Enhance ext_proc filter to support MXN streaming (#34942)

This PR is for issue: https://github.com/envoyproxy/envoy/issues/32090.
One of the use case is, like compression by the external processing.

This is to let the ext_proc server be able to buffer M request body
chunks from Envoy first, processing them, then send N chunks back to
Envoy in the STREAMED mode. It also let the server buffer the entire
message, i.e, header, body, trailer, before sending back any response.

The ext_proc MXN streaming works this way:

1) Enable the MXN streaming by configuring the body mode to be
FULL_DUPLEX_STREAMED in the ext_proc filter config.
2) Config the trailer mode to be SEND  in the ext_proc filter config.

With above config, Envoy will send body to the ext_proc server as they
arrival. The server can buffer the entire or partial of the body (M
chunks) then streaming the mutated body(may need to split into N
chunks), back to Envoy.

---------

Signed-off-by: Yanjun Xiang <yanjunxiang@google.com>

Mirrored from https://github.com/envoyproxy/envoy @ 72a20671ae70db520226388bfd351e817393d66e

bazel/repository_locations.bzl

@@ -163,6 +163,8 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         urls = ["https://github.com/norbjd/protoc-gen-jsonschema/archive/{version}.zip"],
         use_category = ["build"],
         release_date = "2023-05-30",
+        license = "Apache-2.0",
+        license_url = "https://github.com/norbjd/protoc-gen-jsonschema/blob/{version}/LICENSE",
     ),
     dev_cel = dict(
         project_name = "CEL",
@@ -174,19 +176,21 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         urls = ["https://github.com/google/cel-spec/archive/v{version}.tar.gz"],
         use_category = ["api"],
         release_date = "2024-10-23",
+        license = "Apache-2.0",
+        license_url = "https://github.com/google/cel-spec/blob/v{version}/LICENSE",
     ),
     envoy_toolshed = dict(
         project_name = "envoy_toolshed",
         project_desc = "Tooling, libraries, runners and checkers for Envoy proxy's CI",
         project_url = "https://github.com/envoyproxy/toolshed",
-        version = "0.1.13",
-        sha256 = "5210866866fccb8e94f2a921c8452d7ea2ae1bf2b2b9520ab0e0cd1df36e7ad5",
+        version = "0.1.15",
+        sha256 = "b235526a20ef7a74e908c8827da40c32182bf18635a70e836dcad2a561eb3e6d",
         strip_prefix = "toolshed-bazel-v{version}/bazel",
         urls = ["https://github.com/envoyproxy/toolshed/archive/bazel-v{version}.tar.gz"],
         use_category = ["build"],
-        release_date = "2024-10-29",
+        release_date = "2024-11-04",
         cpe = "N/A",
         license = "Apache-2.0",
-        license_url = "https://github.com/envoyproxy/envoy/blob/bazel-v{version}/LICENSE",
+        license_url = "https://github.com/envoyproxy/toolshed/blob/bazel-v{version}/LICENSE",
     ),
 )

contrib/envoy/extensions/filters/network/kafka_broker/v3/kafka_broker.proto

@@ -15,7 +15,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: Kafka Broker]
 // Kafka Broker :ref:`configuration overview <config_network_filters_kafka_broker>`.
 // [#extension: envoy.filters.network.kafka_broker]
-
+// [#next-free-field: 6]
 message KafkaBroker {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.filter.network.kafka_broker.v2alpha1.KafkaBroker";
@@ -39,6 +39,16 @@ message KafkaBroker {
     // Broker address rewrite rules that match by broker ID.
     IdBasedBrokerRewriteSpec id_based_broker_address_rewrite_spec = 3;
   }
+
+  // Optional list of allowed Kafka API keys. Only requests with provided API keys will be
+  // routed, otherwise the connection will be closed. No effect if empty.
+  repeated uint32 api_keys_allowed = 4
+      [(validate.rules).repeated = {items {uint32 {lte: 32767 gte: 0}}}];
+
+  // Optional list of denied Kafka API keys. Requests with API keys matching this list will have
+  // the connection closed. No effect if empty.
+  repeated uint32 api_keys_denied = 5
+      [(validate.rules).repeated = {items {uint32 {lte: 32767 gte: 0}}}];
 }
 
 // Collection of rules matching by broker ID.

envoy/config/core/v3/base.proto

@@ -453,6 +453,7 @@ message HeaderValueOption {
 message HeaderMap {
   option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.HeaderMap";
 
+  // A list of header names and their values.
   repeated HeaderValue headers = 1;
 }
 

envoy/config/filter/network/kafka_broker/v2alpha1/kafka_broker.proto

@@ -17,7 +17,7 @@ option (udpa.annotations.file_status).package_version_status = FROZEN;
 // [#protodoc-title: Kafka Broker]
 // Kafka Broker :ref:`configuration overview <config_network_filters_kafka_broker>`.
 // [#extension: envoy.filters.network.kafka_broker]
-
+// [#next-free-field: 6]
 message KafkaBroker {
   // The prefix to use when emitting :ref:`statistics <config_network_filters_kafka_broker_stats>`.
   string stat_prefix = 1 [(validate.rules).string = {min_bytes: 1}];
@@ -38,6 +38,16 @@ message KafkaBroker {
     // Broker address rewrite rules that match by broker ID.
     IdBasedBrokerRewriteSpec id_based_broker_address_rewrite_spec = 3;
   }
+
+  // Optional list of allowed Kafka API keys. Only requests with provided API keys will be
+  // routed, otherwise the connection will be closed. No effect if empty.
+  repeated uint32 api_keys_allowed = 4
+      [(validate.rules).repeated = {items {uint32 {lte: 32767 gte: 0}}}];
+
+  // Optional list of denied Kafka API keys. Requests with API keys matching this list will have
+  // the connection closed. No effect if empty.
+  repeated uint32 api_keys_denied = 5
+      [(validate.rules).repeated = {items {uint32 {lte: 32767 gte: 0}}}];
 }
 
 // Collection of rules matching by broker ID.

envoy/extensions/filters/http/ext_proc/v3/processing_mode.proto

@@ -36,11 +36,12 @@ message ProcessingMode {
 
   // Control how the request and response bodies are handled
   // When body mutation by external processor is enabled, ext_proc filter will always remove
-  // the content length header in three cases below because content length can not be guaranteed
+  // the content length header in four cases below because content length can not be guaranteed
   // to be set correctly:
   // 1) STREAMED BodySendMode: header processing completes before body mutation comes back.
   // 2) BUFFERED_PARTIAL BodySendMode: body is buffered and could be injected in different phases.
   // 3) BUFFERED BodySendMode + SKIP HeaderSendMode: header processing (e.g., update content-length) is skipped.
+  // 4) FULL_DUPLEX_STREAMED BodySendMode: header processing completes before body mutation comes back.
   //
   // In Envoy's http1 codec implementation, removing content length will enable chunked transfer
   // encoding whenever feasible. The recipient (either client or server) must be able
@@ -68,6 +69,37 @@ message ProcessingMode {
     // chunk. If the body exceeds the configured buffer limit, then the body contents
     // up to the buffer limit will be sent.
     BUFFERED_PARTIAL = 3;
+
+    // [#not-implemented-hide:]
+    // Envoy streams the body to the server in pieces as they arrive.
+    //
+    // 1) The server may choose to buffer any number chunks of data before processing them.
+    // After it finishes buffering, the server processes the buffered data. Then it splits the processed
+    // data into any number of chunks, and streams them back to Envoy one by one.
+    // The server may continuously do so until the complete body is processed.
+    // The individual response chunk size is recommended to be no greater than 64K bytes, or
+    // :ref:`max_receive_message_length <envoy_v3_api_field_config.core.v3.GrpcService.EnvoyGrpc.max_receive_message_length>`
+    // if EnvoyGrpc is used.
+    //
+    // 2) The server may also choose to buffer the entire message, including the headers (if header mode is
+    // ``SEND``), the entire body, and the trailers (if present), before sending back any response.
+    // The server response has to maintain the headers-body-trailers ordering.
+    //
+    // 3) Note that the server might also choose not to buffer data. That is, upon receiving a
+    // body request, it could process the data and send back a body response immediately.
+    //
+    // In this body mode:
+    // * The corresponding trailer mode has to be set to ``SEND``.
+    // * Envoy will send body and trailers (if present) to the server as they arrive.
+    //   Sending the trailers (if present) is to inform the server the complete body arrives.
+    //   In case there are no trailers, then Envoy will set
+    //   :ref:`end_of_stream <envoy_v3_api_field_service.ext_proc.v3.HttpBody.end_of_stream>`
+    //   to true as part of the last body chunk request to notify the server that no other data is to be sent.
+    // * The server needs to send
+    //   :ref:`StreamedBodyResponse <envoy_v3_api_msg_service.ext_proc.v3.StreamedBodyResponse>`
+    //   to Envoy in the body response.
+    // * Envoy will stream the body chunks in the responses from the server to the upstream/downstream as they arrive.
+    FULL_DUPLEX_STREAMED = 4;
   }
 
   // How to handle the request header. Default is "SEND".

envoy/extensions/filters/http/ip_tagging/v3/ip_tagging.proto

@@ -18,6 +18,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // IP tagging :ref:`configuration overview <config_http_filters_ip_tagging>`.
 // [#extension: envoy.filters.http.ip_tagging]
 
+// [#next-free-field: 6]
 message IPTagging {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.filter.http.ip_tagging.v2.IPTagging";
@@ -52,6 +53,38 @@ message IPTagging {
     repeated config.core.v3.CidrRange ip_list = 2;
   }
 
+  // Specify to which header the tags will be written.
+  message IpTagHeader {
+    // Describes how to apply the tags to the headers.
+    enum HeaderAction {
+      // (DEFAULT) The header specified in :ref:`ip_tag_header <envoy_v3_api_field_extensions.filters.http.ip_tagging.v3.IPTagging.ip_tag_header>`
+      // will be dropped, before the tags are applied. The incoming header will be "sanitized" regardless of whether the request is internal or external.
+      //
+      // Note that the header will be visible unsanitized to any filters that are invoked before the ip-tag-header filter, unless it has an *x-envoy* prefix.
+      SANITIZE = 0;
+
+      // Tags will be appended to the header specified in
+      // :ref:`ip_tag_header <envoy_v3_api_field_extensions.filters.http.ip_tagging.v3.IPTagging.ip_tag_header>`.
+      //
+      // Please note that this could cause the header to retain values set by the http client regardless of whether the request is internal or external.
+      APPEND_IF_EXISTS_OR_ADD = 1;
+    }
+
+    // Header to use for ip-tagging.
+    //
+    // This header will be sanitized based on the config in
+    // :ref:`action <envoy_v3_api_field_extensions.filters.http.ip_tagging.v3.IPTagging.IpTagHeader.action>`
+    // rather than the defaults for x-envoy prefixed headers.
+    string header = 1
+        [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}];
+
+    // Control if the :ref:`header <envoy_v3_api_field_extensions.filters.http.ip_tagging.v3.IPTagging.IpTagHeader.header>`
+    // will be sanitized, or be appended to.
+    //
+    // Default: *SANITIZE*.
+    HeaderAction action = 2;
+  }
+
   // The type of request the filter should apply to.
   RequestType request_type = 1 [(validate.rules).enum = {defined_only: true}];
 
@@ -59,4 +92,9 @@ message IPTagging {
   // Tracked by issue https://github.com/envoyproxy/envoy/issues/2695]
   // The set of IP tags for the filter.
   repeated IPTag ip_tags = 4 [(validate.rules).repeated = {min_items: 1}];
+
+  // Specify to which header the tags will be written.
+  //
+  // If left unspecified, the tags will be appended to the ``x-envoy-ip-tags`` header.
+  IpTagHeader ip_tag_header = 5;
 }

envoy/extensions/network/dns_resolver/cares/v3/cares_dns_resolver.proto

@@ -8,6 +8,7 @@ import "envoy/config/core/v3/resolver.proto";
 import "google/protobuf/wrappers.proto";
 
 import "udpa/annotations/status.proto";
+import "validate/validate.proto";
 
 option java_package = "io.envoyproxy.envoy.extensions.network.dns_resolver.cares.v3";
 option java_outer_classname = "CaresDnsResolverProto";
@@ -19,7 +20,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#extension: envoy.network.dns_resolver.cares]
 
 // Configuration for c-ares DNS resolver.
-// [#next-free-field: 6]
+// [#next-free-field: 8]
 message CaresDnsResolverConfig {
   // A list of dns resolver addresses.
   // :ref:`use_resolvers_as_fallback<envoy_v3_api_field_extensions.network.dns_resolver.cares.v3.CaresDnsResolverConfig.use_resolvers_as_fallback>`
@@ -47,4 +48,17 @@ message CaresDnsResolverConfig {
   // This option allows for number of UDP based DNS queries to be capped. Note, this
   // is only applicable to c-ares DNS resolver currently.
   google.protobuf.UInt32Value udp_max_queries = 5;
+
+  // The number of seconds each name server is given to respond to a query on the first try of any given server.
+  //
+  // Note: While the c-ares library defaults to 2 seconds, Envoy's default (if this field is unset) is 5 seconds.
+  // This adjustment was made to maintain the previous behavior after users reported an increase in DNS resolution times.
+  google.protobuf.UInt64Value query_timeout_seconds = 6 [(validate.rules).uint64 = {gte: 1}];
+
+  // The maximum number of query attempts the resolver will make before giving up.
+  // Each attempt may use a different name server.
+  //
+  // Note: While the c-ares library defaults to 3 attempts, Envoy's default (if this field is unset) is 4 attempts.
+  // This adjustment was made to maintain the previous behavior after users reported an increase in DNS resolution times.
+  google.protobuf.UInt32Value query_tries = 7 [(validate.rules).uint32 = {gte: 1}];
 }

envoy/service/ext_proc/v3/external_processor.proto

@@ -45,7 +45,6 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // In other words, the process is a request/response conversation, but
 // using a gRPC stream to make it easier for the server to
 // maintain state.
-
 service ExternalProcessor {
   // This begins the bidirectional stream that Envoy will use to
   // give the server control over what the filter does. The actual
@@ -129,6 +128,7 @@ message ProcessingRequest {
 // set to false, the server must send back exactly one ProcessingResponse message.
 // [#next-free-field: 11]
 message ProcessingResponse {
+  // The response type that is sent by the server.
   oneof response {
     option (validate.required) = true;
 
@@ -220,19 +220,25 @@ message HttpHeaders {
   map<string, google.protobuf.Struct> attributes = 2
       [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
 
-  // If true, then there is no message body associated with this
+  // If ``true``, then there is no message body associated with this
   // request or response.
   bool end_of_stream = 3;
 }
 
-// This message contains the message body that Envoy sends to the external server.
+// This message is sent to the external server when the HTTP request and
+// response bodies are received.
 message HttpBody {
+  // The contents of the body in the HTTP request/response. Note that in
+  // streaming mode multiple ``HttpBody`` messages may be sent.
   bytes body = 1;
 
+  // If ``true``, this will be the last ``HttpBody`` message that will be sent and no
+  // trailers will be sent for the current request/response.
   bool end_of_stream = 2;
 }
 
-// This message contains the trailers.
+// This message is sent to the external server when the HTTP request and
+// response trailers are received.
 message HttpTrailers {
   // The header value is encoded in the
   // :ref:`raw_value <envoy_v3_api_field_config.core.v3.HeaderValue.raw_value>` field.
@@ -241,25 +247,34 @@ message HttpTrailers {
 
 // The following are messages that may be sent back by the server.
 
-// This message must be sent in response to an HttpHeaders message.
+// This message is sent by the external server to Envoy after ``HttpHeaders`` was
+// sent to it.
 message HeadersResponse {
+  // Details the modifications (if any) to be made by Envoy to the current
+  // request/response.
   CommonResponse response = 1;
 }
 
-// This message must be sent in response to an HttpTrailers message.
-message TrailersResponse {
-  // Instructions on how to manipulate the trailers
-  HeaderMutation header_mutation = 1;
-}
-
-// This message must be sent in response to an HttpBody message.
+// This message is sent by the external server to Envoy after ``HttpBody`` was
+// sent to it.
 message BodyResponse {
+  // Details the modifications (if any) to be made by Envoy to the current
+  // request/response.
   CommonResponse response = 1;
 }
 
+// This message is sent by the external server to Envoy after ``HttpTrailers`` was
+// sent to it.
+message TrailersResponse {
+  // Details the modifications (if any) to be made by Envoy to the current
+  // request/response trailers.
+  HeaderMutation header_mutation = 1;
+}
+
 // This message contains common fields between header and body responses.
 // [#next-free-field: 6]
 message CommonResponse {
+  // The status of the response.
   enum ResponseStatus {
     // Apply the mutation instructions in this message to the
     // request or response, and then continue processing the filter
@@ -322,7 +337,7 @@ message CommonResponse {
 // to the downstream codec, or reset the stream.
 // [#next-free-field: 6]
 message ImmediateResponse {
-  // The response code to return
+  // The response code to return.
   type.v3.HttpStatus status = 1 [(validate.rules).message = {required: true}];
 
   // Apply changes to the default headers, which will include content-type.
@@ -343,7 +358,7 @@ message ImmediateResponse {
 
 // This message specifies a gRPC status for an ImmediateResponse message.
 message GrpcStatus {
-  // The actual gRPC status
+  // The actual gRPC status.
   uint32 status = 1;
 }
 
@@ -362,14 +377,39 @@ message HeaderMutation {
   repeated string remove_headers = 2;
 }
 
-// Replace the entire message body chunk received in the corresponding
-// HttpBody message with this new body, or clear the body.
+// [#not-implemented-hide:]
+// The body response message corresponding to FULL_DUPLEX_STREAMED body mode.
+message StreamedBodyResponse {
+  // The body response chunk that will be passed to the upstream/downstream by Envoy.
+  bytes body = 1;
+
+  // The server sets this flag to true if it has received a body request with
+  // :ref:`end_of_stream <envoy_v3_api_field_service.ext_proc.v3.HttpBody.end_of_stream>` set to true,
+  // and this is the last chunk of body responses.
+  bool end_of_stream = 2;
+}
+
+// This message specifies the body mutation the server sends to Envoy.
 message BodyMutation {
+  // The type of mutation for the body.
   oneof mutation {
-    // The entire body to replace
+    // The entire body to replace.
+    // Should only be used when the corresponding ``BodySendMode`` in the
+    // :ref:`processing_mode <envoy_v3_api_field_extensions.filters.http.ext_proc.v3.ExternalProcessor.processing_mode>`
+    // is not set to ``FULL_DUPLEX_STREAMED``.
     bytes body = 1;
 
-    // Clear the corresponding body chunk
+    // Clear the corresponding body chunk.
+    // Should only be used when the corresponding ``BodySendMode`` in the
+    // :ref:`processing_mode <envoy_v3_api_field_extensions.filters.http.ext_proc.v3.ExternalProcessor.processing_mode>`
+    // is not set to ``FULL_DUPLEX_STREAMED``.
+    // Clear the corresponding body chunk.
     bool clear_body = 2;
+
+    // [#not-implemented-hide:]
+    // Must be used when the corresponding ``BodySendMode`` in the
+    // :ref:`processing_mode <envoy_v3_api_field_extensions.filters.http.ext_proc.v3.ExternalProcessor.processing_mode>`
+    // is set to ``FULL_DUPLEX_STREAMED``.
+    StreamedBodyResponse streamed_response = 3;
   }
 }

envoy/type/v3/http_status.proto

@@ -21,116 +21,172 @@ enum StatusCode {
   // `enum` type.
   Empty = 0;
 
+  // Continue - ``100`` status code.
   Continue = 100;
 
+  // OK - ``200`` status code.
   OK = 200;
 
+  // Created - ``201`` status code.
   Created = 201;
 
+  // Accepted - ``202`` status code.
   Accepted = 202;
 
+  // NonAuthoritativeInformation - ``203`` status code.
   NonAuthoritativeInformation = 203;
 
+  // NoContent - ``204`` status code.
   NoContent = 204;
 
+  // ResetContent - ``205`` status code.
   ResetContent = 205;
 
+  // PartialContent - ``206`` status code.
   PartialContent = 206;
 
+  // MultiStatus - ``207`` status code.
   MultiStatus = 207;
 
+  // AlreadyReported - ``208`` status code.
   AlreadyReported = 208;
 
+  // IMUsed - ``226`` status code.
   IMUsed = 226;
 
+  // MultipleChoices - ``300`` status code.
   MultipleChoices = 300;
 
+  // MovedPermanently - ``301`` status code.
   MovedPermanently = 301;
 
+  // Found - ``302`` status code.
   Found = 302;
 
+  // SeeOther - ``303`` status code.
   SeeOther = 303;
 
+  // NotModified - ``304`` status code.
   NotModified = 304;
 
+  // UseProxy - ``305`` status code.
   UseProxy = 305;
 
+  // TemporaryRedirect - ``307`` status code.
   TemporaryRedirect = 307;
 
+  // PermanentRedirect - ``308`` status code.
   PermanentRedirect = 308;
 
+  // BadRequest - ``400`` status code.
   BadRequest = 400;
 
+  // Unauthorized - ``401`` status code.
   Unauthorized = 401;
 
+  // PaymentRequired - ``402`` status code.
   PaymentRequired = 402;
 
+  // Forbidden - ``403`` status code.
   Forbidden = 403;
 
+  // NotFound - ``404`` status code.
   NotFound = 404;
 
+  // MethodNotAllowed - ``405`` status code.
   MethodNotAllowed = 405;
 
+  // NotAcceptable - ``406`` status code.
   NotAcceptable = 406;
 
+  // ProxyAuthenticationRequired - ``407`` status code.
   ProxyAuthenticationRequired = 407;
 
+  // RequestTimeout - ``408`` status code.
   RequestTimeout = 408;
 
+  // Conflict - ``409`` status code.
   Conflict = 409;
 
+  // Gone - ``410`` status code.
   Gone = 410;
 
+  // LengthRequired - ``411`` status code.
   LengthRequired = 411;
 
+  // PreconditionFailed - ``412`` status code.
   PreconditionFailed = 412;
 
+  // PayloadTooLarge - ``413`` status code.
   PayloadTooLarge = 413;
 
+  // URITooLong - ``414`` status code.
   URITooLong = 414;
 
+  // UnsupportedMediaType - ``415`` status code.
   UnsupportedMediaType = 415;
 
+  // RangeNotSatisfiable - ``416`` status code.
   RangeNotSatisfiable = 416;
 
+  // ExpectationFailed - ``417`` status code.
   ExpectationFailed = 417;
 
+  // MisdirectedRequest - ``421`` status code.
   MisdirectedRequest = 421;
 
+  // UnprocessableEntity - ``422`` status code.
   UnprocessableEntity = 422;
 
+  // Locked - ``423`` status code.
   Locked = 423;
 
+  // FailedDependency - ``424`` status code.
   FailedDependency = 424;
 
+  // UpgradeRequired - ``426`` status code.
   UpgradeRequired = 426;
 
+  // PreconditionRequired - ``428`` status code.
   PreconditionRequired = 428;
 
+  // TooManyRequests - ``429`` status code.
   TooManyRequests = 429;
 
+  // RequestHeaderFieldsTooLarge - ``431`` status code.
   RequestHeaderFieldsTooLarge = 431;
 
+  // InternalServerError - ``500`` status code.
   InternalServerError = 500;
 
+  // NotImplemented - ``501`` status code.
   NotImplemented = 501;
 
+  // BadGateway - ``502`` status code.
   BadGateway = 502;
 
+  // ServiceUnavailable - ``503`` status code.
   ServiceUnavailable = 503;
 
+  // GatewayTimeout - ``504`` status code.
   GatewayTimeout = 504;
 
+  // HTTPVersionNotSupported - ``505`` status code.
   HTTPVersionNotSupported = 505;
 
+  // VariantAlsoNegotiates - ``506`` status code.
   VariantAlsoNegotiates = 506;
 
+  // InsufficientStorage - ``507`` status code.
   InsufficientStorage = 507;
 
+  // LoopDetected - ``508`` status code.
   LoopDetected = 508;
 
+  // NotExtended - ``510`` status code.
   NotExtended = 510;
 
+  // NetworkAuthenticationRequired - ``511`` status code.
   NetworkAuthenticationRequired = 511;
 }