[NPM-4291] Add config to exclude subnets from dynamic path (#35035)

Co-authored-by: Bryce Eadie <[email protected]>

Author: pimlu

comp/networkpath/npcollector/npcollectorimpl/config.go

@@ -25,6 +25,8 @@ type collectorConfigs struct {
 	reverseDNSTimeout            time.Duration
 	disableIntraVPCCollection    bool
 	networkDevicesNamespace      string
+	sourceExcludedConns          map[string][]string
+	destExcludedConns            map[string][]string
 }
 
 func newConfig(agentConfig config.Component) *collectorConfigs {
@@ -46,6 +48,8 @@ func newConfig(agentConfig config.Component) *collectorConfigs {
 		reverseDNSEnabled:         agentConfig.GetBool("network_path.collector.reverse_dns_enrichment.enabled"),
 		reverseDNSTimeout:         agentConfig.GetDuration("network_path.collector.reverse_dns_enrichment.timeout") * time.Millisecond,
 		disableIntraVPCCollection: agentConfig.GetBool("network_path.collector.disable_intra_vpc_collection"),
+		sourceExcludedConns:       agentConfig.GetStringMapStringSlice("network_path.collector.source_excludes"),
+		destExcludedConns:         agentConfig.GetStringMapStringSlice("network_path.collector.dest_excludes"),
 		networkDevicesNamespace:   agentConfig.GetString("network_devices.namespace"),
 	}
 }

comp/networkpath/npcollector/npcollectorimpl/npcollector.go

@@ -12,6 +12,7 @@ import (
 	"errors"
 	"fmt"
 	"net"
+	"net/netip"
 	"time"
 
 	model "github.com/DataDog/agent-payload/v5/process"
@@ -25,6 +26,7 @@ import (
 	"github.com/DataDog/datadog-agent/comp/networkpath/npcollector/npcollectorimpl/pathteststore"
 	rdnsquerier "github.com/DataDog/datadog-agent/comp/rdnsquerier/def"
 	"github.com/DataDog/datadog-agent/pkg/logs/message"
+	filter "github.com/DataDog/datadog-agent/pkg/network/tracer/networkfilter"
 	"github.com/DataDog/datadog-agent/pkg/networkpath/payload"
 	"github.com/DataDog/datadog-agent/pkg/networkpath/traceroute"
 	"github.com/DataDog/datadog-agent/pkg/networkpath/traceroute/config"
@@ -40,7 +42,10 @@ const (
 )
 
 type npCollectorImpl struct {
+	// config related
 	collectorConfigs *collectorConfigs
+	sourceExcludes   []*filter.ConnectionFilter
+	destExcludes     []*filter.ConnectionFilter
 
 	// Deps
 	epForwarder  eventplatform.Forwarder
@@ -84,26 +89,17 @@ func newNoopNpCollectorImpl() *npCollectorImpl {
 }
 
 func newNpCollectorImpl(epForwarder eventplatform.Forwarder, collectorConfigs *collectorConfigs, logger log.Component, telemetrycomp telemetryComp.Component, rdnsquerier rdnsquerier.Component, statsd ddgostatsd.ClientInterface) *npCollectorImpl {
-	logger.Infof("New NpCollector (workers=%d timeout=%d max_ttl=%d input_chan_size=%d processing_chan_size=%d pathtest_contexts_limit=%d pathtest_ttl=%s pathtest_interval=%s max_per_minute=%d flush_interval=%s reverse_dns_enabled=%t reverse_dns_timeout=%d)",
-		collectorConfigs.workers,
-		collectorConfigs.timeout,
-		collectorConfigs.maxTTL,
-		collectorConfigs.pathtestInputChanSize,
-		collectorConfigs.pathtestProcessingChanSize,
-		collectorConfigs.storeConfig.ContextsLimit,
-		collectorConfigs.storeConfig.TTL,
-		collectorConfigs.storeConfig.Interval,
-		collectorConfigs.storeConfig.MaxPerMinute,
-		collectorConfigs.flushInterval,
-		collectorConfigs.reverseDNSEnabled,
-		collectorConfigs.reverseDNSTimeout,
-	)
+	logger.Infof("New NpCollector %+v", collectorConfigs)
 
 	return &npCollectorImpl{
-		epForwarder:      epForwarder,
 		collectorConfigs: collectorConfigs,
-		rdnsquerier:      rdnsquerier,
-		logger:           logger,
+		sourceExcludes:   filter.ParseConnectionFilters(collectorConfigs.sourceExcludedConns),
+		destExcludes:     filter.ParseConnectionFilters(collectorConfigs.destExcludedConns),
+
+		epForwarder:  epForwarder,
+		logger:       logger,
+		statsdClient: statsd,
+		rdnsquerier:  rdnsquerier,
 
 		pathtestStore:          pathteststore.NewPathtestStore(collectorConfigs.storeConfig, logger, statsd, time.Now),
 		pathtestInputChan:      make(chan *common.Pathtest, collectorConfigs.pathtestInputChanSize),
@@ -124,7 +120,6 @@ func newNpCollectorImpl(epForwarder eventplatform.Forwarder, collectorConfigs *c
 		flushLoopDone: make(chan struct{}),
 
 		runTraceroute: runTraceroute,
-		statsdClient:  statsd,
 	}
 }
 
@@ -157,15 +152,57 @@ func makePathtest(conn *model.Connection, dns map[string]*model.DNSEntry) common
 	}
 }
 
-func doSubnetsContainIP(subnets []*net.IPNet, ip net.IP) bool {
+func doSubnetsContainIP(subnets []*net.IPNet, ip netip.Addr) bool {
 	for _, subnet := range subnets {
-		if subnet.Contains(ip) {
+		if subnet.Contains(net.IP(ip.AsSlice())) {
 			return true
 		}
 	}
 	return false
 }
 
+func (s *npCollectorImpl) checkPassesConnCIDRFilters(conn *model.Connection, vpcSubnets []*net.IPNet) bool {
+	if len(vpcSubnets) == 0 && len(s.sourceExcludes) == 0 && len(s.destExcludes) == 0 {
+		// this should be most customers - parsing IPs is not necessary
+		return true
+	}
+
+	sourceAddr, err := netip.ParseAddr(conn.Laddr.Ip)
+	if err != nil {
+		s.statsdClient.Incr(netpathConnsSkippedMetricName, []string{"reason:failed_parse_source_ip"}, 1) //nolint:errcheck
+		return false
+	}
+	source := netip.AddrPortFrom(sourceAddr, uint16(conn.Laddr.Port))
+
+	translatedDest := conn.Raddr.Ip
+	// prefer IP translation if it's available
+	if conn.IpTranslation != nil && conn.IpTranslation.ReplDstIP != "" {
+		translatedDest = conn.IpTranslation.ReplDstIP
+	}
+	destAddr, err := netip.ParseAddr(translatedDest)
+	if err != nil {
+		s.statsdClient.Incr(netpathConnsSkippedMetricName, []string{"reason:failed_parse_dest_ip"}, 1) //nolint:errcheck
+		return false
+	}
+	dest := netip.AddrPortFrom(destAddr, uint16(conn.Raddr.Port))
+
+	if doSubnetsContainIP(vpcSubnets, dest.Addr()) {
+		s.statsdClient.Incr(netpathConnsSkippedMetricName, []string{"reason:skip_intra_vpc"}, 1) //nolint:errcheck
+		return false
+	}
+
+	filterable := filter.FilterableConnection{
+		Type:   conn.Type,
+		Source: source,
+		Dest:   dest,
+	}
+	if filter.IsExcludedConnection(s.sourceExcludes, s.destExcludes, filterable) {
+		s.statsdClient.Incr(netpathConnsSkippedMetricName, []string{"reason:skip_cidr_excluded"}, 1) //nolint:errcheck
+		return false
+	}
+	return true
+
+}
 func (s *npCollectorImpl) shouldScheduleNetworkPathForConn(conn *model.Connection, vpcSubnets []*net.IPNet) bool {
 	if conn == nil {
 		return false
@@ -183,22 +220,8 @@ func (s *npCollectorImpl) shouldScheduleNetworkPathForConn(conn *model.Connectio
 		s.statsdClient.Incr(netpathConnsSkippedMetricName, []string{"reason:skip_ipv6"}, 1) //nolint:errcheck
 		return false
 	}
-	translatedDest := conn.Raddr.Ip
-	// prefer IP translation if it's available
-	if conn.IpTranslation != nil && conn.IpTranslation.ReplDstIP != "" {
-		translatedDest = conn.IpTranslation.ReplDstIP
-	}
-	remoteIP := net.ParseIP(translatedDest)
-	if remoteIP.IsLoopback() {
-		// is this case possible, given that we already filter out IntraHost?
-		s.statsdClient.Incr(netpathConnsSkippedMetricName, []string{"reason:skip_loopback"}, 1) //nolint:errcheck
-		return false
-	}
-	if doSubnetsContainIP(vpcSubnets, remoteIP) {
-		s.statsdClient.Incr(netpathConnsSkippedMetricName, []string{"reason:skip_intra_vpc"}, 1) //nolint:errcheck
-		return false
-	}
-	return true
+
+	return s.checkPassesConnCIDRFilters(conn, vpcSubnets)
 }
 
 func (s *npCollectorImpl) getVPCSubnets() ([]*net.IPNet, error) {

comp/networkpath/npcollector/npcollectorimpl/npcollector_test.go

@@ -891,14 +891,18 @@ func Test_npCollectorImpl_getReverseDNSResult(t *testing.T) {
 }
 
 var subnetSkippedStat = teststatsd.MetricsArgs{Name: netpathConnsSkippedMetricName, Value: 1, Tags: []string{"reason:skip_intra_vpc"}, Rate: 1}
+var cidrExcludedStat = teststatsd.MetricsArgs{Name: netpathConnsSkippedMetricName, Value: 1, Tags: []string{"reason:skip_cidr_excluded"}, Rate: 1}
 
 func Test_npCollectorImpl_shouldScheduleNetworkPathForConn(t *testing.T) {
 	tests := []struct {
-		name           string
-		conn           *model.Connection
-		vpcSubnets     []*net.IPNet
-		shouldSchedule bool
-		subnetSkipped  bool
+		name               string
+		conn               *model.Connection
+		vpcSubnets         []*net.IPNet
+		shouldSchedule     bool
+		subnetSkipped      bool
+		sourceExcludes     map[string][]string
+		destExcludes       map[string][]string
+		connectionExcluded bool
 	}{
 		{
 			name: "should schedule",
@@ -946,6 +950,7 @@ func Test_npCollectorImpl_shouldScheduleNetworkPathForConn(t *testing.T) {
 				Raddr:     &model.Addr{Ip: "127.0.0.2", Port: int32(80)},
 				Direction: model.ConnectionDirection_outgoing,
 				Family:    model.ConnectionFamily_v4,
+				IntraHost: true, // loopback is always IntraHost
 			},
 			shouldSchedule: false,
 		},
@@ -1025,13 +1030,110 @@ func Test_npCollectorImpl_shouldScheduleNetworkPathForConn(t *testing.T) {
 			shouldSchedule: false,
 			subnetSkipped:  true,
 		},
+		// connection exclusion tests
+		{
+			name: "exclusion: block dest exactly",
+			conn: &model.Connection{
+				Laddr:     &model.Addr{Ip: "10.0.0.1", Port: int32(30000)},
+				Raddr:     &model.Addr{Ip: "10.0.0.2", Port: int32(80)},
+				Direction: model.ConnectionDirection_outgoing,
+			},
+			destExcludes: map[string][]string{
+				"10.0.0.2": {"80"},
+			},
+			shouldSchedule:     false,
+			connectionExcluded: true,
+		},
+		{
+			name: "exclusion: block dest but different port",
+			conn: &model.Connection{
+				Laddr:     &model.Addr{Ip: "10.0.0.1", Port: int32(30000)},
+				Raddr:     &model.Addr{Ip: "10.0.0.2", Port: int32(80)},
+				Direction: model.ConnectionDirection_outgoing,
+			},
+			destExcludes: map[string][]string{
+				"10.0.0.2": {"42"},
+			},
+			shouldSchedule:     true,
+			connectionExcluded: false,
+		},
+		{
+			name: "exclusion: block source with port range",
+			conn: &model.Connection{
+				Laddr:     &model.Addr{Ip: "10.0.0.1", Port: int32(30000)},
+				Raddr:     &model.Addr{Ip: "10.0.0.2", Port: int32(80)},
+				Direction: model.ConnectionDirection_outgoing,
+			},
+			sourceExcludes: map[string][]string{
+				"10.0.0.1": {"30000-30005"},
+			},
+			shouldSchedule:     false,
+			connectionExcluded: true,
+		},
+		{
+			name: "exclusion: block dest subnet",
+			conn: &model.Connection{
+				Laddr:     &model.Addr{Ip: "10.0.0.1", Port: int32(30000)},
+				Raddr:     &model.Addr{Ip: "10.0.0.2", Port: int32(80)},
+				Direction: model.ConnectionDirection_outgoing,
+			},
+			destExcludes: map[string][]string{
+				"10.0.0.0/8": {"*"},
+			},
+			shouldSchedule:     false,
+			connectionExcluded: true,
+		},
+		{
+			name: "exclusion: block dest subnet, no match",
+			conn: &model.Connection{
+				Laddr:     &model.Addr{Ip: "10.0.0.1", Port: int32(30000)},
+				Raddr:     &model.Addr{Ip: "192.168.1.1", Port: int32(80)},
+				Direction: model.ConnectionDirection_outgoing,
+			},
+			destExcludes: map[string][]string{
+				"10.0.0.0/8": {"*"},
+			},
+			shouldSchedule:     true,
+			connectionExcluded: false,
+		},
+		{
+			name: "exclusion: only UDP, matching case",
+			conn: &model.Connection{
+				Type:      model.ConnectionType_udp,
+				Laddr:     &model.Addr{Ip: "10.0.0.1", Port: int32(30000)},
+				Raddr:     &model.Addr{Ip: "10.0.0.2", Port: int32(123)},
+				Direction: model.ConnectionDirection_outgoing,
+			},
+			sourceExcludes: map[string][]string{
+				"10.0.0.0/8": {"udp *"},
+			},
+			shouldSchedule:     false,
+			connectionExcluded: true,
+		},
+		{
+			name: "exclusion: only UDP, non-matching case",
+			conn: &model.Connection{
+				// (tcp is 0 so this doesn't actually do anything)
+				Type:      model.ConnectionType_tcp,
+				Laddr:     &model.Addr{Ip: "10.0.0.1", Port: int32(30000)},
+				Raddr:     &model.Addr{Ip: "10.0.0.2", Port: int32(123)},
+				Direction: model.ConnectionDirection_outgoing,
+			},
+			sourceExcludes: map[string][]string{
+				"10.0.0.0/8": {"udp *"},
+			},
+			shouldSchedule:     true,
+			connectionExcluded: false,
+		},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			agentConfigs := map[string]any{
 				"network_path.connections_monitoring.enabled":         true,
 				"network_path.collector.disable_intra_vpc_collection": true,
+				"network_path.collector.source_excludes":              tt.sourceExcludes,
+				"network_path.collector.dest_excludes":                tt.destExcludes,
 			}
 			stats := &teststatsd.Client{}
 			_, npCollector := newTestNpCollector(t, agentConfigs, stats)
@@ -1043,6 +1145,11 @@ func Test_npCollectorImpl_shouldScheduleNetworkPathForConn(t *testing.T) {
 			} else {
 				require.NotContains(t, stats.CountCalls, subnetSkippedStat)
 			}
+			if tt.connectionExcluded {
+				require.Contains(t, stats.CountCalls, cidrExcludedStat)
+			} else {
+				require.NotContains(t, stats.CountCalls, cidrExcludedStat)
+			}
 		})
 	}
 }

pkg/config/setup/config.go

@@ -492,6 +492,8 @@ func InitConfig(config pkgconfigmodel.Setup) {
 	config.BindEnvAndSetDefault("network_path.collector.reverse_dns_enrichment.enabled", true)
 	config.BindEnvAndSetDefault("network_path.collector.reverse_dns_enrichment.timeout", 5000)
 	config.BindEnvAndSetDefault("network_path.collector.disable_intra_vpc_collection", false)
+	config.BindEnvAndSetDefault("network_path.collector.source_excludes", map[string][]string{})
+	config.BindEnvAndSetDefault("network_path.collector.dest_excludes", map[string][]string{})
 	bindEnvAndSetLogsConfigKeys(config, "network_path.forwarder.")
 
 	// HA Agent

pkg/network/encoding/marshal/format.go

@@ -76,7 +76,7 @@ func FormatConnection(builder *model.ConnectionBuilder, conn network.ConnectionS
 		w.SetContainerId(containerID)
 	})
 	builder.SetFamily(uint64(formatFamily(conn.Family)))
-	builder.SetType(uint64(formatType(conn.Type)))
+	builder.SetType(uint64(FormatType(conn.Type)))
 	builder.SetIsLocalPortEphemeral(uint64(formatEphemeralType(conn.SPortIsEphemeral)))
 	builder.SetLastBytesSent(conn.Last.SentBytes)
 	builder.SetLastBytesReceived(conn.Last.RecvBytes)
@@ -191,7 +191,8 @@ func formatFamily(f network.ConnectionFamily) model.ConnectionFamily {
 	}
 }
 
-func formatType(f network.ConnectionType) model.ConnectionType {
+// FormatType converts a network.ConnectionType to a protobuf model.ConnectionType
+func FormatType(f network.ConnectionType) model.ConnectionType {
 	switch f {
 	case network.TCP:
 		return model.ConnectionType_tcp