[syslog-ng]tcp_keepalive and tcp_wrapper patch

Rule, Ted syslog-ng@lists.balabit.hu
Tue, 24 Feb 2004 10:47:44 -0000

As part of preparing to glue a pair of syslog-ng servers together via
a TCP connection, I've made some slight tweaks to the afinet.c code
on my running system. This is all for a 1.6.0rc3 code version.

Because I can't find any reference to the option elsewhere in the libol
or syslog-ng code, I've forced the SO_KEEPALIVE socket on for both
sender and receiver in a TCP connection. The issue here is mainly where
the client mysteriously disappears, and the server seemingly never
bothers to close down the half-open socket. Forcing the SO_KEEPALIVE
flag on the socket should, I believe, tidy this up in the worst case.

I know that the socket can remain half-open, because I've seen TCP
connections from a PIX in ESTABLISHED state, even when the PIX only
has one live connection to the syslog-ng server.

The other tweak is to enforce tcp_wrapper operation on TCP connections
only. This may be redundant code, but I honestly can't follow the source
sufficiently to know whether the tcp_wrapper code is called for a udp
connection. Since logging the fault condition for a udp connection
uses up almost as many resources as actually processing the packet,
and performing the tcp_wrapper call is overkill for every successful
udp connection, it seemed not worth the bother to call the wrapper
code for udp connections and only enforce TCP lockdowns.

It's also probably possible to avoid the getsockopt() call by determining
socket type from client->super somehow, but I wasn't sure exactly how
to do this.

Patch diff below. Comments welcome.


$ sudo diff -u afinet.c-1.6.0rc3.orig afinet.c-1.6.0rc3.patched
--- afinet.c-1.6.0rc3.orig      Tue Feb 24 09:20:01 2004
+++ afinet.c-1.6.0rc3.patched   Tue Feb 24 10:10:09 2004
@@ -28,6 +28,8 @@
 #include "cfgfile.h"
 #include "pkt_buffer.h"
+#include <sys/socket.h>
+#include <sys/types.h>
 #include <errno.h>
 #include <string.h>
 #include <assert.h>
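Review bot: the two added includes are in the wrong order; put <sys/types.h> before <sys/socket.h>. Older BSD-derived headers required types.h to be included first, so swapping the two lines costs nothing and is the portable order.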
@@ -217,8 +219,13 @@
        CAST(afinet_source, self, c);
        struct afsocket_source_connection *conn;
        UINT32 res;
+       int socklen,sockval;
+       socklen=3Dsizeof(sockval);
+       if ( ( getsockopt(client->super.fd, SOL_SOCKET, SO_TYPE, &sockval, =
&socklen) =3D=3D 0 ) &&
+                                                               ( sockval =
=3D=3D SOCK_STREAM ) ) {
-       {
+          {
                struct request_info req;
                request_init(&req, RQ_DAEMON, "syslog-ng", RQ_FILE, client-=
>super.fd, 0);
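Review bot: the new getsockopt() guard fails open. If getsockopt(client->super.fd, SOL_SOCKET, SO_TYPE, ...) returns non-zero (a bad descriptor, for instance), the whole tcp_wrapper block, hosts_access() included, is skipped and the connection is accepted unchecked; a failed query should be treated as "reject" (or "assume stream and run the check"), not as "not TCP". Two smaller points in the same lines: socklen is declared as int but the last argument of getsockopt() is a socklen_t *, so declare it socklen_t; and the brace at the end of the if line plus the re-indented "{" on the next line open two blocks, so the closing braces in the following hunk need checking against that.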
@@ -230,9 +237,19 @@
                        close_fd(&client->super, 0);
                        return ST_OK | ST_GOON;
+          }
+       sockval=3D1; socklen=3Dsizeof(sockval);
+       if ( setsockopt(client->super.fd, SOL_SOCKET, SO_KEEPALIVE, &sockva=
l, socklen) < 0 ) {
+               notice("setsockopt SO_KEEPALIVE failure during do_open_afin=
+       } else {
+               notice("setsockopt SO_KEEPALIVE Ok in do_open_afinet_connec=
- =20
+       }
+ =20
        if (c->num_connections >=3D c->max_connections) {
                CAST(inet_address_info, inet_addr, client_addr);
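Review bot: the SO_KEEPALIVE setsockopt() sits after the new "}" that closes the SOCK_STREAM branch, so it runs for every descriptor reaching this function, not just TCP ones, and the sockval it reuses is overwritten with 1 before anything else can look at the type result; move the block inside the stream branch. The "setsockopt SO_KEEPALIVE Ok" notice() fires on every accepted connection and should be dropped or demoted to debug level, otherwise each connection costs a log line for a non-event. Also, as mailed, both notice() lines are cut off mid-string by the mailer's line wrapping, so the patch will not apply as pasted.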
@@ -250,8 +267,6 @@
                return res;
 static int=20
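Review bot: the header @@ -250,8 +267,6 @@ says this hunk removes two lines, but only the context lines (return res; / static int) survived the mail and no "-" lines are visible, so the patch cannot be applied from this message. Please resend it as an attachment or with line wrapping turned off.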
@@ -488,6 +503,17 @@
        if (self->conn_fd) {
                return ST_OK | ST_GOON;
+               if ( (self->super.flags & 0x0003) =3D=3D AFSOCKET_STREAM ) =
+                       int sockval=3D1;
+                       if ( setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &sock=
val, sizeof(sockval)) < 0 ) {
+                               notice("setsockopt SO_KEEPALIVE failure dur=
ing do_init_afinet_dest()");
+                       } else {
+                               notice("setsockopt SO_KEEPALIVE Ok in do_in=
+                       }
+               }
        else {
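Review bot: as pasted, the new block lands directly after "return ST_OK | ST_GOON;" inside "if (self->conn_fd) {", where it can never execute; if context lines were lost in the mail, please confirm where it really sits. "self->super.flags & 0x0003" is a magic mask: compare against the named mask that AFSOCKET_STREAM is defined for, so the test does not silently break if the flag layout changes. "fd" is used but not declared in the visible lines (presumably the freshly created socket), and as on the receiving side the success notice() should go. One caveat on the approach itself: SO_KEEPALIVE only arms the kernel's keepalive timers, and nothing here sets TCP_KEEPIDLE/TCP_KEEPINTVL/TCP_KEEPCNT, so how long a vanished PIX lingers in ESTABLISHED is whatever the system-wide default is (two hours of idle before the first probe on a stock Linux), which may be longer than you expect.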

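The check the patch is reaching for, written out as an added example (this is not the posted patch and not syslog-ng's own code): query the socket type with SO_TYPE, fail closed when the query itself fails instead of skipping the access check, and enable keepalive with explicit probe timers on stream sockets only. The function names (socket_is_stream, enable_keepalive, keepalive_enabled, harden_accepted_fd, run_demo) and the 60/10/3 second timer values are assumptions chosen for illustration; TCP_KEEPIDLE, TCP_KEEPINTVL and TCP_KEEPCNT are Linux per-socket options and are wrapped in #ifdef for platforms that lack them. The demo creates an unconnected TCP and UDP socket, so it runs without any network traffic.

```c
/* Added example, not syslog-ng code: socket-type gating and TCP keepalive
 * done fail-closed. Names and timer values are illustrative assumptions. */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <unistd.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Outcome of vetting a freshly accepted descriptor. */
enum harden_result { HARDEN_REJECT = -1, HARDEN_DGRAM = 0, HARDEN_STREAM = 1 };

/* 1 for SOCK_STREAM, 0 for any other socket type, -1 if the query failed. */
int socket_is_stream(int fd)
{
    int type = 0;
    socklen_t len = sizeof(type);          /* socklen_t, not int */
    if (getsockopt(fd, SOL_SOCKET, SO_TYPE, &type, &len) < 0)
        return -1;
    return type == SOCK_STREAM ? 1 : 0;
}

/* Turn on SO_KEEPALIVE and, where the platform has them (Linux does), the
 * per-socket timers, so a vanished peer is detected after roughly
 * idle + intvl * cnt seconds instead of the system-wide default.
 * Returns 0 on success, -1 with errno set on failure. */
int enable_keepalive(int fd, int idle, int intvl, int cnt)
{
    int on = 1;
    if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof(on)) < 0)
        return -1;
#ifdef TCP_KEEPIDLE
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE, &idle, sizeof(idle)) < 0)
        return -1;
#endif
#ifdef TCP_KEEPINTVL
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPINTVL, &intvl, sizeof(intvl)) < 0)
        return -1;
#endif
#ifdef TCP_KEEPCNT
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPCNT, &cnt, sizeof(cnt)) < 0)
        return -1;
#endif
    return 0;
}

/* Read SO_KEEPALIVE back: 1 if set, 0 if clear, -1 on error. */
int keepalive_enabled(int fd)
{
    int on = 0;
    socklen_t len = sizeof(on);
    if (getsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &on, &len) < 0)
        return -1;
    return on ? 1 : 0;
}

/* Policy for a new descriptor: only stream sockets get keepalive (and, in a
 * real receiver, the tcp_wrappers hosts_access() check); datagram sockets
 * are left alone; a descriptor whose type cannot be determined is rejected
 * rather than waved through with the check skipped. */
enum harden_result harden_accepted_fd(int fd)
{
    int is_stream = socket_is_stream(fd);
    if (is_stream < 0)
        return HARDEN_REJECT;              /* fail closed */
    if (is_stream == 0)
        return HARDEN_DGRAM;
    if (enable_keepalive(fd, 60, 10, 3) < 0)   /* best effort, connection stays */
        fprintf(stderr, "keepalive on fd %d: %s\n", fd, strerror(errno));
    return HARDEN_STREAM;
}

/* Exercise the policy on an unconnected TCP socket, a UDP socket and a bad
 * descriptor. Returns 0 if every outcome matches expectations. */
int run_demo(void)
{
    int rc = -1;
    int tcp = socket(AF_INET, SOCK_STREAM, 0);
    int udp = socket(AF_INET, SOCK_DGRAM, 0);
    if (tcp < 0 || udp < 0)
        goto out;
    if (harden_accepted_fd(tcp) != HARDEN_STREAM || keepalive_enabled(tcp) != 1)
        goto out;
    if (harden_accepted_fd(udp) != HARDEN_DGRAM || keepalive_enabled(udp) != 0)
        goto out;
    if (harden_accepted_fd(-1) != HARDEN_REJECT)
        goto out;
    rc = 0;
out:
    if (tcp >= 0) close(tcp);
    if (udp >= 0) close(udp);
    return rc;
}

int main(void)
{
    int rc = run_demo();
    printf("keepalive policy demo: %s\n", rc == 0 ? "ok" : "FAILED");
    return rc == 0 ? 0 : 1;
}
```

With the timers set this way a peer that silently disappears is torn down after about 60 + 10 * 3 seconds of silence; without them the socket stays ESTABLISHED until the system-wide keepalive defaults expire.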