diff --git a/wgengine/netlog/logger.go b/wgengine/netlog/logger.go index 5eaa52375..462e5ca6c 100644 --- a/wgengine/netlog/logger.go +++ b/wgengine/netlog/logger.go @@ -92,7 +92,7 @@ var testClient *http.Client // The IP protocol and source port are always zero. // The sock is used to populated the PhysicalTraffic field in Message. // The netMon parameter is optional; if non-nil it's used to do faster interface lookups. -func (nl *Logger) Startup(nodeID tailcfg.StableNodeID, nodeLogID, domainLogID logid.PrivateID, tun, sock Device, netMon *netmon.Monitor) error { +func (nl *Logger) Startup(nodeID tailcfg.StableNodeID, nodeLogID, domainLogID logid.PrivateID, tun, sock Device, netMon *netmon.Monitor, exitDstEnabled bool) error { nl.mu.Lock() defer nl.mu.Unlock() if nl.logger != nil { @@ -130,7 +130,7 @@ func (nl *Logger) Startup(nodeID tailcfg.StableNodeID, nodeLogID, domainLogID lo addrs := nl.addrs prefixes := nl.prefixes nl.mu.Unlock() - recordStatistics(nl.logger, nodeID, start, end, virtual, physical, addrs, prefixes) + recordStatistics(nl.logger, nodeID, start, end, virtual, physical, addrs, prefixes, exitDstEnabled) }) // Register the connection tracker into the TUN device. @@ -150,7 +150,7 @@ func (nl *Logger) Startup(nodeID tailcfg.StableNodeID, nodeLogID, domainLogID lo return nil } -func recordStatistics(logger *logtail.Logger, nodeID tailcfg.StableNodeID, start, end time.Time, connstats, sockStats map[netlogtype.Connection]netlogtype.Counts, addrs map[netip.Addr]bool, prefixes map[netip.Prefix]bool) { +func recordStatistics(logger *logtail.Logger, nodeID tailcfg.StableNodeID, start, end time.Time, connstats, sockStats map[netlogtype.Connection]netlogtype.Counts, addrs map[netip.Addr]bool, prefixes map[netip.Prefix]bool, exitDstEnabled bool) { m := netlogtype.Message{NodeID: nodeID, Start: start.UTC(), End: end.UTC()} classifyAddr := func(a netip.Addr) (isTailscale, withinRoute bool) { @@ -179,7 +179,7 @@ func recordStatistics(logger *logtail.Logger, nodeID tailcfg.StableNodeID, start m.SubnetTraffic = append(m.SubnetTraffic, netlogtype.ConnectionCounts{Connection: conn, Counts: cnts}) default: const anonymize = true - if anonymize { + if anonymize && !exitDstEnabled { // Only preserve the address if it is a Tailscale IP address. srcOrig, dstOrig := conn.Src, conn.Dst conn = netlogtype.Connection{} // scrub everything by default diff --git a/wgengine/userspace.go b/wgengine/userspace.go index 73de66393..edf4bcf51 100644 --- a/wgengine/userspace.go +++ b/wgengine/userspace.go @@ -941,8 +941,9 @@ func (e *userspaceEngine) Reconfig(cfg *wgcfg.Config, routerCfg *router.Config, if netLogRunning && !e.networkLogger.Running() { nid := cfg.NetworkLogging.NodeID tid := cfg.NetworkLogging.DomainID + exitDstEnabled := cfg.NetworkLogging.ExitDstEnabled e.logf("wgengine: Reconfig: starting up network logger (node:%s tailnet:%s)", nid.Public(), tid.Public()) - if err := e.networkLogger.Startup(cfg.NodeID, nid, tid, e.tundev, e.magicConn, e.netMon); err != nil { + if err := e.networkLogger.Startup(cfg.NodeID, nid, tid, e.tundev, e.magicConn, e.netMon, exitDstEnabled); err != nil { e.logf("wgengine: Reconfig: error starting up network logger: %v", err) } e.networkLogger.ReconfigRoutes(routerCfg) diff --git a/wgengine/wgcfg/config.go b/wgengine/wgcfg/config.go index 76583a8e8..fe804d5bb 100644 --- a/wgengine/wgcfg/config.go +++ b/wgengine/wgcfg/config.go @@ -28,8 +28,9 @@ type Config struct { // NetworkLogging enables network logging. // It is disabled if either ID is the zero value. NetworkLogging struct { - NodeID logid.PrivateID - DomainID logid.PrivateID + NodeID logid.PrivateID + DomainID logid.PrivateID + ExitDstEnabled bool } } diff --git a/wgengine/wgcfg/nmcfg/nmcfg.go b/wgengine/wgcfg/nmcfg/nmcfg.go index 229512d4c..00fe1c228 100644 --- a/wgengine/wgcfg/nmcfg/nmcfg.go +++ b/wgengine/wgcfg/nmcfg/nmcfg.go @@ -63,6 +63,7 @@ func WGCfg(nm *netmap.NetworkMap, logf logger.Logf, flags netmap.WGConfigFlags, if nm.SelfNode.Valid() { cfg.NodeID = nm.SelfNode.StableID() canNetworkLog := nm.SelfNode.HasCap(tailcfg.CapabilityDataPlaneAuditLogs) + enableExitDst := nm.SelfNode.HasCap(tailcfg.NodeAttrExitDstNetworkFlowLog) if canNetworkLog && nm.SelfNode.DataPlaneAuditLogID() != "" && nm.DomainAuditLogID != "" { nodeID, errNode := logid.ParsePrivateID(nm.SelfNode.DataPlaneAuditLogID()) if errNode != nil { @@ -75,6 +76,7 @@ func WGCfg(nm *netmap.NetworkMap, logf logger.Logf, flags netmap.WGConfigFlags, if errNode == nil && errDomain == nil { cfg.NetworkLogging.NodeID = nodeID cfg.NetworkLogging.DomainID = domainID + cfg.NetworkLogging.ExitDstEnabled = enableExitDst } } } diff --git a/wgengine/wgcfg/wgcfg_clone.go b/wgengine/wgcfg/wgcfg_clone.go index 4a2288f1e..0463685c3 100644 --- a/wgengine/wgcfg/wgcfg_clone.go +++ b/wgengine/wgcfg/wgcfg_clone.go @@ -43,8 +43,9 @@ var _ConfigCloneNeedsRegeneration = Config(struct { DNS []netip.Addr Peers []Peer NetworkLogging struct { - NodeID logid.PrivateID - DomainID logid.PrivateID + NodeID logid.PrivateID + DomainID logid.PrivateID + ExitDstEnabled bool } }{}) @@ -76,3 +77,30 @@ var _PeerCloneNeedsRegeneration = Peer(struct { PersistentKeepalive uint16 WGEndpoint key.NodePublic }{}) + +// Clone duplicates src into dst and reports whether it succeeded. +// To succeed, must be of types <*T, *T> or <*T, **T>, +// where T is one of Config,Peer. +func Clone(dst, src any) bool { + switch src := src.(type) { + case *Config: + switch dst := dst.(type) { + case *Config: + *dst = *src.Clone() + return true + case **Config: + *dst = src.Clone() + return true + } + case *Peer: + switch dst := dst.(type) { + case *Peer: + *dst = *src.Clone() + return true + case **Peer: + *dst = src.Clone() + return true + } + } + return false +} diff --git a/wgengine/wgcfg/wgcfg_view.go b/wgengine/wgcfg/wgcfg_view.go new file mode 100644 index 000000000..3e3b05eb6 --- /dev/null +++ b/wgengine/wgcfg/wgcfg_view.go @@ -0,0 +1,173 @@ +// Copyright (c) Tailscale Inc & AUTHORS +// SPDX-License-Identifier: BSD-3-Clause + +// Code generated by tailscale/cmd/viewer; DO NOT EDIT. + +package wgcfg + +import ( + "encoding/json" + "errors" + "net/netip" + + "tailscale.com/tailcfg" + "tailscale.com/types/key" + "tailscale.com/types/logid" + "tailscale.com/types/views" +) + +//go:generate go run tailscale.com/cmd/cloner -clonefunc=true -type=Config,Peer + +// View returns a readonly view of Config. +func (p *Config) View() ConfigView { + return ConfigView{ж: p} +} + +// ConfigView provides a read-only view over Config. +// +// Its methods should only be called if `Valid()` returns true. +type ConfigView struct { + // ж is the underlying mutable value, named with a hard-to-type + // character that looks pointy like a pointer. + // It is named distinctively to make you think of how dangerous it is to escape + // to callers. You must not let callers be able to mutate it. + ж *Config +} + +// Valid reports whether underlying value is non-nil. +func (v ConfigView) Valid() bool { return v.ж != nil } + +// AsStruct returns a clone of the underlying value which aliases no memory with +// the original. +func (v ConfigView) AsStruct() *Config { + if v.ж == nil { + return nil + } + return v.ж.Clone() +} + +func (v ConfigView) MarshalJSON() ([]byte, error) { return json.Marshal(v.ж) } + +func (v *ConfigView) UnmarshalJSON(b []byte) error { + if v.ж != nil { + return errors.New("already initialized") + } + if len(b) == 0 { + return nil + } + var x Config + if err := json.Unmarshal(b, &x); err != nil { + return err + } + v.ж = &x + return nil +} + +func (v ConfigView) Name() string { return v.ж.Name } +func (v ConfigView) NodeID() tailcfg.StableNodeID { return v.ж.NodeID } +func (v ConfigView) PrivateKey() key.NodePrivate { return v.ж.PrivateKey } +func (v ConfigView) Addresses() views.Slice[netip.Prefix] { return views.SliceOf(v.ж.Addresses) } +func (v ConfigView) MTU() uint16 { return v.ж.MTU } +func (v ConfigView) DNS() views.Slice[netip.Addr] { return views.SliceOf(v.ж.DNS) } +func (v ConfigView) Peers() Peer { panic("unsupported") } +func (v ConfigView) NetworkLogging() struct { + NodeID logid.PrivateID + DomainID logid.PrivateID + ExitDstEnabled bool +} { + return v.ж.NetworkLogging +} + +// A compilation failure here means this code must be regenerated, with the command at the top of this file. +var _ConfigViewNeedsRegeneration = Config(struct { + Name string + NodeID tailcfg.StableNodeID + PrivateKey key.NodePrivate + Addresses []netip.Prefix + MTU uint16 + DNS []netip.Addr + Peers []Peer + NetworkLogging struct { + NodeID logid.PrivateID + DomainID logid.PrivateID + ExitDstEnabled bool + } +}{}) + +// View returns a readonly view of Peer. +func (p *Peer) View() PeerView { + return PeerView{ж: p} +} + +// PeerView provides a read-only view over Peer. +// +// Its methods should only be called if `Valid()` returns true. +type PeerView struct { + // ж is the underlying mutable value, named with a hard-to-type + // character that looks pointy like a pointer. + // It is named distinctively to make you think of how dangerous it is to escape + // to callers. You must not let callers be able to mutate it. + ж *Peer +} + +// Valid reports whether underlying value is non-nil. +func (v PeerView) Valid() bool { return v.ж != nil } + +// AsStruct returns a clone of the underlying value which aliases no memory with +// the original. +func (v PeerView) AsStruct() *Peer { + if v.ж == nil { + return nil + } + return v.ж.Clone() +} + +func (v PeerView) MarshalJSON() ([]byte, error) { return json.Marshal(v.ж) } + +func (v *PeerView) UnmarshalJSON(b []byte) error { + if v.ж != nil { + return errors.New("already initialized") + } + if len(b) == 0 { + return nil + } + var x Peer + if err := json.Unmarshal(b, &x); err != nil { + return err + } + v.ж = &x + return nil +} + +func (v PeerView) PublicKey() key.NodePublic { return v.ж.PublicKey } +func (v PeerView) DiscoKey() key.DiscoPublic { return v.ж.DiscoKey } +func (v PeerView) AllowedIPs() views.Slice[netip.Prefix] { return views.SliceOf(v.ж.AllowedIPs) } +func (v PeerView) V4MasqAddr() *netip.Addr { + if v.ж.V4MasqAddr == nil { + return nil + } + x := *v.ж.V4MasqAddr + return &x +} + +func (v PeerView) V6MasqAddr() *netip.Addr { + if v.ж.V6MasqAddr == nil { + return nil + } + x := *v.ж.V6MasqAddr + return &x +} + +func (v PeerView) PersistentKeepalive() uint16 { return v.ж.PersistentKeepalive } +func (v PeerView) WGEndpoint() key.NodePublic { return v.ж.WGEndpoint } + +// A compilation failure here means this code must be regenerated, with the command at the top of this file. +var _PeerViewNeedsRegeneration = Peer(struct { + PublicKey key.NodePublic + DiscoKey key.DiscoPublic + AllowedIPs []netip.Prefix + V4MasqAddr *netip.Addr + V6MasqAddr *netip.Addr + PersistentKeepalive uint16 + WGEndpoint key.NodePublic +}{})