diff --git a/BUILD b/BUILD
index ff4e6094..51248b22 100644
--- a/BUILD
+++ b/BUILD
@@ -220,6 +220,7 @@ proto_library(
 "//envoy/extensions/internal_redirect/safe_cross_scheme/v3:pkg",
 "//envoy/extensions/key_value/file_based/v3:pkg",
 "//envoy/extensions/matching/common_inputs/environment_variable/v3:pkg",
+ "//envoy/extensions/matching/common_inputs/network/v3:pkg",
 "//envoy/extensions/matching/input_matchers/consistent_hashing/v3:pkg",
 "//envoy/extensions/matching/input_matchers/ip/v3:pkg",
 "//envoy/extensions/network/dns_resolver/apple/v3:pkg",
diff --git a/envoy/extensions/matching/common_inputs/network/v3/BUILD b/envoy/extensions/matching/common_inputs/network/v3/BUILD
new file mode 100644
index 00000000..ee92fb65
--- /dev/null
+++ b/envoy/extensions/matching/common_inputs/network/v3/BUILD
@@ -0,0 +1,9 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"]) # Apache 2
+
+api_proto_package(
+ deps = ["@com_github_cncf_udpa//udpa/annotations:pkg"],
+)
diff --git a/envoy/extensions/matching/common_inputs/network/v3/network_inputs.proto b/envoy/extensions/matching/common_inputs/network/v3/network_inputs.proto
new file mode 100644
index 00000000..8f54d345
--- /dev/null
+++ b/envoy/extensions/matching/common_inputs/network/v3/network_inputs.proto
@@ -0,0 +1,88 @@
+syntax = "proto3";
+
+package envoy.extensions.matching.common_inputs.network.v3;
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.matching.common_inputs.network.v3";
+option java_outer_classname = "NetworkInputsProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/matching/common_inputs/network/v3;networkv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Common Network Matching Inputs]
+
+// Specifies that matching should be performed by the destination IP address.
+message DestinationIPInput {
+}
+
+// Specifies that matching should be performed by the destination port.
+message DestinationPortInput {
+}
+
+// Specifies that matching should be performed by the source IP address.
+message SourceIPInput {
+}
+
+// Specifies that matching should be performed by the source port.
+message SourcePortInput {
+}
+
+// Input that matches by the directly connected source IP address (this
+// will only be different from the source IP address when using a listener
+// filter that overrides the source address, such as the :ref:`Proxy Protocol
+// listener filter `).
+message DirectSourceIPInput {
+}
+
+// Input that matches by the source IP type.
+// Specifies the source IP match type. The values include:
+//
+// * ``local`` - matches a connection originating from the same host,
+message SourceTypeInput {
+}
+
+// Input that matches by the requested server name (e.g. SNI in TLS).
+//
+// :ref:`TLS Inspector ` provides the requested server name based on SNI,
+// when TLS protocol is detected.
+message ServerNameInput {
+}
+
+// Input that matches by the transport protocol.
+//
+// Suggested values include:
+//
+// * ``raw_buffer`` - default, used when no transport protocol is detected,
+// * ``tls`` - set by :ref:`envoy.filters.listener.tls_inspector `
+// when TLS protocol is detected.
+message TransportProtocolInput {
+}
+
+// List of quoted and comma-separated requested application protocols. The list consists of a
+// single negotiated application protocol once the network stream is established.
+//
+// Examples:
+//
+// * ``'h2','http/1.1'``
+// * ``'h2c'```
+//
+// Suggested values in the list include:
+//
+// * ``http/1.1`` - set by :ref:`envoy.filters.listener.tls_inspector
+// ` and :ref:`envoy.filters.listener.http_inspector
+// `,
+// * ``h2`` - set by :ref:`envoy.filters.listener.tls_inspector `
+// * ``h2c`` - set by :ref:`envoy.filters.listener.http_inspector `
+//
+// .. attention::
+//
+// Currently, :ref:`TLS Inspector ` provides
+// application protocol detection based on the requested
+// `ALPN `_ values.
+//
+// However, the use of ALPN is pretty much limited to the HTTP/2 traffic on the Internet,
+// and matching on values other than ``h2`` is going to lead to a lot of false negatives,
+// unless all connecting clients are known to use ALPN.
+message ApplicationProtocolInput {
+}
diff --git a/versioning/BUILD b/versioning/BUILD
index 33971396..ec1462ad 100644
--- a/versioning/BUILD
+++ b/versioning/BUILD
@@ -159,6 +159,7 @@ proto_library(
 "//envoy/extensions/load_balancing_policies/round_robin/v3:pkg",
 "//envoy/extensions/load_balancing_policies/wrr_locality/v3:pkg",
 "//envoy/extensions/matching/common_inputs/environment_variable/v3:pkg",
+ "//envoy/extensions/matching/common_inputs/network/v3:pkg",
 "//envoy/extensions/matching/input_matchers/consistent_hashing/v3:pkg",
 "//envoy/extensions/matching/input_matchers/ip/v3:pkg",
 "//envoy/extensions/network/dns_resolver/apple/v3:pkg",
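Review bot: The comments on `SourceIPInput` and `SourcePortInput` in network_inputs.proto do not say that these inputs see the source address after a listener filter has overridden it; that is only implied by the `DirectSourceIPInput` comment. Someone who uses source-IP matching as an access decision needs to know the value may come from a Proxy Protocol header rather than from the connected peer, so I would add `// This is the address after any listener filter override (e.g. Proxy Protocol); use DirectSourceIPInput to match the directly connected peer.` to both. In the same way, `ServerNameInput` and `ApplicationProtocolInput` match on SNI and ALPN values that the client chooses, and a line such as `// The value is supplied by the client and is not authenticated.` would make that explicit. Separately, the `SourceTypeInput` comment ends its value list after `local` with a trailing comma, so any remaining values are undocumented, and the `'h2c'` example carries a stray third backtick.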