From 2327c6b05f04823e02866122ddad3177f7d3ecec Mon Sep 17 00:00:00 2001
From: Joe Tsai
Date: Wed, 2 Nov 2022 14:25:31 -0700
Subject: [PATCH] wgengine/netlog: preserve Tailscale addresses for exit traffic (#6165)

Exit node traffic is aggregated to protect the privacy of those using an exit node. However, it is reasonable to at least log which nodes are making most use of an exit node. For a node using an exit node, the source will be the taiscale IP address of itself, while the destination will be zeroed out. For a node that serves as an exit node, the source will be zeroed out, while the destination will be tailscale IP address of the node that initiated the exit traffic.

Signed-off-by: Joe Tsai
---
wgengine/netlog/logger.go | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/wgengine/netlog/logger.go b/wgengine/netlog/logger.go
index 9767d88a9..3d14da0f0 100644
--- a/wgengine/netlog/logger.go
+++ b/wgengine/netlog/logger.go
@@ -187,11 +187,13 @@ func recordStatistics(logger *logtail.Logger, nodeID tailcfg.StableNodeID, start
for p := range prefixes {
if p.Contains(a) && p.Bits() > 0 {
withinRoute = true
+ break
}
}
return withinRoute && tsaddr.IsTailscaleIP(a), withinRoute && !tsaddr.IsTailscaleIP(a)
}

+ exitTraffic := make(map[netlogtype.Connection]netlogtype.Counts)
for conn, cnts := range tunStats {
srcIsTailscaleIP, srcWithinSubnet := classifyAddr(conn.Src.Addr())
dstIsTailscaleIP, dstWithinSubnet := classifyAddr(conn.Dst.Addr())
@@ -203,15 +205,22 @@ func recordStatistics(logger *logtail.Logger, nodeID tailcfg.StableNodeID, start
default:
const anonymize = true
if anonymize {
- if len(m.ExitTraffic) == 0 {
- m.ExitTraffic = []netlogtype.ConnectionCounts{{}}
+ // Only preserve the address if it is a Tailscale IP address.
+ srcOrig, dstOrig := conn.Src, conn.Dst
+ conn = netlogtype.Connection{} // scrub everything by default
+ if srcIsTailscaleIP {
+ conn.Src = netip.AddrPortFrom(srcOrig.Addr(), 0)
+ }
+ if dstIsTailscaleIP {
+ conn.Dst = netip.AddrPortFrom(dstOrig.Addr(), 0)
}
- m.ExitTraffic[0].Counts = m.ExitTraffic[0].Counts.Add(cnts)
- } else {
- m.ExitTraffic = append(m.ExitTraffic, netlogtype.ConnectionCounts{Connection: conn, Counts: cnts})
}
+ exitTraffic[conn] = exitTraffic[conn].Add(cnts)
}
}
+ for conn, cnts := range exitTraffic {
+ m.ExitTraffic = append(m.ExitTraffic, netlogtype.ConnectionCounts{Connection: conn, Counts: cnts})
+ }
for conn, cnts := range sockStats {
m.PhysicalTraffic = append(m.PhysicalTraffic, netlogtype.ConnectionCounts{Connection: conn, Counts: cnts})
}
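Review bot: The new comment `// Only preserve the address if it is a Tailscale IP address.` understates the privacy rule this branch enforces: per `classifyAddr` in the preceding hunk, `srcIsTailscaleIP`/`dstIsTailscaleIP` are set only when the address is both a Tailscale IP and inside one of `prefixes` (with `p.Bits() > 0`), the rewrite also drops both ports via `netip.AddrPortFrom(..., 0)`, and `conn = netlogtype.Connection{}` zeroes every other field of the connection key (presumably including a protocol field, if the type has one). Since this is the boundary that keeps exit-node logs from revealing which remote hosts a user contacted, I would state it explicitly: `// Privacy boundary for exit traffic: drop the non-Tailscale endpoint, both ports and every other key field; keep only a Tailscale address that classifyAddr matched against prefixes, so exit usage is attributable per node but never per remote host.` With the `else` branch deleted, `const anonymize = true` / `if anonymize {` is now an always-true guard around the only code path, so consider removing it rather than leaving what reads like a switchable setting. `m.ExitTraffic` is now built by ranging over the `exitTraffic` map, so record order varies run to run; if anything downstream diffs or golden-tests these records, sort before appending. The enclosing `recordStatistics` starts and ends outside this hunk.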