MIDCOM-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE,
    NOTIFICATION-TYPE, Unsigned32,
    Counter32, Gauge32, mib-2
        FROM SNMPv2-SMI                     -- RFC 2578
    TEXTUAL-CONVENTION, TruthValue,
    StorageType, RowStatus
        FROM SNMPv2-TC                      -- RFC 2579
    MODULE-COMPLIANCE, OBJECT-GROUP,
        FROM SNMPv2-CONF                    -- RFC 2580
    SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB             -- RFC 3411
    InetAddressType, InetAddress,
    InetPortNumber,
    InetAddressPrefixLength
        FROM INET-ADDRESS-MIB               -- RFC 4001
    InterfaceIndexOrZero
        FROM IF-MIB                         -- RFC 2863
        FROM NAT-MIB;                       -- RFC 4008
midcomMIB MODULE-IDENTITY
    LAST-UPDATED "200708091011Z"  -- August 09, 2007
    ORGANIZATION "IETF Middlebox Communication Working Group"
    CONTACT-INFO
        "http://www.ietf.org/html.charters/midcom-charter.html

         General Discussion: midcom@ietf.org
         To Subscribe: midcom-request@ietf.org
         In Body: subscribe your_email_address

         Tel: +49 6221 4342-115
         Email: quittek@nw.neclab.eu

         Tel: +49 6221 4342-113
         Email: stiemerling@nw.neclab.eu

         Mountain View, CA 94043
         Email: srisuresh@yahoo.com"
    DESCRIPTION
        "This MIB module defines a set of basic objects for
         configuring middleboxes, such as firewalls and network
         address translators, in order to enable communication

         Managed objects defined in this MIB module are structured
         in three kinds of objects:
         - transaction objects required according to the MIDCOM
           protocol requirements defined in RFC 3304 and according
           to the MIDCOM protocol semantics defined in RFC 3989,
         - configuration objects that can be used for retrieving or
           setting parameters of the implementation of transaction
         - optional monitoring objects that provide information
           about used resource and statistics

         The transaction objects are organized in two subtrees:
         - objects modeling MIDCOM policy rules in the
         - objects modeling MIDCOM policy rule groups in the

         Note that typically, configuration objects are not intended
         to be written by MIDCOM clients. In general, write access
         to these objects needs to be restricted more strictly than
         write access to objects in the transaction subtrees.

         Copyright (C) The Internet Society (2008). This version
         of this MIB module is part of RFC 5190; see the RFC
         itself for full legal notices."

    REVISION "200708091011Z"  -- August 09, 2007
    DESCRIPTION "Initial version, published as RFC 5190."

-- main components of this MIB module

midcomNotifications OBJECT IDENTIFIER ::= { midcomMIB 0 }
midcomObjects       OBJECT IDENTIFIER ::= { midcomMIB 1 }
midcomConformance   OBJECT IDENTIFIER ::= { midcomMIB 2 }
-- Transaction objects required according to the MIDCOM
-- protocol requirements defined in RFC 3304 and according to
-- the MIDCOM protocol semantics defined in RFC 3989
midcomTransaction OBJECT IDENTIFIER ::= { midcomObjects 1 }

-- Configuration objects that can be used for retrieving
-- middlebox capability information (mandatory) and for
-- setting parameters of the implementation of transaction
-- objects (optional)
midcomConfig OBJECT IDENTIFIER ::= { midcomObjects 2 }

-- Optional monitoring objects that provide information about
-- used resource and statistics
midcomMonitoring OBJECT IDENTIFIER ::= { midcomObjects 3 }

--
-- Transaction Objects
--
-- Transaction objects are structured according to the MIDCOM
-- protocol semantics into two groups:
--   - objects modeling MIDCOM policy rules in the midcomRuleTable
--   - objects modeling MIDCOM policy rule groups in the
--
-- Policy rule subtree
--
-- The midcomRuleTable lists policy rules
-- including policy reserve rules and policy enable rules.

midcomRuleTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF MidcomRuleEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This table lists policy rules.

         It is indexed by the midcomRuleOwner, the
         midcomGroupIndex, and the midcomRuleIndex.
         This implies that a rule is a member of exactly
         one group and that group membership cannot

         Entries can be deleted by writing to
         midcomGroupLifetime or midcomRuleLifetime
         and potentially also to midcomRuleStorageTime."
    ::= { midcomTransaction 3 }

midcomRuleEntry OBJECT-TYPE
    SYNTAX      MidcomRuleEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An entry describing a particular MIDCOM policy rule."
    INDEX { midcomRuleOwner, midcomGroupIndex, midcomRuleIndex }
    ::= { midcomRuleTable 1 }
MidcomRuleEntry ::= SEQUENCE {
    midcomRuleOwner                   SnmpAdminString,
    midcomRuleIndex                   Unsigned32,
    midcomRuleAdminStatus             INTEGER,
    midcomRuleOperStatus              INTEGER,
    midcomRuleStorageType             StorageType,
    midcomRuleStorageTime             Unsigned32,
    midcomRuleError                   SnmpAdminString,
    midcomRuleInterface               InterfaceIndexOrZero,
    midcomRuleFlowDirection           INTEGER,
    midcomRuleMaxIdleTime             Unsigned32,
    midcomRuleTransportProtocol       Unsigned32,
    midcomRulePortRange               INTEGER,
    midcomRuleInternalIpVersion       InetAddressType,
    midcomRuleExternalIpVersion       InetAddressType,
    midcomRuleInternalIpAddr          InetAddress,
    midcomRuleInternalIpPrefixLength  InetAddressPrefixLength,
    midcomRuleInternalPort            InetPortNumber,
    midcomRuleExternalIpAddr          InetAddress,
    midcomRuleExternalIpPrefixLength  InetAddressPrefixLength,
    midcomRuleExternalPort            InetPortNumber,
    midcomRuleInsideIpAddr            InetAddress,
    midcomRuleInsidePort              InetPortNumber,
    midcomRuleOutsideIpAddr           InetAddress,
    midcomRuleOutsidePort             InetPortNumber,
    midcomRuleLifetime                Unsigned32,
    midcomRuleRowStatus               RowStatus
}
midcomRuleOwner OBJECT-TYPE
    SYNTAX      SnmpAdminString (SIZE (0..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The manager who owns this row in the midcomRuleTable.

         This object SHOULD uniquely identify an authenticated
         MIDCOM client. This object is part of the table index to
         allow for the use of the SNMPv3 View-based Access Control
         Model (VACM, RFC 3415)."
    ::= { midcomRuleEntry 1 }

midcomRuleIndex OBJECT-TYPE
    SYNTAX      Unsigned32 (1..4294967295)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The value of this object must be unique in
         combination with the values of the objects
         midcomRuleOwner and midcomGroupIndex in this row."
    ::= { midcomRuleEntry 3 }
midcomRuleAdminStatus OBJECT-TYPE
    SYNTAX      INTEGER {
                    reserve(1),
                    enable(2),
                    notSet(3)
                }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The value of this object indicates the desired status of
         the policy rule. See the definition of midcomRuleOperStatus
         for a description of the values.

         When a midcomRuleEntry is created without explicitly setting
         this object, its value will be notSet(3).

         However, a SET request can only set this object to either
         reserve(1) or enable(2). Attempts to set this object to
         notSet(3) will always fail with an 'inconsistentValue'
         error. Note that this error code is SNMP specific. If the
         MIB module is used with other protocols than SNMP, errors
         with similar semantics specific to those protocols should

         When the midcomRuleAdminStatus object is set, then the
         MIDCOM-MIB implementation will try to read the respective
         relevant objects of the entry and try to achieve the
         corresponding midcomRuleOperStatus.

         Setting midcomRuleAdminStatus to value reserve(1) when
         object midcomRuleOperStatus has a value of reserved(7)
         does not have any effect on the policy rule.
         Setting midcomRuleAdminStatus to value enable(2) when
         object midcomRuleOperStatus has a value of enabled(8)
         does not have any effect on the policy rule.

         Depending on whether the midcomRuleAdminStatus is set to
         reserve(1) or enable(2), several objects must be set in
         advance. They serve as parameters of the policy rule to be

         When object midcomRuleAdminStatus is set to reserve(1),
         then the following objects in the same entry are of
         - midcomRuleInterface
         - midcomRuleTransportProtocol
         - midcomRulePortRange
         - midcomRuleInternalIpVersion
         - midcomRuleExternalIpVersion
         - midcomRuleInternalIpAddr
         - midcomRuleInternalIpPrefixLength
         - midcomRuleInternalPort

         MIDCOM-MIB implementation may also consider the value
         of object midcomRuleMaxIdleTime when establishing

         When object midcomRuleAdminStatus is set to enable(2),
         then the following objects in the same entry are of
         - midcomRuleInterface
         - midcomRuleFlowDirection
         - midcomRuleMaxIdleTime
         - midcomRuleTransportProtocol
         - midcomRulePortRange
         - midcomRuleInternalIpVersion
         - midcomRuleExternalIpVersion
         - midcomRuleInternalIpAddr
         - midcomRuleInternalIpPrefixLength
         - midcomRuleInternalPort
         - midcomRuleExternalIpAddr
         - midcomRuleExternalIpPrefixLength
         - midcomRuleExternalPort

         When retrieved, the object returns the last set value.
         If no value has been set, it returns the default value"
    ::= { midcomRuleEntry 4 }
midcomRuleOperStatus OBJECT-TYPE
    SYNTAX      INTEGER {
                    newEntry(1),
                    setting(2),
                    checkingRequest(3),
                    incorrectRequest(4),
                    processingRequest(5),
                    requestRejected(6),
                    reserved(7),
                    enabled(8),
                    timedOut(9),
                    terminatedOnRequest(10),
                    terminated(11),
                    genericError(12)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The actual status of the policy rule. The
         midcomRuleOperStatus object may have the following values:

         - newEntry(1) indicates that the entry in the
           midcomRuleTable was created, but not modified yet.
           Such an entry needs to be filled with values specifying

         - setting(2) indicates that the entry has been already
           modified after generating it, but no request was made

         - checkingRequest(3) indicates that midcomRuleAdminStatus
           has recently been set and that the MIDCOM-MIB
           implementation is currently checking the parameters of
           the request. This is a transient state. The value of
           this object will change to either incorrectRequest(4)
           or processingRequest(5) without any external
           interaction. A MIDCOM-MIB implementation MAY return
           this value while checking request parameters.

         - incorrectRequest(4) indicates that checking a request
           resulted in detecting an incorrect value in one of the
           objects containing request parameters. The failure
           reason is indicated by the value of midcomRuleError.

         - processingRequest(5) indicates that
           midcomRuleAdminStatus has recently been set and that
           the MIDCOM-MIB implementation is currently processing
           the request and trying to configure the middlebox
           accordingly. This is a transient state. The value of
           this object will change to either requestRejected(6),
           reserved(7), or enabled(8) without any external
           interaction. A MIDCOM-MIB implementation MAY return
           this value while processing a request.

         - requestRejected(6) indicates that a request to establish
           a policy rule specified by the entry was rejected. The
           reason for rejection is indicated by the value of

         - reserved(7) indicates that the entry describes an
           established policy reserve rule.
           These values of MidcomRuleEntry are meaningful
           for a reserved policy rule:
           - midcomRuleMaxIdleTime
           - midcomRuleInterface
           - midcomRuleTransportProtocol
           - midcomRulePortRange
           - midcomRuleInternalIpVersion
           - midcomRuleExternalIpVersion
           - midcomRuleInternalIpAddr
           - midcomRuleInternalIpPrefixLength
           - midcomRuleInternalPort
           - midcomRuleOutsideIpAddr
           - midcomRuleOutsidePort

         - enabled(8) indicates that the entry describes an
           established policy enable rule.
           These values of MidcomRuleEntry are meaningful
           for an enabled policy rule:
           - midcomRuleFlowDirection
           - midcomRuleInterface
           - midcomRuleMaxIdleTime
           - midcomRuleTransportProtocol
           - midcomRulePortRange
           - midcomRuleInternalIpVersion
           - midcomRuleExternalIpVersion
           - midcomRuleInternalIpAddr
           - midcomRuleInternalIpPrefixLength
           - midcomRuleInternalPort
           - midcomRuleExternalIpAddr
           - midcomRuleExternalIpPrefixLength
           - midcomRuleExternalPort
           - midcomRuleInsideIpAddr
           - midcomRuleInsidePort
           - midcomRuleOutsideIpAddr
           - midcomRuleOutsidePort

         - timedOut(9) indicates that the lifetime of a previously
           established policy rule has expired and that the policy
           rule is terminated for this reason.

         - terminatedOnRequest(10) indicates that a previously
           established policy rule was terminated by an SNMP
           manager setting the midcomRuleLifetime to 0 or
           setting midcomGroupLifetime to 0.

         - terminated(11) indicates that a previously established
           policy rule was terminated by the MIDCOM-MIB
           implementation for a reason other than lifetime
           expiration or an explicit request from a MIDCOM client.

         - genericError(12) indicates that the policy rule
           specified by the entry is not established due to
           an error condition not listed above.

         The states timedOut(9), terminatedOnRequest(10), and
         terminated(11) are referred to as termination states.

         The states incorrectRequest(4), requestRejected(6),
         and genericError(12) are referred to as error states.

         The checkingRequest(3) and processingRequest(5)
         states are transient states, which will lead to either
         one of the error states or the reserved(7) state or the
         enabled(8) state. MIDCOM-MIB implementations MAY return
         these values when checking or processing requests."
    ::= { midcomRuleEntry 5 }
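The two descriptions above define a small state machine: a manager fills the parameter objects while the row is in newEntry(1) or setting(2), a SET of midcomRuleAdminStatus drives midcomRuleOperStatus through the transient states into reserved(7), enabled(8) or an error state, and writing 0 to midcomRuleLifetime terminates an established rule. The following Python model is an added example, not code from RFC 5190 or any MIDCOM-MIB implementation; the class, method and helper names (MidcomRuleEntry, set_object, set_admin_status, set_lifetime, rejected, the middlebox_accepts callback) are this example's own, the transient states are collapsed into their outcomes, and the writable-state rules follow the per-object descriptions on this page (request parameters of a reserve rule are fixed once the rule is reserved; the enable-only parameters may still be written in reserved(7)).

```python
# Added example (not RFC 5190 code): model of one midcomRuleEntry row that
# enforces the midcomRuleAdminStatus / midcomRuleOperStatus rules.
from dataclasses import dataclass, field

# midcomRuleOperStatus enumeration, values as listed in the MIB
NEW_ENTRY, SETTING, CHECKING_REQUEST, INCORRECT_REQUEST = 1, 2, 3, 4
PROCESSING_REQUEST, REQUEST_REJECTED, RESERVED, ENABLED = 5, 6, 7, 8
TIMED_OUT, TERMINATED_ON_REQUEST, TERMINATED, GENERIC_ERROR = 9, 10, 11, 12
# midcomRuleAdminStatus enumeration
RESERVE, ENABLE, NOT_SET = 1, 2, 3

# Parameters that must be set before each kind of request (from the MIB text).
RESERVE_PARAMS = ("midcomRuleInterface", "midcomRuleTransportProtocol",
                  "midcomRulePortRange", "midcomRuleInternalIpVersion",
                  "midcomRuleExternalIpVersion", "midcomRuleInternalIpAddr",
                  "midcomRuleInternalIpPrefixLength", "midcomRuleInternalPort")
ENABLE_ONLY_PARAMS = ("midcomRuleFlowDirection", "midcomRuleMaxIdleTime",
                      "midcomRuleExternalIpAddr",
                      "midcomRuleExternalIpPrefixLength", "midcomRuleExternalPort")
ENABLE_PARAMS = RESERVE_PARAMS + ENABLE_ONLY_PARAMS


class InconsistentValue(Exception):
    """Models the SNMP 'inconsistentValue' error the MIB prescribes."""


def rejected(fn, *args):
    """True if the SET modelled by fn(*args) fails with inconsistentValue."""
    try:
        fn(*args)
    except InconsistentValue:
        return True
    return False


@dataclass
class MidcomRuleEntry:
    oper_status: int = NEW_ENTRY
    admin_status: int = NOT_SET
    error: str = ""                       # midcomRuleError
    values: dict = field(default_factory=dict)

    def set_object(self, name, value):
        """SET on a request parameter; allowed only in the states the MIB names."""
        if name in RESERVE_PARAMS:
            allowed = (NEW_ENTRY, SETTING)
        elif name in ENABLE_ONLY_PARAMS:
            allowed = (NEW_ENTRY, SETTING, RESERVED)
        else:
            raise KeyError(name)
        if self.oper_status not in allowed:
            raise InconsistentValue(f"{name} not writable in state {self.oper_status}")
        self.values[name] = value
        if self.oper_status == NEW_ENTRY:
            self.oper_status = SETTING    # first modification after creation
        return self.oper_status

    def set_admin_status(self, desired, middlebox_accepts=lambda params: True):
        """SET on midcomRuleAdminStatus; returns the resulting midcomRuleOperStatus.
        middlebox_accepts stands in for the middlebox's resource check (assumed)."""
        if desired not in (RESERVE, ENABLE):
            raise InconsistentValue("only reserve(1) or enable(2) may be set")
        # Re-issuing the request already in effect has no effect on the rule.
        if (desired, self.oper_status) in ((RESERVE, RESERVED), (ENABLE, ENABLED)):
            return self.oper_status
        self.admin_status = desired
        self.error = ""                   # midcomRuleError is reset on a new attempt
        required = RESERVE_PARAMS if desired == RESERVE else ENABLE_PARAMS
        missing = [p for p in required if p not in self.values]
        if missing:                       # checkingRequest(3) -> incorrectRequest(4)
            self.oper_status = INCORRECT_REQUEST
            self.error = "missing parameter: " + missing[0]
            return self.oper_status
        # processingRequest(5) -> requestRejected(6) | reserved(7) | enabled(8)
        if not middlebox_accepts({p: self.values[p] for p in required}):
            self.oper_status = REQUEST_REJECTED
            self.error = "lack of resources"   # one of the RECOMMENDED strings
            return self.oper_status
        self.oper_status = RESERVED if desired == RESERVE else ENABLED
        return self.oper_status

    def set_lifetime(self, seconds):
        """Writing 0 to midcomRuleLifetime terminates an established rule."""
        if seconds == 0 and self.oper_status in (RESERVED, ENABLED):
            self.oper_status = TERMINATED_ON_REQUEST
        return self.oper_status
```

A row that reaches an error state stays there in this model, which mirrors the MIB: such a row is only aged out via midcomRuleStorageTime, and a client wanting to retry creates a new row.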
midcomRuleStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "When retrieved, this object returns the storage
         type of the policy rule. Writing to this object can
         change the storage type of the particular row from
         volatile(2) to nonVolatile(3) or vice versa.

         Attempts to set this object to permanent will always
         fail with an 'inconsistentValue' error. Note that this
         error code is SNMP specific. If the MIB module is used
         with other protocols than SNMP, errors with similar
         semantics specific to those protocols should be

         If midcomRuleStorageType has the value permanent(4),
         then all objects in this row whose MAX-ACCESS value
         is read-create must be read-only."
    ::= { midcomRuleEntry 6 }

midcomRuleStorageTime OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The value of this object specifies how long this row
         can exist in the midcomRuleTable after the
         midcomRuleOperStatus switched to a termination state or
         to an error state. This object returns the remaining
         time that the row may exist before it is aged out.

         After expiration or termination of the context, the value
         of this object ticks backwards. The entry in the
         midcomRuleTable is destroyed when the value reaches 0.

         The value of this object may be set in order to increase
         or reduce the remaining time that the row may exist.
         Setting the value to 0 will destroy this entry as soon as
         the midcomRuleOperStatus switched to a termination state
         or to an error state.

         Note that there is no guarantee that the row is stored as
         long as this object indicates. At any time, the MIDCOM-
         MIB implementation may decide to remove a row describing
         a terminated policy rule before the storage time of the
         corresponding row in the midcomRuleTable reaches the
         value of 0. In this case, the information stored in this
         row is not available anymore.

         If object midcomRuleStorageType indicates that the policy
         rule has the storage type permanent(4), then this object has
         a constant value of 4294967295."
    ::= { midcomRuleEntry 7 }

midcomRuleError OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "This object contains a descriptive error message if
         the transition into the operational status reserved(7)
         or enabled(8) failed. Implementations must reset the
         error message to a zero-length string when a new
         attempt to change the policy rule status to reserved(7)
         or enabled(8) is started.

         RECOMMENDED values to be returned in particular cases
         - 'lack of IP addresses'
         - 'lack of port numbers'
         - 'lack of resources'
         - 'specified NAT interface does not exist'
         - 'specified NAT interface does not support NAT'
         - 'conflict with already existing policy rule'
         - 'no internal IP wildcarding allowed'
         - 'no external IP wildcarding allowed'

         The semantics of these error messages and the corresponding
         behavior of the MIDCOM-MIB implementation are specified
         in sections 2.3.9 and 2.3.10 of RFC 3989."
    REFERENCE
        "RFC 3989, sections 2.3.9 and 2.3.10"
    ::= { midcomRuleEntry 8 }
midcomRuleInterface OBJECT-TYPE
    SYNTAX      InterfaceIndexOrZero
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object indicates the IP interface for which
         enforcement of a policy rule is requested or performed,

         The interface is identified by its index in the ifTable
         (see IF-MIB in RFC 2863). If the object has a value of 0,
         then no particular interface is indicated.

         This object is used as input to a request for establishing
         a policy rule as well as for indicating the properties of
         an established policy rule.

         If object midcomRuleOperStatus of the same entry has the
         value newEntry(1) or setting(2), then this object can be
         written by a manager in order to request its preference
         concerning the interface at which it requests NAT service.
         The default value of 0 indicates that the manager does not
         have a preferred interface or does not have sufficient
         topology information for specifying one. Writing to this
         object in any state other than newEntry(1) or setting(2)
         will always fail with an 'inconsistentValue' error.

         Note that this error code is SNMP specific. If the MIB
         module is used with other protocols than SNMP, errors with
         similar semantics specific to those protocols should be

         If object midcomRuleOperStatus of the same entry has the
         value reserved(7) or enabled(8), then this object indicates
         the interface at which NAT service for this rule is
         performed. If NAT service is not required for enforcing
         the policy rule, then the value of this object is 0. Also,
         if the MIDCOM-MIB implementation cannot indicate an
         interface, because it does not have this information or
         because NAT service is not offered at a particular single
         interface, then the value of the object is 0.

         Note that the index of a particular interface in the
         ifTable may change after a re-initialization of the
         middlebox, for example, after adding another interface to
         it. In such a case, the value of this object may change,
         but the interface referred to by the MIDCOM-MIB MUST still
         be the same. If, after a re-initialization of the
         middlebox, the interface referred to before
         re-initialization cannot be uniquely mapped anymore to a
         particular entry in the ifTable, then the value of object
         midcomRuleOperStatus of the same entry MUST be changed to

         If object midcomRuleOperStatus of the same entry has a
         value other than newEntry(1), setting(2), reserved(7), or
         enabled(8), then the value of this object is irrelevant."
    ::= { midcomRuleEntry 9 }
midcomRuleFlowDirection OBJECT-TYPE
    SYNTAX      INTEGER {
                    inbound(1),
                    outbound(2),
                    biDirectional(3)
                }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This parameter specifies the direction of enabled
         communication, either inbound(1), outbound(2), or

         The semantics of this object depend on the protocol
         the rule relates to. If the rule is independent of
         the transport protocol (midcomRuleTransportProtocol
         has a value of 0) or if the transport protocol is UDP,
         then the value of midcomRuleFlowDirection indicates
         the direction of packets traversing the middlebox.

         In this case, value inbound(1) indicates that packets
         are traversing from outside to inside, value outbound(2)
         indicates that packets are traversing from inside to
         outside. For both values, inbound(1) and outbound(2),
         packets can traverse the middlebox only unidirectionally.
         A bidirectional flow is indicated by value

         If the transport protocol is TCP, the packet flow is
         always bidirectional, but the value of
         midcomRuleFlowDirection indicates that:

         - inbound(1): bidirectional TCP packet flow.
           First packet, with TCP SYN flag set, must arrive
           at an outside interface of the middlebox.

         - outbound(2): bidirectional TCP packet flow.
           First packet, with TCP SYN flag set, must arrive
           at an inside interface of the middlebox.

         - biDirectional(3): bidirectional TCP packet flow.
           First packet, with TCP SYN flag set, may arrive
           at an inside or an outside interface of the middlebox.

         This object is used as input to a request for
         establishing a policy enable rule as well as for
         indicating the properties of an established policy rule.

         If object midcomRuleOperStatus of the same entry has a
         value of either newEntry(1), setting(2), or reserved(7),
         then this object can be written by a manager in order to
         specify a requested direction to be enabled by a policy
         rule. Writing to this object in any state other than
         newEntry(1), setting(2), or reserved(7) will always fail
         with an 'inconsistentValue' error.

         Note that this error code is SNMP specific. If the MIB
         module is used with other protocols than SNMP, errors with
         similar semantics specific to those protocols should be

         If object midcomRuleOperStatus of the same entry has the
         value enabled(8), then this object indicates the enabled

         If object midcomRuleOperStatus of the same entry has a
         value other than newEntry(1), setting(2), reserved(7), or
         enabled(8), then the value of this object is irrelevant."
    ::= { midcomRuleEntry 10 }
midcomRuleMaxIdleTime OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "Maximum idle time of the policy rule in seconds.

         If no packet to which the policy rule applies passes the
         middlebox for the specified midcomRuleMaxIdleTime, then
         the policy rule enters the termination state timedOut(9).

         A value of 0 indicates that the policy does not require
         an individual idle time and that instead, a default idle
         time chosen by the middlebox is used.

         A value of 4294967295 ( = 2^32 - 1 ) indicates that the
         policy does not time out if it is idle.

         This object is used as input to a request for
         establishing a policy enable rule as well as for
         indicating the properties of an established policy rule.

         If object midcomRuleOperStatus of the same entry has a
         value of either newEntry(1), setting(2), or reserved(7),
         then this object can be written by a manager in order to
         specify a maximum idle time for the policy rule to be
         requested. Writing to this object in any state other
         than newEntry(1), setting(2), or reserved(7) will always
         fail with an 'inconsistentValue' error.

         Note that this error code is SNMP specific. If the MIB
         module is used with other protocols than SNMP, errors with
         similar semantics specific to those protocols should be

         If object midcomRuleOperStatus of the same entry has the
         value enabled(8), then this object indicates the maximum
         idle time of the policy rule. Note that even if a maximum
         idle time greater than zero was requested, the middlebox
         may not be able to support maximum idle times and set the
         value of this object to zero when entering state

         If object midcomRuleOperStatus of the same entry has a
         value other than newEntry(1), setting(2), reserved(7), or
         enabled(8), then the value of this object is irrelevant."
    ::= { midcomRuleEntry 11 }
midcomRuleTransportProtocol OBJECT-TYPE
    SYNTAX      Unsigned32 (0..255)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The transport protocol.

         Valid values for midcomRuleTransportProtocol
         other than zero are defined at:
         http://www.iana.org/assignments/protocol-numbers

         This object is used as input to a request for establishing
         a policy rule as well as for indicating the properties of
         an established policy rule.

         If object midcomRuleOperStatus of the same entry has a
         value of either newEntry(1) or setting(2), then this
         object can be written by a manager in order to specify a
         requested transport protocol. If translation of an IP
         address only is requested, then this object must have the
         default value 0. Writing to this object in any state
         other than newEntry(1) or setting(2) will always fail
         with an 'inconsistentValue' error.

         Note that this error code is SNMP specific. If the MIB
         module is used with other protocols than SNMP, errors with
         similar semantics specific to those protocols should be

         If object midcomRuleOperStatus of the same entry has the
         value reserved(7) or enabled(8), then this object
         indicates which transport protocol is enforced by this
         policy rule. A value of 0 indicates a rule acting on IP

         If object midcomRuleOperStatus of the same entry has a
         value other than newEntry(1), setting(2), reserved(7), or
         enabled(8), then the value of this object is irrelevant."
    ::= { midcomRuleEntry 12 }
midcomRulePortRange OBJECT-TYPE
    SYNTAX      INTEGER {
                    single(1),
                    pair(2)
                }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The range of port numbers.

         This object is used as input to a request for establishing
         a policy rule as well as for indicating the properties of
         an established policy rule. It is relevant to the
         operation of the MIDCOM-MIB implementation only if the
         value of object midcomRuleTransportProtocol in the same
         entry has a value other than 0.

         If object midcomRuleOperStatus of the same entry has the
         value newEntry(1) or setting(2), then this object can be
         written by a manager in order to specify the requested
         size of the port range. With single(1) just a single
         port number is requested, with pair(2) a consecutive pair
         of port numbers is requested with the lower number being
         even. Requesting a consecutive pair of port numbers may
         be used by RTP [RFC3550] and may even be required to
         support older RTP applications.

         Writing to this object in any state other than
         newEntry(1), setting(2) or reserved(7) will always fail
         with an 'inconsistentValue' error.

         Note that this error code is SNMP specific. If the MIB
         module is used with other protocols than SNMP, errors with
         similar semantics specific to those protocols should be

         If object midcomRuleOperStatus of the same entry has a
         value of either reserved(7) or enabled(8), then this
         object will have the value that it had before the
         transition to this state.

         If object midcomRuleOperStatus of the same entry has a
         value other than newEntry(1), setting(2), reserved(7), or
         enabled(8), then the value of this object is irrelevant."
    ::= { midcomRuleEntry 13 }
midcomRuleInternalIpVersion OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "IP version of the internal address (A0) and the inside
         address (A1). Allowed values are ipv4(1), ipv6(2),
         ipv4z(3), and ipv6z(4).

         This object is used as input to a request for establishing
         a policy rule as well as for indicating the properties of
         an established policy rule.

         If object midcomRuleOperStatus of the same entry has the
         value newEntry(1) or setting(2), then this object can be
         written by a manager in order to specify the IP version
         required at the inside of the middlebox. Writing to this
         object in any state other than newEntry(1) or setting(2)
         will always fail with an 'inconsistentValue' error.

         Note that this error code is SNMP specific. If the MIB
         module is used with other protocols than SNMP, errors with
         similar semantics specific to those protocols should be

         If object midcomRuleOperStatus of the same entry has the
         value reserved(7) or enabled(8), then this object
         indicates the internal/inside IP version.

         If object midcomRuleOperStatus of the same entry has a
         value other than newEntry(1), setting(2), reserved(7), or
         enabled(8), then the value of this object is irrelevant."
    ::= { midcomRuleEntry 14 }

midcomRuleExternalIpVersion OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "IP version of the external address (A3) and the outside
         address (A2). Allowed values are ipv4(1) and ipv6(2).

         This object is used as input to a request for establishing
         a policy rule as well as for indicating the properties of
         an established policy rule.

         If object midcomRuleOperStatus of the same entry has the
         value newEntry(1) or setting(2), then this object can be
         written by a manager in order to specify the IP version
         required at the outside of the middlebox. Writing to
         this object in any state other than newEntry(1) or
         setting(2) will always fail with an 'inconsistentValue'

         Note that this error code is SNMP specific. If the MIB
         module is used with other protocols than SNMP, errors with
         similar semantics specific to those protocols should be

         If object midcomRuleOperStatus of the same entry has the
         value reserved(7) or enabled(8), then this object
         indicates the external/outside IP version.

         If object midcomRuleOperStatus of the same entry has a
         value other than newEntry(1), setting(2), reserved(7), or
         enabled(8), then the value of this object is irrelevant."
    ::= { midcomRuleEntry 15 }
midcomRuleInternalIpAddr OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The internal IP address (A0).

         This object is used as input to a request for establishing
         a policy rule as well as for indicating the properties of
         an established policy rule.

         If object midcomRuleOperStatus of the same entry has the
         value newEntry(1) or setting(2), then this object can be
         written by a manager in order to specify the internal IP
         address for which a reserve policy rule or an enable policy
         rule is requested to be established. Writing to this
         object in any state other than newEntry(1) or setting(2)
         will always fail with an 'inconsistentValue' error.
         Note that this error code is SNMP specific. If the MIB
         module is used with other protocols than SNMP, errors with
         similar semantics specific to those protocols should be

         If object midcomRuleOperStatus of the same entry has the
         value reserved(7) or enabled(8), then this object will
         have the value which it had before the transition to this

         If object midcomRuleOperStatus of the same entry has a
         value other than newEntry(1), setting(2), reserved(7), or
         enabled(8), then the value of this object is irrelevant."
    ::= { midcomRuleEntry 16 }
midcomRuleInternalIpPrefixLength OBJECT-TYPE
    SYNTAX      InetAddressPrefixLength
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The prefix length of the internal IP address used for
         wildcarding. A value of 0 indicates a full wildcard;
         in this case, the value of midcomRuleInternalIpAddr is
         irrelevant. If midcomRuleInternalIpVersion has a value
         of ipv4(1), then a value > 31 indicates no wildcarding
         at all. If midcomRuleInternalIpVersion has a value
         of ipv6(2), then a value > 127 indicates no wildcarding
         at all. A MIDCOM-MIB implementation that does not
         support IP address wildcarding MUST implement this object
         as read-only with a value of 128. A MIDCOM-MIB
         implementation that does not support wildcarding based on
         prefix length MAY restrict allowed values for this object
         to 0 and 128.

         This object is used as input to a request for establishing
         a policy rule as well as for indicating the properties of
         an established policy rule.

         If object midcomRuleOperStatus of the same entry has the
         value newEntry(1) or setting(2), then this object can be
         written by a manager in order to specify the prefix length
         of the internal IP address for which a reserve policy rule
         or an enable policy rule is requested to be established.
         Writing to this object in any state other than newEntry(1)
         or setting(2) will always fail with an 'inconsistentValue'

         Note that this error code is SNMP specific. If the MIB
         module is used with other protocols than SNMP, errors with
         similar semantics specific to those protocols should be

         If object midcomRuleOperStatus of the same entry has the
         value reserved(7) or enabled(8), then this object will
         have the value which it had before the transition to this

         If object midcomRuleOperStatus of the same entry has a
         value other than newEntry(1), setting(2), reserved(7), or
         enabled(8), then the value of this object is irrelevant."
    ::= { midcomRuleEntry 17 }
1004 midcomRuleInternalPort OBJECT-TYPE
1005 SYNTAX InetPortNumber
1006 MAX-ACCESS read-create
1009 "The internal port number. A value of 0 is a wildcard.
1011 This object is used as input to a request for establishing
1012 a policy rule as well as for indicating the properties of
1013 an established policy rule. It is relevant to the
1014 operation of the MIDCOM-MIB implementation only if the
1015 value of object midcomTransportProtocol in the same entry
1016 has a value other than 0.
1018 If object midcomRuleOperStatus of the same entry has the
1019 value newEntry(1) or setting(2), then this object can be
1020 written by a manager in order to specify the internal port
1021 number for which a reserve policy rule or an enable policy
1022 rule is requested to be established. Writing to this
1023 object in any state other than newEntry(1) or setting(2)
1024 will always fail with an 'inconsistentValue' error.
1026 Note that this error code is SNMP specific. If the MIB
1027 module is used with other protocols than SNMP, errors with
1028 similar semantics specific to those protocols should be
1031 If object midcomRuleOperStatus of the same entry has the
1032 value reserved(7) or enabled(8), then this object will
1033 have the value that it had before the transition to this
1036 If object midcomRuleOperStatus of the same entry has a
1037 value other than newEntry(1), setting(2), reserved(7), or
1038 enabled(8), then the value of this object is irrelevant."
1040 ::= { midcomRuleEntry 18 }
1042 midcomRuleExternalIpAddr OBJECT-TYPE
1044 MAX-ACCESS read-create
1050 "The external IP address (A3).
1052 This object is used as input to a request for establishing
1053 a policy rule as well as for indicating the properties of
1054 an established policy rule.
1056 If object midcomRuleOperStatus of the same entry has the
1057 value newEntry(1), setting(2), or reserved(7), then this
1058 object can be written by a manager in order to specify the
1059 external IP address for which an enable policy rule is
1060 requested to be established. Writing to this object in
1061 any state other than newEntry(1), setting(2), or reserved(7)
1062 will always fail with an 'inconsistentValue' error.
1064 Note that this error code is SNMP specific. If the MIB
1065 module is used with other protocols than SNMP, errors with
1066 similar semantics specific to those protocols should be
1069 If object midcomRuleOperStatus of the same entry has the
1070 value enabled(8), then this object will have the value
1071 that it had before the transition to this state.
1073 If object midcomRuleOperStatus of the same entry has a
1074 value other than newEntry(1), setting(2), reserved(7), or
1075 enabled(8), then the value of this object is irrelevant."
1076 ::= { midcomRuleEntry 19 }
1078 midcomRuleExternalIpPrefixLength OBJECT-TYPE
1079 SYNTAX InetAddressPrefixLength
1080 MAX-ACCESS read-create
1083 "The prefix length of the external IP address used for
1084 wildcarding. A value of 0 indicates a full wildcard;
1085 in this case, the value of midcomRuleExternalIpAddr is
1086 irrelevant. If midcomRuleExternalIpVersion has a value
1087 of ipv4(1), then a value > 31 indicates no wildcarding
1088 at all. If midcomRuleExternalIpVersion has a value
1089 of ipv6(2), then a value > 127 indicates no wildcarding
1090 at all. A MIDCOM-MIB implementation that does not
1091 support IP address wildcarding MUST implement this object
1092 as read-only with a value of 128. A MIDCOM that does
1093 not support wildcarding based on prefix length MAY
1094 restrict allowed values for this object to 0 and 128.
1096 This object is used as input to a request for establishing
1100 a policy rule as well as for indicating the properties of
1101 an established policy rule.
1103 If object midcomRuleOperStatus of the same entry has the
1104 value newEntry(1), setting(2), or reserved(7), then this
1105 object can be written by a manager in order to specify the
1106 prefix length of the external IP address for which an
1107 enable policy rule is requested to be established.
1108 Writing to this object in any state other than
1109 newEntry(1), setting(2), or reserved(7) will always fail
1110 with an 'inconsistentValue' error.
1112 Note that this error code is SNMP specific. If the MIB
1113 module is used with other protocols than SNMP, errors with
1114 similar semantics specific to those protocols should be
1117 If object midcomRuleOperStatus of the same entry has the
1118 value enabled(8), then this object will have the value
1119 that it had before the transition to this state.
1121 If object midcomRuleOperStatus of the same entry has a
1122 value other than newEntry(1), setting(2), reserved(7), or
1123 enabled(8), then the value of this object is irrelevant."
1125 ::= { midcomRuleEntry 20 }
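-- Added example, not part of RFC 5190 or the MIDCOM-MIB module itself: a
-- small Python model of the prefix-length wildcard semantics shared by
-- midcomRuleInternalIpPrefixLength (above) and midcomRuleExternalIpPrefixLength.
-- It classifies a prefix length as full / partial / no wildcard per IP
-- version, matches a candidate address against a wildcarded rule address,
-- and models the two capability clauses (read-only 128, or only 0 and 128).
-- The function names and the error wording are this example's own.

```python
# Added example, not part of RFC 5190 or the MIDCOM-MIB module: models the
# wildcard semantics of midcomRuleInternalIpPrefixLength and
# midcomRuleExternalIpPrefixLength. Function names are this example's own.
import ipaddress

IPV4, IPV6 = 1, 2   # InetVersion values ipv4(1) and ipv6(2) from INET-ADDRESS-MIB


def wildcard_kind(ip_version, prefix_length):
    """Classify a prefix length the way the object description does:
    0 is a full wildcard; > 31 (IPv4) or > 127 (IPv6) means no wildcarding;
    anything in between wildcards the host part of the address."""
    if not 0 <= prefix_length <= 128:
        raise ValueError("InetAddressPrefixLength is restricted to 0..128")
    if prefix_length == 0:
        return "full"
    limit = 31 if ip_version == IPV4 else 127
    return "none" if prefix_length > limit else "partial"


def address_matches_rule(ip_version, rule_addr, prefix_length, candidate):
    """Does `candidate` fall within the rule's possibly wildcarded address?
    With a full wildcard the rule address is irrelevant, as the MIB states."""
    kind = wildcard_kind(ip_version, prefix_length)
    if kind == "full":
        return True
    addr = ipaddress.ip_address(rule_addr)
    cand = ipaddress.ip_address(candidate)
    if addr.version != cand.version:
        return False
    if kind == "none":
        return addr == cand
    # Partial wildcard: compare only the prefix_length leading bits.
    net = ipaddress.ip_network((str(addr), prefix_length), strict=False)
    return cand in net


def set_prefix_length(requested, address_wildcards, prefix_wildcards):
    """Model a SET against the two capability clauses of the description.
    Without address wildcarding the object is read-only with value 128, so
    any SET fails; without prefix-based wildcarding only 0 and 128 are
    accepted. The error names in the messages are this example's choice."""
    if not address_wildcards:
        raise PermissionError("notWritable: object is read-only with value 128")
    if not prefix_wildcards and requested not in (0, 128):
        raise ValueError("rejected: only 0 and 128 are allowed")
    return requested
```

-- The same helper applies unchanged to the external address, since both
-- objects use identical thresholds; only the midcomRuleOperStatus states in
-- which a write is accepted differ between the two.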
1127 midcomRuleExternalPort OBJECT-TYPE
1128 SYNTAX InetPortNumber
1129 MAX-ACCESS read-create
1132 "The external port number. A value of 0 is a wildcard.
1134 This object is used as input to a request for establishing
1135 a policy rule as well as for indicating the properties of
1136 an established policy rule. It is relevant to the
1137 operation of the MIDCOM-MIB implementation only if the
1138 value of object midcomTransportProtocol in the same entry
1139 has a value other than 0.
1141 If object midcomRuleOperStatus of the same entry has the
1142 value newEntry(1), setting(2) or reserved(7), then this
1143 object can be written by a manager in order to specify the
1144 external port number for which an enable policy rule is
1145 requested to be established. Writing to this object in
1146 any state other than newEntry(1), setting(2) or reserved(7)
1147 will always fail with an 'inconsistentValue' error.
1151 Note that this error code is SNMP specific. If the MIB
1152 module is used with other protocols than SNMP, errors with
1153 similar semantics specific to those protocols should be
1156 If object midcomRuleOperStatus of the same entry has the
1157 value enabled(8), then this object will have the value
1158 which it had before the transition to this state.
1160 If object midcomRuleOperStatus of the same entry has a
1161 value other than newEntry(1), setting(2), reserved(7) or
1162 enabled(8), then the value of this object is irrelevant."
1164 ::= { midcomRuleEntry 21 }
1166 midcomRuleInsideIpAddr OBJECT-TYPE
1168 MAX-ACCESS read-only
1171 "The inside IP address at the middlebox (A1).
1173 The value of this object is relevant only if
1174 object midcomRuleOperStatus of the same entry has
1175 a value of either reserved(7) or enabled(8)."
1176 ::= { midcomRuleEntry 22 }
1178 midcomRuleInsidePort OBJECT-TYPE
1179 SYNTAX InetPortNumber
1180 MAX-ACCESS read-only
1183 "The inside port number at the middlebox.
1184 A value of 0 is a wildcard.
1186 The value of this object is relevant only if
1187 object midcomRuleOperStatus of the same entry has
1188 a value of either reserved(7) or enabled(8)."
1189 ::= { midcomRuleEntry 23 }
1191 midcomRuleOutsideIpAddr OBJECT-TYPE
1193 MAX-ACCESS read-only
1196 "The outside IP address at the middlebox (A2).
1198 The value of this object is relevant only if
1202 object midcomRuleOperStatus of the same entry has
1203 a value of either reserved(7) or enabled(8)."
1204 ::= { midcomRuleEntry 24 }
1206 midcomRuleOutsidePort OBJECT-TYPE
1207 SYNTAX InetPortNumber
1208 MAX-ACCESS read-only
1211 "The outside port number at the middlebox.
1212 A value of 0 is a wildcard.
1214 The value of this object is relevant only if
1215 object midcomRuleOperStatus of the same entry has
1216 a value of either reserved(7) or enabled(8)."
1217 ::= { midcomRuleEntry 25 }
1219 midcomRuleLifetime OBJECT-TYPE
1222 MAX-ACCESS read-create
1225 "The remaining lifetime in seconds of this policy rule.
1227 Lifetime of a policy rule starts when object
1228 midcomRuleOperStatus in the same entry enters either
1229 state reserved(7) or state enabled(8).
1231 This object is used as input to a request for establishing
1232 a policy rule as well as for indicating the properties of
1233 an established policy rule.
1235 If object midcomRuleOperStatus of the same entry has a
1236 value of either newEntry(1) or setting(2), then this
1237 object can be written by a manager in order to specify
1238 the requested lifetime of a policy rule to be established.
1240 If object midcomRuleOperStatus of the same entry has a
1241 value of either reserved(7) or enabled(8), then this
1242 object indicates the (continuously decreasing) remaining
1243 lifetime of the established policy rule. Note that when
1244 entering state reserved(7) or enabled(8), the MIDCOM-MIB
1245 implementation can choose a lifetime shorter than the one
1248 Unlike other parameters of the policy rule, this parameter
1249 can still be written in state reserved(7) and enabled(8).
1253 Writing to this object is processed by the MIDCOM-MIB
1254 implementation by choosing a lifetime value that is
1255 greater than 0 and less than or equal to the minimum of
1256 the requested value and the value specified by object
1257 midcomConfigMaxLifetime:
1259 0 <= lt_granted <= MINIMUM(lt_requested, lt_maximum)
1262 - lt_granted is the actually granted lifetime by the
1263 MIDCOM-MIB implementation
1264 - lt_requested is the requested lifetime of the MIDCOM
1266 - lt_maximum is the value of object
1267 midcomConfigMaxLifetime
1269 SNMP SET requests to this object may be rejected or the
1270 value of the object after an accepted SET operation may be
1271 less than the value that was contained in the SNMP SET
1274 Successfully writing a value of 0 terminates the policy
1275 rule. Note that after a policy rule is terminated, the
1276 entry will still exist as long as indicated by the value of
1277 midcomRuleStorageTime.
1279 Writing to this object in any state other than
1280 newEntry(1), setting(2), reserved(7), or enabled(8)
1281 will always fail with an 'inconsistentValue' error.
1283 Note that this error code is SNMP specific. If the MIB
1284 module is used with other protocols than SNMP, errors with
1285 similar semantics specific to those protocols should be
1288 If object midcomRuleOperStatus of the same entry has a
1289 value other than newEntry(1), setting(2), reserved(7), or
1290 enabled(8), then the value of this object is irrelevant."
1292 ::= { midcomRuleEntry 26 }
1294 midcomRuleRowStatus OBJECT-TYPE
1296 MAX-ACCESS read-create
1299 "A control that allows entries to be added and removed from
1304 Entries can also be removed from this table by setting
1305 objects midcomRuleLifetime and midcomRuleStorageTime of
1308 Attempts to set a row notInService(2) where the value
1309 of the midcomRuleStorageType object is permanent(4) or
1310 readOnly(5) will result in a 'notWritable' error.
1312 Note that this error code is SNMP specific. If the MIB
1313 module is used with other protocols than SNMP, errors with
1314 similar semantics specific to those protocols should be
1317 The value of this object has no effect on whether other
1318 objects in this conceptual row can be modified."
1319 ::= { midcomRuleEntry 27 }
1322 -- Policy rule group subtree
1324 -- The midcomGroupTable lists all current policy rule groups.
1327 midcomGroupTable OBJECT-TYPE
1328 SYNTAX SEQUENCE OF MidcomGroupEntry
1329 MAX-ACCESS not-accessible
1332 "This table lists all current policy rule groups.
1334 Entries in this table are created or removed
1335 implicitly when entries in the midcomRuleTable are
1336 created or removed, respectively. A group entry
1337 in this table only exists as long as there are
1338 member rules of this group in the midcomRuleTable.
1340 The table serves for listing the existing groups and
1341 their remaining lifetimes and for changing lifetimes
1342 of groups and implicitly of all group members.
1343 Groups and all their member policy rules can only be
1344 deleted by deleting all member policies in the
1347 Setting midcomGroupLifetime will result in setting
1348 the lifetime of all policy members to the same value."
1349 ::= { midcomTransaction 4 }
1351 midcomGroupEntry OBJECT-TYPE
1355 SYNTAX MidcomGroupEntry
1356 MAX-ACCESS not-accessible
1359 "An entry describing properties of a particular
1360 MIDCOM policy rule group."
1361 INDEX { midcomRuleOwner, midcomGroupIndex }
1362 ::= { midcomGroupTable 1 }
1364 MidcomGroupEntry ::= SEQUENCE {
1365 midcomGroupIndex Unsigned32,
1366 midcomGroupLifetime Unsigned32
1369 midcomGroupIndex OBJECT-TYPE
1370 SYNTAX Unsigned32 (1..4294967295)
1371 MAX-ACCESS not-accessible
1374 "The index of this group for the midcomRuleOwner.
1375 A group is identified by the combination of
1376 midcomRuleOwner and midcomGroupIndex.
1378 The value of this index must be unique per
1380 ::= { midcomGroupEntry 2 }
1382 midcomGroupLifetime OBJECT-TYPE
1385 MAX-ACCESS read-write
1388 "When retrieved, this object delivers the maximum
1389 lifetime in seconds of all member rules of this group,
1390 i.e., of all rows in the midcomRuleTable that have the
1391 same values for midcomRuleOwner and midcomGroupIndex.
1393 Successfully writing to this object modifies the
1394 lifetime of all member policies. Successfully
1395 writing a value of 0 terminates all member policies
1396 and implicitly deletes the group as soon as all member
1397 entries are removed from the midcomRuleTable.
1399 Note that after a group's lifetime has expired or has been
1400 set to 0, the corresponding entry in the
1401 midcomGroupTable will still exist as long as terminated
1402 member policy rules are stored as entries in the
1408 Writing to this object is processed by the MIDCOM-MIB
1409 implementation by choosing a lifetime value that is
1410 greater than 0 and less than or equal to the minimum of
1411 the requested value and the value specified by object
1412 midcomConfigMaxLifetime:
1414 0 <= lt_granted <= MINIMUM(lt_requested, lt_maximum)
1417 - lt_granted is the actually granted lifetime by the
1418 MIDCOM-MIB implementation
1419 - lt_requested is the requested lifetime of the MIDCOM
1421 - lt_maximum is the value of object
1422 midcomConfigMaxLifetime
1424 SNMP SET requests to this object may be rejected or the
1425 value of the object after an accepted SET operation may be
1426 less than the value that was contained in the SNMP SET
1428 ::= { midcomGroupEntry 3 }
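-- Added example, not part of RFC 5190 or the MIDCOM-MIB module itself: a
-- Python model of how writes to midcomRuleLifetime and midcomGroupLifetime
-- are processed, covering the lt_granted formula shared by both objects, the
-- midcomRuleOperStatus states in which a write is accepted, termination by
-- writing 0, and the group value being the maximum over all member rules.
-- The Rule class, the exception class and the "grant the full minimum"
-- policy are this example's assumptions; an implementation may grant less.

```python
# Added example, not from RFC 5190: a model of midcomRuleLifetime and
# midcomGroupLifetime write processing. Names below are this example's own.
from dataclasses import dataclass

# midcomRuleOperStatus values named in the object descriptions
NEW_ENTRY, SETTING, RESERVED, ENABLED = 1, 2, 7, 8
TERMINATED_ON_REQUEST = 10
WRITABLE_STATES = (NEW_ENTRY, SETTING, RESERVED, ENABLED)


class InconsistentValue(Exception):
    """Stands in for the SNMP 'inconsistentValue' error."""


@dataclass
class Rule:
    owner: str          # midcomRuleOwner
    group_index: int    # midcomGroupIndex
    oper_status: int    # midcomRuleOperStatus
    lifetime: int = 0   # midcomRuleLifetime, remaining seconds


def grant_lifetime(lt_requested, lt_maximum):
    """0 <= lt_granted <= MINIMUM(lt_requested, lt_maximum).
    This model grants the full minimum; a real agent may choose less."""
    if lt_requested < 0:
        raise InconsistentValue("lifetime must be non-negative")
    return min(lt_requested, lt_maximum)


def set_rule_lifetime(rule, requested, config_max_lifetime):
    """SET on midcomRuleLifetime. Unlike the other rule parameters this is
    still writable in reserved(7) and enabled(8); writing 0 in those states
    terminates the rule (the entry itself stays until midcomRuleStorageTime
    expires, which this model does not track)."""
    if rule.oper_status not in WRITABLE_STATES:
        raise InconsistentValue(f"cannot write lifetime in state {rule.oper_status}")
    granted = grant_lifetime(requested, config_max_lifetime)
    rule.lifetime = granted
    if granted == 0 and rule.oper_status in (RESERVED, ENABLED):
        rule.oper_status = TERMINATED_ON_REQUEST
    return granted


def _members(rules, owner, group_index):
    return [r for r in rules if r.owner == owner and r.group_index == group_index]


def group_lifetime(rules, owner, group_index):
    """GET on midcomGroupLifetime: maximum lifetime of all member rules."""
    members = _members(rules, owner, group_index)
    return max(r.lifetime for r in members) if members else 0


def set_group_lifetime(rules, owner, group_index, requested, config_max_lifetime):
    """SET on midcomGroupLifetime: the same granted value is applied to every
    member that is still in a writable state; already terminated members that
    are only stored until their storage time expires are left alone."""
    granted = grant_lifetime(requested, config_max_lifetime)
    for r in _members(rules, owner, group_index):
        if r.oper_status in WRITABLE_STATES:
            set_rule_lifetime(r, granted, config_max_lifetime)
    return granted
```

-- Reading the value back after a SET, rather than trusting the value sent,
-- is the practical consequence of the formula: the agent may have clamped
-- the request to midcomConfigMaxLifetime or granted even less.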
1431 -- Configuration Objects
1433 -- Configuration objects that can be used for retrieving
1434 -- middlebox capability information (mandatory) and for
1435 -- setting parameters of the implementation of transaction
1436 -- objects (optional).
1438 -- Note that typically configuration objects are not intended
1439 -- to be written by MIDCOM clients. In general, write access
1440 -- to these objects needs to be restricted more strictly than
1441 -- write access to transaction objects.
1445 -- Capabilities subtree
1447 -- This subtree contains objects to which MIDCOM clients should
1448 -- have read access.
1451 midcomConfigMaxLifetime OBJECT-TYPE
1457 MAX-ACCESS read-write
1460 "When retrieved, this object returns the maximum lifetime,
1461 in seconds, that this middlebox allows policy rules to
1463 ::= { midcomConfig 1 }
1465 midcomConfigPersistentRules OBJECT-TYPE
1467 MAX-ACCESS read-write
1470 "When retrieved, this object returns true(1) if the
1471 MIDCOM-MIB implementation can store policy rules
1472 persistently. Otherwise, it returns false(2).
1474 A value of true(1) indicates that there may be
1475 entries in the midcomRuleTable with object
1476 midcomRuleStorageType set to value nonVolatile(3)."
1477 ::= { midcomConfig 2 }
1479 midcomConfigIfTable OBJECT-TYPE
1480 SYNTAX SEQUENCE OF MidcomConfigIfEntry
1481 MAX-ACCESS not-accessible
1484 "This table indicates capabilities of the MIDCOM-MIB
1485 implementation per IP interface.
1487 The table is indexed by the object midcomConfigIfIndex.
1489 For indexing a single interface, this object contains
1490 the value of the ifIndex object that is associated
1491 with the interface. If an entry with
1492 midcomConfigIfIndex = 0 occurs, then bits set in
1493 objects of this entry apply to all interfaces for which
1494 there is no entry in this table with the interface's
1496 ::= { midcomConfig 3 }
1498 midcomConfigIfEntry OBJECT-TYPE
1499 SYNTAX MidcomConfigIfEntry
1500 MAX-ACCESS not-accessible
1503 "An entry describing the capabilities of a middlebox
1504 with respect to the indexed IP interface."
1508 INDEX { midcomConfigIfIndex }
1509 ::= { midcomConfigIfTable 1 }
1511 MidcomConfigIfEntry ::= SEQUENCE {
1512 midcomConfigIfIndex InterfaceIndexOrZero,
1513 midcomConfigIfBits BITS,
1514 midcomConfigIfEnabled TruthValue
1517 midcomConfigIfIndex OBJECT-TYPE
1518 SYNTAX InterfaceIndexOrZero
1519 MAX-ACCESS not-accessible
1522 "The index of an entry in the midcomConfigIfTable.
1524 For values different from zero, this object
1525 identifies an IP interface by containing the same
1526 value as the ifIndex object associated with the
1529 Note that the index of a particular interface in the
1530 ifTable may change after a re-initialization of the
1531 middlebox, for example, after adding another interface to
1532 it. In such a case, the value of this object may change,
1533 but the interface referred to by the MIDCOM-MIB MUST still
1534 be the same. If, after a re-initialization of the
1535 middlebox, the interface referred to before
1536 re-initialization cannot be uniquely mapped anymore to a
1537 particular entry in the ifTable, then the value of object
1538 midcomConfigIfEnabled of the same entry MUST be changed to
1541 If the object has a value of 0, then values
1542 specified by further objects of the same entry
1543 apply to all interfaces for which there is no
1544 explicit entry in the midcomConfigIfTable."
1545 ::= { midcomConfigIfEntry 1 }
1547 midcomConfigIfBits OBJECT-TYPE
1551 addressWildcards(2),
1559 protocolTranslation(7),
1563 MAX-ACCESS read-only
1566 "When retrieved, this object returns a set of bits
1567 indicating the capabilities (or configuration) of
1568 the middlebox with respect to the referenced IP interface.
1569 If the index equals 0, then all set bits apply to all
1572 If the ipv4(0) bit is set, then the middlebox supports
1573 IPv4 at the indexed IP interface.
1575 If the ipv6(1) bit is set, then the middlebox supports
1576 IPv6 at the indexed IP interface.
1578 If the addressWildcards(2) bit is set, then the
1579 middlebox supports IP address wildcarding at the indexed
1582 If the portWildcards(3) bit is set, then the
1583 middlebox supports port wildcarding at the indexed
1586 If the firewall(4) bit is set, then the middlebox offers
1587 firewall functionality at the indexed interface.
1589 If the nat(5) bit is set, then the middlebox offers
1590 network address translation service at the indexed
1593 If the portTranslation(6) bit is set, then the middlebox
1594 offers port translation service at the indexed interface.
1595 This bit is only relevant if nat(5) is set.
1597 If the protocolTranslation(7) bit is set, then the
1598 middlebox offers protocol translation service between
1599 IPv4 and IPv6 at the indexed interface. This bit is only
1600 relevant if nat(5) is set.
1602 If the twiceNat(8) bit is set, then the middlebox offers
1603 twice network address translation service at the indexed
1604 interface. This bit is only relevant if nat(5) is set.
1606 If the inside(9) bit is set, then the indexed interface is
1610 an inside interface with respect to NAT functionality.
1611 Otherwise, it is an outside interface. This bit is only
1612 relevant if nat(5) is set. An SNMP agent supporting both
1613 the MIDCOM-MIB module and the NAT-MIB module SHOULD ensure
1614 that the value of this object is consistent with the values
1615 of corresponding objects in the NAT-MIB module."
1616 ::= { midcomConfigIfEntry 2 }
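-- Added example, not part of RFC 5190 or the MIDCOM-MIB module itself: a
-- Python decoder for the midcomConfigIfBits value as it is carried in SNMP
-- (an OCTET STRING in which bit 0 is the most significant bit of the first
-- octet), plus a lookup that resolves the effective capabilities of an
-- interface, falling back to the midcomConfigIfIndex = 0 entry as the table
-- description above requires. The same index-0 fallback applies to the
-- midcomConfigFirewallTable further below. Dropping the NAT-dependent bits
-- when nat(5) is unset, and treating a midcomConfigIfEnabled of false(2) as
-- "no capabilities", are this example's reading of the descriptions; the
-- sample table values are constructed.

```python
# Added example, not part of RFC 5190: decode midcomConfigIfBits and resolve
# the effective entry for an interface. Names below are this example's own.

# Bit labels and positions exactly as named in the midcomConfigIfBits description.
IF_BITS = {
    "ipv4": 0, "ipv6": 1, "addressWildcards": 2, "portWildcards": 3,
    "firewall": 4, "nat": 5, "portTranslation": 6, "protocolTranslation": 7,
    "twiceNat": 8, "inside": 9,
}
# Bits the description says are only relevant if nat(5) is set.
NAT_DEPENDENT = {"portTranslation", "protocolTranslation", "twiceNat", "inside"}


def decode_bits(octets):
    """SNMPv2 BITS encoding: bit 0 is the most significant bit of octet 0,
    bit 8 the most significant bit of octet 1, and so on. Missing trailing
    octets are treated as all-zero."""
    names = set()
    for name, pos in IF_BITS.items():
        byte, bit = divmod(pos, 8)
        if byte < len(octets) and octets[byte] & (0x80 >> bit):
            names.add(name)
    return names


def encode_bits(names):
    """Inverse of decode_bits; used here only to build constructed samples."""
    buf = bytearray(max(IF_BITS.values()) // 8 + 1)
    for name in names:
        byte, bit = divmod(IF_BITS[name], 8)
        buf[byte] |= 0x80 >> bit
    return bytes(buf)


def effective_capabilities(table, if_index):
    """table maps midcomConfigIfIndex -> (capability set, midcomConfigIfEnabled).
    An explicit entry wins; the index-0 entry applies to interfaces without
    one; no entry at all, or a disabled entry, means no MIDCOM service."""
    entry = table.get(if_index, table.get(0))
    if entry is None:
        return set()
    bits, enabled = entry
    if not enabled:
        return set()
    caps = set(bits)
    if "nat" not in caps:
        caps -= NAT_DEPENDENT   # only meaningful alongside nat(5)
    return caps


# Constructed sample table: octet strings as an SNMP GET would return them.
SAMPLE_TABLE = {
    0: (decode_bits(encode_bits({"ipv4", "firewall"})), True),
    # ipv4, ipv6, firewall, nat, inside
    3: (decode_bits(bytes([0b11001100, 0b01000000])), True),
    5: (decode_bits(encode_bits({"ipv4", "nat", "twiceNat"})), False),
}
```

-- The octet-order detail matters in practice: a decoder that reads the BITS
-- value as a little-endian integer will report nat(5) where ipv6(1) was set,
-- and a client will then request NAT resources the interface cannot provide.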
1618 midcomConfigIfEnabled OBJECT-TYPE
1620 MAX-ACCESS read-write
1623 "The value of this object indicates the availability of
1624 the middlebox service described by midcomConfigIfBits
1625 at the indexed IP interface.
1627 By writing to this object, the MIDCOM support for the
1628 entire IP interface can be switched on or off. Setting
1629 this object to false(2) immediately stops middlebox
1630 support at the indexed IP interface. This implies that
1631 all policy rules that use NAT or firewall resources at
1632 the indexed IP interface are terminated immediately.
1633 In this case, the MIDCOM agent MUST send
1634 midcomUnsolicitedRuleEvent to all MIDCOM clients that
1635 have access to one of the terminated rules."
1637 ::= { midcomConfigIfEntry 3 }
1642 -- This subtree contains the firewall configuration table
1645 midcomConfigFirewallTable OBJECT-TYPE
1646 SYNTAX SEQUENCE OF MidcomConfigFirewallEntry
1647 MAX-ACCESS not-accessible
1650 "This table lists the firewall configuration per IP interface.
1652 It can be used for configuring how policy rules created by
1653 MIDCOM clients are realized as firewall rules of a firewall
1654 implementation. Particularly, the priority used for MIDCOM
1655 policy rules can be configured. For a single firewall
1656 implementation at a particular IP interface, all MIDCOM
1657 policy rules are realized as firewall rules with the same
1661 priority. Also, a firewall rule group name can be
1664 The table is indexed by the object midcomConfigFirewallIndex.
1665 For indexing a single interface, this object contains the
1666 value of the ifIndex object that is associated with the
1667 interface. If an entry with midcomConfigFirewallIndex = 0
1668 occurs, then bits set in objects of this entry apply to all
1669 interfaces for which there is no entry in this table for the
1671 ::= { midcomConfig 4 }
1673 midcomConfigFirewallEntry OBJECT-TYPE
1674 SYNTAX MidcomConfigFirewallEntry
1675 MAX-ACCESS not-accessible
1678 "An entry describing a particular set of
1679 firewall resources."
1680 INDEX { midcomConfigFirewallIndex }
1681 ::= { midcomConfigFirewallTable 1 }
1683 MidcomConfigFirewallEntry ::= SEQUENCE {
1684 midcomConfigFirewallIndex InterfaceIndexOrZero,
1685 midcomConfigFirewallGroupId SnmpAdminString,
1686 midcomConfigFirewallPriority Unsigned32
1689 midcomConfigFirewallIndex OBJECT-TYPE
1690 SYNTAX InterfaceIndexOrZero
1691 MAX-ACCESS not-accessible
1694 "The index of an entry in the midcomConfigFirewallTable.
1696 For values different from 0, this object identifies an
1697 IP interface by containing the same value as the ifIndex
1698 object associated with the interface.
1700 Note that the index of a particular interface in the
1701 ifTable may change after a re-initialization of the
1702 middlebox, for example, after adding another interface to
1703 it. In such a case, the value of this object may change,
1704 but the interface referred to by the MIDCOM-MIB MUST still
1705 be the same. If, after a re-initialization of the
1706 middlebox, the interface referred to before
1707 re-initialization cannot be uniquely mapped anymore to a
1708 particular entry in the ifTable, then the entry in the
1712 midcomConfigFirewallTable MUST be deleted.
1714 If the object has a value of 0, then values specified by
1715 further objects of the same entry apply to all interfaces
1716 for which there is no explicit entry in the
1717 midcomConfigFirewallTable."
1718 ::= { midcomConfigFirewallEntry 1 }
1720 midcomConfigFirewallGroupId OBJECT-TYPE
1721 SYNTAX SnmpAdminString
1722 MAX-ACCESS read-write
1725 "The firewall rule group to which all firewall rules are
1726 assigned that the MIDCOM server creates for the interface
1727 indicated by object midcomConfigFirewallIndex. If the
1728 value of object midcomConfigFirewallIndex is 0, then all
1729 firewall rules of the MIDCOM server that are created for
1730 interfaces with no specific entry in the
1731 midcomConfigFirewallTable are assigned to the firewall
1732 rule group indicated by the value of this object."
1733 ::= { midcomConfigFirewallEntry 2 }
1735 midcomConfigFirewallPriority OBJECT-TYPE
1737 MAX-ACCESS read-write
1740 "The priority assigned to all firewall rules that the
1741 MIDCOM server creates for the interface indicated by
1742 object midcomConfigFirewallIndex. If the value of object
1743 midcomConfigFirewallIndex is 0, then this priority is
1744 assigned to all firewall rules of the MIDCOM server that
1745 are created for interfaces for which there is no specific
1746 entry in the midcomConfigFirewallTable."
1747 ::= { midcomConfigFirewallEntry 3 }
1750 -- Monitoring Objects
1752 -- Monitoring objects are structured into two groups,
1753 -- the midcomResourceGroup providing information about used
1754 -- resources and the midcomStatisticsGroup providing information
1755 -- about MIDCOM transaction statistics.
1758 -- Resources subtree
1763 -- The MIDCOM resources subtree contains a set of managed
1764 -- objects describing the currently used resources of NAT
1765 -- and firewall implementations.
1769 -- Textual conventions for objects of the resource subtree
1772 MidcomNatBindMode ::= TEXTUAL-CONVENTION
1775 "An indicator of the kind of NAT resources used by a policy
1776 rule. This definition corresponds to the definition of
1777 NatBindMode in the NAT-MIB (RFC 4008). Value none(3) can
1778 be used to indicate that the policy rule does not use
1787 MidcomNatSessionIdOrZero ::= TEXTUAL-CONVENTION
1791 "A unique ID that is assigned to each NAT session by
1792 a NAT implementation. This definition corresponds to
1793 the definition of NatSessionId in the NAT-MIB (RFC 4008).
1794 Value 0 can be used to indicate that the policy rule does
1795 not use any NAT binding."
1799 -- The MIDCOM resource table
1802 midcomResourceTable OBJECT-TYPE
1803 SYNTAX SEQUENCE OF MidcomResourceEntry
1804 MAX-ACCESS not-accessible
1807 "This table lists all used middlebox resources per
1810 The midcomResourceTable augments the
1815 ::= { midcomMonitoring 1 }
1817 midcomResourceEntry OBJECT-TYPE
1818 SYNTAX MidcomResourceEntry
1819 MAX-ACCESS not-accessible
1822 "An entry describing a particular set of middlebox
1824 AUGMENTS { midcomRuleEntry }
1825 ::= { midcomResourceTable 1 }
1827 MidcomResourceEntry ::= SEQUENCE {
1828 midcomRscNatInternalAddrBindMode MidcomNatBindMode,
1829 midcomRscNatInternalAddrBindId NatBindIdOrZero,
1830 midcomRscNatInsideAddrBindMode MidcomNatBindMode,
1831 midcomRscNatInsideAddrBindId NatBindIdOrZero,
1832 midcomRscNatSessionId1 MidcomNatSessionIdOrZero,
1833 midcomRscNatSessionId2 MidcomNatSessionIdOrZero,
1834 midcomRscFirewallRuleId Unsigned32
1837 midcomRscNatInternalAddrBindMode OBJECT-TYPE
1838 SYNTAX MidcomNatBindMode
1839 MAX-ACCESS read-only
1842 "An indication of whether this policy rule uses an address
1843 NAT bind or an address-port NAT bind for binding the
1846 If the MIDCOM-MIB module is operated together with
1847 the NAT-MIB module (RFC 4008) then object
1848 midcomRscNatInternalAddrBindMode contains the same
1849 value as the corresponding object
1850 natSessionPrivateSrcEPBindMode of the NAT-MIB module."
1851 ::= { midcomResourceEntry 4 }
1853 midcomRscNatInternalAddrBindId OBJECT-TYPE
1854 SYNTAX NatBindIdOrZero
1855 MAX-ACCESS read-only
1858 "This object refers to the allocated internal NAT
1859 bind that is used by this policy rule. A NAT bind
1860 describes the mapping of internal addresses to
1861 outside addresses. MIDCOM-MIB implementations can
1865 read this object to learn the corresponding NAT bind
1866 resource for this particular policy rule.
1868 If the MIDCOM-MIB module is operated together with
1869 the NAT-MIB module (RFC 4008) then object
1870 midcomRscNatInternalAddrBindId contains the same
1871 value as the corresponding object
1872 natSessionPrivateSrcEPBindId of the NAT-MIB module."
1873 ::= { midcomResourceEntry 5 }
1875 midcomRscNatInsideAddrBindMode OBJECT-TYPE
1876 SYNTAX MidcomNatBindMode
1877 MAX-ACCESS read-only
1880 "An indication of whether this policy rule uses an address
1881 NAT bind or an address-port NAT bind for binding the
1884 If the MIDCOM-MIB module is operated together with
1885 the NAT-MIB module (RFC 4008), then object
1886 midcomRscNatInsideAddrBindMode contains the same
1887 value as the corresponding object
1888 natSessionPrivateDstEPBindMode of the NAT-MIB module."
1889 ::= { midcomResourceEntry 6 }
1891 midcomRscNatInsideAddrBindId OBJECT-TYPE
1892 SYNTAX NatBindIdOrZero
1893 MAX-ACCESS read-only
1896 "This object refers to the allocated external NAT
1897 bind that is used by this policy rule. A NAT bind
1898 describes the mapping of external addresses to
1899 inside addresses. MIDCOM-MIB implementations can
1900 read this object to learn the corresponding NAT bind
1901 resource for this particular policy rule.
1903 If the MIDCOM-MIB module is operated together with the
1904 NAT-MIB module (RFC 4008), then object
1905 midcomRscNatInsideAddrBindId contains the same
1906 value as the corresponding object
1907 natSessionPrivateDstEPBindId of the NAT-MIB module."
1908 ::= { midcomResourceEntry 7 }
1910 midcomRscNatSessionId1 OBJECT-TYPE
1911 SYNTAX MidcomNatSessionIdOrZero
1912 MAX-ACCESS read-only
1918 "This object refers to the first allocated NAT session for
1919 this policy rule. MIDCOM-MIB implementations can read this
1920 object to learn whether or not a NAT session for a
1921 particular policy rule is used. A value of 0 means that no
1922 NAT session is allocated for this policy rule. A value
1923 other than 0 refers to the NAT session."
1924 ::= { midcomResourceEntry 8 }
1926 midcomRscNatSessionId2 OBJECT-TYPE
1927 SYNTAX MidcomNatSessionIdOrZero
1928 MAX-ACCESS read-only
1931 "This object refers to the second allocated NAT session for
1932 this policy rule. MIDCOM-MIB implementations can read this
1933 object to learn whether or not a NAT session for a
1934 particular policy rule is used. A value of 0 means that no
1935 NAT session is allocated for this policy rule. A value
1936 other than 0 refers to the NAT session."
1937 ::= { midcomResourceEntry 9 }
1939 midcomRscFirewallRuleId OBJECT-TYPE
1941 MAX-ACCESS read-only
1944 "This object refers to the allocated firewall
1945 rule in the firewall engine for this policy rule.
1946 MIDCOM-MIB implementations can read this value to
1947 learn whether a firewall rule for this particular
1948 policy rule is used or not. A value of 0 means that
1949 no firewall rule is allocated for this policy rule.
1950 A value other than 0 refers to the firewall rule
1951 number within the firewall engine."
1952 ::= { midcomResourceEntry 10 }
-- Statistics subtree

-- The MIDCOM statistics subtree contains a set of managed
-- objects providing statistics about the usage of transaction
-- objects.

midcomStatistics OBJECT IDENTIFIER ::= { midcomMonitoring 2 }

midcomCurrentOwners OBJECT-TYPE
    SYNTAX      Gauge32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of different values for midcomRuleOwner
        for all current entries in the midcomRuleTable."
    ::= { midcomStatistics 1 }

midcomTotalRejectedRuleEntries OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of failed attempts to create an entry
        in the midcomRuleTable."
    ::= { midcomStatistics 2 }

midcomCurrentRulesIncomplete OBJECT-TYPE
    SYNTAX      Gauge32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The current number of policy rules that are incomplete.

        Policy rules are loaded via row entries in the
        midcomRuleTable. This object counts policy rules that are
        loaded but not fully specified, i.e., they are in state
        newEntry(1) or setting(2)."
    ::= { midcomStatistics 3 }

midcomTotalIncorrectReserveRules OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of policy reserve rules that failed
        parameter check and entered state incorrectRequest(4)."
    ::= { midcomStatistics 4 }

midcomTotalRejectedReserveRules OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of policy reserve rules that failed
        while being processed and entered state requestRejected(6)."
    ::= { midcomStatistics 5 }

midcomCurrentActiveReserveRules OBJECT-TYPE
    SYNTAX      Gauge32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of currently active policy reserve rules."
    ::= { midcomStatistics 6 }

midcomTotalExpiredReserveRules OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of expired policy reserve rules
        (entered termination state timedOut(9))."
    ::= { midcomStatistics 7 }

midcomTotalTerminatedOnRqReserveRules OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of policy reserve rules that were
        terminated on request (entered termination state
        terminatedOnRequest(10))."
    ::= { midcomStatistics 8 }

midcomTotalTerminatedReserveRules OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of policy reserve rules that were
        terminated, but not on request (entered termination state
        terminated(11))."
    ::= { midcomStatistics 9 }

midcomTotalIncorrectEnableRules OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of policy enable rules that failed
        parameter check and entered state incorrectRequest(4)."
    ::= { midcomStatistics 10 }

midcomTotalRejectedEnableRules OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of policy enable rules that failed
        while being processed and entered state requestRejected(6)."
    ::= { midcomStatistics 11 }

midcomCurrentActiveEnableRules OBJECT-TYPE
    SYNTAX      Gauge32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of currently active policy enable rules."
    ::= { midcomStatistics 12 }

midcomTotalExpiredEnableRules OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of expired policy enable rules
        (entered termination state timedOut(9))."
    ::= { midcomStatistics 13 }

midcomTotalTerminatedOnRqEnableRules OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of policy enable rules that were
        terminated on request (entered termination state
        terminatedOnRequest(10))."
    ::= { midcomStatistics 14 }

midcomTotalTerminatedEnableRules OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of policy enable rules that were
        terminated, but not on request (entered termination state
        terminated(11))."
    ::= { midcomStatistics 15 }
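-- The following is an added example (Python, not part of RFC 5190 or of any
-- MIDCOM implementation) showing how a poller can consume the statistics
-- objects above: midcomTotal* objects as per-poll increases with Counter32
-- wrap handling, midcomCurrent* objects as current values, with thresholds
-- that flag repeated failed requests and rules left incomplete. The poller
-- interface, the thresholds and the sample values are assumptions.

```python
"""Poll-to-poll review of the midcomStatistics subtree defined above.

Added example, not code from RFC 5190 or any MIDCOM implementation. A
poller is assumed to have fetched the subtree into a dict keyed by the
sub-identifier under midcomStatistics; the samples are constructed."""
COUNTER32_MOD = 2 ** 32

# Sub-identifiers 1..15 under midcomStatistics, in MIB order. Objects named
# midcomTotal* are Counter32 (monotonic), midcomCurrent* are Gauge32.
STATS = (
    "midcomCurrentOwners", "midcomTotalRejectedRuleEntries",
    "midcomCurrentRulesIncomplete", "midcomTotalIncorrectReserveRules",
    "midcomTotalRejectedReserveRules", "midcomCurrentActiveReserveRules",
    "midcomTotalExpiredReserveRules", "midcomTotalTerminatedOnRqReserveRules",
    "midcomTotalTerminatedReserveRules", "midcomTotalIncorrectEnableRules",
    "midcomTotalRejectedEnableRules", "midcomCurrentActiveEnableRules",
    "midcomTotalExpiredEnableRules", "midcomTotalTerminatedOnRqEnableRules",
    "midcomTotalTerminatedEnableRules",
)
FAILURE_COUNTERS = (2, 4, 5, 10, 11)  # sub-ids whose growth means requests failed

def counter32_delta(prev, cur):
    """Increase of a Counter32 between two polls, tolerating one wrap at 2^32."""
    return (cur - prev) % COUNTER32_MOD

def analyze(prev, cur, failure_threshold, incomplete_threshold):
    """Return (readings, alerts): counters as increase since last poll, gauges as-is."""
    readings = {}
    for sub_id, name in enumerate(STATS, start=1):
        if name.startswith("midcomTotal"):
            readings[name] = counter32_delta(prev[sub_id], cur[sub_id])
        else:
            readings[name] = cur[sub_id]
    alerts = []
    failed = sum(readings[STATS[i - 1]] for i in FAILURE_COUNTERS)
    if failed > failure_threshold:  # agents keep submitting requests that fail
        alerts.append(f"{failed} rejected or incorrect rule requests since last poll")
    incomplete = readings["midcomCurrentRulesIncomplete"]
    if incomplete > incomplete_threshold:  # rows created but never completed
        alerts.append(f"{incomplete} policy rules stuck in newEntry/setting")
    return readings, alerts

# Constructed samples; midcomTotalRejectedRuleEntries wraps between the polls.
SAMPLE_PREV = {1: 2, 2: 4294967290, 3: 0, 4: 1, 5: 0, 6: 5, 7: 3, 8: 7,
               9: 0, 10: 0, 11: 0, 12: 4, 13: 2, 14: 6, 15: 0}
SAMPLE_CUR = {**SAMPLE_PREV, 2: 10, 3: 8, 4: 3, 6: 6, 10: 5}
```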
midcomUnsolicitedRuleEvent NOTIFICATION-TYPE
    OBJECTS { midcomRuleOperStatus, midcomRuleLifetime }
    STATUS  current
    DESCRIPTION
        "This notification is generated whenever the value of
        midcomRuleOperStatus enters any error state or any
        termination state without an explicit trigger by a
        MIDCOM agent."
    ::= { midcomNotifications 1 }

midcomSolicitedRuleEvent NOTIFICATION-TYPE
    OBJECTS { midcomRuleOperStatus, midcomRuleLifetime }
    STATUS  current
    DESCRIPTION
        "This notification is generated whenever the value
        of midcomRuleOperStatus enters one of the states
        {reserved, enabled, any error state, any termination state}
        as a result of a MIDCOM agent writing successfully to
        object midcomRuleAdminStatus.

        In addition, it is generated when the lifetime of
        a rule was changed by successfully writing to object
        midcomRuleLifetime."
    ::= { midcomNotifications 2 }

midcomSolicitedGroupEvent NOTIFICATION-TYPE
    OBJECTS { midcomGroupLifetime }
    STATUS  current
    DESCRIPTION
        "This notification is generated for indicating that the
        lifetime of all member rules of the group was changed by
        successfully writing to object midcomGroupLifetime.

        Note that this notification is only sent if the lifetime
        of a group was changed by successfully writing to object
        midcomGroupLifetime. No notification is sent
        - if a group's lifetime is changed by writing to object
          midcomRuleLifetime of any of its member policies,
        - if a group's lifetime expires (in this case,
          notifications are sent for all member policies), or
        - if the group is terminated by terminating the last
          of its member policies without writing to object
          midcomGroupLifetime."
    ::= { midcomNotifications 3 }
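-- The following is an added example (Python, not part of RFC 5190 or of any
-- MIDCOM implementation) of a notification receiver that checks each of the
-- three notifications above against its OBJECTS clause and the states the
-- description allows, treating anything else as invalid rather than acting on
-- it. The record layout and the sample records are assumptions.

```python
"""Validate and classify the three MIDCOM-MIB notifications defined above.

Added example, not code from RFC 5190. A decoded notification is modelled as
(notification name, {varbind object name: value}); the records are constructed.
midcomRuleOperStatus values follow the MIB's enumeration, defined earlier."""
OPER_STATUS = {1: "newEntry", 2: "setting", 3: "checking", 4: "incorrectRequest",
               5: "processing", 6: "requestRejected", 7: "reserved", 8: "enabled",
               9: "timedOut", 10: "terminatedOnRequest", 11: "terminated",
               12: "genericError"}
ERROR_STATES = {4, 6, 12}
TERMINATION_STATES = {9, 10, 11}

# OBJECTS clause of each NOTIFICATION-TYPE: the varbinds a receiver must find.
REQUIRED_VARBINDS = {
    "midcomUnsolicitedRuleEvent": ("midcomRuleOperStatus", "midcomRuleLifetime"),
    "midcomSolicitedRuleEvent": ("midcomRuleOperStatus", "midcomRuleLifetime"),
    "midcomSolicitedGroupEvent": ("midcomGroupLifetime",),
}

def classify(name, varbinds):
    """Return (severity, message); 'invalid' means log and drop, do not act."""
    required = REQUIRED_VARBINDS.get(name)
    if required is None:
        return "invalid", f"unknown notification {name}"
    missing = [obj for obj in required if obj not in varbinds]
    if missing:
        return "invalid", f"{name} lacks {', '.join(missing)}"
    if name == "midcomSolicitedGroupEvent":
        return "info", f"group lifetime set to {varbinds['midcomGroupLifetime']}s"
    state = varbinds["midcomRuleOperStatus"]
    if state not in OPER_STATUS:
        return "invalid", f"midcomRuleOperStatus {state} outside enumeration"
    label = f"{OPER_STATUS[state]}, lifetime {varbinds['midcomRuleLifetime']}s"
    if name == "midcomSolicitedRuleEvent":
        return "info", f"agent-triggered change: {label}"
    # Unsolicited events are defined only for error and termination states; a
    # termination means a granted pinhole or NAT binding went away unasked.
    if state in TERMINATION_STATES:
        return "warning", f"rule ended unsolicited: {label}"
    if state in ERROR_STATES:
        return "warning", f"rule failed unsolicited: {label}"
    return "invalid", f"unsolicited event with state {label}"

# Constructed records as a trap receiver would deliver them after decoding.
SAMPLES = [
    ("midcomUnsolicitedRuleEvent", {"midcomRuleOperStatus": 9, "midcomRuleLifetime": 0}),
    ("midcomSolicitedRuleEvent", {"midcomRuleOperStatus": 8, "midcomRuleLifetime": 300}),
    ("midcomUnsolicitedRuleEvent", {"midcomRuleOperStatus": 8, "midcomRuleLifetime": 300}),
    ("midcomSolicitedGroupEvent", {}),
]
```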
-- Conformance information

midcomCompliances OBJECT IDENTIFIER ::= { midcomConformance 1 }
midcomGroups      OBJECT IDENTIFIER ::= { midcomConformance 2 }

-- compliance statements

-- This is the MIDCOM compliance definition ...

midcomCompliance MODULE-COMPLIANCE
    STATUS  current
    DESCRIPTION
        "The compliance statement for implementations of the
        MIDCOM-MIB module.

        Note that compliance with this compliance
        statement requires compliance with the
        ifCompliance3 MODULE-COMPLIANCE statement of the
        IF-MIB [RFC2863]."
    MODULE -- this module
        MANDATORY-GROUPS {
            midcomRuleGroup,
            midcomNotificationsGroup,
            midcomCapabilitiesGroup,
            midcomStatisticsGroup
        }
        GROUP midcomConfigFirewallGroup
        DESCRIPTION
            "A compliant implementation does not have to implement
            the midcomConfigFirewallGroup."
        GROUP midcomResourceGroup
        DESCRIPTION
            "A compliant implementation does not have to implement
            the midcomResourceGroup."
        OBJECT midcomRuleInternalIpPrefixLength
        MIN-ACCESS read-only
        DESCRIPTION
            "Write access is not required. When write access is
            not supported, return 128 as the value of this object.
            A value of 128 means that the function represented by
            this option is not supported."
        OBJECT midcomRuleExternalIpPrefixLength
        MIN-ACCESS read-only
        DESCRIPTION
            "Write access is not required. When write access is
            not supported, return 128 as the value of this object.
            A value of 128 means that the function represented by
            this option is not supported."
        OBJECT midcomRuleMaxIdleTime
        MIN-ACCESS read-only
        DESCRIPTION
            "Write access is not required. When write access is
            not supported, return 0 as the value of this object.
            A value of 0 means that the function represented by
            this option is not supported."
        OBJECT midcomRuleInterface
        MIN-ACCESS read-only
        DESCRIPTION
            "Write access is not required."
        OBJECT midcomConfigMaxLifetime
        MIN-ACCESS read-only
        DESCRIPTION
            "Write access is not required."
        OBJECT midcomConfigPersistentRules
        MIN-ACCESS read-only
        DESCRIPTION
            "Write access is not required."
        OBJECT midcomConfigIfEnabled
        MIN-ACCESS read-only
        DESCRIPTION
            "Write access is not required."
        OBJECT midcomConfigFirewallGroupId
        MIN-ACCESS read-only
        DESCRIPTION
            "Write access is not required."
        OBJECT midcomConfigFirewallPriority
        MIN-ACCESS read-only
        DESCRIPTION
            "Write access is not required."
    ::= { midcomCompliances 1 }
midcomRuleGroup OBJECT-GROUP
    OBJECTS {
        midcomRuleAdminStatus,
        midcomRuleOperStatus,
        midcomRuleStorageType,
        midcomRuleStorageTime,
        midcomRuleError,
        midcomRuleInterface,
        midcomRuleFlowDirection,
        midcomRuleMaxIdleTime,
        midcomRuleTransportProtocol,
        midcomRulePortRange,
        midcomRuleInternalIpVersion,
        midcomRuleExternalIpVersion,
        midcomRuleInternalIpAddr,
        midcomRuleInternalIpPrefixLength,
        midcomRuleInternalPort,
        midcomRuleExternalIpAddr,
        midcomRuleExternalIpPrefixLength,
        midcomRuleExternalPort,
        midcomRuleInsideIpAddr,
        midcomRuleInsidePort,
        midcomRuleOutsideIpAddr,
        midcomRuleOutsidePort,
        midcomRuleLifetime,
        midcomRuleRowStatus,
        midcomGroupLifetime
    }
    STATUS  current
    DESCRIPTION
        "A collection of objects providing information about
        policy rules and policy rule groups."
    ::= { midcomGroups 1 }

midcomCapabilitiesGroup OBJECT-GROUP
    OBJECTS {
        midcomConfigMaxLifetime,
        midcomConfigPersistentRules,
        midcomConfigIfEnabled
    }
    STATUS  current
    DESCRIPTION
        "A collection of objects providing information about
        the capabilities of a middlebox."
    ::= { midcomGroups 2 }

midcomConfigFirewallGroup OBJECT-GROUP
    OBJECTS {
        midcomConfigFirewallGroupId,
        midcomConfigFirewallPriority
    }
    STATUS  current
    DESCRIPTION
        "A collection of objects providing information about
        the firewall rule group and firewall rule priority to
        be used by firewalls loaded through MIDCOM."
    ::= { midcomGroups 3 }

midcomResourceGroup OBJECT-GROUP
    OBJECTS {
        midcomRscNatInternalAddrBindMode,
        midcomRscNatInternalAddrBindId,
        midcomRscNatInsideAddrBindMode,
        midcomRscNatInsideAddrBindId,
        midcomRscNatSessionId1,
        midcomRscNatSessionId2,
        midcomRscFirewallRuleId
    }
    STATUS  current
    DESCRIPTION
        "A collection of objects providing information about
        the used NAT and firewall resources."
    ::= { midcomGroups 4 }

midcomStatisticsGroup OBJECT-GROUP
    OBJECTS {
        midcomCurrentOwners,
        midcomTotalRejectedRuleEntries,
        midcomCurrentRulesIncomplete,
        midcomTotalIncorrectReserveRules,
        midcomTotalRejectedReserveRules,
        midcomCurrentActiveReserveRules,
        midcomTotalExpiredReserveRules,
        midcomTotalTerminatedOnRqReserveRules,
        midcomTotalTerminatedReserveRules,
        midcomTotalIncorrectEnableRules,
        midcomTotalRejectedEnableRules,
        midcomCurrentActiveEnableRules,
        midcomTotalExpiredEnableRules,
        midcomTotalTerminatedOnRqEnableRules,
        midcomTotalTerminatedEnableRules
    }
    STATUS  current
    DESCRIPTION
        "A collection of objects providing statistical
        information about the MIDCOM server."
    ::= { midcomGroups 5 }

midcomNotificationsGroup NOTIFICATION-GROUP
    NOTIFICATIONS {
        midcomUnsolicitedRuleEvent,
        midcomSolicitedRuleEvent,
        midcomSolicitedGroupEvent
    }
    STATUS  current
    DESCRIPTION
        "The notifications emitted by the midcomMIB."
    ::= { midcomGroups 6 }