IP Matcher on a list of CIDR ranges (#16592)

Input matcher that checks that an IP{v4,v6} belongs to a list of CIDR ranges Signed-off-by: Adrien Guinet <adrien@reblaze.com> Mirrored from https://github.com/envoyproxy/envoy @ 6cd6a0cab68c757c785e62e0d73d881f57c97839
3 years ago · 7a2b442171
parent efc1a59d1a
commit 7a2b442171
4 changed files with 52 additions and 0 deletions
--- a/1
+++ b/1
@ -195,6 +195,7 @@ proto_library(
        "//envoy/extensions/internal_redirect/safe_cross_scheme/v3:pkg",
        "//envoy/extensions/matching/common_inputs/environment_variable/v3:pkg",
        "//envoy/extensions/matching/input_matchers/consistent_hashing/v3:pkg",
+        "//envoy/extensions/matching/input_matchers/ip/v3:pkg",
        "//envoy/extensions/network/socket_interface/v3:pkg",
        "//envoy/extensions/quic/crypto_stream/v3:pkg",
        "//envoy/extensions/quic/proof_source/v3:pkg",
--- a/envoy/extensions/matching/input_matchers/ip/v3/BUILD
+++ b/envoy/extensions/matching/input_matchers/ip/v3/BUILD
@ -0,0 +1,12 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = [
+        "//envoy/config/core/v3:pkg",
+        "@com_github_cncf_udpa//udpa/annotations:pkg",
+    ],
+)
--- a/envoy/extensions/matching/input_matchers/ip/v3/ip.proto
+++ b/envoy/extensions/matching/input_matchers/ip/v3/ip.proto
@ -0,0 +1,38 @@
+syntax = "proto3";
+
+package envoy.extensions.matching.input_matchers.ip.v3;
+
+import "envoy/config/core/v3/address.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.matching.input_matchers.ip.v3";
+option java_outer_classname = "IpProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: IP matcher]
+// [#extension: envoy.matching.input_matchers.ip]
+
+// This input matcher matches IPv4 or IPv6 addresses against a list of CIDR
+// ranges. It returns true if and only if the input IP belongs to at least one
+// of these CIDR ranges. Internally, it uses a Level-Compressed trie, as
+// described in the paper `IP-address lookup using LC-tries
+// <https://www.nada.kth.se/~snilsson/publications/IP-address-lookup-using-LC-tries/>`_
+// by S. Nilsson and G. Karlsson. For "big" lists of IPs, this matcher is more
+// efficient than multiple single IP matcher, that would have a linear cost.
+message Ip {
+  // Match if the IP belongs to any of these CIDR ranges.
+  repeated config.core.v3.CidrRange cidr_ranges = 1 [(validate.rules).repeated = {min_items: 1}];
+
+  // The human readable prefix to use when emitting statistics for the IP input
+  // matcher. Names in the table below are concatenated to this prefix.
+  //
+  // .. csv-table::
+  //    :header: Name, Type, Description
+  //    :widths: 1, 1, 2
+  //
+  //    ip_parsing_failed, Counter, Total number of IP addresses the matcher was unable to parse
+  string stat_prefix = 2 [(validate.rules).string = {min_len: 1}];
+}
--- a/versioning/BUILD
+++ b/versioning/BUILD
@ -140,6 +140,7 @@ proto_library(
        "//envoy/extensions/internal_redirect/safe_cross_scheme/v3:pkg",
        "//envoy/extensions/matching/common_inputs/environment_variable/v3:pkg",
        "//envoy/extensions/matching/input_matchers/consistent_hashing/v3:pkg",
+        "//envoy/extensions/matching/input_matchers/ip/v3:pkg",
        "//envoy/extensions/network/socket_interface/v3:pkg",
        "//envoy/extensions/quic/crypto_stream/v3:pkg",
        "//envoy/extensions/quic/proof_source/v3:pkg",