snmpd's normal socket is pretty much deprecated and the restricted
variant is even more useless. In other words, let's pick it apart one
step at a time. This diff removes the restricted keyword and related
code.

While here I also removed the unimplemented IMSG_CTL_RELOAD logic.

For those wondering why I removed the CTL_CONN_LOCKED flag: It's only
checked in control_dispatch_imsg, so there's no point in setting it on
agentx sockets.

OK?

martijn@

Index: control.c
===================================================================
--- control.c   (revision 1)
+++ control.c   (working copy)
@@ -80,7 +80,7 @@
                        return (-1);
                }
 
-       if (cs->cs_restricted || cs->cs_agentx) {
+       if (cs->cs_agentx) {
                old_umask = umask(S_IXUSR|S_IXGRP|S_IXOTH);
                mode = S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH;
        } else {
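Review bot: The surviving `cs->cs_agentx` branch still selects mode `S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH`, which is read/write for every local user, and nothing in the hunk records why. The description says `CTL_CONN_LOCKED` never had an effect on AgentX connections, so the file mode (presumably applied to the socket further down) appears to be what decides who may talk to these sockets. If that is intended, a comment above the branch such as `/* agentx sockets are deliberately world read/write so unprivileged subagents can connect */` would make it explicit; if not, the mode should be tightened. The enclosing function starts and ends outside the hunk.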
@@ -174,7 +174,6 @@
                        log_warn("%s: agentx", __func__);
                        return;
                }
-               c->flags |= CTL_CONN_LOCKED;
                c->iev.handler = control_dispatch_agentx;
                TAILQ_INIT(&c->oids);
        } else
@@ -249,21 +248,6 @@
                if (n == 0)
                        break;
 
-               if (cs->cs_restricted || (c->flags & CTL_CONN_LOCKED)) {
-                       switch (imsg.hdr.type) {
-                       case IMSG_SNMP_AGENTX:
-                       case IMSG_SNMP_ELEMENT:
-                       case IMSG_SNMP_END:
-                       case IMSG_SNMP_LOCK:
-                               break;
-                       default:
-                               control_close(c,
-                                   "client requested restricted command",
-                                   &imsg);
-                               return;
-                       }
-               }
-
                control_imsg_forward(&imsg);
 
                switch (imsg.hdr.type) {
@@ -282,14 +266,6 @@
                        c->flags |= CTL_CONN_NOTIFY;
                        break;
 
-               case IMSG_SNMP_LOCK:
-                       if (IMSG_DATA_SIZE(&imsg))
-                               return control_close(c, "invalid size", &imsg);
-
-                       /* enable restricted control mode */
-                       c->flags |= CTL_CONN_LOCKED;
-                       break;
-
                case IMSG_SNMP_AGENTX:
                        if (IMSG_DATA_SIZE(&imsg))
                                return control_close(c, "invalid size", &imsg);
@@ -313,7 +289,6 @@
                        }
                        /* disable IMSG notifications */
                        c->flags &= ~CTL_CONN_NOTIFY;
-                       c->flags |= CTL_CONN_LOCKED;
                        c->iev.handler = control_dispatch_agentx;
                        break;
 
@@ -330,11 +305,7 @@
                                proc_forward_imsg(&env->sc_ps, &imsg, i, -1);
                        }
                        break;
-               case IMSG_CTL_RELOAD:
-                       if (IMSG_DATA_SIZE(&imsg))
-                               return control_close(c, "invalid size", &imsg);
-                       proc_forward_imsg(&env->sc_ps, &imsg, PROC_PARENT, -1);
-                       break;
+
                default:
                        control_close(c, "invalid type", &imsg);
                        return;
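Review bot: The `default:` branch that closes the connection with "invalid type" is not the only outcome for an out-of-date client, because the enum removals in the snmp.h and snmpd.h hunks renumber the surviving message types. `IMSG_SNMP_AGENTX` moves from 1004 to 1001, and dropping `IMSG_CTL_END` shifts the following enumerators down by one, so the old numeric value of `IMSG_CTL_NOTIFY` would now be read as `IMSG_CTL_VERBOSE`. If mixed versions can meet on the control socket, keep the values stable (for example `IMSG_SNMP_AGENTX = 1004`, or reserved placeholders in place of the removed enumerators). Otherwise, state in the commit message that snmpctl and other control-socket clients must be rebuilt together with snmpd. The switch starts outside the hunk.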
Index: parse.y
===================================================================
--- parse.y     (revision 1)
+++ parse.y     (working copy)
@@ -51,11 +51,6 @@
 #include "snmpd.h"
 #include "mib.h"
 
-enum socktype {
-       SOCK_TYPE_RESTRICTED = 1,
-       SOCK_TYPE_AGENTX = 2
-};
-
 TAILQ_HEAD(files, file)                 files = TAILQ_HEAD_INITIALIZER(files);
 static struct file {
        TAILQ_ENTRY(file)        entry;
@@ -133,7 +128,7 @@
 %token SYSTEM CONTACT DESCR LOCATION NAME OBJECTID SERVICES RTFILTER
 %token READONLY READWRITE OCTETSTRING INTEGER COMMUNITY TRAP RECEIVER
 %token SECLEVEL NONE AUTH ENC USER AUTHKEY ENCKEY ERROR DISABLED
-%token SOCKET RESTRICTED AGENTX HANDLE DEFAULT SRCADDR TCP UDP PFADDRFILTER
+%token SOCKET AGENTX HANDLE DEFAULT SRCADDR TCP UDP PFADDRFILTER
 %token <v.string>      STRING
 %token  <v.number>     NUMBER
 %type  <v.string>      hostcmn
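Review bot: Dropping `RESTRICTED` from the token list here (and `"restricted"` from the keyword table in the -655 hunk) means an existing snmpd.conf containing `socket "path" restricted` stops parsing after the upgrade. The word presumably lexes as a plain STRING and ends in a generic syntax error, which may keep snmpd from starting. Consider keeping the token for a transition period and rejecting it with a specific message in the `socktype` rule, e.g. `| RESTRICTED { yyerror("restricted sockets are no longer supported"); YYERROR; }`. At minimum the removal deserves an upgrade note alongside the snmpd.conf.5 edit.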
@@ -305,10 +300,7 @@
                                        YYERROR;
                                }
                                rcsock->cs_name = $2;
-                               if ($3 == SOCK_TYPE_RESTRICTED)
-                                       rcsock->cs_restricted = 1;
-                               else if ($3 == SOCK_TYPE_AGENTX)
-                                       rcsock->cs_agentx = 1;
+                               rcsock->cs_agentx = 1;
                                TAILQ_INSERT_TAIL(&conf->sc_ps.ps_rcsocks,
                                    rcsock, cs_entry);
                        } else {
@@ -541,8 +533,7 @@
                }
                ;
 
-socktype       : RESTRICTED            { $$ = SOCK_TYPE_RESTRICTED; }
-               | AGENTX                { $$ = SOCK_TYPE_AGENTX; }
+socktype       : AGENTX                { $$ = 1; }
                | /* nothing */         { $$ = 0; }
                ;
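Review bot: `$$ = 1` in the `socktype` rule replaces a named enumerator with a bare literal, and the consumer in the -305 hunk now sets `rcsock->cs_agentx = 1` without looking at `$3`, relying on an enclosing condition that lies outside that hunk. Since the value is now just a flag, a short comment on the rule such as `/* non-zero selects an AgentX socket, 0 the default control socket */` would keep the two places readable together. This is a style point only; behaviour is unaffected as far as the visible lines show.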
 
@@ -655,7 +646,6 @@
                { "read-only",                  READONLY },
                { "read-write",                 READWRITE },
                { "receiver",                   RECEIVER },
-               { "restricted",                 RESTRICTED },
                { "seclevel",                   SECLEVEL },
                { "services",                   SERVICES },
                { "socket",                     SOCKET },
Index: snmp.h
===================================================================
--- snmp.h      (revision 1)
+++ snmp.h      (working copy)
@@ -29,7 +29,6 @@
 #define SNMP_MAX_OID_STRLEN    128     /* max size of the OID _string_ */
 #define SNMP_SOCKET            "/var/run/snmpd.sock"
 #define AGENTX_SOCKET          "/var/run/agentx.sock"
-#define SNMP_RESTRICTED_SOCKET "/var/run/snmpd.rsock"
 
 enum snmp_type {
        SNMP_IPADDR             = 0,
@@ -51,9 +50,6 @@
 
 enum snmp_imsg_ctl {
        IMSG_SNMP_DUMMY         = 1000, /* something that works everywhere */
-       IMSG_SNMP_ELEMENT,
-       IMSG_SNMP_END,
-       IMSG_SNMP_LOCK,                 /* enable restricted mode */
        IMSG_SNMP_AGENTX
 };
 
Index: snmpd.c
===================================================================
--- snmpd.c     (revision 1)
+++ snmpd.c     (working copy)
@@ -300,8 +300,6 @@
 snmpd_dispatch_snmpe(int fd, struct privsep_proc *p, struct imsg *imsg)
 {
        switch (imsg->hdr.type) {
-       case IMSG_CTL_RELOAD:
-               /* XXX notyet */
        default:
                break;
        }
Index: snmpd.conf.5
===================================================================
--- snmpd.conf.5        (revision 1)
+++ snmpd.conf.5        (working copy)
@@ -133,23 +133,18 @@
 .Xr snmpd 8
 will accept only SNMPv3 requests since older versions neither support
 authentication nor encryption.
-.It Ic socket Qo Ar path Qc Op Ic restricted | agentx
+.It Ic socket Qo Ar path Qc Op Ic agentx
 Create a control socket at
 .Ar path .
 If
-.Ic restricted
-is specified, a restricted control socket will be created.
-If
 .Ic agentx
 is specified, a socket which speaks the AgentX protocol will be created.
 Multiple
-.Ic restricted
-and
 .Ic agentx
 sockets may be created.
-By default
+By default only control socket
 .Pa /var/run/snmpd.sock
-is created and no other sockets are created.
+is created.
 .It Ic system contact Ar string
 Specify the name or description of the system contact, typically a
 name or an email address.
Index: snmpd.h
===================================================================
--- snmpd.h     (revision 1)
+++ snmpd.h     (working copy)
@@ -83,10 +83,8 @@
        IMSG_NONE,
        IMSG_CTL_OK,            /* answer to snmpctl requests */
        IMSG_CTL_FAIL,
-       IMSG_CTL_END,
        IMSG_CTL_NOTIFY,
        IMSG_CTL_VERBOSE,
-       IMSG_CTL_RELOAD,
        IMSG_CTL_PROCFD,
        IMSG_ALERT
 };
@@ -113,7 +111,6 @@
        struct event     cs_ev;
        struct event     cs_evt;
        int              cs_fd;
-       int              cs_restricted;
        int              cs_agentx;
        void            *cs_env;
 
@@ -357,7 +354,6 @@
        TAILQ_ENTRY(ctl_conn)    entry;
        u_int8_t                 flags;
 #define CTL_CONN_NOTIFY                 0x01
-#define CTL_CONN_LOCKED                 0x02   /* restricted mode */
        struct imsgev            iev;
        struct control_sock     *cs;
        struct agentx_handle    *handle;
