From f565dca48035643e1c4b1d4985cef9de0de49857 Mon Sep 17 00:00:00 2001
From: Daniel
Date: Mon, 10 Oct 2022 11:22:15 +0200
Subject: [PATCH] Improve logging
---
 firewall/interception/nfq/conntrack.go | 12 ++++++++----
 firewall/master.go | 2 +-
 network/api.go | 15 ++++++++++-----
 network/status.go | 4 ++--
 4 files changed, 21 insertions(+), 12 deletions(-)
diff --git a/firewall/interception/nfq/conntrack.go b/firewall/interception/nfq/conntrack.go
index 83d18ae6..ac25728d 100644
--- a/firewall/interception/nfq/conntrack.go
+++ b/firewall/interception/nfq/conntrack.go
@@ -20,19 +20,20 @@ func DeleteAllMarkedConnection() error {
 	defer func() { _ = nfct.Close() }()
 	// Delete all ipv4 marked connections
-	deleteMarkedConnections(nfct, ct.IPv4)
+	deleted := deleteMarkedConnections(nfct, ct.IPv4)
 	if netenv.IPv6Enabled() {
 		// Delete all ipv6 marked connections
-		deleteMarkedConnections(nfct, ct.IPv6)
+		deleted += deleteMarkedConnections(nfct, ct.IPv6)
 	}
+	log.Infof("nfq: deleted %d conntrack entries to reset permanent connection verdicts", deleted)
 	return nil
 }
-func deleteMarkedConnections(nfct *ct.Nfct, f ct.Family) {
+func deleteMarkedConnections(nfct *ct.Nfct, f ct.Family) (deleted int) {
 	// initialize variables
-	permanentFlags := [...]uint32{MarkAccept, MarkBlock, MarkDrop, MarkAcceptAlways, MarkBlockAlways, MarkDropAlways, MarkRerouteNS, MarkRerouteSPN}
+	permanentFlags := []uint32{MarkAcceptAlways, MarkBlockAlways, MarkDropAlways, MarkRerouteNS, MarkRerouteSPN}
 	filter := ct.FilterAttr{}
 	filter.MarkMask = []byte{0xFF, 0xFF, 0xFF, 0xFF}
 	filter.Mark = []byte{0x00, 0x00, 0x00, 0x00} // 4 zeros starting value
@@ -52,6 +53,8 @@ func deleteMarkedConnections(nfct *ct.Nfct, f ct.Family) {
 			deleteError = nfct.Delete(ct.Conntrack, ct.IPv4, connection)
 			if err != nil {
 				numberOfErrors++
+			} else {
+				deleted++
 			}
 		}
 	}
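Review bot: The new `permanentFlags` list silently drops `MarkAccept`, `MarkBlock` and `MarkDrop`, so conntrack entries carrying those three marks are no longer matched and flushed by this reset, which is a behaviour change that the commit title ("Improve logging") does not announce. If only the `*Always` and reroute marks can be persisted on a conntrack entry the narrowing is correct, but nothing in the hunk says so, and a flow that keeps a stale accept mark after a profile change is exactly what this function exists to prevent. The reason belongs next to the list; replace the `// initialize variables` what-comment with something like `// Only the *Always and reroute marks persist a verdict in conntrack; per-packet marks need no reset.` once that is confirmed against the nfq verdict code. `DeleteAllMarkedConnection` starts before this hunk and `deleteMarkedConnections` continues past it.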
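Review bot: `deleted++` runs whenever `err` is nil, but the result of `nfct.Delete` on the line above is stored in `deleteError`, not `err`, so a failed delete is still counted as deleted and never reaches `numberOfErrors`; the count this commit starts logging therefore overstates how many permanent verdicts were actually reset. The check should read `if deleteError != nil {`. The same call also hard-codes `ct.IPv4` although the function takes a family `f`, so on the IPv6 pass it presumably targets the wrong table — `deleteError = nfct.Delete(ct.Conntrack, f, connection)` — worth verifying, because a mark that survives here keeps enforcing the old verdict after the profile changed. `err` and `numberOfErrors` are declared outside this hunk, and `deleteMarkedConnections` starts before it.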
@@ -59,4 +62,5 @@ func deleteMarkedConnections(nfct *ct.Nfct, f ct.Family) {
 	if numberOfErrors > 0 {
 		log.Warningf("nfq: failed to delete %d conntrack entries last error is: %s", numberOfErrors, deleteError)
 	}
+	return deleted
 }
diff --git a/firewall/master.go b/firewall/master.go
index d53a50ba..957dc8d4 100644
--- a/firewall/master.go
+++ b/firewall/master.go
@@ -75,7 +75,7 @@ func DecideOnConnection(ctx context.Context, conn *network.Connection, pkt packe
 	conn.SaveWhenFinished()
 	// Reset verdict for connection.
-	log.Tracer(ctx).Infof("filter: re-evaluating verdict on %s", conn)
+	log.Tracer(ctx).Infof("filter: profile updated, re-evaluating verdict of %s", conn)
 	// Reset entity if it exists.
 	if conn.Entity != nil {
diff --git a/network/api.go b/network/api.go
index a9f6d993..aeb43ad7 100644
--- a/network/api.go
+++ b/network/api.go
@@ -120,9 +120,10 @@ func AddNetworkDebugData(di *debug.Info, profile, where string) {
 	// Collect matching connections.
 	var (
 		//nolint:prealloc // We don't know the size.
-		debugConns []*Connection
-		accepted   int
-		total      int
+		debugConns    []*Connection
+		accepted      int
+		total         int
+		transitioning int
 	)
 	for maybeConn := range it.Next {
 		// Switch to correct type.
@@ -158,6 +159,9 @@ func AddNetworkDebugData(di *debug.Info, profile, where string) {
 			VerdictRerouteToTunnel:
 			accepted++
 		}
+		if conn.Verdict.Active != conn.Verdict.Firewall {
+			transitioning++
+		}
 		// Add to list.
 		debugConns = append(debugConns, conn)
@@ -166,9 +170,10 @@ func AddNetworkDebugData(di *debug.Info, profile, where string) {
 	// Add it all.
 	di.AddSection(
 		fmt.Sprintf(
-			"Network: %d/%d Connections",
+			"Network: %d/%d [~%d] Connections",
 			accepted,
 			total,
+			transitioning,
 		),
 		debug.UseCodeSection|debug.AddContentLineBreaks,
 		buildNetworkDebugInfoData(debugConns),
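Review bot: `return deleted` hands back only the success count, while the failures counted in `numberOfErrors` are logged as a warning and then dropped, so `DeleteAllMarkedConnection` still returns `nil` (see its hunk above) even when some marked entries, and the stale verdicts on them, survived. Consider returning both, `func deleteMarkedConnections(nfct *ct.Nfct, f ct.Family) (deleted, failed int)` with `return deleted, numberOfErrors`, so the caller can log the failure next to the success count and return a non-nil error when `failed > 0`. `deleteMarkedConnections` starts before this hunk.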
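Review bot: The new `transitioning++` branch is the only place that defines what "transitioning" means, and it does so only through the field names `Verdict.Active` and `Verdict.Firewall`; a reader of the debug report cannot tell whether such a connection is still flowing under an older verdict or merely has not been re-evaluated yet. A why-comment above the `if` would fix that, e.g. `// The firewall decided a verdict that is not applied to the packet path yet; count these so a stale accept/block is visible in the report.` — adjust the wording to what `Active` versus `Firewall` actually denotes, which this hunk does not show. If other readers of `conn.Verdict` in this package take `conn.Lock()` first, this read inside the iterator loop should too; the loop body starts before the hunk, so any locking is not visible here.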
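Review bot: `[~%d]` in the section title is an undocumented glyph; someone reading a submitted debug report has to find this `Sprintf` to learn that the number is the count of connections whose active verdict differs from the firewall verdict. Spell it out in the title, e.g. `"Network: %d/%d Connections (%d with verdict pending)"`, keeping the three arguments in the same order. `AddNetworkDebugData` starts before this hunk and ends after it.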
@@ -232,7 +237,7 @@ func (conn *Connection) debugInfoLine() string {
 	return fmt.Sprintf(
 		"% 14s %s%- 25s %s-%s P#%d [%s] %s - by %s @ %s",
-		conn.Verdict.Current.Verb(),
+		conn.VerdictVerb(),
 		connectionData,
 		conn.fmtDomainComponent(),
 		time.Unix(conn.Started, 0).Format("15:04:05"),
diff --git a/network/status.go b/network/status.go
index ce68aace..1cd633fe 100644
--- a/network/status.go
+++ b/network/status.go
@@ -54,9 +54,9 @@ func (v Verdict) Verb() string {
 	case VerdictDrop:
 		return "dropped"
 	case VerdictRerouteToNameserver:
-		return "to nameserver"
+		return "redirected to nameserver"
 	case VerdictRerouteToTunnel:
-		return "to tunnel"
+		return "tunneled"
 	case VerdictFailed:
 		return "failed"
 	default:
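Review bot: `conn.VerdictVerb()` has no definition in this patch and the diffstat lists only the four files shown, so it must already exist in package network; it is worth confirming which of the two verdicts it reports (`Verdict.Active` or `Verdict.Firewall`), since the `[~%d]` total added to the section title counts connections where the two differ, and the per-connection line should print the one that total refers to. A trailing comment on the argument, `conn.VerdictVerb(), // active verdict; differs from Verdict.Firewall while a new verdict is pending`, would tell the reader which one is shown — adjust once VerdictVerb's behaviour is checked. `debugInfoLine` starts before this hunk and continues after it.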
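Review bot: `"redirected to nameserver"` is 24 characters wide, but `debugInfoLine` (the api.go hunk above) prints `Verb()` with `% 14s`, so this verb now overflows its column and pushes every following field of those lines out of alignment in the debug listing; `"tunneled"` and the old `"to nameserver"` fit. Either keep the verb within the column, e.g. `return "to nameserver"` as before or `return "to resolver"`, or widen the format to `% 24s` so all verbs stay aligned. `Verb` starts before this hunk and its `default:` arm continues past it.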