Handle accept logs (#23)

README.md

@@ -1,16 +1,17 @@
 # Droptailer
 
-Droptailer gathers packet drops from different machines, enriches them with data from kubernetes api resources and makes them accessible by kubernetes means.
+Droptailer gathers firewall drop or accept logs from different machines, enriches them with data from kubernetes api resources and makes them accessible by kubernetes means.
 
 ## Client
 
-- reads the systemd journal for kernel log messages about packet drops
+- reads the systemd journal for kernel log messages about packet drops or accepts
 - pushes them with gRPC to the `droptail` server
 
 environment variables:
 
 - `DROPTAILER_SERVER_ADDRESS`: endpoint for the server
 - `DROPTAILER_PREFIXES_OF_DROPS`: prefixes that identify drop messages in the journal
+- `DROPTAILER_PREFIXES_OF_ACCEPTS`: prefixes that identify drop messages in the journal
 
 ## Generating certificates
 
@@ -71,6 +72,7 @@ metalstack/droptailer-client
 # Watch for drops
 stern -n firewall drop
 
-# Generate a sample message for the systemd journal that gets catched by the droptailer-client
+# Generate sample messages for the systemd journal that is caught by the droptailer-client
 sudo logger -t kernel "nftables-metal-dropped: IN=vrf09 OUT= MAC=12:99:fd:3b:ce:f8:1a:ae:e9:a7:95:50:08:00 SRC=1.2.3.4 DST=4.3.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=238 ID=46474 PROTO=TCP SPT=59265 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0"
+sudo logger -t kernel "nftables-metal-accepted: IN=vrf10 OUT=vrf11 MAC=12:99:fd:3b:ce:f8:1a:ae:e9:a7:95:50:08:00 SRC=5.6.7.8 DST=8.7.6.5 LEN=40 TOS=0x00 PREC=0x00 TTL=238 ID=46474 PROTO=TCP SPT=59265 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0 ItIs=OnlyText"
 ```

client/main.go

@@ -18,6 +18,7 @@ const (
 )
 
 var defaultPrefixesOfDrops = []string{"nftables-metal-dropped: ", "nftables-firewall-dropped: "}
+var defaultPrefixesOfAccepts = []string{"nftables-metal-accepted: ", "nftables-firewall-accepted: "}
 
 func main() {
 	// address should be in the form of: dns://localhost:53/droptailer:50051
@@ -43,6 +44,12 @@ func main() {
 		prefixesOfDrops = strings.Split(prefixesOfDropsEnv, ",")
 	}
 
+	prefixesOfAccepts := defaultPrefixesOfAccepts
+	prefixesOfAcceptsEnv := os.Getenv("DROPTAILER_PREFIXES_OF_ACCEPTS")
+	if prefixesOfAcceptsEnv != "" {
+		prefixesOfAccepts = strings.Split(prefixesOfAcceptsEnv, ",")
+	}
+
 	caCertificate := os.Getenv("DROPTAILER_CA_CERTIFICATE")
 	if caCertificate == "" {
 		caCertificate = defaultCaCertificate
@@ -56,8 +63,9 @@ func main() {
 		clientKey = defaultClientKey
 	}
 	c := client.Client{
-		ServerAddress:   address,
-		PrefixesOfDrops: prefixesOfDrops,
+		ServerAddress:     address,
+		PrefixesOfDrops:   prefixesOfDrops,
+		PrefixesOfAccepts: prefixesOfAccepts,
 		Certificates: client.Certificates{
 			CaCertificate:     caCertificate,
 			ClientCertificate: clientCertificate,

pkg/client/client.go

@@ -18,9 +18,10 @@ import (
 
 // Client sends drops of the journal to the droptailer server.
 type Client struct {
-	ServerAddress   string
-	PrefixesOfDrops []string
-	Certificates    Certificates
+	ServerAddress     string
+	PrefixesOfDrops   []string
+	PrefixesOfAccepts []string
+	Certificates      Certificates
 }
 
 type Certificates struct {
@@ -91,9 +92,10 @@ func (c Client) Start() error {
 	}
 	defer jr.Close()
 	df := &dropforwarder{
-		jr:       jr,
-		dsc:      dsc,
-		prefixes: c.PrefixesOfDrops,
+		jr:             jr,
+		dsc:            dsc,
+		dropPrefixes:   c.PrefixesOfDrops,
+		acceptPrefixes: c.PrefixesOfAccepts,
 	}
 	df.run()
 	return nil

pkg/client/forwarder.go

@@ -17,9 +17,10 @@ import (
 )
 
 type dropforwarder struct {
-	jr       *sdjournal.JournalReader
-	dsc      pb.DroptailerClient
-	prefixes []string
+	jr             *sdjournal.JournalReader
+	dsc            pb.DroptailerClient
+	dropPrefixes   []string
+	acceptPrefixes []string
 }
 
 func (d *dropforwarder) run() {
@@ -45,7 +46,7 @@ func (d *dropforwarder) writeTo(r io.ReadCloser) {
 			r.Close()
 			break
 		}
-		cr := checkLine(string(line), d.prefixes)
+		cr := checkLine(string(line), d.dropPrefixes, d.acceptPrefixes)
 		if cr.skip {
 			continue
 		}
@@ -73,7 +74,7 @@ type checkResult struct {
 	ts                   int64
 }
 
-func checkLine(l string, prefixes []string) checkResult {
+func checkLine(l string, dropPrefixes, acceptPrefixes []string) checkResult {
 	parts := strings.Split(string(l), "@")
 	if len(parts) < 2 {
 		return checkResult{skip: true}
@@ -84,10 +85,16 @@ func checkLine(l string, prefixes []string) checkResult {
 		return checkResult{skip: true}
 	}
 	msg := parts[1]
-	for _, prefix := range prefixes {
+	for _, prefix := range dropPrefixes {
 		if strings.HasPrefix(msg, prefix) {
 			m := strings.TrimPrefix(msg, prefix)
-			return checkResult{skip: false, messageWithoutPrefix: m, ts: ts}
+			return checkResult{skip: false, messageWithoutPrefix: m + " ACTION=drop", ts: ts}
+		}
+	}
+	for _, prefix := range acceptPrefixes {
+		if strings.HasPrefix(msg, prefix) {
+			m := strings.TrimPrefix(msg, prefix)
+			return checkResult{skip: false, messageWithoutPrefix: m + " ACTION=accept", ts: ts}
 		}
 	}
 	return checkResult{skip: true}