diff --git a/docs/root/configuration/access_log.rst b/docs/root/configuration/access_log.rst index 1e73b3f4..3904bc9c 100644 --- a/docs/root/configuration/access_log.rst +++ b/docs/root/configuration/access_log.rst @@ -135,6 +135,8 @@ The following command operators are supported: If the original connection was redirected by iptables REDIRECT, this represents the original destination address restored by the :ref:`Original Destination Filter ` using SO_ORIGINAL_DST socket option. + If the original connection was redirected by iptables TPROXY, and the listener's transparent + option was set to true, this represents the original destination address and port. %DOWNSTREAM_LOCAL_ADDRESS_WITHOUT_PORT% Same as **%DOWNSTREAM_LOCAL_ADDRESS%** excluding port if the address is an IP address. diff --git a/docs/root/configuration/http_conn_man/headers.rst b/docs/root/configuration/http_conn_man/headers.rst index 3b9b8341..9c86ed19 100644 --- a/docs/root/configuration/http_conn_man/headers.rst +++ b/docs/root/configuration/http_conn_man/headers.rst @@ -454,6 +454,8 @@ Supported variable names are: If the original connection was redirected by iptables REDIRECT, this represents the original destination address restored by the :ref:`Original Destination Filter ` using SO_ORIGINAL_DST socket option. + If the original connection was redirected by iptables TPROXY, and the listener's transparent + option was set to true, this represents the original destination address and port. %DOWNSTREAM_LOCAL_ADDRESS_WITHOUT_PORT% Same as **%DOWNSTREAM_LOCAL_ADDRESS%** excluding port if the address is an IP address. diff --git a/docs/root/intro/arch_overview/service_discovery.rst b/docs/root/intro/arch_overview/service_discovery.rst index da93760d..ae69b505 100644 --- a/docs/root/intro/arch_overview/service_discovery.rst +++ b/docs/root/intro/arch_overview/service_discovery.rst 
@@ -57,10 +57,10 @@ Original destination ^^^^^^^^^^^^^^^^^^^^ Original destination cluster can be used when incoming connections are redirected to Envoy either -via an iptables REDIRECT rule or with Proxy Protocol. In these cases requests routed to an original -destination cluster are forwarded to upstream hosts as addressed by the redirection metadata, -without any explicit host configuration or upstream host discovery. Connections to upstream hosts -are pooled and unused hosts are flushed out when they have been idle longer than +via an iptables REDIRECT or TPROXY target or with Proxy Protocol. In these cases requests routed +to an original destination cluster are forwarded to upstream hosts as addressed by the redirection +metadata, without any explicit host configuration or upstream host discovery. Connections to +upstream hosts are pooled and unused hosts are flushed out when they have been idle longer than :ref:`*cleanup_interval_ms* `, which defaults to 5000ms. If the original destination address is is not available, no upstream connection is opened. Original destination service discovery must be used with the original destination :ref:`load diff --git a/envoy/api/v2/lds.proto b/envoy/api/v2/lds.proto index b3d01745..5cd21ce8 100644 --- a/envoy/api/v2/lds.proto +++ b/envoy/api/v2/lds.proto @@ -126,4 +126,10 @@ message Listener { // filters are processed sequentially right after a socket has been accepted by the listener, and // before a connection is created. repeated listener.ListenerFilter listener_filters = 9 [(gogoproto.nullable) = false]; + + // Whether the listener should be set as a transparent socket. When this flag is set to true, + // connections can be redirected to the listener using an *iptables* *TPROXY* target, in which + // case the original source and destination addresses and ports are preserved on accepted + // connections. Requires Envoy to run with the *CAP_NET_ADMIN* capability. Defaults to false. + bool transparent = 10; }
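Review bot: In the access_log.rst hunk, the added sentence refers to "the listener's transparent option" in plain text while the sentence just above it links the Original Destination Filter with a :ref:; the new field should get the same treatment so readers can find where `transparent` is set and what it requires. The sentence should also make explicit that in the TPROXY case the address is taken directly from the accepted socket, so the Original Destination Filter / SO_ORIGINAL_DST path described in the preceding sentence does not apply; as written, a reader can take the two sentences as cumulative.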
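Review bot: The headers.rst hunk duplicates the access_log.rst text word for word, so any wording or cross-reference fix made to one should be applied to both in this same change; otherwise the two descriptions of %DOWNSTREAM_LOCAL_ADDRESS% will drift apart.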
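Review bot: The service_discovery.rst hunk reflows the paragraph but leaves the pre-existing typo in the trailing context line, "If the original destination address is is not available"; since the surrounding lines are already being touched, fold the fix ("is not available") into this hunk. The rewritten sentence "via an iptables REDIRECT or TPROXY target or with Proxy Protocol" reads correctly, though "an iptables REDIRECT or TPROXY target, or with Proxy Protocol" would make the three alternatives easier to parse.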
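Review bot: The lds.proto hunk says the new `transparent` field "Requires Envoy to run with the *CAP_NET_ADMIN* capability" but does not say what happens when that capability is missing; the comment should state whether the listener fails to bind (and with what error) or silently comes up non-transparent, since operators will hit this in containers that drop capabilities. Given that CAP_NET_ADMIN is a broad capability, the comment should also point out that only that single capability is needed rather than running as root, and that a transparent listener accepts connections for arbitrary destination addresses, so it is expected to be fronted by the matching iptables TPROXY rules rather than exposed directly. Finally, this comment promises that "the original source and destination addresses and ports are preserved", while the two access-log hunks only describe the destination; either document the source-address behaviour in the access-log text as well or narrow this comment so the three descriptions agree.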