History log of /openbsd/usr.sbin/snmpd/snmpd.h (Results 26 – 50 of 120)
Revision Date Author Comments
# d16fa18d 20-May-2021 martijn <martijn@openbsd.org>

Rename context to pdutype. This is in line with the naming schema from the
RFCs.

While here remove a duplicate sm_type that snuck in during traphandler
merger and use human readable names in debug log entries from packages.

OK jan@


# 2df89b54 05-Feb-2021 martijn <martijn@openbsd.org>

Introduce a transaction id. This is currently mostly a dummy-variable, but
will later on be needed for when we reintroduce agentx master support.

feedback and OK dlg@, rob@


# ddc6a539 28-Jan-2021 martijn <martijn@openbsd.org>

Remove print_{debug,verbose} since they're currently unused and I see no
reason to start using them in the future.

OK tb@


# 488a4384 27-Jan-2021 deraadt <deraadt@openbsd.org>

these programs (with common ancestry) had a -fno-common problem related
to privsep_procid.
ok mortimer


# 20f2292f 22-Jan-2021 martijn <martijn@openbsd.org>

Remove the traphandler process, which was nothing more than a sham.
It did nothing more than receive a message over UDP, do some basic ber
and ASN.1 parsing and forward the packet to the parent process. snmpe can
do/does the same thing but with a far more thorough ASN.1 validation.
Because we move trap receiving to snmpe we get trap over tcp for free.

However, to make sure that a normal snmp port doesn't automatically start
handling traps a new set of "listen on" flags are introduced: read, write,
and notify. To enable trap handling either let snmpd listen on port 162
without flags, or add the notify flag. Only a flag without port results in
listening on port 162.

To keep current behaviour copy all UDP-based "listen on" lines without port
and add the notify keyword:
    listen on 127.0.0.1 port 666
becomes
    listen on 127.0.0.1 port 666
    listen on 127.0.0.1 notify

This change also enforces snmpd to honor trap community on receiving a
trap, where previously no community was checked before handling a packet.

OK denis@, rob@


# 967754d5 06-Sep-2020 martijn <martijn@openbsd.org>

Split "trap receiver" into its own trap_address struct and clean up the
code surrounding this struct and struct address.

No functional change intended, except that trap receiver's source-address
may now be a resolvable hostname.

Tweaks and OK jan@


# c7465d6e 23-Aug-2020 martijn <martijn@openbsd.org>

Merge listen_sock into address, since there's a 1:1 correlation. Save some
overhead and 18LoC.

OK jan@


# a395eaf7 08-Aug-2020 martijn <martijn@openbsd.org>

Greatly simplify snmpe_parsevarbinds.
except for some minor changes in the handling of snmp_intotal{req,set}vars
no functional changes intended.

OK jan@


# 62153df3 30-Jun-2020 martijn <martijn@openbsd.org>

Remove agentx and control socket support.

snmpctl has been removed two releases ago, which makes the control
interface obsolete.

agentx support has always been quirky at best, but got completely broken
with the BER_MAX_OID_LEN increase in ber.h. This change resulted in the
oid length on the snmp side being left uninitialized because of size
difference, resulting in weird behaviour. No one reported the breakage,
even after 6.7 was released.

This change requires users to remove the socket keyword from their
snmpd.conf.

OK denis@


# 5ec2ddb5 02-Jan-2020 florian <florian@openbsd.org>

When many prefixes are stored in pf tables it is not sensible
to export them via snmp.
Introduce option filter-pf-addresses similar to filter-routes which
prevents exporting below the OPENBSD-PF-MIB::pfTblAddrTable oid.
Other pf table statistics are unaffected by this and still available.
With this I can do a bulkwalk starting at pfMIBObjects without hitting
timeouts and without spinning the cpu at 100% for days to export 300k
prefixes.
man page input kn
OK claudio, sthen. martijn is also fine with it going in.


# 8360a08a 11-Jun-2019 martijn <martijn@openbsd.org>

Implement SHA-2 (RFC7860) support for authentication.

OK claudio@, gerhard@


# bc869f1f 11-Jun-2019 martijn <martijn@openbsd.org>

The digestlength is not always 12 bytes. Make this value variable in
preparation for SHA-2 support.

OK claudio@, gerhard@


# 9aae882a 16-May-2019 martijn <martijn@openbsd.org>

Allow arbitrary oids to be specified for the getnext request, instead of
oids needing to be part of the snmpd loaded tree.

This is in line with RFC3416.

OK gerhard@ who apparently has the exact same diff in his repo.


# d4b95dc4 11-May-2019 rob <rob@openbsd.org>

The BER API is currently used by ldap, ldapd, ldapctl, ypldap, snmpd, and
snmpctl. Separate copies of ber.[ch] have existed and been maintained in sync
in ldap, ldapd, ypldap and snmpd.

This commit moves the BER API into /usr/lib/libutil. All current consumers
already link libutil. ldapd and snmpd regress passes, and release builds.

With help from tb@ and guenther@.

ok deraadt@, tb@


# 9f020842 08-Jan-2019 bluhm <bluhm@openbsd.org>

The child processes of snmpd(8) did not detach from the terminal.
Dup /dev/null to the stdio file descriptors in the children.
based on a fix for httpd(8) and relayd(8); from Jan Klemkow


# 4480d17b 05-Aug-2018 mestre <mestre@openbsd.org>

Remove cpath pledge(2) promise. We decided that not deleting the unix control
sockets causes no harm and this way we close another attack surface by not
allowing the daemon to create/delete any more files.

While here also scramble pledge promises to their canonical form.

OK florian@


# 8d831f14 31-Jul-2018 claudio <claudio@openbsd.org>

Make ber type and encoding an unsigned int instead of unsigned long.
This way the size is the same on all archs and 32bit should be good enough.
OK rob@


# 7bfcc0c0 15-Apr-2018 mpf <mpf@openbsd.org>

Add TCP support to snmpd.

This implements RFC 3430, with the exception of processing multiple
incoming requests in parallel (Section 2.1). This required too much
code and is optional anyway.

Initial review by reyk@, very thorough reviews by jca@. Thanks!

OK jca@, gerhard@


# ca0e6eeb 08-Feb-2018 claudio <claudio@openbsd.org>

Bump the read sockbuf of the routing socket to 2MB, may help reduce some of
the desync cases. OK benno@


# a188d1e7 28-Jul-2017 florian <florian@openbsd.org>

The engine id is just binary data so make it uint8_t.
clang pointed out that we tried to store 128 in a signed char.
OK gerhard


# 9e5d066d 21-Apr-2017 jca <jca@openbsd.org>

Repair AgentX support.

which I broke when adding support for multiple listen addresses. SNMP
data should be sent to the client using the appropriate socket, which we
now store when we receive the query.

Reported & fix tested by Rivo Nurges.


# 871fc12c 09-Jan-2017 reyk <reyk@openbsd.org>

Stop accessing verbose and debug variables from log.c directly.

This replaces log_verbose() and "extern int verbose" with the two functions
log_setverbose() and log_getverbose().

Pointed out by benno@
OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)


# c7cb8e65 18-Nov-2016 jca <jca@openbsd.org>

Add support for multiple listening sockets

One can now specify multiple "listen on" statements. The default is to
listen on 0.0.0.0 and ::, which means better handling of dual-stack
setups. ok sthen@ on a previous version, input and ok reyk@.


# f005ecdc 09-Nov-2016 jca <jca@openbsd.org>

Improve source IP address handling.

- send replies using a source address equal to the destination address
  of queries, using IP_SENDSRCADDR. This helps in multihomed setups and
  can remove the need to explicitly configure a bind address.
- config knob to set the source address of packets sent to trap
  receivers. "trap receiver" gains an optional "source-address"
  setting.

Source address issues reported by Andy Lemin. ok benno@


# 7be2c8aa 28-Oct-2016 rzalamena <rzalamena@openbsd.org>

Sync snmpd(8) with other daemons proc.c and teach him how to fork+exec.

ok jca@, reyk@

