I started to submit this via sendbug, but I wanted to make sure I wasn't missing something obvious. This is reproducible on OpenBSD 3.7, 3.8 and 3.9 releases.

Description:
=============
When using nc to proxy syslog packets, inetd spawns excessive nc
processes.  It creates anywhere from 16 to 160 (random) instances
as soon as it sees the first syslog packet.  This is repeatable on
both OpenBSD 3.7 and 3.8, but not 3.9.  The example configuration
from inetd.conf, where syslog logs to 10.70.0.1:8514...

# local int_if = 10.70.0.1
# remote syslog = 10.0.0.202
10.70.0.1:8514  dgram   udp     nowait  nobody  \
        /usr/bin/nc nc -u -s 10.70.0.1 10.0.0.202 514

I have replaced this functionality with the following PF rdr rule...

rdr on lo0 proto udp from 10.70.0.1 port 514 to 10.70.0.1 port 8514 \
        -> 10.0.0.202 port 514

The reason for this is to route syslog packets from remote firewalls
over their corresponding VPN tunnels to a centralized syslog server.
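As an added check that is not part of the original report, the following Python script parses an inetd.conf, joins backslash-continued lines such as the entry above, and flags datagram (dgram) services configured as nowait, since inetd(8) documents wait as the normal setting for datagram servers; the sample configuration is constructed from the entry quoted above and is an assumption, not the reporter's actual file.

```python
from typing import List, Tuple

# Constructed sample modelled on the inetd.conf entry in the report
# (not copied from any real system); two ordinary entries added for contrast.
SAMPLE_INETD_CONF = """\
# local int_if = 10.70.0.1
# remote syslog = 10.0.0.202
10.70.0.1:8514  dgram   udp     nowait  nobody  \\
        /usr/bin/nc nc -u -s 10.70.0.1 10.0.0.202 514
daytime  stream  tcp  nowait  root  internal
tftp     dgram   udp  wait    root  /usr/libexec/tftpd tftpd -s /tftpboot
"""


def join_continuations(text: str) -> List[str]:
    """Merge backslash-continued lines into logical entries; drop comments and blanks."""
    entries, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "   # continuation: keep collecting
            continue
        buf += line
        stripped = buf.strip()
        if stripped and not stripped.startswith("#"):
            entries.append(stripped)
        buf = ""
    if buf.strip():                  # file ended on a trailing backslash
        entries.append(buf.strip())
    return entries


def find_nowait_datagram_services(text: str) -> List[Tuple[str, str]]:
    """Return (service, server-program) for dgram entries using nowait.

    inetd.conf fields: service socktype proto wait/nowait[.max] user server args...
    """
    hits = []
    for entry in join_continuations(text):
        fields = entry.split()
        if len(fields) < 6:          # malformed or internal-only line; skip
            continue
        service, socktype, _proto, waitspec, _user, server = fields[:6]
        # "nowait.40" style rate limits share the same wait/nowait keyword
        if socktype == "dgram" and waitspec.split(".")[0] == "nowait":
            hits.append((service, server))
    return hits


if __name__ == "__main__":
    for service, server in find_nowait_datagram_services(SAMPLE_INETD_CONF):
        print(f"dgram service {service} runs {server} with nowait; review")
```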

How-To-Repeat:
=============
1) Add entry to inetd.conf as described above.
2) Send a HUP to inetd.
3) Edit syslog.conf to send logs to the internal address (10.70.0.1:8514).
4) Send a HUP to syslogd.
5) `echo test | logger`
6) `ps ax | grep nc`

Fix:
=============
Remove inetd entry, replace with PF rdr as mentioned above.


--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
