
exclude reporting of `container_net_tcp_*` metrics for TCP ports within the ephemeral port range (32768-60999)

Anton Petruhin %!s(int64=2) %!d(string=hai) anos
pai
achega
b9e598226e
Modificáronse 4 ficheiros con 53 adicións e 6 borrados
  1. 37 0
      common/net.go
  2. 6 0
      containers/container.go
  3. 3 0
      containers/dockerd.go
  4. 7 6
      flags/flags.go

+ 37 - 0
common/net.go

@@ -4,12 +4,15 @@ import (
 	"github.com/coroot/coroot-node-agent/flags"
 	"inet.af/netaddr"
 	"k8s.io/klog/v2"
+	"strconv"
+	"strings"
 )
 
 var (
 	ConnectionFilter = connectionFilter{
 		whitelist: map[string]netaddr.IPPrefix{},
 	}
+	PortFilter *portFilter
 )
 
 func init() {
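Review bot: `PortFilter` is an exported variable of the unexported type `*portFilter` and carries no comment, although its nil-ness is load-bearing. It stays nil when the flag is empty, and the callers in containers/ invoke `ShouldBeSkipped` on it unconditionally, relying on the nil-receiver check in the method added at the end of this file. A comment such as `// PortFilter is nil when --ephemeral-port-range is empty; ShouldBeSkipped is safe to call on a nil receiver.` would keep a later edit from removing that check. A doc comment on `ShouldBeSkipped` stating that both bounds are inclusive would help in the same way. The new `strconv` and `strings` imports also sit after the third-party imports; goimports would put them in a standard-library group first.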
@@ -22,6 +25,28 @@ func init() {
 			ConnectionFilter.WhitelistPrefix(p)
 		}
 	}
+	if r := flags.EphemeralPortRange; r != nil && *r != "" {
+		klog.Infoln("ephemeral-port-range:", *r)
+		parts := strings.Split(*r, "-")
+		if len(parts) != 2 {
+			klog.Fatalf("invalid port range: %s", *r)
+		}
+		from, err := strconv.ParseUint(parts[0], 10, 16)
+		if err != nil {
+			klog.Fatalf("invalid port range: %s", *r)
+		}
+		to, err := strconv.ParseUint(parts[1], 10, 16)
+		if err != nil {
+			klog.Fatalf("invalid port range: %s", *r)
+		}
+		if from > to {
+			klog.Fatalf("invalid port range: %s", *r)
+		}
+		PortFilter = &portFilter{
+			from: uint16(from),
+			to:   uint16(to),
+		}
+	}
 }
 
 func IsIpPrivate(ip netaddr.IP) bool {
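Review bot: All four failure branches in the new `init` code log the same `invalid port range` text and drop `err`, so an operator cannot tell a non-numeric bound from an out-of-range value or a reversed pair. Using `klog.Fatalf("invalid port range %q: %v", *r, err)` on the two parse branches would carry the cause. The parser also accepts any well-formed pair, including `0-65535`, which makes every `ShouldBeSkipped` call return true and silently stops all listen and connection reporting. A `klog.Warningf` for very wide ranges would make such a misconfiguration visible. The default is a fixed string rather than the range the host is actually configured with, so on hosts with a tuned local port range the filter and the kernel may disagree.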
@@ -75,3 +100,15 @@ func (f connectionFilter) ShouldBeSkipped(dst, actualDst netaddr.IP) bool {
 	}
 	return true
 }
+
+type portFilter struct {
+	from uint16
+	to   uint16
+}
+
+func (f *portFilter) ShouldBeSkipped(port uint16) bool {
+	if f == nil {
+		return false
+	}
+	return port >= f.from && port <= f.to
+}

+ 6 - 0
containers/container.go

@@ -439,6 +439,9 @@ func (c *Container) onFileOpen(pid uint32, fd uint64) {
 }
 
 func (c *Container) onListenOpen(pid uint32, addr netaddr.IPPort, safe bool) {
+	if common.PortFilter.ShouldBeSkipped(addr.Port()) {
+		return
+	}
 	if !safe {
 		c.lock.Lock()
 		defer c.lock.Unlock()
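Review bot: The early return at the top of `onListenOpen` drops every listener bound to a port in the configured range, and the flag defaults to 32768-60999, so a service deliberately bound to a high port disappears from the listen metrics with no log line or counter recording the drop. The same pattern is added in `onConnectionOpen` (next hunk) and in the dockerd listen loop in containers/dockerd.go. Because this is on by default, consider a skipped-events counter, or at least a comment at the check such as `// listens inside --ephemeral-port-range are intentionally not reported; an empty flag value disables the filter`. The body of `onListenOpen` continues outside the hunk.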
@@ -484,6 +487,9 @@ func (c *Container) onListenClose(pid uint32, addr netaddr.IPPort) {
 }
 
 func (c *Container) onConnectionOpen(pid uint32, fd uint64, src, dst netaddr.IPPort, timestamp uint64, failed bool) {
+	if common.PortFilter.ShouldBeSkipped(dst.Port()) {
+		return
+	}
 	p := c.processes[pid]
 	if p == nil {
 		return
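Review bot: The new check in `onConnectionOpen` tests the destination port, but an ephemeral port is normally the source side of an outbound connection. A destination inside 32768-60999 therefore means the remote service listens on a fixed high port (50051 is a common example), and those connections now vanish from the metrics by default. The return also comes before anything that could use the `failed` argument, so failed attempts to such ports presumably go uncounted too; the rest of the body is outside the hunk, so confirm against the full function. If only cardinality from dynamically assigned ports is the target, a comment stating that trade-off, e.g. `// also hides fixed services on high ports; narrow --ephemeral-port-range if those must be tracked`, would make the behaviour explicit.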

+ 3 - 0
containers/dockerd.go

@@ -78,6 +78,9 @@ func DockerdInspect(containerID string) (*ContainerMetadata, error) {
 		if len(addrs) > 0 {
 			s := make([]netaddr.IPPort, 0, len(addrs))
 			for addr := range addrs {
+				if common.PortFilter.ShouldBeSkipped(addr.Port()) {
+					continue
+				}
 				s = append(s, addr)
 			}
 			res.hostListens["dockerd"] = s
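Review bot: With the added `continue`, `s` can end up empty even though the enclosing `len(addrs) > 0` guard passed, and the unchanged assignment then stores an empty slice under the `dockerd` key. Before this change that key was only set when at least one address existed. Whether consumers distinguish a missing key from an empty slice is not visible here, since `DockerdInspect` starts and ends outside the hunk. Keeping the old invariant is cheap: `if len(s) > 0 { res.hostListens["dockerd"] = s }`.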

+ 7 - 6
flags/flags.go

@@ -7,13 +7,14 @@ import (
 )
 
 var (
-	ListenAddress     = kingpin.Flag("listen", "Listen address - ip:port or :port").Default("0.0.0.0:80").String()
-	CgroupRoot        = kingpin.Flag("cgroupfs-root", "The mount point of the host cgroupfs root").Default("/sys/fs/cgroup").String()
-	DisableLogParsing = kingpin.Flag("disable-log-parsing", "Disable container log parsing").Default("false").Bool()
-	DisablePinger     = kingpin.Flag("disable-pinger", "Don't ping upstreams").Default("false").Bool()
-	DisableL7Tracing  = kingpin.Flag("disable-l7-tracing", "Disable L7 tracing").Default("false").Bool()
+	ListenAddress     = kingpin.Flag("listen", "Listen address - ip:port or :port").Default("0.0.0.0:80").Envar("LISTEN").String()
+	CgroupRoot        = kingpin.Flag("cgroupfs-root", "The mount point of the host cgroupfs root").Default("/sys/fs/cgroup").Envar("CGROUPFS_ROOT").String()
+	DisableLogParsing = kingpin.Flag("disable-log-parsing", "Disable container log parsing").Default("false").Envar("DISABLE_LOG_PARSING").Bool()
+	DisablePinger     = kingpin.Flag("disable-pinger", "Don't ping upstreams").Default("false").Envar("DISABLE_PINGER").Bool()
+	DisableL7Tracing  = kingpin.Flag("disable-l7-tracing", "Disable L7 tracing").Default("false").Envar("DISABLE_L7_TRACING").Bool()
 
-	ExternalNetworksWhitelist = kingpin.Flag("track-public-network", "Allow track connections to the specified IP networks, all private networks are allowed by default (e.g., Y.Y.Y.Y/mask)").Strings()
+	ExternalNetworksWhitelist = kingpin.Flag("track-public-network", "Allow track connections to the specified IP networks, all private networks are allowed by default (e.g., Y.Y.Y.Y/mask)").Envar("TRACK_PUBLIC_NETWORK").Strings()
+	EphemeralPortRange        = kingpin.Flag("ephemeral-port-range", "Destination and Listen TCP ports from this range will be skipped").Default("32768-60999").Envar("EPHEMERAL_PORT_RANGE").String()
 
 	Provider          = kingpin.Flag("provider", "`provider` label for `node_cloud_info` metric").Envar("PROVIDER").String()
 	Region            = kingpin.Flag("region", "`region` label for `node_cloud_info` metric").Envar("REGION").String()
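Review bot: The help text for `ephemeral-port-range` states neither the expected `from-to` format, nor that the bounds are inclusive, nor that an empty value turns the filter off, which is how common/net.go treats it. Something like `"Skip TCP listen and destination ports in this range (from-to, inclusive); an empty value disables the filter"` would cover all three. The hunk also adds `Envar(...)` to five existing flags, which the commit title does not mention. Unprefixed names such as `LISTEN` are generic enough that an unrelated variable in the container environment could silently change the agent's listen address, so a common prefix is worth considering.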