Improve logging

2025-09-01 10:09:11 +00:00 · 2022-10-10 11:22:15 +02:00 · 2022-10-10 11:22:15 +02:00 · f565dca480
commit f565dca480
parent e00131e937
4 changed files with 21 additions and 12 deletions
--- a/firewall/interception/nfq/conntrack.go
+++ b/firewall/interception/nfq/conntrack.go
@ -20,19 +20,20 @@ func DeleteAllMarkedConnection() error {
 	defer func() { _ = nfct.Close() }()

 	// Delete all ipv4 marked connections
-	deleteMarkedConnections(nfct, ct.IPv4)
+	deleted := deleteMarkedConnections(nfct, ct.IPv4)

 	if netenv.IPv6Enabled() {
 		// Delete all ipv6 marked connections
-		deleteMarkedConnections(nfct, ct.IPv6)
+		deleted += deleteMarkedConnections(nfct, ct.IPv6)
 	}

+	log.Infof("nfq: deleted %d conntrack entries to reset permanent connection verdicts", deleted)
 	return nil
 }

-func deleteMarkedConnections(nfct *ct.Nfct, f ct.Family) {
+func deleteMarkedConnections(nfct *ct.Nfct, f ct.Family) (deleted int) {
 	// initialize variables
-	permanentFlags := [...]uint32{MarkAccept, MarkBlock, MarkDrop, MarkAcceptAlways, MarkBlockAlways, MarkDropAlways, MarkRerouteNS, MarkRerouteSPN}
+	permanentFlags := []uint32{MarkAcceptAlways, MarkBlockAlways, MarkDropAlways, MarkRerouteNS, MarkRerouteSPN}
 	filter := ct.FilterAttr{}
 	filter.MarkMask = []byte{0xFF, 0xFF, 0xFF, 0xFF}
 	filter.Mark = []byte{0x00, 0x00, 0x00, 0x00} // 4 zeros starting value
@ -52,6 +53,8 @@ func deleteMarkedConnections(nfct *ct.Nfct, f ct.Family) {
 			deleteError = nfct.Delete(ct.Conntrack, ct.IPv4, connection)
 			if err != nil {
 				numberOfErrors++
+			} else {
+				deleted++
 			}
 		}
 	}
@ -59,4 +62,5 @@ func deleteMarkedConnections(nfct *ct.Nfct, f ct.Family) {
 	if numberOfErrors > 0 {
 		log.Warningf("nfq: failed to delete %d conntrack entries last error is: %s", numberOfErrors, deleteError)
 	}
+	return deleted
 }
--- a/firewall/master.go
+++ b/firewall/master.go
@ -75,7 +75,7 @@ func DecideOnConnection(ctx context.Context, conn *network.Connection, pkt packe
 		conn.SaveWhenFinished()

 		// Reset verdict for connection.
-		log.Tracer(ctx).Infof("filter: re-evaluating verdict on %s", conn)
+		log.Tracer(ctx).Infof("filter: profile updated, re-evaluating verdict of %s", conn)

 		// Reset entity if it exists.
 		if conn.Entity != nil {
--- a/network/api.go
+++ b/network/api.go
@ -120,9 +120,10 @@ func AddNetworkDebugData(di *debug.Info, profile, where string) {

 	// Collect matching connections.
 	var ( //nolint:prealloc // We don't know the size.
-		debugConns []*Connection
-		accepted   int
-		total      int
+		debugConns    []*Connection
+		accepted      int
+		total         int
+		transitioning int
 	)
 	for maybeConn := range it.Next {
 		// Switch to correct type.
@ -158,6 +159,9 @@ func AddNetworkDebugData(di *debug.Info, profile, where string) {
 			VerdictRerouteToTunnel:
 			accepted++
 		}
+		if conn.Verdict.Active != conn.Verdict.Firewall {
+			transitioning++
+		}

 		// Add to list.
 		debugConns = append(debugConns, conn)
@ -166,9 +170,10 @@ func AddNetworkDebugData(di *debug.Info, profile, where string) {
 	// Add it all.
 	di.AddSection(
 		fmt.Sprintf(
-			"Network: %d/%d Connections",
+			"Network: %d/%d [~%d] Connections",
 			accepted,
 			total,
+			transitioning,
 		),
 		debug.UseCodeSection|debug.AddContentLineBreaks,
 		buildNetworkDebugInfoData(debugConns),
@ -232,7 +237,7 @@ func (conn *Connection) debugInfoLine() string {

 	return fmt.Sprintf(
 		"% 14s %s%- 25s %s-%s P#%d [%s] %s - by %s @ %s",
-		conn.Verdict.Current.Verb(),
+		conn.VerdictVerb(),
 		connectionData,
 		conn.fmtDomainComponent(),
 		time.Unix(conn.Started, 0).Format("15:04:05"),
--- a/network/status.go
+++ b/network/status.go
@ -54,9 +54,9 @@ func (v Verdict) Verb() string {
 	case VerdictDrop:
 		return "dropped"
 	case VerdictRerouteToNameserver:
-		return "to nameserver"
+		return "redirected to nameserver"
 	case VerdictRerouteToTunnel:
-		return "to tunnel"
+		return "tunneled"
 	case VerdictFailed:
 		return "failed"
 	default: