From 71be12fad53b728b0fa0cc87ed60a85acf561e20 Mon Sep 17 00:00:00 2001 From: Olivier Valentin Date: Mon, 22 Apr 2024 12:48:54 +0200 Subject: [PATCH 1/8] Detailed subnet configuration parameter --- collector/lib/CollectorConfig.cpp | 18 ++++++++++++++++++ collector/lib/CollectorConfig.h | 2 ++ collector/lib/CollectorService.cpp | 1 + collector/lib/ConnTracker.cpp | 13 ++++++++++--- collector/lib/ConnTracker.h | 2 ++ collector/test/ConnTrackerTest.cpp | 24 ++++++++++++++++++++++++ 6 files changed, 57 insertions(+), 3 deletions(-) diff --git a/collector/lib/CollectorConfig.cpp b/collector/lib/CollectorConfig.cpp index ce77bf69e2..5769dba51c 100644 --- a/collector/lib/CollectorConfig.cpp +++ b/collector/lib/CollectorConfig.cpp @@ -26,6 +26,9 @@ BoolEnvVar network_drop_ignored("ROX_NETWORK_DROP_IGNORED", true); // The default value contains link-local addresses for IPv4 (RFC3927) and IPv6 (RFC2462) StringListEnvVar ignored_networks("ROX_IGNORE_NETWORKS", std::vector({"169.254.0.0/16", "fe80::/10"})); +// Connection endpoints matching a network prefix listed here will never be aggregated. +StringListEnvVar detailed_networks("ROX_DETAIL_NETWORKS", std::vector()); + // If true, set curl to be verbose, adding further logging that might be useful for debugging. BoolEnvVar set_curl_verbose("ROX_COLLECTOR_SET_CURL_VERBOSE", false); @@ -185,6 +188,21 @@ void CollectorConfig::InitCollectorConfig(CollectorArgs* args) { } }); + std::for_each(detailed_networks.value().begin(), detailed_networks.value().end(), + [&detailed_networks = this->detailed_networks_](const std::string& str) { + if (str.empty()) + return; + + std::optional net = IPNet::parse(str); + + if (net) { + CLOG(INFO) << "Private network : " << *net; + detailed_networks.emplace_back(std::move(*net)); + } else { + CLOG(ERROR) << "Invalid network in ROX_DETAIL_NETWORKS : " << str; + } + }); + if (set_curl_verbose) { curl_verbose_ = true; } 
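Review bot: An entry that fails `IPNet::parse` in the new ROX_DETAIL_NETWORKS loop is logged and dropped while startup continues, so a single typo leaves the intended endpoints aggregated and the only trace is one ERROR line in the startup output. Because this list decides how much peer detail the collector reports, the message should state the consequence, e.g. `CLOG(ERROR) << "Invalid network in ROX_DETAIL_NETWORKS : " << str << " (entry ignored; matching endpoints stay aggregated)";`. Whether an invalid entry should instead abort startup depends on how other settings are treated, which this hunk does not show. The same else-branch is carried unchanged into the loop rewrite in PATCH 4/8, and InitCollectorConfig continues outside the hunk.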
diff --git a/collector/lib/CollectorConfig.h b/collector/lib/CollectorConfig.h index c72ec2b91a..4f60a2efc6 100644 --- a/collector/lib/CollectorConfig.h +++ b/collector/lib/CollectorConfig.h @@ -65,6 +65,7 @@ class CollectorConfig { bool DisableNetworkFlows() const { return disable_network_flows_; } const UnorderedSet& IgnoredL4ProtoPortPairs() const { return ignored_l4proto_port_pairs_; } const std::vector& IgnoredNetworks() const { return ignored_networks_; } + const std::vector& DetailedNetworks() const { return detailed_networks_; } bool CurlVerbose() const { return curl_verbose_; } bool EnableAfterglow() const { return enable_afterglow_; } bool IsCoreDumpEnabled() const; @@ -100,6 +101,7 @@ class CollectorConfig { bool scrape_listen_endpoints_ = false; UnorderedSet ignored_l4proto_port_pairs_; std::vector ignored_networks_; + std::vector detailed_networks_; bool curl_verbose_ = false; HostConfig host_config_; diff --git a/collector/lib/CollectorService.cpp b/collector/lib/CollectorService.cpp index 1e1e68b16b..099c641f07 100644 --- a/collector/lib/CollectorService.cpp +++ b/collector/lib/CollectorService.cpp @@ -86,6 +86,7 @@ void CollectorService::RunForever() { UnorderedSet ignored_l4proto_port_pairs(config_.IgnoredL4ProtoPortPairs()); conn_tracker->UpdateIgnoredL4ProtoPortPairs(std::move(ignored_l4proto_port_pairs)); conn_tracker->UpdateIgnoredNetworks(config_.IgnoredNetworks()); + conn_tracker->UpdateDetailedNetworks(config_.DetailedNetworks()); conn_tracker->EnableExternalIPs(config_.EnableExternalIPs()); auto network_connection_info_service_comm = std::make_shared(config_.Hostname(), config_.grpc_channel); diff --git a/collector/lib/ConnTracker.cpp b/collector/lib/ConnTracker.cpp index 59eefc3933..f9351c2239 100644 --- a/collector/lib/ConnTracker.cpp +++ b/collector/lib/ConnTracker.cpp 
@@ -76,14 +76,15 @@ IPNet ConnectionTracker::NormalizeAddressNoLock(const Address& address) const { return {}; } - bool private_addr = !address.IsPublic(); + // We want to keep private addresses and explicitely requested ones. + bool keep_addr = !address.IsPublic() || !detailed_networks_.Find(address).IsNull(); const bool* known_private_networks_exists = Lookup(known_private_networks_exists_, address.family()); - if (private_addr && (known_private_networks_exists && !*known_private_networks_exists)) { + if (keep_addr && (known_private_networks_exists && !*known_private_networks_exists)) { return IPNet(address, 0, true); } const auto& network = known_ip_networks_.Find(address); - if (private_addr || Contains(known_public_ips_, address)) { + if (keep_addr || Contains(known_public_ips_, address)) { return IPNet(address, network.bits(), true); } @@ -330,6 +331,12 @@ void ConnectionTracker::UpdateIgnoredNetworks(const std::vector& network_ } } +void ConnectionTracker::UpdateDetailedNetworks(const std::vector& network_list) { + WITH_LOCK(mutex_) { + detailed_networks_ = NRadixTree(network_list); + } +} + // Increment the stat counter matching the connection's characteristics inline void ConnectionTracker::IncrementConnectionStats(Connection conn, ConnectionTracker::Stats& stats) const { auto& direction = conn.is_server() ? stats.inbound : stats.outbound; diff --git a/collector/lib/ConnTracker.h b/collector/lib/ConnTracker.h index 07dc07813f..1860fdd597 100644 --- a/collector/lib/ConnTracker.h +++ b/collector/lib/ConnTracker.h 
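Review bot: Nothing in the new `keep_addr` path bounds how many distinct public peers are kept individually once a prefix in `detailed_networks_` matches, so a broad prefix combined with a workload that talks to many remote addresses grows connection state and reported flows with the number of peers instead of collapsing them into one network. That trade-off deserves a comment where `keep_addr` is computed, e.g. `// Listed prefixes opt out of aggregation: tracked state grows with the number of distinct peers inside them.` The existing comment's "explicitely" should read "explicitly"; the same wording is carried into PATCH 5/8. NormalizeAddressNoLock starts and ends outside the hunk.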
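Review bot: UpdateDetailedNetworks carries no comment saying when a new list takes effect, although the test added in this patch relies on it changing the result of the next `FetchConnState(true)` for a connection that was already tracked. A one-line comment above the definition would record that contract: `// Replaces the never-aggregate prefix list under mutex_; applies to already-tracked connections at the next normalized fetch.`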
@@ -130,6 +130,7 @@ class ConnectionTracker { void EnableExternalIPs(bool enable) { enable_external_ips_ = enable; } void UpdateIgnoredL4ProtoPortPairs(UnorderedSet&& ignored_l4proto_port_pairs); void UpdateIgnoredNetworks(const std::vector& network_list); + void UpdateDetailedNetworks(const std::vector& network_list); // Emplace a connection into the state ConnMap, or update its timestamp if the supplied timestamp is more recent // than the stored one. @@ -200,6 +201,7 @@ class ConnectionTracker { UnorderedMap known_private_networks_exists_; UnorderedSet ignored_l4proto_port_pairs_; NRadixTree ignored_networks_; + NRadixTree detailed_networks_; Stats inserted_connections_counters_ = {}; }; diff --git a/collector/test/ConnTrackerTest.cpp b/collector/test/ConnTrackerTest.cpp index cb94b4cadd..6c6852af9c 100644 --- a/collector/test/ConnTrackerTest.cpp +++ b/collector/test/ConnTrackerTest.cpp 
@@ -171,6 +171,30 @@ TEST(ConnTrackerTest, TestUpdateIgnoredNetworks) { EXPECT_TRUE(tracker.FetchConnState().empty()); } +TEST(ConnTrackerTest, TestUpdateDetailedNetworks) { + Endpoint a(Address(192, 168, 1, 10), 9999); + Endpoint b(Address(245, 1, 1, 1), 80); + + Connection conn1("xyz", a, b, L4Proto::TCP, false); + + int64_t time_micros = 1000; + + Connection conn_aggregated("xyz", Endpoint(IPNet(Address(), 0, true), 0), Endpoint(IPNet(Address(255, 255, 255, 255), 0), 80), L4Proto::TCP, false); + Connection conn_detailed("xyz", Endpoint(IPNet(Address(), 0, true), 0), Endpoint(IPNet(Address(245, 1, 1, 1), 0, true), 80), L4Proto::TCP, false); + + ConnectionTracker tracker; + + tracker.Update({conn1}, {}, time_micros); + + auto state = tracker.FetchConnState(true); + EXPECT_THAT(state, UnorderedElementsAre(std::make_pair(conn_aggregated, ConnStatus(time_micros, true)))); + + tracker.UpdateDetailedNetworks({IPNet(Address(240, 0, 0, 0), 4)}); + + state = tracker.FetchConnState(true); + EXPECT_THAT(state, UnorderedElementsAre(std::make_pair(conn_detailed, ConnStatus(time_micros, true)))); +} + TEST(ConnTrackerTest, TestUpdateNormalized) { Endpoint a(Address(192, 168, 0, 1), 80); Endpoint b(Address(192, 168, 1, 10), 9999); From ebb8732d62d096c58f4aa679992f449de6f1d20e Mon Sep 17 00:00:00 2001 From: Olivier Valentin Date: Mon, 22 Apr 2024 15:25:38 +0200 Subject: [PATCH 2/8] Stale log statement after renaming --- collector/lib/CollectorConfig.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/collector/lib/CollectorConfig.cpp b/collector/lib/CollectorConfig.cpp index 5769dba51c..0885e7595a 100644 --- a/collector/lib/CollectorConfig.cpp +++ b/collector/lib/CollectorConfig.cpp 
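Review bot: TestUpdateDetailedNetworks checks only the matching case: the single tracked peer lies inside 240.0.0.0/4, so an implementation whose lookup matched every address would pass as well. Track a second connection to a public peer outside the prefix and assert that it is still reported as the aggregated 255.255.255.255 endpoint after the update. An IPv6 prefix case would also be worth adding, since the lookup is keyed on `Address` for both families. The peer address in the sketch is a constructed sample and assumes `IsPublic()` is true for it.

```cpp
// … unchanged: endpoints a and b, conn1, time_micros, conn_aggregated, conn_detailed …
Endpoint c(Address(11, 1, 1, 1), 443);  // constructed sample: public peer outside 240.0.0.0/4
Connection conn2("xyz", a, c, L4Proto::TCP, false);
Connection conn2_aggregated("xyz", Endpoint(IPNet(Address(), 0, true), 0), Endpoint(IPNet(Address(255, 255, 255, 255), 0), 443), L4Proto::TCP, false);

ConnectionTracker tracker;

tracker.Update({conn1, conn2}, {}, time_micros);

auto state = tracker.FetchConnState(true);
EXPECT_THAT(state, UnorderedElementsAre(std::make_pair(conn_aggregated, ConnStatus(time_micros, true)),
                                        std::make_pair(conn2_aggregated, ConnStatus(time_micros, true))));

tracker.UpdateDetailedNetworks({IPNet(Address(240, 0, 0, 0), 4)});

// Only the peer inside the listed prefix may change; the other one must stay aggregated.
state = tracker.FetchConnState(true);
EXPECT_THAT(state, UnorderedElementsAre(std::make_pair(conn_detailed, ConnStatus(time_micros, true)),
                                        std::make_pair(conn2_aggregated, ConnStatus(time_micros, true))));
```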
@@ -196,7 +196,7 @@ void CollectorConfig::InitCollectorConfig(CollectorArgs* args) { std::optional net = IPNet::parse(str); if (net) { - CLOG(INFO) << "Private network : " << *net; + CLOG(INFO) << "Detail network : " << *net; detailed_networks.emplace_back(std::move(*net)); } else { CLOG(ERROR) << "Invalid network in ROX_DETAIL_NETWORKS : " << str; From 500b25b90327e6c439cebf39cd3cb93230855d12 Mon Sep 17 00:00:00 2001 From: Olivier Valentin Date: Thu, 4 Jul 2024 11:11:32 +0200 Subject: [PATCH 3/8] Rename detailed_networks to non_aggregated_networks --- collector/lib/CollectorConfig.cpp | 10 +++++----- collector/lib/CollectorConfig.h | 4 ++-- collector/lib/CollectorService.cpp | 2 +- collector/lib/ConnTracker.cpp | 6 +++--- collector/lib/ConnTracker.h | 4 ++-- collector/test/ConnTrackerTest.cpp | 4 ++-- 6 files changed, 15 insertions(+), 15 deletions(-) diff --git a/collector/lib/CollectorConfig.cpp b/collector/lib/CollectorConfig.cpp index 0885e7595a..5d4784740e 100644 --- a/collector/lib/CollectorConfig.cpp +++ b/collector/lib/CollectorConfig.cpp @@ -27,7 +27,7 @@ BoolEnvVar network_drop_ignored("ROX_NETWORK_DROP_IGNORED", true); StringListEnvVar ignored_networks("ROX_IGNORE_NETWORKS", std::vector({"169.254.0.0/16", "fe80::/10"})); // Connection endpoints matching a network prefix listed here will never be aggregated. -StringListEnvVar detailed_networks("ROX_DETAIL_NETWORKS", std::vector()); +StringListEnvVar non_aggregated_networks("ROX_NON_AGGREGATED_NETWORKS", std::vector()); // If true, set curl to be verbose, adding further logging that might be useful for debugging. BoolEnvVar set_curl_verbose("ROX_COLLECTOR_SET_CURL_VERBOSE", false); 
@@ -188,8 +188,8 @@ void CollectorConfig::InitCollectorConfig(CollectorArgs* args) { } }); - std::for_each(detailed_networks.value().begin(), detailed_networks.value().end(), - [&detailed_networks = this->detailed_networks_](const std::string& str) { + std::for_each(non_aggregated_networks.value().begin(), non_aggregated_networks.value().end(), + [&non_aggregated_networks = this->non_aggregated_networks_](const std::string& str) { if (str.empty()) return; @@ -197,9 +197,9 @@ void CollectorConfig::InitCollectorConfig(CollectorArgs* args) { if (net) { CLOG(INFO) << "Detail network : " << *net; - detailed_networks.emplace_back(std::move(*net)); + non_aggregated_networks.emplace_back(std::move(*net)); } else { - CLOG(ERROR) << "Invalid network in ROX_DETAIL_NETWORKS : " << str; + CLOG(ERROR) << "Invalid network in ROX_NON_AGGREGATED_NETWORKS : " << str; } }); diff --git a/collector/lib/CollectorConfig.h b/collector/lib/CollectorConfig.h index 4f60a2efc6..058e405417 100644 --- a/collector/lib/CollectorConfig.h +++ b/collector/lib/CollectorConfig.h @@ -65,7 +65,7 @@ class CollectorConfig { bool DisableNetworkFlows() const { return disable_network_flows_; } const UnorderedSet& IgnoredL4ProtoPortPairs() const { return ignored_l4proto_port_pairs_; } const std::vector& IgnoredNetworks() const { return ignored_networks_; } - const std::vector& DetailedNetworks() const { return detailed_networks_; } + const std::vector& NonAggregatedNetworks() const { return non_aggregated_networks_; } bool CurlVerbose() const { return curl_verbose_; } bool EnableAfterglow() const { return enable_afterglow_; } bool IsCoreDumpEnabled() const; @@ -101,7 +101,7 @@ class CollectorConfig { bool scrape_listen_endpoints_ = false; UnorderedSet ignored_l4proto_port_pairs_; std::vector ignored_networks_; - std::vector detailed_networks_; + std::vector non_aggregated_networks_; bool curl_verbose_ = false; HostConfig host_config_; 
diff --git a/collector/lib/CollectorService.cpp b/collector/lib/CollectorService.cpp index 099c641f07..5f9ff1cbba 100644 --- a/collector/lib/CollectorService.cpp +++ b/collector/lib/CollectorService.cpp @@ -86,7 +86,7 @@ void CollectorService::RunForever() { UnorderedSet ignored_l4proto_port_pairs(config_.IgnoredL4ProtoPortPairs()); conn_tracker->UpdateIgnoredL4ProtoPortPairs(std::move(ignored_l4proto_port_pairs)); conn_tracker->UpdateIgnoredNetworks(config_.IgnoredNetworks()); - conn_tracker->UpdateDetailedNetworks(config_.DetailedNetworks()); + conn_tracker->UpdateNonAggregatedNetworks(config_.NonAggregatedNetworks()); conn_tracker->EnableExternalIPs(config_.EnableExternalIPs()); auto network_connection_info_service_comm = std::make_shared(config_.Hostname(), config_.grpc_channel); diff --git a/collector/lib/ConnTracker.cpp b/collector/lib/ConnTracker.cpp index f9351c2239..7cc02dc6b2 100644 --- a/collector/lib/ConnTracker.cpp +++ b/collector/lib/ConnTracker.cpp @@ -77,7 +77,7 @@ IPNet ConnectionTracker::NormalizeAddressNoLock(const Address& address) const { } // We want to keep private addresses and explicitely requested ones. - bool keep_addr = !address.IsPublic() || !detailed_networks_.Find(address).IsNull(); + bool keep_addr = !address.IsPublic() || !non_aggregated_networks_.Find(address).IsNull(); const bool* known_private_networks_exists = Lookup(known_private_networks_exists_, address.family()); if (keep_addr && (known_private_networks_exists && !*known_private_networks_exists)) { return IPNet(address, 0, true); @@ -331,9 +331,9 @@ void ConnectionTracker::UpdateIgnoredNetworks(const std::vector& network_ } } -void ConnectionTracker::UpdateDetailedNetworks(const std::vector& network_list) { +void ConnectionTracker::UpdateNonAggregatedNetworks(const std::vector& network_list) { WITH_LOCK(mutex_) { - detailed_networks_ = NRadixTree(network_list); + non_aggregated_networks_ = NRadixTree(network_list); } } 
diff --git a/collector/lib/ConnTracker.h b/collector/lib/ConnTracker.h index 1860fdd597..5f5cdf9b53 100644 --- a/collector/lib/ConnTracker.h +++ b/collector/lib/ConnTracker.h @@ -130,7 +130,7 @@ class ConnectionTracker { void EnableExternalIPs(bool enable) { enable_external_ips_ = enable; } void UpdateIgnoredL4ProtoPortPairs(UnorderedSet&& ignored_l4proto_port_pairs); void UpdateIgnoredNetworks(const std::vector& network_list); - void UpdateDetailedNetworks(const std::vector& network_list); + void UpdateNonAggregatedNetworks(const std::vector& network_list); // Emplace a connection into the state ConnMap, or update its timestamp if the supplied timestamp is more recent // than the stored one. @@ -201,7 +201,7 @@ class ConnectionTracker { UnorderedMap known_private_networks_exists_; UnorderedSet ignored_l4proto_port_pairs_; NRadixTree ignored_networks_; - NRadixTree detailed_networks_; + NRadixTree non_aggregated_networks_; Stats inserted_connections_counters_ = {}; }; diff --git a/collector/test/ConnTrackerTest.cpp b/collector/test/ConnTrackerTest.cpp index 6c6852af9c..84a40ff93c 100644 --- a/collector/test/ConnTrackerTest.cpp +++ b/collector/test/ConnTrackerTest.cpp @@ -171,7 +171,7 @@ TEST(ConnTrackerTest, TestUpdateIgnoredNetworks) { EXPECT_TRUE(tracker.FetchConnState().empty()); } -TEST(ConnTrackerTest, TestUpdateDetailedNetworks) { +TEST(ConnTrackerTest, TestUpdateNonAggregatedNetworks) { Endpoint a(Address(192, 168, 1, 10), 9999); Endpoint b(Address(245, 1, 1, 1), 80); 
@@ -189,7 +189,7 @@ TEST(ConnTrackerTest, TestUpdateDetailedNetworks) { auto state = tracker.FetchConnState(true); EXPECT_THAT(state, UnorderedElementsAre(std::make_pair(conn_aggregated, ConnStatus(time_micros, true)))); - tracker.UpdateDetailedNetworks({IPNet(Address(240, 0, 0, 0), 4)}); + tracker.UpdateNonAggregatedNetworks({IPNet(Address(240, 0, 0, 0), 4)}); state = tracker.FetchConnState(true); EXPECT_THAT(state, UnorderedElementsAre(std::make_pair(conn_detailed, ConnStatus(time_micros, true)))); From f9468f19052b1e62fb10e84d122aea74c37c3bc9 Mon Sep 17 00:00:00 2001 From: Olivier Valentin Date: Thu, 4 Jul 2024 11:18:23 +0200 Subject: [PATCH 4/8] Use plain for loops to enhance readability --- collector/lib/CollectorConfig.cpp | 56 +++++++++++++++---------------- 1 file changed, 27 insertions(+), 29 deletions(-) diff --git a/collector/lib/CollectorConfig.cpp b/collector/lib/CollectorConfig.cpp index 5d4784740e..d6a6a3ae1f 100644 --- a/collector/lib/CollectorConfig.cpp +++ b/collector/lib/CollectorConfig.cpp 
@@ -173,35 +173,33 @@ void CollectorConfig::InitCollectorConfig(CollectorArgs* args) { ignored_l4proto_port_pairs_ = kIgnoredL4ProtoPortPairs; } - std::for_each(ignored_networks.value().begin(), ignored_networks.value().end(), - [&ignored_networks = this->ignored_networks_](const std::string& str) { - if (str.empty()) - return; - - std::optional net = IPNet::parse(str); - - if (net) { - CLOG(INFO) << "Ignore network : " << *net; - ignored_networks.emplace_back(std::move(*net)); - } else { - CLOG(ERROR) << "Invalid network in ROX_IGNORE_NETWORKS : " << str; - } - }); - - std::for_each(non_aggregated_networks.value().begin(), non_aggregated_networks.value().end(), - [&non_aggregated_networks = this->non_aggregated_networks_](const std::string& str) { - if (str.empty()) - return; - - std::optional net = IPNet::parse(str); - - if (net) { - CLOG(INFO) << "Detail network : " << *net; - non_aggregated_networks.emplace_back(std::move(*net)); - } else { - CLOG(ERROR) << "Invalid network in ROX_NON_AGGREGATED_NETWORKS : " << str; - } - }); + for (const std::string &str : ignored_networks.value()) { + if (str.empty()) + continue; + + std::optional net = IPNet::parse(str); + + if (net) { + CLOG(INFO) << "Ignore network : " << *net; + ignored_networks_.emplace_back(std::move(*net)); + } else { + CLOG(ERROR) << "Invalid network in ROX_IGNORE_NETWORKS : " << str; + } + } + + for (const std::string &str : non_aggregated_networks.value()) { + if (str.empty()) + continue; + + std::optional net = IPNet::parse(str); + + if (net) { + CLOG(INFO) << "Detail network : " << *net; + non_aggregated_networks_.emplace_back(std::move(*net)); + } else { + CLOG(ERROR) << "Invalid network in ROX_NON_AGGREGATED_NETWORKS : " << str; + } + } if (set_curl_verbose) { curl_verbose_ = true; From dd6048e1b05e3a796ec2c0e2b422de679c229f31 Mon Sep 17 00:00:00 2001 
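Review bot: The two rewritten loops differ only in the source list, the destination vector and the two log strings, so any later change to how entries are validated or rejected has to be made twice and can drift between the ignore list and the non-aggregated list. A file-local helper that takes those four things would keep both lists parsed identically. The container and element types in the sketch are inferred, because the template arguments are not visible on this page. InitCollectorConfig starts and ends outside the hunk.

```cpp
// Parse every non-empty entry as an IPNet and append it to `out`; invalid entries are logged and skipped.
static void AppendParsedNetworks(const char* env_name, const char* label,
                                 const std::vector<std::string>& entries,
                                 std::vector<IPNet>& out) {
  for (const std::string& str : entries) {
    if (str.empty()) {
      continue;
    }

    if (std::optional<IPNet> net = IPNet::parse(str)) {
      CLOG(INFO) << label << " : " << *net;
      out.emplace_back(std::move(*net));
    } else {
      CLOG(ERROR) << "Invalid network in " << env_name << " : " << str;
    }
  }
}

// … unchanged: InitCollectorConfig up to the ignored_l4proto_port_pairs_ assignment …
  AppendParsedNetworks("ROX_IGNORE_NETWORKS", "Ignore network", ignored_networks.value(), ignored_networks_);
  AppendParsedNetworks("ROX_NON_AGGREGATED_NETWORKS", "Detail network", non_aggregated_networks.value(), non_aggregated_networks_);
```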
From: Olivier Valentin Date: Thu, 4 Jul 2024 11:38:35 +0200 Subject: [PATCH 5/8] Make it clearer which addresses we want to keep non-aggregated. --- collector/lib/ConnTracker.cpp | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/collector/lib/ConnTracker.cpp b/collector/lib/ConnTracker.cpp index 7cc02dc6b2..18ca75abda 100644 --- a/collector/lib/ConnTracker.cpp +++ b/collector/lib/ConnTracker.cpp @@ -76,8 +76,12 @@ IPNet ConnectionTracker::NormalizeAddressNoLock(const Address& address) const { return {}; } + bool private_addr = !address.IsPublic(); + bool do_not_aggregate_addr = !non_aggregated_networks_.Find(address).IsNull(); + // We want to keep private addresses and explicitely requested ones. - bool keep_addr = !address.IsPublic() || !non_aggregated_networks_.Find(address).IsNull(); + bool keep_addr = private_addr || do_not_aggregate_addr; + const bool* known_private_networks_exists = Lookup(known_private_networks_exists_, address.family()); if (keep_addr && (known_private_networks_exists && !*known_private_networks_exists)) { return IPNet(address, 0, true); From 17cabfcf8a15f6c922b48256c833a29f40b1f50b Mon Sep 17 00:00:00 2001 From: Olivier Valentin Date: Thu, 4 Jul 2024 11:50:55 +0200 Subject: [PATCH 6/8] formatting --- collector/lib/CollectorConfig.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/collector/lib/CollectorConfig.cpp b/collector/lib/CollectorConfig.cpp index d6a6a3ae1f..ec0ddcd46d 100644 --- a/collector/lib/CollectorConfig.cpp +++ b/collector/lib/CollectorConfig.cpp @@ -173,7 +173,7 @@ void CollectorConfig::InitCollectorConfig(CollectorArgs* args) { ignored_l4proto_port_pairs_ = kIgnoredL4ProtoPortPairs; } - for (const std::string &str : ignored_networks.value()) { + for (const std::string& str : ignored_networks.value()) { if (str.empty()) continue; 
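Review bot: `do_not_aggregate_addr` is now evaluated for every address, whereas the single expression it replaces skipped `non_aggregated_networks_.Find(address)` for private addresses through `||` short-circuiting. If NormalizeAddressNoLock sits on the per-connection path, which its name suggests but the hunk does not show, the named booleans can be kept without the extra radix lookup: `const bool do_not_aggregate_addr = !private_addr && !non_aggregated_networks_.Find(address).IsNull();`. `keep_addr` is unchanged by that, and all three locals can be `const`, matching `known_private_networks_exists` below them. The function body continues outside the hunk.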
@@ -187,7 +187,7 @@ void CollectorConfig::InitCollectorConfig(CollectorArgs* args) { } } - for (const std::string &str : non_aggregated_networks.value()) { + for (const std::string& str : non_aggregated_networks.value()) { if (str.empty()) continue; From 5344c047cef4be3b2678a8b86765b4c9805c90b5 Mon Sep 17 00:00:00 2001 From: Olivier Valentin Date: Thu, 4 Jul 2024 16:06:52 +0200 Subject: [PATCH 7/8] Missed a message while renaming --- collector/lib/CollectorConfig.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/collector/lib/CollectorConfig.cpp b/collector/lib/CollectorConfig.cpp index ec0ddcd46d..921b1bbc6d 100644 --- a/collector/lib/CollectorConfig.cpp +++ b/collector/lib/CollectorConfig.cpp @@ -194,7 +194,7 @@ void CollectorConfig::InitCollectorConfig(CollectorArgs* args) { std::optional net = IPNet::parse(str); if (net) { - CLOG(INFO) << "Detail network : " << *net; + CLOG(INFO) << "Non-aggregated network : " << *net; non_aggregated_networks_.emplace_back(std::move(*net)); } else { CLOG(ERROR) << "Invalid network in ROX_NON_AGGREGATED_NETWORKS : " << str; From a49a28bc6926a7bb08e3ee4779253a4981ce78d4 Mon Sep 17 00:00:00 2001 From: Olivier Valentin Date: Thu, 4 Jul 2024 16:22:39 +0200 Subject: [PATCH 8/8] Document ROX_NON_AGGREGATED_NETWORKS --- docs/references.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/references.md b/docs/references.md index eb4a861f82..ceed7cdcca 100644 --- a/docs/references.md +++ b/docs/references.md 
@@ -21,6 +21,12 @@ port pairs (at the moment only `udp/9`). The default is true. Any connection with a remote peer matching this list will not be reported. The default is `169.254.0.0/16,fe80::/10` +* `ROX_NON_AGGREGATED_NETWORKS`: A coma-separated list of network prefixes +indicating endpoints which should never be considered for aggregation. +This option can be useful when the CIDR blocks used for services or PODs are +not standard private subnets, as it will prevent Collector from handling them +as public IPs. + * `ROX_NETWORK_GRAPH_PORTS`: Controls whether to retrieve TCP listening sockets, while reading connection information from procfs. The default is true.