Hi,

I reproduced the issue by merely changing as below in TestAgent.java in the SNMP4J-Agent project. Again, I'm attempting to exclude only sysDescr.0, but I actually exclude that and everything else.

// Before
vacm.addViewTreeFamily(new OctetString("fullReadView"), new OID("1.3"), new OctetString(), VacmMIB.vacmViewIncluded, StorageType.nonVolatile);
// After
vacm.addViewTreeFamily(new OctetString("fullReadView"), new OID("1.3.6.1.2.1.1.1.0"), new OctetString(), VacmMIB.vacmViewExcluded, StorageType.nonVolatile);

I first try sysDescr.0 and get the expected denial, then I am indirectly denied again when attempting sysObjectID.0. Here is the result:

8803 [DefaultUDPTransportMapping_0.0.0.0/161] DEBUG org.snmp4j.transport.DefaultUdpTransportMapping - Received message from /127.0.0.1/51206 with length 43: 30:29:02:01:01:04:06:70:75:62:6c:69:63:a0:1c:02:04:18:56:78:81:02:01:00:02:01:00:30:0e:30:0c:06:08:2b:06:01:02:01:01:01:00:05:00
8815 [DefaultUDPTransportMapping_0.0.0.0/161] DEBUG org.snmp4j.Snmp - Fire process PDU event: CommandResponderEvent[securityModel=2, securityLevel=1, maxSizeResponsePDU=65535, pduHandle=PduHandle[408320129], stateReference=StateReference[msgID=0,pduHandle=PduHandle[408320129],securityEngineID=null,securityModel=null,securityName=public,securityLevel=1,contextEngineID=null,contextName=null,retryMsgIDs=null], pdu=GET[requestID=408320129, errorStatus=Success(0), errorIndex=0, VBS[1.3.6.1.2.1.1.1.0 = Null]], messageProcessingModel=1, securityName=public, processed=false, peerAddress=127.0.0.1/51206, transportMapping=org.snmp4j.transport.DefaultUdpTransportMapping@77fddc31, tmStateReference=null]
8815 [DefaultUDPTransportMapping_0.0.0.0/161] DEBUG org.snmp4j.agent.mo.snmp.SnmpCommunityMIB - Looking up coexistence info for 'public'
8817 [DefaultUDPTransportMapping_0.0.0.0/161] DEBUG org.snmp4j.agent.mo.snmp.SnmpCommunityMIB - Found coexistence info for 'public'=CoexistenceInfo[securityName=cpublic,contextEngineID=80:00:13:70:01:0a:0a:65:24,contextName=public,transportTag=]
8817 [DefaultUDPTransportMapping_0.0.0.0/161] DEBUG org.snmp4j.agent.mo.snmp.SnmpCommunityMIB - Address 127.0.0.1/51206 passes filter, because source address filtering is disabled
8822 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB - Found group name 'v1v2group' for secName 'cpublic' and secModel 2
8823
[RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB - Got views [DefaultMOMutableRow2PC[index=9.118.49.118.50.103.114.111.117.112.6.112.117.98.108.105.99.0.1,values=[1, fullReadView, fullWriteView, fullNotifyView, 3, 1]] for group name 'v1v2group'
8823 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB - Matching against access entry DefaultMOMutableRow2PC[index=9.118.49.118.50.103.114.111.117.112.6.112.117.98.108.105.99.0.1,values=[1, fullReadView, fullWriteView, fullNotifyView, 3, 1] with exactContextMatch=true, prefixMatch=false, matchSecModel=true and matchSecLevel=true
8823 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB - Matching view found for group name 'v1v2group' is 'fullReadView'
8826 [RequestPool.0] DEBUG org.snmp4j.agent.request.SnmpRequest - Created subrequest 0 with scope org.snmp4j.agent.DefaultMOContextScope[context=public,lowerBound=1.3.6.1.2.1.1.1.0,lowerIncluded=true,upperBound=1.3.6.1.2.1.1.1.0,upperIncluded=true] from 1.3.6.1.2.1.1.1.0 = Null
8826 [RequestPool.0] DEBUG org.snmp4j.agent.request.SnmpRequest - SnmpSubRequests initialized: [org.snmp4j.agent.request.SnmpRequest$SnmpSubRequest[scope=org.snmp4j.agent.DefaultMOContextScope[context=public,lowerBound=1.3.6.1.2.1.1.1.0,lowerIncluded=true,upperBound=1.3.6.1.2.1.1.1.0,upperIncluded=true],vb=1.3.6.1.2.1.1.1.0 = Null,status=org.snmp4j.agent.request.RequestStatus@6fc5f743,query=null,index=0,targetMO=null]]
8827 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB - Access denied for view 'fullReadView' by subtree 1.3.6.1.2.1.1.1.0 for OID 1.3.6.1.2.1.1.1.0
8828 [RequestPool.0] DEBUG org.snmp4j.transport.DefaultUdpTransportMapping - Sending message to 127.0.0.1/51206 with length 43: 30:29:02:01:01:04:06:70:75:62:6c:69:63:a2:1c:02:04:18:56:78:81:02:01:00:02:01:00:30:0e:30:0c:06:08:2b:06:01:02:01:01:01:00:80:00

16651 [DefaultUDPTransportMapping_0.0.0.0/161] DEBUG org.snmp4j.transport.DefaultUdpTransportMapping - Received message from /127.0.0.1/51207 with length 43:
30:29:02:01:01:04:06:70:75:62:6c:69:63:a0:1c:02:04:18:56:78:84:02:01:00:02:01:00:30:0e:30:0c:06:08:2b:06:01:02:01:01:02:00:05:00
16651 [DefaultUDPTransportMapping_0.0.0.0/161] DEBUG org.snmp4j.Snmp - Fire process PDU event: CommandResponderEvent[securityModel=2, securityLevel=1, maxSizeResponsePDU=65535, pduHandle=PduHandle[408320132], stateReference=StateReference[msgID=0,pduHandle=PduHandle[408320132],securityEngineID=null,securityModel=null,securityName=public,securityLevel=1,contextEngineID=null,contextName=null,retryMsgIDs=null], pdu=GET[requestID=408320132, errorStatus=Success(0), errorIndex=0, VBS[1.3.6.1.2.1.1.2.0 = Null]], messageProcessingModel=1, securityName=public, processed=false, peerAddress=127.0.0.1/51207, transportMapping=org.snmp4j.transport.DefaultUdpTransportMapping@77fddc31, tmStateReference=null]
16651 [DefaultUDPTransportMapping_0.0.0.0/161] DEBUG org.snmp4j.agent.mo.snmp.SnmpCommunityMIB - Looking up coexistence info for 'public'
16652 [DefaultUDPTransportMapping_0.0.0.0/161] DEBUG org.snmp4j.agent.mo.snmp.SnmpCommunityMIB - Found coexistence info for 'public'=CoexistenceInfo[securityName=cpublic,contextEngineID=80:00:13:70:01:0a:0a:65:24,contextName=public,transportTag=]
16652 [DefaultUDPTransportMapping_0.0.0.0/161] DEBUG org.snmp4j.agent.mo.snmp.SnmpCommunityMIB - Address 127.0.0.1/51207 passes filter, because source address filtering is disabled
16652 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB - Found group name 'v1v2group' for secName 'cpublic' and secModel 2
16652 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB - Got views [DefaultMOMutableRow2PC[index=9.118.49.118.50.103.114.111.117.112.6.112.117.98.108.105.99.0.1,values=[1, fullReadView, fullWriteView, fullNotifyView, 3, 1]] for group name 'v1v2group'
16653 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB - Matching against access entry DefaultMOMutableRow2PC[index=9.118.49.118.50.103.114.111.117.112.6.112.117.98.108.105.99.0.1,values=[1, fullReadView,
fullWriteView, fullNotifyView, 3, 1] with exactContextMatch=true, prefixMatch=false, matchSecModel=true and matchSecLevel=true
16653 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB - Matching view found for group name 'v1v2group' is 'fullReadView'
16653 [RequestPool.0] DEBUG org.snmp4j.agent.request.SnmpRequest - Created subrequest 0 with scope org.snmp4j.agent.DefaultMOContextScope[context=public,lowerBound=1.3.6.1.2.1.1.2.0,lowerIncluded=true,upperBound=1.3.6.1.2.1.1.2.0,upperIncluded=true] from 1.3.6.1.2.1.1.2.0 = Null
16653 [RequestPool.0] DEBUG org.snmp4j.agent.request.SnmpRequest - SnmpSubRequests initialized: [org.snmp4j.agent.request.SnmpRequest$SnmpSubRequest[scope=org.snmp4j.agent.DefaultMOContextScope[context=public,lowerBound=1.3.6.1.2.1.1.2.0,lowerIncluded=true,upperBound=1.3.6.1.2.1.1.2.0,upperIncluded=true],vb=1.3.6.1.2.1.1.2.0 = Null,status=org.snmp4j.agent.request.RequestStatus@58ecb281,query=null,index=0,targetMO=null]]
16654 [RequestPool.0] DEBUG org.snmp4j.transport.DefaultUdpTransportMapping - Sending message to 127.0.0.1/51207 with length 43: 30:29:02:01:01:04:06:70:75:62:6c:69:63:a2:1c:02:04:18:56:78:84:02:01:00:02:01:00:30:0e:30:0c:06:08:2b:06:01:02:01:01:02:00:80:00

> Date: Sun, 27 Oct 2013 12:29:21 +0100
> From: f...@agentpp.com
> To: snmp4j@agentpp.org
> Subject: Re: [SNMP4J] Difficulty with vacmViewExcluded
>
> Hi,
>
> I cannot reproduce the issue. Are you sure that you have defined the views
> and groups consistently?
>
> Is the sysObjectID.0 instance not Null?
>
> Best regards,
> Frank
>
> On 25.10.2013 17:11, m k wrote:
> > Hello,
> >
> > I've been trying to restrict the user's read view of a subtree, with the
> > ultimate goal of filtering out everything from 1.3.6.1.6.3.16.*, so the
> > user could see everything but that VACM information. However, I can't seem
> > to limit my restriction.
> > As a small experiment, I tried to filter out
> > sysDescr.0, while leaving everything else readable, as below:
> >
> >
> > I added the view tree family like so:
> >
> > vacm.addViewTreeFamily(new OctetString("fullReadView"), new
> > OID("1.3.6.1.2.1.1.1.0"),
> > new OctetString(), VacmMIB.vacmViewExcluded,
> > StorageType.nonVolatile);
> >
> > Now, when the user attempts to access sysDescr.0, the following debug info
> > shows they are denied access (as I expected):
> >
> > 23829 [DefaultUDPTransportMapping_127.0.0.1/161] DEBUG
> > org.snmp4j.transport.DefaultUdpTransportMapping - Received message from
> > localhost/127.0.0.1/50196 with length 43:
> > 30:29:02:01:01:04:06:70:75:62:6c:69:63:a0:1c:02:04:4d:85:9b:1c:02:01:00:02:01:00:30:0e:30:0c:06:08:2b:06:01:02:01:01:01:00:05:00
> > 23842 [DefaultUDPTransportMapping_127.0.0.1/161] DEBUG org.snmp4j.Snmp -
> > Fire process PDU event: CommandResponderEvent[securityModel=2,
> > securityLevel=1, maxSizeResponsePDU=65535, pduHandle=PduHandle[1300601628],
> > stateReference=StateReference[msgID=0,pduHandle=PduHandle[1300601628],securityEngineID=null,securityModel=null,securityName=public,securityLevel=1,contextEngineID=null,contextName=null,retryMsgIDs=null],
> > pdu=GET[requestID=1300601628, errorStatus=Success(0), errorIndex=0,
> > VBS[1.3.6.1.2.1.1.1.0 = Null]], messageProcessingModel=1,
> > securityName=public, processed=false, peerAddress=127.0.0.1/50196,
> > transportMapping=org.snmp4j.transport.DefaultUdpTransportMapping@11505881,
> > tmStateReference=null]
> > 23843 [DefaultUDPTransportMapping_127.0.0.1/161] DEBUG
> > org.snmp4j.agent.mo.snmp.SnmpCommunityMIB - Looking up coexistence info
> > for 'public'
> > 23845 [DefaultUDPTransportMapping_127.0.0.1/161] DEBUG
> > org.snmp4j.agent.mo.snmp.SnmpCommunityMIB - Found coexistence info for
> > 'public'=CoexistenceInfo[securityName=v1v2User,contextEngineID=80:00:13:70:01:0a:0a:65:24,contextName=,transportTag=]
> > 23845 [DefaultUDPTransportMapping_127.0.0.1/161] DEBUG
> > org.snmp4j.agent.mo.snmp.SnmpCommunityMIB - Address 127.0.0.1/50196 passes
> > filter, because source address filtering is disabled
> > 23851 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB - Found group
> > name 'v1v2ReadOnly' for secName 'v1v2User' and secModel 2
> > 23853 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB - Got views
> > [DefaultMOMutableRow2PC[index=12.118.49.118.50.82.101.97.100.79.110.108.121.0.0.1,values=[1,
> > fullReadView, restrictedWriteView, fullNotifyView, 3, 1]] for group name
> > 'v1v2ReadOnly'
> > 23853 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB - Matching
> > against access entry
> > DefaultMOMutableRow2PC[index=12.118.49.118.50.82.101.97.100.79.110.108.121.0.0.1,values=[1,
> > fullReadView, restrictedWriteView, fullNotifyView, 3, 1] with
> > exactContextMatch=true, prefixMatch=false, matchSecModel=true and
> > matchSecLevel=true
> > 23854 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB - Matching
> > view found for group name 'v1v2ReadOnly' is 'fullReadView'
> > 23859 [RequestPool.0] DEBUG org.snmp4j.agent.request.SnmpRequest - Created
> > subrequest 0 with scope
> > org.snmp4j.agent.DefaultMOContextScope[context=,lowerBound=1.3.6.1.2.1.1.1.0,lowerIncluded=true,upperBound=1.3.6.1.2.1.1.1.0,upperIncluded=true]
> > from 1.3.6.1.2.1.1.1.0 = Null
> > 23860 [RequestPool.0] DEBUG org.snmp4j.agent.request.SnmpRequest -
> > SnmpSubRequests initialized:
> > [org.snmp4j.agent.request.SnmpRequest$SnmpSubRequest[scope=org.snmp4j.agent.DefaultMOContextScope[context=,lowerBound=1.3.6.1.2.1.1.1.0,lowerIncluded=true,upperBound=1.3.6.1.2.1.1.1.0,upperIncluded=true],vb=1.3.6.1.2.1.1.1.0
> > =
> > Null,status=org.snmp4j.agent.request.RequestStatus@417f6125,query=null,index=0,targetMO=null]]
> > 23862 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB - Access
> > denied for view 'fullReadView' by subtree 1.3.6.1.2.1.1.1.0 for OID
> > 1.3.6.1.2.1.1.1.0
> > 23864 [RequestPool.0] DEBUG
> > org.snmp4j.transport.DefaultUdpTransportMapping
> > - Sending message to 127.0.0.1/50196 with length 43:
> > 30:29:02:01:01:04:06:70:75:62:6c:69:63:a2:1c:02:04:4d:85:9b:1c:02:01:00:02:01:00:30:0e:30:0c:06:08:2b:06:01:02:01:01:01:00:80:00
> >
> > However, when the user attempts to access the very next OID, which I did
> > not intend to block, this is the result:
> >
> > 82799 [DefaultUDPTransportMapping_127.0.0.1/161] DEBUG
> > org.snmp4j.transport.DefaultUdpTransportMapping - Received message from
> > localhost/127.0.0.1/58177 with length 43:
> > 30:29:02:01:01:04:06:70:75:62:6c:69:63:a0:1c:02:04:4d:85:9b:1f:02:01:00:02:01:00:30:0e:30:0c:06:08:2b:06:01:02:01:01:02:00:05:00
> > 82800 [DefaultUDPTransportMapping_127.0.0.1/161] DEBUG org.snmp4j.Snmp -
> > Fire process PDU event: CommandResponderEvent[securityModel=2,
> > securityLevel=1, maxSizeResponsePDU=65535, pduHandle=PduHandle[1300601631],
> > stateReference=StateReference[msgID=0,pduHandle=PduHandle[1300601631],securityEngineID=null,securityModel=null,securityName=public,securityLevel=1,contextEngineID=null,contextName=null,retryMsgIDs=null],
> > pdu=GET[requestID=1300601631, errorStatus=Success(0), errorIndex=0,
> > VBS[1.3.6.1.2.1.1.2.0 = Null]], messageProcessingModel=1,
> > securityName=public, processed=false, peerAddress=127.0.0.1/58177,
> > transportMapping=org.snmp4j.transport.DefaultUdpTransportMapping@11505881,
> > tmStateReference=null]
> > 82800 [DefaultUDPTransportMapping_127.0.0.1/161] DEBUG
> > org.snmp4j.agent.mo.snmp.SnmpCommunityMIB - Looking up coexistence info
> > for 'public'
> > 82801 [DefaultUDPTransportMapping_127.0.0.1/161] DEBUG
> > org.snmp4j.agent.mo.snmp.SnmpCommunityMIB - Found coexistence info for
> > 'public'=CoexistenceInfo[securityName=v1v2User,contextEngineID=80:00:13:70:01:0a:0a:65:24,contextName=,transportTag=]
> > 82801 [DefaultUDPTransportMapping_127.0.0.1/161] DEBUG
> > org.snmp4j.agent.mo.snmp.SnmpCommunityMIB - Address 127.0.0.1/58177 passes
> > filter, because source
> > address filtering is disabled
> > 82801 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB - Found group
> > name 'v1v2ReadOnly' for secName 'v1v2User' and secModel 2
> > 82802 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB - Got views
> > [DefaultMOMutableRow2PC[index=12.118.49.118.50.82.101.97.100.79.110.108.121.0.0.1,values=[1,
> > fullReadView, restrictedWriteView, fullNotifyView, 3, 1]] for group name
> > 'v1v2ReadOnly'
> > 82802 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB - Matching
> > against access entry
> > DefaultMOMutableRow2PC[index=12.118.49.118.50.82.101.97.100.79.110.108.121.0.0.1,values=[1,
> > fullReadView, restrictedWriteView, fullNotifyView, 3, 1] with
> > exactContextMatch=true, prefixMatch=false, matchSecModel=true and
> > matchSecLevel=true
> > 82803 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB - Matching
> > view found for group name 'v1v2ReadOnly' is 'fullReadView'
> > 82803 [RequestPool.0] DEBUG org.snmp4j.agent.request.SnmpRequest - Created
> > subrequest 0 with scope
> > org.snmp4j.agent.DefaultMOContextScope[context=,lowerBound=1.3.6.1.2.1.1.2.0,lowerIncluded=true,upperBound=1.3.6.1.2.1.1.2.0,upperIncluded=true]
> > from 1.3.6.1.2.1.1.2.0 = Null
> > 82803 [RequestPool.0] DEBUG org.snmp4j.agent.request.SnmpRequest -
> > SnmpSubRequests initialized:
> > [org.snmp4j.agent.request.SnmpRequest$SnmpSubRequest[scope=org.snmp4j.agent.DefaultMOContextScope[context=,lowerBound=1.3.6.1.2.1.1.2.0,lowerIncluded=true,upperBound=1.3.6.1.2.1.1.2.0,upperIncluded=true],vb=1.3.6.1.2.1.1.2.0
> > =
> > Null,status=org.snmp4j.agent.request.RequestStatus@316ce88a,query=null,index=0,targetMO=null]]
> > 82804 [RequestPool.0] DEBUG org.snmp4j.transport.DefaultUdpTransportMapping
> > - Sending message to 127.0.0.1/58177 with length 43:
> > 30:29:02:01:01:04:06:70:75:62:6c:69:63:a2:1c:02:04:4d:85:9b:1f:02:01:00:02:01:00:30:0e:30:0c:06:08:2b:06:01:02:01:01:02:00:80:00
> >
> > So, while they are not explicitly denied, it's the same
> > failure result as
> > if they were. To be sure, if I change the previous code to this below, both
> > OIDs can be accessed and retrieved perfectly:
> >
> > // Works fine, but no restriction.
> > vacm.addViewTreeFamily(new OctetString("fullReadView"), new OID("1.3"),
> > new OctetString(), VacmMIB.vacmViewIncluded,
> > StorageType.nonVolatile);
> >
> > ...
> >
> > What might the problem be here, and how can I achieve the restriction I am
> > looking for? By the way, I'm using snmp4j-agent-2.0.10a.
> >
> >
> > Thanks for your help
> >
> > _______________________________________________
> > SNMP4J mailing list
> > SNMP4J@agentpp.org
> > http://lists.agentpp.org/mailman/listinfo/snmp4j
>
> --
> ---
> AGENT++
> Maximilian-Kolbe-Str. 10
> 73257 Koengen, Germany
> https://agentpp.com
> Phone: +49 7024 8688230
> Fax: +49 7024 8688231
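
The view evaluation behind both traces, as an added example that is not part of the original thread and not SNMP4J's own code: under RFC 3415 an OID is in a MIB view only when the matching vacmViewTreeFamilyTable row with the most sub-identifiers has type included, and an OID that no row matches is not in the view. The class below models that rule with plain Java types, assuming fullReadView holds only the rows shown in the messages and the empty mask used there; VacmViewCheck, Family and inView are hypothetical names.

```java
import java.util.Arrays;
import java.util.List;

// Added example: models the RFC 3415 MIB view check with plain Java types (no SNMP4J classes).
public class VacmViewCheck {
    // One vacmViewTreeFamilyTable row; an empty mask (as in the post) means exact subtree match.
    static final class Family {
        final int[] subtree;
        final boolean included;
        Family(String subtree, boolean included) {
            this.subtree = parse(subtree);
            this.included = included;
        }
    }

    static int[] parse(String oid) {
        return Arrays.stream(oid.split("\\.")).mapToInt(Integer::parseInt).toArray();
    }

    // In view only if the matching row with the most sub-identifiers is "included".
    // No matching row at all means "not in view", the same outcome as an exclude.
    static boolean inView(List<Family> view, String oidText) {
        int[] oid = parse(oidText);
        Family best = null;
        for (Family f : view) {
            boolean matches = f.subtree.length <= oid.length
                    && Arrays.equals(f.subtree, Arrays.copyOf(oid, f.subtree.length));
            if (matches && (best == null || f.subtree.length > best.subtree.length)) {
                best = f;
            }
        }
        return best != null && best.included;
    }

    public static void main(String[] args) {
        String sysDescr = "1.3.6.1.2.1.1.1.0";
        String sysObjectID = "1.3.6.1.2.1.1.2.0";
        // "After" configuration from the post: the include row was replaced by the exclude row.
        List<Family> excludeOnly = Arrays.asList(new Family(sysDescr, false));
        // Assumed alternative: keep the 1.3 include row and add the exclude row beside it.
        List<Family> includeAndExclude = Arrays.asList(
                new Family("1.3", true), new Family(sysDescr, false));

        System.out.println("exclude only:    sysDescr.0=" + inView(excludeOnly, sysDescr)
                + " sysObjectID.0=" + inView(excludeOnly, sysObjectID));
        System.out.println("include+exclude: sysDescr.0=" + inView(includeAndExclude, sysDescr)
                + " sysObjectID.0=" + inView(includeAndExclude, sysObjectID));
    }
}
```

With only the exclude row, both sysDescr.0 and sysObjectID.0 evaluate as not in view; with the 1.3 include row kept beside it, only sysDescr.0 is filtered out.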