448664: snmp directive dontLogTCPWrappersConnects needs backporting Source: upstream, SVN rev. 14431 Reviewed-by: Jan Safranek <jsafrane@redhat.com> snmpd spams syslog with "Connection from UDP ..." messages on every connection. This patch introduces new snmpd.conf option 'dontLogTCPWrappersConnects', which turns it off. diff -up net-snmp-5.3.2.2/agent/agent_read_config.c.dontlog net-snmp-5.3.2.2/agent/agent_read_config.c --- net-snmp-5.3.2.2/agent/agent_read_config.c.dontlog 2007-05-07 22:23:23.000000000 +0200 +++ net-snmp-5.3.2.2/agent/agent_read_config.c 2008-08-05 14:47:17.000000000 +0200 @@ -255,6 +255,9 @@ init_agent_read_config(const char *app) netsnmp_ds_register_config(ASN_BOOLEAN, app, "leave_pidfile", NETSNMP_DS_APPLICATION_ID, NETSNMP_DS_AGENT_LEAVE_PIDFILE); + netsnmp_ds_register_config(ASN_BOOLEAN, app, "dontLogTCPWrappersConnects", + NETSNMP_DS_APPLICATION_ID, + NETSNMP_DS_AGENT_DONT_LOG_TCPWRAPPERS_CONNECTS); netsnmp_ds_register_config(ASN_INTEGER, app, "maxGetbulkRepeats", NETSNMP_DS_APPLICATION_ID, NETSNMP_DS_AGENT_MAX_GETBULKREPEATS); diff -up net-snmp-5.3.2.2/agent/snmp_agent.c.dontlog net-snmp-5.3.2.2/agent/snmp_agent.c --- net-snmp-5.3.2.2/agent/snmp_agent.c.dontlog 2008-08-05 14:45:52.000000000 +0200 +++ net-snmp-5.3.2.2/agent/snmp_agent.c 2008-08-05 14:49:07.000000000 +0200 @@ -798,9 +798,20 @@ netsnmp_agent_check_packet(netsnmp_sessi char *addr_string = NULL; #ifdef USE_LIBWRAP char *tcpudpaddr, *name; + short not_log_connection; - name = netsnmp_ds_get_string(NETSNMP_DS_LIBRARY_ID, + name = netsnmp_ds_get_string(NETSNMP_DS_LIBRARY_ID, NETSNMP_DS_LIB_APPTYPE); + + /* not_log_connection will be 1 if we should skip the messages */ + not_log_connection = netsnmp_ds_get_boolean(NETSNMP_DS_APPLICATION_ID, + NETSNMP_DS_AGENT_DONT_LOG_TCPWRAPPERS_CONNECTS); + + /* + * handle the error case + * default to logging the messages + */ + if (not_log_connection == SNMPERR_GENERR) not_log_connection = 0; #endif /* 
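Review bot: `not_log_connection` is declared `short` but is assigned the `int` return of `netsnmp_ds_get_boolean()` and then compared with the `int` constant `SNMPERR_GENERR`, so every use pays a narrowing store followed by a promotion for no benefit; declare it `int not_log_connection;` to match the API it reads from. The negative name also forces the `if (!not_log_connection)` double negative at the two call sites later in this function, so folding the error case into a positively-named flag reads better while keeping the fail-safe default (a default-store error still results in the message being logged): `int rc = netsnmp_ds_get_boolean(NETSNMP_DS_APPLICATION_ID, NETSNMP_DS_AGENT_DONT_LOG_TCPWRAPPERS_CONNECTS);` followed by `int log_connection = (rc == SNMPERR_GENERR || rc == 0);`, with the call sites becoming `if (log_connection)`. The comment `not_log_connection will be 1 if we should skip the messages` is only true after the GENERR normalisation below it, so it would be clearer placed after that `if`. netsnmp_agent_check_packet() starts before this hunk and continues past it.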
@@ -831,7 +842,9 @@ netsnmp_agent_check_packet(netsnmp_sessi *xp = '\0'; if (hosts_ctl(name, STRING_UNKNOWN, sbuf, STRING_UNKNOWN)) { - snmp_log(allow_severity, "Connection from %s\n", addr_string); + if (!not_log_connection) { + snmp_log(allow_severity, "Connection from %s\n", addr_string); + } } else { snmp_log(deny_severity, "Connection from %s REFUSED\n", addr_string); @@ -846,7 +859,9 @@ netsnmp_agent_check_packet(netsnmp_sessi if (0 == strncmp(addr_string, "callback", 8)) ; else if (hosts_ctl(name, STRING_UNKNOWN, STRING_UNKNOWN, STRING_UNKNOWN)){ - snmp_log(allow_severity, "Connection from <UNKNOWN> (%s)\n", addr_string); + if (!not_log_connection) { + snmp_log(allow_severity, "Connection from <UNKNOWN> (%s)\n", addr_string); + } SNMP_FREE(addr_string); addr_string = strdup("<UNKNOWN>"); } else { diff -up net-snmp-5.3.2.2/include/net-snmp/agent/ds_agent.h.dontlog net-snmp-5.3.2.2/include/net-snmp/agent/ds_agent.h --- net-snmp-5.3.2.2/include/net-snmp/agent/ds_agent.h.dontlog 2007-05-07 22:23:23.000000000 +0200 +++ net-snmp-5.3.2.2/include/net-snmp/agent/ds_agent.h 2008-08-05 14:45:54.000000000 +0200 @@ -18,6 +18,7 @@ #define NETSNMP_DS_AGENT_NO_CACHING 8 /* 1 = disable netsnmp_cache */ #define NETSNMP_DS_AGENT_STRICT_DISMAN 9 /* 1 = "correct" object ordering */ #define NETSNMP_DS_AGENT_DONT_RETAIN_NOTIFICATIONS 10 /* 1 = disable trap logging */ +#define NETSNMP_DS_AGENT_DONT_LOG_TCPWRAPPERS_CONNECTS 12 /* 1 = disable logging */ #define NETSNMP_DS_APP_DONT_LOG NETSNMP_DS_AGENT_DONT_RETAIN_NOTIFICATIONS /* compat */ /* WARNING: The trap receiver uses DS flags and must not conflict with diff -up net-snmp-5.3.2.2/man/snmpd.conf.5.def.dontlog net-snmp-5.3.2.2/man/snmpd.conf.5.def --- net-snmp-5.3.2.2/man/snmpd.conf.5.def.dontlog 2007-05-07 22:23:23.000000000 +0200 +++ net-snmp-5.3.2.2/man/snmpd.conf.5.def 2008-08-05 14:45:54.000000000 +0200 
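Review bot: With the option set, an accepted connection now leaves no trace at all on this path, because the message being suppressed is the only output of the allow branch of `hosts_ctl()`, while the `REFUSED` message in the else branch is rightly kept. If the file's `DEBUGMSGTL` facility is usable here (it is not visible in the hunk), consider keeping the peer address reachable under `-Dsnmp_agent` with `else DEBUGMSGTL(("snmp_agent", "Connection from %s\n", addr_string));`, so syslog stays quiet by default but the information is not discarded while an operator is actively debugging. The same applies to the `<UNKNOWN>` branch in the next hunk. netsnmp_agent_check_packet() begins before this hunk and continues past it.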
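Review bot: The new define uses index 12 and leaves a gap at 11, and nothing in the hunk shows what already occupies 11 or 12 in this 5.3.2.2 tree; the new code in snmp_agent.c looks the flag up purely by `(NETSNMP_DS_APPLICATION_ID, index)`, so a duplicate index is not a compile error but would silently make two snmpd.conf tokens toggle the same bit, and the WARNING comment just below this line says the trap receiver's flags must not collide either. Please confirm 12 is unused by both snmpd and snmptrapd here, since the upstream revision being backported may have picked 12 because of intervening definitions that do not exist in this older header. The trailing comment `/* 1 = disable logging */` is also ambiguous next to DONT_RETAIN_NOTIFICATIONS's "disable trap logging"; make it specific: `#define NETSNMP_DS_AGENT_DONT_LOG_TCPWRAPPERS_CONNECTS 12 /* 1 = don't log accepted tcpwrappers connections */`.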
@@ -1401,6 +1401,11 @@ for some reason is failing to implement this module will convert all getbulk requests to getnext requests before the final module receives it. .RE +.IP "dontLogTCPWrappersConnects" +If the \fBsnmpd\fR was compiled with TCP Wrapper support, it +logs every connection made to the agent. This setting disables +the log messages for accepted connections. Denied connections will +still be logged. .IP "Figuring out module names" To figure out which modules you can inject things into, run \fBsnmpwalk\fR on the \fCnsModuleTable\fR which will give