listener: add filter chain match support for direct source address (#17118)

Signed-off-by: Greg Greenway <ggreenway@apple.com>

Mirrored from https://github.com/envoyproxy/envoy @ 97eb8e5cfd102712c0e7685c6c72ff054b75fe55
pull/624/head
data-plane-api(Azure Pipelines) 3 years ago
parent ebadea993d
commit b13f3a24bd
  1. 16
      envoy/config/listener/v3/listener_components.proto
  2. 16
      envoy/config/listener/v4alpha/listener_components.proto

@ -64,9 +64,12 @@ message Filter {
// 3. Server name (e.g. SNI for TLS protocol), // 3. Server name (e.g. SNI for TLS protocol),
// 4. Transport protocol. // 4. Transport protocol.
// 5. Application protocols (e.g. ALPN for TLS protocol). // 5. Application protocols (e.g. ALPN for TLS protocol).
// 6. Source type (e.g. any, local or external network). // 6. Directly connected source IP address (this will only be different from the source IP address
// 7. Source IP address. // when using a listener filter that overrides the source address, such as the :ref:`Proxy Protocol
// 8. Source port. // listener filter <config_listener_filters_proxy_protocol>`).
// 7. Source type (e.g. any, local or external network).
// 8. Source IP address.
// 9. Source port.
// //
// For criteria that allow ranges or wildcards, the most specific value in any // For criteria that allow ranges or wildcards, the most specific value in any
// of the configured filter chains that matches the incoming connection is going // of the configured filter chains that matches the incoming connection is going
@ -90,7 +93,7 @@ message Filter {
// listed at the end, because that's how we want to list them in the docs. // listed at the end, because that's how we want to list them in the docs.
// //
// [#comment:TODO(PiotrSikora): Add support for configurable precedence of the rules] // [#comment:TODO(PiotrSikora): Add support for configurable precedence of the rules]
// [#next-free-field: 13] // [#next-free-field: 14]
message FilterChainMatch { message FilterChainMatch {
option (udpa.annotations.versioning).previous_message_type = option (udpa.annotations.versioning).previous_message_type =
"envoy.api.v2.listener.FilterChainMatch"; "envoy.api.v2.listener.FilterChainMatch";
@ -124,6 +127,11 @@ message FilterChainMatch {
// [#not-implemented-hide:] // [#not-implemented-hide:]
google.protobuf.UInt32Value suffix_len = 5; google.protobuf.UInt32Value suffix_len = 5;
// The criteria is satisfied if the directly connected source IP address of the downstream
// connection is contained in at least one of the specified subnets. If the parameter is not
// specified or the list is empty, the directly connected source IP address is ignored.
repeated core.v3.CidrRange direct_source_prefix_ranges = 13;
// Specifies the connection source IP match type. Can be any, local or external network. // Specifies the connection source IP match type. Can be any, local or external network.
ConnectionSourceType source_type = 12 [(validate.rules).enum = {defined_only: true}]; ConnectionSourceType source_type = 12 [(validate.rules).enum = {defined_only: true}];
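Review bot: The field comment on `direct_source_prefix_ranges` (hunk -124,6 +127,11, and the identical v4alpha hunk -123,6 +126,11) never says what "directly connected" means. That is explained only in the precedence list in the first hunk, so a reader of the field docs cannot tell how this differs from the existing source IP match. The distinction matters for access decisions: by the first hunk's own wording, the source address can be overridden by a listener filter such as Proxy Protocol, whereas this field matches the immediate peer. I would add to the field comment: `// Unlike source_prefix_ranges, this is the address of the immediate peer and is not changed by listener filters that override the source address (e.g. the Proxy Protocol listener filter).` The `FilterChainMatch` body continues outside the hunk, so whether the comment should also state how the two criteria combine when both are set cannot be judged from here.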

@ -63,9 +63,12 @@ message Filter {
// 3. Server name (e.g. SNI for TLS protocol), // 3. Server name (e.g. SNI for TLS protocol),
// 4. Transport protocol. // 4. Transport protocol.
// 5. Application protocols (e.g. ALPN for TLS protocol). // 5. Application protocols (e.g. ALPN for TLS protocol).
// 6. Source type (e.g. any, local or external network). // 6. Directly connected source IP address (this will only be different from the source IP address
// 7. Source IP address. // when using a listener filter that overrides the source address, such as the :ref:`Proxy Protocol
// 8. Source port. // listener filter <config_listener_filters_proxy_protocol>`).
// 7. Source type (e.g. any, local or external network).
// 8. Source IP address.
// 9. Source port.
// //
// For criteria that allow ranges or wildcards, the most specific value in any // For criteria that allow ranges or wildcards, the most specific value in any
// of the configured filter chains that matches the incoming connection is going // of the configured filter chains that matches the incoming connection is going
@ -89,7 +92,7 @@ message Filter {
// listed at the end, because that's how we want to list them in the docs. // listed at the end, because that's how we want to list them in the docs.
// //
// [#comment:TODO(PiotrSikora): Add support for configurable precedence of the rules] // [#comment:TODO(PiotrSikora): Add support for configurable precedence of the rules]
// [#next-free-field: 13] // [#next-free-field: 14]
message FilterChainMatch { message FilterChainMatch {
option (udpa.annotations.versioning).previous_message_type = option (udpa.annotations.versioning).previous_message_type =
"envoy.config.listener.v3.FilterChainMatch"; "envoy.config.listener.v3.FilterChainMatch";
@ -123,6 +126,11 @@ message FilterChainMatch {
// [#not-implemented-hide:] // [#not-implemented-hide:]
google.protobuf.UInt32Value suffix_len = 5; google.protobuf.UInt32Value suffix_len = 5;
// The criteria is satisfied if the directly connected source IP address of the downstream
// connection is contained in at least one of the specified subnets. If the parameter is not
// specified or the list is empty, the directly connected source IP address is ignored.
repeated core.v4alpha.CidrRange direct_source_prefix_ranges = 13;
// Specifies the connection source IP match type. Can be any, local or external network. // Specifies the connection source IP match type. Can be any, local or external network.
ConnectionSourceType source_type = 12 [(validate.rules).enum = {defined_only: true}]; ConnectionSourceType source_type = 12 [(validate.rules).enum = {defined_only: true}];
