diff --git a/envoy/api/v2/lds.proto b/envoy/api/v2/lds.proto
index 7780fea2..e3a5c8a4 100644
--- a/envoy/api/v2/lds.proto
+++ b/envoy/api/v2/lds.proto
@@ -55,15 +55,8 @@ message Listener {
 // :ref:`FilterChainMatch ` criteria is used on a
 // connection.
 //
- // .. attention::
- //
- // In the current version, multiple filter chains are supported **only** so that SNI can be
- // configured. See the :ref:`FAQ entry ` on how to configure SNI for more
- // information. When multiple filter chains are configured, each filter chain must have an
- // **identical** set of :ref:`filters `. If the
- // filters differ, the configuration will fail to load. In the future, this limitation will be
- // relaxed such that different filters can be used depending on which filter chain matches
- // (based on SNI or some other parameter).
+ // Example using SNI for filter chain selection can be found in the
+ // :ref:`FAQ entry `.
 repeated listener.FilterChain filter_chains = 3 [(validate.rules).repeated .min_items = 1, (gogoproto.nullable) = false];
diff --git a/envoy/api/v2/listener/listener.proto b/envoy/api/v2/listener/listener.proto
index 6889b467..d459f201 100644
--- a/envoy/api/v2/listener/listener.proto
+++ b/envoy/api/v2/listener/listener.proto
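Review bot: `Example using SNI for filter chain selection can be found in the` is missing its article; suggest `An example using SNI for filter chain selection can be found in the`. The removed paragraph was the only place that stated what happens when filter chains carry different filter sets, and the replacement does not say whether differing filters are now accepted; if that restriction was lifted, a sentence such as `Filter chains may configure different sets of filters.` would keep the field documentation complete. The enclosing Listener message continues outside the hunk.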
@@ -47,12 +47,32 @@ message Filter {
 // Specifies the match criteria for selecting a specific filter chain for a
 // listener.
+//
+// In order for a filter chain to be selected, *ALL* of its criteria must be
+// fulfilled by the incoming connection, properties of which are set by the
+// networking stack and/or listener filters.
+//
+// The following order applies:
+//
+// [#comment:TODO(PiotrSikora): destination IP / ranges are going to be 1.]
+// 1. Server name (e.g. SNI for TLS protocol),
+// 2. Transport protocol.
+// [#comment:TODO(PiotrSikora): application protocols are going to be 4.]
+//
+// For criterias that allow ranges or wildcards, the most specific value in any
+// of the configured filter chains that matches the incoming connection is going
+// to be used (e.g. for SNI ``www.example.com`` the most specific match would be
+// ``www.example.com``, then ``*.example.com``, then any filter chain without
+// ``sni_domains`` requirements).
+//
+// [#comment:TODO(PiotrSikora): Add support for configurable precedence of the rules]
 message FilterChainMatch {
 // If non-empty, the SNI domain names to consider. May contain a wildcard prefix for
- // the bottom-level domain of a domain name, e.g. ``*.example.com``. Note that
- // ``foo.example.com`` will be matched by ``foo.example.com`` and ``*.example.com``
- // SNI domain names, but **not** by ``*foo.example.com``, ``*oo.example.com``,
- // ``*example.com``, ``*.com`` or ``*``.
+ // the bottom-level domain of a domain name, e.g. ``*.example.com``.
+ //
+ // Note that ``foo.example.com`` will be matched by ``foo.example.com``
+ // and ``*.example.com`` SNI domain names, but **not** by ``*foo.example.com``,
+ // ``*oo.example.com``, ``*example.com``, ``*.com`` or ``*``.
 //
 // .. attention::
 //
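Review bot: `criterias` in `For criterias that allow ranges or wildcards` should be `criteria`, which is already plural. `The following order applies:` does not say what the order governs; since the paragraph below describes most-specific-match selection, suggest `The criteria are evaluated in the following order of precedence:` if that is the intended meaning. The fallback clause `then any filter chain without ``sni_domains`` requirements` would be clearer with an explicit statement that such a chain acts as a catch-all for connections that present no SNI or an SNI no other chain matches, so that operators add one deliberately rather than by omission. The FilterChainMatch message continues past the end of the hunk.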
@@ -90,6 +110,17 @@ message FilterChainMatch {
 // listener in determining a filter chain match.
 // [#not-implemented-hide:]
 google.protobuf.UInt32Value destination_port = 8;
+
+ // If non-empty, a transport protocol to consider when determining a filter chain match.
+ // This value will be compared against the transport protocol of a new connection, when
+ // it's detected by one of the listener filters (this needs to be configured separately).
+ //
+ // Valid values include:
+ //
+ // * ``raw_buffer`` - default, used when no transport protocol is detected,
+ // * ``tls`` - set by :ref:`envoy.listener.tls_inspector `
+ // when TLS protocol is detected.
+ string transport_protocol = 9;
 }
 // A filter chain wraps a set of match criteria, an option TLS context, a set of filters, and
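Review bot: The word `default` in `* ``raw_buffer`` - default, used when no transport protocol is detected,` is ambiguous: it reads as the default of this field, whereas an empty `transport_protocol` (proto3 string, so unset and empty are the same) means the criterion is not applied and the chain matches connections of any transport protocol. Suggest `* ``raw_buffer`` - the value a connection carries when no transport protocol has been detected,` plus a closing line `// An empty value (the default) matches connections of any transport protocol.`. It follows that a chain meant to serve only TLS connections has to set ``tls`` explicitly, and it is selected only when a listener filter that detects TLS is installed; otherwise the connection remains ``raw_buffer`` and the chain is never chosen, which the comment could state outright. Values outside the listed ones are not rejected by the schema and, from this hunk, appear to simply never match, so that too deserves a sentence.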