listener: create generic listener filter timeout (#5231)

Move the hard-coded 15s timeout in TLS inspector into
the connection handler such that it covers all listener
filters. Also make it configurable as well as add useful
stats to see how many connections are currently undergoing
listener filter processing.

Fixes https://github.com/envoyproxy/envoy/issues/5217

Signed-off-by: Matt Klein <mklein@lyft.com>

Mirrored from https://github.com/envoyproxy/envoy @ e96425aabcce10ab2030de66f69cbb20a867322f

envoy/api/v2/lds.proto

@@ -10,6 +10,7 @@ import "envoy/api/v2/discovery.proto";
 import "envoy/api/v2/listener/listener.proto";
 
 import "google/api/annotations.proto";
+import "google/protobuf/duration.proto";
 import "google/protobuf/wrappers.proto";
 
 import "validate/validate.proto";
@@ -36,6 +37,7 @@ service ListenerDiscoveryService {
   }
 }
 
+// [#comment:next free field: 16]
 message Listener {
   // The unique name by which this listener is known. If no name is provided,
   // Envoy will allocate an internal UUID for the listener. If the listener is to be dynamically
@@ -120,6 +122,11 @@ message Listener {
   // before a connection is created.
   repeated listener.ListenerFilter listener_filters = 9 [(gogoproto.nullable) = false];
 
+  // The timeout to wait for all listener filters to complete operation. If the timeout is reached,
+  // the accepted socket is closed without a connection being created. Specify 0 to disable the
+  // timeout. If not specified, a default timeout of 15s is used.
+  google.protobuf.Duration listener_filters_timeout = 15 [(gogoproto.stdduration) = true];
+
   // Whether the listener should be set as a transparent socket.
   // When this flag is set to true, connections can be redirected to the listener using an
   // *iptables* *TPROXY* target, in which case the original source and destination addresses and