[Bug 203] New: patterndb rule tag can not have a hyphen in the class attribute
https://bugzilla.balabit.com/show_bug.cgi?id=203 Summary: patterndb rule tag can not have a hyphen in the class attribute Product: syslog-ng Version: 3.3.x Platform: PC OS/Version: Linux Status: NEW Severity: normal Priority: unspecified Component: syslog-ng AssignedTo: bazsi@balabit.hu ReportedBy: erempel@uvic.ca Type of the Report: --- Estimated Hours: 0.0 Just seems odd that the rule tag can not have a hyphen in the class attribute. The error is element rule: Schemas validity error : Element 'rule', attribute 'class': [facet 'pattern'] The value 'sm-mta' is not accepted by the pattern '[a-zA-Z0-9_\.]+'. I would expect (and prefer) that the pattern should be '[a-zA-Z0-9_/\.+:-]' <ruleset name="sm-mta" id="RS-8e86ff39-2db4-48b6-bbe0-f980d9afebf0"> <pattern>sm-mta</pattern> <rules> <rule id="8e86ff39-2db4-48b6-bbe0-f980d9afebf0" class="sm-mta" provider="UVic"> <patterns> <pattern>whatever pattern</pattern> </patterns> </rule> </rules> </ruleset"> will reproduce this error. -- Configure bugmail: https://bugzilla.balabit.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching all bug changes.
https://bugzilla.balabit.com/show_bug.cgi?id=203 Gergely Nagy <algernon@balabit.hu> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |algernon@balabit.hu AssignedTo|bazsi@balabit.hu |algernon@balabit.hu --- Comment #1 from Gergely Nagy <algernon@balabit.hu> 2012-10-11 12:43:04 --- (In reply to comment #0)
Just seems odd that the rule tag can not have a hyphen in the class attribute. [...] I would expect (and prefer) that the pattern should be '[a-zA-Z0-9_/\.+:-]'
Quickly glancing through the code, I did not find any use of the class value other than as a value: there's no ${.class.this-or-that} variable or anything like it, so the restriction sounds far too strict to me. On a first blink, I'd remove the restriction completely. I'll see if I can find any other reason why the restriction may be present - if there's none, it should be removed or at least weakened to your suggestion. -- Configure bugmail: https://bugzilla.balabit.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching all bug changes.
https://bugzilla.balabit.com/show_bug.cgi?id=203 Gergely Nagy <algernon@balabit.hu> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED -- Configure bugmail: https://bugzilla.balabit.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching all bug changes.
https://bugzilla.balabit.com/show_bug.cgi?id=203 Balazs Scheidler <bazsi@balabit.hu> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |bazsi@balabit.hu Resolution| |FIXED Status|ASSIGNED |RESOLVED --- Comment #2 from Balazs Scheidler <bazsi@balabit.hu> 2012-10-13 10:31:05 --- I think it makes sense to match the class name against a regexp and not allow completely arbitrary strings. Allowing dash is perfectly ok for me. Fixed in 3.4 commit 6dcb116996310400ac94e6cd3a7c321a3c595e49 Author: Balazs Scheidler <bazsi@balabit.hu> Date: Sat Oct 13 10:30:09 2012 +0200 db-parser: allow dash in class names Reported-By: Evan Rempel <erempel@uvic.ca> Signed-off-by: Balazs Scheidler <bazsi@balabit.hu> -- Configure bugmail: https://bugzilla.balabit.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching all bug changes.
For our own purposes we will be adding a few parsers to the patterndb syntax, and will be contributing them back to Balabit, so I wanted to choose reasonable/acceptable names for these. Feedback on what these do and/or the name of the parser would be appreciated. HOSTNAME This is really the same as @STRING:xxx:.-_@ but makes the pattern much more readable. I am still considering if any triailing period should be consumed but dropped. This would make it easier to parse a hostname that comes at the end of a log line where the log line ends in a period, as well as forced FQDN names that are logged. EMAIL email addresses are difficult to parse because they have an @ symbol in them. This parser would accept a list of characters that would be dropped beginning and end of the match. such as "erempel@uvic.ca" or <erempel@uvic.ca> and return just the e-mail address erempel@uvic.ca in the specified tag name. MACETH Parse upper/lower case ethernet MAC addresses such as 78:2B:CB:70:49:73 MACIB Parse upper/lower case infiniband addresses such as 80:00:00:48:fe:80:00:00:00:00:00:00:00:02:c9:03:00:05:bc:15 MACFC Parse upper/lower case fibre channel addresses (these are fibre channel (w)orld (w)ide (n)ames often refered to as WWN but in keeping with the (m)edia (a)ccess (c)ontrol layer names I have chosen for MACETH and MACIB I thought that MACFC was more consistent. Thanks for your feedback. Evan.
Evan Rempel <erempel@uvic.ca> writes:
MACETH
Parse upper/lower case ethernet MAC addresses such as 78:2B:CB:70:49:73
3.4 has this already, under the name MACADDR. I'd rename that to MACETH (perhaps with an alias kept for MACADDR), because with the rest of the MAC* stuff, MACETH is more appropriate. I like the rest of the names too. -- |8]
----- Original message -----
For our own purposes we will be adding a few parsers to the patterndb syntax, and will be contributing them back to Balabit, so I wanted to choose reasonable/acceptable names for these. Feedback on what these do and/or the name of the parser would be appreciated.
HOSTNAME
This is really the same as @STRING:xxx:.-_@ but makes the pattern much more readable. I am still considering if any triailing period should be consumed but dropped. This would make it easier to parse a hostname that comes at the end of a log line where the log line ends in a period, as well as forced FQDN names that are logged.
sounds good.
email addresses are difficult to parse because they have an @ symbol in them. This parser would accept a list of characters that would be dropped beginning and end of the match. such as "erempel@uvic.ca" or <erempel@uvic.ca> and return just the e-mail address erempel@uvic.ca in the specified tag name.
good idea.
MACETH
Parse upper/lower case ethernet MAC addresses such as 78:2B:CB:70:49:73
there's already a parser for this in 3.4, iirc it is called macaddr
MACIB
Parse upper/lower case infiniband addresses such as 80:00:00:48:fe:80:00:00:00:00:00:00:00:02:c9:03:00:05:bc:15
MACFC
Parse upper/lower case fibre channel addresses (these are fibre channel (w)orld (w)ide (n)ames often refered to as WWN but in keeping with the (m)edia (a)ccess (c)ontrol layer names I have chosen for MACETH and MACIB I thought that MACFC was more consistent.
I wouldn't use MAC prefix for either of these, only if it's really that usual to call these macs.
Thanks for your feedback.
some refactoring in the parser area is dearly needed, the pattern parsing code is ugly. I'm not sure when I get there to refactor that, i just wanted to warn you :) or if you could split that huge function to smaller ones and use a lookup table instead of the if-else-if mess, that would be appreciated. thanks for considering this. these ideas are great
Hi Evan, On 10/13/2012 06:48 PM, Evan Rempel wrote:
email addresses are difficult to parse because they have an @ symbol in them. This parser would accept a list of characters that would be dropped beginning and end of the match. such as "erempel@uvic.ca" or <erempel@uvic.ca> and return just the e-mail address erempel@uvic.ca in the specified tag name. I had the attached patch lying around in one of my git stashes, I still wanted to do some work on it, before sending it in (like full RFC compliancy check), but you might be able use that as a starting point for your own implementation.
Balint
These set of patches are cumulative and require the dbparser SET patch. They have been build againstthe 3.3 release but should be fairly clean on the 3.4 branch They should be applied in the order of EMAIL HOSTNAME LLATTR -- Evan
The last set of patches I posted contained an error that would result in segmentation fault. I forgot to check if the parameter was defined before using it. These fixed patches don't have the error. Evan Rempel wrote:
These set of patches are cumulative and require the dbparser SET patch. They have been build against the 3.3 release but should be fairly clean on the 3.4 branch
They should be applied in the order of
EMAIL HOSTNAME LLATTR
-- Evan
Evan Rempel <erempel@uvic.ca> writes:
The last set of patches I posted contained an error that would result in segmentation fault. I forgot to check if the parameter was defined before using it.
These fixed patches don't have the error.
I only had a quick glance, but I liked what I saw, thanks! However, since 3.4 already has a MACADDR parser, I was thinking it'd make sense to move that over to be a light wrapper around LLADDR, appropriately parameterised? (I can do that once I get around to pull your patches into my sandbox tree, but if it was done before I merge the patches, that'd make my life a tiny bit easier :) -- |8]
hi, thanks for the patches. these are what make syslog-ng go forward. :) I'm going to review/integrate them once I get to my computer (merging patches on a phone where I'm typing this email is not feasible :) ----- Original message -----
These set of patches are cumulative and require the dbparser SET patch. They have been build againstthe 3.3 release but should be fairly clean on the 3.4 branch
They should be applied in the order of
EMAIL HOSTNAME LLATTR
-- Evan
<Attachment> syslog-ng_3.3.6.91.parser_email.patch <Attachment> syslog-ng_3.3.6.91.parser_hostname.patch <Attachment> syslog-ng_3.3.6.91.parser_lladdr.patch
Evan Rempel <erempel@uvic.ca> writes:
These set of patches are cumulative and require the dbparser SET patch. They have been build againstthe 3.3 release but should be fairly clean on the 3.4 branch
I ported these to 3.4 (was fairly clean indeed), applied a few coding style changes, and made it so that MACADDR is an alias to LLADDR:16. All tests pass (I wrote a few simple ones for LLADDR:20 and HOSTNAME). The result is currently on my feature/3.4/dbparser-additions branch, I'll merge it into merge-queue/3.4 and sandbox/3.4 once I've done some code cleanups. There are a few things I believe could be done better (eg, the MACADDR parser we have in 3.4 now is, I believe a tiny bit more efficient than the LLADDR parser, so I want to fix that and make the latter perform just aswell). Thanks for the patches! -- |8]
On Thu, 2012-10-18 at 16:43 +0200, Gergely Nagy wrote:
Evan Rempel <erempel@uvic.ca> writes:
These set of patches are cumulative and require the dbparser SET patch. They have been build againstthe 3.3 release but should be fairly clean on the 3.4 branch
I ported these to 3.4 (was fairly clean indeed), applied a few coding style changes, and made it so that MACADDR is an alias to LLADDR:16. All tests pass (I wrote a few simple ones for LLADDR:20 and HOSTNAME).
The result is currently on my feature/3.4/dbparser-additions branch, I'll merge it into merge-queue/3.4 and sandbox/3.4 once I've done some code cleanups. There are a few things I believe could be done better (eg, the MACADDR parser we have in 3.4 now is, I believe a tiny bit more efficient than the LLADDR parser, so I want to fix that and make the latter perform just aswell).
Thanks for the patches!
Hi, If I understand correctly you still want to do some stuff on these patches. I'll wait for them then. Thanks. -- Bazsi
Balazs Scheidler <bazsi@balabit.hu> writes:
If I understand correctly you still want to do some stuff on these patches. I'll wait for them then.
Yes. I wanted to finish it up today, but a few more 3.3 blockers fell in :( I'll merge them to the merge-queue/3.4 branch once I'm happy with them (either tomorrow, or next friday). -- |8]
Gergely Nagy <algernon@balabit.hu> writes:
Balazs Scheidler <bazsi@balabit.hu> writes:
If I understand correctly you still want to do some stuff on these patches. I'll wait for them then.
Yes. I wanted to finish it up today, but a few more 3.3 blockers fell in :(
I'll merge them to the merge-queue/3.4 branch once I'm happy with them (either tomorrow, or next friday).
Time traveller reporting in! Reworked the LLADDR parser a bit, fixing a few bugs I introduced (in the MACADDR emulation, as well as in LLADDR itself). It is pretty much the exact same code MACADDR was, except the length is configurable, and MACADDR is a very light wrapper around it. I updated the tests to actually test what they're supposed to, and not accept invalid results. They now pass, and I'm happy with the code, pushed out a merge-queue/3.4 with these patches applied. -- |8]
Pulled, thanks. On Sat, 2012-10-27 at 16:46 +0200, Gergely Nagy wrote:
Gergely Nagy <algernon@balabit.hu> writes:
Balazs Scheidler <bazsi@balabit.hu> writes:
If I understand correctly you still want to do some stuff on these patches. I'll wait for them then.
Yes. I wanted to finish it up today, but a few more 3.3 blockers fell in :(
I'll merge them to the merge-queue/3.4 branch once I'm happy with them (either tomorrow, or next friday).
Time traveller reporting in!
Reworked the LLADDR parser a bit, fixing a few bugs I introduced (in the MACADDR emulation, as well as in LLADDR itself). It is pretty much the exact same code MACADDR was, except the length is configurable, and MACADDR is a very light wrapper around it.
I updated the tests to actually test what they're supposed to, and not accept invalid results. They now pass, and I'm happy with the code, pushed out a merge-queue/3.4 with these patches applied.
-- Bazsi
participants (6)
-
Balazs Scheidler
-
Balazs Scheidler
-
Balint Kovacs
-
bugzilla@bugzilla.balabit.com
-
Evan Rempel
-
Gergely Nagy