
net-snmp-5.3.2.2-7.el5_4.2.src.rpm

448664: snmp directive dontLogTCPWrappersConnects needs backporting

Source: upstream, SVN rev. 14431
Reviewed-by: Jan Safranek <jsafrane@redhat.com>

snmpd spams syslog with "Connection from UDP ..." messages on every connection.
This patch introduces a new snmpd.conf option, 'dontLogTCPWrappersConnects',
which turns these messages off.

diff -up net-snmp-5.3.2.2/agent/agent_read_config.c.dontlog net-snmp-5.3.2.2/agent/agent_read_config.c
--- net-snmp-5.3.2.2/agent/agent_read_config.c.dontlog	2007-05-07 22:23:23.000000000 +0200
+++ net-snmp-5.3.2.2/agent/agent_read_config.c	2008-08-05 14:47:17.000000000 +0200
@@ -255,6 +255,9 @@ init_agent_read_config(const char *app)
     netsnmp_ds_register_config(ASN_BOOLEAN, app, "leave_pidfile", 
 			       NETSNMP_DS_APPLICATION_ID,
 			       NETSNMP_DS_AGENT_LEAVE_PIDFILE);
+    netsnmp_ds_register_config(ASN_BOOLEAN, app, "dontLogTCPWrappersConnects",
+                               NETSNMP_DS_APPLICATION_ID,
+                               NETSNMP_DS_AGENT_DONT_LOG_TCPWRAPPERS_CONNECTS);
     netsnmp_ds_register_config(ASN_INTEGER, app, "maxGetbulkRepeats",
                                NETSNMP_DS_APPLICATION_ID,
                                NETSNMP_DS_AGENT_MAX_GETBULKREPEATS);
diff -up net-snmp-5.3.2.2/agent/snmp_agent.c.dontlog net-snmp-5.3.2.2/agent/snmp_agent.c
--- net-snmp-5.3.2.2/agent/snmp_agent.c.dontlog	2008-08-05 14:45:52.000000000 +0200
+++ net-snmp-5.3.2.2/agent/snmp_agent.c	2008-08-05 14:49:07.000000000 +0200
@@ -798,9 +798,20 @@ netsnmp_agent_check_packet(netsnmp_sessi
     char           *addr_string = NULL;
 #ifdef  USE_LIBWRAP
     char *tcpudpaddr, *name;
+    short not_log_connection;
 
-    name = netsnmp_ds_get_string(NETSNMP_DS_LIBRARY_ID, 
+    name = netsnmp_ds_get_string(NETSNMP_DS_LIBRARY_ID,
                                  NETSNMP_DS_LIB_APPTYPE);
+
+    /* not_log_connection will be 1 if we should skip the messages */
+    not_log_connection = netsnmp_ds_get_boolean(NETSNMP_DS_APPLICATION_ID,
+                                                NETSNMP_DS_AGENT_DONT_LOG_TCPWRAPPERS_CONNECTS);
+
+    /*
+     * handle the error case
+     * default to logging the messages
+     */
+    if (not_log_connection == SNMPERR_GENERR) not_log_connection = 0;
 #endif
 
     /*
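Review bot: `not_log_connection` is declared `short` but receives the `int` returned by netsnmp_ds_get_boolean() and is then compared with SNMPERR_GENERR, so the error check relies on an implicit narrowing conversion. Declaring it as `int not_log_connection;` matches the return type and removes that dependency. The negative name also makes the later `if (!not_log_connection)` tests a double negative; a positive name such as `log_connection` (initialised to the inverse) would read more directly. The declaration sits inside `#ifdef USE_LIBWRAP`, and the function body starts before and continues after this hunk.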
@@ -831,7 +842,9 @@ netsnmp_agent_check_packet(netsnmp_sessi
             *xp = '\0';
  
         if (hosts_ctl(name, STRING_UNKNOWN, sbuf, STRING_UNKNOWN)) {
-            snmp_log(allow_severity, "Connection from %s\n", addr_string);
+            if (!not_log_connection) {
+                snmp_log(allow_severity, "Connection from %s\n", addr_string);
+            }
         } else {
             snmp_log(deny_severity, "Connection from %s REFUSED\n",
                      addr_string);
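Review bot: With the option set, the allow branch here (and the matching `<UNKNOWN>` allow branch in the next hunk) emits nothing, so a peer that passes hosts_ctl() leaves no record in the agent's log. If that record matters for later incident review, the message could be kept at debug level instead of dropped, for example an `else` carrying `DEBUGMSGTL(("snmp_agent", "Connection from %s\n", addr_string));` (the debug token is an example). At minimum, a comment on the new `if` such as `/* only accepted connections are silenced; REFUSED is always logged */` would record that the deny path is left unconditional on purpose. The enclosing function starts and ends outside this hunk.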
@@ -846,7 +859,9 @@ netsnmp_agent_check_packet(netsnmp_sessi
         if (0 == strncmp(addr_string, "callback", 8))
             ;
         else if (hosts_ctl(name, STRING_UNKNOWN, STRING_UNKNOWN, STRING_UNKNOWN)){
-            snmp_log(allow_severity, "Connection from <UNKNOWN> (%s)\n", addr_string);
+            if (!not_log_connection) {
+                snmp_log(allow_severity, "Connection from <UNKNOWN> (%s)\n", addr_string);
+            }
             SNMP_FREE(addr_string);
             addr_string = strdup("<UNKNOWN>");
         } else {
diff -up net-snmp-5.3.2.2/include/net-snmp/agent/ds_agent.h.dontlog net-snmp-5.3.2.2/include/net-snmp/agent/ds_agent.h
--- net-snmp-5.3.2.2/include/net-snmp/agent/ds_agent.h.dontlog	2007-05-07 22:23:23.000000000 +0200
+++ net-snmp-5.3.2.2/include/net-snmp/agent/ds_agent.h	2008-08-05 14:45:54.000000000 +0200
@@ -18,6 +18,7 @@
 #define NETSNMP_DS_AGENT_NO_CACHING     8       /* 1 = disable netsnmp_cache */
 #define NETSNMP_DS_AGENT_STRICT_DISMAN  9       /* 1 = "correct" object ordering */
 #define NETSNMP_DS_AGENT_DONT_RETAIN_NOTIFICATIONS 10   /* 1 = disable trap logging */
+#define NETSNMP_DS_AGENT_DONT_LOG_TCPWRAPPERS_CONNECTS 12   /* 1 = disable logging */
 #define NETSNMP_DS_APP_DONT_LOG         NETSNMP_DS_AGENT_DONT_RETAIN_NOTIFICATIONS /* compat */
 
 /* WARNING: The trap receiver uses DS flags and must not conflict with
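Review bot: The new flag takes index 12 and skips 11, with nothing on the line to explain the gap. The WARNING comment that starts just below (it runs past the end of this hunk) says the trap receiver's DS flags must not conflict with these, so 11 is presumably taken there, but the hunk does not show it. A short comment such as `/* 11 intentionally skipped: see WARNING below */` would stop a later backport from reusing 11. Since the value comes from a newer upstream revision, it is also worth confirming that 12 is unused in the trap receiver's flag list in this 5.3.2.2 tree.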
diff -up net-snmp-5.3.2.2/man/snmpd.conf.5.def.dontlog net-snmp-5.3.2.2/man/snmpd.conf.5.def
--- net-snmp-5.3.2.2/man/snmpd.conf.5.def.dontlog	2007-05-07 22:23:23.000000000 +0200
+++ net-snmp-5.3.2.2/man/snmpd.conf.5.def	2008-08-05 14:45:54.000000000 +0200
@@ -1401,6 +1401,11 @@ for some reason is failing to implement 
 this module will convert all getbulk requests to
 getnext requests before the final module receives it.
 .RE
+.IP "dontLogTCPWrappersConnects"
+If the \fBsnmpd\fR was compiled with TCP Wrapper support, it
+logs every connection made to the agent. This setting disables
+the log messages for accepted connections. Denied connections will
+still be logged.
 .IP "Figuring out module names"
 To figure out which modules you can inject things into,
 run \fBsnmpwalk\fR on the \fCnsModuleTable\fR which will give