On Fri, 2006-05-05 at 16:20 +0100, Brian Candler wrote:
Hello,
I am using syslog-ng-1.6.11 under RHEL 4, using an RPM built from http://www.balabit.com/downloads/syslog-ng/1.6/src/syslog-ng-1.6.11.tar.gz [*]
I tried to use the following rule to match all packets except those from certain host ranges:
    destination estate { file("/logs/estate.log"); };
    filter f_estate {
        not netmask("10.1.0.0/16")
        and not netmask("172.17.0.0/24")
        and not netmask("192.168.1.254");
    };
    log { source(s_sys); filter(f_estate); destination(estate); };
but it didn't work. tcpdump showed packets from outside those ranges were being received, but syslog-ng did not log them.
Now, inspecting the code, firstly it seems I should have written the expressions in dotted netmask form, i.e. "10.1.0.0/255.255.0.0". It would be nice if syslog-ng were to validate this a bit better :-) However when I fixed that nothing changed.
Looking in the code, I think that a negation operation is missing for the netmask() function, perhaps something like this:
--- src/filters.c.orig Fri May 5 13:19:18 2006 +++ src/filters.c Fri May 5 13:24:44 2006 @@ -272,10 +272,10 @@ netw = self->network.s_addr; mask = self->netmask.s_addr;
- return ((host & mask) == (netw & mask)); + return ((host & mask) == (netw & mask)) ^ c->comp; } else { - return 0; + return c->comp; } }
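Review bot: the else branch (message whose source address is not an IPv4 address) now returns c->comp instead of 0, so every negated netmask() term will match messages that carry no IP source at all; that is a defensible reading of "not netmask(...)", but it changes which messages reach the destination compared with the unpatched `return 0;`, so add a short comment stating that a negated netmask() deliberately matches non-IP sources. Also settle the c->comp versus self->super.comp question raised below before committing, so the flag read in both branches is the one that the `not` keyword actually sets; if it is not, the XOR in `return ((host & mask) == (netw & mask)) ^ c->comp;` silently reverts to the old behaviour.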
However, I don't understand why some of the functions use c->comp, and others use self->super.comp, so I'm a bit hesitant to modify in this way.
The fix is correct and I have committed a fix to my CVS tree.
-- 
Bazsi
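As an added example (not syslog-ng source and not Brian's or Bazsi's code), the following C model reproduces the behaviour discussed in the thread: the netmask match before the patch, where the negation flag is never consulted, beside the patched form that XORs the result with the flag and returns the flag for messages without an IP source. It also goes one step beyond the thread by accepting both the dotted-mask spelling and a CIDR prefix length, which is the validation Brian asked for. The struct field `comp` and the function names are assumptions that mirror `c->comp` in the quoted patch; the host addresses fed to `f_estate()` are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal model of the 1.6 netmask() filter term. 'comp' is the negation flag
 * that "not" sets (hypothetical name, mirroring c->comp in the thread's patch). */
typedef struct {
    uint32_t network;   /* host byte order */
    uint32_t netmask;   /* host byte order */
    int comp;           /* 1 when the term is negated with "not" */
} netmask_filter_t;

/* Parse "a.b.c.d" into a host-order uint32; returns 1 on success, 0 on failure. */
int parse_ipv4(const char *s, uint32_t *out) {
    unsigned a, b, c, d; char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* Parse "net/mask" where mask is dotted ("255.255.0.0") or a prefix length ("16");
 * a bare address means a single host. Rejects malformed input instead of
 * silently matching nothing, which is the validation gap raised in the thread. */
int parse_netmask_spec(const char *spec, netmask_filter_t *f, int comp) {
    char buf[64];
    if (strlen(spec) >= sizeof buf) return 0;
    strcpy(buf, spec);
    char *slash = strchr(buf, '/');
    if (slash) *slash++ = '\0';
    f->comp = comp;
    if (!parse_ipv4(buf, &f->network)) return 0;
    if (!slash) { f->netmask = 0xFFFFFFFFu; return 1; }
    if (strchr(slash, '.')) return parse_ipv4(slash, &f->netmask);
    char *end;
    unsigned long bits = strtoul(slash, &end, 10);
    if (end == slash || *end != '\0' || bits > 32) return 0;
    f->netmask = (bits == 0) ? 0 : (uint32_t)(0xFFFFFFFFu << (32 - bits));
    return 1;
}

/* Behaviour before the patch: the negation flag is ignored entirely. */
int netmask_eval_before(const netmask_filter_t *f, int has_ip, uint32_t host) {
    if (!has_ip) return 0;
    return (host & f->netmask) == (f->network & f->netmask);
}

/* Behaviour after the patch: result XORed with comp, and a message with no IP
 * source evaluates to comp, so a negated term matches it. */
int netmask_eval_after(const netmask_filter_t *f, int has_ip, uint32_t host) {
    if (!has_ip) return f->comp;
    return ((host & f->netmask) == (f->network & f->netmask)) ^ f->comp;
}

typedef int (*netmask_eval_fn)(const netmask_filter_t *, int, uint32_t);

/* Brian's f_estate filter: three negated terms joined with "and", so a message
 * passes only when every term holds. Returns 1 (log it), 0 (drop), -1 (bad spec). */
int f_estate(int has_ip, uint32_t host, netmask_eval_fn eval) {
    static const char *specs[] = {
        "10.1.0.0/255.255.0.0", "172.17.0.0/255.255.255.0", "192.168.1.254"
    };
    for (size_t i = 0; i < sizeof specs / sizeof specs[0]; i++) {
        netmask_filter_t f;
        if (!parse_netmask_spec(specs[i], &f, 1)) return -1;
        if (!eval(&f, has_ip, host)) return 0;
    }
    return 1;
}

int main(void) {
    /* Constructed sample sources: one outside all ranges, one inside 10.1/16. */
    uint32_t outside, inside;
    parse_ipv4("203.0.113.5", &outside);
    parse_ipv4("10.1.2.3", &inside);
    printf("203.0.113.5 before=%d after=%d\n",
           f_estate(1, outside, netmask_eval_before), f_estate(1, outside, netmask_eval_after));
    printf("10.1.2.3    before=%d after=%d\n",
           f_estate(1, inside, netmask_eval_before), f_estate(1, inside, netmask_eval_after));
    printf("no IP src   before=%d after=%d\n",
           f_estate(0, 0, netmask_eval_before), f_estate(0, 0, netmask_eval_after));
    return 0;
}
```

With the unpatched evaluator every message, inside or outside the listed ranges, is dropped, which is exactly the symptom reported: tcpdump sees the packets but nothing is logged. With the patched evaluator the outside host is logged, the inside host is dropped, and a message without an IP source (local or unix-socket sources) is logged, since "not in 10.1.0.0/16" is true for it; that last case is the behavioural change the `return c->comp;` branch introduces and is worth knowing when reasoning about what ends up in estate.log.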