Add support for PROXY protocol v2 #4211

bazsi · 2022-11-13T18:24:45Z

This PR adds support for PROXY protocol v2 as requested in #4205

@g-psantos I have tested this blindly, e.g. I wrote my own test program based on the specification, so it might not work in an actual environment, would be great if you could do some manual testing.

NOTE: This does adds some improvement to the existing code, but I feel PROXY v1 should have been done very differently. Instead of a LogProto implementation that combines the PROXY protocol and RFC3164 -like transport over TCP, this should have been a LogTransport implementation that can be combined with any LogProto instances easily. I did NOT address this architectural problem with this PR. I am also not sure that the key-value pairs we are adding to the message (e.g. PROXIED_SRCIP) are the right choice when handling this kind of transport protocol. But I didn't want to extend the scope of this PR too much. This potentially addresses an imminent use-case, hopefully solving it, so I didn't want to complicate things further. I have other things on my plate too :)

@p-gsantos let me know if this indeed solves your use-case. Thanks.

github-actions · 2022-11-13T18:24:57Z

No news file has been detected. Please write one, if applicable.

kira-syslogng · 2022-11-13T18:29:49Z

Build FAILURE

mitzkia · 2022-11-16T09:14:28Z

Do we want to update Light testcases for Proxy protocol under:
https://github.com/syslog-ng/syslog-ng/tree/master/tests/light/functional_tests/source_drivers/network_source/proxyprotocol

If it helps I can work on it in my free time.

bazsi · 2022-11-17T08:17:51Z

Do we want to update Light testcases for Proxy protocol under: https://github.com/syslog-ng/syslog-ng/tree/master/tests/light/functional_tests/source_drivers/network_source/proxyprotocol

this would be great. This C program generates the required binary payload. You don't have to use this program in the tests, rather just copy-paste the output into the testcase.

#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>

struct proxy_hdr_v2 {
    uint8_t sig[12];  /* hex 0D 0A 0D 0A 00 0D 0A 51 55 49 54 0A */
    uint8_t ver_cmd;  /* protocol version and command */
    uint8_t fam;      /* protocol family and address */
    uint16_t len;     /* number of following bytes part of the header */
};

union proxy_addr {
    struct {        /* for TCP/UDP over IPv4, len = 12 */
        uint32_t src_addr;
        uint32_t dst_addr;
        uint16_t src_port;
        uint16_t dst_port;
    } ipv4_addr;
    struct {        /* for TCP/UDP over IPv6, len = 36 */
         uint8_t  src_addr[16];
         uint8_t  dst_addr[16];
         uint16_t src_port;
         uint16_t dst_port;
    } ipv6_addr;
    struct {        /* for AF_UNIX sockets, len = 216 */
         uint8_t src_addr[108];
         uint8_t dst_addr[108];
    } unix_addr;
};


int main(int argc, char *argv[])
{
  char buf[1500];
  struct proxy_hdr_v2 *proxy_hdr = (struct proxy_hdr_v2 *) buf;
  union proxy_addr *proxy_adr = (union proxy_addr *) (proxy_hdr+1);
  char *msg = ((char *) proxy_adr) + sizeof(proxy_adr->ipv4_addr);
  
  memcpy(proxy_hdr->sig, "\x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A\x02", 12);
  proxy_hdr->ver_cmd = 0x21;
  proxy_hdr->fam = 0x11;
  proxy_hdr->len = htons(sizeof(proxy_adr->ipv4_addr));
  inet_aton("1.2.3.4", (struct in_addr *) &proxy_adr->ipv4_addr.src_addr);
  inet_aton("4.3.2.1", (struct in_addr *) &proxy_adr->ipv4_addr.dst_addr);
  proxy_adr->ipv4_addr.src_port = htons(33333);
  proxy_adr->ipv4_addr.dst_port = htons(44444);
  
  strcpy(msg, "foo bar baz");
  size_t len = msg + strlen(msg) - buf;
  
  if (write(1, buf, len) < 0)
    perror("write!");
}

mitzkia · 2022-11-17T08:40:35Z

Thanks, the result was the following:

$ ./syslog-ng-proxyprotocolv2 



QUIT
!
 �5��foo bar baz

I will test this as an input with the PR and if everything is fine I will add new testcases for Proxy Protocol v2.

mitzkia · 2022-11-17T08:43:55Z

The output from strace

write(1, "\r\n\r\n\0\r\nQUIT\n!\21\0\f\1\2\3\4\4\3\2\1\2025\255\234foo bar baz", 39

mitzkia · 2022-11-17T08:48:55Z

I will also read the related latest documentation:
https://www.haproxy.org/download/2.7/doc/proxy-protocol.txt

mitzkia · 2022-11-18T08:50:01Z

I have checked the input with syslog-ng and I have got the following result, should this be the expected? It seems correct for me. (input message was: "\r\n\r\n\0\r\nQUIT\n!\21\0\f\1\2\3\4\4\3\2\1\2025\255\234foo bar baz")

[2022-11-18T08:46:27.182514] Initializing PROXY protocol source driver; driver='0x55844ef80320'
[2022-11-18T08:46:27.182562] Syslog connection accepted; fd='13', client='AF_INET(127.0.0.1:34058)', local='AF_INET(127.0.0.1:30001)'
[2022-11-18T08:46:27.182695] PROXY protocol header received; version='2', header='<binary_data>'
[2022-11-18T08:46:27.182706] PROXY protocol header parsed successfully;
[2022-11-18T08:46:27.182829] EOF occurred while reading; fd='13'
[2022-11-18T08:46:27.182860] Incoming log entry; input='�foo bar baz', msg='0x7f480c004000', rcptid='1'
[2022-11-18T08:46:27.182868] Setting value; name='MESSAGE', value='�foo bar baz', type='string', msg='0x7f480c004000', rcptid='1'
[2022-11-18T08:46:27.182897] Setting value; name='PROXIED_SRCIP', value='1.2.3.4', type='string', msg='0x7f480c004000', rcptid='1'
[2022-11-18T08:46:27.182902] Setting value; name='PROXIED_DSTIP', value='4.3.2.1', type='string', msg='0x7f480c004000', rcptid='1'
[2022-11-18T08:46:27.182906] Setting value; name='PROXIED_SRCPORT', value='49794', type='string', msg='0x7f480c004000', rcptid='1'
[2022-11-18T08:46:27.182923] Setting value; name='PROXIED_DSTPORT', value='13762', type='string', msg='0x7f480c004000', rcptid='1'
[2022-11-18T08:46:27.182926] Setting value; name='PROXIED_IP_VERSION', value='4', type='string', msg='0x7f480c004000', rcptid='1'
[2022-11-18T08:46:27.182933] >>>>>> Source side message processing begin; instance='proxied-tcp,127.0.0.1', location='syslog_ng_server.conf:4:5', msg='0x7f480c004000', rcptid='1'
[2022-11-18T08:46:27.182963] Setting value; name='HOST_FROM', value='localhost', type='string', msg='0x7f480c004000', rcptid='1'
[2022-11-18T08:46:27.182970] Setting value; name='HOST', value='localhost', type='string', msg='0x7f480c004000', rcptid='1'
[2022-11-18T08:46:27.182974] Setting tag; name='.source.source_227548333628901111505367134784799626167', value='1', msg='0x7f480c004000'
[2022-11-18T08:46:27.182979] Setting value; name='SOURCE', value='source_227548333628901111505367134784799626167', type='string', msg='0x7f480c004000', rcptid='1'
[2022-11-18T08:46:27.183006] Initializing destination file writer; template='output.log', filename='output.log', symlink_as='(null)'
[2022-11-18T08:46:27.183047] affile_open_file; path='output.log', fd='16'
[2022-11-18T08:46:27.183072] <<<<<< Source side message processing finish; instance='proxied-tcp,127.0.0.1', location='syslog_ng_server.conf:4:5', msg='0x7f480c004000', rcptid='1'
[2022-11-18T08:46:27.183088] Syslog connection closed; fd='13', client='AF_INET(127.0.0.1:34058)', local='AF_INET(127.0.0.1:30001)'
[2022-11-18T08:46:27.183095] Freeing PROXY protocol source driver; driver='0x55844ef80320'
[2022-11-18T08:46:27.183125] Closing log transport fd; fd='13'
[2022-11-18T08:46:27.183164] Outgoing message; message='1.2.3.4 4.3.2.1 49794 13762 4 �foo bar baz\x0a'
[2022-11-18T08:46:27.183180] Window size adjustment; old_window_size='99', window_size_increment='1', suspended_before_increment='FALSE', last_ack_type_is_suspended='FALSE'
[2022-11-18T08:46:27.212493] Running application hooks; hook='3'
[2022-11-18T08:46:27.212510] syslog-ng shutting down; version='3.38.1.209.g93434d7'
[2022-11-18T08:46:27.212564] EOF on control channel, closing connection;
[2022-11-18T08:46:27.312792] Closing log transport fd; fd='16'

mitzkia · 2022-11-18T09:27:59Z

In the output: "Outgoing message; message='1.2.3.4 4.3.2.1 49794 13762 4 �foo bar baz\x0a'"
before the: "foo bar baz" there is a byte sequence: <U+009C> Should it be part of the output?

bazsi · 2022-11-21T13:23:54Z

In the output: "Outgoing message; message='1.2.3.4 4.3.2.1 49794 13762 4 �foo bar baz\x0a'" before the: "foo bar baz" there is a byte sequence: <U+009C> Should it be part of the output?

I don't have that binary character in my local environment, but it's definitely strange. I have now manually rechecked the code and also run strace on syslog-ng how it consumed the bytes from the test program, and it seems to invoke these recvfrom() calls early on:

579817 recvfrom(13, "\r\n\r\n\0", 5, 0, NULL, NULL) = 5
579817 recvfrom(13, "\r\nQUIT\n!\21\0\f", 11, 0, NULL, NULL) = 11
579817 recvfrom(13, "\1\2\3\4\4\3\2\1\2025\255\234", 12, 0, NULL, NULL) = 12
579817 recvfrom(13, "foo bar baz", 65536, 0, NULL, NULL) = 11

So it does not have the binary character in front of "foo". It's not even part of the "Incoming log entry" message:
Incoming log entry; input='foo bar baz', msg='0x7ffff0014220', rcptid='70'

mitzkia · 2022-11-21T13:29:05Z

Thanks, I will re-check my environment, and test input again.

mitzkia · 2022-11-22T07:43:26Z

Unfortunately it still did not work for me.
My syslog-ng configuration is:

@version: 3.35

source source_57084744503937290189031249694188141810 {
    network (
        ip(localhost)
        port(30002)
        transport("proxied-tcp")
        flags(no-parse)
    );
};

destination destination_301994708398757415217086203699648596485 {
    file (
        output.log
        template("${PROXIED_SRCIP} ${PROXIED_DSTIP} ${PROXIED_SRCPORT} ${PROXIED_DSTPORT} ${PROXIED_IP_VERSION} ${MESSAGE}\n")
    );
};

log {
    source(source_57084744503937290189031249694188141810);
    destination(destination_301994708398757415217086203699648596485);
};

Input message:

"\r\n\r\n\0\r\nQUIT\n!\21\0\f\1\2\3\4\4\3\2\1\2025\255\234foo bar baz"

I send input with loggen:

/install/bin/loggen --inet --stream --dont-parse --read-file=loggen_input_147930440155197378701184596055398432048.txt --permanent localhost 30002

How syslog-ng process the input:

recvfrom(13, "\r\n\r\n\0", 5, 0, NULL, NULL) = 5 <0.000045>
recvfrom(13, "\r\nQUIT\n!\21\0\f", 11, 0, NULL, NULL) = 11 <0.000006>
recvfrom(13, "\1\2\3\4\4\3\2\1\302\2025\302", 12, 0, NULL, NULL) = 12 <0.000006>
recvfrom(13, "\255\302\234foo bar baz", 65536, 0, NULL, NULL) = 14 <0.000007>
recvfrom(13, "", 65522, 0, NULL, NULL) = 0 <0.000007>

Syslog-ng's console output:

[2022-11-22T07:33:39.672420] Initializing PROXY protocol source driver; driver='0x55bdb5404130'
[2022-11-22T07:33:39.672683] Syslog connection accepted; fd='13', client='AF_INET(127.0.0.1:34030)', local='AF_INET(127.0.0.1:30002)'
[2022-11-22T07:33:39.673938] PROXY protocol header received; version='2', header='<binary_data>'
[2022-11-22T07:33:39.673996] PROXY protocol header parsed successfully;
[2022-11-22T07:33:39.674480] EOF occurred while reading; fd='13'
[2022-11-22T07:33:39.674589] Incoming log entry; input='�foo bar baz', msg='0x7fa21c004000', rcptid='1'
[2022-11-22T07:33:39.674633] Setting value; name='MESSAGE', value='�foo bar baz', type='string', msg='0x7fa21c004000', rcptid='1'
[2022-11-22T07:33:39.674683] Setting value; name='PROXIED_SRCIP', value='1.2.3.4', type='string', msg='0x7fa21c004000', rcptid='1'
[2022-11-22T07:33:39.674739] Setting value; name='PROXIED_DSTIP', value='4.3.2.1', type='string', msg='0x7fa21c004000', rcptid='1'
[2022-11-22T07:33:39.674779] Setting value; name='PROXIED_SRCPORT', value='49794', type='string', msg='0x7fa21c004000', rcptid='1'
[2022-11-22T07:33:39.674805] Setting value; name='PROXIED_DSTPORT', value='13762', type='string', msg='0x7fa21c004000', rcptid='1'
[2022-11-22T07:33:39.674830] Setting value; name='PROXIED_IP_VERSION', value='4', type='string', msg='0x7fa21c004000', rcptid='1'
[2022-11-22T07:33:39.674866] >>>>>> Source side message processing begin; instance='proxied-tcp,127.0.0.1', location='syslog_ng_server.conf:4:5', msg='0x7fa21c004000', rcptid='1'
[2022-11-22T07:33:39.675080] Setting value; name='HOST_FROM', value='localhost', type='string', msg='0x7fa21c004000', rcptid='1'
[2022-11-22T07:33:39.675116] Setting value; name='HOST', value='localhost', type='string', msg='0x7fa21c004000', rcptid='1'
[2022-11-22T07:33:39.675145] Setting tag; name='.source.source_57084744503937290189031249694188141810', value='1', msg='0x7fa21c004000'
[2022-11-22T07:33:39.675191] Setting value; name='SOURCE', value='source_57084744503937290189031249694188141810', type='string', msg='0x7fa21c004000', rcptid='1'
[2022-11-22T07:33:39.675295] Initializing destination file writer; template='output.log', filename='output.log', symlink_as='(null)'
[2022-11-22T07:33:39.675517] affile_open_file; path='output.log', fd='16'
[2022-11-22T07:33:39.675652] <<<<<< Source side message processing finish; instance='proxied-tcp,127.0.0.1', location='syslog_ng_server.conf:4:5', msg='0x7fa21c004000', rcptid='1'
[2022-11-22T07:33:39.676129] Syslog connection closed; fd='13', client='AF_INET(127.0.0.1:34030)', local='AF_INET(127.0.0.1:30002)'
[2022-11-22T07:33:39.676171] Freeing PROXY protocol source driver; driver='0x55bdb5404130'
[2022-11-22T07:33:39.676177] Outgoing message; message='1.2.3.4 4.3.2.1 49794 13762 4 �foo bar baz\x0a'
[2022-11-22T07:33:39.676327] Closing log transport fd; fd='13'

This is my last commit id: 93434d7

mitzkia · 2022-11-22T07:50:23Z

I assume that the input in the (loggen) file is not correct. It has written via Python from Light. I will check this part.

mitzkia · 2022-11-22T08:27:45Z

I think the input is malformed somehow. There is a strange '\302' character. I will check this later

mitzkia · 2022-11-22T09:07:50Z

If I replace the loggen input with the original output of the given c script (which I redirected into a file) everything is fine. I could use this written file in Light testcases. So I could go forward with the testcase updates.

mitzkia · 2022-11-24T06:18:29Z

While I am working on Light testcases of proxy protocol v2 I have found that our loggen has an internal implementation for

syslog-ng/tests/loggen/ssl_plugin/ssl_plugin.c

Line 328 in bc48493

if(proxied_tls_passthrough)

and

syslog-ng/tests/loggen/ssl_plugin/ssl_plugin.c

Line 293 in bc48493

    
           send_plaintext_proxy_header(ThreadData *thread_context, int sock_fd, char *buf, size_t buf_size)

Light testcases uses proxied_tls_passthrough parameter of loggen, which for now always generates a v1 header for my inputs.

My use-case would be the following:

generating a fille which contains a proper v2 header and a payload
send this file with loggen to syslog-ng with the following parameters (this works well for me when SSL is not used):

(if the above would work, I assume that I could drop the external input file generation, loggen would do everything for me, am I right?)

/install/bin/loggen --use-ssl --dont-parse --read-file=/source/tests/light/reports/2022-11-24-06-08-05-625062/test_pp_tls_passthrough_pp_v2_/message0_input --proxied-tls-passthrough --debug --number=1 localhost 30002

My source config for syslog-ng

source source_67674173725322721703918758720504068388 {
    network (
        ip(localhost)
        port(30002)
        transport("proxied-tls-passthrough")
        flags(no-parse)
        tls(
        key-file(/source/tests/light/reports/2022-11-24-06-08-05-625062/test_pp_tls_passthrough_pp_v2_/server.key)
        cert-file(/source/tests/light/reports/2022-11-24-06-08-05-625062/test_pp_tls_passthrough_pp_v2_/server.crt)
        peer-verify("optional-untrusted")
        )
    );
};

Thanks.

bazsi · 2022-11-24T07:14:20Z

Hi,

On Thu, Nov 24, 2022, 07:18 Andras Mitzki ***@***.***> wrote: Should the actual implementation work for SSL case also?

Yes, the implementation is right next to the existing one, e.g. all transport options should work the same. While I am working on Light testcases of proxy protocol v2 I have found

that our loggen has an inner implementation for https://github.com/syslog-ng/syslog-ng/blob/bc48493db0fc8b6eba87bf2f146ac68fc14c18f9/tests/loggen/ssl_plugin/ssl_plugin.c#L328

I'll check that out if I can add a client implementation there. Light testcases uses proxied_tls_passthrough parameter of loggen, which for

…

now always generates a v1 header for my inputs. My use-case would be the following: - generating a fille which contains a proper v2 header and a payload - send this file with loggen to syslog-ng with the following parameters (this works well for me when SSL is not used): /install/bin/loggen --use-ssl --dont-parse --read-file=/source/tests/light/reports/2022-11-24-06-08-05-625062/test_pp_tls_passthrough_pp_v2_/message0_input --proxied-tls-passthrough --debug --number=1 localhost 30002 My source config for syslog-ng source source_67674173725322721703918758720504068388 { network ( ip(localhost) port(30002) transport("proxied-tls-passthrough") flags(no-parse) tls( key-file(/source/tests/light/reports/2022-11-24-06-08-05-625062/test_pp_tls_passthrough_pp_v2_/server.key) cert-file(/source/tests/light/reports/2022-11-24-06-08-05-625062/test_pp_tls_passthrough_pp_v2_/server.crt) peer-verify("optional-untrusted") ) ); }; Thanks. — Reply to this email directly, view it on GitHub <#4211 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAFOK5TOSOF4ENB6BDSOFQLWJ4CD7ANCNFSM6AAAAAAR7EVOPE> . You are receiving this because you authored the thread.Message ID: ***@***.***>

bazsi · 2022-12-01T19:20:42Z

I have now updated loggen to support proxy v2 headers using the -H command line argument, e.g. -H 2 is how you request v2 proxy headers.

$ loggen --inet -H 2 --proxy-dst-ip 9.8.7.6 --proxy-src-ip 5.6.7.8 --proxy-src-port 9999 --proxy-dst-port 8888 127.0.0.1 2000

mitzkia · 2022-12-02T07:59:23Z

Thanks for the loggen update.
I will continue to update Light testcases for Proxy Protocol V2.

tests/loggen/loggen.c

tests/loggen/ssl_plugin/ssl_plugin.c

mitzkia · 2022-12-03T19:24:25Z

I have tested syslog-ng and loggen behaviour for PROXY protocols and I have some findings.

I have created a separate branch with new Light testcases (commit)(the branch currently is in progress), but it could reproduce the issues.

Finding-1 (this could be an issue):

This case is about PROXY protocol v2 with TLS mode (non TLS mode works fine)
loggen sends PP v2 message with TLS to syslog-ng
message arrives to syslog-ng, but it could not separate binary header correctly (check "Incoming log entry" lines below)

syslog-ng config for TLS mode:

source source_15187006108793859882824973638716283917 {
    network (
        ip(localhost)
        port(30001)
        transport("proxied-tls-passthrough")
        flags(no-parse)
        tls(
        key-file(/source/tests/light/reports/2022-12-03-16-19-40-452969/test_pp_acceptance_1-native-tls-1_/server.key)
        cert-file(/source/tests/light/reports/2022-12-03-16-19-40-452969/test_pp_acceptance_1-native-tls-1_/server.crt)
        peer-verify("optional-untrusted")
        )
    );
};

loggen start: /install/bin/loggen --use-ssl --proxied=2 --proxied-tls-passthrough --debug --number=2 localhost 30001

loggen strace output (for sendto):

strace_loggen.7780:1670093615.774847 sendto(3, "\r\n\r\n\0\r\nQUIT\n!\21\0\f\300\250\1-\300\250\1\16\30v\2\2", 28, 0, NULL, 0) = 28

syslog-ng strace output (for recvfrom):

strace_syslog-ng.7781:1670093615.781061 recvfrom(13, "\r\n\r\n\0", 5, 0, NULL, NULL) = 5
strace_syslog-ng.7781:1670093615.781281 recvfrom(13, "\r\nQUIT\n!\21\0\f", 11, 0, NULL, NULL) = 11
strace_syslog-ng.7781:1670093615.781443 recvfrom(13, "\300\250\1-\300\250\1\16\30v\2\2", 12, 0, NULL, NULL) = 12

syslog-ng console log:

[2022-12-03T18:53:35.777463] Initializing PROXY protocol source driver; driver='0x561be3886330'
[2022-12-03T18:53:35.778477] Syslog connection accepted; fd='13', client='AF_INET(127.0.0.1:35094)', local='AF_INET(127.0.0.1:30001)'
[2022-12-03T18:53:35.781603] PROXY protocol header received; version='2', header='<binary_data>'
[2022-12-03T18:53:35.781771] PROXY protocol header parsed successfully;
[2022-12-03T18:53:35.781944] Transport switch requested; active-transport='socket', requested-transport='tls'
[2022-12-03T18:53:35.782992] Transport switch succeeded; new-active-transport='tls'
[2022-12-03T18:53:35.783129] proxied-tls switch to TLS: OK;
[2022-12-03T18:53:35.811117] Incoming log entry; input='QUIT', msg='0x7f3da402fc70', rcptid='38000'
[2022-12-03T18:53:35.811164] Setting value; name='MESSAGE', value='QUIT', type='string', msg='0x7f3da402fc70', rcptid='38000'
[2022-12-03T18:53:35.811245] Setting value; name='PROXIED_SRCIP', value='192.168.1.45', type='string', msg='0x7f3da402fc70', rcptid='38000'
[2022-12-03T18:53:35.811300] Setting value; name='PROXIED_DSTIP', value='192.168.1.14', type='string', msg='0x7f3da402fc70', rcptid='38000'
[2022-12-03T18:53:35.811373] Setting value; name='PROXIED_SRCPORT', value='6262', type='string', msg='0x7f3da402fc70', rcptid='38000'
[2022-12-03T18:53:35.811428] Setting value; name='PROXIED_DSTPORT', value='514', type='string', msg='0x7f3da402fc70', rcptid='38000'
[2022-12-03T18:53:35.811480] Setting value; name='PROXIED_IP_VERSION', value='4', type='string', msg='0x7f3da402fc70', rcptid='38000'
[2022-12-03T18:53:35.811560] >>>>>> Source side message processing begin; instance='proxied-tls-passthrough,127.0.0.1', location='syslog_ng_server.conf:7:5', msg='0x7f3da402fc70', rcptid='38000'
[2022-12-03T18:53:35.811918] Setting value; name='HOST_FROM', value='localhost', type='string', msg='0x7f3da402fc70', rcptid='38000'
[2022-12-03T18:53:35.811954] Setting value; name='HOST', value='localhost', type='string', msg='0x7f3da402fc70', rcptid='38000'
[2022-12-03T18:53:35.812011] Setting tag; name='.source.source_17147780097804847872464853926640936017', value='1', msg='0x7f3da402fc70'
[2022-12-03T18:53:35.812056] Setting value; name='SOURCE', value='source_17147780097804847872464853926640936017', type='string', msg='0x7f3da402fc70', rcptid='38000'
[2022-12-03T18:53:35.812292] Initializing destination file writer; template='output.log', filename='output.log', symlink_as='(null)'
[2022-12-03T18:53:35.812494] affile_open_file; path='output.log', fd='16'
[2022-12-03T18:53:35.812638] <<<<<< Source side message processing finish; instance='proxied-tls-passthrough,127.0.0.1', location='syslog_ng_server.conf:7:5', msg='0x7f3da402fc70', rcptid='38000'
[2022-12-03T18:53:35.812739] Incoming log entry; input='!\x11', msg='0x7f3da4024090', rcptid='38001'
[2022-12-03T18:53:35.812785] Setting value; name='MESSAGE', value='!\x11', type='string', msg='0x7f3da4024090', rcptid='38001'
[2022-12-03T18:53:35.812830] Setting value; name='PROXIED_SRCIP', value='192.168.1.45', type='string', msg='0x7f3da4024090', rcptid='38001'
[2022-12-03T18:53:35.812870] Setting value; name='PROXIED_DSTIP', value='192.168.1.14', type='string', msg='0x7f3da4024090', rcptid='38001'
[2022-12-03T18:53:35.812923] Setting value; name='PROXIED_SRCPORT', value='6262', type='string', msg='0x7f3da4024090', rcptid='38001'
[2022-12-03T18:53:35.812960] Setting value; name='PROXIED_DSTPORT', value='514', type='string', msg='0x7f3da4024090', rcptid='38001'
[2022-12-03T18:53:35.813004] Setting value; name='PROXIED_IP_VERSION', value='4', type='string', msg='0x7f3da4024090', rcptid='38001'
[2022-12-03T18:53:35.813043] >>>>>> Source side message processing begin; instance='proxied-tls-passthrough,127.0.0.1', location='syslog_ng_server.conf:7:5', msg='0x7f3da4024090', rcptid='38001'
[2022-12-03T18:53:35.813088] Setting value; name='HOST_FROM', value='localhost', type='string', msg='0x7f3da4024090', rcptid='38001'
[2022-12-03T18:53:35.813126] Setting value; name='HOST', value='localhost', type='string', msg='0x7f3da4024090', rcptid='38001'
[2022-12-03T18:53:35.813186] Setting tag; name='.source.source_17147780097804847872464853926640936017', value='1', msg='0x7f3da4024090'
[2022-12-03T18:53:35.813234] Setting value; name='SOURCE', value='source_17147780097804847872464853926640936017', type='string', msg='0x7f3da4024090', rcptid='38001'
[2022-12-03T18:53:35.813281] <<<<<< Source side message processing finish; instance='proxied-tls-passthrough,127.0.0.1', location='syslog_ng_server.conf:7:5', msg='0x7f3da4024090', rcptid='38001'
[2022-12-03T18:53:35.813425] Incoming log entry; input='\x0c��\x01\��\x01\x08$=\x02\x02<38>2022-12-03T18:53:35 localhost prg00000[1234]: seq: 0000000001, thread: 0000, runid: 1670093615, stamp: 2022-12-03T18:53:35 PADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADD', msg='0x7f3da40243c0', rcptid='38002'
[2022-12-03T18:53:35.813467] Setting value; name='MESSAGE', value='\x0c��\x01\��\x01\x08$=\x02\x02<38>2022-12-03T18:53:35 localhost prg00000[1234]: seq: 0000000001, thread: 0000, runid: 1670093615, stamp: 2022-12-03T18:53:35 PADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADD', type='string', msg='0x7f3da40243c0', rcptid='38002'
[2022-12-03T18:53:35.813514] Setting value; name='PROXIED_SRCIP', value='192.168.1.45', type='string', msg='0x7f3da40243c0', rcptid='38002'
[2022-12-03T18:53:35.813555] Setting value; name='PROXIED_DSTIP', value='192.168.1.14', type='string', msg='0x7f3da40243c0', rcptid='38002'
[2022-12-03T18:53:35.813612] Setting value; name='PROXIED_SRCPORT', value='6262', type='string', msg='0x7f3da40243c0', rcptid='38002'
[2022-12-03T18:53:35.813662] Setting value; name='PROXIED_DSTPORT', value='514', type='string', msg='0x7f3da40243c0', rcptid='38002'
[2022-12-03T18:53:35.813710] Setting value; name='PROXIED_IP_VERSION', value='4', type='string', msg='0x7f3da40243c0', rcptid='38002'
[2022-12-03T18:53:35.813765] >>>>>> Source side message processing begin; instance='proxied-tls-passthrough,127.0.0.1', location='syslog_ng_server.conf:7:5', msg='0x7f3da40243c0', rcptid='38002'
[2022-12-03T18:53:35.813810] Setting value; name='HOST_FROM', value='localhost', type='string', msg='0x7f3da40243c0', rcptid='38002'
[2022-12-03T18:53:35.813854] Setting value; name='HOST', value='localhost', type='string', msg='0x7f3da40243c0', rcptid='38002'
[2022-12-03T18:53:35.813896] Setting tag; name='.source.source_17147780097804847872464853926640936017', value='1', msg='0x7f3da40243c0'
[2022-12-03T18:53:35.813943] Setting value; name='SOURCE', value='source_17147780097804847872464853926640936017', type='string', msg='0x7f3da40243c0', rcptid='38002'
[2022-12-03T18:53:35.814011] <<<<<< Source side message processing finish; instance='proxied-tls-passthrough,127.0.0.1', location='syslog_ng_server.conf:7:5', msg='0x7f3da40243c0', rcptid='38002'
[2022-12-03T18:53:35.814218] EOF occurred while reading; fd='13'
[2022-12-03T18:53:35.814331] Syslog connection closed; fd='13', client='AF_INET(127.0.0.1:35094)', local='AF_INET(127.0.0.1:30001)'
[2022-12-03T18:53:35.814367] Freeing PROXY protocol source driver; driver='0x561be3886330'
[2022-12-03T18:53:35.814439] Closing log transport fd; fd='13'
[2022-12-03T18:53:35.814545] stats-aggregator-cps; name='source_17147780097804847872464853926640936017#0_proxied-tls-passthrough,127.0.0.1_eps_last_1h', sum='3', divisor='1', cps='3', delta_time_since_start='0'
[2022-12-03T18:53:35.814577] stats-aggregator-cps; name='source_17147780097804847872464853926640936017#0_proxied-tls-passthrough,127.0.0.1_eps_last_24h', sum='3', divisor='1', cps='3', delta_time_since_start='0'
[2022-12-03T18:53:35.814644] stats-aggregator-cps; name='source_17147780097804847872464853926640936017#0_proxied-tls-passthrough,127.0.0.1_eps_since_start', sum='3', divisor='1', cps='3', delta_time_since_start='0'
[2022-12-03T18:53:35.814782] Outgoing message; message='192.168.1.45 192.168.1.14 6262 514 4 QUIT\x0a'
[2022-12-03T18:53:35.814819] Outgoing message; message='192.168.1.45 192.168.1.14 6262 514 4 !\x11\x0a'
[2022-12-03T18:53:35.814876] Outgoing message; message='192.168.1.45 192.168.1.14 6262 514 4 \x0c��\x01\��\x01\x08$=\x02\x02<38>2022-12-03T18:53:35 localhost prg00000[1234]: seq: 0000000001, thread: 0000, runid: 1670093615, stamp: 2022-12-03T18:53:35 PADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADD\x0a'

Finding-2 (maybe this is only a minor issue):

I think this is not a regression, but interesting
there is a difference between "non TLS" and "TLS" mode (PROXY protocol v1 is used in my reproduction, but v2 probably also affected) when only 1 message is sent
the difference is that in both mode syslog-ng receives only PROXY protocol header information (-n=1), this is because how loggen counts messages (when -n=2 loggen sends payload too)
but only in case of TLS mode syslog-ng forwards it to the destination driver. In case of non TLS mode syslog-ng just receives it even "Incoming log entry" does not created in this case.
syslog-ng config for non TLS mode:

source source_13623417896372744656615218673371878507 {
    network (
        ip(localhost)
        port(30001)
        transport("proxied-tcp")
        flags(no-parse)
    );
};

loggen start: /install/bin/loggen --inet --proxied=1 --debug --number=1 localhost 30001

syslog-ng console log:

[2022-12-03T16:19:40.549883] Initializing PROXY protocol source driver; driver='0x5588a92d2350'
[2022-12-03T16:19:40.550089] PROXY header params; params='192.168.1.78 192.168.1.8 7044 514'
[2022-12-03T16:19:40.550107] PROXY protocol header received; version='1', header='PROXY TCP4 192.168.1.78 192.168.1.8 7044 514'
[2022-12-03T16:19:40.550110] PROXY protocol header parsed successfully;
[2022-12-03T16:19:40.550279] Freeing PROXY protocol source driver; driver='0x5588a92d2350'

syslog-ng config for TLS mode:

source source_15187006108793859882824973638716283917 {
    network (
        ip(localhost)
        port(30002)
        transport("proxied-tls-passthrough")
        flags(no-parse)
        tls(
        key-file(/source/tests/light/reports/2022-12-03-16-19-40-452969/test_pp_acceptance_1-native-tls-1_/server.key)
        cert-file(/source/tests/light/reports/2022-12-03-16-19-40-452969/test_pp_acceptance_1-native-tls-1_/server.crt)
        peer-verify("optional-untrusted")
        )
    );
};

loggen start: /install/bin/loggen --use-ssl --proxied=1 --proxied-tls-passthrough --debug --number=1 localhost 30002

syslog-ng console log:

[2022-12-03T16:19:43.782945] Initializing PROXY protocol source driver; driver='0x55a1a33e1250'
[2022-12-03T16:19:43.783147] PROXY header params; params='192.168.1.32 192.168.1.88 7966 514'
[2022-12-03T16:19:43.783165] PROXY protocol header received; version='1', header='PROXY TCP4 192.168.1.32 192.168.1.88 7966 514'
[2022-12-03T16:19:43.783168] PROXY protocol header parsed successfully;
[2022-12-03T16:19:43.791152] Incoming log entry; input='PROXY TCP4 192.168.1.98 192.168.1.62 5036 514', msg='0x7f44e0004000', rcptid='1'
[2022-12-03T16:19:43.791173] Setting value; name='MESSAGE', value='PROXY TCP4 192.168.1.98 192.168.1.62 5036 514', type='string', msg='0x7f44e0004000', rcptid='1'
[2022-12-03T16:19:43.791564] Freeing PROXY protocol source driver; driver='0x55a1a33e1250'
[2022-12-03T16:19:43.791633] Outgoing message; message='192.168.1.32 192.168.1.88 7966 514 4 PROXY TCP4 192.168.1.98 192.168.1.62 5036 514\x0a'

bazsi · 2022-12-04T07:54:06Z

There was an issue that loggen sent the PROXY header twice in --proxied-tls-passthrough mode, which I have now fixed.

But honestly, there's a BIG layering violation inside loggen, as the normal proxy header (and not the passthrough one) is generated as the part of the message stream, causing counters to be off by one.

I could add a hack to remove this from the counts, but that would just complicate stuff, the real solution would be to move the sending of the proxy header outside of the message stream.

loggen would definitely need some love, there's a lot of duplication in ssl_plugin/socket_plugin that could be shared and this is also an architectural problem. I made an attempt to at least fix this, but it's a larger scale change, unfortunately.

This is not a regression, both the duplication of the proxy header and the counting of messages have been there before I've added proxy v2 support.

So I would just merge this and get back to these issues at a later point.

mitzkia · 2022-12-05T08:05:29Z

Ok, thanks for the change and the clarification.
I can go further with the Light testcases (basic tests are passed for both TLS and non TLS cases), perhaps 1-2 days are needed.
What do you think separate branch for the Light testcases would be fine or you would like to add testcases on top of this branch?

bazsi · 2022-12-05T09:41:52Z

Ok, thanks for the change and the clarification. I can go further with the Light testcases (basic tests are passed for both TLS and non TLS cases), perhaps 1-2 days are needed. What do you think separate branch for the Light testcases would be fine or you would like to add testcases on top of this branch?

I have now added a simple unit test case to cover the v2 parsing code, so I think we can split off the light tests. These days as review capacity is pretty limited, I think it is easier to manage smaller PRs.

MrAnno · 2023-01-13T16:28:26Z

@kira-syslogng retest this please

lib/transport/logtransport.c

lib/logproto/logproto-proxied-text-server.c

MrAnno · 2023-03-02T15:18:02Z

I'm investigating a conditional jump/move on uninitialized value reported by valgrind:

==201328== Conditional jump or move depends on uninitialised value(s)
==201328==    at 0x5CE0D7A: ???
==201328==    by 0x68D0660: ???

MrAnno · 2023-03-02T15:27:43Z

It's an unrelated issue with a filter. LGTM otherwise.