SYNTAX OBJECT IDENTIFIER + +TAddress ::= TEXTUAL-CONVENTION + STATUS current + DESCRIPTION + "Denotes a transport service address. + + A TAddress value is always interpreted within the context of a + TDomain value. Thus, each definition of a TDomain value must + be accompanied by a definition of a textual convention for use + with that TDomain. Some possible textual conventions, such as + SnmpUDPAddress for snmpUDPDomain, are defined in the SNMPv2-TM + MIB module. Other possible textual conventions are defined in + other MIB modules." + REFERENCE "The SNMPv2-TM MIB module is defined in RFC 1906." + SYNTAX OCTET STRING (SIZE (1..255)) + +END diff --git a/mibs/SNMPv2-TM.txt b/mibs/SNMPv2-TM.txt new file mode 100644 index 000000000..949f99c7e --- /dev/null +++ b/mibs/SNMPv2-TM.txt 
@@ -0,0 +1,176 @@ +SNMPv2-TM DEFINITIONS ::= BEGIN + +IMPORTS + MODULE-IDENTITY, OBJECT-IDENTITY, + snmpModules, snmpDomains, snmpProxys + FROM SNMPv2-SMI + TEXTUAL-CONVENTION + FROM SNMPv2-TC; + +snmpv2tm MODULE-IDENTITY + LAST-UPDATED "200210160000Z" + ORGANIZATION "IETF SNMPv3 Working Group" + CONTACT-INFO + "WG-EMail: snmpv3@lists.tislabs.com + Subscribe: snmpv3-request@lists.tislabs.com + + Co-Chair: Russ Mundy + Network Associates Laboratories + postal: 15204 Omega Drive, Suite 300 + Rockville, MD 20850-4601 + USA + EMail: mundy@tislabs.com + phone: +1 301 947-7107 + + Co-Chair: David Harrington + Enterasys Networks + postal: 35 Industrial Way + P. O. Box 5005 + Rochester, NH 03866-5005 + USA + EMail: dbh@enterasys.com + phone: +1 603 337-2614 + + Editor: Randy Presuhn + BMC Software, Inc. + postal: 2141 North First Street + San Jose, CA 95131 + USA + EMail: randy_presuhn@bmc.com + phone: +1 408 546-1006" + DESCRIPTION + "The MIB module for SNMP transport mappings. + + Copyright (C) The Internet Society (2002). This + version of this MIB module is part of RFC 3417; + see the RFC itself for full legal notices. + " + REVISION "200210160000Z" + DESCRIPTION + "Clarifications, published as RFC 3417." + REVISION "199601010000Z" + DESCRIPTION + "Clarifications, published as RFC 1906." + REVISION "199304010000Z" + DESCRIPTION + "The initial version, published as RFC 1449." + ::= { snmpModules 19 } + +-- SNMP over UDP over IPv4 + +snmpUDPDomain OBJECT-IDENTITY + STATUS current + DESCRIPTION + "The SNMP over UDP over IPv4 transport domain. + The corresponding transport address is of type + SnmpUDPAddress." 
+ ::= { snmpDomains 1 } + +SnmpUDPAddress ::= TEXTUAL-CONVENTION + DISPLAY-HINT "1d.1d.1d.1d/2d" + STATUS current + DESCRIPTION + "Represents a UDP over IPv4 address: + + octets contents encoding + 1-4 IP-address network-byte order + 5-6 UDP-port network-byte order + " + SYNTAX OCTET STRING (SIZE (6)) + +-- SNMP over OSI + +snmpCLNSDomain OBJECT-IDENTITY + STATUS current + DESCRIPTION + "The SNMP over CLNS transport domain. + The corresponding transport address is of type + SnmpOSIAddress." + ::= { snmpDomains 2 } + +snmpCONSDomain OBJECT-IDENTITY + STATUS current + DESCRIPTION + "The SNMP over CONS transport domain. + The corresponding transport address is of type + SnmpOSIAddress." + ::= { snmpDomains 3 } + +SnmpOSIAddress ::= TEXTUAL-CONVENTION + DISPLAY-HINT "*1x:/1x:" + STATUS current + DESCRIPTION + "Represents an OSI transport-address: + + octets contents encoding + 1 length of NSAP 'n' as an unsigned-integer + (either 0 or from 3 to 20) + 2..(n+1) NSAP concrete binary representation + (n+2)..m TSEL string of (up to 64) octets + " + SYNTAX OCTET STRING (SIZE (1 | 4..85)) + +-- SNMP over DDP + +snmpDDPDomain OBJECT-IDENTITY + STATUS current + DESCRIPTION + "The SNMP over DDP transport domain. The corresponding + transport address is of type SnmpNBPAddress." + ::= { snmpDomains 4 } + +SnmpNBPAddress ::= TEXTUAL-CONVENTION + STATUS current + DESCRIPTION + "Represents an NBP name: + + octets contents encoding + 1 length of object 'n' as an unsigned integer + 2..(n+1) object string of (up to 32) octets + n+2 length of type 'p' as an unsigned integer + (n+3)..(n+2+p) type string of (up to 32) octets + n+3+p length of zone 'q' as an unsigned integer + (n+4+p)..(n+3+p+q) zone string of (up to 32) octets + + For comparison purposes, strings are + case-insensitive. All strings may contain any octet + other than 255 (hex ff)." 
+ SYNTAX OCTET STRING (SIZE (3..99)) + +-- SNMP over IPX + +snmpIPXDomain OBJECT-IDENTITY + STATUS current + DESCRIPTION + "The SNMP over IPX transport domain. The corresponding + transport address is of type SnmpIPXAddress." + ::= { snmpDomains 5 } + +SnmpIPXAddress ::= TEXTUAL-CONVENTION + DISPLAY-HINT "4x.1x:1x:1x:1x:1x:1x.2d" + STATUS current + DESCRIPTION + "Represents an IPX address: + + octets contents encoding + 1-4 network-number network-byte order + 5-10 physical-address network-byte order + 11-12 socket-number network-byte order + " + SYNTAX OCTET STRING (SIZE (12)) + +-- for proxy to SNMPv1 (RFC 1157) + +rfc1157Proxy OBJECT IDENTIFIER ::= { snmpProxys 1 } + +rfc1157Domain OBJECT-IDENTITY + STATUS deprecated + DESCRIPTION + "The transport domain for SNMPv1 over UDP over IPv4. + The corresponding transport address is of type + SnmpUDPAddress." + ::= { rfc1157Proxy 1 } + +-- ::= { rfc1157Proxy 2 } this OID is obsolete + +END diff --git a/mibs/SOURCE-ROUTING-MIB.txt b/mibs/SOURCE-ROUTING-MIB.txt new file mode 100644 index 000000000..988b1b0e8 --- /dev/null +++ b/mibs/SOURCE-ROUTING-MIB.txt 
@@ -0,0 +1,452 @@ +SOURCE-ROUTING-MIB DEFINITIONS ::= BEGIN + +IMPORTS + Counter, Gauge + FROM RFC1155-SMI + dot1dBridge, dot1dSr + FROM BRIDGE-MIB + OBJECT-TYPE + FROM RFC-1212; + +-- groups in the SR MIB + +-- dot1dSr is imported from the Bridge MIB + +dot1dPortPair OBJECT IDENTIFIER ::= { dot1dBridge 10 } + +-- the dot1dSr group + +-- this group is implemented by those bridges that +-- support the source route bridging mode, including Source +-- Routing and SRT bridges. + +dot1dSrPortTable OBJECT-TYPE + SYNTAX SEQUENCE OF Dot1dSrPortEntry + ACCESS not-accessible + STATUS mandatory + DESCRIPTION + "A table that contains information about every + port that is associated with this source route + bridge." + ::= { dot1dSr 1 } + +dot1dSrPortEntry OBJECT-TYPE + SYNTAX Dot1dSrPortEntry + ACCESS not-accessible + STATUS mandatory + DESCRIPTION + "A list of information for each port of a source + route bridge." + INDEX { dot1dSrPort } + + ::= { dot1dSrPortTable 1 } + +Dot1dSrPortEntry ::= + SEQUENCE { + dot1dSrPort + INTEGER, + dot1dSrPortHopCount + INTEGER, + dot1dSrPortLocalSegment + INTEGER, + dot1dSrPortBridgeNum + INTEGER, + dot1dSrPortTargetSegment + INTEGER, + dot1dSrPortLargestFrame + INTEGER, + dot1dSrPortSTESpanMode + INTEGER, + dot1dSrPortSpecInFrames + Counter, + dot1dSrPortSpecOutFrames + Counter, + dot1dSrPortApeInFrames + Counter, + dot1dSrPortApeOutFrames + Counter, + dot1dSrPortSteInFrames + Counter, + dot1dSrPortSteOutFrames + Counter, + dot1dSrPortSegmentMismatchDiscards + Counter, + dot1dSrPortDuplicateSegmentDiscards + Counter, + dot1dSrPortHopCountExceededDiscards + Counter, + dot1dSrPortDupLanIdOrTreeErrors + Counter, + dot1dSrPortLanIdMismatches + Counter + } + +dot1dSrPort OBJECT-TYPE + SYNTAX INTEGER (1..65535) + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The port number of the port for which this entry + + contains Source Route management information." 
+ ::= { dot1dSrPortEntry 1 } + +dot1dSrPortHopCount OBJECT-TYPE + SYNTAX INTEGER + ACCESS read-write + STATUS mandatory + DESCRIPTION + "The maximum number of routing descriptors allowed + in an All Paths or Spanning Tree Explorer frames." + ::= { dot1dSrPortEntry 2 } + +dot1dSrPortLocalSegment OBJECT-TYPE + SYNTAX INTEGER + ACCESS read-write + STATUS mandatory + DESCRIPTION + "The segment number that uniquely identifies the + segment to which this port is connected. Current + source routing protocols limit this value to the + range: 0 through 4095. (The value 0 is used by + some management applications for special test + cases.) A value of 65535 signifies that no segment + number is assigned to this port." + ::= { dot1dSrPortEntry 3 } + +dot1dSrPortBridgeNum OBJECT-TYPE + SYNTAX INTEGER + ACCESS read-write + STATUS mandatory + DESCRIPTION + "A bridge number uniquely identifies a bridge when + more than one bridge is used to span the same two + segments. Current source routing protocols limit + this value to the range: 0 through 15. A value of + 65535 signifies that no bridge number is assigned + to this bridge." + ::= { dot1dSrPortEntry 4 } + +dot1dSrPortTargetSegment OBJECT-TYPE + SYNTAX INTEGER + ACCESS read-write + STATUS mandatory + DESCRIPTION + "The segment number that corresponds to the target + segment this port is considered to be connected to + by the bridge. Current source routing protocols + limit this value to the range: 0 through 4095. + + (The value 0 is used by some management + applications for special test cases.) A value of + 65535 signifies that no target segment is assigned + to this port." + ::= { dot1dSrPortEntry 5 } + +-- It would be nice if we could use ifMtu as the size of the +-- largest frame, but we can't because ifMtu is defined to be +-- the size that the (inter-)network layer can use which can +-- differ from the MAC layer (especially if several layers of +-- encapsulation are used). 
+ +dot1dSrPortLargestFrame OBJECT-TYPE + SYNTAX INTEGER + ACCESS read-write + STATUS mandatory + DESCRIPTION + "The maximum size of the INFO field (LLC and + above) that this port can send/receive. It does + not include any MAC level (framing) octets. The + value of this object is used by this bridge to + determine whether a modification of the + LargestFrame (LF, see [14]) field of the Routing + Control field of the Routing Information Field is + necessary. + + 64 valid values are defined by the IEEE 802.5M SRT + Addendum: 516, 635, 754, 873, 993, 1112, 1231, + 1350, 1470, 1542, 1615, 1688, 1761, 1833, 1906, + 1979, 2052, 2345, 2638, 2932, 3225, 3518, 3812, + 4105, 4399, 4865, 5331, 5798, 6264, 6730, 7197, + 7663, 8130, 8539, 8949, 9358, 9768, 10178, 10587, + 10997, 11407, 12199, 12992, 13785, 14578, 15370, + 16163, 16956, 17749, 20730, 23711, 26693, 29674, + 32655, 35637, 38618, 41600, 44591, 47583, 50575, + 53567, 56559, 59551, and 65535. + + An illegal value will not be accepted by the + bridge." + ::= { dot1dSrPortEntry 6 } + +dot1dSrPortSTESpanMode OBJECT-TYPE + SYNTAX INTEGER { + auto-span(1), + disabled(2), + forced(3) + } + ACCESS read-write + STATUS mandatory + DESCRIPTION + "Determines how this port behaves when presented + with a Spanning Tree Explorer frame. The value + 'disabled(2)' indicates that the port will not + accept or send Spanning Tree Explorer packets; any + STE packets received will be silently discarded. + The value 'forced(3)' indicates the port will + always accept and propagate Spanning Tree Explorer + frames. This allows a manually configured + Spanning Tree for this class of packet to be + configured. Note that unlike transparent + bridging, this is not catastrophic to the network + if there are loops. The value 'auto-span(1)' can + only be returned by a bridge that both implements + the Spanning Tree Protocol and has use of the + protocol enabled on this port. 
The behavior of the + port for Spanning Tree Explorer frames is + determined by the state of dot1dStpPortState. If + the port is in the 'forwarding' state, the frame + will be accepted or propagated. Otherwise, it + will be silently discarded." + ::= { dot1dSrPortEntry 7 } + +dot1dSrPortSpecInFrames OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The number of Specifically Routed frames, also + referred to as Source Routed Frames, that have + been received from this port's segment." + ::= { dot1dSrPortEntry 8 } + +dot1dSrPortSpecOutFrames OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The number of Specifically Routed frames, also + referred to as Source Routed Frames, that this + port has transmitted on its segment." + ::= { dot1dSrPortEntry 9 } + +dot1dSrPortApeInFrames OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The number of All Paths Explorer frames, also + referred to as All Routes Explorer frames, that + have been received by this port from its segment." + ::= { dot1dSrPortEntry 10 } + +dot1dSrPortApeOutFrames OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The number of all Paths Explorer Frames, also + referred to as All Routes Explorer frames, that + have been transmitted by this port on its + segment." + ::= { dot1dSrPortEntry 11 } + +dot1dSrPortSteInFrames OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The number of spanning tree explorer frames that + have been received by this port from its segment." + ::= { dot1dSrPortEntry 12 } + +dot1dSrPortSteOutFrames OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The number of spanning tree explorer frames that + have been transmitted by this port on its + segment." 
+ ::= { dot1dSrPortEntry 13 } + +dot1dSrPortSegmentMismatchDiscards OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The number of explorer frames that have been + discarded by this port because the routing + descriptor field contained an invalid adjacent + segment value." + ::= { dot1dSrPortEntry 14 } + +dot1dSrPortDuplicateSegmentDiscards OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The number of frames that have been discarded by + this port because the routing descriptor field + contained a duplicate segment identifier." + ::= { dot1dSrPortEntry 15 } + +dot1dSrPortHopCountExceededDiscards OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The number of explorer frames that have been + discarded by this port because the Routing + Information Field has exceeded the maximum route + descriptor length." + ::= { dot1dSrPortEntry 16 } + +dot1dSrPortDupLanIdOrTreeErrors OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The number of duplicate LAN IDs or Tree errors. + This helps in detection of problems in networks + containing older IBM Source Routing Bridges." + ::= { dot1dSrPortEntry 17 } + +dot1dSrPortLanIdMismatches OBJECT-TYPE + SYNTAX Counter + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The number of ARE and STE frames that were + discarded because the last LAN ID in the routing + information field did not equal the LAN-in ID. + This error can occur in implementations which do + only a LAN-in ID and Bridge Number check instead + of a LAN-in ID, Bridge Number, and LAN-out ID + check before they forward broadcast frames." 
+ ::= { dot1dSrPortEntry 18 } + +-- scalar object in dot1dSr + +dot1dSrBridgeLfMode OBJECT-TYPE + SYNTAX INTEGER { + mode3(1), + mode6(2) + } + ACCESS read-write + STATUS mandatory + DESCRIPTION + "Indicates whether the bridge operates using older + 3 bit length negotiation fields or the newer 6 bit + length field in its RIF." + ::= { dot1dSr 2 } + +-- The Port-Pair Database + +-- Implementation of this group is optional. + +-- This group is implemented by those bridges that support +-- the direct multiport model of the source route bridging +-- mode as defined in the IEEE 802.5 SRT Addendum to +-- 802.1d. + +-- Bridges implementing this group may report 65535 for +-- dot1dSrPortBridgeNumber and dot1dSrPortTargetSegment, +-- indicating that those objects are not applicable. + +dot1dPortPairTableSize OBJECT-TYPE + SYNTAX Gauge + ACCESS read-only + STATUS mandatory + DESCRIPTION + "The total number of entries in the Bridge Port + Pair Database." + ::= { dot1dPortPair 1 } + +-- the Bridge Port-Pair table + +-- this table represents port pairs within a bridge forming +-- a unique bridge path, as defined in the IEEE 802.5M SRT +-- Addendum. + +dot1dPortPairTable OBJECT-TYPE + SYNTAX SEQUENCE OF Dot1dPortPairEntry + ACCESS not-accessible + STATUS mandatory + DESCRIPTION + "A table that contains information about every + + port pair database entity associated with this + source routing bridge." + ::= { dot1dPortPair 2 } + +dot1dPortPairEntry OBJECT-TYPE + SYNTAX Dot1dPortPairEntry + ACCESS not-accessible + STATUS mandatory + DESCRIPTION + "A list of information for each port pair entity + of a bridge." 
+ INDEX { dot1dPortPairLowPort, dot1dPortPairHighPort } + ::= { dot1dPortPairTable 1 } + +Dot1dPortPairEntry ::= + SEQUENCE { + dot1dPortPairLowPort + INTEGER, + dot1dPortPairHighPort + INTEGER, + dot1dPortPairBridgeNum + INTEGER, + dot1dPortPairBridgeState + INTEGER + } + +dot1dPortPairLowPort OBJECT-TYPE + SYNTAX INTEGER (1..65535) + ACCESS read-write + STATUS mandatory + DESCRIPTION + "The port number of the lower numbered port for + which this entry contains port pair database + information." + ::= { dot1dPortPairEntry 1 } + +dot1dPortPairHighPort OBJECT-TYPE + SYNTAX INTEGER (1..65535) + ACCESS read-write + STATUS mandatory + DESCRIPTION + "The port number of the higher numbered port for + which this entry contains port pair database + information." + ::= { dot1dPortPairEntry 2 } + +dot1dPortPairBridgeNum OBJECT-TYPE + SYNTAX INTEGER + + ACCESS read-write + STATUS mandatory + DESCRIPTION + "A bridge number that uniquely identifies the path + provided by this source routing bridge between the + segments connected to dot1dPortPairLowPort and + dot1dPortPairHighPort. The purpose of bridge + number is to disambiguate between multiple paths + connecting the same two LANs." + ::= { dot1dPortPairEntry 3 } + +dot1dPortPairBridgeState OBJECT-TYPE + SYNTAX INTEGER { + enabled(1), + disabled(2), + invalid(3) + } + ACCESS read-write + STATUS mandatory + DESCRIPTION + "The state of dot1dPortPairBridgeNum. Writing + 'invalid(3)' to this object removes the + corresponding entry." + ::= { dot1dPortPairEntry 4 } + +END diff --git a/mibs/TCP-MIB.txt b/mibs/TCP-MIB.txt new file mode 100644 index 000000000..50e7f5752 --- /dev/null +++ b/mibs/TCP-MIB.txt 
@@ -0,0 +1,785 @@
+TCP-MIB DEFINITIONS ::= BEGIN
+
+IMPORTS
+ MODULE-IDENTITY, OBJECT-TYPE, Integer32, Unsigned32,
+ Gauge32, Counter32, Counter64, IpAddress, mib-2
+ FROM SNMPv2-SMI
+ MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF
+ InetAddress, InetAddressType,
+ InetPortNumber FROM INET-ADDRESS-MIB;
+
+tcpMIB MODULE-IDENTITY
+ LAST-UPDATED "200502180000Z" -- 18 February 2005
+ ORGANIZATION
+ "IETF IPv6 MIB Revision Team
+ http://www.ietf.org/html.charters/ipv6-charter.html"
+ CONTACT-INFO
+ "Rajiv Raghunarayan (editor)
+
+ Cisco Systems Inc.
+ 170 West Tasman Drive
+ San Jose, CA 95134
+
+ Phone: +1 408 853 9612
+ Email: <raraghun@cisco.com>
+
+ Send comments to <ipv6@ietf.org>"
+ DESCRIPTION
+ "The MIB module for managing TCP implementations.
+
+ Copyright (C) The Internet Society (2005). This version
+ of this MIB module is a part of RFC 4022; see the RFC
+ itself for full legal notices."
+ REVISION "200502180000Z" -- 18 February 2005
+ DESCRIPTION
+ "IP version neutral revision, published as RFC 4022."
+ REVISION "9411010000Z"
+ DESCRIPTION
+ "Initial SMIv2 version, published as RFC 2012."
+ REVISION "9103310000Z"
+ DESCRIPTION
+ "The initial revision of this MIB module was part of
+ MIB-II."
+ ::= { mib-2 49 }
+
+-- the TCP base variables group
+
+tcp OBJECT IDENTIFIER ::= { mib-2 6 }
+
+-- Scalars
+
+tcpRtoAlgorithm OBJECT-TYPE
+ SYNTAX INTEGER {
+ other(1), -- none of the following
+ constant(2), -- a constant rto
+ rsre(3), -- MIL-STD-1778, Appendix B
+ vanj(4), -- Van Jacobson's algorithm
+ rfc2988(5) -- RFC 2988
+ }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The algorithm used to determine the timeout value used for
+ retransmitting unacknowledged octets."
+ ::= { tcp 1 }
+
+tcpRtoMin OBJECT-TYPE
+ SYNTAX Integer32 (0..2147483647)
+ UNITS "milliseconds"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The minimum value permitted by a TCP implementation for
+ the retransmission timeout, measured in milliseconds.
+ More refined semantics for objects of this type depend
+ on the algorithm used to determine the retransmission
+ timeout; in particular, the IETF standard algorithm
+ rfc2988(5) provides a minimum value."
+ ::= { tcp 2 }
+
+tcpRtoMax OBJECT-TYPE
+ SYNTAX Integer32 (0..2147483647)
+ UNITS "milliseconds"
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The maximum value permitted by a TCP implementation for
+ the retransmission timeout, measured in milliseconds.
+ More refined semantics for objects of this type depend
+ on the algorithm used to determine the retransmission
+ timeout; in particular, the IETF standard algorithm
+ rfc2988(5) provides an upper bound (as part of an
+ adaptive backoff algorithm)."
+ ::= { tcp 3 }
+
+tcpMaxConn OBJECT-TYPE
+ SYNTAX Integer32 (-1 | 0..2147483647)
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The limit on the total number of TCP connections the entity
+ can support. In entities where the maximum number of
+ connections is dynamic, this object should contain the
+ value -1."
+ ::= { tcp 4 }
+
+tcpActiveOpens OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of times that TCP connections have made a direct
+ transition to the SYN-SENT state from the CLOSED state.
+
+ Discontinuities in the value of this counter are
+ indicated via discontinuities in the value of sysUpTime."
+ ::= { tcp 5 }
+
+tcpPassiveOpens OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of times TCP connections have made a direct
+ transition to the SYN-RCVD state from the LISTEN state.
+
+ Discontinuities in the value of this counter are
+ indicated via discontinuities in the value of sysUpTime."
+ ::= { tcp 6 }
+
+tcpAttemptFails OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of times that TCP connections have made a direct
+ transition to the CLOSED state from either the SYN-SENT
+ state or the SYN-RCVD state, plus the number of times that
+ TCP connections have made a direct transition to the
+ LISTEN state from the SYN-RCVD state.
+
+ Discontinuities in the value of this counter are
+ indicated via discontinuities in the value of sysUpTime."
+ ::= { tcp 7 }
+
+tcpEstabResets OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of times that TCP connections have made a direct
+ transition to the CLOSED state from either the ESTABLISHED
+ state or the CLOSE-WAIT state.
+
+ Discontinuities in the value of this counter are
+ indicated via discontinuities in the value of sysUpTime."
+ ::= { tcp 8 }
+
+tcpCurrEstab OBJECT-TYPE
+ SYNTAX Gauge32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of TCP connections for which the current state
+ is either ESTABLISHED or CLOSE-WAIT."
+ ::= { tcp 9 }
+
+tcpInSegs OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of segments received, including those
+ received in error. This count includes segments received
+ on currently established connections.
+
+ Discontinuities in the value of this counter are
+ indicated via discontinuities in the value of sysUpTime."
+ ::= { tcp 10 }
+
+tcpOutSegs OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of segments sent, including those on
+ current connections but excluding those containing only
+ retransmitted octets.
+
+ Discontinuities in the value of this counter are
+ indicated via discontinuities in the value of sysUpTime."
+ ::= { tcp 11 }
+
+tcpRetransSegs OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of segments retransmitted; that is, the
+ number of TCP segments transmitted containing one or more
+ previously transmitted octets.
+
+ Discontinuities in the value of this counter are
+ indicated via discontinuities in the value of sysUpTime."
+ ::= { tcp 12 }
+
+tcpInErrs OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of segments received in error (e.g., bad
+ TCP checksums).
+
+ Discontinuities in the value of this counter are
+ indicated via discontinuities in the value of sysUpTime."
+ ::= { tcp 14 }
+
+tcpOutRsts OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of TCP segments sent containing the RST flag.
+
+ Discontinuities in the value of this counter are
+ indicated via discontinuities in the value of sysUpTime."
+ ::= { tcp 15 }
+
+-- { tcp 16 } was used to represent the ipv6TcpConnTable in RFC 2452,
+-- which has since been obsoleted. It MUST not be used.
+
+tcpHCInSegs OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of segments received, including those
+ received in error. This count includes segments received
+
+ on currently established connections. This object is
+ the 64-bit equivalent of tcpInSegs.
+
+ Discontinuities in the value of this counter are
+ indicated via discontinuities in the value of sysUpTime."
+ ::= { tcp 17 }
+
+tcpHCOutSegs OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The total number of segments sent, including those on
+ current connections but excluding those containing only
+ retransmitted octets. This object is the 64-bit
+ equivalent of tcpOutSegs.
+
+ Discontinuities in the value of this counter are
+ indicated via discontinuities in the value of sysUpTime."
+ ::= { tcp 18 }
+
+-- The TCP Connection table
+
+tcpConnectionTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF TcpConnectionEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table containing information about existing TCP
+ connections. Note that unlike earlier TCP MIBs, there
+ is a separate table for connections in the LISTEN state."
+ ::= { tcp 19 }
+
+tcpConnectionEntry OBJECT-TYPE
+ SYNTAX TcpConnectionEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A conceptual row of the tcpConnectionTable containing
+ information about a particular current TCP connection.
+ Each row of this table is transient in that it ceases to
+ exist when (or soon after) the connection makes the
+ transition to the CLOSED state."
+ INDEX { tcpConnectionLocalAddressType,
+ tcpConnectionLocalAddress,
+ tcpConnectionLocalPort,
+ tcpConnectionRemAddressType,
+ tcpConnectionRemAddress,
+ tcpConnectionRemPort }
+ ::= { tcpConnectionTable 1 }
+
+TcpConnectionEntry ::= SEQUENCE {
+ tcpConnectionLocalAddressType InetAddressType,
+ tcpConnectionLocalAddress InetAddress,
+ tcpConnectionLocalPort InetPortNumber,
+ tcpConnectionRemAddressType InetAddressType,
+ tcpConnectionRemAddress InetAddress,
+ tcpConnectionRemPort InetPortNumber,
+ tcpConnectionState INTEGER,
+ tcpConnectionProcess Unsigned32
+ }
+
+tcpConnectionLocalAddressType OBJECT-TYPE
+ SYNTAX InetAddressType
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The address type of tcpConnectionLocalAddress."
+ ::= { tcpConnectionEntry 1 }
+
+tcpConnectionLocalAddress OBJECT-TYPE
+ SYNTAX InetAddress
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The local IP address for this TCP connection. The type
+ of this address is determined by the value of
+ tcpConnectionLocalAddressType.
+
+ As this object is used in the index for the
+ tcpConnectionTable, implementors should be
+ careful not to create entries that would result in OIDs
+ with more than 128 subidentifiers; otherwise the information
+ cannot be accessed by using SNMPv1, SNMPv2c, or SNMPv3."
+ ::= { tcpConnectionEntry 2 }
+
+tcpConnectionLocalPort OBJECT-TYPE
+ SYNTAX InetPortNumber
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The local port number for this TCP connection."
+ ::= { tcpConnectionEntry 3 }
+
+tcpConnectionRemAddressType OBJECT-TYPE
+ SYNTAX InetAddressType
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The address type of tcpConnectionRemAddress."
+ ::= { tcpConnectionEntry 4 }
+
+tcpConnectionRemAddress OBJECT-TYPE
+ SYNTAX InetAddress
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The remote IP address for this TCP connection. The type
+ of this address is determined by the value of
+ tcpConnectionRemAddressType.
+
+ As this object is used in the index for the
+ tcpConnectionTable, implementors should be
+ careful not to create entries that would result in OIDs
+ with more than 128 subidentifiers; otherwise the information
+ cannot be accessed by using SNMPv1, SNMPv2c, or SNMPv3."
+ ::= { tcpConnectionEntry 5 }
+
+tcpConnectionRemPort OBJECT-TYPE
+ SYNTAX InetPortNumber
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The remote port number for this TCP connection."
+ ::= { tcpConnectionEntry 6 }
+
+tcpConnectionState OBJECT-TYPE
+ SYNTAX INTEGER {
+ closed(1),
+ listen(2),
+ synSent(3),
+ synReceived(4),
+ established(5),
+ finWait1(6),
+ finWait2(7),
+ closeWait(8),
+ lastAck(9),
+ closing(10),
+ timeWait(11),
+ deleteTCB(12)
+ }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "The state of this TCP connection.
+
+ The value listen(2) is included only for parallelism to the
+ old tcpConnTable and should not be used. A connection in
+ LISTEN state should be present in the tcpListenerTable.
+
+ The only value that may be set by a management station is
+ deleteTCB(12). Accordingly, it is appropriate for an agent
+ to return a `badValue' response if a management station
+ attempts to set this object to any other value.
+
+ If a management station sets this object to the value
+ deleteTCB(12), then the TCB (as defined in [RFC793]) of
+ the corresponding connection on the managed node is
+ deleted, resulting in immediate termination of the
+ connection.
+
+ As an implementation-specific option, a RST segment may be
+ sent from the managed node to the other TCP endpoint (note,
+ however, that RST segments are not sent reliably)."
+ ::= { tcpConnectionEntry 7 }
+
+tcpConnectionProcess OBJECT-TYPE
+ SYNTAX Unsigned32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The system's process ID for the process associated with
+ this connection, or zero if there is no such process. This
+ value is expected to be the same as HOST-RESOURCES-MIB::
+ hrSWRunIndex or SYSAPPL-MIB::sysApplElmtRunIndex for some
+ row in the appropriate tables."
+ ::= { tcpConnectionEntry 8 }
+
+-- The TCP Listener table
+
+tcpListenerTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF TcpListenerEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A table containing information about TCP listeners. A
+ listening application can be represented in three
+ possible ways:
+
+ 1. An application that is willing to accept both IPv4 and
+ IPv6 datagrams is represented by
+
+ a tcpListenerLocalAddressType of unknown (0) and
+ a tcpListenerLocalAddress of ''h (a zero-length
+ octet-string).
+
+ 2. An application that is willing to accept only IPv4 or
+ IPv6 datagrams is represented by a
+ tcpListenerLocalAddressType of the appropriate address
+ type and a tcpListenerLocalAddress of '0.0.0.0' or '::'
+ respectively.
+
+ 3.
An application that is listening for data destined
+ only to a specific IP address, but from any remote
+ system, is represented by a tcpListenerLocalAddressType
+ of an appropriate address type, with
+ tcpListenerLocalAddress as the specific local address.
+
+ NOTE: The address type in this table represents the
+ address type used for the communication, irrespective
+ of the higher-layer abstraction. For example, an
+ application using IPv6 'sockets' to communicate via
+ IPv4 between ::ffff:10.0.0.1 and ::ffff:10.0.0.2 would
+ use InetAddressType ipv4(1))."
+ ::= { tcp 20 }
+
+tcpListenerEntry OBJECT-TYPE
+ SYNTAX TcpListenerEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A conceptual row of the tcpListenerTable containing
+ information about a particular TCP listener."
+ INDEX { tcpListenerLocalAddressType,
+ tcpListenerLocalAddress,
+ tcpListenerLocalPort }
+ ::= { tcpListenerTable 1 }
+
+TcpListenerEntry ::= SEQUENCE {
+ tcpListenerLocalAddressType InetAddressType,
+ tcpListenerLocalAddress InetAddress,
+ tcpListenerLocalPort InetPortNumber,
+ tcpListenerProcess Unsigned32
+ }
+
+tcpListenerLocalAddressType OBJECT-TYPE
+ SYNTAX InetAddressType
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The address type of tcpListenerLocalAddress. The value
+ should be unknown (0) if connection initiations to all
+ local IP addresses are accepted."
+ ::= { tcpListenerEntry 1 }
+
+tcpListenerLocalAddress OBJECT-TYPE
+ SYNTAX InetAddress
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The local IP address for this TCP connection.
+
+ The value of this object can be represented in three
+ possible ways, depending on the characteristics of the
+ listening application:
+
+ 1. For an application willing to accept both IPv4 and
+ IPv6 datagrams, the value of this object must be
+ ''h (a zero-length octet-string), with the value
+ of the corresponding tcpListenerLocalAddressType
+ object being unknown (0).
+
+ 2.
For an application willing to accept only IPv4 or
+ IPv6 datagrams, the value of this object must be
+ '0.0.0.0' or '::' respectively, with
+ tcpListenerLocalAddressType representing the
+ appropriate address type.
+
+ 3. For an application which is listening for data
+ destined only to a specific IP address, the value
+ of this object is the specific local address, with
+ tcpListenerLocalAddressType representing the
+ appropriate address type.
+
+ As this object is used in the index for the
+ tcpListenerTable, implementors should be
+ careful not to create entries that would result in OIDs
+ with more than 128 subidentifiers; otherwise the information
+ cannot be accessed, using SNMPv1, SNMPv2c, or SNMPv3."
+ ::= { tcpListenerEntry 2 }
+
+tcpListenerLocalPort OBJECT-TYPE
+ SYNTAX InetPortNumber
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The local port number for this TCP connection."
+ ::= { tcpListenerEntry 3 }
+
+tcpListenerProcess OBJECT-TYPE
+ SYNTAX Unsigned32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The system's process ID for the process associated with
+ this listener, or zero if there is no such process. This
+ value is expected to be the same as HOST-RESOURCES-MIB::
+ hrSWRunIndex or SYSAPPL-MIB::sysApplElmtRunIndex for some
+ row in the appropriate tables."
+ ::= { tcpListenerEntry 4 }
+
+-- The deprecated TCP Connection table
+
+tcpConnTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF TcpConnEntry
+ MAX-ACCESS not-accessible
+ STATUS deprecated
+ DESCRIPTION
+ "A table containing information about existing IPv4-specific
+ TCP connections or listeners. This table has been
+ deprecated in favor of the version neutral
+ tcpConnectionTable."
+ ::= { tcp 13 }
+
+tcpConnEntry OBJECT-TYPE
+ SYNTAX TcpConnEntry
+ MAX-ACCESS not-accessible
+ STATUS deprecated
+ DESCRIPTION
+ "A conceptual row of the tcpConnTable containing information
+ about a particular current IPv4 TCP connection.
Each row
+ of this table is transient in that it ceases to exist when
+ (or soon after) the connection makes the transition to the
+ CLOSED state."
+ INDEX { tcpConnLocalAddress,
+ tcpConnLocalPort,
+ tcpConnRemAddress,
+ tcpConnRemPort }
+ ::= { tcpConnTable 1 }
+
+TcpConnEntry ::= SEQUENCE {
+ tcpConnState INTEGER,
+ tcpConnLocalAddress IpAddress,
+ tcpConnLocalPort Integer32,
+ tcpConnRemAddress IpAddress,
+ tcpConnRemPort Integer32
+
+ }
+
+tcpConnState OBJECT-TYPE
+ SYNTAX INTEGER {
+ closed(1),
+ listen(2),
+ synSent(3),
+ synReceived(4),
+ established(5),
+ finWait1(6),
+ finWait2(7),
+ closeWait(8),
+ lastAck(9),
+ closing(10),
+ timeWait(11),
+ deleteTCB(12)
+ }
+ MAX-ACCESS read-write
+ STATUS deprecated
+ DESCRIPTION
+ "The state of this TCP connection.
+
+ The only value that may be set by a management station is
+ deleteTCB(12). Accordingly, it is appropriate for an agent
+ to return a `badValue' response if a management station
+ attempts to set this object to any other value.
+
+ If a management station sets this object to the value
+ deleteTCB(12), then the TCB (as defined in [RFC793]) of
+ the corresponding connection on the managed node is
+ deleted, resulting in immediate termination of the
+ connection.
+
+ As an implementation-specific option, a RST segment may be
+ sent from the managed node to the other TCP endpoint (note,
+ however, that RST segments are not sent reliably)."
+ ::= { tcpConnEntry 1 }
+
+tcpConnLocalAddress OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The local IP address for this TCP connection. In the case
+ of a connection in the listen state willing to
+ accept connections for any IP interface associated with the
+ node, the value 0.0.0.0 is used."
+ ::= { tcpConnEntry 2 }
+
+tcpConnLocalPort OBJECT-TYPE
+ SYNTAX Integer32 (0..65535)
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The local port number for this TCP connection."
+ ::= { tcpConnEntry 3 }
+
+tcpConnRemAddress OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The remote IP address for this TCP connection."
+ ::= { tcpConnEntry 4 }
+
+tcpConnRemPort OBJECT-TYPE
+ SYNTAX Integer32 (0..65535)
+ MAX-ACCESS read-only
+ STATUS deprecated
+ DESCRIPTION
+ "The remote port number for this TCP connection."
+ ::= { tcpConnEntry 5 }
+
+-- conformance information
+
+tcpMIBConformance OBJECT IDENTIFIER ::= { tcpMIB 2 }
+
+tcpMIBCompliances OBJECT IDENTIFIER ::= { tcpMIBConformance 1 }
+tcpMIBGroups OBJECT IDENTIFIER ::= { tcpMIBConformance 2 }
+
+-- compliance statements
+
+tcpMIBCompliance2 MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "The compliance statement for systems that implement TCP.
+
+ A number of INDEX objects cannot be
+ represented in the form of OBJECT clauses in SMIv2 but
+ have the following compliance requirements,
+ expressed in OBJECT clause form in this description
+ clause:
+
+ -- OBJECT tcpConnectionLocalAddressType
+ -- SYNTAX InetAddressType { ipv4(1), ipv6(2) }
+ -- DESCRIPTION
+ -- This MIB requires support for only global IPv4
+
+ -- and IPv6 address types.
+ --
+ -- OBJECT tcpConnectionRemAddressType
+ -- SYNTAX InetAddressType { ipv4(1), ipv6(2) }
+ -- DESCRIPTION
+ -- This MIB requires support for only global IPv4
+ -- and IPv6 address types.
+ --
+ -- OBJECT tcpListenerLocalAddressType
+ -- SYNTAX InetAddressType { unknown(0), ipv4(1),
+ -- ipv6(2) }
+ -- DESCRIPTION
+ -- This MIB requires support for only global IPv4
+ -- and IPv6 address types. The type unknown also
+ -- needs to be supported to identify a special
+ -- case in the listener table: a listen using
+ -- both IPv4 and IPv6 addresses on the device.
+ --
+ "
+ MODULE -- this module
+ MANDATORY-GROUPS { tcpBaseGroup, tcpConnectionGroup,
+ tcpListenerGroup }
+ GROUP tcpHCGroup
+ DESCRIPTION
+ "This group is mandatory for systems that are capable
+ of receiving or transmitting more than 1 million TCP
+ segments per second. 1 million segments per second will
+ cause a Counter32 to wrap in just over an hour."
+ OBJECT tcpConnectionState
+ SYNTAX INTEGER { closed(1), listen(2), synSent(3),
+ synReceived(4), established(5),
+ finWait1(6), finWait2(7), closeWait(8),
+ lastAck(9), closing(10), timeWait(11) }
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required, nor is support for the value
+ deleteTCB (12)."
+ ::= { tcpMIBCompliances 2 }
+
+tcpMIBCompliance MODULE-COMPLIANCE
+ STATUS deprecated
+ DESCRIPTION
+ "The compliance statement for IPv4-only systems that
+ implement TCP. In order to be IP version independent, this
+ compliance statement is deprecated in favor of
+ tcpMIBCompliance2. However, agents are still encouraged
+ to implement these objects in order to interoperate with
+ the deployed base of managers."
+
+ MODULE -- this module
+ MANDATORY-GROUPS { tcpGroup }
+ OBJECT tcpConnState
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "Write access is not required."
+ ::= { tcpMIBCompliances 1 }
+
+-- units of conformance
+
+tcpGroup OBJECT-GROUP
+ OBJECTS { tcpRtoAlgorithm, tcpRtoMin, tcpRtoMax,
+ tcpMaxConn, tcpActiveOpens,
+ tcpPassiveOpens, tcpAttemptFails,
+ tcpEstabResets, tcpCurrEstab, tcpInSegs,
+ tcpOutSegs, tcpRetransSegs, tcpConnState,
+ tcpConnLocalAddress, tcpConnLocalPort,
+ tcpConnRemAddress, tcpConnRemPort,
+ tcpInErrs, tcpOutRsts }
+ STATUS deprecated
+ DESCRIPTION
+ "The tcp group of objects providing for management of TCP
+ entities."
+ ::= { tcpMIBGroups 1 }
+
+tcpBaseGroup OBJECT-GROUP
+ OBJECTS { tcpRtoAlgorithm, tcpRtoMin, tcpRtoMax,
+ tcpMaxConn, tcpActiveOpens,
+ tcpPassiveOpens, tcpAttemptFails,
+ tcpEstabResets, tcpCurrEstab, tcpInSegs,
+ tcpOutSegs, tcpRetransSegs,
+ tcpInErrs, tcpOutRsts }
+ STATUS current
+ DESCRIPTION
+ "The group of counters common to TCP entities."
+ ::= { tcpMIBGroups 2 }
+
+tcpConnectionGroup OBJECT-GROUP
+ OBJECTS { tcpConnectionState, tcpConnectionProcess }
+ STATUS current
+ DESCRIPTION
+ "The group provides general information about TCP
+ connections."
+ ::= { tcpMIBGroups 3 }
+
+tcpListenerGroup OBJECT-GROUP
+ OBJECTS { tcpListenerProcess }
+ STATUS current
+ DESCRIPTION
+ "This group has objects providing general information about
+ TCP listeners."
+ ::= { tcpMIBGroups 4 }
+
+tcpHCGroup OBJECT-GROUP
+ OBJECTS { tcpHCInSegs, tcpHCOutSegs }
+ STATUS current
+ DESCRIPTION
+ "The group of objects providing for counters of high speed
+ TCP implementations."
+ ::= { tcpMIBGroups 5 }
+
+END
diff --git a/mibs/TRANSPORT-ADDRESS-MIB.txt b/mibs/TRANSPORT-ADDRESS-MIB.txt
new file mode 100644
index 000000000..227886e78
--- /dev/null
+++ b/mibs/TRANSPORT-ADDRESS-MIB.txt
@@ -0,0 +1,421 @@
+TRANSPORT-ADDRESS-MIB DEFINITIONS ::= BEGIN
+
+IMPORTS
+ MODULE-IDENTITY, OBJECT-IDENTITY, mib-2 FROM SNMPv2-SMI
+ TEXTUAL-CONVENTION FROM SNMPv2-TC;
+
+transportAddressMIB MODULE-IDENTITY
+ LAST-UPDATED "200211010000Z"
+ ORGANIZATION
+ "IETF Operations and Management Area"
+ CONTACT-INFO
+ "Juergen Schoenwaelder (Editor)
+ TU Braunschweig
+ Bueltenweg 74/75
+ 38106 Braunschweig, Germany
+
+ Phone: +49 531 391-3289
+ EMail: schoenw@ibr.cs.tu-bs.de
+
+ Send comments to <mibs@ops.ietf.org>."
+ DESCRIPTION
+ "This MIB module provides commonly used transport
+ address definitions.
+
+ Copyright (C) The Internet Society (2002). This version of
+ this MIB module is part of RFC 3419; see the RFC itself for
+ full legal notices."
+
+ -- Revision log
+
+ REVISION "200211010000Z"
+ DESCRIPTION
+ "Initial version, published as RFC 3419."
+ ::= { mib-2 100 }
+
+transportDomains OBJECT IDENTIFIER ::= { transportAddressMIB 1 }
+
+transportDomainUdpIpv4 OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The UDP over IPv4 transport domain. The corresponding
+ transport address is of type TransportAddressIPv4 for
+ global IPv4 addresses."
+ ::= { transportDomains 1 }
+
+transportDomainUdpIpv6 OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The UDP over IPv6 transport domain. The corresponding
+ transport address is of type TransportAddressIPv6 for
+ global IPv6 addresses."
+ ::= { transportDomains 2 }
+
+transportDomainUdpIpv4z OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The UDP over IPv4 transport domain. The corresponding
+ transport address is of type TransportAddressIPv4z for
+ scoped IPv4 addresses with a zone index."
+ ::= { transportDomains 3 }
+
+transportDomainUdpIpv6z OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The UDP over IPv6 transport domain. The corresponding
+ transport address is of type TransportAddressIPv6z for
+ scoped IPv6 addresses with a zone index."
+ ::= { transportDomains 4 }
+
+transportDomainTcpIpv4 OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The TCP over IPv4 transport domain. The corresponding
+ transport address is of type TransportAddressIPv4 for
+ global IPv4 addresses."
+ ::= { transportDomains 5 }
+
+transportDomainTcpIpv6 OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The TCP over IPv6 transport domain. The corresponding
+ transport address is of type TransportAddressIPv6 for
+ global IPv6 addresses."
+ ::= { transportDomains 6 }
+
+transportDomainTcpIpv4z OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The TCP over IPv4 transport domain. The corresponding
+ transport address is of type TransportAddressIPv4z for
+ scoped IPv4 addresses with a zone index."
+ ::= { transportDomains 7 }
+
+transportDomainTcpIpv6z OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The TCP over IPv6 transport domain. The corresponding
+ transport address is of type TransportAddressIPv6z for
+ scoped IPv6 addresses with a zone index."
+ ::= { transportDomains 8 }
+
+transportDomainSctpIpv4 OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The SCTP over IPv4 transport domain. The corresponding
+ transport address is of type TransportAddressIPv4 for
+ global IPv4 addresses. This transport domain usually
+ represents the primary address on multihomed SCTP
+ endpoints."
+ ::= { transportDomains 9 }
+
+transportDomainSctpIpv6 OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The SCTP over IPv6 transport domain. The corresponding
+ transport address is of type TransportAddressIPv6 for
+ global IPv6 addresses. This transport domain usually
+ represents the primary address on multihomed SCTP
+ endpoints."
+ ::= { transportDomains 10 }
+
+transportDomainSctpIpv4z OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The SCTP over IPv4 transport domain. The corresponding
+ transport address is of type TransportAddressIPv4z for
+ scoped IPv4 addresses with a zone index.
This transport
+ domain usually represents the primary address on
+ multihomed SCTP endpoints."
+ ::= { transportDomains 11 }
+
+transportDomainSctpIpv6z OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The SCTP over IPv6 transport domain. The corresponding
+ transport address is of type TransportAddressIPv6z for
+ scoped IPv6 addresses with a zone index. This transport
+ domain usually represents the primary address on
+ multihomed SCTP endpoints."
+ ::= { transportDomains 12 }
+
+transportDomainLocal OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The Posix Local IPC transport domain. The corresponding
+ transport address is of type TransportAddressLocal.
+
+ The Posix Local IPC transport domain incorporates the
+ well-known UNIX domain sockets."
+ ::= { transportDomains 13 }
+
+transportDomainUdpDns OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The UDP transport domain using fully qualified domain
+ names. The corresponding transport address is of type
+ TransportAddressDns."
+ ::= { transportDomains 14 }
+
+transportDomainTcpDns OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The TCP transport domain using fully qualified domain
+ names. The corresponding transport address is of type
+ TransportAddressDns."
+ ::= { transportDomains 15 }
+
+transportDomainSctpDns OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The SCTP transport domain using fully qualified domain
+ names. The corresponding transport address is of type
+ TransportAddressDns."
+ ::= { transportDomains 16 }
+
+TransportDomain ::= TEXTUAL-CONVENTION
+ STATUS current
+ DESCRIPTION
+ "A value that represents a transport domain.
+
+ Some possible values, such as transportDomainUdpIpv4, are
+ defined in this module. Other possible values can be
+ defined in other MIB modules."
+ SYNTAX OBJECT IDENTIFIER
+
+--
+-- The enumerated values of the textual convention below should
+-- be identical to the last sub-identifier of the OID registered
+-- for the same domain.
+--
+
+TransportAddressType ::= TEXTUAL-CONVENTION
+ STATUS current
+ DESCRIPTION
+ "A value that represents a transport domain. This is the
+ enumerated version of the transport domain registrations
+ in this MIB module. The enumerated values have the
+ following meaning:
+
+ unknown(0) unknown transport address type
+ udpIpv4(1) transportDomainUdpIpv4
+ udpIpv6(2) transportDomainUdpIpv6
+ udpIpv4z(3) transportDomainUdpIpv4z
+ udpIpv6z(4) transportDomainUdpIpv6z
+ tcpIpv4(5) transportDomainTcpIpv4
+ tcpIpv6(6) transportDomainTcpIpv6
+ tcpIpv4z(7) transportDomainTcpIpv4z
+
+ tcpIpv6z(8) transportDomainTcpIpv6z
+ sctpIpv4(9) transportDomainSctpIpv4
+ sctpIpv6(10) transportDomainSctpIpv6
+ sctpIpv4z(11) transportDomainSctpIpv4z
+ sctpIpv6z(12) transportDomainSctpIpv6z
+ local(13) transportDomainLocal
+ udpDns(14) transportDomainUdpDns
+ tcpDns(15) transportDomainTcpDns
+ sctpDns(16) transportDomainSctpDns
+
+ This textual convention can be used to represent transport
+ domains in situations where a syntax of TransportDomain is
+ unwieldy (for example, when used as an index).
+
+ The usage of this textual convention implies that additional
+ transport domains can only be supported by updating this MIB
+ module. This extensibility restriction does not apply for the
+ TransportDomain textual convention which allows MIB authors
+ to define additional transport domains independently in
+ other MIB modules."
+ SYNTAX INTEGER {
+ unknown(0),
+ udpIpv4(1),
+ udpIpv6(2),
+ udpIpv4z(3),
+ udpIpv6z(4),
+ tcpIpv4(5),
+ tcpIpv6(6),
+ tcpIpv4z(7),
+ tcpIpv6z(8),
+ sctpIpv4(9),
+ sctpIpv6(10),
+ sctpIpv4z(11),
+ sctpIpv6z(12),
+ local(13),
+ udpDns(14),
+ tcpDns(15),
+ sctpDns(16)
+ }
+
+TransportAddress ::= TEXTUAL-CONVENTION
+ STATUS current
+ DESCRIPTION
+ "Denotes a generic transport address.
+
+ A TransportAddress value is always interpreted within the
+ context of a TransportAddressType or TransportDomain value.
+ Every usage of the TransportAddress textual convention MUST
+
+ specify the TransportAddressType or TransportDomain object
+ which provides the context. Furthermore, MIB authors SHOULD
+ define a separate TransportAddressType or TransportDomain
+ object for each TransportAddress object. It is suggested that
+ the TransportAddressType or TransportDomain is logically
+ registered before the object(s) which use the
+ TransportAddress textual convention if they appear in the
+ same logical row.
+
+ The value of a TransportAddress object must always be
+ consistent with the value of the associated
+ TransportAddressType or TransportDomain object. Attempts
+ to set a TransportAddress object to a value which is
+ inconsistent with the associated TransportAddressType or
+ TransportDomain must fail with an inconsistentValue error.
+
+ When this textual convention is used as a syntax of an
+ index object, there may be issues with the limit of 128
+ sub-identifiers specified in SMIv2, STD 58. In this case,
+ the OBJECT-TYPE declaration MUST include a 'SIZE' clause
+ to limit the number of potential instance sub-identifiers."
+ SYNTAX OCTET STRING (SIZE (0..255))
+
+TransportAddressIPv4 ::= TEXTUAL-CONVENTION
+ DISPLAY-HINT "1d.1d.1d.1d:2d"
+ STATUS current
+ DESCRIPTION
+ "Represents a transport address consisting of an IPv4
+ address and a port number (as used for example by UDP,
+ TCP and SCTP):
+
+ octets contents encoding
+ 1-4 IPv4 address network-byte order
+ 5-6 port number network-byte order
+
+ This textual convention SHOULD NOT be used directly in object
+ definitions since it restricts addresses to a specific format.
+ However, if it is used, it MAY be used either on its own or
+ in conjunction with TransportAddressType or TransportDomain
+ as a pair."
+ SYNTAX OCTET STRING (SIZE (6)) + +TransportAddressIPv6 ::= TEXTUAL-CONVENTION + DISPLAY-HINT "0a[2x:2x:2x:2x:2x:2x:2x:2x]0a:2d" + STATUS current + DESCRIPTION + "Represents a transport address consisting of an IPv6 + address and a port number (as used for example by UDP, + TCP and SCTP): + + octets contents encoding + 1-16 IPv6 address network-byte order + 17-18 port number network-byte order + + This textual convention SHOULD NOT be used directly in object + definitions since it restricts addresses to a specific format. + However, if it is used, it MAY be used either on its own or + in conjunction with TransportAddressType or TransportDomain + as a pair." + SYNTAX OCTET STRING (SIZE (18)) + +TransportAddressIPv4z ::= TEXTUAL-CONVENTION + DISPLAY-HINT "1d.1d.1d.1d%4d:2d" + STATUS current + DESCRIPTION + "Represents a transport address consisting of an IPv4 + address, a zone index and a port number (as used for + example by UDP, TCP and SCTP): + + octets contents encoding + 1-4 IPv4 address network-byte order + 5-8 zone index network-byte order + 9-10 port number network-byte order + + This textual convention SHOULD NOT be used directly in object + definitions since it restricts addresses to a specific format. + However, if it is used, it MAY be used either on its own or + in conjunction with TransportAddressType or TransportDomain + as a pair." + SYNTAX OCTET STRING (SIZE (10)) + +TransportAddressIPv6z ::= TEXTUAL-CONVENTION + DISPLAY-HINT "0a[2x:2x:2x:2x:2x:2x:2x:2x%4d]0a:2d" + STATUS current + DESCRIPTION + "Represents a transport address consisting of an IPv6 + address, a zone index and a port number (as used for + example by UDP, TCP and SCTP): + + octets contents encoding + 1-16 IPv6 address network-byte order + 17-20 zone index network-byte order + 21-22 port number network-byte order + + This textual convention SHOULD NOT be used directly in object + definitions since it restricts addresses to a specific format. 
+ + However, if it is used, it MAY be used either on its own or + in conjunction with TransportAddressType or TransportDomain + as a pair." + SYNTAX OCTET STRING (SIZE (22)) + +TransportAddressLocal ::= TEXTUAL-CONVENTION + DISPLAY-HINT "1a" + STATUS current + DESCRIPTION + "Represents a POSIX Local IPC transport address: + + octets contents encoding + all POSIX Local IPC address string + + The Posix Local IPC transport domain subsumes UNIX domain + sockets. + + This textual convention SHOULD NOT be used directly in object + definitions since it restricts addresses to a specific format. + However, if it is used, it MAY be used either on its own or + in conjunction with TransportAddressType or TransportDomain + as a pair. + + When this textual convention is used as a syntax of an + index object, there may be issues with the limit of 128 + sub-identifiers specified in SMIv2, STD 58. In this case, + the OBJECT-TYPE declaration MUST include a 'SIZE' clause + to limit the number of potential instance sub-identifiers." + REFERENCE + "Protocol Independent Interfaces (IEEE POSIX 1003.1g)" + SYNTAX OCTET STRING (SIZE (1..255)) + +TransportAddressDns ::= TEXTUAL-CONVENTION + DISPLAY-HINT "1a" + STATUS current + DESCRIPTION + "Represents a DNS domain name followed by a colon ':' + (ASCII character 0x3A) and a port number in ASCII. + The name SHOULD be fully qualified whenever possible. + + Values of this textual convention are not directly useable as + transport-layer addressing information, and require runtime + resolution. As such, applications that write them must be + prepared for handling errors if such values are not + supported, or cannot be resolved (if resolution occurs at the + time of the management operation). + + The DESCRIPTION clause of TransportAddress objects that may + + have TransportAddressDns values must fully describe how (and + when) such names are to be resolved to IP addresses and vice + versa. 
+ + This textual convention SHOULD NOT be used directly in object + definitions since it restricts addresses to a specific format. + However, if it is used, it MAY be used either on its own or + in conjunction with TransportAddressType or TransportDomain + as a pair. + + When this textual convention is used as a syntax of an + index object, there may be issues with the limit of 128 + sub-identifiers specified in SMIv2, STD 58. In this case, + the OBJECT-TYPE declaration MUST include a 'SIZE' clause + to limit the number of potential instance sub-identifiers." + SYNTAX OCTET STRING (SIZE (1..255)) + +END diff --git a/mibs/TUNNEL-MIB.txt b/mibs/TUNNEL-MIB.txt new file mode 100644 index 000000000..5f9596b58 --- /dev/null +++ b/mibs/TUNNEL-MIB.txt 
@@ -0,0 +1,738 @@ +TUNNEL-MIB DEFINITIONS ::= BEGIN + +IMPORTS + MODULE-IDENTITY, OBJECT-TYPE, transmission, + Integer32, IpAddress FROM SNMPv2-SMI -- [RFC2578] + + RowStatus, StorageType FROM SNMPv2-TC -- [RFC2579] + + MODULE-COMPLIANCE, + OBJECT-GROUP FROM SNMPv2-CONF -- [RFC2580] + + InetAddressType, + InetAddress FROM INET-ADDRESS-MIB -- [RFC4001] + + IPv6FlowLabelOrAny FROM IPV6-FLOW-LABEL-MIB -- [RFC3595] + + ifIndex, + InterfaceIndexOrZero FROM IF-MIB -- [RFC2863] + + IANAtunnelType FROM IANAifType-MIB; -- [IFTYPE] + +tunnelMIB MODULE-IDENTITY + LAST-UPDATED "200505160000Z" -- May 16, 2005 + ORGANIZATION "IETF IP Version 6 (IPv6) Working Group" + CONTACT-INFO + " Dave Thaler + Microsoft Corporation + One Microsoft Way + Redmond, WA 98052-6399 + EMail: dthaler@microsoft.com" + DESCRIPTION + "The MIB module for management of IP Tunnels, + independent of the specific encapsulation scheme in + use. + + Copyright (C) The Internet Society (2005). This + version of this MIB module is part of RFC 4087; see + the RFC itself for full legal notices." + + REVISION "200505160000Z" -- May 16, 2005 + DESCRIPTION + "IPv4-specific objects were deprecated, including + tunnelIfLocalAddress, tunnelIfRemoteAddress, the + tunnelConfigTable, and the tunnelMIBBasicGroup. + + Added IP version-agnostic objects that should be used + instead, including tunnelIfAddressType, + tunnelIfLocalInetAddress, tunnelIfRemoteInetAddress, + the tunnelInetConfigTable, and the + tunnelIMIBInetGroup. + + The new tunnelIfLocalInetAddress and + tunnelIfRemoteInetAddress objects are read-write, + rather than read-only. + + Updated DESCRIPTION clauses of existing version- + agnostic objects (e.g., tunnelIfTOS) that contained + IPv4-specific text to cover IPv6 as well. + + Added tunnelIfFlowLabel for tunnels over IPv6. + + The encapsulation method was previously an INTEGER + type, and is now an IANA-maintained textual + convention. + + Published as RFC 4087." 
+ REVISION "199908241200Z" -- August 24, 1999 + DESCRIPTION + "Initial version, published as RFC 2667." + ::= { transmission 131 } + +tunnelMIBObjects OBJECT IDENTIFIER ::= { tunnelMIB 1 } + +tunnel OBJECT IDENTIFIER ::= { tunnelMIBObjects 1 } + +-- the IP Tunnel MIB-Group +-- +-- a collection of objects providing information about +-- IP Tunnels + +tunnelIfTable OBJECT-TYPE + SYNTAX SEQUENCE OF TunnelIfEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The (conceptual) table containing information on + configured tunnels." + ::= { tunnel 1 } + +tunnelIfEntry OBJECT-TYPE + SYNTAX TunnelIfEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "An entry (conceptual row) containing the information + on a particular configured tunnel." + INDEX { ifIndex } + ::= { tunnelIfTable 1 } + +TunnelIfEntry ::= SEQUENCE { + tunnelIfLocalAddress IpAddress, -- deprecated + tunnelIfRemoteAddress IpAddress, -- deprecated + tunnelIfEncapsMethod IANAtunnelType, + tunnelIfHopLimit Integer32, + tunnelIfSecurity INTEGER, + tunnelIfTOS Integer32, + tunnelIfFlowLabel IPv6FlowLabelOrAny, + tunnelIfAddressType InetAddressType, + tunnelIfLocalInetAddress InetAddress, + tunnelIfRemoteInetAddress InetAddress, + tunnelIfEncapsLimit Integer32 +} + +tunnelIfLocalAddress OBJECT-TYPE + SYNTAX IpAddress + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The address of the local endpoint of the tunnel + (i.e., the source address used in the outer IP + header), or 0.0.0.0 if unknown or if the tunnel is + over IPv6. + + Since this object does not support IPv6, it is + deprecated in favor of tunnelIfLocalInetAddress." 
+ ::= { tunnelIfEntry 1 } + +tunnelIfRemoteAddress OBJECT-TYPE + SYNTAX IpAddress + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The address of the remote endpoint of the tunnel + (i.e., the destination address used in the outer IP + header), or 0.0.0.0 if unknown, or an IPv6 address, or + + the tunnel is not a point-to-point link (e.g., if it + is a 6to4 tunnel). + + Since this object does not support IPv6, it is + deprecated in favor of tunnelIfRemoteInetAddress." + ::= { tunnelIfEntry 2 } + +tunnelIfEncapsMethod OBJECT-TYPE + SYNTAX IANAtunnelType + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The encapsulation method used by the tunnel." + ::= { tunnelIfEntry 3 } + +tunnelIfHopLimit OBJECT-TYPE + SYNTAX Integer32 (0 | 1..255) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The IPv4 TTL or IPv6 Hop Limit to use in the outer IP + header. A value of 0 indicates that the value is + copied from the payload's header." + ::= { tunnelIfEntry 4 } + +tunnelIfSecurity OBJECT-TYPE + SYNTAX INTEGER { + none(1), -- no security + ipsec(2), -- IPsec security + other(3) + } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The method used by the tunnel to secure the outer IP + header. The value ipsec indicates that IPsec is used + between the tunnel endpoints for authentication or + encryption or both. More specific security-related + information may be available in a MIB module for the + security protocol in use." + ::= { tunnelIfEntry 5 } + +tunnelIfTOS OBJECT-TYPE + SYNTAX Integer32 (-2..63) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The method used to set the high 6 bits (the + + differentiated services codepoint) of the IPv4 TOS or + IPv6 Traffic Class in the outer IP header. A value of + -1 indicates that the bits are copied from the + payload's header. A value of -2 indicates that a + traffic conditioner is invoked and more information + may be available in a traffic conditioner MIB module. 
+ A value between 0 and 63 inclusive indicates that the + bit field is set to the indicated value. + + Note: instead of the name tunnelIfTOS, a better name + would have been tunnelIfDSCPMethod, but the existing + name appeared in RFC 2667 and existing objects cannot + be renamed." + ::= { tunnelIfEntry 6 } + +tunnelIfFlowLabel OBJECT-TYPE + SYNTAX IPv6FlowLabelOrAny + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The method used to set the IPv6 Flow Label value. + This object need not be present in rows where + tunnelIfAddressType indicates the tunnel is not over + IPv6. A value of -1 indicates that a traffic + conditioner is invoked and more information may be + available in a traffic conditioner MIB. Any other + value indicates that the Flow Label field is set to + the indicated value." + ::= { tunnelIfEntry 7 } + +tunnelIfAddressType OBJECT-TYPE + SYNTAX InetAddressType + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The type of address in the corresponding + tunnelIfLocalInetAddress and tunnelIfRemoteInetAddress + objects." + ::= { tunnelIfEntry 8 } + +tunnelIfLocalInetAddress OBJECT-TYPE + SYNTAX InetAddress + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The address of the local endpoint of the tunnel + (i.e., the source address used in the outer IP + header). If the address is unknown, the value is + + 0.0.0.0 for IPv4 or :: for IPv6. The type of this + object is given by tunnelIfAddressType." + ::= { tunnelIfEntry 9 } + +tunnelIfRemoteInetAddress OBJECT-TYPE + SYNTAX InetAddress + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The address of the remote endpoint of the tunnel + (i.e., the destination address used in the outer IP + header). If the address is unknown or the tunnel is + not a point-to-point link (e.g., if it is a 6to4 + tunnel), the value is 0.0.0.0 for tunnels over IPv4 or + :: for tunnels over IPv6. The type of this object is + given by tunnelIfAddressType." 
+ ::= { tunnelIfEntry 10 } + +tunnelIfEncapsLimit OBJECT-TYPE + SYNTAX Integer32 (-1 | 0..255) + MAX-ACCESS read-write + STATUS current + DESCRIPTION + "The maximum number of additional encapsulations + permitted for packets undergoing encapsulation at this + node. A value of -1 indicates that no limit is + present (except as a result of the packet size)." + REFERENCE "RFC 2473, section 4.1.1" + ::= { tunnelIfEntry 11 } + +tunnelConfigTable OBJECT-TYPE + SYNTAX SEQUENCE OF TunnelConfigEntry + MAX-ACCESS not-accessible + STATUS deprecated + DESCRIPTION + "The (conceptual) table containing information on + configured tunnels. This table can be used to map a + set of tunnel endpoints to the associated ifIndex + value. It can also be used for row creation. Note + that every row in the tunnelIfTable with a fixed IPv4 + destination address should have a corresponding row in + the tunnelConfigTable, regardless of whether it was + created via SNMP. + + Since this table does not support IPv6, it is + deprecated in favor of tunnelInetConfigTable." + ::= { tunnel 2 } + +tunnelConfigEntry OBJECT-TYPE + SYNTAX TunnelConfigEntry + MAX-ACCESS not-accessible + STATUS deprecated + DESCRIPTION + "An entry (conceptual row) containing the information + on a particular configured tunnel. + + Since this entry does not support IPv6, it is + deprecated in favor of tunnelInetConfigEntry." 
+ INDEX { tunnelConfigLocalAddress, + tunnelConfigRemoteAddress, + tunnelConfigEncapsMethod, + tunnelConfigID } + ::= { tunnelConfigTable 1 } + +TunnelConfigEntry ::= SEQUENCE { + tunnelConfigLocalAddress IpAddress, + tunnelConfigRemoteAddress IpAddress, + tunnelConfigEncapsMethod IANAtunnelType, + tunnelConfigID Integer32, + tunnelConfigIfIndex InterfaceIndexOrZero, + tunnelConfigStatus RowStatus +} + +tunnelConfigLocalAddress OBJECT-TYPE + SYNTAX IpAddress + MAX-ACCESS not-accessible + STATUS deprecated + DESCRIPTION + "The address of the local endpoint of the tunnel, or + 0.0.0.0 if the device is free to choose any of its + addresses at tunnel establishment time. + + Since this object does not support IPv6, it is + deprecated in favor of tunnelInetConfigLocalAddress." + ::= { tunnelConfigEntry 1 } + +tunnelConfigRemoteAddress OBJECT-TYPE + SYNTAX IpAddress + MAX-ACCESS not-accessible + STATUS deprecated + DESCRIPTION + "The address of the remote endpoint of the tunnel. + + Since this object does not support IPv6, it is + deprecated in favor of tunnelInetConfigRemoteAddress." + ::= { tunnelConfigEntry 2 } + +tunnelConfigEncapsMethod OBJECT-TYPE + SYNTAX IANAtunnelType + MAX-ACCESS not-accessible + STATUS deprecated + DESCRIPTION + "The encapsulation method used by the tunnel. + + Since this object does not support IPv6, it is + deprecated in favor of tunnelInetConfigEncapsMethod." + ::= { tunnelConfigEntry 3 } + +tunnelConfigID OBJECT-TYPE + SYNTAX Integer32 (1..2147483647) + MAX-ACCESS not-accessible + STATUS deprecated + DESCRIPTION + "An identifier used to distinguish between multiple + tunnels of the same encapsulation method, with the + same endpoints. If the encapsulation protocol only + allows one tunnel per set of endpoint addresses (such + as for GRE or IP-in-IP), the value of this object is + 1. 
For encapsulation methods (such as L2F) which + allow multiple parallel tunnels, the manager is + responsible for choosing any ID which does not + conflict with an existing row, such as choosing a + random number. + + Since this object does not support IPv6, it is + deprecated in favor of tunnelInetConfigID." + ::= { tunnelConfigEntry 4 } + +tunnelConfigIfIndex OBJECT-TYPE + SYNTAX InterfaceIndexOrZero + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "If the value of tunnelConfigStatus for this row is + active, then this object contains the value of ifIndex + corresponding to the tunnel interface. A value of 0 + is not legal in the active state, and means that the + interface index has not yet been assigned. + + Since this object does not support IPv6, it is + deprecated in favor of tunnelInetConfigIfIndex." + ::= { tunnelConfigEntry 5 } + +tunnelConfigStatus OBJECT-TYPE + SYNTAX RowStatus + MAX-ACCESS read-create + STATUS deprecated + DESCRIPTION + "The status of this row, by which new entries may be + created, or old entries deleted from this table. The + agent need not support setting this object to + createAndWait or notInService since there are no other + writable objects in this table, and writable objects + in rows of corresponding tables such as the + tunnelIfTable may be modified while this row is + active. + + To create a row in this table for an encapsulation + method which does not support multiple parallel + tunnels with the same endpoints, the management + station should simply use a tunnelConfigID of 1, and + set tunnelConfigStatus to createAndGo. For + encapsulation methods such as L2F which allow multiple + parallel tunnels, the management station may select a + pseudo-random number to use as the tunnelConfigID and + set tunnelConfigStatus to createAndGo. 
In the event + that this ID is already in use and an + inconsistentValue is returned in response to the set + operation, the management station should simply select + a new pseudo-random number and retry the operation. + + Creating a row in this table will cause an interface + index to be assigned by the agent in an + implementation-dependent manner, and corresponding + rows will be instantiated in the ifTable and the + tunnelIfTable. The status of this row will become + active as soon as the agent assigns the interface + index, regardless of whether the interface is + operationally up. + + Deleting a row in this table will likewise delete the + corresponding row in the ifTable and in the + tunnelIfTable. + + Since this object does not support IPv6, it is + deprecated in favor of tunnelInetConfigStatus." + ::= { tunnelConfigEntry 6 } + +tunnelInetConfigTable OBJECT-TYPE + SYNTAX SEQUENCE OF TunnelInetConfigEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The (conceptual) table containing information on + configured tunnels. This table can be used to map a + set of tunnel endpoints to the associated ifIndex + value. It can also be used for row creation. Note + that every row in the tunnelIfTable with a fixed + destination address should have a corresponding row in + the tunnelInetConfigTable, regardless of whether it + was created via SNMP." + ::= { tunnel 3 } + +tunnelInetConfigEntry OBJECT-TYPE + SYNTAX TunnelInetConfigEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "An entry (conceptual row) containing the information + on a particular configured tunnel. Note that there is + a 128 subid maximum for object OIDs. Implementers + need to be aware that if the total number of octets in + tunnelInetConfigLocalAddress and + tunnelInetConfigRemoteAddress exceeds 110 then OIDs of + column instances in this table will have more than 128 + sub-identifiers and cannot be accessed using SNMPv1, + SNMPv2c, or SNMPv3. 
In practice this is not expected + to be a problem since IPv4 and IPv6 addresses will not + cause the limit to be reached, but if other types are + supported by an agent, care must be taken to ensure + that the sum of the lengths do not cause the limit to + be exceeded." + INDEX { tunnelInetConfigAddressType, + tunnelInetConfigLocalAddress, + tunnelInetConfigRemoteAddress, + tunnelInetConfigEncapsMethod, + tunnelInetConfigID } + ::= { tunnelInetConfigTable 1 } + +TunnelInetConfigEntry ::= SEQUENCE { + tunnelInetConfigAddressType InetAddressType, + tunnelInetConfigLocalAddress InetAddress, + tunnelInetConfigRemoteAddress InetAddress, + tunnelInetConfigEncapsMethod IANAtunnelType, + tunnelInetConfigID Integer32, + tunnelInetConfigIfIndex InterfaceIndexOrZero, + tunnelInetConfigStatus RowStatus, + tunnelInetConfigStorageType StorageType +} + +tunnelInetConfigAddressType OBJECT-TYPE + SYNTAX InetAddressType + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The address type over which the tunnel encapsulates + packets." + ::= { tunnelInetConfigEntry 1 } + +tunnelInetConfigLocalAddress OBJECT-TYPE + SYNTAX InetAddress + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The address of the local endpoint of the tunnel, or + 0.0.0.0 (for IPv4) or :: (for IPv6) if the device is + free to choose any of its addresses at tunnel + establishment time." + ::= { tunnelInetConfigEntry 2 } + +tunnelInetConfigRemoteAddress OBJECT-TYPE + SYNTAX InetAddress + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The address of the remote endpoint of the tunnel." + ::= { tunnelInetConfigEntry 3 } + +tunnelInetConfigEncapsMethod OBJECT-TYPE + SYNTAX IANAtunnelType + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The encapsulation method used by the tunnel." 
+ ::= { tunnelInetConfigEntry 4 } + +tunnelInetConfigID OBJECT-TYPE + SYNTAX Integer32 (1..2147483647) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "An identifier used to distinguish between multiple + tunnels of the same encapsulation method, with the + same endpoints. If the encapsulation protocol only + allows one tunnel per set of endpoint addresses (such + as for GRE or IP-in-IP), the value of this object is + 1. For encapsulation methods (such as L2F) which + allow multiple parallel tunnels, the manager is + responsible for choosing any ID which does not + + conflict with an existing row, such as choosing a + random number." + ::= { tunnelInetConfigEntry 5 } + +tunnelInetConfigIfIndex OBJECT-TYPE + SYNTAX InterfaceIndexOrZero + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "If the value of tunnelInetConfigStatus for this row + is active, then this object contains the value of + ifIndex corresponding to the tunnel interface. A + value of 0 is not legal in the active state, and means + that the interface index has not yet been assigned." + ::= { tunnelInetConfigEntry 6 } + +tunnelInetConfigStatus OBJECT-TYPE + SYNTAX RowStatus + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The status of this row, by which new entries may be + created, or old entries deleted from this table. The + agent need not support setting this object to + createAndWait or notInService since there are no other + writable objects in this table, and writable objects + in rows of corresponding tables such as the + tunnelIfTable may be modified while this row is + active. + + To create a row in this table for an encapsulation + method which does not support multiple parallel + tunnels with the same endpoints, the management + station should simply use a tunnelInetConfigID of 1, + and set tunnelInetConfigStatus to createAndGo. 
For + encapsulation methods such as L2F which allow multiple + parallel tunnels, the management station may select a + pseudo-random number to use as the tunnelInetConfigID + and set tunnelInetConfigStatus to createAndGo. In the + event that this ID is already in use and an + inconsistentValue is returned in response to the set + operation, the management station should simply select + a new pseudo-random number and retry the operation. + + Creating a row in this table will cause an interface + index to be assigned by the agent in an + implementation-dependent manner, and corresponding + rows will be instantiated in the ifTable and the + + tunnelIfTable. The status of this row will become + active as soon as the agent assigns the interface + index, regardless of whether the interface is + operationally up. + + Deleting a row in this table will likewise delete the + corresponding row in the ifTable and in the + tunnelIfTable." + ::= { tunnelInetConfigEntry 7 } + +tunnelInetConfigStorageType OBJECT-TYPE + SYNTAX StorageType + MAX-ACCESS read-create + STATUS current + DESCRIPTION + "The storage type of this row. If the row is + permanent(4), no objects in the row need be writable." + ::= { tunnelInetConfigEntry 8 } + +-- conformance information + +tunnelMIBConformance + OBJECT IDENTIFIER ::= { tunnelMIB 2 } +tunnelMIBCompliances + OBJECT IDENTIFIER ::= { tunnelMIBConformance 1 } +tunnelMIBGroups OBJECT IDENTIFIER ::= { tunnelMIBConformance 2 } + +-- compliance statements + +tunnelMIBCompliance MODULE-COMPLIANCE + STATUS deprecated + DESCRIPTION + "The (deprecated) IPv4-only compliance statement for + the IP Tunnel MIB. + + This is deprecated in favor of + tunnelMIBInetFullCompliance and + tunnelMIBInetReadOnlyCompliance." + MODULE -- this module + MANDATORY-GROUPS { tunnelMIBBasicGroup } + + OBJECT tunnelIfHopLimit + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required." 
+ + OBJECT tunnelIfTOS + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required." + + OBJECT tunnelConfigStatus + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required." + ::= { tunnelMIBCompliances 1 } + +tunnelMIBInetFullCompliance MODULE-COMPLIANCE + STATUS current + DESCRIPTION + "The full compliance statement for the IP Tunnel MIB." + MODULE -- this module + MANDATORY-GROUPS { tunnelMIBInetGroup } + + OBJECT tunnelIfAddressType + SYNTAX InetAddressType { ipv4(1), ipv6(2), + ipv4z(3), ipv6z(4) } + DESCRIPTION + "An implementation is only required to support IPv4 + and/or IPv6 addresses. An implementation only needs to + support the addresses it actually supports on the + device." + ::= { tunnelMIBCompliances 2 } + +tunnelMIBInetReadOnlyCompliance MODULE-COMPLIANCE + STATUS current + DESCRIPTION + "The read-only compliance statement for the IP Tunnel + MIB." + MODULE -- this module + MANDATORY-GROUPS { tunnelMIBInetGroup } + + OBJECT tunnelIfHopLimit + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required." + + OBJECT tunnelIfTOS + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required." + + OBJECT tunnelIfFlowLabel + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required." + + OBJECT tunnelIfAddressType + SYNTAX InetAddressType { ipv4(1), ipv6(2), + ipv4z(3), ipv6z(4) } + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required. + + An implementation is only required to support IPv4 + and/or IPv6 addresses. An implementation only needs to + support the addresses it actually supports on the + device." + + OBJECT tunnelIfLocalInetAddress + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required." + + OBJECT tunnelIfRemoteInetAddress + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required." + + OBJECT tunnelIfEncapsLimit + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required." 
+ + OBJECT tunnelInetConfigStatus + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required, and active is the only + status that needs to be supported." + + OBJECT tunnelInetConfigStorageType + MIN-ACCESS read-only + DESCRIPTION + "Write access is not required." + ::= { tunnelMIBCompliances 3 } + +-- units of conformance + +tunnelMIBBasicGroup OBJECT-GROUP + OBJECTS { tunnelIfLocalAddress, tunnelIfRemoteAddress, + tunnelIfEncapsMethod, tunnelIfHopLimit, tunnelIfTOS, + tunnelIfSecurity, tunnelConfigIfIndex, tunnelConfigStatus } + STATUS deprecated + DESCRIPTION + "A collection of objects to support basic management + + of IPv4 Tunnels. Since this group cannot support + IPv6, it is deprecated in favor of + tunnelMIBInetGroup." + ::= { tunnelMIBGroups 1 } + +tunnelMIBInetGroup OBJECT-GROUP + OBJECTS { tunnelIfAddressType, tunnelIfLocalInetAddress, + tunnelIfRemoteInetAddress, tunnelIfEncapsMethod, + tunnelIfEncapsLimit, + tunnelIfHopLimit, tunnelIfTOS, tunnelIfFlowLabel, + tunnelIfSecurity, tunnelInetConfigIfIndex, + tunnelInetConfigStatus, tunnelInetConfigStorageType } + STATUS current + DESCRIPTION + "A collection of objects to support basic management + of IPv4 and IPv6 Tunnels." + ::= { tunnelMIBGroups 2 } + +END diff --git a/mibs/UDP-MIB.txt b/mibs/UDP-MIB.txt new file mode 100644 index 000000000..eec9dbadb --- /dev/null +++ b/mibs/UDP-MIB.txt 
@@ -0,0 +1,549 @@ +UDP-MIB DEFINITIONS ::= BEGIN + +IMPORTS + MODULE-IDENTITY, OBJECT-TYPE, Integer32, Counter32, Counter64, + Unsigned32, IpAddress, mib-2 FROM SNMPv2-SMI + MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF + InetAddress, InetAddressType, + InetPortNumber FROM INET-ADDRESS-MIB; + +udpMIB MODULE-IDENTITY + LAST-UPDATED "200505200000Z" -- May 20, 2005 + ORGANIZATION + "IETF IPv6 Working Group + http://www.ietf.org/html.charters/ipv6-charter.html" + CONTACT-INFO + "Bill Fenner (editor) + + AT&T Labs -- Research + 75 Willow Rd. + Menlo Park, CA 94025 + + Phone: +1 650 330-7893 + Email: <fenner@research.att.com> + + John Flick (editor) + + Hewlett-Packard Company + 8000 Foothills Blvd. M/S 5557 + Roseville, CA 95747 + + Phone: +1 916 785 4018 + Email: <john.flick@hp.com> + + Send comments to <ipv6@ietf.org>" + DESCRIPTION + "The MIB module for managing UDP implementations. + Copyright (C) The Internet Society (2005). This + version of this MIB module is part of RFC 4113; + see the RFC itself for full legal notices." + REVISION "200505200000Z" -- May 20, 2005 + DESCRIPTION + "IP version neutral revision, incorporating the + following revisions: + + - Added udpHCInDatagrams and udpHCOutDatagrams in order + to provide high-capacity counters for fast networks. + - Added text to the descriptions of all counter objects + to indicate how discontinuities are detected. + - Deprecated the IPv4-specific udpTable and replaced it + with the version neutral udpEndpointTable. This + table includes support for connected UDP endpoints + and support for identification of the operating + system process associated with a UDP endpoint. + - Deprecated the udpGroup and replaced it with object + groups representing the current set of objects. + - Deprecated udpMIBCompliance and replaced it with + udpMIBCompliance2, which includes the compliance + information for the new object groups. + + This version published as RFC 4113." 
+ REVISION "199411010000Z" -- November 1, 1994 + DESCRIPTION + "Initial SMIv2 version, published as RFC 2013." + REVISION "199103310000Z" -- March 31, 1991 + DESCRIPTION + "The initial revision of this MIB module was part of + MIB-II, published as RFC 1213." + ::= { mib-2 50 } + +-- the UDP group + +udp OBJECT IDENTIFIER ::= { mib-2 7 } + +udpInDatagrams OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The total number of UDP datagrams delivered to UDP + users. + + Discontinuities in the value of this counter can occur + at re-initialization of the management system, and at + other times as indicated by discontinuities in the + value of sysUpTime." + ::= { udp 1 } + +udpNoPorts OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The total number of received UDP datagrams for which + there was no application at the destination port. + + Discontinuities in the value of this counter can occur + at re-initialization of the management system, and at + other times as indicated by discontinuities in the + value of sysUpTime." + ::= { udp 2 } + +udpInErrors OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The number of received UDP datagrams that could not be + delivered for reasons other than the lack of an + application at the destination port. + + Discontinuities in the value of this counter can occur + at re-initialization of the management system, and at + other times as indicated by discontinuities in the + value of sysUpTime." + ::= { udp 3 } + +udpOutDatagrams OBJECT-TYPE + SYNTAX Counter32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The total number of UDP datagrams sent from this + entity. + + Discontinuities in the value of this counter can occur + at re-initialization of the management system, and at + other times as indicated by discontinuities in the + value of sysUpTime." 
+ ::= { udp 4 } + +udpHCInDatagrams OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The total number of UDP datagrams delivered to UDP + users, for devices that can receive more than 1 + million UDP datagrams per second. + + Discontinuities in the value of this counter can occur + at re-initialization of the management system, and at + other times as indicated by discontinuities in the + value of sysUpTime." + ::= { udp 8 } + +udpHCOutDatagrams OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The total number of UDP datagrams sent from this + entity, for devices that can transmit more than 1 + million UDP datagrams per second. + + Discontinuities in the value of this counter can occur + at re-initialization of the management system, and at + other times as indicated by discontinuities in the + value of sysUpTime." + ::= { udp 9 } + +-- +-- { udp 6 } was defined as the ipv6UdpTable in RFC2454's +-- IPV6-UDP-MIB. This RFC obsoletes RFC 2454, so { udp 6 } is +-- obsoleted. +-- + +-- The UDP "Endpoint" table. + +udpEndpointTable OBJECT-TYPE + SYNTAX SEQUENCE OF UdpEndpointEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "A table containing information about this entity's UDP + endpoints on which a local application is currently + accepting or sending datagrams. + + The address type in this table represents the address + type used for the communication, irrespective of the + higher-layer abstraction. For example, an application + using IPv6 'sockets' to communicate via IPv4 between + ::ffff:10.0.0.1 and ::ffff:10.0.0.2 would use + InetAddressType ipv4(1). + + Unlike the udpTable in RFC 2013, this table also allows + the representation of an application that completely + specifies both local and remote addresses and ports. 
A + listening application is represented in three possible + ways: + + 1) An application that is willing to accept both IPv4 + and IPv6 datagrams is represented by a + udpEndpointLocalAddressType of unknown(0) and a + udpEndpointLocalAddress of ''h (a zero-length + octet-string). + + 2) An application that is willing to accept only IPv4 + or only IPv6 datagrams is represented by a + udpEndpointLocalAddressType of the appropriate + address type and a udpEndpointLocalAddress of + '0.0.0.0' or '::' respectively. + + 3) An application that is listening for datagrams only + for a specific IP address but from any remote + system is represented by a + udpEndpointLocalAddressType of the appropriate + address type, with udpEndpointLocalAddress + specifying the local address. + + In all cases where the remote is a wildcard, the + udpEndpointRemoteAddressType is unknown(0), the + udpEndpointRemoteAddress is ''h (a zero-length + octet-string), and the udpEndpointRemotePort is 0. + + If the operating system is demultiplexing UDP packets + by remote address and port, or if the application has + 'connected' the socket specifying a default remote + address and port, the udpEndpointRemote* values should + be used to reflect this." + ::= { udp 7 } + +udpEndpointEntry OBJECT-TYPE + SYNTAX UdpEndpointEntry + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "Information about a particular current UDP endpoint. + + Implementers need to be aware that if the total number + of elements (octets or sub-identifiers) in + udpEndpointLocalAddress and udpEndpointRemoteAddress + exceeds 111, then OIDs of column instances in this table + will have more than 128 sub-identifiers and cannot be + accessed using SNMPv1, SNMPv2c, or SNMPv3." 
+ INDEX { udpEndpointLocalAddressType, + udpEndpointLocalAddress, + udpEndpointLocalPort, + udpEndpointRemoteAddressType, + udpEndpointRemoteAddress, + udpEndpointRemotePort, + udpEndpointInstance } + ::= { udpEndpointTable 1 } + +UdpEndpointEntry ::= SEQUENCE { + udpEndpointLocalAddressType InetAddressType, + udpEndpointLocalAddress InetAddress, + udpEndpointLocalPort InetPortNumber, + udpEndpointRemoteAddressType InetAddressType, + udpEndpointRemoteAddress InetAddress, + udpEndpointRemotePort InetPortNumber, + udpEndpointInstance Unsigned32, + udpEndpointProcess Unsigned32 + } + +udpEndpointLocalAddressType OBJECT-TYPE + SYNTAX InetAddressType + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The address type of udpEndpointLocalAddress. Only + IPv4, IPv4z, IPv6, and IPv6z addresses are expected, or + unknown(0) if datagrams for all local IP addresses are + accepted." + ::= { udpEndpointEntry 1 } + +udpEndpointLocalAddress OBJECT-TYPE + SYNTAX InetAddress + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The local IP address for this UDP endpoint. + + The value of this object can be represented in three + + possible ways, depending on the characteristics of the + listening application: + + 1. For an application that is willing to accept both + IPv4 and IPv6 datagrams, the value of this object + must be ''h (a zero-length octet-string), with + the value of the corresponding instance of the + udpEndpointLocalAddressType object being unknown(0). + + 2. For an application that is willing to accept only IPv4 + or only IPv6 datagrams, the value of this object + must be '0.0.0.0' or '::', respectively, while the + corresponding instance of the + udpEndpointLocalAddressType object represents the + appropriate address type. + + 3. 
For an application that is listening for data + destined only to a specific IP address, the value + of this object is the specific IP address for which + this node is receiving packets, with the + corresponding instance of the + udpEndpointLocalAddressType object representing the + appropriate address type. + + As this object is used in the index for the + udpEndpointTable, implementors of this table should be + careful not to create entries that would result in OIDs + with more than 128 subidentifiers; else the information + cannot be accessed using SNMPv1, SNMPv2c, or SNMPv3." + ::= { udpEndpointEntry 2 } + +udpEndpointLocalPort OBJECT-TYPE + SYNTAX InetPortNumber + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The local port number for this UDP endpoint." + ::= { udpEndpointEntry 3 } + +udpEndpointRemoteAddressType OBJECT-TYPE + SYNTAX InetAddressType + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The address type of udpEndpointRemoteAddress. Only + IPv4, IPv4z, IPv6, and IPv6z addresses are expected, or + unknown(0) if datagrams for all remote IP addresses are + accepted. Also, note that some combinations of + + udpEndpointLocalAdressType and + udpEndpointRemoteAddressType are not supported. In + particular, if the value of this object is not + unknown(0), it is expected to always refer to the + same IP version as udpEndpointLocalAddressType." + ::= { udpEndpointEntry 4 } + +udpEndpointRemoteAddress OBJECT-TYPE + SYNTAX InetAddress + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The remote IP address for this UDP endpoint. If + datagrams from any remote system are to be accepted, + this value is ''h (a zero-length octet-string). + Otherwise, it has the type described by + udpEndpointRemoteAddressType and is the address of the + remote system from which datagrams are to be accepted + (or to which all datagrams will be sent). 
+ + As this object is used in the index for the + udpEndpointTable, implementors of this table should be + careful not to create entries that would result in OIDs + with more than 128 subidentifiers; else the information + cannot be accessed using SNMPv1, SNMPv2c, or SNMPv3." + ::= { udpEndpointEntry 5 } + +udpEndpointRemotePort OBJECT-TYPE + SYNTAX InetPortNumber + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The remote port number for this UDP endpoint. If + datagrams from any remote system are to be accepted, + this value is zero." + ::= { udpEndpointEntry 6 } + +udpEndpointInstance OBJECT-TYPE + SYNTAX Unsigned32 (1..'ffffffff'h) + MAX-ACCESS not-accessible + STATUS current + DESCRIPTION + "The instance of this tuple. This object is used to + distinguish among multiple processes 'connected' to + the same UDP endpoint. For example, on a system + implementing the BSD sockets interface, this would be + used to support the SO_REUSEADDR and SO_REUSEPORT + socket options." + ::= { udpEndpointEntry 7 } + +udpEndpointProcess OBJECT-TYPE + SYNTAX Unsigned32 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The system's process ID for the process associated with + this endpoint, or zero if there is no such process. + This value is expected to be the same as + HOST-RESOURCES-MIB::hrSWRunIndex or SYSAPPL-MIB:: + sysApplElmtRunIndex for some row in the appropriate + tables." + ::= { udpEndpointEntry 8 } + +-- The deprecated UDP Listener table + +-- The deprecated UDP listener table only contains information +-- about this entity's IPv4 UDP end-points on which a local +-- application is currently accepting datagrams. It does not +-- provide more detailed connection information, or information +-- about IPv6 endpoints. + +udpTable OBJECT-TYPE + SYNTAX SEQUENCE OF UdpEntry + MAX-ACCESS not-accessible + STATUS deprecated + DESCRIPTION + "A table containing IPv4-specific UDP listener + information. 
It contains information about all local + IPv4 UDP end-points on which an application is + currently accepting datagrams. This table has been + deprecated in favor of the version neutral + udpEndpointTable." + ::= { udp 5 } + +udpEntry OBJECT-TYPE + SYNTAX UdpEntry + MAX-ACCESS not-accessible + STATUS deprecated + DESCRIPTION + "Information about a particular current UDP listener." + INDEX { udpLocalAddress, udpLocalPort } + ::= { udpTable 1 } + +UdpEntry ::= SEQUENCE { + udpLocalAddress IpAddress, + udpLocalPort Integer32 + +} + +udpLocalAddress OBJECT-TYPE + SYNTAX IpAddress + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The local IP address for this UDP listener. In the + case of a UDP listener that is willing to accept + datagrams for any IP interface associated with the + node, the value 0.0.0.0 is used." + ::= { udpEntry 1 } + +udpLocalPort OBJECT-TYPE + SYNTAX Integer32 (0..65535) + MAX-ACCESS read-only + STATUS deprecated + DESCRIPTION + "The local port number for this UDP listener." + ::= { udpEntry 2 } + +-- conformance information + +udpMIBConformance OBJECT IDENTIFIER ::= { udpMIB 2 } +udpMIBCompliances OBJECT IDENTIFIER ::= { udpMIBConformance 1 } +udpMIBGroups OBJECT IDENTIFIER ::= { udpMIBConformance 2 } + +-- compliance statements + +udpMIBCompliance2 MODULE-COMPLIANCE + STATUS current + DESCRIPTION + "The compliance statement for systems that implement + UDP. + + There are a number of INDEX objects that cannot be + represented in the form of OBJECT clauses in SMIv2, but + for which we have the following compliance + requirements, expressed in OBJECT clause form in this + description clause: + + -- OBJECT udpEndpointLocalAddressType + -- SYNTAX InetAddressType { unknown(0), ipv4(1), + -- ipv6(2), ipv4z(3), + -- ipv6z(4) } + -- DESCRIPTION + -- Support for dns(5) is not required. 
+ -- OBJECT udpEndpointLocalAddress + + -- SYNTAX InetAddress (SIZE(0|4|8|16|20)) + -- DESCRIPTION + -- Support is only required for zero-length + -- octet-strings, and for scoped and unscoped + -- IPv4 and IPv6 addresses. + -- OBJECT udpEndpointRemoteAddressType + -- SYNTAX InetAddressType { unknown(0), ipv4(1), + -- ipv6(2), ipv4z(3), + -- ipv6z(4) } + -- DESCRIPTION + -- Support for dns(5) is not required. + -- OBJECT udpEndpointRemoteAddress + -- SYNTAX InetAddress (SIZE(0|4|8|16|20)) + -- DESCRIPTION + -- Support is only required for zero-length + -- octet-strings, and for scoped and unscoped + -- IPv4 and IPv6 addresses. + " + MODULE -- this module + MANDATORY-GROUPS { udpBaseGroup, udpEndpointGroup } + GROUP udpHCGroup + DESCRIPTION + "This group is mandatory for systems that + are capable of receiving or transmitting more than + 1 million UDP datagrams per second. 1 million + datagrams per second will cause a Counter32 to + wrap in just over an hour." + ::= { udpMIBCompliances 2 } + +udpMIBCompliance MODULE-COMPLIANCE + STATUS deprecated + DESCRIPTION + "The compliance statement for IPv4-only systems that + implement UDP. For IP version independence, this + compliance statement is deprecated in favor of + udpMIBCompliance2. However, agents are still + encouraged to implement these objects in order to + interoperate with the deployed base of managers." + MODULE -- this module + MANDATORY-GROUPS { udpGroup } + ::= { udpMIBCompliances 1 } + +-- units of conformance + +udpGroup OBJECT-GROUP + OBJECTS { udpInDatagrams, udpNoPorts, + udpInErrors, udpOutDatagrams, + udpLocalAddress, udpLocalPort } + STATUS deprecated + DESCRIPTION + "The deprecated group of objects providing for + management of UDP over IPv4." + ::= { udpMIBGroups 1 } + +udpBaseGroup OBJECT-GROUP + OBJECTS { udpInDatagrams, udpNoPorts, udpInErrors, + udpOutDatagrams } + STATUS current + DESCRIPTION + "The group of objects providing for counters of UDP + statistics." 
+ ::= { udpMIBGroups 2 } + +udpHCGroup OBJECT-GROUP + OBJECTS { udpHCInDatagrams, udpHCOutDatagrams } + STATUS current + DESCRIPTION + "The group of objects providing for counters of high + speed UDP implementations." + ::= { udpMIBGroups 3 } + +udpEndpointGroup OBJECT-GROUP + OBJECTS { udpEndpointProcess } + STATUS current + DESCRIPTION + "The group of objects providing for the IP version + independent management of UDP 'endpoints'." + ::= { udpMIBGroups 4 } + +END diff --git a/mibs/VYATTA-TRAP-MIB.txt b/mibs/VYATTA-TRAP-MIB.txt new file mode 100644 index 000000000..9983c2947 --- /dev/null +++ b/mibs/VYATTA-TRAP-MIB.txt 
@@ -0,0 +1,97 @@ +VYATTA-TRAP-MIB DEFINITIONS ::= BEGIN + + IMPORTS + MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, enterprises + FROM SNMPv2-SMI + MODULE-COMPLIANCE, OBJECT-GROUP + FROM SNMPv2-CONF + ; + + vyattaTrap MODULE-IDENTITY + LAST-UPDATED "201305060000Z" -- May 6, 2013 + ORGANIZATION "Vyatta, A Brocade Company" + CONTACT-INFO + " Support + Postal: Vyatta, A Brocade Company + 1301 Shoreway Road Suite 200 + Belmont, California 94002 + Tel: +1 650 413 7200 + E-Mail: support@vyatta.com" + DESCRIPTION + "The MIB module to describe traps for the Vyatta + Router." + ::= { enterprises 30803 1 } + + +-- Trap Support Objects + +mgmtTrap OBJECT IDENTIFIER ::= { vyattaTrap 1 } +mgmtEventObjects OBJECT IDENTIFIER ::= { mgmtTrap 1 } +mgmtEvent OBJECT IDENTIFIER ::= { mgmtTrap 2 } + +mgmtEventUser OBJECT-TYPE + SYNTAX OCTET STRING + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The user that initiated the event the trap is reporting." + ::= { mgmtEventObjects 1 } + + +mgmtEventSource OBJECT-TYPE + SYNTAX INTEGER { + unknown (0), + firewall (1) } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The source of the event the trap is reporting." + ::= { mgmtEventObjects 2 } + + +mgmtEventType OBJECT-TYPE + SYNTAX INTEGER { + unknown (0), + added (1), + deleted (2), + changed (3) } + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The event type the trap is reporting." + ::= { mgmtEventObjects 3 } + + +mgmtEventPrevCfg OBJECT-TYPE + SYNTAX OCTET STRING + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The previous configuration. This field is only valid + for mgmtEventType deleted and changed." + ::= { mgmtEventObjects 4 } + +mgmtEventCurrCfg OBJECT-TYPE + SYNTAX OCTET STRING + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "The current configuration. This field is only valid + for mgmtEventType added and changed." 
+ ::= { mgmtEventObjects 5 }
+
+
+-- Traps
+
+ mgmtEventTrap NOTIFICATION-TYPE
+ OBJECTS { mgmtEventUser,
+ mgmtEventSource,
+ mgmtEventType,
+ mgmtEventPrevCfg,
+ mgmtEventCurrCfg }
+ STATUS current
+ DESCRIPTION
+ "Notification of a configuration related event."
+ ::= { mgmtEvent 1 }
+
+END
diff --git a/op-mode-definitions/clear-log.xml.in b/op-mode-definitions/clear-log.xml.in
new file mode 100644
index 000000000..1f4a1aacd
--- /dev/null
+++ b/op-mode-definitions/clear-log.xml.in
@@ -0,0 +1,13 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+ <node name="clear">
+ <children>
+ <leafNode name="log">
+ <properties>
+ <help>Clear contents of current master log file</help>
+ </properties>
+ <command>sudo journalctl --rotate --vacuum-time=1s</command>
+ </leafNode>
+ </children>
+ </node>
+</interfaceDefinition>
diff --git a/op-mode-definitions/connect.xml.in b/op-mode-definitions/connect.xml.in
index 1ec62949a..8f19eac70 100644
--- a/op-mode-definitions/connect.xml.in
+++ b/op-mode-definitions/connect.xml.in
@@ -19,7 +19,7 @@
 <help>Bring up a connection-oriented network interface</help>
 <completionHelp>
 <path>interfaces pppoe</path>
- <path>interfaces wirelessmodem</path>
+ <path>interfaces wwan</path>
 </completionHelp>
 </properties>
 <command>sudo ${vyos_op_scripts_dir}/connect_disconnect.py --connect "$3"</command>
diff --git a/op-mode-definitions/conntrack-sync.xml.in b/op-mode-definitions/conntrack-sync.xml.in
index d1d3bf744..41a71b04a 100644
--- a/op-mode-definitions/conntrack-sync.xml.in
+++ b/op-mode-definitions/conntrack-sync.xml.in
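Review bot: The help text `Clear contents of current master log file` understates what the new clear-log command does: `journalctl --rotate --vacuum-time=1s` first archives the active journal files and then deletes every archived file older than one second, so all retained journal history on the system is discarded, not only the current file. Because this removes audit evidence and runs under sudo, the help should state the real scope, e.g. `<help>Clear system journal (discards all retained log history)</help>`, so an operator who still needs the records knows to export them before running it.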
@@ -11,13 +11,13 @@
 <properties>
 <help>Reset external cache and request resync with other systems</help>
 </properties>
- <command>${vyos_op_scripts_dir}/conntrack_sync.py --reset-cache-external</command>
+ <command>sudo ${vyos_op_scripts_dir}/conntrack_sync.py --reset-cache-external</command>
 </leafNode>
 <leafNode name="internal-cache">
 <properties>
 <help>Reset internal cache and request resync with other systems</help>
 </properties>
- <command>${vyos_op_scripts_dir}/conntrack_sync.py --reset-cache-internal</command>
+ <command>sudo ${vyos_op_scripts_dir}/conntrack_sync.py --reset-cache-internal</command>
 </leafNode>
 </children>
 </node>
@@ -29,7 +29,7 @@
 <properties>
 <help>Restart connection tracking synchronization service</help>
 </properties>
- <command>${vyos_op_scripts_dir}/conntrack_sync.py --restart</command>
+ <command>sudo ${vyos_op_scripts_dir}/conntrack_sync.py --restart</command>
 </leafNode>
 </children>
 </node>
@@ -49,19 +49,19 @@
 <properties>
 <help>Show external connection tracking cache entries</help>
 </properties>
- <command>${vyos_op_scripts_dir}/conntrack_sync.py --show-external; ${vyos_op_scripts_dir}/conntrack_sync.py --show-external-expect</command>
+ <command>sudo ${vyos_op_scripts_dir}/conntrack_sync.py --show-external; ${vyos_op_scripts_dir}/conntrack_sync.py --show-external-expect</command>
 <children>
 <leafNode name="main">
 <properties>
 <help>Show external main connection tracking cache entries</help>
 </properties>
- <command>${vyos_op_scripts_dir}/conntrack_sync.py --show-external</command>
+ <command>sudo ${vyos_op_scripts_dir}/conntrack_sync.py --show-external</command>
 </leafNode>
 <leafNode name="expect">
 <properties>
 <help>Show external expect connection tracking cache entries</help>
 </properties>
- <command>${vyos_op_scripts_dir}/conntrack_sync.py --show-external-expect</command>
+ <command>sudo ${vyos_op_scripts_dir}/conntrack_sync.py --show-external-expect</command>
 </leafNode>
 </children>
 </node>
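Review bot: In the `@@ -49` hunk the aggregate `external` command prefixes only the first half of the `;`-chained pair with `sudo`, so `conntrack_sync.py --show-external-expect` still runs unprivileged there while the `expect` leaf directly below now runs the same invocation under sudo; the `internal` aggregate in the `@@ -69` hunk has the identical inconsistency. If the script needs root for every mode, both halves should get it: `<command>sudo ${vyos_op_scripts_dir}/conntrack_sync.py --show-external; sudo ${vyos_op_scripts_dir}/conntrack_sync.py --show-external-expect</command>`. Joining the two with `&&` instead of `;` would also stop the second listing from running after a failed first one, which is probably what an operator expects.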
@@ -69,19 +69,19 @@
 <properties>
 <help>Show internal connection tracking cache entries</help>
 </properties>
- <command>${vyos_op_scripts_dir}/conntrack_sync.py --show-internal; ${vyos_op_scripts_dir}/conntrack_sync.py --show-internal-expect</command>
+ <command>sudo ${vyos_op_scripts_dir}/conntrack_sync.py --show-internal; ${vyos_op_scripts_dir}/conntrack_sync.py --show-internal-expect</command>
 <children>
 <leafNode name="main">
 <properties>
 <help>Show internal main connection tracking cache entries</help>
 </properties>
- <command>${vyos_op_scripts_dir}/conntrack_sync.py --show-internal</command>
+ <command>sudo ${vyos_op_scripts_dir}/conntrack_sync.py --show-internal</command>
 </leafNode>
 <leafNode name="expect">
 <properties>
 <help>Show internal expect connection tracking cache entries</help>
 </properties>
- <command>${vyos_op_scripts_dir}/conntrack_sync.py --show-internal-expect</command>
+ <command>sudo ${vyos_op_scripts_dir}/conntrack_sync.py --show-internal-expect</command>
 </leafNode>
 </children>
 </node>
diff --git a/op-mode-definitions/disconnect.xml.in b/op-mode-definitions/disconnect.xml.in
index bf2c37b89..4415c0ed2 100644
--- a/op-mode-definitions/disconnect.xml.in
+++ b/op-mode-definitions/disconnect.xml.in
@@ -10,7 +10,7 @@
 <help>Take down a connection-oriented network interface</help>
 <completionHelp>
 <path>interfaces pppoe</path>
- <path>interfaces wirelessmodem</path>
+ <path>interfaces wwan</path>
 </completionHelp>
 </properties>
 <command>sudo ${vyos_op_scripts_dir}/connect_disconnect.py --disconnect "$3"</command>
diff --git a/op-mode-definitions/disks.xml.in b/op-mode-definitions/disks.xml.in
index fb39c4f3c..2102a2e8e 100644
--- a/op-mode-definitions/disks.xml.in
+++ b/op-mode-definitions/disks.xml.in
@@ -26,7 +26,6 @@
 </tagNode>
 </children>
 </node>
-
 <node name="show">
 <children>
 <tagNode name="disk">
diff --git a/op-mode-definitions/flow-accounting-op.xml.in b/op-mode-definitions/flow-accounting-op.xml.in
index b847338f9..7aaae5974 100644
--- a/op-mode-definitions/flow-accounting-op.xml.in
+++ b/op-mode-definitions/flow-accounting-op.xml.in
@@ -57,7 +57,7 @@
 <properties>
 <help>Restart (net)flow accounting process</help>
 </properties>
- <command>${vyos_op_scripts_dir}/flow_accounting_op.py --action restart</command>
+ <command>sudo ${vyos_op_scripts_dir}/flow_accounting_op.py --action restart</command>
 </leafNode>
 </children>
 </node>
diff --git a/op-mode-definitions/generate-ipsec-profile.xml.in b/op-mode-definitions/generate-ipsec-profile.xml.in
new file mode 100644
index 000000000..be9227971
--- /dev/null
+++ b/op-mode-definitions/generate-ipsec-profile.xml.in
@@ -0,0 +1,145 @@ +<?xml version="1.0"?> +<interfaceDefinition> + <node name="generate"> + <children> + <node name="ipsec"> + <properties> + <help>Generate IPsec related configurations</help> + </properties> + <children> + <node name="profile"> + <properties> + <help>Generate IKEv2 IPSec remote-access VPN profiles</help> + </properties> + <children> + <tagNode name="ios-remote-access"> + <properties> + <help>Generate iOS profile for specified remote-access connection name</help> + <completionHelp> + <path>vpn ipsec remote-access connection</path> + </completionHelp> + </properties> + <children> + <tagNode name="remote"> + <properties> + <help>Remote address where the client will connect to</help> + <completionHelp> + <list><fqdn></list> + <script>${vyos_completion_dir}/list_local_ips.sh --both</script> + </completionHelp> + </properties> + <command>${vyos_op_scripts_dir}/ikev2_profile_generator.py --os ios --connection "$5" --remote "$7"</command> + <children> + <tagNode name="name"> + <properties> + <help>Connection name as seen in the VPN application</help> + <completionHelp> + <list><name></list> + </completionHelp> + </properties> + <command>${vyos_op_scripts_dir}/ikev2_profile_generator.py --os ios --connection "$5" --remote "$7" --name "$9"</command> + <children> + <tagNode name="profile"> + <properties> + <help>Profile name as seen under system profiles</help> + <completionHelp> + <list><name></list> + </completionHelp> + </properties> + <command>${vyos_op_scripts_dir}/ikev2_profile_generator.py --os ios --connection "$5" --remote "$7" --name "$9" --profile "${11}"</command> + </tagNode> + </children> + </tagNode> + <tagNode name="profile"> + <properties> + <help>Profile name as seen under system profiles</help> + <completionHelp> + <list><name></list> + </completionHelp> + </properties> + <command>${vyos_op_scripts_dir}/ikev2_profile_generator.py --os ios --connection "$5" --remote "$7" --profile "$9"</command> + <children> + <tagNode name="name"> + 
<properties> + <help>Connection name as seen in the VPN application</help> + <completionHelp> + <list><name></list> + </completionHelp> + </properties> + <command>${vyos_op_scripts_dir}/ikev2_profile_generator.py --os ios --connection "$5" --remote "$7" --profile "$9" --name "${11}"</command> + </tagNode> + </children> + </tagNode> + </children> + </tagNode> + </children> + </tagNode> + <tagNode name="windows-remote-access"> + <properties> + <help>Generate iOS profile for specified remote-access connection name</help> + <completionHelp> + <path>vpn ipsec remote-access connection</path> + </completionHelp> + </properties> + <children> + <tagNode name="remote"> + <properties> + <help>Remote address where the client will connect to</help> + <completionHelp> + <list><fqdn></list> + <script>${vyos_completion_dir}/list_local_ips.sh --both</script> + </completionHelp> + </properties> + <command>${vyos_op_scripts_dir}/ikev2_profile_generator.py --os windows --connection "$5" --remote "$7"</command> + <children> + <tagNode name="name"> + <properties> + <help>Connection name as seen in the VPN application</help> + <completionHelp> + <list><name></list> + </completionHelp> + </properties> + <command>${vyos_op_scripts_dir}/ikev2_profile_generator.py --os windows --connection "$5" --remote "$7" --name "$9"</command> + <children> + <tagNode name="profile"> + <properties> + <help>Profile name as seen under system profiles</help> + <completionHelp> + <list><name></list> + </completionHelp> + </properties> + <command>${vyos_op_scripts_dir}/ikev2_profile_generator.py --os windows --connection "$5" --remote "$7" --name "$9" --profile "${11}"</command> + </tagNode> + </children> + </tagNode> + <tagNode name="profile"> + <properties> + <help>Profile name as seen under system profiles</help> + <completionHelp> + <list><name></list> + </completionHelp> + </properties> + <command>${vyos_op_scripts_dir}/ikev2_profile_generator.py --os windows --connection "$5" --remote "$7" --profile 
"$9"</command> + <children> + <tagNode name="name"> + <properties> + <help>Connection name as seen in the VPN application</help> + <completionHelp> + <list><name></list> + </completionHelp> + </properties> + <command>${vyos_op_scripts_dir}/ikev2_profile_generator.py --os windows --connection "$5" --remote "$7" --profile "$9" --name "${11}"</command> + </tagNode> + </children> + </tagNode> + </children> + </tagNode> + </children> + </tagNode> + </children> + </node> + </children> + </node> + </children> + </node> +</interfaceDefinition> diff --git a/op-mode-definitions/generate-public-key-command.xml.in b/op-mode-definitions/generate-public-key-command.xml.in new file mode 100644 index 000000000..21f0f56f0 --- /dev/null +++ b/op-mode-definitions/generate-public-key-command.xml.in @@ -0,0 +1,33 @@ +<?xml version="1.0"?> +<interfaceDefinition> + <node name="generate"> + <children> + <node name="public-key-command"> + <properties> + <help>Generate configuration mode command to add OpenSSH public key from file</help> + </properties> + <children> + <tagNode name="user"> + <properties> + <help>Username of public key owner</help> + <completionHelp> + <list><username></list> + </completionHelp> + </properties> + <children> + <tagNode name="path"> + <properties> + <help>Local path or remote URL of OpenSSH public key</help> + <completionHelp> + <list><![CDATA[<http[s]://[<username>:<password>@]<hostname>/<path-to-file>> <ftp://[<username>[:<password>]@]<hostname>/<path-to-file>> <tftp://<hostname>/<path-to-file>> <sftp://[<username>[:<password>]@]<hostname>/<path-to-file>> <scp://[<username>[:<password>]@]<hostname>/<path-to-file>> <[file://]/<path-to-file>>]]></list> + </completionHelp> + </properties> + <command>${vyos_op_scripts_dir}/generate_public_key_command.py "$4" "$6"</command> + </tagNode> + </children> + </tagNode> + </children> + </node> + </children> + </node> +</interfaceDefinition> 
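Review bot: The `windows-remote-access` tagNode reuses the iOS help string `Generate iOS profile for specified remote-access connection name`, which is wrong for this branch; it should read `<help>Generate Windows profile for specified remote-access connection name</help>`. Apart from `--os windows` the whole Windows subtree is a copy of the iOS one, so the two will drift unless the shared `remote`/`name`/`profile` levels are moved into an include, but that is a point of style rather than a defect.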
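Review bot: The `path` completion in generate-public-key-command.xml.in advertises URL forms with an embedded `<username>:<password>@`, and whatever the operator types there is passed verbatim as `"$6"` to `generate_public_key_command.py`, so the credential ends up in the operator's command history and is visible in the process list while the fetch runs. The help text should say so, e.g. `<help>Local path or remote URL of OpenSSH public key (credentials embedded in the URL are recorded in command history)</help>`. The script itself is outside this diff, so whether it can prompt for the password instead cannot be judged here.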
diff --git a/op-mode-definitions/generate-ssh-server-key.xml.in b/op-mode-definitions/generate-ssh-server-key.xml.in
index 86bb1b1bd..ecea3e5d1 100644
--- a/op-mode-definitions/generate-ssh-server-key.xml.in
+++ b/op-mode-definitions/generate-ssh-server-key.xml.in
@@ -14,7 +14,7 @@
 <properties>
 <help>Re-generate SSH host keys and restart SSH server</help>
 </properties>
- <command>${vyos_op_scripts_dir}/generate_ssh_server_key.py</command>
+ <command>sudo ${vyos_op_scripts_dir}/generate_ssh_server_key.py</command>
 </node>
 <tagNode name="client-key">
 <properties>
diff --git a/op-mode-definitions/generate-wireguard.xml.in b/op-mode-definitions/generate-wireguard.xml.in
new file mode 100644
index 000000000..6557b463b
--- /dev/null
+++ b/op-mode-definitions/generate-wireguard.xml.in
@@ -0,0 +1,72 @@ +<?xml version="1.0"?> +<interfaceDefinition> + <node name="generate"> + <children> + <node name="wireguard"> + <properties> + <help>Generate Wireguard keys</help> + </properties> + <children> + <tagNode name="client-config"> + <properties> + <help>Generate Client config QR code</help> + <completionHelp> + <list><client-name></list> + </completionHelp> + </properties> + <children> + <tagNode name="interface"> + <properties> + <help>Local interface used for connection</help> + <completionHelp> + <script>${vyos_completion_dir}/list_interfaces.py --type wireguard</script> + </completionHelp> + </properties> + <children> + <tagNode name="server"> + <properties> + <help>IP address/FQDN used for client connection</help> + <completionHelp> + <script>${vyos_completion_dir}/list_local_ips.sh --both</script> + <list><hostname></list> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/wireguard_client.py --name "$4" --interface "$6" --server "$8"</command> + <children> + <tagNode name="address"> + <properties> + <help>IPv4/IPv6 address used by client</help> + <completionHelp> + <list><x.x.x.x> <h:h:h:h:h:h:h:h></list> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/wireguard_client.py --name "$4" --interface "$6" --server "$8" --address "${10}"</command> + <children> + <tagNode name="address"> + <properties> + <help>IPv4/IPv6 address used by client</help> + <completionHelp> + <list><x.x.x.x> <h:h:h:h:h:h:h:h></list> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/wireguard_client.py --name "$4" --interface "$6" --server "$8" --address "${10}" --address "${12}"</command> + </tagNode> + </children> + </tagNode> + </children> + </tagNode> + </children> + </tagNode> + </children> + </tagNode> + <leafNode name="key-pair"> + <properties> + <help>Generate Wireguard key pair for use with server or peer</help> + </properties> + <command>sudo ${vyos_op_scripts_dir}/pki.py --action generate 
--wireguard --key "noname"</command> + </leafNode> + </children> + </node> + </children> + </node> +</interfaceDefinition> diff --git a/op-mode-definitions/include/bgp/afi-common.xml.i b/op-mode-definitions/include/bgp/afi-common.xml.i index e48482282..7fc59f3b0 100644 --- a/op-mode-definitions/include/bgp/afi-common.xml.i +++ b/op-mode-definitions/include/bgp/afi-common.xml.i @@ -31,10 +31,25 @@ </properties> <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> </leafNode> -<leafNode name="summary"> +<node name="summary"> <properties> <help>Summary of BGP neighbor status</help> </properties> <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> -</leafNode> + <children> + <leafNode name="established"> + <properties> + <help>Show only sessions in Established state</help> + </properties> + <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> + </leafNode> + <leafNode name="failed"> + <properties> + <help>Show only sessions not in Established state</help> + </properties> + <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> + </leafNode> + </children> +</node> +#include <include/vtysh-generic-wide.xml.i> <!-- included end --> diff --git a/op-mode-definitions/include/vtysh-generic-wide.xml.i b/op-mode-definitions/include/vtysh-generic-wide.xml.i new file mode 100644 index 000000000..acc68b4c0 --- /dev/null +++ b/op-mode-definitions/include/vtysh-generic-wide.xml.i @@ -0,0 +1,8 @@ +<!-- included start from vtysh-generic-wide.xml.i --> +<leafNode name="wide"> + <properties> + <help>Increase table width for longer prefixes</help> + </properties> + <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> +</leafNode> +<!-- included end --> diff --git a/op-mode-definitions/ipv4-route.xml.in b/op-mode-definitions/ipv4-route.xml.in index 1bda3ac11..aab3df0f1 100644 --- a/op-mode-definitions/ipv4-route.xml.in +++ b/op-mode-definitions/ipv4-route.xml.in 
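Review bot: The `generate wireguard key-pair` leaf in this new file runs exactly the same command as `generate pki wireguard key-pair` added in pki.xml.in in this commit (`sudo ${vyos_op_scripts_dir}/pki.py --action generate --wireguard --key "noname"`), so two CLI paths now own one operation and their help strings can drift. Either drop this leaf or mark it in its help as an alias of the pki command. The nested `address` tagNode under `client-config` is copy-pasted once to allow a second address; a one-line XML comment such as `<!-- nesting repeated once: at most two client addresses -->` would make that limit explicit.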
@@ -43,7 +43,7 @@ <list><x.x.x.x></list> </completionHelp> </properties> - <command>sudo /sbin/ip neigh flush to "$5"</command> + <command>sudo ip neigh flush to "$5"</command> </tagNode> <tagNode name="interface"> <properties> @@ -52,7 +52,7 @@ <script>${vyos_completion_dir}/list_interfaces.py</script> </completionHelp> </properties> - <command>sudo /sbin/ip neigh flush dev "$5"</command> + <command>sudo ip neigh flush dev "$5"</command> </tagNode> </children> </node> @@ -66,7 +66,7 @@ <properties> <help>Flush the kernel route cache</help> </properties> - <command>sudo /sbin/ip route flush cache</command> + <command>sudo ip route flush cache</command> </leafNode> <tagNode name="cache"> @@ -76,7 +76,7 @@ <list><x.x.x.x> <x.x.x.x/x></list> </completionHelp> </properties> - <command>sudo /sbin/ip route flush cache "$5"</command> + <command>sudo ip route flush cache "$5"</command> </tagNode> </children> </node> diff --git a/op-mode-definitions/monitor-bandwidth-test.xml.in b/op-mode-definitions/monitor-bandwidth-test.xml.in index 5b36b1da5..965591280 100644 --- a/op-mode-definitions/monitor-bandwidth-test.xml.in +++ b/op-mode-definitions/monitor-bandwidth-test.xml.in 
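Review bot: Dropping the absolute path from `sudo /sbin/ip ...` in all four hunks means `ip` is now resolved through the PATH that sudo hands to the child, which is safe only while sudoers keeps `secure_path` set (the Debian default); if a future sudoers change lifts it, a privileged op-mode command would search the operator's PATH. The same applies to the `sudo bridge`, `sudo nvme`, `sudo smartctl` and `sudo opennhrpctl` invocations in monitor-bridge.xml.in, show-hardware.xml.in and nhrp.xml.in in this commit, and to the unprivileged `ip macsec show` in show-interfaces-macsec.xml.in. If relying on secure_path is the intended policy, a note in the commit message or in the sudoers fragment that grants these commands would document the dependency.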
@@ -7,21 +7,51 @@ <help>Initiate or wait for bandwidth test</help> </properties> <children> - <leafNode name="accept"> + <node name="accept"> <properties> <help>Wait for bandwidth test connections (port TCP/5001)</help> </properties> <command>/usr/bin/iperf -V -s</command> - </leafNode> - <tagNode name="initiate"> + <children> + <leafNode name="tcp"> + <properties> + <help>Wait for bandwidth test connections (port TCP/5001)</help> + </properties> + <command>/usr/bin/iperf -V -s</command> + </leafNode> + <leafNode name="udp"> + <properties> + <help>Wait for bandwidth test connections (port UDP/5001)</help> + </properties> + <command>/usr/bin/iperf -V -s -u</command> + </leafNode> + </children> + </node> + <node name="initiate"> <properties> - <help>Initiate a bandwidth test to specified host (port TCP/5001)</help> - <completionHelp> - <list><hostname> <x.x.x.x> <h:h:h:h:h:h:h:h></list> - </completionHelp> + <help>Initiate a bandwidth test to specified host</help> </properties> - <command>${vyos_op_scripts_dir}/monitor_bandwidth_test.sh "$4"</command> - </tagNode> + <children> + <tagNode name="tcp"> + <properties> + <help>Initiate a bandwidth test to specified host (port TCP/5001)</help> + <completionHelp> + <list><hostname> <x.x.x.x> <h:h:h:h:h:h:h:h></list> + </completionHelp> + </properties> + <command>${vyos_op_scripts_dir}/monitor_bandwidth_test.sh "$5"</command> + </tagNode> + <tagNode name="udp"> + <properties> + <help>Initiate a bandwidth test to specified host (port UDP/5001)</help> + <completionHelp> + <list><hostname> <x.x.x.x> <h:h:h:h:h:h:h:h></list> + </completionHelp> + </properties> + <command>${vyos_op_scripts_dir}/monitor_bandwidth_test.sh "$5" "-u"</command> + </tagNode> + </children> + </node> </children> </node> </children> diff --git a/op-mode-definitions/monitor-bridge.xml.in b/op-mode-definitions/monitor-bridge.xml.in new file mode 100644 index 000000000..712a924f1 --- /dev/null +++ b/op-mode-definitions/monitor-bridge.xml.in 
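Review bot: The help text on the `accept` node still reads `Wait for bandwidth test connections (port TCP/5001)` although the node now has `tcp` and `udp` children, whereas the sibling `initiate` node was given the generic `Initiate a bandwidth test to specified host`; change it to `<help>Wait for bandwidth test connections</help>` and leave the port detail to the two leaves. The `udp` leaf under `initiate` passes `"-u"` as a second positional argument to monitor_bandwidth_test.sh; the script is outside this hunk, so whether it forwards that argument to iperf cannot be confirmed here and is worth a check.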
@@ -0,0 +1,33 @@ +<?xml version="1.0"?> +<interfaceDefinition> + <node name="monitor"> + <children> + <node name="bridge"> + <properties> + <help>Monitoring bridge database generated objects and address changes</help> + </properties> + <command>sudo bridge monitor all</command> + <children> + <node name="link"> + <command>sudo bridge monitor link</command> + <properties> + <help>Monitoring bridge database generated connection interface changes</help> + </properties> + </node> + <node name="fdb"> + <command>sudo bridge monitor fdb</command> + <properties> + <help>Monitor the forwarding database changes generated by the bridge database</help> + </properties> + </node> + <node name="mdb"> + <command>sudo bridge monitor mdb</command> + <properties> + <help>Monitor the multicast database changes generated by the bridge database</help> + </properties> + </node> + </children> + </node> + </children> + </node> +</interfaceDefinition> diff --git a/op-mode-definitions/nhrp.xml.in b/op-mode-definitions/nhrp.xml.in new file mode 100644 index 000000000..9e746cc35 --- /dev/null +++ b/op-mode-definitions/nhrp.xml.in 
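Review bot: The three child nodes (`link`, `fdb`, `mdb`) place `<command>` before `<properties>`, the reverse of every other node in this commit, including the parent `bridge` node a few lines above; reorder them for consistency. All four commands run `bridge monitor` under sudo, but monitoring only subscribes to netlink notifications and, as far as I know, works unprivileged, so the `sudo` could be dropped in line with least privilege (confirm on the target image). The help strings are also hard to parse, e.g. `Monitoring bridge database generated objects and address changes`; `Monitor bridge link, forwarding-database and multicast-database changes` reads better.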
@@ -0,0 +1,65 @@ +<?xml version="1.0" encoding="UTF-8"?> +<interfaceDefinition> + <node name="reset"> + <children> + <node name="nhrp"> + <properties> + <help>Clear/Purge NHRP entries</help> + </properties> + <children> + <node name="flush"> + <properties> + <help>Clear all non-permanent entries</help> + </properties> + <children> + <tagNode name="tunnel"> + <properties> + <help>Clear all non-permanent entries</help> + </properties> + <command>sudo opennhrpctl flush dev $5 || echo OpenNHRP is not running.</command> + </tagNode> + </children> + <command>sudo opennhrpctl flush || echo OpenNHRP is not running.</command> + </node> + <node name="purge"> + <properties> + <help>Purge entries from NHRP cache</help> + </properties> + <children> + <tagNode name="tunnel"> + <properties> + <help>Purge all entries from NHRP cache</help> + </properties> + <command>sudo opennhrpctl purge dev $5 || echo OpenNHRP is not running.</command> + </tagNode> + </children> + <command>sudo opennhrpctl purge || echo OpenNHRP is not running.</command> + </node> + </children> + </node> + </children> + </node> + <node name="show"> + <children> + <node name="nhrp"> + <properties> + <help>Show NHRP info</help> + </properties> + <children> + <leafNode name="interface"> + <properties> + <help>Show NHRP interface connection information</help> + </properties> + <command>if [ -f /var/run/opennhrp.pid ]; then sudo opennhrpctl interface show; else echo OpenNHRP is not running.; fi</command> + </leafNode> + <leafNode name="tunnel"> + <properties> + <help>Show NHRP tunnel connection information</help> + </properties> + <command>if [ -f /var/run/opennhrp.pid ]; then sudo opennhrpctl show ; else echo OpenNHRP is not running.; fi</command> + </leafNode> + </children> + </node> + </children> + </node> +</interfaceDefinition> diff --git a/op-mode-definitions/openconnect.xml.in b/op-mode-definitions/openconnect.xml.in index 36f23239e..6b0082b4c 100644 --- a/op-mode-definitions/openconnect.xml.in 
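Review bot: In the `reset nhrp flush tunnel` and `reset nhrp purge tunnel` commands the tag value is interpolated unquoted (`sudo opennhrpctl flush dev $5`), unlike every other tag value in this commit, so a value containing whitespace or glob characters is word-split before it reaches opennhrpctl. The trailing `|| echo OpenNHRP is not running.` also masks every failure of a privileged command (bad device name, permission problem) behind one message, while the two `show` leaves in the same file use a pid-file check instead. Use the pid-file form and quote the value consistently: `<command>if [ -f /var/run/opennhrp.pid ]; then sudo opennhrpctl flush dev "$5"; else echo OpenNHRP is not running.; fi</command>`.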
+++ b/op-mode-definitions/openconnect.xml.in @@ -17,4 +17,14 @@ </node> </children> </node> + <node name="restart"> + <children> + <leafNode name="openconnect-server"> + <properties> + <help>Restart openconnect server process</help> + </properties> + <command>${vyos_op_scripts_dir}/openconnect-control.py --action="restart"</command> + </leafNode> + </children> + </node> </interfaceDefinition> diff --git a/op-mode-definitions/openvpn.xml.in b/op-mode-definitions/openvpn.xml.in index e9420904a..781fbdc9d 100644 --- a/op-mode-definitions/openvpn.xml.in +++ b/op-mode-definitions/openvpn.xml.in @@ -1,49 +1,5 @@ <?xml version="1.0"?> <interfaceDefinition> - <node name="generate"> - <children> - <node name="openvpn"> - <properties> - <help>OpenVPN key generation tool</help> - </properties> - <children> - <tagNode name="key"> - <properties> - <help>Generate shared-secret key with specified file name</help> - <completionHelp> - <list><filename></list> - </completionHelp> - </properties> - <command> - result=1; - key_path=$4 - full_path= - - if echo $key_path | egrep -ve '^/.*' > /dev/null; then - full_path=/config/auth/$key_path - else - full_path=$key_path - fi - - key_dir=`dirname $full_path` - if [ ! -d $key_dir ]; then - echo "Directory $key_dir does not exist!" - exit 1 - fi - - echo "Generating OpenVPN key to $full_path" - sudo /usr/sbin/openvpn --genkey --secret "$full_path" - result=$? - if [ $result = 0 ]; then - echo "Your new local OpenVPN key has been generated" - fi - /usr/libexec/vyos/validators/file-exists --directory /config/auth "$full_path" - </command> - </tagNode> - </children> - </node> - </children> - </node> <node name="reset"> <properties> <help>Reset a service</help> diff --git a/op-mode-definitions/pki.xml.in b/op-mode-definitions/pki.xml.in new file mode 100644 index 000000000..a11814c8a --- /dev/null +++ b/op-mode-definitions/pki.xml.in 
@@ -0,0 +1,409 @@ +<?xml version="1.0"?> +<interfaceDefinition> + <node name="generate"> + <children> + <node name="pki"> + <properties> + <help>Generate PKI certificates and keys</help> + </properties> + <children> + <node name="ca"> + <properties> + <help>Generate CA certificate</help> + </properties> + <children> + <tagNode name="sign"> + <properties> + <help>Sign generated CA certificate with another specified CA certificate</help> + <completionHelp> + <path>pki ca</path> + </completionHelp> + </properties> + <children> + <tagNode name="file"> + <properties> + <help>Write generated CA certificate into the specified filename</help> + <completionHelp> + <list><filename></list> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/pki.py --action generate --ca "$7" --sign "$5" --file</command> + </tagNode> + <tagNode name="install"> + <properties> + <help>Commands for installing generated CA certificate into running configuration</help> + <completionHelp> + <list><certificate name></list> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/pki.py --action generate --ca "$7" --sign "$5" --install</command> + </tagNode> + </children> + <command>sudo ${vyos_op_scripts_dir}/pki.py --action generate --ca "noname" --sign "$5"</command> + </tagNode> + <tagNode name="file"> + <properties> + <help>Write generated CA certificate into the specified filename</help> + <completionHelp> + <list><filename></list> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/pki.py --action generate --ca "$5" --file</command> + </tagNode> + <tagNode name="install"> + <properties> + <help>Commands for installing generated CA certificate into running configuration</help> + <completionHelp> + <list><CA name></list> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/pki.py --action generate --ca "$5" --install</command> + </tagNode> + </children> + <command>sudo ${vyos_op_scripts_dir}/pki.py --action 
generate --ca "noname"</command> + </node> + <node name="certificate"> + <properties> + <help>Generate certificate request</help> + </properties> + <children> + <node name="self-signed"> + <properties> + <help>Generate self-signed certificate</help> + </properties> + <children> + <tagNode name="file"> + <properties> + <help>Write generated self-signed certificate into the specified filename</help> + <completionHelp> + <list><filename></list> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/pki.py --action generate --certificate "$6" --self-sign --file</command> + </tagNode> + <tagNode name="install"> + <properties> + <help>Commands for installing generated self-signed certificate into running configuration</help> + <completionHelp> + <list><certificate name></list> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/pki.py --action generate --certificate "$6" --self-sign --install</command> + </tagNode> + </children> + <command>sudo ${vyos_op_scripts_dir}/pki.py --action generate --certificate "noname" --self-sign</command> + </node> + <tagNode name="sign"> + <properties> + <help>Sign generated certificate with specified CA certificate</help> + <completionHelp> + <path>pki ca</path> + </completionHelp> + </properties> + <children> + <tagNode name="file"> + <properties> + <help>Write generated signed certificate into the specified filename</help> + <completionHelp> + <list><filename></list> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/pki.py --action generate --certificate "$7" --sign "$5" --file</command> + </tagNode> + <tagNode name="install"> + <properties> + <help>Commands for installing generated signed certificate into running configuration</help> + <completionHelp> + <list><certificate name></list> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/pki.py --action generate --certificate "$7" --sign "$5" --install</command> + </tagNode> + </children> + 
<command>sudo ${vyos_op_scripts_dir}/pki.py --action generate --certificate "noname" --sign "$5"</command> + </tagNode> + <tagNode name="file"> + <properties> + <help>Write generated certificate request and key into the specified filename</help> + <completionHelp> + <list><filename></list> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/pki.py --action generate --certificate "$5" --file</command> + </tagNode> + <tagNode name="install"> + <properties> + <help>Commands for installing generated certificate private key into running configuration</help> + <completionHelp> + <list><certificate name></list> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/pki.py --action generate --certificate "$5" --install</command> + </tagNode> + </children> + <command>sudo ${vyos_op_scripts_dir}/pki.py --action generate --certificate "noname"</command> + </node> + <tagNode name="crl"> + <properties> + <help>Generate CRL for specified CA certificate</help> + <completionHelp> + <path>pki ca</path> + </completionHelp> + </properties> + <children> + <tagNode name="file"> + <properties> + <help>Write generated CRL into the specified filename</help> + <completionHelp> + <list><filename></list> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/pki.py --action generate --crl "$4" --file</command> + </tagNode> + <leafNode name="install"> + <properties> + <help>Commands for installing generated CRL into running configuration</help> + </properties> + <command>sudo ${vyos_op_scripts_dir}/pki.py --action generate --crl "$4" --install</command> + </leafNode> + </children> + <command>sudo ${vyos_op_scripts_dir}/pki.py --action generate --crl "$4"</command> + </tagNode> + <node name="dh"> + <properties> + <help>Generate DH parameters</help> + </properties> + <children> + <tagNode name="file"> + <properties> + <help>Write generated DH parameters into the specified filename</help> + <completionHelp> + <list><filename></list> 
+ </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/pki.py --action generate --dh "$5" --file</command> + </tagNode> + <tagNode name="install"> + <properties> + <help>Commands for installing generated DH parameters into running configuration</help> + <completionHelp> + <list><DH name></list> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/pki.py --action generate --dh "$5" --install</command> + </tagNode> + </children> + <command>sudo ${vyos_op_scripts_dir}/pki.py --action generate --dh "noname"</command> + </node> + <node name="key-pair"> + <properties> + <help>Generate a key pair</help> + </properties> + <children> + <tagNode name="file"> + <properties> + <help>Write generated key pair into the specified filename</help> + <completionHelp> + <list><filename></list> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/pki.py --action generate --keypair "$5" --file</command> + </tagNode> + <tagNode name="install"> + <properties> + <help>Commands for installing generated key pair into running configuration</help> + <completionHelp> + <list><key name></list> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/pki.py --action generate --keypair "$5" --install</command> + </tagNode> + </children> + <command>sudo ${vyos_op_scripts_dir}/pki.py --action generate --keypair "noname"</command> + </node> + <node name="openvpn"> + <properties> + <help>Generate OpenVPN keys</help> + </properties> + <children> + <node name="shared-secret"> + <properties> + <help>Generate OpenVPN shared secret key</help> + </properties> + <children> + <tagNode name="file"> + <properties> + <help>Write generated OpenVPN shared secret key into the specified filename</help> + <completionHelp> + <list><filename></list> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/pki.py --action generate --openvpn "$6" --file</command> + </tagNode> + <tagNode name="install"> + <properties> + 
<help>Commands for installing generated OpenVPN shared secret key into running configuration</help> + <completionHelp> + <list><key name></list> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/pki.py --action generate --openvpn "$6" --install</command> + </tagNode> + </children> + <command>sudo ${vyos_op_scripts_dir}/pki.py --action generate --openvpn "noname"</command> + </node> + </children> + </node> + <node name="ssh-key"> + <properties> + <help>Generate SSH key</help> + </properties> + <children> + <tagNode name="file"> + <properties> + <help>Write generated SSH keys into the specified filename</help> + <completionHelp> + <list><filename></list> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/pki.py --action generate --ssh "$5" --file</command> + </tagNode> + <tagNode name="install"> + <properties> + <help>Commands for installing generated SSH key into running configuration</help> + <completionHelp> + <list><key name></list> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/pki.py --action generate --ssh "$5" --install</command> + </tagNode> + </children> + <command>sudo ${vyos_op_scripts_dir}/pki.py --action generate --ssh "noname"</command> + </node> + <node name="wireguard"> + <properties> + <help>Generate Wireguard keys</help> + </properties> + <children> + <node name="key-pair"> + <properties> + <help>Generate Wireguard key pair for use with server or peer</help> + </properties> + <children> + <tagNode name="file"> + <properties> + <help>Write generated Wireguard keys into the specified filename</help> + <completionHelp> + <list><filename></list> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/pki.py --action generate --wireguard --key "$6" --file</command> + </tagNode> + <tagNode name="install"> + <properties> + <help>Commands for installing generated Wireguard key into running configuration</help> + <completionHelp> + <list><interface> <peer></list> 
+ </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/pki.py --action generate --wireguard --key "$6" --install</command> + </tagNode> + </children> + <command>sudo ${vyos_op_scripts_dir}/pki.py --action generate --wireguard --key "noname"</command> + </node> + <node name="pre-shared-key"> + <properties> + <help>Generate pre-shared key for use with a Wireguard peer</help> + </properties> + <children> + <tagNode name="file"> + <properties> + <help>Write generated Wireguard PSK into the specified filename</help> + <completionHelp> + <list><filename></list> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/pki.py --action generate --wireguard --psk "$6" --file</command> + </tagNode> + <tagNode name="install"> + <properties> + <help>Commands for installing generated Wireguard PSK on specified peer into running configuration</help> + <completionHelp> + <list><peer></list> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/pki.py --action generate --wireguard --psk "$6" --install</command> + </tagNode> + </children> + <command>sudo ${vyos_op_scripts_dir}/pki.py --action generate --wireguard --psk "noname"</command> + </node> + </children> + </node> + </children> + </node> + </children> + </node> + <node name="show"> + <children> + <node name="pki"> + <properties> + <help>Show PKI certificates</help> + </properties> + <children> + <node name="ca"> + <properties> + <help>Show CA certificates</help> + </properties> + <children> + <leafNode name="name"> + <properties> + <help>Show CA certificate by name</help> + <completionHelp> + <path>pki ca</path> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/pki.py --action show --ca "$5"</command> + </leafNode> + </children> + <command>sudo ${vyos_op_scripts_dir}/pki.py --action show --ca "all"</command> + </node> + <node name="certificate"> + <properties> + <help>Show certificates</help> + </properties> + <children> + <leafNode 
name="name"> + <properties> + <help>Show certificate by name</help> + <completionHelp> + <path>pki certificate</path> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/pki.py --action show --certificate "$5"</command> + </leafNode> + </children> + <command>sudo ${vyos_op_scripts_dir}/pki.py --action show --certificate "all"</command> + </node> + <node name="crl"> + <properties> + <help>Show certificate revocation lists</help> + </properties> + <children> + <leafNode name="name"> + <properties> + <help>Show certificate revocation lists from specified CA</help> + <completionHelp> + <path>pki ca</path> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/pki.py --action show --crl "$5"</command> + </leafNode> + </children> + <command>sudo ${vyos_op_scripts_dir}/pki.py --action show --crl "all"</command> + </node> + </children> + <command>sudo ${vyos_op_scripts_dir}/pki.py --action show</command> + </node> + </children> + </node> +</interfaceDefinition> diff --git a/op-mode-definitions/show-arp.xml.in b/op-mode-definitions/show-arp.xml.in new file mode 100644 index 000000000..12e7d3aa2 --- /dev/null +++ b/op-mode-definitions/show-arp.xml.in @@ -0,0 +1,24 @@ +<?xml version="1.0"?> +<interfaceDefinition> + <node name="show"> + <children> + <node name="arp"> + <properties> + <help>Show Address Resolution Protocol (ARP) information</help> + </properties> + <command>/usr/sbin/arp -e -n</command> + <children> + <tagNode name="interface"> + <properties> + <help>Show Address Resolution Protocol (ARP) cache for specified interface</help> + <completionHelp> + <script>${vyos_completion_dir}/list_interfaces.py -b</script> + </completionHelp> + </properties> + <command>/usr/sbin/arp -e -n -i "$4"</command> + </tagNode> + </children> + </node> + </children> + </node> +</interfaceDefinition> diff --git a/op-mode-definitions/show-bgp.xml.in b/op-mode-definitions/show-bgp.xml.in index 36e7062df..c33a9dacf 100644 
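Review bot: Under `show pki ca`, `show pki certificate` and `show pki crl` the `name` node is declared as a `leafNode` yet carries a `completionHelp` path and reads `"$5"`, which only exists if the node accepts a value; in this schema that is a `tagNode`, as used for `file` and `install` throughout the same file, so these three should presumably be `<tagNode name="name">`. Otherwise `$5` is empty and `pki.py --action show --ca ""` is run, which is at best a confusing error. The `generate` side is consistent: argument positions (`$4` for crl, `$5`/`$6`/`$7` for the nested forms) line up with the node depth, and all values are quoted.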
--- a/op-mode-definitions/show-bgp.xml.in +++ b/op-mode-definitions/show-bgp.xml.in 
@@ -8,7 +8,81 @@ </properties> <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> <children> + <node name="cidr-only"> + <properties> + <help>Display only routes with non-natural netmasks</help> + </properties> + <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> + <children> + #include <include/vtysh-generic-wide.xml.i> + </children> + </node> #include <include/bgp/show-bgp-common.xml.i> + <node name="mac"> + <properties> + <help>MAC address</help> + </properties> + <children> + <leafNode name="hash"> + <properties> + <help>MAC address database</help> + </properties> + <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> + </leafNode> + </children> + </node> + <node name="martian"> + <properties> + <help>martian next-hops</help> + </properties> + <children> + <leafNode name="next-hop"> + <properties> + <help>martian next-hop database</help> + </properties> + <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> + </leafNode> + </children> + </node> + <leafNode name="memory"> + <properties> + <help>Global BGP memory statistics</help> + </properties> + <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> + </leafNode> + <node name="nexthop"> + <properties> + <help>Show BGP nexthop table</help> + </properties> + <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> + <children> + #include <include/vtysh-generic-detail.xml.i> + </children> + </node> + <tagNode name="nexthop"> + <properties> + <help>IPv4/IPv6 nexthop address</help> + <completionHelp> + <list><x.x.x.x> <h:h:h:h:h:h:h:h></list> + </completionHelp> + </properties> + <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> + <children> + #include <include/vtysh-generic-detail.xml.i> + </children> + </tagNode> + <leafNode name="statistics"> + <properties> + <help>BGP RIB advertisement statistics</help> + </properties> + <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> + </leafNode> + <leafNode name="statistics-all"> + <properties> + 
<help>Display number of prefixes for all afi/safi</help> + </properties> + <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> + </leafNode> <leafNode name="vrf"> <properties> <help>Show BGP VRF information</help> @@ -28,6 +102,7 @@ #include <include/bgp/show-bgp-common.xml.i> </children> </tagNode> + #include <include/vtysh-generic-wide.xml.i> </children> </node> </children> diff --git a/op-mode-definitions/show-bridge.xml.in b/op-mode-definitions/show-bridge.xml.in index 78c350e44..0f8d3064d 100644 --- a/op-mode-definitions/show-bridge.xml.in +++ b/op-mode-definitions/show-bridge.xml.in @@ -2,11 +2,24 @@ <interfaceDefinition> <node name="show"> <children> + <node name="bridge"> + <properties> + <help>Show bridging information</help> + </properties> + <children> + <leafNode name="vlan"> + <properties> + <help>View the VLAN filter settings of the bridge</help> + </properties> + <command>bridge -c vlan show</command> + </leafNode> + </children> + </node> <leafNode name="bridge"> <properties> <help>Show bridging information</help> </properties> - <command>/sbin/brctl show</command> + <command>bridge -c link show</command> </leafNode> <tagNode name="bridge"> <properties> 
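Review bot: The help strings added in the first hunk are inconsistent in form: `martian next-hops` and `martian next-hop database` are lowercase while every neighbouring entry starts with a capital, and `MAC address` on the `mac` node does not say what is shown. Suggest `<help>Martian next-hops</help>`, `<help>Martian next-hop database</help>` and `<help>BGP MAC address hash database</help>`. The enclosing `show bgp` node starts before this hunk.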
@@ -15,25 +28,19 @@ <script>${vyos_completion_dir}/list_interfaces.py --type bridge</script> </completionHelp> </properties> - <command>/sbin/brctl show $3</command> + <command>bridge -c link show | grep "master $3"</command> <children> - <leafNode name="macs"> - <properties> - <help>Show bridge Media Access Control (MAC) address table</help> - </properties> - <command>/sbin/brctl showmacs $3</command> - </leafNode> - <leafNode name="spanning-tree"> + <leafNode name="mdb"> <properties> - <help>Show bridge spanning tree information</help> + <help>Displays the multicast group database for the bridge</help> </properties> - <command>/sbin/brctl showstp $3</command> + <command>bridge -c mdb show dev $3</command> </leafNode> <leafNode name="fdb"> <properties> <help>Show the forwarding database of the bridge</help> </properties> - <command>/usr/sbin/bridge -c fdb show br $3</command> + <command>bridge -c fdb show br $3</command> </leafNode> </children> </tagNode> diff --git a/op-mode-definitions/show-console-server.xml.in b/op-mode-definitions/show-console-server.xml.in index 77a7f3376..253d15498 100644 --- a/op-mode-definitions/show-console-server.xml.in +++ b/op-mode-definitions/show-console-server.xml.in @@ -8,7 +8,7 @@ <properties> <help>Show log for serial console server</help> </properties> - <command>/usr/bin/journalctl -u conserver-server.service</command> + <command>/usr/bin/journalctl --unit conserver-server.service</command> </leafNode> </children> </node> diff --git a/op-mode-definitions/show-hardware.xml.in b/op-mode-definitions/show-hardware.xml.in index 0df2e4404..20fdd753d 100644 --- a/op-mode-definitions/show-hardware.xml.in +++ b/op-mode-definitions/show-hardware.xml.in 
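Review bot: `bridge -c link show | grep "master $3"` matches on a prefix, so `show bridge br1` would also list ports whose master is `br10`, `br11` and so on; `grep -w "master $3"` (or `grep "master $3 "`) restricts it to the named bridge. The `spanning-tree` leaf is removed without a replacement under the new `bridge`-based tree; if that is intentional it deserves a mention, since `bridge -d link show` does expose STP state. The enclosing `bridge` tagNode starts before this hunk.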
@@ -53,18 +53,40 @@ </node> </children> </node> - <node name="scsi"> + <node name="storage"> <properties> - <help>Show SCSI device information</help> + <help>Show system storage information</help> </properties> - <command>lsscsi</command> <children> - <node name="detail"> + <leafNode name="nvme"> + <properties> + <help>Show NVMe device information</help> + </properties> + <command>sudo nvme list</command> + </leafNode> + <node name="scsi"> <properties> - <help>Show detailed SCSI device information</help> + <help>Show SCSI device information</help> </properties> - <command>lsscsi -vvv</command> + <command>lsscsi</command> + <children> + <node name="detail"> + <properties> + <help>Show detailed SCSI device information</help> + </properties> + <command>lsscsi -vvv</command> + </node> + </children> </node> + <tagNode name="smart"> + <properties> + <help>Show S.M.A.R.T. device information</help> + <completionHelp> + <script>ls /dev | egrep '([hsv]d[a-z]|nvme[0-9]+n[0-9])$'</script> + </completionHelp> + </properties> + <command>sudo smartctl -a "/dev/$5" | sed 1,3d</command> + </tagNode> </children> </node> <node name="usb"> diff --git a/op-mode-definitions/show-interfaces-bonding.xml.in b/op-mode-definitions/show-interfaces-bonding.xml.in index f6d9b3508..08ce78296 100644 --- a/op-mode-definitions/show-interfaces-bonding.xml.in +++ b/op-mode-definitions/show-interfaces-bonding.xml.in @@ -25,6 +25,12 @@ </properties> <command>if [ -f "/proc/net/bonding/$4" ]; then cat "/proc/net/bonding/$4"; else echo "Interface $4 does not exist!"; fi</command> </leafNode> + <leafNode name="slaves"> + <properties> + <help>Show specified bonding interface information</help> + </properties> + <command>${vyos_op_scripts_dir}/show-bond.py --interface "$4"</command> + </leafNode> <tagNode name="vif"> <properties> <help>Show specified virtual network interface (vif) information</help> 
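Review bot: In the new `smart` tagNode the value `$5` is interpolated into a device path handed to a privileged command (`sudo smartctl -a "/dev/$5"`) with no validation; the completion script's regex only guides typing, it does not enforce the form. Validate against the same pattern before calling smartctl, e.g. `<command>if echo "$5" | grep -qE '^([hsv]d[a-z]|nvme[0-9]+n[0-9])$'; then sudo smartctl -a "/dev/$5" | sed 1,3d; else echo "Invalid device name: $5"; fi</command>`. As a side point, `egrep` in the completion script is deprecated in favour of `grep -E`.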
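Review bot: The new `slaves` leaf carries the help text `Show specified bonding interface information`, which is the parent's text rather than a description of the leaf, and the second hunk of this file (`@@ -62,6 +68,12 @@`, listing all bonds) repeats it verbatim. Suggest `<help>Show slave interfaces of the specified bonding interface</help>` here and `<help>Show slave interfaces of all bonding interfaces</help>` in the second hunk. The script is named `show-bond.py` while the sibling command calls `show_interfaces.py`; if the op-mode script directory uses underscores by convention, the new name is an outlier.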
@@ -62,6 +68,12 @@ </properties> <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=bonding --action=show</command> </leafNode> + <leafNode name="slaves"> + <properties> + <help>Show specified bonding interface information</help> + </properties> + <command>${vyos_op_scripts_dir}/show-bond.py --slaves</command> + </leafNode> </children> </node> </children> diff --git a/op-mode-definitions/show-interfaces-bridge.xml.in b/op-mode-definitions/show-interfaces-bridge.xml.in index cc4b248b6..85fde95b5 100644 --- a/op-mode-definitions/show-interfaces-bridge.xml.in +++ b/op-mode-definitions/show-interfaces-bridge.xml.in @@ -33,12 +33,6 @@ </properties> <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=bridge --action=show</command> </leafNode> - <leafNode name="vlan"> - <properties> - <help>View the VLAN filter settings of the bridge</help> - </properties> - <command>/usr/sbin/bridge -c vlan show</command> - </leafNode> </children> </node> </children> diff --git a/op-mode-definitions/show-interfaces-macsec.xml.in b/op-mode-definitions/show-interfaces-macsec.xml.in index 6aeab66af..a264ff22e 100644 --- a/op-mode-definitions/show-interfaces-macsec.xml.in +++ b/op-mode-definitions/show-interfaces-macsec.xml.in @@ -11,7 +11,7 @@ <path>interfaces macsec</path> </completionHelp> </properties> - <command>/usr/sbin/ip macsec show</command> + <command>ip macsec show</command> </node> <tagNode name="macsec"> <properties> @@ -20,7 +20,7 @@ <path>interfaces macsec</path> </completionHelp> </properties> - <command>/usr/sbin/ip macsec show $4</command> + <command>ip macsec show $4</command> </tagNode> </children> </node> diff --git a/op-mode-definitions/show-interfaces-pppoe.xml.in b/op-mode-definitions/show-interfaces-pppoe.xml.in index 393ca912f..18697a275 100644 --- a/op-mode-definitions/show-interfaces-pppoe.xml.in +++ b/op-mode-definitions/show-interfaces-pppoe.xml.in 
@@ -17,7 +17,7 @@ <properties> <help>Show specified PPPoE interface log</help> </properties> - <command>/usr/bin/journalctl -u "ppp@$4".service</command> + <command>/usr/bin/journalctl --unit "ppp@$4".service</command> </leafNode> <leafNode name="statistics"> <properties> diff --git a/op-mode-definitions/show-interfaces-wireguard.xml.in b/op-mode-definitions/show-interfaces-wireguard.xml.in new file mode 100644 index 000000000..863357ef7 --- /dev/null +++ b/op-mode-definitions/show-interfaces-wireguard.xml.in 
@@ -0,0 +1,66 @@ +<?xml version="1.0"?> +<interfaceDefinition> + <node name="show"> + <children> + <node name="interfaces"> + <children> + <tagNode name="wireguard"> + <properties> + <help>Show Wireguard interface information</help> + <completionHelp> + <script>${vyos_completion_dir}/list_interfaces.py --type wireguard</script> + </completionHelp> + </properties> + <command>${vyos_op_scripts_dir}/show_interfaces.py --intf="$4"</command> + <children> + <leafNode name="allowed-ips"> + <properties> + <help>Show all IP addresses allowed for the specified interface</help> + </properties> + <command>sudo wg show "$4" allowed-ips</command> + </leafNode> + <leafNode name="endpoints"> + <properties> + <help>Show all endpoints for the specified interface</help> + </properties> + <command>sudo wg show "$4" endpoints</command> + </leafNode> + <leafNode name="peers"> + <properties> + <help>Show all peer IDs for the specified interface</help> + </properties> + <command>sudo wg show "$4" peers</command> + </leafNode> + <leafNode name="public-key"> + <properties> + <help>Show interface public-key</help> + </properties> + <command>sudo wg show "$4" public-key</command> + </leafNode> + <leafNode name="summary"> + <properties> + <help>Shows current configuration and device information</help> + </properties> + <command>sudo wg show "$4"</command> + </leafNode> + </children> + </tagNode> + <node name="wireguard"> + <properties> + <help>Show Wireguard interface information</help> + </properties> + <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=wireguard --action=show-brief</command> + <children> + <leafNode name="detail"> + <properties> + <help>Show detailed Wireguard interface information</help> + </properties> + <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=wireguard --action=show</command> + </leafNode> + </children> + </node> + </children> + </node> + </children> + </node> +</interfaceDefinition> 
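Review bot: The `summary` leaf's help reads `Shows current configuration and device information` while every sibling in this file uses the imperative `Show ...`; make it `Show current configuration and device information` for consistency with the rest of the op-mode tree. The `summary` command `sudo wg show "$4"` relies on wg's default masking of the private and preshared keys; a short comment on the node recording that assumption would help whoever later changes the sudo environment or adds a `private-key` leaf. Quoting of `$4` is consistent throughout, which is good.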
diff --git a/op-mode-definitions/show-interfaces-wirelessmodem.xml.in b/op-mode-definitions/show-interfaces-wirelessmodem.xml.in deleted file mode 100644 index c0ab9c66f..000000000 --- a/op-mode-definitions/show-interfaces-wirelessmodem.xml.in +++ /dev/null @@ -1,51 +0,0 @@ -<?xml version="1.0"?> -<interfaceDefinition> - <node name="show"> - <children> - <node name="interfaces"> - <children> - <tagNode name="wirelessmodem"> - <properties> - <help>Show Wireless Modem (WWAN) interface information</help> - <completionHelp> - <path>interfaces wirelessmodem</path> - </completionHelp> - </properties> - <command>${vyos_op_scripts_dir}/show_interfaces.py --intf="$4"</command> - <children> - <leafNode name="log"> - <properties> - <help>Show specified WWAN interface log</help> - </properties> - <command>/usr/bin/journalctl -u "ppp@$4".service</command> - </leafNode> - <leafNode name="statistics"> - <properties> - <help>Show specified WWAN interface statistics</help> - <completionHelp> - <path>interfaces wirelessmodem</path> - </completionHelp> - </properties> - <command>if [ -d "/sys/class/net/$4" ]; then /usr/sbin/pppstats "$4"; fi</command> - </leafNode> - </children> - </tagNode> - <node name="wirelessmodem"> - <properties> - <help>Show Wireless Modem (WWAN) interface information</help> - </properties> - <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=wirelessmodem --action=show-brief</command> - <children> - <leafNode name="detail"> - <properties> - <help>Show detailed Wireless Modem (WWAN( interface information</help> - </properties> - <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=wirelessmodem --action=show</command> - </leafNode> - </children> - </node> - </children> - </node> - </children> - </node> -</interfaceDefinition> diff --git a/op-mode-definitions/show-interfaces-wwan.xml.in b/op-mode-definitions/show-interfaces-wwan.xml.in new file mode 100644 index 000000000..d57e17a13 --- /dev/null 
+++ b/op-mode-definitions/show-interfaces-wwan.xml.in 
@@ -0,0 +1,103 @@ +<?xml version="1.0"?> +<interfaceDefinition> + <node name="show"> + <children> + <node name="interfaces"> + <children> + <tagNode name="wwan"> + <properties> + <help>Show Wireless Wire Area Network (WWAN) interface information</help> + <completionHelp> + <path>interfaces wwan</path> + <script>cd /sys/class/net; ls -d wwan*</script> + </completionHelp> + </properties> + <command>${vyos_op_scripts_dir}/show_interfaces.py --intf="$4"</command> + <children> + <leafNode name="capabilities"> + <properties> + <help>Show WWAN module capabilities</help> + </properties> + <command>sudo ${vyos_op_scripts_dir}/show_wwan.py --interface=$4 --capabilities</command> + </leafNode> + <leafNode name="firmware"> + <properties> + <help>Show WWAN module firmware</help> + </properties> + <command>sudo ${vyos_op_scripts_dir}/show_wwan.py --interface=$4 --firmware</command> + </leafNode> + <leafNode name="imei"> + <properties> + <help>Show WWAN module IMEI/ESN/MEID</help> + </properties> + <command>sudo ${vyos_op_scripts_dir}/show_wwan.py --interface=$4 --imei</command> + </leafNode> + <leafNode name="imsi"> + <properties> + <help>Show WWAN module IMSI</help> + </properties> + <command>sudo ${vyos_op_scripts_dir}/show_wwan.py --interface=$4 --imsi</command> + </leafNode> + <leafNode name="model"> + <properties> + <help>Show WWAN module manufacturer</help> + </properties> + <command>sudo ${vyos_op_scripts_dir}/show_wwan.py --interface=$4 --model</command> + </leafNode> + <leafNode name="msisdn"> + <properties> + <help>Show WWAN module MSISDN</help> + </properties> + <command>sudo ${vyos_op_scripts_dir}/show_wwan.py --interface=$4 --msisdn</command> + </leafNode> + <leafNode name="revision"> + <properties> + <help>Show WWAN module revision</help> + </properties> + <command>sudo ${vyos_op_scripts_dir}/show_wwan.py --interface=$4 --revision</command> + </leafNode> + <leafNode name="signal"> + <properties> + <help>Show WWAN module RF signal info</help> + </properties> + 
<command>sudo ${vyos_op_scripts_dir}/show_wwan.py --interface=$4 --signal</command> + </leafNode> + <leafNode name="sim"> + <properties> + <help>Show WWAN module connected SIM card information</help> + </properties> + <command>sudo ${vyos_op_scripts_dir}/show_wwan.py --interface=$4 --sim</command> + </leafNode> + <leafNode name="summary"> + <properties> + <help>Show WWAN module information summary</help> + </properties> + <command>mmcli --modem ${4#wwan}</command> + </leafNode> + <leafNode name="log"> + <properties> + <help>Show interface log for specified interface</help> + </properties> + <command>echo not implemented</command> + </leafNode> + </children> + </tagNode> + <node name="wwan"> + <properties> + <help>Show Wireless Modem (WWAN) interface information</help> + </properties> + <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=wirelessmodem --action=show-brief</command> + <children> + <leafNode name="detail"> + <properties> + <help>Show detailed Wireless Modem (WWAN( interface information</help> + </properties> + <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=wirelessmodem --action=show</command> + </leafNode> + </children> + </node> + </children> + </node> + </children> + </node> +</interfaceDefinition> diff --git a/op-mode-definitions/show-log.xml.in b/op-mode-definitions/show-log.xml.in index 58216bfd1..92c1cf016 100644 --- a/op-mode-definitions/show-log.xml.in +++ b/op-mode-definitions/show-log.xml.in @@ -18,7 +18,7 @@ <properties> <help>Show listing of authorization attempts</help> </properties> - <command>/bin/journalctl -q SYSLOG_FACILITY=10 SYSLOG_FACILITY=4</command> + <command>/bin/journalctl --quiet SYSLOG_FACILITY=10 SYSLOG_FACILITY=4</command> </leafNode> <leafNode name="cluster"> <properties> 
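Review bot: Every `show_wwan.py` `<command>` in the new wwan file passes `--interface=$4` unquoted, unlike the tagNode's own `--intf="$4"` and the rest of the op-mode tree; use `--interface="$4"` throughout so the tag value is handed over as a single argument. The brief and `detail` commands under `<node name="wwan">` still call `show_interfaces.py --intf-type=wirelessmodem` although the interface type this file exposes is `wwan`; presumably they should read `--intf-type=wwan`, to be confirmed against show_interfaces.py. Two help strings carry typos: `Wireless Wire Area Network` should be `Wireless Wide Area Network`, and `(WWAN(` in the `detail` help should be `(WWAN)`. The `log` leaf only runs `echo not implemented`; either drop it until it exists or state in its help that it is not available yet. `mmcli --modem ${4#wwan}` assumes the ModemManager index equals the interface number, which deserves a comment since it may not hold with several modems.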
@@ -123,6 +123,12 @@ </tagNode> </children> </tagNode> + <leafNode name="kernel"> + <properties> + <help>Show messages in kernel ring buffer</help> + </properties> + <command>sudo dmesg</command> + </leafNode> <leafNode name="lldp"> <properties> <help>Show log for LLDP</help> diff --git a/op-mode-definitions/show-protocols-static.xml.in b/op-mode-definitions/show-protocols-static.xml.in deleted file mode 100644 index aaf875072..000000000 --- a/op-mode-definitions/show-protocols-static.xml.in +++ /dev/null @@ -1,49 +0,0 @@ -<?xml version="1.0"?> -<interfaceDefinition> - <node name="show"> - <children> - <node name="arp"> - <properties> - <help>Show Address Resolution Protocol (ARP) information</help> - </properties> - <command>/usr/sbin/arp -e -n</command> - <children> - <tagNode name="interface"> - <properties> - <help>Show Address Resolution Protocol (ARP) cache for specified interface</help> - <completionHelp> - <script>${vyos_completion_dir}/list_interfaces.py -b</script> - </completionHelp> - </properties> - <command>/usr/sbin/arp -e -n -i "$4"</command> - </tagNode> - </children> - </node> - <node name="protocols"> - <children> - <node name="static"> - <children> - <node name="arp"> - <properties> - <help>Show Address Resolution Protocol (ARP) information</help> - </properties> - <command>/usr/sbin/arp -e -n</command> - <children> - <tagNode name="interface"> - <properties> - <help>Show Address Resolution Protocol (ARP) cache for specified interface</help> - <completionHelp> - <script>${vyos_completion_dir}/list_interfaces.py -b</script> - </completionHelp> - </properties> - <command>/usr/sbin/arp -e -n -i "$6"</command> - </tagNode> - </children> - </node> - </children> - </node> - </children> - </node> - </children> - </node> -</interfaceDefinition> diff --git a/op-mode-definitions/show-protocols-bfd.xml.in b/op-mode-definitions/show-protocols.xml.in index 886b01e51..d595e2c3c 100644 --- a/op-mode-definitions/show-protocols-bfd.xml.in 
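Review bot: The new `kernel` leaf is the only entry in show-log that does not read the journal; `journalctl --dmesg` returns the same kernel ring buffer with the journal's timestamps and access control and would match its siblings, provided the operator account can read the journal (to be confirmed). If `sudo dmesg` stays, a short comment that the privilege is needed when `kernel.dmesg_restrict` is set would explain the `sudo` to the next reader.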
+++ b/op-mode-definitions/show-protocols.xml.in @@ -8,6 +8,9 @@ </properties> <children> <node name="bfd"> + <properties> + <help>Show Bidirectional Forwarding Detection (BFD)</help> + </properties> <children> <node name="peer"> <properties> @@ -48,6 +51,30 @@ </leafNode> </children> </node> + <node name="static"> + <properties> + <help>Show static protocol parameters</help> + </properties> + <children> + <node name="arp"> + <properties> + <help>Show Address Resolution Protocol (ARP) information</help> + </properties> + <command>/usr/sbin/arp -e -n</command> + <children> + <tagNode name="interface"> + <properties> + <help>Show Address Resolution Protocol (ARP) cache for specified interface</help> + <completionHelp> + <script>${vyos_completion_dir}/list_interfaces.py -b</script> + </completionHelp> + </properties> + <command>/usr/sbin/arp -e -n -i "$6"</command> + </tagNode> + </children> + </node> + </children> + </node> </children> </node> </children> diff --git a/op-mode-definitions/show-version.xml.in b/op-mode-definitions/show-version.xml.in index 6bc49b8cf..8b7cc7e58 100644 --- a/op-mode-definitions/show-version.xml.in +++ b/op-mode-definitions/show-version.xml.in @@ -26,6 +26,12 @@ </properties> <command>vtysh -c "show version"</command> </leafNode> + <leafNode name="kernel"> + <properties> + <help>Show Linux Kernel version information</help> + </properties> + <command>uname -r</command> + </leafNode> </children> </node> </children> diff --git a/op-mode-definitions/show-vrf.xml.in b/op-mode-definitions/show-vrf.xml.in index 438e7c334..9c38c30fe 100644 --- a/op-mode-definitions/show-vrf.xml.in +++ b/op-mode-definitions/show-vrf.xml.in @@ -21,7 +21,7 @@ <properties> <help>Shows all process ids associated with VRF</help> </properties> - <command>/usr/sbin/ip vrf pids "$3"</command> + <command>ip vrf pids "$3"</command> </leafNode> </children> </tagNode> 
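Review bot: The `arp` commands moved under the new `static` node keep the absolute `/usr/sbin/arp -e -n` and `/usr/sbin/arp -e -n -i "$6"` while this same commit strips `/usr/sbin/` from `ip` everywhere else; `arp -e -n` and `arp -e -n -i "$6"` would be consistent. `arp` comes from the deprecated net-tools package; `ip -4 neigh show` and `ip -4 neigh show dev "$6"` read the same table through iproute2, if the change in output format is acceptable to existing users. The help `Show static protocol parameters` could say `Show static protocol information (ARP)` since ARP is the only child. The enclosing `<node name="protocols">` starts before this hunk.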
diff --git a/op-mode-definitions/traceroute.xml.in b/op-mode-definitions/traceroute.xml.in index 1b619ed43..e3217235c 100644 --- a/op-mode-definitions/traceroute.xml.in +++ b/op-mode-definitions/traceroute.xml.in @@ -90,7 +90,7 @@ <list><hostname> <x.x.x.x> <h:h:h:h:h:h:h:h></list> </completionHelp> </properties> - <command>sudo /usr/sbin/ip vrf exec "$3" /usr/bin/traceroute "$4"</command> + <command>sudo ip vrf exec "$3" /usr/bin/traceroute "$4"</command> </tagNode> <tagNode name="ipv4"> <properties> @@ -99,13 +99,13 @@ <list><hostname> <x.x.x.x></list> </completionHelp> </properties> - <command>sudo /usr/sbin/ip vrf exec "$3" /usr/bin/traceroute -4 "$5"</command> + <command>sudo ip vrf exec "$3" /usr/bin/traceroute -4 "$5"</command> <children> <node name="tcp"> <properties> <help>Route tracing and port detection using TCP</help> </properties> - <command>sudo /usr/sbin/ip vrf exec "$3" /usr/bin/tcptraceroute "$5" </command> + <command>sudo ip vrf exec "$3" /usr/bin/tcptraceroute "$5" </command> <children> <tagNode name="port"> <properties> @@ -114,7 +114,7 @@ <list>0-65535</list> </completionHelp> </properties> - <command>sudo /usr/sbin/ip vrf exec "$3" /usr/bin/tcptraceroute "$5" $8</command> + <command>sudo ip vrf exec "$3" /usr/bin/tcptraceroute "$5" $8</command> </tagNode> </children> </node> @@ -127,13 +127,13 @@ <list><hostname> <h:h:h:h:h:h:h:h></list> </completionHelp> </properties> - <command>sudo /usr/sbin/ip vrf exec "$3" /usr/bin/traceroute -6 "$5"</command> + <command>sudo ip vrf exec "$3" /usr/bin/traceroute -6 "$5"</command> <children> <node name="tcp"> <properties> <help>Use TCP/IPv6 packets to perform a traceroute</help> </properties> - <command>sudo /usr/sbin/ip vrf exec "$3" /usr/bin/tcptraceroute6 "$5" </command> + <command>sudo ip vrf exec "$3" /usr/bin/tcptraceroute6 "$5" </command> <children> <tagNode name="port"> <properties> 
@@ -142,7 +142,7 @@ <list>0-65535</list> </completionHelp> </properties> - <command>sudo /usr/sbin/ip vrf exec "$3" /usr/bin/tcptraceroute6 "$5" $8</command> + <command>sudo ip vrf exec "$3" /usr/bin/tcptraceroute6 "$5" $8</command> </tagNode> </children> </node> @@ -198,7 +198,7 @@ <list><fqdn></list> </completionHelp> </properties> - <command>sudo /usr/sbin/ip vrf exec "$4" /usr/bin/mtr -4 "$6"</command> + <command>sudo ip vrf exec "$4" /usr/bin/mtr -4 "$6"</command> </tagNode> <tagNode name="ipv6"> <properties> @@ -207,7 +207,7 @@ <list><fqdn></list> </completionHelp> </properties> - <command>sudo /usr/sbin/ip vrf exec "$4" /usr/bin/mtr -6 "$6"</command> + <command>sudo ip vrf exec "$4" /usr/bin/mtr -6 "$6"</command> </tagNode> <tagNode name=""> <properties> @@ -216,7 +216,7 @@ <list><hostname> <x.x.x.x> <h:h:h:h:h:h:h:h></list> </completionHelp> </properties> - <command>sudo /usr/sbin/ip vrf exec "$4" /usr/bin/mtr "$5"</command> + <command>sudo ip vrf exec "$4" /usr/bin/mtr "$5"</command> </tagNode> </children> </tagNode> diff --git a/op-mode-definitions/vpn-ipsec.xml.in b/op-mode-definitions/vpn-ipsec.xml.in new file mode 100644 index 000000000..20f275e9b --- /dev/null +++ b/op-mode-definitions/vpn-ipsec.xml.in 
@@ -0,0 +1,201 @@ +<?xml version="1.0" encoding="UTF-8"?> +<interfaceDefinition> + <node name="reset"> + <children> + <node name="vpn"> + <properties> + <help>Reset Virtual Private Network (VPN) information</help> + </properties> + <children> + <tagNode name="ipsec-peer"> + <properties> + <help>Reset all tunnels for given peer</help> + <completionHelp> + <path>vpn ipsec site-to-site peer</path> + </completionHelp> + </properties> + <children> + <tagNode name="tunnel"> + <properties> + <help>Reset a specific tunnel for given peer</help> + </properties> + <command>sudo ${vyos_op_scripts_dir}/vpn_ipsec.py --action="reset-peer" --name="$4" --tunnel="$6"</command> + </tagNode> + <node name="vti"> + <properties> + <help>Reset the VTI tunnel for given peer</help> + </properties> + <command>sudo ${vyos_op_scripts_dir}/vpn_ipsec.py --action="reset-peer" --name="$4" --tunnel="vti"</command> + </node> + </children> + <command>sudo ${vyos_op_scripts_dir}/vpn_ipsec.py --action="reset-peer" --name="$4" --tunnel="all"</command> + </tagNode> + <tagNode name="ipsec-profile"> + <properties> + <help>Reset all tunnels for given DMVPN profile</help> + <completionHelp> + <path>vpn ipsec profile</path> + </completionHelp> + </properties> + <children> + <tagNode name="tunnel"> + <properties> + <help>Reset a specific tunnel for given DMVPN profile</help> + </properties> + <command>sudo ${vyos_op_scripts_dir}/vpn_ipsec.py --action="reset-profile" --name="$4" --tunnel="$6"</command> + </tagNode> + </children> + <command>sudo ${vyos_op_scripts_dir}/vpn_ipsec.py --action="reset-profile" --name="$4" --tunnel="all"</command> + </tagNode> + </children> + </node> + </children> + </node> + <node name="restart"> + <children> + <node name="vpn"> + <properties> + <help>Restart IPSec VPN</help> + </properties> + <command>if pgrep charon >/dev/null ; then sudo ipsec restart ; sleep 3 ; sudo swanctl -q ; else echo "IPSec process not running" ; fi</command> + </node> + </children> + </node> + <node 
name="show"> + <children> + <node name="vpn"> + <properties> + <help>Show Virtual Private Network (VPN) information</help> + </properties> + <children> + <node name="debug"> + <properties> + <help>Show VPN debugging information</help> + </properties> + <children> + <tagNode name="peer"> + <properties> + <help>Show debugging information for a peer</help> + </properties> + <children> + <tagNode name="tunnel"> + <properties> + <help>Show debug information for peer tunnel</help> + </properties> + <command>sudo ${vyos_op_scripts_dir}/vpn_ipsec.py --action="vpn-debug" --name="$5" --tunnel="$7"</command> + </tagNode> + </children> + <command>sudo ${vyos_op_scripts_dir}/vpn_ipsec.py --action="vpn-debug" --name="$5" --tunnel="all"</command> + </tagNode> + </children> + <command>sudo ${vyos_op_scripts_dir}/vpn_ipsec.py --action="vpn-debug" --name="all"</command> + </node> + <node name="ike"> + <properties> + <help>Show Internet Key Exchange (IKE) information</help> + </properties> + <children> + <node name="sa"> + <properties> + <help>Show all currently active IKE Security Associations (SA)</help> + </properties> + <children> + <node name="nat-traversal"> + <properties> + <help>Show all currently active IKE Security Associations (SA) that are using NAT Traversal</help> + </properties> + <command>sudo ${vyos_op_scripts_dir}/vpn_ike_sa.py --nat="yes"</command> + </node> + <tagNode name="peer"> + <properties> + <help>Show all currently active IKE Security Associations (SA) for a peer</help> + </properties> + <command>sudo ${vyos_op_scripts_dir}/vpn_ike_sa.py --peer="$6"</command> + </tagNode> + </children> + <command>sudo ${vyos_op_scripts_dir}/vpn_ike_sa.py</command> + </node> + <node name="secrets"> + <properties> + <help>Show all the pre-shared key secrets</help> + </properties> + <command>sudo cat /etc/ipsec.secrets | sed 's/#.*//'</command> + </node> + <node name="status"> + <properties> + <help>Show summary of IKE process information</help> + </properties> + <command>if 
pgrep charon >/dev/null ; then echo "Running: $(pgrep charon)" ; else echo "Process is not running" ; fi</command> + </node> + </children> + </node> + <node name="ipsec"> + <properties> + <help>Show Internet Protocol Security (IPSec) information</help> + </properties> + <children> + <node name="policy"> + <properties> + <help>Show the in-kernel crypto policies</help> + </properties> + <command>sudo ip xfrm policy list</command> + </node> + <node name="sa"> + <properties> + <help>Show all active IPSec Security Associations (SA)</help> + </properties> + <children> + <!-- + <node name="detail"> + <properties> + <help>Show Detail on all active IPSec Security Associations (SA)</help> + </properties> + <command></command> + </node> + <tagNode name="stats"> + <properties> + <help>Show statistics for all currently active IPSec Security Associations (SA)</help> + <valueHelp> + <format>txt</format> + <description>Show Statistics for SAs associated with a specific peer</description> + </valueHelp> + </properties> + <children> + <tagNode name="tunnel"> + <properties> + <help>Show Statistics for SAs associated with a specific peer</help> + </properties> + <command></command> + </tagNode> + </children> + <command></command> + </tagNode> + --> + <node name="verbose"> + <properties> + <help>Show Verbose Detail on all active IPSec Security Associations (SA)</help> + </properties> + <command>if pgrep charon >/dev/null ; then sudo /usr/sbin/ipsec statusall ; else echo "IPSec process not running" ; fi</command> + </node> + </children> + <command>if pgrep charon >/dev/null ; then sudo /usr/libexec/vyos/op_mode/show_ipsec_sa.py ; else echo "IPSec process not running" ; fi</command> + </node> + <node name="state"> + <properties> + <help>Show the in-kernel crypto state</help> + </properties> + <command>sudo ip xfrm state list</command> + </node> + <node name="status"> + <properties> + <help>Show status of IPSec process</help> + </properties> + <command>if pgrep charon >/dev/null ; then 
echo -e "IPSec Process Running: $(pgrep charon)\n$(sudo /usr/sbin/ipsec status)" ; else echo "IPSec process not running" ; fi</command> + </node> + </children> + </node> + </children> + </node> + </children> + </node> +</interfaceDefinition> diff --git a/op-mode-definitions/wireguard.xml.in b/op-mode-definitions/wireguard.xml.in deleted file mode 100644 index 0df838b50..000000000 --- a/op-mode-definitions/wireguard.xml.in +++ /dev/null 
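Review bot: `show vpn ipsec sa` calls `/usr/libexec/vyos/op_mode/show_ipsec_sa.py` by absolute path while every other script in the new vpn-ipsec file goes through `${vyos_op_scripts_dir}`; use `${vyos_op_scripts_dir}/show_ipsec_sa.py`. `show vpn ike secrets` prints every pre-shared key in `/etc/ipsec.secrets` to any operator-level user, with `sed 's/#.*//'` only removing comments; if that exposure is intended a comment on the node saying so would help reviewers, otherwise the node should be gated. The `<!-- ... -->` block holding `detail` and `stats` nodes with empty `<command></command>` elements is dead definition text and should be removed or tracked as a task rather than shipped in the XML. The `restart vpn` recipe `sudo ipsec restart ; sleep 3 ; sudo swanctl -q` waits a fixed three seconds for charon, which is fragile; polling `pgrep charon` or checking `swanctl`'s exit status before reporting would be more reliable.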
@@ -1,189 +0,0 @@ -<?xml version="1.0"?> -<!-- Wireguard key management --> -<interfaceDefinition> - <node name="generate"> - <children> - <node name="wireguard"> - <properties> - <help>Generate Wireguard keys</help> - </properties> - <children> - <leafNode name="default-keypair"> - <properties> - <help>Generate the default Wireguard keypair</help> - </properties> - <command>sudo ${vyos_op_scripts_dir}/wireguard.py --genkey</command> - </leafNode> - <leafNode name="preshared-key"> - <properties> - <help>Generate a Wireguard preshared key</help> - </properties> - <command>${vyos_op_scripts_dir}/wireguard.py --genpsk</command> - </leafNode> - <tagNode name="named-keypairs"> - <properties> - <help>Generate specified Wireguard keypairs</help> - </properties> - <command>sudo ${vyos_op_scripts_dir}/wireguard.py --genkey --location "$4"</command> - </tagNode> - <tagNode name="client-config"> - <properties> - <help>Generate Client config QR code</help> - <completionHelp> - <list><client-name></list> - </completionHelp> - </properties> - <children> - <tagNode name="interface"> - <properties> - <help>Local interface used for connection</help> - <completionHelp> - <script>${vyos_completion_dir}/list_interfaces.py --type wireguard</script> - </completionHelp> - </properties> - <children> - <tagNode name="server"> - <properties> - <help>IP address/FQDN used for client connection</help> - <completionHelp> - <script>${vyos_completion_dir}/list_local_ips.sh --both</script> - <list><hostname></list> - </completionHelp> - </properties> - <command>sudo ${vyos_op_scripts_dir}/wireguard_client.py --name "$4" --interface "$6" --server "$8"</command> - <children> - <tagNode name="address"> - <properties> - <help>IPv4/IPv6 address used by client</help> - <completionHelp> - <list><x.x.x.x> <h:h:h:h:h:h:h:h></list> - </completionHelp> - </properties> - <command>sudo ${vyos_op_scripts_dir}/wireguard_client.py --name "$4" --interface "$6" --server "$8" --address "${10}"</command> - <children> 
- <tagNode name="address"> - <properties> - <help>IPv4/IPv6 address used by client</help> - <completionHelp> - <list><x.x.x.x> <h:h:h:h:h:h:h:h></list> - </completionHelp> - </properties> - <command>sudo ${vyos_op_scripts_dir}/wireguard_client.py --name "$4" --interface "$6" --server "$8" --address "${10}" --address "${12}"</command> - </tagNode> - </children> - </tagNode> - </children> - </tagNode> - </children> - </tagNode> - </children> - </tagNode> - </children> - </node> - </children> - </node> - <node name="show"> - <children> - <node name="wireguard"> - <properties> - <help>Show Wireguard properties</help> - </properties> - <children> - <node name="keypairs"> - <properties> - <help>Show Wireguard keys</help> - </properties> - <children> - <tagNode name="pubkey"> - <properties> - <help>Show specified Wireguard public key</help> - <completionHelp> - <script>${vyos_op_scripts_dir}/wireguard.py --listkdir</script> - </completionHelp> - </properties> - <command>${vyos_op_scripts_dir}/wireguard.py --showpub --location "$5"</command> - </tagNode> - <tagNode name="privkey"> - <properties> - <help>Show specified Wireguard private key</help> - <completionHelp> - <script>${vyos_op_scripts_dir}/wireguard.py --listkdir</script> - </completionHelp> - </properties> - <command>${vyos_op_scripts_dir}/wireguard.py --showpriv --location "$5"</command> - </tagNode> - </children> - </node> - </children> - </node> - <node name="interfaces"> - <children> - <tagNode name="wireguard"> - <properties> - <help>Show Wireguard interface information</help> - <completionHelp> - <script>${vyos_completion_dir}/list_interfaces.py --type wireguard</script> - </completionHelp> - </properties> - <command>sudo ${vyos_op_scripts_dir}/wireguard.py --showinterface "$4"</command> - <children> - <leafNode name="allowed-ips"> - <properties> - <help>Show all IP addresses allowed for the specified interface</help> - </properties> - <command>sudo wg show "$4" allowed-ips</command> - </leafNode> - 
<leafNode name="endpoints"> - <properties> - <help>Show all endpoints for the specified interface</help> - </properties> - <command>sudo wg show "$4" endpoints</command> - </leafNode> - <leafNode name="peers"> - <properties> - <help>Show all peer IDs for the specified interface</help> - </properties> - <command>sudo wg show "$4" peers</command> - </leafNode> - <!-- more commands upon request --> - </children> - </tagNode> - <node name="wireguard"> - <properties> - <help>Show Wireguard interface information</help> - </properties> - <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=wireguard --action=show-brief</command> - <children> - <leafNode name="detail"> - <properties> - <help>Show detailed Wireguard interface information</help> - </properties> - <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=wireguard --action=show</command> - </leafNode> - </children> - </node> - </children> - </node> - </children> - </node> - <node name="delete"> - <children> - <node name="wireguard"> - <properties> - <help>Delete Wireguard properties</help> - </properties> - <children> - <tagNode name="keypair"> - <properties> - <help>Delete a Wireguard keypair</help> - <completionHelp> - <script>${vyos_op_scripts_dir}/wireguard.py --listkdir</script> - </completionHelp> - </properties> - <command>sudo ${vyos_op_scripts_dir}/wireguard.py --delkdir --location "$4"</command> - </tagNode> - </children> - </node> - </children> - </node> -</interfaceDefinition> diff --git a/python/vyos/airbag.py b/python/vyos/airbag.py index 510ab7f46..a20f44207 100644 --- a/python/vyos/airbag.py +++ b/python/vyos/airbag.py @@ -18,7 +18,6 @@ from datetime import datetime from vyos import debug from vyos.logger import syslog -from vyos.version import get_version from vyos.version import get_full_version_data 
@@ -78,7 +77,7 @@ def bug_report(dtype, value, trace): information.update({ 'date': datetime.now().strftime('%Y-%m-%d %H:%M:%S'), 'trace': trace, - 'instructions': COMMUNITY if 'rolling' in get_version() else SUPPORTED, + 'instructions': INSTRUCTIONS, 'note': note, }) @@ -162,20 +161,13 @@ When reporting problems, please include as much information as possible: """ -COMMUNITY = """\ -- Make sure you are running the latest version of the code available at - https://downloads.vyos.io/rolling/current/amd64/vyos-rolling-latest.iso -- Consult the forum to see how to handle this issue - https://forum.vyos.io -- Join our community on slack where our users exchange help and advice - https://vyos.slack.com -""".strip() - -SUPPORTED = """\ -- Make sure you are running the latest stable version of VyOS - the code is available at https://downloads.vyos.io/?dir=release/current -- Contact us using the online help desk +INSTRUCTIONS = """\ +- Contact us using the online help desk if you have a subscription: https://support.vyos.io/ -- Join our community on slack where our users exchange help and advice +- Make sure you are running the latest version of VyOS available at: + https://vyos.net/get/ +- Consult the community forum to see how to handle this issue: + https://forum.vyos.io +- Join us on Slack where our users exchange help and advice: https://vyos.slack.com """.strip() diff --git a/python/vyos/certbot_util.py b/python/vyos/certbot_util.py index df42d4780..bcb78381f 100644 --- a/python/vyos/certbot_util.py +++ b/python/vyos/certbot_util.py @@ -1,7 +1,7 @@ # certbot_util -- adaptation of certbot_nginx name matching functions for VyOS # https://github.com/certbot/certbot/blob/master/LICENSE.txt -from certbot_nginx import parser +from certbot_nginx._internal import parser NAME_RANK = 0 START_WILDCARD_RANK = 1 diff --git a/python/vyos/configquery.py b/python/vyos/configquery.py index ed7346f1f..1cdcbcf39 100644 --- a/python/vyos/configquery.py +++ b/python/vyos/configquery.py 
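Review bot: `from certbot_nginx._internal import parser` imports from a module whose leading underscore marks it as private to certbot, so it can move or change without a deprecation cycle; add `# NOTE: certbot_nginx moved parser into _internal (private API); re-check on certbot upgrades` above the import so the next upgrade failure is understood quickly. Pinning the certbot version this was verified against in the Debian dependencies would turn that comment into a check.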
@@ -18,9 +18,16 @@ A small library that allows querying existence or value(s) of config settings from op mode, and execution of arbitrary op mode commands. ''' +import re +import json +from copy import deepcopy from subprocess import STDOUT -from vyos.util import popen +import vyos.util +import vyos.xml +from vyos.config import Config +from vyos.configtree import ConfigTree +from vyos.configsource import ConfigSourceSession class ConfigQueryError(Exception): pass 
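Review bot: The import hunk adds `re`, `json`, `deepcopy`, `vyos.xml` and `ConfigTree`, none of which is referenced in the new `ConfigTreeQuery` class or anywhere else visible in this chunk; if the rest of the file does not use them they are dead imports and should be dropped. The switch from `from vyos.util import popen` to `import vyos.util` rewrites every call site to `vyos.util.popen`; if this is done to avoid an import cycle with `vyos.config`, a one-line comment stating that would save the next reader the question.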
@@ -51,32 +58,59 @@ class CliShellApiConfigQuery(GenericConfigQuery): def exists(self, path: list): cmd = ' '.join(path) - (_, err) = popen(f'cli-shell-api existsActive {cmd}') + (_, err) = vyos.util.popen(f'cli-shell-api existsActive {cmd}') if err: return False return True def value(self, path: list): cmd = ' '.join(path) - (out, err) = popen(f'cli-shell-api returnActiveValue {cmd}') + (out, err) = vyos.util.popen(f'cli-shell-api returnActiveValue {cmd}') if err: raise ConfigQueryError('No value for given path') return out def values(self, path: list): cmd = ' '.join(path) - (out, err) = popen(f'cli-shell-api returnActiveValues {cmd}') + (out, err) = vyos.util.popen(f'cli-shell-api returnActiveValues {cmd}') if err: raise ConfigQueryError('No values for given path') return out +class ConfigTreeQuery(GenericConfigQuery): + def __init__(self): + super().__init__() + + config_source = ConfigSourceSession() + self.configtree = Config(config_source=config_source) + + def exists(self, path: list): + return self.configtree.exists(path) + + def value(self, path: list): + return self.configtree.return_value(path) + + def values(self, path: list): + return self.configtree.return_values(path) + + def list_nodes(self, path: list): + return self.configtree.list_nodes(path) + + def get_config_dict(self, path=[], effective=False, key_mangling=None, + get_first_key=False, no_multi_convert=False, + no_tag_node_value_mangle=False): + return self.configtree.get_config_dict(path, effective=effective, + key_mangling=key_mangling, get_first_key=get_first_key, + no_multi_convert=no_multi_convert, + no_tag_node_value_mangle=no_tag_node_value_mangle) + class VbashOpRun(GenericOpRun): def __init__(self): super().__init__() def run(self, path: list, **kwargs): cmd = ' '.join(path) - (out, err) = popen(f'. /opt/vyatta/share/vyatta-op/functions/interpreter/vyatta-op-run; _vyatta_op_run {cmd}', stderr=STDOUT, **kwargs) + (out, err) = vyos.util.popen(f'. 
/opt/vyatta/share/vyatta-op/functions/interpreter/vyatta-op-run; _vyatta_op_run {cmd}', stderr=STDOUT, **kwargs) if err: raise ConfigQueryError(out) return out diff --git a/python/vyos/configsession.py b/python/vyos/configsession.py index 670e6c7fc..f28ad09c5 100644 --- a/python/vyos/configsession.py +++ b/python/vyos/configsession.py @@ -10,14 +10,14 @@ # See the GNU Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public License along with this library; -# if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA import os import re import sys import subprocess -from vyos.util import call +from vyos.util import is_systemd_service_running CLI_SHELL_API = '/bin/cli-shell-api' SET = '/opt/vyatta/sbin/my_set' @@ -73,8 +73,7 @@ def inject_vyos_env(env): env['vyos_validators_dir'] = '/usr/libexec/vyos/validators' # if running the vyos-configd daemon, inject the vyshim env var - ret = call('systemctl is-active --quiet vyos-configd.service') - if not ret: + if is_systemd_service_running('vyos-configd.service'): env['vyshim'] = '/usr/sbin/vyshim' return env diff --git a/python/vyos/configverify.py b/python/vyos/configverify.py index 99c472582..4279e6982 100644 --- a/python/vyos/configverify.py +++ b/python/vyos/configverify.py @@ -1,4 +1,4 @@ -# Copyright 2020 VyOS maintainers and contributors <maintainers@vyos.io> +# Copyright 2020-2021 VyOS maintainers and contributors <maintainers@vyos.io> # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public 
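Review bot: `get_config_dict` in the new `ConfigTreeQuery` class declares a mutable default argument `path=[]`; it is only forwarded here, but the single list object is shared across every call and the pattern breaks as soon as someone mutates it. Prefer `def get_config_dict(self, path=None, ...)` with `path = [] if path is None else path` as the first statement, which forwards exactly the same value as today. Separately, the attribute is named `self.configtree` but holds a `Config` built from `ConfigSourceSession`, not a `ConfigTree`; `self.config` would describe it accurately.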
@@ -45,6 +45,16 @@ def verify_mtu(config): raise ConfigError(f'Interface MTU too high, ' \ f'maximum supported MTU is {max_mtu}!') +def verify_mtu_parent(config, parent): + if 'mtu' not in config or 'mtu' not in parent: + return + + mtu = int(config['mtu']) + parent_mtu = int(parent['mtu']) + if mtu > parent_mtu: + raise ConfigError(f'Interface MTU ({mtu}) too high, ' \ + f'parent interface MTU is {parent_mtu}!') + def verify_mtu_ipv6(config): """ Common helper function used by interface implementations to perform @@ -139,9 +149,38 @@ def verify_eapol(config): recurring validation of EAPoL configuration. """ if 'eapol' in config: - if not {'cert_file', 'key_file'} <= set(config['eapol']): - raise ConfigError('Both cert and key-file must be specified '\ - 'when using EAPoL!') + if 'certificate' not in config['eapol']: + raise ConfigError('Certificate must be specified when using EAPoL!') + + if 'certificate' not in config['pki']: + raise ConfigError('Invalid certificate specified for EAPoL') + + cert_name = config['eapol']['certificate'] + + if cert_name not in config['pki']['certificate']: + raise ConfigError('Invalid certificate specified for EAPoL') + + cert = config['pki']['certificate'][cert_name] + + if 'certificate' not in cert or 'private' not in cert or 'key' not in cert['private']: + raise ConfigError('Invalid certificate/private key specified for EAPoL') + + if 'password_protected' in cert['private']: + raise ConfigError('Encrypted private key cannot be used for EAPoL') + + if 'ca_certificate' in config['eapol']: + if 'ca' not in config['pki']: + raise ConfigError('Invalid CA certificate specified for EAPoL') + + ca_cert_name = config['eapol']['ca_certificate'] + + if ca_cert_name not in config['pki']['ca']: + raise ConfigError('Invalid CA certificate specified for EAPoL') + + ca_cert = config['pki']['ca'][cert_name] + + if 'certificate' not in ca_cert: + raise ConfigError('Invalid CA certificate specified for EAPoL') def verify_mirror(config): """ 
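Review bot: In the CA branch of `verify_eapol`, `ca_cert = config['pki']['ca'][cert_name]` indexes the CA dictionary with the leaf certificate's name instead of `ca_cert_name`, so whenever the CA is named differently from the certificate this raises KeyError (an uncaught traceback instead of a ConfigError) and, when the names happen to coincide, the following `'certificate' not in ca_cert` check inspects the wrong object. Change it to `ca_cert = config['pki']['ca'][ca_cert_name]`. Also, `config['pki']` is indexed before anything checks that `'pki'` is present in `config`; if a caller can build the dict without that key (I cannot see the callers), the first `'certificate' not in config['pki']` raises KeyError rather than the intended ConfigError, and `config.get('pki', {})` would restore that behaviour.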
@@ -156,6 +195,19 @@ def verify_mirror(config): raise ConfigError(f'Can not mirror "{direction}" traffic back ' \ 'the originating interface!') +def verify_authentication(config): + """ + Common helper function used by interface implementations to perform + recurring validation of authentication for either PPPoE or WWAN interfaces. + + If authentication CLI option is defined, both username and password must + be set! + """ + if 'authentication' not in config: + return + if not {'user', 'password'} <= set(config['authentication']): + raise ConfigError('Authentication requires both username and ' \ + 'password to be set!') def verify_address(config): """ @@ -266,6 +318,7 @@ def verify_vlan_config(config): verify_dhcpv6(vlan) verify_address(vlan) verify_vrf(vlan) + verify_mtu_parent(vlan, config) # 802.1ad (Q-in-Q) VLANs for s_vlan in config.get('vif_s', {}): @@ -273,12 +326,15 @@ def verify_vlan_config(config): verify_dhcpv6(s_vlan) verify_address(s_vlan) verify_vrf(s_vlan) + verify_mtu_parent(s_vlan, config) for c_vlan in s_vlan.get('vif_c', {}): c_vlan = s_vlan['vif_c'][c_vlan] verify_dhcpv6(c_vlan) verify_address(c_vlan) verify_vrf(c_vlan) + verify_mtu_parent(c_vlan, config) + verify_mtu_parent(c_vlan, s_vlan) def verify_accel_ppp_base_service(config): """ @@ -288,7 +344,7 @@ def verify_accel_ppp_base_service(config): # vertify auth settings if dict_search('authentication.mode', config) == 'local': if not dict_search('authentication.local_users', config): - raise ConfigError('PPPoE local auth mode requires local users to be configured!') + raise ConfigError('Authentication mode local requires local users to be configured!') for user in dict_search('authentication.local_users.username', config): user_config = config['authentication']['local_users']['username'][user] 
@@ -312,7 +368,7 @@ def verify_accel_ppp_base_service(config): raise ConfigError(f'Missing RADIUS secret key for server "{server}"') if 'gateway_address' not in config: - raise ConfigError('PPPoE server requires gateway-address to be configured!') + raise ConfigError('Server requires gateway-address to be configured!') if 'name_server_ipv4' in config: if len(config['name_server_ipv4']) > 2: diff --git a/python/vyos/defaults.py b/python/vyos/defaults.py index 9921e3b5f..03006c383 100644 --- a/python/vyos/defaults.py +++ b/python/vyos/defaults.py @@ -22,7 +22,10 @@ directories = { "migrate": "/opt/vyatta/etc/config-migrate/migrate", "log": "/var/log/vyatta", "templates": "/usr/share/vyos/templates/", - "certbot": "/config/auth/letsencrypt" + "certbot": "/config/auth/letsencrypt", + "api_schema": "/usr/libexec/vyos/services/api/graphql/graphql/schema/", + "api_templates": "/usr/libexec/vyos/services/api/graphql/recipes/templates/" + } cfg_group = 'vyattacfg' diff --git a/python/vyos/ethtool.py b/python/vyos/ethtool.py index 136feae8d..bc103959a 100644 --- a/python/vyos/ethtool.py +++ b/python/vyos/ethtool.py @@ -57,7 +57,11 @@ class Ethtool: if ':' in line: key, value = [s.strip() for s in line.strip().split(":", 1)] key = key.lower().replace(' ', '_') - self.ring_buffers[key] = int(value) + # T3645: ethtool version used on Debian Bullseye changed the + # output format from 0 -> n/a. As we are only interested in the + # tx/rx keys we do not care about RX Mini/Jumbo. + if value.isdigit(): + self.ring_buffers[key] = int(value) def is_fixed_lro(self): diff --git a/python/vyos/ifconfig/__init__.py b/python/vyos/ifconfig/__init__.py index e9da1e9f5..2d3e406ac 100644 --- a/python/vyos/ifconfig/__init__.py +++ b/python/vyos/ifconfig/__init__.py @@ -35,3 +35,4 @@ from vyos.ifconfig.tunnel import TunnelIf from vyos.ifconfig.wireless import WiFiIf from vyos.ifconfig.l2tpv3 import L2TPv3If from vyos.ifconfig.macsec import MACsecIf +from vyos.ifconfig.wwan import WWANIf 
diff --git a/python/vyos/ifconfig/bond.py b/python/vyos/ifconfig/bond.py index 233d53688..2b9afe109 100644 --- a/python/vyos/ifconfig/bond.py +++ b/python/vyos/ifconfig/bond.py @@ -86,6 +86,9 @@ class BondIf(Interface): _sysfs_get = {**Interface._sysfs_get, **{ 'bond_arp_ip_target': { 'location': '/sys/class/net/{ifname}/bonding/arp_ip_target', + }, + 'bond_mode': { + 'location': '/sys/class/net/{ifname}/bonding/mode', } }} @@ -317,6 +320,19 @@ class BondIf(Interface): return enslaved_ifs + def get_mode(self): + """ + Return bond operation mode. + + Example: + >>> from vyos.ifconfig import BondIf + >>> BondIf('bond0').get_mode() + '802.3ad' + """ + mode = self.get_interface('bond_mode') + # mode is now "802.3ad 4", we are only interested in "802.3ad" + return mode.split()[0] + def set_primary(self, interface): """ A string (eth0, eth2, etc) specifying which slave is the primary diff --git a/python/vyos/ifconfig/ethernet.py b/python/vyos/ifconfig/ethernet.py index b89ca5a5c..07b31a12a 100644 --- a/python/vyos/ifconfig/ethernet.py +++ b/python/vyos/ifconfig/ethernet.py @@ -55,6 +55,11 @@ class EthernetIf(Interface): 'possible': lambda i, v: EthernetIf.feature(i, 'gso', v), # 'shellcmd': 'ethtool -K {ifname} gso {value}', }, + 'lro': { + 'validate': lambda v: assert_list(v, ['on', 'off']), + 'possible': lambda i, v: EthernetIf.feature(i, 'lro', v), + # 'shellcmd': 'ethtool -K {ifname} lro {value}', + }, 'sg': { 'validate': lambda v: assert_list(v, ['on', 'off']), 'possible': lambda i, v: EthernetIf.feature(i, 'sg', v), 
@@ -238,6 +243,18 @@ class EthernetIf(Interface): raise ValueError("Value out of range") return self.set_interface('gso', 'on' if state else 'off') + def set_lro(self, state): + """ + Enable Large Receive offload. State can be either True or False. + Example: + >>> from vyos.ifconfig import EthernetIf + >>> i = EthernetIf('eth0') + >>> i.set_lro(True) + """ + if not isinstance(state, bool): + raise ValueError("Value out of range") + return self.set_interface('lro', 'on' if state else 'off') + def set_rps(self, state): if not isinstance(state, bool): raise ValueError("Value out of range") @@ -328,6 +345,9 @@ class EthernetIf(Interface): # GSO (generic segmentation offload) self.set_gso(dict_search('offload.gso', config) != None) + # LRO (large receive offload) + self.set_lro(dict_search('offload.lro', config) != None) + # RPS - Receive Packet Steering self.set_rps(dict_search('offload.rps', config) != None) diff --git a/python/vyos/ifconfig/interface.py b/python/vyos/ifconfig/interface.py index 048a2cd19..a1928ba51 100644..100755 --- a/python/vyos/ifconfig/interface.py +++ b/python/vyos/ifconfig/interface.py 
@@ -311,6 +311,28 @@ class Interface(Control): cmd = 'ip link del dev {ifname}'.format(**self.config) return self._cmd(cmd) + def _set_vrf_ct_zone(self, vrf): + """ + Add/Remove rules in nftables to associate traffic in VRF to an + individual conntack zone + """ + if vrf: + # Get routing table ID for VRF + vrf_table_id = get_interface_config(vrf).get('linkinfo', {}).get( + 'info_data', {}).get('table') + # Add map element with interface and zone ID + if vrf_table_id: + self._cmd( + f'nft add element inet vrf_zones ct_iface_map {{ "{self.ifname}" : {vrf_table_id} }}' + ) + else: + nft_del_element = f'delete element inet vrf_zones ct_iface_map {{ "{self.ifname}" }}' + # Check if deleting is possible first to avoid raising errors + _, err = self._popen(f'nft -c {nft_del_element}') + if not err: + # Remove map element + self._cmd(f'nft {nft_del_element}') + def get_min_mtu(self): """ Get hardware minimum supported MTU @@ -401,6 +423,7 @@ class Interface(Control): >>> Interface('eth0').set_vrf() """ self.set_interface('vrf', vrf) + self._set_vrf_ct_zone(vrf) def set_arp_cache_tmo(self, tmo): """ @@ -779,9 +802,7 @@ class Interface(Control): # Note that currently expanded netmasks are not supported. That means # 2001:db00::0/24 is a valid argument while 2001:db00::0/ffff:ff00:: not. # see https://docs.python.org/3/library/ipaddress.html - bits = bin( - int(v6_addr['netmask'].replace(':', ''), 16)).count('1') - prefix = '/' + str(bits) + prefix = '/' + v6_addr['netmask'].split('/')[-1] # we alsoneed to remove the interface suffix on link local # addresses 
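Review bot: The replacement prefix computation at the end of the hunk, `prefix = '/' + v6_addr['netmask'].split('/')[-1]`, assumes `v6_addr['netmask']` is now an `address/len` string: when the value has no slash, `split('/')[-1]` returns it unchanged, and the removed code handled exactly that bare-netmask form, so any remaining caller supplying it would now produce an invalid prefix. I cannot see where `v6_addr` is populated; if the format is guaranteed, a comment such as `# netmask is reported as "<addr>/<len>"; the suffix is the prefix length` makes the dependency explicit, otherwise keep a fallback to the old bit-count. In `_set_vrf_ct_zone`, the add branch silently does nothing when no table id is found for the VRF, leaving the interface without a conntrack zone; logging or raising there would surface the condition. The enclosing methods of the last hunk start outside this view.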
@@ -1345,12 +1366,55 @@ class Interface(Control): # create/update 802.1q VLAN interfaces for vif_id, vif_config in config.get('vif', {}).items(): + + vif_ifname = f'{ifname}.{vif_id}' + vif_config['ifname'] = vif_ifname + tmp = deepcopy(VLANIf.get_config()) tmp['source_interface'] = ifname tmp['vlan_id'] = vif_id - vif_ifname = f'{ifname}.{vif_id}' - vif_config['ifname'] = vif_ifname + # We need to ensure that the string format is consistent, and we need to exclude redundant spaces. + sep = ' ' + if 'egress_qos' in vif_config: + # Unwrap strings into arrays + egress_qos_array = vif_config['egress_qos'].split() + # The split array is spliced according to the fixed format + tmp['egress_qos'] = sep.join(egress_qos_array) + + if 'ingress_qos' in vif_config: + # Unwrap strings into arrays + ingress_qos_array = vif_config['ingress_qos'].split() + # The split array is spliced according to the fixed format + tmp['ingress_qos'] = sep.join(ingress_qos_array) + + # Since setting the QoS control parameters in the later stage will + # not completely delete the old settings, + # we still need to delete the VLAN encapsulation interface in order to + # ensure that the changed settings are effective. + cur_cfg = get_interface_config(vif_ifname) + qos_str = '' + tmp2 = dict_search('linkinfo.info_data.ingress_qos', cur_cfg) + if 'ingress_qos' in tmp and tmp2: + for item in tmp2: + from_key = item['from'] + to_key = item['to'] + qos_str += f'{from_key}:{to_key} ' + if qos_str != tmp['ingress_qos']: + if self.exists(vif_ifname): + VLANIf(vif_ifname).remove() + + qos_str = '' + tmp2 = dict_search('linkinfo.info_data.egress_qos', cur_cfg) + if 'egress_qos' in tmp and tmp2: + for item in tmp2: + from_key = item['from'] + to_key = item['to'] + qos_str += f'{from_key}:{to_key} ' + if qos_str != tmp['egress_qos']: + if self.exists(vif_ifname): + VLANIf(vif_ifname).remove() + vlan = VLANIf(vif_ifname, **tmp) vlan.update(vif_config) 
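Review bot: The comparison `qos_str != tmp['ingress_qos']` (and its egress twin) can never be equal: `qos_str` is assembled with a trailing space per item via `f'{from_key}:{to_key} '`, while `tmp['ingress_qos']` is `sep.join(...)` with no trailing space, so whenever QoS is configured and the kernel already reports a mapping, the VLAN interface is removed and recreated on every commit. Build both sides the same way, e.g. `qos_str = ' '.join(f"{item['from']}:{item['to']}" for item in tmp2)`, and since the ingress and egress blocks are identical apart from the key a small helper would remove the duplication. Note too that the kernel may report mappings in a different order than configured, so comparing as sets of `from:to` pairs would be more robust than string equality. The enclosing function begins before and ends after this hunk.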
diff --git a/python/vyos/ifconfig/l2tpv3.py b/python/vyos/ifconfig/l2tpv3.py index 7ff0fdd0e..fcd1fbf81 100644 --- a/python/vyos/ifconfig/l2tpv3.py +++ b/python/vyos/ifconfig/l2tpv3.py @@ -13,8 +13,28 @@ # You should have received a copy of the GNU Lesser General Public # License along with this library. If not, see <http://www.gnu.org/licenses/>. +from time import sleep +from time import time +from vyos.util import run from vyos.ifconfig.interface import Interface +def wait_for_add_l2tpv3(timeout=10, sleep_interval=1, cmd=None): + ''' + In some cases, we need to wait until local address is assigned. + And only then can the l2tpv3 tunnel be configured. + For example when ipv6 address in tentative state + or we wait for some routing daemon for remote address. + ''' + start_time = time() + test_command = cmd + while True: + if (start_time + timeout) < time(): + return None + result = run(test_command) + if result == 0: + return True + sleep(sleep_interval) + @Interface.register class L2TPv3If(Interface): """ @@ -43,7 +63,9 @@ class L2TPv3If(Interface): cmd += ' encap {encapsulation}' cmd += ' local {source_address}' cmd += ' remote {remote}' - self._cmd(cmd.format(**self.config)) + c = cmd.format(**self.config) + # wait until the local/remote address is available, but no more 10 sec. + wait_for_add_l2tpv3(cmd=c) # setup session cmd = 'ip l2tp add session name {ifname}' diff --git a/python/vyos/ifconfig/tunnel.py b/python/vyos/ifconfig/tunnel.py index 2a266fc9f..64c735824 100644 --- a/python/vyos/ifconfig/tunnel.py +++ b/python/vyos/ifconfig/tunnel.py @@ -62,6 +62,7 @@ class TunnelIf(Interface): mapping_ipv4 = { 'parameters.ip.key' : 'key', 'parameters.ip.no_pmtu_discovery' : 'nopmtudisc', + 'parameters.ip.ignore_df' : 'ignore-df', 'parameters.ip.tos' : 'tos', 'parameters.ip.ttl' : 'ttl', 'parameters.erspan.direction' : 'erspan_dir', diff --git a/python/vyos/ifconfig/vrrp.py b/python/vyos/ifconfig/vrrp.py index d3e9d5df2..b522cc1ab 100644 
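Review bot: In `_create`, `wait_for_add_l2tpv3(cmd=c)` discards the helper's return value, so when the loop gives up after `timeout` seconds the tunnel was never created yet the method continues to `ip l2tp add session` (and whatever follows outside the hunk) as though it had succeeded, whereas the removed `self._cmd(...)` raised on failure. Check the result, e.g. `if not wait_for_add_l2tpv3(cmd=c):` followed by raising the exception type this module uses for command failures (not visible here). The helper's name suggests a passive wait, but it repeatedly executes the add-tunnel command itself; a docstring line such as `Run cmd every sleep_interval seconds until it exits 0 or timeout seconds elapse; return True on success, None on timeout.` would stop callers from treating it as a read-only probe.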
--- a/python/vyos/ifconfig/vrrp.py +++ b/python/vyos/ifconfig/vrrp.py @@ -92,11 +92,14 @@ class VRRP(object): try: # send signal to generate the configuration file pid = util.read_file(cls.location['pid']) - os.kill(int(pid), cls._signal[what]) + util.wait_for_file_write_complete(fname, + pre_hook=(lambda: os.kill(int(pid), cls._signal[what])), + timeout=30) - # should look for file size change? - sleep(0.2) return util.read_file(fname) + except OSError: + # raised by vyos.util.read_file + raise VRRPNoData("VRRP data is not available (wait time exceeded)") except FileNotFoundError: raise VRRPNoData("VRRP data is not available (process not running or no active groups)") except Exception: diff --git a/python/vyos/ifconfig/vti.py b/python/vyos/ifconfig/vti.py index e2090c889..470ebbff3 100644 --- a/python/vyos/ifconfig/vti.py +++ b/python/vyos/ifconfig/vti.py @@ -14,6 +14,7 @@ # License along with this library. If not, see <http://www.gnu.org/licenses/>. from vyos.ifconfig.interface import Interface +from vyos.util import dict_search @Interface.register class VTIIf(Interface): 
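Review bot: The new `except OSError:` clause is placed before `except FileNotFoundError:`, but FileNotFoundError is a subclass of OSError, so the second handler is now unreachable and a missing PID or data file is reported as "wait time exceeded" instead of "process not running or no active groups". Swap the two clauses so the more specific exception is tested first. The comment `# raised by vyos.util.read_file` does not say what `wait_for_file_write_complete` raises on timeout (I cannot see that helper); if it raises something more specific than OSError, catching that type would also avoid mislabelling permission errors as a timeout. The enclosing method starts and ends outside the hunk.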
@@ -25,3 +26,27 @@ class VTIIf(Interface): 'prefixes': ['vti', ], }, } + + def _create(self): + # This table represents a mapping from VyOS internal config dict to + # arguments used by iproute2. For more information please refer to: + # - https://man7.org/linux/man-pages/man8/ip-link.8.html + # - https://man7.org/linux/man-pages/man8/ip-tunnel.8.html + mapping = { + 'source_interface' : 'dev', + } + + if_id = self.ifname.lstrip('vti') + cmd = f'ip link add {self.ifname} type xfrm if_id {if_id}' + for vyos_key, iproute2_key in mapping.items(): + # dict_search will return an empty dict "{}" for valueless nodes like + # "parameters.nolearning" - thus we need to test the nodes existence + # by using isinstance() + tmp = dict_search(vyos_key, self.config) + if isinstance(tmp, dict): + cmd += f' {iproute2_key}' + elif tmp != None: + cmd += f' {iproute2_key} {tmp}' + + self._cmd(cmd.format(**self.config)) + self.set_interface('admin_state', 'down') diff --git a/python/vyos/ifconfig/wireguard.py b/python/vyos/ifconfig/wireguard.py index e5b9c4408..c4cf2fbbf 100644 --- a/python/vyos/ifconfig/wireguard.py +++ b/python/vyos/ifconfig/wireguard.py @@ -95,7 +95,7 @@ class WireGuardOperational(Operational): for peer in c.list_effective_nodes(["peer"]): if wgdump['peers']: - pubkey = c.return_effective_value(["peer", peer, "pubkey"]) + pubkey = c.return_effective_value(["peer", peer, "public_key"]) if pubkey in wgdump['peers']: wgpeer = wgdump['peers'][pubkey] 
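Review bot: `if_id = self.ifname.lstrip('vti')` strips any leading run of the characters v, t and i rather than the literal prefix, which only works because names are expected to be exactly `vti<number>`; `if_id = self.ifname[len('vti'):]` states the intent without relying on that coincidence. The final `self._cmd(cmd.format(**self.config))` applies `.format` to a string that was already fully built with f-strings, so a brace in any interpolated value would raise KeyError or ValueError at runtime; `self._cmd(cmd)` is sufficient. The comment about `parameters.nolearning` refers to a node that this `mapping` does not contain, so trimming it to the `source_interface` case would keep it truthful.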
@@ -194,11 +194,15 @@ class WireGuardIf(Interface): peer = config['peer_remove'][tmp] peer['ifname'] = config['ifname'] - cmd = 'wg set {ifname} peer {pubkey} remove' + cmd = 'wg set {ifname} peer {public_key} remove' self._cmd(cmd.format(**peer)) + config['private_key_file'] = '/tmp/tmp.wireguard.key' + with open(config['private_key_file'], 'w') as f: + f.write(config['private_key']) + # Wireguard base command is identical for every peer - base_cmd = 'wg set {ifname} private-key {private_key}' + base_cmd = 'wg set {ifname} private-key {private_key_file}' if 'port' in config: base_cmd += ' listen-port {port}' if 'fwmark' in config: @@ -210,7 +214,7 @@ class WireGuardIf(Interface): peer = config['peer'][tmp] # start of with a fresh 'wg' command - cmd = base_cmd + ' peer {pubkey}' + cmd = base_cmd + ' peer {public_key}' # If no PSK is given remove it by using /dev/null - passing keys via # the shell (usually bash) is considered insecure, thus we use a file diff --git a/python/vyos/ifconfig/wwan.py b/python/vyos/ifconfig/wwan.py new file mode 100644 index 000000000..f18959a60 --- /dev/null +++ b/python/vyos/ifconfig/wwan.py 
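Review bot: The private key is written to the fixed path `/tmp/tmp.wireguard.key` with a plain `open(..., 'w')`, which creates the file under the process umask (commonly world-readable), never removes it, and uses a predictable name on a shared directory, so the key stays on disk readable by other local users and the path is open to pre-placed symlinks. The hunk's own comment two lines later explains that a file is used precisely to keep the key out of the shell, so the file should be a 0600 temporary created through `tempfile` and unlinked once the last `wg set` below has run (that loop is outside the hunk). This needs `os` and `tempfile` imported at the top of the module if they are not already.
```python
# Keep the key in a private 0600 temp file with a unique name; unlinked below.
with tempfile.NamedTemporaryFile(mode='w', prefix='wireguard-', delete=False) as key_file:
    key_file.write(config['private_key'])
config['private_key_file'] = key_file.name
# … unchanged: base_cmd construction and the per-peer 'wg set' loop …
os.unlink(config['private_key_file'])  # after the final wg invocation, ideally in a finally block
```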
@@ -0,0 +1,28 @@ +# Copyright 2021 VyOS maintainers and contributors <maintainers@vyos.io> +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with this library. If not, see <http://www.gnu.org/licenses/>. + +from vyos.ifconfig.interface import Interface + +@Interface.register +class WWANIf(Interface): + iftype = 'wwan' + definition = { + **Interface.definition, + **{ + 'section': 'wwan', + 'prefixes': ['wwan', ], + 'eternal': 'wwan[0-9]+$', + }, + } diff --git a/python/vyos/pki.py b/python/vyos/pki.py new file mode 100644 index 000000000..68ad73bf2 --- /dev/null +++ b/python/vyos/pki.py 
@@ -0,0 +1,333 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2021 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import datetime +import ipaddress + +from cryptography import x509 +from cryptography.exceptions import InvalidSignature +from cryptography.x509.extensions import ExtensionNotFound +from cryptography.x509.oid import NameOID, ExtendedKeyUsageOID, ExtensionOID +from cryptography.hazmat.primitives import hashes +from cryptography.hazmat.primitives import serialization +from cryptography.hazmat.primitives.asymmetric import dh +from cryptography.hazmat.primitives.asymmetric import dsa +from cryptography.hazmat.primitives.asymmetric import ec +from cryptography.hazmat.primitives.asymmetric import padding +from cryptography.hazmat.primitives.asymmetric import rsa + +CERT_BEGIN='-----BEGIN CERTIFICATE-----\n' +CERT_END='\n-----END CERTIFICATE-----' +KEY_BEGIN='-----BEGIN PRIVATE KEY-----\n' +KEY_END='\n-----END PRIVATE KEY-----' +KEY_ENC_BEGIN='-----BEGIN ENCRYPTED PRIVATE KEY-----\n' +KEY_ENC_END='\n-----END ENCRYPTED PRIVATE KEY-----' +KEY_PUB_BEGIN='-----BEGIN PUBLIC KEY-----\n' +KEY_PUB_END='\n-----END PUBLIC KEY-----' +CRL_BEGIN='-----BEGIN X509 CRL-----\n' +CRL_END='\n-----END X509 CRL-----' +CSR_BEGIN='-----BEGIN CERTIFICATE REQUEST-----\n' +CSR_END='\n-----END CERTIFICATE REQUEST-----' +DH_BEGIN='-----BEGIN DH PARAMETERS-----\n' +DH_END='\n-----END DH PARAMETERS-----' +OVPN_BEGIN = 
'-----BEGIN OpenVPN Static key V{0}-----\n' +OVPN_END = '\n-----END OpenVPN Static key V{0}-----' + +# Print functions + +encoding_map = { + 'PEM': serialization.Encoding.PEM, + 'OpenSSH': serialization.Encoding.OpenSSH +} + +public_format_map = { + 'SubjectPublicKeyInfo': serialization.PublicFormat.SubjectPublicKeyInfo, + 'OpenSSH': serialization.PublicFormat.OpenSSH +} + +private_format_map = { + 'PKCS8': serialization.PrivateFormat.PKCS8, + 'OpenSSH': serialization.PrivateFormat.OpenSSH +} + +def encode_certificate(cert): + return cert.public_bytes(encoding=serialization.Encoding.PEM).decode('utf-8') + +def encode_public_key(cert, encoding='PEM', key_format='SubjectPublicKeyInfo'): + if encoding not in encoding_map: + encoding = 'PEM' + if key_format not in public_format_map: + key_format = 'SubjectPublicKeyInfo' + return cert.public_bytes( + encoding=encoding_map[encoding], + format=public_format_map[key_format]).decode('utf-8') + +def encode_private_key(private_key, encoding='PEM', key_format='PKCS8', passphrase=None): + if encoding not in encoding_map: + encoding = 'PEM' + if key_format not in private_format_map: + key_format = 'PKCS8' + encryption = serialization.NoEncryption() if not passphrase else serialization.BestAvailableEncryption(bytes(passphrase, 'utf-8')) + return private_key.private_bytes( + encoding=encoding_map[encoding], + format=private_format_map[key_format], + encryption_algorithm=encryption).decode('utf-8') + +def encode_dh_parameters(dh_parameters): + return dh_parameters.parameter_bytes( + encoding=serialization.Encoding.PEM, + format=serialization.ParameterFormat.PKCS3).decode('utf-8') + +# EC Helper + +def get_elliptic_curve(size): + curve_func = None + name = f'SECP{size}R1' + if hasattr(ec, name): + curve_func = getattr(ec, name) + else: + curve_func = ec.SECP256R1() # Default to SECP256R1 + return curve_func() + +# Creation functions + +def create_private_key(key_type, key_size=None): + private_key = None + if key_type == 'rsa': + 
private_key = rsa.generate_private_key(public_exponent=65537, key_size=key_size) + elif key_type == 'dsa': + private_key = dsa.generate_private_key(key_size=key_size) + elif key_type == 'ec': + curve = get_elliptic_curve(key_size) + private_key = ec.generate_private_key(curve) + return private_key + +def create_certificate_request(subject, private_key, subject_alt_names=[]): + subject_obj = x509.Name([ + x509.NameAttribute(NameOID.COUNTRY_NAME, subject['country']), + x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, subject['state']), + x509.NameAttribute(NameOID.LOCALITY_NAME, subject['locality']), + x509.NameAttribute(NameOID.ORGANIZATION_NAME, subject['organization']), + x509.NameAttribute(NameOID.COMMON_NAME, subject['common_name'])]) + + builder = x509.CertificateSigningRequestBuilder() \ + .subject_name(subject_obj) + + if subject_alt_names: + alt_names = [] + for obj in subject_alt_names: + if isinstance(obj, ipaddress.IPv4Address) or isinstance(obj, ipaddress.IPv6Address): + alt_names.append(x509.IPAddress(obj)) + elif isinstance(obj, str): + alt_names.append(x509.DNSName(obj)) + if alt_names: + builder = builder.add_extension(x509.SubjectAlternativeName(alt_names), critical=False) + + return builder.sign(private_key, hashes.SHA256()) + +def add_key_identifier(ca_cert): + try: + ski_ext = ca_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier) + return x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(ski_ext.value) + except: + return x509.AuthorityKeyIdentifier.from_issuer_public_key(ca_cert.public_key()) + +def create_certificate(cert_req, ca_cert, ca_private_key, valid_days=365, cert_type='server', is_ca=False, is_sub_ca=False): + ext_key_usage = [] + if is_ca: + ext_key_usage = [ExtendedKeyUsageOID.CLIENT_AUTH, ExtendedKeyUsageOID.SERVER_AUTH] + elif cert_type == 'client': + ext_key_usage = [ExtendedKeyUsageOID.CLIENT_AUTH] + elif cert_type == 'server': + ext_key_usage = [ExtendedKeyUsageOID.SERVER_AUTH] + + builder = 
x509.CertificateBuilder() \ + .subject_name(cert_req.subject) \ + .issuer_name(ca_cert.subject) \ + .public_key(cert_req.public_key()) \ + .serial_number(x509.random_serial_number()) \ + .not_valid_before(datetime.datetime.utcnow()) \ + .not_valid_after(datetime.datetime.utcnow() + datetime.timedelta(days=int(valid_days))) + + builder = builder.add_extension(x509.BasicConstraints(ca=is_ca, path_length=0 if is_sub_ca else None), critical=True) + builder = builder.add_extension(x509.KeyUsage( + digital_signature=True, + content_commitment=False, + key_encipherment=False, + data_encipherment=False, + key_agreement=False, + key_cert_sign=is_ca, + crl_sign=is_ca, + encipher_only=False, + decipher_only=False), critical=True) + builder = builder.add_extension(x509.ExtendedKeyUsage(ext_key_usage), critical=False) + builder = builder.add_extension(x509.SubjectKeyIdentifier.from_public_key(cert_req.public_key()), critical=False) + + if not is_ca or is_sub_ca: + builder = builder.add_extension(add_key_identifier(ca_cert), critical=False) + + for ext in cert_req.extensions: + builder = builder.add_extension(ext.value, critical=False) + + return builder.sign(ca_private_key, hashes.SHA256()) + +def create_certificate_revocation_list(ca_cert, ca_private_key, serial_numbers=[]): + if not serial_numbers: + return False + + builder = x509.CertificateRevocationListBuilder() \ + .issuer_name(ca_cert.subject) \ + .last_update(datetime.datetime.today()) \ + .next_update(datetime.datetime.today() + datetime.timedelta(1, 0, 0)) + + for serial_number in serial_numbers: + revoked_cert = x509.RevokedCertificateBuilder() \ + .serial_number(serial_number) \ + .revocation_date(datetime.datetime.today()) \ + .build() + builder = builder.add_revoked_certificate(revoked_cert) + + return builder.sign(private_key=ca_private_key, algorithm=hashes.SHA256()) + +def create_dh_parameters(bits=2048): + if not bits or bits < 512: + print("Invalid DH parameter key size") + return False + + return 
dh.generate_parameters(generator=2, key_size=int(bits)) + +# Wrap functions + +def wrap_public_key(raw_data): + return KEY_PUB_BEGIN + raw_data + KEY_PUB_END + +def wrap_private_key(raw_data, passphrase=None): + return (KEY_ENC_BEGIN if passphrase else KEY_BEGIN) + raw_data + (KEY_ENC_END if passphrase else KEY_END) + +def wrap_certificate_request(raw_data): + return CSR_BEGIN + raw_data + CSR_END + +def wrap_certificate(raw_data): + return CERT_BEGIN + raw_data + CERT_END + +def wrap_crl(raw_data): + return CRL_BEGIN + raw_data + CRL_END + +def wrap_dh_parameters(raw_data): + return DH_BEGIN + raw_data + DH_END + +def wrap_openvpn_key(raw_data, version='1'): + return OVPN_BEGIN.format(version) + raw_data + OVPN_END.format(version) + +# Load functions + +def load_public_key(raw_data, wrap_tags=True): + if wrap_tags: + raw_data = wrap_public_key(raw_data) + + try: + return serialization.load_pem_public_key(bytes(raw_data, 'utf-8')) + except ValueError: + return False + +def load_private_key(raw_data, passphrase=None, wrap_tags=True): + if wrap_tags: + raw_data = wrap_private_key(raw_data, passphrase) + + if passphrase: + passphrase = bytes(passphrase, 'utf-8') + + try: + return serialization.load_pem_private_key(bytes(raw_data, 'utf-8'), password=passphrase) + except ValueError: + return False + +def load_certificate_request(raw_data, wrap_tags=True): + if wrap_tags: + raw_data = wrap_certificate_request(raw_data) + + try: + return x509.load_pem_x509_csr(bytes(raw_data, 'utf-8')) + except ValueError: + return False + +def load_certificate(raw_data, wrap_tags=True): + if wrap_tags: + raw_data = wrap_certificate(raw_data) + + try: + return x509.load_pem_x509_certificate(bytes(raw_data, 'utf-8')) + except ValueError: + return False + +def load_crl(raw_data, wrap_tags=True): + if wrap_tags: + raw_data = wrap_crl(raw_data) + + try: + return x509.load_pem_x509_crl(bytes(raw_data, 'utf-8')) + except ValueError: + return False + +def load_dh_parameters(raw_data, 
wrap_tags=True): + if wrap_tags: + raw_data = wrap_dh_parameters(raw_data) + + try: + return serialization.load_pem_parameters(bytes(raw_data, 'utf-8')) + except ValueError: + return False + +# Verify + +def is_ca_certificate(cert): + if not cert: + return False + + try: + ext = cert.extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS) + return ext.value.ca + except ExtensionNotFound: + return False + +def verify_certificate(cert, ca_cert): + # Verify certificate was signed by specified CA + if ca_cert.subject != cert.issuer: + return False + + ca_public_key = ca_cert.public_key() + try: + if isinstance(ca_public_key, rsa.RSAPublicKeyWithSerialization): + ca_public_key.verify( + cert.signature, + cert.tbs_certificate_bytes, + padding=padding.PKCS1v15(), + algorithm=cert.signature_hash_algorithm) + elif isinstance(ca_public_key, dsa.DSAPublicKeyWithSerialization): + ca_public_key.verify( + cert.signature, + cert.tbs_certificate_bytes, + algorithm=cert.signature_hash_algorithm) + elif isinstance(ca_public_key, ec.EllipticCurvePublicKeyWithSerialization): + ca_public_key.verify( + cert.signature, + cert.tbs_certificate_bytes, + signature_algorithm=ec.ECDSA(cert.signature_hash_algorithm)) + else: + return False # We cannot verify it + return True + except InvalidSignature: + return False diff --git a/python/vyos/remote.py b/python/vyos/remote.py index f683a6d5a..e972050b7 100644 --- a/python/vyos/remote.py +++ b/python/vyos/remote.py 
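Review bot: `verify_certificate` checks only that `cert.issuer` equals `ca_cert.subject` and that the CA key verifies the signature; it does not check the validity window (`not_valid_before`/`not_valid_after`), that `ca_cert` actually carries `BasicConstraints.ca` (the `is_ca_certificate` helper defined just above is never called), or anything beyond one hop, so callers must not read `True` as "trusted and currently valid". A docstring stating that contract, e.g. `Return True only if cert's issuer matches ca_cert's subject and ca_cert's key verifies cert's signature; validity period and CA constraints are NOT checked.`, would prevent misuse until those checks are added. `add_key_identifier` uses a bare `except:`, which also swallows KeyboardInterrupt and genuine programming errors; narrow it to `except ExtensionNotFound:`, which is already imported. The `isinstance` checks against `rsa.RSAPublicKeyWithSerialization` and the DSA/EC equivalents rely on aliases that newer `cryptography` releases have deprecated in favour of `RSAPublicKey` and friends, which is worth confirming against the version being shipped.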
@@ -15,90 +15,176 @@ from ftplib import FTP import os +import shutil import socket +import stat import sys import tempfile import urllib.parse -import urllib.request +import urllib.request as urlreq -from vyos.util import cmd, ask_yes_no +from vyos.template import get_ip +from vyos.template import ip_from_cidr +from vyos.template import is_interface +from vyos.template import is_ipv6 +from vyos.util import cmd +from vyos.util import ask_yes_no +from vyos.util import print_error +from vyos.util import make_progressbar +from vyos.util import make_incremental_progressbar from vyos.version import get_version -from paramiko import SSHClient, SSHException, MissingHostKeyPolicy +from paramiko import SSHClient +from paramiko import SSHException +from paramiko import MissingHostKeyPolicy - -known_hosts_file = os.path.expanduser('~/.ssh/known_hosts') +# This is a hardcoded path and no environment variable can change it. +KNOWN_HOSTS_FILE = os.path.expanduser('~/.ssh/known_hosts') +CHUNK_SIZE = 8192 class InteractivePolicy(MissingHostKeyPolicy): """ Policy for interactively querying the user on whether to proceed with - SSH connections to unknown hosts. + SSH connections to unknown hosts. 
""" def missing_host_key(self, client, hostname, key): - print(f"Host '{hostname}' not found in known hosts.") - print('Fingerprint: ' + key.get_fingerprint().hex()) + print_error(f"Host '{hostname}' not found in known hosts.") + print_error('Fingerprint: ' + key.get_fingerprint().hex()) if ask_yes_no('Do you wish to continue?'): - if client._host_keys_filename and ask_yes_no('Do you wish to permanently add this host/key pair to known hosts?'): + if client._host_keys_filename\ + and ask_yes_no('Do you wish to permanently add this host/key pair to known hosts?'): client._host_keys.add(hostname, key.get_name(), key) client.save_host_keys(client._host_keys_filename) else: raise SSHException(f"Cannot connect to unknown host '{hostname}'.") + +## Helper routines +def get_authentication_variables(default_username=None, default_password=None): + """ + Return the environment variables `$REMOTE_USERNAME` and `$REMOTE_PASSWORD` and + return the defaults provided if environment variables are empty or nonexistent. + """ + username, password = os.getenv('REMOTE_USERNAME'), os.getenv('REMOTE_PASSWORD') + # Fall back to defaults if the username variable doesn't exist or is an empty string. + # Note that this is different from `os.getenv('REMOTE_USERNAME', default=default_username)`, + # as we want the username and the password to have the same behaviour. + if not username: + return default_username, default_password + else: + return username, password + +def get_source_address(source): + """ + Take a string vaguely indicating an origin source (interface, hostname or IP address), + return a tuple in the format `(source_pair, address_family)` where + `source_pair` is `(source_address, source_port)`. + """ + # TODO: Properly distinguish between IPv4 and IPv6. 
+ port = 0 + if is_interface(source): + source = ip_from_cidr(get_ip(source)[0]) + if is_ipv6(source): + return (source, port), socket.AF_INET6 + else: + return (socket.gethostbyname(source), port), socket.AF_INET + +def get_port_from_url(url): + """ + Return the port number from the given `url` named tuple, fall back to + the default if there isn't one. + """ + defaults = {"http": 80, "https": 443, "ftp": 21, "tftp": 69,\ + "ssh": 22, "scp": 22, "sftp": 22} + if url.port: + return url.port + else: + return defaults[url.scheme] + + ## FTP routines -def transfer_ftp(mode, local_path, hostname, remote_path,\ - username='anonymous', password='', port=21, source=None): - with FTP(source_address=source) as conn: +def upload_ftp(local_path, hostname, remote_path,\ + username='anonymous', password='', port=21,\ + source_pair=None, progressbar=False): + size = os.path.getsize(local_path) + with FTP(source_address=source_pair) as conn: conn.connect(hostname, port) conn.login(username, password) - if mode == 'upload': - with open(local_path, 'rb') as file: - conn.storbinary(f'STOR {remote_path}', file) - elif mode == 'download': - with open(local_path, 'wb') as file: - conn.retrbinary(f'RETR {remote_path}', file.write) - elif mode == 'size': - size = conn.size(remote_path) - if size: - return size + with open(local_path, 'rb') as file: + if progressbar and size: + progress = make_incremental_progressbar(CHUNK_SIZE / size) + next(progress) + callback = lambda block: next(progress) else: - # SIZE is an extension to the FTP specification, although it's extremely common. - raise ValueError('Failed to receive file size from FTP server. 
\ - Perhaps the server does not implement the SIZE command?') + callback = None + conn.storbinary(f'STOR {remote_path}', file, CHUNK_SIZE, callback) -def upload_ftp(*args, **kwargs): - transfer_ftp('upload', *args, **kwargs) +def download_ftp(local_path, hostname, remote_path,\ + username='anonymous', password='', port=21,\ + source_pair=None, progressbar=False): + with FTP(source_address=source_pair) as conn: + conn.connect(hostname, port) + conn.login(username, password) + size = conn.size(remote_path) + with open(local_path, 'wb') as file: + # No progressbar if we can't determine the size. + if progressbar and size: + progress = make_incremental_progressbar(CHUNK_SIZE / size) + next(progress) + callback = lambda block: (file.write(block), next(progress)) + else: + callback = file.write + conn.retrbinary(f'RETR {remote_path}', callback, CHUNK_SIZE) -def download_ftp(*args, **kwargs): - transfer_ftp('download', *args, **kwargs) +def get_ftp_file_size(hostname, remote_path,\ + username='anonymous', password='', port=21,\ + source_pair=None): + with FTP(source_address=source) as conn: + conn.connect(hostname, port) + conn.login(username, password) + size = conn.size(remote_path) + if size: + return size + else: + # SIZE is an extension to the FTP specification, although it's extremely common. + raise ValueError('Failed to receive file size from FTP server. 
\ + Perhaps the server does not implement the SIZE command?') -def get_ftp_file_size(*args, **kwargs): - return transfer_ftp('size', None, *args, **kwargs) ## SFTP/SCP routines def transfer_sftp(mode, local_path, hostname, remote_path,\ - username=None, password=None, port=22, source=None): + username=None, password=None, port=22,\ + source_tuple=None, progressbar=False): sock = None - if source: - sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) - sock.bind((source, 0)) + if source_tuple: + (source_address, source_port), address_family = source_tuple + sock = socket.socket(address_family, socket.SOCK_STREAM) + sock.bind((source_address, source_port)) sock.connect((hostname, port)) - try: - with SSHClient() as ssh: - ssh.load_system_host_keys() - if os.path.exists(known_hosts_file): - ssh.load_host_keys(known_hosts_file) - ssh.set_missing_host_key_policy(InteractivePolicy()) - ssh.connect(hostname, port, username, password, sock=sock) - with ssh.open_sftp() as sftp: - if mode == 'upload': - sftp.put(local_path, remote_path) - elif mode == 'download': - sftp.get(remote_path, local_path) - elif mode == 'size': - return sftp.stat(remote_path).st_size - finally: - if sock: - sock.shutdown() - sock.close() + callback = make_progressbar() if progressbar else None + with SSHClient() as ssh: + ssh.load_system_host_keys() + if os.path.exists(KNOWN_HOSTS_FILE): + ssh.load_host_keys(KNOWN_HOSTS_FILE) + ssh.set_missing_host_key_policy(InteractivePolicy()) + ssh.connect(hostname, port, username, password, sock=sock) + with ssh.open_sftp() as sftp: + if mode == 'upload': + try: + # If the remote path is a directory, use the original filename. + if stat.S_ISDIR(sftp.stat(remote_path).st_mode): + path = os.path.join(remote_path, os.path.basename(local_path)) + # A file exists at this destination. We're simply going to clobber it. + else: + path = remote_path + # This path doesn't point at any existing file. We can freely use this filename. 
+ except IOError: + path = remote_path + finally: + sftp.put(local_path, path, callback=callback) + elif mode == 'download': + sftp.get(remote_path, local_path, callback=callback) + elif mode == 'size': + return sftp.stat(remote_path).st_size def upload_sftp(*args, **kwargs): transfer_sftp('upload', *args, **kwargs) 
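Review bot: `get_ftp_file_size` opens `FTP(source_address=source)` but its parameter is now named `source_pair`, so any call that reaches that line raises `NameError`; it should read `with FTP(source_address=source_pair) as conn:`. In `download_ftp`, `conn.size(remote_path)` is called unconditionally, and ftplib raises `error_perm` on a 5xx reply rather than returning `None`, so a server that rejects SIZE now fails the whole download instead of just losing the progress bar; `try: size = conn.size(remote_path) except error_perm: size = None` keeps the old behaviour. In `transfer_sftp` the upload's `finally: sftp.put(local_path, path, callback=callback)` also runs when `sftp.stat` raised something other than `IOError`, in which case `path` is unbound and the original error is replaced by `UnboundLocalError`; move the `put` after the `try/except IOError` block instead of into a `finally`. The removed `finally` that called `sock.shutdown()` and `sock.close()` has no replacement, so unless `SSHClient.close()` takes care of it, a bound source socket is no longer released explicitly on failure.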
@@ -109,32 +195,70 @@ def download_sftp(*args, **kwargs): def get_sftp_file_size(*args, **kwargs): return transfer_sftp('size', None, *args, **kwargs) + ## TFTP routines -def upload_tftp(local_path, hostname, remote_path, port=69, source=None): +def upload_tftp(local_path, hostname, remote_path, port=69, source=None, progressbar=False): source_option = f'--interface {source}' if source else '' + progress_flag = '--progress-bar' if progressbar else '-s' with open(local_path, 'rb') as file: - cmd(f'curl {source_option} -s -T - tftp://{hostname}:{port}/{remote_path}',\ + cmd(f'curl {source_option} {progress_flag} -T - tftp://{hostname}:{port}/{remote_path}',\ stderr=None, input=file.read()).encode() -def download_tftp(local_path, hostname, remote_path, port=69, source=None): +def download_tftp(local_path, hostname, remote_path, port=69, source=None, progressbar=False): source_option = f'--interface {source}' if source else '' + # Not really applicable but we pass it for the sake of uniformity. + progress_flag = '--progress-bar' if progressbar else '-s' with open(local_path, 'wb') as file: - file.write(cmd(f'curl {source_option} -s tftp://{hostname}:{port}/{remote_path}',\ + file.write(cmd(f'curl {source_option} {progress_flag} tftp://{hostname}:{port}/{remote_path}',\ stderr=None).encode()) # get_tftp_file_size() is unimplemented because there is no way to obtain a file's size through TFTP, -# as TFTP does not specify a SIZE command. +# as TFTP does not specify a SIZE command. + ## HTTP(S) routines -def download_http(urlstring, local_path): - request = urllib.request.Request(urlstring, headers={'User-Agent': 'VyOS/' + get_version()}) - with open(local_path, 'wb') as file: - with urllib.request.urlopen(request) as response: - file.write(response.read()) +def install_request_opener(urlstring, username, password): + """ + Take `username` and `password` strings and install the appropriate + password manager to `urllib.request.urlopen()` for the given `urlstring`. 
+ """ + manager = urlreq.HTTPPasswordMgrWithDefaultRealm() + manager.add_password(None, urlstring, username, password) + urlreq.install_opener(urlreq.build_opener(urlreq.HTTPBasicAuthHandler(manager))) + +# upload_http() is unimplemented. -def get_http_file_size(urlstring): - request = urllib.request.Request(urlstring, headers={'User-Agent': 'VyOS/' + get_version()}) - with urllib.request.urlopen(request) as response: +def download_http(local_path, urlstring, username=None, password=None, progressbar=False): + """ + Download the file from from `urlstring` to `local_path`. + Optionally takes `username` and `password` for authentication. + """ + request = urlreq.Request(urlstring, headers={'User-Agent': 'VyOS/' + get_version()}) + if username: + install_request_opener(urlstring, username, password) + with open(local_path, 'wb') as file, urlreq.urlopen(request) as response: + size = response.getheader('Content-Length') + if progressbar and size: + progress = make_incremental_progressbar(CHUNK_SIZE / int(size)) + next(progress) + for chunk in iter(lambda: response.read(CHUNK_SIZE), b''): + file.write(chunk) + next(progress) + next(progress) + # If we can't determine the size or if a progress bar wasn't requested, + # we can let `shutil` take care of the copying. + else: + shutil.copyfileobj(response, file) + +def get_http_file_size(urlstring, username=None, password=None): + """ + Return the size of the file from `urlstring` in terms of number of bytes. + Optionally takes `username` and `password` for authentication. + """ + request = urlreq.Request(urlstring, headers={'User-Agent': 'VyOS/' + get_version()}) + if username: + install_request_opener(urlstring, username, password) + with urlreq.urlopen(request) as response: size = response.getheader('Content-Length') if size: return int(size) 
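Review bot: In `upload_tftp` and `download_tftp` the `hostname`, `port` and `remote_path` taken from the user-supplied URL are interpolated unquoted into the `curl` command string; whether `cmd()` hands this string to a shell is not visible here, but if it does, a path containing shell metacharacters changes the command, so build the URL once as `url = shlex.quote(f'tftp://{hostname}:{port}/{remote_path}')` (adding `import shlex`) and interpolate `{url}`, or pass an argument list. `install_request_opener` calls `urlreq.install_opener`, which replaces the process-wide default opener, so the credentials remain attached to every later `urlopen()` in the same process; building the opener locally and calling `opener.open(request)` in `download_http` and `get_http_file_size` keeps them scoped to the one request.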
@@ -142,69 +266,96 @@ def get_http_file_size(urlstring): else: raise ValueError('Failed to receive file size from HTTP server.') -# Dynamic dispatchers -def download(local_path, urlstring, source=None): + +## Dynamic dispatchers +def download(local_path, urlstring, source=None, progressbar=False): """ - Dispatch the appropriate download function for the given URL and save to local path. + Dispatch the appropriate download function for the given `urlstring` and save to `local_path`. + Optionally takes a `source` address or interface (not valid for HTTP(S)). + Supports HTTP, HTTPS, FTP, SFTP, SCP (through SFTP) and TFTP. + Reads `$REMOTE_USERNAME` and `$REMOTE_PASSWORD` environment variables. """ url = urllib.parse.urlparse(urlstring) + username, password = get_authentication_variables(url.username, url.password) + port = get_port_from_url(url) + if url.scheme == 'http' or url.scheme == 'https': if source: - print('Warning: Custom source address not supported for HTTP connections.', file=sys.stderr) - download_http(urlstring, local_path) + print_error('Warning: Custom source address not supported for HTTP connections.') + download_http(local_path, urlstring, username, password, progressbar) elif url.scheme == 'ftp': - username = url.username if url.username else 'anonymous' - download_ftp(local_path, url.hostname, url.path, username, url.password, source=source) + source = get_source_address(source)[0] if source else None + username = username if username else 'anonymous' + download_ftp(local_path, url.hostname, url.path, username, password, port, source, progressbar) elif url.scheme == 'sftp' or url.scheme == 'scp': - download_sftp(local_path, url.hostname, url.path, url.username, url.password, source=source) + source = get_source_address(source) if source else None + download_sftp(local_path, url.hostname, url.path, username, password, port, source, progressbar) elif url.scheme == 'tftp': - download_tftp(local_path, url.hostname, url.path, source=source) + 
download_tftp(local_path, url.hostname, url.path, port, source, progressbar) else: raise ValueError(f'Unsupported URL scheme: {url.scheme}') -def upload(local_path, urlstring, source=None): +def upload(local_path, urlstring, source=None, progressbar=False): """ Dispatch the appropriate upload function for the given URL and upload from local path. + Optionally takes a `source` address. + Supports FTP, SFTP, SCP (through SFTP) and TFTP. + Reads `$REMOTE_USERNAME` and `$REMOTE_PASSWORD` environment variables. """ url = urllib.parse.urlparse(urlstring) + username, password = get_authentication_variables(url.username, url.password) + port = get_port_from_url(url) + if url.scheme == 'ftp': - username = url.username if url.username else 'anonymous' - upload_ftp(local_path, url.hostname, url.path, username, url.password, source=source) + username = username if username else 'anonymous' + source = get_source_address(source)[0] if source else None + upload_ftp(local_path, url.hostname, url.path, username, password, port, source, progressbar) elif url.scheme == 'sftp' or url.scheme == 'scp': - upload_sftp(local_path, url.hostname, url.path, url.username, url.password, source=source) + source = get_source_address(source) if source else None + upload_sftp(local_path, url.hostname, url.path, username, password, port, source, progressbar) elif url.scheme == 'tftp': - upload_tftp(local_path, url.hostname, url.path, source=source) + upload_tftp(local_path, url.hostname, url.path, port, source, progressbar) else: raise ValueError(f'Unsupported URL scheme: {url.scheme}') def get_remote_file_size(urlstring, source=None): """ - Return the size of the remote file in bytes. + Dispatch the appropriate function to return the size of the remote file from `urlstring` + in terms of number of bytes. + Optionally takes a `source` address (not valid for HTTP(S)). + Supports HTTP, HTTPS, FTP and SFTP (through SFTP). + Reads `$REMOTE_USERNAME` and `$REMOTE_PASSWORD` environment variables. 
""" url = urllib.parse.urlparse(urlstring) + username, password = get_authentication_variables(url.username, url.password) + port = get_port_from_url(url) + if url.scheme == 'http' or url.scheme == 'https': - return get_http_file_size(urlstring) + if source: + print_error('Warning: Custom source address not supported for HTTP connections.') + return get_http_file_size(urlstring, username, password) elif url.scheme == 'ftp': - username = url.username if url.username else 'anonymous' - return get_ftp_file_size(url.hostname, url.path, username, url.password, source=source) + source = get_source_address(source)[0] if source else None + username = username if username else 'anonymous' + return get_ftp_file_size(url.hostname, url.path, username, password, port, source) elif url.scheme == 'sftp' or url.scheme == 'scp': - return get_sftp_file_size(url.hostname, url.path, url.username, url.password, source=source) + source = get_source_address(source) if source else None + return get_sftp_file_size(url.hostname, url.path, username, password, port, source) else: raise ValueError(f'Unsupported URL scheme: {url.scheme}') def get_remote_config(urlstring, source=None): """ - Download remote (config) file and return the contents. + Download remote (config) file from `urlstring` and return the contents as a string. Args: remote file URI: - scp://<user>[:<passwd>]@<host>/<file> - sftp://<user>[:<passwd>]@<host>/<file> - http://<host>/<file> - https://<host>/<file> - ftp://[<user>[:<passwd>]@]<host>/<file> - tftp://<host>/<file> + tftp://<host>[:<port>]/<file> + http[s]://<host>[:<port>]/<file> + [scp|sftp|ftp]://[<user>[:<passwd>]@]<host>[:port]/<file> + source address (optional): + <interface> + <IP address> """ - url = urllib.parse.urlparse(urlstring) temp = tempfile.NamedTemporaryFile(delete=False).name try: download(temp, urlstring, source) 
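Review bot: `download`, `upload` and `get_remote_file_size` now call `get_port_from_url(url)` before the scheme is checked, and that helper indexes `defaults[url.scheme]`, so an unsupported scheme surfaces as `KeyError` instead of the `ValueError(f'Unsupported URL scheme: {url.scheme}')` that the `else` branches intend. Either resolve the port inside each scheme branch, or make the helper (in the hunk above) raise the same error ahead of the lookup: `if url.scheme not in defaults: raise ValueError(f'Unsupported URL scheme: {url.scheme}')`. The `get_remote_config` docstring writes `[:port]` for the scp/sftp/ftp form but `[:<port>]` for the others; `[:<port>]` throughout would be consistent.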
@@ -212,3 +363,41 @@ def get_remote_config(urlstring, source=None): return file.read() finally: os.remove(temp) + +def friendly_download(local_path, urlstring, source=None): + """ + Download from `urlstring` to `local_path` in an informative way. + Checks the storage space before attempting download. + Intended to be called from interactive, user-facing scripts. + """ + destination_directory = os.path.dirname(local_path) + try: + free_space = shutil.disk_usage(destination_directory).free + try: + file_size = get_remote_file_size(urlstring, source) + if file_size < 1024 * 1024: + print_error(f'The file is {file_size / 1024.0:.3f} KiB.') + else: + print_error(f'The file is {file_size / (1024.0 * 1024.0):.3f} MiB.') + if file_size > free_space: + raise OSError(f'Not enough disk space available in "{destination_directory}".') + except ValueError: + # Can't do a storage check in this case, so we bravely continue. + file_size = 0 + print_error('Could not determine the file size in advance.') + else: + print_error('Downloading...') + download(local_path, urlstring, source, progressbar=file_size > 1024 * 1024) + except KeyboardInterrupt: + print_error('Download aborted by user.') + sys.exit(1) + except: + import traceback + # There are a myriad different reasons a download could fail. + # SSH errors, FTP errors, I/O errors, HTTP errors (403, 404...) + # We omit the scary stack trace but print the error nevertheless. + print_error(f'Failed to download {urlstring}.') + traceback.print_exception(*sys.exc_info()[:2], None) + sys.exit(1) + else: + print_error('Download complete.') diff --git a/python/vyos/template.py b/python/vyos/template.py index e1986b1e4..08a5712af 100644 --- a/python/vyos/template.py +++ b/python/vyos/template.py 
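Review bot: In `friendly_download`, `destination_directory = os.path.dirname(local_path)` is the empty string when `local_path` is a bare filename, so `shutil.disk_usage('')` raises `FileNotFoundError`, which the bare `except:` then reports as `Failed to download {urlstring}.`; use `os.path.dirname(os.path.abspath(local_path))` so the space check runs against the current directory. The bare `except:` also swallows `SystemExit` and `GeneratorExit`; `except Exception:` covers the download failures the comment lists without that. The `import traceback` inside the handler could move up to the module imports.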
@@ -29,13 +29,17 @@ _FILTERS = {} # reuse Environments with identical settings to improve performance @functools.lru_cache(maxsize=2) -def _get_environment(): +def _get_environment(location=None): + if location is None: + loc_loader=FileSystemLoader(directories["templates"]) + else: + loc_loader=FileSystemLoader(location) env = Environment( # Don't check if template files were modified upon re-rendering auto_reload=False, # Cache up to this number of templates for quick re-rendering cache_size=100, - loader=FileSystemLoader(directories["templates"]), + loader=loc_loader, trim_blocks=True, ) env.filters.update(_FILTERS) @@ -63,7 +67,7 @@ def register_filter(name, func=None): return func -def render_to_string(template, content, formater=None): +def render_to_string(template, content, formater=None, location=None): """Render a template from the template directory, raise on any errors. :param template: the path to the template relative to the template folder @@ -78,7 +82,7 @@ def render_to_string(template, content, formater=None): package is build (recovering the load time and overhead caused by having the file out of the code). """ - template = _get_environment().get_template(template) + template = _get_environment(location).get_template(template) rendered = template.render(content) if formater is not None: rendered = formater(rendered) @@ -93,6 +97,7 @@ def render( permission=None, user=None, group=None, + location=None, ): """Render a template from the template directory to a file, raise on any errors. @@ -109,7 +114,7 @@ def render( # As we are opening the file with 'w', we are performing the rendering before # calling open() to not accidentally erase the file if rendering fails - rendered = render_to_string(template, content, formater) + rendered = render_to_string(template, content, formater, location) # Write to file with open(destination, "w") as file: 
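Review bot: `render_to_string` and `render` gain a `location` parameter, but as far as the visible context shows their docstrings still describe the template as relative to the template directory and list no `:param location:`; add `:param location: directory to load the template from instead of the default template directory` to both. In `_get_environment`, `loc_loader=FileSystemLoader(...)` lacks the spaces around `=` used elsewhere in the file, and the four-line `if` collapses to `loader = FileSystemLoader(directories["templates"] if location is None else location)`. With `@functools.lru_cache(maxsize=2)` each distinct `location` value now takes one of the two cache slots, so alternating between more than two locations rebuilds environments; a one-line note next to the "reuse Environments" comment would make that trade-off explicit.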
@@ -375,3 +380,96 @@ def get_ipv4(interface): """ Get interface IPv4 addresses""" from vyos.ifconfig import Interface return Interface(interface).get_addr_v4() + +@register_filter('get_ipv6') +def get_ipv6(interface): + """ Get interface IPv6 addresses""" + from vyos.ifconfig import Interface + return Interface(interface).get_addr_v6() + +@register_filter('get_ip') +def get_ip(interface): + """ Get interface IP addresses""" + from vyos.ifconfig import Interface + return Interface(interface).get_addr() + +@register_filter('get_esp_ike_cipher') +def get_esp_ike_cipher(group_config): + pfs_lut = { + 'dh-group1' : 'modp768', + 'dh-group2' : 'modp1024', + 'dh-group5' : 'modp1536', + 'dh-group14' : 'modp2048', + 'dh-group15' : 'modp3072', + 'dh-group16' : 'modp4096', + 'dh-group17' : 'modp6144', + 'dh-group18' : 'modp8192', + 'dh-group19' : 'ecp256', + 'dh-group20' : 'ecp384', + 'dh-group21' : 'ecp512', + 'dh-group22' : 'modp1024s160', + 'dh-group23' : 'modp2048s224', + 'dh-group24' : 'modp2048s256', + 'dh-group25' : 'ecp192', + 'dh-group26' : 'ecp224', + 'dh-group27' : 'ecp224bp', + 'dh-group28' : 'ecp256bp', + 'dh-group29' : 'ecp384bp', + 'dh-group30' : 'ecp512bp', + 'dh-group31' : 'curve25519', + 'dh-group32' : 'curve448' + } + + ciphers = [] + if 'proposal' in group_config: + for priority, proposal in group_config['proposal'].items(): + # both encryption and hash need to be specified for a proposal + if not {'encryption', 'hash'} <= set(proposal): + continue + + tmp = '{encryption}-{hash}'.format(**proposal) + if 'dh_group' in proposal: + tmp += '-' + pfs_lut[ 'dh-group' + proposal['dh_group'] ] + elif 'pfs' in group_config and group_config['pfs'] != 'disable': + group = group_config['pfs'] + if group_config['pfs'] == 'enable': + group = 'dh-group2' + tmp += '-' + pfs_lut[group] + + ciphers.append(tmp) + return ciphers + +@register_filter('get_uuid') +def get_uuid(interface): + """ Get interface IP addresses""" + from uuid import uuid1 + return uuid1() + 
+openvpn_translate = { + 'des': 'des-cbc', + '3des': 'des-ede3-cbc', + 'bf128': 'bf-cbc', + 'bf256': 'bf-cbc', + 'aes128gcm': 'aes-128-gcm', + 'aes128': 'aes-128-cbc', + 'aes192gcm': 'aes-192-gcm', + 'aes192': 'aes-192-cbc', + 'aes256gcm': 'aes-256-gcm', + 'aes256': 'aes-256-cbc' +} + +@register_filter('openvpn_cipher') +def get_openvpn_cipher(cipher): + if cipher in openvpn_translate: + return openvpn_translate[cipher].upper() + return cipher.upper() + +@register_filter('openvpn_ncp_ciphers') +def get_openvpn_ncp_ciphers(ciphers): + out = [] + for cipher in ciphers: + if cipher in openvpn_translate: + out.append(openvpn_translate[cipher]) + else: + out.append(cipher) + return ':'.join(out).upper() diff --git a/python/vyos/util.py b/python/vyos/util.py index 2a3f6a228..59f9f1c44 100644 --- a/python/vyos/util.py +++ b/python/vyos/util.py @@ -1,4 +1,4 @@ -# Copyright 2020 VyOS maintainers and contributors <maintainers@vyos.io> +# Copyright 2020-2021 VyOS maintainers and contributors <maintainers@vyos.io> # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public @@ -22,25 +22,13 @@ import sys # where it is used so it is as local as possible to the execution # - -def _need_sudo(command): - return os.path.basename(command.split()[0]) in ('systemctl', ) - - -def _add_sudo(command): - if _need_sudo(command): - return 'sudo ' + command - return command - - from subprocess import Popen from subprocess import PIPE from subprocess import STDOUT from subprocess import DEVNULL - def popen(command, flag='', shell=None, input=None, timeout=None, env=None, - stdout=PIPE, stderr=PIPE, decode='utf-8', autosudo=True): + stdout=PIPE, stderr=PIPE, decode='utf-8'): """ popen is a wrapper helper aound subprocess.Popen with it default setting it will return a tuple (out, err) 
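Review bot: `get_uuid` carries the docstring `""" Get interface IP addresses"""` copied from `get_ip`, and its `interface` argument is never used; replace it with `""" Return a new UUID; the `interface` argument is accepted but ignored """`. Since the value comes from `uuid1()`, it embeds the host's MAC address and a timestamp; if the result ends up in generated configuration that leaves the device, `uuid4()` yields an opaque value instead. In `get_esp_ike_cipher`, `pfs_lut['dh-group' + proposal['dh_group']]` and `pfs_lut[group]` raise `KeyError` on a group missing from the table; whether the XML definitions already restrict the value is not visible here, so a comment stating that assumption (or a `.get()` with a clear error message) would help.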
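Review bot: Dropping the `autosudo` keyword from `popen` (and, in the following hunks, from `run`, `cmd` and `call`) means any caller still passing `autosudo=` raises `TypeError` at call time; whether such callers exist elsewhere in the tree is not visible here, so either remove them in the same change or keep `autosudo=None` for one release and ignore it with a deprecation comment. The reflowed `cmd` signature keeps `expect=[0]` as a mutable default; it appears to be read-only, but `expect=(0,)` removes the hazard without affecting callers.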
@@ -79,9 +67,6 @@ def popen(command, flag='', shell=None, input=None, timeout=None, env=None, if not debug.enabled(flag): flag = 'command' - if autosudo: - command = _add_sudo(command) - cmd_msg = f"cmd '{command}'" debug.message(cmd_msg, flag) @@ -98,11 +83,8 @@ def popen(command, flag='', shell=None, input=None, timeout=None, env=None, stdin = PIPE input = input.encode() if type(input) is str else input - p = Popen( - command, - stdin=stdin, stdout=stdout, stderr=stderr, - env=env, shell=use_shell, - ) + p = Popen(command, stdin=stdin, stdout=stdout, stderr=stderr, + env=env, shell=use_shell) pipe = p.communicate(input, timeout) @@ -135,7 +117,7 @@ def popen(command, flag='', shell=None, input=None, timeout=None, env=None, def run(command, flag='', shell=None, input=None, timeout=None, env=None, - stdout=DEVNULL, stderr=PIPE, decode='utf-8', autosudo=True): + stdout=DEVNULL, stderr=PIPE, decode='utf-8'): """ A wrapper around popen, which discard the stdout and will return the error code of a command @@ -151,8 +133,8 @@ def run(command, flag='', shell=None, input=None, timeout=None, env=None, def cmd(command, flag='', shell=None, input=None, timeout=None, env=None, - stdout=PIPE, stderr=PIPE, decode='utf-8', autosudo=True, - raising=None, message='', expect=[0]): + stdout=PIPE, stderr=PIPE, decode='utf-8', raising=None, message='', + expect=[0]): """ A wrapper around popen, which returns the stdout and will raise the error code of a command @@ -183,7 +165,7 @@ def cmd(command, flag='', shell=None, input=None, timeout=None, env=None, def call(command, flag='', shell=None, input=None, timeout=None, env=None, - stdout=PIPE, stderr=PIPE, decode='utf-8', autosudo=True): + stdout=PIPE, stderr=PIPE, decode='utf-8'): """ A wrapper around popen, which print the stdout and will return the error code of a command 
@@ -239,7 +221,6 @@ def write_file(fname, data, defaultonfailure=None, user=None, group=None): return defaultonfailure raise e - def read_json(fname, defaultonfailure=None): """ read and json decode the content of a file @@ -459,7 +440,6 @@ def process_running(pid_file): pid = f.read().strip() return pid_exists(int(pid)) - def process_named_running(name): """ Checks if process with given name is running and returns its PID. If Process is not running, return None @@ -470,7 +450,6 @@ def process_named_running(name): return p.pid return None - def seconds_to_human(s, separator=""): """ Converts number of seconds passed to a human-readable interval such as 1w4d18h35m59s 
@@ -525,6 +504,46 @@ def file_is_persistent(path): absolute = os.path.abspath(os.path.dirname(path)) return re.match(location,absolute) +def wait_for_inotify(file_path, pre_hook=None, event_type=None, timeout=None, sleep_interval=0.1): + """ Waits for an inotify event to occur """ + if not os.path.dirname(file_path): + raise ValueError( + "File path {} does not have a directory part (required for inotify watching)".format(file_path)) + if not os.path.basename(file_path): + raise ValueError( + "File path {} does not have a file part, do not know what to watch for".format(file_path)) + + from inotify.adapters import Inotify + from time import time + from time import sleep + + time_start = time() + + i = Inotify() + i.add_watch(os.path.dirname(file_path)) + + if pre_hook: + pre_hook() + + for event in i.event_gen(yield_nones=True): + if (timeout is not None) and ((time() - time_start) > timeout): + # If the function didn't return until this point, + # the file failed to have been written to and closed within the timeout + raise OSError("Waiting for file {} to be written has failed".format(file_path)) + + # Most such events don't take much time, so it's better to check right away + # and sleep later. + if event is not None: + (_, type_names, path, filename) = event + if filename == os.path.basename(file_path): + if event_type in type_names: + return + sleep(sleep_interval) + +def wait_for_file_write_complete(file_path, pre_hook=None, timeout=None, sleep_interval=0.1): + """ Waits for a process to close a file after opening it in write mode. """ + wait_for_inotify(file_path, + event_type='IN_CLOSE_WRITE', pre_hook=pre_hook, timeout=timeout, sleep_interval=sleep_interval) def commit_in_progress(): """ Not to be used in normal op mode scripts! """ 
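Review bot: `wait_for_inotify` defaults `event_type=None`, but the loop only returns when `event_type in type_names`, so a call without `event_type` can never succeed and blocks until `timeout`, or forever when `timeout is None`; either make the parameter required or validate it up front with `if event_type is None: raise ValueError('event_type is required')`. The `Inotify()` instance and its watch are not released on return or on the timeout `OSError`; if the adapter exposes `remove_watch`, call it in a `finally`, otherwise say in the docstring that the watch lives until the object is garbage collected. The one-line docstring could also state that `pre_hook` runs only after the watch is added, which is what prevents missing an event that fires before the watch exists.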
@@ -571,6 +590,25 @@ def wait_for_commit_lock(): while commit_in_progress(): sleep(1) +def ask_input(question, default='', numeric_only=False, valid_responses=[]): + question_out = question + if default: + question_out += f' (Default: {default})' + response = '' + while True: + response = input(question_out + ' ').strip() + if not response and default: + return default + if numeric_only: + if not response.isnumeric(): + print("Invalid value, try again.") + continue + response = int(response) + if valid_responses and response not in valid_responses: + print("Invalid value, try again.") + continue + break + return response def ask_yes_no(question, default=False) -> bool: """Ask a yes/no question via input() and return their answer.""" @@ -672,6 +710,19 @@ def dict_search(path, my_dict): c = c.get(p, {}) return c.get(parts[-1], None) +def dict_search_args(dict_object, *path): + # Traverse dictionary using variable arguments + # Added due to above function not allowing for '.' in the key names + # Example: dict_search_args(some_dict, 'key', 'subkey', 'subsubkey', ...) + if not isinstance(dict_object, dict) or not path: + return None + + for item in path: + if item not in dict_object: + return None + dict_object = dict_object[item] + return dict_object + def get_interface_config(interface): """ Returns the used encapsulation protocol for given interface. If interface does not exist, None is returned. @@ -682,6 +733,16 @@ def get_interface_config(interface): tmp = loads(cmd(f'ip -d -j link show {interface}'))[0] return tmp +def get_interface_address(interface): + """ Returns the used encapsulation protocol for given interface. + If interface does not exist, None is returned. + """ + if not os.path.exists(f'/sys/class/net/{interface}'): + return None + from json import loads + tmp = loads(cmd(f'ip -d -j addr show {interface}'))[0] + return tmp + def get_all_vrfs(): """ Return a dictionary of all system wide known VRF instances """ from json import loads 
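Review bot: `ask_input` returns `default` unconverted when the user presses Enter, but converts typed input with `int(response)` when `numeric_only` is set, so the same call can return a `str` or an `int` depending on the keystroke; convert on the same path, e.g. `return int(default) if numeric_only else default`. The check `if default:` also treats a default of `0` as "no default"; comparing against `None` (with `default=None`) would fix that. `get_interface_address`, in the hunk below, has the docstring `Returns the used encapsulation protocol for given interface.` copied from `get_interface_config` while it runs `ip -d -j addr show`; `Returns the first `ip -d -j addr show` entry for the interface as a dict, or None if the interface does not exist.` describes what it does.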
@@ -694,3 +755,58 @@ def get_all_vrfs(): name = entry.pop('name') data[name] = entry return data + +def print_error(str='', end='\n'): + """ + Print `str` to stderr, terminated with `end`. + Used for warnings and out-of-band messages to avoid mangling precious + stdout output. + """ + sys.stderr.write(str) + sys.stderr.write(end) + sys.stderr.flush() + +def make_progressbar(): + """ + Make a procedure that takes two arguments `done` and `total` and prints a + progressbar based on the ratio thereof, whose length is determined by the + width of the terminal. + """ + import shutil, math + col, _ = shutil.get_terminal_size() + col = max(col - 15, 20) + def print_progressbar(done, total): + if done <= total: + increment = total / col + length = math.ceil(done / increment) + percentage = str(math.ceil(100 * done / total)).rjust(3) + print_error(f'[{length * "#"}{(col - length) * "_"}] {percentage}%', '\r') + # Print a newline so that the subsequent prints don't overwrite the full bar. + if done == total: + print_error() + return print_progressbar + +def make_incremental_progressbar(increment: float): + """ + Make a generator that displays a progressbar that grows monotonically with + every iteration. + First call displays it at 0% and every subsequent iteration displays it + at `increment` increments where 0.0 < `increment` < 1.0. + Intended for FTP and HTTP transfers with stateless callbacks. + """ + print_progressbar = make_progressbar() + total = 0.0 + while total < 1.0: + print_progressbar(total, 1.0) + yield + total += increment + print_progressbar(1, 1) + # Ignore further calls. + while True: + yield + +def is_systemd_service_running(service): + """ Test is a specified systemd service is actually running. + Returns True if service is running, false otherwise. """ + tmp = run(f'systemctl is-active --quiet {service}') + return bool((tmp == 0)) diff --git a/python/vyos/validate.py b/python/vyos/validate.py index 23e88b5ac..0dad2a6cb 100644 
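Review bot: `make_progressbar`'s inner `print_progressbar` divides by `total` twice (`increment = total / col` then `done / increment`, and `100 * done / total`), so `total == 0` raises `ZeroDivisionError` even though `done <= total` holds for `done == 0`; a guard such as `if total <= 0: return` at the top of `print_progressbar` keeps a zero-length transfer from crashing the caller. `print_error(str='', end='\n')` shadows the builtin `str` inside the function; renaming the parameter to `msg` is compatible with positional callers. In `is_systemd_service_running` the docstring typo "Test is a" should read "Test if a", and `bool((tmp == 0))` can simply be `tmp == 0`.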
--- a/python/vyos/validate.py +++ b/python/vyos/validate.py @@ -49,7 +49,7 @@ def is_intf_addr_assigned(intf, addr): return _is_intf_addr_assigned(intf, ip, mask) return _is_intf_addr_assigned(intf, addr) -def _is_intf_addr_assigned(intf, address, netmask=''): +def _is_intf_addr_assigned(intf, address, netmask=None): """ Verify if the given IPv4/IPv6 address is assigned to specific interface. It can check both a single IP address (e.g. 192.0.2.1 or a assigned CIDR @@ -85,14 +85,14 @@ def _is_intf_addr_assigned(intf, address, netmask=''): continue # we do not have a netmask to compare against, they are the same - if netmask == '': + if not netmask: return True prefixlen = '' if is_ipv4(ip_addr): prefixlen = sum([bin(int(_)).count('1') for _ in ip['netmask'].split('.')]) else: - prefixlen = sum([bin(int(_,16)).count('1') for _ in ip['netmask'].split(':') if _]) + prefixlen = sum([bin(int(_,16)).count('1') for _ in ip['netmask'].split('/')[0].split(':') if _]) if str(prefixlen) == netmask: return True diff --git a/python/vyos/xml/load.py b/python/vyos/xml/load.py index 0965d4220..37479c6e1 100644 --- a/python/vyos/xml/load.py +++ b/python/vyos/xml/load.py @@ -225,6 +225,9 @@ def _format_node(inside, conf, xml): else: _fatal(constraint) + elif 'constraintGroup' in properties: + properties.pop('constraintGroup') + elif 'constraintErrorMessage' in properties: r[kw.error] = properties.pop('constraintErrorMessage') diff --git a/python/vyos/xml/test_xml.py b/python/vyos/xml/test_xml.py index ff55151d2..3a6f0132d 100644 --- a/python/vyos/xml/test_xml.py +++ b/python/vyos/xml/test_xml.py 
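Review bot: The new `elif 'constraintGroup' in properties:` branch in `_format_node` pops the element and represents nothing in the output, and no comment says whether that is intentional, so the next reader may take it for an unfinished feature. A one-line comment next to the `pop`, e.g. `# constraintGroup is consumed by the template build step; it has no representation in the loaded tree yet`, would make the intent explicit — hedged, since the handling of constraintGroup in scripts/build-command-templates is in another file of this diff and I infer the division of labour from it. The enclosing function starts outside the hunk.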
@@ -59,7 +59,7 @@ class TestSearch(TestCase): last = self.xml.traverse("interfaces") self.assertEqual(last, '') self.assertEqual(self.xml.inside, ['interfaces']) - self.assertEqual(self.xml.options, ['bonding', 'bridge', 'dummy', 'ethernet', 'geneve', 'l2tpv3', 'loopback', 'macsec', 'openvpn', 'pppoe', 'pseudo-ethernet', 'tunnel', 'vxlan', 'wireguard', 'wireless', 'wirelessmodem']) + self.assertEqual(self.xml.options, ['bonding', 'bridge', 'dummy', 'ethernet', 'geneve', 'l2tpv3', 'loopback', 'macsec', 'openvpn', 'pppoe', 'pseudo-ethernet', 'tunnel', 'vxlan', 'wireguard', 'wireless', 'wwan']) self.assertEqual(self.xml.filling, False) self.assertEqual(self.xml.word, '') self.assertEqual(self.xml.check, False) @@ -72,7 +72,7 @@ class TestSearch(TestCase): last = self.xml.traverse("interfaces ") self.assertEqual(last, '') self.assertEqual(self.xml.inside, ['interfaces']) - self.assertEqual(self.xml.options, ['bonding', 'bridge', 'dummy', 'ethernet', 'geneve', 'l2tpv3', 'loopback', 'macsec', 'openvpn', 'pppoe', 'pseudo-ethernet', 'tunnel', 'vxlan', 'wireguard', 'wireless', 'wirelessmodem']) + self.assertEqual(self.xml.options, ['bonding', 'bridge', 'dummy', 'ethernet', 'geneve', 'l2tpv3', 'loopback', 'macsec', 'openvpn', 'pppoe', 'pseudo-ethernet', 'tunnel', 'vxlan', 'wireguard', 'wireless', 'wwan']) self.assertEqual(self.xml.filling, False) self.assertEqual(self.xml.word, last) self.assertEqual(self.xml.check, False) @@ -85,7 +85,7 @@ class TestSearch(TestCase): last = self.xml.traverse("interfaces w") self.assertEqual(last, 'w') self.assertEqual(self.xml.inside, ['interfaces']) - self.assertEqual(self.xml.options, ['wireguard', 'wireless', 'wirelessmodem']) + self.assertEqual(self.xml.options, ['wireguard', 'wireless', 'wwan']) self.assertEqual(self.xml.filling, True) self.assertEqual(self.xml.word, last) self.assertEqual(self.xml.check, True) 
@@ -276,4 +276,4 @@ class TestSearch(TestCase): self.assertEqual(self.xml.filled, True) self.assertEqual(self.xml.plain, False) - # Need to add a check for a valuless leafNode
\ No newline at end of file + # Need to add a check for a valuless leafNode diff --git a/schema/interface_definition.rnc b/schema/interface_definition.rnc index 6647f5e11..d7fc4966c 100644 --- a/schema/interface_definition.rnc +++ b/schema/interface_definition.rnc @@ -93,6 +93,7 @@ properties = element properties { help? & constraint? & + constraintGroup* & valueHelp* & (element constraintErrorMessage { text })? & completionHelp* & @@ -140,6 +141,16 @@ constraint = element constraint validator )+ } +# Tag and leaf nodes may have constraintGroups on their names and +# values (respectively). +# When multiple constraints are listed within a group, they work as +# logical AND +constraintGroup = element constraintGroup +{ + ( (element regex { text }) | + validator )+ +} + # A constraint may also use an external validator rather than regex validator = element validator { diff --git a/schema/interface_definition.rng b/schema/interface_definition.rng index 22e886006..3ff60cf18 100644 --- a/schema/interface_definition.rng +++ b/schema/interface_definition.rng @@ -161,6 +161,9 @@ <ref name="constraint"/> </optional> <zeroOrMore> + <ref name="constraintGroup"/> + </zeroOrMore> + <zeroOrMore> <ref name="valueHelp"/> </zeroOrMore> <optional> @@ -244,6 +247,24 @@ </oneOrMore> </element> </define> + <!-- + Tag and leaf nodes may have constraintGroups on their names and + values (respectively). + When multiple constraints are listed within a group, they work as + logical AND + --> + <define name="constraintGroup"> + <element name="constraintGroup"> + <oneOrMore> + <choice> + <element name="regex"> + <text/> + </element> + <ref name="validator"/> + </choice> + </oneOrMore> + </element> + </define> <!-- A constraint may also use an external validator rather than regex --> <define name="validator"> <element name="validator"> diff --git a/scripts/build-command-templates b/scripts/build-command-templates index 452c420eb..d8abb0a13 100755 --- a/scripts/build-command-templates 
+++ b/scripts/build-command-templates @@ -86,6 +86,37 @@ def make_path(l): print(path) return path +def collect_validators(ve): + regexes = [] + regex_elements = ve.findall("regex") + if regex_elements is not None: + regexes = list(map(lambda e: e.text.strip().replace('\\','\\\\'), regex_elements)) + if "" in regexes: + print("Warning: empty regex, node will be accepting any value") + + validator_elements = ve.findall("validator") + validators = [] + if validator_elements is not None: + for v in validator_elements: + v_name = os.path.join(validator_dir, v.get("name")) + + # XXX: lxml returns None for empty arguments + v_argument = None + try: + v_argument = v.get("argument") + except: + pass + if v_argument is None: + v_argument = "" + + validators.append("{0} {1}".format(v_name, v_argument)) + + + regex_args = " ".join(map(lambda s: "--regex \\\'{0}\\\'".format(s), regexes)) + validator_args = " ".join(map(lambda s: "--exec \\\"{0}\\\"".format(s), validators)) + + return regex_args + " " + validator_args + def get_properties(p): props = {} @@ -108,7 +139,8 @@ def get_properties(p): except: props["val_help"] = [] - # Get the constraint statements + # Get the constraint and constraintGroup statements + error_msg = default_constraint_err_msg # Get the error message if it's there try: 
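Review bot: In `collect_validators`, `ve.findall()` returns a list and never None, so both `is not None` guards are dead, and the bare `except: pass` around `v.get("argument")` hides any real error while `get()` already returns None for a missing attribute; `v_argument = v.get("argument") or ""` replaces the whole try block. `e.text.strip()` raises `AttributeError` when a `<regex>` element is empty (`text` is None), which is exactly the case the following "empty regex" warning is meant to report; `(e.text or '').strip()` reaches the warning instead. The regexes end up inside `\'...\'` in the generated shell string and nothing escapes a single quote inside a regex, so a comment recording that assumption, `# regex text must not contain single quotes: it is embedded in a quoted shell argument`, would help whoever adds such a constraint.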
@@ -117,40 +149,24 @@ def get_properties(p): pass vce = p.find("constraint") - vc = [] + + distinct_validator_string = "" if vce is not None: # The old backend doesn't support multiple validators in OR mode # so we emulate it - regexes = [] - regex_elements = vce.findall("regex") - if regex_elements is not None: - regexes = list(map(lambda e: e.text.strip().replace('\\','\\\\'), regex_elements)) - if "" in regexes: - print("Warning: empty regex, node will be accepting any value") - - validator_elements = vce.findall("validator") - validators = [] - if validator_elements is not None: - for v in validator_elements: - v_name = os.path.join(validator_dir, v.get("name")) - - # XXX: lxml returns None for empty arguments - v_argument = None - try: - v_argument = v.get("argument") - except: - pass - if v_argument is None: - v_argument = "" - - validators.append("{0} {1}".format(v_name, v_argument)) - - - regex_args = " ".join(map(lambda s: "--regex \\\'{0}\\\'".format(s), regexes)) - validator_args = " ".join(map(lambda s: "--exec \\\"{0}\\\"".format(s), validators)) + distinct_validator_string = collect_validators(vce) + + vcge = p.findall("constraintGroup") + + group_validator_string = "" + if len(vcge): + for vcg in vcge: + group_validator_string = group_validator_string + " --grp " + collect_validators(vcg) + + if vce is not None or len(vcge): validator_script = '${vyos_libexec_dir}/validate-value' - validator_string = "exec \"{0} {1} {2} --value \\\'$VAR(@)\\\'\"; \"{3}\"".format(validator_script, regex_args, validator_args, error_msg) + validator_string = "exec \"{0} {1} {2} --value \\\'$VAR(@)\\\'\"; \"{3}\"".format(validator_script, distinct_validator_string, group_validator_string, error_msg) props["constraint"] = validator_string diff --git a/scripts/override-default b/scripts/override-default index c8a0ff1da..0c49087c8 100755 --- a/scripts/override-default +++ b/scripts/override-default 
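Review bot: The comment `# The old backend doesn't support multiple validators in OR mode so we emulate it` now covers only the `constraint` branch, and the new `constraintGroup` loop has no comment explaining what `--grp` means, which is the semantic difference the schema introduces. Suggest, next to the loop, `# each constraintGroup becomes one --grp block; validators inside a group are combined with logical AND (see schema/interface_definition.rnc)` and a sentence on how groups combine with each other and with the plain constraint, which the page does not state. `if len(vcge):` (twice) reads more idiomatically as `if vcge:`, and when only groups are present `distinct_validator_string` is empty so the exec line gets a doubled space — harmless, but `" ".join(filter(None, [...]))` keeps the generated template tidy. `get_properties` begins outside the hunk.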
@@ -27,6 +27,7 @@ import sys import glob import logging +from copy import deepcopy from lxml import etree debug = False @@ -60,30 +61,55 @@ def override_element(l: list): for el in parents: el.getparent().remove(el) +def merge_remaining(l: list, elementtree): + """ + Merge (now) single leaf node containing 'defaultValue' with leaf nodes + of same path and no 'defaultValue'. + """ + for p in l: + p = p.split() + path_str = f'/interfaceDefinition/*' + path_list = [] + for i in range(len(p)): + path_list.append(f'[@name="{p[i]}"]') + path_str += '/children/*'.join(path_list) + rp = elementtree.xpath(path_str) + if len(rp) > 1: + for el in rp[1:]: + # in practice there will only be one child of the path, + # either defaultValue or Properties, since + # override_element() has already run + for child in el: + rp[0].append(deepcopy(child)) + el.getparent().remove(el) + def collect_and_override(dir_name): """ - Collect elements with defaultValue tag into dictionary indexed by tuple - of (name: str, ancestor path: str). + Collect elements with defaultValue tag into dictionary indexed by name + attributes of ancestor path. """ for fname in glob.glob(f'{dir_name}/*.xml'): tree = etree.parse(fname) root = tree.getroot() defv = {} - xpath_str = f'//defaultValue' + xpath_str = '//defaultValue' xp = tree.xpath(xpath_str) for element in xp: ap = element.xpath('ancestor::*[@name]') ap_name = [el.get("name") for el in ap] - ap_path_str = ' '.join(ap_name[:-1]) - defv.setdefault((ap_name[-1], ap_path_str), []).append(element) + ap_path_str = ' '.join(ap_name) + defv.setdefault(ap_path_str, []).append(element) for k, v in defv.items(): if len(v) > 1: - logger.info(f"overridding default in {k[0]}, path '{k[1]}'") + logger.info(f"overridding default in path '{k}'") override_element(v) + to_merge = list(defv) + merge_remaining(to_merge, tree) + revised_str = etree.tostring(root, encoding='unicode', pretty_print=True) with open(f'{fname}', 'w') as f: 
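Review bot: `collect_and_override` keys `defv` by `' '.join(ap_name)` and `merge_remaining` recovers the path with `p.split()`, so a `name` attribute containing whitespace would be split into extra path components and the XPath would match nothing or the wrong node. Keeping the key as a tuple avoids the round trip: `defv.setdefault(tuple(ap_name), []).append(element)` in `collect_and_override`, and in `merge_remaining` iterate `for p in l:` without the `p = p.split()` reassignment (the `logger.info` can join for display). The name values are also interpolated unescaped into the predicate `[@name="..."]`; since they come from the same XML file this is a correctness rather than an injection concern, but a name containing `"` raises an XPath syntax error, which a short comment should record. The enclosing loop of `collect_and_override` continues past the hunk.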
diff --git a/scripts/transclude-template b/scripts/transclude-template new file mode 100755 index 000000000..5c6668a84 --- /dev/null +++ b/scripts/transclude-template @@ -0,0 +1,50 @@ +#!/usr/bin/env python3 +# +# transclude-template: preprocessor for XML interface definitions to +# interpret #include statements to include nested XML fragments and +# snippets in documents. +# +# Copyright (C) 2021 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# +# + +import os +import re +import sys + +regexp = re.compile(r'^ *#include <(.+)>$') + +def parse_file(filename): + lines = "" + with open(filename, 'r') as f: + while True: + line = f.readline() + if line: + result = regexp.match(line) + if result: + lines += parse_file(os.path.join(directory, result.group(1))) + else: + lines += line + else: + return lines + +if __name__ == '__main__': + if len(sys.argv) < 2: + print('Must specify XML file!', file=sys.stderr) + sys.exit(1) + filename = sys.argv[1] + directory = os.path.dirname(os.path.abspath(filename)) + print(parse_file(filename)) + diff --git a/smoketest/configs/bgp-azure-ipsec-gateway b/smoketest/configs/bgp-azure-ipsec-gateway index 0862531fd..ddcd459ae 100644 --- a/smoketest/configs/bgp-azure-ipsec-gateway +++ b/smoketest/configs/bgp-azure-ipsec-gateway @@ -307,6 +307,7 @@ system { } vpn { ipsec { + auto-update 120 esp-group ESP-AZURE { compression disable lifetime 27000 
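Review bot: `parse_file` resolves every `#include` against the module-global `directory`, which `__main__` sets from the top-level file, so an include inside an included fragment is resolved relative to the root document rather than the fragment, and the recursion has no cycle guard — a fragment that includes itself or an ancestor recurses until `RecursionError`. If root-relative resolution is intended, state it in the header comment (`# include paths are relative to the directory of the top-level XML file, not of the including fragment`); a visited-set or depth check on the recursion would turn an include loop into a clear error with the offending path. The regex anchors `>` to the end of the line, so a directive followed by trailing whitespace or a comment is silently copied into the output as literal text; that may be acceptable, but is worth one sentence in the header too.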
@@ -341,35 +342,35 @@ vpn { log-modes ike } site-to-site { - peer 51.105.0.2 { + peer 51.105.0.1 { authentication { mode pre-shared-secret pre-shared-secret averysecretpsktowardsazure } connection-type respond + default-esp-group ESP-AZURE ike-group IKE-AZURE ikev2-reauth inherit local-address 192.0.2.189 vti { bind vti51 - esp-group ESP-AZURE } } - peer 51.105.0.3 { + peer 51.105.0.2 { authentication { mode pre-shared-secret pre-shared-secret averysecretpsktowardsazure } connection-type respond + default-esp-group ESP-AZURE ike-group IKE-AZURE ikev2-reauth inherit local-address 192.0.2.189 vti { bind vti52 - esp-group ESP-AZURE } } - peer 51.105.0.246 { + peer 51.105.0.3 { authentication { mode pre-shared-secret pre-shared-secret averysecretpsktowardsazure @@ -383,7 +384,7 @@ vpn { esp-group ESP-AZURE } } - peer 51.105.0.247 { + peer 51.105.0.4 { authentication { mode pre-shared-secret pre-shared-secret averysecretpsktowardsazure @@ -397,7 +398,7 @@ vpn { esp-group ESP-AZURE } } - peer 51.105.0.18 { + peer 51.105.0.5 { authentication { mode pre-shared-secret pre-shared-secret averysecretpsktowardsazure @@ -411,7 +412,7 @@ vpn { esp-group ESP-AZURE } } - peer 51.105.0.19 { + peer 51.105.0.6 { authentication { mode pre-shared-secret pre-shared-secret averysecretpsktowardsazure diff --git a/smoketest/configs/bgp-rpki b/smoketest/configs/bgp-rpki index e11ec9e72..dffab4c69 100644 --- a/smoketest/configs/bgp-rpki +++ b/smoketest/configs/bgp-rpki @@ -34,6 +34,13 @@ policy { local-preference 100 } } + rule 40 { + action permit + set { + extcommunity-rt 192.0.2.100:100 + extcommunity-soo 64500:100 + } + } } } protocols { diff --git a/smoketest/configs/ospf-small b/smoketest/configs/ospf-small index d95ba4ea4..767f4e21f 100644 --- a/smoketest/configs/ospf-small +++ b/smoketest/configs/ospf-small 
@@ -124,6 +124,22 @@ system { server 2.pool.ntp.org { } } + sysctl { + all net.ipv4.conf.eth0.tag { + value 1 + } + all net.ipv4.conf.eth1.tag { + value 1 + } + custom net.mpls.default_ttl { + value 10 + } + custom net.mpls.ip_ttl_propagate { + value 0 + } + net.ipv4.igmp_max_memberships 5 + net.ipv4.ipfrag_time 4 + } syslog { global { facility all { diff --git a/smoketest/configs/pki-ipsec b/smoketest/configs/pki-ipsec new file mode 100644 index 000000000..6fc239d27 --- /dev/null +++ b/smoketest/configs/pki-ipsec 
@@ -0,0 +1,148 @@ +interfaces { + dummy dum0 { + address 172.20.0.1/30 + } + ethernet eth0 { + address 192.168.150.1/24 + } +} +system { + config-management { + commit-revisions 100 + } + console { + device ttyS0 { + speed 115200 + } + } + host-name vyos + login { + user vyos { + authentication { + encrypted-password $6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/ + plaintext-password "" + } + } + } + ntp { + server time1.vyos.net { + } + server time2.vyos.net { + } + server time3.vyos.net { + } + } + syslog { + global { + facility all { + level info + } + facility protocols { + level debug + } + } + } +} +vpn { + ipsec { + esp-group MyESPGroup { + proposal 1 { + encryption aes128 + hash sha1 + } + } + ike-group MyIKEGroup { + proposal 1 { + dh-group 2 + encryption aes128 + hash sha1 + } + } + ipsec-interfaces { + interface eth0 + } + site-to-site { + peer 192.168.150.2 { + authentication { + mode x509 + x509 { + ca-cert-file ovpn_test_ca.pem + cert-file ovpn_test_server.pem + key { + file ovpn_test_server.key + } + } + } + default-esp-group MyESPGroup + ike-group MyIKEGroup + local-address 192.168.150.1 + tunnel 0 { + local { + prefix 172.20.0.0/24 + } + remote { + prefix 172.21.0.0/24 + } + } + } + peer 192.168.150.3 { + authentication { + mode rsa + pre-shared-secret MYSECRETKEY + rsa-key-name peer2 + } + default-esp-group MyESPGroup + ike-group MyIKEGroup + local-address 192.168.150.1 + tunnel 0 { + local { + prefix 172.20.0.0/24 + } + remote { + prefix 172.22.0.0/24 + } + } + } + } + } + l2tp { + remote-access { + authentication { + local-users { + username alice { + password notsecure + } + } + mode local + } + client-ip-pool { + start 192.168.255.2 + stop 192.168.255.254 + } + ipsec-settings { + authentication { + mode x509 + x509 { + ca-cert-file /config/auth/ovpn_test_ca.pem + server-cert-file /config/auth/ovpn_test_server.pem + server-key-file /config/auth/ovpn_test_server.key + } + } + } + 
outside-address 192.168.150.1 + } + } + rsa-keys { + local-key { + file /config/auth/ovpn_test_server.key + } + rsa-key-name peer2 { + rsa-key 0sAwEAAbudt5WQZSW2plbixjpgx4yVN/WMHdYRIZhyypJWO4ujQ/UQS9j3oTBgV2+RLtQ0YQ7eocwIfkvJVUnnZVMyZ4asQMOarQgbQ5nFGliCcDOMtNXRxHlMsvmjLx4o6FWbGukwgoxsT2x915n0XMn4XJNNSIEQotxj2GWFhEfBSPHyOM++kODk0lkbE7mLeHMMFq02vQhoczzEPWxjUUoY3jywhmHMfb4PdAKLFyt9x40znmPCYh+NSMQmpBXtD3gjGtX62bgrqKuP3BJU44x1gLlv8rJAJ4SY74YKnFUZ8m5GSbnVapwPOrp65lJZFKOGs2XXjAp5leoR+wmSYyqbDJM= + } + } +} + + +// Warning: Do not remove the following line. +// vyos-config-version: "bgp@1:broadcast-relay@1:cluster@1:config-management@1:conntrack@2:conntrack-sync@2:dhcp-relay@2:dhcp-server@5:dhcpv6-server@1:dns-forwarding@3:firewall@5:https@2:interfaces@22:ipoe-server@1:ipsec@6:isis@1:l2tp@3:lldp@1:mdns@1:nat@5:nat66@1:ntp@1:policy@1:pppoe-server@5:pptp@2:qos@1:quagga@9:rpki@1:salt@1:snmp@2:ssh@2:sstp@3:system@21:vrf@2:vrrp@2:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2:zone-policy@1" +// Release version: 1.4-rolling-202106290839 diff --git a/smoketest/configs/pki-misc b/smoketest/configs/pki-misc new file mode 100644 index 000000000..c90226a2a --- /dev/null +++ b/smoketest/configs/pki-misc 
@@ -0,0 +1,98 @@ +interfaces { + ethernet eth0 { + address 192.168.150.1/24 + } +} +service { + https { + certificates { + system-generated-certificate { + lifetime 365 + } + } + } +} +system { + config-management { + commit-revisions 100 + } + console { + device ttyS0 { + speed 115200 + } + } + host-name vyos + login { + user vyos { + authentication { + encrypted-password $6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/ + plaintext-password "" + } + } + } + ntp { + server time1.vyos.net { + } + server time2.vyos.net { + } + server time3.vyos.net { + } + } + syslog { + global { + facility all { + level info + } + facility protocols { + level debug + } + } + } +} +vpn { + openconnect { + authentication { + local-users { + username test { + password test + } + } + mode local + } + network-settings { + client-ip-settings { + subnet 192.168.160.0/24 + } + } + ssl { + ca-cert-file /config/auth/ovpn_test_ca.pem + cert-file /config/auth/ovpn_test_server.pem + key-file /config/auth/ovpn_test_server.key + } + } + sstp { + authentication { + local-users { + username test { + password test + } + } + mode local + protocols mschap-v2 + } + client-ip-pool { + subnet 192.168.170.0/24 + } + gateway-address 192.168.150.1 + ssl { + ca-cert-file /config/auth/ovpn_test_ca.pem + cert-file /config/auth/ovpn_test_server.pem + key-file /config/auth/ovpn_test_server.key + } + } +} + + +// Warning: Do not remove the following line. +// vyos-config-version: "bgp@1:broadcast-relay@1:cluster@1:config-management@1:conntrack@2:conntrack-sync@2:dhcp-relay@2:dhcp-server@5:dhcpv6-server@1:dns-forwarding@3:firewall@5:https@2:interfaces@22:ipoe-server@1:ipsec@6:isis@1:l2tp@3:lldp@1:mdns@1:nat@5:nat66@1:ntp@1:policy@1:pppoe-server@5:pptp@2:qos@1:quagga@9:rpki@1:salt@1:snmp@2:ssh@2:sstp@3:system@21:vrf@2:vrrp@2:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2:zone-policy@1" +// Release version: 1.4-rolling-202106290839 
diff --git a/smoketest/scripts/cli/base_interfaces_test.py b/smoketest/scripts/cli/base_interfaces_test.py index 56e436afc..7f69b8444 100644 --- a/smoketest/scripts/cli/base_interfaces_test.py +++ b/smoketest/scripts/cli/base_interfaces_test.py @@ -25,6 +25,7 @@ from netifaces import interfaces from base_vyostest_shim import VyOSUnitTestSHIM from vyos.configsession import ConfigSession +from vyos.configsession import ConfigSessionError from vyos.ifconfig import Interface from vyos.ifconfig import Section from vyos.util import read_file @@ -230,8 +231,8 @@ class BasicInterfaceTest: # verify changed MTU for intf in self._interfaces: - tmp = read_file(f'/sys/class/net/{intf}/mtu') - self.assertEqual(tmp, self._mtu) + tmp = get_interface_config(intf) + self.assertEqual(tmp['mtu'], int(self._mtu)) def test_mtu_1200_no_ipv6_interface(self): # Testcase if MTU can be changed to 1200 on non IPv6 @@ -255,8 +256,8 @@ class BasicInterfaceTest: # verify changed MTU for intf in self._interfaces: - tmp = read_file(f'/sys/class/net/{intf}/mtu') - self.assertEqual(tmp, self._mtu) + tmp = get_interface_config(intf) + self.assertEqual(tmp['mtu'], int(self._mtu)) self._mtu = old_mtu 
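Review bot: The replacement assertions call `get_interface_config(intf)` and index `tmp['mtu']`, but the import hunk at the top of this file only adds `ConfigSessionError`; `get_interface_config` (and `dict_search`, used by the VIF tests added further down) is not visible among the shown imports, so confirm both are imported from `vyos.util`, otherwise these tests fail with `NameError` rather than on the MTU check. The same replacement appears in the `-255,8 +256,8` hunk and in the `-364,8 +507,8` hunk later in this file. The enclosing test methods start outside the hunks.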
@@ -275,22 +276,164 @@ class BasicInterfaceTest: for vlan in self._vlan_range: base = self._base_path + [interface, 'vif', vlan] - self.cli_set(base + ['mtu', self._mtu]) for address in self._test_addr: self.cli_set(base + ['address', address]) + self.cli_set(base + ['ingress-qos', '0:1']) + self.cli_set(base + ['egress-qos', '1:6']) self.cli_commit() for intf in self._interfaces: for vlan in self._vlan_range: vif = f'{intf}.{vlan}' + tmp = get_interface_config(f'{vif}') + + tmp2 = dict_search('linkinfo.info_data.ingress_qos', tmp) + for item in tmp2 if tmp2 else []: + from_key = item['from'] + to_key = item['to'] + self.assertEqual(from_key, 0) + self.assertEqual(to_key, 1) + + tmp2 = dict_search('linkinfo.info_data.egress_qos', tmp) + for item in tmp2 if tmp2 else []: + from_key = item['from'] + to_key = item['to'] + self.assertEqual(from_key, 1) + self.assertEqual(to_key, 6) + + for address in self._test_addr: + self.assertTrue(is_intf_addr_assigned(vif, address)) + + self.assertEqual(Interface(vif).get_admin_state(), 'up') + + def test_vif_8021q_mtu_limits(self): + # XXX: This testcase is not allowed to run as first testcase, reason + # is the Wireless test will first load the wifi kernel hwsim module + # which creates a wlan0 and wlan1 interface which will fail the + # tearDown() test in the end that no interface is allowed to survive! 
+ if not self._test_vlan: + self.skipTest('not supported') + + mtu_1500 = '1500' + mtu_9000 = '9000' + + for interface in self._interfaces: + base = self._base_path + [interface] + self.cli_set(base + ['mtu', mtu_1500]) + for option in self._options.get(interface, []): + self.cli_set(base + option.split()) + if 'source-interface' in option: + iface = option.split()[-1] + iface_type = Section.section(iface) + self.cli_set(['interfaces', iface_type, iface, 'mtu', mtu_9000]) + + for vlan in self._vlan_range: + base = self._base_path + [interface, 'vif', vlan] + self.cli_set(base + ['mtu', mtu_9000]) + + # check validate() - VIF MTU must not be larger the parent interface + # MTU size. + with self.assertRaises(ConfigSessionError): + self.cli_commit() + + # Change MTU on base interface to be the same as on the VIF interface + for interface in self._interfaces: + base = self._base_path + [interface] + self.cli_set(base + ['mtu', mtu_9000]) + + self.cli_commit() + + # Verify MTU on base and VIF interfaces + for interface in self._interfaces: + tmp = get_interface_config(interface) + self.assertEqual(tmp['mtu'], int(mtu_9000)) + + for vlan in self._vlan_range: + tmp = get_interface_config(f'{interface}.{vlan}') + self.assertEqual(tmp['mtu'], int(mtu_9000)) + + + def test_vif_8021q_qos_change(self): + # XXX: This testcase is not allowed to run as first testcase, reason + # is the Wireless test will first load the wifi kernel hwsim module + # which creates a wlan0 and wlan1 interface which will fail the + # tearDown() test in the end that no interface is allowed to survive! 
+ if not self._test_vlan: + self.skipTest('not supported') + + for interface in self._interfaces: + base = self._base_path + [interface] + for option in self._options.get(interface, []): + self.cli_set(base + option.split()) + + for vlan in self._vlan_range: + base = self._base_path + [interface, 'vif', vlan] + for address in self._test_addr: + self.cli_set(base + ['address', address]) + self.cli_set(base + ['ingress-qos', '0:1']) + self.cli_set(base + ['egress-qos', '1:6']) + + self.cli_commit() + + for intf in self._interfaces: + for vlan in self._vlan_range: + vif = f'{intf}.{vlan}' + tmp = get_interface_config(f'{vif}') + + tmp2 = dict_search('linkinfo.info_data.ingress_qos', tmp) + for item in tmp2 if tmp2 else []: + from_key = item['from'] + to_key = item['to'] + self.assertEqual(from_key, 0) + self.assertEqual(to_key, 1) + + tmp2 = dict_search('linkinfo.info_data.egress_qos', tmp) + for item in tmp2 if tmp2 else []: + from_key = item['from'] + to_key = item['to'] + self.assertEqual(from_key, 1) + self.assertEqual(to_key, 6) + for address in self._test_addr: self.assertTrue(is_intf_addr_assigned(vif, address)) - tmp = read_file(f'/sys/class/net/{vif}/mtu') - self.assertEqual(tmp, self._mtu) self.assertEqual(Interface(vif).get_admin_state(), 'up') + new_ingress_qos_from = 1 + new_ingress_qos_to = 6 + new_egress_qos_from = 2 + new_egress_qos_to = 7 + for interface in self._interfaces: + base = self._base_path + [interface] + for vlan in self._vlan_range: + base = self._base_path + [interface, 'vif', vlan] + self.cli_delete(base + ['ingress-qos', '0:1']) + self.cli_delete(base + ['egress-qos', '1:6']) + self.cli_set(base + ['ingress-qos', f'{new_ingress_qos_from}:{new_ingress_qos_to}']) + self.cli_set(base + ['egress-qos', f'{new_egress_qos_from}:{new_egress_qos_to}']) + + self.cli_commit() + + for intf in self._interfaces: + for vlan in self._vlan_range: + vif = f'{intf}.{vlan}' + tmp = get_interface_config(f'{vif}') + + tmp2 = 
dict_search('linkinfo.info_data.ingress_qos', tmp) + if tmp2: + from_key = tmp2[0]['from'] + to_key = tmp2[0]['to'] + self.assertEqual(from_key, new_ingress_qos_from) + self.assertEqual(to_key, new_ingress_qos_to) + + tmp2 = dict_search('linkinfo.info_data.egress_qos', tmp) + if tmp2: + from_key = tmp2[0]['from'] + to_key = tmp2[0]['to'] + self.assertEqual(from_key, new_egress_qos_from) + self.assertEqual(to_key, new_egress_qos_to) + def test_vif_8021q_lower_up_down(self): # Testcase for https://phabricator.vyos.net/T3349 if not self._test_vlan: @@ -364,8 +507,8 @@ class BasicInterfaceTest: # for address in self._test_addr: # self.assertTrue(is_intf_addr_assigned(vif, address)) - tmp = read_file(f'/sys/class/net/{vif}/mtu') - self.assertEqual(tmp, self._mtu) + tmp = get_interface_config(vif) + self.assertEqual(tmp['mtu'], int(self._mtu)) def test_vif_s_protocol_change(self): # XXX: This testcase is not allowed to run as first testcase, reason @@ -375,8 +518,6 @@ class BasicInterfaceTest: if not self._test_qinq: self.skipTest('not supported') - self.debug = True - for interface in self._interfaces: base = self._base_path + [interface] for option in self._options.get(interface, []): diff --git a/smoketest/scripts/cli/test_interfaces_bonding.py b/smoketest/scripts/cli/test_interfaces_bonding.py index cf147fe58..86000553e 100755 --- a/smoketest/scripts/cli/test_interfaces_bonding.py +++ b/smoketest/scripts/cli/test_interfaces_bonding.py 
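Review bot: In `test_vif_8021q_qos_change` (and the matching block added to the preceding VIF test), `for item in tmp2 if tmp2 else []:` makes every QoS assertion vacuous when `linkinfo.info_data.ingress_qos`/`egress_qos` is absent from the `ip -j` output — the test then passes without checking the mapping it just configured, which is the one regression it exists to catch. After setting the mapping, `self.assertTrue(tmp2)` before iterating turns the missing key into a failure; the second verification block with `if tmp2:` has the same gap. The verify-QoS logic appears three times in this hunk, so a helper `_verify_vif_qos(self, vif, ingress, egress)` would remove the duplication and make the non-vacuous check hard to forget. `test_vif_8021q_mtu_limits` and `test_vif_8021q_qos_change` each repeat the four-line XXX comment about test ordering; one class-level note would do. The hunk begins inside `test_vif_8021q_interfaces`, whose `def` is outside the shown lines.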
@@ -133,5 +133,22 @@ class BondingInterfaceTest(BasicInterfaceTest.TestCase): self.assertEqual(0, tmp['linkinfo']['info_data']['min_links']) self.assertEqual(lacp_rate, tmp['linkinfo']['info_data']['ad_lacp_rate']) + def test_bonding_hash_policy(self): + # Define available bonding hash policies + hash_policies = ['layer2', 'layer2+3', 'layer2+3', 'encap2+3', 'encap3+4'] + for hash_policy in hash_policies: + for interface in self._interfaces: + for option in self._options.get(interface, []): + self.cli_set(self._base_path + [interface] + option.split()) + + self.cli_set(self._base_path + [interface, 'hash-policy', hash_policy]) + + self.cli_commit() + + # verify config + for interface in self._interfaces: + defined_policy = read_file(f'/sys/class/net/{interface}/bonding/xmit_hash_policy').split() + self.assertEqual(defined_policy[0], hash_policy) + if __name__ == '__main__': unittest.main(verbosity=2) diff --git a/smoketest/scripts/cli/test_interfaces_bridge.py b/smoketest/scripts/cli/test_interfaces_bridge.py index 21f20c781..4f7e03298 100755 --- a/smoketest/scripts/cli/test_interfaces_bridge.py +++ b/smoketest/scripts/cli/test_interfaces_bridge.py @@ -134,7 +134,19 @@ class BridgeInterfaceTest(BasicInterfaceTest.TestCase): for interface in self._interfaces: base = self._base_path + [interface] self.cli_set(base + ['enable-vlan']) - super().test_vif_8021q_interfaces() + super().test_vif_8021q_lower_up_down() + + def test_vif_8021q_qos_change(self): + for interface in self._interfaces: + base = self._base_path + [interface] + self.cli_set(base + ['enable-vlan']) + super().test_vif_8021q_qos_change() + + def test_vif_8021q_mtu_limits(self): + for interface in self._interfaces: + base = self._base_path + [interface] + self.cli_set(base + ['enable-vlan']) + super().test_vif_8021q_mtu_limits() def test_bridge_vlan_filter(self): vif_vlan = 2 
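Review bot: `hash_policies` in `test_bonding_hash_policy` lists `'layer2+3'` twice, so one policy is tested twice and — presumably — `'layer3+4'`, which the bonding driver also accepts, is never exercised; confirm the intended list is `hash_policies = ['layer2', 'layer2+3', 'layer3+4', 'encap2+3', 'encap3+4']`. The inner loop also re-applies `self._options` on every outer iteration, which is harmless but belongs above the policy loop.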
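Review bot: The bridge override whose body now calls `super().test_vif_8021q_lower_up_down()` begins outside the hunk, so its `def` name is not visible; if it is still named `test_vif_8021q_interfaces`, the base-class `test_vif_8021q_interfaces` would run unoverridden (without `enable-vlan`) and the lower/up/down test would run twice under two names. Please confirm the method was renamed to match, as the two new overrides `test_vif_8021q_qos_change` and `test_vif_8021q_mtu_limits` do.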
diff --git a/smoketest/scripts/cli/test_interfaces_ethernet.py b/smoketest/scripts/cli/test_interfaces_ethernet.py index cb0c8a426..a9cdab16a 100755 --- a/smoketest/scripts/cli/test_interfaces_ethernet.py +++ b/smoketest/scripts/cli/test_interfaces_ethernet.py @@ -25,9 +25,9 @@ from vyos.util import cmd from vyos.util import process_named_running from vyos.util import read_file -ca_cert = '/config/auth/eapol_test_ca.pem' -ssl_cert = '/config/auth/eapol_test_server.pem' -ssl_key = '/config/auth/eapol_test_server.key' +pki_path = ['pki'] +cert_data = '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' +key_data = 'MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgPLpD0Ohhoq0g4nhx2KMIuze7ucKUt/lBEB2wc03IxXyhRANCAATTUestw222qrj8+2gy5rysxYSQ50G7u8/3jHMM7sDwL3aWzW/zp54/LhCWUoLMjDdDEEigK4fal4ZF9aA9F0Ww' def get_wpa_supplicant_value(interface, key): tmp = read_file(f'/run/wpa_supplicant/{interface}.conf') @@ -66,6 +66,8 @@ class EthernetInterfaceTest(BasicInterfaceTest.TestCase): def tearDown(self): + self.cli_delete(pki_path) + for interface in self._interfaces: # when using a dedicated interface to test via TEST_ETH environment # variable only this one will be cleared in the end - usable to test @@ -118,7 +120,7 @@ class EthernetInterfaceTest(BasicInterfaceTest.TestCase): self.cli_commit() for interface in self._interfaces: - cpus = read_file('/sys/class/net/eth1/queues/rx-0/rps_cpus') + cpus = read_file(f'/sys/class/net/{interface}/queues/rx-0/rps_cpus') # remove the nasty ',' separation on larger strings cpus = cpus.replace(',','') cpus = int(cpus, 16) 
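Review bot: `key_data` is a private key checked into the test source (it is loaded via the `certificate eapol private key` CLI path in the later hunk) with no comment on its status; a line such as `# test-only key material generated for this smoketest; never reuse outside the test` documents why a private key lives in the repository and discourages copy-paste into a real configuration. `cert_data` appears on this page as a placeholder, so its contents cannot be reviewed here; the same comment should cover it.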
@@ -149,11 +151,14 @@ class EthernetInterfaceTest(BasicInterfaceTest.TestCase): self.cli_commit() def test_eapol_support(self): + self.cli_set(pki_path + ['ca', 'eapol', 'certificate', cert_data]) + self.cli_set(pki_path + ['certificate', 'eapol', 'certificate', cert_data]) + self.cli_set(pki_path + ['certificate', 'eapol', 'private', 'key', key_data]) + for interface in self._interfaces: # Enable EAPoL - self.cli_set(self._base_path + [interface, 'eapol', 'ca-cert-file', ca_cert]) - self.cli_set(self._base_path + [interface, 'eapol', 'cert-file', ssl_cert]) - self.cli_set(self._base_path + [interface, 'eapol', 'key-file', ssl_key]) + self.cli_set(self._base_path + [interface, 'eapol', 'ca-certificate', 'eapol']) + self.cli_set(self._base_path + [interface, 'eapol', 'certificate', 'eapol']) self.cli_commit() 
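Review bot: `test_eapol_support` loads the same `cert_data` as both `pki ca eapol certificate` and `pki certificate eapol certificate`, so the client certificate is its own CA; the `ca_cert` wpa_supplicant receives therefore only ever matches a self-signed leaf and the test says nothing about a CA-signed chain being accepted. If the intent is only to exercise rendering, make that explicit with `# self-signed cert doubles as its own CA - this checks config rendering only, not chain validation`; otherwise use a distinct CA blob (the new test_pki.py carries a `valid_ca_cert`/`valid_cert` pair that could be reused). The enclosing test method continues past the end of the hunk.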
@@ -172,35 +177,17 @@ class EthernetInterfaceTest(BasicInterfaceTest.TestCase): self.assertEqual('0', tmp) tmp = get_wpa_supplicant_value(interface, 'ca_cert') - self.assertEqual(f'"{ca_cert}"', tmp) + self.assertEqual(f'"/run/wpa_supplicant/{interface}_ca.pem"', tmp) tmp = get_wpa_supplicant_value(interface, 'client_cert') - self.assertEqual(f'"{ssl_cert}"', tmp) + self.assertEqual(f'"/run/wpa_supplicant/{interface}_cert.pem"', tmp) tmp = get_wpa_supplicant_value(interface, 'private_key') - self.assertEqual(f'"{ssl_key}"', tmp) + self.assertEqual(f'"/run/wpa_supplicant/{interface}_cert.key"', tmp) mac = read_file(f'/sys/class/net/{interface}/address') tmp = get_wpa_supplicant_value(interface, 'identity') self.assertEqual(f'"{mac}"', tmp) if __name__ == '__main__': - # Our SSL certificates need a subject ... - subject = '/C=DE/ST=BY/O=VyOS/localityName=Cloud/commonName=vyos/' \ - 'organizationalUnitName=VyOS/emailAddress=maintainers@vyos.io/' - - if not (os.path.isfile(ssl_key) and os.path.isfile(ssl_cert)): - # Generate mandatory SSL certificate - tmp = f'openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 '\ - f'-keyout {ssl_key} -out {ssl_cert} -subj {subject}' - cmd(tmp) - - if not os.path.isfile(ca_cert): - # Generate "CA" - tmp = f'openssl req -new -x509 -key {ssl_key} -out {ca_cert} -subj {subject}' - cmd(tmp) - - for file in [ca_cert, ssl_cert, ssl_key]: - cmd(f'sudo chown radius_priv_user:vyattacfg {file}') - unittest.main(verbosity=2) diff --git a/smoketest/scripts/cli/test_interfaces_openvpn.py b/smoketest/scripts/cli/test_interfaces_openvpn.py index 655ee770d..7ce1b9872 100755 --- a/smoketest/scripts/cli/test_interfaces_openvpn.py +++ b/smoketest/scripts/cli/test_interfaces_openvpn.py 
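Review bot: The new assertions only check that wpa_supplicant points at `/run/wpa_supplicant/{interface}_cert.key`; now that the private key is materialised by the config script instead of being pre-placed under `/config/auth` with an explicit `chown`, nothing in the test guards against the file being created world-readable. A one-liner after the `private_key` check, e.g. `self.assertEqual(os.stat(f'/run/wpa_supplicant/{interface}_cert.key').st_mode & 0o077, 0)`, would catch that (relax to the group the writer intentionally grants, if any). With the `__main__` generation block removed, `from vyos.util import cmd` shown in the earlier hunk of this file has no remaining visible caller - confirm and drop it if unused.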
@@ -37,12 +37,11 @@ from vyos.template import netmask_from_cidr PROCESS_NAME = 'openvpn' base_path = ['interfaces', 'openvpn'] -ca_cert = '/config/auth/ovpn_test_ca.pem' -ssl_cert = '/config/auth/ovpn_test_server.pem' -ssl_key = '/config/auth/ovpn_test_server.key' -dh_pem = '/config/auth/ovpn_test_dh.pem' -s2s_key = '/config/auth/ovpn_test_site2site.key' -auth_key = '/config/auth/ovpn_test_tls_auth.key' + +cert_data = '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' +key_data = 'MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgPLpD0Ohhoq0g4nhx2KMIuze7ucKUt/lBEB2wc03IxXyhRANCAATTUestw222qrj8+2gy5rysxYSQ50G7u8/3jHMM7sDwL3aWzW/zp54/LhCWUoLMjDdDEEigK4fal4ZF9aA9F0Ww' +dh_data = 'MIIBCAKCAQEApzGAPcQlLJiOyfGZgl1qxNgufXkdpjG7lMaOrO4TGr1giFe3jIFOFxJNC/G9Dn+KSukaWssVVR+Jwr/JesZFPawihS03wC7cZsccykNRIjiteqJDwYJZUHieOxyCuCeY4pqOUCl1uswRGjLvIFtwynpnXKKuz2YtjNifma90PEgv/vVWKix+Q0TAbdbzJzO5xp8UVn9DuYfSr10k3LbDqDM7w5ezHZxFk24S5pN/yoOpdbxB8TS67q3IYXxR3F+RseKu4J3AvkxXSP1j7COXddPpLnvbJT/SW8NrjuC/n0eKGvmeyqNv108Y89jnT79MxMMRQk66iwlsd1m4pa/OYwIBAg==' +ovpn_key_data = '443f2a710ac411c36894b2531e62c4550b079b8f3f08997f4be57c64abfdaaa431d2396b01ecec3a2c0618959e8186d99f489742d25673ffb3268841ebb2e7042a2daabe584e79d51d2b1d7409bf8840f7e42efa3e660a521719b04ee88b9043e6315ae12da7c9abd55f67eeed71a9ee8c6e163b5d2661fc332cf90cb45658b4adf892f79537d37d3a3d90da283ce885adf325ffd2b5be92067cdf0345c7712c9d36b642c170351b6d9ce9f6230c7a2617b0c181121bce7d5373404fb68e65210b36e6d40ef2769cf8990503859f6f2db3c85ba74420430a6250d6a74ca51ece4b85124bfdfec0c8a530cefa7350378d81a4539f74bed832a902ae4798142e4a' remote_port = '1194' protocol = 'udp' 
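Review bot: `key_data`, `dh_data` and `ovpn_key_data` are static secret material committed in clear text with no marker that they are throwaway fixtures; `ovpn_key_data` in particular looks like a complete OpenVPN static key. Add a comment above the block, e.g. `# Disposable test-only PKI and static keys - published in git, never use outside smoketests`, and consider moving the blobs shared with test_interfaces_ethernet.py into one fixture module. Note also that `cert_data` is reused below as both CA and server certificate, so every TLS case here runs on a self-signed chain only.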
@@ -65,6 +64,12 @@ class TestInterfacesOpenVPN(VyOSUnitTestSHIM.TestCase): self.cli_set(['interfaces', 'dummy', dummy_if, 'address', '192.0.2.1/32']) self.cli_set(['vrf', 'name', vrf_name, 'table', '12345']) + self.cli_set(['pki', 'ca', 'ovpn_test', 'certificate', cert_data]) + self.cli_set(['pki', 'certificate', 'ovpn_test', 'certificate', cert_data]) + self.cli_set(['pki', 'certificate', 'ovpn_test', 'private', 'key', key_data]) + self.cli_set(['pki', 'dh', 'ovpn_test', 'parameters', dh_data]) + self.cli_set(['pki', 'openvpn', 'shared-secret', 'ovpn_test', 'key', ovpn_key_data]) + def tearDown(self): self.cli_delete(base_path) self.cli_delete(['interfaces', 'dummy', dummy_if]) @@ -76,16 +81,8 @@ class TestInterfacesOpenVPN(VyOSUnitTestSHIM.TestCase): interface = 'vtun2000' path = base_path + [interface] self.cli_set(path + ['mode', 'client']) - - # check validate() - cannot specify both "encryption disable-ncp" and - # "encryption ncp-ciphers" at the same time - self.cli_set(path + ['encryption', 'disable-ncp']) self.cli_set(path + ['encryption', 'ncp-ciphers', 'aes192gcm']) - with self.assertRaises(ConfigSessionError): - self.cli_commit() - self.cli_delete(path + ['encryption', 'ncp-ciphers']) - # check validate() - cannot specify local-port in client mode self.cli_set(path + ['local-port', '5000']) with self.assertRaises(ConfigSessionError): 
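Review bot: `setUp` now creates `pki ca ovpn_test`, `pki certificate ovpn_test`, `pki dh ovpn_test` and `pki openvpn shared-secret ovpn_test`, but the visible part of `tearDown` only deletes `base_path` and the dummy interface, so unless the lines after the hunk remove them the pki nodes leak into every following test. Mirror test_interfaces_ethernet.py, whose tearDown deletes `pki_path`, by adding `self.cli_delete(['pki'])` before the commit in `tearDown`. `tearDown` continues outside the hunk, so this may already be handled - please confirm.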
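Review bot: The `@@ -76,16 +81,8 @@` hunk drops the validate() check that `encryption disable-ncp` and `encryption ncp-ciphers` are mutually exclusive while still setting `ncp-ciphers aes192gcm`, so the conflicting combination is no longer covered in this file. If the validator still rejects the pair, keep the case by re-adding `self.cli_set(path + ['encryption', 'disable-ncp'])` with its `assertRaises(ConfigSessionError)` block; if the option was removed or its semantics changed, a line in the commit message saying how the conflict is now resolved would help reviewers. The enclosing test method continues beyond the hunk.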
@@ -109,25 +106,24 @@ class TestInterfacesOpenVPN(VyOSUnitTestSHIM.TestCase): self.cli_commit() self.cli_set(path + ['remote-host', '192.0.9.9']) - # check validate() - cannot specify "tls dh-file" in client mode - self.cli_set(path + ['tls', 'dh-file', dh_pem]) + # check validate() - cannot specify "tls dh-params" in client mode + self.cli_set(path + ['tls', 'dh-params', 'ovpn_test']) with self.assertRaises(ConfigSessionError): self.cli_commit() self.cli_delete(path + ['tls']) - # check validate() - must specify one of "shared-secret-key-file" and "tls" + # check validate() - must specify one of "shared-secret-key" and "tls" with self.assertRaises(ConfigSessionError): self.cli_commit() - self.cli_set(path + ['shared-secret-key-file', s2s_key]) + self.cli_set(path + ['shared-secret-key', 'ovpn_test']) - # check validate() - must specify one of "shared-secret-key-file" and "tls" + # check validate() - must specify one of "shared-secret-key" and "tls" with self.assertRaises(ConfigSessionError): self.cli_commit() - self.cli_delete(path + ['shared-secret-key-file', s2s_key]) + self.cli_delete(path + ['shared-secret-key', 'ovpn_test']) - self.cli_set(path + ['tls', 'ca-cert-file', ca_cert]) - self.cli_set(path + ['tls', 'cert-file', ssl_cert]) - self.cli_set(path + ['tls', 'key-file', ssl_key]) + self.cli_set(path + ['tls', 'ca-certificate', 'ovpn_test']) + self.cli_set(path + ['tls', 'certificate', 'ovpn_test']) # check validate() - can not have auth username without a password self.cli_set(path + ['authentication', 'username', 'vyos']) 
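Review bot: Both comments around the `shared-secret-key` lines now read `must specify one of "shared-secret-key" and "tls"`, yet the second `assertRaises` runs with `shared-secret-key` already set, so it evidently checks a different rule (presumably that a shared secret is not valid in client mode). Reword the second to name the rule it tests, e.g. `# check validate() - "shared-secret-key" is not valid in client mode, "tls" is required`; as written the copy-pasted text makes the case read like a duplicate. The enclosing method continues outside the hunk.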
@@ -160,9 +156,8 @@ class TestInterfacesOpenVPN(VyOSUnitTestSHIM.TestCase): self.cli_set(path + ['protocol', protocol]) self.cli_set(path + ['remote-host', remote_host]) self.cli_set(path + ['remote-port', remote_port]) - self.cli_set(path + ['tls', 'ca-cert-file', ca_cert]) - self.cli_set(path + ['tls', 'cert-file', ssl_cert]) - self.cli_set(path + ['tls', 'key-file', ssl_key]) + self.cli_set(path + ['tls', 'ca-certificate', 'ovpn_test']) + self.cli_set(path + ['tls', 'certificate', 'ovpn_test']) self.cli_set(path + ['vrf', vrf_name]) self.cli_set(path + ['authentication', 'username', interface+'user']) self.cli_set(path + ['authentication', 'password', interface+'secretpw']) @@ -184,12 +179,12 @@ class TestInterfacesOpenVPN(VyOSUnitTestSHIM.TestCase): self.assertIn(f'remote {remote_host}', config) self.assertIn(f'persist-tun', config) self.assertIn(f'auth {auth_hash}', config) - self.assertIn(f'cipher aes-256-cbc', config) + self.assertIn(f'cipher AES-256-CBC', config) # TLS options - self.assertIn(f'ca {ca_cert}', config) - self.assertIn(f'cert {ssl_cert}', config) - self.assertIn(f'key {ssl_key}', config) + self.assertIn(f'ca /run/openvpn/{interface}_ca.pem', config) + self.assertIn(f'cert /run/openvpn/{interface}_cert.pem', config) + self.assertIn(f'key /run/openvpn/{interface}_cert.key', config) self.assertTrue(process_named_running(PROCESS_NAME)) self.assertEqual(get_vrf(interface), vrf_name) @@ -236,11 +231,11 @@ class TestInterfacesOpenVPN(VyOSUnitTestSHIM.TestCase): self.cli_commit() self.cli_delete(path + ['remote-host']) - # check validate() - must specify "tls dh-file" when not using EC keys + # check validate() - must specify "tls dh-params" when not using EC keys # in server mode with self.assertRaises(ConfigSessionError): self.cli_commit() - self.cli_set(path + ['tls', 'dh-file', dh_pem]) + self.cli_set(path + ['tls', 'dh-params', 'ovpn_test']) # check validate() - must specify "server subnet" or add interface to # bridge in server mode 
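Review bot: The client-mode assertions pin `key /run/openvpn/{interface}_cert.key` in the rendered config but not the permissions of that file; the old fixtures were explicitly `chown openvpn:openvpn`, and now that the key is written from the pki store at commit time nothing in the test prevents it from being created world-readable. Add a check next to the TLS assertions, e.g. `self.assertEqual(os.stat(f'/run/openvpn/{interface}_cert.key').st_mode & 0o077, 0)`, relaxed to whatever owner/group the writer intends if OpenVPN drops privileges to a dedicated user. The `config` string these assertions read is loaded before the hunk starts.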
@@ -259,20 +254,15 @@ class TestInterfacesOpenVPN(VyOSUnitTestSHIM.TestCase): self.cli_commit() self.cli_delete(path + ['server', 'subnet', '100.64.0.0/10']) - # check validate() - must specify "tls ca-cert-file" + # check validate() - must specify "tls ca-certificate" with self.assertRaises(ConfigSessionError): self.cli_commit() - self.cli_set(path + ['tls', 'ca-cert-file', ca_cert]) + self.cli_set(path + ['tls', 'ca-certificate', 'ovpn_test']) - # check validate() - must specify "tls cert-file" + # check validate() - must specify "tls certificate" with self.assertRaises(ConfigSessionError): self.cli_commit() - self.cli_set(path + ['tls', 'cert-file', ssl_cert]) - - # check validate() - must specify "tls key-file" - with self.assertRaises(ConfigSessionError): - self.cli_commit() - self.cli_set(path + ['tls', 'key-file', ssl_key]) + self.cli_set(path + ['tls', 'certificate', 'ovpn_test']) # check validate() - cannot specify "tls role" in client-server mode' self.cli_set(path + ['tls', 'role', 'active']) @@ -280,7 +270,7 @@ class TestInterfacesOpenVPN(VyOSUnitTestSHIM.TestCase): self.cli_commit() # check validate() - cannot specify "tls role" in client-server mode' - self.cli_set(path + ['tls', 'auth-file', auth_key]) + self.cli_set(path + ['tls', 'auth-key', 'ovpn_test']) with self.assertRaises(ConfigSessionError): self.cli_commit() 
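Review bot: With `tls key-file` folded into the pki certificate object, removing the 'must specify tls key-file' check leaves no test that a `pki certificate` without a `private key` is rejected when used as an OpenVPN server certificate, although such a node would yield an unusable `key /run/openvpn/..._cert.key`. Add a negative case: set `pki certificate nokey certificate cert_data` with no key, point `tls certificate` at `nokey`, and `assertRaises(ConfigSessionError)` on commit - if the validator does not check this yet, that is the real gap. The enclosing method continues outside the hunk.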
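Review bot: The comment above `self.cli_set(path + ['tls', 'auth-key', 'ovpn_test'])` still reads `cannot specify "tls role" in client-server mode'` (with a stray trailing quote), which is the text of the preceding check, while the assertion beneath it is about `tls auth-key`. Change it to `# check validate() - cannot specify "tls auth-key" in client-server mode` so a failure is identifiable from the comment. The wording is pre-existing, but the hunk already rewrites the line it describes.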
@@ -290,11 +280,11 @@ class TestInterfacesOpenVPN(VyOSUnitTestSHIM.TestCase): self.cli_commit() self.cli_delete(path + ['protocol']) - # check validate() - cannot specify "tls dh-file" when "tls role" is "active" - self.cli_set(path + ['tls', 'dh-file', dh_pem]) + # check validate() - cannot specify "tls dh-params" when "tls role" is "active" + self.cli_set(path + ['tls', 'dh-params', 'ovpn_test']) with self.assertRaises(ConfigSessionError): self.cli_commit() - self.cli_delete(path + ['tls', 'dh-file']) + self.cli_delete(path + ['tls', 'dh-params']) # Now test the other path with tls role passive self.cli_set(path + ['tls', 'role', 'passive']) @@ -305,10 +295,10 @@ class TestInterfacesOpenVPN(VyOSUnitTestSHIM.TestCase): self.cli_delete(path + ['protocol']) - # check validate() - must specify "tls dh-file" when "tls role" is "passive" + # check validate() - must specify "tls dh-params" when "tls role" is "passive" with self.assertRaises(ConfigSessionError): self.cli_commit() - self.cli_set(path + ['tls', 'dh-file', dh_pem]) + self.cli_set(path + ['tls', 'dh-params', 'ovpn_test']) self.cli_commit() @@ -346,10 +336,9 @@ class TestInterfacesOpenVPN(VyOSUnitTestSHIM.TestCase): self.cli_set(path + ['server', 'client', 'client1', 'subnet', route]) self.cli_set(path + ['replace-default-route']) - self.cli_set(path + ['tls', 'ca-cert-file', ca_cert]) - self.cli_set(path + ['tls', 'cert-file', ssl_cert]) - self.cli_set(path + ['tls', 'key-file', ssl_key]) - self.cli_set(path + ['tls', 'dh-file', dh_pem]) + self.cli_set(path + ['tls', 'ca-certificate', 'ovpn_test']) + self.cli_set(path + ['tls', 'certificate', 'ovpn_test']) + self.cli_set(path + ['tls', 'dh-params', 'ovpn_test']) self.cli_set(path + ['vrf', vrf_name]) self.cli_commit() 
@@ -375,17 +364,17 @@ class TestInterfacesOpenVPN(VyOSUnitTestSHIM.TestCase): self.assertIn(f'persist-key', config) self.assertIn(f'proto udp', config) # default protocol self.assertIn(f'auth {auth_hash}', config) - self.assertIn(f'cipher aes-192-cbc', config) + self.assertIn(f'cipher AES-192-CBC', config) self.assertIn(f'topology subnet', config) self.assertIn(f'lport {port}', config) self.assertIn(f'push "redirect-gateway def1"', config) self.assertIn(f'keepalive 5 25', config) # TLS options - self.assertIn(f'ca {ca_cert}', config) - self.assertIn(f'cert {ssl_cert}', config) - self.assertIn(f'key {ssl_key}', config) - self.assertIn(f'dh {dh_pem}', config) + self.assertIn(f'ca /run/openvpn/{interface}_ca.pem', config) + self.assertIn(f'cert /run/openvpn/{interface}_cert.pem', config) + self.assertIn(f'key /run/openvpn/{interface}_cert.key', config) + self.assertIn(f'dh /run/openvpn/{interface}_dh.pem', config) # IP pool configuration netmask = IPv4Network(subnet).netmask @@ -433,10 +422,9 @@ class TestInterfacesOpenVPN(VyOSUnitTestSHIM.TestCase): self.cli_set(path + ['replace-default-route']) self.cli_set(path + ['keep-alive', 'failure-count', '10']) self.cli_set(path + ['keep-alive', 'interval', '5']) - self.cli_set(path + ['tls', 'ca-cert-file', ca_cert]) - self.cli_set(path + ['tls', 'cert-file', ssl_cert]) - self.cli_set(path + ['tls', 'key-file', ssl_key]) - self.cli_set(path + ['tls', 'dh-file', dh_pem]) + self.cli_set(path + ['tls', 'ca-certificate', 'ovpn_test']) + self.cli_set(path + ['tls', 'certificate', 'ovpn_test']) + self.cli_set(path + ['tls', 'dh-params', 'ovpn_test']) self.cli_set(path + ['vrf', vrf_name]) self.cli_commit() 
@@ -456,17 +444,17 @@ class TestInterfacesOpenVPN(VyOSUnitTestSHIM.TestCase): self.assertIn(f'persist-key', config) self.assertIn(f'proto udp', config) # default protocol self.assertIn(f'auth {auth_hash}', config) - self.assertIn(f'cipher aes-192-cbc', config) + self.assertIn(f'cipher AES-192-CBC', config) self.assertIn(f'topology net30', config) self.assertIn(f'lport {port}', config) self.assertIn(f'push "redirect-gateway def1"', config) self.assertIn(f'keepalive 5 50', config) # TLS options - self.assertIn(f'ca {ca_cert}', config) - self.assertIn(f'cert {ssl_cert}', config) - self.assertIn(f'key {ssl_key}', config) - self.assertIn(f'dh {dh_pem}', config) + self.assertIn(f'ca /run/openvpn/{interface}_ca.pem', config) + self.assertIn(f'cert /run/openvpn/{interface}_cert.pem', config) + self.assertIn(f'key /run/openvpn/{interface}_cert.key', config) + self.assertIn(f'dh /run/openvpn/{interface}_dh.pem', config) # IP pool configuration netmask = IPv4Network(subnet).netmask @@ -538,10 +526,10 @@ class TestInterfacesOpenVPN(VyOSUnitTestSHIM.TestCase): self.cli_commit() self.cli_delete(path + ['remote-address', '2001:db8:ffff::2']) - # check validate() - Must specify one of "shared-secret-key-file" and "tls" + # check validate() - Must specify one of "shared-secret-key" and "tls" with self.assertRaises(ConfigSessionError): self.cli_commit() - self.cli_set(path + ['shared-secret-key-file', s2s_key]) + self.cli_set(path + ['shared-secret-key', 'ovpn_test']) self.cli_commit() @@ -573,7 +561,7 @@ class TestInterfacesOpenVPN(VyOSUnitTestSHIM.TestCase): self.cli_set(path + ['mode', 'site-to-site']) self.cli_set(path + ['local-port', port]) self.cli_set(path + ['remote-port', port]) - self.cli_set(path + ['shared-secret-key-file', s2s_key]) + self.cli_set(path + ['shared-secret-key', 'ovpn_test']) self.cli_set(path + ['remote-address', remote_address]) self.cli_set(path + ['vrf', vrf_name]) 
@@ -597,7 +585,7 @@ class TestInterfacesOpenVPN(VyOSUnitTestSHIM.TestCase): self.assertIn(f'ifconfig {local_address} {local_address_subnet}', config) self.assertIn(f'dev {interface}', config) - self.assertIn(f'secret {s2s_key}', config) + self.assertIn(f'secret /run/openvpn/{interface}_shared.key', config) self.assertIn(f'lport {port}', config) self.assertIn(f'rport {port}', config) @@ -617,37 +605,4 @@ class TestInterfacesOpenVPN(VyOSUnitTestSHIM.TestCase): if __name__ == '__main__': - # Our SSL certificates need a subject ... - subject = '/C=DE/ST=BY/O=VyOS/localityName=Cloud/commonName=vyos/' \ - 'organizationalUnitName=VyOS/emailAddress=maintainers@vyos.io/' - - if not (os.path.isfile(ssl_key) and os.path.isfile(ssl_cert)): - # Generate mandatory SSL certificate - tmp = f'openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 '\ - f'-keyout {ssl_key} -out {ssl_cert} -subj {subject}' - cmd(tmp) - - if not os.path.isfile(ca_cert): - # Generate "CA" - tmp = f'openssl req -new -x509 -key {ssl_key} -out {ca_cert} -subj {subject}' - cmd(tmp) - - if not os.path.isfile(dh_pem): - # Generate "DH" key - tmp = f'openssl dhparam -out {dh_pem} 2048' - cmd(tmp) - - if not os.path.isfile(s2s_key): - # Generate site-2-site key - tmp = f'openvpn --genkey --secret {s2s_key}' - cmd(tmp) - - if not os.path.isfile(auth_key): - # Generate TLS auth key - tmp = f'openvpn --genkey --secret {auth_key}' - cmd(tmp) - - for file in [ca_cert, ssl_cert, ssl_key, dh_pem, s2s_key, auth_key]: - cmd(f'sudo chown openvpn:openvpn {file}') - unittest.main(verbosity=2) diff --git a/smoketest/scripts/cli/test_interfaces_pppoe.py b/smoketest/scripts/cli/test_interfaces_pppoe.py index b8682fe71..3412ebae0 100755 --- a/smoketest/scripts/cli/test_interfaces_pppoe.py +++ b/smoketest/scripts/cli/test_interfaces_pppoe.py 
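Review bot: `secret /run/openvpn/{interface}_shared.key` is asserted by path only, but the static key is the whole security of a site-to-site tunnel and is now written at commit time instead of placed with the explicit `chown openvpn:openvpn` the removed `__main__` block performed; assert its mode too, e.g. `self.assertEqual(os.stat(f'/run/openvpn/{interface}_shared.key').st_mode & 0o077, 0)`. Deleting the generation block also removes the only visible uses of `cmd` and `os.path.isfile`, so check the import list (outside this hunk) for now-unused `cmd`/`os` imports. The enclosing test method continues outside the hunk.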
@@ -179,5 +179,19 @@ class PPPoEInterfaceTest(VyOSUnitTestSHIM.TestCase): tmp = re.findall(f'systemctl restart dhcp6c@{interface}.service', tmp) self.assertTrue(tmp) + def test_pppoe_authentication(self): + # When username or password is set - so must be the other + interface = 'pppoe0' + self.cli_set(base_path + [interface, 'authentication', 'user', 'vyos']) + self.cli_set(base_path + [interface, 'source-interface', self._source_interface]) + self.cli_set(base_path + [interface, 'ipv6', 'address', 'autoconf']) + + # check validate() - if user is set, so must be the password + with self.assertRaises(ConfigSessionError): + self.cli_commit() + + self.cli_set(base_path + [interface, 'authentication', 'password', 'vyos']) + self.cli_commit() + if __name__ == '__main__': unittest.main(verbosity=2) diff --git a/smoketest/scripts/cli/test_interfaces_pseudo_ethernet.py b/smoketest/scripts/cli/test_interfaces_pseudo_ethernet.py index ff343bb87..ae899cddd 100755 --- a/smoketest/scripts/cli/test_interfaces_pseudo_ethernet.py +++ b/smoketest/scripts/cli/test_interfaces_pseudo_ethernet.py @@ -14,8 +14,10 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. +import os import unittest +from vyos.ifconfig import Section from base_interfaces_test import BasicInterfaceTest class PEthInterfaceTest(BasicInterfaceTest.TestCase): 
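Review bot: `test_pppoe_authentication` proves only that the commit succeeds once both `user` and `password` are set; it never reads the rendered pppd configuration, so a template regression that drops or mangles the credentials would still pass. After the final `cli_commit()`, read the generated peer file the earlier assertions in this class inspect and check the user is present, e.g. `self.assertIn('user "vyos"', tmp)` (adjust to the exact syntax the template emits). Since the PPP password is a secret, also consider asserting that the file holding it is not world-readable.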
@@ -29,10 +31,20 @@ class PEthInterfaceTest(BasicInterfaceTest.TestCase): cls._test_vlan = True cls._test_qinq = True cls._base_path = ['interfaces', 'pseudo-ethernet'] - cls._options = { - 'peth0': ['source-interface eth1'], - 'peth1': ['source-interface eth1'], - } + + cls._options = {} + # we need to filter out VLAN interfaces identified by a dot (.) + # in their name - just in case! + if 'TEST_ETH' in os.environ: + for tmp in os.environ['TEST_ETH'].split(): + cls._options.update({f'p{tmp}' : [f'source-interface {tmp}']}) + + else: + for tmp in Section.interfaces('ethernet'): + if '.' in tmp: + continue + cls._options.update({f'p{tmp}' : [f'source-interface {tmp}']}) + cls._interfaces = list(cls._options) # call base-classes classmethod super(cls, cls).setUpClass() diff --git a/smoketest/scripts/cli/test_interfaces_tunnel.py b/smoketest/scripts/cli/test_interfaces_tunnel.py index ebb0158dc..841527d21 100755 --- a/smoketest/scripts/cli/test_interfaces_tunnel.py +++ b/smoketest/scripts/cli/test_interfaces_tunnel.py @@ -189,6 +189,7 @@ class TunnelInterfaceTest(BasicInterfaceTest.TestCase): self.cli_set(self._base_path + [interface, 'parameters', 'ip', 'no-pmtu-discovery']) self.cli_set(self._base_path + [interface, 'parameters', 'ip', 'key', gre_key]) self.cli_set(self._base_path + [interface, 'parameters', 'ip', 'tos', tos]) + self.cli_set(self._base_path + [interface, 'parameters', 'ip', 'ttl', '0']) # Check if commit is ok self.cli_commit() @@ -221,7 +222,7 @@ class TunnelInterfaceTest(BasicInterfaceTest.TestCase): self.assertEqual(encapsulation, conf['linkinfo']['info_kind']) self.assertEqual(self.local_v4, conf['linkinfo']['info_data']['local']) self.assertEqual(remote_ip4, conf['linkinfo']['info_data']['remote']) - self.assertEqual(0, conf['linkinfo']['info_data']['ttl']) + self.assertEqual(64, conf['linkinfo']['info_data']['ttl']) # Change remote ip address (inc host by 2 new_remote = inc_ip(remote_ip4, 2) 
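Review bot: The comment says VLAN sub-interfaces (names containing a dot) must be filtered out "just in case", but `if '.' in tmp: continue` is applied only in the `else` branch; a `TEST_ETH='eth1.10'` value goes straight into `cls._options` as `peth1.10` with `source-interface eth1.10`. Apply the same guard in the `TEST_ETH` loop, or build one candidate list from either source and filter it once before populating `cls._options`. `setUpClass` ends with the visible `super(cls, cls).setUpClass()` call, but its header lies before the hunk.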
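Review bot: The GRE test now sets `parameters ip ttl 0` and simultaneously changes the expected `info_data['ttl']` from `0` to `64`, with nothing explaining why a configured 0 reads back as 64; a reader cannot tell whether 0 means "use the default" or the CLI silently rewrites the value. Add a comment beside the `cli_set`, e.g. `# ttl 0 selects the default, which the kernel reports as 64`, or, if 0 is meant to mean inherit, assert that instead. The enclosing test method continues outside the hunk.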
@@ -258,7 +259,7 @@ class TunnelInterfaceTest(BasicInterfaceTest.TestCase): self.assertEqual(encapsulation, conf['linkinfo']['info_kind']) self.assertEqual(self.local_v4, conf['linkinfo']['info_data']['local']) self.assertEqual(remote_ip4, conf['linkinfo']['info_data']['remote']) - self.assertEqual(0, conf['linkinfo']['info_data']['ttl']) + self.assertEqual(64, conf['linkinfo']['info_data']['ttl']) self.assertEqual(f'0.0.0.{ip_key}', conf['linkinfo']['info_data']['ikey']) self.assertEqual(f'0.0.0.{ip_key}', conf['linkinfo']['info_data']['okey']) self.assertEqual(int(idx), conf['linkinfo']['info_data']['erspan_index']) @@ -314,7 +315,7 @@ class TunnelInterfaceTest(BasicInterfaceTest.TestCase): self.assertEqual(encapsulation, conf['linkinfo']['info_kind']) self.assertEqual(self.local_v6, conf['linkinfo']['info_data']['local']) self.assertEqual(remote_ip6, conf['linkinfo']['info_data']['remote']) - self.assertEqual(0, conf['linkinfo']['info_data']['ttl']) + self.assertEqual(64, conf['linkinfo']['info_data']['ttl']) self.assertEqual(f'0.0.0.{ip_key}', conf['linkinfo']['info_data']['ikey']) self.assertEqual(f'0.0.0.{ip_key}', conf['linkinfo']['info_data']['okey']) self.assertEqual(erspan_ver, conf['linkinfo']['info_data']['erspan_ver']) diff --git a/smoketest/scripts/cli/test_interfaces_wireguard.py b/smoketest/scripts/cli/test_interfaces_wireguard.py index d31ec0332..3707eaac3 100755 --- a/smoketest/scripts/cli/test_interfaces_wireguard.py +++ b/smoketest/scripts/cli/test_interfaces_wireguard.py @@ -21,11 +21,6 @@ from base_vyostest_shim import VyOSUnitTestSHIM from vyos.configsession import ConfigSession from vyos.configsession import ConfigSessionError - -# Generate WireGuard default keypair -if not os.path.isdir('/config/auth/wireguard/default'): - os.system('sudo /usr/libexec/vyos/op_mode/wireguard.py --genkey') - base_path = ['interfaces', 'wireguard'] class WireGuardInterfaceTest(VyOSUnitTestSHIM.TestCase): 
@@ -42,12 +37,15 @@ class WireGuardInterfaceTest(VyOSUnitTestSHIM.TestCase): # Create WireGuard interfaces with associated peers for intf in self._interfaces: peer = 'foo-' + intf + privkey = '6ISOkASm6VhHOOSz/5iIxw+Q9adq9zA17iMM4X40dlc=' psk = 'u2xdA70hkz0S1CG0dZlOh0aq2orwFXRIVrKo4DCvHgM=' pubkey = 'n6ZZL7ph/QJUJSUUTyu19c77my1dRCDHkMzFQUO9Z3A=' for addr in self._test_addr: self.cli_set(base_path + [intf, 'address', addr]) + self.cli_set(base_path + [intf, 'private-key', privkey]) + self.cli_set(base_path + [intf, 'peer', peer, 'address', '127.0.0.1']) self.cli_set(base_path + [intf, 'peer', peer, 'port', '1337']) @@ -57,7 +55,7 @@ class WireGuardInterfaceTest(VyOSUnitTestSHIM.TestCase): self.cli_set(base_path + [intf, 'peer', peer, 'allowed-ips', ip]) self.cli_set(base_path + [intf, 'peer', peer, 'preshared-key', psk]) - self.cli_set(base_path + [intf, 'peer', peer, 'pubkey', pubkey]) + self.cli_set(base_path + [intf, 'peer', peer, 'public-key', pubkey]) self.cli_commit() self.assertTrue(os.path.isdir(f'/sys/class/net/{intf}')) 
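Review bot: `privkey` is a WireGuard private key hard-coded in the test without any indication that it is a throwaway, and the same key is assigned to every interface in `self._interfaces` within one commit; whether the module accepts two interfaces sharing a private key is an implementation detail, so either use distinct keys per interface or state that sharing is intentional. Add `# Throwaway test-only key - published in git, never reuse` above it, and hoist it to a module-level constant since the following hunk declares the identical literal again.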
@@ -68,17 +66,19 @@ class WireGuardInterfaceTest(VyOSUnitTestSHIM.TestCase): # Remove one of the configured peers. interface = 'wg0' port = '12345' + privkey = '6ISOkASm6VhHOOSz/5iIxw+Q9adq9zA17iMM4X40dlc=' pubkey_1 = 'n1CUsmR0M2LUUsyicBd6blZICwUqqWWHbu4ifZ2/9gk=' pubkey_2 = 'ebFx/1G0ti8tvuZd94sEIosAZZIznX+dBAKG/8DFm0I=' self.cli_set(base_path + [interface, 'address', '172.16.0.1/24']) + self.cli_set(base_path + [interface, 'private-key', privkey]) - self.cli_set(base_path + [interface, 'peer', 'PEER01', 'pubkey', pubkey_1]) + self.cli_set(base_path + [interface, 'peer', 'PEER01', 'public-key', pubkey_1]) self.cli_set(base_path + [interface, 'peer', 'PEER01', 'port', port]) self.cli_set(base_path + [interface, 'peer', 'PEER01', 'allowed-ips', '10.205.212.10/32']) self.cli_set(base_path + [interface, 'peer', 'PEER01', 'address', '192.0.2.1']) - self.cli_set(base_path + [interface, 'peer', 'PEER02', 'pubkey', pubkey_2]) + self.cli_set(base_path + [interface, 'peer', 'PEER02', 'public-key', pubkey_2]) self.cli_set(base_path + [interface, 'peer', 'PEER02', 'port', port]) self.cli_set(base_path + [interface, 'peer', 'PEER02', 'allowed-ips', '10.205.212.11/32']) self.cli_set(base_path + [interface, 'peer', 'PEER02', 'address', '192.0.2.2']) diff --git a/smoketest/scripts/cli/test_interfaces_wirelessmodem.py b/smoketest/scripts/cli/test_interfaces_wirelessmodem.py deleted file mode 100755 index c36835ea7..000000000 --- a/smoketest/scripts/cli/test_interfaces_wirelessmodem.py +++ /dev/null 
@@ -1,83 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2020-2021 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. - -import os -import unittest - -from psutil import process_iter -from base_vyostest_shim import VyOSUnitTestSHIM - -from vyos.configsession import ConfigSession -from vyos.configsession import ConfigSessionError - -config_file = '/etc/ppp/peers/{}' -base_path = ['interfaces', 'wirelessmodem'] - -def get_config_value(interface, key): - with open(config_file.format(interface), 'r') as f: - for line in f: - if line.startswith(key): - return list(line.split()) - return [] - -class WWANInterfaceTest(VyOSUnitTestSHIM.TestCase): - def setUp(self): - self._interfaces = ['wlm0', 'wlm1'] - - def tearDown(self): - self.cli_delete(base_path) - self.cli_commit() - - def test_wwan(self): - for interface in self._interfaces: - self.cli_set(base_path + [interface, 'no-peer-dns']) - self.cli_set(base_path + [interface, 'connect-on-demand']) - - # check validate() - APN must be configure - with self.assertRaises(ConfigSessionError): - self.cli_commit() - self.cli_set(base_path + [interface, 'apn', 'vyos.net']) - - # check validate() - device must be configure - with self.assertRaises(ConfigSessionError): - self.cli_commit() - self.cli_set(base_path + [interface, 'device', 'ttyS0']) - - # commit changes - self.cli_commit() - - # verify configuration file(s) - for interface in self._interfaces: - tmp 
= get_config_value(interface, 'ifname')[1] - self.assertTrue(interface in tmp) - - tmp = get_config_value(interface, 'demand')[0] - self.assertTrue('demand' in tmp) - - tmp = os.path.isfile(f'/etc/ppp/peers/chat.{interface}') - self.assertTrue(tmp) - - # Check if ppp process is running in the interface in question - running = False - for p in process_iter(): - if "pppd" in p.name(): - if interface in p.cmdline(): - running = True - - self.assertTrue(running) - -if __name__ == '__main__': - unittest.main(verbosity=2) diff --git a/smoketest/scripts/cli/test_pki.py b/smoketest/scripts/cli/test_pki.py new file mode 100755 index 000000000..deaf23b05 --- /dev/null +++ b/smoketest/scripts/cli/test_pki.py 
@@ -0,0 +1,189 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2021 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import unittest + +from base_vyostest_shim import VyOSUnitTestSHIM +from vyos.configsession import ConfigSession +from vyos.configsession import ConfigSessionError + +base_path = ['pki'] + +valid_ca_cert = """ +MIIDgTCCAmmgAwIBAgIUeM0mATGs+sKF7ViBM6DEf9fQ19swDQYJKoZIhvcNAQEL +BQAwVzELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcM +CVNvbWUtQ2l0eTENMAsGA1UECgwEVnlPUzEQMA4GA1UEAwwHVnlPUyBDQTAeFw0y +MTA2MjgxMzE2NDZaFw0yNjA2MjcxMzE2NDZaMFcxCzAJBgNVBAYTAkdCMRMwEQYD +VQQIDApTb21lLVN0YXRlMRIwEAYDVQQHDAlTb21lLUNpdHkxDTALBgNVBAoMBFZ5 +T1MxEDAOBgNVBAMMB1Z5T1MgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQDK98WwZIqgC6teHPSsyKLLRtboy55aisJN0D3iHJ8WGKkDmIrdCR2LI4J5 +C82ErfPOzl4Ck4vTmqh8wnuK/dhUxxzNdFJBMPHAe/E+UawYrubtJj5g8iHYowZJ +T5HQKnZbcqlPvl6EizA+etO48WGljKhpimj9/LVTp81+BtFNP4tJ/vOl+iqyJ0+P +xiqQNDJgAF18meQRKaT9CcXycsciG9snMlB1tdOR7KDbi8lJ86lOi5ukPJaiMgWE +u4UlyFVyHJ/68NvtwRhYerMoQquqDs21OXkOd8spZL6qEsxMeK8InedA7abPaxgx +ORpHguPQV4Ib5HBH9Chdb9zBMheZAgMBAAGjRTBDMA8GA1UdEwEB/wQFMAMBAf8w +IAYDVR0lAQH/BBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMA4GA1UdDwEB/wQEAwIB +hjANBgkqhkiG9w0BAQsFAAOCAQEAbwJZifMEDbrKPQfGLp7ZA1muM728o4EYmmE7 +9eWwH22wGMSZI7T2xr5zRlFLs+Jha917yQK4b5xBMjQRAJlHKjzNLJ+3XaGlnWja +TBJ2SC5YktrmXRAIS7PxTRk/r1bHs/D00+sEWewbFYr8Js4a1Cv4TksTNyjHx8pv 
+phA+KIx/4qdojTslz+oH/cakUz0M9fh2B2xsO4bab5vX+LGLCK7jjeAL4Zyjf1hD +yx+Ri79L5N8h4Q69fER4cIkW7KVKUOyjEg3N4ST56urdycmyq9bXFz5pRxuZLInA +6RRToJrL8i0aPLJ6SyMujfREfjqOxdW5vyNF5/RkY+5Nz8JMgQ== +""" + +valid_ca_private_key = """ +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDK98WwZIqgC6te +HPSsyKLLRtboy55aisJN0D3iHJ8WGKkDmIrdCR2LI4J5C82ErfPOzl4Ck4vTmqh8 +wnuK/dhUxxzNdFJBMPHAe/E+UawYrubtJj5g8iHYowZJT5HQKnZbcqlPvl6EizA+ +etO48WGljKhpimj9/LVTp81+BtFNP4tJ/vOl+iqyJ0+PxiqQNDJgAF18meQRKaT9 +CcXycsciG9snMlB1tdOR7KDbi8lJ86lOi5ukPJaiMgWEu4UlyFVyHJ/68NvtwRhY +erMoQquqDs21OXkOd8spZL6qEsxMeK8InedA7abPaxgxORpHguPQV4Ib5HBH9Chd +b9zBMheZAgMBAAECggEAa/CK5L0DcAvkrd9OS9lDokFhJ1qqM1KZ9NHrJyW7gP/K +Wow0RUqEuKtAxuj8+jOcdn4PRuV6tiUIt5iiJQ/MjYF6ktTqrZq+5nPDnzXGBTZ2 +vuXYxKvgThqczD4RuJfsa8O1wR/nmit/k6q0kCVmnakJI1+laHWNZRjXUs+DXcWb +rUN5D4/5kyjvFilH1c8arfrO2O4DcwfX1zNbxicgYrGmjE5m6WCZKWdcgpBcIQSh +ZfNATfXIEZ16WmDIFZnuOEUtFAzweR2ataLQNoyaTUeEe6g+ZDtUQIGKR/f0+Z4T +/JMJfPX/vRn0l3nRJWWC7Okpa2xb0hVdBmS/op+TNQKBgQDvNGAkS4uUx8xw724k +zCKQJRnzR80AQ6b2FoqRbAevWm+i0ntsCMyvCItAQS8Bw+9fgITvsmd9SdYPncMQ +Z1oQYPk5yso/SPUyuNPXtygDxUP1xS1yja5MObqyrq2O2EzcxiVxEHGlZMLTNxNA +1tE8nF4c0nQpV/EfLtkQFnnUSwKBgQDZOA2hiLaiDlPj03S4UXDu6aUD2o07782C +UKl6A331ZhH/8zGEiUvBKg8IG/2FyCHQDC0C6rbfoarAhrRGbDHKkDTKNmThTj+I +YBkLt/5OATvqkEw8eL0nB+PY5JKH04/jE0F/YM/StUsgxvMCVhtp0u/d2Hq4V9sk +xah6oFbtKwKBgGEvs3wroWtyffLIpMSYl9Ze7Js2aekYk4ZahDQvYzPwl3jc8b5k +GN1oqEMT+MhL1j7EFb7ZikiSLkGsBGvuwd3zuG6toNxzhQP1qkRzqvNVO5ZoZV2s +iMt5jQw6AlQON7RfYSj92F6tgKaWMuFeJibtFSO6se12SIY134U0zIzfAoGAQWF7 +yNkrj4+cdICbKzdoNKEiyAwqYpYFV2oL+OvAJ/L3DAEZMHla0eNk7t3t6yyX8NUZ +Xz1imeFBUf25mVDLk9rf6NWCe8ZfnR6/qyVQaA47CJkyOSlmVa8sR4ZVDIkDUCfl +mP98zkE/QbhgQJ3GVo3lIPMdzQq0rVbJJU/Jmk0CgYEAtHRNaoKBsxKfb7N7ewla +MzwcULIORODjWM8MUXM+R50F/2uYMiTvpz6eIUVfXoFyQoioYI8kcDZ8NamiQIS7 +uZsHfKpgMDJkV3kOoZQusoDhasGQ0SOnxbz/y0XmNUtAePipH0jPY1SYUvWbvm2y +a4aWVhBFly9hi2ZeHiVxVhk= +""" + +valid_cert = """ +MIIB9zCCAZygAwIBAgIUQ5G1nyASL/YsKGyLNGhRPPQyo4kwCgYIKoZIzj0EAwIw 
+XjELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcMCVNv +bWUtQ2l0eTENMAsGA1UECgwEVnlPUzEXMBUGA1UEAwwOVnlPUyBUZXN0IENlcnQw +HhcNMjEwNjI4MTMyNjIyWhcNMjIwNjI4MTMyNjIyWjBeMQswCQYDVQQGEwJHQjET +MBEGA1UECAwKU29tZS1TdGF0ZTESMBAGA1UEBwwJU29tZS1DaXR5MQ0wCwYDVQQK +DARWeU9TMRcwFQYDVQQDDA5WeU9TIFRlc3QgQ2VydDBZMBMGByqGSM49AgEGCCqG +SM49AwEHA0IABBsebIt+8rr2UysTpL8NnYUtmt47e3sC3H9IO8iI/N4uFrmGVgTL +E2G+RDGzZgG/r7LviJSTuE9HX7wHLcIr0SmjODA2MAwGA1UdEwEB/wQCMAAwFgYD +VR0lAQH/BAwwCgYIKwYBBQUHAwEwDgYDVR0PAQH/BAQDAgeAMAoGCCqGSM49BAMC +A0kAMEYCIQD5xK5kdC3TJ7SZrBGvzIM7E7Cil/KZJUyQDR9eFNNZVQIhALg8DTfr +wAawf8L+Ncjn/l2gd5cB0nGij0D7uYnm3zf/ +""" + +valid_dh_params = """ +MIIBCAKCAQEAnNldZCrJk5MxhFoUlvvaYmUO+TmtL0uL62H2RIHJ+O0R+8vzdGPh +6zDAzo46EJK735haUgu8+A1RTsXDOXcwBqDlVe0hYj9KaPHz1HpfNKntpoPCJAYJ +wiH8dd5zVMH+iBwEKlrfteV9vWHn0HUxgLJFSLp5o6y0qpKPREJu6k0XguGScrPa +Iw6RUwsoDy3unHfk+YeC0o040R18F75V1mXWTjQlEgM7ZO2JZkLGkhW30jB0vSHr +krFqOvtPUiyG7r3+j18IUYLTN0s+5FOCfCjvSVKibNlB1vUz5y/9Ve8roctpkRM/ +5R5FA0mtbl7U/yMSX4FRIQ/A9BlHiu4bowIBAg== +""" +valid_public_ec_key = """ +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEAoInInwjlu/3+wDqvRa/Eyg3EMvB +pPyq2v4jqEtEh2n4lOCi7ZgNjr+1sQSvrn8mccpALYl3/RKOougC5oQzCg== +""" + +valid_private_rsa_key = """ +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDDoAVyJPpcLBFs +2NdS1qMOSj7mwKBKVZiBN3nqbLiOvEHbVe22UMNvUFU3sGs2Ta2zXwhPF3d6vPPs +GlYTkO3XAffMSNXhjCsvWHiIOR4JrWf598Bpt+txBsxsa12kM3/HM7RDf3zdN2gT +twzrcWzu+zOTXlqJ2OSq/BRRZO9IMbQLQ1/h42GJHEr4THnY4zDqUjmMmIuiBXn4 +xoE4KFLH1+xPTVleeKvPPeJ1wsshoUjlXYOgcsrXasDUt5gtkkXsVQwR9Lvbh+Rc +BhT+tJmrX9Cwq4YAd3tLSNJARS9HanRZ8uV0RTyZsImdw1Fr5ySpG2oEp/Z5mbL6 +QYqDmQ+DAgMBAAECggEAGu7qMQf0TEJo98J3CtmwQ2Rnep+ksfdM8uVvbJ4hXs1+ +h7Mx8jr2XVoDEZLBgA17z8lSvIjvkz92mdgaZ8E5bbPAqSiSAeapf3A/0AmFIDH2 +scyxehyvVrVn6blygAvzGLr+o5hm2ZIqSySVq8jHBbQiKrT/5CCvgvcH2Rj7dMXd +T5lL73tCRJZsgvFNlxyj4Omj9Lh7SjL+tIwEQaLFbvANXrZ/BPyw4OlK8daBNg9b +5GvJSDitAVMgDEEApGYu1iNwMM4UJSQAC27eJdr+qJO6DDqktWOyWcyXrxJ9mDVK 
+FNbb9QNQZDj7bFfm6rCuSdH9yYe3vly+SNJqtyCiwQKBgQDvemt/57KiwQffmoKR +65NAZsQvmA4PtELYOV8NPeYH1BZN/EPmCc74iELJdQPFDYy903aRJEPGt7jfqprd +PexLwt73P/XiUjPrsbqgJqfF/EMiczxAktyW3xBt2lIWU1MUUmO1ps+ZZEg8Ks4e +K/3+FWqbwZ8drDBUT9BthUA0oQKBgQDRHxU6bu938PGweFJcIG6U21nsYaWiwCiT +LXA5vWZ+UEqz81BUye6tIcCDgeku3HvC/0ycvrBM9F4AZCjnnEvrAJHKl6e4j+C4 +IpghGQvRvQ9ihDs9JIHnaoUC1i8dE3ISbbp1r7CN+J/HnAC2OeECMJuffXdnkVWa +xRdxU+9towKBgCwFVeNyJO00DI126o+GPVA2U9Pn4JXUbgEvMqDNgw5nVx5Iw/Zy +USBwc85yexnq7rcqOv5dKzRJK2u6AbOvoVMf5DqRAFL1B2RJDGRKFscXIwQfKLE6 +DeCR6oQ3AKXn9TqkFn4axsiMnZapy6/SKGNfbnRpOCWNNGkbLtYjC3VhAoGAN0kO +ZapaaM0sOEk3DOAOHBB5j4KpNYOztmU23Cz0YcR8W2KiBCh2jxLzQFEiAp+LoJu5 +9156YX3hNB1GqySo9XHrGTJKxwJSmJucuHNUqphe7t6igqGaLkH89CkHv5oaeEDG +IMLX3FC0fSMDFSnsEJYlLl8PKDRF+2rLrcxQ6h0CgYAZllNu8a7tE6cM6QsCILQn +NjuLuZRX8/KYWRqBJxatwZXCcMe2jti1HKTVVVCyYffOFa1QcAjCPknAmAz80l3e +g6a75NnEXo0J6YLAOOxd8fD2/HidhbceCmTF+3msidIzCsBidBkgn6V5TXx2IyMS +xGsJxVHfSKeooUQn6q76sg== +""" + +class TestPKI(VyOSUnitTestSHIM.TestCase): + def setUp(self): + self.cli_delete(base_path) + + def tearDown(self): + self.cli_delete(base_path) + self.cli_commit() + + def test_valid_pki(self): + # Valid CA + self.cli_set(base_path + ['ca', 'smoketest', 'certificate', valid_ca_cert.replace('\n','')]) + self.cli_set(base_path + ['ca', 'smoketest', 'private', 'key', valid_ca_private_key.replace('\n','')]) + + # Valid cert + self.cli_set(base_path + ['certificate', 'smoketest', 'certificate', valid_cert.replace('\n','')]) + + # Valid DH + self.cli_set(base_path + ['dh', 'smoketest', 'parameters', valid_dh_params.replace('\n','')]) + + # Valid public key + self.cli_set(base_path + ['key-pair', 'smoketest', 'public', 'key', valid_public_ec_key.replace('\n','')]) + + # Valid private key + self.cli_set(base_path + ['key-pair', 'smoketest1', 'private', 'key', valid_private_rsa_key.replace('\n','')]) + self.cli_commit() + + def test_invalid_ca_valid_certificate(self): + self.cli_set(base_path + ['ca', 'smoketest', 'certificate', 
valid_cert.replace('\n','')]) + + with self.assertRaises(ConfigSessionError): + self.cli_commit() + + def test_invalid_certificate(self): + self.cli_set(base_path + ['certificate', 'smoketest', 'certificate', 'invalidcertdata']) + + with self.assertRaises(ConfigSessionError): + self.cli_commit() + + def test_invalid_public_key(self): + self.cli_set(base_path + ['key-pair', 'smoketest', 'public', 'key', 'invalidkeydata']) + + with self.assertRaises(ConfigSessionError): + self.cli_commit() + + def test_invalid_private_key(self): + self.cli_set(base_path + ['key-pair', 'smoketest', 'private', 'key', 'invalidkeydata']) + + with self.assertRaises(ConfigSessionError): + self.cli_commit() + + def test_invalid_dh_parameters(self): + self.cli_set(base_path + ['dh', 'smoketest', 'parameters', 'thisisinvalid']) + + with self.assertRaises(ConfigSessionError): + self.cli_commit() + +if __name__ == '__main__': + unittest.main(verbosity=2) diff --git a/smoketest/scripts/cli/test_policy.py b/smoketest/scripts/cli/test_policy.py index 59425b789..2d7b78048 100755 --- a/smoketest/scripts/cli/test_policy.py +++ b/smoketest/scripts/cli/test_policy.py @@ -773,6 +773,9 @@ class TestPolicy(VyOSUnitTestSHIM.TestCase): 'as-path-prepend' : '1234567890 987654321', 'atomic-aggregate' : '', 'distance' : '110', + 'extcommunity-bw' : '20000', + 'extcommunity-rt' : '123:456', + 'extcommunity-soo' : '456:789', 'ipv6-next-hop-global': '2001::1', 'ipv6-next-hop-local' : 'fe80::1', 'ip-next-hop' : '192.168.1.1', @@ -789,6 +792,18 @@ class TestPolicy(VyOSUnitTestSHIM.TestCase): }, }, }, + 'bandwidth-configuration' : { + 'rule' : { + '10' : { + 'action' : 'deny', + 'set' : { + 'as-path-prepend' : '100 100', + 'distance' : '200', + 'extcommunity-bw' : 'num-multipaths', + }, + }, + }, + }, } self.cli_set(['policy', 'access-list', access_list, 'rule', '10', 'action', 'permit']) 
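Review bot: `valid_cert` is a one-year leaf certificate (its UTCTime fields decode to notBefore 2021-06-28 and notAfter 2022-06-28), so `test_valid_pki` is time-dependent: should the pki verify() ever reject expired certificates, this fixture starts failing in June 2022 with no hint why. Either regenerate the leaf with a long validity like `valid_ca_cert` (which runs to 2026-06-27) or annotate the fixture with `# NOTE: leaf cert expires 2022-06-28; fixture assumes verify() does not enforce the validity period` so the next maintainer knows why it still loads. The negative cases also never pair a `ca` certificate with a non-matching `private key`; if verify() checks that the key belongs to the certificate, a `test_invalid_ca_key_mismatch` feeding `valid_ca_cert` together with `valid_private_rsa_key` would pin that check.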
@@ -896,6 +911,12 @@ class TestPolicy(VyOSUnitTestSHIM.TestCase): self.cli_set(path + ['rule', rule, 'set', 'atomic-aggregate']) if 'distance' in rule_config['set']: self.cli_set(path + ['rule', rule, 'set', 'distance', rule_config['set']['distance']]) + if 'extcommunity-bw' in rule_config['set']: + self.cli_set(path + ['rule', rule, 'set', 'extcommunity', 'bandwidth', rule_config['set']['extcommunity-bw']]) + if 'extcommunity-rt' in rule_config['set']: + self.cli_set(path + ['rule', rule, 'set', 'extcommunity', 'rt', rule_config['set']['extcommunity-rt']]) + if 'extcommunity-soo' in rule_config['set']: + self.cli_set(path + ['rule', rule, 'set', 'extcommunity', 'soo', rule_config['set']['extcommunity-soo']]) if 'ipv6-next-hop-global' in rule_config['set']: self.cli_set(path + ['rule', rule, 'set', 'ipv6-next-hop', 'global', rule_config['set']['ipv6-next-hop-global']]) if 'ipv6-next-hop-local' in rule_config['set']: @@ -1035,6 +1056,12 @@ class TestPolicy(VyOSUnitTestSHIM.TestCase): tmp += 'atomic-aggregate' elif 'distance' in rule_config['set']: tmp += 'distance ' + rule_config['set']['distance'] + elif 'extcommunity-bw' in rule_config['set']: + tmp += 'extcommunity bandwidth' + rule_config['set']['extcommunity-bw'] + elif 'extcommunity-rt' in rule_config['set']: + tmp += 'extcommunity rt' + rule_config['set']['extcommunity-rt'] + elif 'extcommunity-soo' in rule_config['set']: + tmp += 'extcommunity rt' + rule_config['set']['extcommunity-soo'] elif 'ip-next-hop' in rule_config['set']: tmp += 'ip next-hop ' + rule_config['set']['ip-next-hop'] elif 'ipv6-next-hop-global' in rule_config['set']: diff --git a/smoketest/scripts/cli/test_protocols_bgp.py b/smoketest/scripts/cli/test_protocols_bgp.py index 0ed66657c..c3a2ffbf9 100755 --- a/smoketest/scripts/cli/test_protocols_bgp.py +++ b/smoketest/scripts/cli/test_protocols_bgp.py 
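Review bot: The three new `elif` branches build the expected FRR line without the separating space, and the soo branch uses the wrong keyword: `'extcommunity bandwidth' + …` yields `extcommunity bandwidth20000`, and `'extcommunity rt' + rule_config['set']['extcommunity-soo']` looks for `rt` where the rt branch already does. The fixes are `tmp += 'extcommunity bandwidth ' + rule_config['set']['extcommunity-bw']`, `tmp += 'extcommunity rt ' + rule_config['set']['extcommunity-rt']` and `tmp += 'extcommunity soo ' + rule_config['set']['extcommunity-soo']`. Because this is an `elif` chain, a rule that also sets `as-path-prepend` or `distance` never reaches these branches; both route-map rules in the fixture do, which is presumably why the typos did not trip the assertion, so a rule that sets only an `extcommunity-*` key is needed to actually exercise them. The enclosing verification loop starts and ends outside the hunk.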
@@ -224,6 +224,10 @@ class TestProtocolsBGP(VyOSUnitTestSHIM.TestCase): self.cli_set(base_path + ['parameters', 'graceful-shutdown']) self.cli_set(base_path + ['parameters', 'ebgp-requires-policy']) + self.cli_set(base_path + ['parameters', 'bestpath', 'as-path', 'multipath-relax']) + self.cli_set(base_path + ['parameters', 'bestpath', 'bandwidth', 'default-weight-for-missing']) + self.cli_set(base_path + ['parameters', 'bestpath', 'compare-routerid']) + # AFI maximum path support self.cli_set(base_path + ['address-family', 'ipv4-unicast', 'maximum-paths', 'ebgp', max_path_v4]) self.cli_set(base_path + ['address-family', 'ipv4-unicast', 'maximum-paths', 'ibgp', max_path_v4ibgp]) @@ -242,6 +246,9 @@ class TestProtocolsBGP(VyOSUnitTestSHIM.TestCase): self.assertIn(f' no bgp default ipv4-unicast', frrconfig) self.assertIn(f' bgp graceful-restart stalepath-time {stalepath_time}', frrconfig) self.assertIn(f' bgp graceful-shutdown', frrconfig) + self.assertIn(f' bgp bestpath as-path multipath-relax', frrconfig) + self.assertIn(f' bgp bestpath bandwidth default-weight-for-missing', frrconfig) + self.assertIn(f' bgp bestpath compare-routerid', frrconfig) self.assertNotIn(f'bgp ebgp-requires-policy', frrconfig) afiv4_config = self.getFRRconfig(' address-family ipv4 unicast') @@ -611,6 +618,7 @@ class TestProtocolsBGP(VyOSUnitTestSHIM.TestCase): self.assertIn(f'{family}', frrconfig) self.assertIn(f'local-install {flowspec_int}', frrconfig) + def test_bgp_10_vrf_simple(self): router_id = '127.0.0.3' vrfs = ['red', 'green', 'blue'] 
@@ -644,5 +652,63 @@ class TestProtocolsBGP(VyOSUnitTestSHIM.TestCase): # zebra_route_map = f' ip protocol bgp route-map {route_map_in}' # self.assertIn(zebra_route_map, vrfconfig) + + def test_bgp_11_confederation(self): + router_id = '127.10.10.2' + confed_id = str(int(ASN) + 1) + confed_asns = '10 20 30 40' + + self.cli_set(base_path + ['local-as', ASN]) + self.cli_set(base_path + ['parameters', 'router-id', router_id]) + self.cli_set(base_path + ['parameters', 'confederation', 'identifier', confed_id]) + for asn in confed_asns.split(): + self.cli_set(base_path + ['parameters', 'confederation', 'peers', asn]) + + # commit changes + self.cli_commit() + + # Verify FRR bgpd configuration + frrconfig = self.getFRRconfig(f'router bgp {ASN}') + self.assertIn(f'router bgp {ASN}', frrconfig) + self.assertIn(f' bgp router-id {router_id}', frrconfig) + self.assertIn(f' bgp confederation identifier {confed_id}', frrconfig) + self.assertIn(f' bgp confederation peers {confed_asns}', frrconfig) + + + def test_bgp_12_v6_link_local(self): + remote_asn = str(int(ASN) + 10) + interface = 'eth0' + + self.cli_set(base_path + ['local-as', ASN]) + self.cli_set(base_path + ['neighbor', interface, 'address-family', 'ipv6-unicast']) + self.cli_set(base_path + ['neighbor', interface, 'interface', 'v6only', 'remote-as', remote_asn]) + + # commit changes + self.cli_commit() + + # Verify FRR bgpd configuration + frrconfig = self.getFRRconfig(f'router bgp {ASN}') + self.assertIn(f'router bgp {ASN}', frrconfig) + self.assertIn(f' neighbor {interface} interface v6only remote-as {remote_asn}', frrconfig) + self.assertIn(f' address-family ipv6 unicast', frrconfig) + self.assertIn(f' neighbor {interface} activate', frrconfig) + self.assertIn(f' exit-address-family', frrconfig) + + def test_bgp_13_solo(self): + remote_asn = str(int(ASN) + 150) + neighbor = '192.0.2.55' + + self.cli_set(base_path + ['local-as', ASN]) + self.cli_set(base_path + ['neighbor', neighbor, 'remote-as', remote_asn]) + 
self.cli_set(base_path + ['neighbor', neighbor, 'solo']) + + # commit changes + self.cli_commit() + + # Verify FRR bgpd configuration + frrconfig = self.getFRRconfig(f'router bgp {ASN}') + self.assertIn(f'router bgp {ASN}', frrconfig) + self.assertIn(f' neighbor {neighbor} solo', frrconfig) + if __name__ == '__main__': unittest.main(verbosity=2)
\ No newline at end of file diff --git a/smoketest/scripts/cli/test_protocols_isis.py b/smoketest/scripts/cli/test_protocols_isis.py index b31d2b494..9b6d4a4ec 100755 --- a/smoketest/scripts/cli/test_protocols_isis.py +++ b/smoketest/scripts/cli/test_protocols_isis.py @@ -29,6 +29,13 @@ domain = 'VyOS' net = '49.0001.1921.6800.1002.00' class TestProtocolsISIS(VyOSUnitTestSHIM.TestCase): + @classmethod + def setUpClass(cls): + cls._interfaces = Section.interfaces('ethernet') + + # call base-classes classmethod + super(cls, cls).setUpClass() + def tearDown(self): self.cli_delete(base_path) self.cli_commit() 
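Review bot: `super(cls, cls).setUpClass()` resolves from the runtime class rather than from `TestProtocolsISIS`; if this class is ever subclassed, `cls` is the subclass and the lookup lands back on this very method, recursing instead of reaching the base shim. The zero-argument form `super().setUpClass()` binds to the defining class and is the idiom for classmethods. A one-line why-comment would also help: `# cache the ethernet interface list once per class; every test feeds it to isis_base_config()`.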
@@ -36,21 +43,30 @@ class TestProtocolsISIS(VyOSUnitTestSHIM.TestCase): # Check for running process self.assertTrue(process_named_running(PROCESS_NAME)) + def isis_base_config(self): + self.cli_set(base_path + ['net', net]) + for interface in self._interfaces: + self.cli_set(base_path + ['interface', interface]) + def test_isis_01_redistribute(self): prefix_list = 'EXPORT-ISIS' route_map = 'EXPORT-ISIS' rule = '10' + self.cli_set(['policy', 'prefix-list', prefix_list, 'rule', rule, 'action', 'permit']) self.cli_set(['policy', 'prefix-list', prefix_list, 'rule', rule, 'prefix', '203.0.113.0/24']) self.cli_set(['policy', 'route-map', route_map, 'rule', rule, 'action', 'permit']) self.cli_set(['policy', 'route-map', route_map, 'rule', rule, 'match', 'ip', 'address', 'prefix-list', prefix_list]) - self.cli_set(base_path + ['net', net]) - self.cli_set(base_path + ['redistribute', 'ipv4', 'connected', 'level-2', 'route-map', route_map]) + self.cli_set(base_path) - interfaces = Section.interfaces('ethernet') - for interface in interfaces: - self.cli_set(base_path + ['interface', interface]) + # verify() - net id and interface are mandatory + with self.assertRaises(ConfigSessionError): + self.cli_commit() + + self.isis_base_config() + self.cli_set(base_path + ['redistribute', 'ipv4', 'connected', 'level-2', 'route-map', route_map]) + self.cli_set(base_path + ['log-adjacency-changes']) # Commit all changes self.cli_commit() 
@@ -58,11 +74,13 @@ class TestProtocolsISIS(VyOSUnitTestSHIM.TestCase): # Verify all changes tmp = self.getFRRconfig(f'router isis {domain}') self.assertIn(f' net {net}', tmp) + self.assertIn(f' log-adjacency-changes', tmp) self.assertIn(f' redistribute ipv4 connected level-2 route-map {route_map}', tmp) - for interface in interfaces: + for interface in self._interfaces: tmp = self.getFRRconfig(f'interface {interface}') self.assertIn(f' ip router isis {domain}', tmp) + self.assertIn(f' ipv6 router isis {domain}', tmp) self.cli_delete(['policy', 'route-map', route_map]) self.cli_delete(['policy', 'prefix-list', prefix_list]) @@ -104,14 +122,10 @@ class TestProtocolsISIS(VyOSUnitTestSHIM.TestCase): self.cli_set(['policy', 'route-map', route_map, 'rule', '10', 'action', 'permit']) - self.cli_set(base_path + ['net', net]) + self.isis_base_config() self.cli_set(base_path + ['redistribute', 'ipv4', 'connected', 'level-2', 'route-map', route_map]) - - interfaces = Section.interfaces('ethernet') - for interface in interfaces: - self.cli_set(base_path + ['interface', interface]) - self.cli_set(base_path + ['route-map', route_map]) + # commit changes self.cli_commit() 
@@ -131,5 +145,59 @@ class TestProtocolsISIS(VyOSUnitTestSHIM.TestCase): self.cli_delete(['policy', 'route-map', route_map]) + def test_isis_04_default_information(self): + metric = '50' + route_map = 'default-foo-' + + self.isis_base_config() + for afi in ['ipv4', 'ipv6']: + for level in ['level-1', 'level-2']: + self.cli_set(base_path + ['default-information', 'originate', afi, level, 'always']) + self.cli_set(base_path + ['default-information', 'originate', afi, level, 'metric', metric]) + self.cli_set(base_path + ['default-information', 'originate', afi, level, 'route-map', route_map + level + afi]) + + # Commit all changes + self.cli_commit() + + # Verify all changes + tmp = self.getFRRconfig(f'router isis {domain}') + self.assertIn(f' net {net}', tmp) + + for afi in ['ipv4', 'ipv6']: + for level in ['level-1', 'level-2']: + route_map_name = route_map + level + afi + self.assertIn(f' default-information originate {afi} {level} always route-map {route_map_name} metric {metric}', tmp) + + + def test_isis_05_password(self): + password = 'foo' + + self.isis_base_config() + + self.cli_set(base_path + ['area-password', 'plaintext-password', password]) + self.cli_set(base_path + ['area-password', 'md5', password]) + self.cli_set(base_path + ['domain-password', 'plaintext-password', password]) + self.cli_set(base_path + ['domain-password', 'md5', password]) + + # verify() - can not use both md5 and plaintext-password for area-password + with self.assertRaises(ConfigSessionError): + self.cli_commit() + self.cli_delete(base_path + ['area-password', 'md5', password]) + + # verify() - can not use both md5 and plaintext-password for domain-password + with self.assertRaises(ConfigSessionError): + self.cli_commit() + self.cli_delete(base_path + ['domain-password', 'md5', password]) + + # Commit all changes + self.cli_commit() + + # Verify all changes + tmp = self.getFRRconfig(f'router isis {domain}') + self.assertIn(f' net {net}', tmp) + self.assertIn(f' domain-password 
clear {password}', tmp) + self.assertIn(f' area-password clear {password}', tmp) + + if __name__ == '__main__': unittest.main(verbosity=2) diff --git a/smoketest/scripts/cli/test_protocols_nhrp.py b/smoketest/scripts/cli/test_protocols_nhrp.py new file mode 100755 index 000000000..aa0ac268d --- /dev/null +++ b/smoketest/scripts/cli/test_protocols_nhrp.py 
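Review bot: `test_isis_04_default_information` references route-maps named `default-foo-level-1ipv4` and friends that are never created under `policy route-map`, whereas the redistribute tests earlier in this file create theirs before committing; if verify() checks that a referenced route-map exists, this commit fails before any assertion runs. Creating the four maps with `self.cli_set(['policy', 'route-map', route_map + level + afi, 'rule', '10', 'action', 'permit'])` inside the setup loop, and deleting them at the end of the test, would make the case self-contained. In `test_isis_05_password` both md5 variants are deleted before the only commit, so the `area-password md5` / `domain-password md5` rendering is never asserted; a second commit with only the md5 keys followed by `self.assertIn(f' area-password md5 {password}', tmp)` would cover that path, assuming that is how FRR renders it.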
@@ -0,0 +1,97 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2021 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import unittest + +from base_vyostest_shim import VyOSUnitTestSHIM + +from vyos.util import call, process_named_running, read_file + +tunnel_path = ['interfaces', 'tunnel'] +nhrp_path = ['protocols', 'nhrp'] +vpn_path = ['vpn', 'ipsec'] + +class TestProtocolsNHRP(VyOSUnitTestSHIM.TestCase): + def tearDown(self): + self.cli_delete(nhrp_path) + self.cli_delete(tunnel_path) + self.cli_commit() + + def test_config(self): + self.cli_delete(nhrp_path) + self.cli_delete(tunnel_path) + + # Tunnel + self.cli_set(tunnel_path + ["tun100", "address", "172.16.253.134/29"]) + self.cli_set(tunnel_path + ["tun100", "encapsulation", "gre"]) + self.cli_set(tunnel_path + ["tun100", "source-address", "192.0.2.1"]) + self.cli_set(tunnel_path + ["tun100", "multicast", "enable"]) + self.cli_set(tunnel_path + ["tun100", "parameters", "ip", "key", "1"]) + + # NHRP + self.cli_set(nhrp_path + ["tunnel", "tun100", "cisco-authentication", "secret"]) + self.cli_set(nhrp_path + ["tunnel", "tun100", "holding-time", "300"]) + self.cli_set(nhrp_path + ["tunnel", "tun100", "multicast", "dynamic"]) + self.cli_set(nhrp_path + ["tunnel", "tun100", "redirect"]) + self.cli_set(nhrp_path + ["tunnel", "tun100", "shortcut"]) + + # IKE/ESP Groups + self.cli_set(vpn_path + ["esp-group", "ESP-HUB", "compression", "disable"]) + 
self.cli_set(vpn_path + ["esp-group", "ESP-HUB", "lifetime", "1800"]) + self.cli_set(vpn_path + ["esp-group", "ESP-HUB", "mode", "transport"]) + self.cli_set(vpn_path + ["esp-group", "ESP-HUB", "pfs", "dh-group2"]) + self.cli_set(vpn_path + ["esp-group", "ESP-HUB", "proposal", "1", "encryption", "aes256"]) + self.cli_set(vpn_path + ["esp-group", "ESP-HUB", "proposal", "1", "hash", "sha1"]) + self.cli_set(vpn_path + ["esp-group", "ESP-HUB", "proposal", "2", "encryption", "3des"]) + self.cli_set(vpn_path + ["esp-group", "ESP-HUB", "proposal", "2", "hash", "md5"]) + self.cli_set(vpn_path + ["ike-group", "IKE-HUB", "ikev2-reauth", "no"]) + self.cli_set(vpn_path + ["ike-group", "IKE-HUB", "key-exchange", "ikev1"]) + self.cli_set(vpn_path + ["ike-group", "IKE-HUB", "lifetime", "3600"]) + self.cli_set(vpn_path + ["ike-group", "IKE-HUB", "proposal", "1", "dh-group", "2"]) + self.cli_set(vpn_path + ["ike-group", "IKE-HUB", "proposal", "1", "encryption", "aes256"]) + self.cli_set(vpn_path + ["ike-group", "IKE-HUB", "proposal", "1", "hash", "sha1"]) + self.cli_set(vpn_path + ["ike-group", "IKE-HUB", "proposal", "2", "dh-group", "2"]) + self.cli_set(vpn_path + ["ike-group", "IKE-HUB", "proposal", "2", "encryption", "aes128"]) + self.cli_set(vpn_path + ["ike-group", "IKE-HUB", "proposal", "2", "hash", "sha1"]) + + # Profile - Not doing full DMVPN checks here, just want to verify the profile name in the output + self.cli_set(vpn_path + ["interface", "eth0"]) + self.cli_set(vpn_path + ["profile", "NHRPVPN", "authentication", "mode", "pre-shared-secret"]) + self.cli_set(vpn_path + ["profile", "NHRPVPN", "authentication", "pre-shared-secret", "secret"]) + self.cli_set(vpn_path + ["profile", "NHRPVPN", "bind", "tunnel", "tun100"]) + self.cli_set(vpn_path + ["profile", "NHRPVPN", "esp-group", "ESP-HUB"]) + self.cli_set(vpn_path + ["profile", "NHRPVPN", "ike-group", "IKE-HUB"]) + + self.cli_commit() + + opennhrp_lines = [ + 'interface tun100 #hub NHRPVPN', + 'cisco-authentication 
secret', + 'holding-time 300', + 'shortcut', + 'multicast dynamic', + 'redirect' + ] + + tmp_opennhrp_conf = read_file('/run/opennhrp/opennhrp.conf') + + for line in opennhrp_lines: + self.assertIn(line, tmp_opennhrp_conf) + + self.assertTrue(process_named_running('opennhrp')) + +if __name__ == '__main__': + unittest.main(verbosity=2) diff --git a/smoketest/scripts/cli/test_protocols_ospf.py b/smoketest/scripts/cli/test_protocols_ospf.py index 7ff909e33..59862ca3d 100755 --- a/smoketest/scripts/cli/test_protocols_ospf.py +++ b/smoketest/scripts/cli/test_protocols_ospf.py @@ -14,18 +14,23 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. +import logging +import sys import unittest from base_vyostest_shim import VyOSUnitTestSHIM from vyos.ifconfig import Section from vyos.util import process_named_running +from vyos.util import cmd PROCESS_NAME = 'ospfd' base_path = ['protocols', 'ospf'] route_map = 'foo-bar-baz10' +log = logging.getLogger('TestProtocolsOSPF') + class TestProtocolsOSPF(VyOSUnitTestSHIM.TestCase): def setUp(self): self.cli_set(['policy', 'route-map', route_map, 'rule', '10', 'action', 'permit']) 
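Review bot: `tearDown` removes `nhrp_path` and `tunnel_path` but not `vpn_path`, while `test_config` writes an `esp-group`, an `ike-group`, `interface eth0` and a `profile` with pre-shared secret `secret` under it; after the test that IPsec configuration, PSK included, stays committed on the box and bleeds into later smoketests. Add `self.cli_delete(vpn_path)` to both `tearDown` and the pre-clean at the top of `test_config`. The `call` import is unused and can be dropped. The proposals deliberately include legacy algorithms (`3des`/`md5`, `sha1`, `dh-group2`); a comment such as `# legacy proposals are intentional: verify the ESP/IKE templates still accept them` would stop a later reader from "fixing" the fixture.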
@@ -195,11 +200,17 @@ class TestProtocolsOSPF(VyOSUnitTestSHIM.TestCase): # Verify FRR ospfd configuration frrconfig = self.getFRRconfig('router ospf') - self.assertIn(f'router ospf', frrconfig) - self.assertIn(f' passive-interface default', frrconfig) # default - for interface in interfaces: - self.assertIn(f' no passive-interface {interface}', frrconfig) # default - + try: + self.assertIn(f'router ospf', frrconfig) + self.assertIn(f' passive-interface default', frrconfig) # default + for interface in interfaces: + self.assertIn(f' no passive-interface {interface}', frrconfig) # default + except: + log.debug(frrconfig) + log.debug(cmd('sudo dmesg')) + log.debug(cmd('sudo cat /var/log/messages')) + log.debug(cmd('vtysh -c "show run"')) + self.fail('Now we can hopefully see why OSPF fails!') def test_ospf_08_redistribute(self): metric = '15' @@ -339,4 +350,5 @@ class TestProtocolsOSPF(VyOSUnitTestSHIM.TestCase): self.assertNotIn(zebra_route_map, frrconfig) if __name__ == '__main__': + logging.basicConfig(stream=sys.stderr, level=logging.DEBUG) unittest.main(verbosity=2) diff --git a/smoketest/scripts/cli/test_protocols_ospfv3.py b/smoketest/scripts/cli/test_protocols_ospfv3.py index 6bb551642..0b4b01993 100755 --- a/smoketest/scripts/cli/test_protocols_ospfv3.py +++ b/smoketest/scripts/cli/test_protocols_ospfv3.py 
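Review bot: The bare `except:` around the assertions discards the `AssertionError` text and also catches `KeyboardInterrupt`/`SystemExit`, so `self.fail('Now we can hopefully see why OSPF fails!')` reports nothing about which of the three checks broke. Narrow it and carry the original message: `except AssertionError as e:` … `self.fail(f'OSPF config check failed: {e}')`. The dumps go through `log.debug`, which is only visible because `__main__` sets `logging.basicConfig(level=logging.DEBUG)`; under another runner they vanish, so add `# diagnostics only surface when run as __main__ (DEBUG logging is enabled there)`. The enclosing test method starts outside the hunk.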
@@ -150,5 +150,22 @@ class TestProtocolsOSPFv3(VyOSUnitTestSHIM.TestCase): cost = str(int(cost) + 10) priority = str(int(priority) + 5) + + def test_ospfv3_05_area_stub(self): + area_stub = '23' + area_stub_nosum = '26' + + self.cli_set(base_path + ['area', area_stub, 'area-type', 'stub']) + self.cli_set(base_path + ['area', area_stub_nosum, 'area-type', 'stub', 'no-summary']) + + # commit changes + self.cli_commit() + + # Verify FRR ospfd configuration + frrconfig = self.getFRRconfig('router ospf6') + self.assertIn(f'router ospf6', frrconfig) + self.assertIn(f' area {area_stub} stub', frrconfig) + self.assertIn(f' area {area_stub_nosum} stub no-summary', frrconfig) + if __name__ == '__main__': unittest.main(verbosity=2) diff --git a/smoketest/scripts/cli/test_protocols_rpki.py b/smoketest/scripts/cli/test_protocols_rpki.py index 8212e9469..6d334a9f8 100755 --- a/smoketest/scripts/cli/test_protocols_rpki.py +++ b/smoketest/scripts/cli/test_protocols_rpki.py @@ -84,6 +84,7 @@ class TestProtocolsRPKI(VyOSUnitTestSHIM.TestCase): self.assertIn(f'rpki cache {peer} {port} preference {preference}', frrconfig) def test_rpki_ssh(self): + self.skipTest('Currently untested, see: https://github.com/FRRouting/frr/issues/7978') polling = '7200' cache = { '192.0.2.3' : { diff --git a/smoketest/scripts/cli/test_service_dhcpv6-server.py b/smoketest/scripts/cli/test_service_dhcpv6-server.py index e85a055c7..3f9564e59 100755 --- a/smoketest/scripts/cli/test_service_dhcpv6-server.py +++ b/smoketest/scripts/cli/test_service_dhcpv6-server.py @@ -86,6 +86,7 @@ class TestServiceDHCPServer(VyOSUnitTestSHIM.TestCase): cid = '00:01:00:01:12:34:56:78:aa:bb:cc:dd:ee:{}'.format(client_base) self.cli_set(pool + ['static-mapping', client, 'identifier', cid]) self.cli_set(pool + ['static-mapping', client, 'ipv6-address', inc_ip(subnet, client_base)]) + self.cli_set(pool + ['static-mapping', client, 'ipv6-prefix', inc_ip(subnet, client_base << 64) + '/64']) client_base += 1 # commit changes 
@@ -114,8 +115,10 @@ class TestServiceDHCPServer(VyOSUnitTestSHIM.TestCase): for client in ['client1', 'client2', 'client3']: cid = '00:01:00:01:12:34:56:78:aa:bb:cc:dd:ee:{}'.format(client_base) ip = inc_ip(subnet, client_base) + prefix = inc_ip(subnet, client_base << 64) + '/64' self.assertIn(f'host {shared_net_name}_{client}' + ' {', config) self.assertIn(f'fixed-address6 {ip};', config) + self.assertIn(f'fixed-prefix6 {prefix};', config) self.assertIn(f'host-identifier option dhcp6.client-id {cid};', config) client_base += 1 @@ -161,8 +164,7 @@ class TestServiceDHCPServer(VyOSUnitTestSHIM.TestCase): self.cli_commit() config = read_file(DHCPD_CONF) - self.assertIn(f'option dhcp6.name-servers {ns_global_1};', config) - self.assertIn(f'option dhcp6.name-servers {ns_global_2};', config) + self.assertIn(f'option dhcp6.name-servers {ns_global_1}, {ns_global_2};', config) self.assertIn(f'subnet6 {subnet}' + r' {', config) self.assertIn(f'set shared-networkname = "{shared_net_name}";', config) diff --git a/smoketest/scripts/cli/test_service_https.py b/smoketest/scripts/cli/test_service_https.py index 3ed7655e9..3af63636a 100755 --- a/smoketest/scripts/cli/test_service_https.py +++ b/smoketest/scripts/cli/test_service_https.py @@ -22,14 +22,20 @@ from vyos.util import run base_path = ['service', 'https'] +pki_base = ['pki'] +cert_data = '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' +key_data = 'MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgPLpD0Ohhoq0g4nhx2KMIuze7ucKUt/lBEB2wc03IxXyhRANCAATTUestw222qrj8+2gy5rysxYSQ50G7u8/3jHMM7sDwL3aWzW/zp54/LhCWUoLMjDdDEEigK4fal4ZF9aA9F0Ww' + class TestHTTPSService(VyOSUnitTestSHIM.TestCase): def setUp(self): # ensure we can also run this test on a live system - so lets clean # out the current configuration :) self.cli_delete(base_path) + self.cli_delete(pki_base) def tearDown(self): self.cli_delete(base_path) + self.cli_delete(pki_base) self.cli_commit() def test_default(self): 
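Review bot: `key_data` embeds a private EC key (its DER prefix identifies a prime256v1 key) as a module constant with no comment; committed private keys trip secret scanners and a reader cannot tell whether it is safe to leave in the repository. Mark it explicitly: `# throw-away test-only P-256 key pair; never install it outside the smoketest`. If the matching `cert_data` is short-lived, record its notAfter in the same comment so a future `test_certificate` failure is explainable.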
@@ -56,5 +62,16 @@ class TestHTTPSService(VyOSUnitTestSHIM.TestCase): ret = run('sudo /usr/sbin/nginx -t') self.assertEqual(ret, 0) + def test_certificate(self): + self.cli_set(pki_base + ['certificate', 'test_https', 'certificate', cert_data]) + self.cli_set(pki_base + ['certificate', 'test_https', 'private', 'key', key_data]) + + self.cli_set(base_path + ['certificates', 'certificate', 'test_https']) + + self.cli_commit() + + ret = run('sudo /usr/sbin/nginx -t') + self.assertEqual(ret, 0) + if __name__ == '__main__': unittest.main(verbosity=2) diff --git a/smoketest/scripts/cli/test_service_pppoe-server.py b/smoketest/scripts/cli/test_service_pppoe-server.py index 2b11ee362..51cc098ef 100755 --- a/smoketest/scripts/cli/test_service_pppoe-server.py +++ b/smoketest/scripts/cli/test_service_pppoe-server.py @@ -91,6 +91,10 @@ class TestServicePPPoEServer(BasicAccelPPPTest.TestCase): mru = '9000' self.set(['ppp-options', 'mru', mru]) + # interface-cache + interface_cache = '128000' + self.set(['ppp-options', 'interface-cache', interface_cache]) + # commit changes self.cli_commit() @@ -113,6 +117,9 @@ class TestServicePPPoEServer(BasicAccelPPPTest.TestCase): # check other settings self.assertEqual(conf['connlimit']['limit'], '20/min') + # check interface-cache + self.assertEqual(conf['ppp']['unit-cache'], interface_cache) + # Check for running process self.assertTrue(process_named_running(self._process_name)) diff --git a/smoketest/scripts/cli/test_service_router-advert.py b/smoketest/scripts/cli/test_service_router-advert.py index b19c49c6e..26b4626c2 100755 --- a/smoketest/scripts/cli/test_service_router-advert.py +++ b/smoketest/scripts/cli/test_service_router-advert.py 
@@ -43,11 +43,10 @@ class TestServiceRADVD(VyOSUnitTestSHIM.TestCase): self.cli_delete(base_path) self.cli_commit() - def test_single(self): + def test_common(self): self.cli_set(base_path + ['prefix', '::/64', 'no-on-link-flag']) self.cli_set(base_path + ['prefix', '::/64', 'no-autonomous-flag']) self.cli_set(base_path + ['prefix', '::/64', 'valid-lifetime', 'infinity']) - self.cli_set(base_path + ['dnssl', '2001:db8::1234']) self.cli_set(base_path + ['other-config-flag']) # commit changes @@ -92,5 +91,28 @@ class TestServiceRADVD(VyOSUnitTestSHIM.TestCase): # Check for running process self.assertTrue(process_named_running('radvd')) + def test_dns(self): + nameserver = ['2001:db8::1', '2001:db8::2'] + dnssl = ['vyos.net', 'vyos.io'] + + self.cli_set(base_path + ['prefix', '::/64', 'valid-lifetime', 'infinity']) + self.cli_set(base_path + ['other-config-flag']) + + for ns in nameserver: + self.cli_set(base_path + ['name-server', ns]) + for sl in dnssl: + self.cli_set(base_path + ['dnssl', sl]) + + # commit changes + self.cli_commit() + + config = read_file(RADVD_CONF) + + tmp = 'RDNSS ' + ' '.join(nameserver) + ' {' + self.assertIn(tmp, config) + + tmp = 'DNSSL ' + ' '.join(dnssl) + ' {' + self.assertIn(tmp, config) + if __name__ == '__main__': unittest.main(verbosity=2) diff --git a/smoketest/scripts/cli/test_system_conntrack.py b/smoketest/scripts/cli/test_system_conntrack.py new file mode 100755 index 000000000..21d626d2f --- /dev/null +++ b/smoketest/scripts/cli/test_system_conntrack.py 
@@ -0,0 +1,238 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2021 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import os +import unittest + +from base_vyostest_shim import VyOSUnitTestSHIM + +from vyos.configsession import ConfigSession +from vyos.util import cmd +from vyos.util import read_file + +base_path = ['system', 'conntrack'] + +def get_sysctl(parameter): + tmp = parameter.replace(r'.', r'/') + return read_file(f'/proc/sys/{tmp}') + +class TestSystemConntrack(VyOSUnitTestSHIM.TestCase): + def tearDown(self): + self.cli_delete(base_path) + self.cli_commit() + + def test_conntrack_options(self): + conntrack_config = { + 'net.netfilter.nf_conntrack_expect_max' : { + 'cli' : ['expect-table-size'], + 'test_value' : '8192', + 'default_value' : '2048', + }, + 'net.nf_conntrack_max' :{ + 'cli' : ['table-size'], + 'test_value' : '500000', + 'default_value' : '262144', + }, + 'net.ipv4.tcp_max_syn_backlog' :{ + 'cli' : ['tcp', 'half-open-connections'], + 'test_value' : '2048', + 'default_value' : '512', + }, + 'net.netfilter.nf_conntrack_tcp_loose' :{ + 'cli' : ['tcp', 'loose'], + 'test_value' : 'disable', + 'default_value' : '1', + }, + 'net.netfilter.nf_conntrack_tcp_max_retrans' :{ + 'cli' : ['tcp', 'max-retrans'], + 'test_value' : '1024', + 'default_value' : '3', + }, + 'net.netfilter.nf_conntrack_icmp_timeout' :{ + 'cli' : ['timeout', 'icmp'], + 'test_value' : '180', + 'default_value' : 
'30', + }, + 'net.netfilter.nf_conntrack_generic_timeout' :{ + 'cli' : ['timeout', 'other'], + 'test_value' : '1200', + 'default_value' : '600', + }, + 'net.netfilter.nf_conntrack_tcp_timeout_close_wait' :{ + 'cli' : ['timeout', 'tcp', 'close-wait'], + 'test_value' : '30', + 'default_value' : '60', + }, + 'net.netfilter.nf_conntrack_tcp_timeout_close' :{ + 'cli' : ['timeout', 'tcp', 'close'], + 'test_value' : '20', + 'default_value' : '10', + }, + 'net.netfilter.nf_conntrack_tcp_timeout_established' :{ + 'cli' : ['timeout', 'tcp', 'established'], + 'test_value' : '1000', + 'default_value' : '432000', + }, + 'net.netfilter.nf_conntrack_tcp_timeout_fin_wait' :{ + 'cli' : ['timeout', 'tcp', 'fin-wait'], + 'test_value' : '240', + 'default_value' : '120', + }, + 'net.netfilter.nf_conntrack_tcp_timeout_last_ack' :{ + 'cli' : ['timeout', 'tcp', 'last-ack'], + 'test_value' : '300', + 'default_value' : '30', + }, + 'net.netfilter.nf_conntrack_tcp_timeout_syn_recv' :{ + 'cli' : ['timeout', 'tcp', 'syn-recv'], + 'test_value' : '100', + 'default_value' : '60', + }, + 'net.netfilter.nf_conntrack_tcp_timeout_syn_sent' :{ + 'cli' : ['timeout', 'tcp', 'syn-sent'], + 'test_value' : '300', + 'default_value' : '120', + }, + 'net.netfilter.nf_conntrack_tcp_timeout_time_wait' :{ + 'cli' : ['timeout', 'tcp', 'time-wait'], + 'test_value' : '303', + 'default_value' : '120', + }, + 'net.netfilter.nf_conntrack_udp_timeout' :{ + 'cli' : ['timeout', 'udp', 'other'], + 'test_value' : '90', + 'default_value' : '30', + }, + 'net.netfilter.nf_conntrack_udp_timeout_stream' :{ + 'cli' : ['timeout', 'udp', 'stream'], + 'test_value' : '200', + 'default_value' : '180', + }, + } + + for parameter, parameter_config in conntrack_config.items(): + self.cli_set(base_path + parameter_config['cli'] + [parameter_config['test_value']]) + + # commit changes + self.cli_commit() + + # validate configuration + for parameter, parameter_config in conntrack_config.items(): + tmp = parameter_config['test_value'] + # 
net.netfilter.nf_conntrack_tcp_loose has a fancy "disable" value, + # make this work + if tmp == 'disable': + tmp = '0' + self.assertEqual(get_sysctl(f'{parameter}'), tmp) + + # delete all configuration options and revert back to defaults + self.cli_delete(base_path) + self.cli_commit() + + # validate configuration + for parameter, parameter_config in conntrack_config.items(): + self.assertEqual(get_sysctl(f'{parameter}'), parameter_config['default_value']) + + + def test_conntrack_module_disable(self): + # Some features are disabled by onloading the kernel helper module(s) + modules = { + 'ftp' : { + 'driver' : ['nf_nat_ftp', 'nf_conntrack_ftp'], + }, + 'h323' : { + 'driver' : ['nf_nat_h323', 'nf_conntrack_h323'], + }, + 'nfs' : { + 'iptables' : ['-A VYATTA_CT_HELPER -p udp -m udp --dport 111 -j CT --helper rpc', + '-A VYATTA_CT_HELPER -p tcp -m tcp --dport 111 -j CT --helper rpc'], + }, + 'pptp' : { + 'driver' : ['nf_nat_pptp', 'nf_conntrack_pptp'], + }, + 'sip' : { + 'driver' : ['nf_nat_sip', 'nf_conntrack_sip'], + }, + 'sqlnet' : { + 'iptables' : ['-A VYATTA_CT_HELPER -p tcp -m tcp --dport 1536 -j CT --helper tns', + '-A VYATTA_CT_HELPER -p tcp -m tcp --dport 1525 -j CT --helper tns', + '-A VYATTA_CT_HELPER -p tcp -m tcp --dport 1521 -j CT --helper tns'], + }, + 'tftp' : { + 'driver' : ['nf_nat_tftp', 'nf_conntrack_tftp'], + }, + } + + for module in modules: + self.cli_set(base_path + ['modules', module, 'disable']) + + # commit changes + self.cli_commit() + + # verify modules are no longer loaded on the system + for module, module_options in modules.items(): + if 'driver' in module_options: + for driver in module_options['driver']: + self.assertFalse(os.path.isdir(f'/sys/module/{driver}')) + if 'iptables' in module_options: + rules = cmd('sudo iptables-save -t raw') + for ruleset in module_options['iptables']: + self.assertNotIn(ruleset, rules) + + # reload modules + for module in modules: + self.cli_delete(base_path + ['modules', module, 'disable']) + + # 
commit changes + self.cli_commit() + + # verify modules are again loaded on the system + for module, module_options in modules.items(): + if 'driver' in module_options: + for driver in module_options['driver']: + self.assertTrue(os.path.isdir(f'/sys/module/{driver}')) + if 'iptables' in module_options: + rules = cmd('sudo iptables-save -t raw') + for ruleset in module_options['iptables']: + self.assertIn(ruleset, rules) + + def test_conntrack_hash_size(self): + hash_size = '65536' + hash_size_default = '32768' + + self.cli_set(base_path + ['hash-size', hash_size]) + + # commit changes + self.cli_commit() + + # verify new configuration - only effective after reboot, but + # a valid config file is sufficient + tmp = read_file('/etc/modprobe.d/vyatta_nf_conntrack.conf') + self.assertIn(hash_size, tmp) + + # Test default value by deleting the configuration + self.cli_delete(base_path + ['hash-size']) + + # commit changes + self.cli_commit() + + # verify new configuration - only effective after reboot, but + # a valid config file is sufficient + tmp = read_file('/etc/modprobe.d/vyatta_nf_conntrack.conf') + self.assertIn(hash_size_default, tmp) + +if __name__ == '__main__': + unittest.main(verbosity=2) diff --git a/smoketest/scripts/cli/test_system_login.py b/smoketest/scripts/cli/test_system_login.py index aa97511e0..8327235fb 100755 --- a/smoketest/scripts/cli/test_system_login.py +++ b/smoketest/scripts/cli/test_system_login.py 
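Review bot: `test_conntrack_hash_size` asserts only that the bare digits `65536`/`32768` occur somewhere in `/etc/modprobe.d/vyatta_nf_conntrack.conf`, so an unrelated number or a stale option in that file would satisfy it; assert the complete option line the template writes for the hash size rather than the value alone. The comment above the `modules` dict, `# Some features are disabled by onloading the kernel helper module(s)`, should read `unloading`. The `default_value` entries (for example `262144` for `net.nf_conntrack_max`) presumably reflect VyOS's own sysctl defaults rather than kernel defaults, which scale with memory; a one-line comment naming their origin would stop a future reader from "correcting" them. The module checks read `/sys/module/<driver>` and `iptables-save -t raw`, so this file is tied to the iptables-based helper setup; a comment saying so makes an eventual nftables migration easier to spot.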
@@ -41,6 +41,17 @@ class TestSystemLogin(VyOSUnitTestSHIM.TestCase): self.cli_commit() + def test_add_linux_system_user(self): + system_user = 'backup' + self.cli_set(base_path + ['user', system_user, 'authentication', 'plaintext-password', system_user]) + + # check validate() - can not add username which exists on the Debian + # base system (UID < 1000) + with self.assertRaises(ConfigSessionError): + self.cli_commit() + + self.cli_delete(base_path + ['user', system_user]) + def test_system_login_user(self): # Check if user can be created and we can SSH to localhost self.cli_set(['service', 'ssh', 'port', '22']) diff --git a/smoketest/scripts/cli/test_vpn_ipsec.py b/smoketest/scripts/cli/test_vpn_ipsec.py new file mode 100755 index 000000000..a34387dc9 --- /dev/null +++ b/smoketest/scripts/cli/test_vpn_ipsec.py 
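Review bot: `test_add_linux_system_user` accepts any `ConfigSessionError` from `cli_commit()`, so a commit rejected for an unrelated reason would make the test pass without exercising the system-user check the comment describes; capture it with `with self.assertRaises(ConfigSessionError) as cm:` and assert on the wording the validator emits for this case (not visible here). The test also depends on the `backup` account existing with a UID below 1000 on the base image, which holds for Debian but is worth stating in the comment. The enclosing class and the `ConfigSessionError` import are outside the hunk.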
@@ -0,0 +1,377 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2021 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import os +import unittest + +from base_vyostest_shim import VyOSUnitTestSHIM +from vyos.util import call +from vyos.util import process_named_running +from vyos.util import read_file + +ethernet_path = ['interfaces', 'ethernet'] +tunnel_path = ['interfaces', 'tunnel'] +vti_path = ['interfaces', 'vti'] +nhrp_path = ['protocols', 'nhrp'] +base_path = ['vpn', 'ipsec'] + +dhcp_waiting_file = '/tmp/ipsec_dhcp_waiting' +swanctl_file = '/etc/swanctl/swanctl.conf' + +peer_ip = '203.0.113.45' +interface = 'eth1' +vif = '100' +esp_group = 'MyESPGroup' +ike_group = 'MyIKEGroup' +secret = 'MYSECRETKEY' + +ca_pem = """ +MIIDSzCCAjOgAwIBAgIUQHK+ZgTUYZksvXY2/MyW+Jiels4wDQYJKoZIhvcNAQEL +BQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMjEwNjE0MTk0NTI3WhcNMzEw +NjEyMTk0NTI3WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAKCAzpatA8yywXhGunWD//6Qg9EMJMb+7didNr10 +DuYPPGyTOXwG4Xicbr0FJ6cNkWg4wj3ZXEqqBzgS1Z9u78yuYPt5LE9eM8Wtawp7 +qIUCMTlSu4uD3/4A3c1xfHDpTOEl1BDvxMtQxQZcMNQVUG5ZMdcWQvqvQG6F7Nak ++jgkaQ+Gyhwq++KVTEHJsA6+POuD0uaqAJv3tLGrRf4y4zdOn4thuTQ9swIBjKW6 +ci78Dk0F4u24YYV2BHKsPEPIyCQxKSRrMvqVWWljX9HmNsGawyEhLvW34aphj0aD +JL/n1kWm+DnGyM+Rp6pXQz5y3xAnmKeYziaQNnvHoQi+gY0CAwEAAaOBkDCBjTAd +BgNVHQ4EFgQUy43jkjE+CORrxeddqofQztZ9UxYwUQYDVR0jBEowSIAUy43jkjE+ 
+CORrxeddqofQztZ9UxahGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghRAcr5m +BNRhmSy9djb8zJb4mJ6WzjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkq +hkiG9w0BAQsFAAOCAQEALHdd1JXq6EUF9dSUijPLEiDVwn2TTIBIxvQqFzpWDDHg +EWLzRJESyNUbIiwuUGwvqcVki0TmQcFR9XwmcDFDotlXz9OQISBlCW+Twuf4/XAL +11njH8qXSaWF/wPbF35NOPhV5xOOCZ6K7Vilp3tK6LeOWvz2AUtwiVE1prNV3cIA +B2ham0JASS0HIkfrcjpZNcx4NlSBaFf4MK5A11p13zPqMqzdEqn6n8fbYEADfVzy +TfdqX1dPVc9zaM8uwyh5VyYBMDV7DoL384ZHJZYLENK/pT4kbl+sM/Cnhvyu0UCe +RVqJGQtCdChZpDAVkzJRQYw3/FR8Mj+M+8GrgOrJ0w== +""" + +peer_cert = """ +MIIDZjCCAk6gAwIBAgIRAKHpoE0rTcB/YXhnFpeckngwDQYJKoZIhvcNAQELBQAw +FjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMjEwNjE0MjAwNDQ3WhcNMjQwNTI5 +MjAwNDQ3WjAQMQ4wDAYDVQQDDAVwZWVyMTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBALNwjDC1Lj2ojfCi1TESsyD0MLuqUVLTBZaXCXFtQdB/Aw3b3eBc +J8+FUYQ6xMplmklXcjJEyXSMvqENpLX6xEDNWWvqTf22eEWt36QTfBeyFyDKtXnm +4Y+ufXAHl3sLtyZN/7q+Xl4ubYvtAHVRLYzkXAtj1tVdaYEZQy8x/F3ZFFUsCfxR +RqJBKTxcENP8STpIz9X8dS9iif9SBA42C0eHqMWv1tYW1IHO9gQxYFS3cvoPDPlD +AJ3ihu5x3fO892S7FtZLVN/GsN1TKRKL217eVPyW0+QcnUwbrXWc7fnmm1btXVmh +9YKPdtX8WnEeOtMCVZGKqdydnI3iAqvPmd0CAwEAAaOBtDCBsTAJBgNVHRMEAjAA +MB0GA1UdDgQWBBQGsAPY4cHnTNUv7l+l8OYRSqcX8jBRBgNVHSMESjBIgBTLjeOS +MT4I5GvF512qh9DO1n1TFqEapBgwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0GCFEBy +vmYE1GGZLL12NvzMlviYnpbOMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGA1UdDwQE +AwIFoDAQBgNVHREECTAHggVwZWVyMTANBgkqhkiG9w0BAQsFAAOCAQEAdJr+11eG +FvChxu/LkwsXe2V+OZzGRq+hmQlaK3kG/AyI5hVA/IVHJkDe281wbBNKBWYxeSMn +lAKbwuhPluO99oldzY9ZVkSiRmLh3r27wy/y+1plvoNxyTN7644Hvtk/8P/LV67R +amXvVgkhpvIQSBfgifXzqUs+BV/x7TSeN3isxNOB8FP6imODsw8lF0Ir1Ze34emr +TMNo5wNR5xp2dUa9OkzjRpgpifh20zM3UeVOixIPoq78IDjT0aZP8Lve2/g4Ccc6 +RHNF31r/2UL8rZfQRUAMijVdAvIINCk0kRBhNcr9MCi3czmmgiXXMGwLWLvSkfnE +W06wKX1lpPSptg== +""" + +peer_key = """ +MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCzcIwwtS49qI3w +otUxErMg9DC7qlFS0wWWlwlxbUHQfwMN293gXCfPhVGEOsTKZZpJV3IyRMl0jL6h +DaS1+sRAzVlr6k39tnhFrd+kE3wXshcgyrV55uGPrn1wB5d7C7cmTf+6vl5eLm2L 
+7QB1US2M5FwLY9bVXWmBGUMvMfxd2RRVLAn8UUaiQSk8XBDT/Ek6SM/V/HUvYon/ +UgQONgtHh6jFr9bWFtSBzvYEMWBUt3L6Dwz5QwCd4obucd3zvPdkuxbWS1TfxrDd +UykSi9te3lT8ltPkHJ1MG611nO355ptW7V1ZofWCj3bV/FpxHjrTAlWRiqncnZyN +4gKrz5ndAgMBAAECggEACvAya4mv3uxWcrPKYSptpvWbvuTb/juE3LAqUDLDz0ze +x8p+VP3pI1pSJMhcVKYq6IufF3df/G3T9Qda4gj+S6D48X4f8PZdkInP1zWk2+Ds +TgBtXZf4agTN+rVLw6FsMbaRfzW5lO4pmV0CKSSgrTUCc2NLpkgCdW8vzEG0y5ek +15uBOyvuydWM4CFgZT/cUvnu4UtPFL1vaTdD4Lw0FfZq4iS8SWsGbbMoTPKkJRlS +k9oMEOvhA1WIfSgiG0FyaidoNEormB6J1SKVo27P8SOYu2etiFdF9SJUYg9cBzM3 +z3HcAsXeSh2kpc8Fc2yOS6zI5AsC0Len2SQmKQD8YQKBgQDlgg5cZV5AY2Ji6b+T +nTHjna7dg/kzUOYs0AmK9DHHziZJ2SKucJlB9smynPLjY/MQbKcNWQ1Cad+olDNP +Ts4lLhs4kbITkmgPQME3it1fGstHy/sGcF0m+YRsSxfwt5bxLXH86+d067C0XMhg +URMgGv9ZBTe/P1LuhIUTEjYzlQKBgQDIJvl7sSXHRRB0k7NU/uV3Tut3NTqIzXiz +pq9hMyF+3aIqaA7kdjIIJczv1grVYz+RUdX3Gu1FyHMl8ynoEz5NNWsbe+Ay/moa +ztijak3UH3M+d6WsxSRehdYl6DaMstHwWfKZvWNJCGyl7ckz9gGjc3DY/qYqZDrx +p3LlZsY7KQKBgQCj3ur2GgLkIpI7Yf9CHPlkNlCHJhYnB9pxoNFPf/CTY6R/EiTr +PMaRDO8TM3FR3ynMTmgw5abMBuCFc9v3AqO6dGNHTvBBfUYDrg7H48UQhQckaocA +H/bDP2HIGQ4s+Ek0R2ieWKpZF3iCL8V60CjBwcUVAN6/FS3X1JNX/KbqyQKBgQDA +8dlk5PN/MlPXnZ6t2/7G0bxpsVVZFYI65P+CGvE6RFuUt7VLhalbc10pAtR0unVI +GHTD/iAnOkHOnqeSQiK3+TvkRbluTxVn/GiYt9yJFTxaRqrebzlNKYW0CzOy1JtP +MNaOYCS6/bUHC7//KDKSJ7HsbScwDGlKFVrMTBPiaQKBgQCjkIJDZ4pC3er7QiC3 +RXWPyxIG5iTjn4fizphaBt6+pkBAlBh0V6inmleAWa5DJSpgU4jQv4mZsAQs6ctq +usmoy47ke8pTXPHgQ8ZUwsfM4IztqOm+w0X6mSZi6HdJCnMdxCZBBpO225UvonSR +rgiyCHemtMepq57Pl1Nmj49eEA== +""" + +class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): + def setUp(self): + self.cli_set(base_path + ['interface', f'{interface}.{vif}']) + + # Set IKE/ESP Groups + self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '1', 'encryption', 'aes128']) + self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '1', 'hash', 'sha1']) + self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1', 'dh-group', '2']) + self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1', 'encryption', 
'aes128']) + self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1', 'hash', 'sha1']) + + def tearDown(self): + # Check for running process + self.assertTrue(process_named_running('charon')) + + self.cli_delete(base_path) + self.cli_delete(nhrp_path) + self.cli_delete(tunnel_path) + self.cli_delete(vti_path) + self.cli_delete(ethernet_path) + self.cli_commit() + + # Check for no longer running process + self.assertFalse(process_named_running('charon')) + + def test_01_dhcp_fail_handling(self): + # Interface for dhcp-interface + self.cli_set(ethernet_path + [interface, 'vif', vif, 'address', 'dhcp']) # Use VLAN to avoid getting IP from qemu dhcp server + + # Site to site + peer_base_path = base_path + ['site-to-site', 'peer', peer_ip] + self.cli_set(peer_base_path + ['authentication', 'mode', 'pre-shared-secret']) + self.cli_set(peer_base_path + ['authentication', 'pre-shared-secret', secret]) + self.cli_set(peer_base_path + ['ike-group', ike_group]) + self.cli_set(peer_base_path + ['default-esp-group', esp_group]) + self.cli_set(peer_base_path + ['dhcp-interface', f'{interface}.{vif}']) + self.cli_set(peer_base_path + ['tunnel', '1', 'protocol', 'gre']) + + self.cli_commit() + + self.assertTrue(os.path.exists(dhcp_waiting_file)) + + dhcp_waiting = read_file(dhcp_waiting_file) + self.assertIn(f'{interface}.{vif}', dhcp_waiting) # Ensure dhcp-failed interface was added for dhclient hook + + def test_02_site_to_site(self): + self.cli_set(base_path + ['ike-group', ike_group, 'key-exchange', 'ikev2']) + + # Site to site + local_address = '192.0.2.10' + peer_base_path = base_path + ['site-to-site', 'peer', peer_ip] + + self.cli_set(peer_base_path + ['authentication', 'mode', 'pre-shared-secret']) + self.cli_set(peer_base_path + ['authentication', 'pre-shared-secret', secret]) + self.cli_set(peer_base_path + ['ike-group', ike_group]) + self.cli_set(peer_base_path + ['default-esp-group', esp_group]) + self.cli_set(peer_base_path + ['local-address', 
local_address]) + self.cli_set(peer_base_path + ['tunnel', '1', 'protocol', 'tcp']) + self.cli_set(peer_base_path + ['tunnel', '1', 'local', 'prefix', '172.16.10.0/24']) + self.cli_set(peer_base_path + ['tunnel', '1', 'local', 'prefix', '172.16.11.0/24']) + self.cli_set(peer_base_path + ['tunnel', '1', 'local', 'port', '443']) + self.cli_set(peer_base_path + ['tunnel', '1', 'remote', 'prefix', '172.17.10.0/24']) + self.cli_set(peer_base_path + ['tunnel', '1', 'remote', 'prefix', '172.17.11.0/24']) + self.cli_set(peer_base_path + ['tunnel', '1', 'remote', 'port', '443']) + + self.cli_commit() + + # Verify strongSwan configuration + swanctl_conf = read_file(swanctl_file) + swanctl_conf_lines = [ + f'version = 2', + f'auth = psk', + f'proposals = aes128-sha1-modp1024', + f'esp_proposals = aes128-sha1-modp1024', + f'local_addrs = {local_address} # dhcp:no', + f'remote_addrs = {peer_ip}', + f'mode = tunnel', + f'local_ts = 172.16.10.0/24[tcp/443],172.16.11.0/24[tcp/443]', + f'remote_ts = 172.17.10.0/24[tcp/443],172.17.11.0/24[tcp/443]' + ] + for line in swanctl_conf_lines: + self.assertIn(line, swanctl_conf) + + swanctl_secrets_lines = [ + f'id-local = {local_address} # dhcp:no', + f'id-remote = {peer_ip}', + f'secret = "{secret}"' + ] + for line in swanctl_secrets_lines: + self.assertIn(line, swanctl_conf) + + + def test_03_site_to_site_vti(self): + local_address = '192.0.2.10' + vti = 'vti10' + # VTI interface + self.cli_set(vti_path + [vti, 'address', '10.1.1.1/24']) + self.cli_set(base_path + ['ike-group', ike_group, 'key-exchange', 'ikev2']) + + # Site to site + peer_base_path = base_path + ['site-to-site', 'peer', peer_ip] + self.cli_set(peer_base_path + ['authentication', 'mode', 'pre-shared-secret']) + self.cli_set(peer_base_path + ['authentication', 'pre-shared-secret', secret]) + self.cli_set(peer_base_path + ['ike-group', ike_group]) + self.cli_set(peer_base_path + ['default-esp-group', esp_group]) + self.cli_set(peer_base_path + ['local-address', 
local_address]) + self.cli_set(peer_base_path + ['tunnel', '1', 'local', 'prefix', '172.16.10.0/24']) + self.cli_set(peer_base_path + ['tunnel', '1', 'local', 'prefix', '172.16.11.0/24']) + self.cli_set(peer_base_path + ['tunnel', '1', 'remote', 'prefix', '172.17.10.0/24']) + self.cli_set(peer_base_path + ['tunnel', '1', 'remote', 'prefix', '172.17.11.0/24']) + self.cli_set(peer_base_path + ['vti', 'bind', vti]) + self.cli_set(peer_base_path + ['vti', 'esp-group', esp_group]) + + self.cli_commit() + + swanctl_conf = read_file(swanctl_file) + swanctl_conf_lines = [ + f'version = 2', + f'auth = psk', + f'proposals = aes128-sha1-modp1024', + f'esp_proposals = aes128-sha1-modp1024', + f'local_addrs = {local_address} # dhcp:no', + f'remote_addrs = {peer_ip}', + f'mode = tunnel', + f'local_ts = 172.16.10.0/24,172.16.11.0/24', + f'remote_ts = 172.17.10.0/24,172.17.11.0/24', + f'if_id_in = {vti.lstrip("vti")}', # will be 10 for vti10 + f'if_id_out = {vti.lstrip("vti")}', + f'updown = "/etc/ipsec.d/vti-up-down {vti} no"' + ] + for line in swanctl_conf_lines: + self.assertIn(line, swanctl_conf) + + swanctl_secrets_lines = [ + f'id-local = {local_address} # dhcp:no', + f'id-remote = {peer_ip}', + f'secret = "{secret}"' + ] + for line in swanctl_secrets_lines: + self.assertIn(line, swanctl_conf) + + + def test_04_dmvpn(self): + tunnel_if = 'tun100' + nhrp_secret = 'secret' + + # Tunnel + self.cli_set(tunnel_path + [tunnel_if, 'address', '172.16.253.134/29']) + self.cli_set(tunnel_path + [tunnel_if, 'encapsulation', 'gre']) + self.cli_set(tunnel_path + [tunnel_if, 'source-address', '192.0.2.1']) + self.cli_set(tunnel_path + [tunnel_if, 'multicast', 'enable']) + self.cli_set(tunnel_path + [tunnel_if, 'parameters', 'ip', 'key', '1']) + + # NHRP + self.cli_set(nhrp_path + ['tunnel', tunnel_if, 'cisco-authentication', nhrp_secret]) + self.cli_set(nhrp_path + ['tunnel', tunnel_if, 'holding-time', '300']) + self.cli_set(nhrp_path + ['tunnel', tunnel_if, 'multicast', 'dynamic']) + 
self.cli_set(nhrp_path + ['tunnel', tunnel_if, 'redirect']) + self.cli_set(nhrp_path + ['tunnel', tunnel_if, 'shortcut']) + + # IKE/ESP Groups + self.cli_set(base_path + ['esp-group', esp_group, 'compression', 'disable']) + self.cli_set(base_path + ['esp-group', esp_group, 'lifetime', '1800']) + self.cli_set(base_path + ['esp-group', esp_group, 'mode', 'transport']) + self.cli_set(base_path + ['esp-group', esp_group, 'pfs', 'dh-group2']) + self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '2', 'encryption', 'aes256']) + self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '2', 'hash', 'sha1']) + self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '3', 'encryption', '3des']) + self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '3', 'hash', 'md5']) + + self.cli_set(base_path + ['ike-group', ike_group, 'ikev2-reauth', 'no']) + self.cli_set(base_path + ['ike-group', ike_group, 'key-exchange', 'ikev1']) + self.cli_set(base_path + ['ike-group', ike_group, 'lifetime', '3600']) + self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '2', 'dh-group', '2']) + self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '2', 'encryption', 'aes256']) + self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '2', 'hash', 'sha1']) + + # Profile + self.cli_set(base_path + ['profile', 'NHRPVPN', 'authentication', 'mode', 'pre-shared-secret']) + self.cli_set(base_path + ['profile', 'NHRPVPN', 'authentication', 'pre-shared-secret', nhrp_secret]) + self.cli_set(base_path + ['profile', 'NHRPVPN', 'bind', 'tunnel', tunnel_if]) + self.cli_set(base_path + ['profile', 'NHRPVPN', 'esp-group', esp_group]) + self.cli_set(base_path + ['profile', 'NHRPVPN', 'ike-group', ike_group]) + + self.cli_commit() + + swanctl_conf = read_file(swanctl_file) + swanctl_lines = [ + f'proposals = aes128-sha1-modp1024,aes256-sha1-modp1024', + f'version = 1', + f'rekey_time = 3600s', + f'esp_proposals = 
aes128-sha1-modp1024,aes256-sha1-modp1024,3des-md5-modp1024', + f'local_ts = dynamic[gre]', + f'remote_ts = dynamic[gre]', + f'mode = transport', + f'secret = {nhrp_secret}' + ] + for line in swanctl_lines: + self.assertIn(line, swanctl_conf) + + def test_05_x509_site2site(self): + # Enable PKI + peer_name = 'peer1' + ca_name = 'MyVyOS-CA' + self.cli_set(['pki', 'ca', ca_name, 'certificate', ca_pem.replace('\n','')]) + self.cli_set(['pki', 'certificate', peer_name, 'certificate', peer_cert.replace('\n','')]) + self.cli_set(['pki', 'certificate', peer_name, 'private', 'key', peer_key.replace('\n','')]) + + vti = 'vti20' + self.cli_set(vti_path + [vti, 'address', '192.168.0.1/31']) + + peer_ip = '172.18.254.202' + local_address = '172.18.254.201' + peer_base_path = base_path + ['site-to-site', 'peer', peer_ip] + + self.cli_set(peer_base_path + ['authentication', 'id', peer_name]) + self.cli_set(peer_base_path + ['authentication', 'mode', 'x509']) + self.cli_set(peer_base_path + ['authentication', 'remote-id', 'peer2']) + self.cli_set(peer_base_path + ['authentication', 'x509', 'ca-certificate', ca_name]) + self.cli_set(peer_base_path + ['authentication', 'x509', 'certificate', peer_name]) + self.cli_set(peer_base_path + ['connection-type', 'initiate']) + self.cli_set(peer_base_path + ['ike-group', ike_group]) + self.cli_set(peer_base_path + ['ikev2-reauth', 'inherit']) + self.cli_set(peer_base_path + ['local-address', local_address]) + self.cli_set(peer_base_path + ['vti', 'bind', vti]) + self.cli_set(peer_base_path + ['vti', 'esp-group', esp_group]) + + self.cli_commit() + + swanctl_conf = read_file(swanctl_file) + tmp = peer_ip.replace('.', '-') + swanctl_lines = [ + f'peer_{tmp}', + f'version = 0', # key-exchange not set - defaulting to 0 for ikev1 and ikev2 + f'send_cert = always', + f'mobike = yes', + f'keyingtries = 0', + f'id = "{peer_name}"', + f'auth = pubkey', + f'certs = {peer_name}.pem', + f'proposals = aes128-sha1-modp1024', + f'esp_proposals = 
aes128-sha1-modp1024', + f'local_addrs = {local_address} # dhcp:no', + f'remote_addrs = {peer_ip}', + f'local_ts = 0.0.0.0/0,::/0', + f'remote_ts = 0.0.0.0/0,::/0', + f'updown = "/etc/ipsec.d/vti-up-down {vti} no"', + f'if_id_in = {vti.lstrip("vti")}', # will be 10 for vti10 + f'if_id_out = {vti.lstrip("vti")}', + f'ipcomp = no', + f'mode = tunnel', + f'start_action = start', + ] + for line in swanctl_lines: + self.assertIn(line, swanctl_conf) + + swanctl_secrets_lines = [ + f'peer_{tmp}', + f'file = {peer_name}.pem', + ] + for line in swanctl_secrets_lines: + self.assertIn(line, swanctl_conf) + +if __name__ == '__main__': + unittest.main(verbosity=2) diff --git a/smoketest/scripts/cli/test_vpn_openconnect.py b/smoketest/scripts/cli/test_vpn_openconnect.py index bf528c8b7..cad3b1182 100755 --- a/smoketest/scripts/cli/test_vpn_openconnect.py +++ b/smoketest/scripts/cli/test_vpn_openconnect.py 
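Review bot: `test_05_x509_site2site` configures `x509 ca-certificate` `MyVyOS-CA` and `remote-id` `peer2`, but `swanctl_lines` never asserts that the CA certificate or the remote identity reach swanctl.conf, so a regression that drops either would stay green; add the corresponding lines for the CA file and the remote id (the exact swanctl keys depend on the template and are not visible here). The asserted `version = 0` with the comment `# key-exchange not set - defaulting to 0 for ikev1 and ikev2` pins that an unconfigured `key-exchange` lets charon accept IKEv1 as responder; if that is the intended product default it deserves a sentence in the comment, since this test now makes it contractual. `call` from `from vyos.util import call` is not used anywhere in the visible file; drop the import. Tests 02, 03 and 05 each repeat the same `site-to-site peer` setup lines; a small helper taking `peer_ip` and `local_address` would shorten them.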
@@ -23,25 +23,33 @@ from vyos.util import process_named_running OCSERV_CONF = '/run/ocserv/ocserv.conf' base_path = ['vpn', 'openconnect'] -cert = '/etc/ssl/certs/ssl-cert-snakeoil.pem' -cert_key = '/etc/ssl/private/ssl-cert-snakeoil.key' + +pki_path = ['pki'] +cert_data = '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' +key_data = 'MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgPLpD0Ohhoq0g4nhx2KMIuze7ucKUt/lBEB2wc03IxXyhRANCAATTUestw222qrj8+2gy5rysxYSQ50G7u8/3jHMM7sDwL3aWzW/zp54/LhCWUoLMjDdDEEigK4fal4ZF9aA9F0Ww' class TestVpnOpenconnect(VyOSUnitTestSHIM.TestCase): def tearDown(self): # Delete vpn openconnect configuration + self.cli_delete(pki_path) self.cli_delete(base_path) self.cli_commit() def test_vpn(self): user = 'vyos_user' password = 'vyos_pass' + self.cli_delete(pki_path) self.cli_delete(base_path) + + self.cli_set(pki_path + ['ca', 'openconnect', 'certificate', cert_data]) + self.cli_set(pki_path + ['certificate', 'openconnect', 'certificate', cert_data]) + self.cli_set(pki_path + ['certificate', 'openconnect', 'private', 'key', key_data]) + self.cli_set(base_path + ["authentication", "local-users", "username", user, "password", password]) self.cli_set(base_path + ["authentication", "mode", "local"]) self.cli_set(base_path + ["network-settings", "client-ip-settings", "subnet", "192.0.2.0/24"]) - self.cli_set(base_path + ["ssl", "ca-cert-file", cert]) - self.cli_set(base_path + ["ssl", "cert-file", cert]) - self.cli_set(base_path + ["ssl", "key-file", cert_key]) + self.cli_set(base_path + ["ssl", "ca-certificate", 'openconnect']) + self.cli_set(base_path + ["ssl", "certificate", 'openconnect']) self.cli_commit() diff --git a/smoketest/scripts/cli/test_vpn_sstp.py b/smoketest/scripts/cli/test_vpn_sstp.py index 033338685..24673278b 100755 --- a/smoketest/scripts/cli/test_vpn_sstp.py +++ b/smoketest/scripts/cli/test_vpn_sstp.py 
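Review bot: The same `cert_data` is registered both as `pki ca openconnect` and as the server `pki certificate openconnect`, so the test does not exercise a CA distinct from the leaf certificate; the removed `ssl-cert-snakeoil` fixture had the same limitation, so this is not a regression, but a comment stating that the self-signed certificate doubles as its own CA would save the next reader from looking for a missing CA. `self.cli_delete(pki_path)` at the top of `test_vpn` repeats what `tearDown` already does; keeping one of them is enough. The assertions of `test_vpn` are outside the hunk.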
@@ -19,9 +19,9 @@ import unittest from base_accel_ppp_test import BasicAccelPPPTest from vyos.util import cmd -ca_cert = '/tmp/ca.crt' -ssl_cert = '/tmp/server.crt' -ssl_key = '/tmp/server.key' +pki_path = ['pki'] +cert_data = 'MIICFDCCAbugAwIBAgIUfMbIsB/ozMXijYgUYG80T1ry+mcwCgYIKoZIzj0EAwIwWTELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcMCVNvbWUtQ2l0eTENMAsGA1UECgwEVnlPUzESMBAGA1UEAwwJVnlPUyBUZXN0MB4XDTIxMDcyMDEyNDUxMloXDTI2MDcxOTEyNDUxMlowWTELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcMCVNvbWUtQ2l0eTENMAsGA1UECgwEVnlPUzESMBAGA1UEAwwJVnlPUyBUZXN0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE01HrLcNttqq4/PtoMua8rMWEkOdBu7vP94xzDO7A8C92ls1v86eePy4QllKCzIw3QxBIoCuH2peGRfWgPRdFsKNhMF8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMB0GA1UdDgQWBBSu+JnU5ZC4mkuEpqg2+Mk4K79oeDAKBggqhkjOPQQDAgNHADBEAiBEFdzQ/Bc3LftzngrY605UhA6UprHhAogKgROv7iR4QgIgEFUxTtW3xXJcnUPWhhUFhyZoqfn8dE93+dm/LDnp7C0=' +key_data = 'MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgPLpD0Ohhoq0g4nhx2KMIuze7ucKUt/lBEB2wc03IxXyhRANCAATTUestw222qrj8+2gy5rysxYSQ50G7u8/3jHMM7sDwL3aWzW/zp54/LhCWUoLMjDdDEEigK4fal4ZF9aA9F0Ww' class TestVPNSSTPServer(BasicAccelPPPTest.TestCase): def setUp(self): 
@@ -31,28 +31,21 @@ class TestVPNSSTPServer(BasicAccelPPPTest.TestCase): self._chap_secrets = '/run/accel-pppd/sstp.chap-secrets' super().setUp() + def tearDown(self): + self.cli_delete(pki_path) + super().tearDown() + def basic_config(self): + self.cli_delete(pki_path) + self.cli_set(pki_path + ['ca', 'sstp', 'certificate', cert_data]) + self.cli_set(pki_path + ['certificate', 'sstp', 'certificate', cert_data]) + self.cli_set(pki_path + ['certificate', 'sstp', 'private', 'key', key_data]) # SSL is mandatory - self.set(['ssl', 'ca-cert-file', ca_cert]) - self.set(['ssl', 'cert-file', ssl_cert]) - self.set(['ssl', 'key-file', ssl_key]) + self.set(['ssl', 'ca-certificate', 'sstp']) + self.set(['ssl', 'certificate', 'sstp']) self.set(['client-ip-pool', 'subnet', '192.0.2.0/24']) super().basic_config() if __name__ == '__main__': - # Our SSL certificates need a subject ... - subject = '/C=DE/ST=BY/O=VyOS/localityName=Cloud/commonName=vyos/' \ - 'organizationalUnitName=VyOS/emailAddress=maintainers@vyos.io/' - - # Generate mandatory SSL certificate - tmp = f'openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 '\ - f'-keyout {ssl_key} -out {ssl_cert} -subj {subject}' - cmd(tmp) - - # Generate "CA" - tmp = f'openssl req -new -x509 -key {ssl_key} -out {ca_cert} '\ - f'-subj {subject}' - cmd(tmp) - unittest.main(verbosity=2) diff --git a/smoketest/scripts/cli/test_vrf.py b/smoketest/scripts/cli/test_vrf.py index 591630c46..f36d16344 100755 --- a/smoketest/scripts/cli/test_vrf.py +++ b/smoketest/scripts/cli/test_vrf.py 
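Review bot: With the `__main__` block that shelled out to `openssl` removed, `cmd` from `from vyos.util import cmd` (a context line of the previous hunk) has no remaining use in the visible file; drop the import unless a use exists outside the shown hunks. Replacing run-time key generation with fixed fixtures is the right direction, and as in test_vpn_openconnect.py the one fixture serves as both CA and server certificate; the `# SSL is mandatory` comment could say so. `basic_config` begins inside the hunk, but the base-class behaviour it chains to via `super().basic_config()` is not visible.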
@@ -119,6 +119,24 @@ class VRFTest(VyOSUnitTestSHIM.TestCase): self.assertTrue(is_intf_addr_assigned(vrf, '127.0.0.1')) self.assertTrue(is_intf_addr_assigned(vrf, '::1')) + def test_vrf_bind_all(self): + table = '2000' + for vrf in vrfs: + base = base_path + ['name', vrf] + self.cli_set(base + ['table', str(table)]) + table = str(int(table) + 1) + + self.cli_set(base_path + ['bind-to-all']) + + # commit changes + self.cli_commit() + + # Verify VRF configuration + tmp = read_file('/proc/sys/net/ipv4/tcp_l3mdev_accept') + self.assertIn(tmp, '1') + tmp = read_file('/proc/sys/net/ipv4/udp_l3mdev_accept') + self.assertIn(tmp, '1') + def test_vrf_table_id_is_unalterable(self): # Linux Kernel prohibits the change of a VRF table on the fly. # VRF must be deleted and recreated! diff --git a/smoketest/scripts/system/test_config_mount.py b/smoketest/scripts/system/test_config_mount.py new file mode 100755 index 000000000..657158c39 --- /dev/null +++ b/smoketest/scripts/system/test_config_mount.py @@ -0,0 +1,26 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2021 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import os +import unittest + +class TestConfigDir(unittest.TestCase): + def test_config_dir(self): + self.assertTrue(os.path.isdir('/config')) + +if __name__ == '__main__': + unittest.main(verbosity=2) + 
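Review bot: `self.assertIn(tmp, '1')` has its arguments the wrong way round: it checks that the sysctl value is a substring of `'1'`, so an empty read would also pass. Both checks in `test_vrf_bind_all` should be `self.assertEqual(tmp, '1')` (assuming `read_file` strips the trailing newline, as the other sysctl checks in this test suite appear to rely on). The `table` bookkeeping would also read more naturally as an integer, `table = 2000` with `str(table)` at the `cli_set` call and `table += 1`, instead of converting back and forth each iteration.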
diff --git a/src/completion/list_disks.py b/src/completion/list_disks.py index ff1135e23..0aa872abb 100755 --- a/src/completion/list_disks.py +++ b/src/completion/list_disks.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2019 VyOS maintainers and contributors +# Copyright (C) 2019-2021 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -23,11 +23,20 @@ parser.add_argument("-e", "--exclude", type=str, help="Exclude specified device args = parser.parse_args() disks = set() -with open('/proc/partitions') as partitions_file: - for line in partitions_file: - fields = line.strip().split() - if len(fields) == 4 and fields[3].isalpha() and fields[3] != 'name': - disks.add(fields[3]) +with open('/proc/partitions') as f: + table = f.read() + +for line in table.splitlines()[1:]: + fields = line.strip().split() + # probably an empty line at the top + if len(fields) == 0: + continue + disks.add(fields[3]) + +if 'loop0' in disks: + disks.remove('loop0') +if 'sr0' in disks: + disks.remove('sr0') if args.exclude: disks.remove(args.exclude) diff --git a/src/completion/list_dumpable_interfaces.py b/src/completion/list_dumpable_interfaces.py index 101c92fbe..67bf6206b 100755 --- a/src/completion/list_dumpable_interfaces.py +++ b/src/completion/list_dumpable_interfaces.py @@ -7,6 +7,6 @@ import re from vyos.util import cmd if __name__ == '__main__': - out = cmd('/usr/sbin/tcpdump -D').split('\n') + out = cmd('tcpdump -D').split('\n') intfs = " ".join(map(lambda s: re.search(r'\d+\.(\S+)\s', s).group(1), out)) print(intfs) diff --git a/src/completion/list_protocols.sh b/src/completion/list_protocols.sh new file mode 100755 index 000000000..e9d50a70f --- /dev/null +++ b/src/completion/list_protocols.sh @@ -0,0 +1,3 @@ +#!/bin/sh + +grep -v '^#' /etc/protocols | awk 'BEGIN {ORS=""} {if ($3) {print TRS $1; TRS=" "}}' 
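Review bot: Dropping the `fields[3].isalpha()` filter changes what the completion lists: every partition (`sda1`, `nvme0n1p1`) and any `loop1`..`loopN` or `dm-*` entry from `/proc/partitions` now appears, and only `loop0` and `sr0` are removed by name. A line with fewer than four fields would also raise `IndexError`, since the guard only skips empty lines. Restoring the filter as `if len(fields) < 4 or not fields[3].isalpha(): continue` keeps the previous behaviour of listing whole alphabetic device names; if the intent really is to list partitions too, that should be stated in a comment because the script is used for CLI completion and the enclosing `args.exclude` handling (below the hunk) still calls `disks.remove` unguarded.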
diff --git a/src/completion/list_sysctl_parameters.sh b/src/completion/list_sysctl_parameters.sh new file mode 100755 index 000000000..c111716bb --- /dev/null +++ b/src/completion/list_sysctl_parameters.sh @@ -0,0 +1,20 @@ +#!/bin/sh +# +# Copyright (C) 2021 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +declare -a vals +eval "vals=($(/sbin/sysctl -N -a))" +echo ${vals[@]} +exit 0 diff --git a/src/conf_mode/conntrack.py b/src/conf_mode/conntrack.py new file mode 100755 index 000000000..4e6e39c0f --- /dev/null +++ b/src/conf_mode/conntrack.py 
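Review bot: The script is declared `#!/bin/sh` but uses `declare -a` and `${vals[@]}`, which are bash array features; on a system where `sh` is dash, `declare` is not a builtin and the script fails before producing any completions. The `eval` is also unnecessary for what this does, which is turning newline-separated `sysctl -N -a` output into a space-separated list. The same result without arrays or `eval` is a single pipeline, `/sbin/sysctl -N -a | tr '\n' ' '`, which keeps the `#!/bin/sh` shebang honest and avoids feeding command output back through the shell parser.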
@@ -0,0 +1,140 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2021 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import os + +from sys import exit + +from vyos.config import Config +from vyos.configdict import dict_merge +from vyos.util import cmd +from vyos.util import run +from vyos.util import process_named_running +from vyos.util import dict_search +from vyos.template import render +from vyos.xml import defaults +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +conntrack_config = r'/etc/modprobe.d/vyatta_nf_conntrack.conf' +sysctl_file = r'/run/sysctl/10-vyos-conntrack.conf' + +# Every ALG (Application Layer Gateway) consists of either a Kernel Object +# also called a Kernel Module/Driver or some rules present in iptables +module_map = { + 'ftp' : { + 'ko' : ['nf_nat_ftp', 'nf_conntrack_ftp'], + }, + 'h323' : { + 'ko' : ['nf_nat_h323', 'nf_conntrack_h323'], + }, + 'nfs' : { + 'iptables' : ['VYATTA_CT_HELPER --table raw --proto tcp --dport 111 --jump CT --helper rpc', + 'VYATTA_CT_HELPER --table raw --proto udp --dport 111 --jump CT --helper rpc'], + }, + 'pptp' : { + 'ko' : ['nf_nat_pptp', 'nf_conntrack_pptp'], + }, + 'sip' : { + 'ko' : ['nf_nat_sip', 'nf_conntrack_sip'], + }, + 'sqlnet' : { + 'iptables' : ['VYATTA_CT_HELPER --table raw --proto tcp --dport 1521 --jump CT --helper tns', + 'VYATTA_CT_HELPER --table raw --proto tcp --dport 1525 --jump CT --helper tns', 
+ 'VYATTA_CT_HELPER --table raw --proto tcp --dport 1536 --jump CT --helper tns'], + }, + 'tftp' : { + 'ko' : ['nf_nat_tftp', 'nf_conntrack_tftp'], + }, +} + +def resync_conntrackd(): + tmp = run('/usr/libexec/vyos/conf_mode/conntrack_sync.py') + if tmp > 0: + print('ERROR: error restarting conntrackd!') + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + base = ['system', 'conntrack'] + + conntrack = conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True) + + # We have gathered the dict representation of the CLI, but there are default + # options which we need to update into the dictionary retrived. + default_values = defaults(base) + conntrack = dict_merge(default_values, conntrack) + + return conntrack + +def verify(conntrack): + return None + +def generate(conntrack): + render(conntrack_config, 'conntrack/vyos_nf_conntrack.conf.tmpl', conntrack) + render(sysctl_file, 'conntrack/sysctl.conf.tmpl', conntrack) + + return None + +def apply(conntrack): + # Depending on the enable/disable state of the ALG (Application Layer Gateway) + # modules we need to either insmod or rmmod the helpers. 
+ for module, module_config in module_map.items(): + if dict_search(f'modules.{module}.disable', conntrack) != None: + if 'ko' in module_config: + for mod in module_config['ko']: + # Only remove the module if it's loaded + if os.path.exists(f'/sys/module/{mod}'): + cmd(f'rmmod {mod}') + if 'iptables' in module_config: + for rule in module_config['iptables']: + print(f'iptables --delete {rule}') + cmd(f'iptables --delete {rule}') + else: + if 'ko' in module_config: + for mod in module_config['ko']: + cmd(f'modprobe {mod}') + if 'iptables' in module_config: + for rule in module_config['iptables']: + # Only install iptables rule if it does not exist + tmp = run(f'iptables --check {rule}') + if tmp > 0: + cmd(f'iptables --insert {rule}') + + + if process_named_running('conntrackd'): + # Reload conntrack-sync daemon to fetch new sysctl values + resync_conntrackd() + + # We silently ignore all errors + # See: https://bugzilla.redhat.com/show_bug.cgi?id=1264080 + cmd(f'sysctl -f {sysctl_file}') + + return None + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/conntrack_sync.py b/src/conf_mode/conntrack_sync.py index 7f22fa2dd..f82a077e6 100755 --- a/src/conf_mode/conntrack_sync.py +++ b/src/conf_mode/conntrack_sync.py 
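Review bot: The disable branch in `apply()` runs `cmd(f'iptables --delete {rule}')` unconditionally, while the enable branch first probes with `run(f'iptables --check {rule}')`; if the rule is not present (first commit with the ALG disabled, or after a reboot when the chain is fresh) `iptables --delete` exits non-zero, and `cmd()` appears to raise on failure judging by how `run()` is used separately where failure is tolerated, so the commit would fail. Mirror the probe, `if run(f'iptables --check {rule}') == 0: cmd(f'iptables --delete {rule}')`, and drop the stray `print(f'iptables --delete {rule}')` debug line above it. The comment `# We silently ignore all errors` above `cmd(f'sysctl -f {sysctl_file}')` also does not match the call used, so either switch that line to `run()` or reword the comment.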
@@ -71,15 +71,26 @@ def verify(conntrack): if 'interface' not in conntrack: raise ConfigError('Interface not defined!') - for interface in conntrack['interface']: + has_peer = False + for interface, interface_config in conntrack['interface'].items(): verify_interface_exists(interface) # Interface must not only exist, it must also carry an IP address if len(get_ipv4(interface)) < 1: raise ConfigError(f'Interface {interface} requires an IP address!') + if 'peer' in interface_config: + has_peer = True + + # If one interface runs in unicast mode instead of multicast, so must all the + # others, else conntrackd will error out with: "cannot use UDP with other + # dedicated link protocols" + if has_peer: + for interface, interface_config in conntrack['interface'].items(): + if 'peer' not in interface_config: + raise ConfigError('Can not mix unicast and multicast mode!') if 'expect_sync' in conntrack: if len(conntrack['expect_sync']) > 1 and 'all' in conntrack['expect_sync']: - raise ConfigError('Cannot configure all with other protocol') + raise ConfigError('Can not configure expect-sync "all" with other protocols!') if 'listen_address' in conntrack: address = conntrack['listen_address'] diff --git a/src/conf_mode/containers.py b/src/conf_mode/containers.py index 5efdb6a2f..21b47f42a 100755 --- a/src/conf_mode/containers.py +++ b/src/conf_mode/containers.py @@ -75,7 +75,7 @@ def get_config(config=None): base = ['container'] container = conf.get_config_dict(base, key_mangling=('-', '_'), - get_first_key=True) + get_first_key=True, no_tag_node_value_mangle=True) # We have gathered the dict representation of the CLI, but there are default # options which we need to update into the dictionary retrived. default_values = defaults(base) diff --git a/src/conf_mode/dhcp_server.py b/src/conf_mode/dhcp_server.py index 0ed09e130..cdee72e09 100755 --- a/src/conf_mode/dhcp_server.py +++ b/src/conf_mode/dhcp_server.py 
@@ -18,6 +18,8 @@ import os from ipaddress import ip_address from ipaddress import ip_network +from netaddr import IPAddress +from netaddr import IPRange from sys import exit from vyos.config import Config @@ -163,8 +165,7 @@ def verify(dhcp): # Check if DHCP address range is inside configured subnet declaration if 'range' in subnet_config: - range_start = [] - range_stop = [] + networks = [] for range, range_config in subnet_config['range'].items(): if not {'start', 'stop'} <= set(range_config): raise ConfigError(f'DHCP range "{range}" start and stop address must be defined!') @@ -179,18 +180,16 @@ def verify(dhcp): raise ConfigError(f'DHCP range "{range}" stop address must be greater or equal\n' \ 'to the ranges start address!') - # Range start address must be unique - if range_config['start'] in range_start: - raise ConfigError('Conflicting DHCP lease range: Pool start\n' \ - 'address "{start}" defined multipe times!'.format(range_config)) + for network in networks: + start = range_config['start'] + stop = range_config['stop'] + if start in network: + raise ConfigError(f'Range "{range}" start address "{start}" already part of another range!') + if stop in network: + raise ConfigError(f'Range "{range}" stop address "{stop}" already part of another range!') - # Range stop address must be unique - if range_config['stop'] in range_start: - raise ConfigError('Conflicting DHCP lease range: Pool stop\n' \ - 'address "{stop}" defined multipe times!'.format(range_config)) - - range_start.append(range_config['start']) - range_stop.append(range_config['stop']) + tmp = IPRange(range_config['start'], range_config['stop']) + networks.append(tmp) if 'failover' in subnet_config: for key in ['local_address', 'peer_address', 'name', 'status']: diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py new file mode 100755 index 000000000..8e6ce5b14 --- /dev/null +++ b/src/conf_mode/firewall.py 
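Review bot: The new overlap check in `verify()` only tests whether the new range's `start` or `stop` falls inside an earlier range, so a range that fully encloses an existing one (for example 192.0.2.5-192.0.2.30 after 192.0.2.10-192.0.2.20) passes even though the pools overlap. Comparing the endpoints of both ranges catches every overlap in one condition; `IPRange` exposes `.first` and `.last` as integers, so the check below replaces the two `in` tests. `from netaddr import IPAddress` is not used in the visible hunks and can go unless it is needed elsewhere in the file; `verify()` itself continues outside this hunk.
```python
            new_range = IPRange(range_config['start'], range_config['stop'])
            for network in networks:
                # two ranges overlap iff neither one ends before the other starts
                if new_range.first <= network.last and network.first <= new_range.last:
                    raise ConfigError(f'Range "{range}" overlaps with another range of this subnet!')
            networks.append(new_range)
            # … unchanged: failover checks …
```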
@@ -0,0 +1,73 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2021 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import os + +from sys import exit + +from vyos.config import Config +from vyos.configdict import dict_merge +from vyos.configdict import node_changed +from vyos.configdict import leaf_node_changed +from vyos.template import render +from vyos.util import call +from vyos import ConfigError +from vyos import airbag +from pprint import pprint +airbag.enable() + + +def get_config(config=None): + + if config: + conf = config + else: + conf = Config() + base = ['nfirewall'] + firewall = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True, + no_tag_node_value_mangle=True) + + pprint(firewall) + return firewall + +def verify(firewall): + # bail out early - looks like removal from running config + if not firewall: + return None + + return None + +def generate(firewall): + if not firewall: + return None + + return None + +def apply(firewall): + if not firewall: + return None + + return None + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/flow_accounting_conf.py b/src/conf_mode/flow_accounting_conf.py index 0727b47a8..9cae29481 100755 --- a/src/conf_mode/flow_accounting_conf.py +++ b/src/conf_mode/flow_accounting_conf.py 
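Review bot: `pprint(firewall)` in `get_config()` dumps the entire firewall configuration to stdout on every commit; it reads as leftover debugging and should be removed together with `from pprint import pprint`. Of the remaining imports, `os`, `dict_merge`, `node_changed`, `leaf_node_changed`, `render` and `call` are not referenced anywhere in this file as committed, so either trim them or add a short comment that the `verify`/`generate`/`apply` bodies are placeholders still to be filled in, so that a reader does not mistake the empty functions for a finished module.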
@@ -43,7 +43,7 @@ uacctd_conf_path = '/etc/pmacct/uacctd.conf' iptables_nflog_table = 'raw' iptables_nflog_chain = 'VYATTA_CT_PREROUTING_HOOK' egress_iptables_nflog_table = 'mangle' -egress_iptables_nflog_chain = 'POSTROUTING' +egress_iptables_nflog_chain = 'FORWARD' # helper functions # check if node exists and return True if this is true diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py index a6e2d9c8c..be4380462 100755 --- a/src/conf_mode/https.py +++ b/src/conf_mode/https.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2019-2020 VyOS maintainers and contributors +# Copyright (C) 2019-2021 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -14,6 +14,7 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. +import os import sys from copy import deepcopy @@ -23,13 +24,17 @@ import vyos.certbot_util from vyos.config import Config from vyos import ConfigError -from vyos.util import call +from vyos.pki import wrap_certificate +from vyos.pki import wrap_private_key from vyos.template import render +from vyos.util import call from vyos import airbag airbag.enable() config_file = '/etc/nginx/sites-available/default' +cert_dir = '/etc/ssl/certs' +key_dir = '/etc/ssl/private' certbot_dir = vyos.defaults.directories['certbot'] # https config needs to coordinate several subsystems: api, certbot, 
@@ -56,12 +61,58 @@ def get_config(config=None): if not conf.exists('service https'): return None + https = conf.get_config_dict('service https', get_first_key=True) + + if https: + https['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'), + get_first_key=True, no_tag_node_value_mangle=True) + + return https + +def verify(https): + if https is None: + return None + + if 'certificates' in https: + certificates = https['certificates'] + + if 'certificate' in certificates: + if not https['pki']: + raise ConfigError("PKI is not configured") + + cert_name = certificates['certificate'] + + if cert_name not in https['pki']['certificate']: + raise ConfigError("Invalid certificate on https configuration") + + pki_cert = https['pki']['certificate'][cert_name] + + if 'certificate' not in pki_cert: + raise ConfigError("Missing certificate on https configuration") + + if 'private' not in pki_cert or 'key' not in pki_cert['private']: + raise ConfigError("Missing certificate private key on https configuration") + + if 'certbot' in https['certificates']: + vhost_names = [] + for vh, vh_conf in https.get('virtual-host', {}).items(): + vhost_names += vh_conf.get('server-name', []) + domains = https['certificates']['certbot'].get('domain-name', []) + domains_found = [domain for domain in domains if domain in vhost_names] + if not domains_found: + raise ConfigError("At least one 'virtual-host <id> server-name' " + "matching the 'certbot domain-name' is required.") + return None + +def generate(https): + if https is None: + return None + server_block_list = [] - https_dict = conf.get_config_dict('service https', get_first_key=True) # organize by vhosts - vhost_dict = https_dict.get('virtual-host', {}) + vhost_dict = https.get('virtual-host', {}) if not vhost_dict: # no specified virtual hosts (server blocks); use default 
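Review bot: `cert_name not in https['pki']['certificate']` in `verify()` raises `KeyError` rather than `ConfigError` when the `pki` tree exists but holds no `certificate` node (for example only CA entries), since the preceding `if not https['pki']` only catches an empty tree. Use `if cert_name not in https['pki'].get('certificate', {}):` so the user sees the intended "Invalid certificate" message. The same guard style would make the later `https['pki']['certificate'][cert_name]` lookup in `generate()` (next hunk) safe by construction; `generate()` continues past the end of this hunk.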
@@ -79,18 +130,30 @@ def get_config(config=None): # get certificate data - cert_dict = https_dict.get('certificates', {}) + cert_dict = https.get('certificates', {}) + + if 'certificate' in cert_dict: + cert_name = cert_dict['certificate'] + pki_cert = https['pki']['certificate'][cert_name] + + cert_path = os.path.join(cert_dir, f'{cert_name}.pem') + key_path = os.path.join(key_dir, f'{cert_name}.pem') + + with open(cert_path, 'w') as f: + f.write(wrap_certificate(pki_cert['certificate'])) + + with open(key_path, 'w') as f: + f.write(wrap_private_key(pki_cert['private']['key'])) - # self-signed certificate + vyos_cert_data = { + "crt": cert_path, + "key": key_path + } - vyos_cert_data = {} - if 'system-generated-certificate' in list(cert_dict): - vyos_cert_data = vyos.defaults.vyos_cert_data - if vyos_cert_data: for block in server_block_list: block['vyos_cert'] = vyos_cert_data - # letsencrypt certificate using certbot + # letsencrypt certificate using certbot certbot = False cert_domains = cert_dict.get('certbot', {}).get('domain-name', []) @@ -110,15 +173,15 @@ def get_config(config=None): api_set = False api_data = {} - if 'api' in list(https_dict): + if 'api' in list(https): api_set = True api_data = vyos.defaults.api_data - api_settings = https_dict.get('api', {}) + api_settings = https.get('api', {}) if api_settings: port = api_settings.get('port', '') if port: api_data['port'] = port - vhosts = https_dict.get('api-restrict', {}).get('virtual-host', []) + vhosts = https.get('api-restrict', {}).get('virtual-host', []) if vhosts: api_data['vhost'] = vhosts[:] 
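Review bot: The private key is written with `open(key_path, 'w')`, so the file mode of `/etc/ssl/private/<name>.pem` follows the process umask and the key material's protection depends entirely on the directory permissions; create it with an explicit mode instead, e.g. `fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` and `with os.fdopen(fd, 'w') as f:`, or `os.chmod(key_path, 0o600)` right after the write. The same pattern appears in `interfaces-ethernet.py` `generate()` for `{ifname}_cert.key` under `/run/wpa_supplicant`. Separately, the old `vyos_cert_data = {}` initialiser was removed; if the new `vyos_cert_data = {...}` sits inside the `if 'certificate' in cert_dict:` branch (indentation is not recoverable in this view), the `if vyos_cert_data:` test below raises `NameError` whenever no certificate is configured, so keep an `vyos_cert_data = {}` before the branch.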
@@ -132,34 +195,16 @@ def get_config(config=None): if block['id'] in vhost_list: block['api'] = api_data - # return dict for use in template - - https = {'server_block_list' : server_block_list, - 'api_set': api_set, - 'certbot': certbot} - - return https - -def verify(https): - if https is None: - return None - - if https['certbot']: - for sb in https['server_block_list']: - if sb['certbot']: - return None - raise ConfigError("At least one 'virtual-host <id> server-name' " - "matching the 'certbot domain-name' is required.") - return None - -def generate(https): - if https is None: - return None - if 'server_block_list' not in https or not https['server_block_list']: https['server_block_list'] = [default_server_block] - render(config_file, 'https/nginx.default.tmpl', https) + data = { + 'server_block_list': server_block_list, + 'api_set': api_set, + 'certbot': certbot + } + + render(config_file, 'https/nginx.default.tmpl', data) return None diff --git a/src/conf_mode/interfaces-dummy.py b/src/conf_mode/interfaces-dummy.py index 44fc9cb9e..55c783f38 100755 --- a/src/conf_mode/interfaces-dummy.py +++ b/src/conf_mode/interfaces-dummy.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2019-2020 VyOS maintainers and contributors +# Copyright (C) 2019-2021 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -14,8 +14,6 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. -import os - from sys import exit from vyos.config import Config @@ -42,7 +40,7 @@ def get_config(config=None): return dummy def verify(dummy): - if 'deleted' in dummy.keys(): + if 'deleted' in dummy: verify_bridge_delete(dummy) return None 
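Review bot: The retained `if 'server_block_list' not in https or not https['server_block_list']: https['server_block_list'] = [default_server_block]` now operates on the raw config dict, which never carries that key, while the `data` handed to `render()` takes the local `server_block_list`; the default-server fallback therefore no longer reaches the template. Replace the two lines with `if not server_block_list:` and `server_block_list = [default_server_block]` so the local list is what gets defaulted. `generate()` starts above this hunk.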
@@ -58,7 +56,7 @@ def apply(dummy): d = DummyIf(dummy['ifname']) # Remove dummy interface - if 'deleted' in dummy.keys(): + if 'deleted' in dummy: d.remove() else: d.update(dummy) diff --git a/src/conf_mode/interfaces-ethernet.py b/src/conf_mode/interfaces-ethernet.py index 378f400b8..78c24952b 100755 --- a/src/conf_mode/interfaces-ethernet.py +++ b/src/conf_mode/interfaces-ethernet.py @@ -32,6 +32,8 @@ from vyos.configverify import verify_vlan_config from vyos.configverify import verify_vrf from vyos.ethtool import Ethtool from vyos.ifconfig import EthernetIf +from vyos.pki import wrap_certificate +from vyos.pki import wrap_private_key from vyos.template import render from vyos.util import call from vyos.util import dict_search @@ -40,6 +42,7 @@ from vyos import airbag airbag.enable() # XXX: wpa_supplicant works on the source interface +cfg_dir = '/run/wpa_supplicant' wpa_suppl_conf = '/run/wpa_supplicant/{ifname}.conf' def get_config(config=None): @@ -52,8 +55,15 @@ def get_config(config=None): else: conf = Config() base = ['interfaces', 'ethernet'] + + tmp_pki = conf.get_config_dict(['pki'], key_mangling=('-', '_'), + get_first_key=True, no_tag_node_value_mangle=True) + ethernet = get_interface_dict(conf, base) + if 'deleted' not in ethernet: + ethernet['pki'] = tmp_pki + return ethernet def verify(ethernet): 
@@ -126,6 +136,27 @@ def generate(ethernet): if 'eapol' in ethernet: render(wpa_suppl_conf.format(**ethernet), 'ethernet/wpa_supplicant.conf.tmpl', ethernet) + + ifname = ethernet['ifname'] + cert_file_path = os.path.join(cfg_dir, f'{ifname}_cert.pem') + cert_key_path = os.path.join(cfg_dir, f'{ifname}_cert.key') + + cert_name = ethernet['eapol']['certificate'] + pki_cert = ethernet['pki']['certificate'][cert_name] + + with open(cert_file_path, 'w') as f: + f.write(wrap_certificate(pki_cert['certificate'])) + + with open(cert_key_path, 'w') as f: + f.write(wrap_private_key(pki_cert['private']['key'])) + + if 'ca_certificate' in ethernet['eapol']: + ca_cert_file_path = os.path.join(cfg_dir, f'{ifname}_ca.pem') + ca_cert_name = ethernet['eapol']['ca_certificate'] + pki_ca_cert = ethernet['pki']['ca'][cert_name] + + with open(ca_cert_file_path, 'w') as f: + f.write(wrap_certificate(pki_ca_cert['certificate'])) else: # delete configuration on interface removal if os.path.isfile(wpa_suppl_conf.format(**ethernet)): diff --git a/src/conf_mode/interfaces-loopback.py b/src/conf_mode/interfaces-loopback.py index 30a27abb4..193334443 100755 --- a/src/conf_mode/interfaces-loopback.py +++ b/src/conf_mode/interfaces-loopback.py @@ -45,8 +45,8 @@ def generate(loopback): return None def apply(loopback): - l = LoopbackIf(loopback['ifname']) - if 'deleted' in loopback.keys(): + l = LoopbackIf(**loopback) + if 'deleted' in loopback: l.remove() else: l.update(loopback) diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py index 4afb85526..74e29ed82 100755 --- a/src/conf_mode/interfaces-openvpn.py +++ b/src/conf_mode/interfaces-openvpn.py @@ -17,6 +17,7 @@ import os import re +from cryptography.hazmat.primitives.asymmetric import ec from glob import glob from sys import exit from ipaddress import IPv4Address 
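Review bot: `pki_ca_cert = ethernet['pki']['ca'][cert_name]` indexes the CA tree with the end-entity certificate's name; `ca_cert_name`, assigned on the line before, is never used, so a CA whose name differs from the certificate name raises `KeyError` and a CA that happens to share the name silently writes the wrong CA bundle. The line should read `pki_ca_cert = ethernet['pki']['ca'][ca_cert_name]`. `generate()` starts above this hunk.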
@@ -31,8 +32,14 @@ from vyos.config import Config from vyos.configdict import get_interface_dict from vyos.configverify import verify_vrf from vyos.configverify import verify_bridge_delete -from vyos.configverify import verify_diffie_hellman_length from vyos.ifconfig import VTunIf +from vyos.pki import load_dh_parameters +from vyos.pki import load_private_key +from vyos.pki import wrap_certificate +from vyos.pki import wrap_crl +from vyos.pki import wrap_dh_parameters +from vyos.pki import wrap_openvpn_key +from vyos.pki import wrap_private_key from vyos.template import render from vyos.template import is_ipv4 from vyos.template import is_ipv6 @@ -40,6 +47,7 @@ from vyos.util import call from vyos.util import chown from vyos.util import chmod_600 from vyos.util import dict_search +from vyos.util import dict_search_args from vyos.validate import is_addr_assigned from vyos import ConfigError @@ -49,23 +57,9 @@ airbag.enable() user = 'openvpn' group = 'openvpn' +cfg_dir = '/run/openvpn' cfg_file = '/run/openvpn/{ifname}.conf' -def checkCertHeader(header, filename): - """ - Verify if filename contains specified header. - Returns True if match is found, False if no match or file is not found - """ - if not os.path.isfile(filename): - return False - - with open(filename, 'r') as f: - for line in f: - if re.match(header, line): - return True - - return False - def get_config(config=None): """ Retrive CLI config as dictionary. Dictionary can never be empty, as at least the 
@@ -76,14 +70,105 @@ def get_config(config=None): else: conf = Config() base = ['interfaces', 'openvpn'] + + tmp_pki = conf.get_config_dict(['pki'], key_mangling=('-', '_'), + get_first_key=True, no_tag_node_value_mangle=True) + openvpn = get_interface_dict(conf, base) + if 'deleted' not in openvpn: + openvpn['pki'] = tmp_pki + openvpn['auth_user_pass_file'] = '/run/openvpn/{ifname}.pw'.format(**openvpn) openvpn['daemon_user'] = user openvpn['daemon_group'] = group return openvpn +def is_ec_private_key(pki, cert_name): + if not pki or 'certificate' not in pki: + return False + if cert_name not in pki['certificate']: + return False + + pki_cert = pki['certificate'][cert_name] + if 'private' not in pki_cert or 'key' not in pki_cert['private']: + return False + + key = load_private_key(pki_cert['private']['key']) + return isinstance(key, ec.EllipticCurvePrivateKey) + +def verify_pki(openvpn): + pki = openvpn['pki'] + interface = openvpn['ifname'] + mode = openvpn['mode'] + shared_secret_key = dict_search_args(openvpn, 'shared_secret_key') + tls = dict_search_args(openvpn, 'tls') + + if not bool(shared_secret_key) ^ bool(tls): # xor check if only one is set + raise ConfigError('Must specify only one of "shared-secret-key" and "tls"') + + if mode in ['server', 'client'] and not tls: + raise ConfigError('Must specify "tls" for server and client modes') + + if not pki: + raise ConfigError('PKI is not configured') + + if shared_secret_key: + if not dict_search_args(pki, 'openvpn', 'shared_secret'): + raise ConfigError('There are no openvpn shared-secrets in PKI configuration') + + if shared_secret_key not in pki['openvpn']['shared_secret']: + raise ConfigError(f'Invalid shared-secret on openvpn interface {interface}') + + if tls: + if 'ca_certificate' not in tls: + raise ConfigError(f'Must specify "tls ca-certificate" on openvpn interface {interface}') + + if tls['ca_certificate'] not in pki['ca']: + raise ConfigError(f'Invalid CA certificate on openvpn interface 
{interface}') + + if not (mode == 'client' and 'auth_key' in tls): + if 'certificate' not in tls: + raise ConfigError(f'Missing "tls certificate" on openvpn interface {interface}') + + if 'certificate' in tls: + if tls['certificate'] not in pki['certificate']: + raise ConfigError(f'Invalid certificate on openvpn interface {interface}') + + if dict_search_args(pki, 'certificate', tls['certificate'], 'private', 'password_protected'): + raise ConfigError(f'Cannot use encrypted private key on openvpn interface {interface}') + + if mode == 'server' and 'dh_params' not in tls and not is_ec_private_key(pki, tls['certificate']): + raise ConfigError('Must specify "tls dh-params" when not using EC keys in server mode') + + if 'dh_params' in tls: + if 'dh' not in pki: + raise ConfigError('There are no DH parameters in PKI configuration') + + if tls['dh_params'] not in pki['dh']: + raise ConfigError(f'Invalid dh-params on openvpn interface {interface}') + + pki_dh = pki['dh'][tls['dh_params']] + dh_params = load_dh_parameters(pki_dh['parameters']) + dh_numbers = dh_params.parameter_numbers() + dh_bits = dh_numbers.p.bit_length() + + if dh_bits < 2048: + raise ConfigError(f'Minimum DH key-size is 2048 bits') + + if 'auth_key' in tls or 'crypt_key' in tls: + if not dict_search_args(pki, 'openvpn', 'shared_secret'): + raise ConfigError('There are no openvpn shared-secrets in PKI configuration') + + if 'auth_key' in tls: + if tls['auth_key'] not in pki['openvpn']['shared_secret']: + raise ConfigError(f'Invalid auth-key on openvpn interface {interface}') + + if 'crypt_key' in tls: + if tls['crypt_key'] not in pki['openvpn']['shared_secret']: + raise ConfigError(f'Invalid crypt-key on openvpn interface {interface}') + def verify(openvpn): if 'deleted' in openvpn: verify_bridge_delete(openvpn) 
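Review bot: In `verify_pki()` the lookups `tls['ca_certificate'] not in pki['ca']`, `tls['certificate'] not in pki['certificate']` and `tls['dh_params'] not in pki['dh']` raise `KeyError` when the `pki` tree lacks that node, whereas the shared-secret branch just above guards with `dict_search_args(pki, 'openvpn', 'shared_secret')` first; use `pki.get('ca', {})` (and likewise for `certificate`, which already checks `'dh' not in pki` for the DH case) so the user gets the intended `ConfigError` text. `is_ec_private_key()` also calls `load_private_key()` before the `password_protected` check runs, so a password-protected key may fail to load there rather than producing the "Cannot use encrypted private key" message; moving that check ahead of the EC probe, or having `is_ec_private_key` return `False` when `password_protected` is set, avoids that.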
@@ -92,12 +177,6 @@ def verify(openvpn): if 'mode' not in openvpn: raise ConfigError('Must specify OpenVPN operation mode!') - # Check if we have disabled ncp and at the same time specified ncp-ciphers - if 'encryption' in openvpn: - if {'disable_ncp', 'ncp_ciphers'} <= set(openvpn.get('encryption')): - raise ConfigError('Can not specify both "encryption disable-ncp" '\ - 'and "encryption ncp-ciphers"') - # # OpenVPN client mode - VERIFY # @@ -114,8 +193,8 @@ def verify(openvpn): if openvpn['protocol'] == 'tcp-passive': raise ConfigError('Protocol "tcp-passive" is not valid in client mode') - if dict_search('tls.dh_file', openvpn): - raise ConfigError('Cannot specify "tls dh-file" in client mode') + if dict_search('tls.dh_params', openvpn): + raise ConfigError('Cannot specify "tls dh-params" in client mode') # # OpenVPN site-to-site - VERIFY @@ -200,11 +279,6 @@ def verify(openvpn): if 'remote_host' in openvpn: raise ConfigError('Cannot specify "remote-host" in server mode') - if 'tls' in openvpn: - if 'dh_file' not in openvpn['tls']: - if 'key_file' in openvpn['tls'] and not checkCertHeader('-----BEGIN EC PRIVATE KEY-----', openvpn['tls']['key_file']): - raise ConfigError('Must specify "tls dh-file" when not using EC keys in server mode') - tmp = dict_search('server.subnet', openvpn) if tmp: v4_subnets = len([subnet for subnet in tmp if is_ipv4(subnet)]) 
@@ -312,97 +386,40 @@ def verify(openvpn): if 'remote_host' not in openvpn: raise ConfigError('Must specify "remote-host" with "tcp-active"') - # shared secret and TLS - if not ('shared_secret_key_file' in openvpn or 'tls' in openvpn): - raise ConfigError('Must specify one of "shared-secret-key-file" and "tls"') - - if {'shared_secret_key_file', 'tls'} <= set(openvpn): - raise ConfigError('Can only specify one of "shared-secret-key-file" and "tls"') - - if openvpn['mode'] in ['client', 'server']: - if 'tls' not in openvpn: - raise ConfigError('Must specify "tls" for server and client mode') - # # TLS/encryption # - if 'shared_secret_key_file' in openvpn: + if 'shared_secret_key' in openvpn: if dict_search('encryption.cipher', openvpn) in ['aes128gcm', 'aes192gcm', 'aes256gcm']: - raise ConfigError('GCM encryption with shared-secret-key-file not supported') - - file = dict_search('shared_secret_key_file', openvpn) - if file and not checkCertHeader('-----BEGIN OpenVPN Static key V1-----', file): - raise ConfigError(f'Specified shared-secret-key-file "{file}" is not valid') + raise ConfigError('GCM encryption with shared-secret-key not supported') if 'tls' in openvpn: - if 'ca_cert_file' not in openvpn['tls']: - raise ConfigError('Must specify "tls ca-cert-file"') - - if not (openvpn['mode'] == 'client' and 'auth_file' in openvpn['tls']): - if 'cert_file' not in openvpn['tls']: - raise ConfigError('Missing "tls cert-file"') - - if 'key_file' not in openvpn['tls']: - raise ConfigError('Missing "tls key-file"') - - if {'auth_file', 'crypt_file'} <= set(openvpn['tls']): - raise ConfigError('TLS auth and crypt are mutually exclusive') - - file = dict_search('tls.ca_cert_file', openvpn) - if file and not checkCertHeader('-----BEGIN CERTIFICATE-----', file): - raise ConfigError(f'Specified ca-cert-file "{file}" is invalid') - - file = dict_search('tls.auth_file', openvpn) - if file and not checkCertHeader('-----BEGIN OpenVPN Static key V1-----', file): - raise 
ConfigError(f'Specified auth-file "{file}" is invalid') - - file = dict_search('tls.cert_file', openvpn) - if file and not checkCertHeader('-----BEGIN CERTIFICATE-----', file): - raise ConfigError(f'Specified cert-file "{file}" is invalid') - - file = dict_search('tls.key_file', openvpn) - if file and not checkCertHeader('-----BEGIN (?:RSA |EC )?PRIVATE KEY-----', file): - raise ConfigError(f'Specified key-file "{file}" is not valid') - - file = dict_search('tls.crypt_file', openvpn) - if file and not checkCertHeader('-----BEGIN OpenVPN Static key V1-----', file): - raise ConfigError(f'Specified TLS crypt-file "{file}" is invalid') - - file = dict_search('tls.crl_file', openvpn) - if file and not checkCertHeader('-----BEGIN X509 CRL-----', file): - raise ConfigError(f'Specified crl-file "{file} not valid') - - file = dict_search('tls.dh_file', openvpn) - if file and not checkCertHeader('-----BEGIN DH PARAMETERS-----', file): - raise ConfigError(f'Specified dh-file "{file}" is not valid') - - if file and not verify_diffie_hellman_length(file, 2048): - raise ConfigError(f'Minimum DH key-size is 2048 bits') + if {'auth_key', 'crypt_key'} <= set(openvpn['tls']): + raise ConfigError('TLS auth and crypt keys are mutually exclusive') tmp = dict_search('tls.role', openvpn) if tmp: if openvpn['mode'] in ['client', 'server']: - if not dict_search('tls.auth_file', openvpn): + if not dict_search('tls.auth_key', openvpn): raise ConfigError('Cannot specify "tls role" in client-server mode') if tmp == 'active': if openvpn['protocol'] == 'tcp-passive': raise ConfigError('Cannot specify "tcp-passive" when "tls role" is "active"') - if dict_search('tls.dh_file', openvpn): - raise ConfigError('Cannot specify "tls dh-file" when "tls role" is "active"') + if dict_search('tls.dh_params', openvpn): + raise ConfigError('Cannot specify "tls dh-params" when "tls role" is "active"') elif tmp == 'passive': if openvpn['protocol'] == 'tcp-active': raise ConfigError('Cannot specify "tcp-active" 
when "tls role" is "passive"') - if not dict_search('tls.dh_file', openvpn): - raise ConfigError('Must specify "tls dh-file" when "tls role" is "passive"') + if not dict_search('tls.dh_params', openvpn): + raise ConfigError('Must specify "tls dh-params" when "tls role" is "passive"') - file = dict_search('tls.key_file', openvpn) - if file and checkCertHeader('-----BEGIN EC PRIVATE KEY-----', file): - if dict_search('tls.dh_file', openvpn): - print('Warning: using dh-file and EC keys simultaneously will ' \ + if 'certificate' in openvpn['tls'] and is_ec_private_key(openvpn['pki'], openvpn['tls']['certificate']): + if 'dh_params' in openvpn['tls']: + print('Warning: using dh-params and EC keys simultaneously will ' \ 'lead to DH ciphers being used instead of ECDH') if dict_search('encryption.cipher', openvpn) == 'none': @@ -410,6 +427,8 @@ def verify(openvpn): print('No encryption will be performed and data is transmitted in ' \ 'plain text over the network!') + verify_pki(openvpn) + # # Auth user/pass # 
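Review bot: `verify_pki(openvpn)` is only called at the very end of `verify()`, after the `tls role` block has already evaluated `is_ec_private_key(openvpn['pki'], openvpn['tls']['certificate'])`, so a `tls certificate` name that does not exist in the PKI tree reaches that helper before verify_pki's `Invalid certificate` check can reject it; how the helper behaves on an unknown name is not visible here. Moving the call to the start of the TLS/encryption section, `verify_pki(openvpn)` immediately before `if 'shared_secret_key' in openvpn:`, makes the validation order follow the data dependencies and yields a deterministic ConfigError. The removed lines also dropped the requirement that exactly one of shared-secret-key and tls is configured and that client/server mode has tls; unless verify_pki (whose start is outside this view) re-adds them, an interface with neither now passes verify and fails only when OpenVPN starts. The enclosing `verify()` starts before this hunk.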
@@ -425,6 +444,110 @@ def verify(openvpn): return None +def generate_pki_files(openvpn): + pki = openvpn['pki'] + + if not pki: + return None + + interface = openvpn['ifname'] + shared_secret_key = dict_search_args(openvpn, 'shared_secret_key') + tls = dict_search_args(openvpn, 'tls') + + files = [] + + if shared_secret_key: + pki_key = pki['openvpn']['shared_secret'][shared_secret_key] + key_path = os.path.join(cfg_dir, f'{interface}_shared.key') + + with open(key_path, 'w') as f: + f.write(wrap_openvpn_key(pki_key['key'])) + + files.append(key_path) + + if tls: + if 'ca_certificate' in tls: + cert_name = tls['ca_certificate'] + pki_ca = pki['ca'][cert_name] + + if 'certificate' in pki_ca: + cert_path = os.path.join(cfg_dir, f'{interface}_ca.pem') + + with open(cert_path, 'w') as f: + f.write(wrap_certificate(pki_ca['certificate'])) + + files.append(cert_path) + + if 'crl' in pki_ca: + for crl in pki_ca['crl']: + crl_path = os.path.join(cfg_dir, f'{interface}_crl.pem') + + with open(crl_path, 'w') as f: + f.write(wrap_crl(crl)) + + files.append(crl_path) + openvpn['tls']['crl'] = True + + if 'certificate' in tls: + cert_name = tls['certificate'] + pki_cert = pki['certificate'][cert_name] + + if 'certificate' in pki_cert: + cert_path = os.path.join(cfg_dir, f'{interface}_cert.pem') + + with open(cert_path, 'w') as f: + f.write(wrap_certificate(pki_cert['certificate'])) + + files.append(cert_path) + + if 'private' in pki_cert and 'key' in pki_cert['private']: + key_path = os.path.join(cfg_dir, f'{interface}_cert.key') + + with open(key_path, 'w') as f: + f.write(wrap_private_key(pki_cert['private']['key'])) + + files.append(key_path) + openvpn['tls']['private_key'] = True + + if 'dh_params' in tls: + dh_name = tls['dh_params'] + pki_dh = pki['dh'][dh_name] + + if 'parameters' in pki_dh: + dh_path = os.path.join(cfg_dir, f'{interface}_dh.pem') + + with open(dh_path, 'w') as f: + f.write(wrap_dh_parameters(pki_dh['parameters'])) + + files.append(dh_path) + + if 
'auth_key' in tls: + key_name = tls['auth_key'] + pki_key = pki['openvpn']['shared_secret'][key_name] + + if 'key' in pki_key: + key_path = os.path.join(cfg_dir, f'{interface}_auth.key') + + with open(key_path, 'w') as f: + f.write(wrap_openvpn_key(pki_key['key'])) + + files.append(key_path) + + if 'crypt_key' in tls: + key_name = tls['crypt_key'] + pki_key = pki['openvpn']['shared_secret'][key_name] + + if 'key' in pki_key: + key_path = os.path.join(cfg_dir, f'{interface}_crypt.key') + + with open(key_path, 'w') as f: + f.write(wrap_openvpn_key(pki_key['key'])) + + files.append(key_path) + + return files + + def generate(openvpn): interface = openvpn['ifname'] directory = os.path.dirname(cfg_file.format(**openvpn)) @@ -444,13 +567,7 @@ def generate(openvpn): chown(ccd_dir, user, group) # Fix file permissons for keys - fix_permissions = [] - - tmp = dict_search('shared_secret_key_file', openvpn) - if tmp: fix_permissions.append(openvpn['shared_secret_key_file']) - - tmp = dict_search('tls.key_file', openvpn) - if tmp: fix_permissions.append(tmp) + fix_permissions = generate_pki_files(openvpn) # Generate User/Password authentication file if 'authentication' in openvpn: @@ -462,8 +579,9 @@ def generate(openvpn): os.remove(openvpn['auth_user_pass_file']) # Generate client specific configuration - if dict_search('server.client', openvpn): - for client, client_config in dict_search('server.client', openvpn).items(): + server_client = dict_search_args(openvpn, 'server', 'client') + if server_client: + for client, client_config in server_client.items(): client_file = os.path.join(ccd_dir, client) # Our client need's to know its subnet mask ... diff --git a/src/conf_mode/interfaces-pppoe.py b/src/conf_mode/interfaces-pppoe.py index 3675db73b..6c4c6c95b 100755 --- a/src/conf_mode/interfaces-pppoe.py +++ b/src/conf_mode/interfaces-pppoe.py 
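Review bot: In the `crl` loop of `generate_pki_files`, `crl_path` is the same `{interface}_crl.pem` for every entry of `pki_ca['crl']` and the file is opened with `'w'`, so a CA with more than one CRL ends up with only the last one on disk while `files` gets the path appended once per CRL; open the file once, write every `wrap_crl(crl)` into it and append the path once (if OpenVPN's crl-verify expects exactly one CRL per file, each CRL needs its own path instead). The private-key and shared-secret files are created with `open(path, 'w')`, i.e. under the process umask, and only the caller of `fix_permissions` later tightens the mode, so the key material is briefly readable by other local users and a pre-existing file keeps whatever mode it had; creating them with `os.open(..., 0o600)` closes that window, as sketched below. `return None` in the empty-PKI branch changes the type the caller receives — `generate()` previously started from `fix_permissions = []` — so `return []` keeps any iteration over the result safe. `generate_pki_files` is complete within this hunk; `generate()` is not.
```python
def _write_private_file(path, data):
    # Create (or truncate) with owner-only permissions before any key
    # material is written, instead of relying on umask plus a later chmod.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as f:
        f.write(data)

# … unchanged: shared_secret_key / certificate / dh / auth / crypt handling,
#   with _write_private_file(key_path, ...) replacing open(key_path, 'w') for keys …

            if 'crl' in pki_ca:
                crl_path = os.path.join(cfg_dir, f'{interface}_crl.pem')
                with open(crl_path, 'w') as f:
                    for crl in pki_ca['crl']:
                        f.write(wrap_crl(crl))
                files.append(crl_path)
                openvpn['tls']['crl'] = True
```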
@@ -22,6 +22,7 @@ from netifaces import interfaces from vyos.config import Config from vyos.configdict import get_interface_dict +from vyos.configverify import verify_authentication from vyos.configverify import verify_source_interface from vyos.configverify import verify_vrf from vyos.configverify import verify_mtu_ipv6 @@ -51,6 +52,7 @@ def verify(pppoe): return None verify_source_interface(pppoe) + verify_authentication(pppoe) verify_vrf(pppoe) verify_mtu_ipv6(pppoe) diff --git a/src/conf_mode/interfaces-pseudo-ethernet.py b/src/conf_mode/interfaces-pseudo-ethernet.py index 34a054837..945a2ea9c 100755 --- a/src/conf_mode/interfaces-pseudo-ethernet.py +++ b/src/conf_mode/interfaces-pseudo-ethernet.py @@ -24,6 +24,7 @@ from vyos.configverify import verify_address from vyos.configverify import verify_bridge_delete from vyos.configverify import verify_source_interface from vyos.configverify import verify_vlan_config +from vyos.configverify import verify_mtu_parent from vyos.ifconfig import MACVLANIf from vyos import ConfigError @@ -45,6 +46,9 @@ def get_config(config=None): mode = leaf_node_changed(conf, ['mode']) if mode: peth.update({'mode_old' : mode}) + if 'source_interface' in peth: + peth['parent'] = get_interface_dict(conf, ['interfaces', 'ethernet'], + peth['source_interface']) return peth def verify(peth): @@ -55,9 +59,10 @@ def verify(peth): verify_source_interface(peth) verify_vrf(peth) verify_address(peth) - + verify_mtu_parent(peth, peth['parent']) # use common function to verify VLAN configuration verify_vlan_config(peth) + return None def generate(peth): diff --git a/src/conf_mode/interfaces-tunnel.py b/src/conf_mode/interfaces-tunnel.py index 4e6c8a9ab..294da8ef9 100755 --- a/src/conf_mode/interfaces-tunnel.py +++ b/src/conf_mode/interfaces-tunnel.py 
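Review bot: In `verify()` of interfaces-pseudo-ethernet.py, `verify_mtu_parent(peth, peth['parent'])` indexes `parent` unconditionally while `get_config()` only sets it when `source_interface` is present, so a missing source interface would surface as a KeyError rather than a ConfigError unless `verify_source_interface(peth)` on the line above always raises first (its body is not visible here). `verify_mtu_parent(peth, peth.get('parent'))`, or guarding the call with `if 'parent' in peth:`, keeps the failure mode a ConfigError either way. The `# use common function to verify VLAN configuration` comment now directly follows the new call; a blank line before it keeps the two checks visually separate. `verify()` starts outside this hunk.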
@@ -109,6 +109,14 @@ def verify(tunnel): if tunnel['encapsulation'] in ['ipip6', 'ip6ip6', 'ip6gre']: raise ConfigError('Can not disable PMTU discovery for given encapsulation') + if dict_search('parameters.ip.ignore_df', tunnel) != None: + if tunnel['encapsulation'] not in ['gretap']: + raise ConfigError('Option ignore-df can only be used on GRETAP tunnels!') + + if dict_search('parameters.ip.no_pmtu_discovery', tunnel) == None: + raise ConfigError('Option ignore-df requires path MTU discovery to be disabled!') + + def generate(tunnel): return None diff --git a/src/conf_mode/interfaces-vti.py b/src/conf_mode/interfaces-vti.py new file mode 100755 index 000000000..57950ffea --- /dev/null +++ b/src/conf_mode/interfaces-vti.py 
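Review bot: The two new `ignore_df` checks compare against `None` with `!=` and `==`; `is not None` / `is None` is the idiomatic identity test and is immune to objects with a custom `__eq__`: `if dict_search('parameters.ip.ignore_df', tunnel) is not None:` and `if dict_search('parameters.ip.no_pmtu_discovery', tunnel) is None:`. `tunnel['encapsulation'] not in ['gretap']` reads more naturally as `!= 'gretap'` unless more encapsulations are expected to join the list. `verify()` starts before this hunk.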
@@ -0,0 +1,66 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2021 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +from netifaces import interfaces +from sys import exit + +from vyos.config import Config +from vyos.configdict import get_interface_dict +from vyos.ifconfig import VTIIf +from vyos.util import dict_search +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +def get_config(config=None): + """ + Retrive CLI config as dictionary. Dictionary can never be empty, as at least the + interface name will be added or a deleted flag + """ + if config: + conf = config + else: + conf = Config() + base = ['interfaces', 'vti'] + vti = get_interface_dict(conf, base) + return vti + +def verify(vti): + return None + +def generate(vti): + return None + +def apply(vti): + # Remove macsec interface + if 'deleted' in vti: + VTIIf(**vti).remove() + return None + + tmp = VTIIf(**vti) + tmp.update(vti) + + return None + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/interfaces-vxlan.py b/src/conf_mode/interfaces-vxlan.py index 8e6247a30..804f2d14f 100755 --- a/src/conf_mode/interfaces-vxlan.py +++ b/src/conf_mode/interfaces-vxlan.py 
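Review bot: The comment `# Remove macsec interface` in `apply()` of the new interfaces-vti.py was carried over from another handler and should read `# Remove VTI interface`. `verify()` and `generate()` are bare `return None` stubs, so nothing about a VTI is checked at commit time; a one-line comment stating why no checks are needed yet would tell the next reader this is intentional rather than forgotten. `from netifaces import interfaces` and `from vyos.util import dict_search` are imported but not used anywhere in the file.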
@@ -25,7 +25,9 @@ from vyos.configverify import verify_address from vyos.configverify import verify_bridge_delete from vyos.configverify import verify_mtu_ipv6 from vyos.configverify import verify_source_interface -from vyos.ifconfig import VXLANIf, Interface +from vyos.ifconfig import Interface +from vyos.ifconfig import VXLANIf +from vyos.template import is_ipv6 from vyos import ConfigError from vyos import airbag airbag.enable() @@ -65,12 +67,19 @@ def verify(vxlan): raise ConfigError('Must configure VNI for VXLAN') if 'source_interface' in vxlan: - # VXLAN adds a 50 byte overhead - we need to check the underlaying MTU - # if our configured MTU is at least 50 bytes less + # VXLAN adds at least an overhead of 50 byte - we need to check the + # underlaying device if our VXLAN package is not going to be fragmented! + vxlan_overhead = 50 + if 'source_address' in vxlan and is_ipv6(vxlan['source_address']): + # IPv6 adds an extra 20 bytes overhead because the IPv6 header is 20 + # bytes larger than the IPv4 header - assuming no extra options are + # in use. + vxlan_overhead += 20 + lower_mtu = Interface(vxlan['source_interface']).get_mtu() - if lower_mtu < (int(vxlan['mtu']) + 50): - raise ConfigError('VXLAN has a 50 byte overhead, underlaying device ' \ - f'MTU is to small ({lower_mtu} bytes)') + if lower_mtu < (int(vxlan['mtu']) + vxlan_overhead): + raise ConfigError(f'Underlaying device MTU is to small ({lower_mtu} '\ + f'bytes) for VXLAN overhead ({vxlan_overhead} bytes!)') verify_mtu_ipv6(vxlan) verify_address(vxlan) diff --git a/src/conf_mode/interfaces-wireguard.py b/src/conf_mode/interfaces-wireguard.py index 024ab8f59..4c566a5ad 100755 --- a/src/conf_mode/interfaces-wireguard.py +++ b/src/conf_mode/interfaces-wireguard.py 
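Review bot: The new error message in `verify()` of interfaces-vxlan.py reads `Underlaying device MTU is to small (... bytes) for VXLAN overhead (... bytes!)` — the exclamation mark landed inside the parenthesis and `to`/`Underlaying` are misspelled; suggest `f'Underlying device MTU is too small ({lower_mtu} bytes) for VXLAN overhead ({vxlan_overhead} bytes)!'`. The IPv6 branch adds 20 bytes on top of the base 50, consistent with a 40-byte IPv6 header replacing a 20-byte IPv4 header; a short comment next to `vxlan_overhead = 50` naming what the 50 consists of (presumably Ethernet + outer IPv4 + UDP + VXLAN headers) would make the constant verifiable. `verify()` starts before this hunk.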
@@ -46,17 +46,14 @@ def get_config(config=None): base = ['interfaces', 'wireguard'] wireguard = get_interface_dict(conf, base) - # Mangle private key - it has a default so its always valid - wireguard['private_key'] = '/config/auth/wireguard/{private_key}/private.key'.format(**wireguard) - # Determine which Wireguard peer has been removed. # Peers can only be removed with their public key! dict = {} tmp = node_changed(conf, ['peer'], key_mangling=('-', '_')) for peer in (tmp or []): - pubkey = leaf_node_changed(conf, ['peer', peer, 'pubkey']) - if pubkey: - dict = dict_merge({'peer_remove' : {peer : {'pubkey' : pubkey[0]}}}, dict) + public_key = leaf_node_changed(conf, ['peer', peer, 'public_key']) + if public_key: + dict = dict_merge({'peer_remove' : {peer : {'public_key' : public_key[0]}}}, dict) wireguard.update(dict) return wireguard @@ -70,9 +67,8 @@ def verify(wireguard): verify_address(wireguard) verify_vrf(wireguard) - if not os.path.exists(wireguard['private_key']): - raise ConfigError('Wireguard private-key not found! Execute: ' \ - '"run generate wireguard [default-keypair|named-keypairs]"') + if 'private_key' not in wireguard: + raise ConfigError('Wireguard private-key not defined') if 'peer' not in wireguard: raise ConfigError('At least one Wireguard peer is required!') @@ -84,7 +80,7 @@ def verify(wireguard): if 'allowed_ips' not in peer: raise ConfigError(f'Wireguard allowed-ips required for peer "{tmp}"!') - if 'pubkey' not in peer: + if 'public_key' not in peer: raise ConfigError(f'Wireguard public-key required for peer "{tmp}"!') if ('address' in peer and 'port' not in peer) or ('port' in peer and 'address' not in peer): diff --git a/src/conf_mode/interfaces-wirelessmodem.py b/src/conf_mode/interfaces-wirelessmodem.py deleted file mode 100755 index 976953b31..000000000 --- a/src/conf_mode/interfaces-wirelessmodem.py +++ /dev/null 
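Review bot: The new check `if 'private_key' not in wireguard:` in `verify()` only tests presence; now that the key comes from the config tree instead of a generated file, a malformed value (wrong length or not base64) is no longer rejected at commit time and presumably fails only when the interface is brought up. Validating the format here, e.g. `base64.b64decode(wireguard['private_key'], validate=True)` and requiring exactly 32 bytes, keeps the failure a ConfigError; the same check applies to each peer's `public_key`. Since the private key now lives in the configuration, a comment in `get_config()` noting that its confidentiality relies on the config file's permissions would document that trade-off for the next maintainer. `get_config()` and `verify()` start outside this hunk.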
@@ -1,132 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2020 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. - -import os - -from sys import exit - -from vyos.config import Config -from vyos.configdict import get_interface_dict -from vyos.configverify import verify_vrf -from vyos.template import render -from vyos.util import call -from vyos.util import check_kmod -from vyos.util import find_device_file -from vyos import ConfigError -from vyos import airbag -airbag.enable() - -k_mod = ['option', 'usb_wwan', 'usbserial'] - -def get_config(config=None): - """ - Retrive CLI config as dictionary. 
Dictionary can never be empty, as at least the - interface name will be added or a deleted flag - """ - if config: - conf = config - else: - conf = Config() - base = ['interfaces', 'wirelessmodem'] - wwan = get_interface_dict(conf, base) - - return wwan - -def verify(wwan): - if 'deleted' in wwan: - return None - - if not 'apn' in wwan: - raise ConfigError('No APN configured for "{ifname}"'.format(**wwan)) - - if not 'device' in wwan: - raise ConfigError('Physical "device" must be configured') - - # we can not use isfile() here as Linux device files are no regular files - # thus the check will return False - dev_path = find_device_file(wwan['device']) - if dev_path is None or not os.path.exists(dev_path): - raise ConfigError('Device "{device}" does not exist'.format(**wwan)) - - verify_vrf(wwan) - - return None - -def generate(wwan): - # set up configuration file path variables where our templates will be - # rendered into - ifname = wwan['ifname'] - config_wwan = f'/etc/ppp/peers/{ifname}' - config_wwan_chat = f'/etc/ppp/peers/chat.{ifname}' - script_wwan_pre_up = f'/etc/ppp/ip-pre-up.d/1010-vyos-wwan-{ifname}' - script_wwan_ip_up = f'/etc/ppp/ip-up.d/1010-vyos-wwan-{ifname}' - script_wwan_ip_down = f'/etc/ppp/ip-down.d/1010-vyos-wwan-{ifname}' - - config_files = [config_wwan, config_wwan_chat, script_wwan_pre_up, - script_wwan_ip_up, script_wwan_ip_down] - - # Always hang-up WWAN connection prior generating new configuration file - call(f'systemctl stop ppp@{ifname}.service') - - if 'deleted' in wwan: - # Delete PPP configuration files - for file in config_files: - if os.path.exists(file): - os.unlink(file) - - else: - wwan['device'] = find_device_file(wwan['device']) - - # Create PPP configuration files - render(config_wwan, 'wwan/peer.tmpl', wwan) - # Create PPP chat script - render(config_wwan_chat, 'wwan/chat.tmpl', wwan) - - # generated script file must be executable - - # Create script for ip-pre-up.d - render(script_wwan_pre_up, 
'wwan/ip-pre-up.script.tmpl', - wwan, permission=0o755) - # Create script for ip-up.d - render(script_wwan_ip_up, 'wwan/ip-up.script.tmpl', - wwan, permission=0o755) - # Create script for ip-down.d - render(script_wwan_ip_down, 'wwan/ip-down.script.tmpl', - wwan, permission=0o755) - - return None - -def apply(wwan): - if 'deleted' in wwan: - # bail out early - return None - - if not 'disable' in wwan: - # "dial" WWAN connection - call('systemctl start ppp@{ifname}.service'.format(**wwan)) - - return None - -if __name__ == '__main__': - try: - check_kmod(k_mod) - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/interfaces-wwan.py b/src/conf_mode/interfaces-wwan.py new file mode 100755 index 000000000..31c599145 --- /dev/null +++ b/src/conf_mode/interfaces-wwan.py 
@@ -0,0 +1,105 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2020-2021 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import os + +from sys import exit + +from vyos.config import Config +from vyos.configdict import get_interface_dict +from vyos.configverify import verify_authentication +from vyos.configverify import verify_interface_exists +from vyos.configverify import verify_vrf +from vyos.ifconfig import WWANIf +from vyos.util import cmd +from vyos.util import dict_search +from vyos.template import render +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +def get_config(config=None): + """ + Retrive CLI config as dictionary. Dictionary can never be empty, as at least the + interface name will be added or a deleted flag + """ + if config: + conf = config + else: + conf = Config() + base = ['interfaces', 'wwan'] + wwan = get_interface_dict(conf, base) + + return wwan + +def verify(wwan): + if 'deleted' in wwan: + return None + + ifname = wwan['ifname'] + if not 'apn' in wwan: + raise ConfigError(f'No APN configured for "{ifname}"!') + + verify_interface_exists(ifname) + verify_authentication(wwan) + verify_vrf(wwan) + + return None + +def generate(wwan): + return None + +def apply(wwan): + # we only need the modem number. 
wwan0 -> 0, wwan1 -> 1 + modem = wwan['ifname'].lstrip('wwan') + base_cmd = f'mmcli --modem {modem}' + # Number of bearers is limited - always disconnect first + cmd(f'{base_cmd} --simple-disconnect') + + w = WWANIf(wwan['ifname']) + if 'deleted' in wwan or 'disable' in wwan: + w.remove() + return None + + ip_type = 'ipv4' + slaac = dict_search('ipv6.address.autoconf', wwan) != None + if 'address' in wwan: + if 'dhcp' in wwan['address'] and ('dhcpv6' in wwan['address'] or slaac): + ip_type = 'ipv4v6' + elif 'dhcpv6' in wwan['address'] or slaac: + ip_type = 'ipv6' + elif 'dhcp' in wwan['address']: + ip_type = 'ipv4' + + options = f'ip-type={ip_type},apn=' + wwan['apn'] + if 'authentication' in wwan: + options += ',user={user},password={password}'.format(**wwan['authentication']) + + command = f'{base_cmd} --simple-connect="{options}"' + cmd(command) + w.update(wwan) + + return None + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/ipsec-settings.py b/src/conf_mode/ipsec-settings.py deleted file mode 100755 index a65e8b567..000000000 --- a/src/conf_mode/ipsec-settings.py +++ /dev/null 
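Review bot: In `apply()` of the new interfaces-wwan.py the user name and password are interpolated into `options` and then into a shell-style command string, `cmd(f'{base_cmd} --simple-connect="{options}"')`, so a credential containing `"`, `,` or `$` breaks the mmcli argument (or is reinterpreted by the shell, if `cmd` goes through one — its implementation is not visible here), and the password is exposed to every local user via the process list for the lifetime of the mmcli call. Quoting with `shlex.quote(options)` addresses the first issue; whether the second can be avoided depends on what mmcli offers, so at minimum a comment `# NOTE: credentials are visible in the process list while mmcli runs` should record the exposure. The `# we only need the modem number.` comment describes `lstrip('wwan')`, which strips a character set rather than a prefix; `wwan['ifname'][len('wwan'):]` expresses the intent precisely. `apply()` is complete within this hunk.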
@@ -1,230 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2018-2020 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. - -import re -import os - -from time import sleep -from sys import exit - -from vyos.config import Config -from vyos import ConfigError -from vyos.util import call -from vyos.template import render - -from vyos import airbag -airbag.enable() - -ra_conn_name = "remote-access" -charon_conf_file = "/etc/strongswan.d/charon.conf" -ipsec_secrets_file = "/etc/ipsec.secrets" -ipsec_ra_conn_dir = "/etc/ipsec.d/tunnels/" -ipsec_ra_conn_file = ipsec_ra_conn_dir + ra_conn_name -ipsec_conf_file = "/etc/ipsec.conf" -ca_cert_path = "/etc/ipsec.d/cacerts" -server_cert_path = "/etc/ipsec.d/certs" -server_key_path = "/etc/ipsec.d/private" -delim_ipsec_l2tp_begin = "### VyOS L2TP VPN Begin ###" -delim_ipsec_l2tp_end = "### VyOS L2TP VPN End ###" -charon_pidfile = "/var/run/charon.pid" - -def get_config(config=None): - if config: - config = config - else: - config = Config() - data = {"install_routes": "yes"} - - if config.exists("vpn ipsec options disable-route-autoinstall"): - data["install_routes"] = "no" - - if config.exists("vpn ipsec ipsec-interfaces interface"): - data["ipsec_interfaces"] = config.return_values("vpn ipsec ipsec-interfaces interface") - - # Init config variables - data["delim_ipsec_l2tp_begin"] = delim_ipsec_l2tp_begin - data["delim_ipsec_l2tp_end"] = delim_ipsec_l2tp_end - 
data["ipsec_ra_conn_file"] = ipsec_ra_conn_file - data["ra_conn_name"] = ra_conn_name - # Get l2tp ipsec settings - data["ipsec_l2tp"] = False - conf_ipsec_command = "vpn l2tp remote-access ipsec-settings " #last space is useful - if config.exists(conf_ipsec_command): - data["ipsec_l2tp"] = True - - # Authentication params - if config.exists(conf_ipsec_command + "authentication mode"): - data["ipsec_l2tp_auth_mode"] = config.return_value(conf_ipsec_command + "authentication mode") - if config.exists(conf_ipsec_command + "authentication pre-shared-secret"): - data["ipsec_l2tp_secret"] = config.return_value(conf_ipsec_command + "authentication pre-shared-secret") - - # mode x509 - if config.exists(conf_ipsec_command + "authentication x509 ca-cert-file"): - data["ipsec_l2tp_x509_ca_cert_file"] = config.return_value(conf_ipsec_command + "authentication x509 ca-cert-file") - if config.exists(conf_ipsec_command + "authentication x509 crl-file"): - data["ipsec_l2tp_x509_crl_file"] = config.return_value(conf_ipsec_command + "authentication x509 crl-file") - if config.exists(conf_ipsec_command + "authentication x509 server-cert-file"): - data["ipsec_l2tp_x509_server_cert_file"] = config.return_value(conf_ipsec_command + "authentication x509 server-cert-file") - data["server_cert_file_copied"] = server_cert_path+"/"+re.search('\w+(?:\.\w+)*$', config.return_value(conf_ipsec_command + "authentication x509 server-cert-file")).group(0) - if config.exists(conf_ipsec_command + "authentication x509 server-key-file"): - data["ipsec_l2tp_x509_server_key_file"] = config.return_value(conf_ipsec_command + "authentication x509 server-key-file") - data["server_key_file_copied"] = server_key_path+"/"+re.search('\w+(?:\.\w+)*$', config.return_value(conf_ipsec_command + "authentication x509 server-key-file")).group(0) - if config.exists(conf_ipsec_command + "authentication x509 server-key-password"): - data["ipsec_l2tp_x509_server_key_password"] = config.return_value(conf_ipsec_command + 
"authentication x509 server-key-password") - - # Common l2tp ipsec params - if config.exists(conf_ipsec_command + "ike-lifetime"): - data["ipsec_l2tp_ike_lifetime"] = config.return_value(conf_ipsec_command + "ike-lifetime") - else: - data["ipsec_l2tp_ike_lifetime"] = "3600" - - if config.exists(conf_ipsec_command + "lifetime"): - data["ipsec_l2tp_lifetime"] = config.return_value(conf_ipsec_command + "lifetime") - else: - data["ipsec_l2tp_lifetime"] = "3600" - - if config.exists("vpn l2tp remote-access outside-address"): - data['outside_addr'] = config.return_value('vpn l2tp remote-access outside-address') - - return data - -def write_ipsec_secrets(c): - if c.get("ipsec_l2tp_auth_mode") == "pre-shared-secret": - secret_txt = "{0}\n{1} %any : PSK \"{2}\"\n{3}\n".format(delim_ipsec_l2tp_begin, c['outside_addr'], c['ipsec_l2tp_secret'], delim_ipsec_l2tp_end) - elif c.get("ipsec_l2tp_auth_mode") == "x509": - secret_txt = "{0}\n: RSA {1}\n{2}\n".format(delim_ipsec_l2tp_begin, c['server_key_file_copied'], delim_ipsec_l2tp_end) - - old_umask = os.umask(0o077) - with open(ipsec_secrets_file, 'a+') as f: - f.write(secret_txt) - os.umask(old_umask) - -def write_ipsec_conf(c): - ipsec_confg_txt = "{0}\ninclude {1}\n{2}\n".format(delim_ipsec_l2tp_begin, ipsec_ra_conn_file, delim_ipsec_l2tp_end) - - old_umask = os.umask(0o077) - with open(ipsec_conf_file, 'a+') as f: - f.write(ipsec_confg_txt) - os.umask(old_umask) - -### Remove config from file by delimiter -def remove_confs(delim_begin, delim_end, conf_file): - call("sed -i '/"+delim_begin+"/,/"+delim_end+"/d' "+conf_file) - - -### Checking certificate storage and notice if certificate not in /config directory -def check_cert_file_store(cert_name, file_path, dts_path): - if not re.search('^\/config\/.+', file_path): - print("Warning: \"" + file_path + "\" lies outside of /config/auth directory. 
It will not get preserved during image upgrade.") - #Checking file existence - if not os.path.isfile(file_path): - raise ConfigError("L2TP VPN configuration error: Invalid "+cert_name+" \""+file_path+"\"") - else: - ### Cpy file to /etc/ipsec.d/certs/ /etc/ipsec.d/cacerts/ - # todo make check - ret = call('cp -f '+file_path+' '+dts_path) - if ret: - raise ConfigError("L2TP VPN configuration error: Cannot copy "+file_path) - -def verify(data): - # l2tp ipsec check - if data["ipsec_l2tp"]: - # Checking dependecies for "authentication mode pre-shared-secret" - if data.get("ipsec_l2tp_auth_mode") == "pre-shared-secret": - if not data.get("ipsec_l2tp_secret"): - raise ConfigError("pre-shared-secret required") - if not data.get("outside_addr"): - raise ConfigError("outside-address not defined") - - # Checking dependecies for "authentication mode x509" - if data.get("ipsec_l2tp_auth_mode") == "x509": - if not data.get("ipsec_l2tp_x509_server_key_file"): - raise ConfigError("L2TP VPN configuration error: \"server-key-file\" not defined.") - else: - check_cert_file_store("server-key-file", data['ipsec_l2tp_x509_server_key_file'], server_key_path) - - if not data.get("ipsec_l2tp_x509_server_cert_file"): - raise ConfigError("L2TP VPN configuration error: \"server-cert-file\" not defined.") - else: - check_cert_file_store("server-cert-file", data['ipsec_l2tp_x509_server_cert_file'], server_cert_path) - - if not data.get("ipsec_l2tp_x509_ca_cert_file"): - raise ConfigError("L2TP VPN configuration error: \"ca-cert-file\" must be defined for X.509") - else: - check_cert_file_store("ca-cert-file", data['ipsec_l2tp_x509_ca_cert_file'], ca_cert_path) - - if not data.get('ipsec_interfaces'): - raise ConfigError("L2TP VPN configuration error: \"vpn ipsec ipsec-interfaces\" must be specified.") - -def generate(data): - render(charon_conf_file, 'ipsec/charon.tmpl', data) - - if data["ipsec_l2tp"]: - remove_confs(delim_ipsec_l2tp_begin, delim_ipsec_l2tp_end, ipsec_secrets_file) - # 
old_umask = os.umask(0o077) - # render(ipsec_secrets_file, 'ipsec/ipsec.secrets.tmpl', data) - # os.umask(old_umask) - ## Use this method while IPSec CLI handler won't be overwritten to python - write_ipsec_secrets(data) - - old_umask = os.umask(0o077) - - # Create tunnels directory if does not exist - if not os.path.exists(ipsec_ra_conn_dir): - os.makedirs(ipsec_ra_conn_dir) - - render(ipsec_ra_conn_file, 'ipsec/remote-access.tmpl', data) - os.umask(old_umask) - - remove_confs(delim_ipsec_l2tp_begin, delim_ipsec_l2tp_end, ipsec_conf_file) - # old_umask = os.umask(0o077) - # render(ipsec_conf_file, 'ipsec/ipsec.conf.tmpl', data) - # os.umask(old_umask) - ## Use this method while IPSec CLI handler won't be overwritten to python - write_ipsec_conf(data) - - else: - if os.path.exists(ipsec_ra_conn_file): - remove_confs(delim_ipsec_l2tp_begin, delim_ipsec_l2tp_end, ipsec_ra_conn_file) - remove_confs(delim_ipsec_l2tp_begin, delim_ipsec_l2tp_end, ipsec_secrets_file) - remove_confs(delim_ipsec_l2tp_begin, delim_ipsec_l2tp_end, ipsec_conf_file) - -def restart_ipsec(): - call('ipsec restart >&/dev/null') - # counter for apply swanctl config - counter = 10 - while counter <= 10: - if os.path.exists(charon_pidfile): - call('swanctl -q >&/dev/null') - break - counter -=1 - sleep(1) - if counter == 0: - raise ConfigError('VPN configuration error: IPSec is not running.') - -def apply(data): - # Restart IPSec daemon - restart_ipsec() - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/le_cert.py b/src/conf_mode/le_cert.py index 755c89966..6e169a3d5 100755 --- a/src/conf_mode/le_cert.py +++ b/src/conf_mode/le_cert.py @@ -22,6 +22,7 @@ from vyos.config import Config from vyos import ConfigError from vyos.util import cmd from vyos.util import call +from vyos.util import is_systemd_service_running from vyos import airbag airbag.enable() 
@@ -87,8 +88,7 @@ def generate(cert):
 # certbot will attempt to reload nginx, even with 'certonly';
 # start nginx if not active
- ret = call('systemctl is-active --quiet nginx.service')
- if ret:
+ if not is_systemd_service_running('nginx.service'):
 call('systemctl start nginx.service')
 request_certbot(cert)
diff --git a/src/conf_mode/pki.py b/src/conf_mode/pki.py
new file mode 100755
index 000000000..ef1b57650
--- /dev/null
+++ b/src/conf_mode/pki.py
@@ -0,0 +1,167 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2021 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +from sys import exit + +from vyos.config import Config +from vyos.configdict import dict_merge +from vyos.pki import is_ca_certificate +from vyos.pki import load_certificate +from vyos.pki import load_certificate_request +from vyos.pki import load_public_key +from vyos.pki import load_private_key +from vyos.pki import load_crl +from vyos.pki import load_dh_parameters +from vyos.util import ask_input +from vyos.xml import defaults +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + base = ['pki'] + if not conf.exists(base): + return None + + pki = conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True, no_tag_node_value_mangle=True) + + default_values = defaults(base) + pki = dict_merge(default_values, pki) + return pki + +def is_valid_certificate(raw_data): + # If it loads correctly we're good, or return False + return load_certificate(raw_data, wrap_tags=True) + +def is_valid_ca_certificate(raw_data): + # Check if this is a valid certificate with CA attributes + cert = load_certificate(raw_data, wrap_tags=True) + if not cert: + return False + return is_ca_certificate(cert) + +def is_valid_public_key(raw_data): + # If it loads correctly we're good, or return 
False + return load_public_key(raw_data, wrap_tags=True) + +def is_valid_private_key(raw_data, protected=False): + # If it loads correctly we're good, or return False + # With encrypted private keys, we always return true as we cannot ask for password to verify + if protected: + return True + return load_private_key(raw_data, passphrase=None, wrap_tags=True) + +def is_valid_crl(raw_data): + # If it loads correctly we're good, or return False + return load_crl(raw_data, wrap_tags=True) + +def is_valid_dh_parameters(raw_data): + # If it loads correctly we're good, or return False + return load_dh_parameters(raw_data, wrap_tags=True) + +def verify(pki): + if not pki: + return None + + if 'ca' in pki: + for name, ca_conf in pki['ca'].items(): + if 'certificate' in ca_conf: + if not is_valid_ca_certificate(ca_conf['certificate']): + raise ConfigError(f'Invalid certificate on CA certificate "{name}"') + + if 'private' in ca_conf and 'key' in ca_conf['private']: + private = ca_conf['private'] + protected = 'password_protected' in private + + if not is_valid_private_key(private['key'], protected): + raise ConfigError(f'Invalid private key on CA certificate "{name}"') + + if 'crl' in ca_conf: + ca_crls = ca_conf['crl'] + if isinstance(ca_crls, str): + ca_crls = [ca_crls] + + for crl in ca_crls: + if not is_valid_crl(crl): + raise ConfigError(f'Invalid CRL on CA certificate "{name}"') + + if 'certificate' in pki: + for name, cert_conf in pki['certificate'].items(): + if 'certificate' in cert_conf: + if not is_valid_certificate(cert_conf['certificate']): + raise ConfigError(f'Invalid certificate on certificate "{name}"') + + if 'private' in cert_conf and 'key' in cert_conf['private']: + private = cert_conf['private'] + protected = 'password_protected' in private + + if not is_valid_private_key(private['key'], protected): + raise ConfigError(f'Invalid private key on certificate "{name}"') + + if 'dh' in pki: + for name, dh_conf in pki['dh'].items(): + if 'parameters' in 
dh_conf: + if not is_valid_dh_parameters(dh_conf['parameters']): + raise ConfigError(f'Invalid DH parameters on "{name}"') + + if 'key_pair' in pki: + for name, key_conf in pki['key_pair'].items(): + if 'public' in key_conf and 'key' in key_conf['public']: + if not is_valid_public_key(key_conf['public']['key']): + raise ConfigError(f'Invalid public key on key-pair "{name}"') + + if 'private' in key_conf and 'key' in key_conf['private']: + private = key_conf['private'] + protected = 'password_protected' in private + if not is_valid_private_key(private['key'], protected): + raise ConfigError(f'Invalid private key on key-pair "{name}"') + + if 'x509' in pki: + if 'default' in pki['x509']: + default_values = pki['x509']['default'] + if 'country' in default_values: + country = default_values['country'] + if len(country) != 2 or not country.isalpha(): + raise ConfigError(f'Invalid default country value. Value must be 2 alpha characters.') + + return None + +def generate(pki): + if not pki: + return None + + return None + +def apply(pki): + if not pki: + return None + + return None + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/protocols_bfd.py b/src/conf_mode/protocols_bfd.py index dd70d6bab..348bae59f 100755 --- a/src/conf_mode/protocols_bfd.py +++ b/src/conf_mode/protocols_bfd.py @@ -102,12 +102,6 @@ def apply(bfd): frr_cfg.add_before(r'(ip prefix-list .*|route-map .*|line vty)', bfd['new_frr_config']) frr_cfg.commit_configuration() - # If FRR config is blank, rerun the blank commit x times due to frr-reload - # behavior/bug not properly clearing out on one commit. - if bfd['new_frr_config'] == '': - for a in range(5): - frr_cfg.commit_configuration() - return None if __name__ == '__main__': diff --git a/src/conf_mode/protocols_bgp.py b/src/conf_mode/protocols_bgp.py index 74253c2d7..9ecfd07fe 100755 --- a/src/conf_mode/protocols_bgp.py 
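Review bot: The default-country check in verify() accepts any two Unicode letters because `str.isalpha()` is not ASCII-only, and its message is an f-string with no placeholders; ISO 3166-1 alpha-2 codes are ASCII, so `if len(country) != 2 or not (country.isascii() and country.isalpha()):` with a plain string message is the tighter check. Separately, is_valid_private_key() returns True for any password-protected key without parsing it, as its comment notes, so a corrupt protected key is only discovered when a consumer tries to use it; a docstring sentence stating that the content is unverified in that case would help callers. The is_valid_* helpers return the parsed object rather than a bool, which works for truthiness but is worth stating in their comments.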
+++ b/src/conf_mode/protocols_bgp.py @@ -57,6 +57,11 @@ def get_config(config=None): if not conf.exists(base): bgp.update({'deleted' : ''}) + if not vrf: + # We are running in the default VRF context, thus we can not delete + # our main BGP instance if there are dependent BGP VRF instances. + bgp['dependent_vrfs'] = conf.get_config_dict(['vrf', 'name'], + key_mangling=('-', '_'), get_first_key=True, no_tag_node_value_mangle=True) return bgp # We also need some additional information from the config, prefix-lists @@ -88,10 +93,19 @@ def verify_remote_as(peer_config, bgp_config): tmp = dict_search(f'peer_group.{peer_group_name}.remote_as', bgp_config) if tmp: return tmp + if 'v6only' in peer_config['interface']: + if 'remote_as' in peer_config['interface']['v6only']: + return peer_config['interface']['v6only']['remote_as'] + return None def verify(bgp): if not bgp or 'deleted' in bgp: + if 'dependent_vrfs' in bgp: + for vrf, vrf_options in bgp['dependent_vrfs'].items(): + if dict_search('protocols.bgp', vrf_options) != None: + raise ConfigError('Cannot delete default BGP instance, ' \ + 'dependent VRF instance(s) exist!') return None if 'local_as' not in bgp: @@ -267,15 +281,6 @@ def apply(bgp): frr_cfg.add_before(r'(ip prefix-list .*|route-map .*|line vty)', bgp['frr_bgpd_config']) frr_cfg.commit_configuration(bgp_daemon) - # If FRR config is blank, re-run the blank commit x times due to frr-reload - # behavior/bug not properly clearing out on one commit. - if bgp['frr_bgpd_config'] == '': - for a in range(5): - frr_cfg.commit_configuration(bgp_daemon) - if bgp['frr_zebra_config'] == '': - for a in range(5): - frr_cfg.commit_configuration(zebra_daemon) - # Save configuration to /run/frr/config/frr.conf frr.save_configuration() diff --git a/src/conf_mode/protocols_isis.py b/src/conf_mode/protocols_isis.py index ef21e0055..d4c82249b 100755 --- a/src/conf_mode/protocols_isis.py +++ b/src/conf_mode/protocols_isis.py 
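Review bot: The new v6only lookup in verify_remote_as() indexes `peer_config['interface']` directly; unless it sits inside an existing `'interface' in peer_config` guard that the hunk does not show, a neighbor addressed by IP raises KeyError instead of reaching `return None`. Using the helper already called two lines above avoids the question: `tmp = dict_search('interface.v6only.remote_as', peer_config)` followed by `if tmp: return tmp`. In verify(), `!= None` should be `is not None`. Both verify_remote_as() and verify() continue outside the hunk.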
@@ -128,9 +128,11 @@ def verify(isis): raise ConfigError(f'Interface {interface} is not a member of VRF {vrf}!') # If md5 and plaintext-password set at the same time - if 'area_password' in isis: - if {'md5', 'plaintext_password'} <= set(isis['encryption']): - raise ConfigError('Can not use both md5 and plaintext-password for ISIS area-password!') + for password in ['area_password', 'domain_password']: + if password in isis: + if {'md5', 'plaintext_password'} <= set(isis[password]): + tmp = password.replace('_', '-') + raise ConfigError(f'Can use either md5 or plaintext-password for {tmp}!') # If one param from delay set, but not set others if 'spf_delay_ietf' in isis: @@ -147,7 +149,7 @@ def verify(isis): # If Redistribute set, but level don't set if 'redistribute' in isis: proc_level = isis.get('level','').replace('-','_') - for afi in ['ipv4']: + for afi in ['ipv4', 'ipv6']: if afi not in isis['redistribute']: continue @@ -196,7 +198,7 @@ def generate(isis): isis['protocol'] = 'isis' # required for frr/vrf.route-map.frr.tmpl isis['frr_zebra_config'] = render_to_string('frr/vrf.route-map.frr.tmpl', isis) - isis['frr_isisd_config'] = render_to_string('frr/isis.frr.tmpl', isis) + isis['frr_isisd_config'] = render_to_string('frr/isisd.frr.tmpl', isis) return None def apply(isis): @@ -230,15 +232,6 @@ def apply(isis): frr_cfg.add_before(r'(ip prefix-list .*|route-map .*|line vty)', isis['frr_isisd_config']) frr_cfg.commit_configuration(isis_daemon) - # If FRR config is blank, rerun the blank commit x times due to frr-reload - # behavior/bug not properly clearing out on one commit. - if isis['frr_isisd_config'] == '': - for a in range(5): - frr_cfg.commit_configuration(isis_daemon) - if isis['frr_zebra_config'] == '': - for a in range(5): - frr_cfg.commit_configuration(zebra_daemon) - # Save configuration to /run/frr/config/frr.conf frr.save_configuration() 
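Review bot: The new error text in verify(), `Can use either md5 or plaintext-password for {tmp}!`, no longer states what is wrong; the condition fires when both are set, so the previous wording `Can not use both md5 and plaintext-password for {tmp}!` is the actual diagnosis. The loop also relies on `isis[password]` being a dict whose keys are fed to set(); if either node could arrive as a leaf string, set() would be built from its characters — worth confirming against the interface definition. verify() continues outside the hunk.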
diff --git a/src/conf_mode/protocols_nhrp.py b/src/conf_mode/protocols_nhrp.py
new file mode 100755
index 000000000..12dacdba0
--- /dev/null
+++ b/src/conf_mode/protocols_nhrp.py
@@ -0,0 +1,122 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2021 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +from vyos.config import Config +from vyos.configdict import node_changed +from vyos.template import render +from vyos.util import process_named_running +from vyos.util import run +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +opennhrp_conf = '/run/opennhrp/opennhrp.conf' + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + base = ['protocols', 'nhrp'] + + nhrp = conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True, no_tag_node_value_mangle=True) + nhrp['del_tunnels'] = node_changed(conf, base + ['tunnel'], key_mangling=('-', '_')) + + if not conf.exists(base): + return nhrp + + nhrp['if_tunnel'] = conf.get_config_dict(['interfaces', 'tunnel'], key_mangling=('-', '_'), + get_first_key=True, no_tag_node_value_mangle=True) + + nhrp['profile_map'] = {} + profile = conf.get_config_dict(['vpn', 'ipsec', 'profile'], key_mangling=('-', '_'), + get_first_key=True, no_tag_node_value_mangle=True) + + for name, profile_conf in profile.items(): + if 'bind' in profile_conf and 'tunnel' in profile_conf['bind']: + interfaces = profile_conf['bind']['tunnel'] + if isinstance(interfaces, str): + interfaces = [interfaces] + for interface in interfaces: + nhrp['profile_map'][interface] = name + + return nhrp + +def 
verify(nhrp): + if 'tunnel' in nhrp: + for name, nhrp_conf in nhrp['tunnel'].items(): + if not nhrp['if_tunnel'] or name not in nhrp['if_tunnel']: + raise ConfigError(f'Tunnel interface "{name}" does not exist') + + tunnel_conf = nhrp['if_tunnel'][name] + + if 'encapsulation' not in tunnel_conf or tunnel_conf['encapsulation'] != 'gre': + raise ConfigError(f'Tunnel "{name}" is not an mGRE tunnel') + + if 'remote' in tunnel_conf: + raise ConfigError(f'Tunnel "{name}" cannot have a remote address defined') + + if 'map' in nhrp_conf: + for map_name, map_conf in nhrp_conf['map'].items(): + if 'nbma_address' not in map_conf: + raise ConfigError(f'nbma-address missing on map {map_name} on tunnel {name}') + + if 'dynamic_map' in nhrp_conf: + for map_name, map_conf in nhrp_conf['dynamic_map'].items(): + if 'nbma_domain_name' not in map_conf: + raise ConfigError(f'nbma-domain-name missing on dynamic-map {map_name} on tunnel {name}') + return None + +def generate(nhrp): + render(opennhrp_conf, 'nhrp/opennhrp.conf.tmpl', nhrp) + return None + +def apply(nhrp): + if 'tunnel' in nhrp: + for tunnel, tunnel_conf in nhrp['tunnel'].items(): + if 'source_address' in tunnel_conf: + chain = f'VYOS_NHRP_{tunnel}_OUT_HOOK' + source_address = tunnel_conf['source_address'] + + chain_exists = run(f'sudo iptables --check {chain} -j RETURN') == 0 + if not chain_exists: + run(f'sudo iptables --new {chain}') + run(f'sudo iptables --append {chain} -p gre -s {source_address} -d 224.0.0.0/4 -j DROP') + run(f'sudo iptables --append {chain} -j RETURN') + run(f'sudo iptables --insert OUTPUT 2 -j {chain}') + + for tunnel in nhrp['del_tunnels']: + chain = f'VYOS_NHRP_{tunnel}_OUT_HOOK' + chain_exists = run(f'sudo iptables --check {chain} -j RETURN') == 0 + if chain_exists: + run(f'sudo iptables --delete OUTPUT -j {chain}') + run(f'sudo iptables --flush {chain}') + run(f'sudo iptables --delete-chain {chain}') + + action = 'restart' if nhrp and 'tunnel' in nhrp else 'stop' + run(f'systemctl {action} 
opennhrp') + return None + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/protocols_ospf.py b/src/conf_mode/protocols_ospf.py index 21eb8e447..78c1c82bd 100755 --- a/src/conf_mode/protocols_ospf.py +++ b/src/conf_mode/protocols_ospf.py @@ -211,15 +211,6 @@ def apply(ospf): frr_cfg.add_before(r'(ip prefix-list .*|route-map .*|line vty)', ospf['frr_ospfd_config']) frr_cfg.commit_configuration(ospf_daemon) - # If FRR config is blank, rerun the blank commit x times due to frr-reload - # behavior/bug not properly clearing out on one commit. - if ospf['frr_ospfd_config'] == '': - for a in range(5): - frr_cfg.commit_configuration(ospf_daemon) - if ospf['frr_zebra_config'] == '': - for a in range(5): - frr_cfg.commit_configuration(zebra_daemon) - # Save configuration to /run/frr/config/frr.conf frr.save_configuration() diff --git a/src/conf_mode/protocols_ospfv3.py b/src/conf_mode/protocols_ospfv3.py index 1964e9d34..fef0f509b 100755 --- a/src/conf_mode/protocols_ospfv3.py +++ b/src/conf_mode/protocols_ospfv3.py @@ -86,12 +86,6 @@ def apply(ospfv3): frr_cfg.add_before(r'(ip prefix-list .*|route-map .*|line vty)', ospfv3['new_frr_config']) frr_cfg.commit_configuration(frr_daemon) - # If FRR config is blank, re-run the blank commit x times due to frr-reload - # behavior/bug not properly clearing out on one commit. - if ospfv3['new_frr_config'] == '': - for a in range(5): - frr_cfg.commit_configuration(frr_daemon) - # Save configuration to /run/frr/config/frr.conf frr.save_configuration() diff --git a/src/conf_mode/protocols_rip.py b/src/conf_mode/protocols_rip.py index 907ac54ac..e56eb1f56 100755 --- a/src/conf_mode/protocols_rip.py +++ b/src/conf_mode/protocols_rip.py 
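Review bot: In apply(), every mutating iptables invocation goes through run() with its exit status discarded, so a failed `--new` or `--append` leaves the chain half-built while a later commit's `--check ... -j RETURN` probe can still report it as present; using `cmd()` for the create/append/insert/delete calls (as system_sysctl.py in this change does) would surface such failures as errors. The DROP rule's intent is not visible from the code — a one-line comment above it stating why GRE from the tunnel source to 224.0.0.0/4 is dropped would help the next maintainer. verify() never checks `source_address`, which is interpolated into that command line, so a format check there keeps the shell argument well-formed. For consistency with the other new conf_mode scripts here, `from sys import exit` is missing.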
@@ -117,12 +117,6 @@ def apply(rip): frr_cfg.add_before(r'(ip prefix-list .*|route-map .*|line vty)', rip['new_frr_config']) frr_cfg.commit_configuration(rip_daemon) - # If FRR config is blank, rerun the blank commit x times due to frr-reload - # behavior/bug not properly clearing out on one commit. - if rip['new_frr_config'] == '': - for a in range(5): - frr_cfg.commit_configuration(rip_daemon) - # Save configuration to /run/frr/config/frr.conf frr.save_configuration() diff --git a/src/conf_mode/protocols_ripng.py b/src/conf_mode/protocols_ripng.py index 44c080546..aaec5dacb 100755 --- a/src/conf_mode/protocols_ripng.py +++ b/src/conf_mode/protocols_ripng.py @@ -108,12 +108,6 @@ def apply(ripng): frr_cfg.add_before(r'(ip prefix-list .*|route-map .*|line vty)', ripng['new_frr_config']) frr_cfg.commit_configuration(frr_daemon) - # If FRR config is blank, rerun the blank commit x times due to frr-reload - # behavior/bug not properly clearing out on one commit. - if ripng['new_frr_config'] == '': - for a in range(5): - frr_cfg.commit_configuration(frr_daemon) - # Save configuration to /run/frr/config/frr.conf frr.save_configuration() diff --git a/src/conf_mode/protocols_rpki.py b/src/conf_mode/protocols_rpki.py index d8f99efb8..947c8ab7a 100755 --- a/src/conf_mode/protocols_rpki.py +++ b/src/conf_mode/protocols_rpki.py @@ -90,12 +90,6 @@ def apply(rpki): frr_cfg.add_before(r'(ip prefix-list .*|route-map .*|line vty)', rpki['new_frr_config']) frr_cfg.commit_configuration(frr_daemon) - # If FRR config is blank, re-run the blank commit x times due to frr-reload - # behavior/bug not properly clearing out on one commit. - if rpki['new_frr_config'] == '': - for a in range(5): - frr_cfg.commit_configuration(frr_daemon) - return None if __name__ == '__main__': diff --git a/src/conf_mode/protocols_static.py b/src/conf_mode/protocols_static.py index 1d45cb71c..338247e30 100755 --- a/src/conf_mode/protocols_static.py +++ b/src/conf_mode/protocols_static.py 
@@ -107,12 +107,6 @@ def apply(static): frr_cfg.add_before(r'(interface .*|line vty)', static['new_frr_config']) frr_cfg.commit_configuration(static_daemon) - # If FRR config is blank, rerun the blank commit x times due to frr-reload - # behavior/bug not properly clearing out on one commit. - if static['new_frr_config'] == '': - for a in range(5): - frr_cfg.commit_configuration(static_daemon) - # Save configuration to /run/frr/config/frr.conf frr.save_configuration() diff --git a/src/conf_mode/service_mdns-repeater.py b/src/conf_mode/service_mdns-repeater.py index 729518c96..c920920ed 100755 --- a/src/conf_mode/service_mdns-repeater.py +++ b/src/conf_mode/service_mdns-repeater.py @@ -16,10 +16,12 @@ import os +from json import loads from sys import exit from netifaces import ifaddresses, interfaces, AF_INET from vyos.config import Config +from vyos.ifconfig.vrrp import VRRP from vyos.template import render from vyos.util import call from vyos import ConfigError @@ -27,6 +29,7 @@ from vyos import airbag airbag.enable() config_file = r'/etc/default/mdns-repeater' +vrrp_running_file = '/run/mdns_vrrp_active' def get_config(config=None): if config: @@ -35,6 +38,9 @@ def get_config(config=None): conf = Config() base = ['service', 'mdns', 'repeater'] mdns = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) + + if mdns: + mdns['vrrp_exists'] = conf.exists('high-availability vrrp') return mdns def verify(mdns): @@ -60,6 +66,18 @@ def verify(mdns): return None +# Get VRRP states from interfaces, returns only interfaces where state is MASTER +def get_vrrp_master(interfaces): + json_data = loads(VRRP.collect('json')) + for group in json_data: + if 'data' in group: + if 'ifp_ifname' in group['data']: + iface = group['data']['ifp_ifname'] + state = group['data']['state'] # 2 = Master + if iface in interfaces and state != 2: + interfaces.remove(iface) + return interfaces + def generate(mdns): if not mdns: return None 
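Review bot: get_vrrp_master() reads `group['data']['state']` unguarded after only checking for `ifp_ifname`, so a VRRP group record without a `state` key raises KeyError during generate(); `state = group['data'].get('state')` keeps the filter tolerant. The function also removes entries from the list it was handed and returns that same object, so the caller's `mdns['interface']` is modified even if the return value is ignored — worth saying in the comment above it, e.g. `# Filters the list in place and returns the same object`. If `mdns['interface']` can arrive as a plain string for a single interface, `interfaces.remove()` would fail there too, though verify() presumably already requires more than one interface. The `# 2 = Master` magic value deserves a named constant if the VRRP module exposes one.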
@@ -68,6 +86,12 @@ def generate(mdns): print('Warning: mDNS repeater will be deactivated because it is disabled') return None + if mdns['vrrp_exists'] and 'vrrp_disable' in mdns: + mdns['interface'] = get_vrrp_master(mdns['interface']) + + if len(mdns['interface']) < 2: + return None + render(config_file, 'mdns-repeater/mdns-repeater.tmpl', mdns) return None @@ -76,7 +100,21 @@ def apply(mdns): call('systemctl stop mdns-repeater.service') if os.path.exists(config_file): os.unlink(config_file) + + if os.path.exists(vrrp_running_file): + os.unlink(vrrp_running_file) else: + if 'vrrp_disable' not in mdns and os.path.exists(vrrp_running_file): + os.unlink(vrrp_running_file) + + if mdns['vrrp_exists'] and 'vrrp_disable' in mdns: + if not os.path.exists(vrrp_running_file): + os.mknod(vrrp_running_file) # vrrp script looks for this file to update mdns repeater + + if len(mdns['interface']) < 2: + call('systemctl stop mdns-repeater.service') + return None + call('systemctl restart mdns-repeater.service') return None diff --git a/src/conf_mode/service_router-advert.py b/src/conf_mode/service_router-advert.py index 65eb11ce3..9afcdd63e 100755 --- a/src/conf_mode/service_router-advert.py +++ b/src/conf_mode/service_router-advert.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2018-2019 VyOS maintainers and contributors +# Copyright (C) 2018-2021 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as 
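Review bot: apply()'s `len(mdns['interface']) < 2` test only sees the VRRP-filtered list because generate() stores get_vrrp_master()'s result back into the same dict earlier in the commit; nothing in apply() says so, so a comment on that line such as `# interface list was already reduced to VRRP MASTER interfaces in generate()` keeps the coupling visible. The exists() guard covers os.mknod() raising on an existing path, but `open(vrrp_running_file, 'a').close()` is the more conventional way to create an empty flag file. generate() and apply() both continue outside the hunk.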
@@ -40,11 +40,14 @@ def get_config(config=None): # We have gathered the dict representation of the CLI, but there are default # options which we need to update into the dictionary retrived. default_interface_values = defaults(base + ['interface']) - # we deal with prefix defaults later on + # we deal with prefix, route defaults later on if 'prefix' in default_interface_values: del default_interface_values['prefix'] + if 'route' in default_interface_values: + del default_interface_values['route'] default_prefix_values = defaults(base + ['interface', 'prefix']) + default_route_values = defaults(base + ['interface', 'route']) if 'interface' in rtradv: for interface in rtradv['interface']: @@ -56,6 +59,11 @@ def get_config(config=None): rtradv['interface'][interface]['prefix'][prefix] = dict_merge( default_prefix_values, rtradv['interface'][interface]['prefix'][prefix]) + if 'route' in rtradv['interface'][interface]: + for route in rtradv['interface'][interface]['route']: + rtradv['interface'][interface]['route'][route] = dict_merge( + default_route_values, rtradv['interface'][interface]['route'][route]) + if 'name_server' in rtradv['interface'][interface]: # always use a list when dealing with nameservers - eases the template generation if isinstance(rtradv['interface'][interface]['name_server'], str): diff --git a/src/conf_mode/snmp.py b/src/conf_mode/snmp.py index 3990e5735..23e45a5b7 100755 --- a/src/conf_mode/snmp.py +++ b/src/conf_mode/snmp.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2018-2020 VyOS maintainers and contributors +# Copyright (C) 2018-2021 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -54,6 +54,7 @@ default_config_data = { 'location' : '', 'description' : '', 'contact' : '', + 'route_table': 'False', 'trap_source': '', 'trap_targets': [], 'vyos_user': '', 
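Review bot: The new default `'route_table': 'False'` is the string 'False', while the enabling branch in the next hunk (`@@ -186,6 +187,9 @@`) assigns the boolean True; any template or comparison that tests the value for truthiness treats the disabled default as enabled, because a non-empty string is truthy. The default should be the boolean `'route_table': False,` so both states share a type.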
@@ -186,6 +187,9 @@ def get_config(): snmp['script_ext'].append(extension) + if conf.exists('oid-enable route-table'): + snmp['route_table'] = True + if conf.exists('vrf'): # Append key to dict but don't place it in the default dictionary. # This is required to make the override.conf.tmpl work until we diff --git a/src/conf_mode/system-login-banner.py b/src/conf_mode/system-login-banner.py index 569010735..a960a4da3 100755 --- a/src/conf_mode/system-login-banner.py +++ b/src/conf_mode/system-login-banner.py @@ -22,11 +22,11 @@ from vyos import airbag airbag.enable() motd=""" -The programs included with the Debian GNU/Linux system are free software; +The programs included with the Debian/VyOS GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. -Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent +Debian/VyOS GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. """ @@ -36,7 +36,7 @@ PRELOGIN_NET_FILE = r'/etc/issue.net' POSTLOGIN_FILE = r'/etc/motd' default_config_data = { - 'issue': 'Welcome to VyOS - \n \l\n', + 'issue': 'Welcome to VyOS - \\n \\l\n', 'issue_net': 'Welcome to VyOS\n', 'motd': motd } diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py index da0fc2a25..f0b92aea8 100755 --- a/src/conf_mode/system-login.py +++ b/src/conf_mode/system-login.py 
@@ -43,12 +43,11 @@ radius_config_file = "/etc/pam_radius_auth.conf" def get_local_users(): """Return list of dynamically allocated users (see Debian Policy Manual)""" local_users = [] - for p in getpwall(): - username = p[0] - uid = getpwnam(username).pw_uid + for s_user in getpwall(): + uid = getpwnam(s_user.pw_name).pw_uid if uid in range(1000, 29999): - if username not in ['radius_user', 'radius_priv_user']: - local_users.append(username) + if s_user.pw_name not in ['radius_user', 'radius_priv_user']: + local_users.append(s_user.pw_name) return local_users @@ -104,7 +103,14 @@ def verify(login): raise ConfigError(f'Attempting to delete current user: {cur_user}') if 'user' in login: + system_users = getpwall() for user, user_config in login['user'].items(): + # Linux system users range up until UID 1000, we can not create a + # VyOS CLI user which already exists as system user + for s_user in system_users: + if s_user.pw_name == user and s_user.pw_uid < 1000: + raise ConfigError(f'User "{user}" can not be created, conflict with local system account!') + for pubkey, pubkey_options in (dict_search('authentication.public_keys', user_config) or {}).items(): if 'type' not in pubkey_options: raise ConfigError(f'Missing type for public-key "{pubkey}"!') diff --git a/src/conf_mode/system-option.py b/src/conf_mode/system-option.py index 454611c55..55cf6b142 100755 --- a/src/conf_mode/system-option.py +++ b/src/conf_mode/system-option.py @@ -24,6 +24,7 @@ from vyos.config import Config from vyos.configdict import dict_merge from vyos.template import render from vyos.util import cmd +from vyos.util import is_systemd_service_running from vyos.validate import is_addr_assigned from vyos.xml import defaults from vyos import ConfigError 
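Review bot: The rewritten get_local_users() still calls `getpwnam(s_user.pw_name).pw_uid` although the struct from getpwall() already carries the uid; `uid = s_user.pw_uid` drops one passwd lookup per user and cannot race with a concurrent account change. In verify(), the conflict test `s_user.pw_uid < 1000` only catches classic system accounts, so a CLI user named after an account above the 1000–29999 range that get_local_users() treats as local (such as `nobody`) would not be rejected; `not (1000 <= s_user.pw_uid < 30000)` aligns the two checks. The inner loop over system_users for every CLI user could be a dict built once, `{u.pw_name: u.pw_uid for u in system_users}`.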
@@ -114,7 +115,7 @@ def apply(options): if 'performance' in options: cmd('systemctl restart tuned.service') # wait until daemon has started before sending configuration - while (int(os.system('systemctl is-active --quiet tuned.service')) != 0): + while (not is_systemd_service_running('tuned.service')): sleep(0.250) cmd('tuned-adm profile network-{performance}'.format(**options)) else: diff --git a/src/conf_mode/system_sysctl.py b/src/conf_mode/system_sysctl.py new file mode 100755 index 000000000..4f16d1ed6 --- /dev/null +++ b/src/conf_mode/system_sysctl.py 
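Review bot: The rewritten wait loop `while (not is_systemd_service_running('tuned.service')): sleep(0.250)` has no upper bound, so if tuned fails to start (bad unit, missing binary) the commit hangs indefinitely instead of failing; a bounded retry that raises ConfigError after a few seconds turns that into a diagnosable error. The parentheses around the condition are also unnecessary in Python. apply() continues outside the hunk.
```python
        cmd('systemctl restart tuned.service')
        # wait until daemon has started before sending configuration,
        # but give up after ~10 s instead of hanging the commit
        for _ in range(40):
            if is_systemd_service_running('tuned.service'):
                break
            sleep(0.250)
        else:
            raise ConfigError('tuned.service did not become active')
        # … unchanged: tuned-adm profile call …
```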
@@ -0,0 +1,73 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2021 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import os
+
+from sys import exit
+
+from vyos.config import Config
+from vyos.template import render
+from vyos.util import cmd
+from vyos import ConfigError
+from vyos import airbag
+airbag.enable()
+
+config_file = r'/run/sysctl/99-vyos-sysctl.conf'
+
+def get_config(config=None):
+ if config:
+ conf = config
+ else:
+ conf = Config()
+ base = ['system', 'sysctl']
+ if not conf.exists(base):
+ return None
+
+ sysctl = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True,
+ no_tag_node_value_mangle=True)
+
+ return sysctl
+
+def verify(sysctl):
+ return None
+
+def generate(sysctl):
+ if not sysctl:
+ if os.path.isfile(config_file):
+ os.unlink(config_file)
+ return None
+
+ render(config_file, 'system/sysctl.conf.tmpl', sysctl)
+ return None
+
+def apply(sysctl):
+ if not sysctl:
+ return None
+
+ # We silently ignore all errors
+ # See: https://bugzilla.redhat.com/show_bug.cgi?id=1264080
+ cmd(f'sysctl -f {config_file}')
+ return None
+
+if __name__ == '__main__':
+ try:
+ c = get_config()
+ verify(c)
+ generate(c)
+ apply(c)
+ except ConfigError as e:
+ print(e)
+ exit(1)
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index 969266c30..d3065fc47 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
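Review bot: apply() says `# We silently ignore all errors` but then runs `cmd(f'sysctl -f {config_file}')`; if cmd() raises on a non-zero exit status the way the call()/run() helpers used elsewhere in this change do not, a single unknown key in the generated file aborts the commit, contradicting the comment — and the referenced Red Hat bug is precisely about sysctl exiting non-zero on such keys. Either switch to `run(f'sysctl -f {config_file}')` or change the comment to say that errors are fatal. verify() is an empty stub, so parameter names and values from the CLI reach sysctl unvalidated; at minimum a comment stating that validation is delegated to the interface definition would document that choice.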
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2020 VyOS maintainers and contributors
+# Copyright (C) 2021 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -14,54 +14,586 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. +import ipaddress import os from sys import exit +from time import sleep +from time import time from vyos.config import Config +from vyos.configdict import leaf_node_changed +from vyos.configverify import verify_interface_exists +from vyos.configdict import dict_merge +from vyos.ifconfig import Interface +from vyos.pki import encode_public_key +from vyos.pki import load_private_key +from vyos.pki import wrap_certificate +from vyos.pki import wrap_crl +from vyos.pki import wrap_public_key +from vyos.pki import wrap_private_key +from vyos.template import ip_from_cidr +from vyos.template import is_ipv4 +from vyos.template import is_ipv6 from vyos.template import render +from vyos.validate import is_ipv6_link_local from vyos.util import call from vyos.util import dict_search +from vyos.util import dict_search_args +from vyos.util import run +from vyos.xml import defaults from vyos import ConfigError from vyos import airbag -from pprint import pprint airbag.enable() +dhcp_wait_attempts = 2 +dhcp_wait_sleep = 1 + +swanctl_dir = '/etc/swanctl' +ipsec_conf = '/etc/ipsec.conf' +ipsec_secrets = '/etc/ipsec.secrets' +charon_conf = '/etc/strongswan.d/charon.conf' +charon_dhcp_conf = '/etc/strongswan.d/charon/dhcp.conf' +charon_radius_conf = '/etc/strongswan.d/charon/eap-radius.conf' +interface_conf = '/etc/strongswan.d/interfaces_use.conf' +swanctl_conf = f'{swanctl_dir}/swanctl.conf' + +default_install_routes = 'yes' + +vici_socket = '/var/run/charon.vici' + +CERT_PATH = f'{swanctl_dir}/x509/' +PUBKEY_PATH = f'{swanctl_dir}/pubkey/' +KEY_PATH = f'{swanctl_dir}/private/' +CA_PATH = f'{swanctl_dir}/x509ca/' +CRL_PATH = f'{swanctl_dir}/x509crl/' + +DHCP_BASE = '/var/lib/dhcp/dhclient' +DHCP_HOOK_IFLIST = '/tmp/ipsec_dhcp_waiting' + def get_config(config=None): if config: conf = config else: conf = Config() - base = 
['vpn', 'nipsec'] + base = ['vpn', 'ipsec'] + l2tp_base = ['vpn', 'l2tp', 'remote-access', 'ipsec-settings'] if not conf.exists(base): return None # retrieve common dictionary keys - ipsec = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) + ipsec = conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True, no_tag_node_value_mangle=True) + + # We have gathered the dict representation of the CLI, but there are default + # options which we need to update into the dictionary retrived. + default_values = defaults(base) + # XXX: T2665: we must safely remove default values for tag nodes, those are + # added in a more fine grained way later on + del default_values['esp_group'] + del default_values['ike_group'] + del default_values['remote_access'] + ipsec = dict_merge(default_values, ipsec) + + if 'esp_group' in ipsec: + default_values = defaults(base + ['esp-group']) + for group in ipsec['esp_group']: + ipsec['esp_group'][group] = dict_merge(default_values, + ipsec['esp_group'][group]) + if 'ike_group' in ipsec: + default_values = defaults(base + ['ike-group']) + # proposal is a tag node which may come with individual defaults per node + if 'proposal' in default_values: + del default_values['proposal'] + + for group in ipsec['ike_group']: + ipsec['ike_group'][group] = dict_merge(default_values, + ipsec['ike_group'][group]) + + if 'proposal' in ipsec['ike_group'][group]: + default_values = defaults(base + ['ike-group', 'proposal']) + for proposal in ipsec['ike_group'][group]['proposal']: + ipsec['ike_group'][group]['proposal'][proposal] = dict_merge(default_values, + ipsec['ike_group'][group]['proposal'][proposal]) + + if 'remote_access' in ipsec and 'connection' in ipsec['remote_access']: + default_values = defaults(base + ['remote-access', 'connection']) + for rw in ipsec['remote_access']['connection']: + ipsec['remote_access']['connection'][rw] = dict_merge(default_values, + ipsec['remote_access']['connection'][rw]) + + if 
'remote_access' in ipsec and 'radius' in ipsec['remote_access'] and 'server' in ipsec['remote_access']['radius']: + default_values = defaults(base + ['remote-access', 'radius', 'server']) + for server in ipsec['remote_access']['radius']['server']: + ipsec['remote_access']['radius']['server'][server] = dict_merge(default_values, + ipsec['remote_access']['radius']['server'][server]) + + ipsec['dhcp_no_address'] = {} + ipsec['install_routes'] = 'no' if conf.exists(base + ["options", "disable-route-autoinstall"]) else default_install_routes + ipsec['interface_change'] = leaf_node_changed(conf, base + ['interface']) + ipsec['nhrp_exists'] = conf.exists(['protocols', 'nhrp', 'tunnel']) + ipsec['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'), + get_first_key=True, + no_tag_node_value_mangle=True) + + tmp = conf.get_config_dict(l2tp_base, key_mangling=('-', '_'), + get_first_key=True, + no_tag_node_value_mangle=True) + if tmp: + ipsec['l2tp'] = tmp + l2tp_defaults = defaults(l2tp_base) + ipsec['l2tp'] = dict_merge(l2tp_defaults, ipsec['l2tp']) + ipsec['l2tp_outside_address'] = conf.return_value(['vpn', 'l2tp', 'remote-access', 'outside-address']) + ipsec['l2tp_ike_default'] = 'aes256-sha1-modp1024,3des-sha1-modp1024' + ipsec['l2tp_esp_default'] = 'aes256-sha1,3des-sha1' + return ipsec +def get_dhcp_address(iface): + addresses = Interface(iface).get_addr() + if not addresses: + return None + for address in addresses: + if not is_ipv6_link_local(address): + return ip_from_cidr(address) + return None + +def verify_pki_x509(pki, x509_conf): + if not pki or 'ca' not in pki or 'certificate' not in pki: + raise ConfigError(f'PKI is not configured') + + ca_cert_name = x509_conf['ca_certificate'] + cert_name = x509_conf['certificate'] + + if not dict_search_args(pki, 'ca', ca_cert_name, 'certificate'): + raise ConfigError(f'Missing CA certificate on specified PKI CA certificate "{ca_cert_name}"') + + if not dict_search_args(pki, 'certificate', cert_name, 
'certificate'): + raise ConfigError(f'Missing certificate on specified PKI certificate "{cert_name}"') + + if not dict_search_args(pki, 'certificate', cert_name, 'private', 'key'): + raise ConfigError(f'Missing private key on specified PKI certificate "{cert_name}"') + + return True + +def verify_pki_rsa(pki, rsa_conf): + if not pki or 'key_pair' not in pki: + raise ConfigError(f'PKI is not configured') + + local_key = rsa_conf['local_key'] + remote_key = rsa_conf['remote_key'] + + if not dict_search_args(pki, 'key_pair', local_key, 'private', 'key'): + raise ConfigError(f'Missing private key on specified local-key "{local_key}"') + + if not dict_search_args(pki, 'key_pair', remote_key, 'public', 'key'): + raise ConfigError(f'Missing public key on specified remote-key "{remote_key}"') + + return True + def verify(ipsec): if not ipsec: return None + if 'interfaces' in ipsec : + for ifname in ipsec['interface']: + verify_interface_exists(ifname) + + if 'l2tp' in ipsec: + if 'esp_group' in ipsec['l2tp']: + if 'esp_group' not in ipsec or ipsec['l2tp']['esp_group'] not in ipsec['esp_group']: + raise ConfigError(f"Invalid esp-group on L2TP remote-access config") + + if 'ike_group' in ipsec['l2tp']: + if 'ike_group' not in ipsec or ipsec['l2tp']['ike_group'] not in ipsec['ike_group']: + raise ConfigError(f"Invalid ike-group on L2TP remote-access config") + + if 'authentication' not in ipsec['l2tp']: + raise ConfigError(f'Missing authentication settings on L2TP remote-access config') + + if 'mode' not in ipsec['l2tp']['authentication']: + raise ConfigError(f'Missing authentication mode on L2TP remote-access config') + + if not ipsec['l2tp_outside_address']: + raise ConfigError(f'Missing outside-address on L2TP remote-access config') + + if ipsec['l2tp']['authentication']['mode'] == 'pre-shared-secret': + if 'pre_shared_secret' not in ipsec['l2tp']['authentication']: + raise ConfigError(f'Missing pre shared secret on L2TP remote-access config') + + if 
ipsec['l2tp']['authentication']['mode'] == 'x509': + if 'x509' not in ipsec['l2tp']['authentication']: + raise ConfigError(f'Missing x509 settings on L2TP remote-access config') + + x509 = ipsec['l2tp']['authentication']['x509'] + + if 'ca_certificate' not in x509 or 'certificate' not in x509: + raise ConfigError(f'Missing x509 certificates on L2TP remote-access config') + + verify_pki_x509(ipsec['pki'], x509) + + if 'profile' in ipsec: + for profile, profile_conf in ipsec['profile'].items(): + if 'esp_group' in profile_conf: + if 'esp_group' not in ipsec or profile_conf['esp_group'] not in ipsec['esp_group']: + raise ConfigError(f"Invalid esp-group on {profile} profile") + else: + raise ConfigError(f"Missing esp-group on {profile} profile") + + if 'ike_group' in profile_conf: + if 'ike_group' not in ipsec or profile_conf['ike_group'] not in ipsec['ike_group']: + raise ConfigError(f"Invalid ike-group on {profile} profile") + else: + raise ConfigError(f"Missing ike-group on {profile} profile") + + if 'authentication' not in profile_conf: + raise ConfigError(f"Missing authentication on {profile} profile") + + if 'remote_access' in ipsec: + if 'connection' in ipsec['remote_access']: + for name, ra_conf in ipsec['remote_access']['connection'].items(): + if 'esp_group' in ra_conf: + if 'esp_group' not in ipsec or ra_conf['esp_group'] not in ipsec['esp_group']: + raise ConfigError(f"Invalid esp-group on {name} remote-access config") + else: + raise ConfigError(f"Missing esp-group on {name} remote-access config") + + if 'ike_group' in ra_conf: + if 'ike_group' not in ipsec or ra_conf['ike_group'] not in ipsec['ike_group']: + raise ConfigError(f"Invalid ike-group on {name} remote-access config") + + ike = ra_conf['ike_group'] + if dict_search(f'ike_group.{ike}.key_exchange', ipsec) != 'ikev2': + raise ConfigError('IPSec remote-access connections requires IKEv2!') + + else: + raise ConfigError(f"Missing ike-group on {name} remote-access config") + + if 'authentication' not 
in ra_conf: + raise ConfigError(f"Missing authentication on {name} remote-access config") + + if ra_conf['authentication']['server_mode'] == 'x509': + if 'x509' not in ra_conf['authentication']: + raise ConfigError(f"Missing x509 settings on {name} remote-access config") + + x509 = ra_conf['authentication']['x509'] + + if 'ca_certificate' not in x509 or 'certificate' not in x509: + raise ConfigError(f"Missing x509 certificates on {name} remote-access config") + + verify_pki_x509(ipsec['pki'], x509) + elif ra_conf['authentication']['server_mode'] == 'pre-shared-secret': + if 'pre_shared_secret' not in ra_conf['authentication']: + raise ConfigError(f"Missing pre-shared-key on {name} remote-access config") + + + if 'client_mode' in ra_conf['authentication']: + if ra_conf['authentication']['client_mode'] == 'eap-radius': + if 'radius' not in ipsec['remote_access'] or 'server' not in ipsec['remote_access']['radius'] or len(ipsec['remote_access']['radius']['server']) == 0: + raise ConfigError('RADIUS authentication requires at least one server') + + if 'pool' in ra_conf: + if 'dhcp' in ra_conf['pool'] and len(ra_conf['pool']) > 1: + raise ConfigError(f'Can not use both DHCP and a predefined address pool for "{name}"!') + + for pool in ra_conf['pool']: + if pool == 'dhcp': + if dict_search('remote_access.dhcp.server', ipsec) == None: + raise ConfigError('IPSec DHCP server is not configured!') + + elif 'pool' not in ipsec['remote_access'] or pool not in ipsec['remote_access']['pool']: + raise ConfigError(f'Requested pool "{pool}" does not exist!') + + if 'pool' in ipsec['remote_access']: + for pool, pool_config in ipsec['remote_access']['pool'].items(): + if 'prefix' not in pool_config: + raise ConfigError(f'Missing madatory prefix option for pool "{pool}"!') + + if 'name_server' in pool_config: + if len(pool_config['name_server']) > 2: + raise ConfigError(f'Only two name-servers are supported for remote-access pool "{pool}"!') + + for ns in pool_config['name_server']: + 
v4_addr_and_ns = is_ipv4(ns) and not is_ipv4(pool_config['prefix']) + v6_addr_and_ns = is_ipv6(ns) and not is_ipv6(pool_config['prefix']) + if v4_addr_and_ns or v6_addr_and_ns: + raise ConfigError('Must use both IPv4 or IPv6 addresses for pool prefix and name-server adresses!') + + if 'exclude' in pool_config: + for exclude in pool_config['exclude']: + v4_addr_and_exclude = is_ipv4(exclude) and not is_ipv4(pool_config['prefix']) + v6_addr_and_exclude = is_ipv6(exclude) and not is_ipv6(pool_config['prefix']) + if v4_addr_and_exclude or v6_addr_and_exclude: + raise ConfigError('Must use both IPv4 or IPv6 addresses for pool prefix and exclude prefixes!') + + if 'radius' in ipsec['remote_access'] and 'server' in ipsec['remote_access']['radius']: + for server, server_config in ipsec['remote_access']['radius']['server'].items(): + if 'key' not in server_config: + raise ConfigError(f'Missing RADIUS secret key for server "{server}"') + + if 'site_to_site' in ipsec and 'peer' in ipsec['site_to_site']: + for peer, peer_conf in ipsec['site_to_site']['peer'].items(): + has_default_esp = False + if 'default_esp_group' in peer_conf: + has_default_esp = True + if 'esp_group' not in ipsec or peer_conf['default_esp_group'] not in ipsec['esp_group']: + raise ConfigError(f"Invalid esp-group on site-to-site peer {peer}") + + if 'ike_group' in peer_conf: + if 'ike_group' not in ipsec or peer_conf['ike_group'] not in ipsec['ike_group']: + raise ConfigError(f"Invalid ike-group on site-to-site peer {peer}") + else: + raise ConfigError(f"Missing ike-group on site-to-site peer {peer}") + + if 'authentication' not in peer_conf or 'mode' not in peer_conf['authentication']: + raise ConfigError(f"Missing authentication on site-to-site peer {peer}") + + if peer_conf['authentication']['mode'] == 'x509': + if 'x509' not in peer_conf['authentication']: + raise ConfigError(f"Missing x509 settings on site-to-site peer {peer}") + + x509 = peer_conf['authentication']['x509'] + + if 'ca_certificate' not 
in x509 or 'certificate' not in x509: + raise ConfigError(f"Missing x509 certificates on site-to-site peer {peer}") + + verify_pki_x509(ipsec['pki'], x509) + elif peer_conf['authentication']['mode'] == 'rsa': + if 'rsa' not in peer_conf['authentication']: + raise ConfigError(f"Missing RSA settings on site-to-site peer {peer}") + + rsa = peer_conf['authentication']['rsa'] + + if 'local_key' not in rsa: + raise ConfigError(f"Missing RSA local-key on site-to-site peer {peer}") + + if 'remote_key' not in rsa: + raise ConfigError(f"Missing RSA remote-key on site-to-site peer {peer}") + + verify_pki_rsa(ipsec['pki'], rsa) + + if 'local_address' not in peer_conf and 'dhcp_interface' not in peer_conf: + raise ConfigError(f"Missing local-address or dhcp-interface on site-to-site peer {peer}") + + if 'dhcp_interface' in peer_conf: + dhcp_interface = peer_conf['dhcp_interface'] + + verify_interface_exists(dhcp_interface) + + if not os.path.exists(f'{DHCP_BASE}_{dhcp_interface}.conf'): + raise ConfigError(f"Invalid dhcp-interface on site-to-site peer {peer}") + + address = get_dhcp_address(dhcp_interface) + count = 0 + while not address and count < dhcp_wait_attempts: + address = get_dhcp_address(dhcp_interface) + count += 1 + sleep(dhcp_wait_sleep) + + if not address: + ipsec['dhcp_no_address'][peer] = dhcp_interface + print(f"Failed to get address from dhcp-interface on site-to-site peer {peer} -- skipped") + continue + + if 'vti' in peer_conf: + if 'local_address' in peer_conf and 'dhcp_interface' in peer_conf: + raise ConfigError(f"A single local-address or dhcp-interface is required when using VTI on site-to-site peer {peer}") + + if 'bind' in peer_conf['vti']: + vti_interface = peer_conf['vti']['bind'] + if not os.path.exists(f'/sys/class/net/{vti_interface}'): + raise ConfigError(f'VTI interface {vti_interface} for site-to-site peer {peer} does not exist!') + + if 'vti' not in peer_conf and 'tunnel' not in peer_conf: + raise ConfigError(f"No VTI or tunnel specified on 
site-to-site peer {peer}") + + if 'tunnel' in peer_conf: + for tunnel, tunnel_conf in peer_conf['tunnel'].items(): + if 'esp_group' not in tunnel_conf and not has_default_esp: + raise ConfigError(f"Missing esp-group on tunnel {tunnel} for site-to-site peer {peer}") + + esp_group_name = tunnel_conf['esp_group'] if 'esp_group' in tunnel_conf else peer_conf['default_esp_group'] + + if esp_group_name not in ipsec['esp_group']: + raise ConfigError(f"Invalid esp-group on tunnel {tunnel} for site-to-site peer {peer}") + + esp_group = ipsec['esp_group'][esp_group_name] + + if 'mode' in esp_group and esp_group['mode'] == 'transport': + if 'protocol' in tunnel_conf and ((peer in ['any', '0.0.0.0']) or ('local_address' not in peer_conf or peer_conf['local_address'] in ['any', '0.0.0.0'])): + raise ConfigError(f"Fixed local-address or peer required when a protocol is defined with ESP transport mode on tunnel {tunnel} for site-to-site peer {peer}") + + if ('local' in tunnel_conf and 'prefix' in tunnel_conf['local']) or ('remote' in tunnel_conf and 'prefix' in tunnel_conf['remote']): + raise ConfigError(f"Local/remote prefix cannot be used with ESP transport mode on tunnel {tunnel} for site-to-site peer {peer}") + +def cleanup_pki_files(): + for path in [CERT_PATH, CA_PATH, CRL_PATH, KEY_PATH, PUBKEY_PATH]: + if not os.path.exists(path): + continue + for file in os.listdir(path): + file_path = os.path.join(path, file) + if os.path.isfile(file_path): + os.unlink(file_path) + +def generate_pki_files_x509(pki, x509_conf): + ca_cert_name = x509_conf['ca_certificate'] + ca_cert_data = dict_search_args(pki, 'ca', ca_cert_name, 'certificate') + ca_cert_crls = dict_search_args(pki, 'ca', ca_cert_name, 'crl') or [] + crl_index = 1 + + cert_name = x509_conf['certificate'] + cert_data = dict_search_args(pki, 'certificate', cert_name, 'certificate') + key_data = dict_search_args(pki, 'certificate', cert_name, 'private', 'key') + protected = 'passphrase' in x509_conf + + with 
open(os.path.join(CA_PATH, f'{ca_cert_name}.pem'), 'w') as f: + f.write(wrap_certificate(ca_cert_data)) + + for crl in ca_cert_crls: + with open(os.path.join(CRL_PATH, f'{ca_cert_name}_{crl_index}.pem'), 'w') as f: + f.write(wrap_crl(crl)) + crl_index += 1 + + with open(os.path.join(CERT_PATH, f'{cert_name}.pem'), 'w') as f: + f.write(wrap_certificate(cert_data)) + + with open(os.path.join(KEY_PATH, f'x509_{cert_name}.pem'), 'w') as f: + f.write(wrap_private_key(key_data, protected)) + +def generate_pki_files_rsa(pki, rsa_conf): + local_key_name = rsa_conf['local_key'] + local_key_data = dict_search_args(pki, 'key_pair', local_key_name, 'private', 'key') + protected = 'passphrase' in rsa_conf + remote_key_name = rsa_conf['remote_key'] + remote_key_data = dict_search_args(pki, 'key_pair', remote_key_name, 'public', 'key') + + local_key = load_private_key(local_key_data, rsa_conf['passphrase'] if protected else None) + + with open(os.path.join(KEY_PATH, f'rsa_{local_key_name}.pem'), 'w') as f: + f.write(wrap_private_key(local_key_data, protected)) + + with open(os.path.join(PUBKEY_PATH, f'{local_key_name}.pem'), 'w') as f: + f.write(encode_public_key(local_key.public_key())) + + with open(os.path.join(PUBKEY_PATH, f'{remote_key_name}.pem'), 'w') as f: + f.write(wrap_public_key(remote_key_data)) + def generate(ipsec): + cleanup_pki_files() + if not ipsec: - return None + for config_file in [ipsec_conf, ipsec_secrets, charon_dhcp_conf, + charon_radius_conf, interface_conf, swanctl_conf]: + if os.path.isfile(config_file): + os.unlink(config_file) + render(charon_conf, 'ipsec/charon.tmpl', {'install_routes': default_install_routes}) + return - return ipsec + if ipsec['dhcp_no_address']: + with open(DHCP_HOOK_IFLIST, 'w') as f: + f.write(" ".join(ipsec['dhcp_no_address'].values())) + + for path in [swanctl_dir, CERT_PATH, CA_PATH, CRL_PATH, PUBKEY_PATH]: + if not os.path.exists(path): + os.mkdir(path, mode=0o755) + + if not os.path.exists(KEY_PATH): + os.mkdir(KEY_PATH, 
mode=0o700) + + if 'l2tp' in ipsec: + if 'authentication' in ipsec['l2tp'] and 'x509' in ipsec['l2tp']['authentication']: + generate_pki_files_x509(ipsec['pki'], ipsec['l2tp']['authentication']['x509']) + + if 'remote_access' in ipsec and 'connection' in ipsec['remote_access']: + for rw, rw_conf in ipsec['remote_access']['connection'].items(): + + if 'authentication' in rw_conf and 'x509' in rw_conf['authentication']: + generate_pki_files_x509(ipsec['pki'], rw_conf['authentication']['x509']) + + if 'site_to_site' in ipsec and 'peer' in ipsec['site_to_site']: + for peer, peer_conf in ipsec['site_to_site']['peer'].items(): + if peer in ipsec['dhcp_no_address']: + continue + + if peer_conf['authentication']['mode'] == 'x509': + generate_pki_files_x509(ipsec['pki'], peer_conf['authentication']['x509']) + elif peer_conf['authentication']['mode'] == 'rsa': + generate_pki_files_rsa(ipsec['pki'], peer_conf['authentication']['rsa']) + + local_ip = '' + if 'local_address' in peer_conf: + local_ip = peer_conf['local_address'] + elif 'dhcp_interface' in peer_conf: + local_ip = get_dhcp_address(peer_conf['dhcp_interface']) + + ipsec['site_to_site']['peer'][peer]['local_address'] = local_ip + + if 'tunnel' in peer_conf: + for tunnel, tunnel_conf in peer_conf['tunnel'].items(): + local_prefixes = dict_search_args(tunnel_conf, 'local', 'prefix') + remote_prefixes = dict_search_args(tunnel_conf, 'remote', 'prefix') + + if not local_prefixes or not remote_prefixes: + continue + + passthrough = [] + + for local_prefix in local_prefixes: + for remote_prefix in remote_prefixes: + local_net = ipaddress.ip_network(local_prefix) + remote_net = ipaddress.ip_network(remote_prefix) + if local_net.overlaps(remote_net): + passthrough.append(local_prefix) + + ipsec['site_to_site']['peer'][peer]['tunnel'][tunnel]['passthrough'] = passthrough + + + render(ipsec_conf, 'ipsec/ipsec.conf.tmpl', ipsec) + render(ipsec_secrets, 'ipsec/ipsec.secrets.tmpl', ipsec) + render(charon_conf, 
'ipsec/charon.tmpl', ipsec) + render(charon_dhcp_conf, 'ipsec/charon/dhcp.conf.tmpl', ipsec) + render(charon_radius_conf, 'ipsec/charon/eap-radius.conf.tmpl', ipsec) + render(interface_conf, 'ipsec/interfaces_use.conf.tmpl', ipsec) + render(swanctl_conf, 'ipsec/swanctl.conf.tmpl', ipsec) + +def resync_nhrp(ipsec): + if ipsec and not ipsec['nhrp_exists']: + return + + tmp = run('/usr/libexec/vyos/conf_mode/protocols_nhrp.py') + if tmp > 0: + print('ERROR: failed to reapply NHRP settings!') + +def wait_for_vici_socket(timeout=5, sleep_interval=0.1): + start_time = time() + test_command = f'sudo socat -u OPEN:/dev/null UNIX-CONNECT:{vici_socket}' + while True: + if (start_time + timeout) < time(): + return None + result = run(test_command) + if result == 0: + return True + sleep(sleep_interval) def apply(ipsec): if not ipsec: - return None + call('sudo ipsec stop') + else: + call('sudo ipsec restart') + call('sudo ipsec rereadall') + call('sudo ipsec reload') + + if wait_for_vici_socket(): + call('sudo swanctl -q') - pprint(ipsec) + resync_nhrp(ipsec) if __name__ == '__main__': try: - c = get_config() - verify(c) - generate(c) - apply(c) + ipsec = get_config() + verify(ipsec) + generate(ipsec) + apply(ipsec) except ConfigError as e: print(e) exit(1) diff --git a/src/conf_mode/vpn_l2tp.py b/src/conf_mode/vpn_l2tp.py index e970d2ef5..9c52f77ca 100755 --- a/src/conf_mode/vpn_l2tp.py +++ b/src/conf_mode/vpn_l2tp.py @@ -20,7 +20,6 @@ import re from copy import deepcopy from stat import S_IRUSR, S_IWUSR, S_IRGRP from sys import exit -from time import sleep from ipaddress import ip_network diff --git a/src/conf_mode/vpn_openconnect.py b/src/conf_mode/vpn_openconnect.py index 2986c3458..f6db196dc 100755 --- a/src/conf_mode/vpn_openconnect.py +++ b/src/conf_mode/vpn_openconnect.py 
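Review bot: In verify(), `if 'interfaces' in ipsec :` guards a loop over `ipsec['interface']`; the key the rest of get_config uses is `interface` (the one passed to `leaf_node_changed`), so the `verify_interface_exists` check never runs and the guard should read `if 'interface' in ipsec:`. The private keys written by generate_pki_files_x509 and generate_pki_files_rsa go through a plain `open(..., 'w')`, so their mode follows the umask; `KEY_PATH` only receives 0o700 when generate() first creates it, and the key files themselves should be created 0600, e.g. `open(path, 'w', opener=lambda p, f: os.open(p, f, 0o600))`. The same pattern writes `cert.key` in the vpn_openconnect generate hunk and `sstp-cert.key` in the vpn_sstp generate hunk later in this diff. The `l2tp_ike_default`/`l2tp_esp_default` strings offer 3DES, SHA-1 and MODP-1024; if that is a deliberate compatibility choice for legacy L2TP clients, a comment next to the assignment saying so would keep the next reader from treating it as an oversight.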
@@ -19,9 +19,11 @@ from sys import exit from vyos.config import Config from vyos.configdict import dict_merge -from vyos.xml import defaults +from vyos.pki import wrap_certificate +from vyos.pki import wrap_private_key from vyos.template import render from vyos.util import call +from vyos.xml import defaults from vyos import ConfigError from crypt import crypt, mksalt, METHOD_SHA512 @@ -50,6 +52,10 @@ def get_config(): default_values = defaults(base) ocserv = dict_merge(default_values, ocserv) + if ocserv: + ocserv['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'), + get_first_key=True, no_tag_node_value_mangle=True) + return ocserv def verify(ocserv): 
@@ -72,14 +78,36 @@ def verify(ocserv): raise ConfigError('openconnect authentication credentials required') # Check ssl - if "ssl" in ocserv: - req_cert = ['cert_file', 'key_file'] - for cert in req_cert: - if not cert in ocserv["ssl"]: - raise ConfigError('openconnect ssl {0} required'.format(cert.replace('_', '-'))) - else: + if 'ssl' not in ocserv: raise ConfigError('openconnect ssl required') + if not ocserv['pki'] or 'certificate' not in ocserv['pki']: + raise ConfigError('PKI not configured') + + ssl = ocserv['ssl'] + if 'certificate' not in ssl: + raise ConfigError('openconnect ssl certificate required') + + cert_name = ssl['certificate'] + + if cert_name not in ocserv['pki']['certificate']: + raise ConfigError('Invalid openconnect ssl certificate') + + cert = ocserv['pki']['certificate'][cert_name] + + if 'certificate' not in cert: + raise ConfigError('Missing certificate in PKI') + + if 'private' not in cert or 'key' not in cert['private']: + raise ConfigError('Missing private key in PKI') + + if 'ca_certificate' in ssl: + if 'ca' not in ocserv['pki']: + raise ConfigError('PKI not configured') + + if ssl['ca_certificate'] not in ocserv['pki']['ca']: + raise ConfigError('Invalid openconnect ssl CA certificate') + # Check network settings if "network_settings" in ocserv: if "push_route" in ocserv["network_settings"]: 
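Review bot: verify() accepts a PKI certificate whose private key is passphrase-protected, while generate() in the next hunk writes it with `wrap_private_key(pki_cert['private']['key'])` and no passphrase, so a protected key passes commit and only fails when ocserv loads it. The vpn_sstp verify hunk in this same diff rejects that case explicitly; mirror it after the private-key check: `if 'password_protected' in cert['private']:` / `raise ConfigError('Encrypted private key is not supported for openconnect ssl')`. The enclosing verify() begins before this hunk.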
@@ -109,6 +137,29 @@ def generate(ocserv): # Render local users render(ocserv_passwd, 'ocserv/ocserv_passwd.tmpl', ocserv["authentication"]["local_users"]) + if "ssl" in ocserv: + cert_file_path = os.path.join(cfg_dir, 'cert.pem') + cert_key_path = os.path.join(cfg_dir, 'cert.key') + ca_cert_file_path = os.path.join(cfg_dir, 'ca.pem') + + if 'certificate' in ocserv['ssl']: + cert_name = ocserv['ssl']['certificate'] + pki_cert = ocserv['pki']['certificate'][cert_name] + + with open(cert_file_path, 'w') as f: + f.write(wrap_certificate(pki_cert['certificate'])) + + if 'private' in pki_cert and 'key' in pki_cert['private']: + with open(cert_key_path, 'w') as f: + f.write(wrap_private_key(pki_cert['private']['key'])) + + if 'ca_certificate' in ocserv['ssl']: + ca_name = ocserv['ssl']['ca_certificate'] + pki_ca_cert = ocserv['pki']['ca'][ca_name] + + with open(ca_cert_file_path, 'w') as f: + f.write(wrap_certificate(pki_ca_cert['certificate'])) + # Render config render(ocserv_conf, 'ocserv/ocserv_config.tmpl', ocserv) diff --git a/src/conf_mode/vpn_sstp.py b/src/conf_mode/vpn_sstp.py index 47367f125..d1a71a5ad 100755 --- a/src/conf_mode/vpn_sstp.py +++ b/src/conf_mode/vpn_sstp.py @@ -21,6 +21,8 @@ from sys import exit from vyos.config import Config from vyos.configdict import get_accel_dict from vyos.configverify import verify_accel_ppp_base_service +from vyos.pki import wrap_certificate +from vyos.pki import wrap_private_key from vyos.template import render from vyos.util import call from vyos.util import dict_search @@ -28,6 +30,7 @@ from vyos import ConfigError from vyos import airbag airbag.enable() +cfg_dir = '/run/accel-pppd' sstp_conf = '/run/accel-pppd/sstp.conf' sstp_chap_secrets = '/run/accel-pppd/sstp.chap-secrets' 
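Review bot: `ca.pem` is only written when `ca_certificate` is present in `ocserv['ssl']`, so a file from an earlier commit survives after the option is removed, whereas `cert.pem` is rewritten on every run because verify() requires `certificate`. Unless the ocserv template references the CA file only when `ca_certificate` is set, the daemon keeps trusting the old CA; add a branch that removes the stale file, `elif os.path.isfile(ca_cert_file_path): os.unlink(ca_cert_file_path)`. generate() begins before this hunk.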
@@ -42,6 +45,11 @@ def get_config(config=None): # retrieve common dictionary keys sstp = get_accel_dict(conf, base, sstp_chap_secrets) + + if sstp: + sstp['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'), + get_first_key=True, no_tag_node_value_mangle=True) + return sstp def verify(sstp): 
@@ -56,31 +64,59 @@ def verify(sstp): # # SSL certificate checks # - tmp = dict_search('ssl.ca_cert_file', sstp) - if not tmp: - raise ConfigError(f'SSL CA certificate file required!') - else: - if not os.path.isfile(tmp): - raise ConfigError(f'SSL CA certificate "{tmp}" does not exist!') + if not sstp['pki']: + raise ConfigError('PKI is not configured') - tmp = dict_search('ssl.cert_file', sstp) - if not tmp: - raise ConfigError(f'SSL public key file required!') - else: - if not os.path.isfile(tmp): - raise ConfigError(f'SSL public key "{tmp}" does not exist!') + if 'ssl' not in sstp: + raise ConfigError('SSL missing on SSTP config') - tmp = dict_search('ssl.key_file', sstp) - if not tmp: - raise ConfigError(f'SSL private key file required!') - else: - if not os.path.isfile(tmp): - raise ConfigError(f'SSL private key "{tmp}" does not exist!') + ssl = sstp['ssl'] + + if 'ca_certificate' not in ssl: + raise ConfigError('SSL CA certificate missing on SSTP config') + + if 'certificate' not in ssl: + raise ConfigError('SSL certificate missing on SSTP config') + + cert_name = ssl['certificate'] + + if ssl['ca_certificate'] not in sstp['pki']['ca']: + raise ConfigError('Invalid CA certificate on SSTP config') + + if cert_name not in sstp['pki']['certificate']: + raise ConfigError('Invalid certificate on SSTP config') + + pki_cert = sstp['pki']['certificate'][cert_name] + + if 'private' not in pki_cert or 'key' not in pki_cert['private']: + raise ConfigError('Missing private key for certificate on SSTP config') + + if 'password_protected' in pki_cert['private']: + raise ConfigError('Encrypted private key is not supported on SSTP config') def generate(sstp): if not sstp: return None + cert_file_path = os.path.join(cfg_dir, 'sstp-cert.pem') + cert_key_path = os.path.join(cfg_dir, 'sstp-cert.key') + ca_cert_file_path = os.path.join(cfg_dir, 'sstp-ca.pem') + + cert_name = sstp['ssl']['certificate'] + pki_cert = sstp['pki']['certificate'][cert_name] + + with 
open(cert_file_path, 'w') as f: + f.write(wrap_certificate(pki_cert['certificate'])) + + with open(cert_key_path, 'w') as f: + f.write(wrap_private_key(pki_cert['private']['key'])) + + ca_cert_name = sstp['ssl']['ca_certificate'] + pki_ca = sstp['pki']['ca'][ca_cert_name] + + with open(ca_cert_file_path, 'w') as f: + f.write(wrap_certificate(pki_ca['certificate'])) + # accel-cmd reload doesn't work so any change results in a restart of the daemon render(sstp_conf, 'accel-ppp/sstp.config.tmpl', sstp) diff --git a/src/conf_mode/vrf.py b/src/conf_mode/vrf.py index a39da8991..c1cfc1dcb 100755 --- a/src/conf_mode/vrf.py +++ b/src/conf_mode/vrf.py @@ -18,6 +18,7 @@ import os from sys import exit from json import loads +from tempfile import NamedTemporaryFile from vyos.config import Config from vyos.configdict import node_changed @@ -28,6 +29,8 @@ from vyos.util import call from vyos.util import cmd from vyos.util import dict_search from vyos.util import get_interface_config +from vyos.util import popen +from vyos.util import run from vyos import ConfigError from vyos import frr from vyos import airbag @@ -125,11 +128,17 @@ def verify(vrf): return None + def generate(vrf): render(config_file, 'vrf/vrf.conf.tmpl', vrf) vrf['new_frr_config'] = render_to_string('frr/vrf.frr.tmpl', vrf) + # Render nftables zones config + vrf['nft_vrf_zones'] = NamedTemporaryFile().name + render(vrf['nft_vrf_zones'], 'firewall/nftables-vrf-zones.tmpl', vrf) + return None + def apply(vrf): # Documentation # @@ -141,7 +150,7 @@ def apply(vrf): # set the default VRF global behaviour bind_all = '0' - if 'bind_to_all' in vrf: + if 'bind-to-all' in vrf: bind_all = '1' call(f'sysctl -wq net.ipv4.tcp_l3mdev_accept={bind_all}') call(f'sysctl -wq net.ipv4.udp_l3mdev_accept={bind_all}') 
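Review bot: The membership tests `ssl['ca_certificate'] not in sstp['pki']['ca']` and `cert_name not in sstp['pki']['certificate']` in verify() raise KeyError instead of ConfigError when the pki dictionary has no `ca` or no `certificate` subtree, because `if not sstp['pki']` only catches an entirely empty dictionary. The vpn_openconnect verify hunk in this diff guards that with `if 'ca' not in ocserv['pki']`; the same guard belongs here, `if 'ca' not in sstp['pki'] or ssl['ca_certificate'] not in sstp['pki']['ca']:`, and likewise for `certificate`. verify() begins before this hunk.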
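Review bot: `vrf['nft_vrf_zones'] = NamedTemporaryFile().name` in generate() takes the name of a temporary file that is closed and deleted as soon as the unnamed object is collected, and `render()` then recreates a file at that now-free path; that is a predictable-name race in the temp directory, and the content is later passed to `nft -f` in apply(). Keep the file the library created instead of re-creating it by name: `tmp = NamedTemporaryFile(delete=False)` / `tmp.close()` / `vrf['nft_vrf_zones'] = tmp.name`, and let render() write into the existing 0600 file. generate() begins before this hunk.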
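Review bot: The test is changed to `if 'bind-to-all' in vrf:`, but if get_config() for this file builds the dictionary with `key_mangling=('-', '_')` the way the other conf_mode scripts in this diff do, the key is `bind_to_all` and the new condition can never match, leaving `tcp_l3mdev_accept`/`udp_l3mdev_accept` at 0. get_config() is outside this hunk, so the spelling the dictionary actually carries should be confirmed and recorded on this line, e.g. `# key is not mangled here; see get_config()` or the underscore form restored. apply() begins before this hunk.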
@@ -151,8 +160,19 @@ def apply(vrf): call(f'ip -4 route del vrf {tmp} unreachable default metric 4278198272') call(f'ip -6 route del vrf {tmp} unreachable default metric 4278198272') call(f'ip link delete dev {tmp}') + # Remove nftables conntrack zone map item + nft_del_element = f'delete element inet vrf_zones ct_iface_map {{ "{tmp}" }}' + cmd(f'nft {nft_del_element}') if 'name' in vrf: + # Separate VRFs in conntrack table + # check if table already exists + _, err = popen('nft list table inet vrf_zones') + # If not, create a table + if err: + cmd(f'nft -f {vrf["nft_vrf_zones"]}') + os.unlink(vrf['nft_vrf_zones']) + for name, config in vrf['name'].items(): table = config['table'] @@ -182,6 +202,9 @@ def apply(vrf): # reconfiguration. state = 'down' if 'disable' in config else 'up' vrf_if.set_admin_state(state) + # Add nftables conntrack zone map item + nft_add_element = f'add element inet vrf_zones ct_iface_map {{ "{name}" : {table} }}' + cmd(f'nft {nft_add_element}') # Linux routing uses rules to find tables - routing targets are then # looked up in those tables. If the lookup got a matching route, the 
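Review bot: For every VRF being removed, `cmd(f'nft {nft_del_element}')` runs before the `if 'name' in vrf:` block that creates `inet vrf_zones`, so on a system where the table does not exist yet (first commit after upgrading to this version) the element deletion fails after `ip link delete dev {tmp}` has already run; if `cmd` raises on a non-zero exit, apply() stops there with the interface gone and the remaining steps skipped. Guard the deletion with the existence test used elsewhere in this file, `if run('nft list table inet vrf_zones') == 0:`, or tolerate the error explicitly with a comment. The temporary file rendered in generate() is also only unlinked inside the `if 'name' in vrf:` branch, so a commit that removes the last VRF leaves it behind. apply() begins before this hunk and continues after it.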
@@ -214,22 +237,25 @@ def apply(vrf): # clean out l3mdev-table rule if present if 1000 in [r.get('priority') for r in list_rules() if r.get('priority') == 1000]: call(f'ip {af} rule del pref 1000') - - # add configuration to FRR - frr_cfg = frr.FRRConfig() - frr_cfg.load_configuration(frr_daemon) - frr_cfg.modify_section(f'^vrf [a-zA-Z-]*$', '') - frr_cfg.add_before(r'(interface .*|line vty)', vrf['new_frr_config']) - frr_cfg.commit_configuration(frr_daemon) - - # If FRR config is blank, rerun the blank commit x times due to frr-reload - # behavior/bug not properly clearing out on one commit. - if vrf['new_frr_config'] == '': - for a in range(5): - frr_cfg.commit_configuration(frr_daemon) - - # Save configuration to /run/frr/config/frr.conf - frr.save_configuration() + # Remove VRF zones table from nftables + tmp = run('nft list table inet vrf_zones') + if tmp == 0: + cmd('nft delete table inet vrf_zones') + + # T3694: Somehow we hit a priority inversion here as we need to remove the + # VRF assigned VNI before we can remove a BGP bound VRF instance. Maybe + # move this to an individual helper script that set's up the VNI for the + # given VRF after any routing protocol. + # + # # add configuration to FRR + # frr_cfg = frr.FRRConfig() + # frr_cfg.load_configuration(frr_daemon) + # frr_cfg.modify_section(f'^vrf [a-zA-Z-]*$', '') + # frr_cfg.add_before(r'(interface .*|line vty)', vrf['new_frr_config']) + # frr_cfg.commit_configuration(frr_daemon) + # + # # Save configuration to /run/frr/config/frr.conf + # frr.save_configuration() return None diff --git a/src/conf_mode/vyos_cert.py b/src/conf_mode/vyos_cert.py deleted file mode 100755 index dc7c64684..000000000 --- a/src/conf_mode/vyos_cert.py +++ /dev/null 
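Review bot: The FRR commit is left as a commented-out block instead of being removed; the T3694 explanation is valuable, but six lines of dead code will drift from the real `frr.FRRConfig` API and are already recoverable from git history. Replace the block with the explanation plus a pointer, e.g. `# T3694: the FRR vrf stanza is intentionally not committed here (the VNI must be removed before the BGP-bound VRF); see git history for the previous implementation`. If nothing else in vrf.py consumes `vrf['new_frr_config']` any more, the `render_to_string` call in generate() and the `frr` import become dead as well; both are outside this hunk, so confirm before removing.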
@@ -1,147 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2019 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. -# -# - -import sys -import os -import tempfile -import pathlib -import ssl - -import vyos.defaults -from vyos.config import Config -from vyos import ConfigError -from vyos.util import cmd - -from vyos import airbag -airbag.enable() - -vyos_conf_scripts_dir = vyos.defaults.directories['conf_mode'] - -# XXX: this model will need to be extended for tag nodes -dependencies = [ - 'https.py', -] - -def status_self_signed(cert_data): -# check existence and expiration date - path = pathlib.Path(cert_data['conf']) - if not path.is_file(): - return False - path = pathlib.Path(cert_data['crt']) - if not path.is_file(): - return False - path = pathlib.Path(cert_data['key']) - if not path.is_file(): - return False - - # check if certificate is 1/2 past lifetime, with openssl -checkend - end_days = int(cert_data['lifetime']) - end_seconds = int(0.5*60*60*24*end_days) - checkend_cmd = 'openssl x509 -checkend {end} -noout -in {crt}'.format(end=end_seconds, **cert_data) - try: - cmd(checkend_cmd, message='Called process error') - return True - except OSError as err: - if err.errno == 1: - return False - print(err) - # XXX: This seems wrong to continue on failure - # implicitely returning None - -def generate_self_signed(cert_data): - san_config = None - - if ssl.OPENSSL_VERSION_INFO < (1, 1, 1, 0, 0): 
- san_config = tempfile.NamedTemporaryFile() - with open(san_config.name, 'w') as fd: - fd.write('[req]\n') - fd.write('distinguished_name=req\n') - fd.write('[san]\n') - fd.write('subjectAltName=DNS:vyos\n') - - openssl_req_cmd = ('openssl req -x509 -nodes -days {lifetime} ' - '-newkey rsa:4096 -keyout {key} -out {crt} ' - '-subj "/O=Sentrium/OU=VyOS/CN=vyos" ' - '-extensions san -config {san_conf}' - ''.format(san_conf=san_config.name, - **cert_data)) - - else: - openssl_req_cmd = ('openssl req -x509 -nodes -days {lifetime} ' - '-newkey rsa:4096 -keyout {key} -out {crt} ' - '-subj "/O=Sentrium/OU=VyOS/CN=vyos" ' - '-addext "subjectAltName=DNS:vyos"' - ''.format(**cert_data)) - - try: - cmd(openssl_req_cmd, message='Called process error') - except OSError as err: - print(err) - # XXX: seems wrong to ignore the failure - - os.chmod('{key}'.format(**cert_data), 0o400) - - with open('{conf}'.format(**cert_data), 'w') as f: - f.write('ssl_certificate {crt};\n'.format(**cert_data)) - f.write('ssl_certificate_key {key};\n'.format(**cert_data)) - - if san_config: - san_config.close() - -def get_config(config=None): - vyos_cert = vyos.defaults.vyos_cert_data - - if config: - conf = config - else: - conf = Config() - if not conf.exists('service https certificates system-generated-certificate'): - return None - else: - conf.set_level('service https certificates system-generated-certificate') - - if conf.exists('lifetime'): - lifetime = conf.return_value('lifetime') - vyos_cert['lifetime'] = lifetime - - return vyos_cert - -def verify(vyos_cert): - return None - -def generate(vyos_cert): - if vyos_cert is None: - return None - - if not status_self_signed(vyos_cert): - generate_self_signed(vyos_cert) - -def apply(vyos_cert): - for dep in dependencies: - command = '{0}/{1}'.format(vyos_conf_scripts_dir, dep) - cmd(command, raising=ConfigError) - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - 
sys.exit(1) diff --git a/src/etc/cron.hourly/vyos-logrotate-hourly b/src/etc/cron.hourly/vyos-logrotate-hourly new file mode 100755 index 000000000..f4f56a9c2 --- /dev/null +++ b/src/etc/cron.hourly/vyos-logrotate-hourly @@ -0,0 +1,4 @@ +#!/bin/sh + +test -x /usr/sbin/logrotate || exit 0 +/usr/sbin/logrotate /etc/logrotate.conf diff --git a/src/etc/dhcp/dhclient-exit-hooks.d/ipsec-dhclient-hook b/src/etc/dhcp/dhclient-exit-hooks.d/ipsec-dhclient-hook new file mode 100755 index 000000000..a7a9a2ce6 --- /dev/null +++ b/src/etc/dhcp/dhclient-exit-hooks.d/ipsec-dhclient-hook 
@@ -0,0 +1,88 @@ +#!/bin/bash +# +# Copyright (C) 2021 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +if [ "$reason" == "REBOOT" ] || [ "$reason" == "EXPIRE" ]; then + exit 0 +fi + +DHCP_HOOK_IFLIST="/tmp/ipsec_dhcp_waiting" + +if [ -f $DHCP_HOOK_IFLIST ] && [ "$reason" == "BOUND" ]; then + if grep -qw $interface $DHCP_HOOK_IFLIST; then + sudo rm $DHCP_HOOK_IFLIST + sudo python3 /usr/libexec/vyos/conf_mode/vpn_ipsec.py + exit 0 + fi +fi + +if [ "$old_ip_address" == "$new_ip_address" ] && [ "$reason" == "BOUND" ]; then + exit 0 +fi + +python3 - <<PYEND +import os +import re +from vyos.util import call +from vyos.util import cmd + +SWANCTL_CONF="/etc/swanctl/swanctl.conf" + +def getlines(file): + with open(file, 'r') as f: + return f.readlines() + +def writelines(file, lines): + with open(file, 'w') as f: + f.writelines(lines) + +def ipsec_down(ip_address): + # This prevents the need to restart ipsec and kill all active connections, only the stale connection is closed + status = cmd('sudo ipsec statusall') + connection_name = None + for line in status.split("\n"): + if line.find(ip_address) > 0: + regex_match = re.search(r'(peer_[^:\[]+)', line) + if regex_match: + connection_name = regex_match[1] + break + if connection_name: + call(f'sudo ipsec down {connection_name}') + +if __name__ == '__main__': + interface = os.getenv('interface') + new_ip = os.getenv('new_ip_address') + old_ip = 
os.getenv('old_ip_address') + + conf_lines = getlines(SWANCTL_CONF) + found = False + to_match = f'# dhcp:{interface}' + + for i, line in enumerate(conf_lines): + if line.find(to_match) > 0: + conf_lines[i] = line.replace(old_ip, new_ip) + found = True + + for i, line in enumerate(secrets_lines): + if line.find(to_match) > 0: + secrets_lines[i] = line.replace(old_ip, new_ip) + + if found: + writelines(SWANCTL_CONF, conf_lines) + ipsec_down(old_ip) + call('sudo ipsec rereadall') + call('sudo ipsec reload') + call('sudo swanctl -q') +PYEND
\ No newline at end of file diff --git a/src/etc/ipsec.d/key-pair.template b/src/etc/ipsec.d/key-pair.template new file mode 100644 index 000000000..56be97516 --- /dev/null +++ b/src/etc/ipsec.d/key-pair.template 
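Review bot: `for i, line in enumerate(secrets_lines):` uses a name that is never assigned anywhere in the embedded script, so every BOUND/RENEW with a changed address raises NameError before `writelines()` is reached and swanctl.conf is never updated; either delete that loop (only swanctl.conf is read in this file) or load and write the secrets file the same way `conf_lines` is handled. `DHCP_HOOK_IFLIST="/tmp/ipsec_dhcp_waiting"` is a fixed path in a world-writable directory consumed by a root-run hook, so any local user can create it with an interface name and make the hook re-run `vpn_ipsec.py`; keep it under `/run` (root-owned) instead. `grep -qw $interface` and `sudo rm $DHCP_HOOK_IFLIST` should quote their variables, and the `sudo` prefixes are redundant in a dhclient hook that already runs as root. `old_ip_address` may be unset on the first lease, in which case `line.replace(old_ip, new_ip)` receives None and raises TypeError; guard the replacement with `if old_ip:`.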
@@ -0,0 +1,67 @@ +[ req ] + default_bits = 2048 + default_keyfile = privkey.pem + distinguished_name = req_distinguished_name + string_mask = utf8only + attributes = req_attributes + dirstring_type = nobmp +# SHA-1 is deprecated, so use SHA-2 instead. + default_md = sha256 +# Extension to add when the -x509 option is used. + x509_extensions = v3_ca + +[ req_distinguished_name ] + countryName = Country Name (2 letter code) + countryName_min = 2 + countryName_max = 2 + ST = State Name + localityName = Locality Name (eg, city) + organizationName = Organization Name (eg, company) + organizationalUnitName = Organizational Unit Name (eg, department) + commonName = Common Name (eg, Device hostname) + commonName_max = 64 + emailAddress = Email Address + emailAddress_max = 40 +[ req_attributes ] + challengePassword = A challenge password (optional) + challengePassword_min = 4 + challengePassword_max = 20 +[ v3_ca ] + subjectKeyIdentifier=hash + authorityKeyIdentifier=keyid:always,issuer:always + basicConstraints = critical, CA:true + keyUsage = critical, digitalSignature, cRLSign, keyCertSign +[ v3_intermediate_ca ] +# Extensions for a typical intermediate CA (`man x509v3_config`). + subjectKeyIdentifier = hash + authorityKeyIdentifier = keyid:always,issuer + basicConstraints = critical, CA:true, pathlen:0 + keyUsage = critical, digitalSignature, cRLSign, keyCertSign +[ usr_cert ] +# Extensions for client certificates (`man x509v3_config`). + basicConstraints = CA:FALSE + nsCertType = client, email + nsComment = "OpenSSL Generated Client Certificate" + subjectKeyIdentifier = hash + authorityKeyIdentifier = keyid,issuer + keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment + extendedKeyUsage = clientAuth, emailProtection +[ server_cert ] +# Extensions for server certificates (`man x509v3_config`). 
+ basicConstraints = CA:FALSE + nsCertType = server + nsComment = "OpenSSL Generated Server Certificate" + subjectKeyIdentifier = hash + authorityKeyIdentifier = keyid,issuer:always + keyUsage = critical, digitalSignature, keyEncipherment + extendedKeyUsage = serverAuth +[ crl_ext ] +# Extension for CRLs (`man x509v3_config`). + authorityKeyIdentifier=keyid:always +[ ocsp ] +# Extension for OCSP signing certificates (`man ocsp`). + basicConstraints = CA:FALSE + subjectKeyIdentifier = hash + authorityKeyIdentifier = keyid,issuer + keyUsage = critical, digitalSignature + extendedKeyUsage = critical, OCSPSigning diff --git a/src/etc/ipsec.d/vti-up-down b/src/etc/ipsec.d/vti-up-down new file mode 100755 index 000000000..281c9bf2b --- /dev/null +++ b/src/etc/ipsec.d/vti-up-down 
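Review bot: `nsCertType` and `nsComment` in `[ usr_cert ]` and `[ server_cert ]` are legacy Netscape extensions that no current TLS or IKE verifier consults, so they enlarge every issued certificate without expressing policy; drop them and rely on the `keyUsage`/`extendedKeyUsage` lines that are already present. `default_keyfile = privkey.pem` is a relative path: a caller that omits `-keyout` writes the private key into whatever the current directory is, so either point it at an absolute root-only location or add `# callers must always pass -keyout; this default is never a safe location` above it. A header comment naming which sections the IPsec code actually references would make clear whether `[ ocsp ]` and `[ crl_ext ]` are reachable at all.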
@@ -0,0 +1,75 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2021 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +## Script called up strongswan to bring the vti interface up/down based on the state of the IPSec tunnel. +## Called as vti_up_down vti_intf_name + +import os +import sys + +from syslog import syslog +from syslog import openlog +from syslog import LOG_PID +from syslog import LOG_INFO + +from vyos.configquery import ConfigTreeQuery +from vyos.util import call +from vyos.util import get_interface_config +from vyos.util import get_interface_address + +def get_dhcp_address(interface): + addr = get_interface_address(interface) + if not addr: + return None + if len(addr['addr_info']) == 0: + return None + return addr['addr_info'][0]['local'] + +if __name__ == '__main__': + verb = os.getenv('PLUTO_VERB') + connection = os.getenv('PLUTO_CONNECTION') + interface = sys.argv[1] + dhcp_interface = sys.argv[2] + + openlog(ident=f'vti-up-down', logoption=LOG_PID, facility=LOG_INFO) + syslog(f'Interface {interface} {verb} {connection}') + + if verb in ['up-client', 'up-host']: + call('sudo ip route delete default table 220') + + vti_link = get_interface_config(interface) + + if not vti_link: + syslog(f'Interface {interface} not found') + sys.exit(0) + + vti_link_up = (vti_link['operstate'] == 'UP' if 'operstate' in vti_link else False) + + config = ConfigTreeQuery() + vti_dict = 
config.get_config_dict(['interfaces', 'vti', interface], + get_first_key=True) + + if verb in ['up-client', 'up-host']: + if not vti_link_up: + if dhcp_interface != 'no': + local_ip = get_dhcp_address(dhcp_interface) + call(f'sudo ip tunnel change {interface} local {local_ip}') + if 'disable' not in vti_dict: + call(f'sudo ip link set {interface} up') + else: + syslog(f'Interface {interface} is admin down ...') + elif verb in ['down-client', 'down-host']: + if vti_link_up: + call(f'sudo ip link set {interface} down') diff --git a/src/etc/opennhrp/opennhrp-script.py b/src/etc/opennhrp/opennhrp-script.py new file mode 100755 index 000000000..f7487ee5f --- /dev/null +++ b/src/etc/opennhrp/opennhrp-script.py 
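Review bot: `dhcp_interface = sys.argv[2]` is unconditional while the header comment says the script is `Called as vti_up_down vti_intf_name`, so an invocation with one argument dies with IndexError before `openlog()` runs; use `dhcp_interface = sys.argv[2] if len(sys.argv) > 2 else 'no'` and correct the comment to list both arguments. `get_dhcp_address()` returns None when the interface carries no address, and that value is then formatted into `ip tunnel change {interface} local None`; guard with `if local_ip:` and log the skip. `openlog(..., facility=LOG_INFO)` passes a priority constant where a facility is expected, which the facility mask folds into the kernel facility; use `LOG_DAEMON`. The PLUTO_* values are trusted because they come from the local charon, which is reasonable but worth one comment line.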
@@ -0,0 +1,136 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2021 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +from pprint import pprint +import os +import re +import sys +import vici + +from vyos.util import cmd +from vyos.util import process_named_running + +NHRP_CONFIG="/run/opennhrp/opennhrp.conf" + +def parse_type_ipsec(interface): + with open(NHRP_CONFIG, 'r') as f: + lines = f.readlines() + match = rf'^interface {interface} #(hub|spoke)(?:\s([\w-]+))?$' + for line in lines: + m = re.match(match, line) + if m: + return m[1], m[2] + return None, None + +def vici_initiate(conn, child_sa, src_addr, dest_addr): + try: + session = vici.Session() + logs = session.initiate({ + 'ike': conn, + 'child': child_sa, + 'timeout': '-1', + 'my-host': src_addr, + 'other-host': dest_addr + }) + for log in logs: + message = log['msg'].decode('ascii') + print('INIT LOG:', message) + return True + except: + return None + +def vici_terminate(conn, child_sa, src_addr, dest_addr): + try: + session = vici.Session() + logs = session.terminate({ + 'ike': conn, + 'child': child_sa, + 'timeout': '-1', + 'my-host': src_addr, + 'other-host': dest_addr + }) + for log in logs: + message = log['msg'].decode('ascii') + print('TERM LOG:', message) + return True + except: + return None + +def iface_up(interface): + cmd(f'sudo ip route flush proto 42 dev {interface}') + cmd(f'sudo ip neigh flush dev {interface}') + +def 
peer_up(dmvpn_type, conn): + src_addr = os.getenv('NHRP_SRCADDR') + src_nbma = os.getenv('NHRP_SRCNBMA') + dest_addr = os.getenv('NHRP_DESTADDR') + dest_nbma = os.getenv('NHRP_DESTNBMA') + dest_mtu = os.getenv('NHRP_DESTMTU') + + if dest_mtu: + args = cmd(f'sudo ip route get {dest_nbma} from {src_nbma}') + cmd(f'sudo ip route add {args} proto 42 mtu {dest_mtu}') + + if conn and dmvpn_type == 'spoke' and process_named_running('charon'): + vici_terminate(conn, 'dmvpn', src_nbma, dest_nbma) + vici_initiate(conn, 'dmvpn', src_nbma, dest_nbma) + +def peer_down(dmvpn_type, conn): + src_nbma = os.getenv('NHRP_SRCNBMA') + dest_nbma = os.getenv('NHRP_DESTNBMA') + + if conn and dmvpn_type == 'spoke' and process_named_running('charon'): + vici_terminate(conn, 'dmvpn', src_nbma, dest_nbma) + + cmd(f'sudo ip route del {dest_nbma} src {src_nbma} proto 42') + +def route_up(interface): + dest_addr = os.getenv('NHRP_DESTADDR') + dest_prefix = os.getenv('NHRP_DESTPREFIX') + next_hop = os.getenv('NHRP_NEXTHOP') + + cmd(f'sudo ip route replace {dest_addr}/{dest_prefix} proto 42 via {next_hop} dev {interface}') + cmd('sudo ip route flush cache') + +def route_down(interface): + dest_addr = os.getenv('NHRP_DESTADDR') + dest_prefix = os.getenv('NHRP_DESTPREFIX') + + cmd(f'sudo ip route del {dest_addr}/{dest_prefix} proto 42') + cmd('sudo ip route flush cache') + +if __name__ == '__main__': + action = sys.argv[1] + interface = os.getenv('NHRP_INTERFACE') + dmvpn_type, profile_name = parse_type_ipsec(interface) + + dmvpn_conn = None + + if profile_name: + dmvpn_conn = f'dmvpn-{profile_name}-{interface}' + + if action == 'interface-up': + iface_up(interface) + elif action == 'peer-register': + pass + elif action == 'peer-up': + peer_up(dmvpn_type, dmvpn_conn) + elif action == 'peer-down': + peer_down(dmvpn_type, dmvpn_conn) + elif action == 'route-up': + route_up(interface) + elif action == 'route-down': + route_down(interface) 
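Review bot: Every NHRP_* value read with `os.getenv()` in `peer_up`, `peer_down`, `route_up` and `route_down` is interpolated straight into `cmd(f'sudo ip route ...')` strings; those values are derived from NHRP messages received from peers and the script runs as root, so they should be validated as addresses (and `NHRP_DESTPREFIX`/`NHRP_DESTMTU` as integers) before reaching a command line — whether `cmd()` spawns a shell is decided in vyos.util and not visible here, but even without a shell a crafted value can smuggle extra `ip` arguments. `peer_up` also feeds the raw stdout of `ip route get` into `ip route add`; recent iproute2 appends tokens such as `uid 0` and `cache`, so that line needs checking on the target image. The bare `except:` in `vici_initiate`/`vici_terminate` swallows SystemExit and KeyboardInterrupt and hides the failure reason; use `except Exception as e:` and report it. A small validating helper (using stdlib `ipaddress`, which needs an import) keeps the call sites short:
```python
def nhrp_env_ip(name):
    """Return the NHRP_* variable as a canonical IP string, or None if unset.

    Anything that is not a bare IPv4/IPv6 address aborts the event: these
    values originate from peer traffic and end up on a root command line.
    """
    value = os.getenv(name)
    if value is None:
        return None
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        print(f'{name}={value!r} is not an IP address, ignoring event', file=sys.stderr)
        sys.exit(1)

# … unchanged: parse_type_ipsec / vici_initiate / vici_terminate / iface_up …

def peer_up(dmvpn_type, conn):
    src_addr = nhrp_env_ip('NHRP_SRCADDR')
    src_nbma = nhrp_env_ip('NHRP_SRCNBMA')
    dest_addr = nhrp_env_ip('NHRP_DESTADDR')
    dest_nbma = nhrp_env_ip('NHRP_DESTNBMA')
    # … unchanged: MTU route and vici handling …
```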
diff --git a/src/etc/ppp/ip-pre-up b/src/etc/ppp/ip-pre-up deleted file mode 100755 index 05840650b..000000000 --- a/src/etc/ppp/ip-pre-up +++ /dev/null @@ -1,51 +0,0 @@ -#!/bin/sh -# -# This script is run by the pppd when the link is created. -# It uses run-parts to run scripts in /etc/ppp/ip-pre-up.d, to -# change name, setup firewall,etc you should create script(s) there. -# -# Be aware that other packages may include /etc/ppp/ip-pre-up.d scripts (named -# after that package), so choose local script names with that in mind. -# -# This script is called with the following arguments: -# Arg Name Example -# $1 Interface name ppp0 -# $2 The tty ttyS1 -# $3 The link speed 38400 -# $4 Local IP number 12.34.56.78 -# $5 Peer IP number 12.34.56.99 -# $6 Optional ``ipparam'' value foo - -# The environment is cleared before executing this script -# so the path must be reset -PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin -export PATH - -# These variables are for the use of the scripts run by run-parts -PPP_IFACE="$1" -PPP_TTY="$2" -PPP_SPEED="$3" -PPP_LOCAL="$4" -PPP_REMOTE="$5" -PPP_IPPARAM="$6" -export PPP_IFACE PPP_TTY PPP_SPEED PPP_LOCAL PPP_REMOTE PPP_IPPARAM - -# as an additional convenience, $PPP_TTYNAME is set to the tty name, -# stripped of /dev/ (if present) for easier matching. -PPP_TTYNAME=`/usr/bin/basename "$2"` -export PPP_TTYNAME - -# If /var/log/ppp-ipupdown.log exists use it for logging. -if [ -e /var/log/ppp-ipupdown.log ]; then - exec > /var/log/ppp-ipupdown.log 2>&1 - echo $0 $* - echo -fi - -# This script can be used to override the .d files supplied by other packages. -if [ -x /etc/ppp/ip-pre-up.local ]; then - exec /etc/ppp/ip-pre-up.local "$*" -fi - -run-parts /etc/ppp/ip-pre-up.d \ - --arg="$1" --arg="$2" --arg="$3" --arg="$4" --arg="$5" --arg="$6" diff --git a/src/etc/securetty b/src/etc/securetty new file mode 100644 index 000000000..17d8610a0 --- /dev/null +++ b/src/etc/securetty 
@@ -0,0 +1,83 @@ +# /etc/securetty: list of terminals on which root is allowed to login. +# See securetty(5) and login(1). +console + +# Standard serial ports +ttyS0 +ttyS1 + +# USB dongles +ttyUSB0 +ttyUSB1 +ttyUSB2 + +# Standard hypervisor virtual console +hvc0 + +# Oldstyle Xen console +xvc0 + +# Standard consoles +tty1 +tty2 +tty3 +tty4 +tty5 +tty6 +tty7 +tty8 +tty9 +tty10 +tty11 +tty12 +tty13 +tty14 +tty15 +tty16 +tty17 +tty18 +tty19 +tty20 +tty21 +tty22 +tty23 +tty24 +tty25 +tty26 +tty27 +tty28 +tty29 +tty30 +tty31 +tty32 +tty33 +tty34 +tty35 +tty36 +tty37 +tty38 +tty39 +tty40 +tty41 +tty42 +tty43 +tty44 +tty45 +tty46 +tty47 +tty48 +tty49 +tty50 +tty51 +tty52 +tty53 +tty54 +tty55 +tty56 +tty57 +tty58 +tty59 +tty60 +tty61 +tty62 +tty63 diff --git a/src/etc/security/capability.conf b/src/etc/security/capability.conf new file mode 100644 index 000000000..0a7235f16 --- /dev/null +++ b/src/etc/security/capability.conf @@ -0,0 +1,10 @@ +# this is a capability file (used in conjunction with the pam_cap.so module) + +# Special capability for Vyatta admin +all %vyattacfg + +# Vyatta Operator +cap_net_admin,cap_sys_boot,cap_audit_write %vyattaop + +## 'everyone else' gets no inheritable capabilities +none * diff --git a/src/etc/sudoers.d/vyos b/src/etc/sudoers.d/vyos new file mode 100644 index 000000000..f760b417f --- /dev/null +++ b/src/etc/sudoers.d/vyos 
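Review bot: `all %vyattacfg` hands every inheritable capability to the whole group; that is consistent with vyattacfg being the fully privileged admin group, but the file does not say so, and `# vyattacfg is the admin group and is treated as root-equivalent` above the line would make the intent explicit. pam_cap stops at the first line matching the user or one of its groups (verify against the libcap version shipped), so `none *` must remain last; add `# must stay the last line: first match wins` so a future reorder does not silently widen or void the grants. In securetty, `ttyUSB0`-`ttyUSB2` permit direct root login on any hot-plugged USB serial adapter, presumably for console dongles; stating that in the `# USB dongles` comment records the decision.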
@@ -0,0 +1,53 @@ +# +# VyOS modifications to sudo configuration +# +Defaults syslog_goodpri=info +Defaults env_keep+=VYATTA_* + +# +# Command groups allowed for operator users +# +Cmnd_Alias IPTABLES = /sbin/iptables --list -n,\ + /sbin/iptables -L -vn,\ + /sbin/iptables -L * -vn,\ + /sbin/iptables -t * -L *, \ + /sbin/iptables -Z *,\ + /sbin/iptables -Z -t nat, \ + /sbin/iptables -t * -Z * +Cmnd_Alias IP6TABLES = /sbin/ip6tables -t * -Z *, \ + /sbin/ip6tables -t * -L * +Cmnd_Alias CONNTRACK = /usr/sbin/conntrack -L *, \ + /usr/sbin/conntrack -G *, \ + /usr/sbin/conntrack -E * +Cmnd_Alias IPFLUSH = /sbin/ip route flush cache, \ + /sbin/ip route flush cache *,\ + /sbin/ip neigh flush to *, \ + /sbin/ip neigh flush dev *, \ + /sbin/ip -f inet6 route flush cache, \ + /sbin/ip -f inet6 route flush cache *,\ + /sbin/ip -f inet6 neigh flush to *, \ + /sbin/ip -f inet6 neigh flush dev * +Cmnd_Alias ETHTOOL = /sbin/ethtool -p *, \ + /sbin/ethtool -S *, \ + /sbin/ethtool -a *, \ + /sbin/ethtool -c *, \ + /sbin/ethtool -i * +Cmnd_Alias DMIDECODE = /usr/sbin/dmidecode +Cmnd_Alias DISK = /usr/bin/lsof, /sbin/fdisk -l *, /sbin/sfdisk -d * +Cmnd_Alias DATE = /bin/date, /usr/sbin/ntpdate +Cmnd_Alias PPPOE_CMDS = /sbin/pppd, /sbin/poff, /usr/sbin/pppstats +Cmnd_Alias PCAPTURE = /usr/bin/tcpdump +Cmnd_Alias HWINFO = /usr/bin/lspci +Cmnd_Alias FORCE_CLUSTER = /usr/share/heartbeat/hb_takeover, \ + /usr/share/heartbeat/hb_standby +%operator ALL=NOPASSWD: DATE, IPTABLES, ETHTOOL, IPFLUSH, HWINFO, \ + PPPOE_CMDS, PCAPTURE, /usr/sbin/wanpipemon, \ + DMIDECODE, DISK, CONNTRACK, IP6TABLES, \ + FORCE_CLUSTER + +# Allow any user to run files in sudo-users +%users ALL=NOPASSWD: /opt/vyatta/bin/sudo-users/ + +# Allow members of group sudo to execute any command +%sudo ALL=NOPASSWD: ALL + diff --git a/src/etc/sysctl.d/30-vyos-router.conf b/src/etc/sysctl.d/30-vyos-router.conf index 8265e12dc..e03d3a29c 100644 --- a/src/etc/sysctl.d/30-vyos-router.conf +++ b/src/etc/sysctl.d/30-vyos-router.conf 
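Review bot: `%operator ALL=NOPASSWD: ... PPPOE_CMDS, PCAPTURE ...` grants root execution of `/usr/bin/tcpdump` and `/sbin/pppd` with unrestricted arguments, and both are well-known escalation paths — `tcpdump -w <file> -z <cmd>` runs an arbitrary command as root after rotation and `pppd plugin <path.so>` loads arbitrary code — so an operator-level account is effectively root. `DATE` (`date -s` sets the clock), `DISK`/`/usr/bin/lsof` with no argument restriction and `/usr/sbin/wanpipemon` widen the same gap. If operator is meant to be a lesser role, route these through root-owned wrapper scripts that fix the argument vector and list the wrappers here; otherwise add `# NOTE: operator is an administrative convenience, not a security boundary` so nobody relies on it. `%users ALL=NOPASSWD: /opt/vyatta/bin/sudo-users/` depends on that directory and every file in it being root-owned and non-writable; a comment stating that invariant and where it is enforced belongs next to the rule.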
@@ -72,6 +72,12 @@ net.ipv4.conf.default.send_redirects=1
 # Increase size of buffer for netlink
 net.core.rmem_max=2097152
 
+# Remove IPv4 and IPv6 routes from forward information base when link goes down
+net.ipv4.conf.all.ignore_routes_with_linkdown=1
+net.ipv4.conf.default.ignore_routes_with_linkdown=1
+net.ipv6.conf.all.ignore_routes_with_linkdown=1
+net.ipv6.conf.default.ignore_routes_with_linkdown=1
+
 # Enable packet forwarding for IPv6
 net.ipv6.conf.all.forwarding=1
 
@@ -81,6 +87,7 @@ net.ipv6.route.max_size = 262144
 # Do not forget IPv6 addresses when a link goes down
 net.ipv6.conf.default.keep_addr_on_down=1
 net.ipv6.conf.all.keep_addr_on_down=1
+net.ipv6.route.skip_notify_on_dev_down=1
 
 # Default value of 20 seems to interfere with larger OSPF and VRRP setups
 net.ipv4.igmp_max_memberships = 512
diff --git a/src/etc/systemd/system/LCDd.service.d/override.conf b/src/etc/systemd/system/LCDd.service.d/override.conf
deleted file mode 100644
index 5f3f0dc95..000000000
--- a/src/etc/systemd/system/LCDd.service.d/override.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-[Unit]
-After=
-After=vyos-router.service
-
-[Service]
-ExecStart=
-ExecStart=/usr/sbin/LCDd -c /run/LCDd/LCDd.conf
-
diff --git a/src/etc/systemd/system/ModemManager.service.d/override.conf b/src/etc/systemd/system/ModemManager.service.d/override.conf
new file mode 100644
index 000000000..07a18460e
--- /dev/null
+++ b/src/etc/systemd/system/ModemManager.service.d/override.conf
@@ -0,0 +1,7 @@
+[Unit]
+After=
+After=vyos-router.service
+
+[Service]
+ExecStart=
+ExecStart=/usr/sbin/ModemManager --filter-policy=strict --log-level=INFO --log-timestamps --log-journal
diff --git a/src/etc/systemd/system/radvd.service.d/override.conf b/src/etc/systemd/system/radvd.service.d/override.conf
index c2f640cf5..472710a8b 100644
--- a/src/etc/systemd/system/radvd.service.d/override.conf
+++ b/src/etc/systemd/system/radvd.service.d/override.conf
@@ -1,4 +1,5 @@
 [Unit]
+ConditionPathExists=
 ConditionPathExists=/run/radvd/radvd.conf
 After=
 After=vyos-router.service
diff --git a/src/etc/udev/rules.d/99-vyos-wwan.rules b/src/etc/udev/rules.d/99-vyos-wwan.rules
deleted file mode 100644
index 67f30a3dd..000000000
--- a/src/etc/udev/rules.d/99-vyos-wwan.rules
+++ /dev/null
@@ -1,11 +0,0 @@
-ACTION!="add|change", GOTO="mbim_to_qmi_rules_end"
-
-SUBSYSTEM!="usb", GOTO="mbim_to_qmi_rules_end"
-
-# ignore any device with only one configuration
-ATTR{bNumConfigurations}=="1", GOTO="mbim_to_qmi_rules_end"
-
-# force Sierra Wireless MC7710 to configuration #1
-ATTR{idVendor}=="1199",ATTR{idProduct}=="68a2",ATTR{bConfigurationValue}="1"
-
-LABEL="mbim_to_qmi_rules_end"
diff --git a/src/etc/vmware-tools/scripts/resume-vm-default.d/ether-resume.py b/src/etc/vmware-tools/scripts/resume-vm-default.d/ether-resume.py
index dc751c45c..4e7fb117c 100755
--- a/src/etc/vmware-tools/scripts/resume-vm-default.d/ether-resume.py
+++ b/src/etc/vmware-tools/scripts/resume-vm-default.d/ether-resume.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2018-2020 VyOS maintainers and contributors
+# Copyright (C) 2018-2021 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -15,48 +15,46 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. import sys -import syslog as sl +import syslog from vyos.config import Config from vyos import ConfigError from vyos.util import run - def get_config(): c = Config() interfaces = dict() for intf in c.list_effective_nodes('interfaces ethernet'): - # skip interfaces that are disabled or is configured for dhcp - check_disable = "interfaces ethernet {} disable".format(intf) - check_dhcp = "interfaces ethernet {} address dhcp".format(intf) + # skip interfaces that are disabled + check_disable = f'interfaces ethernet {intf} disable' if c.exists_effective(check_disable): continue # get addresses configured on the interface intf_addresses = c.return_effective_values( - "interfaces ethernet {} address".format(intf) - ) + f'interfaces ethernet {intf} address') interfaces[intf] = [addr.strip("'") for addr in intf_addresses] return interfaces - def apply(config): + syslog.openlog(ident='ether-resume', logoption=syslog.LOG_PID, + facility=syslog.LOG_INFO) + for intf, addresses in config.items(): # bring the interface up - cmd = ["ip", "link", "set", "dev", intf, "up"] - sl.syslog(sl.LOG_NOTICE, " ".join(cmd)) + cmd = f'ip link set dev {intf} up' + syslog.syslog(cmd) run(cmd) # add configured addresses to interface for addr in addresses: - if addr == "dhcp": - cmd = ["dhclient", intf] - else: - cmd = ["ip", "address", "add", addr, "dev", intf] - sl.syslog(sl.LOG_NOTICE, " ".join(cmd)) + # dhcp is handled by netplug + if addr in ['dhcp', 'dhcpv6']: + continue + cmd = f'ip address add {addr} dev {intf}' + syslog.syslog(cmd) run(cmd) - if __name__ == '__main__': try: config = get_config() diff --git a/src/etc/vmware-tools/tools.conf b/src/etc/vmware-tools/tools.conf new file mode 100644 index 000000000..da98a4f85 --- /dev/null +++ b/src/etc/vmware-tools/tools.conf @@ -0,0 +1,2 @@ +[guestinfo] + poll-interval=30 
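Review bot: `syslog.openlog(ident='ether-resume', logoption=syslog.LOG_PID, facility=syslog.LOG_INFO)` passes a priority constant as the facility; `LOG_INFO` is 6, which the facility mask folds into the kernel facility, so these messages are filed as kern.info rather than under a daemon facility. Use `facility=syslog.LOG_DAEMON`. Both `run(cmd)` calls discard the exit status, so a failed `ip link set` or `ip address add` leaves no trace; `rc = run(cmd)` followed by `if rc != 0: syslog.syslog(f'{cmd} failed ({rc})')` keeps the script best-effort while recording the failure. The hunk ends inside the `__main__` block, which continues outside it.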
diff --git a/src/helpers/strip-private.py b/src/helpers/strip-private.py index 420a039eb..c165d2cba 100755 --- a/src/helpers/strip-private.py +++ b/src/helpers/strip-private.py @@ -116,32 +116,33 @@ if __name__ == "__main__": (True, re.compile(r'pre-shared-secret \S+'), 'pre-shared-secret xxxxxx'), # Strip OSPF md5-key (True, re.compile(r'md5-key \S+'), 'md5-key xxxxxx'), - + # Strip WireGuard private-key + (True, re.compile(r'private-key \S+'), 'private-key xxxxxx'), + # Strip MAC addresses (args.mac, re.compile(r'([0-9a-fA-F]{2}\:){5}([0-9a-fA-F]{2}((\:{0,1})){3})'), r'XX:XX:XX:XX:XX:\2'), # Strip host-name, domain-name, and domain-search (args.hostname, re.compile(r'(host-name|domain-name|domain-search) \S+'), r'\1 xxxxxx'), - + # Strip user-names (args.username, re.compile(r'(user|username|user-id) \S+'), r'\1 xxxxxx'), # Strip full-name (args.username, re.compile(r'(full-name) [ -_A-Z a-z]+'), r'\1 xxxxxx'), - + # Strip DHCP static-mapping and shared network names (args.dhcp, re.compile(r'(shared-network-name|static-mapping) \S+'), r'\1 xxxxxx'), - + # Strip host/domain names (args.domain, re.compile(r' (peer|remote-host|local-host|server) ([\w-]+\.)+[\w-]+'), r' \1 xxxxx.tld'), - + # Strip BGP ASNs (args.asn, re.compile(r'(bgp|remote-as) (\d+)'), r'\1 XXXXXX'), - + # Strip LLDP location parameters (args.lldp, re.compile(r'(altitude|datum|latitude|longitude|ca-value|country-code) (\S+)'), r'\1 xxxxxx'), - + # Strip SNMP location (args.snmp, re.compile(r'(location) \S+'), r'\1 xxxxxx'), ] strip_lines(stripping_rules) - diff --git a/src/helpers/vyos-bridge-sync.py b/src/helpers/vyos-bridge-sync.py deleted file mode 100755 index 097d28d85..000000000 --- a/src/helpers/vyos-bridge-sync.py +++ /dev/null 
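Review bot: The new rule `(True, re.compile(r'private-key \S+'), 'private-key xxxxxx')` redacts the WireGuard interface key, but VyOS WireGuard peers also carry a `preshared-key` value and the visible rules only cover `pre-shared-secret`; unless a rule above this hunk handles it, add `(True, re.compile(r'preshared-key \S+'), 'preshared-key xxxxxx'),` beside the new line. Because the rule is unconditional (`True`), it also redacts any other node named `private-key`, which is the right default for a sanitiser but worth stating: `# Strip private-key values (WireGuard and any other node using that name)`. The `stripping_rules` list starts before this hunk.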
@@ -1,51 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2019 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. -# - -# Script is used to synchronize configured bridge interfaces. -# one can add a non existing interface to a bridge group (e.g. VLAN) -# but the vlan interface itself does yet not exist. It should be added -# to the bridge automatically once it's available - -import argparse -from sys import exit -from time import sleep - -from vyos.config import Config -from vyos.util import cmd, run - - -if __name__ == '__main__': - parser = argparse.ArgumentParser() - parser.add_argument('-i', '--interface', action='store', help='Interface name which should be added to bridge it is configured for', required=True) - args, unknownargs = parser.parse_known_args() - - conf = Config() - if not conf.list_nodes('interfaces bridge'): - # no bridge interfaces exist .. bail out early - exit(0) - else: - for bridge in conf.list_nodes('interfaces bridge'): - for member_if in conf.list_nodes('interfaces bridge {} member interface'.format(bridge)): - if args.interface == member_if: - command = 'brctl addif "{}" "{}"'.format(bridge, args.interface) - # let interfaces etc. settle - especially required for OpenVPN bridged interfaces - sleep(4) - # XXX: This is ignoring any issue, should be cmd but kept as it - # XXX: during the migration to not cause any regression - run(command) - - exit(0) 
diff --git a/src/migration-scripts/https/2-to-3 b/src/migration-scripts/https/2-to-3 new file mode 100755 index 000000000..fa29fdd18 --- /dev/null +++ b/src/migration-scripts/https/2-to-3 
@@ -0,0 +1,86 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2021 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +# * Migrate system signed certificate to use PKI + +import sys + +from vyos.configtree import ConfigTree +from vyos.pki import create_certificate +from vyos.pki import create_certificate_request +from vyos.pki import create_private_key +from vyos.pki import encode_certificate +from vyos.pki import encode_private_key + +if (len(sys.argv) < 2): + print("Must specify file name!") + sys.exit(1) + +file_name = sys.argv[1] + +with open(file_name, 'r') as f: + config_file = f.read() + +config = ConfigTree(config_file) + +base = ['service', 'https', 'certificates'] +pki_base = ['pki'] + +if not config.exists(base + ['system-generated-certificate']): + sys.exit(0) + +def wrapped_pem_to_config_value(pem): + out = [] + for line in pem.strip().split("\n"): + if not line or line.startswith("-----") or line[0] == '#': + continue + out.append(line) + return "".join(out) + +if not config.exists(pki_base + ['certificate']): + config.set(pki_base + ['certificate']) + config.set_tag(pki_base + ['certificate']) + +valid_days = 365 +if config.exists(base + ['system-generated-certificate', 'lifetime']): + valid_days = int(config.return_value(base + ['system-generated-certificate', 'lifetime'])) + +key = create_private_key('rsa', 2048) +subject = {'country': 'GB', 'state': 'N/A', 'locality': 'N/A', 
'organization': 'VyOS', 'common_name': 'vyos'} +cert_req = create_certificate_request(subject, key, ['vyos']) +cert = create_certificate(cert_req, cert_req, key, valid_days) + +if cert: + cert_pem = encode_certificate(cert) + config.set(pki_base + ['certificate', 'generated_https', 'certificate'], value=wrapped_pem_to_config_value(cert_pem)) + +if key: + key_pem = encode_private_key(key) + config.set(pki_base + ['certificate', 'generated_https', 'private', 'key'], value=wrapped_pem_to_config_value(key_pem)) + +if cert and key: + config.set(base + ['certificate'], value='generated_https') +else: + print('Failed to migrate system-generated-certificate from https service') + +config.delete(base + ['system-generated-certificate']) + +try: + with open(file_name, 'w') as f: + f.write(config.to_string()) +except OSError as e: + print("Failed to save the modified config: {}".format(e)) + sys.exit(1) diff --git a/src/migration-scripts/interfaces/18-to-19 b/src/migration-scripts/interfaces/18-to-19 index 06e07572f..a12c4a6cd 100755 --- a/src/migration-scripts/interfaces/18-to-19 +++ b/src/migration-scripts/interfaces/18-to-19 
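Review bot: `config.delete(base + ['system-generated-certificate'])` runs unconditionally, so when `create_certificate` returns nothing the script prints a warning, drops the only certificate setting `service https` had, and still exits 0 — the upgrade proceeds with the HTTPS service left without any certificate reference and no non-zero status for the caller to notice. Moving the delete under `if cert and key:` and adding `sys.exit(1)` to the `else` branch would make the failure visible rather than silent. Note also that the freshly generated RSA key is stored in clear text in the config tree under `pki certificate generated_https private key`, so anything that displays or exports the configuration has to treat that node as a secret; a one-line comment above that `config.set(...)` call stating this would be worth adding.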
@@ -14,65 +14,31 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. +import os + from sys import argv from sys import exit -from vyos.configtree import ConfigTree - -def migrate_ospf(config, path, interface): - path = path + ['ospf'] - if config.exists(path): - new_base = ['protocols', 'ospf', 'interface'] - config.set(new_base) - config.set_tag(new_base) - config.copy(path, new_base + [interface]) - config.delete(path) - - # if "ip ospf" was the only setting, we can clean out the empty - # ip node afterwards - if len(config.list_nodes(path[:-1])) == 0: - config.delete(path[:-1]) - -def migrate_ospfv3(config, path, interface): - path = path + ['ospfv3'] - if config.exists(path): - new_base = ['protocols', 'ospfv3', 'interface'] - config.set(new_base) - config.set_tag(new_base) - config.copy(path, new_base + [interface]) - config.delete(path) - # if "ipv6 ospfv3" was the only setting, we can clean out the empty - # ip node afterwards - if len(config.list_nodes(path[:-1])) == 0: - config.delete(path[:-1]) - -def migrate_rip(config, path, interface): - path = path + ['rip'] - if config.exists(path): - new_base = ['protocols', 'rip', 'interface'] - config.set(new_base) - config.set_tag(new_base) - config.copy(path, new_base + [interface]) - config.delete(path) - - # if "ip rip" was the only setting, we can clean out the empty - # ip node afterwards - if len(config.list_nodes(path[:-1])) == 0: - config.delete(path[:-1]) +from vyos.configtree import ConfigTree -def migrate_ripng(config, path, interface): - path = path + ['ripng'] - if config.exists(path): - new_base = ['protocols', 'ripng', 'interface'] - config.set(new_base) - config.set_tag(new_base) - config.copy(path, new_base + [interface]) - config.delete(path) +def replace_nat_interfaces(config, old, new): + if not config.exists(['nat']): + return + for direction in ['destination', 'source']: + conf_direction = ['nat', 
direction, 'rule'] + if not config.exists(conf_direction): + return + for rule in config.list_nodes(conf_direction): + conf_rule = conf_direction + [rule] + if config.exists(conf_rule + ['inbound-interface']): + tmp = config.return_value(conf_rule + ['inbound-interface']) + if tmp == old: + config.set(conf_rule + ['inbound-interface'], value=new) + if config.exists(conf_rule + ['outbound-interface']): + tmp = config.return_value(conf_rule + ['outbound-interface']) + if tmp == old: + config.set(conf_rule + ['outbound-interface'], value=new) - # if "ipv6 ripng" was the only setting, we can clean out the empty - # ip node afterwards - if len(config.list_nodes(path[:-1])) == 0: - config.delete(path[:-1]) if __name__ == '__main__': if (len(argv) < 1): 
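Review bot: In `replace_nat_interfaces` the `if not config.exists(conf_direction): return` inside the `for direction in ['destination', 'source']` loop returns from the whole function, so a configuration with no destination NAT rules never has its source NAT rules rewritten and they keep referencing the old wirelessmodem interface name after the rename. That line should be `continue`. A short docstring such as `"""Rewrite inbound/outbound-interface references in NAT rules from old to new."""` would help, since the helper is now the only place NAT rules are touched by this migration.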
@@ -80,62 +46,58 @@ if __name__ == '__main__': exit(1) file_name = argv[1] + with open(file_name, 'r') as f: config_file = f.read() config = ConfigTree(config_file) - - # - # Migrate "interface ethernet eth0 ip ospf" to "protocols ospf interface eth0" - # - for type in config.list_nodes(['interfaces']): - for interface in config.list_nodes(['interfaces', type]): - ip_base = ['interfaces', type, interface, 'ip'] - ipv6_base = ['interfaces', type, interface, 'ipv6'] - migrate_rip(config, ip_base, interface) - migrate_ripng(config, ipv6_base, interface) - migrate_ospf(config, ip_base, interface) - migrate_ospfv3(config, ipv6_base, interface) - - vif_path = ['interfaces', type, interface, 'vif'] - if config.exists(vif_path): - for vif in config.list_nodes(vif_path): - vif_ip_base = vif_path + [vif, 'ip'] - vif_ipv6_base = vif_path + [vif, 'ipv6'] - ifname = f'{interface}.{vif}' - - migrate_rip(config, vif_ip_base, ifname) - migrate_ripng(config, vif_ipv6_base, ifname) - migrate_ospf(config, vif_ip_base, ifname) - migrate_ospfv3(config, vif_ipv6_base, ifname) - - - vif_s_path = ['interfaces', type, interface, 'vif-s'] - if config.exists(vif_s_path): - for vif_s in config.list_nodes(vif_s_path): - vif_s_ip_base = vif_s_path + [vif_s, 'ip'] - vif_s_ipv6_base = vif_s_path + [vif_s, 'ipv6'] - - # vif-c interfaces MUST be migrated before their parent vif-s - # interface as the migrate_*() functions delete the path! 
- vif_c_path = ['interfaces', type, interface, 'vif-s', vif_s, 'vif-c'] - if config.exists(vif_c_path): - for vif_c in config.list_nodes(vif_c_path): - vif_c_ip_base = vif_c_path + [vif_c, 'ip'] - vif_c_ipv6_base = vif_c_path + [vif_c, 'ipv6'] - ifname = f'{interface}.{vif_s}.{vif_c}' - - migrate_rip(config, vif_c_ip_base, ifname) - migrate_ripng(config, vif_c_ipv6_base, ifname) - migrate_ospf(config, vif_c_ip_base, ifname) - migrate_ospfv3(config, vif_c_ipv6_base, ifname) - - - ifname = f'{interface}.{vif_s}' - migrate_rip(config, vif_s_ip_base, ifname) - migrate_ripng(config, vif_s_ipv6_base, ifname) - migrate_ospf(config, vif_s_ip_base, ifname) - migrate_ospfv3(config, vif_s_ipv6_base, ifname) + base = ['interfaces', 'wirelessmodem'] + if not config.exists(base): + # Nothing to do + exit(0) + + new_base = ['interfaces', 'wwan'] + config.set(new_base) + config.set_tag(new_base) + for old_interface in config.list_nodes(base): + # convert usb0b1.3p1.2 device identifier and extract 1.3 usb bus id + usb = config.return_value(base + [old_interface, 'device']) + device = usb.split('b')[-1] + busid = device.split('p')[0] + for new_interface in os.listdir('/sys/class/net'): + # we are only interested in interfaces starting with wwan + if not new_interface.startswith('wwan'): + continue + device = os.readlink(f'/sys/class/net/{new_interface}/device') + device = device.split(':')[0] + if busid in device: + config.copy(base + [old_interface], new_base + [new_interface]) + replace_nat_interfaces(config, old_interface, new_interface) + + config.delete(base) + + # Now that we have copied the old wirelessmodem interfaces to wwan + # we can start to migrate also individual config items. 
+ for interface in config.list_nodes(new_base): + # we do no longer need the USB device name + config.delete(new_base + [interface, 'device']) + # set/unset DNS configuration + dns = new_base + [interface, 'no-peer-dns'] + if config.exists(dns): + config.delete(dns) + else: + config.set(['system', 'name-servers-dhcp'], value=interface, replace=False) + + # Backup distance is now handled by DHCP option "default-route-distance" + distance = dns = new_base + [interface, 'backup', 'distance'] + old_default_distance = '10' + if config.exists(distance): + old_default_distance = config.return_value(distance) + config.delete(distance) + config.set(new_base + [interface, 'dhcp-options', 'default-route-distance'], value=old_default_distance) + + # the new wwan interface use regular IP addressing + config.set(new_base + [interface, 'address'], value='dhcp') try: with open(file_name, 'w') as f: diff --git a/src/migration-scripts/interfaces/20-to-21 b/src/migration-scripts/interfaces/20-to-21 new file mode 100755 index 000000000..06e07572f --- /dev/null +++ b/src/migration-scripts/interfaces/20-to-21 
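Review bot: When no `/sys/class/net/wwan*` device shares the USB bus id extracted from the old `device` value, the inner `for new_interface in os.listdir(...)` loop matches nothing and `config.delete(base)` then removes the wirelessmodem configuration without a word — the migration depends on the modem being plugged in and enumerated at upgrade time, and a missing modem silently loses its settings. A per-interface found flag with a printed notice, e.g. `print(f'Unable to map wirelessmodem {old_interface} to a wwan interface, dropping its configuration')`, would at least leave a trace in the migration output. `busid in device` is a substring test, so bus id `1.3` also matches `1.30` or `11.3`; comparing the trailing path component exactly, or a comment stating why a substring match is intended, would make the mapping clearer. `distance = dns = new_base + [...]` also rebinds `dns` for no reason; drop the second name.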
@@ -0,0 +1,145 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2021 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +from sys import argv +from sys import exit +from vyos.configtree import ConfigTree + +def migrate_ospf(config, path, interface): + path = path + ['ospf'] + if config.exists(path): + new_base = ['protocols', 'ospf', 'interface'] + config.set(new_base) + config.set_tag(new_base) + config.copy(path, new_base + [interface]) + config.delete(path) + + # if "ip ospf" was the only setting, we can clean out the empty + # ip node afterwards + if len(config.list_nodes(path[:-1])) == 0: + config.delete(path[:-1]) + +def migrate_ospfv3(config, path, interface): + path = path + ['ospfv3'] + if config.exists(path): + new_base = ['protocols', 'ospfv3', 'interface'] + config.set(new_base) + config.set_tag(new_base) + config.copy(path, new_base + [interface]) + config.delete(path) + + # if "ipv6 ospfv3" was the only setting, we can clean out the empty + # ip node afterwards + if len(config.list_nodes(path[:-1])) == 0: + config.delete(path[:-1]) + +def migrate_rip(config, path, interface): + path = path + ['rip'] + if config.exists(path): + new_base = ['protocols', 'rip', 'interface'] + config.set(new_base) + config.set_tag(new_base) + config.copy(path, new_base + [interface]) + config.delete(path) + + # if "ip rip" was the only setting, we can clean out the empty + # ip node afterwards + if 
len(config.list_nodes(path[:-1])) == 0: + config.delete(path[:-1]) + +def migrate_ripng(config, path, interface): + path = path + ['ripng'] + if config.exists(path): + new_base = ['protocols', 'ripng', 'interface'] + config.set(new_base) + config.set_tag(new_base) + config.copy(path, new_base + [interface]) + config.delete(path) + + # if "ipv6 ripng" was the only setting, we can clean out the empty + # ip node afterwards + if len(config.list_nodes(path[:-1])) == 0: + config.delete(path[:-1]) + +if __name__ == '__main__': + if (len(argv) < 1): + print("Must specify file name!") + exit(1) + + file_name = argv[1] + with open(file_name, 'r') as f: + config_file = f.read() + + config = ConfigTree(config_file) + + # + # Migrate "interface ethernet eth0 ip ospf" to "protocols ospf interface eth0" + # + for type in config.list_nodes(['interfaces']): + for interface in config.list_nodes(['interfaces', type]): + ip_base = ['interfaces', type, interface, 'ip'] + ipv6_base = ['interfaces', type, interface, 'ipv6'] + migrate_rip(config, ip_base, interface) + migrate_ripng(config, ipv6_base, interface) + migrate_ospf(config, ip_base, interface) + migrate_ospfv3(config, ipv6_base, interface) + + vif_path = ['interfaces', type, interface, 'vif'] + if config.exists(vif_path): + for vif in config.list_nodes(vif_path): + vif_ip_base = vif_path + [vif, 'ip'] + vif_ipv6_base = vif_path + [vif, 'ipv6'] + ifname = f'{interface}.{vif}' + + migrate_rip(config, vif_ip_base, ifname) + migrate_ripng(config, vif_ipv6_base, ifname) + migrate_ospf(config, vif_ip_base, ifname) + migrate_ospfv3(config, vif_ipv6_base, ifname) + + + vif_s_path = ['interfaces', type, interface, 'vif-s'] + if config.exists(vif_s_path): + for vif_s in config.list_nodes(vif_s_path): + vif_s_ip_base = vif_s_path + [vif_s, 'ip'] + vif_s_ipv6_base = vif_s_path + [vif_s, 'ipv6'] + + # vif-c interfaces MUST be migrated before their parent vif-s + # interface as the migrate_*() functions delete the path! 
+ vif_c_path = ['interfaces', type, interface, 'vif-s', vif_s, 'vif-c'] + if config.exists(vif_c_path): + for vif_c in config.list_nodes(vif_c_path): + vif_c_ip_base = vif_c_path + [vif_c, 'ip'] + vif_c_ipv6_base = vif_c_path + [vif_c, 'ipv6'] + ifname = f'{interface}.{vif_s}.{vif_c}' + + migrate_rip(config, vif_c_ip_base, ifname) + migrate_ripng(config, vif_c_ipv6_base, ifname) + migrate_ospf(config, vif_c_ip_base, ifname) + migrate_ospfv3(config, vif_c_ipv6_base, ifname) + + + ifname = f'{interface}.{vif_s}' + migrate_rip(config, vif_s_ip_base, ifname) + migrate_ripng(config, vif_s_ipv6_base, ifname) + migrate_ospf(config, vif_s_ip_base, ifname) + migrate_ospfv3(config, vif_s_ipv6_base, ifname) + + try: + with open(file_name, 'w') as f: + f.write(config.to_string()) + except OSError as e: + print("Failed to save the modified config: {}".format(e)) + exit(1) diff --git a/src/migration-scripts/interfaces/21-to-22 b/src/migration-scripts/interfaces/21-to-22 new file mode 100755 index 000000000..d1ec2ad3e --- /dev/null +++ b/src/migration-scripts/interfaces/21-to-22 
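Review bot: `if (len(argv) < 1):` can never be true because `argv[0]` is always present, so running the script without a file name skips the intended error and instead fails with an `IndexError` on `file_name = argv[1]`; the guard should be `if len(argv) < 2:`. The same off-by-one guard appears in the other new migration scripts in this changeset (`21-to-22`, `22-to-23`, `ipsec/5-to-6`), while `https/2-to-3` has the correct `< 2`. Since this file is otherwise the previous `18-to-19` body moved verbatim, fixing the guard here and in the siblings is a low-risk cleanup.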
@@ -0,0 +1,60 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2021 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +# A VTI interface also requires an IPSec configuration - VyOS 1.2 supported +# having a VTI interface in the CLI but no IPSec configuration - drop VTI +# configuration if this is the case for VyOS 1.4 + +import sys +from vyos.configtree import ConfigTree + +if __name__ == '__main__': + if (len(sys.argv) < 1): + print("Must specify file name!") + sys.exit(1) + + file_name = sys.argv[1] + + with open(file_name, 'r') as f: + config_file = f.read() + + config = ConfigTree(config_file) + base = ['interfaces', 'vti'] + if not config.exists(base): + # Nothing to do + sys.exit(0) + + ipsec_base = ['vpn', 'ipsec', 'site-to-site', 'peer'] + for interface in config.list_nodes(base): + found = False + if config.exists(ipsec_base): + for peer in config.list_nodes(ipsec_base): + if config.exists(ipsec_base + [peer, 'vti', 'bind']): + tmp = config.return_value(ipsec_base + [peer, 'vti', 'bind']) + if tmp == interface: + # Interface was found and we no longer need to search + # for it in our IPSec peers + found = True + break + if not found: + config.delete(base + [interface]) + + try: + with open(file_name, 'w') as f: + f.write(config.to_string()) + except OSError as e: + print("Failed to save the modified config: {}".format(e)) + sys.exit(1) 
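Review bot: The loop deletes every `interfaces vti` node that no `vpn ipsec site-to-site peer * vti bind` references, but says nothing when it does so; a user whose VTI was wired up differently simply loses the interface and its addresses after the upgrade with nothing in the migration output. A `print(f'Removing VTI interface {interface}: no IPsec peer binds to it')` immediately before `config.delete(base + [interface])` would leave a trace. The file-name guard `if (len(sys.argv) < 1)` is also off by one and never triggers; use `< 2`.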
diff --git a/src/migration-scripts/interfaces/22-to-23 b/src/migration-scripts/interfaces/22-to-23 new file mode 100755 index 000000000..93ce9215f --- /dev/null +++ b/src/migration-scripts/interfaces/22-to-23 
@@ -0,0 +1,369 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2021 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +# Migrate Wireguard to store keys in CLI +# Migrate EAPoL to PKI configuration + +import os +import sys +from vyos.configtree import ConfigTree +from vyos.pki import load_certificate +from vyos.pki import load_crl +from vyos.pki import load_dh_parameters +from vyos.pki import load_private_key +from vyos.pki import encode_certificate +from vyos.pki import encode_dh_parameters +from vyos.pki import encode_private_key +from vyos.util import run + +def wrapped_pem_to_config_value(pem): + out = [] + for line in pem.strip().split("\n"): + if not line or line.startswith("-----") or line[0] == '#': + continue + out.append(line) + return "".join(out) + +def read_file_for_pki(config_auth_path): + full_path = os.path.join(AUTH_DIR, config_auth_path) + output = None + + if os.path.isfile(full_path): + if not os.access(full_path, os.R_OK): + run(f'sudo chmod 644 {full_path}') + + with open(full_path, 'r') as f: + output = f.read() + + return output + +if (len(sys.argv) < 1): + print("Must specify file name!") + sys.exit(1) + +file_name = sys.argv[1] + +with open(file_name, 'r') as f: + config_file = f.read() + +config = ConfigTree(config_file) + +AUTH_DIR = '/config/auth' +pki_base = ['pki'] + +# OpenVPN +base = ['interfaces', 'openvpn'] + +if config.exists(base): + for interface in 
config.list_nodes(base): + x509_base = base + [interface, 'tls'] + pki_name = f'openvpn_{interface}' + + if config.exists(base + [interface, 'shared-secret-key-file']): + if not config.exists(pki_base + ['openvpn', 'shared-secret']): + config.set(pki_base + ['openvpn', 'shared-secret']) + config.set_tag(pki_base + ['openvpn', 'shared-secret']) + + key_file = config.return_value(base + [interface, 'shared-secret-key-file']) + key = read_file_for_pki(key_file) + key_pki_name = f'{pki_name}_shared' + + if key: + config.set(pki_base + ['openvpn', 'shared-secret', key_pki_name, 'key'], value=wrapped_pem_to_config_value(key)) + config.set(pki_base + ['openvpn', 'shared-secret', key_pki_name, 'version'], value='1') + config.set(base + [interface, 'shared-secret-key'], value=key_pki_name) + else: + print(f'Failed to migrate shared-secret-key on openvpn interface {interface}') + + config.delete(base + [interface, 'shared-secret-key-file']) + + if not config.exists(base + [interface, 'tls']): + continue + + if config.exists(base + [interface, 'tls', 'auth-file']): + if not config.exists(pki_base + ['openvpn', 'shared-secret']): + config.set(pki_base + ['openvpn', 'shared-secret']) + config.set_tag(pki_base + ['openvpn', 'shared-secret']) + + key_file = config.return_value(base + [interface, 'tls', 'auth-file']) + key = read_file_for_pki(key_file) + key_pki_name = f'{pki_name}_auth' + + if key: + config.set(pki_base + ['openvpn', 'shared-secret', key_pki_name, 'key'], value=wrapped_pem_to_config_value(key)) + config.set(pki_base + ['openvpn', 'shared-secret', key_pki_name, 'version'], value='1') + config.set(base + [interface, 'tls', 'auth-key'], value=key_pki_name) + else: + print(f'Failed to migrate auth-key on openvpn interface {interface}') + + config.delete(base + [interface, 'tls', 'auth-file']) + + if config.exists(base + [interface, 'tls', 'crypt-file']): + if not config.exists(pki_base + ['openvpn', 'shared-secret']): + config.set(pki_base + ['openvpn', 
'shared-secret']) + config.set_tag(pki_base + ['openvpn', 'shared-secret']) + + key_file = config.return_value(base + [interface, 'tls', 'crypt-file']) + key = read_file_for_pki(key_file) + key_pki_name = f'{pki_name}_crypt' + + if key: + config.set(pki_base + ['openvpn', 'shared-secret', key_pki_name, 'key'], value=wrapped_pem_to_config_value(key)) + config.set(pki_base + ['openvpn', 'shared-secret', key_pki_name, 'version'], value='1') + config.set(base + [interface, 'tls', 'crypt-key'], value=key_pki_name) + else: + print(f'Failed to migrate crypt-key on openvpn interface {interface}') + + config.delete(base + [interface, 'tls', 'crypt-file']) + + if config.exists(x509_base + ['ca-cert-file']): + if not config.exists(pki_base + ['ca']): + config.set(pki_base + ['ca']) + config.set_tag(pki_base + ['ca']) + + cert_file = config.return_value(x509_base + ['ca-cert-file']) + cert_path = os.path.join(AUTH_DIR, cert_file) + cert = None + + if os.path.isfile(cert_path): + if not os.access(cert_path, os.R_OK): + run(f'sudo chmod 644 {cert_path}') + + with open(cert_path, 'r') as f: + cert_data = f.read() + cert = load_certificate(cert_data, wrap_tags=False) + + if cert: + cert_pem = encode_certificate(cert) + config.set(pki_base + ['ca', pki_name, 'certificate'], value=wrapped_pem_to_config_value(cert_pem)) + config.set(x509_base + ['ca-certificate'], value=pki_name) + else: + print(f'Failed to migrate CA certificate on openvpn interface {interface}') + + config.delete(x509_base + ['ca-cert-file']) + + if config.exists(x509_base + ['crl-file']): + if not config.exists(pki_base + ['ca']): + config.set(pki_base + ['ca']) + config.set_tag(pki_base + ['ca']) + + crl_file = config.return_value(x509_base + ['crl-file']) + crl_path = os.path.join(AUTH_DIR, crl_file) + crl = None + + if os.path.isfile(crl_path): + if not os.access(crl_path, os.R_OK): + run(f'sudo chmod 644 {crl_path}') + + with open(crl_path, 'r') as f: + crl_data = f.read() + crl = load_crl(crl_data, 
wrap_tags=False) + + if crl: + crl_pem = encode_certificate(crl) + config.set(pki_base + ['ca', pki_name, 'crl'], value=wrapped_pem_to_config_value(crl_pem)) + else: + print(f'Failed to migrate CRL on openvpn interface {interface}') + + config.delete(x509_base + ['crl-file']) + + if config.exists(x509_base + ['cert-file']): + if not config.exists(pki_base + ['certificate']): + config.set(pki_base + ['certificate']) + config.set_tag(pki_base + ['certificate']) + + cert_file = config.return_value(x509_base + ['cert-file']) + cert_path = os.path.join(AUTH_DIR, cert_file) + cert = None + + if os.path.isfile(cert_path): + if not os.access(cert_path, os.R_OK): + run(f'sudo chmod 644 {cert_path}') + + with open(cert_path, 'r') as f: + cert_data = f.read() + cert = load_certificate(cert_data, wrap_tags=False) + + if cert: + cert_pem = encode_certificate(cert) + config.set(pki_base + ['certificate', pki_name, 'certificate'], value=wrapped_pem_to_config_value(cert_pem)) + config.set(x509_base + ['certificate'], value=pki_name) + else: + print(f'Failed to migrate certificate on openvpn interface {interface}') + + config.delete(x509_base + ['cert-file']) + + if config.exists(x509_base + ['key-file']): + key_file = config.return_value(x509_base + ['key-file']) + key_path = os.path.join(AUTH_DIR, key_file) + key = None + + if os.path.isfile(key_path): + if not os.access(key_path, os.R_OK): + run(f'sudo chmod 644 {key_path}') + + with open(key_path, 'r') as f: + key_data = f.read() + key = load_private_key(key_data, passphrase=None, wrap_tags=False) + + if key: + key_pem = encode_private_key(key, passphrase=None) + config.set(pki_base + ['certificate', pki_name, 'private', 'key'], value=wrapped_pem_to_config_value(key_pem)) + else: + print(f'Failed to migrate private key on openvpn interface {interface}') + + config.delete(x509_base + ['key-file']) + + if config.exists(x509_base + ['dh-file']): + if not config.exists(pki_base + ['dh']): + config.set(pki_base + ['dh']) + 
config.set_tag(pki_base + ['dh']) + + dh_file = config.return_value(x509_base + ['dh-file']) + dh_path = os.path.join(AUTH_DIR, dh_file) + dh = None + + if os.path.isfile(dh_path): + if not os.access(dh_path, os.R_OK): + run(f'sudo chmod 644 {dh_path}') + + with open(dh_path, 'r') as f: + dh_data = f.read() + dh = load_dh_parameters(dh_data, wrap_tags=False) + + if dh: + dh_pem = encode_dh_parameters(dh) + config.set(pki_base + ['dh', pki_name, 'parameters'], value=wrapped_pem_to_config_value(dh_pem)) + config.set(x509_base + ['dh-params'], value=pki_name) + else: + print(f'Failed to migrate DH parameters on openvpn interface {interface}') + + config.delete(x509_base + ['dh-file']) + +# Wireguard +base = ['interfaces', 'wireguard'] + +if config.exists(base): + for interface in config.list_nodes(base): + private_key_path = base + [interface, 'private-key'] + + key_file = 'default' + if config.exists(private_key_path): + key_file = config.return_value(private_key_path) + + full_key_path = f'/config/auth/wireguard/{key_file}/private.key' + + if not os.path.exists(full_key_path): + print(f'Could not find wireguard private key for migration on interface "{interface}"') + continue + + with open(full_key_path, 'r') as f: + key_data = f.read().strip() + config.set(private_key_path, value=key_data) + + for peer in config.list_nodes(base + [interface, 'peer']): + config.rename(base + [interface, 'peer', peer, 'pubkey'], 'public-key') + +# Ethernet EAPoL +base = ['interfaces', 'ethernet'] + +if config.exists(base): + for interface in config.list_nodes(base): + if not config.exists(base + [interface, 'eapol']): + continue + + x509_base = base + [interface, 'eapol'] + pki_name = f'eapol_{interface}' + + if config.exists(x509_base + ['ca-cert-file']): + if not config.exists(pki_base + ['ca']): + config.set(pki_base + ['ca']) + config.set_tag(pki_base + ['ca']) + + cert_file = config.return_value(x509_base + ['ca-cert-file']) + cert_path = os.path.join(AUTH_DIR, cert_file) + cert 
= None + + if os.path.isfile(cert_path): + if not os.access(cert_path, os.R_OK): + run(f'sudo chmod 644 {cert_path}') + + with open(cert_path, 'r') as f: + cert_data = f.read() + cert = load_certificate(cert_data, wrap_tags=False) + + if cert: + cert_pem = encode_certificate(cert) + config.set(pki_base + ['ca', pki_name, 'certificate'], value=wrapped_pem_to_config_value(cert_pem)) + config.set(x509_base + ['ca-certificate'], value=pki_name) + else: + print(f'Failed to migrate CA certificate on eapol config for interface {interface}') + + config.delete(x509_base + ['ca-cert-file']) + + if config.exists(x509_base + ['cert-file']): + if not config.exists(pki_base + ['certificate']): + config.set(pki_base + ['certificate']) + config.set_tag(pki_base + ['certificate']) + + cert_file = config.return_value(x509_base + ['cert-file']) + cert_path = os.path.join(AUTH_DIR, cert_file) + cert = None + + if os.path.isfile(cert_path): + if not os.access(cert_path, os.R_OK): + run(f'sudo chmod 644 {cert_path}') + + with open(cert_path, 'r') as f: + cert_data = f.read() + cert = load_certificate(cert_data, wrap_tags=False) + + if cert: + cert_pem = encode_certificate(cert) + config.set(pki_base + ['certificate', pki_name, 'certificate'], value=wrapped_pem_to_config_value(cert_pem)) + config.set(x509_base + ['certificate'], value=pki_name) + else: + print(f'Failed to migrate certificate on eapol config for interface {interface}') + + config.delete(x509_base + ['cert-file']) + + if config.exists(x509_base + ['key-file']): + key_file = config.return_value(x509_base + ['key-file']) + key_path = os.path.join(AUTH_DIR, key_file) + key = None + + if os.path.isfile(key_path): + if not os.access(key_path, os.R_OK): + run(f'sudo chmod 644 {key_path}') + + with open(key_path, 'r') as f: + key_data = f.read() + key = load_private_key(key_data, passphrase=None, wrap_tags=False) + + if key: + key_pem = encode_private_key(key, passphrase=None) + config.set(pki_base + ['certificate', pki_name, 
'private', 'key'], value=wrapped_pem_to_config_value(key_pem)) + else: + print(f'Failed to migrate private key on eapol config for interface {interface}') + + config.delete(x509_base + ['key-file']) + +try: + with open(file_name, 'w') as f: + f.write(config.to_string()) +except OSError as e: + print("Failed to save the modified config: {}".format(e)) + sys.exit(1) diff --git a/src/migration-scripts/interfaces/5-to-6 b/src/migration-scripts/interfaces/5-to-6 index 1291751d8..ae79c1d1b 100755 --- a/src/migration-scripts/interfaces/5-to-6 +++ b/src/migration-scripts/interfaces/5-to-6 @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2020 VyOS maintainers and contributors +# Copyright (C) 2020-2021 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -55,6 +55,16 @@ def copy_rtradv(c, old_base, interface): min_max = interval.split('-')[0] c.set(new_base + ['interval', min_max], value=tmp) + # cleanup boolean nodes in individual route + route_base = new_base + ['route'] + if c.exists(route_base): + for route in config.list_nodes(route_base): + if c.exists(route_base + [route, 'remove-route']): + tmp = c.return_value(route_base + [route, 'remove-route']) + c.delete(route_base + [route, 'remove-route']) + if tmp == 'false': + c.set(route_base + [route, 'no-remove-route']) + # cleanup boolean nodes in individual prefix prefix_base = new_base + ['prefix'] if c.exists(prefix_base): diff --git a/src/migration-scripts/ipsec/4-to-5 b/src/migration-scripts/ipsec/4-to-5 index b64aa8462..4e959a7bf 100755 --- a/src/migration-scripts/ipsec/4-to-5 +++ b/src/migration-scripts/ipsec/4-to-5 
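Review bot: Every file read in this script — `read_file_for_pki` and the inlined copies for `ca-cert-file`, `crl-file`, `cert-file`, `key-file`, `dh-file` and the EAPoL branches — makes an unreadable file world-readable with `run(f'sudo chmod 644 {path}')` and never restores the mode, so after migration the OpenVPN and EAPoL private keys and TLS auth/crypt secrets under `/config/auth` are left at 0644 for every local account. Either read with elevated privileges instead (`cmd(f'sudo cat ...')` — `cmd` is exported by `vyos.util`, as the deleted `vyos-bridge-sync.py` import shows, though its return value is not visible here), or remember and restore the original mode as sketched below, and route the inlined copies through the helper so the fix lands once. The path is also interpolated unquoted into the shell string; whether that matters depends on how `vyos.util.run` executes it, which is not visible here, but `shlex.quote` is cheap insurance. Separately, `load_private_key(key_data, passphrase=None, ...)` means a passphrase-protected key surfaces only as `Failed to migrate private key`, so the message could mention that encrypted keys are not supported.
```python
def read_file_for_pki(config_auth_path):
    full_path = os.path.join(AUTH_DIR, config_auth_path)
    if not os.path.isfile(full_path):
        return None

    # Key material may be root-only (0600). Temporarily widen the mode to
    # read it, but put the original mode back so private keys are not left
    # world-readable once the migration has finished.
    old_mode = None
    if not os.access(full_path, os.R_OK):
        old_mode = os.stat(full_path).st_mode & 0o777
        run(f'sudo chmod 644 {full_path}')

    try:
        with open(full_path, 'r') as f:
            return f.read()
    finally:
        if old_mode is not None:
            run(f'sudo chmod {old_mode:o} {full_path}')

# … unchanged: OpenVPN / WireGuard / EAPoL branches; each inlined chmod+open() should call read_file_for_pki() instead …
```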
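Review bot: `for route in config.list_nodes(route_base):` inside `copy_rtradv(c, old_base, interface)` uses the module-level name `config` instead of the function's `c` parameter, unlike the surrounding `c.exists`/`c.return_value`/`c.delete` calls; it presumably only works because the script's main section binds a global `config`, and it breaks (or silently reads the wrong tree) if the helper is ever called with a different `ConfigTree`. Change it to `for route in c.list_nodes(route_base):`. `copy_rtradv` itself starts outside this hunk.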
@@ -1,4 +1,18 @@ #!/usr/bin/env python3 +# +# Copyright (C) 2019 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. # log-modes have changed, keyword all to any diff --git a/src/migration-scripts/ipsec/5-to-6 b/src/migration-scripts/ipsec/5-to-6 new file mode 100755 index 000000000..e9adee01b --- /dev/null +++ b/src/migration-scripts/ipsec/5-to-6 
@@ -0,0 +1,93 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2021 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+# Remove deprecated strongSwan options from VyOS CLI
+# - vpn ipsec nat-traversal enable
+# - vpn ipsec nat-networks allowed-network
+
+from sys import argv
+from sys import exit
+
+from vyos.configtree import ConfigTree
+
+if (len(argv) < 1):
+ print("Must specify file name!")
+ exit(1)
+
+file_name = argv[1]
+
+with open(file_name, 'r') as f:
+ config_file = f.read()
+
+base = ['vpn', 'ipsec']
+config = ConfigTree(config_file)
+
+if not config.exists(base):
+ # Nothing to do
+ exit(0)
+
+# Delete CLI nodes whose config options got removed by strongSwan
+for cli_node in ['nat-traversal', 'nat-networks']:
+ if config.exists(base + [cli_node]):
+ config.delete(base + [cli_node])
+
+# Remove options only valid in Openswan
+if config.exists(base + ['site-to-site', 'peer']):
+ for peer in config.list_nodes(base + ['site-to-site', 'peer']):
+ if not config.exists(base + ['site-to-site', 'peer', peer, 'tunnel']):
+ continue
+ for tunnel in config.list_nodes(base + ['site-to-site', 'peer', peer, 'tunnel']):
+ # allow-public-networks - Sets a value in ipsec.conf that was only ever valid in Openswan on kernel 2.6
+ nat_networks = base + ['site-to-site', 'peer', peer, 'tunnel', tunnel, 'allow-nat-networks']
+ if config.exists(nat_networks):
+ config.delete(nat_networks)
+
+ # allow-nat-networks
- Also sets a value only valid in Openswan
+ public_networks = base + ['site-to-site', 'peer', peer, 'tunnel', tunnel, 'allow-public-networks']
+ if config.exists(public_networks):
+ config.delete(public_networks)
+
+# Rename "logging log-level" and "logging log-modes" to something more human friendly
+log = base + ['logging']
+if config.exists(log):
+ config.rename(log, 'log')
+ log = base + ['log']
+
+log_level = log + ['log-level']
+if config.exists(log_level):
+ config.rename(log_level, 'level')
+
+log_mode = log + ['log-modes']
+if config.exists(log_mode):
+ config.rename(log_mode, 'subsystem')
+
+# Rename "ipsec-interfaces interface" to "interface"
+base_interfaces = base + ['ipsec-interfaces', 'interface']
+if config.exists(base_interfaces):
+ config.copy(base_interfaces, base + ['interface'])
+ config.delete(base_interfaces)
+
+# Remove deprecated "auto-update" option
+tmp = base + ['auto-update']
+if config.exists(tmp):
+ config.delete(tmp)
+
+try:
+ with open(file_name, 'w') as f:
+ f.write(config.to_string())
+except OSError as e:
+ print(f'Failed to save the modified config: {e}')
+ exit(1)
diff --git a/src/migration-scripts/ipsec/6-to-7 b/src/migration-scripts/ipsec/6-to-7
new file mode 100755
index 000000000..788a87095
--- /dev/null
+++ b/src/migration-scripts/ipsec/6-to-7
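Review bot: The argument check `if (len(argv) < 1):` can never be true, because argv always holds at least the script name, so a missing file name reaches `file_name = argv[1]` and dies with an IndexError instead of the intended message; it should be `if (len(argv) < 2):`, as the quagga migrators in this commit already write it. The same off-by-one appears in ipsec/6-to-7, ipsec/7-to-8, l2tp/3-to-4, openconnect/0-to-1 and policy/0-to-1. Separately, the two comments in the tunnel loop are swapped: `# allow-public-networks - Sets a value in ipsec.conf ...` sits above the `allow-nat-networks` deletion and `# allow-nat-networks - Also sets a value ...` above the `allow-public-networks` one, so each should be moved to the node it actually describes.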
@@ -0,0 +1,169 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2021 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +# Migrate /config/auth certificates and keys into PKI configuration + +import os + +from sys import argv +from sys import exit + +from vyos.configtree import ConfigTree +from vyos.pki import load_certificate +from vyos.pki import load_crl +from vyos.pki import load_private_key +from vyos.pki import encode_certificate +from vyos.pki import encode_private_key +from vyos.util import run + +if (len(argv) < 1): + print("Must specify file name!") + exit(1) + +file_name = argv[1] + +with open(file_name, 'r') as f: + config_file = f.read() + +pki_base = ['pki'] +ipsec_site_base = ['vpn', 'ipsec', 'site-to-site', 'peer'] + +config = ConfigTree(config_file) +changes_made = False + +AUTH_DIR = '/config/auth' + +def wrapped_pem_to_config_value(pem): + return "".join(pem.strip().split("\n")[1:-1]) + +if config.exists(ipsec_site_base): + config.set(pki_base + ['ca']) + config.set_tag(pki_base + ['ca']) + + config.set(pki_base + ['certificate']) + config.set_tag(pki_base + ['certificate']) + + for peer in config.list_nodes(ipsec_site_base): + if not config.exists(ipsec_site_base + [peer, 'authentication', 'x509']): + continue + + changes_made = True + + peer_x509_base = ipsec_site_base + [peer, 'authentication', 'x509'] + pki_name = 'peer_' + peer.replace(".", "-") + + if 
config.exists(peer_x509_base + ['cert-file']): + cert_file = config.return_value(peer_x509_base + ['cert-file']) + cert_path = os.path.join(AUTH_DIR, cert_file) + cert = None + + if os.path.isfile(cert_path): + if not os.access(cert_path, os.R_OK): + run(f'sudo chmod 644 {cert_path}') + + with open(cert_path, 'r') as f: + cert_data = f.read() + cert = load_certificate(cert_data, wrap_tags=False) + + if cert: + cert_pem = encode_certificate(cert) + config.set(pki_base + ['certificate', pki_name, 'certificate'], value=wrapped_pem_to_config_value(cert_pem)) + config.set(peer_x509_base + ['certificate'], value=pki_name) + else: + print(f'Failed to migrate certificate on peer "{peer}"') + + config.delete(peer_x509_base + ['cert-file']) + + if config.exists(peer_x509_base + ['ca-cert-file']): + ca_cert_file = config.return_value(peer_x509_base + ['ca-cert-file']) + ca_cert_path = os.path.join(AUTH_DIR, ca_cert_file) + ca_cert = None + + if os.path.isfile(ca_cert_path): + if not os.access(ca_cert_path, os.R_OK): + run(f'sudo chmod 644 {ca_cert_path}') + + with open(ca_cert_path, 'r') as f: + ca_cert_data = f.read() + ca_cert = load_certificate(ca_cert_data, wrap_tags=False) + + if ca_cert: + ca_cert_pem = encode_certificate(ca_cert) + config.set(pki_base + ['ca', pki_name, 'certificate'], value=wrapped_pem_to_config_value(ca_cert_pem)) + config.set(peer_x509_base + ['ca-certificate'], value=pki_name) + else: + print(f'Failed to migrate CA certificate on peer "{peer}"') + + config.delete(peer_x509_base + ['ca-cert-file']) + + if config.exists(peer_x509_base + ['crl-file']): + crl_file = config.return_value(peer_x509_base + ['crl-file']) + crl_path = os.path.join(AUTH_DIR, crl_file) + crl = None + + if os.path.isfile(crl_path): + if not os.access(crl_path, os.R_OK): + run(f'sudo chmod 644 {crl_path}') + + with open(crl_path, 'r') as f: + crl_data = f.read() + crl = load_crl(crl_data, wrap_tags=False) + + if crl: + crl_pem = encode_certificate(crl) + config.set(pki_base + 
['ca', pki_name, 'crl'], value=wrapped_pem_to_config_value(crl_pem)) + else: + print(f'Failed to migrate CRL on peer "{peer}"') + + config.delete(peer_x509_base + ['crl-file']) + + if config.exists(peer_x509_base + ['key', 'file']): + key_file = config.return_value(peer_x509_base + ['key', 'file']) + key_passphrase = None + + if config.exists(peer_x509_base + ['key', 'password']): + key_passphrase = config.return_value(peer_x509_base + ['key', 'password']) + + key_path = os.path.join(AUTH_DIR, key_file) + key = None + + if os.path.isfile(key_path): + if not os.access(key_path, os.R_OK): + run(f'sudo chmod 644 {key_path}') + + with open(key_path, 'r') as f: + key_data = f.read() + key = load_private_key(key_data, passphrase=key_passphrase, wrap_tags=False) + + if key: + key_pem = encode_private_key(key, passphrase=key_passphrase) + config.set(pki_base + ['certificate', pki_name, 'private', 'key'], value=wrapped_pem_to_config_value(key_pem)) + + if key_passphrase: + config.set(pki_base + ['certificate', pki_name, 'private', 'password-protected']) + config.set(peer_x509_base + ['private-key-passphrase'], value=key_passphrase) + else: + print(f'Failed to migrate private key on peer "{peer}"') + + config.delete(peer_x509_base + ['key']) + +if changes_made: + try: + with open(file_name, 'w') as f: + f.write(config.to_string()) + except OSError as e: + print("Failed to save the modified config: {}".format(e)) + sys.exit(1) diff --git a/src/migration-scripts/ipsec/7-to-8 b/src/migration-scripts/ipsec/7-to-8 new file mode 100755 index 000000000..5d48b2875 --- /dev/null +++ b/src/migration-scripts/ipsec/7-to-8 
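Review bot: The save-failure branch calls `sys.exit(1)` but the script only does `from sys import exit`, so an OSError while writing the config turns into a NameError; use the imported `exit(1)` as the other scripts do (ipsec/7-to-8 has the same mistake). `run(f'sudo chmod 644 {key_path}')` also leaves the peer's private key world-readable on disk after the migration, and the file name taken from the config is interpolated unquoted into a shell command; once the key has been imported into the config tree the original mode should be restored, and the path should go through `shlex.quote()` if a shell invocation is kept — l2tp/3-to-4 and openconnect/0-to-1 share this pattern. Finally, when a load fails the script prints a message but still runs `config.delete(peer_x509_base + ['key'])` (and the cert/CA/CRL counterparts) and exits 0, so the resulting config references neither the old file nor a PKI entry; keeping the old node or exiting non-zero would make the failure visible to the operator.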
@@ -0,0 +1,125 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2021 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +# Migrate rsa keys into PKI configuration + +import base64 +import os +import struct + +from cryptography.hazmat.primitives.asymmetric import rsa + +from sys import argv +from sys import exit + +from vyos.configtree import ConfigTree +from vyos.pki import load_public_key +from vyos.pki import load_private_key +from vyos.pki import encode_public_key +from vyos.pki import encode_private_key + +if (len(argv) < 1): + print("Must specify file name!") + exit(1) + +file_name = argv[1] + +with open(file_name, 'r') as f: + config_file = f.read() + +pki_base = ['pki'] +ipsec_site_base = ['vpn', 'ipsec', 'site-to-site', 'peer'] +rsa_keys_base = ['vpn', 'rsa-keys'] + +config = ConfigTree(config_file) + +LOCAL_KEY_PATHS = ['/config/auth/', '/config/ipsec.d/rsa-keys/'] + +def migrate_from_vyatta_key(data): + data = base64.b64decode(data[2:]) + length = struct.unpack('B', data[:1])[0] + e = int.from_bytes(data[1:1+length], 'big') + n = int.from_bytes(data[1+length:], 'big') + public_numbers = rsa.RSAPublicNumbers(e, n) + return public_numbers.public_key() + +def wrapped_pem_to_config_value(pem): + return "".join(pem.strip().split("\n")[1:-1]) + +local_key_name = 'localhost' + +if config.exists(rsa_keys_base): + if not config.exists(pki_base + ['key-pair']): + config.set(pki_base + ['key-pair']) + 
config.set_tag(pki_base + ['key-pair']) + + if config.exists(rsa_keys_base + ['local-key', 'file']): + local_file = config.return_value(rsa_keys_base + ['local-key', 'file']) + local_path = None + local_key = None + + for path in LOCAL_KEY_PATHS: + full_path = os.path.join(path, local_file) + if os.path.exists(full_path): + local_path = full_path + break + + if local_path: + with open(local_path, 'r') as f: + local_key_data = f.read() + local_key = load_private_key(local_key_data, wrap_tags=False) + + if local_key: + local_key_pem = encode_private_key(local_key) + config.set(pki_base + ['key-pair', local_key_name, 'private', 'key'], value=wrapped_pem_to_config_value(local_key_pem)) + else: + print('Failed to migrate local RSA key') + + if config.exists(rsa_keys_base + ['rsa-key-name']): + for rsa_name in config.list_nodes(rsa_keys_base + ['rsa-key-name']): + if not config.exists(rsa_keys_base + ['rsa-key-name', rsa_name, 'rsa-key']): + continue + + vyatta_key = config.return_value(rsa_keys_base + ['rsa-key-name', rsa_name, 'rsa-key']) + public_key = migrate_from_vyatta_key(vyatta_key) + + if public_key: + public_key_pem = encode_public_key(public_key) + config.set(pki_base + ['key-pair', rsa_name, 'public', 'key'], value=wrapped_pem_to_config_value(public_key_pem)) + else: + print(f'Failed to migrate rsa-key "{rsa_name}"') + + config.delete(rsa_keys_base) + +if config.exists(ipsec_site_base): + for peer in config.list_nodes(ipsec_site_base): + mode = config.return_value(ipsec_site_base + [peer, 'authentication', 'mode']) + + if mode != 'rsa': + continue + + config.set(ipsec_site_base + [peer, 'authentication', 'rsa', 'local-key'], value=local_key_name) + + remote_key_name = config.return_value(ipsec_site_base + [peer, 'authentication', 'rsa-key-name']) + config.set(ipsec_site_base + [peer, 'authentication', 'rsa', 'remote-key'], value=remote_key_name) + config.delete(ipsec_site_base + [peer, 'authentication', 'rsa-key-name']) + +try: + with open(file_name, 'w') as 
f: + f.write(config.to_string()) +except OSError as e: + print("Failed to save the modified config: {}".format(e)) + sys.exit(1) diff --git a/src/migration-scripts/l2tp/3-to-4 b/src/migration-scripts/l2tp/3-to-4 new file mode 100755 index 000000000..18eabadec --- /dev/null +++ b/src/migration-scripts/l2tp/3-to-4 
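Review bot: `migrate_from_vyatta_key` has no error path — `base64.b64decode`, `struct.unpack` and `rsa.RSAPublicNumbers(e, n).public_key()` all raise on a malformed `rsa-key` value and abort the whole migration — so the `if public_key:` / `else: print(...)` branch below it can never take the else side; wrapping the call as `try: public_key = migrate_from_vyatta_key(vyatta_key)` / `except (ValueError, struct.error): public_key = None` would report a bad key like the local-key failure and let the remaining names migrate. In the peer loop, `config.return_value(ipsec_site_base + [peer, 'authentication', 'rsa-key-name'])` is read without an `exists` check, and `local-key` is pointed at `localhost` even when the local RSA key migration printed a failure, so a peer can end up referencing key-pair entries that were never created. Whether `return_value` raises or returns None on a missing node is not visible here; either way the following `config.delete` should be guarded.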
@@ -0,0 +1,169 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2021 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +# - remove primary/secondary identifier from nameserver +# - TODO: remove radius server req-limit + +import os + +from sys import argv +from sys import exit +from vyos.configtree import ConfigTree +from vyos.pki import load_certificate +from vyos.pki import load_crl +from vyos.pki import load_private_key +from vyos.pki import encode_certificate +from vyos.pki import encode_private_key +from vyos.util import run + +if (len(argv) < 1): + print("Must specify file name!") + exit(1) + +file_name = argv[1] + +with open(file_name, 'r') as f: + config_file = f.read() + +config = ConfigTree(config_file) +base = ['vpn', 'l2tp', 'remote-access', 'ipsec-settings'] +pki_base = ['pki'] + +if not config.exists(base): + exit(0) + +AUTH_DIR = '/config/auth' + +def wrapped_pem_to_config_value(pem): + return "".join(pem.strip().split("\n")[1:-1]) + +if not config.exists(base + ['authentication', 'x509']): + exit(0) + +x509_base = base + ['authentication', 'x509'] +pki_name = 'l2tp_remote_access' + +if not config.exists(pki_base + ['ca']): + config.set(pki_base + ['ca']) + config.set_tag(pki_base + ['ca']) + +if not config.exists(pki_base + ['certificate']): + config.set(pki_base + ['certificate']) + config.set_tag(pki_base + ['certificate']) + +if config.exists(x509_base + ['ca-cert-file']): + 
cert_file = config.return_value(x509_base + ['ca-cert-file']) + cert_path = os.path.join(AUTH_DIR, cert_file) + cert = None + + if os.path.isfile(cert_path): + if not os.access(cert_path, os.R_OK): + run(f'sudo chmod 644 {cert_path}') + + with open(cert_path, 'r') as f: + cert_data = f.read() + cert = load_certificate(cert_data, wrap_tags=False) + + if cert: + cert_pem = encode_certificate(cert) + config.set(pki_base + ['ca', pki_name, 'certificate'], value=wrapped_pem_to_config_value(cert_pem)) + config.set(x509_base + ['ca-certificate'], value=pki_name) + else: + print(f'Failed to migrate CA certificate on l2tp remote-access config') + + config.delete(x509_base + ['ca-cert-file']) + +if config.exists(x509_base + ['crl-file']): + crl_file = config.return_value(x509_base + ['crl-file']) + crl_path = os.path.join(AUTH_DIR, crl_file) + crl = None + + if os.path.isfile(crl_path): + if not os.access(crl_path, os.R_OK): + run(f'sudo chmod 644 {crl_path}') + + with open(crl_path, 'r') as f: + crl_data = f.read() + crl = load_certificate(crl_data, wrap_tags=False) + + if crl: + crl_pem = encode_certificate(crl) + config.set(pki_base + ['ca', pki_name, 'crl'], value=wrapped_pem_to_config_value(crl_pem)) + else: + print(f'Failed to migrate CRL on l2tp remote-access config') + + config.delete(x509_base + ['crl-file']) + +if config.exists(x509_base + ['server-cert-file']): + cert_file = config.return_value(x509_base + ['server-cert-file']) + cert_path = os.path.join(AUTH_DIR, cert_file) + cert = None + + if os.path.isfile(cert_path): + if not os.access(cert_path, os.R_OK): + run(f'sudo chmod 644 {cert_path}') + + with open(cert_path, 'r') as f: + cert_data = f.read() + cert = load_certificate(cert_data, wrap_tags=False) + + if cert: + cert_pem = encode_certificate(cert) + config.set(pki_base + ['certificate', pki_name, 'certificate'], value=wrapped_pem_to_config_value(cert_pem)) + config.set(x509_base + ['certificate'], value=pki_name) + else: + print(f'Failed to migrate 
certificate on l2tp remote-access config') + + config.delete(x509_base + ['server-cert-file']) + +if config.exists(x509_base + ['server-key-file']): + key_file = config.return_value(x509_base + ['server-key-file']) + key_passphrase = None + + if config.exists(x509_base + ['server-key-password']): + key_passphrase = config.return_value(x509_base + ['server-key-password']) + + key_path = os.path.join(AUTH_DIR, key_file) + key = None + + if os.path.isfile(key_path): + if not os.access(key_path, os.R_OK): + run(f'sudo chmod 644 {key_path}') + + with open(key_path, 'r') as f: + key_data = f.read() + key = load_private_key(key_data, passphrase=key_passphrase, wrap_tags=False) + + if key: + key_pem = encode_private_key(key, passphrase=key_passphrase) + config.set(pki_base + ['certificate', pki_name, 'private', 'key'], value=wrapped_pem_to_config_value(key_pem)) + + if key_passphrase: + config.set(pki_base + ['certificate', pki_name, 'private', 'password-protected']) + config.set(x509_base + ['private-key-passphrase'], value=key_passphrase) + else: + print(f'Failed to migrate private key on l2tp remote-access config') + + config.delete(x509_base + ['server-key-file']) + if config.exists(x509_base + ['server-key-password']): + config.delete(x509_base + ['server-key-password']) + +try: + with open(file_name, 'w') as f: + f.write(config.to_string()) +except OSError as e: + print("Failed to save the modified config: {}".format(e)) + exit(1) diff --git a/src/migration-scripts/openconnect/0-to-1 b/src/migration-scripts/openconnect/0-to-1 new file mode 100755 index 000000000..83cd09143 --- /dev/null +++ b/src/migration-scripts/openconnect/0-to-1 
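Review bot: The `crl-file` branch parses the CRL with `crl = load_certificate(crl_data, wrap_tags=False)` although `load_crl` is imported for exactly this purpose and ipsec/6-to-7 uses it; a PEM CRL is not an X.509 certificate, so the load presumably fails, the failure is printed, and `config.delete(x509_base + ['crl-file'])` then drops the only reference to the CRL. Change it to `crl = load_crl(crl_data, wrap_tags=False)`. The header comment `# - remove primary/secondary identifier from nameserver` / `# - TODO: remove radius server req-limit` describes a different migration than this file performs; replace it with a line such as `# - Migrate /config/auth x509 files of l2tp remote-access ipsec-settings into the PKI configuration`.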
@@ -0,0 +1,136 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2021 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +# - Update SSL to use PKI configuration + +import os + +from sys import argv +from sys import exit +from vyos.configtree import ConfigTree +from vyos.pki import load_certificate +from vyos.pki import load_crl +from vyos.pki import load_private_key +from vyos.pki import encode_certificate +from vyos.pki import encode_private_key +from vyos.util import run + +if (len(argv) < 1): + print("Must specify file name!") + exit(1) + +file_name = argv[1] + +with open(file_name, 'r') as f: + config_file = f.read() + +config = ConfigTree(config_file) +base = ['vpn', 'openconnect'] +pki_base = ['pki'] + +if not config.exists(base): + exit(0) + +AUTH_DIR = '/config/auth' + +def wrapped_pem_to_config_value(pem): + return "".join(pem.strip().split("\n")[1:-1]) + +if not config.exists(base + ['ssl']): + exit(0) + +x509_base = base + ['ssl'] +pki_name = 'openconnect' + +if not config.exists(pki_base + ['ca']): + config.set(pki_base + ['ca']) + config.set_tag(pki_base + ['ca']) + +if not config.exists(pki_base + ['certificate']): + config.set(pki_base + ['certificate']) + config.set_tag(pki_base + ['certificate']) + +if config.exists(x509_base + ['ca-cert-file']): + cert_file = config.return_value(x509_base + ['ca-cert-file']) + cert_path = os.path.join(AUTH_DIR, cert_file) + cert = None + + if 
os.path.isfile(cert_path): + if not os.access(cert_path, os.R_OK): + run(f'sudo chmod 644 {cert_path}') + + with open(cert_path, 'r') as f: + cert_data = f.read() + cert = load_certificate(cert_data, wrap_tags=False) + + if cert: + cert_pem = encode_certificate(cert) + config.set(pki_base + ['ca', pki_name, 'certificate'], value=wrapped_pem_to_config_value(cert_pem)) + config.set(x509_base + ['ca-certificate'], value=pki_name) + else: + print(f'Failed to migrate CA certificate on openconnect config') + + config.delete(x509_base + ['ca-cert-file']) + +if config.exists(x509_base + ['cert-file']): + cert_file = config.return_value(x509_base + ['cert-file']) + cert_path = os.path.join(AUTH_DIR, cert_file) + cert = None + + if os.path.isfile(cert_path): + if not os.access(cert_path, os.R_OK): + run(f'sudo chmod 644 {cert_path}') + + with open(cert_path, 'r') as f: + cert_data = f.read() + cert = load_certificate(cert_data, wrap_tags=False) + + if cert: + cert_pem = encode_certificate(cert) + config.set(pki_base + ['certificate', pki_name, 'certificate'], value=wrapped_pem_to_config_value(cert_pem)) + config.set(x509_base + ['certificate'], value=pki_name) + else: + print(f'Failed to migrate certificate on openconnect config') + + config.delete(x509_base + ['cert-file']) + +if config.exists(x509_base + ['key-file']): + key_file = config.return_value(x509_base + ['key-file']) + key_path = os.path.join(AUTH_DIR, key_file) + key = None + + if os.path.isfile(key_path): + if not os.access(key_path, os.R_OK): + run(f'sudo chmod 644 {key_path}') + + with open(key_path, 'r') as f: + key_data = f.read() + key = load_private_key(key_data, passphrase=None, wrap_tags=False) + + if key: + key_pem = encode_private_key(key, passphrase=None) + config.set(pki_base + ['certificate', pki_name, 'private', 'key'], value=wrapped_pem_to_config_value(key_pem)) + else: + print(f'Failed to migrate private key on openconnect config') + + config.delete(x509_base + ['key-file']) + +try: + with 
open(file_name, 'w') as f: + f.write(config.to_string()) +except OSError as e: + print("Failed to save the modified config: {}".format(e)) + exit(1) diff --git a/src/migration-scripts/policy/0-to-1 b/src/migration-scripts/policy/0-to-1 new file mode 100755 index 000000000..7134920ad --- /dev/null +++ b/src/migration-scripts/policy/0-to-1 
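Review bot: `load_crl` is imported but never used — the script handles `ca-cert-file`, `cert-file` and `key-file` only — so the import should be dropped. The `key-file` branch loads with `passphrase=None` and, on failure, still deletes the `key-file` node, so an encrypted key file would lose its reference; since no password node is read anywhere in this script, that assumption deserves a comment above the load, e.g. `# openconnect ssl never had a key-password node, so the key file is expected to be unencrypted`.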
@@ -0,0 +1,65 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2021 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+# T3631: route-map: migrate "set extcommunity-rt" and "set extcommunity-soo"
+# to "set extcommunity rt|soo" to match FRR syntax
+
+
+from sys import argv
+from sys import exit
+
+from vyos.configtree import ConfigTree
+
+if (len(argv) < 1):
+ print("Must specify file name!")
+ exit(1)
+
+file_name = argv[1]
+
+with open(file_name, 'r') as f:
+ config_file = f.read()
+
+base = ['policy', 'route-map']
+config = ConfigTree(config_file)
+
+if not config.exists(base):
+ # Nothing to do
+ exit(0)
+
+
+for route_map in config.list_nodes(base):
+ if not config.exists(base + [route_map, 'rule']):
+ continue
+ for rule in config.list_nodes(base + [route_map, 'rule']):
+ base_rule = base + [route_map, 'rule', rule]
+
+ if config.exists(base_rule + ['set', 'extcommunity-rt']):
+ tmp = config.return_value(base_rule + ['set', 'extcommunity-rt'])
+ config.delete(base_rule + ['set', 'extcommunity-rt'])
+ config.set(base_rule + ['set', 'extcommunity', 'rt'], value=tmp)
+
+
+ if config.exists(base_rule + ['set', 'extcommunity-soo']):
+ tmp = config.return_value(base_rule + ['set', 'extcommunity-soo'])
+ config.delete(base_rule + ['set', 'extcommunity-soo'])
+ config.set(base_rule + ['set', 'extcommunity', 'soo'], value=tmp)
+
+try:
+ with open(file_name, 'w') as f:
+ f.write(config.to_string())
+except OSError as e:
+ print(f'Failed to save the modified config: {e}')
+ exit(1)
diff --git a/src/migration-scripts/quagga/7-to-8 b/src/migration-scripts/quagga/7-to-8
index 9c277a6f1..15c44924f 100755
--- a/src/migration-scripts/quagga/7-to-8
+++ b/src/migration-scripts/quagga/7-to-8
@@ -14,61 +14,14 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. -# - T2450: drop interface-route and interface-route6 from "protocols static" +# - T3391: Migrate "maximum-paths" setting from "protocols bgp asn maximum-paths" +# under the IPv4 address-family tree. Reason is we currently have no way in +# configuring this for IPv6 address-family. This mimics the FRR configuration. from sys import argv from sys import exit - from vyos.configtree import ConfigTree -def migrate_interface_route(config, base, path, route_route6): - """ Generic migration function which can be called on every instance of - interface-route, beeing it ipv4, ipv6 or nested under the "static table" nodes. - - What we do? - - Drop 'interface-route' or 'interface-route6' and migrate the route unter the - 'route' or 'route6' tag node. - """ - if config.exists(base + path): - for route in config.list_nodes(base + path): - interface = config.list_nodes(base + path + [route, 'next-hop-interface']) - - tmp = base + path + [route, 'next-hop-interface'] - for interface in config.list_nodes(tmp): - new_base = base + [route_route6, route, 'interface'] - config.set(new_base) - config.set_tag(base + [route_route6]) - config.set_tag(new_base) - config.copy(tmp + [interface], new_base + [interface]) - - config.delete(base + path) - -def migrate_route(config, base, path, route_route6): - """ Generic migration function which can be called on every instance of - route, beeing it ipv4, ipv6 or even nested under the static table nodes. - - What we do? 
- - for consistency reasons rename next-hop-interface to interface - - for consistency reasons rename next-hop-vrf to vrf - """ - if config.exists(base + path): - for route in config.list_nodes(base + path): - next_hop = base + path + [route, 'next-hop'] - if config.exists(next_hop): - for gateway in config.list_nodes(next_hop): - # IPv4 routes calls it next-hop-interface, rename this to - # interface instead so it's consitent with IPv6 - interface_path = next_hop + [gateway, 'next-hop-interface'] - if config.exists(interface_path): - config.rename(interface_path, 'interface') - - # When VRFs got introduced, I (c-po) named it next-hop-vrf, - # we can also call it vrf which is simply shorter. - vrf_path = next_hop + [gateway, 'next-hop-vrf'] - if config.exists(vrf_path): - config.rename(vrf_path, 'vrf') - - if (len(argv) < 2): print("Must specify file name!") exit(1) 
@@ -78,41 +31,27 @@ file_name = argv[1] with open(file_name, 'r') as f: config_file = f.read() -base = ['protocols', 'static'] - +base = ['protocols', 'bgp'] config = ConfigTree(config_file) + if not config.exists(base): # Nothing to do exit(0) -# Migrate interface-route into route -migrate_interface_route(config, base, ['interface-route'], 'route') - -# Migrate interface-route6 into route6 -migrate_interface_route(config, base, ['interface-route6'], 'route6') - -# Cleanup nodes inside route -migrate_route(config, base, ['route'], 'route') - -# Cleanup nodes inside route6 -migrate_route(config, base, ['route6'], 'route6') - -# -# PBR table cleanup -table_path = base + ['table'] -if config.exists(table_path): - for table in config.list_nodes(table_path): - # Migrate interface-route into route - migrate_interface_route(config, table_path + [table], ['interface-route'], 'route') - - # Migrate interface-route6 into route6 - migrate_interface_route(config, table_path + [table], ['interface-route6'], 'route6') - - # Cleanup nodes inside route - migrate_route(config, table_path + [table], ['route'], 'route') - - # Cleanup nodes inside route6 - migrate_route(config, table_path + [table], ['route6'], 'route6') +# Check if BGP is actually configured and obtain the ASN +asn_list = config.list_nodes(base) +if asn_list: + # There's always just one BGP node, if any + bgp_base = base + [asn_list[0]] + + maximum_paths = bgp_base + ['maximum-paths'] + if config.exists(maximum_paths): + for bgp_type in ['ebgp', 'ibgp']: + if config.exists(maximum_paths + [bgp_type]): + new_base = bgp_base + ['address-family', 'ipv4-unicast', 'maximum-paths'] + config.set(new_base) + config.copy(maximum_paths + [bgp_type], new_base + [bgp_type]) + config.delete(maximum_paths) try: with open(file_name, 'w') as f: diff --git a/src/migration-scripts/quagga/8-to-9 b/src/migration-scripts/quagga/8-to-9 index 15c44924f..38507bd3d 100755 --- a/src/migration-scripts/quagga/8-to-9 
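Review bot: Inside `for bgp_type in ['ebgp', 'ibgp']:` the target path `new_base = bgp_base + ['address-family', 'ipv4-unicast', 'maximum-paths']` is loop-invariant and is recomputed on every iteration; compute it once right after `maximum_paths = bgp_base + ['maximum-paths']` and keep only `config.set(new_base)` and the `config.copy` inside the loop, so the node is still created only when at least one type is present. The comment `# There's always just one BGP node, if any` is the sole justification for `bgp_base = base + [asn_list[0]]`; if an old config could carry more than one ASN node, the others would silently keep their `maximum-paths`, so a guard such as `if len(asn_list) > 1: print(...)` would make that assumption checkable. The `try:` at the end of the hunk continues outside it.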
+++ b/src/migration-scripts/quagga/8-to-9 
@@ -14,14 +14,76 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
-# - T3391: Migrate "maximum-paths" setting from "protocols bgp asn maximum-paths"
-# under the IPv4 address-family tree. Reason is we currently have no way in
-# configuring this for IPv6 address-family. This mimics the FRR configuration.
+# - T2450: drop interface-route and interface-route6 from "protocols static"
 from sys import argv
 from sys import exit
+
 from vyos.configtree import ConfigTree
+def migrate_interface_route(config, base, path, route_route6):
+ """ Generic migration function which can be called on every instance of
+ interface-route, beeing it ipv4, ipv6 or nested under the "static table" nodes.
+
+ What we do?
+ - Drop 'interface-route' or 'interface-route6' and migrate the route unter the
+ 'route' or 'route6' tag node.
+ """
+ if config.exists(base + path):
+ for route in config.list_nodes(base + path):
+ interface = config.list_nodes(base + path + [route, 'next-hop-interface'])
+
+ tmp = base + path + [route, 'next-hop-interface']
+ for interface in config.list_nodes(tmp):
+ new_base = base + [route_route6, route, 'interface']
+ config.set(new_base)
+ config.set_tag(base + [route_route6])
+ config.set_tag(new_base)
+ config.copy(tmp + [interface], new_base + [interface])
+
+ config.delete(base + path)
+
+def migrate_route(config, base, path, route_route6):
+ """ Generic migration function which can be called on every instance of
+ route, beeing it ipv4, ipv6 or even nested under the static table nodes.
+
+ What we do?
+ - for consistency reasons rename next-hop-interface to interface
+ - for consistency reasons rename next-hop-vrf to vrf
+ """
+ if config.exists(base + path):
+ for route in config.list_nodes(base + path):
+ next_hop = base + path + [route, 'next-hop']
+ if config.exists(next_hop):
+ for gateway in config.list_nodes(next_hop):
+ # IPv4 routes calls it next-hop-interface, rename this to
+ # interface instead so it's consitent with IPv6
+ interface_path = next_hop + [gateway, 'next-hop-interface']
+ if config.exists(interface_path):
+ config.rename(interface_path, 'interface')
+
+ # When VRFs got introduced, I (c-po) named it next-hop-vrf,
+ # we can also call it vrf which is simply shorter.
+ vrf_path = next_hop + [gateway, 'next-hop-vrf']
+ if config.exists(vrf_path):
+ config.rename(vrf_path, 'vrf')
+
+ next_hop = base + path + [route, 'interface']
+ if config.exists(next_hop):
+ for interface in config.list_nodes(next_hop):
+ # IPv4 routes calls it next-hop-interface, rename this to
+ # interface instead so it's consitent with IPv6
+ interface_path = next_hop + [interface, 'next-hop-interface']
+ if config.exists(interface_path):
+ config.rename(interface_path, 'interface')
+
+ # When VRFs got introduced, I (c-po) named it next-hop-vrf,
+ # we can also call it vrf which is simply shorter.
+ vrf_path = next_hop + [interface, 'next-hop-vrf']
+ if config.exists(vrf_path):
+ config.rename(vrf_path, 'vrf')
+
+
 if (len(argv) < 2):
 print("Must specify file name!")
 exit(1)
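Review bot: In `migrate_interface_route` the line `interface = config.list_nodes(base + path + [route, 'next-hop-interface'])` is a dead assignment: its value is never read and the name is rebound by the `for interface in config.list_nodes(tmp)` loop two lines later, so it should be dropped. `config.set_tag(base + [route_route6])` is also re-issued on every interface iteration; hoisting it out of the inner loop (or before the `for route` loop) makes the intent clearer and avoids the repeated calls. The two near-identical blocks in `migrate_route` (one over `next-hop`, one over `interface`) could share a small helper that takes the child path, which would also cover the copy added to vrf/0-to-1 in this diff. The docstrings carry the typos "beeing", "unter" and "consitent".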
@@ -31,27 +93,41 @@ file_name = argv[1]
 with open(file_name, 'r') as f:
 config_file = f.read()
-base = ['protocols', 'bgp']
-config = ConfigTree(config_file)
+base = ['protocols', 'static']
+config = ConfigTree(config_file)
 if not config.exists(base):
 # Nothing to do
 exit(0)
-# Check if BGP is actually configured and obtain the ASN
-asn_list = config.list_nodes(base)
-if asn_list:
- # There's always just one BGP node, if any
- bgp_base = base + [asn_list[0]]
-
- maximum_paths = bgp_base + ['maximum-paths']
- if config.exists(maximum_paths):
- for bgp_type in ['ebgp', 'ibgp']:
- if config.exists(maximum_paths + [bgp_type]):
- new_base = bgp_base + ['address-family', 'ipv4-unicast', 'maximum-paths']
- config.set(new_base)
- config.copy(maximum_paths + [bgp_type], new_base + [bgp_type])
- config.delete(maximum_paths)
+# Migrate interface-route into route
+migrate_interface_route(config, base, ['interface-route'], 'route')
+
+# Migrate interface-route6 into route6
+migrate_interface_route(config, base, ['interface-route6'], 'route6')
+
+# Cleanup nodes inside route
+migrate_route(config, base, ['route'], 'route')
+
+# Cleanup nodes inside route6
+migrate_route(config, base, ['route6'], 'route6')
+
+#
+# PBR table cleanup
+table_path = base + ['table']
+if config.exists(table_path):
+ for table in config.list_nodes(table_path):
+ # Migrate interface-route into route
+ migrate_interface_route(config, table_path + [table], ['interface-route'], 'route')
+
+ # Migrate interface-route6 into route6
+ migrate_interface_route(config, table_path + [table], ['interface-route6'], 'route6')
+
+ # Cleanup nodes inside route
+ migrate_route(config, table_path + [table], ['route'], 'route')
+
+ # Cleanup nodes inside route6
+ migrate_route(config, table_path + [table], ['route6'], 'route6')
 try:
 with open(file_name, 'w') as f:
diff --git a/src/migration-scripts/sstp/3-to-4 b/src/migration-scripts/sstp/3-to-4
new file mode 100755
index 000000000..0568f043f
--- /dev/null
+++ b/src/migration-scripts/sstp/3-to-4 
@@ -0,0 +1,136 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2021 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +# - Update SSL to use PKI configuration + +import os + +from sys import argv +from sys import exit +from vyos.configtree import ConfigTree +from vyos.pki import load_certificate +from vyos.pki import load_crl +from vyos.pki import load_private_key +from vyos.pki import encode_certificate +from vyos.pki import encode_private_key +from vyos.util import run + +if (len(argv) < 1): + print("Must specify file name!") + exit(1) + +file_name = argv[1] + +with open(file_name, 'r') as f: + config_file = f.read() + +config = ConfigTree(config_file) +base = ['vpn', 'sstp'] +pki_base = ['pki'] + +if not config.exists(base): + exit(0) + +AUTH_DIR = '/config/auth' + +def wrapped_pem_to_config_value(pem): + return "".join(pem.strip().split("\n")[1:-1]) + +if not config.exists(base + ['ssl']): + exit(0) + +x509_base = base + ['ssl'] +pki_name = 'sstp' + +if not config.exists(pki_base + ['ca']): + config.set(pki_base + ['ca']) + config.set_tag(pki_base + ['ca']) + +if not config.exists(pki_base + ['certificate']): + config.set(pki_base + ['certificate']) + config.set_tag(pki_base + ['certificate']) + +if config.exists(x509_base + ['ca-cert-file']): + cert_file = config.return_value(x509_base + ['ca-cert-file']) + cert_path = os.path.join(AUTH_DIR, cert_file) + cert = None + + if 
os.path.isfile(cert_path): + if not os.access(cert_path, os.R_OK): + run(f'sudo chmod 644 {cert_path}') + + with open(cert_path, 'r') as f: + cert_data = f.read() + cert = load_certificate(cert_data, wrap_tags=False) + + if cert: + cert_pem = encode_certificate(cert) + config.set(pki_base + ['ca', pki_name, 'certificate'], value=wrapped_pem_to_config_value(cert_pem)) + config.set(x509_base + ['ca-certificate'], value=pki_name) + else: + print(f'Failed to migrate CA certificate on sstp config') + + config.delete(x509_base + ['ca-cert-file']) + +if config.exists(x509_base + ['cert-file']): + cert_file = config.return_value(x509_base + ['cert-file']) + cert_path = os.path.join(AUTH_DIR, cert_file) + cert = None + + if os.path.isfile(cert_path): + if not os.access(cert_path, os.R_OK): + run(f'sudo chmod 644 {cert_path}') + + with open(cert_path, 'r') as f: + cert_data = f.read() + cert = load_certificate(cert_data, wrap_tags=False) + + if cert: + cert_pem = encode_certificate(cert) + config.set(pki_base + ['certificate', pki_name, 'certificate'], value=wrapped_pem_to_config_value(cert_pem)) + config.set(x509_base + ['certificate'], value=pki_name) + else: + print(f'Failed to migrate certificate on sstp config') + + config.delete(x509_base + ['cert-file']) + +if config.exists(x509_base + ['key-file']): + key_file = config.return_value(x509_base + ['key-file']) + key_path = os.path.join(AUTH_DIR, key_file) + key = None + + if os.path.isfile(key_path): + if not os.access(key_path, os.R_OK): + run(f'sudo chmod 644 {key_path}') + + with open(key_path, 'r') as f: + key_data = f.read() + key = load_private_key(key_data, passphrase=None, wrap_tags=False) + + if key: + key_pem = encode_private_key(key, passphrase=None) + config.set(pki_base + ['certificate', pki_name, 'private', 'key'], value=wrapped_pem_to_config_value(key_pem)) + else: + print(f'Failed to migrate private key on sstp config') + + config.delete(x509_base + ['key-file']) + +try: + with open(file_name, 'w') as f: 
+ f.write(config.to_string())
+except OSError as e:
+ print("Failed to save the modified config: {}".format(e))
+ exit(1)
diff --git a/src/migration-scripts/system/20-to-21 b/src/migration-scripts/system/20-to-21
new file mode 100755
index 000000000..ad41be646
--- /dev/null
+++ b/src/migration-scripts/system/20-to-21
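Review bot: `if (len(argv) < 1):` can never be true because `argv[0]` is always present, so a missing file name falls through to `argv[1]` and raises IndexError instead of printing the intended message; the check should be `if (len(argv) < 2):` as the quagga/8-to-9 script in this diff does (the system/20-to-21 hunk has the same off-by-one). In the `key-file` branch, `run(f'sudo chmod 644 {key_path}')` permanently makes the private key world-readable and the mode is never restored; if elevated access is needed, read the file through the elevated helper instead of loosening its mode, or at least put the original mode back once the key has been imported. `cert_path`/`key_path` come from the configuration and are interpolated into a shell command string unquoted, so a file name containing whitespace breaks the command — quote them, or pass an argument list if `run` supports one. The three near-identical file-loading blocks would also read better as one helper taking the CLI node, loader and destination path, and the `print(f'Failed to migrate ...')` calls are f-strings with no placeholders.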
@@ -0,0 +1,57 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2021 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import os
+
+from sys import exit, argv
+from vyos.configtree import ConfigTree
+
+if (len(argv) < 1):
+ print("Must specify file name!")
+ exit(1)
+
+file_name = argv[1]
+with open(file_name, 'r') as f:
+ config_file = f.read()
+
+base = ['system', 'sysctl']
+config = ConfigTree(config_file)
+
+if not config.exists(base):
+ # Nothing to do
+ exit(0)
+
+for all_custom in ['all', 'custom']:
+ if config.exists(base + [all_custom]):
+ for key in config.list_nodes(base + [all_custom]):
+ tmp = config.return_value(base + [all_custom, key, 'value'])
+ config.set(base + ['parameter', key, 'value'], value=tmp)
+ config.set_tag(base + ['parameter'])
+ config.delete(base + [all_custom])
+
+for ipv4_param in ['net.ipv4.igmp_max_memberships', 'net.ipv4.ipfrag_time']:
+ if config.exists(base + [ipv4_param]):
+ tmp = config.return_value(base + [ipv4_param])
+ config.set(base + ['parameter', ipv4_param, 'value'], value=tmp)
+ config.set_tag(base + ['parameter'])
+ config.delete(base + [ipv4_param])
+
+try:
+ with open(file_name, 'w') as f:
+ f.write(config.to_string())
+except OSError as e:
+ print("Failed to save the modified config: {}".format(e))
+ exit(1)
diff --git a/src/migration-scripts/vrf/0-to-1 b/src/migration-scripts/vrf/0-to-1
index 29b2fab74..2b41ef3c7 100755
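Review bot: `config.set_tag(base + ['parameter'])` is called once per migrated key inside both loops; the tag marking only needs to happen once, so calling it right after the first `config.set(base + ['parameter', ...])` (or once up front, guarded by `config.exists`) states the intent more clearly. If an `all`/`custom` entry has no `value` child, `config.return_value(...)` presumably returns None and `config.set(..., value=None)` would then create a valueless `parameter` node — worth confirming against ConfigTree's behaviour and skipping such entries explicitly. `import os` is unused in this script.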
--- a/src/migration-scripts/vrf/0-to-1
+++ b/src/migration-scripts/vrf/0-to-1
@@ -91,6 +91,16 @@ for vrf in config.list_nodes(base):
 if config.exists(vrf_path):
 config.rename(vrf_path, 'vrf')
+ next_hop = route_path + [route, 'interface']
+ if config.exists(next_hop):
+ for interface in config.list_nodes(next_hop):
+ interface_path = next_hop + [interface, 'next-hop-interface']
+ if config.exists(interface_path):
+ config.rename(interface_path, 'interface')
+ vrf_path = next_hop + [interface, 'next-hop-vrf']
+ if config.exists(vrf_path):
+ config.rename(vrf_path, 'vrf')
+
 #
 # Cleanup nodes inside route6
 #
diff --git a/src/migration-scripts/vrf/1-to-2 b/src/migration-scripts/vrf/1-to-2
index 20128e957..9bc704e02 100755
--- a/src/migration-scripts/vrf/1-to-2
+++ b/src/migration-scripts/vrf/1-to-2
@@ -49,6 +49,7 @@ for vrf in config.list_nodes(base):
 new_static_base = vrf_base + [vrf, 'protocols']
 config.set(new_static_base)
 config.copy(static_base, new_static_base + ['static'])
+ config.set_tag(new_static_base + ['static', 'route'])
 # Now delete the old configuration
 config.delete(base)
diff --git a/src/migration-scripts/vrf/2-to-3 b/src/migration-scripts/vrf/2-to-3
new file mode 100755
index 000000000..8e0f97141
--- /dev/null
+++ b/src/migration-scripts/vrf/2-to-3
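Review bot: The added `interface` block repeats the `next-hop` rename sequence just above it line for line, and the same pair appears twice more in `migrate_route` of quagga/8-to-9 in this diff; a small helper such as `def _rename_nexthop_nodes(config, prefix):` taking the `next_hop + [interface]` prefix would keep the four copies in sync. A one-line comment on why the `interface` tag node is walked separately from `next-hop` (IPv4 interface routes landed there after the interface-route migration, if that is the reason) would help the next reader. The enclosing `for vrf` loop and `route_path`/`route` are defined outside the hunk.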
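Review bot: `config.set_tag(new_static_base + ['static', 'route'])` marks only `route` as a tag node, but the subtree copied from `static_base` can also carry `route6`, which the quagga/8-to-9 script in this diff treats as a tag node as well; unless ConfigTree already handles it, the same call is likely needed for `['static', 'route6']`. If `set_tag` raises on a path that does not exist, the call should also be guarded with `if config.exists(new_static_base + ['static', 'route']):`, since not every VRF copy necessarily contains routes. The enclosing `for vrf` loop starts outside the hunk.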
@@ -0,0 +1,144 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2021 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +# Since connection tracking zones are int16, VRFs tables maximum value must +# be limited to 65535 +# Also, interface names in nftables cannot start from numbers, +# so VRF name should not start from a number + +from sys import argv +from sys import exit +from random import randrange +from random import choice +from string import ascii_lowercase +from vyos.configtree import ConfigTree +import re + + +# Helper function to find all config items with a VRF name +def _search_vrfs(config_commands, vrf_name): + vrf_values = [] + # Regex to find path of config command with old VRF + regex_filter = re.compile(rf'^set (?P<cmd_path>[^\']+vrf) \'{vrf_name}\'$') + # Check each command for VRF value + for config_command in config_commands: + search_result = regex_filter.search(config_command) + if search_result: + # Append VRF command to a list + vrf_values.append(search_result.group('cmd_path').split()) + if vrf_values: + return vrf_values + else: + return None + + +# Helper function to find all config items with a table number +def _search_tables(config_commands, table_num): + table_items = {'table_tags': [], 'table_values': []} + # Regex to find values and nodes with a table number + regex_tags = re.compile(rf'^set (?P<cmd_path>[^\']+table {table_num}) ?.*$') + regex_values = re.compile( + 
rf'^set (?P<cmd_path>[^\']+table) \'{table_num}\'$') + for config_command in config_commands: + # Search for tag nodes + search_result = regex_tags.search(config_command) + if search_result: + # Append table node path to a tag nodes list + cmd_path = search_result.group('cmd_path').split() + if cmd_path not in table_items['table_tags']: + table_items['table_tags'].append(cmd_path) + # Search for value nodes + search_result = regex_values.search(config_command) + if search_result: + # Append table node path to a value nodes list + table_items['table_values'].append( + search_result.group('cmd_path').split()) + return table_items + + +if (len(argv) < 2): + print("Must specify file name!") + exit(1) + +file_name = argv[1] + +with open(file_name, 'r') as f: + config_file = f.read() + +base = ['vrf', 'name'] +config = ConfigTree(config_file) + +if not config.exists(base): + # Nothing to do + exit(0) + +# Get a list of all currently used VRFs and tables +vrfs_current = {} +for vrf in config.list_nodes(base): + vrfs_current[vrf] = int(config.return_value(base + [vrf, 'table'])) + +# Check VRF names and table numbers +name_regex = re.compile(r'^\d.*$') +for vrf_name, vrf_table in vrfs_current.items(): + # Check table number + if vrf_table > 65535: + # Find new unused table number + vrfs_current[vrf_name] = None + while not vrfs_current[vrf_name]: + table_random = randrange(100, 65535) + if table_random not in vrfs_current.values(): + vrfs_current[vrf_name] = table_random + # Update number to a new one + config.set(['vrf', 'name', vrf_name, 'table'], + vrfs_current[vrf_name], + replace=True) + # Check config items with old table number and replace to new one + config_commands = config.to_commands().split('\n') + table_config_lines = _search_tables(config_commands, vrf_table) + # Rename table nodes + if table_config_lines.get('table_tags'): + for table_config_path in table_config_lines.get('table_tags'): + config.rename(table_config_path, f'{vrfs_current[vrf_name]}') + # 
Replace table values
+ if table_config_lines.get('table_values'):
+ for table_config_path in table_config_lines.get('table_values'):
+ config.set(table_config_path,
+ f'{vrfs_current[vrf_name]}',
+ replace=True)
+
+ # Check VRF name
+ if name_regex.match(vrf_name):
+ vrf_name_new = None
+ while not vrf_name_new:
+ vrf_name_rand = f'{choice(ascii_lowercase)}{vrf_name}'[:15]
+ if vrf_name_rand not in vrfs_current:
+ vrf_name_new = vrf_name_rand
+ # Update VRF name to a new one
+ config.rename(['vrf', 'name', vrf_name], vrf_name_new)
+ # Check config items with old VRF name and replace to new one
+ config_commands = config.to_commands().split('\n')
+ vrf_config_lines = _search_vrfs(config_commands, vrf_name)
+ # Rename VRF to a new name
+ if vrf_config_lines:
+ for vrf_value_path in vrf_config_lines:
+ config.set(vrf_value_path, vrf_name_new, replace=True)
+
+try:
+ with open(file_name, 'w') as f:
+ f.write(config.to_string())
+except OSError as e:
+ print("Failed to save the modified config: {}".format(e))
+ exit(1)
diff --git a/src/op_mode/dynamic_dns.py b/src/op_mode/dynamic_dns.py
index 962943896..263a3b6a5 100755
--- a/src/op_mode/dynamic_dns.py
+++ b/src/op_mode/dynamic_dns.py
@@ -36,6 +36,10 @@ update-status: {{ entry.status }}
 """
 def show_status():
+ # A ddclient status file must not always exist
+ if not os.path.exists(cache_file):
+ sys.exit(0)
+
 data = {
 'hosts': []
 }
@@ -61,11 +65,10 @@ def show_status():
 if ip:
 outp['ip'] = ip.split(',')[0]
- if 'atime=' in line:
- atime = line.split('atime=')[1]
- if atime:
- tmp = atime.split(',')[0]
- outp['time'] = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(int(tmp, base=10)))
+ if 'mtime=' in line:
+ mtime = line.split('mtime=')[1]
+ if mtime:
+ outp['time'] = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(int(mtime.split(',')[0], base=10)))
 if 'status=' in line:
 status = line.split('status=')[1]
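Review bot: In `_search_tables` the tag-node pattern `rf'^set (?P<cmd_path>[^\']+table {table_num}) ?.*$'` has no boundary after the number: because ` ?.*` accepts anything, a table `100000` also matches commands for table `1000001`, and those nodes would be renamed to the new number as well. Anchoring the number, e.g. `rf'^set (?P<cmd_path>[^\']+table {table_num})(?: .*)?$'`, avoids that. Both helpers also interpolate `vrf_name`/`table_num` straight into a regex; wrapping them in `re.escape()` keeps a name containing `.` or `+` from being read as a pattern. `int(config.return_value(base + [vrf, 'table']))` will raise if a VRF has no `table` leaf — presumably the CLI makes it mandatory, but a guard would make the migration fail with a clearer message than a TypeError.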
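Review bot: The new early return in `show_status` exits with status 0 and prints nothing when `cache_file` is absent, which is indistinguishable from a successful run with no hosts; printing a short message such as `print('No ddclient status file found')` before `sys.exit(0)` tells the operator why the table is empty. The comment `# A ddclient status file must not always exist` reads as a prohibition; `# The ddclient status file does not always exist` says what is meant. In the second hunk, `int(mtime.split(',')[0], base=10)` raises ValueError on a malformed `mtime=` field; the old code had the same exposure, but a `try`/`except ValueError` around it would make the command robust to a partially written cache file. The rest of `show_status` lies outside the hunks.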
diff --git a/src/op_mode/generate_public_key_command.py b/src/op_mode/generate_public_key_command.py
new file mode 100755
index 000000000..7a7b6c923
--- /dev/null
+++ b/src/op_mode/generate_public_key_command.py
@@ -0,0 +1,41 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2021 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import os
+import sys
+import urllib.parse
+
+import vyos.remote
+
+def get_key(path):
+ url = urllib.parse.urlparse(path)
+ if url.scheme == 'file' or url.scheme == '':
+ with open(os.path.expanduser(path), 'r') as f:
+ key_string = f.read()
+ else:
+ key_string = vyos.remote.get_remote_config(path)
+ return key_string.split()
+
+username = sys.argv[1]
+algorithm, key, identifier = get_key(sys.argv[2])
+
+print('# To add this key as an embedded key, run the following commands:')
+print('configure')
+print(f'set system login user {username} authentication public-keys {identifier} key {key}')
+print(f'set system login user {username} authentication public-keys {identifier} type {algorithm}')
+print('commit')
+print('save')
+print('exit')
diff --git a/src/op_mode/ikev2_profile_generator.py b/src/op_mode/ikev2_profile_generator.py
new file mode 100755
index 000000000..d45525431
--- /dev/null
+++ b/src/op_mode/ikev2_profile_generator.py
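Review bot: `algorithm, key, identifier = get_key(sys.argv[2])` assumes the key file holds exactly three whitespace-separated fields, but an OpenSSH public key may have no comment or a comment containing spaces, and `key_string.split()` then produces a `ValueError` unpacking traceback instead of a message. Splitting with `split(None, 2)` and checking for three fields gives a clear error; since the content may also be fetched from an arbitrary URL via `vyos.remote.get_remote_config` and is echoed straight into `set` commands, a sanity check that the second field decodes as base64 before printing it is worthwhile. `sys.argv[1]` and `sys.argv[2]` are read without an argument-count check, so a missing argument currently ends in an IndexError rather than a usage line.
```python
def get_key(path):
    # … unchanged: local-file / remote fetch into key_string …
    parts = key_string.split(None, 2)
    if len(parts) != 3:
        sys.exit('Expected an OpenSSH public key line: "<type> <base64 key> <comment>"')
    return parts

if len(sys.argv) < 3:
    sys.exit(f'Usage: {sys.argv[0]} <username> <path or URL of public key file>')
username = sys.argv[1]
algorithm, key, identifier = get_key(sys.argv[2])
```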
@@ -0,0 +1,230 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2021 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import argparse + +from jinja2 import Template +from sys import exit +from socket import getfqdn +from cryptography.x509.oid import NameOID + +from vyos.config import Config +from vyos.pki import load_certificate +from vyos.template import render_to_string +from vyos.util import ask_input + +# Apple profiles only support one IKE/ESP encryption cipher and hash, whereas +# VyOS comes with a multitude of different proposals for a connection. +# +# We take all available proposals from the VyOS CLI and ask the user which one +# he would like to get enabled in his profile - thus there is limited possibility +# to select a proposal that is not supported on the connection profile. 
+# +# IOS supports IKE-SA encryption algorithms: +# - DES +# - 3DES +# - AES-128 +# - AES-256 +# - AES-128-GCM +# - AES-256-GCM +# - ChaCha20Poly1305 +# +vyos2apple_cipher = { + '3des' : '3DES', + 'aes128' : 'AES-128', + 'aes256' : 'AES-256', + 'aes128gcm128' : 'AES-128-GCM', + 'aes256gcm128' : 'AES-256-GCM', + 'chacha20poly1305' : 'ChaCha20Poly1305', +} + +# Windows supports IKE-SA encryption algorithms: +# - DES3 +# - AES128 +# - AES192 +# - AES256 +# - GCMAES128 +# - GCMAES192 +# - GCMAES256 +# +vyos2windows_cipher = { + '3des' : 'DES3', + 'aes128' : 'AES128', + 'aes192' : 'AES192', + 'aes256' : 'AES256', + 'aes128gcm128' : 'GCMAES128', + 'aes192gcm128' : 'GCMAES192', + 'aes256gcm128' : 'GCMAES256', +} + +# IOS supports IKE-SA integrity algorithms: +# - SHA1-96 +# - SHA1-160 +# - SHA2-256 +# - SHA2-384 +# - SHA2-512 +# +vyos2apple_integrity = { + 'sha1' : 'SHA1-96', + 'sha1_160' : 'SHA1-160', + 'sha256' : 'SHA2-256', + 'sha384' : 'SHA2-384', + 'sha512' : 'SHA2-512', +} + +# Windows supports IKE-SA integrity algorithms: +# - SHA1-96 +# - SHA1-160 +# - SHA2-256 +# - SHA2-384 +# - SHA2-512 +# +vyos2windows_integrity = { + 'sha1' : 'SHA196', + 'sha256' : 'SHA256', + 'aes128gmac' : 'GCMAES128', + 'aes192gmac' : 'GCMAES192', + 'aes256gmac' : 'GCMAES256', +} + +# IOS 14.2 and later do no support dh-group 1,2 and 5. 
Supported DH groups would +# be: 14, 15, 16, 17, 18, 19, 20, 21, 31 +ios_supported_dh_groups = ['14', '15', '16', '17', '18', '19', '20', '21', '31'] +# Windows 10 only allows a limited set of DH groups +windows_supported_dh_groups = ['1', '2', '14', '24'] + +parser = argparse.ArgumentParser() +parser.add_argument('--os', const='all', nargs='?', choices=['ios', 'windows'], help='Operating system used for config generation', required=True) +parser.add_argument("--connection", action="store", help='IPsec IKEv2 remote-access connection name from CLI', required=True) +parser.add_argument("--remote", action="store", help='VPN connection remote-address where the client will connect to', required=True) +parser.add_argument("--profile", action="store", help='IKEv2 profile name used in the profile list on the device') +parser.add_argument("--name", action="store", help='VPN connection name as seen in the VPN application later') +args = parser.parse_args() + +ipsec_base = ['vpn', 'ipsec'] +config_base = ipsec_base + ['remote-access', 'connection'] +pki_base = ['pki'] +conf = Config() +if not conf.exists(config_base): + exit('IPSec remote-access is not configured!') + +profile_name = 'VyOS IKEv2 Profile' +if args.profile: + profile_name = args.profile + +vpn_name = 'VyOS IKEv2 VPN' +if args.name: + vpn_name = args.name + +conn_base = config_base + [args.connection] +if not conf.exists(conn_base): + exit(f'IPSec remote-access connection "{args.connection}" does not exist!') + +data = conf.get_config_dict(conn_base, key_mangling=('-', '_'), + get_first_key=True, no_tag_node_value_mangle=True) + +data['profile_name'] = profile_name +data['vpn_name'] = vpn_name +data['remote'] = args.remote +# This is a reverse-DNS style unique identifier used to detect duplicate profiles +tmp = getfqdn().split('.') +tmp = reversed(tmp) +data['rfqdn'] = '.'.join(tmp) + +pki = conf.get_config_dict(pki_base, get_first_key=True) +ca_name = data['authentication']['x509']['ca_certificate'] +cert_name 
= data['authentication']['x509']['certificate'] + +ca_cert = load_certificate(pki['ca'][ca_name]['certificate']) +cert = load_certificate(pki['certificate'][cert_name]['certificate']) + +data['ca_cn'] = ca_cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value +data['cert_cn'] = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value +data['ca_cert'] = conf.return_value(pki_base + ['ca', ca_name, 'certificate']) + +esp_proposals = conf.get_config_dict(ipsec_base + ['esp-group', data['esp_group'], 'proposal'], + key_mangling=('-', '_'), get_first_key=True) +ike_proposal = conf.get_config_dict(ipsec_base + ['ike-group', data['ike_group'], 'proposal'], + key_mangling=('-', '_'), get_first_key=True) + + +# This script works only for Apple iOS/iPadOS and Windows. Both operating systems +# have different limitations thus we load the limitations based on the operating +# system used. + +vyos2client_cipher = vyos2apple_cipher if args.os == 'ios' else vyos2windows_cipher; +vyos2client_integrity = vyos2apple_integrity if args.os == 'ios' else vyos2windows_integrity; +supported_dh_groups = ios_supported_dh_groups if args.os == 'ios' else windows_supported_dh_groups; + +# Create a dictionary containing client conform IKE settings +ike = {} +count = 1 +for _, proposal in ike_proposal.items(): + if {'dh_group', 'encryption', 'hash'} <= set(proposal): + if (proposal['encryption'] in set(vyos2client_cipher) and + proposal['hash'] in set(vyos2client_integrity) and + proposal['dh_group'] in set(supported_dh_groups)): + + # We 're-code' from the VyOS IPSec proposals to the Apple naming scheme + proposal['encryption'] = vyos2client_cipher[ proposal['encryption'] ] + proposal['hash'] = vyos2client_integrity[ proposal['hash'] ] + + ike.update( { str(count) : proposal } ) + count += 1 + +# Create a dictionary containing Apple conform ESP settings +esp = {} +count = 1 +for _, proposal in esp_proposals.items(): + if {'encryption', 'hash'} <= set(proposal): + if 
proposal['encryption'] in set(vyos2client_cipher) and proposal['hash'] in set(vyos2client_integrity):
+ # We 're-code' from the VyOS IPSec proposals to the Apple naming scheme
+ proposal['encryption'] = vyos2client_cipher[ proposal['encryption'] ]
+ proposal['hash'] = vyos2client_integrity[ proposal['hash'] ]
+
+ esp.update( { str(count) : proposal } )
+ count += 1
+try:
+ if len(ike) > 1:
+ # Propare the input questions for the user
+ tmp = '\n'
+ for number, options in ike.items():
+ tmp += f'({number}) Encryption {options["encryption"]}, Integrity {options["hash"]}, DH group {options["dh_group"]}\n'
+ tmp += '\nSelect one of the above IKE groups: '
+ data['ike_encryption'] = ike[ ask_input(tmp, valid_responses=list(ike)) ]
+ else:
+ data['ike_encryption'] = ike['1']
+
+ if len(esp) > 1:
+ tmp = '\n'
+ for number, options in esp.items():
+ tmp += f'({number}) Encryption {options["encryption"]}, Integrity {options["hash"]}\n'
+ tmp += '\nSelect one of the above ESP groups: '
+ data['esp_encryption'] = esp[ ask_input(tmp, valid_responses=list(esp)) ]
+ else:
+ data['esp_encryption'] = esp['1']
+
+except KeyboardInterrupt:
+ exit("Interrupted")
+
+print('\n\n==== <snip> ====')
+if args.os == 'ios':
+ print(render_to_string('ipsec/ios_profile.tmpl', data))
+ print('==== </snip> ====\n')
+ print('Save the XML from above to a new file named "vyos.mobileconfig" and E-Mail it to your phone.')
+elif args.os == 'windows':
+ print(render_to_string('ipsec/windows_profile.tmpl', data))
+ print('==== </snip> ====\n')
diff --git a/src/op_mode/monitor_bandwidth_test.sh b/src/op_mode/monitor_bandwidth_test.sh
index 6da0291c5..900223bca 100755
--- a/src/op_mode/monitor_bandwidth_test.sh
+++ b/src/op_mode/monitor_bandwidth_test.sh
@@ -26,5 +26,5 @@ elif [[ $(dig $1 AAAA +short | grep -v '\.$' | wc -l) -gt 0 ]]; then
 OPT="-V"
 fi
-/usr/bin/iperf $OPT -c $1
+/usr/bin/iperf $OPT -c $1 $2
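Review bot: When no IKE proposal survives the client-compatibility filter, `ike` is empty and `data['ike_encryption'] = ike['1']` raises a bare KeyError that the `except KeyboardInterrupt` handler does not catch; the same holds for `esp['1']`. A check before the `try`, e.g. `if not ike or not esp: exit(f'None of the configured IKE/ESP proposals is supported by {args.os} clients')`, turns that into a usable message. The comment block above `vyos2windows_integrity` still lists the Apple names (SHA1-96, SHA1-160, …) while the dictionary maps to `SHA196`, `SHA256` and `GCMAES*`, so it should be rewritten to describe the Windows identifiers it actually contains. `windows_supported_dh_groups` admits groups `1` and `2`, which are only offered if the CLI already has such a proposal, but a comment flagging them as legacy-strength groups kept for client compatibility would save the next maintainer from wondering. The three `vyos2client_* = … ;` assignments carry stray trailing semicolons, and `# Propare` should read `# Prepare`.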
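Review bot: `$1` and `$2` are unquoted on the new iperf line, so a host or option value containing whitespace or glob characters is word-split before it reaches iperf; `"$1"` is safe, and since `$2` is optional, `${2:+"$2"}` passes it only when present without adding an empty argument. The same unquoted `$1` feeds the `dig` calls above the hunk, so the quoting fix belongs there too.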
diff --git a/src/op_mode/openconnect-control.py b/src/op_mode/openconnect-control.py
index ef9fe618c..c3cd25186 100755
--- a/src/op_mode/openconnect-control.py
+++ b/src/op_mode/openconnect-control.py
@@ -58,7 +58,7 @@ def main():
 is_ocserv_configured()
 if args.action == "restart":
- run("systemctl restart ocserv")
+ run("sudo systemctl restart ocserv.service")
 sys.exit(0)
 elif args.action == "show_sessions":
 show_sessions()
diff --git a/src/op_mode/ping.py b/src/op_mode/ping.py
index 29b430d53..2144ab53c 100755
--- a/src/op_mode/ping.py
+++ b/src/op_mode/ping.py
@@ -50,6 +50,11 @@ options = {
 'type': '<seconds>',
 'help': 'Number of seconds before ping exits'
 },
+ 'do-not-fragment': {
+ 'ping': '{command} -M do',
+ 'type': 'noarg',
+ 'help': 'Set DF-bit flag to 1 for no fragmentation'
+ },
 'flood': {
 'ping': 'sudo {command} -f',
 'type': 'noarg',
@@ -215,6 +220,8 @@ if __name__ == '__main__':
 try:
 ip = socket.gethostbyname(host)
+ except UnicodeError:
+ sys.exit(f'ping: Unknown host: {host}')
 except socket.gaierror:
 ip = host
@@ -227,4 +234,4 @@ if __name__ == '__main__':
 # print(f'{command} {host}')
 os.system(f'{command} {host}')
-
+
\ No newline at end of file
diff --git a/src/op_mode/pki.py b/src/op_mode/pki.py
new file mode 100755
index 000000000..297270cf1
--- /dev/null
+++ b/src/op_mode/pki.py
@@ -0,0 +1,845 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2021 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import argparse +import ipaddress +import os +import re +import sys +import tabulate + +from cryptography import x509 +from cryptography.x509.oid import ExtendedKeyUsageOID + +from vyos.config import Config +from vyos.configdict import dict_merge +from vyos.pki import encode_certificate, encode_public_key, encode_private_key, encode_dh_parameters +from vyos.pki import create_certificate, create_certificate_request, create_certificate_revocation_list +from vyos.pki import create_private_key +from vyos.pki import create_dh_parameters +from vyos.pki import load_certificate, load_certificate_request, load_private_key, load_crl +from vyos.pki import verify_certificate +from vyos.xml import defaults +from vyos.util import ask_input, ask_yes_no +from vyos.util import cmd + +CERT_REQ_END = '-----END CERTIFICATE REQUEST-----' + +auth_dir = '/config/auth' + +# Helper Functions + +def get_default_values(): + # Fetch default x509 values + conf = Config() + base = ['pki', 'x509', 'default'] + x509_defaults = conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True, no_tag_node_value_mangle=True) + default_values = defaults(base) + return dict_merge(default_values, x509_defaults) + +def get_config_ca_certificate(name=None): + # Fetch ca certificates from config + conf = Config() + 
base = ['pki', 'ca'] + + if not conf.exists(base): + return False + + if name: + base = base + [name] + if not conf.exists(base + ['private', 'key']) or not conf.exists(base + ['certificate']): + return False + + return conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True, no_tag_node_value_mangle=True) + +def get_config_certificate(name=None): + # Get certificates from config + conf = Config() + base = ['pki', 'certificate'] + + if not conf.exists(base): + return False + + if name: + base = base + [name] + if not conf.exists(base + ['private', 'key']) or not conf.exists(base + ['certificate']): + return False + + return conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True, no_tag_node_value_mangle=True) + +def get_certificate_ca(cert, ca_certs): + # Find CA certificate for given certificate + for ca_name, ca_dict in ca_certs.items(): + if 'certificate' not in ca_dict: + continue + + ca_cert = load_certificate(ca_dict['certificate']) + + if not ca_cert: + continue + + if verify_certificate(cert, ca_cert): + return ca_name + return None + +def get_config_revoked_certificates(): + # Fetch revoked certificates from config + conf = Config() + ca_base = ['pki', 'ca'] + cert_base = ['pki', 'certificate'] + + certs = [] + + if conf.exists(ca_base): + ca_certificates = conf.get_config_dict(ca_base, key_mangling=('-', '_'), + get_first_key=True, no_tag_node_value_mangle=True) + certs.extend(ca_certificates.values()) + + if conf.exists(cert_base): + certificates = conf.get_config_dict(cert_base, key_mangling=('-', '_'), + get_first_key=True, no_tag_node_value_mangle=True) + certs.extend(certificates.values()) + + return [cert_dict for cert_dict in certs if 'revoke' in cert_dict] + +def get_revoked_by_serial_numbers(serial_numbers=[]): + # Return serial numbers of revoked certificates + certs_out = [] + certs = get_config_certificate() + ca_certs = get_config_ca_certificate() + if certs: + for cert_name, cert_dict in certs.items(): + if 
'certificate' not in cert_dict: + continue + + cert = load_certificate(cert_dict['certificate']) + if cert.serial_number in serial_numbers: + certs_out.append(cert_name) + if ca_certs: + for cert_name, cert_dict in ca_certs.items(): + if 'certificate' not in cert_dict: + continue + + cert = load_certificate(cert_dict['certificate']) + if cert.serial_number in serial_numbers: + certs_out.append(cert_name) + return certs_out + +def install_certificate(name, cert='', private_key=None, key_type=None, key_passphrase=None, is_ca=False): + # Show conf commands for installing certificate + prefix = 'ca' if is_ca else 'certificate' + print("Configure mode commands to install:") + + if cert: + cert_pem = "".join(encode_certificate(cert).strip().split("\n")[1:-1]) + print("set pki %s %s certificate '%s'" % (prefix, name, cert_pem)) + + if private_key: + key_pem = "".join(encode_private_key(private_key, passphrase=key_passphrase).strip().split("\n")[1:-1]) + print("set pki %s %s private key '%s'" % (prefix, name, key_pem)) + if key_passphrase: + print("set pki %s %s private password-protected" % (prefix, name)) + +def install_crl(ca_name, crl): + # Show conf commands for installing crl + print("Configure mode commands to install CRL:") + crl_pem = "".join(encode_certificate(crl).strip().split("\n")[1:-1]) + print("set pki ca %s crl '%s'" % (ca_name, crl_pem)) + +def install_dh_parameters(name, params): + # Show conf commands for installing dh params + print("Configure mode commands to install DH parameters:") + dh_pem = "".join(encode_dh_parameters(params).strip().split("\n")[1:-1]) + print("set pki dh %s parameters '%s'" % (name, dh_pem)) + +def install_ssh_key(name, public_key, private_key, passphrase=None): + # Show conf commands for installing ssh key + key_openssh = encode_public_key(public_key, encoding='OpenSSH', key_format='OpenSSH') + username = os.getlogin() + type_key_split = key_openssh.split(" ") + print("Configure mode commands to install SSH key:") + print("set 
system login user %s authentication public-keys %s key '%s'" % (username, name, type_key_split[1])) + print("set system login user %s authentication public-keys %s type '%s'" % (username, name, type_key_split[0])) + print("") + print(encode_private_key(private_key, encoding='PEM', key_format='OpenSSH', passphrase=passphrase)) + +def install_keypair(name, key_type, private_key=None, public_key=None, passphrase=None): + # Show conf commands for installing key-pair + print("Configure mode commands to install key pair:") + + if public_key: + install_public_key = ask_yes_no('Do you want to install the public key?', default=True) + public_key_pem = encode_public_key(public_key) + + if install_public_key: + install_public_pem = "".join(public_key_pem.strip().split("\n")[1:-1]) + print("set pki key-pair %s public key '%s'" % (name, install_public_pem)) + else: + print("Public key:") + print(public_key_pem) + + if private_key: + install_private_key = ask_yes_no('Do you want to install the private key?', default=True) + private_key_pem = encode_private_key(private_key, passphrase=passphrase) + + if install_private_key: + install_private_pem = "".join(private_key_pem.strip().split("\n")[1:-1]) + print("set pki key-pair %s private key '%s'" % (name, install_private_pem)) + if passphrase: + print("set pki key-pair %s private password-protected" % (name,)) + else: + print("Private key:") + print(private_key_pem) + +def install_wireguard_key(name, private_key, public_key): + # Show conf commands for installing wireguard key pairs + is_interface = re.match(r'^wg[\d]+$', name) + + print("Configure mode commands to install key:") + if is_interface: + print("set interfaces wireguard %s private-key '%s'" % (name, private_key)) + print("") + print("Public key for use on peer configuration: " + public_key) + else: + print("set interfaces wireguard [INTERFACE] peer %s public-key '%s'" % (name, public_key)) + print("") + print("Private key for use on peer configuration: " + private_key) + 
+def install_wireguard_psk(name, psk): + # Show conf commands for installing wireguard psk + print("set interfaces wireguard [INTERFACE] peer %s preshared-key '%s'" % (name, psk)) + +def ask_passphrase(): + passphrase = None + print("Note: If you plan to use the generated key on this router, do not encrypt the private key.") + if ask_yes_no('Do you want to encrypt the private key with a passphrase?'): + passphrase = ask_input('Enter passphrase:') + return passphrase + +def write_file(filename, contents): + full_path = os.path.join(auth_dir, filename) + directory = os.path.dirname(full_path) + + if not os.path.exists(directory): + print('Failed to write file: directory does not exist') + return False + + if os.path.exists(full_path) and not ask_yes_no('Do you want to overwrite the existing file?'): + return False + + with open(full_path, 'w') as f: + f.write(contents) + + print(f'File written to {full_path}') + +# Generation functions + +def generate_private_key(): + key_type = ask_input('Enter private key type: [rsa, dsa, ec]', default='rsa', valid_responses=['rsa', 'dsa', 'ec']) + + size_valid = [] + size_default = 0 + + if key_type in ['rsa', 'dsa']: + size_default = 2048 + size_valid = [512, 1024, 2048, 4096] + elif key_type == 'ec': + size_default = 256 + size_valid = [224, 256, 384, 521] + + size = ask_input('Enter private key bits:', default=size_default, numeric_only=True, valid_responses=size_valid) + + return create_private_key(key_type, size), key_type + +def parse_san_string(san_string): + if not san_string: + return None + + output = [] + san_split = san_string.strip().split(",") + + for pair_str in san_split: + tag, value = pair_str.strip().split(":", 1) + if tag == 'ipv4': + output.append(ipaddress.IPv4Address(value)) + elif tag == 'ipv6': + output.append(ipaddress.IPv6Address(value)) + elif tag == 'dns': + output.append(value) + return output + +def generate_certificate_request(private_key=None, key_type=None, return_request=False, name=None, 
install=False, file=False, ask_san=True): + if not private_key: + private_key, key_type = generate_private_key() + + default_values = get_default_values() + subject = {} + subject['country'] = ask_input('Enter country code:', default=default_values['country']) + subject['state'] = ask_input('Enter state:', default=default_values['state']) + subject['locality'] = ask_input('Enter locality:', default=default_values['locality']) + subject['organization'] = ask_input('Enter organization name:', default=default_values['organization']) + subject['common_name'] = ask_input('Enter common name:', default='vyos.io') + subject_alt_names = None + + if ask_san and ask_yes_no('Do you want to configure Subject Alternative Names?'): + print("Enter alternative names in a comma separate list, example: ipv4:1.1.1.1,ipv6:fe80::1,dns:vyos.net") + san_string = ask_input('Enter Subject Alternative Names:') + subject_alt_names = parse_san_string(san_string) + + cert_req = create_certificate_request(subject, private_key, subject_alt_names) + + if return_request: + return cert_req + + passphrase = ask_passphrase() + + if not install and not file: + print(encode_certificate(cert_req)) + print(encode_private_key(private_key, passphrase=passphrase)) + return None + + if install: + print("Certificate request:") + print(encode_certificate(cert_req) + "\n") + install_certificate(name, private_key=private_key, key_type=key_type, key_passphrase=passphrase, is_ca=False) + + if file: + write_file(f'{name}.csr', encode_certificate(cert_req)) + write_file(f'{name}.key', encode_private_key(private_key, passphrase=passphrase)) + +def generate_certificate(cert_req, ca_cert, ca_private_key, is_ca=False, is_sub_ca=False): + valid_days = ask_input('Enter how many days certificate will be valid:', default='365' if not is_ca else '1825', numeric_only=True) + cert_type = None + if not is_ca: + cert_type = ask_input('Enter certificate type: (client, server)', default='server', valid_responses=['client', 
'server']) + return create_certificate(cert_req, ca_cert, ca_private_key, valid_days, cert_type, is_ca, is_sub_ca) + +def generate_ca_certificate(name, install=False, file=False): + private_key, key_type = generate_private_key() + cert_req = generate_certificate_request(private_key, key_type, return_request=True, ask_san=False) + cert = generate_certificate(cert_req, cert_req, private_key, is_ca=True) + passphrase = ask_passphrase() + + if not install and not file: + print(encode_certificate(cert)) + print(encode_private_key(private_key, passphrase=passphrase)) + return None + + if install: + install_certificate(name, cert, private_key, key_type, key_passphrase=passphrase, is_ca=True) + + if file: + write_file(f'{name}.pem', encode_certificate(cert)) + write_file(f'{name}.key', encode_private_key(private_key, passphrase=passphrase)) + +def generate_ca_certificate_sign(name, ca_name, install=False, file=False): + ca_dict = get_config_ca_certificate(ca_name) + + if not ca_dict: + print(f"CA certificate or private key for '{ca_name}' not found") + return None + + ca_cert = load_certificate(ca_dict['certificate']) + + if not ca_cert: + print("Failed to load signing CA certificate, aborting") + return None + + ca_private = ca_dict['private'] + ca_private_passphrase = None + if 'password_protected' in ca_private: + ca_private_passphrase = ask_input('Enter signing CA private key passphrase:') + ca_private_key = load_private_key(ca_private['key'], passphrase=ca_private_passphrase) + + if not ca_private_key: + print("Failed to load signing CA private key, aborting") + return None + + private_key = None + key_type = None + + cert_req = None + if not ask_yes_no('Do you already have a certificate request?'): + private_key, key_type = generate_private_key() + cert_req = generate_certificate_request(private_key, key_type, return_request=True, ask_san=False) + else: + print("Paste certificate request and press enter:") + lines = [] + curr_line = '' + while True: + curr_line = 
input().strip() + if not curr_line or curr_line == CERT_REQ_END: + break + lines.append(curr_line) + + if not lines: + print("Aborted") + return None + + wrap = lines[0].find('-----') < 0 # Only base64 pasted, add the CSR tags for parsing + cert_req = load_certificate_request("\n".join(lines), wrap) + + if not cert_req: + print("Invalid certificate request") + return None + + cert = generate_certificate(cert_req, ca_cert, ca_private_key, is_ca=True, is_sub_ca=True) + passphrase = ask_passphrase() + + if not install and not file: + print(encode_certificate(cert)) + print(encode_private_key(private_key, passphrase=passphrase)) + return None + + if install: + install_certificate(name, cert, private_key, key_type, key_passphrase=passphrase, is_ca=True) + + if file: + write_file(f'{name}.pem', encode_certificate(cert)) + write_file(f'{name}.key', encode_private_key(private_key, passphrase=passphrase)) + +def generate_certificate_sign(name, ca_name, install=False, file=False): + ca_dict = get_config_ca_certificate(ca_name) + + if not ca_dict: + print(f"CA certificate or private key for '{ca_name}' not found") + return None + + ca_cert = load_certificate(ca_dict['certificate']) + + if not ca_cert: + print("Failed to load CA certificate, aborting") + return None + + ca_private = ca_dict['private'] + ca_private_passphrase = None + if 'password_protected' in ca_private: + ca_private_passphrase = ask_input('Enter CA private key passphrase:') + ca_private_key = load_private_key(ca_private['key'], passphrase=ca_private_passphrase) + + if not ca_private_key: + print("Failed to load CA private key, aborting") + return None + + private_key = None + key_type = None + + cert_req = None + if not ask_yes_no('Do you already have a certificate request?'): + private_key, key_type = generate_private_key() + cert_req = generate_certificate_request(private_key, key_type, return_request=True) + else: + print("Paste certificate request and press enter:") + lines = [] + curr_line = '' + while 
True: + curr_line = input().strip() + if not curr_line or curr_line == CERT_REQ_END: + break + lines.append(curr_line) + + if not lines: + print("Aborted") + return None + + wrap = lines[0].find('-----') < 0 # Only base64 pasted, add the CSR tags for parsing + cert_req = load_certificate_request("\n".join(lines), wrap) + + if not cert_req: + print("Invalid certificate request") + return None + + cert = generate_certificate(cert_req, ca_cert, ca_private_key, is_ca=False) + passphrase = ask_passphrase() + + if not install and not file: + print(encode_certificate(cert)) + print(encode_private_key(private_key, passphrase=passphrase)) + return None + + if install: + install_certificate(name, cert, private_key, key_type, key_passphrase=passphrase, is_ca=False) + + if file: + write_file(f'{name}.pem', encode_certificate(cert)) + write_file(f'{name}.key', encode_private_key(private_key, passphrase=passphrase)) + +def generate_certificate_selfsign(name, install=False, file=False): + private_key, key_type = generate_private_key() + cert_req = generate_certificate_request(private_key, key_type, return_request=True) + cert = generate_certificate(cert_req, cert_req, private_key, is_ca=False) + passphrase = ask_passphrase() + + if not install and not file: + print(encode_certificate(cert)) + print(encode_private_key(private_key, passphrase=passphrase)) + return None + + if install: + install_certificate(name, cert, private_key=private_key, key_type=key_type, key_passphrase=passphrase, is_ca=False) + + if file: + write_file(f'{name}.pem', encode_certificate(cert)) + write_file(f'{name}.key', encode_private_key(private_key, passphrase=passphrase)) + +def generate_certificate_revocation_list(ca_name, install=False, file=False): + ca_dict = get_config_ca_certificate(ca_name) + + if not ca_dict: + print(f"CA certificate or private key for '{ca_name}' not found") + return None + + ca_cert = load_certificate(ca_dict['certificate']) + + if not ca_cert: + print("Failed to load CA 
certificate, aborting") + return None + + ca_private = ca_dict['private'] + ca_private_passphrase = None + if 'password_protected' in ca_private: + ca_private_passphrase = ask_input('Enter CA private key passphrase:') + ca_private_key = load_private_key(ca_private['key'], passphrase=ca_private_passphrase) + + if not ca_private_key: + print("Failed to load CA private key, aborting") + return None + + revoked_certs = get_config_revoked_certificates() + to_revoke = [] + + for cert_dict in revoked_certs: + if 'certificate' not in cert_dict: + continue + + cert_data = cert_dict['certificate'] + + try: + cert = load_certificate(cert_data) + + if cert.issuer == ca_cert.subject: + to_revoke.append(cert.serial_number) + except ValueError: + continue + + if not to_revoke: + print("No revoked certificates to add to the CRL") + return None + + crl = create_certificate_revocation_list(ca_cert, ca_private_key, to_revoke) + + if not crl: + print("Failed to create CRL") + return None + + if not install and not file: + print(encode_certificate(crl)) + return None + + if install: + install_crl(ca_name, crl) + + if file: + write_file(f'{name}.crl', encode_certificate(crl)) + +def generate_ssh_keypair(name, install=False, file=False): + private_key, key_type = generate_private_key() + public_key = private_key.public_key() + passphrase = ask_passphrase() + + if not install and not file: + print(encode_public_key(public_key, encoding='OpenSSH', key_format='OpenSSH')) + print("") + print(encode_private_key(private_key, encoding='PEM', key_format='OpenSSH', passphrase=passphrase)) + return None + + if install: + install_ssh_key(name, public_key, private_key, passphrase) + + if file: + write_file(f'{name}.pem', encode_public_key(public_key, encoding='OpenSSH', key_format='OpenSSH')) + write_file(f'{name}.key', encode_private_key(private_key, encoding='PEM', key_format='OpenSSH', passphrase=passphrase)) + +def generate_dh_parameters(name, install=False, file=False): + bits = 
ask_input('Enter DH parameters key size:', default=2048, numeric_only=True) + + print("Generating parameters...") + + dh_params = create_dh_parameters(bits) + if not dh_params: + print("Failed to create DH parameters") + return None + + if not install and not file: + print("DH Parameters:") + print(encode_dh_parameters(dh_params)) + + if install: + install_dh_parameters(name, dh_params) + + if file: + write_file(f'{name}.pem', encode_dh_parameters(dh_params)) + +def generate_keypair(name, install=False, file=False): + private_key, key_type = generate_private_key() + public_key = private_key.public_key() + passphrase = ask_passphrase() + + if not install and not file: + print(encode_public_key(public_key)) + print("") + print(encode_private_key(private_key, passphrase=passphrase)) + return None + + if install: + install_keypair(name, key_type, private_key, public_key, passphrase) + + if file: + write_file(f'{name}.pem', encode_public_key(public_key)) + write_file(f'{name}.key', encode_private_key(private_key, passphrase=passphrase)) + +def generate_openvpn_key(name, install=False, file=False): + result = cmd('openvpn --genkey secret /dev/stdout | grep -o "^[^#]*"') + + if not result: + print("Failed to generate OpenVPN key") + return None + + if not install and not file: + print(result) + return None + + if install: + key_lines = result.split("\n") + key_data = "".join(key_lines[1:-1]) # Remove wrapper tags and line endings + key_version = '1' + + version_search = re.search(r'BEGIN OpenVPN Static key V(\d+)', result) # Future-proofing (hopefully) + if version_search: + key_version = version_search[1] + + print("Configure mode commands to install OpenVPN key:") + print("set pki openvpn shared-secret %s key '%s'" % (name, key_data)) + print("set pki openvpn shared-secret %s version '%s'" % (name, key_version)) + + if file: + write_file(f'{name}.key', result) + +def generate_wireguard_key(name, install=False, file=False): + private_key = cmd('wg genkey') + public_key = 
cmd('wg pubkey', input=private_key) + + if not install: + print("Private key: " + private_key) + print("Public key: " + public_key) + return None + + if install: + install_wireguard_key(name, private_key, public_key) + + if file: + write_file(f'{name}_public.key', public_key) + write_file(f'{name}_private.key', private_key) + +def generate_wireguard_psk(name, install=False, file=False): + psk = cmd('wg genpsk') + + if not install and not file: + print("Pre-shared key:") + print(psk) + return None + + if install: + install_wireguard_psk(name, psk) + + if file: + write_file(f'{name}.key', psk) + +# Show functions + +def show_certificate_authority(name=None): + headers = ['Name', 'Subject', 'Issuer CN', 'Issued', 'Expiry', 'Private Key', 'Parent'] + data = [] + certs = get_config_ca_certificate() + if certs: + for cert_name, cert_dict in certs.items(): + if name and name != cert_name: + continue + if 'certificate' not in cert_dict: + continue + + cert = load_certificate(cert_dict['certificate']) + parent_ca_name = get_certificate_ca(cert, certs) + cert_issuer_cn = cert.issuer.rfc4514_string().split(",")[0] + + if not parent_ca_name or parent_ca_name == cert_name: + parent_ca_name = 'N/A' + + if not cert: + continue + + have_private = 'Yes' if 'private' in cert_dict and 'key' in cert_dict['private'] else 'No' + data.append([cert_name, cert.subject.rfc4514_string(), cert_issuer_cn, cert.not_valid_before, cert.not_valid_after, have_private, parent_ca_name]) + + print("Certificate Authorities:") + print(tabulate.tabulate(data, headers)) + +def show_certificate(name=None): + headers = ['Name', 'Type', 'Subject CN', 'Issuer CN', 'Issued', 'Expiry', 'Revoked', 'Private Key', 'CA Present'] + data = [] + certs = get_config_certificate() + if certs: + ca_certs = get_config_ca_certificate() + + for cert_name, cert_dict in certs.items(): + if name and name != cert_name: + continue + if 'certificate' not in cert_dict: + continue + + cert = 
load_certificate(cert_dict['certificate']) + + if not cert: + continue + + ca_name = get_certificate_ca(cert, ca_certs) + cert_subject_cn = cert.subject.rfc4514_string().split(",")[0] + cert_issuer_cn = cert.issuer.rfc4514_string().split(",")[0] + cert_type = 'Unknown' + ext = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage) + if ext and ExtendedKeyUsageOID.SERVER_AUTH in ext.value: + cert_type = 'Server' + elif ext and ExtendedKeyUsageOID.CLIENT_AUTH in ext.value: + cert_type = 'Client' + + revoked = 'Yes' if 'revoke' in cert_dict else 'No' + have_private = 'Yes' if 'private' in cert_dict and 'key' in cert_dict['private'] else 'No' + have_ca = f'Yes ({ca_name})' if ca_name else 'No' + data.append([ + cert_name, cert_type, cert_subject_cn, cert_issuer_cn, + cert.not_valid_before, cert.not_valid_after, + revoked, have_private, have_ca]) + + print("Certificates:") + print(tabulate.tabulate(data, headers)) + +def show_crl(name=None): + headers = ['CA Name', 'Updated', 'Revokes'] + data = [] + certs = get_config_ca_certificate() + if certs: + for cert_name, cert_dict in certs.items(): + if name and name != cert_name: + continue + if 'crl' not in cert_dict: + continue + + crls = cert_dict['crl'] + if isinstance(crls, str): + crls = [crls] + + for crl_data in cert_dict['crl']: + crl = load_crl(crl_data) + + if not crl: + continue + + certs = get_revoked_by_serial_numbers([revoked.serial_number for revoked in crl]) + data.append([cert_name, crl.last_update, ", ".join(certs)]) + + print("Certificate Revocation Lists:") + print(tabulate.tabulate(data, headers)) + +if __name__ == '__main__': + parser = argparse.ArgumentParser() + parser.add_argument('--action', help='PKI action', required=True) + + # X509 + parser.add_argument('--ca', help='Certificate Authority', required=False) + parser.add_argument('--certificate', help='Certificate', required=False) + parser.add_argument('--crl', help='Certificate Revocation List', required=False) + 
parser.add_argument('--sign', help='Sign certificate with specified CA', required=False) + parser.add_argument('--self-sign', help='Self-sign the certificate', action='store_true') + + # SSH + parser.add_argument('--ssh', help='SSH Key', required=False) + + # DH + parser.add_argument('--dh', help='DH Parameters', required=False) + + # Key pair + parser.add_argument('--keypair', help='Key pair', required=False) + + # OpenVPN + parser.add_argument('--openvpn', help='OpenVPN TLS key', required=False) + + # Wireguard + parser.add_argument('--wireguard', help='Wireguard', action='store_true') + parser.add_argument('--key', help='Wireguard key pair', required=False) + parser.add_argument('--psk', help='Wireguard pre shared key', required=False) + + # Global + parser.add_argument('--file', help='Write generated keys into specified filename', action='store_true') + parser.add_argument('--install', help='Install generated keys into running-config', action='store_true') + + args = parser.parse_args() + + try: + if args.action == 'generate': + if args.ca: + if args.sign: + generate_ca_certificate_sign(args.ca, args.sign, install=args.install, file=args.file) + else: + generate_ca_certificate(args.ca, install=args.install, file=args.file) + elif args.certificate: + if args.sign: + generate_certificate_sign(args.certificate, args.sign, install=args.install, file=args.file) + elif args.self_sign: + generate_certificate_selfsign(args.certificate, install=args.install, file=args.file) + else: + generate_certificate_request(name=args.certificate, install=args.install) + elif args.crl: + generate_certificate_revocation_list(args.crl, install=args.install, file=args.file) + elif args.ssh: + generate_ssh_keypair(args.ssh, install=args.install, file=args.file) + elif args.dh: + generate_dh_parameters(args.dh, install=args.install, file=args.file) + elif args.keypair: + generate_keypair(args.keypair, install=args.install, file=args.file) + elif args.openvpn: + 
generate_openvpn_key(args.openvpn, install=args.install, file=args.file) + elif args.wireguard: + if args.key: + generate_wireguard_key(args.key, install=args.install, file=args.file) + elif args.psk: + generate_wireguard_psk(args.psk, install=args.install, file=args.file) + elif args.action == 'show': + if args.ca: + show_certificate_authority(None if args.ca == 'all' else args.ca) + elif args.certificate: + show_certificate(None if args.certificate == 'all' else args.certificate) + elif args.crl: + show_crl(None if args.crl == 'all' else args.crl) + else: + show_certificate_authority() + show_certificate() + show_crl() + except KeyboardInterrupt: + print("Aborted") + sys.exit(0) diff --git a/src/op_mode/show-bond.py b/src/op_mode/show-bond.py new file mode 100755 index 000000000..edf7847fc --- /dev/null +++ b/src/op_mode/show-bond.py 
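Review bot: `generate_private_key` offers 512- and 1024-bit RSA/DSA keys (`size_valid = [512, 1024, 2048, 4096]`), which a PKI generator should refuse rather than present as valid choices; restricting RSA to `[2048, 3072, 4096]` and dropping `dsa` avoids minting keys that current TLS stacks reject and that are trivially factorable. Separately, `write_file` creates key files with a plain `open(full_path, 'w')`, so `{name}.key` inherits the process umask and may be group- or world-readable under `/config/auth`; create it with mode `0o600` instead. Because `filename` is built from the CLI `--ca`/`--certificate` name and only `os.path.exists(directory)` is checked, a name containing `../` also writes outside `auth_dir`, so names with path separators should be rejected. Note also that `generate_certificate_revocation_list` writes `f'{name}.crl'` while its parameter is `ca_name`, so `--crl X --file` raises NameError.
```python
def write_file(filename, contents):
    # The name comes from the CLI; refuse anything that would escape auth_dir
    if os.path.basename(filename) != filename:
        print('Failed to write file: invalid file name')
        return False
    full_path = os.path.join(auth_dir, filename)
    # … unchanged: directory existence and overwrite prompt …
    # Key material: create owner-only regardless of the caller's umask
    fd = os.open(full_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as f:
        f.write(contents)
    print(f'File written to {full_path}')
```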
@@ -0,0 +1,92 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2021 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import jinja2 + +from argparse import ArgumentParser +from vyos.ifconfig import Section +from vyos.ifconfig import BondIf +from vyos.util import read_file + +from sys import exit + +parser = ArgumentParser() +parser.add_argument("--slaves", action="store_true", help="Show LLDP neighbors on all interfaces") +parser.add_argument("--interface", action="store", help="Show LLDP neighbors on specific interface") + +args = parser.parse_args() + +all_bonds = Section.interfaces('bonding') +# we are not interested in any bond vlan interface +all_bonds = [x for x in all_bonds if '.' 
not in x] + +TMPL_BRIEF = """Interface Mode State Link Slaves +{% for interface in data %} +{{ "%-12s" | format(interface.ifname) }} {{ "%-22s" | format(interface.mode) }} {{ "%-8s" | format(interface.admin_state) }} {{ "%-6s" | format(interface.oper_state) }} {{ interface.members | join(' ') }} +{% endfor %} +""" + +TMPL_INDIVIDUAL_BOND = """Interface RX: bytes packets TX: bytes packets +{{ "%-16s" | format(data.ifname) }} {{ "%-10s" | format(data.rx_bytes) }} {{ "%-11s" | format(data.rx_packets) }} {{ "%-10s" | format(data.tx_bytes) }} {{ data.tx_packets }} +{% for member in data.members if data.members is defined %} + {{ "%-12s" | format(member.ifname) }} {{ "%-10s" | format(member.rx_bytes) }} {{ "%-11s" | format(member.rx_packets) }} {{ "%-10s" | format(member.tx_bytes) }} {{ member.tx_packets }} +{% endfor %} +""" + +if args.slaves and args.interface: + exit('Can not use both --slaves and --interfaces option at the same time') + parser.print_help() + +elif args.slaves: + data = [] + template = TMPL_BRIEF + for bond in all_bonds: + tmp = BondIf(bond) + cfg_dict = {} + cfg_dict['ifname'] = bond + cfg_dict['mode'] = tmp.get_mode() + cfg_dict['admin_state'] = tmp.get_admin_state() + cfg_dict['oper_state'] = tmp.operational.get_state() + cfg_dict['members'] = tmp.get_slaves() + data.append(cfg_dict) + +elif args.interface: + template = TMPL_INDIVIDUAL_BOND + data = {} + data['ifname'] = args.interface + data['rx_bytes'] = read_file(f'/sys/class/net/{args.interface}/statistics/rx_bytes') + data['rx_packets'] = read_file(f'/sys/class/net/{args.interface}/statistics/rx_packets') + data['tx_bytes'] = read_file(f'/sys/class/net/{args.interface}/statistics/tx_bytes') + data['tx_packets'] = read_file(f'/sys/class/net/{args.interface}/statistics/tx_packets') + + # each bond member interface has its own statistics + data['members'] = [] + for member in BondIf(args.interface).get_slaves(): + tmp = {} + tmp['ifname'] = member + tmp['rx_bytes'] = 
read_file(f'/sys/class/net/{member}/statistics/rx_bytes') + tmp['rx_packets'] = read_file(f'/sys/class/net/{member}/statistics/rx_packets') + tmp['tx_bytes'] = read_file(f'/sys/class/net/{member}/statistics/tx_bytes') + tmp['tx_packets'] = read_file(f'/sys/class/net/{member}/statistics/tx_packets') + data['members'].append(tmp) + +else: + parser.print_help() + exit(1) + +tmpl = jinja2.Template(template, trim_blocks=True) +config_text = tmpl.render(data=data) +print(config_text) diff --git a/src/op_mode/show_dhcp.py b/src/op_mode/show_dhcp.py index ff1e3cc56..4df275e04 100755 --- a/src/op_mode/show_dhcp.py +++ b/src/op_mode/show_dhcp.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2018-2020 VyOS maintainers and contributors +# Copyright (C) 2018-2021 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -27,8 +27,7 @@ from datetime import datetime from isc_dhcp_leases import Lease, IscDhcpLeases from vyos.config import Config -from vyos.util import call - +from vyos.util import is_systemd_service_running lease_file = "/config/dhcpd.leases" pool_key = "shared-networkname" @@ -217,7 +216,7 @@ if __name__ == '__main__': exit(0) # if dhcp server is down, inactive leases may still be shown as active, so warn the user. - if call('systemctl -q is-active isc-dhcp-server.service') != 0: + if not is_systemd_service_running('isc-dhcp-server.service'): print("WARNING: DHCP server is configured but not started. Data may be stale.") if args.leases: diff --git a/src/op_mode/show_dhcpv6.py b/src/op_mode/show_dhcpv6.py index f70f04298..1f987ff7b 100755 --- a/src/op_mode/show_dhcpv6.py +++ b/src/op_mode/show_dhcpv6.py 
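Review bot: `args.interface` is interpolated into `/sys/class/net/{args.interface}/statistics/...` and passed to `BondIf()` without checking that it is one of the bonds already collected in `all_bonds`, so a typo, a VLAN sub-interface or a non-bond interface will presumably end in a traceback from `read_file`/`BondIf` rather than a message; add `if args.interface not in all_bonds: exit(f'Interface {args.interface} is not a bond')` before the statistics are read. The help texts for `--slaves` and `--interface` say "Show LLDP neighbors", which looks copied from another script and should describe bond members and bond statistics. In the first branch `parser.print_help()` follows `exit(...)` and is never reached; swap the two lines or drop the call.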
@@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2018-2020 VyOS maintainers and contributors +# Copyright (C) 2018-2021 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -27,7 +27,7 @@ from datetime import datetime from isc_dhcp_leases import Lease, IscDhcpLeases from vyos.config import Config -from vyos.util import call +from vyos.util import is_systemd_service_running lease_file = "/config/dhcpdv6.leases" pool_key = "shared-networkname" @@ -202,7 +202,7 @@ if __name__ == '__main__': exit(0) # if dhcp server is down, inactive leases may still be shown as active, so warn the user. - if call('systemctl -q is-active isc-dhcp-server6.service') != 0: + if not is_systemd_service_running('isc-dhcp-server6.service'): print("WARNING: DHCPv6 server is configured but not started. Data may be stale.") if args.leases: diff --git a/src/op_mode/show_ipsec_sa.py b/src/op_mode/show_ipsec_sa.py index 645a0571d..e491267fd 100755 --- a/src/op_mode/show_ipsec_sa.py +++ b/src/op_mode/show_ipsec_sa.py 
@@ -23,39 +23,24 @@ import hurry.filesize import vyos.util +def format_output(conns, sas): + sa_data = [] -try: - session = vici.Session() - sas = session.list_sas() -except PermissionError: - print("You do not have a permission to connect to the IPsec daemon") - sys.exit(1) -except ConnectionRefusedError: - print("IPsec is not runing") - sys.exit(1) -except Exception as e: - print("An error occured: {0}".format(e)) - sys.exit(1) - -sa_data = [] - -for sa in sas: - # list_sas() returns a list of single-item dicts - for peer in sa: - parent_sa = sa[peer] - child_sas = parent_sa["child-sas"] - installed_sas = {k: v for k, v in child_sas.items() if v["state"] == b"INSTALLED"} + for peer, parent_conn in conns.items(): + if peer not in sas: + continue + + parent_sa = sas[peer] + child_sas = parent_sa['child-sas'] + installed_sas = {v['name'].decode(): v for k, v in child_sas.items() if v["state"] == b"INSTALLED"} # parent_sa["state"] = IKE state, child_sas["state"] = ESP state + state = 'down' + uptime = 'N/A' + if parent_sa["state"] == b"ESTABLISHED" and installed_sas: state = "up" - else: - state = "down" - - if state == "up": uptime = vyos.util.seconds_to_human(parent_sa["established"].decode()) - else: - uptime = "N/A" remote_host = parent_sa["remote-host"].decode() remote_id = parent_sa["remote-id"].decode() 
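Review bot: `if peer not in sas: continue` in format_output silently omits every configured connection for which strongSwan reports no IKE SA at all, whereas a connection whose IKE SA exists but has no installed child SA is still listed as "down" by the children loop in the next hunk, so a tunnel that never came up vanishes from the table instead of being reported. Emitting the same "down" row for each child of a missing peer keeps the output complete; `parent_conn['children']` is already relied on in the next hunk. The rest of the loop body is unchanged and continues past this hunk.
```python
    for peer, parent_conn in conns.items():
        if peer not in sas:
            # configured connection with no IKE SA at all: still report every child as down
            for child_conn in parent_conn['children']:
                sa_data.append([child_conn, "down", "N/A", "N/A", "N/A", "N/A", "N/A", "N/A"])
            continue
        # … unchanged: parent_sa / installed_sas / state / uptime …
```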
@@ -64,51 +49,77 @@ for sa in sas: remote_id = "N/A" # The counters can only be obtained from the child SAs - if not installed_sas: - data = [peer, state, "N/A", "N/A", "N/A", "N/A", "N/A", "N/A"] - sa_data.append(data) - else: - for csa in installed_sas: - isa = installed_sas[csa] - csa_name = isa['name'] - csa_name = csa_name.decode() - - bytes_in = hurry.filesize.size(int(isa["bytes-in"].decode())) - bytes_out = hurry.filesize.size(int(isa["bytes-out"].decode())) - bytes_str = "{0}/{1}".format(bytes_in, bytes_out) - - pkts_in = hurry.filesize.size(int(isa["packets-in"].decode()), system=hurry.filesize.si) - pkts_out = hurry.filesize.size(int(isa["packets-out"].decode()), system=hurry.filesize.si) - pkts_str = "{0}/{1}".format(pkts_in, pkts_out) - # Remove B from <1K values - pkts_str = re.sub(r'B', r'', pkts_str) - - enc = isa["encr-alg"].decode() - if "encr-keysize" in isa: - key_size = isa["encr-keysize"].decode() - else: - key_size = "" - if "integ-alg" in isa: - hash = isa["integ-alg"].decode() - else: - hash = "" - if "dh-group" in isa: - dh_group = isa["dh-group"].decode() - else: - dh_group = "" - - proposal = enc - if key_size: - proposal = "{0}_{1}".format(proposal, key_size) - if hash: - proposal = "{0}/{1}".format(proposal, hash) - if dh_group: - proposal = "{0}/{1}".format(proposal, dh_group) - - data = [csa_name, state, uptime, bytes_str, pkts_str, remote_host, remote_id, proposal] + for child_conn in parent_conn['children']: + if child_conn not in installed_sas: + data = [child_conn, "down", "N/A", "N/A", "N/A", "N/A", "N/A", "N/A"] sa_data.append(data) - -headers = ["Connection", "State", "Uptime", "Bytes In/Out", "Packets In/Out", "Remote address", "Remote ID", "Proposal"] -sa_data = sorted(sa_data, key=lambda peer: peer[0]) -output = tabulate.tabulate(sa_data, headers) -print(output) + continue + + isa = installed_sas[child_conn] + csa_name = isa['name'] + csa_name = csa_name.decode() + + bytes_in = 
hurry.filesize.size(int(isa["bytes-in"].decode())) + bytes_out = hurry.filesize.size(int(isa["bytes-out"].decode())) + bytes_str = "{0}/{1}".format(bytes_in, bytes_out) + + pkts_in = hurry.filesize.size(int(isa["packets-in"].decode()), system=hurry.filesize.si) + pkts_out = hurry.filesize.size(int(isa["packets-out"].decode()), system=hurry.filesize.si) + pkts_str = "{0}/{1}".format(pkts_in, pkts_out) + # Remove B from <1K values + pkts_str = re.sub(r'B', r'', pkts_str) + + enc = isa["encr-alg"].decode() + if "encr-keysize" in isa: + key_size = isa["encr-keysize"].decode() + else: + key_size = "" + if "integ-alg" in isa: + hash = isa["integ-alg"].decode() + else: + hash = "" + if "dh-group" in isa: + dh_group = isa["dh-group"].decode() + else: + dh_group = "" + + proposal = enc + if key_size: + proposal = "{0}_{1}".format(proposal, key_size) + if hash: + proposal = "{0}/{1}".format(proposal, hash) + if dh_group: + proposal = "{0}/{1}".format(proposal, dh_group) + + data = [csa_name, state, uptime, bytes_str, pkts_str, remote_host, remote_id, proposal] + sa_data.append(data) + return sa_data + +if __name__ == '__main__': + try: + session = vici.Session() + conns = {} + sas = {} + + for conn in session.list_conns(): + for key in conn: + conns[key] = conn[key] + + for sa in session.list_sas(): + for key in sa: + sas[key] = sa[key] + + headers = ["Connection", "State", "Uptime", "Bytes In/Out", "Packets In/Out", "Remote address", "Remote ID", "Proposal"] + sa_data = format_output(conns, sas) + sa_data = sorted(sa_data, key=lambda peer: peer[0]) + output = tabulate.tabulate(sa_data, headers) + print(output) + except PermissionError: + print("You do not have a permission to connect to the IPsec daemon") + sys.exit(1) + except ConnectionRefusedError: + print("IPsec is not runing") + sys.exit(1) + except Exception as e: + print("An error occured: {0}".format(e)) + sys.exit(1) 
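Review bot: The `try` in `__main__` now wraps `format_output`, `sorted` and `tabulate` as well as the vici calls, so a KeyError raised while formatting (a child SA entry without `name`, or a conn without `children`) is reported to the operator as "An error occured" with exit status 1, indistinguishable from a daemon failure. Keep the `try`/`except` around `session.list_conns()` and `session.list_sas()` only and let formatting errors surface with a traceback, or at least print the exception type. The merge loops `conns[key] = conn[key]` and `sas[key] = sa[key]` keep only the last entry per name, so if vici ever reports two IKE SAs for one connection (a rekey in flight, presumably) the first is lost — worth a comment if that is intended. The user-facing message `"IPsec is not runing"` on the new side is misspelled (`running`).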
diff --git a/src/op_mode/show_nat66_rules.py b/src/op_mode/show_nat66_rules.py index a25e146a7..967ec9d37 100755 --- a/src/op_mode/show_nat66_rules.py +++ b/src/op_mode/show_nat66_rules.py @@ -68,7 +68,7 @@ if args.source or args.destination: rule = comment.replace('SRC-NAT66-','') rule = rule.replace('DST-NAT66-','') chain = data['chain'] - if not (args.source and chain == 'POSTROUTING') or (not args.source and chain == 'PREROUTING'): + if not ((args.source and chain == 'POSTROUTING') or (not args.source and chain == 'PREROUTING')): continue interface = dict_search('match.right', data['expr'][0]) srcdest = dict_search('match.right.prefix.addr', data['expr'][2]) @@ -79,16 +79,19 @@ if args.source or args.destination: else: srcdest = dict_search('match.right', data['expr'][2]) - tran_addr = dict_search('snat.addr.prefix.addr' if args.source else 'dnat.addr.prefix.addr', data['expr'][3]) - if tran_addr: - addr_tmp = dict_search('snat.addr.prefix.len' if args.source else 'dnat.addr.prefix.len', data['expr'][3]) - if addr_tmp: - srcdest = srcdest + '/' + str(addr_tmp) + tran_addr_json = dict_search('snat.addr' if args.source else 'dnat.addr', data['expr'][3]) + if tran_addr_json: + if isinstance(srcdest_json,str): + tran_addr = tran_addr_json + + if 'prefix' in tran_addr_json: + addr_tmp = dict_search('snat.addr.prefix.addr' if args.source else 'dnat.addr.prefix.addr', data['expr'][3]) + len_tmp = dict_search('snat.addr.prefix.len' if args.source else 'dnat.addr.prefix.len', data['expr'][3]) + if addr_tmp: + tran_addr = addr_tmp + '/' + str(len_tmp) else: if 'masquerade' in data['expr'][3]: tran_addr = 'masquerade' - else: - tran_addr = dict_search('snat.addr' if args.source else 'dnat.addr', data['expr'][3]) print(format_nat66_rule.format(rule, srcdest, tran_addr, interface)) diff --git a/src/op_mode/show_nat_rules.py b/src/op_mode/show_nat_rules.py index 68cff61c8..0f40ecabe 100755 --- a/src/op_mode/show_nat_rules.py +++ b/src/op_mode/show_nat_rules.py 
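Review bot: `if isinstance(srcdest_json,str):` in the new translation branch references `srcdest_json`, which this file does not define in the visible context (the lines above use `srcdest`), so the first rule with a non-empty `snat.addr`/`dnat.addr` raises NameError unless that name is assigned somewhere outside the hunk; the parallel code in show_nat_rules.py tests the translation object, and `if isinstance(tran_addr_json, str):` is presumably what was meant. `tran_addr` is also no longer initialised on every path — a prefix without `addr`, or a dict that is neither a string nor a prefix, reaches the `print` with `tran_addr` unbound, which the old code avoided — so add `tran_addr = ''` before the `tran_addr_json` lookup as show_nat_rules.py does. The enclosing loop starts before this hunk.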
@@ -33,9 +33,9 @@ if args.source or args.destination: tmp = cmd('sudo nft -j list table ip nat') tmp = json.loads(tmp) - format_nat66_rule = '{0: <10} {1: <50} {2: <50} {3: <10}' - print(format_nat66_rule.format("Rule", "Source" if args.source else "Destination", "Translation", "Outbound Interface" if args.source else "Inbound Interface")) - print(format_nat66_rule.format("----", "------" if args.source else "-----------", "-----------", "------------------" if args.source else "-----------------")) + format_nat_rule = '{0: <10} {1: <50} {2: <50} {3: <10}' + print(format_nat_rule.format("Rule", "Source" if args.source else "Destination", "Translation", "Outbound Interface" if args.source else "Inbound Interface")) + print(format_nat_rule.format("----", "------" if args.source else "-----------", "-----------", "------------------" if args.source else "-----------------")) data_json = jmespath.search('nftables[?rule].rule[?chain]', tmp) for idx in range(0, len(data_json)): 
@@ -63,30 +63,50 @@ if args.source or args.destination: rule = int(''.join(list(filter(str.isdigit, comment)))) chain = data['chain'] - if not (args.source and chain == 'POSTROUTING') or (not args.source and chain == 'PREROUTING'): + if not ((args.source and chain == 'POSTROUTING') or (not args.source and chain == 'PREROUTING')): continue interface = dict_search('match.right', data['expr'][0]) - srcdest = dict_search('match.right.prefix.addr', data['expr'][1]) - if srcdest: - addr_tmp = dict_search('match.right.prefix.len', data['expr'][1]) - if addr_tmp: - srcdest = srcdest + '/' + str(addr_tmp) - else: - srcdest = dict_search('match.right', data['expr'][1]) - tran_addr = dict_search('snat.addr.prefix.addr' if args.source else 'dnat.addr.prefix.addr', data['expr'][3]) - if tran_addr: - addr_tmp = dict_search('snat.addr.prefix.len' if args.source else 'dnat.addr.prefix.len', data['expr'][3]) - if addr_tmp: - srcdest = srcdest + '/' + str(addr_tmp) + srcdest = '' + for i in [1, 2]: + srcdest_json = dict_search('match.right', data['expr'][i]) + if not srcdest_json: + continue + + if isinstance(srcdest_json,str): + srcdest += srcdest_json + ' ' + elif 'prefix' in srcdest_json: + addr_tmp = dict_search('match.right.prefix.addr', data['expr'][i]) + len_tmp = dict_search('match.right.prefix.len', data['expr'][i]) + if addr_tmp and len_tmp: + srcdest = addr_tmp + '/' + str(len_tmp) + ' ' + elif 'set' in srcdest_json: + if isinstance(srcdest_json['set'][0],str): + srcdest += 'port ' + str(srcdest_json['set'][0]) + ' ' + else: + port_range = srcdest_json['set'][0]['range'] + srcdest += 'port ' + str(port_range[0]) + '-' + str(port_range[1]) + ' ' + + tran_addr = '' + tran_addr_json = dict_search('snat.addr' if args.source else 'dnat.addr', data['expr'][3]) + if tran_addr_json: + if isinstance(tran_addr_json,str): + tran_addr = tran_addr_json + elif 'prefix' in tran_addr_json: + addr_tmp = dict_search('snat.addr.prefix.addr' if args.source else 'dnat.addr.prefix.addr', 
data['expr'][3]) + len_tmp = dict_search('snat.addr.prefix.len' if args.source else 'dnat.addr.prefix.len', data['expr'][3]) + if addr_tmp and len_tmp: + tran_addr = addr_tmp + '/' + str(len_tmp) else: if 'masquerade' in data['expr'][3]: tran_addr = 'masquerade' elif 'log' in data['expr'][3]: continue - else: - tran_addr = dict_search('snat.addr' if args.source else 'dnat.addr', data['expr'][3]) - - print(format_nat66_rule.format(rule, srcdest, tran_addr, interface)) + + tran_port = dict_search('snat.port' if args.source else 'dnat.port', data['expr'][3]) + if tran_port: + tran_addr += ' port ' + str(tran_port) + + print(format_nat_rule.format(rule, srcdest, tran_addr, interface)) exit(0) else: diff --git a/src/op_mode/show_vrf.py b/src/op_mode/show_vrf.py index 94358c6e4..3c7a90205 100755 --- a/src/op_mode/show_vrf.py +++ b/src/op_mode/show_vrf.py @@ -20,12 +20,11 @@ from json import loads from vyos.util import cmd -vrf_out_tmpl = """ -VRF name state mac address flags interfaces +vrf_out_tmpl = """VRF name state mac address flags interfaces -------- ----- ----------- ----- ---------- -{% for v in vrf %} +{%- for v in vrf %} {{"%-16s"|format(v.ifname)}} {{ "%-8s"|format(v.operstate | lower())}} {{"%-17s"|format(v.address | lower())}} {{ v.flags|join(',')|lower()}} {{v.members|join(',')|lower()}} -{% endfor %} +{%- endfor %} """ diff --git a/src/op_mode/show_wwan.py b/src/op_mode/show_wwan.py new file mode 100755 index 000000000..249dda2a5 --- /dev/null +++ b/src/op_mode/show_wwan.py 
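Review bot: In the `for i in [1, 2]` loop the prefix branch assigns `srcdest = addr_tmp + '/' + str(len_tmp) + ' '` while the string and set branches append with `+=`, so when `expr[1]` is a plain string match and `expr[2]` is a prefix the earlier text is discarded; it should read `srcdest += addr_tmp + '/' + str(len_tmp) + ' '`. A `match.right` dict that is neither `prefix` nor `set` (a `range`, for instance) falls through all branches and is silently dropped from the column, which deserves either a final `else` rendering `str(srcdest_json)` or a comment stating the omission is intentional. The enclosing `for idx` loop begins before this hunk.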
@@ -0,0 +1,78 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2021 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import argparse + +from sys import exit +from vyos.util import cmd + +parser = argparse.ArgumentParser() +parser.add_argument("--model", help="Get module model", action="store_true") +parser.add_argument("--revision", help="Get module revision", action="store_true") +parser.add_argument("--capabilities", help="Get module capabilities", action="store_true") +parser.add_argument("--imei", help="Get module IMEI/ESN/MEID", action="store_true") +parser.add_argument("--imsi", help="Get module IMSI", action="store_true") +parser.add_argument("--msisdn", help="Get module MSISDN", action="store_true") +parser.add_argument("--sim", help="Get SIM card status", action="store_true") +parser.add_argument("--signal", help="Get current RF signal info", action="store_true") +parser.add_argument("--firmware", help="Get current RF signal info", action="store_true") + +required = parser.add_argument_group('Required arguments') +required.add_argument("--interface", help="WWAN interface name, e.g. 
wwan0", required=True) + +def qmi_cmd(device, command, silent=False): + tmp = cmd(f'qmicli --device={device} --device-open-proxy {command}') + tmp = tmp.replace(f'[{cdc}] ', '') + if not silent: + # skip first line as this only holds the info headline + for line in tmp.splitlines()[1:]: + print(line.lstrip()) + return tmp + +if __name__ == '__main__': + args = parser.parse_args() + + # remove the WWAN prefix from the interface, required for the CDC interface + if_num = args.interface.replace('wwan','') + cdc = f'/dev/cdc-wdm{if_num}' + + if args.model: + qmi_cmd(cdc, '--dms-get-model') + elif args.capabilities: + qmi_cmd(cdc, '--dms-get-capabilities') + qmi_cmd(cdc, '--dms-get-band-capabilities') + elif args.revision: + qmi_cmd(cdc, '--dms-get-revision') + elif args.imei: + qmi_cmd(cdc, '--dms-get-ids') + elif args.imsi: + qmi_cmd(cdc, '--dms-uim-get-imsi') + elif args.msisdn: + qmi_cmd(cdc, '--dms-get-msisdn') + elif args.sim: + qmi_cmd(cdc, '--uim-get-card-status') + elif args.signal: + qmi_cmd(cdc, '--nas-get-signal-info') + qmi_cmd(cdc, '--nas-get-rf-band-info') + elif args.firmware: + tmp = qmi_cmd(cdc, '--dms-get-manufacturer', silent=True) + if 'Sierra Wireless' in tmp: + qmi_cmd(cdc, '--dms-swi-get-current-firmware') + else: + qmi_cmd(cdc, '--dms-get-software-version') + else: + parser.print_help() + exit(1) diff --git a/src/op_mode/vpn_ike_sa.py b/src/op_mode/vpn_ike_sa.py new file mode 100755 index 000000000..00f34564a --- /dev/null +++ b/src/op_mode/vpn_ike_sa.py 
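Review bot: `qmi_cmd` strips `f'[{cdc}] '` using the module-level `cdc` that `__main__` assigns later rather than its own `device` parameter, so the helper only works when called from this script's main block; use `tmp = tmp.replace(f'[{device}] ', '')`. `if_num = args.interface.replace('wwan','')` accepts any string, and the result is interpolated into both the `/dev/cdc-wdm…` path and the `qmicli` command line handed to `cmd`, so an argument other than `wwanN` yields at best a confusing qmicli error and, if `cmd` goes through a shell, an unintended command line; a check such as `if not if_num.isdigit(): parser.error('interface must be wwanN')` before building `cdc` closes that. The `--firmware` help string is a copy of `--signal`'s ("Get current RF signal info") and should say something like "Get module firmware version".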
@@ -0,0 +1,77 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2021 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import argparse +import re +import sys +import vici + +from vyos.util import process_named_running + +ike_sa_peer_prefix = """\ +Peer ID / IP Local ID / IP +------------ -------------""" + +ike_sa_tunnel_prefix = """ + + State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time + ----- ------ ------- ---- --------- ----- ------ ------""" + +def s(byte_string): + return str(byte_string, 'utf-8') + +def ike_sa(peer, nat): + session = vici.Session() + sas = session.list_sas() + peers = [] + for conn in sas: + for name, sa in conn.items(): + if peer and not name.startswith('peer_' + peer): + continue + if name.startswith('peer_') and name in peers: + continue + if nat and 'nat-local' not in sa: + continue + peers.append(name) + remote_str = f'{s(sa["remote-host"])} {s(sa["remote-id"])}' if s(sa['remote-id']) != '%any' else s(sa["remote-host"]) + local_str = f'{s(sa["local-host"])} {s(sa["local-id"])}' if s(sa['local-id']) != '%any' else s(sa["local-host"]) + print(ike_sa_peer_prefix) + print('%-39s %-39s' % (remote_str, local_str)) + state = 'up' if 'state' in sa and s(sa['state']) == 'ESTABLISHED' else 'down' + version = 'IKEv' + s(sa['version']) + encryption = f'{s(sa["encr-alg"])}' if 'encr-alg' in sa else 'n/a' + if 'encr-keysize' in sa: + encryption += '_' + s(sa["encr-keysize"]) + 
integrity = s(sa['integ-alg']) if 'integ-alg' in sa else 'n/a' + dh_group = s(sa['dh-group']) if 'dh-group' in sa else 'n/a' + natt = 'yes' if 'nat-local' in sa and s(sa['nat-local']) == 'yes' else 'no' + atime = s(sa['established']) if 'established' in sa else '0' + ltime = s(sa['rekey-time']) if 'rekey_time' in sa else '0' + print(ike_sa_tunnel_prefix) + print(' %-6s %-6s %-12s %-13s %-14s %-6s %-7s %-7s\n' % (state, version, encryption, integrity, dh_group, natt, atime, ltime)) + +if __name__ == '__main__': + parser = argparse.ArgumentParser() + parser.add_argument('--peer', help='Peer name', required=False) + parser.add_argument('--nat', help='NAT Traversal', required=False) + + args = parser.parse_args() + + if not process_named_running('charon'): + print("IPSec Process NOT Running") + sys.exit(0) + + ike_sa(args.peer, args.nat) diff --git a/src/op_mode/vpn_ipsec.py b/src/op_mode/vpn_ipsec.py new file mode 100755 index 000000000..06e227ccf --- /dev/null +++ b/src/op_mode/vpn_ipsec.py 
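Review bot: `ltime = s(sa['rekey-time']) if 'rekey_time' in sa else '0'` tests the key with an underscore but reads it with a hyphen, so the condition is never true and the L-Time column always prints 0; every other key in `ike_sa` is hyphenated, so it should be `if 'rekey-time' in sa`. `import re` is unused in this file. The `--nat` option is a free-form string and any non-empty value, including "no", enables the NAT-T filter; `action='store_true'` would match how `nat` is tested in `ike_sa`, assuming the op-mode definition passes it as a flag.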
@@ -0,0 +1,119 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2021 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import re +import argparse +from subprocess import TimeoutExpired + +from vyos.util import call + +SWANCTL_CONF = '/etc/swanctl/swanctl.conf' + +def get_peer_connections(peer, tunnel, return_all = False): + search = rf'^[\s]*(peer_{peer}_(tunnel_[\d]+|vti)).*' + matches = [] + with open(SWANCTL_CONF, 'r') as f: + for line in f.readlines(): + result = re.match(search, line) + if result: + suffix = f'tunnel_{tunnel}' if tunnel.isnumeric() else tunnel + if return_all or (result[2] == suffix): + matches.append(result[1]) + return matches + +def reset_peer(peer, tunnel): + if not peer: + print('Invalid peer, aborting') + return + + conns = get_peer_connections(peer, tunnel, return_all = (not tunnel or tunnel == 'all')) + + if not conns: + print('Tunnel(s) not found, aborting') + return + + result = True + for conn in conns: + try: + call(f'sudo /usr/sbin/ipsec down {conn}', timeout = 10) + call(f'sudo /usr/sbin/ipsec up {conn}', timeout = 10) + except TimeoutExpired as e: + print(f'Timed out while resetting {conn}') + result = False + + + print('Peer reset result: ' + ('success' if result else 'failed')) + +def get_profile_connection(profile, tunnel = None): + search = rf'(dmvpn-{profile}-[\w]+)' if tunnel == 'all' else rf'(dmvpn-{profile}-{tunnel})' + with open(SWANCTL_CONF, 'r') as f: + 
for line in f.readlines(): + result = re.search(search, line) + if result: + return result[1] + return None + +def reset_profile(profile, tunnel): + if not profile: + print('Invalid profile, aborting') + return + + if not tunnel: + print('Invalid tunnel, aborting') + return + + conn = get_profile_connection(profile) + + if not conn: + print('Profile not found, aborting') + return + + call(f'sudo /usr/sbin/ipsec down {conn}') + result = call(f'sudo /usr/sbin/ipsec up {conn}') + + print('Profile reset result: ' + ('success' if result == 0 else 'failed')) + +def debug_peer(peer, tunnel): + if not peer or peer == "all": + call('sudo /usr/sbin/ipsec statusall') + return + + if not tunnel or tunnel == 'all': + tunnel = '' + + conn = get_peer_connections(peer, tunnel) + + if not conns: + print('Peer not found, aborting') + return + + for conn in conns: + call(f'sudo /usr/sbin/ipsec statusall | grep {conn}') + +if __name__ == '__main__': + parser = argparse.ArgumentParser() + parser.add_argument('--action', help='Control action', required=True) + parser.add_argument('--name', help='Name for peer reset', required=False) + parser.add_argument('--tunnel', help='Specific tunnel of peer', required=False) + + args = parser.parse_args() + + if args.action == 'reset-peer': + reset_peer(args.name, args.tunnel) + elif args.action == "reset-profile": + reset_profile(args.name, args.tunnel) + elif args.action == "vpn-debug": + debug_peer(args.name, args.tunnel) diff --git a/src/op_mode/wireguard.py b/src/op_mode/wireguard.py deleted file mode 100755 index e08bc983a..000000000 --- a/src/op_mode/wireguard.py +++ /dev/null 
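Review bot: `debug_peer` stores the lookup in `conn = get_peer_connections(peer, tunnel)` but then tests and iterates `conns`, which is not defined in that function, so `vpn-debug` with a peer name raises NameError; the assignment should be `conns = get_peer_connections(peer, tunnel)`. `reset_profile` calls `get_profile_connection(profile)` without the tunnel it just validated, so the search pattern becomes `dmvpn-<profile>-None` and "Profile not found" is printed for every profile; pass it as `conn = get_profile_connection(profile, tunnel)`. In `get_peer_connections` the suffix expression calls `tunnel.isnumeric()` before `return_all` is consulted, so `reset-peer` without `--tunnel` (tunnel is None) raises AttributeError on the first matching line; guard it with `suffix = f'tunnel_{tunnel}' if tunnel and tunnel.isnumeric() else tunnel`. Since `peer` and `profile` are spliced into the regexes verbatim, wrapping them in `re.escape()` keeps a name containing `.` or `*` from matching other peers' connections.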
@@ -1,159 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2018-2020 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. - -import argparse -import os -import sys -import shutil -import syslog as sl -import re - -from vyos.config import Config -from vyos.ifconfig import WireGuardIf -from vyos.util import cmd -from vyos.util import run -from vyos.util import check_kmod -from vyos import ConfigError - -dir = r'/config/auth/wireguard' -psk = dir + '/preshared.key' - -k_mod = 'wireguard' - -def generate_keypair(pk, pub): - """ generates a keypair which is stored in /config/auth/wireguard """ - old_umask = os.umask(0o027) - if run(f'wg genkey | tee {pk} | wg pubkey > {pub}') != 0: - raise ConfigError("wireguard key-pair generation failed") - else: - sl.syslog( - sl.LOG_NOTICE, "new keypair wireguard key generated in " + dir) - os.umask(old_umask) - - -def genkey(location): - """ helper function to check, regenerate the keypair """ - pk = "{}/private.key".format(location) - pub = "{}/public.key".format(location) - old_umask = os.umask(0o027) - if os.path.exists(pk) and os.path.exists(pub): - try: - choice = input( - "You already have a wireguard key-pair, do you want to re-generate? 
[y/n] ") - if choice == 'y' or choice == 'Y': - generate_keypair(pk, pub) - except KeyboardInterrupt: - sys.exit(0) - else: - """ if keypair is bing executed from a running iso """ - if not os.path.exists(location): - run(f'sudo mkdir -p {location}') - run(f'sudo chgrp vyattacfg {location}') - run(f'sudo chmod 750 {location}') - generate_keypair(pk, pub) - os.umask(old_umask) - - -def showkey(key): - """ helper function to show privkey or pubkey """ - if os.path.exists(key): - print (open(key).read().strip()) - else: - print ("{} not found".format(key)) - - -def genpsk(): - """ - generates a preshared key and shows it on stdout, - it's stored only in the cli config - """ - - psk = cmd('wg genpsk') - print(psk) - -def list_key_dirs(): - """ lists all dirs under /config/auth/wireguard """ - if os.path.exists(dir): - nks = next(os.walk(dir))[1] - for nk in nks: - print (nk) - -def del_key_dir(kname): - """ deletes /config/auth/wireguard/<kname> """ - kdir = "{0}/{1}".format(dir,kname) - if not os.path.isdir(kdir): - print ("named keypair {} not found".format(kname)) - return 1 - shutil.rmtree(kdir) - - -if __name__ == '__main__': - check_kmod(k_mod) - parser = argparse.ArgumentParser(description='wireguard key management') - parser.add_argument( - '--genkey', action="store_true", help='generate key-pair') - parser.add_argument( - '--showpub', action="store_true", help='shows public key') - parser.add_argument( - '--showpriv', action="store_true", help='shows private key') - parser.add_argument( - '--genpsk', action="store_true", help='generates preshared-key') - parser.add_argument( - '--location', action="store", help='key location within {}'.format(dir)) - parser.add_argument( - '--listkdir', action="store_true", help='lists named keydirectories') - parser.add_argument( - '--delkdir', action="store_true", help='removes named keydirectories') - parser.add_argument( - '--showinterface', action="store", help='shows interface details') - args = parser.parse_args() - - 
try: - if args.genkey: - if args.location: - genkey("{0}/{1}".format(dir, args.location)) - else: - genkey("{}/default".format(dir)) - if args.showpub: - if args.location: - showkey("{0}/{1}/public.key".format(dir, args.location)) - else: - showkey("{}/default/public.key".format(dir)) - if args.showpriv: - if args.location: - showkey("{0}/{1}/private.key".format(dir, args.location)) - else: - showkey("{}/default/private.key".format(dir)) - if args.genpsk: - genpsk() - if args.listkdir: - list_key_dirs() - if args.showinterface: - try: - intf = WireGuardIf(args.showinterface, create=False, debug=False) - print(intf.operational.show_interface()) - # the interface does not exists - except Exception: - pass - if args.delkdir: - if args.location: - del_key_dir(args.location) - else: - del_key_dir("default") - - except ConfigError as e: - print(e) - sys.exit(1) diff --git a/src/op_mode/wireguard_client.py b/src/op_mode/wireguard_client.py index 7a620a01e..7661254da 100755 --- a/src/op_mode/wireguard_client.py +++ b/src/op_mode/wireguard_client.py @@ -38,7 +38,7 @@ To enable this configuration on a VyOS router you can use the following commands {% for addr in address if address is defined %} set interfaces wireguard {{ interface }} peer {{ name }} allowed-ips '{{ addr }}' {% endfor %} -set interfaces wireguard {{ interface }} peer {{ name }} pubkey '{{ pubkey }}' +set interfaces wireguard {{ interface }} peer {{ name }} public-key '{{ pubkey }}' """ client_config = """ diff --git a/src/services/api/graphql/README.graphql b/src/services/api/graphql/README.graphql new file mode 100644 index 000000000..a04138010 --- /dev/null +++ b/src/services/api/graphql/README.graphql 
@@ -0,0 +1,116 @@ + +Example using GraphQL mutations to configure a DHCP server: + +This assumes that the http-api is running: + +'set service https api' + +One can configure an address on an interface, and configure the DHCP server +to run with that address as default router by requesting these 'mutations' +in the GraphQL playground: + +mutation { + createInterfaceEthernet (data: {interface: "eth1", + address: "192.168.0.1/24", + description: "BOB"}) { + success + errors + data { + address + } + } +} + +mutation { + createDhcpServer(data: {sharedNetworkName: "BOB", + subnet: "192.168.0.0/24", + defaultRouter: "192.168.0.1", + dnsServer: "192.168.0.1", + domainName: "vyos.net", + lease: 86400, + range: 0, + start: "192.168.0.9", + stop: "192.168.0.254", + dnsForwardingAllowFrom: "192.168.0.0/24", + dnsForwardingCacheSize: 0, + dnsForwardingListenAddress: "192.168.0.1"}) { + success + errors + data { + defaultRouter + } + } +} + +The GraphQL playground will be found at: + +https://{{ host_address }}/graphql + +An equivalent curl command to the first example above would be: + +curl -k 'https://192.168.100.168/graphql' -H 'Content-Type: application/json' --data-binary '{"query": "mutation {createInterfaceEthernet (data: {interface: \"eth1\", address: \"192.168.0.1/24\", description: \"BOB\"}) {success errors data {address}}}"}' + +Note that the 'mutation' term is prefaced by 'query' in the curl command. 
+ +What's here: + +services +├── api +│ └── graphql +│ ├── graphql +│ │ ├── directives.py +│ │ ├── __init__.py +│ │ ├── mutations.py +│ │ └── schema +│ │ ├── dhcp_server.graphql +│ │ ├── interface_ethernet.graphql +│ │ └── schema.graphql +│ ├── recipes +│ │ ├── dhcp_server.py +│ │ ├── __init__.py +│ │ ├── interface_ethernet.py +│ │ ├── recipe.py +│ │ └── templates +│ │ ├── dhcp_server.tmpl +│ │ └── interface_ethernet.tmpl +│ └── state.py +├── vyos-configd +├── vyos-hostsd +└── vyos-http-api-server + +The GraphQL library that we are using, Ariadne, advertises itself as a +'schema-first' implementation: define the schema; define resolvers +(handlers) for declared Query and Mutation types (Subscription types are not +currently used). + +In the current approach to a high-level API, we consider the +Jinja2-templated collection of configuration mode 'set'/'delete' commands as +the Ur-data; the GraphQL schema is produced from those files, located in +'api/graphql/recipes/templates'. + +Resolvers for the schema Mutation fields are dynamically generated using a +'directive' added to the respective schema field. The directive, +'@generate', is handled by the class 'DataDirective' in +'api/graphql/graphql/directives.py', which calls the 'make_resolver' function in +'api/graphql/graphql/mutations.py'; the produced resolver calls the appropriate +wrapper in 'api/graphql/recipes', with base class doing the (overridable) +configuration steps of calling all defined 'set'/'delete' commands. + +Integrating the above with vyos-http-api-server is ~10 lines of code. 
+ +What needs to be done: + +• automate generation of schema and wrappers from templated configuration +commands + +• investigate whether the subclassing provided by the named wrappers in +'api/graphql/recipes' is sufficient for use cases which need to modify data + +• encapsulate the manipulation of 'canonical names' which transforms the +prefixed camel-case schema names to various snake-case file/function names + +• consider mechanism for migration of templates: offline vs. on-the-fly + +• define the naming convention for those schema fields that refer to +configuration mode parameters: e.g. how much of the path is needed as prefix +to uniquely define the term diff --git a/src/services/api/graphql/graphql/__init__.py b/src/services/api/graphql/graphql/__init__.py new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/src/services/api/graphql/graphql/__init__.py diff --git a/src/services/api/graphql/graphql/directives.py b/src/services/api/graphql/graphql/directives.py new file mode 100644 index 000000000..651421c35 --- /dev/null +++ b/src/services/api/graphql/graphql/directives.py @@ -0,0 +1,17 @@ +from ariadne import SchemaDirectiveVisitor, ObjectType +from . mutations import make_resolver + +class DataDirective(SchemaDirectiveVisitor): + """ + Class providing implementation of 'generate' directive in schema. + + """ + def visit_field_definition(self, field, object_type): + name = f'{field.type}' + # field.type contains the return value of the mutation; trim value + # to produce canonical name + name = name.replace('Result', '', 1) + + func = make_resolver(name) + field.resolve = func + return field diff --git a/src/services/api/graphql/graphql/mutations.py b/src/services/api/graphql/graphql/mutations.py new file mode 100644 index 000000000..98c665c9a --- /dev/null +++ b/src/services/api/graphql/graphql/mutations.py 
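Review bot: `name.replace('Result', '', 1)` in visit_field_definition removes the first occurrence of "Result" anywhere in the rendered type name rather than a trailing suffix, and `f'{field.type}'` renders a non-null or list wrapper as part of the string (`createFooResult!`), so a schema that later declares the field non-null, or names a type with "Result" earlier in the word, would hand `make_resolver` a name matching no mutation. `name = name[:-len('Result')] if name.endswith('Result') else name` expresses the intended trim, and the assumption that the return type is a bare named type ending in "Result" deserves a comment. The `ObjectType` import is unused.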
@@ -0,0 +1,60 @@
+
+from importlib import import_module
+from typing import Any, Dict
+from ariadne import ObjectType, convert_kwargs_to_snake_case, convert_camel_case_to_snake
+from graphql import GraphQLResolveInfo
+from makefun import with_signature
+
+from .. import state
+
+mutation = ObjectType("Mutation")
+
+def make_resolver(mutation_name):
+ """Dynamically generate a resolver for the mutation named in the
+ schema by 'mutation_name'.
+
+ Dynamic generation is provided using the package 'makefun' (via the
+ decorator 'with_signature'), which provides signature-preserving
+ function wrappers; it provides several improvements over, say,
+ functools.wraps.
+
+ :raise Exception:
+ encapsulating ConfigErrors, or internal errors
+ """
+ class_name = mutation_name.replace('create', '', 1).replace('delete', '', 1)
+ func_base_name = convert_camel_case_to_snake(class_name)
+ resolver_name = f'resolve_create_{func_base_name}'
+ func_sig = '(obj: Any, info: GraphQLResolveInfo, data: Dict)'
+
+ @mutation.field(mutation_name)
+ @convert_kwargs_to_snake_case
+ @with_signature(func_sig, func_name=resolver_name)
+ async def func_impl(*args, **kwargs):
+ try:
+ if 'data' not in kwargs:
+ return {
+ "success": False,
+ "errors": ['missing data']
+ }
+
+ data = kwargs['data']
+ session = state.settings['app'].state.vyos_session
+
+ mod = import_module(f'api.graphql.recipes.{func_base_name}')
+ klass = getattr(mod, class_name)
+ k = klass(session, data)
+ k.configure()
+
+ return {
+ "success": True,
+ "data": data
+ }
+ except Exception as error:
+ return {
+ "success": False,
+ "errors": [str(error)]
+ }
+
+ return func_impl
+
+
diff --git a/src/services/api/graphql/graphql/schema/dhcp_server.graphql b/src/services/api/graphql/graphql/schema/dhcp_server.graphql
new file mode 100644
index 000000000..a7ee75d40
--- /dev/null
+++ b/src/services/api/graphql/graphql/schema/dhcp_server.graphql
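Review bot: The `except Exception` branch in func_impl returns `str(error)` of any internal failure to the API client — an ImportError from the dynamic `import_module`, an AttributeError from `getattr(mod, class_name)`, or a template rendering failure all surface verbatim, and those messages carry module paths and file names. Log the exception server-side and return a generic message, reserving the error text for the configuration errors a caller is meant to see (that exception type is not imported here, so the distinction has to be added). Separately, `resolver_name` is always `resolve_create_{func_base_name}` although `delete` is also stripped from the mutation name, so a delete mutation would be registered under a misleading function name; derive the prefix from whichever verb was removed.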
@@ -0,0 +1,35 @@
+input dhcpServerConfigInput {
+ sharedNetworkName: String
+ subnet: String
+ defaultRouter: String
+ dnsServer: String
+ domainName: String
+ lease: Int
+ range: Int
+ start: String
+ stop: String
+ dnsForwardingAllowFrom: String
+ dnsForwardingCacheSize: Int
+ dnsForwardingListenAddress: String
+}
+
+type dhcpServerConfig {
+ sharedNetworkName: String
+ subnet: String
+ defaultRouter: String
+ dnsServer: String
+ domainName: String
+ lease: Int
+ range: Int
+ start: String
+ stop: String
+ dnsForwardingAllowFrom: String
+ dnsForwardingCacheSize: Int
+ dnsForwardingListenAddress: String
+}
+
+type createDhcpServerResult {
+ data: dhcpServerConfig
+ success: Boolean!
+ errors: [String]
+}
diff --git a/src/services/api/graphql/graphql/schema/interface_ethernet.graphql b/src/services/api/graphql/graphql/schema/interface_ethernet.graphql
new file mode 100644
index 000000000..fdcf97bad
--- /dev/null
+++ b/src/services/api/graphql/graphql/schema/interface_ethernet.graphql
@@ -0,0 +1,18 @@
+input interfaceEthernetConfigInput {
+ interface: String
+ address: String
+ replace: Boolean = true
+ description: String
+}
+
+type interfaceEthernetConfig {
+ interface: String
+ address: String
+ description: String
+}
+
+type createInterfaceEthernetResult {
+ data: interfaceEthernetConfig
+ success: Boolean!
+ errors: [String]
+}
diff --git a/src/services/api/graphql/graphql/schema/schema.graphql b/src/services/api/graphql/graphql/schema/schema.graphql
new file mode 100644
index 000000000..8a5e17962
--- /dev/null
+++ b/src/services/api/graphql/graphql/schema/schema.graphql
@@ -0,0 +1,15 @@
+schema {
+ query: Query
+ mutation: Mutation
+}
+
+type Query {
+ _dummy: String
+}
+
+directive @generate on FIELD_DEFINITION
+
+type Mutation {
+ createDhcpServer(data: dhcpServerConfigInput) : createDhcpServerResult @generate
+ createInterfaceEthernet(data: interfaceEthernetConfigInput) : createInterfaceEthernetResult @generate
+}
diff --git a/src/services/api/graphql/recipes/__init__.py b/src/services/api/graphql/recipes/__init__.py
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/src/services/api/graphql/recipes/__init__.py
diff --git a/src/services/api/graphql/recipes/dhcp_server.py b/src/services/api/graphql/recipes/dhcp_server.py
new file mode 100644
index 000000000..3edb3028e
--- /dev/null
+++ b/src/services/api/graphql/recipes/dhcp_server.py
@@ -0,0 +1,13 @@
+
+from . recipe import Recipe
+
+class DhcpServer(Recipe):
+ def __init__(self, session, command_file):
+ super().__init__(session, command_file)
+
+ # Define any custom processing of parameters here by overriding
+ # configure:
+ #
+ # def configure(self):
+ # self.data = transform_data(self.data)
+ # super().configure()
diff --git a/src/services/api/graphql/recipes/interface_ethernet.py b/src/services/api/graphql/recipes/interface_ethernet.py
new file mode 100644
index 000000000..f88f5924f
--- /dev/null
+++ b/src/services/api/graphql/recipes/interface_ethernet.py
@@ -0,0 +1,13 @@
+
+from . recipe import Recipe
+
+class InterfaceEthernet(Recipe):
+ def __init__(self, session, command_file):
+ super().__init__(session, command_file)
+
+ # Define any custom processing of parameters here by overriding
+ # configure:
+ #
+ # def configure(self):
+ # self.data = transform_data(self.data)
+ # super().configure()
diff --git a/src/services/api/graphql/recipes/recipe.py b/src/services/api/graphql/recipes/recipe.py
new file mode 100644
index 000000000..8fbb9e0bf
--- /dev/null
+++ b/src/services/api/graphql/recipes/recipe.py
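Review bot: `DhcpServer.__init__(self, session, command_file)` forwards `command_file` as the `data` argument of `Recipe.__init__`, which (per the base class in the next hunk) expects the mutation's input dict, so the parameter name contradicts what is passed; `InterfaceEthernet.__init__` in the following hunk has the same mismatch. Either rename the parameter to `data` or drop the override altogether, since it only forwards to the base class. The commented example also refers to a `transform_data` helper that is not defined anywhere in this change; a self-contained illustration such as `# self.data = {k: v for k, v in self.data.items() if v is not None}` would not send a reader looking for it.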
@@ -0,0 +1,49 @@
+from ariadne import convert_camel_case_to_snake
+import vyos.defaults
+from vyos.template import render
+
+class Recipe(object):
+ def __init__(self, session, data):
+ self._session = session
+ self.data = data
+ self._name = convert_camel_case_to_snake(type(self).__name__)
+
+ @property
+ def data(self):
+ return self.__data
+
+ @data.setter
+ def data(self, data):
+ if isinstance(data, dict):
+ self.__data = data
+ else:
+ raise ValueError("data must be of type dict")
+
+ def configure(self):
+ session = self._session
+ data = self.data
+ func_base_name = self._name
+
+ tmpl_file = f'{func_base_name}.tmpl'
+ cmd_file = f'/tmp/{func_base_name}.cmds'
+ tmpl_dir = vyos.defaults.directories['api_templates']
+
+ try:
+ render(cmd_file, tmpl_file, data, location=tmpl_dir)
+ commands = []
+ with open(cmd_file) as f:
+ lines = f.readlines()
+ for line in lines:
+ commands.append(line.split())
+ for cmd in commands:
+ if cmd[0] == 'set':
+ session.set(cmd[1:])
+ elif cmd[0] == 'delete':
+ session.delete(cmd[1:])
+ else:
+ raise ValueError('Operation must be "set" or "delete"')
+ session.commit()
+ except Exception as error:
+ raise error
+
+
diff --git a/src/services/api/graphql/recipes/templates/dhcp_server.tmpl b/src/services/api/graphql/recipes/templates/dhcp_server.tmpl
new file mode 100644
index 000000000..629ce83c1
--- /dev/null
+++ b/src/services/api/graphql/recipes/templates/dhcp_server.tmpl
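Review bot: `cmd_file = f'/tmp/{func_base_name}.cmds'` is a fixed, predictable path in a world-writable directory: two concurrent mutations of the same recipe render into the same file and can execute each other's commands, and a file or symlink pre-created under that name is followed with whatever privileges the API server holds (the `__main__` comment elsewhere in this change suggests the process starts privileged and drops rights by hand). Use `tempfile.mkstemp` and unlink the file in a `finally`, which also cleans up the command file that is currently left behind on success. In the same block, `line.split()` turns a value containing whitespace into several path elements and an empty line raises IndexError at `cmd[0]`, and `except Exception as error: raise error` is a no-op that gives up the chance to discard the session before re-raising. The rewrite below needs `import os` and `import tempfile` at the top of the module.
```python
    def configure(self):
        session = self._session
        data = self.data
        func_base_name = self._name

        tmpl_file = f'{func_base_name}.tmpl'
        tmpl_dir = vyos.defaults.directories['api_templates']
        # private, unpredictable file per call instead of a shared /tmp name
        fd, cmd_file = tempfile.mkstemp(prefix=f'{func_base_name}-', suffix='.cmds')
        os.close(fd)
        try:
            render(cmd_file, tmpl_file, data, location=tmpl_dir)
            with open(cmd_file) as f:
                # skip blank lines so cmd[0] below is always defined
                commands = [line.split() for line in f if line.strip()]
            # … unchanged: set/delete dispatch over commands and session.commit() …
        finally:
            os.unlink(cmd_file)
```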
@@ -0,0 +1,9 @@
+set service dhcp-server shared-network-name {{ shared_network_name }} subnet {{ subnet }} default-router {{ default_router }}
+set service dhcp-server shared-network-name {{ shared_network_name }} subnet {{ subnet }} dns-server {{ dns_server }}
+set service dhcp-server shared-network-name {{ shared_network_name }} subnet {{ subnet }} domain-name {{ domain_name }}
+set service dhcp-server shared-network-name {{ shared_network_name }} subnet {{ subnet }} lease {{ lease }}
+set service dhcp-server shared-network-name {{ shared_network_name }} subnet {{ subnet }} range {{ range }} start {{ start }}
+set service dhcp-server shared-network-name {{ shared_network_name }} subnet {{ subnet }} range {{ range }} stop {{ stop }}
+set service dns forwarding allow-from {{ dns_forwarding_allow_from }}
+set service dns forwarding cache-size {{ dns_forwarding_cache_size }}
+set service dns forwarding listen-address {{ dns_forwarding_listen_address }}
diff --git a/src/services/api/graphql/recipes/templates/interface_ethernet.tmpl b/src/services/api/graphql/recipes/templates/interface_ethernet.tmpl
new file mode 100644
index 000000000..d9d7ed691
--- /dev/null
+++ b/src/services/api/graphql/recipes/templates/interface_ethernet.tmpl
@@ -0,0 +1,5 @@
+{% if replace %}
+delete interfaces ethernet {{ interface }} address
+{% endif %}
+set interfaces ethernet {{ interface }} address {{ address }}
+set interfaces ethernet {{ interface }} description {{ description }}
diff --git a/src/services/api/graphql/state.py b/src/services/api/graphql/state.py
new file mode 100644
index 000000000..63db9f4ef
--- /dev/null
+++ b/src/services/api/graphql/state.py
@@ -0,0 +1,4 @@
+
+def init():
+ global settings
+ settings = {}
diff --git a/src/services/vyos-configd b/src/services/vyos-configd
index 6f770b696..670b6e66a 100755
--- a/src/services/vyos-configd
+++ b/src/services/vyos-configd
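Review bot: Every field of `dhcpServerConfigInput` is nullable in the schema, yet all nine `set` lines here render unconditionally, so a request that omits, say, `domainName` still emits `set service dhcp-server ... domain-name` with an empty value (or a literal `None`, depending on how the renderer treats missing keys) and the commit either fails or records a bogus value. Guard each optional line the way `replace` is already guarded in interface_ethernet.tmpl in the following hunk, e.g. `{% if domain_name %}` / `set service dhcp-server shared-network-name {{ shared_network_name }} subnet {{ subnet }} domain-name {{ domain_name }}` / `{% endif %}`; the `address` and `description` lines of that template have the same gap. The last three lines also change `service dns forwarding`, which a mutation named createDhcpServer does not suggest and a caller cannot opt out of.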
@@ -133,8 +133,7 @@ def explicit_print(path, mode, msg):
 logger.critical("error explicit_print")
 def run_script(script, config, args) -> int:
- if args:
- script.argv = args
+ script.argv = args
 config.set_level([])
 try:
 c = script.get_config(config)
@@ -208,7 +207,7 @@ def process_node_data(config, data) -> int:
 return R_ERROR_DAEMON
 script_name = None
- args = None
+ args = []
 res = re.match(r'^(VYOS_TAGNODE_VALUE=[^/]+)?.*\/([^/]+).py(.*)', data)
 if res.group(1):
@@ -221,7 +220,7 @@ def process_node_data(config, data) -> int:
 return R_ERROR_DAEMON
 if res.group(3):
 args = res.group(3).split()
- args.insert(0, f'{script_name}.py')
+ args.insert(0, f'{script_name}.py')
 if script_name not in include_set:
 return R_PASS
diff --git a/src/services/vyos-http-api-server b/src/services/vyos-http-api-server
index 8069d7146..cb4ce4072 100755
--- a/src/services/vyos-http-api-server
+++ b/src/services/vyos-http-api-server
@@ -32,11 +32,20 @@ from fastapi.responses import HTMLResponse
 from fastapi.exceptions import RequestValidationError
 from fastapi.routing import APIRoute
 from pydantic import BaseModel, StrictStr, validator
+from starlette.datastructures import FormData, MutableHeaders
+from starlette.formparsers import FormParser, MultiPartParser
+from multipart.multipart import parse_options_header
+
+from ariadne import make_executable_schema, load_schema_from_path, snake_case_fallback_resolvers
+from ariadne.asgi import GraphQL
 import vyos.config
+import vyos.defaults
 from vyos.configsession import ConfigSession, ConfigSessionError
+import api.graphql.state
+
 DEFAULT_CONFIG_FILE = '/etc/vyos/http-api.conf'
 CFG_GROUP = 'vyattacfg'
@@ -236,6 +245,35 @@ class MultipartRequest(Request):
 ERR_PATH_NOT_LIST_OF_STR = False
 offending_command = {}
 exception = None
+
+ @property
+ def orig_headers(self):
+ self._orig_headers = super().headers
+ return self._orig_headers
+
+ @property
+ def headers(self):
+ self._headers = super().headers.mutablecopy()
+ self._headers['content-type'] = 'application/json'
+ return self._headers
+
+ async def form(self) -> FormData:
+ if not hasattr(self, "_form"):
+ assert (
+ parse_options_header is not None
+ ), "The `python-multipart` library must be installed to use form parsing."
+ content_type_header = self.orig_headers.get("Content-Type")
+ content_type, options = parse_options_header(content_type_header)
+ if content_type == b"multipart/form-data":
+ multipart_parser = MultiPartParser(self.orig_headers, self.stream())
+ self._form = await multipart_parser.parse()
+ elif content_type == b"application/x-www-form-urlencoded":
+ form_parser = FormParser(self.orig_headers, self.stream())
+ self._form = await form_parser.parse()
+ else:
+ self._form = FormData()
+ return self._form
+
 async def body(self) -> bytes:
 if not hasattr(self, "_body"):
 forms = {}
@@ -571,6 +609,25 @@ def show_op(data: ShowModel):
 return success(res)
+###
+# GraphQL integration
+###
+
+api.graphql.state.init()
+
+from api.graphql.graphql.mutations import mutation
+from api.graphql.graphql.directives import DataDirective
+
+api_schema_dir = vyos.defaults.directories['api_schema']
+
+type_defs = load_schema_from_path(api_schema_dir)
+
+schema = make_executable_schema(type_defs, mutation, snake_case_fallback_resolvers, directives={"generate": DataDirective})
+
+app.add_route('/graphql', GraphQL(schema, debug=True))
+
+###
+
 if __name__ == '__main__':
 # systemd's user and group options don't work, do it by hand here,
 # else no one else will be able to commit
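Review bot: `app.add_route('/graphql', GraphQL(schema, debug=True))` registers the GraphQL endpoint as a plain Starlette route, so whatever API-key dependency the existing FastAPI routes rely on (it is not visible in this hunk) does not apply to it, while the generated resolvers commit configuration through `vyos_session`; the route needs the same authentication as the REST endpoints before it is exposed. `debug=True` additionally makes Ariadne include tracebacks in error responses; tie it to the existing debug setting instead, e.g. `GraphQL(schema, debug=app.state.vyos_debug)`, noting that `vyos_debug` is only assigned later inside `__main__`, so the registration would have to move there or read the server config directly. The same hunk also imports `mutation` and `DataDirective` mid-module after the `init()` call; a comment stating that the import must follow `api.graphql.state.init()` would stop someone from hoisting it to the top.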
@@ -594,6 +651,8 @@ if __name__ == '__main__':
 app.state.vyos_debug = True if server_config['debug'] == 'true' else False
 app.state.vyos_strict = True if server_config['strict'] == 'true' else False
+ api.graphql.state.settings['app'] = app
+
 try:
 uvicorn.run(app, host=server_config["listen_address"],
 port=int(server_config["port"]),
diff --git a/src/system/keepalived-fifo.py b/src/system/keepalived-fifo.py
index 7e2076820..3b4330e9b 100755
--- a/src/system/keepalived-fifo.py
+++ b/src/system/keepalived-fifo.py
@@ -37,6 +37,8 @@ logs_handler_syslog.setFormatter(logs_format)
 logger.addHandler(logs_handler_syslog)
 logger.setLevel(logging.DEBUG)
+mdns_running_file = '/run/mdns_vrrp_active'
+mdns_update_command = 'sudo /usr/libexec/vyos/conf_mode/service_mdns-repeater.py'
 # class for all operations
 class KeepalivedFifo:
@@ -121,6 +123,9 @@ class KeepalivedFifo:
 logger.info("{} {} changed state to {}".format(n_type, n_name, n_state))
 # check and run commands for VRRP instances
 if n_type == 'INSTANCE':
+ if os.path.exists(mdns_running_file):
+ cmd(mdns_update_command)
+
 if n_name in self.vrrp_config['vrrp_groups'] and n_state in self.vrrp_config['vrrp_groups'][n_name]:
 n_script = self.vrrp_config['vrrp_groups'][n_name].get(n_state)
 if n_script:
@@ -128,6 +133,9 @@ class KeepalivedFifo:
 # check and run commands for VRRP sync groups
 # currently, this is not available in VyOS CLI
 if n_type == 'GROUP':
+ if os.path.exists(mdns_running_file):
+ cmd(mdns_update_command)
+
 if n_name in self.vrrp_config['sync_groups'] and n_state in self.vrrp_config['sync_groups'][n_name]:
 n_script = self.vrrp_config['sync_groups'][n_name].get(n_state)
 if n_script:
diff --git a/src/system/unpriv-ip b/src/system/unpriv-ip
deleted file mode 100755
index 1ea0d626a..000000000
--- a/src/system/unpriv-ip
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-sudo /sbin/ip $*
diff --git a/src/systemd/LCDd.service b/src/systemd/LCDd.service
new file mode 100644
index 000000000..233c1e2ca
--- /dev/null
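Review bot: The `os.path.exists(mdns_running_file)` / `cmd(mdns_update_command)` pair is duplicated in the INSTANCE and GROUP branches of keepalived-fifo.py (the hunks at old lines 121 and 128); a single copy guarded by `if n_type in ('INSTANCE', 'GROUP'):` ahead of the two branches behaves the same and keeps the two paths from drifting. If `cmd()` raises on a non-zero exit status (its contract is not visible here), a failing mDNS update aborts the rest of the state-transition handling for that group, so wrap it, e.g. `try: cmd(mdns_update_command)` / `except Exception: logger.exception('mdns repeater update failed')`. The enclosing method starts and ends outside both hunks.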
+++ b/src/systemd/LCDd.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=LCD display daemon
+Documentation=man:LCDd(8) http://www.lcdproc.org/
+RequiresMountsFor=/run
+ConditionPathExists=/run/LCDd/LCDd.conf
+After=vyos-router.service
+
+
+[Service]
+User=root
+ExecStart=/usr/sbin/LCDd -s 1 -f -c /run/LCDd/LCDd.conf
+
+[Install]
+WantedBy=multi-user.target
diff --git a/src/systemd/isc-dhcp-server.service b/src/systemd/isc-dhcp-server.service
index 9aa70a7cc..a7d86e69c 100644
--- a/src/systemd/isc-dhcp-server.service
+++ b/src/systemd/isc-dhcp-server.service
@@ -14,10 +14,10 @@ Environment=PID_FILE=/run/dhcp-server/dhcpd.pid CONFIG_FILE=/run/dhcp-server/dhc
 PIDFile=/run/dhcp-server/dhcpd.pid
 ExecStartPre=/bin/sh -ec '\
 touch ${LEASE_FILE}; \
-chown dhcpd:nogroup ${LEASE_FILE}* ; \
+chown dhcpd:vyattacfg ${LEASE_FILE}* ; \
 chmod 664 ${LEASE_FILE}* ; \
-/usr/sbin/dhcpd -4 -t -T -q -user dhcpd -group nogroup -pf ${PID_FILE} -cf ${CONFIG_FILE} -lf ${LEASE_FILE} '
-ExecStart=/usr/sbin/dhcpd -4 -q -user dhcpd -group nogroup -pf ${PID_FILE} -cf ${CONFIG_FILE} -lf ${LEASE_FILE}
+/usr/sbin/dhcpd -4 -t -T -q -user dhcpd -group vyattacfg -pf ${PID_FILE} -cf ${CONFIG_FILE} -lf ${LEASE_FILE} '
+ExecStart=/usr/sbin/dhcpd -4 -q -user dhcpd -group vyattacfg -pf ${PID_FILE} -cf ${CONFIG_FILE} -lf ${LEASE_FILE}
 Restart=always
 [Install]
diff --git a/src/systemd/opennhrp.service b/src/systemd/opennhrp.service
new file mode 100644
index 000000000..70235f89d
--- /dev/null
+++ b/src/systemd/opennhrp.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=OpenNHRP
+After=vyos-router.service
+ConditionPathExists=/run/opennhrp/opennhrp.conf
+StartLimitIntervalSec=0
+
+[Service]
+Type=forking
+ExecStart=/usr/sbin/opennhrp -d -v -a /run/opennhrp.socket -c /run/opennhrp/opennhrp.conf -s /etc/opennhrp/opennhrp-script.py -p /run/opennhrp.pid
+ExecReload=/usr/bin/kill -HUP $MAINPID
+PIDFile=/run/opennhrp.pid
+Restart=on-failure
+RestartSec=20
diff --git a/src/tests/test_template.py b/src/tests/test_template.py
index 67c0fe84a..2d065f545 100644
--- a/src/tests/test_template.py
+++ b/src/tests/test_template.py
@@ -122,3 +122,63 @@ class TestVyOSTemplate(TestCase):
 self.assertTrue(vyos.template.compare_netmask('2001:db8:1000::/48', '2001:db8:2000::/48'))
 self.assertTrue(vyos.template.compare_netmask('2001:db8:1000::/64', '2001:db8:2000::/64'))
 self.assertFalse(vyos.template.compare_netmask('2001:db8:1000::/48', '2001:db8:2000::/64'))
+
+ def test_cipher_to_string(self):
+ ESP_DEFAULT = 'aes256gcm128-sha256-ecp256,aes128ccm64-sha256-ecp256'
+ IKEv2_DEFAULT = 'aes256gcm128-sha256-ecp256,aes128ccm128-md5_128-modp1024'
+
+ data = {
+ 'esp_group': {
+ 'ESP_DEFAULT': {
+ 'compression': 'disable',
+ 'lifetime': '3600',
+ 'mode': 'tunnel',
+ 'pfs': 'dh-group19',
+ 'proposal': {
+ '10': {
+ 'encryption': 'aes256gcm128',
+ 'hash': 'sha256',
+ },
+ '20': {
+ 'encryption': 'aes128ccm64',
+ 'hash': 'sha256',
+ }
+ }
+ }
+ },
+ 'ike_group': {
+ 'IKEv2_DEFAULT': {
+ 'close_action': 'none',
+ 'dead_peer_detection': {
+ 'action': 'hold',
+ 'interval': '30',
+ 'timeout': '120'
+ },
+ 'ikev2_reauth': 'no',
+ 'key_exchange': 'ikev2',
+ 'lifetime': '10800',
+ 'mobike': 'disable',
+ 'proposal': {
+ '10': {
+ 'dh_group': '19',
+ 'encryption': 'aes256gcm128',
+ 'hash': 'sha256'
+ },
+ '20': {
+ 'dh_group': '2',
+ 'encryption': 'aes128ccm128',
+ 'hash': 'md5_128'
+ },
+ }
+ }
+ },
+ }
+
+ for group_name, group_config in data['esp_group'].items():
+ ciphers = vyos.template.get_esp_ike_cipher(group_config)
+ self.assertIn(ESP_DEFAULT, ','.join(ciphers))
+
+ for group_name, group_config in data['ike_group'].items():
+ ciphers = vyos.template.get_esp_ike_cipher(group_config)
+ self.assertIn(IKEv2_DEFAULT, ','.join(ciphers))
+
diff --git a/src/tests/test_util.py b/src/tests/test_util.py
index 22bc085c5..9bd27adc0 100644
--- a/src/tests/test_util.py
+++ b/src/tests/test_util.py
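Review bot: `group_name` is unpacked but never used in either loop of test_cipher_to_string; iterate over `data['esp_group'].values()` instead. `self.assertIn(ESP_DEFAULT, ','.join(ciphers))` is only a substring check, so an extra or reordered proposal would still pass; if `get_esp_ike_cipher` is meant to produce exactly these proposals, `self.assertEqual(','.join(ciphers), ESP_DEFAULT)` pins that (its return type is not visible here, so adapt if it already returns a string). The test method is complete within the hunk; the class continues outside it.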
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2020 VyOS maintainers and contributors
+# Copyright (C) 2020-2021 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -15,7 +15,7 @@
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 from unittest import TestCase
-from vyos.util import mangle_dict_keys
+from vyos.util import *
 class TestVyOSUtil(TestCase):
 def test_key_mangline(self):
@@ -23,4 +23,3 @@ class TestVyOSUtil(TestCase):
 expected_data = {"foo_bar": {"baz_quux": None}}
 new_data = mangle_dict_keys(data, '-', '_')
 self.assertEqual(new_data, expected_data)
-
diff --git a/src/validators/interface-name b/src/validators/interface-name
index 5bac671b1..105815eee 100755
--- a/src/validators/interface-name
+++ b/src/validators/interface-name
@@ -20,7 +20,7 @@ import re
 from sys import argv
 from sys import exit
-pattern = '^(bond|br|dum|en|ersp|eth|gnv|lan|l2tp|l2tpeth|macsec|peth|ppp|pppoe|pptp|sstp|tun|vti|vtun|vxlan|wg|wlan|wlm)[0-9]+(.\d+)?|lo$'
+pattern = '^(bond|br|dum|en|ersp|eth|gnv|lan|l2tp|l2tpeth|macsec|peth|ppp|pppoe|pptp|sstp|tun|vti|vtun|vxlan|wg|wlan|wwan)[0-9]+(.\d+)?|lo$'
 if __name__ == '__main__':
 if len(argv) != 2:
diff --git a/src/validators/ipv6-exclude b/src/validators/ipv6-exclude
new file mode 100755
index 000000000..893eeab09
--- /dev/null
+++ b/src/validators/ipv6-exclude
@@ -0,0 +1,7 @@
+#!/bin/sh
+arg="$1"
+if [ "${arg:0:1}" != "!" ]; then
+ exit 1
+fi
+path=$(dirname "$0")
+${path}/ipv6 "${arg:1}"
diff --git a/src/validators/ipv6-range b/src/validators/ipv6-range
new file mode 100755
index 000000000..033b6461b
--- /dev/null
+++ b/src/validators/ipv6-range
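Review bot: `from vyos.util import *` replaces the explicit `mangle_dict_keys` import in test_util.py, so the module no longer states which utilities it exercises and anything vyos.util exports silently takes precedence over the earlier `from unittest import TestCase` on a name collision. Keep the explicit form and extend it as tests are added, e.g. `from vyos.util import mangle_dict_keys`.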
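Review bot: `${arg:0:1}` and `${arg:1}` are bash substring expansions, but ipv6-exclude is declared `#!/bin/sh`; on Debian-based systems where /bin/sh is dash the shell aborts with "Bad substitution" and exits non-zero, so the validator rejects every value instead of stripping the leading `!`. ipv6-range-exclude on the following line is identical, and the sysctl validator there uses `declare`, arrays and `[[` under the same shebang. Either change the shebang to `#!/bin/bash` or use POSIX forms: `case "$arg" in '!'*) ;; *) exit 1 ;; esac` followed by `"${path}/ipv6" "${arg#!}"`.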
@@ -0,0 +1,16 @@
+#!/usr/bin/python3
+
+import sys
+import re
+from vyos.template import is_ipv6
+
+if __name__ == '__main__':
+ if len(sys.argv)>1:
+ ipv6_range = sys.argv[1]
+ # Regex for ipv6-ipv6 https://regexr.com/
+ if re.search('([a-f0-9:]+:+)+[a-f0-9]+-([a-f0-9:]+:+)+[a-f0-9]+', ipv6_range):
+ for tmp in ipv6_range.split('-'):
+ if not is_ipv6(tmp):
+ sys.exit(1)
+
+ sys.exit(0)
diff --git a/src/validators/ipv6-range-exclude b/src/validators/ipv6-range-exclude
new file mode 100755
index 000000000..912b55ae3
--- /dev/null
+++ b/src/validators/ipv6-range-exclude
@@ -0,0 +1,7 @@
+#!/bin/sh
+arg="$1"
+if [ "${arg:0:1}" != "!" ]; then
+ exit 1
+fi
+path=$(dirname "$0")
+${path}/ipv6-range "${arg:1}"
diff --git a/src/validators/sysctl b/src/validators/sysctl
new file mode 100755
index 000000000..9b5bba3e1
--- /dev/null
+++ b/src/validators/sysctl
@@ -0,0 +1,24 @@
+#!/bin/sh
+#
+# Copyright (C) 2021 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+declare -a array
+eval "array=($(/sbin/sysctl -N -a))"
+
+if [[ ! " ${array[@]} " =~ " $1 " ]]; then
+ # passed sysctl option is invalid
+ exit 1
+fi
+exit 0
diff --git a/src/validators/vrf-name b/src/validators/vrf-name
index 7b6313888..29167c635 100755
--- a/src/validators/vrf-name
+++ b/src/validators/vrf-name
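Review bot: ipv6-range exits 0 whenever `re.search(...)` does not match — and also when no argument is given — so any string that does not look like `addr-addr` is accepted as a valid range; only a matching string with a non-IPv6 half is rejected. Invert the structure so the default is rejection: `if len(sys.argv) < 2 or not re.search(<existing expression>, sys.argv[1]): sys.exit(1)` before the per-address loop, and anchor the expression with `^` and `$` so trailing text is not ignored. The `if len(sys.argv)>1:` guard then becomes unnecessary.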
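Review bot: `eval "array=($(/sbin/sysctl -N -a))"` evaluates the kernel's key list as shell source, and the `[[ ... =~ " $1 " ]]` test is a regex match used as a literal substring check; the whole lookup reduces to one pipeline, `/sbin/sysctl -N -a | grep -qxF -- "$1" || exit 1`, which needs no `eval`, no array, and none of the bash-only constructs that conflict with the `#!/bin/sh` shebang. Keep the trailing `exit 0`.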
@@ -33,8 +33,8 @@ if __name__ == '__main__':
 if vrf == "lo":
 exit(1)
- pattern = "^(?!(bond|br|dum|eth|lan|eno|ens|enp|enx|gnv|ipoe|l2tp|l2tpeth|" \
- "vtun|ppp|pppoe|peth|tun|vti|vxlan|wg|wlan|wlm)\d+(\.\d+(v.+)?)?$).*$"
+ pattern = r'^(?!(bond|br|dum|eth|lan|eno|ens|enp|enx|gnv|ipoe|l2tp|l2tpeth|\
+ vtun|ppp|pppoe|peth|tun|vti|vxlan|wg|wlan|wwan|\d)\d*(\.\d+)?(v.+)?).*$'
 if not re.match(pattern, vrf):
 exit(1)
|
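Review bot: The new pattern is a raw string split with a backslash-newline, but inside an `r''` literal the backslash and the newline are kept as characters, so the regex contains `l2tpeth|\` followed by a newline and whatever indentation precedes `vtun` on the continuation line; the `vtun` alternative then only matches a name that begins with a newline and spaces, and `vtun0` is no longer rejected as an interface-like VRF name. Split the literal into two adjacent raw strings instead: `pattern = r'^(?!(bond|br|dum|eth|lan|eno|ens|enp|enx|gnv|ipoe|l2tp|l2tpeth|' \` followed by `r'vtun|ppp|pppoe|peth|tun|vti|vxlan|wg|wlan|wwan|\d)\d*(\.\d+)?(v.+)?).*$'`. The enclosing `if __name__` block starts outside the hunk.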