Hi,

Again, I cannot reproduce this. You must have other modifications of the SNMP4J sources in place than just the vacmViewExcluded statement or the sysObjectID.0 instance is Null?

Normally you should see the following logging output as I do:

64773 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB - Access allowed for view 'fullReadView' by subtree 1.3 for OID 1.3.6.1.2.1.1.2.0

Best regards,
Frank

On 31.10.2013 21:51, m k wrote:
Hi,

I reproduced the issue by merely changing as below in TestAgent.java in the SNMP4J-Agent project. Again, I'm attempting to exclude only sysDescr.0, but I actually exclude that and everything else.

// Before
vacm.addViewTreeFamily(new OctetString("fullReadView"), new OID("1.3"),
                       new OctetString(), VacmMIB.vacmViewIncluded,
                       StorageType.nonVolatile);

// After
vacm.addViewTreeFamily(new OctetString("fullReadView"), new OID("1.3.6.1.2.1.1.1.0"),
                       new OctetString(), VacmMIB.vacmViewExcluded,
                       StorageType.nonVolatile);

I first try sysDescr.0 and get the expected denial, then I am indirectly denied again when attempting sysObjectID.0. Here is the result:

8803 [DefaultUDPTransportMapping_0.0.0.0/161] DEBUG org.snmp4j.transport.DefaultUdpTransportMapping - Received message from /127.0.0.1/51206 with length 43: 30:29:02:01:01:04:06:70:75:62:6c:69:63:a0:1c:02:04:18:56:78:81:02:01:00:02:01:00:30:0e:30:0c:06:08:2b:06:01:02:01:01:01:00:05:00
8815 [DefaultUDPTransportMapping_0.0.0.0/161] DEBUG org.snmp4j.Snmp - Fire process PDU event: CommandResponderEvent[securityModel=2, securityLevel=1, maxSizeResponsePDU=65535, pduHandle=PduHandle[408320129], stateReference=StateReference[msgID=0,pduHandle=PduHandle[408320129],securityEngineID=null,securityModel=null,securityName=public,securityLevel=1,contextEngineID=null,contextName=null,retryMsgIDs=null], pdu=GET[requestID=408320129, errorStatus=Success(0), errorIndex=0, VBS[1.3.6.1.2.1.1.1.0 = Null]], messageProcessingModel=1, securityName=public, processed=false, peerAddress=127.0.0.1/51206, transportMapping=org.snmp4j.transport.DefaultUdpTransportMapping@77fddc31, tmStateReference=null]
8815 [DefaultUDPTransportMapping_0.0.0.0/161] DEBUG org.snmp4j.agent.mo.snmp.SnmpCommunityMIB - Looking up coexistence info for 'public'
8817 [DefaultUDPTransportMapping_0.0.0.0/161] DEBUG org.snmp4j.agent.mo.snmp.SnmpCommunityMIB - Found coexistence info for 'public'=CoexistenceInfo[securityName=cpublic,contextEngineID=80:00:13:70:01:0a:0a:65:24,contextName=public,transportTag=]
8817 [DefaultUDPTransportMapping_0.0.0.0/161] DEBUG org.snmp4j.agent.mo.snmp.SnmpCommunityMIB - Address 127.0.0.1/51206 passes filter, because source address filtering is disabled
8822 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB - Found group name 'v1v2group' for secName 'cpublic' and secModel 2
8823 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB - Got views [DefaultMOMutableRow2PC[index=9.118.49.118.50.103.114.111.117.112.6.112.117.98.108.105.99.0.1,values=[1, fullReadView, fullWriteView, fullNotifyView, 3, 1]] for group name 'v1v2group'
8823 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB - Matching against access entry DefaultMOMutableRow2PC[index=9.118.49.118.50.103.114.111.117.112.6.112.117.98.108.105.99.0.1,values=[1, fullReadView, fullWriteView, fullNotifyView, 3, 1] with exactContextMatch=true, prefixMatch=false, matchSecModel=true and matchSecLevel=true
8823 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB - Matching view found for group name 'v1v2group' is 'fullReadView'
8826 [RequestPool.0] DEBUG org.snmp4j.agent.request.SnmpRequest - Created subrequest 0 with scope org.snmp4j.agent.DefaultMOContextScope[context=public,lowerBound=1.3.6.1.2.1.1.1.0,lowerIncluded=true,upperBound=1.3.6.1.2.1.1.1.0,upperIncluded=true] from 1.3.6.1.2.1.1.1.0 = Null
8826 [RequestPool.0] DEBUG org.snmp4j.agent.request.SnmpRequest - SnmpSubRequests initialized: [org.snmp4j.agent.request.SnmpRequest$SnmpSubRequest[scope=org.snmp4j.agent.DefaultMOContextScope[context=public,lowerBound=1.3.6.1.2.1.1.1.0,lowerIncluded=true,upperBound=1.3.6.1.2.1.1.1.0,upperIncluded=true],vb=1.3.6.1.2.1.1.1.0 = Null,status=org.snmp4j.agent.request.RequestStatus@6fc5f743,query=null,index=0,targetMO=null]]
8827 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB - Access denied for view 'fullReadView' by subtree 1.3.6.1.2.1.1.1.0 for OID 1.3.6.1.2.1.1.1.0
8828 [RequestPool.0] DEBUG org.snmp4j.transport.DefaultUdpTransportMapping - Sending message to 127.0.0.1/51206 with length 43: 30:29:02:01:01:04:06:70:75:62:6c:69:63:a2:1c:02:04:18:56:78:81:02:01:00:02:01:00:30:0e:30:0c:06:08:2b:06:01:02:01:01:01:00:80:00

16651 [DefaultUDPTransportMapping_0.0.0.0/161] DEBUG org.snmp4j.transport.DefaultUdpTransportMapping - Received message from /127.0.0.1/51207 with length 43: 30:29:02:01:01:04:06:70:75:62:6c:69:63:a0:1c:02:04:18:56:78:84:02:01:00:02:01:00:30:0e:30:0c:06:08:2b:06:01:02:01:01:02:00:05:00
16651 [DefaultUDPTransportMapping_0.0.0.0/161] DEBUG org.snmp4j.Snmp - Fire process PDU event: CommandResponderEvent[securityModel=2, securityLevel=1, maxSizeResponsePDU=65535, pduHandle=PduHandle[408320132], stateReference=StateReference[msgID=0,pduHandle=PduHandle[408320132],securityEngineID=null,securityModel=null,securityName=public,securityLevel=1,contextEngineID=null,contextName=null,retryMsgIDs=null], pdu=GET[requestID=408320132, errorStatus=Success(0), errorIndex=0, VBS[1.3.6.1.2.1.1.2.0 = Null]], messageProcessingModel=1, securityName=public, processed=false, peerAddress=127.0.0.1/51207, transportMapping=org.snmp4j.transport.DefaultUdpTransportMapping@77fddc31, tmStateReference=null]
16651 [DefaultUDPTransportMapping_0.0.0.0/161] DEBUG org.snmp4j.agent.mo.snmp.SnmpCommunityMIB - Looking up coexistence info for 'public'
16652 [DefaultUDPTransportMapping_0.0.0.0/161] DEBUG org.snmp4j.agent.mo.snmp.SnmpCommunityMIB - Found coexistence info for 'public'=CoexistenceInfo[securityName=cpublic,contextEngineID=80:00:13:70:01:0a:0a:65:24,contextName=public,transportTag=]
16652 [DefaultUDPTransportMapping_0.0.0.0/161] DEBUG org.snmp4j.agent.mo.snmp.SnmpCommunityMIB - Address 127.0.0.1/51207 passes filter, because source address filtering is disabled
16652 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB - Found group name 'v1v2group' for secName 'cpublic' and secModel 2
16652 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB - Got views [DefaultMOMutableRow2PC[index=9.118.49.118.50.103.114.111.117.112.6.112.117.98.108.105.99.0.1,values=[1, fullReadView, fullWriteView, fullNotifyView, 3, 1]] for group name 'v1v2group'
16653 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB - Matching against access entry DefaultMOMutableRow2PC[index=9.118.49.118.50.103.114.111.117.112.6.112.117.98.108.105.99.0.1,values=[1, fullReadView, fullWriteView, fullNotifyView, 3, 1] with exactContextMatch=true, prefixMatch=false, matchSecModel=true and matchSecLevel=true
16653 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB - Matching view found for group name 'v1v2group' is 'fullReadView'
16653 [RequestPool.0] DEBUG org.snmp4j.agent.request.SnmpRequest - Created subrequest 0 with scope org.snmp4j.agent.DefaultMOContextScope[context=public,lowerBound=1.3.6.1.2.1.1.2.0,lowerIncluded=true,upperBound=1.3.6.1.2.1.1.2.0,upperIncluded=true] from 1.3.6.1.2.1.1.2.0 = Null
16653 [RequestPool.0] DEBUG org.snmp4j.agent.request.SnmpRequest - SnmpSubRequests initialized: [org.snmp4j.agent.request.SnmpRequest$SnmpSubRequest[scope=org.snmp4j.agent.DefaultMOContextScope[context=public,lowerBound=1.3.6.1.2.1.1.2.0,lowerIncluded=true,upperBound=1.3.6.1.2.1.1.2.0,upperIncluded=true],vb=1.3.6.1.2.1.1.2.0 = Null,status=org.snmp4j.agent.request.RequestStatus@58ecb281,query=null,index=0,targetMO=null]]
16654 [RequestPool.0] DEBUG org.snmp4j.transport.DefaultUdpTransportMapping - Sending message to 127.0.0.1/51207 with length 43: 30:29:02:01:01:04:06:70:75:62:6c:69:63:a2:1c:02:04:18:56:78:84:02:01:00:02:01:00:30:0e:30:0c:06:08:2b:06:01:02:01:01:02:00:80:00

Date: Sun, 27 Oct 2013 12:29:21 +0100
From: [email protected]
To: [email protected]
Subject: Re: [SNMP4J] Difficulty with vacmViewExcluded

Hi,

I cannot reproduce the issue. Are you sure that you have defined the views and groups consistently? Is the sysObjectID.0 instance not Null?

Best regards,
Frank

On 25.10.2013 17:11, m k wrote:

Hello,

I've been trying to restrict the user's read view of a subtree, with the ultimate goal of filtering out everything from 1.3.6.1.6.3.16.*, so the user could see everything but that VACM information. However, I can't seem to limit my restriction. As a small experiment, I tried to filter out sysDescr.0, while leaving everything else readable, as below:

I added the view tree family like so:

vacm.addViewTreeFamily(new OctetString("fullReadView"), new OID("1.3.6.1.2.1.1.1.0"),
                       new OctetString(), VacmMIB.vacmViewExcluded,
                       StorageType.nonVolatile);

Now, when the user attempts to access sysDescr.0, the following debug info shows they are denied access (as I expected):

23829 [DefaultUDPTransportMapping_127.0.0.1/161] DEBUG org.snmp4j.transport.DefaultUdpTransportMapping - Received message from localhost/127.0.0.1/50196 with length 43: 30:29:02:01:01:04:06:70:75:62:6c:69:63:a0:1c:02:04:4d:85:9b:1c:02:01:00:02:01:00:30:0e:30:0c:06:08:2b:06:01:02:01:01:01:00:05:00
23842 [DefaultUDPTransportMapping_127.0.0.1/161] DEBUG org.snmp4j.Snmp - Fire process PDU event: CommandResponderEvent[securityModel=2, securityLevel=1, maxSizeResponsePDU=65535, pduHandle=PduHandle[1300601628], stateReference=StateReference[msgID=0,pduHandle=PduHandle[1300601628],securityEngineID=null,securityModel=null,securityName=public,securityLevel=1,contextEngineID=null,contextName=null,retryMsgIDs=null], pdu=GET[requestID=1300601628, errorStatus=Success(0), errorIndex=0, VBS[1.3.6.1.2.1.1.1.0 = Null]], messageProcessingModel=1, securityName=public, processed=false, peerAddress=127.0.0.1/50196, transportMapping=org.snmp4j.transport.DefaultUdpTransportMapping@11505881, tmStateReference=null]
23843 [DefaultUDPTransportMapping_127.0.0.1/161] DEBUG org.snmp4j.agent.mo.snmp.SnmpCommunityMIB - Looking up coexistence info for 'public'
23845 [DefaultUDPTransportMapping_127.0.0.1/161] DEBUG org.snmp4j.agent.mo.snmp.SnmpCommunityMIB - Found coexistence info for 'public'=CoexistenceInfo[securityName=v1v2User,contextEngineID=80:00:13:70:01:0a:0a:65:24,contextName=,transportTag=]
23845 [DefaultUDPTransportMapping_127.0.0.1/161] DEBUG org.snmp4j.agent.mo.snmp.SnmpCommunityMIB - Address 127.0.0.1/50196 passes filter, because source address filtering is disabled
23851 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB - Found group name 'v1v2ReadOnly' for secName 'v1v2User' and secModel 2
23853 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB - Got views [DefaultMOMutableRow2PC[index=12.118.49.118.50.82.101.97.100.79.110.108.121.0.0.1,values=[1, fullReadView, restrictedWriteView, fullNotifyView, 3, 1]] for group name 'v1v2ReadOnly'
23853 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB - Matching against access entry DefaultMOMutableRow2PC[index=12.118.49.118.50.82.101.97.100.79.110.108.121.0.0.1,values=[1, fullReadView, restrictedWriteView, fullNotifyView, 3, 1] with exactContextMatch=true, prefixMatch=false, matchSecModel=true and matchSecLevel=true
23854 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB - Matching view found for group name 'v1v2ReadOnly' is 'fullReadView'
23859 [RequestPool.0] DEBUG org.snmp4j.agent.request.SnmpRequest - Created subrequest 0 with scope org.snmp4j.agent.DefaultMOContextScope[context=,lowerBound=1.3.6.1.2.1.1.1.0,lowerIncluded=true,upperBound=1.3.6.1.2.1.1.1.0,upperIncluded=true] from 1.3.6.1.2.1.1.1.0 = Null
23860 [RequestPool.0] DEBUG org.snmp4j.agent.request.SnmpRequest - SnmpSubRequests initialized: [org.snmp4j.agent.request.SnmpRequest$SnmpSubRequest[scope=org.snmp4j.agent.DefaultMOContextScope[context=,lowerBound=1.3.6.1.2.1.1.1.0,lowerIncluded=true,upperBound=1.3.6.1.2.1.1.1.0,upperIncluded=true],vb=1.3.6.1.2.1.1.1.0 = Null,status=org.snmp4j.agent.request.RequestStatus@417f6125,query=null,index=0,targetMO=null]]
23862 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB - Access denied for view 'fullReadView' by subtree 1.3.6.1.2.1.1.1.0 for OID 1.3.6.1.2.1.1.1.0
23864 [RequestPool.0] DEBUG org.snmp4j.transport.DefaultUdpTransportMapping - Sending message to 127.0.0.1/50196 with length 43: 30:29:02:01:01:04:06:70:75:62:6c:69:63:a2:1c:02:04:4d:85:9b:1c:02:01:00:02:01:00:30:0e:30:0c:06:08:2b:06:01:02:01:01:01:00:80:00

However, when the user attempts to access the very next OID, which I did not intend to block, this is the result:

82799 [DefaultUDPTransportMapping_127.0.0.1/161] DEBUG org.snmp4j.transport.DefaultUdpTransportMapping - Received message from localhost/127.0.0.1/58177 with length 43: 30:29:02:01:01:04:06:70:75:62:6c:69:63:a0:1c:02:04:4d:85:9b:1f:02:01:00:02:01:00:30:0e:30:0c:06:08:2b:06:01:02:01:01:02:00:05:00
82800 [DefaultUDPTransportMapping_127.0.0.1/161] DEBUG org.snmp4j.Snmp - Fire process PDU event: CommandResponderEvent[securityModel=2, securityLevel=1, maxSizeResponsePDU=65535, pduHandle=PduHandle[1300601631], stateReference=StateReference[msgID=0,pduHandle=PduHandle[1300601631],securityEngineID=null,securityModel=null,securityName=public,securityLevel=1,contextEngineID=null,contextName=null,retryMsgIDs=null], pdu=GET[requestID=1300601631, errorStatus=Success(0), errorIndex=0, VBS[1.3.6.1.2.1.1.2.0 = Null]], messageProcessingModel=1, securityName=public, processed=false, peerAddress=127.0.0.1/58177, transportMapping=org.snmp4j.transport.DefaultUdpTransportMapping@11505881, tmStateReference=null]
82800 [DefaultUDPTransportMapping_127.0.0.1/161] DEBUG org.snmp4j.agent.mo.snmp.SnmpCommunityMIB - Looking up coexistence info for 'public'
82801 [DefaultUDPTransportMapping_127.0.0.1/161] DEBUG org.snmp4j.agent.mo.snmp.SnmpCommunityMIB - Found coexistence info for 'public'=CoexistenceInfo[securityName=v1v2User,contextEngineID=80:00:13:70:01:0a:0a:65:24,contextName=,transportTag=]
82801 [DefaultUDPTransportMapping_127.0.0.1/161] DEBUG org.snmp4j.agent.mo.snmp.SnmpCommunityMIB - Address 127.0.0.1/58177 passes filter, because source address filtering is disabled
82801 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB - Found group name 'v1v2ReadOnly' for secName 'v1v2User' and secModel 2
82802 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB - Got views [DefaultMOMutableRow2PC[index=12.118.49.118.50.82.101.97.100.79.110.108.121.0.0.1,values=[1, fullReadView, restrictedWriteView, fullNotifyView, 3, 1]] for group name 'v1v2ReadOnly'
82802 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB - Matching against access entry DefaultMOMutableRow2PC[index=12.118.49.118.50.82.101.97.100.79.110.108.121.0.0.1,values=[1, fullReadView, restrictedWriteView, fullNotifyView, 3, 1] with exactContextMatch=true, prefixMatch=false, matchSecModel=true and matchSecLevel=true
82803 [RequestPool.0] DEBUG org.snmp4j.agent.mo.snmp.VacmMIB - Matching view found for group name 'v1v2ReadOnly' is 'fullReadView'
82803 [RequestPool.0] DEBUG org.snmp4j.agent.request.SnmpRequest - Created subrequest 0 with scope org.snmp4j.agent.DefaultMOContextScope[context=,lowerBound=1.3.6.1.2.1.1.2.0,lowerIncluded=true,upperBound=1.3.6.1.2.1.1.2.0,upperIncluded=true] from 1.3.6.1.2.1.1.2.0 = Null
82803 [RequestPool.0] DEBUG org.snmp4j.agent.request.SnmpRequest - SnmpSubRequests initialized: [org.snmp4j.agent.request.SnmpRequest$SnmpSubRequest[scope=org.snmp4j.agent.DefaultMOContextScope[context=,lowerBound=1.3.6.1.2.1.1.2.0,lowerIncluded=true,upperBound=1.3.6.1.2.1.1.2.0,upperIncluded=true],vb=1.3.6.1.2.1.1.2.0 = Null,status=org.snmp4j.agent.request.RequestStatus@316ce88a,query=null,index=0,targetMO=null]]
82804 [RequestPool.0] DEBUG org.snmp4j.transport.DefaultUdpTransportMapping - Sending message to 127.0.0.1/58177 with length 43: 30:29:02:01:01:04:06:70:75:62:6c:69:63:a2:1c:02:04:4d:85:9b:1f:02:01:00:02:01:00:30:0e:30:0c:06:08:2b:06:01:02:01:01:02:00:80:00

So, while they are not explicitly denied, it's the same failure result as if they were.

To be sure, if I change the previous code to this below, both OIDs can be accessed and retrieved perfectly:

// Works fine, but no restriction.
vacm.addViewTreeFamily(new OctetString("fullReadView"), new OID("1.3"),
                       new OctetString(), VacmMIB.vacmViewIncluded,
                       StorageType.nonVolatile);
...

What might the problem be here, and how can I achieve the restriction I am looking for? By the way, I'm using snmp4j-agent-2.0.10a.

Thanks for your help

_______________________________________________
SNMP4J mailing list
[email protected]
http://lists.agentpp.org/mailman/listinfo/snmp4j

--
---
AGENT++
Maximilian-Kolbe-Str. 10
73257 Koengen, Germany
https://agentpp.com
Phone: +49 7024 8688230
Fax: +49 7024 8688231
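
The view check from RFC 3415 that this thread turns on, as an added example (a stand-alone model, not SNMP4J code and not written by either poster): an OID is in a view only when its most specific matching family is of type included, so a view that holds nothing but an excluded family contains no OIDs at all. The class and method names are hypothetical, empty family masks are assumed as in the posted calls, and the OID below 1.3.6.1.6.3.16 is constructed.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added illustration: a stand-alone model of RFC 3415 view matching, not SNMP4J code.
public class VacmViewModel {
    static final int INCLUDED = 1, EXCLUDED = 2; // vacmViewTreeFamilyType values

    record Family(String view, int[] subtree, int type) {}

    private final List<Family> families = new ArrayList<>();

    static int[] oid(String dotted) {
        return Arrays.stream(dotted.split("\\.")).mapToInt(Integer::parseInt).toArray();
    }

    // Hypothetical counterpart of addViewTreeFamily with an empty (all-ones) mask.
    VacmViewModel add(String view, String subtree, int type) {
        families.add(new Family(view, oid(subtree), type));
        return this;
    }

    // In view only if the matching family with the longest subtree is INCLUDED.
    boolean isInView(String view, String dotted) {
        int[] o = oid(dotted);
        Family best = null;
        for (Family f : families) {
            int n = f.subtree().length;
            if (!f.view().equals(view) || n > o.length) continue;
            // Empty mask: every sub-identifier of the subtree must equal the OID's.
            if (!Arrays.equals(f.subtree(), 0, n, o, 0, n)) continue;
            // Equal-length ties cannot occur with empty masks, so length decides.
            if (best == null || n > best.subtree().length) best = f;
        }
        return best != null && best.type() == INCLUDED; // no match means not in view
    }

    static void expect(boolean ok, String what) {
        if (!ok) throw new AssertionError(what);
        System.out.println("ok: " + what);
    }

    public static void main(String[] args) {
        String v = "fullReadView", sysDescr = "1.3.6.1.2.1.1.1.0", sysObjectID = "1.3.6.1.2.1.1.2.0";
        String vacmObj = "1.3.6.1.6.3.16.1.2.1.3"; // constructed OID below 1.3.6.1.6.3.16

        // View whose only family is the excluded sysDescr.0 instance.
        VacmViewModel only = new VacmViewModel().add(v, sysDescr, EXCLUDED);
        expect(!only.isInView(v, sysDescr), "exclude-only view hides sysDescr.0");
        expect(!only.isInView(v, sysObjectID), "exclude-only view also hides sysObjectID.0");

        // View that keeps the 1.3 include and carves out the excluded subtrees.
        VacmViewModel both = new VacmViewModel().add(v, "1.3", INCLUDED)
                .add(v, sysDescr, EXCLUDED).add(v, "1.3.6.1.6.3.16", EXCLUDED);
        expect(!both.isInView(v, sysDescr), "sysDescr.0 stays hidden");
        expect(both.isInView(v, sysObjectID), "sysObjectID.0 is readable via 1.3");
        expect(!both.isInView(v, vacmObj), "VACM subtree is hidden");
    }
}
```

The record syntax needs Java 16 or later.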
