filter chain match: support source CIDRs and ports (#7064)

This PR also fully deprecates the tcp_proxy v1 configuration.
This will be deleted following the standard deprecation cycle.
All new uses should use filter chain matching.

Fixes https://github.com/envoyproxy/envoy/issues/4457

Signed-off-by: Matt Klein <mklein@lyft.com>

Mirrored from https://github.com/envoyproxy/envoy @ 866d0438d12ce9d39afb35ba200b0107bf3d6de3
data-plane-api(CircleCI) 6 years ago
parent dc1cbfa9f7
commit 1b104aa7e2
  1. 6
      envoy/api/v2/listener/listener.proto
  2. 61
      envoy/config/filter/network/tcp_proxy/v2/tcp_proxy.proto

@ -64,6 +64,8 @@ message Filter {
// 4. Transport protocol. // 4. Transport protocol.
// 5. Application protocols (e.g. ALPN for TLS protocol). // 5. Application protocols (e.g. ALPN for TLS protocol).
// 6. Source type (e.g. any, local or external network). // 6. Source type (e.g. any, local or external network).
// 7. Source IP address.
// 8. Source port.
// //
// For criteria that allow ranges or wildcards, the most specific value in any // For criteria that allow ranges or wildcards, the most specific value in any
// of the configured filter chains that matches the incoming connection is going // of the configured filter chains that matches the incoming connection is going
@ -108,14 +110,12 @@ message FilterChainMatch {
// connection is contained in at least one of the specified subnets. If the // connection is contained in at least one of the specified subnets. If the
// parameter is not specified or the list is empty, the source IP address is // parameter is not specified or the list is empty, the source IP address is
// ignored. // ignored.
// [#not-implemented-hide:]
repeated core.CidrRange source_prefix_ranges = 6; repeated core.CidrRange source_prefix_ranges = 6;
// The criteria is satisfied if the source port of the downstream connection // The criteria is satisfied if the source port of the downstream connection
// is contained in at least one of the specified ports. If the parameter is // is contained in at least one of the specified ports. If the parameter is
// not specified, the source port is ignored. // not specified, the source port is ignored.
// [#not-implemented-hide:] repeated uint32 source_ports = 7 [(validate.rules).repeated .items.uint32 = {gte: 1, lte: 65535}];
repeated google.protobuf.UInt32Value source_ports = 7;
// If non-empty, a list of server names (e.g. SNI for TLS protocol) to consider when determining // If non-empty, a list of server names (e.g. SNI for TLS protocol) to consider when determining
// a filter chain match. Those values will be compared against the server names of a new // a filter chain match. Those values will be compared against the server names of a new
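Review bot: Field 7 changes type from `repeated google.protobuf.UInt32Value` to `repeated uint32` without a new field number, which is not wire-compatible (a wrapper message is length-delimited and would be misread as packed varints); this is only safe because the field was `[#not-implemented-hide:]` and never consumed, and a one-line comment recording that would spare the next reader a compatibility check. The comments on `source_prefix_ranges` and `source_ports` should also say what "source" means operationally: the match is against the peer address as seen by the listener, so behind a load balancer, or if a listener filter rewrites the remote address (not visible in this hunk), it is that address which is matched, and the source port is chosen by the client. Suggested addition above `source_prefix_ranges`: `// Note: source address and port are unauthenticated peer attributes and should not be the sole basis for an access-control decision.` The `gte: 1, lte: 65535` bound on `source_ports` is a good addition and needs no change.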

@ -30,25 +30,11 @@ message TcpProxy {
// The upstream cluster to connect to. // The upstream cluster to connect to.
// //
// .. note::
//
// Complex routing (based on connection properties) is being implemented in listeners. Once
// fully implemented, this field (or `weighted_clusters`) will be the only way to configure
// the target cluster. In the interim, complex routing requires using a :ref:`deprecated_v1
// <envoy_api_field_config.filter.network.tcp_proxy.v2.TcpProxy.deprecated_v1>` configuration.
// This field is ignored if a `deprecated_v1` configuration is set.
//
string cluster = 2; string cluster = 2;
// Multiple upstream clusters can be specified for a given route. The // Multiple upstream clusters can be specified for a given route. The
// request is routed to one of the upstream clusters based on weights // request is routed to one of the upstream clusters based on weights
// assigned to each cluster. // assigned to each cluster.
//
// .. note::
//
// This field is ignored if the :ref:`deprecated_v1
// <envoy_api_field_config.filter.network.tcp_proxy.v2.TcpProxy.deprecated_v1>`
// configuration is set.
WeightedCluster weighted_clusters = 10; WeightedCluster weighted_clusters = 10;
} }
@ -79,9 +65,8 @@ message TcpProxy {
// emitted by the this tcp_proxy. // emitted by the this tcp_proxy.
repeated envoy.config.filter.accesslog.v2.AccessLog access_log = 5; repeated envoy.config.filter.accesslog.v2.AccessLog access_log = 5;
// TCP Proxy filter configuration using V1 format, until Envoy gets the // [#not-implemented-hide:] Deprecated.
// ability to match source/destination at the listener level (called // TCP Proxy filter configuration using V1 format.
// :ref:`filter chain match <envoy_api_msg_listener.FilterChainMatch>`).
message DeprecatedV1 { message DeprecatedV1 {
// A TCP proxy route consists of a set of optional L4 criteria and the // A TCP proxy route consists of a set of optional L4 criteria and the
// name of a cluster. If a downstream connection matches all the // name of a cluster. If a downstream connection matches all the
@ -134,46 +119,8 @@ message TcpProxy {
repeated TCPRoute routes = 1 [(validate.rules).repeated .min_items = 1]; repeated TCPRoute routes = 1 [(validate.rules).repeated .min_items = 1];
} }
// TCP Proxy filter configuration using deprecated V1 format. This is required for complex // [#not-implemented-hide:] Deprecated.
// routing until filter chain matching in the listener is implemented. DeprecatedV1 deprecated_v1 = 6 [deprecated = true];
//
// Example:
//
// .. code-block:: yaml
//
// - name: "envoy.tcp_proxy"
// config:
// deprecated_v1: true
// value:
// stat_prefix: "prefix"
// access_log:
// - ...
// route_config:
// routes:
// - cluster: "cluster"
// destination_ip_list:
// - "10.1.0.0/8"
// destination_ports: "8080"
// source_ip_list:
// - "10.1.0.0/16"
// - "2001:db8::/32"
// source_ports: "8000,9000-9999"
//
// .. attention::
//
// Using the deprecated V1 configuration excludes the use of any V2 configuration options. Only
// the V1 configuration is used. All available fields are shown in the example, although the
// access log configuration is omitted for simplicity. The access log configuration uses the
// :repo:`deprecated V1 access log configuration<source/common/json/config_schemas.cc>`.
//
// .. attention::
//
// In the deprecated V1 configuration, source and destination CIDR ranges are specified as a
// list of strings with each string in CIDR notation. Source and destination ports are
// specified as single strings containing a comma-separated list of ports and/or port ranges.
//
// Deprecation pending https://github.com/envoyproxy/envoy/issues/4457
DeprecatedV1 deprecated_v1 = 6;
// The maximum number of unsuccessful connection attempts that will be made before // The maximum number of unsuccessful connection attempts that will be made before
// giving up. If the parameter is not specified, 1 connection attempt will be made. // giving up. If the parameter is not specified, 1 connection attempt will be made.
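Review bot: The new comment on `deprecated_v1` (`[#not-implemented-hide:] Deprecated.`) drops both the pointer to the replacement and the precedence rule that the removed notes on `cluster` and `weighted_clusters` stated, namely that those fields are ignored when `deprecated_v1` is set. Since the commit message keeps the field alive through the deprecation cycle, that override presumably still applies (the runtime is not visible here), and an operator reading only the v2 fields could believe `cluster` is in effect while traffic actually follows the v1 routes. Suggested comment on the field: `// [#not-implemented-hide:] Deprecated; use listener filter chain matching (FilterChainMatch) instead. While set, this configuration takes precedence and cluster/weighted_clusters are ignored.` Adding `option deprecated = true;` inside `message DeprecatedV1` would also surface the deprecation in generated code rather than only on the field.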
