ROX-19605: new feature-flag to control aggregation of unmatched IPs

ROX_COLLECTOR_AGGREGATE_UNMATCHED_IP defaults to 'true'

collector/lib/CollectorConfig.cpp

@@ -38,6 +38,8 @@ BoolEnvVar set_import_users("ROX_COLLECTOR_SET_IMPORT_USERS", false);
 
 BoolEnvVar collect_connection_status("ROX_COLLECT_CONNECTION_STATUS", true);
 
+BoolEnvVar aggregate_unmatched_ip("ROX_COLLECTOR_AGGREGATE_UNMATCHED_IP", true);
+
 }  // namespace
 
 constexpr bool CollectorConfig::kTurnOffScrape;
@@ -58,6 +60,7 @@ CollectorConfig::CollectorConfig(CollectorArgs* args) {
   core_bpf_hardfail_ = core_bpf_hardfail.value();
   import_users_ = set_import_users.value();
   collect_connection_status_ = collect_connection_status.value();
+  aggregate_unmatched_ip_ = aggregate_unmatched_ip.value();
 
   for (const auto& syscall : kSyscalls) {
     syscalls_.push_back(syscall);
@@ -236,7 +239,8 @@ std::ostream& operator<<(std::ostream& os, const CollectorConfig& c) {
          << ", processesListeningOnPorts:" << c.IsProcessesListeningOnPortsEnabled()
          << ", logLevel:" << c.LogLevel()
          << ", set_import_users:" << c.ImportUsers()
-         << ", collect_connection_status:" << c.CollectConnectionStatus();
+         << ", collect_connection_status:" << c.CollectConnectionStatus()
+         << ", aggregate_unmatched_ip:" << c.AggregateUnmatchedIp();
 }
 
 }  // namespace collector

collector/lib/CollectorConfig.h

@@ -72,6 +72,7 @@ class CollectorConfig {
   bool CoReBPFHardfail() const { return core_bpf_hardfail_; }
   bool ImportUsers() const { return import_users_; }
   bool CollectConnectionStatus() const { return collect_connection_status_; }
+  bool AggregateUnmatchedIp() const { return aggregate_unmatched_ip_; }
 
   std::shared_ptr<grpc::Channel> grpc_channel;
 
@@ -95,6 +96,7 @@ class CollectorConfig {
   bool core_bpf_hardfail_;
   bool import_users_;
   bool collect_connection_status_;
+  bool aggregate_unmatched_ip_;
 
   Json::Value tls_config_;
 };

collector/lib/CollectorService.cpp

@@ -79,6 +79,7 @@ void CollectorService::RunForever() {
     conn_tracker = std::make_shared<ConnectionTracker>();
     UnorderedSet<L4ProtoPortPair> ignored_l4proto_port_pairs(config_.IgnoredL4ProtoPortPairs());
     conn_tracker->UpdateIgnoredL4ProtoPortPairs(std::move(ignored_l4proto_port_pairs));
+    conn_tracker->AggregateUnmatchedIp(config_.AggregateUnmatchedIp());
 
     auto network_connection_info_service_comm = std::make_shared<NetworkConnectionInfoServiceComm>(config_.Hostname(), config_.grpc_channel);
 

collector/lib/ConnTracker.cpp

@@ -91,15 +91,19 @@ IPNet ConnectionTracker::NormalizeAddressNoLock(const Address& address) const {
     return network;
   }
 
-  // Otherwise, associate it to "rest of the internet".
-  switch (address.family()) {
-    case Address::Family::IPV4:
-      return IPNet(canonical_external_ipv4_addr, 0, true);
-    case Address::Family::IPV6:
-      return IPNet(canonical_external_ipv6_addr, 0, true);
-    default:
-      return {};
+  if (aggregateUnmatchedIp_) {
+    // associate it to "rest of the internet".
+    switch (address.family()) {
+      case Address::Family::IPV4:
+        return IPNet(canonical_external_ipv4_addr, 0, true);
+      case Address::Family::IPV6:
+        return IPNet(canonical_external_ipv6_addr, 0, true);
+      default:
+        return {};
+    }
   }
+
+  return IPNet(address, 0, true);
 }
 
 Connection ConnectionTracker::NormalizeConnectionNoLock(const Connection& conn) const {

collector/lib/ConnTracker.h

@@ -127,6 +127,7 @@ class ConnectionTracker {
 
   void UpdateKnownPublicIPs(UnorderedSet<Address>&& known_public_ips);
   void UpdateKnownIPNetworks(UnorderedMap<Address::Family, std::vector<IPNet>>&& known_ip_networks);
+  void AggregateUnmatchedIp(bool aggregate) { aggregateUnmatchedIp_ = aggregate; }
   void UpdateIgnoredL4ProtoPortPairs(UnorderedSet<L4ProtoPortPair>&& ignored_l4proto_port_pairs);
 
   // Emplace a connection into the state ConnMap, or update its timestamp if the supplied timestamp is more recent
@@ -176,6 +177,7 @@ class ConnectionTracker {
 
   UnorderedSet<Address> known_public_ips_;
   NRadixTree known_ip_networks_;
+  bool aggregateUnmatchedIp_ = true;
   UnorderedMap<Address::Family, bool> known_private_networks_exists_;
   UnorderedSet<L4ProtoPortPair> ignored_l4proto_port_pairs_;
 };