Page MenuHomeVyOS Platform
Create Task
Maniphest T1160

snmp settings allowing access via IPv6 when it should not
Closed, ResolvedPublicBUG
Actions

Description

When doing this:

set service snmp community test123 client '10.88.87.11'

The generated snmpd.conf looks like this:

rocommunity test123 10.88.87.11
rocommunity6 test123

Which means all IPv6 addresses can query it via SNMP if they know the community string.
I'd expect the rocommunity6 statement to be left out in this scenario.

Details

Difficulty level
Normal (likely a few hours)
Version
VyOS 1.2.0-epa2
Why the issue appeared?
Implementation mistake

Event Timeline

danhusan created this task.Jan 5 2019, 11:19 PM
danhusan assigned this task to syncer.Jan 27 2019, 9:02 PM
syncer reassigned this task from syncer to c-po.Jan 27 2019, 9:06 PM
syncer triaged this task as Normal priority.
syncer added a project: VyOS 1.3 Equuleus.
syncer added a subscriber: syncer.
c-po added a comment.Jan 28 2019, 5:38 AM

IMHO this is a general CLI design issue.

  • set service snmp community foo will allow all IPv4/IPv6 clients to connect
  • set service snmp community bar network 172.16.0.0/12 will allow all IPv6 clients to connect but only 172.16.0.0/12 from the IPv4 range
  • set service snmp community baz network 2001:db8::/64 will allow all IPv4 clients to connect but only 2001:db8::/64 from the IPv6 range
vyos@vyos# cat /etc/snmp/snmpd.conf  | grep rocommunity
rocommunity bar 172.16.0.0/12
rocommunity6 bar
rocommunity baz
rocommunity6 baz 2001:db8::/64
rocommunity foo
rocommunity6 foo

But what should be the desired behavior?

  • When no network or client is speciefied we allow allo but as soon as one network/client is specified we limit it down?
c-po changed the task status from Open to Confirmed.Jan 28 2019, 5:38 AM
c-po changed Difficulty level from Unknown (require assessment) to Normal (likely a few hours).
c-po changed Why the issue appeared? from Will be filled on close to Implementation mistake.
pasik added a subscriber: pasik.Jan 28 2019, 7:13 AM
danhusan added a comment.Jan 28 2019, 8:45 AM
In T1160#31671, @c-po wrote:

But what should be the desired behavior?

  • When no network or client is speciefied we allow allo but as soon as one network/client is specified we limit it down?

Sounds right to me.

c-po added a comment.EditedJan 29 2019, 7:50 AM

@danhusan is this your expected behavior?

vyos@vyos# show service snmp
 community bar {
     network 172.16.0.0/12
 }
 community baz {
     network 2001:db8::/64
 }
 community foo {
 }
 community hhhhhh{
     authorization ro
     network 172.16.100.0/24
 }
 listen-address 172.16.254.36 {
 }

resulting in

vyos@vyos#  cat /etc/snmp/snmpd.conf  | grep rocommunity
rocommunity bar 172.16.0.0/12
rocommunity6 baz 2001:db8::/64
rocommunity foo
rocommunity6 foo
rocommunity hhhhhh 172.16.100.0/24
MrXermon added a subscriber: MrXermon.Jan 29 2019, 10:52 AM
c-po closed this task as Resolved.Jan 30 2019, 6:30 PM
c-po edited projects, added VyOS 1.2 Crux (VyOS 1.2.1); removed VyOS 1.3 Equuleus.
syncer moved this task from Needs Triage to Finished on the VyOS 1.2 Crux (VyOS 1.2.1) board.Apr 17 2019, 7:31 PM