On Thu, 26 Feb 2009, Rainer Gerhards wrote:

> On Sun, 2009-03-01 at 23:56 -0800, [email protected] wrote:
>> On Fri, 27 Feb 2009, [email protected] wrote:
>>
>>> On Thu, 26 Feb 2009, [email protected] wrote:
>>>
>>>>
>>>> This works for reopening the socket each time, but if I uncomment the bind
>>>> the sendto fails (error 22, invalid input).
>>>>
>>>> I haven't yet figured out what I'm missing on the bind that's causing this.
>>>
>>> A little more testing and I find that the bind succeeds, but no traffic goes
>>> out unless the source IP exists somewhere on the box (it can be bound to
>>> lo:0, but it needs to exist).
>>>
>>> So the non-local-bind approach may not work :-(
>>>
>>> It's just hit midnight here, so I'm going to call it a night and try again
>>> tomorrow.
>>
>> I abandoned this approach and spent the weekend learning how to do raw
>> sockets. I found a library that makes it not that bad to do (at least for
>> the IPv4 that I've done so far; IPv6 adds some wrinkles).
>>
>> The one thing that's not clear to me at this point is how to find the
>> original source IP of the message. Is that available in a variable inside
>> UDPSend, or is it something that I will have to get earlier in the process
>> and then pass explicitly to UDPSend?
>
> Actually, output modules do not receive access to the full message
> object. This was originally done for security reasons (do not pass more
> than needed). All they can receive is the strings that are passed to
> them. So the module would need to be modified so that a second string
> (like ommail) is passed, and that string needs to be defined as the
> to-be-spoofed IP (which also enables rewriting the source IP).

I will look into this.

> From all the discussion, it may make sense to start with a different
> output plugin that may later be merged back into the original one...

Ok, I won't try to have it do everything and will just concentrate on doing
the forging.

Forging on an all-IPv4 network is very simple, on an all-IPv6 network just a
bit harder; it's not clear what to do for a mixed network (for an IPv6
destination and IPv4 source you can do a mapping, but what is the right thing
to do for an IPv6 source with an IPv4 destination?).

Note that the other item (closing the output socket every X messages) should
be pretty trivial to add into the existing module and is useful for both TCP
and UDP.

David Lang

> Rainer
>>
>> David Lang

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
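What David calls "forging" on an all-IPv4 network, as an added example that is not code from this thread or from rsyslog: build an IPv4/UDP datagram carrying a caller-chosen source address, checksum it correctly (the UDP checksum covers a pseudo-header that contains the source address, so it has to be recomputed whenever that address is rewritten), and hand the finished packet to a raw socket with IP_HDRINCL. No bind() is involved, which is what sidesteps the non-local-bind problem quoted above. Assumptions: Linux raw-socket semantics; the addresses 192.0.2.10 and 198.51.100.1 are constructed from the RFC 5737 documentation ranges; the syslog line is constructed. Only the send step needs CAP_NET_RAW, so the build-and-verify self-check runs unprivileged.

```c
/* Added example (not rsyslog code): forge the IPv4 source of a UDP datagram
 * via a raw socket. Receivers cannot tell this from a genuine packet. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define IP_HDR_LEN  20
#define UDP_HDR_LEN 8

/* RFC 1071 checksum: accumulate big-endian 16-bit words, odd byte zero-padded. */
static uint32_t csum_add(uint32_t acc, const uint8_t *b, size_t len)
{
    for (; len > 1; b += 2, len -= 2) acc += ((uint32_t)b[0] << 8) | b[1];
    if (len) acc += (uint32_t)b[0] << 8;
    return acc;
}
static uint16_t csum_finish(uint32_t acc)            /* fold carries, complement */
{
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)~acc;
}
static void put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Writes IP header + UDP header + payload into pkt. Returns total length,
 * or -1 if an address is invalid or the datagram does not fit in cap. */
int build_spoofed_udp(uint8_t *pkt, size_t cap, const char *src_ip, uint16_t sport,
                      const char *dst_ip, uint16_t dport, const uint8_t *payload, size_t plen)
{
    size_t total = IP_HDR_LEN + UDP_HDR_LEN + plen, ulen = UDP_HDR_LEN + plen;
    struct in_addr src, dst;
    if (total > cap || total > 0xffff) return -1;
    if (inet_pton(AF_INET, src_ip, &src) != 1 || inet_pton(AF_INET, dst_ip, &dst) != 1) return -1;

    uint8_t *ip = pkt, *udp = pkt + IP_HDR_LEN, pseudo[12];
    memset(pkt, 0, IP_HDR_LEN + UDP_HDR_LEN);
    ip[0] = 0x45;                       /* version 4, IHL 5 (no options) */
    put16(ip + 2, (uint16_t)total);
    ip[6] = 0x40;                       /* DF set, fragment offset 0; ID left 0 */
    ip[8] = 64;                         /* TTL */
    ip[9] = IPPROTO_UDP;
    memcpy(ip + 12, &src, 4);           /* the forged source: need not exist on this box */
    memcpy(ip + 16, &dst, 4);
    put16(ip + 10, csum_finish(csum_add(0, ip, IP_HDR_LEN)));

    put16(udp, sport); put16(udp + 2, dport); put16(udp + 4, (uint16_t)ulen);
    if (plen) memcpy(udp + UDP_HDR_LEN, payload, plen);
    /* UDP checksum also covers the pseudo-header (src, dst, 0, proto, udp length),
     * so it depends on the forged source address and must be computed last. */
    memcpy(pseudo, ip + 12, 8); pseudo[8] = 0; pseudo[9] = IPPROTO_UDP; put16(pseudo + 10, (uint16_t)ulen);
    uint16_t ucs = csum_finish(csum_add(csum_add(0, pseudo, 12), udp, ulen));
    put16(udp + 6, ucs ? ucs : 0xffff); /* RFC 768: 0 on the wire means "no checksum" */
    return (int)total;
}

/* Receiver-side check: lengths consistent and both checksums verify (1) or not (0). */
int check_packet(const uint8_t *pkt, size_t len)
{
    if (len < IP_HDR_LEN + UDP_HDR_LEN || pkt[0] != 0x45 || pkt[9] != IPPROTO_UDP) return 0;
    if (get16(pkt + 2) != len || csum_finish(csum_add(0, pkt, IP_HDR_LEN)) != 0) return 0;
    const uint8_t *udp = pkt + IP_HDR_LEN;
    uint16_t ulen = get16(udp + 4);
    if (ulen != len - IP_HDR_LEN) return 0;
    if (get16(udp + 6) == 0) return 1;      /* sender sent no UDP checksum */
    uint8_t pseudo[12];
    memcpy(pseudo, pkt + 12, 8); pseudo[8] = 0; pseudo[9] = IPPROTO_UDP; put16(pseudo + 10, ulen);
    return csum_finish(csum_add(csum_add(0, pseudo, 12), udp, ulen)) == 0;
}

/* Hands the finished datagram to the kernel. Needs CAP_NET_RAW. 0 on success, -1 on error. */
int send_raw_ipv4(const uint8_t *pkt, size_t len)
{
    int one = 1, fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    struct sockaddr_in to = { .sin_family = AF_INET };
    if (fd < 0) return -1;
    setsockopt(fd, IPPROTO_IP, IP_HDRINCL, &one, sizeof one);   /* we supply the IP header */
    memcpy(&to.sin_addr, pkt + 16, 4);                          /* kernel routes on this dst */
    ssize_t n = sendto(fd, pkt, len, 0, (struct sockaddr *)&to, sizeof to);
    close(fd);
    return n == (ssize_t)len ? 0 : -1;
}

/* Constructed sample: forge 192.0.2.10:514 -> 198.51.100.1:514 (RFC 5737 ranges).
 * Returns the datagram length (62 here), or -1 if it fails to build or verify. */
int demo_build_and_check(void)
{
    static const char msg[] = "<13>Feb 26 23:56:00 host1 test: hi";  /* constructed syslog line */
    uint8_t pkt[128];
    int n = build_spoofed_udp(pkt, sizeof pkt, "192.0.2.10", 514, "198.51.100.1", 514,
                              (const uint8_t *)msg, sizeof msg - 1);
    if (n < 0 || !check_packet(pkt, (size_t)n)) return -1;
    if (memcmp(pkt + 12, "\xc0\x00\x02\x0a", 4) != 0) return -1;    /* 192.0.2.10 on the wire */
    return n;
}

int main(void)
{
    uint8_t pkt[128];
    const char *msg = "<13>Feb 26 23:56:00 host1 test: hi";
    int n = build_spoofed_udp(pkt, sizeof pkt, "192.0.2.10", 514, "127.0.0.1", 514,
                              (const uint8_t *)msg, strlen(msg));
    if (n < 0) return 1;
    printf("built %d bytes, verify=%d, send=%d (send needs CAP_NET_RAW)\n",
           n, check_packet(pkt, (size_t)n), send_raw_ipv4(pkt, (size_t)n));
    return 0;
}
```

The flip side of the feature is the practitioner's caveat: the receiver sees exactly the same bytes it would have seen from the claimed host, so source addresses in UDP syslog are not evidence of origin, and a relay that rewrites them should be recorded in the receiving site's assumptions about which fields of a log record can be trusted. IPv6 is the harder case mentioned above for concrete reasons: it has no IP header checksum to fix up, but its UDP checksum is mandatory and uses a different, larger pseudo-header, so the checksum code is not shared between the two families.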

