[management,proxy,client] Add L4 capabilities (TLS/TCP/UDP) (#5530)

2026-04-18 08:16:39 +00:00 · 2026-03-14 01:36:44 +08:00
parent fe9b844511
commit 3e6baea405
90 changed files with 9611 additions and 1397 deletions
--- a/management/internals/modules/reverseproxy/accesslogs/accesslogentry.go
+++ b/management/internals/modules/reverseproxy/accesslogs/accesslogentry.go
@@ -10,6 +10,15 @@ import (
 	"github.com/netbirdio/netbird/shared/management/proto"
 )

+// AccessLogProtocol identifies the transport protocol of an access log entry.
+type AccessLogProtocol string
+
+const (
+	AccessLogProtocolHTTP AccessLogProtocol = "http"
+	AccessLogProtocolTCP  AccessLogProtocol = "tcp"
+	AccessLogProtocolUDP  AccessLogProtocol = "udp"
+)
+
 type AccessLogEntry struct {
 	ID             string        `gorm:"primaryKey"`
 	AccountID      string        `gorm:"index"`
@@ -22,10 +31,11 @@ type AccessLogEntry struct {
 	Duration       time.Duration `gorm:"index"`
 	StatusCode     int           `gorm:"index"`
 	Reason         string
-	UserId         string `gorm:"index"`
-	AuthMethodUsed string `gorm:"index"`
-	BytesUpload    int64  `gorm:"index"`
-	BytesDownload  int64  `gorm:"index"`
+	UserId         string            `gorm:"index"`
+	AuthMethodUsed string            `gorm:"index"`
+	BytesUpload    int64             `gorm:"index"`
+	BytesDownload  int64             `gorm:"index"`
+	Protocol       AccessLogProtocol `gorm:"index"`
 }

 // FromProto creates an AccessLogEntry from a proto.AccessLog
@@ -43,17 +53,22 @@ func (a *AccessLogEntry) FromProto(serviceLog *proto.AccessLog) {
 	a.AccountID = serviceLog.GetAccountId()
 	a.BytesUpload = serviceLog.GetBytesUpload()
 	a.BytesDownload = serviceLog.GetBytesDownload()
+	a.Protocol = AccessLogProtocol(serviceLog.GetProtocol())

 	if sourceIP := serviceLog.GetSourceIp(); sourceIP != "" {
-		if ip, err := netip.ParseAddr(sourceIP); err == nil {
-			a.GeoLocation.ConnectionIP = net.IP(ip.AsSlice())
+		if addr, err := netip.ParseAddr(sourceIP); err == nil {
+			addr = addr.Unmap()
+			a.GeoLocation.ConnectionIP = net.IP(addr.AsSlice())
 		}
 	}

-	if !serviceLog.GetAuthSuccess() {
-		a.Reason = "Authentication failed"
-	} else if serviceLog.GetResponseCode() >= 400 {
-		a.Reason = "Request failed"
+	// Only set reason for HTTP entries. L4 entries have no auth or status code.
+	if a.Protocol == "" || a.Protocol == AccessLogProtocolHTTP {
+		if !serviceLog.GetAuthSuccess() {
+			a.Reason = "Authentication failed"
+		} else if serviceLog.GetResponseCode() >= 400 {
+			a.Reason = "Request failed"
+		}
 	}
 }

@@ -90,6 +105,12 @@ func (a *AccessLogEntry) ToAPIResponse() *api.ProxyAccessLog {
 		cityName = &a.GeoLocation.CityName
 	}

+	var protocol *string
+	if a.Protocol != "" {
+		p := string(a.Protocol)
+		protocol = &p
+	}
+
 	return &api.ProxyAccessLog{
 		Id:             a.ID,
 		ServiceId:      a.ServiceID,
@@ -107,5 +128,6 @@ func (a *AccessLogEntry) ToAPIResponse() *api.ProxyAccessLog {
 		CityName:       cityName,
 		BytesUpload:    a.BytesUpload,
 		BytesDownload:  a.BytesDownload,
+		Protocol:       protocol,
 	}
 }