"not netmask(...)" not working
Hello,

I am using syslog-ng-1.6.11 under RHEL 4, using an RPM built from http://www.balabit.com/downloads/syslog-ng/1.6/src/syslog-ng-1.6.11.tar.gz [*]

I tried to use the following rule to match all packets except those from certain host ranges:

destination estate { file("/logs/estate.log" ); };
filter f_estate { not netmask( "10.1.0.0/16" ) and not netmask( "172.17.0.0/24" ) and not netmask( "192.168.1.254" ); };
log { source(s_sys); filter(f_estate); destination(estate); };

but it didn't work. tcpdump showed packets from outside those ranges were being received, but syslog-ng did not log them.

Now, inspecting the code, firstly it seems I should have written the expressions in dotted netmask form, i.e. "10.1.0.0/255.255.0.0". It would be nice if syslog-ng were to validate this a bit better :-) However, when I fixed that, nothing changed.

Looking in the code, I think that a negation operation is missing for the netmask() function, perhaps something like this:

--- src/filters.c.orig Fri May 5 13:19:18 2006 +++ src/filters.c Fri May 5 13:24:44 2006
@@ -272,10 +272,10 @@ netw = self->network.s_addr; mask = self->netmask.s_addr; - return ((host & mask) == (netw & mask)); + return ((host & mask) == (netw & mask)) ^ c->comp; } else { - return 0; + return c->comp; } }

However, I don't understand why some of the functions use c->comp, and others use self->super.comp, so I'm a bit hesitant to modify in this way.

I was able to work around this by rewriting the expression thus:

destination estate { file("/logs/estate.log" ); };
filter f_not_estate { netmask( "10.1.0.0/255.255.0.0" ) or netmask( "172.17.0.0/255.255.255.0" ) or netmask( "192.168.1.254" ); };
filter f_estate { not filter("f_not_estate"); };
log { source(s_sys); filter(f_estate); destination(estate); };

but perhaps someone who understands the expression parser could look at fixing this properly?

Thanks,

Brian.

[*] I had to use syslog-ng.spec.bb, because syslog-ng.spec references a number of non-existent files (such as Source3: mysql-syslog.pipe and Source4: mysql-syslog.buffer). With a small change to syslog-ng.bb, changing an underscore to a dash, it was happy.
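To make the failure above concrete, here is an added example in C (not syslog-ng's own code; the parser and the netmask_check helper are hypothetical): a netmask() filter that accepts both the prefix and the dotted form and rejects malformed specs, beside the 1.6.11 evaluation that ignores the negation flag and a fixed evaluation that honours it.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
/* One netmask() filter: network, mask and the negation flag that
 * "not netmask(...)" should set (the comp field in the patch above). */
typedef struct { uint32_t network, netmask; int comp; } NetmaskFilter;

/* Hypothetical parser (not syslog-ng's own) for "a.b.c.d/bits", "a.b.c.d/m.m.m.m"
 * or a bare host; returns 0, or -1 on a malformed spec (1.6.11 accepted "10.1.0.0/16" silently). */
int netmask_filter_init(NetmaskFilter *f, const char *spec, int comp)
{
    char buf[64], *slash, *end; struct in_addr addr, mask; long bits;
    if (strlen(spec) >= sizeof buf) return -1;
    strcpy(buf, spec);
    if ((slash = strchr(buf, '/')) != NULL) *slash++ = '\0';
    if (inet_pton(AF_INET, buf, &addr) != 1) return -1;
    if (slash == NULL) {                        /* single host */
        mask.s_addr = htonl(0xffffffffu);
    } else if (strchr(slash, '.') != NULL) {    /* dotted mask */
        if (inet_pton(AF_INET, slash, &mask) != 1) return -1;
    } else {                                    /* prefix length */
        bits = strtol(slash, &end, 10);
        if (*slash == '\0' || *end != '\0' || bits < 0 || bits > 32) return -1;
        mask.s_addr = htonl(bits ? 0xffffffffu << (32 - bits) : 0);
    }
    f->network = ntohl(addr.s_addr);
    f->netmask = ntohl(mask.s_addr);
    f->comp = comp;
    return 0;
}

/* 1.6.11 behaviour: comp is never consulted, so "not netmask(X)"
 * still matches only hosts inside X and everything else is dropped. */
int netmask_eval_buggy(const NetmaskFilter *f, uint32_t host)
{ return (host & f->netmask) == (f->network & f->netmask); }

/* Fixed: honour comp. Comparing against a normalised flag (rather than
 * XOR-ing) stays correct even if comp ever holds a value other than 0 or 1. */
int netmask_eval_fixed(const NetmaskFilter *f, uint32_t host)
{ return ((host & f->netmask) == (f->network & f->netmask)) != !!f->comp; }

/* Parse spec and host, then evaluate with either version; -1 if parsing fails. */
int netmask_check(const char *spec, int comp, const char *host, int fixed)
{   NetmaskFilter f; struct in_addr a;
    if (netmask_filter_init(&f, spec, comp) != 0 || inet_pton(AF_INET, host, &a) != 1) return -1;
    return fixed ? netmask_eval_fixed(&f, ntohl(a.s_addr)) : netmask_eval_buggy(&f, ntohl(a.s_addr));
}
```

With comp set (a negated filter), the buggy evaluation still returns 0 for a host outside 10.1.0.0/16, which is exactly why nothing from outside the ranges reached the log.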
On Fri, 2006-05-05 at 16:20 +0100, Brian Candler wrote:
Hello,
I am using syslog-ng-1.6.11 under RHEL 4, using an RPM built from http://www.balabit.com/downloads/syslog-ng/1.6/src/syslog-ng-1.6.11.tar.gz [*]
I tried to use the following rule to match all packets except those from certain host ranges:
destination estate { file("/logs/estate.log" ); };
filter f_estate { not netmask( "10.1.0.0/16" ) and not netmask( "172.17.0.0/24" ) and not netmask( "192.168.1.254" ); };
log { source(s_sys); filter(f_estate); destination(estate); };
but it didn't work. tcpdump showed packets from outside those ranges were being received, but syslog-ng did not log them.
Now, inspecting the code, firstly it seems I should have written the expressions in dotted netmask form, i.e. "10.1.0.0/255.255.0.0". It would be nice if syslog-ng were to validate this a bit better :-) However, when I fixed that, nothing changed.
Looking in the code, I think that a negation operation is missing for the netmask() function, perhaps something like this:
--- src/filters.c.orig Fri May 5 13:19:18 2006 +++ src/filters.c Fri May 5 13:24:44 2006 @@ -272,10 +272,10 @@ netw = self->network.s_addr; mask = self->netmask.s_addr;
- return ((host & mask) == (netw & mask)); + return ((host & mask) == (netw & mask)) ^ c->comp; } else { - return 0; + return c->comp; } }
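Review bot: the negation flag is read as c->comp in both changed lines, while, as the mail itself points out, other filter functions in filters.c read self->super.comp; whichever field the parser actually sets for "not" is the one that must be consulted here, otherwise the negation stays silently ignored exactly as before. Two smaller points: "^ c->comp" only produces a clean boolean if comp is strictly 0 or 1, so comparing with "!= !!c->comp" would be robust against any other non-zero flag value; and the new else branch means a negated netmask() now matches messages that carry no IPv4 source address at all, which is the right reading of "not from these ranges" but is a behaviour change worth a comment in the code.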
However, I don't understand why some of the functions use c->comp, and others use self->super.comp, so I'm a bit hesitant to modify in this way.
The fix is correct and I have committed a fix to my CVS tree.

-- 
Bazsi