[syslog-ng] Packet fragmentation issue

Balazs Scheidler bazsi at balabit.hu
Sun Mar 18 13:15:53 CET 2012


On Tue, 2012-03-06 at 11:42 +0100, Sandor Geller wrote:
> Hi,
> 
> There is no syslog-ng 2.4.1 version, the last 2.x version was 2.1.4
> which is pretty much obsolete. Anyway, syslog-ng and any syslog daemon
> in general isn't a transport mechanism for arbitrary content so some
> limitations are in place. You're using spoofing which means UDP. The
> 64k size limitation of a single UDP datagram is definitely a limiting
> factor. What is log_msg_size in your config? How long are the lines in
> the logfiles which end up split into multiple messages on the other
> end?

Yup, checking the code in question, it prepares a single UDP datagram,
and sends it off fire-and-forget, without thinking a little bit about
MTU settings.

I'm not sure how libnet/kernel processes these packets, it might simply
truncate them or drop them altogether.

If the kernel chooses to refragment such packets (which might easily
happen if you are using connection tracking on Linux, even if the core
kernel doesn't do it), it should properly produce correct IP
addresses in the 2nd and subsequent fragments.

-- 
Bazsi
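
Added example, not part of the original message and not syslog-ng or libnet code: a sketch of how one UDP datagram is split under the IPv4 fragmentation rules of RFC 791, showing which message sizes cross the MTU boundary discussed above. It assumes IPv4 without options and a 1500-byte MTU; the function and field names are hypothetical.

```python
from dataclasses import dataclass

IPV4_HEADER = 20       # bytes, assuming no IP options
UDP_HEADER = 8         # bytes
MAX_IP_TOTAL = 65535   # the IPv4 total-length field is 16 bits wide


@dataclass
class Fragment:
    offset_units: int     # value of the fragment-offset field (8-byte units)
    data_len: int         # bytes of IP payload carried by this fragment
    more_fragments: bool  # MF flag
    has_udp_header: bool  # only the first fragment carries the UDP header


def max_unfragmented_payload(mtu=1500):
    """Largest syslog message (UDP payload) that fits in one IP packet."""
    return mtu - IPV4_HEADER - UDP_HEADER


def plan_fragments(msg_len, mtu=1500):
    """Return the fragments needed for a UDP datagram carrying msg_len bytes."""
    ip_payload = UDP_HEADER + msg_len
    if IPV4_HEADER + ip_payload > MAX_IP_TOTAL:
        raise ValueError("message does not fit in a single UDP datagram")
    # Every fragment except the last must carry a multiple of 8 bytes,
    # because the offset field counts 8-byte units.
    per_frag = (mtu - IPV4_HEADER) // 8 * 8
    if per_frag <= 0:
        raise ValueError("MTU too small to carry any payload")
    frags, pos = [], 0
    while pos < ip_payload:
        n = min(per_frag, ip_payload - pos)
        frags.append(Fragment(pos // 8, n, pos + n < ip_payload, pos == 0))
        pos += n
    return frags


if __name__ == "__main__":
    # Constructed sample sizes: at the limit, one byte over, and 8 KiB.
    for size in (1472, 1473, 8192):
        frags = plan_fragments(size)
        print(size, "bytes ->", len(frags), "fragment(s)")
        for f in frags:
            print("   ", f)
```

Each fragment is a separate IP packet with its own copy of the IP header, so the source and destination addresses must be repeated in every one; the UDP ports appear only in the first.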