From ae5ee6ba6c506b42d942c98349b3a54181790ec8 Mon Sep 17 00:00:00 2001
From: Hans Dedecker
Date: Mon, 27 Mar 2017 15:35:29 +0200
Subject: [PATCH] net-snmp: add inbound firewall rule support

Add UCI section general which holds the uci parameter network defining on which interface(s) the snmp agent is reachable for inbound snmp requests in case the firewall zone does not allow INPUT traffic by default. For the different zones to which the different interfaces belong firewall procd input rules are created making the snmp agent reachable on udp port 161.

Signed-off-by: Hans Dedecker
---
 net/net-snmp/Makefile | 2 +-
 net/net-snmp/files/snmpd.conf | 3 +++
 net/net-snmp/files/snmpd.init | 30 ++++++++++++++++++++++++++++++
 3 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/net/net-snmp/Makefile b/net/net-snmp/Makefile
index edc2c8a57..d9ffbbd0e 100644
--- a/net/net-snmp/Makefile
+++ b/net/net-snmp/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=net-snmp
 PKG_VERSION:=5.7.3
-PKG_RELEASE:=4
+PKG_RELEASE:=5
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=@SF/net-snmp
diff --git a/net/net-snmp/files/snmpd.conf b/net/net-snmp/files/snmpd.conf
index ac152d83e..c32429400 100644
--- a/net/net-snmp/files/snmpd.conf
+++ b/net/net-snmp/files/snmpd.conf
@@ -87,3 +87,6 @@ config engineid
 # option engineid 'LEDE'
 option engineidtype '3'
 option engineidnic 'eth0'
+
+config snmpd general
+# list network 'wan'
diff --git a/net/net-snmp/files/snmpd.init b/net/net-snmp/files/snmpd.init
index 7df67de28..08989744c 100644
--- a/net/net-snmp/files/snmpd.init
+++ b/net/net-snmp/files/snmpd.init
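Review bot: The new `general` section is documented only by the commented example `# list network 'wan'`, which gives no hint that every listed network becomes an unconditional UDP/161 ACCEPT rule for the whole firewall zone containing it (that is what the init-script change builds: `src` = zone, `proto udp`, `dest_port 161`, `target ACCEPT`), so a WAN entry exposes the agent to everything that zone faces. I would put a short comment above the example, e.g. `# Networks (UCI interfaces) on which inbound SNMP must be reachable when the zone`, `# does not ACCEPT input; each entry opens UDP/161 from its entire firewall zone,`, `# so only list 'wan' with an access policy (v3 users / restricted communities) in place.` The community and v3 options live elsewhere in this file and are not shown in the hunk, so the wording of that last clause should match what the file actually offers.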
@@ -210,6 +210,28 @@ snmpd_engineid_add() {
 [ -n "$engineidnic" ] && echo "engineIDNic $engineidnic" >> $CONFIGFILE
 }
+snmpd_setup_fw_rules() {
+ local net="$1"
+ local zone
+
+ zone=$(fw3 -q network "$net" 2>/dev/null)
+
+ local handled_zone
+ for handled_zone in $HANDLED_SNMP_ZONES; do
+ [ "$handled_zone" = "$zone" ] && return
+ done
+
+ json_add_object ""
+ json_add_string type rule
+ json_add_string src "$zone"
+ json_add_string proto udp
+ json_add_string dest_port 161
+ json_add_string target ACCEPT
+ json_close_object
+
+ HANDLED_SNMP_ZONES="$HANDLED_SNMP_ZONES $zone"
+}
+
 start_service() {
 [ -f "$CONFIGFILE" ] && rm -f "$CONFIGFILE"
@@ -243,6 +265,14 @@ start_service() {
 procd_append_param netdev "$iface"
 done
+ procd_open_data
+
+ json_add_array firewall
+ config_list_foreach general network snmpd_setup_fw_rules
+ json_close_array
+
+ procd_close_data
+
 procd_close_instance
 }
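Review bot: `zone=$(fw3 -q network "$net" 2>/dev/null)` can leave `zone` empty when `$net` belongs to no zone, is a mistyped interface name, or fw3 is not available, and `snmpd_setup_fw_rules` then emits a rule with `src ""` instead of skipping the network; the dedup loop does not catch this on first use because `HANDLED_SNMP_ZONES` is empty, so such a rule is emitted once per run. I would bail out right after the assignment: `[ -n "$zone" ] || return` (optionally preceded by a `logger` warning so a bad network name is noticed rather than silently ignored). Whether fw3 rejects a rule with an empty `src` or interprets it as something else is not visible here, so it should not be left to chance. `snmpd_setup_fw_rules` is complete inside the hunk; `start_service` begins here and its body continues past the hunk.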
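Review bot: The block from `procd_open_data` to `procd_close_data` carries no comment saying what is being published or why it sits inside the instance, and `firewall` is a magic key that, as far as I can tell, fw3 reads from procd service data; a one-line comment would spare the next reader a trip into fw3: `# procd firewall data: one UDP/161 ACCEPT rule per zone that contains a network listed in general.network`. It is also worth stating in that comment that an empty `firewall` array is emitted when no network is configured, so nobody later "fixes" it with a guard that changes behaviour. Whether the running firewall picks this data up when snmpd (re)starts or only on its own next reload is not visible in the hunk and deserves a sentence in the commit message. `start_service` begins before this hunk; only its tail is shown.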