authorBret Lambert <blambert@cvs.openbsd.org>2013-10-16 16:05:04 +0000
committerBret Lambert <blambert@cvs.openbsd.org>2013-10-16 16:05:04 +0000
commitec38e0639be1265c57a291d4c21a6583975459ff (patch)
tree52436156aa29355413143753a94eeebd49eaca58 /usr.sbin
parente1a82353a24a0948dbf42a2117a9d4119dd5bcc8 (diff)
1) move the creation of 'restricted' communication sockets
into snmpd.conf 2) add the ability to specify an alternate 'control' socket location 3) allow for the creation of multiple 'restricted' sockets (but only one control socket, for the time being) Committing slightly ahead of schedule in order to clear the pipeline for a few other upcoming changes. ok reyk@, sthen@
Diffstat (limited to 'usr.sbin')
-rw-r--r--usr.sbin/snmpd/parse.y36
-rw-r--r--usr.sbin/snmpd/snmpd.811
-rw-r--r--usr.sbin/snmpd/snmpd.c18
-rw-r--r--usr.sbin/snmpd/snmpd.conf.512
-rw-r--r--usr.sbin/snmpd/snmpd.h7
-rw-r--r--usr.sbin/snmpd/snmpe.c21
6 files changed, 70 insertions, 35 deletions
diff --git a/usr.sbin/snmpd/parse.y b/usr.sbin/snmpd/parse.y
index f300b0924d2..98b62993d5a 100644
--- a/usr.sbin/snmpd/parse.y
+++ b/usr.sbin/snmpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.25 2013/03/29 12:53:41 gerhard Exp $ */
+/* $OpenBSD: parse.y,v 1.26 2013/10/16 16:05:02 blambert Exp $ */
/*
* Copyright (c) 2007, 2008, 2012 Reyk Floeter <reyk@openbsd.org>
@@ -86,6 +86,7 @@ struct snmpd *conf = NULL;
static int errors = 0;
static struct addresslist *hlist;
static struct usmuser *user = NULL;
+static int nctlsocks = 0;
struct address *host_v4(const char *);
struct address *host_v6(const char *);
@@ -119,10 +120,11 @@ typedef struct {
%token SYSTEM CONTACT DESCR LOCATION NAME OBJECTID SERVICES RTFILTER
%token READONLY READWRITE OCTETSTRING INTEGER COMMUNITY TRAP RECEIVER
%token SECLEVEL NONE AUTH ENC USER AUTHKEY ENCKEY ERROR DISABLED
+%token SOCKET RESTRICTED
%token <v.string> STRING
%token <v.number> NUMBER
%type <v.string> hostcmn
-%type <v.number> optwrite yesno seclevel
+%type <v.number> optwrite yesno seclevel restricted
%type <v.data> objtype
%type <v.oid> oid hostoid
%type <v.auth> auth
@@ -264,6 +266,28 @@ main : LISTEN ON STRING {
}
user = NULL;
}
+ | SOCKET STRING restricted {
+ if ($3) {
+ struct control_sock *rcsock;
+
+ rcsock = calloc(1, sizeof(*rcsock));
+ if (rcsock == NULL) {
+ yyerror("calloc");
+ YYERROR;
+ }
+ rcsock->cs_name = $2;
+ rcsock->cs_restricted = 1;
+ TAILQ_INSERT_TAIL(&conf->sc_rcsocks, rcsock,
+ cs_entry);
+ } else {
+ if (++nctlsocks > 1) {
+ yyerror("multiple control "
+ "sockets specified");
+ YYERROR;
+ }
+ conf->sc_csock.cs_name = $2;
+ }
+ }
;
system : SYSTEM sysmib
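Review bot: Both `YYERROR` paths in the new `SOCKET STRING restricted` action (the `calloc` failure and the "multiple control sockets specified" case) leave `$2` allocated, and the success paths store it in `cs_name` without checking the path. Adding `free($2);` before each `YYERROR;` would release the token string, assuming the lexer hands STRING over as heap memory, which the direct assignment to `cs_name` suggests. It would also help to reject an empty path, and a path already used by the control socket or an earlier restricted socket, here at parse time so that configtest mode (`-n`) reports it. As written, a `restricted` entry naming the same path as the control socket is accepted, and the outcome then depends on control_init(), which is not part of this diff.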
@@ -451,6 +475,10 @@ enc : STRING {
}
;
+restricted : RESTRICTED { $$ = 1; }
+ | /* nothing */ { $$ = 0; }
+ ;
+
%%
struct keywords {
@@ -505,8 +533,10 @@ lookup(char *s)
{ "read-only", READONLY },
{ "read-write", READWRITE },
{ "receiver", RECEIVER },
+ { "restricted", RESTRICTED },
{ "seclevel", SECLEVEL },
{ "services", SERVICES },
+ { "socket", SOCKET },
{ "string", OCTETSTRING },
{ "system", SYSTEM },
{ "trap", TRAP },
@@ -851,6 +881,8 @@ parse_config(const char *filename, u_int flags)
conf->sc_confpath = filename;
conf->sc_address.ss.ss_family = AF_INET;
conf->sc_address.port = SNMPD_PORT;
+ conf->sc_csock.cs_name = SNMPD_SOCKET;
+ TAILQ_INIT(&conf->sc_rcsocks);
strlcpy(conf->sc_rdcommunity, "public", SNMPD_MAXCOMMUNITYLEN);
strlcpy(conf->sc_rwcommunity, "private", SNMPD_MAXCOMMUNITYLEN);
strlcpy(conf->sc_trcommunity, "public", SNMPD_MAXCOMMUNITYLEN);
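Review bot: `nctlsocks` is file-static and only ever incremented, and this hunk, which sets the other socket defaults, does not reset it; no other hunk in the commit touches it either. If parse_config() is ever called a second time in the same process, a single `socket` line would be rejected with "multiple control sockets specified". Adding `nctlsocks = 0;` next to `conf->sc_csock.cs_name = SNMPD_SOCKET;` keeps the counter tied to the configuration being parsed. parse_config() starts and ends outside the hunk.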
diff --git a/usr.sbin/snmpd/snmpd.8 b/usr.sbin/snmpd/snmpd.8
index 2cafedff51a..42c69af1bb9 100644
--- a/usr.sbin/snmpd/snmpd.8
+++ b/usr.sbin/snmpd/snmpd.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: snmpd.8,v 1.18 2013/07/16 11:13:34 schwarze Exp $
+.\" $OpenBSD: snmpd.8,v 1.19 2013/10/16 16:05:03 blambert Exp $
.\"
.\" Copyright (c) 2007, 2008 Reyk Floeter <reyk@openbsd.org>
.\"
@@ -14,7 +14,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: July 16 2013 $
+.Dd $Mdocdate: October 16 2013 $
.Dt SNMPD 8
.Os
.Sh NAME
@@ -54,13 +54,6 @@ Show numeric OID values instead of their symbolic names.
.It Fl n
Configtest mode.
Only check the configuration file for validity.
-.It Fl r Ar path
-Open a second, restricted, control socket that
-.Xr snmpctl 8
-can use.
-Only
-.Em trap
-requests are allowed on this socket.
.It Fl v
Produce more verbose output.
.El
diff --git a/usr.sbin/snmpd/snmpd.c b/usr.sbin/snmpd/snmpd.c
index 57aaeebf317..ef5f5c1b109 100644
--- a/usr.sbin/snmpd/snmpd.c
+++ b/usr.sbin/snmpd/snmpd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: snmpd.c,v 1.15 2012/11/29 14:53:24 yasuoka Exp $ */
+/* $OpenBSD: snmpd.c,v 1.16 2013/10/16 16:05:03 blambert Exp $ */
/*
* Copyright (c) 2007, 2008, 2012 Reyk Floeter <reyk@openbsd.org>
@@ -104,7 +104,6 @@ main(int argc, char *argv[])
u_int flags = 0;
int noaction = 0;
const char *conffile = CONF_FILE;
- const char *rcsock = NULL;
smi_init();
@@ -129,9 +128,6 @@ main(int argc, char *argv[])
case 'f':
conffile = optarg;
break;
- case 'r':
- rcsock = optarg;
- break;
case 'v':
flags |= SNMPD_F_VERBOSE;
break;
@@ -160,11 +156,6 @@ main(int argc, char *argv[])
if (getpwnam(SNMPD_USER) == NULL)
errx(1, "unknown user %s", SNMPD_USER);
- /* Configure the control sockets */
- env->sc_csock.cs_name = SNMPD_SOCKET;
- env->sc_rcsock.cs_name = rcsock;
- env->sc_rcsock.cs_restricted = 1;
-
log_init(debug);
if (!debug) {
@@ -225,6 +216,7 @@ main(int argc, char *argv[])
void
snmpd_shutdown(struct snmpd *env)
{
+ struct control_sock *rcs;
pid_t pid;
if (snmpe_pid)
@@ -237,7 +229,11 @@ snmpd_shutdown(struct snmpd *env)
} while (pid != -1 || (pid == -1 && errno == EINTR));
control_cleanup(&env->sc_csock);
- control_cleanup(&env->sc_rcsock);
+ while ((rcs = TAILQ_FIRST(&env->sc_rcsocks)) != NULL) {
+ TAILQ_REMOVE(&env->sc_rcsocks, rcs, cs_entry);
+ control_cleanup(rcs);
+ free(rcs);
+ }
log_info("terminating");
exit(0);
}
diff --git a/usr.sbin/snmpd/snmpd.conf.5 b/usr.sbin/snmpd/snmpd.conf.5
index 6c2513241bb..0878c668745 100644
--- a/usr.sbin/snmpd/snmpd.conf.5
+++ b/usr.sbin/snmpd/snmpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: snmpd.conf.5,v 1.25 2013/08/26 16:56:49 mikeb Exp $
+.\" $OpenBSD: snmpd.conf.5,v 1.26 2013/10/16 16:05:03 blambert Exp $
.\"
.\" Copyright (c) 2007, 2008, 2012 Reyk Floeter <reyk@openbsd.org>
.\"
@@ -14,7 +14,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: August 26 2013 $
+.Dd $Mdocdate: October 16 2013 $
.Dt SNMPD.CONF 5
.Os
.Sh NAME
@@ -136,6 +136,14 @@ If the chosen value is different from
will accept only SNMPv3 requests since older versions neither support
authentication nor encryption.
.Pp
+.It Ic socket Qo Ar path Qc Op Ic restricted
+Set the control socket location to
+.Ar path .
+If
+.Ic restricted
+is specified a restricted control socket will be created.
+By default /var/run/snmpd.sock is used and no restricted socket is created.
+.Pp
.It Ic system contact Ar string
Specify the name or description of the system contact, typically a
name or an e-mail address.
diff --git a/usr.sbin/snmpd/snmpd.h b/usr.sbin/snmpd/snmpd.h
index ce5b42812bf..e598ed0d268 100644
--- a/usr.sbin/snmpd/snmpd.h
+++ b/usr.sbin/snmpd/snmpd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: snmpd.h,v 1.45 2013/10/01 12:41:47 reyk Exp $ */
+/* $OpenBSD: snmpd.h,v 1.46 2013/10/16 16:05:03 blambert Exp $ */
/*
* Copyright (c) 2007, 2008, 2012 Reyk Floeter <reyk@openbsd.org>
@@ -88,7 +88,10 @@ struct control_sock {
struct event cs_evt;
int cs_fd;
int cs_restricted;
+
+ TAILQ_ENTRY(control_sock) cs_entry;
};
+TAILQ_HEAD(control_socks, control_sock);
enum blockmodes {
BM_NORMAL,
@@ -404,7 +407,7 @@ struct snmpd {
u_int32_t sc_engine_boots;
struct control_sock sc_csock;
- struct control_sock sc_rcsock;
+ struct control_socks sc_rcsocks;
char sc_rdcommunity[SNMPD_MAXCOMMUNITYLEN];
char sc_rwcommunity[SNMPD_MAXCOMMUNITYLEN];
diff --git a/usr.sbin/snmpd/snmpe.c b/usr.sbin/snmpd/snmpe.c
index 8a4cf053c09..81395d4c7e6 100644
--- a/usr.sbin/snmpd/snmpe.c
+++ b/usr.sbin/snmpd/snmpe.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: snmpe.c,v 1.35 2013/10/01 12:41:48 reyk Exp $ */
+/* $OpenBSD: snmpe.c,v 1.36 2013/10/16 16:05:03 blambert Exp $ */
/*
* Copyright (c) 2007, 2008, 2012 Reyk Floeter <reyk@openbsd.org>
@@ -71,10 +71,11 @@ snmpe_sig_handler(int sig, short event, void *arg)
pid_t
snmpe(struct snmpd *x_env, int pipe_parent2snmpe[2])
{
- pid_t pid;
- struct passwd *pw;
- struct event ev_sigint;
- struct event ev_sigterm;
+ pid_t pid;
+ struct passwd *pw;
+ struct event ev_sigint;
+ struct event ev_sigterm;
+ struct control_sock *rcs;
#ifdef DEBUG
struct oid *oid;
#endif
@@ -92,8 +93,9 @@ snmpe(struct snmpd *x_env, int pipe_parent2snmpe[2])
if (control_init(&env->sc_csock) == -1)
fatalx("snmpe: control socket setup failed");
- if (control_init(&env->sc_rcsock) == -1)
- fatalx("snmpe: restricted control socket setup failed");
+ TAILQ_FOREACH(rcs, &env->sc_rcsocks, cs_entry)
+ if (control_init(rcs) == -1)
+ fatalx("snmpe: restricted control socket setup failed");
if ((env->sc_sock = snmpe_bind(&env->sc_address)) == -1)
fatalx("snmpe: failed to bind SNMP UDP socket");
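Review bot: With several restricted sockets now possible, the fatal message after a failed `control_init(rcs)` does not tell the operator which configured path failed; a `log_warnx("snmpe: restricted control socket %s", rcs->cs_name);` before the `fatalx` would point straight at the offending `socket` line. The loop body is also an unbraced two-line `if` under `TAILQ_FOREACH`, which is easy to break when a second statement is added, so `TAILQ_FOREACH(rcs, &env->sc_rcsocks, cs_entry) {` with a matching `}` would be safer. Both points apply equally to the `control_listen(rcs)` loop in the following hunk. snmpe()'s body continues outside the hunk.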
@@ -155,8 +157,9 @@ snmpe(struct snmpd *x_env, int pipe_parent2snmpe[2])
if (control_listen(&env->sc_csock) == -1)
fatalx("snmpe: control socket listen failed");
- if (control_listen(&env->sc_rcsock) == -1)
- fatalx("snmpe: restricted control socket listen failed");
+ TAILQ_FOREACH(rcs, &env->sc_rcsocks, cs_entry)
+ if (control_listen(rcs) == -1)
+ fatalx("snmpe: restricted control socket listen failed");
event_set(&env->sc_ev, env->sc_sock, EV_READ|EV_PERSIST,
snmpe_recvmsg, env);