Saturday, February 03, 2007

spoof-source added to 2.0.x

As a commenter missed spoof-source support from 2.0, I got my act together for an afternoon hacking session and implemented it in the 2.0.x tree.

The packet generation for IPv4 packets was straightforward, I could simply "forward-port" it from 1.6.x, after creating the proper place for it in the 2.0.x tree. IPv6 support was a bit more difficult as libnet has a nasty bug with IPv6 and UDP. I was looking at my code for hours, when I tried Google codesearch to check whether I was doing something wrong. Then I've found this. Note the comment above the libnet_build_ipv6() call. I also disabled UDP checksumming and now it works like a charm. The last libnet release was almost 3 years ago, it is not reassuring that its webpage is also down. Too bad, libnet is a fine piece of software, but now as its website is down where can I point syslog-ng users to download libnet from?

By the way, I did not announce syslog-ng 2.0.2 here, it was released about a week ago. Nothing fancy, primarily portability fixes and a more important fix in the usertty() destination. Grab it from the usual place.

3 comments:

Anonymous said...

Thank you! Thank you! Thank you!
For adding the spoof source back in. In case you think people don't notice or appreciate it, we certainly do!!

Thanks again!

Anonymous said...

Thank you! Thank you! Thank you!
For adding the spoof source back in. In case you think people don't notice or appreciate it, we certainly do!!

Thanks again!

Anonymous said...

Use syslog-ng at the centre of your logging and archiving environment. I have tested it at about 20000 event/sec at the core of our logging environment on a dell 2850 running suse linux. With spoof source you can forward events to analysis engines that require the source address and separate out archiving from analysis. All of the analysis products on the market that I have tested die at this rate of logging so syslog-ng ability to filter band aids this problem.