net-snmp-coders — Discussion of internal project coding (Please use this OR -users, NOT both!)

Re: Unable to compile net-snmp due to netlink API change

[Craig S. <cs...@dr...>]

On Wed, 3 Apr 2024 at 16:05, Bart Van Assche <bva...@ac...> wrote:

> Something else must be going on. This is the code from configure.ac that
> checks for libnl-3:
>
>         if test "x$ac_cv_header_netlink_netlink_h" = xyes; then
>             AC_EGREP_HEADER([nl_socket_free], [netlink/socket.h],
>                             [AC_DEFINE([HAVE_LIBNL3], [1],
>                             [Define to 1 if <netlink/netlink.h> provides
> the
>                             libnl3 API])])
>         fi
>
It's a little bit more complicated than that.
The issue is when HAVE_LIBNL3 is not defined but HAVE_NETLINK_NETLINK_H is
defined.
/* Define to 1 if you have the <netlink/netlink.h> header file. */
#define HAVE_NETLINK_NETLINK_H 1
/* Define to 1 if <netlink/netlink.h> provides the libnl3 API */
/* #undef HAVE_LIBNL3 */

Then the compat stuff around line 622 of tcpTable.c comes into play, but
its not nl1, its nl3 we have here.
So what's going on with the detection? Something strange in automake and
some magic variables.

The reason why HAVE_LIBNL3 is blank is the test for AC_EGREP_HEADER fails:
configure:28188: result: no
conftest.c:186:10: fatal error: netlink/socket.h: No such file or directory
  186 | #include <netlink/socket.h>
      |          ^~~~~~~~~~~~~~~~~~
compilation terminated.

It can't find the include file because the CFLAGS needs to set the include
path and it doesn't if the libnl-route-3 test fails
 (I guess it zeroes it on failure or maybe because LIBNLROUTE3_CFLAGS is
blank?)
Moving the EGREP test for nl_socket_free immediately before the test for
libnl-route-3 works,
because it uses the CFLAGS of the previous successful test. Compiling works
too, until you try to link it to the missing library
for some of the data_access/*_linux.c files.

The fix isn't to move the EGREP(nl_socket_free) test, that's a symptom.
I'm not sure if the older library needs the route library or not, so the
next steps are hard to say.
If it was just the new library then a fatal error on Linux for the absence
of either libnl3 or libnl-route-3 would do it.

Re: Getting listening port number while processing request

[Bart V. A. <bva...@ac...>]

On 4/3/24 02:35, Teus Benschop wrote:
>
> A snmpd was set to listen on 10 ports through multiple entries like 
> “agentaddress tcp:<port>” in the snmpd.conf file.
> It was verified through snmpget that the snmpd listens on all 10 ports.
>
> Function “netsnmp_callback_open” in file 
> snmplib/transports/snmpCallbackDomain.c was patched to write a few 
> debug messages.
>
> It appears that the function “netsnmp_callback_open” is called once.
> It sets the “callback_ss->local_port” to “((netsnmp_callback_info *) 
> callback_tr->data)->callback_num”, which is 1.
> In the handler callback function, the 
> reqinfo->asp->session->local_port is 0 while processing each snmpget.
>
> You wrote "Make sure that session->local_port is set correctly." I 
> studied the code to set this properly, but didn't manage to get the 
> port number set correctly.

I think this is the callchain for registering the ports that the agent 
listens on:

init_master_agent()
   netsnmp_agent_listen_on()
     netsnmp_transport_open_server()
     netsnmp_register_agent_nsap()
       netsnmp_sess_config_transport()
       snmp_add()
         snmp_sess_add_ex()
           transport->f_setup_session()

One possible approach is to implement the .f_setup_session() callback in 
the TCP transport and to make it copy the port information from the 
transport into the session.

Best regards,

Bart.

Re: Getting listening port number while processing request

[Teus B. <teu...@gm...>]

On Thu, 28 Mar 2024 at 00:13, Bart Van Assche <bva...@ac...> wrote:

> Thanks for the background information. I'm not sure the Net-SNMP API needs
> to be modified to realize this. How about the following approach:
>
>    - Use netsnmp_register_handler() in MIB implementations to associate
>    OIDs with callback functions.
>    - In the handler callback function, use the
>    reqinfo->asp->session->local_port information.
>    - Make sure that session->local_port is set correctly. This may
>    require a code change in Net-SNMP.
>
>
> Hi Bart,

I have gone through the above very helpful steps, as follows:

A snmpd was set to listen on 10 ports through multiple entries like
“agentaddress tcp:<port>” in the snmpd.conf file.
It was verified through snmpget that the snmpd listens on all 10 ports.

Function “netsnmp_callback_open” in file
snmplib/transports/snmpCallbackDomain.c was patched to write a few debug
messages.

It appears that the function “netsnmp_callback_open” is called once.
It sets the “callback_ss->local_port” to “((netsnmp_callback_info *)
callback_tr->data)->callback_num”, which is 1.
In the handler callback function, the reqinfo->asp->session->local_port is
0 while processing each snmpget.

You wrote "Make sure that session->local_port is set correctly." I studied
the code to set this properly, but didn't manage to get the port number set
correctly.

Any help or hints for setting session->local_port would be greatly
appreciated :)

With kind regards,

Teus.

snmptrap : use hostname in source address field

[Pushpa T. <pus...@gm...>]

Hi All,

For snmpv2c traps, Is it possible to configure hostname in the field of
source address

Eg:

*Current behaviour: snmptrap received at manager*
2024-04-03 09:09:54 192.168.112.122(via UDP:
[192.168.112.122]:35620->[192.168.168.136]:162)
TRAP, SNMP v1, community public
iso.3.6.1.4.1.8072.2.3.1 Enterprise Specific Trap (17) Uptime: 4 days,
15:30:06.57
iso.3.6.1.4.1.8072.2.1.1 = INTEGER: 123456


*Expected behviour:*
2024-04-03 09:09:54 192.168.112.122(via UDP:
[snmp_agent_122]:35620->[192.168.168.136]:162)
TRAP, SNMP v1, community public
iso.3.6.1.4.1.8072.2.3.1 Enterprise Specific Trap (17) Uptime: 4 days,
15:30:06.57
iso.3.6.1.4.1.8072.2.1.1 = INTEGER: 123456

                                                           or

2024-04-03 09:09:54 192.168.112.122(via UDP:
[192.168.112.122_agent_122]:35620->[192.168.168.136]:162)
TRAP, SNMP v1, community public
iso.3.6.1.4.1.8072.2.3.1 Enterprise Specific Trap (17) Uptime: 4 days,
15:30:06.57
iso.3.6.1.4.1.8072.2.1.1 = INTEGER: 123456

Kindly guide.

Thanks,
Pushpa.T

Re: Unable to compile net-snmp due to netlink API change

[Bart V. A. <bva...@ac...>]

On 4/2/24 13:40, Craig Small wrote:
> On Wed, 3 Apr 2024 at 02:19, Bart Van Assche <bva...@ac...> wrote:
>
>     Can you please check the configure script logs to see why libnl-3 was
>     not detected?
>
> libnl-3 was detected:
> configure:27875: $PKG_CONFIG --exists --print-errors "libnl-3.0"
> configure:27878: $? = 0
> configure:27936: result: yes
>
> But libnl-route-3.0 was not:
> configure:27942: $PKG_CONFIG --exists --print-errors "libnl-route-3.0"
> Package libnl-route-3.0 was not found in the pkg-config search path.
>
> I added libnl-route-3-dev and it compiled ok.
>
> There's something not quite right with the configure script, because 
> it evaluates
> libnl-3 + !libnl-route-3 = libnl1
> instead of failing.

Something else must be going on. This is the code from configure.ac that 
checks for libnl-3:

         if test "x$ac_cv_header_netlink_netlink_h" = xyes; then
             AC_EGREP_HEADER([nl_socket_free], [netlink/socket.h],
                             [AC_DEFINE([HAVE_LIBNL3], [1],
                             [Define to 1 if <netlink/netlink.h> 
provides the
                             libnl3 API])])
         fi

Thanks,

Bart.

Re: Unable to compile net-snmp due to netlink API change

[Craig S. <cs...@dr...>]

On Wed, 3 Apr 2024 at 02:19, Bart Van Assche <bva...@ac...> wrote:

> Can you please check the configure script logs to see why libnl-3 was
> not detected?
>
libnl-3 was detected:
configure:27875: $PKG_CONFIG --exists --print-errors "libnl-3.0"
configure:27878: $? = 0
configure:27936: result: yes

But libnl-route-3.0 was not:
configure:27942: $PKG_CONFIG --exists --print-errors "libnl-route-3.0"
Package libnl-route-3.0 was not found in the pkg-config search path.

I added libnl-route-3-dev and it compiled ok.

There's something not quite right with the configure script, because it
evaluates
libnl-3 + !libnl-route-3 = libnl1
instead of failing.

 - Craig

Re: Unable to compile net-snmp due to netlink API change

[Bart V. A. <bva...@ac...>]

On 4/2/24 01:49, Craig Small via Net-snmp-coders wrote:
> Hello All,
>    I was attempting to compile the git head of net-snmp. One big change 
> is that uses netlink sockets instead of reading /proc/net/*
> 
> The issue is the API is different to the library I can see.
> 
> mibgroup/mibII/tcpTable.c:631:12: error: too few arguments to function 
> ‘nl_geterror’
>    631 |     return nl_geterror();
>        |            ^~~~~~~~~~~
> 
> And indeed nl_geterror() requires a int:
> https://github.com/tgraf/libnl/blob/master/include/netlink/errno.h#L56 
> <https://github.com/tgraf/libnl/blob/master/include/netlink/errno.h#L56>
> extern const char * nl_geterror(int);
> 
> So I'm not exactly sure what netlink library is being used here. I 
> cannot disable this feature either:
> mibgroup/if-mib/data_access/interface_linux.c:27:2: error: #error 
> libnl-3 is required. Please install the libnl-3 and libnl-route-3 
> development packages and remove --without-nl from the configure options 
> if necessary.
>     27 | #error libnl-3 is required. Please install the libnl-3 and 
> libnl-route-3 development packages and remove --without-nl from the 
> configure options if necessary.
>        |  ^~~~~

The Net-SNMP configure script detects whether libnl-1 / libnl-3 is
present. The above error message comes from the libnl-3 compat code and
hence means that libnl-3 was not detected. I'm referring to this code:

         if test "x$ac_cv_header_netlink_netlink_h" = xyes; then
             AC_EGREP_HEADER([nl_socket_free], [netlink/socket.h],
                             [AC_DEFINE([HAVE_LIBNL3], [1],
                             [Define to 1 if <netlink/netlink.h> 
provides the
                             libnl3 API])])
         fi

Can you please check the configure script logs to see why libnl-3 was
not detected?

Thanks,

Bart.

Unable to compile net-snmp due to netlink API change

[Craig S. <cs...@dr...>]

Hello All,
  I was attempting to compile the git head of net-snmp. One big change is
that uses netlink sockets instead of reading /proc/net/*

The issue is the API is different to the library I can see.

mibgroup/mibII/tcpTable.c:631:12: error: too few arguments to function
‘nl_geterror’
  631 |     return nl_geterror();
      |            ^~~~~~~~~~~

And indeed nl_geterror() requires a int:
https://github.com/tgraf/libnl/blob/master/include/netlink/errno.h#L56
extern const char * nl_geterror(int);

So I'm not exactly sure what netlink library is being used here. I cannot
disable this feature either:
mibgroup/if-mib/data_access/interface_linux.c:27:2: error: #error libnl-3
is required. Please install the libnl-3 and libnl-route-3 development
packages and remove --without-nl from the configure options if necessary.
   27 | #error libnl-3 is required. Please install the libnl-3 and
libnl-route-3 development packages and remove --without-nl from the
configure options if necessary.
      |  ^~~~~

 - Craig

-- 

Craig Small             https://dropbear.xyz/  csmall at : dropbear.xyz
Debian GNU/Linux        https://www.debian.org/
<http://www.debian.org/>  csmall at : debian.org
GPG fingerprint:     5D2F B320 B825 D939 04D2  0519 3938 F96B DF50 FEA5

Re: Getting listening port number while processing request

[Teus B. <teu...@gm...>]

On Thu, 28 Mar 2024 at 00:13, Bart Van Assche <bva...@ac...> wrote:

> Hi Teus,
>
> Thanks for the background information. I'm not sure the Net-SNMP API needs
> to be modified to realize this. How about the following approach:
>
>    - Use netsnmp_register_handler() in MIB implementations to associate
>    OIDs with callback functions.
>    - In the handler callback function, use the
>    reqinfo->asp->session->local_port information.
>    - Make sure that session->local_port is set correctly. This may
>    require a code change in Net-SNMP.
>
> Best regards,
>
> Bart.
>
>
> Hi Bart,

What a great hint this is: No API change, and making sure that the
local_port is set correctly.

I am going to look into this for sure, and try to get this to work for TCP.

Thank you a lot for this information, that is helpful :)

Teus.

Re: Getting listening port number while processing request

[Bart V. A. <bva...@ac...>]

On 3/27/24 00:15, Teus Benschop wrote:
> On Wed, 27 Mar 2024 at 00:58, Bart Van Assche <bva...@ac...> wrote:
>
>     Please explain why you want to obtain that information and also
>     how you plan to use it. Which APIs to modify will depend on the
>     answer to that question.
>
>
>
> Hello Bert,
>
> Thank you for asking this question.
>
> The background to this is that we are building software to control 
> traffic signs above the highways. These signs are controlled through 
> one of the NTCIP protocols (https://www.ntcip.org). And this protocol 
> again is based on the SNMP protocol. Each traffic sign contains one 
> SNMP agent that listens on a given port number.
>
> We are building a simulator to simulate all of those traffic signs. 
> Currently one simulator simulates one traffic sign. The traffic sign 
> has many and large SNMP tables registered with Net-SNMP. Due to the 
> sheer size and amount of objects in the SNMP tables, plus many other 
> registered objects, one simulator now allocates about 350 Mbytes of 
> memory.
>
> If we simulate, say, 20 traffic signs, then the allocated memory 
> becomes about 7 Gbytes. If we simulate 100 traffic signs, then the 
> allocated memory becomes around 35 Gigabytes.
>
> We now have the idea to only run one SNMP agent, and hence allocate 
> only 350 Megabytes of memory, but then let this SNMP agent listen on 
> multiple ports, through the Net-SNMP library.
>
> The traffic signs listen on the TCP protocol, hence the simulator uses 
> TCP too.
>
> If the simulator listens on, say, port 2001, 2002, 2003, and so on, 
> then this would simulate traffic sign #1 on port 2001, traffic sign #2 
> on port 2002, and traffic sign #3 on port 2003. If the traffic control 
> software sends a SNMP get request to, say, port 2002, then the traffic 
> sign simulator knows that it should respond with data about traffic 
> sign #2.
>
> Hence if the Net-SNMP library would expose the TCP port number that a 
> given request was sent to, the simulator would make a call to the 
> Net-SNMP library to find the port number, and give an appropriate 
> response.
>
> This is the reason why I want to obtain the port number, and this 
> would be the intended usage of it.

Hi Teus,

Thanks for the background information. I'm not sure the Net-SNMP API 
needs to be modified to realize this. How about the following approach:

  * Use netsnmp_register_handler() in MIB implementations to associate
    OIDs with callback functions.
  * In the handler callback function, use the
    reqinfo->asp->session->local_port information.
  * Make sure that session->local_port is set correctly. This may
    require a code change in Net-SNMP.

Best regards,

Bart.

Re: Getting listening port number while processing request

[Teus B. <teu...@gm...>]

On Wed, 27 Mar 2024 at 00:58, Bart Van Assche <bva...@ac...> wrote:

> Please explain why you want to obtain that information and also how you
> plan to use it. Which APIs to modify will depend on the answer to that
> question.
>
>
>
Hello Bert,

Thank you for asking this question.

The background to this is that we are building software to control traffic
signs above the highways. These signs are controlled through one of the
NTCIP protocols (https://www.ntcip.org). And this protocol again is based
on the SNMP protocol. Each traffic sign contains one SNMP agent that
listens on a given port number.

We are building a simulator to simulate all of those traffic signs.
Currently one simulator simulates one traffic sign. The traffic sign has
many and large SNMP tables registered with Net-SNMP. Due to the sheer size
and amount of objects in the SNMP tables, plus many other registered
objects, one simulator now allocates about 350 Mbytes of memory.

If we simulate, say, 20 traffic signs, then the allocated memory becomes
about 7 Gbytes. If we simulate 100 traffic signs, then the allocated memory
becomes around 35 Gigabytes.

We now have the idea to only run one SNMP agent, and hence allocate only
350 Megabytes of memory, but then let this SNMP agent listen on multiple
ports, through the Net-SNMP library.

The traffic signs listen on the TCP protocol, hence the simulator uses TCP
too.

If the simulator listens on, say, port 2001, 2002, 2003, and so on, then
this would simulate traffic sign #1 on port 2001, traffic sign #2 on port
2002, and traffic sign #3 on port 2003. If the traffic control software
sends a SNMP get request to, say, port 2002, then the traffic sign
simulator knows that it should respond with data about traffic sign #2.

Hence if the Net-SNMP library would expose the TCP port number that a given
request was sent to, the simulator would make a call to the Net-SNMP library
to find the port number, and give an appropriate response.

This is the reason why I want to obtain the port number, and this would be
the intended usage of it.

Thanks,

Teus

snmp code fix for Vulnerability

[sukeerthi bj <suk...@gm...>]

Hi Team,

I am currently working on NET-SNMP code integration for a project.
I want to understand the code changes for this  CVE-2008-6123.
Can someone please point to the change list for same?

-Sukeerthi

Re: Getting listening port number while processing request

[Bart V. A. <bva...@ac...>]

On 3/25/24 11:26, Teus Benschop wrote:
> 2. What are the ideas to expose this agent_tcp_port_number via the 
> API? (Possibly I could add a function in the public API, that gets 
> this variable and exposes it as a call.) Ideas?

Please explain why you want to obtain that information and also how you 
plan to use it. Which APIs to modify will depend on the answer to that 
question.

Thanks,

Bart.

Re: Updating the LM-SENSORS MIB (Issue #752)

[Niels B. <ni...@ba...>]

Den 26-03-2024 kl. 10:10 skrev Craig Small via Net-snmp-coders:
 > Hi,
 >   This email is about working out how the LM-SENSORS MIB should be 
updated. If it was just a matter of updating the SNMP agent, I'd just 
create a pull request but the MIB is (might be?) different.

Great!

 > How do I get this MIB updated? I'm willing to write it up and the 
change for the agent, would a PR for the MIB be enough or does it need 
to go through some sort of other approval process?

There is nothing special about updating the MIB, so just include the 
update in your PR.

Personally I would prefer that that new object had

UNITS "Cel"
DISPLAY-HINT "d-3"

instead of displaying a milli-value, but that is personal taste.

Remember to add a REVISION section to the MIB when you update it.

/Niels

-- 
Niels Baggesen -- @home -- Århus -- Denmark -- ni...@ba...
The purpose of computing is insight, not numbers  --  R W Hamming

Re: Updating the LM-SENSORS MIB (Issue #752)

[Bart V. A. <bva...@ac...>]

On 3/26/24 02:10, Craig Small via Net-snmp-coders wrote:
> This email is about working out how the LM-SENSORS MIB should be 
> updated. If it was just a matter of updating the SNMP agent, I'd just 
> create a pull request but the MIB is (might be?) different.
>
> The issue is that Gauge32 can only represent a non-negative integer 
> (ref RFC 2578). which means if the temperature sensor reads negative 
> values, which does happen.
>
> How do I get this MIB updated? I'm willing to write it up and the 
> change for the agent, would a PR for the MIB be enough or does it need 
> to go through some sort of other approval process?

Please submit a pull request that adds a new MIB object with the desired 
characteristics (MIB changes + code changes). Anyone who disagrees can 
speak up now or can comment on the pull request.

Thanks,

Bart.

Updating the LM-SENSORS MIB (Issue #752)

[Craig S. <cs...@dr...>]

Hi,
 This email is about working out how the LM-SENSORS MIB should be updated.
If it was just a matter of updating the SNMP agent, I'd just create a pull
request but the MIB is (might be?) different.

The issue is that Gauge32 can only represent a non-negative integer (ref
RFC 2578). which means if the temperature sensor reads negative values,
which does happen.

How do I get this MIB updated? I'm willing to write it up and the change
for the agent, would a PR for the MIB be enough or does it need to go
through some sort of other approval process?

 - Craig
Reference: https://github.com/net-snmp/net-snmp/issues/752

-- 

Craig Small             https://dropbear.xyz/  csmall at : dropbear.xyz
Debian GNU/Linux        https://www.debian.org/
<http://www.debian.org/>  csmall at : debian.org
GPG fingerprint:     5D2F B320 B825 D939 04D2  0519 3938 F96B DF50 FEA5

Re: Getting listening port number while processing request

[Teus B. <teu...@gm...>]

Hello again,

On the topic of getting the agent listening port number while processing a
SNMP equest, discussed in previous emails:

I am working on a proposal for a patch, and have this code already, as a
first possible partial solution to the above wish.

File: snmplib/transports/snmpTCPBaseDomain.c

Code:

// The port number of the agent to which the SNMP request was sent.

*static* uint16_t agent_tcp_port_number = 0;

*int* netsnmp_tcpbase_recv(netsnmp_transport *t, *void* *buf, *int* size,

                         *void* **opaque, *int* *olength) // Todo

{

    *int* rc = -1;



    *if* (t != *NULL* && t->sock >= 0) {

        *while* (rc < 0) {

            rc = recvfrom(t->sock, buf, size, 0, *NULL*, *NULL*);

            *if* (rc < 0 && errno != EINTR) {

                DEBUGMSGTL(("netsnmp_tcpbase", "recv fd %d err %d
(\"%s\")\n",

                            t->sock, errno, strerror(errno)));

                *break*;

            }

            DEBUGMSGTL(("netsnmp_tcpbase", "recv fd %d got %d bytes\n",
t->sock, rc));


            *struct* sockaddr_in sin;

            socklen_t len = *sizeof*(sin);

            *if* (getsockname(t->sock, (*struct* sockaddr *)&sin, &len) == -
1)

                DEBUGMSGTL(("vms", "getsockname error %s\n",
strerror(errno)));

            *else* {

                agent_tcp_port_number = ntohs(sin.sin_port)

                DEBUGMSGTL(("vms", "agent port number %d\n",
agent_tcp_port_number));

            }



        }

....

This is just a first attempt at getting this to work. The code above logs
the agent's port number, so that is now working.

Questions:

1. What do you think of this code?
2. What are the ideas to expose this agent_tcp_port_number via the API?
(Possibly I could add a function in the public API, that gets this variable
and exposes it as a call.) Ideas?

Met vriendelijke groeten,
With kind regards,

Teus Benschop
https://freesoftwareconsultants.nl
https://bibledit.org

trap2sink question

[Josef Ř. <jr...@re...>]

Hi folks,

I would like to ask for confirmation/correction of my understanding for
following scenario:

If I have in /etc/snmp/snmpd.conf file

agentaddress 10.2.37.21:161
...
trap2sink 10.2.23.200 trapnni
trap2sink 1.1.1.1 trapnni
trap2sink 10.2.23.201 trapnni

and in `~/.snmp/hosts`

clientaddr 10.2.38.21
transport udp:10.2.23.200:162

than when sending a trap the output is:

Sending 96 bytes to UDP: [10.2.23.200]:162->[10.2.38.21]:33534
Sending 96 bytes to UDP: [1.1.1.1]:162->[0.0.0.0]:55734
Sending 96 bytes to UDP: [10.2.23.201]:162->[10.2.38.21]:59991

Do I understand correctly that because the 1.1.1.1 address isn't part of
10.x.x.x class (doesn't have the same prefix), there is only one option to
set destination address to 0.0.0.0 Or is this bad behaviour?

Best regards

Josef Ridky
Senior Software Engineer
Core Services Team
Red Hat Czech, s.r.o.

SNMPV3 traps from subagent code

[Prankur C. <pra...@gm...>]

Dear Snmp Community,

I have written a subagent (skeleton generated from subagent.m2c), where the
while loop is as follows:
/* you're main loop here... */
    while(keep_running) {
        //check and send traps
        if (gTrapsAvailable) {
            gTrapsAvailable = false;
            //call traps
            for (const auto error : gErrors) {
                send_user_trap(error); //internally calls the send_v3trap()
api
            }
        }
        /* if you use select(), see snmp_select_info() in snmp_api(3) */
        /*     --- OR ---  */
        agent_check_and_process(1); /* 0 == don't block */
        //std::this_thread::sleep_for(std::chrono::milliseconds(100));

    }

My original problem was related to sending snmpv3 traps (send_v3trap()
api) *when
called from a different thread context*, then there were duplicate traps
sent.

/* excerpt from debug logs , total 4 times send_v3trap api called but 8
trap send)

2024-03-05 12:50:01 trap: send_trap -1 -1 iso.3.6.1.4.1.8072.3.2.10
2024-03-05 12:50:01 trap: sending trap type=12, version=193 to Local IPC:
/var/agentx/master
2024-03-05 12:50:01 agentx_build: packet built okay
test trap send_v3trap send
2024-03-05 12:50:01 trap: send_trap -1 -1 iso.3.6.1.4.1.8072.3.2.10
2024-03-05 12:50:01 trap: sending trap type=12, version=193 to Local IPC:
/var/agentx/master
2024-03-05 12:50:01 agentx_build: packet built okay
test trap send_v3trap send
2024-03-05 12:50:01 trap: send_trap -1 -1 iso.3.6.1.4.1.8072.3.2.10
2024-03-05 12:50:01 trap: sending trap type=12, version=193 to Local IPC:
/var/agentx/master
2024-03-05 12:50:01 agentx_build: packet built okay
test trap send_v3trap send
2024-03-05 12:50:01 trap: send_trap -1 -1 iso.3.6.1.4.1.8072.3.2.10
2024-03-05 12:50:01 trap: sending trap type=12, version=193 to Local IPC:
/var/agentx/master
2024-03-05 12:50:01 agentx_build: packet built okay
test trap send_v3trap send
2024-03-05 12:50:02 agentx_build: packet built okay
2024-03-05 12:50:02 trap: handle_inform_response for session UNKNOWN
2024-03-05 12:50:02 trap: resending an inform for reqid=1933228917
2024-03-05 12:50:02 agentx_build: packet built okay
2024-03-05 12:50:02 trap: handle_inform_response for session UNKNOWN
2024-03-05 12:50:02 trap: resending an inform for reqid=1933228919
2024-03-05 12:50:02 trap: handle_inform_response for session UNKNOWN
2024-03-05 12:50:02 trap: received the inform response for reqid=1933228917
2024-03-05 12:50:02 trap: handle_inform_response for session UNKNOWN
2024-03-05 12:50:02 trap: received the inform response for reqid=1933228919
2024-03-05 12:50:02 agentx_build: packet built okay
2024-03-05 12:50:02 trap: handle_inform_response for session UNKNOWN
2024-03-05 12:50:02 trap: resending an inform for reqid=1933228921
2024-03-05 12:50:02 trap: handle_inform_response for session UNKNOWN
2024-03-05 12:50:02 trap: received the inform response for reqid=1933228921
2024-03-05 12:50:02 agentx_build: packet built okay
2024-03-05 12:50:02 trap: handle_inform_response for session UNKNOWN
2024-03-05 12:50:02 trap: resending an inform for reqid=1933228923
2024-03-05 12:50:02 trap: handle_inform_response for session UNKNOWN
2024-03-05 12:50:02 trap: received the inform response for reqid=1933228923

After reading some comments from the community my understanding is that
since snmp is not thread safe so the trap api must be called from subagent
thread context i.e. the while loop.
It solves my duplicate trap issue, but the problem now is that main thread
needs to wait for 15 seconds (ping timeout) when the
agent_check_and_process(1) unblocks and then send the traps.

I can run the agent_check_and_process(0) and make some sleep after, in
worst case introducing a delay of some x milliseconds

Therefore I want to ask 2 questions:
1. Is is possible to send the traps from different thread context (from
subagent), if yes then how ?
2. If not, then somehow is it possible to set the timeout on the
agent_check_and_process(int) api ? //I do not think decreasing the ping
timeout is a good idea
3. If also not possible to set the timeout, then is there some other way /
example like snmp_select_info ?


Cheers
Prankur


-- 
Cheers
Prankur

Re: [*Newsletter*] snmpv3 inform packets

[Mostafa K. <mos...@da...>]

In SNMP v3, any message that requires that the receiver sends back a reply, the sender must use the receiver engine id. Engine Id is a  unique value that identifies a specific SNMP device.

For example, get, set, walk .... from the SNMP manager require that the manager use the agent engine id.

An inform requires that the sender must use the receiver engine id because the receiver must acknowledge the inform.

The way to determine the receiver engine id is to send a  discovery packet which is a get with specific PDU values (see the link below).

So, my guess is:
#1 is a discovery message.
# 2 a report message from the receiver with its engine id.
#3 The actual inform message (However, I am a bit hazy about whether #3 needs the boot number and system uptime or not for it to be a valid inform. My understanding is that the actual boot and system uptime are required for the receiver to determine if this is a new message or an old, stalled message. Please somebody correct me if I am wrong).
#4 Acknowledgement from the receiver.

I don't have access to your messages to determine if the above is correct.

Read this https://www.dialogic.com/generatedpdfs/bn-sbc/bordernet_sbc_3-8-1/SNMP-Guide.pdf specifically section 2.3 which explains the discovery mechanism.

Also, check the function:
 int snmpv3_probe_contextEngineID_rfc5343(struct session_list *slp, netsnmp_session *session)   and the one above it static struct session_list * snmp_sess_copy(netsnmp_session * pss)  in the snmp_api.c file.

I also read somewhere that you can send inform with null or wrong engine id and the receiver will send you an error message, but it will contain its engine Id which you can use for subsequent inform message sending.

I hope this is clear, I would appreciate any correction to what I wrote above.

All the best,

Mostafa Kassem







________________________________
From: Pushpa Thimmaiah <pus...@gm...>
Sent: Friday, February 23, 2024 3:24 AM
To: Net-SNMP Coders <net...@li...>
Subject: [*Newsletter*] snmpv3 inform packets

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.

Hi All,

I have noticed that there are four packets exchange between snmp-agent and trap-receiver for snmpv3-inform.
I would like to know what are information exchanged.
1. get request : Agent---> Receiver
2. Response :   Agent <---- Receiver ( PDU contain receiver's engineID but boot and enginetime are zero)
3. send trap :   Agent -----> Receiver (trap pdu has snmpv3 user credentials and  receiver's engineID, but boot and enginetime are zero)
4. ACK?? :       Agent <----- Receiver (PDU contain receiver's engineID, also boot and engineTime )

Kindly provide more details. It will help me to understand snmpv3 informs.

Thank You,
Pushpa.T

snmpv3 inform packets

[Pushpa T. <pus...@gm...>]

Hi All,

I have noticed that there are four packets exchange between snmp-agent and
trap-receiver for snmpv3-inform.
I would like to know what are information exchanged.
1. get request : Agent---> Receiver
2. Response :   Agent <---- Receiver ( PDU contain receiver's engineID but
boot and enginetime are zero)
3. send trap :   Agent -----> Receiver (trap pdu has snmpv3 user
credentials and  receiver's engineID, but boot and enginetime are zero)
4. ACK?? :       Agent <----- Receiver (PDU contain receiver's engineID,
also boot and engineTime )

Kindly provide more details. It will help me to understand snmpv3 informs.

Thank You,
Pushpa.T

Memory leak with net-snmp agent v3 ?

[Vincent G. <vin...@ov...>]

Hi,

I managed to do a secure DTLS comm between my laptop (snmpget) and my embedded device net-snmp agent.

But I noticed there's somewhere a memory leak on the Agent (embedded device) side : I see some 12KB amount of memory taken by the agent each time it successfully handles such request, and it seems to never be released/freed.

(( As it's huge, I tried to disabled the logging system with --disable-debugging on configure script, but it changes nothing ))

I don't absolutely know where to look at into the code...

Does this ring a bell to anyone ?
Thank you !

--> Here's my configure options
./configure --prefix=$(INSTALL_PREFIX) --host=$(HOST) \
  --disable-applications --enable-debugging --disable-embedded-perl --without-perl-modules \
  --enable-reentrant \
  --with-cc=$(CC) --with-linkcc=$(CC) --with-ar=$(AR) --with-ldflags="$(LDFLAGS)" --with-cflags="$(CFLAGS_EXT)" \
  --with-openssl=$(LIB_DIRS) \
  --without-rpm \
  --with-logfile="/tmp/var/snmpd.log" \
  --with-default-snmp-version="3" \
  --with-transports="UDP,TCP,DTLSUDP,TLSTCP" --with-security-modules="usm,tsm" \
 --with-persistent-directory="/var/net-snmp" \
  --enable-shared=yes --enable-static=no --enable-tagCC-libtool

Re: Inclusion of UCD MIBs in other projects

[Martijn v. D. <ne...@li...>]

ping

On Thu, 2024-01-18 at 18:07 +0100, Martijn van Duren wrote:
> hello coders@,
> 
> First let me introduce myself. I'm ma...@op... and the current
> maintainer of OpenBSD's own snmp stack.
> 
> I would like to include UCD-DISKIO-MIB and it's dependency UCD-SNMP-MIB
> into OpenBSD base and would like explicit permission before doing so.
> 
> My motivation for this is that in OpenBSD the name<->OID translations
> are hardcoded in mib.h, which is limiting and error-prone in multiple
> ways. To this end I've written (intial) SMIv2 support for snmpd(8)[0]
> and would like to include the MIBs (partially) supported native by
> OpenBSD's base system. Most of these are by IETF/IANA and to the best of
> my knowledge can be included without any problems. However, OpenBSD also
> partially supports the UCD-DISKIO-MIB metrics, of which I'm not sure.
> 
> Thanks in advance.
> 
> Sincerely,
> 
> Martijn van Duren
> 
> [0] https://marc.info/?l=openbsd-tech&m=170386489813398&w=2
>     https://marc.info/?l=openbsd-tech&m=170386526013565&w=2
>     https://marc.info/?l=openbsd-tech&m=170386517313548&w=2
>     https://marc.info/?l=openbsd-tech&m=170386524813562&w=2
>     https://marc.info/?l=openbsd-tech&m=170386531513578&w=2
> 
> 
> _______________________________________________
> Net-snmp-coders mailing list
> Net...@li...
> https://lists.sourceforge.net/lists/listinfo/net-snmp-coders

Re: SIGHUP for changing snmpv3 context

[Bill F. <fe...@gm...>]

Hi Vivek,

There are some types of configuration that can only be applied with a
restart, because the option to change them has not yet been implemented.
There is nothing fundamental that prevents this from being implemented, but
it is not a simple fix, which is why it hasn't been done yet.

  Bill


On Tue, Jan 9, 2024 at 1:58 AM Vivek Aditya <viv...@gm...> wrote:

> Hi Team,
>
> I want the snmpv3 context to change without snmpd restart. When I checked
> with SIGHUP, looks like adding a new snmpv3 context, SIGHUP works; But
> deleting the context and sending a SIGHUP, the context does not get deleted
> and still able to perform walk with that context.
>
> Is there a way to do it or has this issue already been resolved? Any help
> would be appreciated
>
> --
> Warm Regards,
> Vivek Aditya
> _______________________________________________
> Net-snmp-coders mailing list
> Net...@li...
> https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
>

Certificate configuration ( snmpd.conf )

[Vincent G. <vin...@ov...>]

Hi,
I'm struggle with agent to be configured for DTLS, so could you confirm my snmpd.conf file is OK ? :

Here it is -->

createUser vincent MD5 "myPassPhrase" DES "myPrivPhrase"

agentAddress dtlsudp:10161

dtls enable
dtls serverCert /usr/local/etc/snmp/certs/server.pem
dtls privateKey /usr/local/etc/snmp/certs/server_key.pem
[snmp] x509CRLFile /var/mydev/cacrl.pem
[snmp] serverCert A4:D9:BB:CD:38:79:17:1A:74:A2:19:4D:B1:4E:2A:D4:EE:0D:DC:C7

view viewallmibs included .1
access grptbox "" any priv exact viewallmibs viewallmibs none
access grptbox_unsec "" any auth exact viewallmibs none none

group grptbox tsm vincent
rwuser -s tsm vincent priv -V viewallmibs
certSecName 10 F5:DC:34:45:30:41:A6:39:33:74:EF:8E:23:E8:4C:F2:96:D7:DB:13 --sn vincent

-->
More specific questions ;
- Do I have to use "trustCert" ?
- Man does not specify "[snmp] serverCert", or dtls , or dtls serverCert or dtls privateKey ... So I'm not sure. Could you confirm I can and this is correct ? And if not, how could I specify the server certificate location ?
- I don't have to give to the agent the clients certificates, because I provide the fingerprints : am I correct ?

Thanks a lot !