diff --git a/nflux.toml b/nflux.toml
index 7ce3d96..8686d91 100644
--- a/nflux.toml
+++ b/nflux.toml
@@ -3,7 +3,7 @@ log_level = "info" # trace, debug, info, warn, or error (default: info)
 log_type = "text" # text or json (default: text)
 [firewall]
-enabled = "true" # Decide if the firewall is enabled or not
+enabled = "false" # Decide if the firewall is enabled or not
 interfaces = ["wlp2s0"] # Interfaces to protect (can be only physical interfaces)
 icmp_ping = "true" # Allow or deny ICMP ping requests
@@ -17,7 +17,8 @@ icmp_ping = "true" # Allow or deny ICMP ping requests
 [egress]
 # By the moment, working with physical interfaces (not virtual, like VPNs)
 enabled = "true"
-interfaces = ["wlp2s0"]
+interfaces = ["wlo1"]
+log_private_connections = "false" # Do not show private connections in the logs
 #[egress_rules]
 # TODO: filter outgoint traffic (block/deny)
diff --git a/nflux/src/config.rs b/nflux/src/config.rs
index 9440380..694f034 100644
--- a/nflux/src/config.rs
+++ b/nflux/src/config.rs
@@ -40,6 +40,8 @@ pub struct Firewall {
 pub struct Egress {
 pub enabled: IsEnabled,
 pub interfaces: Vec,
+ #[allow(dead_code)]
+ pub log_private_connections: IsEnabled,
 }
 // Generic rule for both IPv4 and IPv6
diff --git a/nflux/src/egress.rs b/nflux/src/egress.rs
index 0167c53..7f85bb8 100644
--- a/nflux/src/egress.rs
+++ b/nflux/src/egress.rs
@@ -5,9 +5,10 @@ use aya::maps::MapData;
 use aya::maps::perf::{AsyncPerfEventArrayBuffer, PerfBufferError};
 use aya::programs::{tc, SchedClassifier, TcAttachType};
 use bytes::BytesMut;
-use tracing::{error, info, warn};
+use tracing::{debug, error, info, warn};
 use nflux_common::{convert_protocol, EgressEvent};
-use crate::utils::lookup_address;
+use crate::config::IsEnabled;
+use crate::utils::{is_private_ip, lookup_address};
 pub fn attach_tc_egress_program(bpf: &mut Ebpf, interface_names: &[String]) -> anyhow::Result<()>{
 // Retrieve the eBPF program
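Review bot: The committed sample config now ships with the firewall switched off (`enabled = "false"` in the first hunk) and, in the second hunk, with a host-specific egress interface (`"wlo1"`) that no longer matches the `wlp2s0` still listed under `[firewall]`; this looks like a local development override landing in the repository default rather than part of the feature. If the intent is only to introduce the new key, keep `enabled = "true"` and the previous interface and add just `log_private_connections = "false" # Do not show private connections in the logs`. Anyone deploying from this file would otherwise start with ingress filtering disabled without having chosen that.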
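Review bot: The new `log_private_connections` field is never read: the `main.rs` hunk at the end of this diff passes a hard-coded `&IsEnabled::False` to `process_egress_events`, and the `#[allow(dead_code)]` added here silences the warning that would have exposed that, so the key added to `nflux.toml` has no effect at runtime. Pass the parsed value instead, e.g. `task::spawn(process_egress_events(buf, cpu_id, &config.egress.log_private_connections));` where `config` stands for whatever `main` binds the loaded configuration to (outside the hunk), and drop the `#[allow(dead_code)]` once the field is used. Because a borrowed config field has to outlive the spawned task, it is probably simpler to take `IsEnabled` by value in the `process_egress_events` signature (cloning it, or deriving `Copy` on the two-variant enum) than to keep the `&IsEnabled` parameter.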
@@ -63,6 +64,7 @@ pub fn attach_tc_egress_program(bpf: &mut Ebpf, interface_names: &[String]) -> a
 pub async fn process_egress_events(
 mut buf: AsyncPerfEventArrayBuffer,
 cpu_id: u32,
+ log_private_connections: &IsEnabled,
 ) -> Result<(), PerfBufferError> {
 let mut buffers = vec![BytesMut::with_capacity(1024); 10];
@@ -75,14 +77,30 @@ pub async fn process_egress_events(
 let buf = &buffers[i];
 match parse_egress_event(buf) {
 Ok(event) => {
- info!(
- "program=tc_egress protocol={}, ip={}, src_port={}, dst_port={}, fqdn={}",
- convert_protocol(event.protocol),
- Ipv4Addr::from(event.dst_ip),
- event.src_port,
- event.dst_port,
- lookup_address(event.dst_ip),
- );
+ match log_private_connections {
+ IsEnabled::True => {
+ info!(
+ "program=tc_egress protocol={}, ip={}, src_port={}, dst_port={}, fqdn={}",
+ convert_protocol(event.protocol),
+ Ipv4Addr::from(event.dst_ip),
+ event.src_port,
+ event.dst_port,
+ "Private IP",
+ );
+ }
+ IsEnabled::False => {
+ if ! is_private_ip(event.dst_ip) {
+ info!(
+ "program=tc_egress protocol={}, ip={}, src_port={}, dst_port={}, fqdn={}",
+ convert_protocol(event.protocol),
+ Ipv4Addr::from(event.dst_ip),
+ event.src_port,
+ event.dst_port,
+ lookup_address(event.dst_ip),
+ );
+ }
+ }
+ }
 }
 Err(e) => error!("Failed to parse egress event on CPU {}: {}", cpu_id, e),
 }
diff --git a/nflux/src/main.rs b/nflux/src/main.rs
index 38bf07f..8d2d256 100644
--- a/nflux/src/main.rs
+++ b/nflux/src/main.rs
@@ -92,7 +92,7 @@ async fn main() -> anyhow::Result<()> {
 // Spawn task for egress events
 {
 let buf = egress_events.open(cpu_id, None)?;
- task::spawn(process_egress_events(buf, cpu_id));
+ task::spawn(process_egress_events(buf, cpu_id, &IsEnabled::False));
 }
 }
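Review bot: The `IsEnabled::True` arm in the `-75,14 +77,30` hunk logs every destination, private or not, with the literal `"Private IP"` as its fqdn and never calls `lookup_address`, so turning the option on loses hostnames for public destinations, while the `False` arm is the only path that resolves anything; the two arms also duplicate the entire `info!` call. Compute `is_private_ip` once, decide visibility from that and the flag, and derive the fqdn from the same value, which keeps private addresses away from the resolver in both modes. The `debug` added to the `tracing` import in the first `egress.rs` hunk is not used by any line in this diff and will trip `unused_imports` unless the file already relies on it elsewhere. The enclosing loop and `process_egress_events` itself start and end outside the hunk.
```rust
Ok(event) => {
    let is_private = is_private_ip(event.dst_ip);
    // Private destinations are shown only when the operator opted in.
    let show = !is_private || matches!(log_private_connections, IsEnabled::True);
    if show {
        // Never resolve private addresses; a reverse lookup adds nothing there.
        let fqdn = if is_private {
            "Private IP".to_string()
        } else {
            lookup_address(event.dst_ip).to_string()
        };
        info!(
            "program=tc_egress protocol={}, ip={}, src_port={}, dst_port={}, fqdn={}",
            convert_protocol(event.protocol),
            Ipv4Addr::from(event.dst_ip),
            event.src_port,
            event.dst_port,
            fqdn,
        );
    }
}
// … unchanged: Err arm …
```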