From ce10f7c14cdfc9bdc1c1b26efd7f79d669968a32 Mon Sep 17 00:00:00 2001
From: Brad Fitzpatrick <bradfitz@tailscale.com>
Date: Fri, 14 Nov 2025 10:58:53 -0800
Subject: [PATCH] wgengine/wgcfg/nmcfg: reduce wireguard reconfig log spam

On the corp tailnet (using Mullvad exit nodes + bunch of expired
devices + subnet routers), these were generating big ~35 KB blobs of
logging regularly.

This logging shouldn't even exist at this level, and should be rate
limited at a higher level, but for now as a bandaid, make it less
spammy.

Updates #cleanup

Change-Id: I0b5e9e6e859f13df5f982cd71cd5af85b73f0c0a
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
---
 wgengine/wgcfg/nmcfg/nmcfg.go | 75 +++++++++++++++--------------------
 1 file changed, 31 insertions(+), 44 deletions(-)

diff --git a/wgengine/wgcfg/nmcfg/nmcfg.go b/wgengine/wgcfg/nmcfg/nmcfg.go
index 08b162730..28d5345d6 100644
--- a/wgengine/wgcfg/nmcfg/nmcfg.go
+++ b/wgengine/wgcfg/nmcfg/nmcfg.go
@@ -5,7 +5,8 @@
 package nmcfg
 
 import (
-	"bytes"
+	"bufio"
+	"cmp"
 	"fmt"
 	"net/netip"
 	"strings"
@@ -18,16 +19,7 @@ import (
 )
 
 func nodeDebugName(n tailcfg.NodeView) string {
-	name := n.Name()
-	if name == "" {
-		name = n.Hostinfo().Hostname()
-	}
-	if i := strings.Index(name, "."); i != -1 {
-		name = name[:i]
-	}
-	if name == "" && n.Addresses().Len() != 0 {
-		return n.Addresses().At(0).String()
-	}
+	name, _, _ := strings.Cut(cmp.Or(n.Name(), n.Hostinfo().Hostname()), ".")
 	return name
 }
 
@@ -77,10 +69,7 @@ func WGCfg(nm *netmap.NetworkMap, logf logger.Logf, flags netmap.WGConfigFlags,
 		}
 	}
 
-	// Logging buffers
-	skippedUnselected := new(bytes.Buffer)
-	skippedSubnets := new(bytes.Buffer)
-	skippedExpired := new(bytes.Buffer)
+	var skippedExitNode, skippedSubnetRouter, skippedExpired []tailcfg.NodeView
 
 	for _, peer := range nm.Peers {
 		if peer.DiscoKey().IsZero() && peer.HomeDERP() == 0 && !peer.IsWireGuardOnly() {
@@ -93,16 +82,7 @@ func WGCfg(nm *netmap.NetworkMap, logf logger.Logf, flags netmap.WGConfigFlags,
 		// anyway, since control intentionally breaks node keys for
 		// expired peers so that we can't discover endpoints via DERP.
 		if peer.Expired() {
-			if skippedExpired.Len() >= 1<<10 {
-				if !bytes.HasSuffix(skippedExpired.Bytes(), []byte("...")) {
-					skippedExpired.WriteString("...")
-				}
-			} else {
-				if skippedExpired.Len() > 0 {
-					skippedExpired.WriteString(", ")
-				}
-				fmt.Fprintf(skippedExpired, "%s/%v", peer.StableID(), peer.Key().ShortString())
-			}
+			skippedExpired = append(skippedExpired, peer)
 			continue
 		}
 
@@ -112,28 +92,22 @@ func WGCfg(nm *netmap.NetworkMap, logf logger.Logf, flags netmap.WGConfigFlags,
 		})
 		cpeer := &cfg.Peers[len(cfg.Peers)-1]
 
-		didExitNodeWarn := false
+		didExitNodeLog := false
 		cpeer.V4MasqAddr = peer.SelfNodeV4MasqAddrForThisPeer().Clone()
 		cpeer.V6MasqAddr = peer.SelfNodeV6MasqAddrForThisPeer().Clone()
 		cpeer.IsJailed = peer.IsJailed()
 		for _, allowedIP := range peer.AllowedIPs().All() {
 			if allowedIP.Bits() == 0 && peer.StableID() != exitNode {
-				if didExitNodeWarn {
+				if didExitNodeLog {
 					// Don't log about both the IPv4 /0 and IPv6 /0.
 					continue
 				}
-				didExitNodeWarn = true
-				if skippedUnselected.Len() > 0 {
-					skippedUnselected.WriteString(", ")
-				}
-				fmt.Fprintf(skippedUnselected, "%q (%v)", nodeDebugName(peer), peer.Key().ShortString())
+				didExitNodeLog = true
+				skippedExitNode = append(skippedExitNode, peer)
 				continue
 			} else if cidrIsSubnet(peer, allowedIP) {
 				if (flags & netmap.AllowSubnetRoutes) == 0 {
-					if skippedSubnets.Len() > 0 {
-						skippedSubnets.WriteString(", ")
-					}
-					fmt.Fprintf(skippedSubnets, "%v from %q (%v)", allowedIP, nodeDebugName(peer), peer.Key().ShortString())
+					skippedSubnetRouter = append(skippedSubnetRouter, peer)
 					continue
 				}
 			}
@@ -141,14 +115,27 @@ func WGCfg(nm *netmap.NetworkMap, logf logger.Logf, flags netmap.WGConfigFlags,
 		}
 	}
 
-	if skippedUnselected.Len() > 0 {
-		logf("[v1] wgcfg: skipped unselected default routes from: %s", skippedUnselected.Bytes())
-	}
-	if skippedSubnets.Len() > 0 {
-		logf("[v1] wgcfg: did not accept subnet routes: %s", skippedSubnets)
-	}
-	if skippedExpired.Len() > 0 {
-		logf("[v1] wgcfg: skipped expired peer: %s", skippedExpired)
+	logList := func(title string, nodes []tailcfg.NodeView) {
+		if len(nodes) == 0 {
+			return
+		}
+		logf("[v1] wgcfg: %s from %d nodes: %s", title, len(nodes), logger.ArgWriter(func(bw *bufio.Writer) {
+			const max = 5
+			for i, n := range nodes {
+				if i == max {
+					fmt.Fprintf(bw, "... +%d", len(nodes)-max)
+					return
+				}
+				if i > 0 {
+					bw.WriteString(", ")
+				}
+				fmt.Fprintf(bw, "%s (%s)", nodeDebugName(n), n.StableID())
+			}
+		}))
 	}
+	logList("skipped unselected exit nodes", skippedExitNode)
+	logList("did not accept subnet routes", skippedSubnetRouter)
+	logList("skipped expired peers", skippedExpired)
+
 	return cfg, nil
 }