No subject


Tue Jul 24 14:58:45 CEST 2007


vi  src/libnet_checksum.c

Then, you will need to locate this section of code:

libnet_in_cksum(u_int16_t *addr, int len)
{
    int sum;

    sum = 0;

    while (len > 1)
    {
        sum += *addr++;
        len -= 2;
    }
    if (len == 1)
    {
        sum += *(u_int16_t *)addr;
    }

    return (sum);
}

Now, replace that section with the following (and save/quit from the
editor):

libnet_in_cksum(u_int16_t *addr, int len)
{
    int sum;
    u_int16_t last_byte;

    sum = 0;
    last_byte = 0;

    while (len > 1)
    {
        sum += *addr++;
        len -= 2;
    }
    if (len == 1)
    {
        *(u_int8_t*)&last_byte = *(u_int8_t*)addr;
        sum += last_byte;
    }

    return (sum);
}

--------------------------------------

Obviously, there are only a couple of lines of code modified in there, but
for my purposes, it was simpler to just replace the section.  I am NOT a C
programmer (although I used to program in a lot of other older
languages!).  I can't speak to whether this is the "best" solution, or not
(in terms of efficiency or coding techniques).  BUT, bottom line... Once I
made this change, it appears that I'm no longer receiving any packet loss
at all.  The sample captures that I've done, and then loaded into
Wireshark, are showing no checksum errors.

Whether you use this coding solution, or work up one of your own, the
bottom line is that 1.1.2.1 absolutely needs to be modified, in order to
make source-spoofed forwarding work as intended.

Let me know if you have any questions about the above information.  I'll
do my best to provide answers.

I'd be remiss if I didn't also take this opportunity to say THANKS for all
of your syslog-ng efforts.  It's a fine product.

-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu
[mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of bazsi at balabit.hu
Sent: Wednesday, August 29, 2007 7:06 AM
To: syslog-ng at lists.balabit.hu
Subject: Re: [syslog-ng] Lost packets; UDP Checksum (chksum) errors;
forwarding - source spoofing; libnet bug

On Wed, 2007-08-29 at 06:58 -0600, Marvin.Nipper at Stream.com wrote:
> OK. I've only posted here a couple of times, but I've googled this
> list (for help) extensively in the past.  Before I waste everyone's
> time, I just wanted to find out if I'm the only one who "didn't
> already know" that there's a nasty bug in libnet-1.1.2.1, such that
> anybody doing source-spoofed forwarding of UDP-based syslog packets
> will likely end up losing large volumes of packets in the process (in
> my case a 2/3 loss of packets).
> 
> Again. I thought that I had searched the mailing list archives
> properly, and that I didn't see a mention of this issue (as I've been
> fighting my way through figuring this out, over a multi-week period),
> BUT, as this would seem to impact a lot of syslog-ng users, I keep
> thinking that I've just missed something, and everyone else already
> knows about this.  Before I waste time writing a detailed message on
> the topic, I figured that I'd ask first.

I would appreciate if you could write about this. I don't know about
anything related.

-- 
Bazsi
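
Added example (not code from the original post or from libnet): the "before" and "after" logic of the two listings above, run over the same odd-length data, to show how the byte that follows the data leaks into the old checksum. The function names, the fold() helper, the sample payload and the trailer byte are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* "Before" logic: an odd trailing byte is read as a full 16-bit word. */
static int sum_before(const uint16_t *addr, int len)
{
    int sum = 0;
    while (len > 1) { sum += *addr++; len -= 2; }
    if (len == 1) sum += *addr;   /* also adds the byte after the data */
    return sum;
}

/* "After" logic: only the last data byte is copied into a zeroed word. */
static int sum_after(const uint16_t *addr, int len)
{
    int sum = 0;
    uint16_t last_byte = 0;
    while (len > 1) { sum += *addr++; len -= 2; }
    if (len == 1) { *(uint8_t *)&last_byte = *(const uint8_t *)addr; sum += last_byte; }
    return sum;
}

/* Hypothetical helper: fold carries and complement (Internet checksum). */
static uint16_t fold(int sum)
{
    uint32_t s = (uint32_t)sum;
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)~s;
}

/* Checksum a constructed 9-byte payload followed in memory by `trailer`. */
uint16_t cksum_with_trailer(int fixed, uint8_t trailer)
{
    static const char payload[] = "<13>test1";  /* constructed sample */
    uint16_t buf[8] = {0};                      /* aligned, 16 bytes */
    int len = (int)sizeof(payload) - 1;
    memcpy(buf, payload, (size_t)len);
    ((uint8_t *)buf)[len] = trailer;            /* not part of the payload */
    return fold(fixed ? sum_after(buf, len) : sum_before(buf, len));
}

int main(void)
{
    printf("before: %04x vs %04x\n", cksum_with_trailer(0, 0), cksum_with_trailer(0, 0xAA));
    printf("after:  %04x vs %04x\n", cksum_with_trailer(1, 0), cksum_with_trailer(1, 0xAA));
    return 0;
}
```

The "before" result changes with the trailer byte while the "after" result does not; the two agree only when the byte after the data happens to be zero.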
