Date:      Fri, 22 Jun 2018 22:28:55 +0200
From:      Ed Schouten <ed@nuxi.nl>
To:        Michael Grimm <trashcan@ellael.org>
Cc:        FreeBSD-STABLE Mailing List <freebsd-stable@freebsd.org>, theis@gmx.at,  Gleb Smirnoff <glebius@freebsd.org>, "ed@FreeBSD.org" <ed@freebsd.org>,  Mailing List FreeBSD Ports <freebsd-ports@freebsd.org>
Subject:   Re: py-fail2ban turned silent after syslogd rollout (r335059, stable/11)
Message-ID:  <CABh_MKnGLVtaDZ0_0p2N2JEOBHrOV%2Bryz2bf_1yCJjQHoCJ9OQ@mail.gmail.com>
In-Reply-To: <1A5B44D8-28B0-49C9-B88D-EE6EBEE8788D@ellael.org>
References:  <590A1B87-464D-455C-A03D-9908EB7AF286@ellael.org> <20180622155922.GA61217@plan-b.pwste.edu.pl> <697FFEFE-6AFB-45CE-ADCD-4DB10286E68B@ellael.org> <CABh_MKkdObTmbNXnKrudyHjkd8s3aukUUC=Vee%2BRShJepWpwNg@mail.gmail.com> <851C065F-0E02-425C-B4AF-8FCE0E405F8E@ellael.org> <1A5B44D8-28B0-49C9-B88D-EE6EBEE8788D@ellael.org>


[-- Attachment #1 --]
Hi Michael,

2018-06-22 22:06 GMT+02:00 Michael Grimm <trashcan@ellael.org>:
> After applying your patch:
>         Jun 22 21:22:01 HOSTNAME <daemon.notice> [31033]: NOTICE [JAILNAME] Unban x.x.x.x
>
> Watch: 'fail2ban.actions' -the service- is missing.

That's most likely because the parser now interprets the first word of
the message as the remote hostname, which is then discarded.

Attached is a somewhat refined patch that only tries to parse the
hostname in remote messages if they are preceded by a timestamp. If
the timestamp is missing, it assumes the entire payload is the
message. Can you give this one a try? Thanks!

-- 
Ed Schouten <ed@nuxi.nl>
Nuxi, 's-Hertogenbosch, the Netherlands

[-- Attachment #2 --]
Index: usr.sbin/syslogd/syslogd.c
===================================================================
--- usr.sbin/syslogd/syslogd.c	(revision 335314)
+++ usr.sbin/syslogd/syslogd.c	(working copy)
@@ -1172,69 +1172,71 @@
 	size_t i, msglen;
 	char line[MAXLINE + 1];
 
-	/* Parse the timestamp provided by the remote side. */
-	if (strptime(msg, RFC3164_DATEFMT, &tm_parsed) !=
-	    msg + RFC3164_DATELEN || msg[RFC3164_DATELEN] != ' ') {
-		dprintf("Failed to parse TIMESTAMP from %s: %s\n", from, msg);
-		return;
-	}
-	msg += RFC3164_DATELEN + 1;
+	/*
+	 * Parse the TIMESTAMP provided by the remote side. If none is
+	 * found, assume this is not an RFC 3164 formatted message,
+	 * only containing a TAG and a MSG.
+	 */
+	timestamp = NULL;
+	if (strptime(msg, RFC3164_DATEFMT, &tm_parsed) ==
+	    msg + RFC3164_DATELEN && msg[RFC3164_DATELEN] == ' ') {
+		msg += RFC3164_DATELEN + 1;
+		if (!RemoteAddDate) {
+			struct tm tm_now;
+			time_t t_now;
+			int year;
 
-	if (!RemoteAddDate) {
-		struct tm tm_now;
-		time_t t_now;
-		int year;
+			/*
+			 * As the timestamp does not contain the year
+			 * number, daylight saving time information, nor
+			 * a time zone, attempt to infer it. Due to
+			 * clock skews, the timestamp may even be part
+			 * of the next year. Use the last year for which
+			 * the timestamp is at most one week in the
+			 * future.
+			 *
+			 * This loop can only run for at most three
+			 * iterations before terminating.
+			 */
+			t_now = time(NULL);
+			localtime_r(&t_now, &tm_now);
+			for (year = tm_now.tm_year + 1;; --year) {
+				assert(year >= tm_now.tm_year - 1);
+				timestamp_remote.tm = tm_parsed;
+				timestamp_remote.tm.tm_year = year;
+				timestamp_remote.tm.tm_isdst = -1;
+				timestamp_remote.usec = 0;
+				if (mktime(&timestamp_remote.tm) <
+				    t_now + 7 * 24 * 60 * 60)
+					break;
+			}
+			timestamp = &timestamp_remote;
+		}
 
 		/*
-		 * As the timestamp does not contain the year number,
-		 * daylight saving time information, nor a time zone,
-		 * attempt to infer it. Due to clock skews, the
-		 * timestamp may even be part of the next year. Use the
-		 * last year for which the timestamp is at most one week
-		 * in the future.
-		 *
-		 * This loop can only run for at most three iterations
-		 * before terminating.
+		 * A single space character MUST also follow the HOSTNAME field.
 		 */
-		t_now = time(NULL);
-		localtime_r(&t_now, &tm_now);
-		for (year = tm_now.tm_year + 1;; --year) {
-			assert(year >= tm_now.tm_year - 1);
-			timestamp_remote.tm = tm_parsed;
-			timestamp_remote.tm.tm_year = year;
-			timestamp_remote.tm.tm_isdst = -1;
-			timestamp_remote.usec = 0;
-			if (mktime(&timestamp_remote.tm) <
-			    t_now + 7 * 24 * 60 * 60)
+		msglen = strlen(msg);
+		for (i = 0; i < MIN(MAXHOSTNAMELEN, msglen); i++) {
+			if (msg[i] == ' ') {
+				if (RemoteHostname) {
+					msg[i] = '\0';
+					from = msg;
+				}
+				msg += i + 1;
 				break;
-		}
-		timestamp = &timestamp_remote;
-	} else
-		timestamp = NULL;
-
-	/*
-	 * A single space character MUST also follow the HOSTNAME field.
-	 */
-	msglen = strlen(msg);
-	for (i = 0; i < MIN(MAXHOSTNAMELEN, msglen); i++) {
-		if (msg[i] == ' ') {
-			if (RemoteHostname) {
-				msg[i] = '\0';
-				from = msg;
 			}
-			msg += i + 1;
-			break;
+			/*
+			 * Support non RFC compliant messages, without hostname.
+			 */
+			if (msg[i] == ':')
+				break;
 		}
-		/*
-		 * Support non RFC compliant messages, without hostname.
-		 */
-		if (msg[i] == ':')
-			break;
+		if (i == MIN(MAXHOSTNAMELEN, msglen)) {
+			dprintf("Invalid HOSTNAME from %s: %s\n", from, msg);
+			return;
+		}
 	}
-	if (i == MIN(MAXHOSTNAMELEN, msglen)) {
-		dprintf("Invalid HOSTNAME from %s: %s\n", from, msg);
-		return;
-	}
 
 	/* Remove the TAG, if present. */
 	parsemsg_rfc3164_app_name_procid(&msg, &app_name, &procid);
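Review bot: The fallback path for a message without a TIMESTAMP is silent and unannotated: the old `dprintf("Failed to parse TIMESTAMP ...")` is dropped, so a malformed or deliberately odd remote message now takes the relaxed path with no trace, and a reader reaching the `}` that closes the timestamp branch cannot see that `msg` still points at the start of the payload, `timestamp` is NULL and `from` is still the peer address. Keeping the diagnostic on an else branch preserves the debugging signal without changing behaviour, e.g. `} else {` / `dprintf("No TIMESTAMP from %s, treating payload as TAG and MSG: %s\n", from, msg);` / `}` placed before the `/* Remove the TAG, if present. */` line. It is also worth a short comment there stating that on this path the HOSTNAME field is never parsed, so the remote-supplied hostname cannot replace `from` even with RemoteHostname set; the timestamp branch, by contrast, still assigns `from = msg` from the unvalidated payload with only the MAXHOSTNAMELEN bound, which predates this change but is the only place the peer can influence the logged origin. The enclosing function begins before the hunk (the `i`/`msglen` declarations are its locals) and continues after it.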
