fix logging to match the max size supported by iptables

Author: ncode

outbound.go

@@ -44,7 +44,7 @@ var (
 	logger = slog.New(slog.NewTextHandler(io.Discard, nil))
 	// newIPTablesManager is a function pointer for creating an IPTablesManager (for mocking in tests).
 	newIPTablesManager = func(conf *PluginConf) (iptables.Manager, error) {
-		return iptables.NewIPTablesManager(conf.MainChainName, conf.DefaultAction, conf.DryRun, conf.LogDrops)
+		return iptables.NewIPTablesManager(conf.MainChainName, conf.DefaultAction, "", conf.DryRun, conf.LogDrops)
 	}
 	// metadata is used to store logging metadata (e.g., container ID).
 	metadata = map[string]string{}

pkg/iptables/iptables_manager.go

@@ -45,6 +45,7 @@ type IPTablesManager struct {
 	ipt           IPTablesWrapper
 	mainChainName string
 	defaultAction string
+	logIdentifier string
 	dryRun        bool
 	logDrops      bool
 }
@@ -55,7 +56,7 @@ var newIPTables = func() (IPTablesWrapper, error) {
 }
 
 // NewIPTablesManager constructs the IPTablesManager with the specified main chain, default action, etc.
-func NewIPTablesManager(mainChainName, defaultAction string, dryRun, logDrops bool) (Manager, error) {
+func NewIPTablesManager(mainChainName, defaultAction, logIdentifier string, dryRun, logDrops bool) (Manager, error) {
 	ipt, err := newIPTables()
 	if err != nil {
 		return nil, fmt.Errorf("failed to initialize iptables: %v", err)
@@ -72,6 +73,7 @@ func NewIPTablesManager(mainChainName, defaultAction string, dryRun, logDrops bo
 		ipt:           ipt,
 		mainChainName: mainChainName,
 		defaultAction: defaultAction,
+		logIdentifier: logIdentifier,
 		dryRun:        dryRun,
 		logDrops:      logDrops,
 	}, nil
@@ -116,7 +118,7 @@ func (m *IPTablesManager) CreateContainerChain(containerChain string) error {
 		// and then ACCEPT instead of dropping.
 		logSpec := []string{
 			"-j", "LOG",
-			"--log-prefix", fmt.Sprintf(`"[CNI-OUTBOUND-%s-%s]"`, containerChain, m.defaultAction),
+			"--log-prefix", fmt.Sprintf(`"%s-%s "`, m.defaultAction, m.logIdentifier),
 		}
 		if err := m.ipt.Append("filter", containerChain, logSpec...); err != nil {
 			return fmt.Errorf("failed to add default action logging rule: %v", err)
@@ -131,7 +133,7 @@ func (m *IPTablesManager) CreateContainerChain(containerChain string) error {
 			// Log before the drop
 			logSpec := []string{
 				"-j", "LOG",
-				"--log-prefix", fmt.Sprintf(`"[CNI-OUTBOUND-%s-DEFAULT-BLOCKED]"`, containerChain),
+				"--log-prefix", fmt.Sprintf(`"%s-%s "`, m.defaultAction, m.logIdentifier),
 			}
 			if err := m.ipt.Append("filter", containerChain, logSpec...); err != nil {
 				return fmt.Errorf("failed to add default DROP logging rule: %v", err)
@@ -147,15 +149,15 @@ func (m *IPTablesManager) CreateContainerChain(containerChain string) error {
 }
 
 // buildRuleSpecs prepares the iptables arguments for a single OutboundRule.
-func (m *IPTablesManager) buildRuleSpecs(chainName, host, proto, port, action string) [][]string {
+func (m *IPTablesManager) buildRuleSpecs(host, proto, port, action string) [][]string {
 	// Common rule spec
 	baseSpec := []string{"-d", host, "-p", proto, "--dport", port}
 
 	// If in dry-run, we log + ACCEPT
 	if m.dryRun {
 		return [][]string{
 			append(append([]string{}, baseSpec...), "-j", "LOG", "--log-prefix",
-				fmt.Sprintf(`"[CNI-OUTBOUND-%s-ACCEPTED]"`, chainName)),
+				fmt.Sprintf(`"%s-%s "`, action, m.logIdentifier)),
 			append(append([]string{}, baseSpec...), "-j", "ACCEPT"),
 		}
 	}
@@ -164,7 +166,7 @@ func (m *IPTablesManager) buildRuleSpecs(chainName, host, proto, port, action st
 	if m.logDrops && strings.EqualFold(action, "DROP") {
 		return [][]string{
 			append(append([]string{}, baseSpec...), "-j", "LOG", "--log-prefix",
-				fmt.Sprintf(`"[CNI-OUTBOUND-%s-BLOCKED]"`, chainName)),
+				fmt.Sprintf(`"%s-%s "`, action, m.logIdentifier)),
 			append(append([]string{}, baseSpec...), "-j", "DROP"),
 		}
 	}
@@ -177,7 +179,7 @@ func (m *IPTablesManager) buildRuleSpecs(chainName, host, proto, port, action st
 
 // AddRule inserts a new rule (or rules) into the chain.
 func (m *IPTablesManager) AddRule(chainName string, rule OutboundRule) error {
-	ruleSpecs := m.buildRuleSpecs(chainName, rule.Host, rule.Proto, rule.Port, rule.Action)
+	ruleSpecs := m.buildRuleSpecs(rule.Host, rule.Proto, rule.Port, rule.Action)
 
 	// Insert each spec at position 1 in reverse order so they appear in the chain in the correct sequence
 	for i := len(ruleSpecs) - 1; i >= 0; i-- {
@@ -263,17 +265,17 @@ func (m *IPTablesManager) VerifyRules(chainName string, rules []OutboundRule) er
 
 	// In dry run mode, we also expect a default logging rule
 	if m.dryRun {
-		defaultLogLine := fmt.Sprintf("-A %s -j LOG --log-prefix [CNI-OUTBOUND-DEFAULT-%s]", chainName, m.defaultAction)
+		defaultLogLine := fmt.Sprintf("-A %s -j LOG --log-prefix \"%s-%s \"", chainName, m.defaultAction, m.logIdentifier)
 		if !lineExistsInIptablesList(defaultLogLine, existingRules) {
-			return fmt.Errorf("default action logging rule not found")
+			return fmt.Errorf("default action [%s] logging rule not found", defaultLogLine)
 		}
 	}
 	return nil
 }
 
 // buildExpectedRuleLines constructs the lines we'll look for in `iptables -S <chain>` output.
 func (m *IPTablesManager) buildExpectedRuleLines(chainName, host, proto, port, action string) []string {
-	specs := m.buildRuleSpecs(chainName, host, proto, port, action)
+	specs := m.buildRuleSpecs(host, proto, port, action)
 	lines := make([]string, 0, len(specs))
 	for _, s := range specs {
 		// iptables -S lines typically: "-A <chain> <args>..."