feat(geoip/waf): IPinfo single-DB, threat-first enrichment, WAF→firewall offload, log hygiene#362
Open
pigri wants to merge 1 commit into
Conversation
…, log hygiene

GeoIP / threat:
- geoip module decodes the IPinfo Lite combined DB (flat schema: "AS214472" ASN string, top-level country_code) in addition to MaxMind geoip2, detected by db_type. Single-database migration: one combined DB (IPinfo Lite or the merged GeoLite2-City-ASN) serves both country + ASN — the ASN lookup falls back to the primary country/city reader — while legacy 3-file configs keep working unchanged. Config switched to ipinfo_lite.mmdb (asn/city unused).
- kernel_pump event enrichment is now threat-first: prefer the threat record's context geo/ASN, fall back to the geoip DB only on a miss (mirrors the proxy).

WAF -> smart-firewall offload:
- On a WAF Block (request/body/response phase), offload the real L4 peer to the kernel smart firewall for a bounded TTL so repeat blocks (e.g. threat-intel `block` IPs) are dropped pre-TLS at L3/L4 instead of re-evaluated at L7 every request. No-op unless proxy.waf_firewall_offload.enabled; hook enforces the safety allowlist; only Block (not Challenge) is offloaded.

Logging:
- blocked.log is now human-readable text (BlockEvent::to_log_line); the OTEL block_event telemetry remains the structured/SIEM stream.
- Downgrade per-request/periodic chatter to debug: TLS SNI cert-selection, TCP-fingerprint collector, SSE config-push "re-fetching", GeoIP routine misses, and the WAF "blocked request" line.
- Deprecate the per-type fingerprint/BPF logging config sections (bpf_stats, tcp/ssh/latency/tls/http_fingerprint) in favor of the unified fingerprint_log; sample configs ship them disabled.
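The two record shapes named in the commit message (IPinfo Lite flat schema with a `"AS214472"` ASN string and top-level `country_code`, versus the nested MaxMind geoip2 shape) and the threat-first enrichment fallback, as an added Rust example written for this page. It is not code from the synapse project: the `Value` tree stands in for the mmdb decoder, and the `db_type` prefix test, the geoip2 field names, `GeoAsn`, `ThreatRecord` and `enrich` are all assumptions, with constructed sample records.

```rust
// Added example for this page; not code from the synapse project.
// Models the two record shapes the PR names (IPinfo Lite flat schema vs.
// MaxMind geoip2 nested schema) and the threat-first enrichment fallback.
// The `Value` tree stands in for the mmdb decoder; the db_type prefix test,
// the geoip2 field names and the ThreatRecord shape are assumptions.
use std::net::IpAddr;

/// Minimal decoded-record tree (a stand-in for the mmdb decoder's output).
#[derive(Debug, Clone)]
pub enum Value {
    Map(Vec<(&'static str, Value)>),
    Str(&'static str),
    Num(u64),
}

impl Value {
    fn get(&self, key: &str) -> Option<&Value> {
        match self {
            Value::Map(kv) => kv.iter().find(|(k, _)| *k == key).map(|(_, v)| v),
            _ => None,
        }
    }
    fn path(&self, keys: &[&str]) -> Option<&Value> {
        keys.iter().try_fold(self, |v, k| v.get(*k))
    }
    fn as_str(&self) -> Option<&str> {
        if let Value::Str(s) = self { Some(*s) } else { None }
    }
    fn as_num(&self) -> Option<u64> {
        if let Value::Num(n) = self { Some(*n) } else { None }
    }
}

/// What both schemas are normalised to.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct GeoAsn {
    pub country: Option<String>,
    pub asn: Option<u32>,
}

/// IPinfo Lite carries the ASN as the string "AS214472"; a bare number is
/// accepted too, anything that is not digits after the prefix yields None.
pub fn parse_asn(s: &str) -> Option<u32> {
    let digits = s.strip_prefix("AS").or_else(|| s.strip_prefix("as")).unwrap_or(s);
    digits.parse::<u32>().ok()
}

/// Pick the field layout from the database's self-declared type.
/// The "ipinfo" prefix test is an assumption about the metadata string.
pub fn decode(db_type: &str, rec: &Value) -> GeoAsn {
    if db_type.to_ascii_lowercase().starts_with("ipinfo") {
        GeoAsn {
            country: rec.get("country_code").and_then(Value::as_str).map(str::to_owned),
            asn: rec.get("asn").and_then(Value::as_str).and_then(parse_asn),
        }
    } else {
        GeoAsn {
            country: rec.path(&["country", "iso_code"]).and_then(Value::as_str).map(str::to_owned),
            asn: rec
                .get("autonomous_system_number")
                .and_then(Value::as_num)
                .and_then(|n| if n <= u32::MAX as u64 { Some(n as u32) } else { None }),
        }
    }
}

/// Threat record carrying the context geo/ASN that the PR says should win.
pub struct ThreatRecord {
    pub context: Option<GeoAsn>,
}

fn is_private_ip(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => v4.is_private() || v4.is_loopback() || v4.is_link_local(),
        IpAddr::V6(v6) => v6.is_loopback(),
    }
}

/// Threat-first: use the threat record's context, skip private IPs, and only
/// then consult the geoip DB, so threat-known IPs never log "GeoIP no data".
pub fn enrich<F>(threat: Option<&ThreatRecord>, ip: IpAddr, lookup: F) -> Option<GeoAsn>
where
    F: Fn(IpAddr) -> Option<GeoAsn>,
{
    if let Some(ctx) = threat.and_then(|t| t.context.as_ref()) {
        return Some(ctx.clone());
    }
    if is_private_ip(ip) {
        return None; // private-IP skip: the DB is never asked
    }
    lookup(ip)
}

/// Constructed sample records (not real database content).
pub fn sample_ipinfo() -> Value {
    Value::Map(vec![("country_code", Value::Str("DE")), ("asn", Value::Str("AS214472"))])
}
pub fn sample_geoip2() -> Value {
    Value::Map(vec![
        ("country", Value::Map(vec![("iso_code", Value::Str("US"))])),
        ("autonomous_system_number", Value::Num(15169)),
    ])
}
```

The point of `enrich` taking the DB as a closure is that the threat path and the proxy path can share it: the kernel_pump caller passes its threat lookup result, the proxy passes none, and both get the same "threat context first, DB only on a miss, private IPs never" order.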
Bundles the geoip/threat + log-hygiene work from this session. Default behaviour is unchanged unless noted (opt-in flags, sample-config edits).
GeoIP / threat
- `geoip` now decodes the IPinfo Lite combined DB (flat schema — `"AS214472"` ASN string, top-level `country_code`) in addition to MaxMind geoip2, detected via `db_type`. One combined DB (IPinfo Lite or the merged `GeoLite2-City-ASN`) serves both country + ASN: the ASN lookup falls back to the primary country/city reader when there's no dedicated ASN file. Legacy 3-file configs keep working unchanged. Verified against the real published mmdbs (IPv4 + IPv6 + private-IP skip).
- Config switched to `ipinfo_lite.mmdb` (`asn`/`city` unused).
- `kernel_pump`: prefer the threat record's `context.geo`/`asn`, fall back to the geoip DB only on a miss — mirrors the proxy path and removes "GeoIP no data" for threat-known IPs.

WAF → smart-firewall offload
- On a WAF `Block` (request / body / response phase), offload the real L4 peer to the kernel smart firewall for a bounded TTL (`WAF_BLOCK_OFFLOAD_TTL_SECS = 300`), so repeat blocks (e.g. a scanner from a threat-intel `block` IP) are dropped pre-TLS at L3/L4 instead of re-evaluated at L7 every request.
- No-op unless `proxy.waf_firewall_offload.enabled` (+ a live firewall); the hook enforces the existing safety allowlist (no CGNAT/shared/own-listener IPs). Only `Block` is offloaded, never `Challenge`.

Logging
- `blocked.log` is now human-readable text (`BlockEvent::to_log_line`); the OTEL `block_event` telemetry remains the structured/SIEM stream (all layers incl. `smart_firewall`).
- Downgrade per-request/periodic chatter to `debug`: TLS SNI cert-selection, the TCP-fingerprint collector, SSE config-push "re-fetching", routine GeoIP misses, and the WAF "blocked request" line.
- Deprecate the per-type fingerprint/BPF logging config sections (`bpf_stats`, `tcp`/`ssh`/`latency`/`tls`/`http_fingerprint`) in favour of the unified `fingerprint_log`; sample configs ship them disabled.

Test plan
- `cargo fmt --check`, `cargo clippy` clean on all changed crates
- `cargo test -p synapse-blocking-log -p synapse-core` green (incl. geoip IPinfo-ASN parser)
- `ipinfo_lite.mmdb` and merged `GeoLite2-City-ASN.mmdb` (country + ASN, IPv4 + IPv6, private-IP skip)
- `cargo build --release --bin synapse`
- `app.log`, human-readable `blocked.log`, and (with `waf_firewall_offload.enabled`) kernel drop of repeat-blocked IPs
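The offload gate the PR body describes, as an added Rust example written for this page and not the project's `waf_firewall_offload` hook. Only the 300 s TTL, the Block-not-Challenge rule and the "no CGNAT/shared/own-listener IPs" allowlist come from the PR; the concrete CIDR table, the `Skip` reasons, the `Offloader` API and the injected clock are assumptions. The security point it makes concrete: a single L7 verdict must never turn into an L4 drop for an address that fronts many clients, and the drop must expire on its own.

```rust
// Added example for this page; not the synapse project's hook.
// Gate for offloading a WAF verdict to the L4 firewall: only Block, only when
// enabled, never for protected ranges or the proxy's own listeners, and only
// for a bounded TTL. The TTL constant and the "no CGNAT/shared/own-listener"
// rule come from the PR; the CIDR table and the API below are assumptions.
use std::collections::HashMap;
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};
use std::time::{Duration, Instant};

/// Bounded TTL named in the PR.
pub const WAF_BLOCK_OFFLOAD_TTL_SECS: u64 = 300;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum WafVerdict { Allow, Challenge, Block }

/// Why a verdict was not offloaded (a natural debug-level log field).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Skip { Disabled, NotBlock, OwnListener, ProtectedRange }

/// Ranges that must never be dropped at L4 on the strength of one L7 verdict:
/// a CGNAT or shared address fronts many unrelated clients. Assumed list.
const PROTECTED_V4: &[(Ipv4Addr, u8)] = &[
    (Ipv4Addr::new(10, 0, 0, 0), 8),
    (Ipv4Addr::new(100, 64, 0, 0), 10), // CGNAT shared address space, RFC 6598
    (Ipv4Addr::new(127, 0, 0, 0), 8),
    (Ipv4Addr::new(172, 16, 0, 0), 12),
    (Ipv4Addr::new(192, 168, 0, 0), 16),
];
const PROTECTED_V6: &[(Ipv6Addr, u8)] = &[
    (Ipv6Addr::LOCALHOST, 128),
    (Ipv6Addr::new(0xfc00, 0, 0, 0, 0, 0, 0, 0), 7),  // unique local
    (Ipv6Addr::new(0xfe80, 0, 0, 0, 0, 0, 0, 0), 10), // link local
];

fn in_v4(ip: Ipv4Addr, net: Ipv4Addr, prefix: u8) -> bool {
    let mask = if prefix == 0 { 0 } else { u32::MAX << (32 - u32::from(prefix)) };
    (u32::from(ip) & mask) == (u32::from(net) & mask)
}

fn in_v6(ip: Ipv6Addr, net: Ipv6Addr, prefix: u8) -> bool {
    let mask = if prefix == 0 { 0 } else { u128::MAX << (128 - u32::from(prefix)) };
    (u128::from(ip) & mask) == (u128::from(net) & mask)
}

/// IPv4-mapped v6 peers (::ffff:a.b.c.d) are judged by the v4 table, so a
/// dual-stack listener cannot be talked into dropping a CGNAT block.
pub fn is_protected(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => PROTECTED_V4.iter().any(|&(n, p)| in_v4(v4, n, p)),
        IpAddr::V6(v6) => match v6.to_ipv4_mapped() {
            Some(v4) => is_protected(IpAddr::V4(v4)),
            None => PROTECTED_V6.iter().any(|&(n, p)| in_v6(v6, n, p)),
        },
    }
}

pub struct Offloader {
    enabled: bool,
    own_listeners: Vec<IpAddr>,
    ttl: Duration,
    drops: HashMap<IpAddr, Instant>, // peer -> drop expiry
}

impl Offloader {
    pub fn new(enabled: bool, own_listeners: Vec<IpAddr>) -> Self {
        Offloader {
            enabled,
            own_listeners,
            ttl: Duration::from_secs(WAF_BLOCK_OFFLOAD_TTL_SECS),
            drops: HashMap::new(),
        }
    }

    /// WAF hook: called with the real L4 peer and the verdict. `now` is
    /// injected so expiry is testable. Returns when the drop expires.
    pub fn on_verdict(&mut self, peer: IpAddr, verdict: WafVerdict, now: Instant) -> Result<Instant, Skip> {
        if !self.enabled {
            return Err(Skip::Disabled);
        }
        if verdict != WafVerdict::Block {
            return Err(Skip::NotBlock); // a Challenge must still reach L7 to be answered
        }
        if self.own_listeners.contains(&peer) {
            return Err(Skip::OwnListener);
        }
        if is_protected(peer) {
            return Err(Skip::ProtectedRange);
        }
        let until = now + self.ttl;
        self.drops.insert(peer, until); // a repeat block refreshes to one TTL, never more
        Ok(until)
    }

    /// L4 path, asked before the TLS handshake: drop this peer?
    /// Expired entries are purged lazily here.
    pub fn should_drop(&mut self, peer: IpAddr, now: Instant) -> bool {
        let expired = match self.drops.get(&peer) {
            Some(&until) => now >= until,
            None => return false,
        };
        if expired {
            self.drops.remove(&peer);
        }
        !expired
    }
}
```

Ordering of the checks matters: the verdict and enable flag are tested before any address logic, so a misconfigured allowlist can only ever under-offload, never turn a Challenge into a drop. Feeding `now` in explicitly is what lets the TTL boundary be asserted exactly rather than slept through.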