SNMPD configuration incorrect for IPv6

zoc · November 23, 2022, 12:29pm

Hello VyOS team !

When configuring the SNMP daemon for IPv4 and IPv6, the generated snmpd.conf file does not contain rocommunity6 statement. Please have a look below for the exact version I’m running and excerpt of my configuration.

VyOS Version:

Version: VyOS 1.4-rolling-202211190627
Release train: current

Built by: autobuild@vyos.net
Built on: Sat 19 Nov 2022 06:27 UTC
Build UUID: 687dfd47-11ca-4c0c-8045-944ed60279be
Build commit ID: cd6f8ab1040139

Architecture: x86_64
Boot via: installed image
System type: KVM guest

Hardware vendor: QEMU
Hardware model: Standard PC (i440FX + PIIX, 1996)
Hardware S/N:
Hardware UUID: 9245d8cc-e46e-4478-b2d8-587b2e087fee

Copyright: VyOS maintainers and contributors

Configuration:

snmp {
    community monitor {
        authorization "ro"
    }
    contact "**redacted**"
    listen-address 10.100.0.2 {
        port "161"
    }
    listen-address 127.0.0.1 {
        port "161"
    }
    listen-address fd00:dead:babe:100::2 {
        port "161"
    }
    location "**redacted**"
}

roedie · November 23, 2022, 12:50pm

Ah yes, there seems to be a copy/paste error in the etc.snmpd.conf.j2 template. It says:

{%         if comm_config.network is vyos_defined %}
{%             for network in comm_config.network %}
{%                 if network | is_ipv4 %}
{{ comm_config.authorization }}community {{ comm }} {{ network }}
{%                 elif client | is_ipv6 %}
{{ comm_config.authorization }}community6 {{ comm }} {{ network }}
{%                 endif %}
{%             endfor %}
{%         endif %}

But should be

{%         if comm_config.network is vyos_defined %}
{%             for network in comm_config.network %}
{%                 if network | is_ipv4 %}
{{ comm_config.authorization }}community {{ comm }} {{ network }}
{%                 elif network| is_ipv6 %}
{{ comm_config.authorization }}community6 {{ comm }} {{ network }}
{%                 endif %}
{%             endfor %}
{%         endif %}

I’ll create a PR later if time permits.

roedie · November 23, 2022, 6:20pm

See:

github.com/vyos/vyos-1x

T4835: snmpd: Fix copy/paste error in snmpd.conf

vyos:current ← roedie:T4835

opened 06:20PM - 23 Nov 22 UTC

roedie

+1 -1

## Change Summary The variable 'client' was accidently used where 'network sh…ould have been used. This lead to missing community6 string when an IPv6 network was defined instead of an IPv6 client. ## Types of changes  - [x] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Code style update (formatting, renaming) - [ ] Refactoring (no functional changes) - [ ] Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component - [ ] Other (please describe): ## Related Task(s) * https://phabricator.vyos.net/T4835 ## Component(s) name snmpd ## Proposed changes ## How to test  ## Checklist: - [x] I have read the [**CONTRIBUTING**](https://github.com/vyos/vyos-1x/blob/current/CONTRIBUTING.md) document - [x] I have linked this PR to one or more Phabricator Task(s) - [ ] I have run the components [**SMOKETESTS**](https://github.com/vyos/vyos-1x/tree/current/smoketest/scripts/cli) if applicable - [x] My commit headlines contain a valid Task id - [ ] My change requires a change to the documentation - [ ] I have updated the documentation accordingly

zoc · November 28, 2022, 10:34am

Hi @roedie,

Thanks for the fix, and I see that the change is in the latest nightly I downloaded this morning. However… It is still not working with the configuration I posted : no community6 string.

Looking a bit more at the template (now that I understand a bit more how it works), I see this line:

{%         if comm_config.client is not vyos_defined and comm_config.network is not vyos_defined %}          
{{ comm_config.authorization }}community {{ comm }}                                                          
{%         endif %}

It does not have any equivalent for community6. Don’t know if it’s the reason it’s not working but it might be.

zoc · November 28, 2022, 10:38am

Actually, I’ve just duplicated the line in the if statement and changed community to community6 and now it works.

However I don’t really know what it implies to have both community statements being generated without more control.

roedie · December 1, 2022, 8:09pm

I would say that it allows everyone who knows the community to do requests.

I’ll create a fix for this one as well.