<p dir="ltr">The AF_UNSPEC idea is good, that would basically mean ip-protocol(auto)</p>
<p dir="ltr">What about backporting ip-protocol to 3.4? That shouldn't be a big deal, and it's more of an omission than intended behavior.</p>
<div class="gmail_quote">On Jul 4, 2013 1:07 PM, "Gergely Nagy" <<a href="mailto:algernon@balabit.hu">algernon@balabit.hu</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Jeff Lange <<a href="mailto:jlange6648@gmail.com">jlange6648@gmail.com</a>> writes:<br>
<br>
> I'm attempting to set up a TCP IPv6 source declaration that uses TLS but<br>
> syslog-ng is not happy with the configuration file.<br>
<br>
Long story short: syslog-ng 3.3 and 3.4 do not support syslog() over<br>
IPv6, 3.5 does, see below.<br>
<br>
> The following is what I use for IPv4 and it works fine:<br>
><br>
> source s_tls<br>
> {<br>
> syslog( ip(0.0.0.0) port(6514)<br>
> transport( "tls" )<br>
> tls (<br>
> key_file("/srv/syslog-ng/certs/priv-key.pem")<br>
> cert_file("/srv/syslog-ng/certs/id-cert.pem")<br>
> ca_dir("/srv/syslog-ng/certs")<br>
> cipher_suite("SHA256:!aNULL:!eNULL:!ECDH:!DSS")<br>
> )<br>
> );<br>
> };<br>
><br>
> However the following is not valid:<br>
><br>
> source s_tls6 {<br>
> syslog( ip("::") port(6515)<br>
> transport( "tls" )<br>
> tls (<br>
> key_file("/srv/syslog-ng/certs/priv-key.pem")<br>
> cert_file("/srv/syslog-ng/certs/id-cert.pem")<br>
> ca_dir("/srv/syslog-ng/certs")<br>
> cipher_suite("SHA256:!aNULL:!eNULL:!ECDH:!DSS")<br>
> )<br>
> );<br>
> };<br>
><br>
> I've tried the ip with and without quotes with no luck. What am I doing<br>
> wrong?<br>
<br>
Unfortunately, syslog-ng defaults to IPv4, and even if you give it an<br>
IPv6 address, it will still try to handle it as if it was IPv4, unless<br>
you tell it not to.<br>
<br>
In syslog-ng 3.5, this is possible by adding ip-protocol(6) inside the<br>
syslog() statement. In versions prior to 3.5, it is not doable yet. But<br>
I'm considering teaching the host resolving code to not default to IPv4<br>
by default (by using AF_UNSPEC, unless specified otherwise via<br>
ip-protocol or something similar).<br>
<br>
The problem is, all the current sources and destinations make a<br>
distinction between IPv4 and IPv6: tcp(), udp() and syslog() all enforce<br>
IPv4, while tcp6() and udp6() enforce IPv6... and there is no syslog6().<br>
<br>
I do not want to change this in either 3.3 or 3.4, that would be too<br>
invasive, but for 3.5, I'd love to make the udp(), tcp() and syslog()<br>
statements IP-protocol agnostic. That way, your config would just work<br>
out of the box, but would still allow one to limit to either IPv4 or<br>
IPv6 by specifying ip-protocol(N).<br>
<br>
--<br>
|8]<br>
</blockquote></div>
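<p dir="ltr">As an added illustration of the IPv4 default discussed in the thread (this is not code from the thread or from syslog-ng itself): a small Python lint that flags syslog(), tcp() or udp() sources given an IPv6 ip() literal without ip-protocol(6), which is exactly the misconfiguration in the question. It assumes the 3.5 ip-protocol() option is honoured by tcp() and udp() as well as syslog(), as the reply proposes, and runs over a constructed sample config.</p>

```python
import ipaddress
import re

# Constructed sample mirroring the thread: the working IPv4 source, the
# failing IPv6 one, one fixed with ip-protocol(6), and a udp6() source.
SAMPLE_CONFIG = '''
source s_tls {
    syslog( ip(0.0.0.0) port(6514) transport("tls")
        tls( key_file("/srv/syslog-ng/certs/priv-key.pem") ) );
};
source s_tls6 {
    syslog( ip("::") port(6515) transport("tls")
        tls( key_file("/srv/syslog-ng/certs/priv-key.pem") ) );
};
source s_ok6 { syslog( ip("::") port(6516) ip-protocol(6) ); };
source s_udp6 { udp6( ip("::") port(514) ); };
source s_tcp_v6 { tcp( ip("2001:db8::1") port(601) ); };
'''

SOURCE_RE = re.compile(r'source\s+(\w+)\s*\{(.*?)\};', re.S)
DRIVER_RE = re.compile(r'\b(tcp6|udp6|tcp|udp|syslog)\s*\(')
IP_RE = re.compile(r'\bip\(\s*"?([^)"\s]+)"?\s*\)')
PROTO_RE = re.compile(r'\bip-protocol\(\s*(\d)\s*\)')

def check_source(body):
    """Return a problem string for one source body, or None if it is fine.
    Rule from the thread: tcp(), udp() and syslog() treat the address as IPv4
    unless ip-protocol(6) is given (3.5+); tcp6()/udp6() are IPv6 already.
    Assumes ip-protocol() is honoured by tcp()/udp() too, as the reply plans."""
    driver, ip_lit = DRIVER_RE.search(body), IP_RE.search(body)
    if not driver or not ip_lit:
        return None
    try:
        version = ipaddress.ip_address(ip_lit.group(1)).version
    except ValueError:  # a hostname rather than a literal: nothing to check
        return None
    if version != 6 or driver.group(1) in ("tcp6", "udp6"):
        return None
    proto = PROTO_RE.search(body)
    if proto and proto.group(1) == "6":
        return None
    return "%s() with IPv6 ip(%s) but no ip-protocol(6)" % (driver.group(1), ip_lit.group(1))

def lint_config(config):
    """Map source name -> problem for every source that would bind as IPv4."""
    found = ((name, check_source(body)) for name, body in SOURCE_RE.findall(config))
    return {name: problem for name, problem in found if problem}
```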