Bugzilla – Bug 147363
syslog-ng doesn't filter firewall messages anymore
Last modified: 2006-02-08 17:37:53 UTC
With b3 (default installation) I have again the SFW2-* messages in /var/log/messages. The configuration file looks ok to me.
I've installed b3 and will take a look at what happens there tomorrow.
This is not a bug of syslog(-ng) or klogd, but of the GLIBC. The klogd receives the messages with "<4>" (LOG_KERNEL,LOG_WARNING), and sends them using openlog()/syslog() with the same facility and level, but they are forwarded to syslog with "<12>" (LOG_USER,LOG_WARNING):

linux:/etc/syslog-ng # strace -f -p 3104
Process 3104 attached - interrupt to quit
read(0, "<4>SFW2-INext-DROP-DEFLT IN=eth0"..., 131071) = 204
time(NULL) = 1139364989
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=837, ...}) = 0
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=837, ...}) = 0
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=837, ...}) = 0
send(1, "<12>Feb 8 03:16:29 klogd: SFW2-"..., 227, MSG_NOSIGNAL) = 227
read(0, "<4>SFW2-INext-DROP-DEFLT IN=eth0"..., 131071) = 204
time(NULL) = 1139364989
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=837, ...}) = 0
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=837, ...}) = 0
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=837, ...}) = 0
send(1, "<12>Feb 8 03:16:29 klogd: SFW2-"..., 227, MSG_NOSIGNAL) = 227

The klogd uses the openlog() and [v]syslog() functions to forward it, but "somebody" sits in the middle, which means this has to be improved.
It seems that opening the socket /dev/log causes the linker to put two functions into the communication between klogd and syslogd/syslog-ng:

/suse/werner> nm -D /sbin/klogd | grep log
                 U __syslog_chk
                 U __vsyslog_chk
00000000000035d0 T closelog
                 U klogctl
0000000000003600 T openlog
00000000000035b0 T setlogmask
0000000000003ad0 T syslog
00000000000036f0 T vsyslog

For any other user program this is a nice feature, but to have a working klogd: how to disable this ``feature''? There is no documentation in the info page of the (g)libc.
As a userland application you are not allowed to use LOG_KERN in openlog. From the glibc documentation:

@c Internally, there is also LOG_KERN, but LOG_KERN == 0, which means
@c if you try to use it here, just selects default.

Else everybody could fake kernel alerts. klogd has to use its own functions if it wishes to use it. As you should know, "nm -D" does not show you that the linker is putting two functions into the communication. Nothing is changing the level; it does not exist in userland.
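The facility arithmetic behind the strace output above and the LOG_KERN == 0 remark in the previous comment, as an added worked example (an editor's addition, not code from the bug report, klogd or glibc). It decodes the <PRI> prefix of a syslog datagram into facility and severity, shows why a "facility(kern)" filter matches the line read from the kernel ring buffer but not the line klogd hands to /dev/log, and shows what a forwarder that keeps the kernel facility has to write itself. The function names pri_of, facility_of, severity_of, kern_filter_matches, effective_pri and format_kern_line are my own; the two input lines are constructed from the strace output quoted above; the LOG_USER fallback in effective_pri mirrors the documented "selects default" behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>

/* Parse the "<PRI>" prefix of a syslog datagram.  PRI = facility * 8 + severity.
 * Returns PRI (0..191) or -1 when the prefix is missing or malformed. */
int pri_of(const char *line)
{
    if (line == NULL || line[0] != '<')
        return -1;
    char *end;
    long pri = strtol(line + 1, &end, 10);
    if (end == line + 1 || *end != '>' || pri < 0 || pri > 191)
        return -1;
    return (int)pri;
}

/* Facility number (0 = kern, 1 = user, 3 = daemon, ...), or -1 on a bad prefix. */
int facility_of(const char *line)
{
    int pri = pri_of(line);
    return pri < 0 ? -1 : LOG_FAC(pri);
}

/* Severity number (4 = warning), or -1 on a bad prefix. */
int severity_of(const char *line)
{
    int pri = pri_of(line);
    return pri < 0 ? -1 : LOG_PRI(pri);
}

/* A syslog-ng style "facility(kern)" filter: 1 if the line would be matched. */
int kern_filter_matches(const char *line)
{
    return facility_of(line) == LOG_FAC(LOG_KERN);
}

/* What libc's syslog() emits after openlog(ident, opts, facility):
 * LOG_KERN is 0, so openlog() treats it as "no facility given" and the
 * default facility, LOG_USER, is used instead (assumption matching the
 * glibc documentation quoted in the thread).  Other facilities pass through. */
int effective_pri(int requested_facility, int severity)
{
    int fac = (requested_facility == LOG_KERN) ? LOG_USER : requested_facility;
    return fac | LOG_PRI(severity);
}

/* What a kernel-message forwarder that bypasses libc's syslog() has to write
 * itself to keep the facility: PRI = LOG_KERN | severity, i.e. just the
 * severity.  Returns the PRI written, or -1 if out is too small. */
int format_kern_line(int severity, const char *msg, char *out, size_t outlen)
{
    int pri = LOG_KERN | LOG_PRI(severity);
    int n = snprintf(out, outlen, "<%d>klogd: %s", pri, msg);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return pri;
}

int main(void)
{
    /* Constructed from the read()/send() arguments in the strace above. */
    const char *from_kernel = "<4>SFW2-INext-DROP-DEFLT IN=eth0";
    const char *to_syslogd  = "<12>Feb 8 03:16:29 klogd: SFW2-";
    char buf[128];

    printf("kernel ring buffer: facility=%d severity=%d kern-filter=%d\n",
           facility_of(from_kernel), severity_of(from_kernel),
           kern_filter_matches(from_kernel));
    printf("sent to /dev/log:   facility=%d severity=%d kern-filter=%d\n",
           facility_of(to_syslogd), severity_of(to_syslogd),
           kern_filter_matches(to_syslogd));
    printf("openlog(LOG_KERN)+syslog(LOG_WARNING) yields PRI %d\n",
           effective_pri(LOG_KERN, LOG_WARNING));
    format_kern_line(LOG_WARNING, from_kernel + 3, buf, sizeof buf);
    printf("forwarder keeping LOG_KERN writes: %s\n", buf);
    return 0;
}
```

Run as is, it reports facility 0 for the line read from the kernel and facility 1 for the line sent to /dev/log, so a filter keyed on the kern facility silently stops matching once the forwarder goes through libc's syslog(); that is the symptom in the bug title, and the reason klogd carries its own syslog()/vsyslog() routines.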
Thanks for not reading my comment. I've shown that klogd uses its own openlog()/syslog()/closelog() due to the fact that glibc is not willing to support at least one user space program to be able to forward kernel messages.
I've tried out the hint of Thorsten of disabling the FORTIFY_SOURCE cpp macro. Marius? Can you tell me which architecture you're using? I'd like to attach a new klogd for testing.
Created attachment 67000 [details] /sbin/klogd for INTEL i586 or higher
Created attachment 67006 [details] /sbin/klogd for AMD x86_64
(In reply to comment #7)
> /sbin/klogd for INTEL i586 or higher
works fine now.
Could I convince you to just use

#undef syslog
#undef vsyslog

on top of klogd.c (after #include <syslog.h>)?
OK, done