[Packetbeat] Offer a config option to select default route interface as 'device'

[andrewkroh]

Describe the enhancement:

When configuring Packetbeat you must specify a network interface to monitor (see docs for device). For example,

packetbeat.interfaces.device: eth0

This enhancement idea to allow users to specify a special default_route value, and Packetbeat would monitoring the interface associated with the default route.

packetbeat.interfaces.device: default_route     # PROPOSED

The interface associated with the default route can change (e.g. switching from wifi to ethernet) so ideally Packetbeat would "watch" the routing configuration and react to changes.

Describe a specific use case for the enhancement or feature:

When on Windows and macOS, the special any interface is not an option. This default_route option would provide a default value behaves as most users expect. This could be used as the default value in Windows and macOS packetbeat.yml files. And it could be used as the default value in the Network Packet Capture integration since it works for all operating systems.

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[efd6]

What would be the behaviour wrt choice of IPv4/IPv6? Maybe make options default_route (first default found in {IPv4,IPv6}), default_route_ipv4 (first default route found for IPv4) and default_route_ipv6 (the obvious action).

This should catch >99% of use cases, but will fail in interesting ways for people with multiple default routes or where services that are being monitored are specifically routed, so this should be documented clearly.

[andrewkroh]

Maybe make options default_route (first default found in {IPv4,IPv6}), default_route_ipv4 (first default route found for IPv4) and default_route_ipv6

I think that is a great idea.

[efd6]

The majority of the work has been done for this — feature is complete, but I am leaving it open to ensure that the clean-ups requested in #32732 and #32933 are not forgotten.

• use unpacker for interface configs packetbeat/config: allow multiple interfaces to be specified in the config #32732 (comment) abandoned
  it is not clear how to implement the changes here with u-cfg.
• rename InterfacesConfig to InterfaceConfig packetbeat/config: allow multiple interfaces to be specified in the config #32732 (comment)
• merge done chan logic into context cancellation logic packetbeat/sniffer: allow multiple interface devices to be followed #32933 (comment) abandoned
  the logic handled by the done chan and the context cancellation are distinct and are simpler wilthout merging

[efd6]

Closing after offline discussion agreeing to abandon remaining tasks — reasons provided in #31905 (comment).