From e0287a4b33bb300798e4dbf7ce94997b81669df7 Mon Sep 17 00:00:00 2001
From: Claire Wang
Date: Thu, 2 May 2024 13:55:05 -0400
Subject: [PATCH] wgengine: add exit destination logging enable for wgengine logger (#11952)
Updates tailscale/corp#18625
Co-authored-by: Kevin Liang
Signed-off-by: Claire Wang
---
wgengine/netlog/logger.go | 8 ++++----
wgengine/userspace.go | 3 ++-
wgengine/wgcfg/config.go | 6 ++++--
wgengine/wgcfg/nmcfg/nmcfg.go | 2 ++
wgengine/wgcfg/wgcfg_clone.go | 5 +++--
5 files changed, 15 insertions(+), 9 deletions(-)
diff --git a/wgengine/netlog/logger.go b/wgengine/netlog/logger.go
index 4614caf24..3a696b246 100644
--- a/wgengine/netlog/logger.go
+++ b/wgengine/netlog/logger.go
@@ -93,7 +93,7 @@ func (nl *Logger) Running() bool {
 // The IP protocol and source port are always zero.
 // The sock is used to populated the PhysicalTraffic field in Message.
 // The netMon parameter is optional; if non-nil it's used to do faster interface lookups.
-func (nl *Logger) Startup(nodeID tailcfg.StableNodeID, nodeLogID, domainLogID logid.PrivateID, tun, sock Device, netMon *netmon.Monitor, health *health.Tracker) error {
+func (nl *Logger) Startup(nodeID tailcfg.StableNodeID, nodeLogID, domainLogID logid.PrivateID, tun, sock Device, netMon *netmon.Monitor, health *health.Tracker, logExitFlowEnabledEnabled bool) error {
 nl.mu.Lock()
 defer nl.mu.Unlock()
 if nl.logger != nil {
@@ -131,7 +131,7 @@ func (nl *Logger) Startup(nodeID tailcfg.StableNodeID, nodeLogID, domainLogID lo
 addrs := nl.addrs
 prefixes := nl.prefixes
 nl.mu.Unlock()
- recordStatistics(nl.logger, nodeID, start, end, virtual, physical, addrs, prefixes)
+ recordStatistics(nl.logger, nodeID, start, end, virtual, physical, addrs, prefixes, logExitFlowEnabledEnabled)
 })
 // Register the connection tracker into the TUN device.
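Review bot: The new Startup parameter is spelled `logExitFlowEnabledEnabled` in the signature at @@ -93 and again in the recordStatistics call at @@ -131; the doubled suffix looks like a typo, since the same value is `logExitFlowEnabled` in recordStatistics itself and in userspace.go's call, so rename it `logExitFlowEnabled bool` in both places. The doc comment directly above the signature describes sock and netMon but says nothing about the new flag, and it changes what the audit log retains, so add a line such as `// If logExitFlowEnabled is set, the non-Tailscale addresses of exit-node traffic are kept in the log instead of being scrubbed.` (that description is inferred from the anonymize change later in this file). Startup's body continues outside both hunks.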
@@ -151,7 +151,7 @@ func (nl *Logger) Startup(nodeID tailcfg.StableNodeID, nodeLogID, domainLogID lo
 return nil
 }
-func recordStatistics(logger *logtail.Logger, nodeID tailcfg.StableNodeID, start, end time.Time, connstats, sockStats map[netlogtype.Connection]netlogtype.Counts, addrs map[netip.Addr]bool, prefixes map[netip.Prefix]bool) {
+func recordStatistics(logger *logtail.Logger, nodeID tailcfg.StableNodeID, start, end time.Time, connstats, sockStats map[netlogtype.Connection]netlogtype.Counts, addrs map[netip.Addr]bool, prefixes map[netip.Prefix]bool, logExitFlowEnabled bool) {
 m := netlogtype.Message{NodeID: nodeID, Start: start.UTC(), End: end.UTC()}
 classifyAddr := func(a netip.Addr) (isTailscale, withinRoute bool) {
@@ -180,7 +180,7 @@ func recordStatistics(logger *logtail.Logger, nodeID tailcfg.StableNodeID, start
 m.SubnetTraffic = append(m.SubnetTraffic, netlogtype.ConnectionCounts{Connection: conn, Counts: cnts})
 default:
 const anonymize = true
- if anonymize {
+ if anonymize && !logExitFlowEnabled {
 // Only preserve the address if it is a Tailscale IP address.
 srcOrig, dstOrig := conn.Src, conn.Dst
 conn = netlogtype.Connection{} // scrub everything by default
diff --git a/wgengine/userspace.go b/wgengine/userspace.go
index 3981a53ef..b7fa9d02e 100644
--- a/wgengine/userspace.go
+++ b/wgengine/userspace.go
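Review bot: `if anonymize && !logExitFlowEnabled {` at @@ -180 skips the scrub branch entirely when the flag is set, so in the default (exit-traffic) case conn.Src and conn.Dst now appear to reach the message unmodified; that is a deliberate widening of what the data-plane audit log retains, and the comment `// Only preserve the address if it is a Tailscale IP address.` now describes only the scrubbed path. Because `anonymize` is a constant `true`, the condition reduces to `!logExitFlowEnabled`; consider dropping the const and stating the policy in one comment, e.g. `// Exit traffic is reduced to its Tailscale-side address unless this node has been granted exit-flow logging.` recordStatistics at @@ -151 has no doc comment, so the new parameter should get a sentence there naming the field it affects. The rest of the scrub branch and the ExitTraffic append lie outside the hunk, so which side is retained in full is inferred.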
@@ -965,8 +965,9 @@ func (e *userspaceEngine) Reconfig(cfg *wgcfg.Config, routerCfg *router.Config,
 if netLogRunning && !e.networkLogger.Running() {
 nid := cfg.NetworkLogging.NodeID
 tid := cfg.NetworkLogging.DomainID
+ logExitFlowEnabled := cfg.NetworkLogging.LogExitFlowEnabled
 e.logf("wgengine: Reconfig: starting up network logger (node:%s tailnet:%s)", nid.Public(), tid.Public())
- if err := e.networkLogger.Startup(cfg.NodeID, nid, tid, e.tundev, e.magicConn, e.netMon, e.health); err != nil {
+ if err := e.networkLogger.Startup(cfg.NodeID, nid, tid, e.tundev, e.magicConn, e.netMon, e.health, logExitFlowEnabled); err != nil {
 e.logf("wgengine: Reconfig: error starting up network logger: %v", err)
 }
 e.networkLogger.ReconfigRoutes(routerCfg)
diff --git a/wgengine/wgcfg/config.go b/wgengine/wgcfg/config.go
index 76583a8e8..f5ba994a7 100644
--- a/wgengine/wgcfg/config.go
+++ b/wgengine/wgcfg/config.go
@@ -27,9 +27,11 @@ type Config struct {
 // NetworkLogging enables network logging.
 // It is disabled if either ID is the zero value.
+ // LogExitFlowEnabled indicates whether or not exit flows should be logged.
 NetworkLogging struct {
- NodeID logid.PrivateID
- DomainID logid.PrivateID
+ NodeID logid.PrivateID
+ DomainID logid.PrivateID
+ LogExitFlowEnabled bool
 }
 }
diff --git a/wgengine/wgcfg/nmcfg/nmcfg.go b/wgengine/wgcfg/nmcfg/nmcfg.go
index d4cb8b042..ec37e1038 100644
--- a/wgengine/wgcfg/nmcfg/nmcfg.go
+++ b/wgengine/wgcfg/nmcfg/nmcfg.go
@@ -63,6 +63,7 @@ func WGCfg(nm *netmap.NetworkMap, logf logger.Logf, flags netmap.WGConfigFlags,
 if nm.SelfNode.Valid() {
 cfg.NodeID = nm.SelfNode.StableID()
 canNetworkLog := nm.SelfNode.HasCap(tailcfg.CapabilityDataPlaneAuditLogs)
+ logExitFlowEnabled := nm.SelfNode.HasCap(tailcfg.NodeAttrLogExitFlows)
 if canNetworkLog && nm.SelfNode.DataPlaneAuditLogID() != "" && nm.DomainAuditLogID != "" {
 nodeID, errNode := logid.ParsePrivateID(nm.SelfNode.DataPlaneAuditLogID())
 if errNode != nil {
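Review bot: The flag is read from cfg only on the path guarded by `!e.networkLogger.Running()`, so once the logger is up a later Reconfig that carries `LogExitFlowEnabled == false` (capability revoked) does not reach Startup and the running logger keeps recording unscrubbed exit addresses until it is stopped; whether something else triggers a Shutdown in that case is not visible here, so either confirm that or note it in a comment on the new line. For operator visibility the startup log line two lines below should record the mode, e.g. `e.logf("wgengine: Reconfig: starting up network logger (node:%s tailnet:%s exitFlows:%v)", nid.Public(), tid.Public(), logExitFlowEnabled)`, since that message is the only trace that address scrubbing was disabled on this node. The surrounding Reconfig body starts and ends outside the hunk.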
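Review bot: The added comment `// LogExitFlowEnabled indicates whether or not exit flows should be logged.` sits above `NetworkLogging struct {` rather than on the field, so it reads as part of the NetworkLogging doc and does not attach to LogExitFlowEnabled in godoc; move it onto the field inside the struct. Its wording is also imprecise: judging by the logger.go hunk, exit flows are logged either way and the flag only controls whether their non-Tailscale addresses are kept instead of scrubbed, so something like `LogExitFlowEnabled bool // keep (do not scrub) non-Tailscale addresses of exit traffic` states the actual effect. Keeping the NetworkLogging comment's "disabled if either ID is the zero value" sentence unchanged is correct, since the flag has no effect on that.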
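Review bot: `logExitFlowEnabled := nm.SelfNode.HasCap(tailcfg.NodeAttrLogExitFlows)` is declared next to canNetworkLog but is only consumed inside the `if errNode == nil && errDomain == nil` block in the following hunk (@@ -75), so the capability check is separated from the assignment it feeds. Assigning `cfg.NetworkLogging.LogExitFlowEnabled = nm.SelfNode.HasCap(tailcfg.NodeAttrLogExitFlows)` directly at that site keeps the check beside its use and makes it obvious that the flag is only ever set when both audit-log IDs parsed, i.e. never on a node that is not network-logging at all. WGCfg's body starts before this hunk and continues past the next one.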
@@ -75,6 +76,7 @@ func WGCfg(nm *netmap.NetworkMap, logf logger.Logf, flags netmap.WGConfigFlags,
 if errNode == nil && errDomain == nil {
 cfg.NetworkLogging.NodeID = nodeID
 cfg.NetworkLogging.DomainID = domainID
+ cfg.NetworkLogging.LogExitFlowEnabled = logExitFlowEnabled
 }
 }
 }
diff --git a/wgengine/wgcfg/wgcfg_clone.go b/wgengine/wgcfg/wgcfg_clone.go
index 4a2288f1e..51384639a 100644
--- a/wgengine/wgcfg/wgcfg_clone.go
+++ b/wgengine/wgcfg/wgcfg_clone.go
@@ -43,8 +43,9 @@ func (src *Config) Clone() *Config {
 DNS []netip.Addr
 Peers []Peer
 NetworkLogging struct {
- NodeID logid.PrivateID
- DomainID logid.PrivateID
+ NodeID logid.PrivateID
+ DomainID logid.PrivateID
+ LogExitFlowEnabled bool
 }
 }{})