Proxy Protocol: Pass through V2 TLVs to upstream (#24944)

Signed-off-by: Boteng Yao <boteng@google.com> Mirrored from https://github.com/envoyproxy/envoy @ 74508c8ccef52011609469be1317ef38723770d5
2 years ago · 40f6d786db
parent 2c1b6c1026
commit 40f6d786db
3 changed files with 34 additions and 1 deletions
--- a/envoy/config/core/v3/proxy_protocol.proto
+++ b/envoy/config/core/v3/proxy_protocol.proto
@ -3,6 +3,7 @@ syntax = "proto3";
 package envoy.config.core.v3;

 import "udpa/annotations/status.proto";
+import "validate/validate.proto";

 option java_package = "io.envoyproxy.envoy.config.core.v3";
 option java_outer_classname = "ProxyProtocolProto";
@ -12,6 +13,25 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;

 // [#protodoc-title: Proxy protocol]

+message ProxyProtocolPassThroughTLVs {
+  enum PassTLVsMatchType {
+    // Pass all TLVs.
+    INCLUDE_ALL = 0;
+
+    // Pass specific TLVs defined in tlv_type.
+    INCLUDE = 1;
+  }
+
+  // The strategy to pass through TLVs. Default is INCLUDE_ALL.
+  // If INCLUDE_ALL is set, all TLVs will be passed through no matter the tlv_type field.
+  PassTLVsMatchType match_type = 1;
+
+  // The TLV types that are applied based on match_type.
+  // TLV type is defined as uint8_t in proxy protocol. See `the spec
+  // <https://www.haproxy.org/download/2.1/doc/proxy-protocol.txt>`_ for details.
+  repeated uint32 tlv_type = 2 [(validate.rules).repeated = {items {uint32 {lt: 256}}}];
+}
+
 message ProxyProtocolConfig {
  enum Version {
    // PROXY protocol version 1. Human readable format.
@ -23,4 +43,8 @@ message ProxyProtocolConfig {

  // The PROXY protocol version to use. See https://www.haproxy.org/download/2.1/doc/proxy-protocol.txt for details
  Version version = 1;
+
+  // This config controls which TLVs can be passed to filter state if it is Proxy Protocol
+  // V2 header. If there is no setting for this field, no TLVs will be passed through.
+  ProxyProtocolPassThroughTLVs pass_through_tlvs = 2;
 }
--- a/envoy/extensions/filters/listener/proxy_protocol/v3/BUILD
+++ b/envoy/extensions/filters/listener/proxy_protocol/v3/BUILD
@ -5,5 +5,8 @@ load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
 licenses(["notice"])  # Apache 2

 api_proto_package(
-    deps = ["@com_github_cncf_udpa//udpa/annotations:pkg"],
+    deps = [
+        "//envoy/config/core/v3:pkg",
+        "@com_github_cncf_udpa//udpa/annotations:pkg",
+    ],
 )
--- a/envoy/extensions/filters/listener/proxy_protocol/v3/proxy_protocol.proto
+++ b/envoy/extensions/filters/listener/proxy_protocol/v3/proxy_protocol.proto
@ -2,6 +2,8 @@ syntax = "proto3";

 package envoy.extensions.filters.listener.proxy_protocol.v3;

+import "envoy/config/core/v3/proxy_protocol.proto";
+
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
@ -58,4 +60,8 @@ message ProxyProtocol {
  //   signature will timeout (Envoy is unable to differentiate these requests
  //   from incomplete proxy protocol requests).
  bool allow_requests_without_proxy_protocol = 2;
+
+  // This config controls which TLVs can be passed to filter state if it is Proxy Protocol
+  // V2 header. If there is no setting for this field, no TLVs will be passed through.
+  config.core.v3.ProxyProtocolPassThroughTLVs pass_through_tlvs = 3;
 }