Sorry folks, have not worked on this topic since March - but I never forget ;)
> -----Original Message-----
> From: [email protected] [mailto:rsyslog-
> [email protected]] On Behalf Of [email protected]
> Sent: Wednesday, March 04, 2009 8:17 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] UDP source forging.
>
> Ok, here is a diff that works.

I have integrated David's UDP spoofing patch into v5-devel (master branch) as a separate output module (named omudpspoof). I have extracted the necessary functionality from omfwd and it now works quite well. However, the configuration is not yet as typically found in rsyslog (not that I find it very elegant, but consistency is a plus ;)). Also, doc is missing. My next steps will be to address these issues. However, for those interested, I just wanted to tell you that the git master branch now contains a version capable of spoofing (I have verified this with both an rsyslog receiver as well as Wireshark - hopefully I can also add an automated test for this functionality, but this is not trivial).

> it cycles the source IP address from 32000-42000 (since we are just
> sending, and not creating a normal socket this should not matter)
>
> it needs LIBS = /usr/lib/libnet.a in the Makefile in tools
>
> to use it create a template that puts the hostname-ip ahead of what you
> want to send, similar to
>
> $template TraditionalFwdFormat,"%fromhost-ip% <%pri%>%timegenerated%
> %HOSTNAME% %syslogtag%%msg%\n"
>
> *.* @10.0.0.100;TraditionalFwdFormat
>
> the one problem right now is that any logs sent from the local box will go
> out with a source IP of 127.0.0.1
>
> I wasted a bit of time trying to set up filters to use a different template
> if $myhostname == $fromhost, but apparently the filtering doesn't allow
> comparing two properties

I overlooked this in March. The script-based filter engine does not even know that what is being compared are properties, so there is no restriction in what can be compared. So this must either have been a config issue or a bug. I just wanted to tell you, should you come into a similar situation again.

> , and then I realized that you have a very
> high-performance name cache now, so you could easily replace my trivial
> inet_pton(AF_INET, source_text_ip, &(source_ip.sin_addr));
> line with a call to the name lookup and then the %fromhost-ip% could be
> replaced by %fromhost% in the template and everything would work sanely
> (assuming forward and reverse name resolution are sane ;-)

And another point to stress: rsyslogd does *not* yet have a high-performance cache. All it does is cache the last host (and only the last host). This works exceptionally well if a large bunch of messages arrive from the same host, but "cache" performance can easily be thrashed with multiple senders. All in all, in practice, it works reasonably well, as on a busy system at least a couple of messages are usually from the same sender. I plan to add a real cache some time later; personally I would hope to see it this summer.

>
> I haven't tried to do IPv6 yet, I know that it requires more effort to set
> the IP layer options, but I don't know exactly what yet.

Omudpspoof is kept IPv4 only and I plan to work on IPv6 only if real demand shows up. Even then, I consider it to be low priority except given very good reasoning ;)

Rainer

>
> I wanted to float this first to see what you think before spending much
> more time on it.
>
> David Lang

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
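The mechanism the two of them are describing, as an added example that is not part of this thread or of rsyslog's omudpspoof (which does the same job through libnet): the template prepends %fromhost-ip% to each line, the sender peels that address off, writes it into a hand-built IPv4 header and emits the datagram through a raw socket while rotating the source port through 32000-42000. It goes slightly beyond the thread in two places: it substitutes an assumed relay address (LOCAL_ADDR) for the 127.0.0.1 sources David mentions, and it decodes each packet back the way the receiving rsyslog or Wireshark would see it. The sample lines are constructed; LOCAL_ADDR and all function and class names are assumptions made for this illustration, not rsyslog identifiers.

```python
"""Added example (not rsyslog or omudpspoof code): forward syslog over UDP
with the original sender's address as the IP source, built by hand instead
of through libnet.

The forwarding template prepends %fromhost-ip% to each line; the output side
peels that address off and writes it into the IP header of a raw datagram.
Assumptions: LOCAL_ADDR, the loopback substitution, the constructed sample
lines and all names below.
"""
import ipaddress
import socket
import struct

# Assumption: the relay's own routable address. Locally generated messages
# arrive with 127.0.0.1 (the problem noted in the thread); spoofing that
# would make the receiver attribute them to itself, so substitute this.
LOCAL_ADDR = "10.0.0.5"
SRC_PORT_RANGE = (32000, 42000)  # source ports cycle through this range, as in the thread

IPV4_HDR = "!BBHHHBBH4s4s"  # ver/ihl, tos, len, id, flags/frag, ttl, proto, csum, src, dst


def split_template_line(line):
    """Split one line produced by a "%fromhost-ip% <%pri%>..." template.

    Everything up to the first space is the original sender's address; the
    rest is the syslog datagram exactly as a normal forwarder would send it.
    Raises ValueError if the prefix is not a dotted quad (template not applied).
    """
    src, _, payload = line.partition(" ")
    ipaddress.IPv4Address(src)  # AddressValueError (a ValueError) on garbage
    return src, payload


def effective_source(src):
    """Map loopback senders to LOCAL_ADDR; pass every other address through."""
    return LOCAL_ADDR if ipaddress.IPv4Address(src).is_loopback else src


def ip_checksum(data):
    """RFC 1071 ones'-complement checksum over an IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_datagram(src_ip, dst_ip, src_port, dst_port, payload, ident=0, ttl=64):
    """Return a complete IPv4+UDP packet carrying an arbitrary source address."""
    udp_len = 8 + len(payload)
    # A UDP checksum of 0 means "not computed"; that is legal for UDP over IPv4.
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, 0) + payload
    fields = [0x45, 0, 20 + udp_len, ident, 0, ttl, socket.IPPROTO_UDP, 0,
              socket.inet_aton(src_ip), socket.inet_aton(dst_ip)]
    fields[7] = ip_checksum(struct.pack(IPV4_HDR, *fields))  # fill in the checksum field
    return struct.pack(IPV4_HDR, *fields) + udp


def parse_datagram(packet):
    """Decode what the receiver (or Wireshark) sees; verifies the IP checksum."""
    if ip_checksum(packet[:20]) != 0:  # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IPV4_HDR, packet[:20])
    if ver_ihl != 0x45 or proto != socket.IPPROTO_UDP or total_len != len(packet):
        raise ValueError("not a plain IPv4/UDP packet")
    sport, dport, udp_len, _ = struct.unpack("!HHHH", packet[20:28])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "payload": packet[28:20 + udp_len]}


class UdpSpoofer:
    """One forwarding action: fixed destination, rotating source port."""

    def __init__(self, dst_ip, dst_port=514):
        self.dst_ip, self.dst_port = dst_ip, dst_port
        self._port = SRC_PORT_RANGE[0]

    def next_port(self):
        port = self._port
        self._port = port + 1 if port < SRC_PORT_RANGE[1] else SRC_PORT_RANGE[0]
        return port

    def packet_for(self, line):
        src, payload = split_template_line(line)
        return build_datagram(effective_source(src), self.dst_ip,
                              self.next_port(), self.dst_port, payload.encode())

    def send(self, packet):
        # Needs root/CAP_NET_RAW. With IPPROTO_RAW the Linux kernel transmits the
        # supplied header as-is (IP_HDRINCL semantics) instead of writing its own source.
        with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
            s.sendto(packet, (self.dst_ip, 0))


# Constructed sample input: two lines as the template in the thread would emit them.
SAMPLE_LINES = [
    "192.0.2.7 <34>Mar  4 08:17:00 webhost sshd[1234]: Accepted publickey for root\n",
    "127.0.0.1 <13>Mar  4 08:17:01 relay logger: generated on the relay itself\n",
]

if __name__ == "__main__":
    spoofer = UdpSpoofer("10.0.0.100")
    for line in SAMPLE_LINES:
        pkt = spoofer.packet_for(line)
        print(parse_datagram(pkt))
        # spoofer.send(pkt)  # only on a host where you are allowed to emit raw packets
```

Two caveats before relying on this between a relay and a collector: the receiver has no way to tell a spoofed source from a genuine one, which is the point here but also means nothing on the collector should treat the source IP as an authentication signal; and any router doing source-address validation (BCP 38 ingress filtering) on the path will silently drop these datagrams, so the relay and collector normally need to sit in the same filtering domain.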

