exclude reporting of `container_net_tcp_*` metrics for TCP ports within the ephemeral port range (32768-60999)

common/net.go

@@ -4,12 +4,15 @@ import (
 	"github.com/coroot/coroot-node-agent/flags"
 	"inet.af/netaddr"
 	"k8s.io/klog/v2"
+	"strconv"
+	"strings"
 )
 
 var (
 	ConnectionFilter = connectionFilter{
 		whitelist: map[string]netaddr.IPPrefix{},
 	}
+	PortFilter *portFilter
 )
 
 func init() {
@@ -22,6 +25,28 @@ func init() {
 			ConnectionFilter.WhitelistPrefix(p)
 		}
 	}
+	if r := flags.EphemeralPortRange; r != nil && *r != "" {
+		klog.Infoln("ephemeral-port-range:", *r)
+		parts := strings.Split(*r, "-")
+		if len(parts) != 2 {
+			klog.Fatalf("invalid port range: %s", *r)
+		}
+		from, err := strconv.ParseUint(parts[0], 10, 16)
+		if err != nil {
+			klog.Fatalf("invalid port range: %s", *r)
+		}
+		to, err := strconv.ParseUint(parts[1], 10, 16)
+		if err != nil {
+			klog.Fatalf("invalid port range: %s", *r)
+		}
+		if from > to {
+			klog.Fatalf("invalid port range: %s", *r)
+		}
+		PortFilter = &portFilter{
+			from: uint16(from),
+			to:   uint16(to),
+		}
+	}
 }
 
 func IsIpPrivate(ip netaddr.IP) bool {
@@ -75,3 +100,15 @@ func (f connectionFilter) ShouldBeSkipped(dst, actualDst netaddr.IP) bool {
 	}
 	return true
 }
+
+type portFilter struct {
+	from uint16
+	to   uint16
+}
+
+func (f *portFilter) ShouldBeSkipped(port uint16) bool {
+	if f == nil {
+		return false
+	}
+	return port >= f.from && port <= f.to
+}

containers/container.go

@@ -439,6 +439,9 @@ func (c *Container) onFileOpen(pid uint32, fd uint64) {
 }
 
 func (c *Container) onListenOpen(pid uint32, addr netaddr.IPPort, safe bool) {
+	if common.PortFilter.ShouldBeSkipped(addr.Port()) {
+		return
+	}
 	if !safe {
 		c.lock.Lock()
 		defer c.lock.Unlock()
@@ -484,6 +487,9 @@ func (c *Container) onListenClose(pid uint32, addr netaddr.IPPort) {
 }
 
 func (c *Container) onConnectionOpen(pid uint32, fd uint64, src, dst netaddr.IPPort, timestamp uint64, failed bool) {
+	if common.PortFilter.ShouldBeSkipped(dst.Port()) {
+		return
+	}
 	p := c.processes[pid]
 	if p == nil {
 		return

containers/dockerd.go

@@ -78,6 +78,9 @@ func DockerdInspect(containerID string) (*ContainerMetadata, error) {
 		if len(addrs) > 0 {
 			s := make([]netaddr.IPPort, 0, len(addrs))
 			for addr := range addrs {
+				if common.PortFilter.ShouldBeSkipped(addr.Port()) {
+					continue
+				}
 				s = append(s, addr)
 			}
 			res.hostListens["dockerd"] = s

flags/flags.go

@@ -7,13 +7,14 @@ import (
 )
 
 var (
-	ListenAddress     = kingpin.Flag("listen", "Listen address - ip:port or :port").Default("0.0.0.0:80").String()
-	CgroupRoot        = kingpin.Flag("cgroupfs-root", "The mount point of the host cgroupfs root").Default("/sys/fs/cgroup").String()
-	DisableLogParsing = kingpin.Flag("disable-log-parsing", "Disable container log parsing").Default("false").Bool()
-	DisablePinger     = kingpin.Flag("disable-pinger", "Don't ping upstreams").Default("false").Bool()
-	DisableL7Tracing  = kingpin.Flag("disable-l7-tracing", "Disable L7 tracing").Default("false").Bool()
+	ListenAddress     = kingpin.Flag("listen", "Listen address - ip:port or :port").Default("0.0.0.0:80").Envar("LISTEN").String()
+	CgroupRoot        = kingpin.Flag("cgroupfs-root", "The mount point of the host cgroupfs root").Default("/sys/fs/cgroup").Envar("CGROUPFS_ROOT").String()
+	DisableLogParsing = kingpin.Flag("disable-log-parsing", "Disable container log parsing").Default("false").Envar("DISABLE_LOG_PARSING").Bool()
+	DisablePinger     = kingpin.Flag("disable-pinger", "Don't ping upstreams").Default("false").Envar("DISABLE_PINGER").Bool()
+	DisableL7Tracing  = kingpin.Flag("disable-l7-tracing", "Disable L7 tracing").Default("false").Envar("DISABLE_L7_TRACING").Bool()
 
-	ExternalNetworksWhitelist = kingpin.Flag("track-public-network", "Allow track connections to the specified IP networks, all private networks are allowed by default (e.g., Y.Y.Y.Y/mask)").Strings()
+	ExternalNetworksWhitelist = kingpin.Flag("track-public-network", "Allow track connections to the specified IP networks, all private networks are allowed by default (e.g., Y.Y.Y.Y/mask)").Envar("TRACK_PUBLIC_NETWORK").Strings()
+	EphemeralPortRange        = kingpin.Flag("ephemeral-port-range", "Destination and Listen TCP ports from this range will be skipped").Default("32768-60999").Envar("EPHEMERAL_PORT_RANGE").String()
 
 	Provider          = kingpin.Flag("provider", "`provider` label for `node_cloud_info` metric").Envar("PROVIDER").String()
 	Region            = kingpin.Flag("region", "`region` label for `node_cloud_info` metric").Envar("REGION").String()