wgengine: add exit destination logging enable for wgengine logger

Updates tailscale/corp#18625
3 weeks ago · 3322a18516
parent 9258bcc360
commit 3322a18516
6 changed files with 214 additions and 9 deletions
--- a/wgengine/netlog/logger.go
+++ b/wgengine/netlog/logger.go
@ -92,7 +92,7 @@ var testClient *http.Client
 // The IP protocol and source port are always zero.
 // The sock is used to populated the PhysicalTraffic field in Message.
 // The netMon parameter is optional; if non-nil it's used to do faster interface lookups.
-func (nl *Logger) Startup(nodeID tailcfg.StableNodeID, nodeLogID, domainLogID logid.PrivateID, tun, sock Device, netMon *netmon.Monitor) error {
+func (nl *Logger) Startup(nodeID tailcfg.StableNodeID, nodeLogID, domainLogID logid.PrivateID, tun, sock Device, netMon *netmon.Monitor, exitDstEnabled bool) error {
 	nl.mu.Lock()
 	defer nl.mu.Unlock()
 	if nl.logger != nil {
@ -130,7 +130,7 @@ func (nl *Logger) Startup(nodeID tailcfg.StableNodeID, nodeLogID, domainLogID lo
 		addrs := nl.addrs
 		prefixes := nl.prefixes
 		nl.mu.Unlock()
-		recordStatistics(nl.logger, nodeID, start, end, virtual, physical, addrs, prefixes)
+		recordStatistics(nl.logger, nodeID, start, end, virtual, physical, addrs, prefixes, exitDstEnabled)
 	})

 	// Register the connection tracker into the TUN device.
@ -150,7 +150,7 @@ func (nl *Logger) Startup(nodeID tailcfg.StableNodeID, nodeLogID, domainLogID lo
 	return nil
 }

-func recordStatistics(logger *logtail.Logger, nodeID tailcfg.StableNodeID, start, end time.Time, connstats, sockStats map[netlogtype.Connection]netlogtype.Counts, addrs map[netip.Addr]bool, prefixes map[netip.Prefix]bool) {
+func recordStatistics(logger *logtail.Logger, nodeID tailcfg.StableNodeID, start, end time.Time, connstats, sockStats map[netlogtype.Connection]netlogtype.Counts, addrs map[netip.Addr]bool, prefixes map[netip.Prefix]bool, exitDstEnabled bool) {
 	m := netlogtype.Message{NodeID: nodeID, Start: start.UTC(), End: end.UTC()}

 	classifyAddr := func(a netip.Addr) (isTailscale, withinRoute bool) {
@ -179,7 +179,7 @@ func recordStatistics(logger *logtail.Logger, nodeID tailcfg.StableNodeID, start
 			m.SubnetTraffic = append(m.SubnetTraffic, netlogtype.ConnectionCounts{Connection: conn, Counts: cnts})
 		default:
 			const anonymize = true
-			if anonymize {
+			if anonymize && !exitDstEnabled {
 				// Only preserve the address if it is a Tailscale IP address.
 				srcOrig, dstOrig := conn.Src, conn.Dst
 				conn = netlogtype.Connection{} // scrub everything by default
--- a/wgengine/userspace.go
+++ b/wgengine/userspace.go
@ -941,8 +941,9 @@ func (e *userspaceEngine) Reconfig(cfg *wgcfg.Config, routerCfg *router.Config,
 	if netLogRunning && !e.networkLogger.Running() {
 		nid := cfg.NetworkLogging.NodeID
 		tid := cfg.NetworkLogging.DomainID
+		exitDstEnabled := cfg.NetworkLogging.ExitDstEnabled
 		e.logf("wgengine: Reconfig: starting up network logger (node:%s tailnet:%s)", nid.Public(), tid.Public())
-		if err := e.networkLogger.Startup(cfg.NodeID, nid, tid, e.tundev, e.magicConn, e.netMon); err != nil {
+		if err := e.networkLogger.Startup(cfg.NodeID, nid, tid, e.tundev, e.magicConn, e.netMon, exitDstEnabled); err != nil {
 			e.logf("wgengine: Reconfig: error starting up network logger: %v", err)
 		}
 		e.networkLogger.ReconfigRoutes(routerCfg)
--- a/wgengine/wgcfg/config.go
+++ b/wgengine/wgcfg/config.go
@ -28,8 +28,9 @@ type Config struct {
 	// NetworkLogging enables network logging.
 	// It is disabled if either ID is the zero value.
 	NetworkLogging struct {
-		NodeID   logid.PrivateID
-		DomainID logid.PrivateID
+		NodeID         logid.PrivateID
+		DomainID       logid.PrivateID
+		ExitDstEnabled bool
 	}
 }

--- a/wgengine/wgcfg/nmcfg/nmcfg.go
+++ b/wgengine/wgcfg/nmcfg/nmcfg.go
@ -63,6 +63,7 @@ func WGCfg(nm *netmap.NetworkMap, logf logger.Logf, flags netmap.WGConfigFlags,
 	if nm.SelfNode.Valid() {
 		cfg.NodeID = nm.SelfNode.StableID()
 		canNetworkLog := nm.SelfNode.HasCap(tailcfg.CapabilityDataPlaneAuditLogs)
+		enableExitDst := nm.SelfNode.HasCap(tailcfg.NodeAttrExitDstNetworkFlowLog)
 		if canNetworkLog && nm.SelfNode.DataPlaneAuditLogID() != "" && nm.DomainAuditLogID != "" {
 			nodeID, errNode := logid.ParsePrivateID(nm.SelfNode.DataPlaneAuditLogID())
 			if errNode != nil {
@ -75,6 +76,7 @@ func WGCfg(nm *netmap.NetworkMap, logf logger.Logf, flags netmap.WGConfigFlags,
 			if errNode == nil && errDomain == nil {
 				cfg.NetworkLogging.NodeID = nodeID
 				cfg.NetworkLogging.DomainID = domainID
+				cfg.NetworkLogging.ExitDstEnabled = enableExitDst
 			}
 		}
 	}
--- a/wgengine/wgcfg/wgcfg_clone.go
+++ b/wgengine/wgcfg/wgcfg_clone.go
@ -43,8 +43,9 @@ var _ConfigCloneNeedsRegeneration = Config(struct {
 	DNS            []netip.Addr
 	Peers          []Peer
 	NetworkLogging struct {
-		NodeID   logid.PrivateID
-		DomainID logid.PrivateID
+		NodeID         logid.PrivateID
+		DomainID       logid.PrivateID
+		ExitDstEnabled bool
 	}
 }{})

@ -76,3 +77,30 @@ var _PeerCloneNeedsRegeneration = Peer(struct {
 	PersistentKeepalive uint16
 	WGEndpoint          key.NodePublic
 }{})
+
+// Clone duplicates src into dst and reports whether it succeeded.
+// To succeed, <src, dst> must be of types <*T, *T> or <*T, **T>,
+// where T is one of Config,Peer.
+func Clone(dst, src any) bool {
+	switch src := src.(type) {
+	case *Config:
+		switch dst := dst.(type) {
+		case *Config:
+			*dst = *src.Clone()
+			return true
+		case **Config:
+			*dst = src.Clone()
+			return true
+		}
+	case *Peer:
+		switch dst := dst.(type) {
+		case *Peer:
+			*dst = *src.Clone()
+			return true
+		case **Peer:
+			*dst = src.Clone()
+			return true
+		}
+	}
+	return false
+}
--- a/wgengine/wgcfg/wgcfg_view.go
+++ b/wgengine/wgcfg/wgcfg_view.go
@ -0,0 +1,173 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+// Code generated by tailscale/cmd/viewer; DO NOT EDIT.
+
+package wgcfg
+
+import (
+	"encoding/json"
+	"errors"
+	"net/netip"
+
+	"tailscale.com/tailcfg"
+	"tailscale.com/types/key"
+	"tailscale.com/types/logid"
+	"tailscale.com/types/views"
+)
+
+//go:generate go run tailscale.com/cmd/cloner  -clonefunc=true -type=Config,Peer
+
+// View returns a readonly view of Config.
+func (p *Config) View() ConfigView {
+	return ConfigView{ж: p}
+}
+
+// ConfigView provides a read-only view over Config.
+//
+// Its methods should only be called if `Valid()` returns true.
+type ConfigView struct {
+	// ж is the underlying mutable value, named with a hard-to-type
+	// character that looks pointy like a pointer.
+	// It is named distinctively to make you think of how dangerous it is to escape
+	// to callers. You must not let callers be able to mutate it.
+	ж *Config
+}
+
+// Valid reports whether underlying value is non-nil.
+func (v ConfigView) Valid() bool { return v.ж != nil }
+
+// AsStruct returns a clone of the underlying value which aliases no memory with
+// the original.
+func (v ConfigView) AsStruct() *Config {
+	if v.ж == nil {
+		return nil
+	}
+	return v.ж.Clone()
+}
+
+func (v ConfigView) MarshalJSON() ([]byte, error) { return json.Marshal(v.ж) }
+
+func (v *ConfigView) UnmarshalJSON(b []byte) error {
+	if v.ж != nil {
+		return errors.New("already initialized")
+	}
+	if len(b) == 0 {
+		return nil
+	}
+	var x Config
+	if err := json.Unmarshal(b, &x); err != nil {
+		return err
+	}
+	v.ж = &x
+	return nil
+}
+
+func (v ConfigView) Name() string                         { return v.ж.Name }
+func (v ConfigView) NodeID() tailcfg.StableNodeID         { return v.ж.NodeID }
+func (v ConfigView) PrivateKey() key.NodePrivate          { return v.ж.PrivateKey }
+func (v ConfigView) Addresses() views.Slice[netip.Prefix] { return views.SliceOf(v.ж.Addresses) }
+func (v ConfigView) MTU() uint16                          { return v.ж.MTU }
+func (v ConfigView) DNS() views.Slice[netip.Addr]         { return views.SliceOf(v.ж.DNS) }
+func (v ConfigView) Peers() Peer                          { panic("unsupported") }
+func (v ConfigView) NetworkLogging() struct {
+	NodeID         logid.PrivateID
+	DomainID       logid.PrivateID
+	ExitDstEnabled bool
+} {
+	return v.ж.NetworkLogging
+}
+
+// A compilation failure here means this code must be regenerated, with the command at the top of this file.
+var _ConfigViewNeedsRegeneration = Config(struct {
+	Name           string
+	NodeID         tailcfg.StableNodeID
+	PrivateKey     key.NodePrivate
+	Addresses      []netip.Prefix
+	MTU            uint16
+	DNS            []netip.Addr
+	Peers          []Peer
+	NetworkLogging struct {
+		NodeID         logid.PrivateID
+		DomainID       logid.PrivateID
+		ExitDstEnabled bool
+	}
+}{})
+
+// View returns a readonly view of Peer.
+func (p *Peer) View() PeerView {
+	return PeerView{ж: p}
+}
+
+// PeerView provides a read-only view over Peer.
+//
+// Its methods should only be called if `Valid()` returns true.
+type PeerView struct {
+	// ж is the underlying mutable value, named with a hard-to-type
+	// character that looks pointy like a pointer.
+	// It is named distinctively to make you think of how dangerous it is to escape
+	// to callers. You must not let callers be able to mutate it.
+	ж *Peer
+}
+
+// Valid reports whether underlying value is non-nil.
+func (v PeerView) Valid() bool { return v.ж != nil }
+
+// AsStruct returns a clone of the underlying value which aliases no memory with
+// the original.
+func (v PeerView) AsStruct() *Peer {
+	if v.ж == nil {
+		return nil
+	}
+	return v.ж.Clone()
+}
+
+func (v PeerView) MarshalJSON() ([]byte, error) { return json.Marshal(v.ж) }
+
+func (v *PeerView) UnmarshalJSON(b []byte) error {
+	if v.ж != nil {
+		return errors.New("already initialized")
+	}
+	if len(b) == 0 {
+		return nil
+	}
+	var x Peer
+	if err := json.Unmarshal(b, &x); err != nil {
+		return err
+	}
+	v.ж = &x
+	return nil
+}
+
+func (v PeerView) PublicKey() key.NodePublic             { return v.ж.PublicKey }
+func (v PeerView) DiscoKey() key.DiscoPublic             { return v.ж.DiscoKey }
+func (v PeerView) AllowedIPs() views.Slice[netip.Prefix] { return views.SliceOf(v.ж.AllowedIPs) }
+func (v PeerView) V4MasqAddr() *netip.Addr {
+	if v.ж.V4MasqAddr == nil {
+		return nil
+	}
+	x := *v.ж.V4MasqAddr
+	return &x
+}
+
+func (v PeerView) V6MasqAddr() *netip.Addr {
+	if v.ж.V6MasqAddr == nil {
+		return nil
+	}
+	x := *v.ж.V6MasqAddr
+	return &x
+}
+
+func (v PeerView) PersistentKeepalive() uint16 { return v.ж.PersistentKeepalive }
+func (v PeerView) WGEndpoint() key.NodePublic  { return v.ж.WGEndpoint }
+
+// A compilation failure here means this code must be regenerated, with the command at the top of this file.
+var _PeerViewNeedsRegeneration = Peer(struct {
+	PublicKey           key.NodePublic
+	DiscoKey            key.DiscoPublic
+	AllowedIPs          []netip.Prefix
+	V4MasqAddr          *netip.Addr
+	V6MasqAddr          *netip.Addr
+	PersistentKeepalive uint16
+	WGEndpoint          key.NodePublic
+}{})