From cc07c4727bdffb4c220ce28ab9f697b01fe4afb7 Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Wed, 30 Jan 2019 06:09:04 +0100
Subject: T1160: fix (ro|rw)community ACL

WHen building up the SNMP v2 community ro/rw access all hosts from a INET version could access even when the community was locked to one INET family.

Example #1:
set service snmp community bar network 172.16.0.0/12

Allowed access only to IPv4 network 172.16.0.0/12 but it allowed acces from IPv6 ::/0.

Example #2:
set service snmp community baz network 2001:db8::/64

Limited IPv6 access to 2001:db8::/64 but IPv4 was open to 0.0.0.0/0
---
 src/conf_mode/snmp.py | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

(limited to 'src/conf_mode/snmp.py')

diff --git a/src/conf_mode/snmp.py b/src/conf_mode/snmp.py
index d21a2b603..06d2e253a 100755
--- a/src/conf_mode/snmp.py
+++ b/src/conf_mode/snmp.py
@@ -134,20 +134,23 @@ agentaddress unix:/run/snmpd.socket{% if listen_on %}{% for li in listen_on %},{
 
 # SNMP communities
 {%- for c in communities %}
+
 {%- if c.network_v4 %}
 {%- for network in c.network_v4 %}
 {{ c.authorization }}community {{ c.name }} {{ network }}
 {%- endfor %}
-{%- else %}
+{%- elif not c.has_source %}
 {{ c.authorization }}community {{ c.name }}
 {%- endif %}
+
 {%- if c.network_v6 %}
 {%- for network in c.network_v6 %}
 {{ c.authorization }}community6 {{ c.name }} {{ network }}
 {%- endfor %}
-{%- else %}
+{%- elif not c.has_source %}
 {{ c.authorization }}community6 {{ c.name }}
 {%- endif %}
+
 {%- endfor %}
 
 {% if contact %}
@@ -266,7 +269,8 @@ def get_config():
             'name': name,
             'authorization': 'ro',
             'network_v4': [],
-            'network_v6': []
+            'network_v6': [],
+            'has_source' : False
         }
         if conf.exists('community {0} authorization'.format(name)):
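Review bot: The two `{%- elif not c.has_source %}` branches fail open if a community dict ever lacks the `has_source` key: with Jinja's default `Undefined` the attribute is falsy, so `not c.has_source` is true and an unrestricted `(ro|rw)community` / `community6` line is rendered. The flag is also redundant with the lists the template already has: inside the v4 `elif` the `network_v4` list is known to be empty, so `{%- elif not c.network_v6 %}` states the same rule, and `{%- elif not c.network_v4 %}` does so in the v6 block, leaving nothing to keep in sync with get_config(). If the flag is kept, rendering with `StrictUndefined` would turn the missing-key case into a render error rather than an open community. The three added `+` lines here only insert blank lines and are cosmetic.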
@@ -288,6 +292,9 @@ def get_config():
             else:
                 community['network_v6'].append(addr)
 
+        if (len(community['network_v4']) > 0) or (len(community['network_v6']) > 0):
+            community['has_source'] = True
+
         snmp['communities'].append(community)
 
     if conf.exists('contact'):
--
cgit v1.2.3
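Review bot: The added `if` sets the flag from `len(...) > 0` tests, which reads more idiomatically as a single truthiness assignment, `community['has_source'] = bool(community['network_v4'] or community['network_v6'])`, replacing both added lines and making the `False` default in the dict literal (previous hunk, where `'has_source' : False` also carries a stray space before the colon unlike its sibling keys) impossible to leave stale. A why-comment is warranted because the effect lives in the template, not here: `# no network restriction configured: the template emits an unrestricted (ro|rw)community and community6 line; with a restriction on one family the other family gets no community line at all (fail closed)`. get_config() begins and ends outside this hunk.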