How to filter source address with community when using SNMPv2

Hi Frank,
I want to filter the source address together with the community when an SNMPv2 request comes in.
I thought that I could configure snmpCommunityTransportTag, snmpTargetAddrTAddress, and snmpTargetAddrTagList to achieve this purpose.
Here is my configuration:

[vcapuser@localhost ncs-packages]$ snmpwalk -v 2c -c test localhost 1.3.6.1.6.3.18|grep ".'test'"
SNMP-COMMUNITY-MIB::snmpCommunityName.'test' = STRING: "test"
SNMP-COMMUNITY-MIB::snmpCommunitySecurityName.'test' = STRING: public
SNMP-COMMUNITY-MIB::snmpCommunityContextEngineID.'test' = STRING: "32473"
SNMP-COMMUNITY-MIB::snmpCommunityContextName.'test' = STRING:
SNMP-COMMUNITY-MIB::snmpCommunityTransportTag.'test' = STRING: test
SNMP-COMMUNITY-MIB::snmpCommunityStorageType.'test' = INTEGER: permanent(4)
SNMP-COMMUNITY-MIB::snmpCommunityStatus.'test' = INTEGER: active(1)
SNMP-COMMUNITY-MIB::snmpTargetAddrTMask.'test' = ""
SNMP-COMMUNITY-MIB::snmpTargetAddrMMS.'test' = INTEGER: 484

[vcapuser@localhost ncs-packages]$ snmpwalk -v 2c -c test localhost 1.3.6.1.6.3.12|grep ".'test'"
SNMP-TARGET-MIB::snmpTargetAddrTDomain.‘test’ = OID: SNMPv2-SMI::mib-2.100.1.1
SNMP-TARGET-MIB::snmpTargetAddrTAddress.‘test’ = Hex-STRING: C0 A8 64 11 D8 ED
SNMP-TARGET-MIB::snmpTargetAddrTimeout.‘test’ = INTEGER: 250
SNMP-TARGET-MIB::snmpTargetAddrRetryCount.‘test’ = INTEGER: 1
SNMP-TARGET-MIB::snmpTargetAddrTagList.‘test’ = STRING: test
SNMP-TARGET-MIB::snmpTargetAddrParams.‘test’ = STRING: SNMPv2c
SNMP-TARGET-MIB::snmpTargetAddrStorageType.‘test’ = INTEGER: permanent(4)
SNMP-TARGET-MIB::snmpTargetAddrRowStatus.‘test’ = INTEGER: active(1)

I think with this configuration, we accept SNMP requests with community “test” only when they come from 192.168.100.1:55533 (snmpTargetAddrTAddress C0 A8 64 11 D8 ED).
After testing, it does not seem to work.

Then I called SnmpCommunityMIB.setSourceAddressFiltering(true), and the configuration above seems to be working now: requests with community “test” are being filtered.

Could you please help to confirm whether my configuration and the usage of the API setSourceAddressFiltering are right? Is setSourceAddressFiltering designed for this kind of purpose?

And one more question: if I don’t want to specify the port, and only filter on the IP address, then I need to set snmpTargetAddrTMask to “255.255.255.255:0”. Is this right?

Looking forward to your advice.
Thanks.

BR,
Terry

The source address filtering (if enabled) is doing source address (and port) filtering based on SNMP-COMMUNITY- and SNMP-TARGET-MIB. That is correct.

However, the SnmpTargetAddrTMask needs to be specified for a TDomain like

TransportAddressIPv4 ::= TEXTUAL-CONVENTION
    DISPLAY-HINT "1d.1d.1d.1d:2d"
    STATUS  current
    DESCRIPTION
            "Represents a transport address consisting of an IPv4
            address and a port number (as used for example by UDP,
            TCP and SCTP):

             octets       contents         encoding
              1-4         IPv4 address     network-byte order
              5-6         port number      network-byte order

            This textual convention SHOULD NOT be used directly in object
            definitions since it restricts addresses to a specific format.
            However, if it is used, it MAY be used either on its own or
            in conjunction with TransportAddressType or TransportDomain
            as a pair."
    SYNTAX OCTET STRING (SIZE (6))

as

OctetString.fromHexString("FF:FF:FF:FF:00:00")

to match the IPv4 address only, but not the TCP port.

Thanks for your answer, Frank.

Hello Frank,

What would be the way to use this mask to allow a sub-net to be accessible instead of particular host?
I tried to enter it like “FF:FF:FF:00:00:00”, hoping this means “don’t care” for the last two octets of the IP address. It did not work for me.
What I would like is to add only one address entry and then control how many hosts from that subnet can access using the mask.

Hello,

The value “FF:FF:FF:00:00:00” will need the first three octets of the IP address to match (/24). For a /16 mask, you will have to set “FF:FF:00:00:00:00”.

Kind regards,
Jochen
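
The match rule Frank and Jochen describe, written out as an added C++ example (not code from SNMP4J or AGENT++): the TAddress and mask hex values are the ones quoted in this thread, while the request source endpoints are constructed for the demonstration.

```cpp
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Added example, not SNMP4J or AGENT++ code: the snmpTargetAddrTMask match
// rule of RFC 3584 applied to TransportAddressIPv4 (4 address octets followed
// by 2 port octets, network byte order), the format of the thread's TAddress.
using Octets = std::vector<std::uint8_t>;
// Parse "C0:A8:64:11:D8:ED" (':' or ' ' separators) into octets. Malformed
// input yields an empty vector, which passes_filter treats strictly.
Octets from_hex(const std::string& hex) {
    Octets out;
    std::string cur;
    for (size_t i = 0; i <= hex.size(); ++i) {
        bool sep = (i == hex.size() || hex[i] == ':' || hex[i] == ' ');
        if (!sep && !std::isxdigit(static_cast<unsigned char>(hex[i]))) return Octets();
        if (!sep) { cur += hex[i]; continue; }
        if (cur.size() == 2) out.push_back(static_cast<std::uint8_t>(std::stoul(cur, nullptr, 16)));
        else if (!cur.empty()) return Octets();
        cur.clear();
    }
    return out;
}

// Encode an incoming UDP/IPv4 source endpoint as a TransportAddressIPv4.
Octets udp_ipv4(std::uint8_t a, std::uint8_t b, std::uint8_t c, std::uint8_t d, std::uint16_t port) {
    return Octets{a, b, c, d, static_cast<std::uint8_t>(port >> 8), static_cast<std::uint8_t>(port & 0xFF)};
}

// Bits set in the mask must match between the table TAddress and the request
// source; an empty mask means every bit must match (exact host and port).
// A mask of any other length is inconsistent with the TAddress: fail closed.
bool passes_filter(const Octets& table_addr, const Octets& mask, const Octets& input_addr) {
    if (table_addr.empty() || table_addr.size() != input_addr.size()) return false;
    if (!mask.empty() && mask.size() != table_addr.size()) return false;
    for (size_t i = 0; i < table_addr.size(); ++i) {
        std::uint8_t m = mask.empty() ? 0xFF : mask[i];
        if ((table_addr[i] & m) != (input_addr[i] & m)) return false;
    }
    return true;
}

int main() {
    Octets taddr = from_hex("C0:A8:64:11:D8:ED");      // thread's TAddress: 192.168.100.17:55533
    Octets req = udp_ipv4(192, 168, 100, 200, 1024);   // constructed request source endpoint
    for (const char* m : {"", "FF:FF:FF:FF:00:00", "FF:FF:FF:00:00:00", "FF:FF:00:00:00:00"})
        std::printf("mask '%s': %s\n", m, passes_filter(taddr, from_hex(m), req) ? "accept" : "reject");
}
```

With the empty mask and the host-only mask the constructed request is rejected; the /24 and /16 masks accept it.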

Hello Jochen,

That is what I was expecting as I said in my post, but for some reason I could not make it work.

Regards,
Safet

Hi,

Any thoughts about this topic?

Regards,
Safet

The assumption quoted above is not correct and does not match what Jochen wrote. Did you try it as Jochen wrote it or as you wrote it?

And here is the log:
20210208.10:58:11: 0: (1)INFO : getUdpAddress: FIND FOR INDEX (index): (108.111.99.97.108.65.99.99.101.115.115)
20210208.10:58:11: 0: (4)INFO : passes_filter: FOR TAG: (tag): (108.111.99.97.108.65.99.99.101.115.115)
20210208.10:58:11: 0: (4)INFO : passes_filter: MASK FROM TABLE: (mask): ()
20210208.10:58:11: 0: (4)INFO : passes_filter: ADDR FROM TABLE: (a): (127.0.0.1/0)
20210208.10:58:11: 0: (4)INFO : passes_filter: ADDR FROM INPUT: (b): (127.0.0.1/0)

Hello,

I added a public community for local access by calling ‘add_public’, available in the snmp_community_mib class. My understanding is that it should allow access only from the local host.
In that function the mask is set to “\xFF\xFF\xFF\xFF\xFF\xFF\xFF”.
I changed the code in snmp_community_mib.cpp to print the mask in the passes_filter function. When I issue any GET, it prints an empty string.
As all of this is code from AGENT++, can you please let me know why the mask is empty?
I also added a check for whether the mask is an invalid address in the pass_filter function, and it failed too.
So it looks like there is a problem in snmpTargetAddrTMask::getUdpAddress().

Besides this, I think there is a problem in add_public() where the index used to search the snmpTargetAddrExtTable is defined: ind = Oidx::from_string("localAccess").
This function takes two arguments, and the second is TRUE by default. I think this should be ind = Oidx::from_string("localAccess", FALSE). If the second argument is TRUE, then a new row will be created in the snmpTargetAddrExtTable that doesn’t match any entry in the snmpTargetAddrTable.
Can you please check whether this is correct or not?

Regards,
Safet

The above code is correct (the existing sample code is incorrect regarding this). The INDEX clause for snmpTargetAddrEntry specifies an IMPLIED length, therefore the index value needs to be provided with implied length too.

This bug will be corrected with the next release.

Best regards,
Frank
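
To make the IMPLIED point concrete, here is an added C++ example (not AGENT++ code) that encodes an OCTET STRING index both ways and decodes the index that appears in the log above; the only value taken from the thread is the logged index 108.111.99.97.108.65.99.99.101.115.115.

```cpp
#include <cstdint>
#include <cstdio>
#include <sstream>
#include <string>
#include <vector>

// Added example, not AGENT++ code: how an OCTET STRING INDEX value becomes OID
// sub-identifiers. snmpTargetAddrName is declared IMPLIED, so its index is the
// bare characters; a non-IMPLIED string index is prefixed with its length.
using Oid = std::vector<std::uint32_t>;

Oid string_index(const std::string& s, bool implied) {
    Oid oid;
    if (!implied) oid.push_back(static_cast<std::uint32_t>(s.size()));
    for (unsigned char ch : s) oid.push_back(ch);
    return oid;
}

// Render the index the way the agent log prints it: "108.111.99.97..."
std::string dotted(const Oid& oid) {
    std::string out;
    for (size_t i = 0; i < oid.size(); ++i) out += (i ? "." : "") + std::to_string(oid[i]);
    return out;
}

// Parse a dotted IMPLIED index from the log back into the string it encodes
// (every sub-identifier is one character); refuse values that are not octets.
std::string implied_string_from_dotted(const std::string& dotted_oid) {
    std::string out, part;
    std::istringstream in(dotted_oid);
    while (std::getline(in, part, '.')) {
        unsigned long v = std::stoul(part);
        if (v > 255) return "";
        out += static_cast<char>(v);
    }
    return out;
}

int main() {
    std::printf("IMPLIED:     %s\n", dotted(string_index("localAccess", true)).c_str());
    std::printf("with length: %s\n", dotted(string_index("localAccess", false)).c_str());
    std::printf("log index decodes to: %s\n",
                implied_string_from_dotted("108.111.99.97.108.65.99.99.101.115.115").c_str());
}
```

The logged index has no leading 11, which is exactly the IMPLIED form; a row created with the length-prefixed form would never be found by that lookup.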

Hello Frank,

Thank you. One more question here:
As entries in snmpCommunityEntry add entries to snmpTargetAddrTable and snmpTargetAddrExtTable indexed by the snmpCommunityName, how is it possible to add two targets to the same community and have source address validation enabled?
What I found is that if, for example, I add to the same community public two host IPs, H1@10.5.5.30/32 and H2@10.5.5.28/32, then, as the entry for public is found, the IP address will be set to H2’s and only that one will work.
I know that providing the one host with a wider mask will work, but what about only a couple of hosts?

Please, help.

Regards,
Safet

Hi Safet,

Just use the snmpCommunityEntry, snmpTargetAddrEntry, and snmpTargetAddrExtEntry directly to configure your requirements. Then you can define more than a single target entry for a community tag, and this will enable you to specify two or more individual IP addresses per community.

I repeat again: Please do not use the sample methods in production! (And do not assume that those methods provide all possible configuration options.)

Best regards,
Frank

Hello Frank,

I definitely don’t use the sample code. I am learning from it how something works. I test it and then use the parts of it I need in my code.
I found this not functional, and it would be good if you could look at it or let me know how to make this work in one example, please.

Regards,
Safet