Hi,

I reproduced the issue by merely changing as below in TestAgent.java in the 
SNMP4J-Agent project. Again, I'm attempting to exclude only sysDescr.0, but I 
actually exclude that and everything else.
    
  // Before
  vacm.addViewTreeFamily(new OctetString("fullReadView"), new OID("1.3"),
                         new OctetString(), VacmMIB.vacmViewIncluded,
                         StorageType.nonVolatile);

  // After
  vacm.addViewTreeFamily(new OctetString("fullReadView"),
                         new OID("1.3.6.1.2.1.1.1.0"),
                         new OctetString(), VacmMIB.vacmViewExcluded,
                         StorageType.nonVolatile);

I first try sysDescr.0 and get the expected denial, then I am indirectly denied 
again when attempting sysObjectID.0. Here is the result:


8803 [DefaultUDPTransportMapping_0.0.0.0/161] DEBUG 
org.snmp4j.transport.DefaultUdpTransportMapping  - Received message from 
/127.0.0.1/51206 with length 43: 
30:29:02:01:01:04:06:70:75:62:6c:69:63:a0:1c:02:04:18:56:78:81:02:01:00:02:01:00:30:0e:30:0c:06:08:2b:06:01:02:01:01:01:00:05:00
8815 [DefaultUDPTransportMapping_0.0.0.0/161] DEBUG org.snmp4j.Snmp  - Fire 
process PDU event: CommandResponderEvent[securityModel=2, securityLevel=1, 
maxSizeResponsePDU=65535, pduHandle=PduHandle[408320129], 
stateReference=StateReference[msgID=0,pduHandle=PduHandle[408320129],securityEngineID=null,securityModel=null,securityName=public,securityLevel=1,contextEngineID=null,contextName=null,retryMsgIDs=null],
 pdu=GET[requestID=408320129, errorStatus=Success(0), errorIndex=0, 
VBS[1.3.6.1.2.1.1.1.0 = Null]], messageProcessingModel=1, securityName=public, 
processed=false, peerAddress=127.0.0.1/51206, 
transportMapping=org.snmp4j.transport.DefaultUdpTransportMapping@77fddc31, 
tmStateReference=null]
8815 [DefaultUDPTransportMapping_0.0.0.0/161] DEBUG 
org.snmp4j.agent.mo.snmp.SnmpCommunityMIB  - Looking up coexistence info for 
'public'
8817 [DefaultUDPTransportMapping_0.0.0.0/161] DEBUG 
org.snmp4j.agent.mo.snmp.SnmpCommunityMIB  - Found coexistence info for 
'public'=CoexistenceInfo[securityName=cpublic,contextEngineID=80:00:13:70:01:0a:0a:65:24,contextName=public,transportTag=]
8817 [DefaultUDPTransportMapping_0.0.0.0/161] DEBUG 
org.snmp4j.agent.mo.snmp.SnmpCommunityMIB  - Address 127.0.0.1/51206 passes 
filter, because source address filtering is disabled
8822 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB  - Found group name 
'v1v2group' for secName 'cpublic' and secModel 2
8823 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB  - Got views 
[DefaultMOMutableRow2PC[index=9.118.49.118.50.103.114.111.117.112.6.112.117.98.108.105.99.0.1,values=[1,
 fullReadView, fullWriteView, fullNotifyView, 3, 1]] for group name 'v1v2group'
8823 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB  - Matching against 
access entry 
DefaultMOMutableRow2PC[index=9.118.49.118.50.103.114.111.117.112.6.112.117.98.108.105.99.0.1,values=[1,
 fullReadView, fullWriteView, fullNotifyView, 3, 1] with 
exactContextMatch=true, prefixMatch=false, matchSecModel=true and 
matchSecLevel=true
8823 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB  - Matching view 
found for group name 'v1v2group' is 'fullReadView'
8826 [RequestPool.0] DEBUG org.snmp4j.agent.request.SnmpRequest  - Created 
subrequest 0 with scope 
org.snmp4j.agent.DefaultMOContextScope[context=public,lowerBound=1.3.6.1.2.1.1.1.0,lowerIncluded=true,upperBound=1.3.6.1.2.1.1.1.0,upperIncluded=true]
 from 1.3.6.1.2.1.1.1.0 = Null
8826 [RequestPool.0] DEBUG org.snmp4j.agent.request.SnmpRequest  - 
SnmpSubRequests initialized: 
[org.snmp4j.agent.request.SnmpRequest$SnmpSubRequest[scope=org.snmp4j.agent.DefaultMOContextScope[context=public,lowerBound=1.3.6.1.2.1.1.1.0,lowerIncluded=true,upperBound=1.3.6.1.2.1.1.1.0,upperIncluded=true],vb=1.3.6.1.2.1.1.1.0
 = 
Null,status=org.snmp4j.agent.request.RequestStatus@6fc5f743,query=null,index=0,targetMO=null]]
8827 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB  - Access denied 
for view 'fullReadView' by subtree 1.3.6.1.2.1.1.1.0 for OID 1.3.6.1.2.1.1.1.0
8828 [RequestPool.0] DEBUG org.snmp4j.transport.DefaultUdpTransportMapping  - 
Sending message to 127.0.0.1/51206 with length 43: 
30:29:02:01:01:04:06:70:75:62:6c:69:63:a2:1c:02:04:18:56:78:81:02:01:00:02:01:00:30:0e:30:0c:06:08:2b:06:01:02:01:01:01:00:80:00
16651 [DefaultUDPTransportMapping_0.0.0.0/161] DEBUG 
org.snmp4j.transport.DefaultUdpTransportMapping  - Received message from 
/127.0.0.1/51207 with length 43: 
30:29:02:01:01:04:06:70:75:62:6c:69:63:a0:1c:02:04:18:56:78:84:02:01:00:02:01:00:30:0e:30:0c:06:08:2b:06:01:02:01:01:02:00:05:00
16651 [DefaultUDPTransportMapping_0.0.0.0/161] DEBUG org.snmp4j.Snmp  - Fire 
process PDU event: CommandResponderEvent[securityModel=2, securityLevel=1, 
maxSizeResponsePDU=65535, pduHandle=PduHandle[408320132], 
stateReference=StateReference[msgID=0,pduHandle=PduHandle[408320132],securityEngineID=null,securityModel=null,securityName=public,securityLevel=1,contextEngineID=null,contextName=null,retryMsgIDs=null],
 pdu=GET[requestID=408320132, errorStatus=Success(0), errorIndex=0, 
VBS[1.3.6.1.2.1.1.2.0 = Null]], messageProcessingModel=1, securityName=public, 
processed=false, peerAddress=127.0.0.1/51207, 
transportMapping=org.snmp4j.transport.DefaultUdpTransportMapping@77fddc31, 
tmStateReference=null]
16651 [DefaultUDPTransportMapping_0.0.0.0/161] DEBUG 
org.snmp4j.agent.mo.snmp.SnmpCommunityMIB  - Looking up coexistence info for 
'public'
16652 [DefaultUDPTransportMapping_0.0.0.0/161] DEBUG 
org.snmp4j.agent.mo.snmp.SnmpCommunityMIB  - Found coexistence info for 
'public'=CoexistenceInfo[securityName=cpublic,contextEngineID=80:00:13:70:01:0a:0a:65:24,contextName=public,transportTag=]
16652 [DefaultUDPTransportMapping_0.0.0.0/161] DEBUG 
org.snmp4j.agent.mo.snmp.SnmpCommunityMIB  - Address 127.0.0.1/51207 passes 
filter, because source address filtering is disabled
16652 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB  - Found group 
name 'v1v2group' for secName 'cpublic' and secModel 2
16652 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB  - Got views 
[DefaultMOMutableRow2PC[index=9.118.49.118.50.103.114.111.117.112.6.112.117.98.108.105.99.0.1,values=[1,
 fullReadView, fullWriteView, fullNotifyView, 3, 1]] for group name 'v1v2group'
16653 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB  - Matching 
against access entry 
DefaultMOMutableRow2PC[index=9.118.49.118.50.103.114.111.117.112.6.112.117.98.108.105.99.0.1,values=[1,
 fullReadView, fullWriteView, fullNotifyView, 3, 1] with 
exactContextMatch=true, prefixMatch=false, matchSecModel=true and 
matchSecLevel=true
16653 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB  - Matching view 
found for group name 'v1v2group' is 'fullReadView'
16653 [RequestPool.0] DEBUG org.snmp4j.agent.request.SnmpRequest  - Created 
subrequest 0 with scope 
org.snmp4j.agent.DefaultMOContextScope[context=public,lowerBound=1.3.6.1.2.1.1.2.0,lowerIncluded=true,upperBound=1.3.6.1.2.1.1.2.0,upperIncluded=true]
 from 1.3.6.1.2.1.1.2.0 = Null
16653 [RequestPool.0] DEBUG org.snmp4j.agent.request.SnmpRequest  - 
SnmpSubRequests initialized: 
[org.snmp4j.agent.request.SnmpRequest$SnmpSubRequest[scope=org.snmp4j.agent.DefaultMOContextScope[context=public,lowerBound=1.3.6.1.2.1.1.2.0,lowerIncluded=true,upperBound=1.3.6.1.2.1.1.2.0,upperIncluded=true],vb=1.3.6.1.2.1.1.2.0
 = 
Null,status=org.snmp4j.agent.request.RequestStatus@58ecb281,query=null,index=0,targetMO=null]]
16654 [RequestPool.0] DEBUG org.snmp4j.transport.DefaultUdpTransportMapping  - 
Sending message to 127.0.0.1/51207 with length 43: 
30:29:02:01:01:04:06:70:75:62:6c:69:63:a2:1c:02:04:18:56:78:84:02:01:00:02:01:00:30:0e:30:0c:06:08:2b:06:01:02:01:01:02:00:80:00

> Date: Sun, 27 Oct 2013 12:29:21 +0100
> From: f...@agentpp.com
> To: snmp4j@agentpp.org
> Subject: Re: [SNMP4J] Difficulty with vacmViewExcluded
> 
> Hi,
> 
> I cannot reproduce the issue. Are you sure that you have defined the views
> and groups consistently?
> 
> Is the sysObjectID.0 instance not Null?
> 
> Best regards,
> Frank
> 
> On 25.10.2013 17:11, m k wrote:
> > Hello,
> >
> > I've been trying to restrict the user's read view of a subtree, with the 
> > ultimate goal of filtering out everything from 1.3.6.1.6.3.16.*, so the 
> > user could see everything but that VACM information. However, I can't seem 
> > to limit my restriction. As a small experiment, I tried to filter out 
> > sysDescr.0, while leaving everything else readable, as below:
> >
> >
> > I added the view tree family like so:
> >
> > vacm.addViewTreeFamily(new OctetString("fullReadView"),
> >                         new OID("1.3.6.1.2.1.1.1.0"),
> >                         new OctetString(), VacmMIB.vacmViewExcluded,
> >                         StorageType.nonVolatile);
> >
> > Now, when the user attempts to access sysDescr.0, the following debug info 
> > shows they are denied access (as I expected):
> >
> > 23829 [DefaultUDPTransportMapping_127.0.0.1/161] DEBUG 
> > org.snmp4j.transport.DefaultUdpTransportMapping  - Received message from 
> > localhost/127.0.0.1/50196 with length 43: 
> > 30:29:02:01:01:04:06:70:75:62:6c:69:63:a0:1c:02:04:4d:85:9b:1c:02:01:00:02:01:00:30:0e:30:0c:06:08:2b:06:01:02:01:01:01:00:05:00
> > 23842 [DefaultUDPTransportMapping_127.0.0.1/161] DEBUG org.snmp4j.Snmp  - 
> > Fire process PDU event: CommandResponderEvent[securityModel=2, 
> > securityLevel=1, maxSizeResponsePDU=65535, pduHandle=PduHandle[1300601628], 
> > stateReference=StateReference[msgID=0,pduHandle=PduHandle[1300601628],securityEngineID=null,securityModel=null,securityName=public,securityLevel=1,contextEngineID=null,contextName=null,retryMsgIDs=null],
> >  pdu=GET[requestID=1300601628, errorStatus=Success(0), errorIndex=0, 
> > VBS[1.3.6.1.2.1.1.1.0 = Null]], messageProcessingModel=1, 
> > securityName=public, processed=false, peerAddress=127.0.0.1/50196, 
> > transportMapping=org.snmp4j.transport.DefaultUdpTransportMapping@11505881, 
> > tmStateReference=null]
> > 23843 [DefaultUDPTransportMapping_127.0.0.1/161] DEBUG 
> > org.snmp4j.agent.mo.snmp.SnmpCommunityMIB  - Looking up coexistence info 
> > for 'public'
> > 23845 [DefaultUDPTransportMapping_127.0.0.1/161] DEBUG 
> > org.snmp4j.agent.mo.snmp.SnmpCommunityMIB  - Found coexistence info for 
> > 'public'=CoexistenceInfo[securityName=v1v2User,contextEngineID=80:00:13:70:01:0a:0a:65:24,contextName=,transportTag=]
> > 23845 [DefaultUDPTransportMapping_127.0.0.1/161] DEBUG 
> > org.snmp4j.agent.mo.snmp.SnmpCommunityMIB  - Address 127.0.0.1/50196 passes 
> > filter, because source address filtering is disabled
> > 23851 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB  - Found group 
> > name 'v1v2ReadOnly' for secName 'v1v2User' and secModel 2
> > 23853 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB  - Got views 
> > [DefaultMOMutableRow2PC[index=12.118.49.118.50.82.101.97.100.79.110.108.121.0.0.1,values=[1,
> >  fullReadView, restrictedWriteView, fullNotifyView, 3, 1]] for group name 
> > 'v1v2ReadOnly'
> > 23853 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB  - Matching 
> > against access entry 
> > DefaultMOMutableRow2PC[index=12.118.49.118.50.82.101.97.100.79.110.108.121.0.0.1,values=[1,
> >  fullReadView, restrictedWriteView, fullNotifyView, 3, 1] with 
> > exactContextMatch=true, prefixMatch=false, matchSecModel=true and 
> > matchSecLevel=true
> > 23854 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB  - Matching 
> > view found for group name 'v1v2ReadOnly' is 'fullReadView'
> > 23859 [RequestPool.0] DEBUG org.snmp4j.agent.request.SnmpRequest  - Created 
> > subrequest 0 with scope 
> > org.snmp4j.agent.DefaultMOContextScope[context=,lowerBound=1.3.6.1.2.1.1.1.0,lowerIncluded=true,upperBound=1.3.6.1.2.1.1.1.0,upperIncluded=true]
> >  from 1.3.6.1.2.1.1.1.0 = Null
> > 23860 [RequestPool.0] DEBUG org.snmp4j.agent.request.SnmpRequest  - 
> > SnmpSubRequests initialized: 
> > [org.snmp4j.agent.request.SnmpRequest$SnmpSubRequest[scope=org.snmp4j.agent.DefaultMOContextScope[context=,lowerBound=1.3.6.1.2.1.1.1.0,lowerIncluded=true,upperBound=1.3.6.1.2.1.1.1.0,upperIncluded=true],vb=1.3.6.1.2.1.1.1.0
> >  = 
> > Null,status=org.snmp4j.agent.request.RequestStatus@417f6125,query=null,index=0,targetMO=null]]
> > 23862 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB  - Access 
> > denied for view 'fullReadView' by subtree 1.3.6.1.2.1.1.1.0 for OID 
> > 1.3.6.1.2.1.1.1.0
> > 23864 [RequestPool.0] DEBUG org.snmp4j.transport.DefaultUdpTransportMapping 
> >  - Sending message to 127.0.0.1/50196 with length 43: 
> > 30:29:02:01:01:04:06:70:75:62:6c:69:63:a2:1c:02:04:4d:85:9b:1c:02:01:00:02:01:00:30:0e:30:0c:06:08:2b:06:01:02:01:01:01:00:80:00
> >
> > However, when the user attempts to access the very next OID, which I did 
> > not intend to block, this is the result:
> >
> > 82799 [DefaultUDPTransportMapping_127.0.0.1/161] DEBUG 
> > org.snmp4j.transport.DefaultUdpTransportMapping  - Received message from 
> > localhost/127.0.0.1/58177 with length 43: 
> > 30:29:02:01:01:04:06:70:75:62:6c:69:63:a0:1c:02:04:4d:85:9b:1f:02:01:00:02:01:00:30:0e:30:0c:06:08:2b:06:01:02:01:01:02:00:05:00
> > 82800 [DefaultUDPTransportMapping_127.0.0.1/161] DEBUG org.snmp4j.Snmp  - 
> > Fire process PDU event: CommandResponderEvent[securityModel=2, 
> > securityLevel=1, maxSizeResponsePDU=65535, pduHandle=PduHandle[1300601631], 
> > stateReference=StateReference[msgID=0,pduHandle=PduHandle[1300601631],securityEngineID=null,securityModel=null,securityName=public,securityLevel=1,contextEngineID=null,contextName=null,retryMsgIDs=null],
> >  pdu=GET[requestID=1300601631, errorStatus=Success(0), errorIndex=0, 
> > VBS[1.3.6.1.2.1.1.2.0 = Null]], messageProcessingModel=1, 
> > securityName=public, processed=false, peerAddress=127.0.0.1/58177, 
> > transportMapping=org.snmp4j.transport.DefaultUdpTransportMapping@11505881, 
> > tmStateReference=null]
> > 82800 [DefaultUDPTransportMapping_127.0.0.1/161] DEBUG 
> > org.snmp4j.agent.mo.snmp.SnmpCommunityMIB  - Looking up coexistence info 
> > for 'public'
> > 82801 [DefaultUDPTransportMapping_127.0.0.1/161] DEBUG 
> > org.snmp4j.agent.mo.snmp.SnmpCommunityMIB  - Found coexistence info for 
> > 'public'=CoexistenceInfo[securityName=v1v2User,contextEngineID=80:00:13:70:01:0a:0a:65:24,contextName=,transportTag=]
> > 82801 [DefaultUDPTransportMapping_127.0.0.1/161] DEBUG 
> > org.snmp4j.agent.mo.snmp.SnmpCommunityMIB  - Address 127.0.0.1/58177 passes 
> > filter, because source address filtering is disabled
> > 82801 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB  - Found group 
> > name 'v1v2ReadOnly' for secName 'v1v2User' and secModel 2
> > 82802 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB  - Got views 
> > [DefaultMOMutableRow2PC[index=12.118.49.118.50.82.101.97.100.79.110.108.121.0.0.1,values=[1,
> >  fullReadView, restrictedWriteView, fullNotifyView, 3, 1]] for group name 
> > 'v1v2ReadOnly'
> > 82802 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB  - Matching 
> > against access entry 
> > DefaultMOMutableRow2PC[index=12.118.49.118.50.82.101.97.100.79.110.108.121.0.0.1,values=[1,
> >  fullReadView, restrictedWriteView, fullNotifyView, 3, 1] with 
> > exactContextMatch=true, prefixMatch=false, matchSecModel=true and 
> > matchSecLevel=true
> > 82803 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB  - Matching 
> > view found for group name 'v1v2ReadOnly' is 'fullReadView'
> > 82803 [RequestPool.0] DEBUG org.snmp4j.agent.request.SnmpRequest  - Created 
> > subrequest 0 with scope 
> > org.snmp4j.agent.DefaultMOContextScope[context=,lowerBound=1.3.6.1.2.1.1.2.0,lowerIncluded=true,upperBound=1.3.6.1.2.1.1.2.0,upperIncluded=true]
> >  from 1.3.6.1.2.1.1.2.0 = Null
> > 82803 [RequestPool.0] DEBUG org.snmp4j.agent.request.SnmpRequest  - 
> > SnmpSubRequests initialized: 
> > [org.snmp4j.agent.request.SnmpRequest$SnmpSubRequest[scope=org.snmp4j.agent.DefaultMOContextScope[context=,lowerBound=1.3.6.1.2.1.1.2.0,lowerIncluded=true,upperBound=1.3.6.1.2.1.1.2.0,upperIncluded=true],vb=1.3.6.1.2.1.1.2.0
> >  = 
> > Null,status=org.snmp4j.agent.request.RequestStatus@316ce88a,query=null,index=0,targetMO=null]]
> > 82804 [RequestPool.0] DEBUG org.snmp4j.transport.DefaultUdpTransportMapping 
> >  - Sending message to 127.0.0.1/58177 with length 43: 
> > 30:29:02:01:01:04:06:70:75:62:6c:69:63:a2:1c:02:04:4d:85:9b:1f:02:01:00:02:01:00:30:0e:30:0c:06:08:2b:06:01:02:01:01:02:00:80:00
> >
> > So, while they are not explicitly denied, it's the same failure result as 
> > if they were. To be sure, if I change the previous code to this below, both 
> > OIDs can be accessed and retrieved perfectly:
> >
> > // Works fine, but no restriction.
> > vacm.addViewTreeFamily(new OctetString("fullReadView"), new OID("1.3"),
> >                 new OctetString(), VacmMIB.vacmViewIncluded,
> >                 StorageType.nonVolatile);
> >
> > ...
> >
> > What might the problem be here, and how can I achieve the restriction I am 
> > looking for? By the way, I'm using snmp4j-agent-2.0.10a.
> >
> >
> > Thanks for your help
> >                                     
> > _______________________________________________
> > SNMP4J mailing list
> > SNMP4J@agentpp.org
> > http://lists.agentpp.org/mailman/listinfo/snmp4j
> 
> -- 
> ---
> AGENT++
> Maximilian-Kolbe-Str. 10
> 73257 Koengen, Germany
> https://agentpp.com
> Phone: +49 7024 8688230
> Fax:   +49 7024 8688231
> 
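Added example, not part of the original thread and not SNMP4J-Agent code: a dependency-free Java model of the RFC 3415 view check, in which the longest matching view tree family decides and an OID matched by no family is not in the view. It compares a view holding only the excluded sysDescr.0 family with views that pair an included `1.3` family with an excluded one, including the 1.3.6.1.6.3.16 subtree from the original question. The class, method and view names other than `addViewTreeFamily` are hypothetical, and every mask is assumed empty, as in the snippets above.

```java
import java.util.ArrayList;
import java.util.List;

/** Hypothetical stand-alone model of RFC 3415 view evaluation; not SNMP4J code. */
public class VacmViewModel {
    // One vacmViewTreeFamilyTable row; the mask is assumed empty (every sub-identifier compared).
    record Family(String view, long[] subtree, boolean included) {}

    private final List<Family> families = new ArrayList<>();

    static long[] oid(String dotted) {
        String[] parts = dotted.split("\\.");
        long[] ids = new long[parts.length];
        for (int i = 0; i < parts.length; i++) ids[i] = Long.parseLong(parts[i]);
        return ids;
    }

    void addViewTreeFamily(String view, String subtree, boolean included) {
        families.add(new Family(view, oid(subtree), included));
    }

    private static boolean isPrefix(long[] subtree, long[] target) {
        if (subtree.length > target.length) return false;
        for (int i = 0; i < subtree.length; i++) if (subtree[i] != target[i]) return false;
        return true;
    }

    /** The longest matching family decides; no matching family means "not in view". */
    boolean isInView(String view, String dotted) {
        long[] target = oid(dotted);
        Family best = null;
        for (Family f : families) {
            if (!f.view().equals(view) || !isPrefix(f.subtree(), target)) continue;
            if (best == null || f.subtree().length > best.subtree().length) best = f;
        }
        return best != null && best.included();
    }

    public static void main(String[] args) {
        VacmViewModel vacm = new VacmViewModel();
        // Only an excluded family, as in the "After" snippet: no family ever includes anything.
        vacm.addViewTreeFamily("excludeOnly", "1.3.6.1.2.1.1.1.0", false);
        // Included base subtree plus the single exclusion.
        vacm.addViewTreeFamily("allButSysDescr", "1.3", true);
        vacm.addViewTreeFamily("allButSysDescr", "1.3.6.1.2.1.1.1.0", false);
        // Same pattern for the VACM MIB subtree.
        vacm.addViewTreeFamily("allButVacm", "1.3", true);
        vacm.addViewTreeFamily("allButVacm", "1.3.6.1.6.3.16", false);
        // Constructed sample OIDs: sysDescr.0, sysObjectID.0, one OID below 1.3.6.1.6.3.16.
        String[] oids = {"1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.1.2.0", "1.3.6.1.6.3.16.1.1.1.1"};
        for (String view : new String[] {"excludeOnly", "allButSysDescr", "allButVacm"})
            for (String o : oids)
                System.out.println(view + " " + o + " -> " + (vacm.isInView(view, o) ? "in view" : "not in view"));
    }
}
```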