Commit log for path: root/usr.sbin/snmpd
Each entry gives the commit message followed by [author, date, files changed, lines -removed/+added].
* Fix some old phrasing on how to set up a trap handler which aren't correct anymore after moving it from its own subprocess to snmpe. feedback and OK jan@
  [martijn, 2021-03-09, 1 file, -7/+18]
* Make use of the new '$' feature of ober_scanf_elements to enforce stricter ASN.1 verification. OK claudio@
  [martijn, 2021-02-22, 3 files, -16/+15]
* Introduce a transaction id. This is currently mostly a dummy-variable, but will later on be needed for when we reintroduce agentx master support. feedback and OK dlg@, rob@
  [martijn, 2021-02-05, 2 files, -2/+28]
* Remove print_{debug,verbose} since they're currently unused and I see no reason to start using them in the future. OK tb@
  [martijn, 2021-01-28, 2 files, -28/+2]
* these programs (with common ancestry) had a -fno-common problem related to privsep_procid. ok mortimer
  [deraadt, 2021-01-27, 2 files, -3/+5]
* Remove the traphandler process, which was nothing more than a sham.
  It did nothing more than receive a message over UDP, do some basic ber and ASN.1 parsing and forward the packet to the parent process. snmpe can do/does the same thing but with a far more thorough ASN.1 validation.
  Because we move trap receiving to snmpe we get trap over tcp for free. However, to make sure that a normal snmp port doesn't automatically start handling traps a new set of "listen on" flags are introduced: read, write, and notify. To enable trap handling either let snmpd listen on port 162 without flags, or add the notify flag. Only a flag without port results in listening on port 162.
  To keep current behaviour copy all UDP-based "listen on" lines without port and add the notify keyword:
      listen on 127.0.0.1 port 666
  becomes
      listen on 127.0.0.1 port 666
      listen on 127.0.0.1 notify
  This change also enforces snmpd to honor trap community on receiving a trap, where previously no community was checked before handling a packet. OK denis@, rob@
  [martijn, 2021-01-22, 6 files, -265/+224]
* Refactor how traphandler verifies the code.
  Two things of note:
  1) traphandler_v1translate now translates v1 traps to v2 traps in line with RFC3584 section 3.1 before handing them over to the "command". This can cause compatibility issues if you still receive v1 traps.
  2) sysUpTime and snmpTrapOID are now always taken from the varbindlist, which means that if you run snmpd with -N the names will now show up numerical in the script, instead of by their full symbolic name.
  lots of feedback and OK rob@
  [martijn, 2021-01-05, 1 file, -93/+206]
* Remove BER_TYPE_BOOLEAN, it's not part of the spec and I haven't seen it used anywhere. OK jan@
  [martijn, 2021-01-04, 1 file, -14/+1]
* Remove the old deprecated listen on syntax. OK deraadt@
  [martijn, 2020-10-30, 1 file, -46/+3]
* double word blunder; from sean davies
  [jmc, 2020-10-24, 1 file, -3/+3]
* Move the tcp/udp keyword before <address>. This allows for easier adding of different protocols in the future. The old syntax is still supported for now, but will generate a deprecation warning and will be removed in a future release. While here add support for specifying a tcp/udp port. This will be used for snmp services, "trap handle" will still only run on port 162. Feedback and OK denis@
  [martijn, 2020-09-10, 2 files, -33/+137]
* Remove snmpe_dispatch_parent. It's an empty stub and proc.c will put implement proc_dispatch_null if not set, which does the exact same thing. OK denis@
  [martijn, 2020-09-06, 1 file, -14/+2]
* replace duplicated sizeof macro with predefined nitems. OK martijn@
  [jan, 2020-09-06, 1 file, -16/+14]
* Split "trap receiver" into its own trap_address struct and clean up the code surrounding this struct and struct address. No functional change intended, except that trap receiver's source-address may now be a resolvable hostname. Tweaks and OK jan@
  [martijn, 2020-09-06, 6 files, -221/+135]
* Merge listen_sock into address, since there's a 1:1 correlation. Save some overhead and 18LoC. OK jan@
  [martijn, 2020-08-23, 4 files, -56/+38]
* Previous commit broke two things:
  1) Bulkget broke because mps_getbulkreq doesn't exactly do what it says on the tin, so use it how it works for now.
  2) A break statement got left behind resulting in only a single varbind being answered.
  Reported and tested by sthen@
  [martijn, 2020-08-17, 1 file, -4/+2]
* Greatly simplify snmpe_parsevarbinds. Except for some minor changes in the handling of snmp_intotal{req,set}vars no functional changes intended. OK jan@
  [martijn, 2020-08-08, 2 files, -110/+89]
* Allow hrStorageSize and hrStorageUsed to cope with sizes larger than INT32_MAX by increasing the hrStorageAllocationUnits value until they fit. Original patch from Johan Huldtgren (johan+openbsd-tech <at> huldtgren <dot> com) OK sthen@
  [martijn, 2020-07-01, 1 file, -2/+8]
* Remove control socket reference
  [martijn, 2020-07-01, 1 file, -6/+2]
* Remove agentx and control socket support.
  snmpctl has been removed two releases ago, which makes the control interface obsolete. agentx support has always been quirky at best, but got completely broken with the BER_MAX_OID_LEN increase in ber.h. This change resulted in the oid length on the snmp side being left uninitialized because of size difference, resulting in weird behaviour. No one reported the breakage, even after 6.7 was released.
  This change requires users to remove the socket keyword from their snmpd.conf. OK denis@
  [martijn, 2020-06-30, 11 files, -2476/+14]
* Remove redundant code. Reported by Prof. Dr. Steffen Wendzel <wendzel @ hs-worms . de>, thanks! OK martijn@ sthen@
  [denis, 2020-06-05, 1 file, -2/+1]
* pf(4): use CLOCK_BOOTTIME to get time_uptime(9) in userspace
  In pf(4), the pf_status.since timestamp is set with time_uptime(9). This is a low-res snapshot of nanouptime(9). nanouptime(9) is used to implement CLOCK_BOOTTIME for clock_gettime(2). It is not used to implement CLOCK_UPTIME, though. The names are misleading.
  Switch to CLOCK_BOOTTIME in places in userspace where we use pf_status.since so we are working with the right clock.
  Technically CLOCK_MONOTONIC is equivalent, but we shouldn't use that here. CLOCK_MONOTONIC is not necessarily the "time since boot": the standard says its absolute value is meaningless. ok patrick@ bluhm@
  [cheloha, 2020-05-15, 1 file, -2/+2]
* If read-write is set to disabled, also disable reading with the private community. Issue reported by Steven Surdock ssurdock <at> engineered-net <dot> com OK deraadt@ claudio@ sthen@
  [martijn, 2020-05-02, 1 file, -3/+5]
* Make traphandler_parse also set vbinds for SNMPv1 traps. This also prevents the access of an initialized pointer in traphandler_fork_handler as found by jan@. OK jan@
  [martijn, 2020-03-11, 1 file, -3/+6]
* Don't log a generr in stats when there is no error. OK gerhard@
  [martijn, 2020-02-14, 1 file, -1/+3]
* briefly mention /etc/examples/ in the FILES section of all the manual pages that document the corresponding configuration files; OK jmc@, and general direction discussed with many
  [schwarze, 2020-02-10, 1 file, -3/+5]
* usr.sbin/snmpd: replace TAILQ concatenation loop with TAILQ_CONCAT. OK florian@, martijn@. reads ok benno@
  [bket, 2020-01-28, 1 file, -5/+2]
* When many prefixes are stored in pf tables it is not sensible to export them via snmp. Introduce option filter-pf-addresses similar to filter-routes which prevents exporting below the OPENBSD-PF-MIB::pfTblAddrTable oid. Other pf table statistics are unaffected by this and still available.
  With this I can do a bulkwalk starting at pfMIBObjects without hitting timeouts and without spinning the cpu at 100% for days to export 300k prefixes.
  man page input kn OK claudio, sthen. martijn is also fine with it going in.
  [florian, 2020-01-02, 4 files, -40/+60]
* Initialize length of uptime and trapoid for trap_agentx. This probably needs a cleaner approach in the long run, but fixes the ober_oid_cmp for now. From gerhard_roth <at> genua <dot> de
  [martijn, 2019-12-09, 1 file, -1/+3]
* The ber_* namespace is used by liblber since time immemorial, so move our BER API to the unused ober_* prefix to avoid some breakage in ports. Problem diagnosed by jmatthew with ber_free() in samba, but there are many others as pointed out by sthen.
  tests & ok rob
  ok sthen (who had an almost identical diff for libutil)
  "go head hit it" deraadt
  [tb, 2019-10-24, 9 files, -543/+543]
* Revert previous. This introduces problems when requesting the base oid of a scalar. For example if you getnext request 1.3.6.1.4.1.30155.6.1.1 you get a varbind oid of 1.3.6.1.4.1.30155.6.1.1.0, but the value of 1.3.6.1.4.1.30155.6.1.2.0. I have a fix in the making, but we're too close to release and here be too many dragons. Found by bluhm@
  [martijn, 2019-10-09, 2 files, -21/+4]
* For getnext request check if the requested oid or one of its parent elements exists and is a (agentx) registered element. If so, forward the getnext to the subagent, else get the actual next element. This is only a partial fix, but lets us at least (together with a different patch for relayd) walk relayd's elements. OK claudio@
  [martijn, 2019-10-03, 2 files, -4/+21]
* Fix ber_scanf_elements for traphandler:
  - pdu header has 3 elements, not 4
  - additional varbinds are optional.
  This is needed to make ber_scanf_elements stricter. Note that people using "trap handle" in their snmpd.conf and expect a trap without additional varbinds to show the trapoid to appear twice will have to adjust their "command". OK rob@
  [martijn, 2019-08-14, 1 file, -4/+5]
* snmpd was using ifq_len for ifOutQLen, apart from being the wrong variable for this MIB in the first place, this has now been removed in ifq changes. Since the MIB is marked as deprecated anyway, simply return 0. ok claudio@
  [sthen, 2019-08-13, 1 file, -13/+2]
* Report if_iqdrops (input queue drops) as ifInDiscards. This is pretty much what this counter is for. For sure better than net.inet.ip.ifq.drops which no longer exists. Found by and OK martijn@ and OK sthen@
  [claudio, 2019-08-13, 1 file, -10/+2]
* Replace snmpctl(8) references with snmp(1).
  [martijn, 2019-08-09, 2 files, -7/+7]
* added /* no filesystem visibility */ above unveil("/", "") since "" is too easy to misread. as per suggestion by and OK deraadt@
  [mestre, 2019-08-08, 1 file, -1/+2]
* When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
  [deraadt, 2019-06-28, 2 files, -12/+12]
* Implement SHA-2 (RFC7860) support for authentication. OK claudio@, gerhard@
  [martijn, 2019-06-11, 4 files, -9/+61]
* The digestlength is not always 12 bytes. Make this value variable in preparation for SHA-2 support. OK claudio@, gerhard@
  [martijn, 2019-06-11, 2 files, -11/+42]
* Allow arbitrary oids to be specified for the getnext request, instead of oids needing to be part of the snmpd loaded tree. This is in line with RFC3416. OK gerhard@ who apparently has the exact same diff in his repo.
  [martijn, 2019-05-16, 3 files, -4/+11]
* According to RFC3414 section 4 applications should be able to discover the snmpEngineBoots and snmpEngineTime by sending an AuthPriv request with the requested values set to zero and with a valid user. Move the engine_boots and engine_time down after the user check and remove the 0-check, so we can reply with the appropriate usmStatsNotInTimeWindows. This allows us to use p5-Net-SNMP against snmpd with seclevel enc. OK rob@
  [martijn, 2019-05-13, 1 file, -16/+21]
* According to RFC3414 section 4 applications should be able to discover the snmpEngineID by sending a noAuthNoPriv request. Move the seclevel check to after the usm_decode phase, so we can reply with the mandatory usmStatsUnknownEngineIDs instead of usmStatsUnsupportedSecLevels. This brings us one step closer to using p5-Net-SNMP with seclevel enc. OK tb@, rob@
  [martijn, 2019-05-13, 1 file, -4/+4]
* The BER API is currently used by ldap, ldapd, ldapctl, ypldap, snmpd, and snmpctl. Separate copies of ber.[ch] have existed and been maintained in sync in ldap, ldapd, ypldap and snmpd. This commit moves the BER API into /usr/lib/libutil. All current consumers already link libutil. ldapd and snmpd regress passes, and release builds. With help from tb@ and guenther@. ok deraadt@, tb@
  [rob, 2019-05-11, 7 files, -1941/+8]
* Index 0 is out of range for hrStorageIndex. ok reyk@
  [gerhard, 2019-05-02, 1 file, -1/+3]
* Remove unnecessary end-of-contents octets. ok claudio@
  [rob, 2019-04-29, 1 file, -2/+2]
* Only apply sign extension when less than eight bytes have been consumed. This fixes a problem when handling large negative integers. ok claudio@
  [rob, 2019-04-27, 1 file, -3/+4]
* Include two new functions added by martijn@. Still a work in progress.
  [rob, 2019-03-24, 1 file, -5/+13]
* (unsigned) means (unsigned int) which on ptrdiff_t or size_t or other larger types really is a range reduction... Almost any cast to (unsigned) is a bug. ok millert tb benno
  [deraadt, 2019-02-13, 1 file, -3/+3]
* PF_ROUTE -> AF_ROUTE in the scattered sock()/setsockopt() calls where the "wrong" #define was used. ok dlg@
  [krw, 2019-01-22, 1 file, -2/+2]