You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
153 lines
7.7 KiB
153 lines
7.7 KiB
syntax = "proto3"; |
|
|
|
package envoy.api.v2; |
|
|
|
option java_generic_services = true; |
|
|
|
import "envoy/api/v2/core/address.proto"; |
|
import "envoy/api/v2/core/base.proto"; |
|
import "envoy/api/v2/discovery.proto"; |
|
import "envoy/api/v2/listener/listener.proto"; |
|
|
|
import "google/api/annotations.proto"; |
|
import "google/protobuf/wrappers.proto"; |
|
|
|
import "validate/validate.proto"; |
|
import "gogoproto/gogo.proto"; |
|
|
|
option (gogoproto.equal_all) = true; |
|
|
|
// [#protodoc-title: Listener] |
|
// Listener :ref:`configuration overview <config_listeners>` |
|
|
|
// The Envoy instance initiates an RPC at startup to discover a list of |
|
// listeners. Updates are delivered via streaming from the LDS server and |
|
// consist of a complete update of all listeners. Existing connections will be |
|
// allowed to drain from listeners that are no longer present. |
|
service ListenerDiscoveryService { |
|
rpc StreamListeners(stream DiscoveryRequest) returns (stream DiscoveryResponse) { |
|
} |
|
|
|
rpc FetchListeners(DiscoveryRequest) returns (DiscoveryResponse) { |
|
option (google.api.http) = { |
|
post: "/v2/discovery:listeners" |
|
body: "*" |
|
}; |
|
} |
|
} |
|
|
|
message Listener { |
|
// The unique name by which this listener is known. If no name is provided, |
|
// Envoy will allocate an internal UUID for the listener. If the listener is to be dynamically |
|
// updated or removed via :ref:`LDS <config_listeners_lds>` a unique name must be provided. |
|
// By default, the maximum length of a listener's name is limited to 60 characters. This limit can |
|
// be increased by setting the :option:`--max-obj-name-len` command line argument to the desired |
|
// value. |
|
string name = 1; |
|
|
|
// The address that the listener should listen on. In general, the address must be unique, though |
|
// that is governed by the bind rules of the OS. E.g., multiple listeners can listen on port 0 on |
|
// Linux as the actual port will be allocated by the OS. |
|
core.Address address = 2 [(validate.rules).message.required = true, (gogoproto.nullable) = false]; |
|
|
|
// A list of filter chains to consider for this listener. The |
|
// :ref:`FilterChain <envoy_api_msg_listener.FilterChain>` with the most specific |
|
// :ref:`FilterChainMatch <envoy_api_msg_listener.FilterChainMatch>` criteria is used on a |
|
// connection. |
|
// |
|
// .. attention:: |
|
// |
|
// In the current version, multiple filter chains are supported **only** so that SNI can be |
|
// configured. See the :ref:`FAQ entry <faq_how_to_setup_sni>` on how to configure SNI for more |
|
// information. When multiple filter chains are configured, each filter chain must have an |
|
// **identical** set of :ref:`filters <envoy_api_field_listener.FilterChain.filters>`. If the |
|
// filters differ, the configuration will fail to load. In the future, this limitation will be |
|
// relaxed such that different filters can be used depending on which filter chain matches |
|
// (based on SNI or some other parameter). |
|
repeated listener.FilterChain filter_chains = 3 |
|
[(validate.rules).repeated .min_items = 1, (gogoproto.nullable) = false]; |
|
|
|
// If a connection is redirected using *iptables*, the port on which the proxy |
|
// receives it might be different from the original destination address. When this flag is set to |
|
// true, the listener hands off redirected connections to the listener associated with the |
|
// original destination address. If there is no listener associated with the original destination |
|
// address, the connection is handled by the listener that receives it. Defaults to false. |
|
// |
|
// .. attention:: |
|
// |
|
// This field is deprecated. Use :ref:`an original_dst <config_listener_filters_original_dst>` |
|
// :ref:`listener filter <envoy_api_field_Listener.listener_filters>` instead. |
|
// |
|
// Note that hand off to another listener is *NOT* performed without this flag. Once |
|
// :ref:`FilterChainMatch <envoy_api_msg_listener.FilterChainMatch>` is implemented this flag |
|
// will be removed, as filter chain matching can be used to select a filter chain based on the |
|
// restored destination address. |
|
google.protobuf.BoolValue use_original_dst = 4 [deprecated = true]; |
|
|
|
// Soft limit on size of the listener’s new connection read and write buffers. |
|
// If unspecified, an implementation defined default is applied (1MiB). |
|
google.protobuf.UInt32Value per_connection_buffer_limit_bytes = 5; |
|
|
|
// Listener metadata. |
|
core.Metadata metadata = 6; |
|
|
|
// [#not-implemented-hide:] |
|
message DeprecatedV1 { |
|
// Whether the listener should bind to the port. A listener that doesn’t |
|
// bind can only receive connections redirected from other listeners that |
|
// set use_original_dst parameter to true. Default is true. |
|
// |
|
// [V2-API-DIFF] This is deprecated in v2, all Listeners will bind to their |
|
// port. An additional filter chain must be created for every original |
|
// destination port this listener may redirect to in v2, with the original |
|
// port specified in the FilterChainMatch destination_port field. |
|
google.protobuf.BoolValue bind_to_port = 1; |
|
} |
|
|
|
// [#not-implemented-hide:] |
|
DeprecatedV1 deprecated_v1 = 7; |
|
|
|
enum DrainType { |
|
// Drain in response to calling /healthcheck/fail admin endpoint (along with the health check |
|
// filter), listener removal/modification, and hot restart. |
|
DEFAULT = 0; |
|
// Drain in response to listener removal/modification and hot restart. This setting does not |
|
// include /healthcheck/fail. This setting may be desirable if Envoy is hosting both ingress |
|
// and egress listeners. |
|
MODIFY_ONLY = 1; |
|
} |
|
|
|
// The type of draining to perform at a listener-wide level. |
|
DrainType drain_type = 8; |
|
|
|
// Listener filters have the opportunity to manipulate and augment the connection metadata that |
|
// is used in connection filter chain matching, for example. These filters are run before any in |
|
// :ref:`filter_chains <envoy_api_field_Listener.filter_chains>`. Order matters as the |
|
// filters are processed sequentially right after a socket has been accepted by the listener, and |
|
// before a connection is created. |
|
repeated listener.ListenerFilter listener_filters = 9 [(gogoproto.nullable) = false]; |
|
|
|
// Whether the listener should be set as a transparent socket. |
|
// When this flag is set to true, connections can be redirected to the listener using an |
|
// *iptables* *TPROXY* target, in which case the original source and destination addresses and |
|
// ports are preserved on accepted connections. This flag should be used in combination with |
|
// :ref:`an original_dst <config_listener_filters_original_dst>` :ref:`listener filter |
|
// <envoy_api_field_Listener.listener_filters>` to mark the connections' local addresses as |
|
// "restored." This can be used to hand off each redirected connection to another listener |
|
// associated with the connection's destination address. Direct connections to the socket without |
|
// using *TPROXY* cannot be distinguished from connections redirected using *TPROXY* and are |
|
// therefore treated as if they were redirected. |
|
// When this flag is set to false, the listener's socket is explicitly reset as non-transparent. |
|
// Setting this flag requires Envoy to run with the *CAP_NET_ADMIN* capability. |
|
// When this flag is not set (default), the socket is not modified, i.e. the transparent option |
|
// is neither set nor reset. |
|
google.protobuf.BoolValue transparent = 10; |
|
|
|
// Whether the listener should set the *IP_FREEBIND* socket option. When this |
|
// flag is set to true, listeners can be bound to an IP address that is not |
|
// configured on the system running Envoy. When this flag is set to false, the |
|
// option *IP_FREEBIND* is disabled on the socket. When this flag is not set |
|
// (default), the socket is not modified, i.e. the option is neither enabled |
|
// nor disabled. |
|
google.protobuf.BoolValue freebind = 11; |
|
}
|
|
|