Age | Commit message | Author |
|
to export them via snmp.
Introduce option filter-pf-addresses similar to filter-routes which
prevents exporting below the OPENBSD-PF-MIB::pfTblAddrTable oid.
Other pf table statistics are unaffected by this and still available.
With this I can do a bulkwalk starting at pfMIBObjects without hitting
timeouts and without spinning the cpu at 100% for days to export 300k
prefixes.
man page input kn
OK claudio, sthen. martijn is also fine with it going in.
|
|
This probably needs a cleaner approach in the long run, but fixes the
ober_oid_cmp for now.
From gerhard_roth <at> genua <dot> de
|
|
so move our BER API to the unused ober_* prefix to avoid some
breakage in ports.
Problem diagnosed by jmatthew with ber_free() in samba, but
there are many others as pointed out by sthen.
tests & ok rob
ok sthen (who had an almost identical diff for libutil)
"go head hit it" deraadt
|
|
scalar.
For example if you getnext request 1.3.6.1.4.1.30155.6.1.1 you get a
varbind oid of 1.3.6.1.4.1.30155.6.1.1.0, but the value of
1.3.6.1.4.1.30155.6.1.2.0. I have a fix in the making, but we're too close
to release and here be too many dragons.
Found by bluhm@
|
|
elements exists and is a (agentx) registered element. If so, forward the
getnext to the subagent, else get the actual next element.
This is only a partial fix, but lets us at least (together with a different
patch for relayd) walk relayd's elements.
OK claudio@
|
|
- pdu header has 3 elements, not 4
- additional varbinds are optional.
This is needed to make ber_scanf_elements stricter.
Note that people using "trap handle" in their snmpd.conf and expecting a trap
without additional varbinds to show the trapoid to appear twice will have
to adjust their "command".
OK rob@
|
|
for this MIB in the first place, this has now been removed in ifq changes.
Since the MIB is marked as deprecated anyway, simply return 0. ok claudio@
|
|
much what this counter is for. For sure better than net.inet.ip.ifq.drops
which no longer exists.
Found by and OK martijn@ and OK sthen@
|
|
to misread.
as per suggestion by and OK deraadt@
|
|
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.
|
|
OK claudio@, gerhard@
|
|
preparation for SHA-2 support.
OK claudio@, gerhard@
|
|
oids needing to be part of the snmpd loaded tree.
This is in line with RFC3416.
OK gerhard@ who apparently has the exact same diff in his repo.
|
|
snmpEngineBoots and snmpEngineTime by sending an AuthPriv request with the
requested values set to zero and with a valid user.
Move the engine_boots and engine_time down after the user check and remove
the 0-check, so we can reply with the appropriate usmStatsNotInTimeWindows.
This allows us to use p5-Net-SNMP against snmpd with seclevel enc.
OK rob@
|
|
snmpEngineID by sending a noAuthNoPriv request. Move the seclevel check to
after the usm_decode phase, so we can reply with the mandatory
usmStatsUnknownEngineIDs instead of usmStatsUnsupportedSecLevels.
This brings us one step closer to using p5-Net-SNMP with seclevel enc.
OK tb@, rob@
|
|
snmpctl. Separate copies of ber.[ch] have existed and been maintained in sync
in ldap, ldapd, ypldap and snmpd.
This commit moves the BER API into /usr/lib/libutil. All current consumers
already link libutil. ldapd and snmpd regress passes, and release builds.
With help from tb@ and guenther@.
ok deraadt@, tb@
|
|
ok reyk@
|
|
ok claudio@
|
|
fixes a problem when handling large negative integers.
ok claudio@
|
|
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno
|
|
where the "wrong" #define was used.
ok dlg@
|
|
Dup /dev/null to the stdio file descriptors in the children.
based on a fix for httpd(8) and relayd(8); from Jan Klemkow
|
|
OK deraadt@, tb@, claudio@
|
|
Change distance sensor type to be displayed as meters with 3 decimals
instead of millimeters.
ok mpi@ kettenis@
|
|
the prefixlen is never bigger than 128 for inet6.
OK remi@
|
|
Found via snmpctl snmp walk 127.0.0.1 oid 1
OK claudio@
|
|
pledge cannot be used, nevertheless since we now have unveil available we can
use it to guarantee that in this particular case the snmpe process cannot
access the filesystem at all, therefore close a big attack vector and achieve
a great level of protection even without being able to use pledge.
prodded by deraadt@
|
|
read permissions, but once it reaches pledge(2) just before the main loop both
were already opened. Since snmpd(8) doesn't have a way to load or reload the
config file, not even through SIGHUP, then rpath promise is not needed.
The snmpe process cannot yet be pledged, but it doesn't need fs access so we
can disable the access through unveil("/", ""); unveil(NULL, NULL);
"looks right" to deraadt@
|
|
(and other lexers too)
This commit rectifies earlier change:
in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
OK deraadt@, OK millert@
|
|
rtable 255 is a valid routing table or domain id that wasn't handled
by the ip[6]_mroute code or by snmpd. The arrays in the ip[6]_mroute
code were off by one and didn't allocate space for rtable 255; snmpd
simply ignored rtable 255. All other places in the tree seem to
handle RT_TABLEID_MAX correctly.
OK florian@ benno@ henning@ deraadt@
|
|
"looks good" gilles@ halex@
|
|
ok mpi@
|
|
ok claudio@ miko@
|
|
build and is still a work in progress. Tweaks and comments welcome.
|
|
ok claudio@
|
|
sockets cause no harm and this way we close another attack surface by not
allowing the daemon to create/delete any more files.
While here also scramble pledge promises to their canonical form.
OK florian@
|
|
possible stack overflow due to recursion in ber_free_elements().
ok claudio@
|
|
ok claudio@
|
|
ok claudio@
|
|
This way the size is the same on all archs and 32bit should be good enough.
OK rob@
|
|
ok tb@, claudio@
|
|
api uses read and write buffers (byte streams) that are utilized by calling
applications which may or may not use sockets.
ok claudio@
buffer byte streams that applications then use for
|
|
ok claudio@, jca@
|
|
out of memory log_warn(). i.e. ("%s", __func__) instead of manual
function names and redundant verbiage about which wrapper detected the
out of memory condition.
ok henning@
|
|
calloc or strdup), we just need to log that we ran out of memory in a
particular function.
Recommended by florian@ and deraadt@
ok benno@ henning@ tb@
|