From: Michael Brown
Date: Mon, 9 Feb 2026 12:06:36 +0000 (+0000)
Subject: [syslog] Allow port number to be specified for encrypted syslog server
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cd9b44e574340f234c9c0e968de30794469df613;p=thirdparty%2Fipxe.git
[syslog] Allow port number to be specified for encrypted syslog server
The original implementation in commit 943b300 ("[syslog] Add basic support for encrypted syslog via TLS") was based on examples found in the rsyslog documentation rather than on RFC 5425, and unfortunately used the default syslog port number 514 rather than the syslog-tls port number 6514 defined in the RFC. Extend parsing of the syslog server name to allow for an optional port number (in the relatively intuitive format "server[:port]"). Retain the existing (and incorrect) default port number to avoid breaking backwards compatibility with existing setups.
Reported-by: Christian Nilsson
Signed-off-by: Michael Brown
---
diff --git a/src/include/ipxe/errfile.h b/src/include/ipxe/errfile.h
index 8379adb13..27c2bb97c 100644
--- a/src/include/ipxe/errfile.h
+++ b/src/include/ipxe/errfile.h
@@ -322,6 +322,7 @@ FILE_SECBOOT ( PERMITTED );
 #define ERRFILE_lldp ( ERRFILE_NET | 0x004c0000 )
 #define ERRFILE_eap_md5 ( ERRFILE_NET | 0x004d0000 )
 #define ERRFILE_eap_mschapv2 ( ERRFILE_NET | 0x004e0000 )
+#define ERRFILE_syslogs ( ERRFILE_NET | 0x004f0000 )
 #define ERRFILE_image ( ERRFILE_IMAGE | 0x00000000 )
 #define ERRFILE_elf ( ERRFILE_IMAGE | 0x00010000 )
diff --git a/src/net/tcp/syslogs.c b/src/net/tcp/syslogs.c
index eff53ea94..78bc97519 100644
--- a/src/net/tcp/syslogs.c
+++ b/src/net/tcp/syslogs.c
@@ -33,6 +33,7 @@ FILE_SECBOOT ( PERMITTED );
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -54,9 +55,7 @@ FILE_SECBOOT ( PERMITTED );
 struct console_driver syslogs_console __console_driver;
 /** The encrypted syslog server */
-static struct sockaddr_tcpip logserver = {
- .st_port = htons ( SYSLOG_PORT ),
-};
+static struct sockaddr_tcpip logserver;
 /**
 * Handle encrypted syslog TLS interface close
@@ -211,6 +210,9 @@ const struct setting syslogs_setting __setting ( SETTING_MISC, syslogs ) = {
 static int apply_syslogs_settings ( void ) {
 static char *old_server;
 char *server;
+ char *sep;
+ char *end;
+ unsigned int port;
 int rc;
 /* Fetch log server */
@@ -236,7 +238,22 @@ static int apply_syslogs_settings ( void ) {
 rc = 0;
 goto out_no_server;
 }
- DBG ( "SYSLOGS using log server %s\n", server );
+
+ /* Identify port */
+ port = SYSLOG_PORT;
+ if ( ( sep = strrchr ( server, ':' ) ) &&
+ ( server[ strlen ( server ) - 1 ] != ']' ) ) {
+ *(sep++) = '\0';
+ port = strtoul ( sep, &end, 0 );
+ if ( *end || ( ! *sep ) ) {
+ DBG ( "SYSLOGS log server %s:%s has invalid port\n",
+ server, sep );
+ rc = -EINVAL;
+ goto err_port;
+ }
+ }
+ logserver.st_port = htons ( port );
+ DBG ( "SYSLOGS using log server %s:%d\n", server, port );
 /* Connect to log server */
 if ( ( rc = xfer_open_named_socket ( &syslogs, SOCK_STREAM,
@@ -256,12 +273,15 @@ static int apply_syslogs_settings ( void ) {
 /* Record log server */
 old_server = server;
+ if ( sep )
+ *(--sep) = ':';
 return 0;
 err_add_tls:
 err_open_named_socket:
 syslogs_close ( &syslogs, rc );
+ err_port:
 out_no_server:
 out_no_change:
 free ( server );
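Review bot: The port validation in the `@@ -236,7 +238,22 @@` hunk checks only that `strtoul` consumed a non-empty string, so a value outside 1–65535 is accepted and then silently truncated by `htons ( port )`; a typo can send the TLS log stream to an unintended port with no error reported. The test should bound the value, e.g. `if ( *end || ( ! *sep ) || ( port == 0 ) || ( port > 0xffff ) ) {`. Base `0` also means a zero-padded value such as `0514` is read as octal, which is worth either documenting or avoiding by passing base `10`. Separately, an unbracketed IPv6 literal is split at its last colon because only a trailing `]` suppresses the split; if such names were usable before this change, that is a compatibility break worth a comment. The body of `apply_syslogs_settings` starts and ends outside this hunk.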
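Review bot: In the `@@ -256,12 +273,15 @@` hunk, `if ( sep ) *(--sep) = ':';` also runs when no port was split off, because `sep` is assigned by `strrchr` inside the earlier condition even when the name ends in `]`. For a bracketed literal with no port this overwrites the byte before the last colon with `:`, and if that colon is the first character of the string the write lands before the start of the buffer. The recorded `old_server` then no longer matches the configured value, which presumably defeats the unchanged-server comparison made earlier in the function (outside this hunk). Clearing the pointer when the split is skipped fixes both, e.g. `sep = strrchr ( server, ':' );` followed by `if ( sep && ( server[ strlen ( server ) - 1 ] == ']' ) ) sep = NULL;` ahead of an `if ( sep ) {` port block.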