[syslog-ng] spoof-source performance issues

Sandor Geller Sandor.Geller at morganstanley.com
Tue Jun 29 11:30:07 CEST 2010


Hi,

Disabling checksums would be a very bad workaround. If you're using a
buggy libnet version then it is up to you to fix it - or build
syslog-ng against a fixed version as libnet is linked statically.
Linux distributors either ship a patched libnet 1.1.2.1 version or
ship 1.1.4 instead which doesn't have the checksum bug.

Regards,

Sandor

On Tue, Jun 29, 2010 at 4:31 AM, Martin Holste <mcholste at gmail.com> wrote:
> Actually, I did more research on this and found that two separate
> people back in 2007 had this same problem on the mailing list.  See
> threads "Lost packets; UDP Checksum (chksum) errors; forwarding -
> source spoofing; libnet bug" as well as "Forwarding + Spoofing =
> Errors & Dropped Packets?"  I believe I've definitively proven the
> problem to be invalid UDP checksums sent by libnet 1.1.2.1 as
> indicated in the first thread by Marvin Nipper.  Further research
> shows that there is a Linux kernel-level setting that can act as a
> workaround by setting the socket option SO_NO_CHECK, which disables
> checksum verifications.  So, either Syslog-NG needs to incorporate a
> newer, fixed libnet version (it was indicated that it did not compile
> using 1.1.3 Beta), or a socket option for receiving needs to be set or
> made as an available option to set like the receive buffer.
>
> On Mon, Jun 28, 2010 at 1:40 PM, Zoltán Pallagi <pzolee at balabit.hu> wrote:
>> Hi,
>>
>> I think it will be a UDP kernel buffer problem (and not syslog problem),
>> see the earlier thread of "[syslog-ng] Tests using loggen - not receiving
>> all the packets" in this mail list.
>>
>>
>>
>>
>> On 2010.06.28. 20:21, Martin Holste wrote:
>>>
>>> I'm finding that with a destination of udp("10.x.x.x", port(514)
>>> spoof_source(yes)) about half of messages get lost when going from one
>>> syslog-ng host to another at a high message rate (>  3k/sec).  This is
>>> on 3.1 OSE and the hosts are on the same subnet and switch, so there
>>> shouldn't be any network devices interfering.  Has anyone else had
>>> this same issue?  My hunch is that it's either a performance issue
>>> with the way the libnet (I'm using 1.1.2.1 on SuSE 10.2) API is
>>> implemented or it's an issue within the libnet API.  Has anyone else
>>> noticed performance problems when using spoof_source?
>>>
>>> ______________________________________________________________________________
>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>> Documentation:
>>> http://www.balabit.com/support/documentation/?product=syslog-ng
>>> FAQ: http://www.campin.net/syslog-ng/faq.html
>>>
>>>
>>>
>>
>>
>> --
>> pzolee
>>
>
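Added example, not part of the original thread: a way to confirm from captured bytes whether forwarded datagrams carry a bad UDP checksum, the condition the thread attributes to libnet 1.1.2.1. It checks the checksum over the IPv4 pseudo-header and UDP segment; the addresses, ports and payload in `build_sample` are constructed for illustration.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length input
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def udp_checksum_status(ip_packet: bytes) -> str:
    """Return 'valid', 'invalid' or 'absent' for a raw IPv4/UDP packet."""
    if len(ip_packet) < 28 or ip_packet[0] >> 4 != 4 or ip_packet[9] != 17:
        raise ValueError("not an IPv4/UDP packet")
    ihl = (ip_packet[0] & 0x0F) * 4          # IP header length in bytes
    udp = ip_packet[ihl:]
    if len(udp) < 8:
        return "invalid"
    udp_len, stored = struct.unpack("!HH", udp[4:8])
    if stored == 0:
        return "absent"                      # RFC 768: sender computed no checksum
    if udp_len < 8 or udp_len > len(udp):
        return "invalid"
    # Pseudo-header: source IP, destination IP, zero, protocol, UDP length
    pseudo = ip_packet[12:20] + struct.pack("!BBH", 0, 17, udp_len)
    ok = ones_complement_sum(pseudo + udp[:udp_len]) == 0xFFFF
    return "valid" if ok else "invalid"

def build_sample(src: str, dst: str, payload: bytes) -> bytes:
    """Constructed IPv4/UDP syslog packet with a correct UDP checksum."""
    addrs = socket.inet_aton(src) + socket.inet_aton(dst)
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", 40000, 514, udp_len, 0) + payload
    pseudo = addrs + struct.pack("!BBH", 0, 17, udp_len)
    csum = (~ones_complement_sum(pseudo + udp) & 0xFFFF) or 0xFFFF
    udp = udp[:6] + struct.pack("!H", csum) + udp[8:]
    # IP header checksum is left at 0; only the UDP checksum is examined here
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0) + addrs
    return ip + udp

if __name__ == "__main__":
    good = build_sample("192.0.2.10", "198.51.100.5", b"<13>test message")
    bad = good[:-1] + bytes([good[-1] ^ 0xFF])   # payload altered after checksumming
    for name, pkt in (("good", good), ("bad", bad)):
        print(name, udp_checksum_status(pkt))
```

Feed `udp_checksum_status` the bytes of a captured packet starting at the IPv4 header; a steady stream of `invalid` results on the receiving host points at the sender's checksum generation rather than at buffer sizing.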

