Hi,

Disabling checksums would be a very bad workaround. If you're using a buggy libnet version then it is up to you to fix it - or build syslog-ng against a fixed version as libnet is linked statically. Linux distributors either ship a patched libnet 1.1.2.1 version or ship 1.1.4 instead which doesn't have the checksum bug.

Regards,
Sandor

On Tue, Jun 29, 2010 at 4:31 AM, Martin Holste <mcholste@gmail.com> wrote:
Actually, I did more research on this and found that two separate people back in 2007 had this same problem on the mailing list. See threads "Lost packets; UDP Checksum (chksum) errors; forwarding - source spoofing; libnet bug" as well as "Forwarding + Spoofing = Errors & Dropped Packets?" I believe I've definitively proven the problem to be invalid UDP checksums sent by libnet 1.1.2.1 as indicated in the first thread by Marvin Nipper. Further research shows that there is a Linux kernel-level setting that can act as a workaround by setting the socket option SO_NO_CHECK, which disables checksum verifications. So, either Syslog-NG needs to incorporate a newer, fixed libnet version (it was indicated that it did not compile using 1.1.3 Beta), or a socket option for receiving needs to be set or made as an available option to set like the receive buffer.
On Mon, Jun 28, 2010 at 1:40 PM, Zoltán Pallagi <pzolee@balabit.hu> wrote:
Hi,
I think it will be a UDP kernel buffer problem (and not a syslog problem), see the earlier thread of "[syslog-ng] Tests using loggen - not receiving all the packets" in this mailing list.
On 2010.06.28. 20:21, Martin Holste wrote:
I'm finding that with a destination of udp("10.x.x.x", port(514) spoof_source(yes)) about half of messages get lost when going from one syslog-ng host to another at a high message rate (> 3k/sec). This is on 3.1 OSE and the hosts are on the same subnet and switch, so there shouldn't be any network devices interfering. Has anyone else had this same issue? My hunch is that it's either a performance issue with the way the libnet (I'm using 1.1.2.1 on SuSE 10.2) API is implemented or it's an issue within the libnet API. Has anyone else noticed performance problems when using spoof_source?
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html
-- pzolee
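Added example, not part of the thread and not syslog-ng or libnet code: the UDP checksum (RFC 768) covers a pseudo-header that includes the source IP address, so a sender that rewrites the source address must compute the checksum over the rewritten address, and this is the check a receiver applies before accepting the datagram. The addresses (documentation range 192.0.2.0/24), the payload and all function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { CSUM_OK, CSUM_BAD, CSUM_ABSENT };

/* Add big-endian 16-bit words to acc; an odd trailing byte is zero-padded. */
static uint32_t sum16(const uint8_t *p, size_t len, uint32_t acc) {
    for (; len > 1; p += 2, len -= 2) acc += (uint32_t)((p[0] << 8) | p[1]);
    if (len) acc += (uint32_t)(p[0] << 8);
    return acc;
}
/* Folded one's-complement sum over IPv4 pseudo-header + UDP segment (RFC 768). */
static uint16_t udp_sum(const uint8_t src[4], const uint8_t dst[4], const uint8_t *seg, size_t len) {
    uint32_t acc = sum16(src, 4, 0);
    acc = sum16(dst, 4, acc);
    acc += 17 + (uint32_t)len;          /* protocol number + UDP length */
    acc = sum16(seg, len, acc);
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)acc;
}
/* Write the correct checksum into bytes 6..7 of the UDP header. */
void udp_set_checksum(const uint8_t src[4], const uint8_t dst[4], uint8_t *seg, size_t len) {
    seg[6] = seg[7] = 0;
    uint16_t c = (uint16_t)~udp_sum(src, dst, seg, len);
    if (c == 0) c = 0xffff;             /* 0 on the wire means "no checksum" */
    seg[6] = (uint8_t)(c >> 8); seg[7] = (uint8_t)c;
}
/* Receiver's decision: a valid segment sums to 0xffff including its checksum. */
int udp_verify(const uint8_t src[4], const uint8_t dst[4], const uint8_t *seg, size_t len) {
    if (len < 8 || (size_t)((seg[4] << 8) | seg[5]) != len) return CSUM_BAD;
    if (seg[6] == 0 && seg[7] == 0) return CSUM_ABSENT;
    return udp_sum(src, dst, seg, len) == 0xffff ? CSUM_OK : CSUM_BAD;
}
/* Constructed sample: syslog datagram 514 -> 514, 16-byte payload; returns its length. */
size_t build_sample(uint8_t *seg) {
    static const char msg[] = "<13>test message";
    size_t len = 8 + sizeof msg - 1;
    uint8_t hdr[8] = { 0x02, 0x02, 0x02, 0x02, 0, (uint8_t)len, 0, 0 };
    memcpy(seg, hdr, 8); memcpy(seg + 8, msg, sizeof msg - 1);
    return len;
}

int main(void) {
    uint8_t relay[4] = {192,0,2,1}, spoofed[4] = {192,0,2,10}, dst[4] = {192,0,2,20}, seg[64];
    size_t len = build_sample(seg);
    udp_set_checksum(relay, dst, seg, len);   /* checksum over the relay's own address */
    printf("relay src: %d, spoofed src: %d\n", udp_verify(relay, dst, seg, len), udp_verify(spoofed, dst, seg, len));
}
```

Run against the UDP segment and IP addresses taken from a capture on the receiving host, `udp_verify` shows whether the forwarded datagrams carry a checksum the receiver can accept.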