[syslog-ng] netmask filter issue
Evan Rempel
erempel at uvic.ca
Tue Oct 15 00:32:37 UTC 2024
First off, to write a CIDR address correctly you need to use something of the form w.x.y.z/M
Your specification is missing the ".z" portion of the ip address.
I think there is also some confusion regarding how netmasks work.
The ip address 192.168.128.0 (I assume you want a .0 at the end) written in binary is 11000000.10101000.10000000.00000000
The /17 subnet mask written in binary is 11111111.11111111.10000000.00000000
If we perform a binary AND of these two addresses we get 11000000.10101000.10000000.00000000, which written in decimal is 192.168.128.0
This means that the FIRST address of this range is 192.168.128.0
If we perform the binary NOT of the subnet mask we get 00000000.00000000.01111111.11111111
When we take the binary OR of this with the IP address (w.x.y.z) we get 11000000.10101000.11111111.11111111, which in decimal is 192.168.255.255, the last address of the range.
The result is that 192.168.1.0/17 means the range 192.168.128.0 -- 192.168.255.255
I hope that helps.
--
Evan
________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of brian hoffman <brianhoffman at yahoo.com>
Sent: October 14, 2024 11:27 AM
To: syslog-ng at lists.balabit.hu <syslog-ng at lists.balabit.hu>
Subject: [syslog-ng] netmask filter issue
I set up a filter to send certain messages matching an IP range to a destination (a simplified version of my actual config).
filter f_siem {
netmask(192.168.128/17) or
};
For some reason this is picking up the address 192.168.63.41, even though it's not in the range. 192.168.63.41 (10101100.00010111.0) does not match the network portion of 192.168.128.0/17 (10101100.00010111.1) but for some reason it's still getting picked up. I know for sure that it is this particular line because when I comment it out the messages are no longer forwarded for that device.
Is there something different about the way this netmask directive works in syslog-ng that would cause it to get matched by this filter?
-Brian
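An added worked example (not code from either message, and not syslog-ng's own code) that carries out the AND / NOT / OR steps Evan describes and checks 192.168.63.41 against the /17 block. The inet_aton_lenient function is a labelled hypothesis about how a C-style address parser could read the three-part form in Brian's filter; it is not a statement about what syslog-ng actually does.

```python
import ipaddress

def dotted_binary(ip):
    """Render a dotted-quad address octet by octet in binary, as in the reply."""
    return ".".join(f"{octet:08b}" for octet in ipaddress.IPv4Address(ip).packed)

def cidr_range(cidr):
    """First and last address of w.x.y.z/M via the AND / NOT / OR steps from the reply.
    ipaddress.IPv4Address is strict: four octets are required, so '192.168.128/17' is rejected."""
    addr_text, prefix_text = cidr.split("/")
    prefix = int(prefix_text)
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    addr = int(ipaddress.IPv4Address(addr_text))
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF   # /17 -> 11111111.11111111.10000000.00000000
    first = addr & mask                                  # address AND mask = network address
    last = first | (~mask & 0xFFFFFFFF)                  # network OR inverted mask = last address
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))

def in_range(ip, cidr):
    """True if ip falls inside the block described by cidr."""
    first, last = cidr_range(cidr)
    value = int(ipaddress.IPv4Address(ip))
    return int(ipaddress.IPv4Address(first)) <= value <= int(ipaddress.IPv4Address(last))

def inet_aton_lenient(text):
    """Hypothetical reading of a shortened address following the classic BSD inet_aton rule
    (assumed here for illustration, not taken from syslog-ng): with n dotted parts, the first
    n-1 are single octets and the last fills the remaining bytes, so 'a.b.c' means a.b.0.c
    when c < 256. Example: '192.168.128' -> '192.168.0.128'. Decimal parts only."""
    parts = [int(p) for p in text.split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"bad address: {text}")
    value = 0
    for part in parts[:-1]:
        if not 0 <= part <= 255:
            raise ValueError(f"octet out of range: {part}")
        value = (value << 8) | part
    tail_bits = 32 - 8 * (len(parts) - 1)
    if not 0 <= parts[-1] < (1 << tail_bits):
        raise ValueError(f"trailing part out of range: {parts[-1]}")
    value = (value << tail_bits) | parts[-1]
    return str(ipaddress.IPv4Address(value))

if __name__ == "__main__":
    print(cidr_range("192.168.128.0/17"))                 # ('192.168.128.0', '192.168.255.255')
    print(in_range("192.168.63.41", "192.168.128.0/17"))  # False: the fully written /17 excludes it
    guessed = inet_aton_lenient("192.168.128")            # '192.168.0.128' under the lenient rule
    print(cidr_range(f"{guessed}/17"), in_range("192.168.63.41", f"{guessed}/17"))  # ('192.168.0.0', '192.168.127.255') True
```

Checking a filter's CIDR arguments this way before deploying them shows whether a shortened form would be rejected or silently reinterpreted, which is the difference between a filter that fails loudly and one that forwards the wrong hosts' logs.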