[syslog-ng] "not netmask(...)" not working

Brian Candler B.Candler at pobox.com
Fri May 5 17:20:02 CEST 2006


Hello,

I am using syslog-ng-1.6.11 under RHEL 4, using an RPM built from
http://www.balabit.com/downloads/syslog-ng/1.6/src/syslog-ng-1.6.11.tar.gz
[*]

I tried to use the following rule to match all packets except those from
certain host ranges:

  destination estate                      { file("/logs/estate.log" ); };
  filter f_estate { not netmask( "10.1.0.0/16" ) and
    not netmask( "172.17.0.0/24" ) and not netmask( "192.168.1.254" ); };
  log { source(s_sys); filter(f_estate); destination(estate); };

but it didn't work. tcpdump showed packets from outside those ranges were
being received, but syslog-ng did not log them.

Now, inspecting the code, firstly it seems I should have written the
expressions in dotted netmask form, i.e. "10.1.0.0/255.255.0.0". It would be
nice if syslog-ng were to validate this a bit better :-) However when I
fixed that nothing changed.

Looking in the code, I think that a negation operation is missing for the
netmask() function, perhaps something like this:

--- src/filters.c.orig  Fri May  5 13:19:18 2006
+++ src/filters.c       Fri May  5 13:24:44 2006
@@ -272,10 +272,10 @@
                netw = self->network.s_addr;
                mask = self->netmask.s_addr;

-               return ((host & mask) == (netw & mask));
+               return ((host & mask) == (netw & mask)) ^ c->comp;
        }
        else {
-               return 0;
+               return c->comp;
        }
 }
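Review bot: the XOR in `return ((host & mask) == (netw & mask)) ^ c->comp;` is only a correct negation if `c->comp` holds exactly 0 or 1; the comparison itself yields 0 or 1, but if the complement flag can carry any other non-zero value the result is wrong, so `((host & mask) == (netw & mask)) != !!c->comp` is the safer form. The message itself points out that sibling filter functions read `self->super.comp` rather than `c->comp`; whichever field the other negatable filters use should be used here too, otherwise `not netmask(...)` may honour a different flag than `not host(...)` does. The `else` branch changing from `return 0;` to `return c->comp;` is consistent with treating a sender without a usable address as "not in the range" (so a negated filter matches it), but that is a behaviour change from "never match" and deserves a one-line comment in the hunk.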

However, I don't understand why some of the functions use c->comp, and
others use self->super.comp, so I'm a bit hesitant to modify in this way.

I was able to work around it by rewriting the expression thus:

  destination estate                      { file("/logs/estate.log" ); };
  filter f_not_estate                     { netmask( "10.1.0.0/255.255.0.0" )
    or netmask( "172.17.0.0/255.255.255.0" ) or netmask( "192.168.1.254" ); };
  filter f_estate                         { not filter("f_not_estate"); };
  log { source(s_sys); filter(f_estate); destination(estate); };

but perhaps someone who understands the expression parser could look at
fixing this properly?

Thanks,

Brian.

[*] I had to use syslog-ng.spec.bb, because syslog-ng.spec references a
number of non-existent files, such as

Source3:           mysql-syslog.pipe
Source4:           mysql-syslog.buffer)

With a small change to syslog-ng.bb, changing an underscore to a dash, it was
happy.
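To make the failure mode concrete, here is an added Python model (not syslog-ng's code, and not Brian's) of how a netmask() filter node evaluates against the sender address. It assumes the structure visible in the quoted hunk: the match is `(host & mask) == (netw & mask)`, and a negation flag (`comp` in the patch) is either ignored, as in the unpatched 1.6.11, or XORed into the result, as the patch proposes. Accepting the CIDR "/16" form alongside the dotted mask is a convenience of this example; the post notes that 1.6.11 expects "10.1.0.0/255.255.0.0". It shows why the original `not netmask(...) and not netmask(...)` filter can never match anything when `not` is ignored, and why the `not filter("f_not_estate")` workaround does work.

```python
import ipaddress

# Constructed example, not syslog-ng source: models one netmask() filter node.

def parse_netmask(spec: str):
    """Return (network_int, mask_int) for 'a.b.c.d/prefix', 'a.b.c.d/m.m.m.m'
    or a bare host (which gets a /32 mask). CIDR support is this example's
    assumption; syslog-ng 1.6.11 wants the dotted-mask form."""
    if "/" in spec:
        addr, mask = spec.split("/", 1)
        if "." in mask:
            mask_int = int(ipaddress.IPv4Address(mask))
        else:
            mask_int = int(ipaddress.IPv4Network(f"0.0.0.0/{int(mask)}").netmask)
    else:
        addr, mask_int = spec, 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)), mask_int


def netmask_match(host: str, spec: str, negate: bool, buggy: bool) -> bool:
    """Evaluate netmask(spec) or 'not netmask(spec)' for a sender address.
    buggy=True reproduces the 1.6.11 behaviour where the negation flag is
    never consulted; buggy=False applies the XOR from the proposed patch."""
    host_int = int(ipaddress.IPv4Address(host))
    netw, mask = parse_netmask(spec)
    in_range = (host_int & mask) == (netw & mask)
    if buggy:
        return in_range            # 'not' silently has no effect
    return in_range ^ negate       # patched: complement flag XORed in


ESTATE_RANGES = [
    "10.1.0.0/255.255.0.0",
    "172.17.0.0/255.255.255.0",
    "192.168.1.254",
]


def f_estate(host: str, buggy: bool) -> bool:
    """The original filter: not netmask(a) and not netmask(b) and not netmask(c).
    With buggy=True this can only be true for a host inside all three ranges
    at once, which is impossible, so nothing is ever logged."""
    return all(netmask_match(host, r, negate=True, buggy=buggy) for r in ESTATE_RANGES)


def f_estate_workaround(host: str) -> bool:
    """Brian's workaround: netmask(a) or netmask(b) or netmask(c) inside
    f_not_estate, then 'not filter("f_not_estate")'. The negation is applied
    to the whole filter reference, so the netmask() nodes never see 'not'."""
    return not any(netmask_match(host, r, negate=False, buggy=True) for r in ESTATE_RANGES)


if __name__ == "__main__":
    for h in ("8.8.8.8", "10.1.2.3", "172.17.0.5", "192.168.1.254"):
        print(h, "buggy:", f_estate(h, buggy=True),
              "patched:", f_estate(h, buggy=False),
              "workaround:", f_estate_workaround(h))
```

Running it shows the buggy column is False for every host, while the patched and workaround columns agree: True for 8.8.8.8 (outside the ranges) and False for the three addresses inside them.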
