#
17240de1 |
| 06-Feb-2024 |
martijn <martijn@openbsd.org> |
Let the config parser make use of the mib_string2oid(). If a descriptor is not found in the loaded MIB files it falls back to the old smi_oid2string(), which then throws a deprecation warning. This won't trigger for most cases in the default install, but the UCD-DISKIO-MIB and dependencies aren't included (yet?) (which can be fixed by manually including them via "mib directory") and there's a couple of misspellings (e.g. mib_2 vs mib-2, and usmStatsNotInTimeWindow vs usmStatsNotInTimeWindows).
Feedback and OK tb@
|
#
f0bcdb5c |
| 06-Feb-2024 |
martijn <martijn@openbsd.org> |
Replace most smi_oid2string() calls with the new mib_oid2string(). smi_oid2string() is still called from trap handle context to not break any existing scripts.
OK tb@
|
#
e60163e5 |
| 16-Jan-2024 |
claudio <claudio@openbsd.org> |
Convert to imsg_get_fd() and remove unused proc_forward_imsg(). OK martijn@
|
#
4e2cbd5c |
| 21-Dec-2023 |
martijn <martijn@openbsd.org> |
mib_init() and MIB() disappeared with mib.c, remove their declarations. MIBDECL() and MIBEND are only used inside mib.h, so move their definition in there.
OK tb@
|
#
a9292d2a |
| 21-Dec-2023 |
martijn <martijn@openbsd.org> |
Clean up snmpd's header situation.
With the help of tb@ and include-what-you-use.
OK tb@
|
#
5645d436 |
| 13-Nov-2023 |
martijn <martijn@openbsd.org> |
Apparently base-gcc doesn't like having OID() inside MIBDECL(). Handroll the OID() logic into MIBDECL().
Found, tested, and OK jca@ OK tb@
|
#
9dc90119 |
| 12-Nov-2023 |
martijn <martijn@openbsd.org> |
Move struct oid from snmpd.h into smi.c and trim a lot of the now unused fat. This includes all the o_flags member related defines.
if it compiles ship it/OK tb@
|
#
46c28d35 |
| 12-Nov-2023 |
martijn <martijn@openbsd.org> |
Remove a bunch of unused smi_ functions and move a couple of definitions out of snmpd.h, which aren't used outside of smi.c
OK tb@
|
#
103df567 |
| 12-Nov-2023 |
martijn <martijn@openbsd.org> |
Let MIBDECL() make use of OID(). This gives us bo_n for free and we won't have to rely on error-prone smi_oidlen.
OK tb@
|
#
d791c660 |
| 12-Nov-2023 |
martijn <martijn@openbsd.org> |
Now that smi.c is basically an oid/name translator, let smi_insert() create the struct oid and let parse.y supply the arguments.
OK tb@
|
#
3c554fea |
| 12-Nov-2023 |
martijn <martijn@openbsd.org> |
Now that the last consumer of mps.c is gone, remove it and its application_legacy.c companion.
OK tb@
|
#
60cc2743 |
| 04-Nov-2023 |
martijn <martijn@openbsd.org> |
Move SNMPv2-MIB::system from mib.c into the new application_internal.c. This was the last consumer of mib.c, so send it to the great bitbucket in the sky.
Move SNMPv2-MIB::system from mib.c into the new application_internal.c. This was the last consumer of mib.c, so send it to the great bitbucket in the sky.
This move removes the sysORTable, but it was basically non-functioning anyway and removal of previous entries from the table didn't cause any fallout that reached my ears. I hope to add proper sysORTable/agent-capabilities support, which is compatible with AgentX's {Add,Remove}AgentCaps, soon.
OK tb@
|
#
16365c53 |
| 04-Nov-2023 |
martijn <martijn@openbsd.org> |
Introduce application_internal.c. This backend is meant to replace application_legacy.c, mps.c, and mib.c. This commit just introduces the backend. The existing MIBs inside mib.c will be copied over in subsequent commits.
OK tb@
|
#
5f1d9bbf |
| 06-Oct-2022 |
martijn <martijn@openbsd.org> |
Remove a lot of old (dead) code that's either been superseded, or moved to snmpd_metrics.
OK benno@ sthen@
|
#
1985d3eb |
| 01-Sep-2022 |
martijn <martijn@openbsd.org> |
Add privilege separation to snmpd.
This uses the just imported snmpd_metrics as a new (agentx-based) backend. Snmpd(8) executes all files in /usr/libexec/snmpd and treats regions registered by these binaries as authoritative, so that no other agentx backends can overwrite them. The snmpe process is now pledged "stdio recvfd inet unix".
This removes quite a few entries from the sysORTable, but the current entries are non-compliant anyway and should be completely revisited at a later time.
Reduces the time for a full walk by about a factor of 4, bringing us close to the original speed before application.c was introduced.
General design discussed with claudio@ Tested by and OK sthen Release build test and OK tb@
|
#
4100cc5f |
| 23-Aug-2022 |
martijn <martijn@openbsd.org> |
(Re)add support for agentx in snmpd
Current omissions in protocol support are notifications, index (de)allocation, and agent capabilities.
Help testing sthen@ Feedback/tweaks/OK jmatthew@
|
#
614c3698 |
| 30-Jun-2022 |
martijn <martijn@openbsd.org> |
Introduce a blocklist backend and keyword.
This allows the admin to specify a full region of the OID tree to be blocked and simply returns NOSUCHOBJECT/ENDOFMIBVIEW.
This deprecates filter-pf-addresses in favour of: blocklist pfTblAddrTable
OK tb@
|
#
01465aaa |
| 19-Jan-2022 |
martijn <martijn@openbsd.org> |
Move some smi.c functions to their own header. These are needed for a new application layer, where a lot of the snmpd.h stuff just clutter.
OK jmatthew@ tested as part of larger diff by sthen@ and Joel Carnat
|
#
b0612ba1 |
| 19-Jan-2022 |
martijn <martijn@openbsd.org> |
Move log.c functions to their own header. This is needed for a new application layer, where a lot of the snmpd.h stuff just clutter.
Requested by benno@ OK jmatthew@ tested as part of larger diff by sthen@ and Joel Carnat
|
#
ab858812 |
| 02-Sep-2021 |
martijn <martijn@openbsd.org> |
Allow snmpd(8) to send SNMPv3 traps.
OK jmatthew@
|
#
73b5c081 |
| 09-Aug-2021 |
martijn <martijn@openbsd.org> |
Allow setting the engineid.
The previous engineid was based around the engine boottime and a random value, which gives problems when sending/receiving unacknowledged PDUs (trapv2) over SNMPv3 with authentication enabled, which need a consistent engineid across restarts to determine the correct user from the sender.
The new default engineid takes a sha256 hash (chosen for its longer output) of gethostname(3) and places the first 27 bytes after the new format number 129. This should give us a very low probability of collisions, assuming all machines have a unique name.
The other formats as specified in SNMP-FRAMEWORK-MIB (RFC3411) are also supported as well as arbitrary formats in the range 128-255 for other private enterprise numbers in hex format.
OK jmatthew@
|
#
808130e6 |
| 08-Aug-2021 |
sthen <sthen@openbsd.org> |
Switch default snmpd and snmp auth back to hmac-sha1.
Practical experience on several machines after updates suggests the snmp world isn't really ready for hmac-sha2-256, and the HMAC construction doesn't require collision resistance (which is the weakness of MD5/SHA1; see e.g. "New proofs for NMAC and HMAC: Security without collision-resistance", Bellare 2014).
Feedback from martijn@ (who would prefer to keep using the sha2 hmac), deraadt@, tb@.
|
#
c67854d6 |
| 20-Jun-2021 |
martijn <martijn@openbsd.org> |
Change default user auth to hmac-sha256 and enc to aes. The old defaults are just not sane anymore.
OK sthen@
|
#
c92471af |
| 20-Jun-2021 |
martijn <martijn@openbsd.org> |
Tighten default security for snmpd(8). This is done by doing several things:
- Only allow SNMPv3 by default. SNMPv1 and SNMPv2c can be enabled by setting the new snmpv* flags on the "listen on" statements.
- Remove the default community names. They're not secure to use.
- Change the default seclevel to enc.
Initial idea, help from and OK sthen@
|
#
d16fa18d |
| 20-May-2021 |
martijn <martijn@openbsd.org> |
Rename context to pdutype. This is in line with the naming schema from the RFCs.
While here remove a duplicate sm_type that snuck in during traphandler merger and use human readable names in debug log entries from packages.
OK jan@
|