[syslog-ng] spoof-source performance issues

Martin Holste mcholste at gmail.com
Tue Jun 29 16:52:30 CEST 2010


I agree that is a better solution.  So I should have no problems
compiling against 1.1.4?  I'm on SuSE 10.2 which has 1.1.2.1
(apparently unpatched), so I guess some vendors are behind.  I looked
at the src rpm for SuSE 11 and it is also missing the correct checksum
code, so as far as I can tell, spoof_source will never work correctly
on SuSE without manual patching.

On Tue, Jun 29, 2010 at 4:30 AM, Sandor Geller
<Sandor.Geller at morganstanley.com> wrote:
> Hi,
>
> Disabling checksums would be a very bad workaround. If you're using a
> buggy libnet version then it is up to you to fix it - or build
> syslog-ng against a fixed version as libnet is linked statically.
> Linux distributors either ship a patched libnet 1.1.2.1 version or
> ship 1.1.4 instead which doesn't have the checksum bug.
>
> Regards,
>
> Sandor
>
> On Tue, Jun 29, 2010 at 4:31 AM, Martin Holste <mcholste at gmail.com> wrote:
>> Actually, I did more research on this and found that two separate
>> people back in 2007 had this same problem on the mailing list.  See
>> threads "Lost packets; UDP Checksum (chksum) errors; forwarding -
>> source spoofing; libnet bug" as well as "Forwarding + Spoofing =
>> Errors & Dropped Packets?"  I believe I've definitively proven the
>> problem to be invalid UDP checksums sent by libnet 1.1.2.1 as
>> indicated in the first thread by Marvin Nipper.  Further research
>> shows that there is a Linux kernel-level setting that can act as a
>> workaround by setting the socket option SO_NO_CHECK, which disables
>> checksum verifications.  So, either Syslog-NG needs to incorporate a
>> newer, fixed libnet version (it was indicated that it did not compile
>> using 1.1.3 Beta), or a socket option for receiving needs to be set or
>> made as an available option to set like the receive buffer.
>>
>> On Mon, Jun 28, 2010 at 1:40 PM, Zoltán Pallagi <pzolee at balabit.hu> wrote:
>>> Hi,
>>>
>>> I think it will be a UDP kernel buffer problem (and not syslog problem),
>>> see the earlier thread of "[syslog-ng] Tests using loggen - not receiving
>>> all the packets" in this mail list.
>>>
>>> On 2010.06.28. 20:21, Martin Holste wrote:
>>>>
>>>> I'm finding that with a destination of udp("10.x.x.x", port(514)
>>>> spoof_source(yes)) about half of messages get lost when going from one
>>>> syslog-ng host to another at a high message rate (> 3k/sec).  This is
>>>> on 3.1 OSE and the hosts are on the same subnet and switch, so there
>>>> shouldn't be any network devices interfering.  Has anyone else had
>>>> this same issue?  My hunch is that it's either a performance issue
>>>> with the way the libnet (I'm using 1.1.2.1 on SuSE 10.2) API is
>>>> implemented or it's an issue within the libnet API.  Has anyone else
>>>> noticed performance problems when using spoof_source?
>>>>
>>>> ______________________________________________________________________________
>>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>>> Documentation:
>>>> http://www.balabit.com/support/documentation/?product=syslog-ng
>>>> FAQ: http://www.campin.net/syslog-ng/faq.html
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> pzolee
>>>
>
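
A checker for the failure discussed in this thread (invalid UDP checksums on packets sent with spoof_source), added here as an example and not part of the original messages or of the syslog-ng or libnet code: it recomputes the UDP checksum of a raw IPv4 packet, such as bytes exported from a capture, and reports whether the transmitted value is correct. The function names and the 192.0.2.x sample packet are constructed for illustration.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum (RFC 1071); odd-length input is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def udp_checksum(src: bytes, dst: bytes, udp: bytes) -> int:
    """Checksum over IPv4 pseudo-header + UDP segment with its checksum field zeroed."""
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_UDP, len(udp))
    zeroed = udp[:6] + b"\x00\x00" + udp[8:]
    csum = ~ones_complement_sum(pseudo + zeroed) & 0xFFFF
    return csum or 0xFFFF  # a computed 0 is transmitted as 0xFFFF

def check_ipv4_udp(packet: bytes) -> str:
    """Return 'ok', 'absent' (checksum field is 0) or 'bad' for a raw IPv4/UDP packet."""
    if packet[0] >> 4 != 4 or packet[9] != socket.IPPROTO_UDP:
        raise ValueError("not an IPv4/UDP packet")
    ihl = (packet[0] & 0x0F) * 4                      # IP header length in bytes
    total_len = struct.unpack("!H", packet[2:4])[0]   # strips any link-layer padding
    udp = packet[ihl:total_len]
    sent = struct.unpack("!H", udp[6:8])[0]
    if sent == 0:
        return "absent"
    expected = udp_checksum(packet[12:16], packet[16:20], udp)
    return "ok" if sent == expected else "bad"

def build_sample(payload: bytes, corrupt: bool = False) -> bytes:
    """Constructed test packet 192.0.2.10:514 -> 192.0.2.20:514 (IP header checksum left 0)."""
    src, dst = socket.inet_aton("192.0.2.10"), socket.inet_aton("192.0.2.20")
    udp = struct.pack("!HHHH", 514, 514, 8 + len(payload), 0) + payload
    csum = udp_checksum(src, dst, udp)
    if corrupt:
        csum = (csum % 0xFFFF) + 1  # any different, non-zero value
    udp = udp[:6] + struct.pack("!H", csum) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     socket.IPPROTO_UDP, 0, src, dst)
    return ip + udp
```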

