Re: [EXTERNAL] Export IPsec flows via snmpd(8)
Marco's reference to RFC4807 looks interesting. I started reading it yesterday afternoon, it appears to be much more extensive, including packet filter information. -Original Message- From: Martin Pieuchot [mailto:m...@openbsd.org] Sent: Wednesday, December 20, 2017 4:22 AM To: Eichert, Diana Cc: tech@openbsd.org Subject: Re: [EXTERNAL] Export IPsec flows via snmpd(8) On 19/12/17(Tue) 13:40, Eichert, Diana wrote: > tech lurker here, long time NMS/EMS admin > > I did not see diffs to an OpenBSD MIB file. I assume that will be included > in a "more complete solution"? Yes, I did not want to spend some time writing a MIB if the format is going to change. I know that many readers on this list already have their own way to export IPsecs data via SNMP, so I hope to get some inputs/recommendations.
Re: [EXTERNAL] Export IPsec flows via snmpd(8)
On 19/12/17(Tue) 13:40, Eichert, Diana wrote: > tech lurker here, long time NMS/EMS admin > > I did not see diffs to an OpenBSD MIB file. I assume that will be included > in a "more complete solution"? Yes, I did not want to spend some time writing a MIB if the format is going to change. I know that many readers on this list already have their own way to export IPsecs data via SNMP, so I hope to get some inputs/recommendations.
Re: [EXTERNAL] Export IPsec flows via snmpd(8)
If I can find a free hour or so I can put something together for the
MIB file. That seems about the right sort of information to me anyway -
lifetimes might be useful too though.
On 2017/12/19 13:40, Eichert, Diana wrote:
> tech lurker here, long time NMS/EMS admin
>
> I did not see diffs to an OpenBSD MIB file. I assume that will be included
> in a "more complete solution"?
>
> diana
>
> -Original Message-
> From: owner-t...@openbsd.org [mailto:owner-t...@openbsd.org] On Behalf Of
> Martin Pieuchot
> Sent: Tuesday, December 19, 2017 4:44 AM
> To: tech@openbsd.org
> Subject: [EXTERNAL] Export IPsec flows via snmpd(8)
>
> I'd like to see some information about my tunnels in my NMS. The problem is
> that there's not standard MIB for this and most vendor MIBs are huge and are
> not easy to implement.
>
> So here's a diff that export the equivalent of "$ ipsecctl -s flow".
> I'm basically gluing ipsecctl(8) internals into snmpd(8).
>
> It can be considered as a first step towards a more complete solution.
> So I'd like to hear from people interested to export IPsec information via
> SNMP, what would like to see and do you have a preferred format?
>
> Comments? Oks?
>
> SNIP
>
> ===
> RCS file: /cvs/src/usr.sbin/snmpd/mib.c,v retrieving revision 1.85 diff -u -p
> -r1.85 mib.c
> --- mib.c 18 Dec 2017 05:51:53 - 1.85
> +++ mib.c 19 Dec 2017 11:29:01 -
> @@ -1422,6 +1422,7 @@ int mib_carpifnum(struct oid *, struct
> struct carpif
> *mib_carpifget(u_int);
> int mib_memiftable(struct oid *, struct ber_oid *, struct ber_element **);
> +int mib_ipsecflow(struct oid *, struct ber_oid *, struct ber_element **);
>
> static struct oid openbsd_mib[] = {
> { MIB(pfMIBObjects),OID_MIB },
> @@ -1633,6 +1634,26 @@ static struct oid openbsd_mib[] = {
> { MIB(carpIfAdvbase), OID_TRD, mib_carpiftable },
> { MIB(carpIfAdvskew), OID_TRD, mib_carpiftable },
> { MIB(carpIfState), OID_TRD, mib_carpiftable },
> + { MIB(ipsecMIBObjects), OID_MIB },
> + { MIB(ipsecFlowSAType), OID_TRD, mib_ipsecflow },
> + { MIB(ipsecFlowDirection), OID_TRD, mib_ipsecflow },
> + { MIB(ipsecFlowFromAddr), OID_TRD, mib_ipsecflow },
> + { MIB(ipsecFlowFromMask), OID_TRD, mib_ipsecflow },
> + { MIB(ipsecFlowSPort), OID_TRD, mib_ipsecflow },
> + { MIB(ipsecFlowToAddr), OID_TRD, mib_ipsecflow },
> + { MIB(ipsecFlowToMask), OID_TRD, mib_ipsecflow },
> + { MIB(ipsecFlowDPort), OID_TRD, mib_ipsecflow },
> +#if notyet
> + /* Unprivileged user cannot see commented out information. */
> + { MIB(ipsecFlowLocal), OID_TRD, mib_ipsecflow },
> +#endif
> + { MIB(ipsecFlowPeer), OID_TRD, mib_ipsecflow },
> +#if notyet
> + { MIB(ipsecFlowAuthSrcID), OID_TRD, mib_ipsecflow },
> + { MIB(ipsecFlowAuthDstID), OID_TRD, mib_ipsecflow },
> + { MIB(ipsecFlowAuthType), OID_TRD, mib_ipsecflow },
> +#endif
> + { MIB(ipsecFlowType), OID_TRD, mib_ipsecflow },
> { MIB(memMIBObjects), OID_MIB },
> { MIB(memMIBVersion), OID_RD, mps_getint, NULL, NULL,
> OIDVER_OPENBSD_MEM },
> @@ -2831,7 +2852,6 @@ mib_carpiftable(struct oid *oid, struct
>
> /* Get and verify the current row index */
> idx = o->bo_id[OIDIDX_carpIfEntry];
> -
> if ((cif = mib_carpifget(idx)) == NULL)
> return (1);
>
> @@ -2877,10 +2897,12 @@ mib_memiftable(struct oid *oid, struct b
> u_int32_tidx = 0;
> struct kif *kif;
>
> + /* Get and verify the current row index */
> idx = o->bo_id[OIDIDX_memIfEntry];
> if ((kif = mib_ifget(idx)) == NULL)
> return (1);
>
> + /* Tables need to prepend the OID on their own */
> o->bo_id[OIDIDX_memIfEntry] = kif->if_index;
> ber = ber_add_oid(ber, o);
>
> @@ -2891,6 +2913,110 @@ mib_memiftable(struct oid *oid, struct b
> case 2:
> ber = ber_add_integer(ber, 0);
> ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
> + break;
> + default:
> + return (-1);
> + }
> +
> + return (0);
> +}
> +
> +#include "ipsec.h"
> +
> +int
> +mib_ipsecflow(struct oid *oid, struct ber_oid *o, struct ber_element
> +**elm) {
> + struct ber_element *ber = *elm;
> + struct ipsec_rule *
Re: [EXTERNAL] Export IPsec flows via snmpd(8)
tech lurker here, long time NMS/EMS admin
I did not see diffs to an OpenBSD MIB file. I assume that will be included in
a "more complete solution"?
diana
-Original Message-
From: owner-t...@openbsd.org [mailto:owner-t...@openbsd.org] On Behalf Of
Martin Pieuchot
Sent: Tuesday, December 19, 2017 4:44 AM
To: tech@openbsd.org
Subject: [EXTERNAL] Export IPsec flows via snmpd(8)
I'd like to see some information about my tunnels in my NMS. The problem is
that there's not standard MIB for this and most vendor MIBs are huge and are
not easy to implement.
So here's a diff that export the equivalent of "$ ipsecctl -s flow".
I'm basically gluing ipsecctl(8) internals into snmpd(8).
It can be considered as a first step towards a more complete solution.
So I'd like to hear from people interested to export IPsec information via
SNMP, what would like to see and do you have a preferred format?
Comments? Oks?
SNIP
===
RCS file: /cvs/src/usr.sbin/snmpd/mib.c,v retrieving revision 1.85 diff -u -p
-r1.85 mib.c
--- mib.c 18 Dec 2017 05:51:53 - 1.85
+++ mib.c 19 Dec 2017 11:29:01 -
@@ -1422,6 +1422,7 @@ intmib_carpifnum(struct oid *, struct
struct carpif
*mib_carpifget(u_int);
int mib_memiftable(struct oid *, struct ber_oid *, struct ber_element **);
+int mib_ipsecflow(struct oid *, struct ber_oid *, struct ber_element **);
static struct oid openbsd_mib[] = {
{ MIB(pfMIBObjects),OID_MIB },
@@ -1633,6 +1634,26 @@ static struct oid openbsd_mib[] = {
{ MIB(carpIfAdvbase), OID_TRD, mib_carpiftable },
{ MIB(carpIfAdvskew), OID_TRD, mib_carpiftable },
{ MIB(carpIfState), OID_TRD, mib_carpiftable },
+ { MIB(ipsecMIBObjects), OID_MIB },
+ { MIB(ipsecFlowSAType), OID_TRD, mib_ipsecflow },
+ { MIB(ipsecFlowDirection), OID_TRD, mib_ipsecflow },
+ { MIB(ipsecFlowFromAddr), OID_TRD, mib_ipsecflow },
+ { MIB(ipsecFlowFromMask), OID_TRD, mib_ipsecflow },
+ { MIB(ipsecFlowSPort), OID_TRD, mib_ipsecflow },
+ { MIB(ipsecFlowToAddr), OID_TRD, mib_ipsecflow },
+ { MIB(ipsecFlowToMask), OID_TRD, mib_ipsecflow },
+ { MIB(ipsecFlowDPort), OID_TRD, mib_ipsecflow },
+#if notyet
+ /* Unprivileged user cannot see commented out information. */
+ { MIB(ipsecFlowLocal), OID_TRD, mib_ipsecflow },
+#endif
+ { MIB(ipsecFlowPeer), OID_TRD, mib_ipsecflow },
+#if notyet
+ { MIB(ipsecFlowAuthSrcID), OID_TRD, mib_ipsecflow },
+ { MIB(ipsecFlowAuthDstID), OID_TRD, mib_ipsecflow },
+ { MIB(ipsecFlowAuthType), OID_TRD, mib_ipsecflow },
+#endif
+ { MIB(ipsecFlowType), OID_TRD, mib_ipsecflow },
{ MIB(memMIBObjects), OID_MIB },
{ MIB(memMIBVersion), OID_RD, mps_getint, NULL, NULL,
OIDVER_OPENBSD_MEM },
@@ -2831,7 +2852,6 @@ mib_carpiftable(struct oid *oid, struct
/* Get and verify the current row index */
idx = o->bo_id[OIDIDX_carpIfEntry];
-
if ((cif = mib_carpifget(idx)) == NULL)
return (1);
@@ -2877,10 +2897,12 @@ mib_memiftable(struct oid *oid, struct b
u_int32_tidx = 0;
struct kif *kif;
+ /* Get and verify the current row index */
idx = o->bo_id[OIDIDX_memIfEntry];
if ((kif = mib_ifget(idx)) == NULL)
return (1);
+ /* Tables need to prepend the OID on their own */
o->bo_id[OIDIDX_memIfEntry] = kif->if_index;
ber = ber_add_oid(ber, o);
@@ -2891,6 +2913,110 @@ mib_memiftable(struct oid *oid, struct b
case 2:
ber = ber_add_integer(ber, 0);
ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64);
+ break;
+ default:
+ return (-1);
+ }
+
+ return (0);
+}
+
+#include "ipsec.h"
+
+int
+mib_ipsecflow(struct oid *oid, struct ber_oid *o, struct ber_element
+**elm) {
+ struct ber_element *ber = *elm;
+ struct ipsec_rule *r;
+ u_int32_tval, idx = 0;
+
+ /* Get and verify the current row index */
+ idx = o->bo_id[OIDIDX_ipsecFlowEntry];
+ if ((r = ipsec_get_rule(idx)) == NULL)
+ return (1);
+
+ /* Tables need to prepend the OID on their own */
+ o->bo_id[OIDIDX_ipsecFlowEntry] = r->nr;
+ ber = ber_add_oid(ber, o);
+
+ switch (o->bo_id[OIDIDX_ipsecFlow]) {
+ case 1: /* satype */
+ ber = ber_add_string(ber, satype[r->satype]);
+ break;
+ case 2: /* direction */
+ ber = ber_add_string(ber, direction[r->direction]);
+ brea
