wgengine: add exit destination logging enable for wgengine logger (#11952)
Updates tailscale/corp#18625 Co-authored-by: Kevin Liang <kevinliang@tailscale.com> Signed-off-by: Claire Wang <claire@tailscale.com>
This commit is contained in:
parent
19b31ac9a6
commit
e0287a4b33
|
@ -93,7 +93,7 @@ var testClient *http.Client
|
||||||
// The IP protocol and source port are always zero.
|
// The IP protocol and source port are always zero.
|
||||||
// The sock is used to populated the PhysicalTraffic field in Message.
|
// The sock is used to populated the PhysicalTraffic field in Message.
|
||||||
// The netMon parameter is optional; if non-nil it's used to do faster interface lookups.
|
// The netMon parameter is optional; if non-nil it's used to do faster interface lookups.
|
||||||
func (nl *Logger) Startup(nodeID tailcfg.StableNodeID, nodeLogID, domainLogID logid.PrivateID, tun, sock Device, netMon *netmon.Monitor, health *health.Tracker) error {
|
func (nl *Logger) Startup(nodeID tailcfg.StableNodeID, nodeLogID, domainLogID logid.PrivateID, tun, sock Device, netMon *netmon.Monitor, health *health.Tracker, logExitFlowEnabledEnabled bool) error {
|
||||||
nl.mu.Lock()
|
nl.mu.Lock()
|
||||||
defer nl.mu.Unlock()
|
defer nl.mu.Unlock()
|
||||||
if nl.logger != nil {
|
if nl.logger != nil {
|
||||||
|
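Review bot: The new Startup parameter is named `logExitFlowEnabledEnabled` (doubled suffix) while the value it forwards to recordStatistics in the next hunk is `logExitFlowEnabled`; renaming it to `logExitFlowEnabled` keeps the two consistent and matches the config field. The doc comment above the signature describes tun, sock and netMon but says nothing about the new flag; add `// The logExitFlowEnabled parameter, when true, keeps the source and destination addresses of exit flows unanonymized in the recorded statistics.` Startup's body continues outside this hunk.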
@ -131,7 +131,7 @@ func (nl *Logger) Startup(nodeID tailcfg.StableNodeID, nodeLogID, domainLogID lo
|
||||||
addrs := nl.addrs
|
addrs := nl.addrs
|
||||||
prefixes := nl.prefixes
|
prefixes := nl.prefixes
|
||||||
nl.mu.Unlock()
|
nl.mu.Unlock()
|
||||||
recordStatistics(nl.logger, nodeID, start, end, virtual, physical, addrs, prefixes)
|
recordStatistics(nl.logger, nodeID, start, end, virtual, physical, addrs, prefixes, logExitFlowEnabledEnabled)
|
||||||
})
|
})
|
||||||
|
|
||||||
// Register the connection tracker into the TUN device.
|
// Register the connection tracker into the TUN device.
|
||||||
|
@ -151,7 +151,7 @@ func (nl *Logger) Startup(nodeID tailcfg.StableNodeID, nodeLogID, domainLogID lo
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func recordStatistics(logger *logtail.Logger, nodeID tailcfg.StableNodeID, start, end time.Time, connstats, sockStats map[netlogtype.Connection]netlogtype.Counts, addrs map[netip.Addr]bool, prefixes map[netip.Prefix]bool) {
|
func recordStatistics(logger *logtail.Logger, nodeID tailcfg.StableNodeID, start, end time.Time, connstats, sockStats map[netlogtype.Connection]netlogtype.Counts, addrs map[netip.Addr]bool, prefixes map[netip.Prefix]bool, logExitFlowEnabled bool) {
|
||||||
m := netlogtype.Message{NodeID: nodeID, Start: start.UTC(), End: end.UTC()}
|
m := netlogtype.Message{NodeID: nodeID, Start: start.UTC(), End: end.UTC()}
|
||||||
|
|
||||||
classifyAddr := func(a netip.Addr) (isTailscale, withinRoute bool) {
|
classifyAddr := func(a netip.Addr) (isTailscale, withinRoute bool) {
|
||||||
|
@ -180,7 +180,7 @@ func recordStatistics(logger *logtail.Logger, nodeID tailcfg.StableNodeID, start
|
||||||
m.SubnetTraffic = append(m.SubnetTraffic, netlogtype.ConnectionCounts{Connection: conn, Counts: cnts})
|
m.SubnetTraffic = append(m.SubnetTraffic, netlogtype.ConnectionCounts{Connection: conn, Counts: cnts})
|
||||||
default:
|
default:
|
||||||
const anonymize = true
|
const anonymize = true
|
||||||
if anonymize {
|
if anonymize && !logExitFlowEnabled {
|
||||||
// Only preserve the address if it is a Tailscale IP address.
|
// Only preserve the address if it is a Tailscale IP address.
|
||||||
srcOrig, dstOrig := conn.Src, conn.Dst
|
srcOrig, dstOrig := conn.Src, conn.Dst
|
||||||
conn = netlogtype.Connection{} // scrub everything by default
|
conn = netlogtype.Connection{} // scrub everything by default
|
||||||
|
|
|
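Review bot: The condition `if anonymize && !logExitFlowEnabled {` lets the flag bypass the scrubbing of src/dst for connections that reach the `default:` case, so a true value means non-Tailscale addresses are written to the network log, yet the surrounding comments (`// Only preserve the address if it is a Tailscale IP address.`, `// scrub everything by default`) still describe the unconditional behavior. Add a comment at the branch, e.g. `// When logExitFlowEnabled is set (NodeAttrLogExitFlows), exit flows are recorded with their endpoints intact; otherwise everything but Tailscale addresses is scrubbed.` Since `anonymize` is a constant true, the condition reduces to `!logExitFlowEnabled`; consider dropping the const rather than keeping a dead conjunct. recordStatistics continues outside this hunk.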
@ -965,8 +965,9 @@ func (e *userspaceEngine) Reconfig(cfg *wgcfg.Config, routerCfg *router.Config,
|
||||||
if netLogRunning && !e.networkLogger.Running() {
|
if netLogRunning && !e.networkLogger.Running() {
|
||||||
nid := cfg.NetworkLogging.NodeID
|
nid := cfg.NetworkLogging.NodeID
|
||||||
tid := cfg.NetworkLogging.DomainID
|
tid := cfg.NetworkLogging.DomainID
|
||||||
|
logExitFlowEnabled := cfg.NetworkLogging.LogExitFlowEnabled
|
||||||
e.logf("wgengine: Reconfig: starting up network logger (node:%s tailnet:%s)", nid.Public(), tid.Public())
|
e.logf("wgengine: Reconfig: starting up network logger (node:%s tailnet:%s)", nid.Public(), tid.Public())
|
||||||
if err := e.networkLogger.Startup(cfg.NodeID, nid, tid, e.tundev, e.magicConn, e.netMon, e.health); err != nil {
|
if err := e.networkLogger.Startup(cfg.NodeID, nid, tid, e.tundev, e.magicConn, e.netMon, e.health, logExitFlowEnabled); err != nil {
|
||||||
e.logf("wgengine: Reconfig: error starting up network logger: %v", err)
|
e.logf("wgengine: Reconfig: error starting up network logger: %v", err)
|
||||||
}
|
}
|
||||||
e.networkLogger.ReconfigRoutes(routerCfg)
|
e.networkLogger.ReconfigRoutes(routerCfg)
|
||||||
|
|
|
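Review bot: The flag is read only on the `!e.networkLogger.Running()` path and handed to Startup, which the first hunk shows capturing it in the statistics callback, so a later netmap that adds or removes NodeAttrLogExitFlows will not change what the running logger records until the logger is restarted; document that here or plumb the value through ReconfigRoutes if live updates are intended. Since this toggles whether exit-flow addresses are scrubbed, the startup log line should record it: `e.logf("wgengine: Reconfig: starting up network logger (node:%s tailnet:%s logExitFlows:%v)", nid.Public(), tid.Public(), logExitFlowEnabled)`. Reconfig begins and ends outside this hunk.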
@ -27,9 +27,11 @@ type Config struct {
|
||||||
|
|
||||||
// NetworkLogging enables network logging.
|
// NetworkLogging enables network logging.
|
||||||
// It is disabled if either ID is the zero value.
|
// It is disabled if either ID is the zero value.
|
||||||
|
// LogExitFlowEnabled indicates whether or not exit flows should be logged.
|
||||||
NetworkLogging struct {
|
NetworkLogging struct {
|
||||||
NodeID logid.PrivateID
|
NodeID logid.PrivateID
|
||||||
DomainID logid.PrivateID
|
DomainID logid.PrivateID
|
||||||
|
LogExitFlowEnabled bool
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
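Review bot: The comment `// LogExitFlowEnabled indicates whether or not exit flows should be logged.` is added to the block above `NetworkLogging struct {` rather than on the `LogExitFlowEnabled bool` field it describes, and per the recordStatistics hunk the flag does not decide whether exit flows are logged but whether their addresses are scrubbed. Move it onto the field as `// LogExitFlowEnabled, if true, records exit flows with their addresses unanonymized.` so the privacy effect is visible where the field is declared.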
@ -63,6 +63,7 @@ func WGCfg(nm *netmap.NetworkMap, logf logger.Logf, flags netmap.WGConfigFlags,
|
||||||
if nm.SelfNode.Valid() {
|
if nm.SelfNode.Valid() {
|
||||||
cfg.NodeID = nm.SelfNode.StableID()
|
cfg.NodeID = nm.SelfNode.StableID()
|
||||||
canNetworkLog := nm.SelfNode.HasCap(tailcfg.CapabilityDataPlaneAuditLogs)
|
canNetworkLog := nm.SelfNode.HasCap(tailcfg.CapabilityDataPlaneAuditLogs)
|
||||||
|
logExitFlowEnabled := nm.SelfNode.HasCap(tailcfg.NodeAttrLogExitFlows)
|
||||||
if canNetworkLog && nm.SelfNode.DataPlaneAuditLogID() != "" && nm.DomainAuditLogID != "" {
|
if canNetworkLog && nm.SelfNode.DataPlaneAuditLogID() != "" && nm.DomainAuditLogID != "" {
|
||||||
nodeID, errNode := logid.ParsePrivateID(nm.SelfNode.DataPlaneAuditLogID())
|
nodeID, errNode := logid.ParsePrivateID(nm.SelfNode.DataPlaneAuditLogID())
|
||||||
if errNode != nil {
|
if errNode != nil {
|
||||||
|
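Review bot: `logExitFlowEnabled := nm.SelfNode.HasCap(tailcfg.NodeAttrLogExitFlows)` is declared at the top of the `if nm.SelfNode.Valid()` body but only consumed in the inner `if errNode == nil && errDomain == nil` block of the following hunk; assign it there directly, `cfg.NetworkLogging.LogExitFlowEnabled = nm.SelfNode.HasCap(tailcfg.NodeAttrLogExitFlows)`, and drop the local. A short comment at that assignment noting that this single control-plane node attribute is what disables address scrubbing in the network log would help anyone auditing netmap handling. WGCfg continues outside both hunks.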
@ -75,6 +76,7 @@ func WGCfg(nm *netmap.NetworkMap, logf logger.Logf, flags netmap.WGConfigFlags,
|
||||||
if errNode == nil && errDomain == nil {
|
if errNode == nil && errDomain == nil {
|
||||||
cfg.NetworkLogging.NodeID = nodeID
|
cfg.NetworkLogging.NodeID = nodeID
|
||||||
cfg.NetworkLogging.DomainID = domainID
|
cfg.NetworkLogging.DomainID = domainID
|
||||||
|
cfg.NetworkLogging.LogExitFlowEnabled = logExitFlowEnabled
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -43,8 +43,9 @@ var _ConfigCloneNeedsRegeneration = Config(struct {
|
||||||
DNS []netip.Addr
|
DNS []netip.Addr
|
||||||
Peers []Peer
|
Peers []Peer
|
||||||
NetworkLogging struct {
|
NetworkLogging struct {
|
||||||
NodeID logid.PrivateID
|
NodeID logid.PrivateID
|
||||||
DomainID logid.PrivateID
|
DomainID logid.PrivateID
|
||||||
|
LogExitFlowEnabled bool
|
||||||
}
|
}
|
||||||
}{})
|
}{})
|
||||||
|
|
||||||
|
|