[syslog-ng] spoof_source not working

Balazs Scheidler bazsi at balabit.hu
Fri Oct 14 17:35:13 CEST 2005


On Thu, 2005-10-13 at 15:57 -0400, Chance Ellis wrote:
> Ok,
>  
> I copied the Solaris 8 libnet-config file to the /tmp/foo folder
> on Solaris 9. I then ran:
> 
> LD_LIBRARY_PATH=/tmp/foo:$LD_LIBRARY_PATH
> truss /usr/local/sbin/syslog-ng -f /usr/local/etc/syslog-ng.conf -F &
> 
> 
> I get the same result... Whenever I apply the spoof_source(yes) to the
> config I do not get any messages forwarded to the destination. If I
> remove the spoof_source(yes) messages flow but with the source IP
> address from the syslog-ng server... 
>  
> The truss output is quite huge! Is there any piece of the truss output
> that would help me to troubleshoot this? Is libnet-config the only
> thing I need or do I need something in addition to libnet-config?

libnet-config is not used at all while running syslog-ng; it is a
build-time script that is invoked to query header location and linking
information about the libnet library.

libnet is usually linked statically, so there's no point in setting
LD_LIBRARY_PATH either. You can check which one syslog-ng is using with
"ldd" and/or by checking whether you have a libnet.a file (static), a
libnet.so file (dynamic), or both. If you have both, the linking
parameters determine which one is used by syslog-ng; in this case ldd
should tell you the truth.

To analyze the truss output, you should look for the pattern of the
message that should be sent out with a spoofed source address, and then
you should see system calls like recvmsg() when the message is received
and either send() or write() when it is sent. libnet uses raw sockets to
send messages, so syslog-ng is probably opening AF_INET, SOCK_RAW sockets
in that case.

Although Solaris uses socket emulation and thus the actual system calls
you see in the truss output might not be the same as in Linux, this is
pretty straightforward. By the way, it might be easier to analyze the
truss output if you are running a syslog-ng instance which does not
actually deliver a lot of messages, but only a single one, this way the
truss output will not be so large.

-- 
Bazsi
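A small shell helper, added here as an example and not taken from the original thread or from the syslog-ng/libnet projects, that automates the two checks described in the reply above: whether libnet was linked statically (ldd output, libnet.a versus libnet.so on disk) and which lines of a truss/strace capture matter for spoof_source (the raw socket open, the recvmsg() of the original message, and the send()/write() of the spoofed one). All function names and the sample ldd and trace text are constructed for this example; the real Solaris truss call names (so_socket) differ from Linux strace (socket), so the patterns are kept loose.

```shell
#!/bin/sh
# Added example, not part of the original thread or of syslog-ng/libnet.
# Helpers (all names are this example's own):
#   libnet_link_mode    - classify ldd output as "dynamic" (a libnet*.so is
#                         listed) or "static" (no shared libnet, so it was
#                         linked into the binary).
#   find_libnet_files   - list libnet*.a / libnet*.so* in the given directories.
#   spoof_trace_summary - reduce a truss/strace capture to the calls that matter
#                         for spoof_source.
#   count_raw_sockets   - number of raw sockets that were opened successfully.

libnet_link_mode() {
    # $1: text produced by `ldd /usr/local/sbin/syslog-ng`
    if printf '%s\n' "$1" | grep -q 'libnet[-.0-9]*\.so'; then
        echo dynamic
    else
        echo static
    fi
}

find_libnet_files() {
    # $@: directories to look in, e.g. /usr/local/lib /usr/lib /lib
    # Uses shell globbing rather than find -maxdepth, which Solaris find lacks.
    for d in "$@"; do
        [ -d "$d" ] || continue
        for f in "$d"/libnet*.a "$d"/libnet*.so*; do
            [ -e "$f" ] && echo "$f"
        done
    done
    return 0
}

spoof_trace_summary() {
    # $1: truss/strace text. Keep the raw socket open, the receive of the
    # original datagram, and the send/write that should carry the spoofed packet.
    printf '%s\n' "$1" | grep -E 'SOCK_RAW|IP_HDRINCL|recvmsg|recvfrom|sendto|send\(|write\(' || true
}

count_raw_sockets() {
    # $1: truss/strace text. Counts SOCK_RAW opens that did not fail.
    # 0 with spoof_source(yes) means libnet never got a raw socket; look at the
    # error on that call in the full trace (raw sockets normally require root).
    printf '%s\n' "$1" | grep 'SOCK_RAW' | grep -vE 'Err#|= -1' | grep -c . || true
}

# Constructed sample text for the demo (shaped like ldd and Solaris truss
# output, not real captures).
SAMPLE_LDD_DYNAMIC='        libnet.so.1 =>   /usr/local/lib/libnet.so.1
        libc.so.1 =>     /lib/libc.so.1'
SAMPLE_LDD_STATIC='        libc.so.1 =>     /lib/libc.so.1'
SAMPLE_TRACE='so_socket(PF_INET, SOCK_DGRAM, IPPROTO_IP, "", SOV_DEFAULT) = 5
recvmsg(5, 0xFFBFE4A0, 0)                        = 61
so_socket(PF_INET, SOCK_RAW, IPPROTO_RAW, "", SOV_DEFAULT) = 6
setsockopt(6, IPPROTO_IP, IP_HDRINCL, 0xFFBFE3F4, 4) = 0
write(6, 0x00078B28, 89)                         = 89'

demo() {
    echo "dynamic sample -> $(libnet_link_mode "$SAMPLE_LDD_DYNAMIC")"
    echo "static sample  -> $(libnet_link_mode "$SAMPLE_LDD_STATIC")"
    echo "libnet files under /usr/local/lib /usr/lib /lib:"
    find_libnet_files /usr/local/lib /usr/lib /lib
    echo "raw sockets opened in sample trace: $(count_raw_sockets "$SAMPLE_TRACE")"
    echo "relevant trace lines:"
    spoof_trace_summary "$SAMPLE_TRACE"
}

demo
```

On a live system, feed the real output in: `libnet_link_mode "$(ldd /usr/local/sbin/syslog-ng)"` and `spoof_trace_summary "$(cat truss.out)"`, after capturing the trace with a single test message as suggested above so the file stays small.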