Tech lurker here, long-time NMS/EMS admin. I did not see diffs to an OpenBSD MIB file. I assume that will be included in a "more complete solution"?
diana -----Original Message----- From: owner-t...@openbsd.org [mailto:owner-t...@openbsd.org] On Behalf Of Martin Pieuchot Sent: Tuesday, December 19, 2017 4:44 AM To: tech@openbsd.org Subject: [EXTERNAL] Export IPsec flows via snmpd(8) I'd like to see some information about my tunnels in my NMS. The problem is that there's no standard MIB for this and most vendor MIBs are huge and are not easy to implement. So here's a diff that exports the equivalent of "$ ipsecctl -s flow". I'm basically gluing ipsecctl(8) internals into snmpd(8). It can be considered as a first step towards a more complete solution. So I'd like to hear from people interested in exporting IPsec information via SNMP: what would you like to see, and do you have a preferred format? Comments? Oks? SNIP =================================================================== RCS file: /cvs/src/usr.sbin/snmpd/mib.c,v retrieving revision 1.85 diff -u -p -r1.85 mib.c --- mib.c 18 Dec 2017 05:51:53 -0000 1.85 +++ mib.c 19 Dec 2017 11:29:01 -0000 @@ -1422,6 +1422,7 @@ int mib_carpifnum(struct oid *, struct struct carpif *mib_carpifget(u_int); int mib_memiftable(struct oid *, struct ber_oid *, struct ber_element **); +int mib_ipsecflow(struct oid *, struct ber_oid *, struct ber_element **); static struct oid openbsd_mib[] = { { MIB(pfMIBObjects), OID_MIB }, 
@@ -1633,6 +1634,26 @@ static struct oid openbsd_mib[] = { { MIB(carpIfAdvbase), OID_TRD, mib_carpiftable }, { MIB(carpIfAdvskew), OID_TRD, mib_carpiftable }, { MIB(carpIfState), OID_TRD, mib_carpiftable }, + { MIB(ipsecMIBObjects), OID_MIB }, + { MIB(ipsecFlowSAType), OID_TRD, mib_ipsecflow }, + { MIB(ipsecFlowDirection), OID_TRD, mib_ipsecflow }, + { MIB(ipsecFlowFromAddr), OID_TRD, mib_ipsecflow }, + { MIB(ipsecFlowFromMask), OID_TRD, mib_ipsecflow }, + { MIB(ipsecFlowSPort), OID_TRD, mib_ipsecflow }, + { MIB(ipsecFlowToAddr), OID_TRD, mib_ipsecflow }, + { MIB(ipsecFlowToMask), OID_TRD, mib_ipsecflow }, + { MIB(ipsecFlowDPort), OID_TRD, mib_ipsecflow }, +#if notyet + /* Unprivileged user cannot see commented out information. */ + { MIB(ipsecFlowLocal), OID_TRD, mib_ipsecflow }, +#endif + { MIB(ipsecFlowPeer), OID_TRD, mib_ipsecflow }, +#if notyet + { MIB(ipsecFlowAuthSrcID), OID_TRD, mib_ipsecflow }, + { MIB(ipsecFlowAuthDstID), OID_TRD, mib_ipsecflow }, + { MIB(ipsecFlowAuthType), OID_TRD, mib_ipsecflow }, +#endif + { MIB(ipsecFlowType), OID_TRD, mib_ipsecflow }, { MIB(memMIBObjects), OID_MIB }, { MIB(memMIBVersion), OID_RD, mps_getint, NULL, NULL, OIDVER_OPENBSD_MEM }, @@ -2831,7 +2852,6 @@ mib_carpiftable(struct oid *oid, struct /* Get and verify the current row index */ idx = o->bo_id[OIDIDX_carpIfEntry]; - if ((cif = mib_carpifget(idx)) == NULL) return (1); @@ -2877,10 +2897,12 @@ mib_memiftable(struct oid *oid, struct b u_int32_t idx = 0; struct kif *kif; + /* Get and verify the current row index */ idx = o->bo_id[OIDIDX_memIfEntry]; if ((kif = mib_ifget(idx)) == NULL) return (1); + /* Tables need to prepend the OID on their own */ o->bo_id[OIDIDX_memIfEntry] = kif->if_index; ber = ber_add_oid(ber, o); 
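Review bot: The comment `/* Unprivileged user cannot see commented out information. */` is placed inside the first `#if notyet` block of the openbsd_mib table, but the reason it gives applies equally to the second `#if notyet` block (ipsecFlowAuthSrcID/DstID/Type), and a reader of the table cannot tell that columns 9 and 11–13 are deliberately reserved rather than forgotten. I would move it above the first `#if notyet` and make the scope explicit, e.g. `/* Columns 9 and 11-13 (local address, auth IDs, auth type) are reserved but not exported yet: presumably because ipsecctl(8) does not show them to unprivileged users. */`, and drop the inner one. Whether the restriction comes from ipsecctl(8) or from snmpd's own privilege level is not visible in this diff, so the wording should be adjusted to whichever is the case. The same reservation should be stated in the OPENBSD MIB file once the table is documented there, so NMS operators do not treat the gaps as missing columns.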
@@ -2891,6 +2913,110 @@ mib_memiftable(struct oid *oid, struct b case 2: ber = ber_add_integer(ber, 0); ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_COUNTER64); + break; + default: + return (-1); + } + + return (0); +} + +#include "ipsec.h" + +int +mib_ipsecflow(struct oid *oid, struct ber_oid *o, struct ber_element +**elm) { + struct ber_element *ber = *elm; + struct ipsec_rule *r; + u_int32_t val, idx = 0; + + /* Get and verify the current row index */ + idx = o->bo_id[OIDIDX_ipsecFlowEntry]; + if ((r = ipsec_get_rule(idx)) == NULL) + return (1); + + /* Tables need to prepend the OID on their own */ + o->bo_id[OIDIDX_ipsecFlowEntry] = r->nr; + ber = ber_add_oid(ber, o); + + switch (o->bo_id[OIDIDX_ipsecFlow]) { + case 1: /* satype */ + ber = ber_add_string(ber, satype[r->satype]); + break; + case 2: /* direction */ + ber = ber_add_string(ber, direction[r->direction]); + break; + case 3: /* from address */ + val = r->src->address.v4.s_addr; + ber = ber_add_nstring(ber, (char *)&val, sizeof(val)); + ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_IPADDR); + break; + case 4: /* from netmask */ + val = r->src->mask.v4.s_addr; + ber = ber_add_nstring(ber, (char *)&val, sizeof(val)); + ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_IPADDR); + break; + case 5: /* sport */ + ber = ber_add_integer(ber, ntohs(r->sport)); + break; + case 6: /* to address */ + val = r->dst->address.v4.s_addr; + ber = ber_add_nstring(ber, (char *)&val, sizeof(val)); + ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_IPADDR); + break; + case 7: /* to netmask */ + val = r->dst->mask.v4.s_addr; + ber = ber_add_nstring(ber, (char *)&val, sizeof(val)); + ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_IPADDR); + break; + case 8: /* dport */ + ber = ber_add_integer(ber, ntohs(r->dport)); + break; +#if notyet + case 9: /* local*/ + if (r->local == NULL) { + ber = ber_add_string(ber, ""); + break; + } + val = r->local->address.v4.s_addr; + ber = ber_add_nstring(ber, (char *)&val, 
sizeof(val)); + ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_IPADDR); + break; +#endif + case 10: /* peer */ + if (r->peer == NULL) { + ber = ber_add_string(ber, ""); + break; + } + val = r->peer->address.v4.s_addr; + ber = ber_add_nstring(ber, (char *)&val, sizeof(val)); + ber_set_header(ber, BER_CLASS_APPLICATION, SNMP_T_IPADDR); + break; +#if notyet + case 11: /* srcid */ + if (r->auth == NULL || r->auth->srcid == NULL) { + ber = ber_add_string(ber, ""); + break; + } + ber = ber_add_string(ber, r->auth->srcid); + break; + case 12: /* dstid */ + if (r->auth == NULL || r->auth->dstid == NULL) { + ber = ber_add_string(ber, ""); + break; + } + ber = ber_add_string(ber, r->auth->dstid); + break; + case 13: /* auth type */ + if (r->auth == NULL || r->auth->type == 0) { + ber = ber_add_string(ber, ""); + break; + } + ber = ber_add_string(ber, auth[r->auth->type]); + break; +#endif + case 14: /* type */ + ber = ber_add_string(ber, flowtype[r->flowtype]); break; default: return (-1); Index: mib.h =================================================================== RCS file: /cvs/src/usr.sbin/snmpd/mib.h,v retrieving revision 1.38 diff -u -p -r1.38 mib.h --- mib.h 7 Mar 2016 19:33:26 -0000 1.38 +++ mib.h 19 Dec 2017 11:29:32 -0000 
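Review bot: In mib_ipsecflow the peer column (case 10) changes its SNMP type depending on the row: a NULL `r->peer` yields an OCTET STRING via `ber_add_string(ber, "")`, while every other row yields an APPLICATION IpAddress, and an SMI column must have exactly one SYNTAX, so MIB compilers and NMS collectors will reject or misparse the table (the `#if notyet` local column, case 9, has the same shape). I would keep the column IpAddress-typed and encode the absent peer as 0.0.0.0: `val = (r->peer == NULL) ? 0 : r->peer->address.v4.s_addr;` followed by the existing `ber_add_nstring`/`ber_set_header` pair, with the NULL-check branch removed. Separately, cases 3, 4, 6, 7 and 10 read `address.v4.s_addr` unconditionally; if `r->src`/`r->dst`/`r->peer` are the ipsecctl(8) address wrappers, which also carry IPv6 addresses in the same union, an AF_INET6 flow would be exported as an IpAddress made of the first four bytes of the v6 address, so the address family should be checked (the wrapper's `af` field, if I recall the ipsecctl header correctly) and non-IPv4 rows skipped with `return (1);` or exported as an OCTET STRING until a proper InetAddress column exists. The `#include "ipsec.h"` dropped into the middle of mib.c belongs with the other includes at the top of the file. The end of mib_ipsecflow (`return (0);` and the closing brace) lies outside the hunk.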
@@ -677,6 +677,25 @@ #define MIB_relaydHostTrapRetry MIB_relaydHostTrap, 8 #define MIB_relaydHostTrapRetryCount MIB_relaydHostTrap, 9 #define MIB_ipsecMIBObjects MIB_openBSD, 4 +#define MIB_ipsecFlowTable MIB_ipsecMIBObjects, 1 +#define MIB_ipsecFlowEntry MIB_ipsecFlowTable, 1 +#define OIDIDX_ipsecFlow 10 +#define OIDIDX_ipsecFlowEntry 11 +#define MIB_ipsecFlowSAType MIB_ipsecFlowEntry, 1 +#define MIB_ipsecFlowDirection MIB_ipsecFlowEntry, 2 +#define MIB_ipsecFlowFromAddr MIB_ipsecFlowEntry, 3 +#define MIB_ipsecFlowFromMask MIB_ipsecFlowEntry, 4 +#define MIB_ipsecFlowSPort MIB_ipsecFlowEntry, 5 +#define MIB_ipsecFlowToAddr MIB_ipsecFlowEntry, 6 +#define MIB_ipsecFlowToMask MIB_ipsecFlowEntry, 7 +#define MIB_ipsecFlowDPort MIB_ipsecFlowEntry, 8 +#define MIB_ipsecFlowLocal MIB_ipsecFlowEntry, 9 +#define MIB_ipsecFlowPeer MIB_ipsecFlowEntry, 10 +#define MIB_ipsecFlowAuthSrcID MIB_ipsecFlowEntry, 11 +#define MIB_ipsecFlowAuthDstID MIB_ipsecFlowEntry, 12 +#define MIB_ipsecFlowAuthType MIB_ipsecFlowEntry, 13 +#define MIB_ipsecFlowType MIB_ipsecFlowEntry, 14 + #define MIB_memMIBObjects MIB_openBSD, 5 #define MIB_memMIBVersion MIB_memMIBObjects, 1 #define OIDVER_OPENBSD_MEM 1 @@ -1234,6 +1253,19 @@ { MIBDECL(sensorValue) }, \ { MIBDECL(sensorUnits) }, \ { MIBDECL(sensorStatus) }, \ + { MIBDECL(ipsecMIBObjects) }, \ + { MIBDECL(ipsecFlowTable) }, \ + { MIBDECL(ipsecFlowEntry) }, \ + { MIBDECL(ipsecFlowSAType) }, \ + { MIBDECL(ipsecFlowDirection) }, \ + { MIBDECL(ipsecFlowFromAddr) }, \ + { MIBDECL(ipsecFlowFromMask) }, \ + { MIBDECL(ipsecFlowSPort) }, \ + { MIBDECL(ipsecFlowToAddr) }, \ + { MIBDECL(ipsecFlowToMask) }, \ + { MIBDECL(ipsecFlowDPort) }, \ + { MIBDECL(ipsecFlowPeer) }, \ + { MIBDECL(ipsecFlowType) }, \ { MIBDECL(memMIBObjects) }, \ { MIBDECL(memMIBVersion) }, \ { MIBDECL(memIfTable) }, \