Skip to content

A·M4 slice: Prometheus /metrics endpoint#94

Merged
vxfemboy merged 5 commits into
mainfrom
sp-a-metrics
Jul 3, 2026
Merged

A·M4 slice: Prometheus /metrics endpoint#94
vxfemboy merged 5 commits into
mainfrom
sp-a-metrics

Conversation

@vxfemboy

@vxfemboy vxfemboy commented Jul 3, 2026

Copy link
Copy Markdown
Member

Closes #93. Operational visibility for the dev-net run — the second of the two pre-deployment hardening increments (after #92).

What

  • A metrics listen=<ip:port> config directive → Policy.metrics_listen.
  • A hand-rolled GET /metrics server (Prometheus text 0.0.4) over tokio::net::TcpListenerno HTTP/metrics framework (per the agreed minimal-deps decision). New blackwall-metrics crate holds the pure exposition renderer (unit-tested); blackwalld/metrics.rs is the thin-IO server/gather (coverage-excluded).
  • Collector gained CollectorMetrics (datagrams / decode-errors); run_collector bumps them.
  • Store::detection_count() added (mirrors session_count/audit_count).

Metrics

bgp_session_state, bgp_reconnects_total (when rtbh is set), flow_datagrams_total, flow_decode_errors_total, rtbh_active, flowspec_active, {rtbh,flowspec}_requests_pending, detections_total, deception_sessions_total, audit_total. DB-backed gauges read at scrape time — a failing query is logged + its metric omitted, never crashing the endpoint.

Verification

  • fmt + clippy --workspace --all-targets --deny warnings clean; cargo test --workspace 46 suites; coverage 95.08% (renderer + config covered; server/queries excluded).
  • Smoke-tested live: ran blackwalld flow with a metrics block, curl localhost:9109/metrics returned the full exposition (integers render clean, BGP metrics correctly omitted with no rtbh), POST → 405.
  • No as casts (u64→f64 via a hi/lo 32-bit split); no bare #[allow].

Bind to localhost/trusted mgmt net — no auth/TLS yet (a follow-on), as is a live deception in-flight gauge.

🤖 Generated with Claude Code

vxfemboy added 5 commits July 3, 2026 16:48
Policy.metrics_listen: Option<SocketAddr> from a new independent 'metrics
listen=ip:port' directive; Store::detection_count mirrors session_count/
audit_count. Every Policy{..} literal gains metrics_listen: None. Feeds the
Prometheus endpoint.
…code counters

New blackwall-metrics crate: pure render_prometheus (Metric/MetricKind → text
exposition 0.0.4, integer-valued floats drop the decimal). blackwall-flow gains
CollectorMetrics (datagrams/decode_errors atomics); run_collector takes an
optional handle and bumps them per datagram / decode failure (existing callers
pass None).
metrics.rs (coverage-excluded thin-IO): a TcpListener GET /metrics server that
gathers BGP session-state/reconnects (when rtbh is configured), collector
datagram/decode counters, and on-scrape DB gauges (rtbh/flowspec active + pending,
detections, sessions, audit) and renders them via blackwall-metrics. u64->f64
without an as-cast (hi/lo 32-bit split). Command::Flow spawns it when
policy.metrics_listen is set. Verified end to end: GET serves the exposition,
POST -> 405. (Also: unique target + >= assertion in the detection_count test so
it can't race the shared detections table.)
@vxfemboy vxfemboy merged commit 614a825 into main Jul 3, 2026
2 checks passed
@vxfemboy vxfemboy deleted the sp-a-metrics branch July 3, 2026 21:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

A·M4 (slice): Prometheus metrics endpoint for blackwalld

1 participant