Hi Frank,
I want to filter the source address with community when SNMPv2 request coming in.
I thought that I could configure snmpCommunityTransportTag, snmpTargetAddrTAddress, and snmpTargetAddrTagList to achieve this purpose.
Here is my configuration:
I think that with this configuration we accept SNMP requests with community “test” only when they come from 192.168.100.1:55533 (snmpTargetAddrTAddress C0 A8 64 11 D8 ED).
After testing, it seems not to be working.
Then I called SnmpCommunityMIB.setSourceAddressFiltering(true), and the configuration above seems to be working now: requests with community “test” are being filtered.
Could you please help to confirm whether my configuration and the usage of the API setSourceAddressFiltering are right? Is setSourceAddressFiltering designed to achieve this kind of purpose?
And one more question: if I don’t want to specify the port and only filter on IP address, then I need to set snmpTargetAddrTMask to “255.255.255.255:0”. Is this right?
The source address filtering (if enabled) is doing source address (and port) filtering based on SNMP-COMMUNITY- and SNMP-TARGET-MIB. That is correct.
However, the SnmpTargetAddrTMask needs to be specified for a TDomain like
TransportAddressIPv4 ::= TEXTUAL-CONVENTION
    DISPLAY-HINT "1d.1d.1d.1d:2d"
    STATUS      current
    DESCRIPTION
        "Represents a transport address consisting of an IPv4
         address and a port number (as used for example by UDP,
         TCP and SCTP):

          octets   contents         encoding
           1-4     IPv4 address     network-byte order
           5-6     port number      network-byte order

         This textual convention SHOULD NOT be used directly in object
         definitions since it restricts addresses to a specific format.
         However, if it is used, it MAY be used either on its own or
         in conjunction with TransportAddressType or TransportDomain
         as a pair."
    SYNTAX      OCTET STRING (SIZE (6))
as
OctetString.fromHexString("FF:FF:FF:FF:00:00")
to match the IPv4 address only, but not the TCP port.
What would be the way to use this mask to allow a sub-net to be accessible instead of particular host?
I tried to enter it like “FF:FF:FF:00:00:00”, hoping this means don’t care for the last two octets of the IP address. It did not work for me.
What I would like is to add only one address entry and then control how many hosts can access from that sub-net using the mask.
The value “FF:FF:FF:00:00:00” will need the first three octets of the IP address to match (/24). For a /16 mask, you will have to set “FF:FF:00:00:00:00”.
I added the public community for local access by calling ‘add_public’, available in the snmp_community_mib class. My understanding is that it should allow access only from the local host.
In the function the mask is set to “\xFF\xFF\xFF\xFF\xFF\xFF\xFF”.
I changed the code in snmp_community_mib.cpp to print the mask in the passes_filter function. When I make any GET call it prints an empty string.
As all this is code from AGENT++, can you please let me know why the mask is empty?
I also added a check for whether the mask is an invalid address in the passes_filter function, and it failed too.
So it looks like there is a problem in snmpTargetAddrTMask::getUdpAddress().
Besides this, I think there is one problem in add_public() when the index to search for in snmpTargetAddrExtTable is defined: ind = Oidx::from_string("localAccess").
This function takes two arguments and the second by default is TRUE. I think this should be like ind = Oidx::from_string("localAccess", FALSE). If the second argument is TRUE then a new row will be created in the snmpTargetAddrExtTable that doesn’t match any entry in the snmpTargetAddrTable.
Can you please check whether this is correct or not?
The above code is correct (the existing sample code is incorrect regarding this). The INDEX clause for snmpTargetAddrEntry specifies an IMPLIED length, therefore the index value needs to be provided with implied length too.
Thank you. One more question here:
As adding entries to snmpCommunityEntry adds entries to snmpTargetAddrTable and snmpTargetAddrExtTable indexed by snmpCommunityName, how is it possible to add two targets in the same community and have source address validation enabled?
What I found is that if, for example, I add two host IPs H1@10.5.5.30/32 and H2@10.5.5.28/32 in the same community public, then as the entry for public is found, the IP address will be set to H2’s and only that one will work.
I know that the solution of providing the one host with a wider mask will work, but how about only a couple of hosts?
Just use the snmpCommunityEntry, snmpTargetAddrEntry, and snmpTargetAddrExtEntry directly to configure your requirements. Then you can define more than a single target entry for a community tag, and this will then enable you to specify two or more individual IP addresses per community.
I repeat again: Please do not use the sample methods in production! (And do not assume that those methods provide all possible configuration options.)
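Added example (not SNMP4J’s or AGENT++’s own code) pulling together the points in this thread: the 6-octet TransportAddressIPv4 encoding of snmpTargetAddrTAddress, the /24 and /16 snmpTargetAddrTMask values described above with the port octets left as 00, and a passes_filter-style check over several target entries sharing one community tag, which is how two individual hosts can be allowed for one community. The names encodeTAddr, prefixMask, TargetEntry, sampleEntries and passesFilter are hypothetical, and the host addresses are the constructed sample from the question above.

```cpp
#include <array>
#include <cstdint>
#include <sstream>
#include <string>
#include <vector>

// TransportAddressIPv4: octets 1-4 IPv4 address, 5-6 port, network byte order.
using TAddr = std::array<uint8_t, 6>;

// Encode "a.b.c.d" plus a UDP port as a 6-octet snmpTargetAddrTAddress value.
TAddr encodeTAddr(const std::string& ip, uint16_t port) {
    TAddr t{};
    std::istringstream in(ip);
    std::string octet;
    for (int i = 0; i < 4 && std::getline(in, octet, '.'); ++i)
        t[i] = static_cast<uint8_t>(std::stoi(octet));
    t[4] = static_cast<uint8_t>(port >> 8);
    t[5] = static_cast<uint8_t>(port & 0xFF);
    return t;
}

// snmpTargetAddrTMask for an IPv4 prefix length: /24 gives FF:FF:FF:00:00:00 and
// /16 gives FF:FF:00:00:00:00; matchPort=false leaves the port octets 00 (any port).
TAddr prefixMask(int prefixLen, bool matchPort) {
    uint32_t bits = prefixLen <= 0 ? 0u : 0xFFFFFFFFu << (32 - prefixLen);
    TAddr m{};
    for (int i = 0; i < 4; ++i) m[i] = static_cast<uint8_t>(bits >> (24 - 8 * i));
    m[4] = m[5] = matchPort ? 0xFF : 0x00;
    return m;
}
// One snmpTargetAddrEntry address paired with its snmpTargetAddrExtEntry mask.
struct TargetEntry { TAddr address; TAddr mask; };

// Constructed sample: the two /32 hosts from the thread under one community tag,
// each as its own target entry rather than overwriting a single entry.
std::vector<TargetEntry> sampleEntries() {
    return { {encodeTAddr("10.5.5.30", 0), prefixMask(32, false)},
             {encodeTAddr("10.5.5.28", 0), prefixMask(32, false)} };
}

// Source passes when some entry agrees with it on every bit set in that entry's mask.
bool passesFilter(const std::vector<TargetEntry>& entries, const TAddr& source) {
    for (const auto& e : entries) {
        bool ok = true;
        for (int i = 0; i < 6; ++i)
            if ((source[i] & e.mask[i]) != (e.address[i] & e.mask[i])) { ok = false; break; }
        if (ok) return true;
    }
    return false;
}
```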
I definitely don’t use the sample code. I am learning from it how something works. I test it and then use the parts of it I need in my code.
I found this not functional, and it would be good if you could look at it or let me know how to make this work in one example, please.