[syslog-ng] IPv6 TLS source question

Balazs Scheidler bazsi77 at gmail.com
Fri Jul 5 19:36:32 CEST 2013


The AF_UNSPEC idea is good, that would basically mean ip-protocol(auto)

What about backporting ip-protocol to 3.4? That shouldn't be a big deal,
and it's more of an omission than intended behavior.
On Jul 4, 2013 1:07 PM, "Gergely Nagy" <algernon at balabit.hu> wrote:

> Jeff Lange <jlange6648 at gmail.com> writes:
>
> > I'm attempting to set up a TCP IPv6 source declaration that uses TLS but
> > syslog-ng is not happy with the configuration file.
>
> Long story short: syslog-ng 3.3 and 3.4 do not support syslog() over
> IPv6, 3.5 does, see below.
>
> > The following is what I use for IPv4 and it works fine:
> >
> > source s_tls
> > {
> >   syslog( ip(0.0.0.0) port(6514)
> >     transport( "tls" )
> >     tls (
> >       key_file("/srv/syslog-ng/certs/priv-key.pem")
> >       cert_file("/srv/syslog-ng/certs/id-cert.pem")
> >       ca_dir("/srv/syslog-ng/certs")
> >       cipher_suite("SHA256:!aNULL:!eNULL:!ECDH:!DSS")
> >     )
> >   );
> > };
> >
> > However the following is not valid:
> >
> > source s_tls6 {
> >   syslog( ip("::") port(6515)
> >     transport( "tls" )
> >     tls (
> >       key_file("/srv/syslog-ng/certs/priv-key.pem")
> >       cert_file("/srv/syslog-ng/certs/id-cert.pem")
> >       ca_dir("/srv/syslog-ng/certs")
> >       cipher_suite("SHA256:!aNULL:!eNULL:!ECDH:!DSS")
> >     )
> >   );
> > };
> >
> > I've tried the ip with and without quotes with no luck. What am I doing
> > wrong?
>
> Unfortunately, syslog-ng defaults to IPv4, and even if you give it an
> IPv6 address, it will still try to handle it as if it was IPv4, unless
> you tell it not to.
>
> In syslog-ng 3.5, this is possible by adding ip-protocol(6) inside the
> syslog() statement. In versions prior to 3.5, it is not doable yet. But
> I'm considering teaching the host resolving code to not default to IPv4
> by default (by using AF_UNSPEC, unless specified otherwise via
> ip-protocol or something similar).
>
> The problem is, all the current sources and destinations make a
> distinction between ipv4 and ipv6: tcp(), udp() and syslog() all enforce
> ipv4, while tcp6() and udp6() enforce ipv6... and there is no syslog6().
>
> I do not want to change this in either 3.3 or 3.4, that would be too
> invasive, but for 3.5, I'd love to make the udp(), tcp() and syslog()
> statements ip protocol agnostic. That way, your config would just work
> out of the box, but would still allow one to limit to either ipv4 or
> ipv6 by specifying ip-protocol(N).
>
> --
> |8]
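For reference, the IPv6 source from the thread with the ip-protocol(6) option Gergely describes, written out as an added example (not a configuration from the thread itself); it assumes syslog-ng 3.5 or later, and the peer_verify() line is a hardening addition not present in the original post.

```conf
# Added example: the IPv6 TLS source from the thread plus ip-protocol(6).
# Requires syslog-ng 3.5 or later; on 3.3/3.4 syslog() is IPv4-only and
# there is no syslog6(), so this source fails to bind there.
source s_tls6 {
  syslog(
    ip("::") port(6515)
    ip-protocol(6)                    # bind as IPv6 instead of the IPv4 default
    transport("tls")
    tls(
      key_file("/srv/syslog-ng/certs/priv-key.pem")
      cert_file("/srv/syslog-ng/certs/id-cert.pem")
      ca_dir("/srv/syslog-ng/certs")  # CA certs in this dir must be hash-named (c_rehash)
      cipher_suite("SHA256:!aNULL:!eNULL:!ECDH:!DSS")
      # Assumption, not from the original post: require each client to
      # present a certificate signed by a CA found in ca_dir.
      peer_verify(required-trusted)
    )
  );
};
```

Check the file before reloading with `syslog-ng --syntax-only -f /path/to/syslog-ng.conf`; a 3.3/3.4 build rejects the ip-protocol() option at this step rather than at bind time.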