[syslog-ng] "not netmask(...)" not working
Balazs Scheidler
bazsi at balabit.hu
Mon May 8 11:26:56 CEST 2006
On Fri, 2006-05-05 at 16:20 +0100, Brian Candler wrote:
> Hello,
>
> I am using syslog-ng-1.6.11 under RHEL 4, using an RPM built from
> http://www.balabit.com/downloads/syslog-ng/1.6/src/syslog-ng-1.6.11.tar.gz
> [*]
>
> I tried to use the following rule to match all packets except those from
> certain host ranges:
>
> destination estate { file("/logs/estate.log" ); };
> filter f_estate { not netmask( "10.1.0.0/16" ) and
> not netmask( "172.17.0.0/24" ) and not netmask( "192.168.1.254" ); };
> log { source(s_sys); filter(f_estate); destination(estate); };
>
> but it didn't work. tcpdump showed packets from outside those ranges were
> being received, but syslog-ng did not log them.
>
> Now, inspecting the code, firstly it seems I should have written the
> expressions in dotted netmask form, i.e. "10.1.0.0/255.255.0.0". It would be
> nice if syslog-ng were to validate this a bit better :-) However when I
> fixed that nothing changed.
>
> Looking in the code, I think that a negation operation is missing for the
> netmask() function, perhaps something like this:
>
> --- src/filters.c.orig Fri May 5 13:19:18 2006
> +++ src/filters.c Fri May 5 13:24:44 2006
> @@ -272,10 +272,10 @@
> netw = self->network.s_addr;
> mask = self->netmask.s_addr;
>
> - return ((host & mask) == (netw & mask));
> + return ((host & mask) == (netw & mask)) ^ c->comp;
> }
> else {
> - return 0;
> + return c->comp;
> }
> }
>
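Review bot: In the first changed return, "^ c->comp" only negates correctly if comp is guaranteed to be exactly 0 or 1; any other non-zero value would make the function return something that is not a clean boolean, so normalise it with "^ !!c->comp" or state that invariant in a comment. The else branch now returns c->comp, which makes a negated netmask() evaluate true whenever the if-condition above it fails; a one-line comment saying that is intended would help, since it decides whether such messages reach the destination. As the message itself notes, other functions read self->super.comp, so it would be worth using whichever form the neighbouring filter functions use to keep the file consistent.
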
> However, I don't understand why some of the functions use c->comp, and
> others use self->super.comp, so I'm a bit hesitant to modify in this way.
The fix is correct and I have committed a fix to my CVS tree.
--
Bazsi
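
The effect discussed in this thread, as an added example (not syslog-ng source code and not from either poster): a small C model of the f_estate filter showing why no address could match while the negation flag was ignored, and what the patched return values give. The struct and function names are hypothetical, and the bare "192.168.1.254" is assumed to mean a 255.255.255.255 host mask.

```c
#include <arpa/inet.h>
#include <stdio.h>

/* Hypothetical model of one netmask() filter node; not syslog-ng's struct. */
struct nm_filter { const char *net; const char *mask; int comp; };

/* The three ranges from f_estate in dotted-mask form, each one negated. */
static const struct nm_filter f_estate[] = {
    { "10.1.0.0",      "255.255.0.0",     1 },
    { "172.17.0.0",    "255.255.255.0",   1 },
    { "192.168.1.254", "255.255.255.255", 1 },  /* assumed host mask */
};

/* Evaluate one node; honour_comp=0 models the return values before the patch. */
static int nm_eval(const struct nm_filter *f, const char *src, int honour_comp)
{
    struct in_addr host, netw, mask;
    int comp = honour_comp ? !!f->comp : 0;

    if (inet_pton(AF_INET, src, &host) != 1 ||
        inet_pton(AF_INET, f->net, &netw) != 1 ||
        inet_pton(AF_INET, f->mask, &mask) != 1)
        return comp;  /* same shape as the patched else branch */
    return ((host.s_addr & mask.s_addr) == (netw.s_addr & mask.s_addr)) ^ comp;
}

/* AND of all nodes: "not netmask(A) and not netmask(B) and not netmask(C)". */
static int f_estate_match(const char *src, int honour_comp)
{
    size_t i;
    for (i = 0; i < sizeof f_estate / sizeof f_estate[0]; i++)
        if (!nm_eval(&f_estate[i], src, honour_comp))
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample source addresses. */
    const char *samples[] = { "10.1.2.3", "172.17.0.9", "192.168.1.254",
                              "192.168.1.1", "203.0.113.7" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-15s pre-patch=%d patched=%d\n", samples[i],
               f_estate_match(samples[i], 0), f_estate_match(samples[i], 1));
    return 0;
}
```

With the flag ignored, the filter degenerates into requiring a source address to sit in all three disjoint ranges at once, so nothing is ever written to the destination.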