chore(egress): reduce outbound log #964

Open

Pangjiping wants to merge 2 commits into alibaba:main from Pangjiping:chore/egress-log-dedup
Conversation

@Pangjiping
Collaborator

Summary

  • reduce outbound log

Testing

  • Not run (explain why)
  • Unit tests
  • Integration tests
  • e2e / manual verification

Breaking Changes

  • None
  • Yes (describe impact and migration path)

Checklist

  • Linked Issue or clearly described motivation
  • Added/updated docs (if needed)
  • Added/updated tests (if needed)
  • Security impact considered
  • Backward compatibility considered

Pangjiping and others added 2 commits May 31, 2026 09:56
Drop duplicate Warn at dnsproxy forward-error path; error already
surfaces via the structured `egress.outbound` event field.

Dedup periodic always-rules reload Info by fingerprinting the merged
deny+allow rule set (fnv64a over sorted action|target keys, with a
separator byte between deny and allow to avoid cross-set collisions).
Log only when the fingerprint changes vs the last applied set, and
include the fingerprint in the message for audit cross-checks.

Adds unit tests for fingerprintRules covering order-independence,
deny/allow set separation, add/remove detection, action flips, and
empty-slice stability.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Reads /var/egress/rules/log_skip.always once at startup. Each line is
either an exact domain (foo.com) or a wildcard subdomain pattern
(*.foo.com); blank lines and `#` comments are ignored, IP/CIDR entries
are rejected. The proxy stores the compiled set under an atomic pointer
so the per-query check stays lock-free, and only the success path of
serveDNS consults it — error lookups still log so audit is unaffected.

The set is one-shot: hot reload is intentionally not wired because this
list targets stable infra hostnames (cluster DNS, cloud metadata) that
don't churn at runtime.

Includes DomainSet wrapper around the existing compiledDomainIndex
(case-insensitive, trailing-dot tolerant) and unit coverage for the
matcher, the file parser, and the proxy skip plumbing.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@Pangjiping Pangjiping added the feature (New feature or request) and component/egress labels May 31, 2026
@Pangjiping Pangjiping marked this pull request as ready for review May 31, 2026 02:46
@Pangjiping Pangjiping requested review from hittyt and jwx0925 as code owners May 31, 2026 02:46
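
The fingerprint-based reload dedup described in the first commit message, sketched as an added example that is not the code from this pull request. The names `Rule`, `ruleSetFingerprint` and `reloadLog`, the `0x00` separator value and the newline key terminator are assumptions; the PR's own `fingerprintRules` is not shown on this page.

```go
package main

import (
	"fmt"
	"hash/fnv"
	"io"
	"sort"
)

// Rule is a hypothetical stand-in for one egress policy entry.
type Rule struct{ Action, Target string }

// writeSorted hashes one rule list in sorted key order, so input order is irrelevant.
func writeSorted(w io.Writer, rules []Rule) {
	keys := make([]string, 0, len(rules))
	for _, r := range rules {
		keys = append(keys, r.Action+"|"+r.Target)
	}
	sort.Strings(keys)
	for _, k := range keys {
		io.WriteString(w, k+"\n") // terminator keeps adjacent keys from running together
	}
}

// ruleSetFingerprint is FNV-1a 64 over deny keys, a separator byte, then allow keys.
func ruleSetFingerprint(deny, allow []Rule) uint64 {
	h := fnv.New64a()
	writeSorted(h, deny)
	h.Write([]byte{0}) // assumed separator: the same keys in the other set hash differently
	writeSorted(h, allow)
	return h.Sum64()
}

// reloadLog remembers the fingerprint of the last applied rule set (hypothetical helper).
type reloadLog struct{ last *uint64 }

// changed reports whether this reload differs from the last applied set, i.e. whether to log.
func (l *reloadLog) changed(deny, allow []Rule) bool {
	fp := ruleSetFingerprint(deny, allow)
	diff := l.last == nil || *l.last != fp
	l.last = &fp
	return diff
}

func main() {
	deny := []Rule{{"deny", "*.example.net"}, {"deny", "203.0.113.0/24"}} // constructed sample
	allow, l := []Rule{{"allow", "pypi.org"}}, reloadLog{}
	fmt.Printf("fp=%016x first=%v repeat=%v\n", ruleSetFingerprint(deny, allow), l.changed(deny, allow), l.changed(deny, allow))
}
```

FNV-1a is a non-cryptographic hash, so a fingerprint built this way detects accidental change between reloads and is not tamper evidence for the rule set.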