out_syslog: tls: io: Handle dtls protocol on out syslog

include/fluent-bit/flb_io.h

@@ -35,9 +35,11 @@
 #define FLB_IO_OPT_TLS     4  /* use TCP and optional TLS               */
 #define FLB_IO_ASYNC       8  /* use async mode (depends on event loop) */
 #define FLB_IO_TCP_KA     16  /* use async mode (depends on event loop) */
+#define FLB_IO_UDP        32  /* use plain UDP                          */
+#define FLB_IO_DTLS       64  /* use DTLS over UDP                      */
 
 /* Other features */
-#define FLB_IO_IPV6       32  /* network I/O uses IPv6                  */
+#define FLB_IO_IPV6      128  /* network I/O uses IPv6                  */
 
 struct flb_connection;
 

include/fluent-bit/flb_stream.h

@@ -136,7 +136,8 @@ static inline int flb_stream_is_keepalive(struct flb_stream *stream)
 
 static inline int flb_stream_is_secure(struct flb_stream *stream)
 {
-    return flb_stream_get_flag_status(stream, FLB_IO_TLS);
+    return flb_stream_get_flag_status(stream, FLB_IO_TLS) ||
+           flb_stream_get_flag_status(stream, FLB_IO_DTLS);
 }
 
 static inline int flb_stream_is_thread_safe(struct flb_stream *stream)
@@ -205,4 +206,4 @@ static inline int flb_stream_release_lock(struct flb_stream *stream)
     return result;
 }
 
-#endif
+#endif

include/fluent-bit/flb_upstream.h

@@ -41,6 +41,8 @@
  * --- flb_io.h ---
  *   #define  FLB_IO_TCP      1
  *   #define  FLB_IO_TLS      2
+ *   #define  FLB_IO_UDP     32
+ *   #define  FLB_IO_DTLS    64
  *   #define  FLB_IO_ASYNC    8
  *   #define  FLB_IO_TCP_KA  16
  * ---

include/fluent-bit/tls/flb_tls.h

@@ -46,6 +46,8 @@
 
 #define FLB_TLS_CLIENT_MODE 0
 #define FLB_TLS_SERVER_MODE 1
+#define FLB_TLS_CLIENT_MODE_DGRAM 2
+#define FLB_TLS_SERVER_MODE_DGRAM 3
 
 struct flb_tls;
 struct flb_connection;

plugins/out_syslog/syslog.c

@@ -25,6 +25,7 @@
 #include <fluent-bit/flb_pack.h>
 #include <fluent-bit/flb_sds.h>
 #include <fluent-bit/flb_log_event_decoder.h>
+#include <fluent-bit/tls/flb_tls.h>
 
 #include "syslog_conf.h"
 
@@ -101,6 +102,90 @@ static struct {
     { NULL,       0,-1  },
 };
 
+#ifdef FLB_HAVE_TLS
+static int syslog_configure_tls_options(struct flb_output_instance *ins)
+{
+    int ret;
+
+    if (ins->tls_verify_hostname == FLB_TRUE) {
+        ret = flb_tls_set_verify_hostname(ins->tls, ins->tls_verify_hostname);
+        if (ret == -1) {
+            return -1;
+        }
+    }
+
+    if (ins->tls_min_version != NULL || ins->tls_max_version != NULL) {
+        ret = flb_tls_set_minmax_proto(ins->tls,
+                                       ins->tls_min_version,
+                                       ins->tls_max_version);
+        if (ret != 0) {
+            return -1;
+        }
+    }
+
+    if (ins->tls_ciphers != NULL) {
+        ret = flb_tls_set_ciphers(ins->tls, ins->tls_ciphers);
+        if (ret != 0) {
+            return -1;
+        }
+    }
+
+#if defined(FLB_SYSTEM_WINDOWS)
+    if (ins->tls_win_use_enterprise_certstore) {
+        ret = flb_tls_set_use_enterprise_store(ins->tls,
+                                               ins->tls_win_use_enterprise_certstore);
+        if (ret == -1) {
+            return -1;
+        }
+    }
+
+    if (ins->tls_win_thumbprints) {
+        ret = flb_tls_set_client_thumbprints(ins->tls, ins->tls_win_thumbprints);
+        if (ret == -1) {
+            return -1;
+        }
+    }
+
+    if (ins->tls_win_certstore_name) {
+        ret = flb_tls_set_certstore_name(ins->tls, ins->tls_win_certstore_name);
+        if (ret == -1) {
+            return -1;
+        }
+
+        ret = flb_tls_load_system_certificates(ins->tls);
+        if (ret == -1) {
+            return -1;
+        }
+    }
+#endif
+
+    return 0;
+}
+
+static int syslog_configure_dtls_context(struct flb_output_instance *ins)
+{
+    if (ins->tls != NULL) {
+        flb_tls_destroy(ins->tls);
+        ins->tls = NULL;
+    }
+
+    ins->tls = flb_tls_create(FLB_TLS_CLIENT_MODE_DGRAM,
+                              ins->tls_verify,
+                              ins->tls_debug,
+                              ins->tls_vhost,
+                              ins->tls_ca_path,
+                              ins->tls_ca_file,
+                              ins->tls_crt_file,
+                              ins->tls_key_file,
+                              ins->tls_key_passwd);
+    if (ins->tls == NULL) {
+        return -1;
+    }
+
+    return syslog_configure_tls_options(ins);
+}
+#endif
+
 /* '"', '\' ']' */
 static char rfc5424_sp_value[256] = {
     0, 0, 0 , 0, 0, 0, 0, 0, 0, 0, 0, 0, 0  , 0 , 0, 0,
@@ -894,6 +979,7 @@ static void cb_syslog_flush(struct flb_event_chunk *event_chunk,
 static int cb_syslog_init(struct flb_output_instance *ins, struct flb_config *config,
                           void *data)
 {
+    int ret;
     int io_flags;
     struct flb_syslog *ctx = NULL;
 
@@ -926,9 +1012,30 @@ static int cb_syslog_init(struct flb_output_instance *ins, struct flb_config *co
         }
     }
     else {
+#ifdef FLB_HAVE_TLS
+        if (ctx->parsed_mode == FLB_SYSLOG_DTLS) {
+            ret = syslog_configure_dtls_context(ins);
+            if (ret != 0) {
+                flb_plg_error(ins, "could not initialize DTLS context");
+                flb_syslog_config_destroy(ctx);
+                return -1;
+            }
+        }
+#else
+        if (ctx->parsed_mode == FLB_SYSLOG_DTLS) {
+            flb_plg_error(ins, "could not initialize DTLS context");
+            flb_syslog_config_destroy(ctx);
+            return -1;
+        }
+#endif
 
-        /* use TLS ? */
-        if (ins->use_tls == FLB_TRUE) {
+        if (ctx->parsed_mode == FLB_SYSLOG_UDP) {
+            io_flags = FLB_IO_UDP;
+        }
+        else if (ctx->parsed_mode == FLB_SYSLOG_DTLS) {
+            io_flags = FLB_IO_DTLS;
+        }
+        else if (ins->use_tls == FLB_TRUE) {
             io_flags = FLB_IO_TLS;
         }
         else {
@@ -940,15 +1047,15 @@ static int cb_syslog_init(struct flb_output_instance *ins, struct flb_config *co
         }
 
         ctx->u = flb_upstream_create(config, ins->host.name, ins->host.port,
-                                             io_flags, ins->tls);
+                                     io_flags, ins->tls);
         if (!(ctx->u)) {
             flb_syslog_config_destroy(ctx);
             return -1;
         }
         flb_output_upstream_set(ctx->u, ins);
     }
 
-    /* Set the plugin context */
+    /* Set the plugin context for all modes, including UDP. */
     flb_output_set_context(ins, ctx);
 
     flb_plg_info(ctx->ins, "setup done for %s:%i (TLS=%s)",
@@ -1046,9 +1153,8 @@ static struct flb_config_map config_map[] = {
     {
      FLB_CONFIG_MAP_STR, "mode", "udp",
      0, FLB_TRUE, offsetof(struct flb_syslog, mode),
-     "Set the desired transport type, the available options are tcp and udp. If you need to "
-     "use a TLS secure channel, choose 'tcp' mode here and enable the 'tls' option separately. "
-     "DTLS over udp is not supported by this plugin."
+     "Set the desired transport type, the available options are udp, tcp, tls and dtls. "
+     "Use tls=on together with mode=dtls."
     },
 
     {

plugins/out_syslog/syslog_conf.c

@@ -87,9 +87,6 @@ struct flb_syslog *flb_syslog_config_create(struct flb_output_instance *ins,
         return NULL;
     }
 
-    /* Set context */
-    flb_output_set_context(ins, ctx);
-
     /* Config Mode */
     tmp = flb_output_get_property("mode", ins);
     if (tmp) {
@@ -102,6 +99,9 @@ struct flb_syslog *flb_syslog_config_create(struct flb_output_instance *ins,
         else if (!strcasecmp(tmp, "udp")) {
             ctx->parsed_mode = FLB_SYSLOG_UDP;
         }
+        else if (!strcasecmp(tmp, "dtls")) {
+            ctx->parsed_mode = FLB_SYSLOG_DTLS;
+        }
         else {
             flb_plg_error(ctx->ins, "unknown syslog mode %s", tmp);
             flb_syslog_config_destroy(ctx);
@@ -111,8 +111,15 @@ struct flb_syslog *flb_syslog_config_create(struct flb_output_instance *ins,
 
     if (ctx->parsed_mode == FLB_SYSLOG_UDP && ins->use_tls == FLB_TRUE) {
         flb_plg_error(ctx->ins,
-                      "invalid configuration: mode=udp with tls=on is unsupported "
-                      "(DTLS is not implemented)");
+                      "invalid configuration: mode=udp with tls=on is unsupported; "
+                      "use mode=dtls for secure datagram transport");
+        flb_syslog_config_destroy(ctx);
+        return NULL;
+    }
+
+    if (ctx->parsed_mode == FLB_SYSLOG_DTLS && ins->use_tls == FLB_FALSE) {
+        flb_plg_error(ctx->ins,
+                      "invalid configuration: mode=dtls requires tls=on");
         flb_syslog_config_destroy(ctx);
         return NULL;
     }
@@ -161,6 +168,9 @@ struct flb_syslog *flb_syslog_config_create(struct flb_output_instance *ins,
         }
     }
 
+    /* Set context after validation succeeds */
+    flb_output_set_context(ins, ctx);
+
     return ctx;
 }
 

plugins/out_syslog/syslog_conf.h

@@ -28,6 +28,7 @@
 #define FLB_SYSLOG_UDP 0
 #define FLB_SYSLOG_TCP 1
 #define FLB_SYSLOG_TLS 2
+#define FLB_SYSLOG_DTLS 3
 
 #define FLB_SYSLOG_RFC3164 0
 #define FLB_SYSLOG_RFC5424 1

src/flb_connection.c

@@ -97,11 +97,20 @@ static void compose_user_friendly_remote_host(struct flb_connection *connection)
                  connection->remote_port);
     }
     else if (connection_type == FLB_TRANSPORT_UDP) {
-        snprintf(connection->user_friendly_remote_host,
-                 sizeof(connection->user_friendly_remote_host),
-                 "udp://%s:%u",
-                 connection->remote_host,
-                 connection->remote_port);
+        if (flb_stream_get_flag_status(connection->stream, FLB_IO_DTLS)) {
+            snprintf(connection->user_friendly_remote_host,
+                     sizeof(connection->user_friendly_remote_host),
+                     "dtls://%s:%u",
+                     connection->remote_host,
+                     connection->remote_port);
+        }
+        else {
+            snprintf(connection->user_friendly_remote_host,
+                     sizeof(connection->user_friendly_remote_host),
+                     "udp://%s:%u",
+                     connection->remote_host,
+                     connection->remote_port);
+        }
     }
     else if (connection_type == FLB_TRANSPORT_UNIX_STREAM) {
         snprintf(connection->user_friendly_remote_host,
@@ -254,4 +263,4 @@ void flb_connection_unset_io_timeout(struct flb_connection *connection)
     assert(connection != NULL);
 
     connection->ts_io_timeout = -1;
-}
+}