syntax = "proto3"; package envoy.api.v3alpha; option java_outer_classname = "LdsProto"; option java_multiple_files = true; option java_package = "io.envoyproxy.envoy.api.v3alpha"; option java_generic_services = true; import "envoy/api/v3alpha/core/address.proto"; import "envoy/api/v3alpha/core/base.proto"; import "envoy/api/v3alpha/discovery.proto"; import "envoy/api/v3alpha/listener/listener.proto"; import "envoy/api/v3alpha/listener/udp_listener_config.proto"; import "envoy/config/listener/v2/api_listener.proto"; import "google/api/annotations.proto"; import "google/protobuf/duration.proto"; import "google/protobuf/wrappers.proto"; import "udpa/api/annotations/versioning.proto"; import "validate/validate.proto"; // [#protodoc-title: Listener] // Listener :ref:`configuration overview ` // The Envoy instance initiates an RPC at startup to discover a list of // listeners. Updates are delivered via streaming from the LDS server and // consist of a complete update of all listeners. Existing connections will be // allowed to drain from listeners that are no longer present. service ListenerDiscoveryService { rpc DeltaListeners(stream DeltaDiscoveryRequest) returns (stream DeltaDiscoveryResponse) { } rpc StreamListeners(stream DiscoveryRequest) returns (stream DiscoveryResponse) { } rpc FetchListeners(DiscoveryRequest) returns (DiscoveryResponse) { option (google.api.http) = { post: "/v3alpha/discovery:listeners" body: "*" }; } } // [#next-free-field: 21] message Listener { option (udpa.api.annotations.versioning).previous_message_type = "envoy.api.v2.Listener"; enum DrainType { // Drain in response to calling /healthcheck/fail admin endpoint (along with the health check // filter), listener removal/modification, and hot restart. DEFAULT = 0; // Drain in response to listener removal/modification and hot restart. This setting does not // include /healthcheck/fail. This setting may be desirable if Envoy is hosting both ingress // and egress listeners. MODIFY_ONLY = 1; } // [#not-implemented-hide:] message DeprecatedV1 { option (udpa.api.annotations.versioning).previous_message_type = "envoy.api.v2.Listener.DeprecatedV1"; // Whether the listener should bind to the port. A listener that doesn't // bind can only receive connections redirected from other listeners that // set use_original_dst parameter to true. Default is true. // // This is deprecated in v2, all Listeners will bind to their port. An // additional filter chain must be created for every original destination // port this listener may redirect to in v2, with the original port // specified in the FilterChainMatch destination_port field. // // [#comment:TODO(PiotrSikora): Remove this once verified that we no longer need it.] google.protobuf.BoolValue bind_to_port = 1; } // Configuration for listener connection balancing. message ConnectionBalanceConfig { option (udpa.api.annotations.versioning).previous_message_type = "envoy.api.v2.Listener.ConnectionBalanceConfig"; // A connection balancer implementation that does exact balancing. This means that a lock is // held during balancing so that connection counts are nearly exactly balanced between worker // threads. This is "nearly" exact in the sense that a connection might close in parallel thus // making the counts incorrect, but this should be rectified on the next accept. This balancer // sacrifices accept throughput for accuracy and should be used when there are a small number of // connections that rarely cycle (e.g., service mesh gRPC egress). message ExactBalance { option (udpa.api.annotations.versioning).previous_message_type = "envoy.api.v2.Listener.ConnectionBalanceConfig.ExactBalance"; } oneof balance_type { option (validate.required) = true; // If specified, the listener will use the exact connection balancer. ExactBalance exact_balance = 1; } } reserved 14, 4; reserved "use_original_dst"; // The unique name by which this listener is known. If no name is provided, // Envoy will allocate an internal UUID for the listener. If the listener is to be dynamically // updated or removed via :ref:`LDS ` a unique name must be provided. string name = 1; // The address that the listener should listen on. In general, the address must be unique, though // that is governed by the bind rules of the OS. E.g., multiple listeners can listen on port 0 on // Linux as the actual port will be allocated by the OS. core.Address address = 2 [(validate.rules).message = {required: true}]; // A list of filter chains to consider for this listener. The // :ref:`FilterChain ` with the most specific // :ref:`FilterChainMatch ` criteria is used // on a connection. // // Example using SNI for filter chain selection can be found in the // :ref:`FAQ entry `. repeated listener.FilterChain filter_chains = 3; // Soft limit on size of the listener’s new connection read and write buffers. // If unspecified, an implementation defined default is applied (1MiB). google.protobuf.UInt32Value per_connection_buffer_limit_bytes = 5; // Listener metadata. core.Metadata metadata = 6; // [#not-implemented-hide:] DeprecatedV1 deprecated_v1 = 7; // The type of draining to perform at a listener-wide level. DrainType drain_type = 8; // Listener filters have the opportunity to manipulate and augment the connection metadata that // is used in connection filter chain matching, for example. These filters are run before any in // :ref:`filter_chains `. Order matters as the // filters are processed sequentially right after a socket has been accepted by the listener, and // before a connection is created. // UDP Listener filters can be specified when the protocol in the listener socket address in // :ref:`protocol ` is :ref:`UDP // `. // UDP listeners currently support a single filter. repeated listener.ListenerFilter listener_filters = 9; // The timeout to wait for all listener filters to complete operation. If the timeout is reached, // the accepted socket is closed without a connection being created unless // `continue_on_listener_filters_timeout` is set to true. Specify 0 to disable the // timeout. If not specified, a default timeout of 15s is used. google.protobuf.Duration listener_filters_timeout = 15; // Whether a connection should be created when listener filters timeout. Default is false. // // .. attention:: // // Some listener filters, such as :ref:`Proxy Protocol filter // `, should not be used with this option. It will cause // unexpected behavior when a connection is created. bool continue_on_listener_filters_timeout = 17; // Whether the listener should be set as a transparent socket. // When this flag is set to true, connections can be redirected to the listener using an // *iptables* *TPROXY* target, in which case the original source and destination addresses and // ports are preserved on accepted connections. This flag should be used in combination with // :ref:`an original_dst ` :ref:`listener filter // ` to mark the connections' local // addresses as "restored." This can be used to hand off each redirected connection to another // listener associated with the connection's destination address. Direct connections to the socket // without using *TPROXY* cannot be distinguished from connections redirected using *TPROXY* and // are therefore treated as if they were redirected. When this flag is set to false, the // listener's socket is explicitly reset as non-transparent. Setting this flag requires Envoy to // run with the *CAP_NET_ADMIN* capability. When this flag is not set (default), the socket is not // modified, i.e. the transparent option is neither set nor reset. google.protobuf.BoolValue transparent = 10; // Whether the listener should set the *IP_FREEBIND* socket option. When this // flag is set to true, listeners can be bound to an IP address that is not // configured on the system running Envoy. When this flag is set to false, the // option *IP_FREEBIND* is disabled on the socket. When this flag is not set // (default), the socket is not modified, i.e. the option is neither enabled // nor disabled. google.protobuf.BoolValue freebind = 11; // Additional socket options that may not be present in Envoy source code or // precompiled binaries. repeated core.SocketOption socket_options = 13; // Whether the listener should accept TCP Fast Open (TFO) connections. // When this flag is set to a value greater than 0, the option TCP_FASTOPEN is enabled on // the socket, with a queue length of the specified size // (see `details in RFC7413 `_). // When this flag is set to 0, the option TCP_FASTOPEN is disabled on the socket. // When this flag is not set (default), the socket is not modified, // i.e. the option is neither enabled nor disabled. // // On Linux, the net.ipv4.tcp_fastopen kernel parameter must include flag 0x2 to enable // TCP_FASTOPEN. // See `ip-sysctl.txt `_. // // On macOS, only values of 0, 1, and unset are valid; other values may result in an error. // To set the queue length on macOS, set the net.inet.tcp.fastopen_backlog kernel parameter. google.protobuf.UInt32Value tcp_fast_open_queue_length = 12; // Specifies the intended direction of the traffic relative to the local Envoy. core.TrafficDirection traffic_direction = 16; // If the protocol in the listener socket address in :ref:`protocol // ` is :ref:`UDP // `, this field specifies the // actual udp listener to create, i.e. :ref:`udp_listener_name // ` = // "raw_udp_listener" for creating a packet-oriented UDP listener. If not present, treat it as // "raw_udp_listener". listener.UdpListenerConfig udp_listener_config = 18; // [#not-implemented-hide:] // Used to represent an API listener, which is used in non-proxy clients. The type of API // exposed to the non-proxy application depends on the type of API listener. // When this field is set, no other field except for // :ref:`name` should be set. // [#next-major-version: In the v3 API, instead of this messy approach where the socket // listener fields are directly in the top-level Listener message and the API listener types // are in the ApiListener message, the socket listener messages should be in their own message, // and the top-level Listener should essentially be a oneof that selects between the // socket listener and the various types of API listener. That way, a given Listener message // can structurally only contain the fields of the relevant type.] config.listener.v2.ApiListener api_listener = 19; // The listener's connection balancer configuration, currently only applicable to TCP listeners. // If no configuration is specified, Envoy will not attempt to balance active connections between // worker threads. ConnectionBalanceConfig connection_balance_config = 20; }