My MXs store about 300k addresses in block lists. Trying to export
them via the OPENBSD-PF-MIB::pfTblAddrTable oid is not working out.
It's also not sensible. snmpbulkwalk will eventually just time out and
while snmpd tries to export the tables it spins at 100% cpu.
This adds a filter-pf-addresses option, similar to filter-routes, to stop snmpd
from exporting the OPENBSD-PF-MIB::pfTblAddrTable subtree.
(Happy to hear suggestions for a better name.)
I'm new to this, is this the right way to do this? Comments, OKs?
diff --git mib.c mib.c
index d626787c448..f537d27bb61 100644
--- mib.c
+++ mib.c
@@ -2218,6 +2218,9 @@ mib_pftableaddrs(struct oid *oid, struct ber_oid *o,
struct ber_element **elm)
struct pfr_astats as;
int tblidx;
+ if (snmpd_env->sc_pfaddrfilter)
+ return (-1);
+
tblidx = o->bo_id[OIDIDX_pfTblAddr + 1];
mps_decodeinaddr(o, &as.pfras_a.pfra_ip4addr, OIDIDX_pfTblAddr + 2);
as.pfras_a.pfra_net = o->bo_id[OIDIDX_pfTblAddr + 6];
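Review bot: The filtered case in mib_pftableaddrs is reported with `return (-1);`, which is the value the getters in this file use for a genuine processing error, so a Get on an instance under pfTblAddrTable with the option enabled would presumably be answered with an error rather than as a missing instance. The body of mib_pftableaddrs continues below the hunk; if the lookup miss further down uses a distinct non-zero return for "no such instance" (I believe the pf getters in this file do), the new check should return that same value so the filtered subtree simply looks empty, matching how the second mib.c hunk already cuts off the walker in mib_pftableaddrstable with `return (NULL);`. Placing the check before any decoding of the requested OID is right: no work at all is spent on the filtered subtree, which is the whole point of the CPU fix.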
@@ -2306,6 +2309,9 @@ mib_pftableaddrstable(struct oid *oid, struct ber_oid *o,
struct ber_oid *no)
struct oid a, b;
u_int32_t id, tblidx;
+ if (snmpd_env->sc_pfaddrfilter)
+ return (NULL);
+
bcopy(&oid->o_id, no, sizeof(*no));
id = oid->o_oidlen - 1;
diff --git parse.y parse.y
index 1a9547d85b2..c774bb131b0 100644
--- parse.y
+++ parse.y
@@ -133,7 +133,7 @@ typedef struct {
%token SYSTEM CONTACT DESCR LOCATION NAME OBJECTID SERVICES RTFILTER
%token READONLY READWRITE OCTETSTRING INTEGER COMMUNITY TRAP RECEIVER
%token SECLEVEL NONE AUTH ENC USER AUTHKEY ENCKEY ERROR DISABLED
-%token SOCKET RESTRICTED AGENTX HANDLE DEFAULT SRCADDR TCP UDP
+%token SOCKET RESTRICTED AGENTX HANDLE DEFAULT SRCADDR TCP UDP PFADDRFILTER
%token <v.string> STRING
%token <v.number> NUMBER
%type <v.string> hostcmn
@@ -273,6 +273,9 @@ main : LISTEN ON STRING proto {
else
conf->sc_rtfilter = 0;
}
+ | PFADDRFILTER yesno {
+ conf->sc_pfaddrfilter = $2;
+ }
| SECLEVEL seclevel {
conf->sc_min_seclevel = $2;
}
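Review bot: The new rule stores the yesno value straight into `conf->sc_pfaddrfilter`, but nothing in the patch initialises that field, so the documented default of `no` depends on the config struct being zero-filled where it is allocated (outside the hunk). If the parser gives sc_rtfilter an explicit default somewhere, `conf->sc_pfaddrfilter = 0;` belongs next to it; otherwise a one-line comment on the new struct field in snmpd.h, `/* non-zero: hide pfTblAddrTable, set by filter-pf-addresses */`, would make the default visible to the next reader. The direct assignment itself is fine: unlike sc_rtfilter, which the rule above maps through an if/else into a mask, this field only needs a boolean.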
@@ -628,40 +631,41 @@ lookup(char *s)
{
/* this has to be sorted always */
static const struct keywords keywords[] = {
- { "agentx", AGENTX },
- { "auth", AUTH },
- { "authkey", AUTHKEY },
- { "community", COMMUNITY },
- { "contact", CONTACT },
- { "default", DEFAULT },
- { "description", DESCR },
- { "disabled", DISABLED},
- { "enc", ENC },
- { "enckey", ENCKEY },
- { "filter-routes", RTFILTER },
- { "handle", HANDLE },
- { "include", INCLUDE },
- { "integer", INTEGER },
- { "listen", LISTEN },
- { "location", LOCATION },
- { "name", NAME },
- { "none", NONE },
- { "oid", OBJECTID },
- { "on", ON },
- { "read-only", READONLY },
- { "read-write", READWRITE },
- { "receiver", RECEIVER },
- { "restricted", RESTRICTED },
- { "seclevel", SECLEVEL },
- { "services", SERVICES },
- { "socket", SOCKET },
- { "source-address", SRCADDR },
- { "string", OCTETSTRING },
- { "system", SYSTEM },
- { "tcp", TCP },
- { "trap", TRAP },
- { "udp", UDP },
- { "user", USER }
+ { "agentx", AGENTX },
+ { "auth", AUTH },
+ { "authkey", AUTHKEY },
+ { "community", COMMUNITY },
+ { "contact", CONTACT },
+ { "default", DEFAULT },
+ { "description", DESCR },
+ { "disabled", DISABLED},
+ { "enc", ENC },
+ { "enckey", ENCKEY },
+ { "filter-pf-addresses", PFADDRFILTER },
+ { "filter-routes", RTFILTER },
+ { "handle", HANDLE },
+ { "include", INCLUDE },
+ { "integer", INTEGER },
+ { "listen", LISTEN },
+ { "location", LOCATION },
+ { "name", NAME },
+ { "none", NONE },
+ { "oid", OBJECTID },
+ { "on", ON },
+ { "read-only", READONLY },
+ { "read-write", READWRITE },
+ { "receiver", RECEIVER },
+ { "restricted", RESTRICTED },
+ { "seclevel", SECLEVEL },
+ { "services", SERVICES },
+ { "socket", SOCKET },
+ { "source-address", SRCADDR },
+ { "string", OCTETSTRING },
+ { "system", SYSTEM },
+ { "tcp", TCP },
+ { "trap", TRAP },
+ { "udp", UDP },
+ { "user", USER }
};
const struct keywords *p;
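Review bot: Every entry of the keywords table is deleted and re-added just to insert the single `{ "filter-pf-addresses", PFADDRFILTER },` line, which suggests the surviving lines changed in whitespace only (tabs versus spaces, or an editor re-indent); the whitespace itself is not visible here, so this is inferred. A hunk that adds only the new line keeps the change reviewable and leaves blame on the other entries intact, so please re-generate the diff against the original formatting. The insertion point is correct for the "this has to be sorted always" comment, since `filter-pf-addresses` orders before `filter-routes`.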
diff --git snmpd.conf.5 snmpd.conf.5
index d06d267de34..f2bf18d1fdb 100644
--- snmpd.conf.5
+++ snmpd.conf.5
@@ -78,6 +78,15 @@ listen on $ext_addr
.Sh GLOBAL CONFIGURATION
The following options can be set globally:
.Bl -tag -width Ds
+.It Ic filter-pf-addresses Pq Ic yes | no
+If set to
+.Ic yes ,
+.Xr snmpd 8
+will filter out the OPENBSD-PF-MIB::pfTblAddrTable tree.
+Addresses stored in PF tables not be available, but CPU use will be
+reduced during bulk walks.
+The default is
+.Ic no .
.It Ic filter-routes Pq Ic yes | no
If set to
.Ic yes ,
diff --git snmpd.h snmpd.h
index 8e95e390bb8..36bd3e99269 100644
--- snmpd.h
+++ snmpd.h
@@ -593,6 +593,7 @@ struct snmpd {
int sc_ncpu;
int64_t *sc_cpustates;
int sc_rtfilter;
+ int sc_pfaddrfilter;
int sc_min_seclevel;
int sc_readonly;
--
I'm not entirely sure you are real.