Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 200215 - ~net-analyzer/net-snmp-5.4.1 clientaddr patch breaks tcp wrappers
Summary: ~net-analyzer/net-snmp-5.4.1 clientaddr patch breaks tcp wrappers
Status: RESOLVED OBSOLETE
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: x86 Linux
: High minor (vote)
Assignee: Gentoo Netmon project
URL: https://sourceforge.net/mailarchive/f...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-11-24 17:28 UTC by Brian Kroth
Modified: 2012-08-19 02:25 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
fix for the bug (netsnmp-fix-src-dst-madness.patch,926 bytes, patch)
2008-10-08 19:21 UTC, Krzysztof Olędzki
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Brian Kroth 2007-11-24 17:28:11 UTC
With the patch included in net-snmpd-5.4.1-r1 and USE=tcpd, hosts.allow requires the local hosts's public IP address to be listed for the snmpd daemon.

Previous to 5.4.1-r1 I had the following in my hosts.allow, hosts.deny:

hosts.allow:
  snmpd : monitoring_hosts_ip

hosts.deny:
  ALL : ALL EXCEPT localhost

with 5.4.1-r1 it logs "connection refused" unless I change hosts.allow to:

  snmpd : monitoring_hosts_ip localhosts_public_ip

If the clientaddr is omitted, the original hosts.* files work as before.

Reproducible: Always

Steps to Reproduce:
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2007-11-24 17:34:28 UTC
So tell upstream, they've accepted the patch.

https://sourceforge.net/tracker/?func=detail&atid=312694&aid=1775124&group_id=12694
Comment 2 Brian Kroth 2007-11-24 17:39:23 UTC
I did.  I thought I should inform people here as well since it doesn't seem to have been included in the official source yet and the ebuild explicitly calls the patch.
Comment 3 Peter Volkov (RETIRED) gentoo-dev 2007-12-27 17:13:47 UTC
Brian, could you try net-snmp-5.4.1-r2.ebuild. It fixes some problems with clineaddr patch. If the problem persists I'll take a look at the problem. Thank you.
Comment 4 Brian Kroth 2007-12-28 17:37:19 UTC
(In reply to comment #3)
> Brian, could you try net-snmp-5.4.1-r2.ebuild. It fixes some problems with
> clineaddr patch. If the problem persists I'll take a look at the problem. Thank
> you.
> 
-r2 has already been replaced with -r3, but the problem still exists.

For now I've just added this to hosts.deny:

ALL EXCEPT snmpd : ALL EXCEPT localhost

Thanks,
Brian
Comment 5 Peter Volkov (RETIRED) gentoo-dev 2007-12-31 08:32:27 UTC
Seems that usage of IP addresses instead of hostnames workarounds the problem.
Comment 6 Brian Kroth 2008-01-02 14:55:23 UTC
(In reply to comment #5)
> Seems that usage of IP addresses instead of hostnames workarounds the problem.
> 

Where?  I'm a little confused by what you mean here, so I'll try to clarify the problem:

My original example was meant to imply the usage of IP addresses in the hosts.allow.  The problem is that for every host you must include its local IP address(es) that is/are serving snmpd requests to remote hosts.  Now consider that you have >50 hosts and so need to maintain >50 hosts.allow.  That's a pain to deal with and prior to this release was unnecessary.  Since I don't want to have to manage all of those hosts.allow separately I left hosts.allow and changed hosts.deny to the following:

hosts.allow:
 snmpd : the_monitoring_hosts_ip

hosts.deny:
 ALL EXCEPT snmpd : ALL EXCEPT localhost

meaning that the default should be to deny traffic to anything but the localhost, except for snmpd, which needs an exception due to the patch.  After that the hosts.allow seems to be honored as expected.

Make sense?

This is an acceptable workaround from my point of view, it just changed from one version to the next and I thought someone else should be aware of it.  If you want to close it feel free, otherwise I'm happy to try more tweaks.

Thanks,
Brian
Comment 7 Krzysztof Olędzki 2008-10-08 19:21:19 UTC
Created attachment 167654 [details, diff]
fix for the bug

OK, here is a fix I have just proposed to the upstream.
Comment 8 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-10-10 08:25:06 UTC
Krzysztof Olędzki: please link to the thread where you proposed the new patch.

netmon: your bug again, i'll check later if you're busy.
Comment 9 Krzysztof Olędzki 2008-10-11 21:40:22 UTC
http://42.pl/u/15MV (sorry for the two typos I have made)
http://sourceforge.net/tracker/?group_id=12694&atid=312694
Comment 10 Marcel Meckel 2009-02-26 22:13:49 UTC
Seems to be related to #250429