filter_chain_match difference between {} and null is confusing/under documented

[howardjohn]

If I have config (example 1):

match:
  app_protocols: [h2]
match: {}

All h2 traffic matches filter 1, and everything else matches filter 2. If I then change this to (example 2)

match:
  app_protocols: [h2]
  transport_protocol: tls
match: {}

No traffic matches filter 2. I would expect filter 2 to still catch all unmatched traffic. It seems in order to do this, I need to specify: (example 3)

match:
  app_protocols: [h2]
  transport_protocol: tls
match: null

I think this contradicts the docs a bit. Transport protocol says "If non-empty, a transport protocol to consider when determining a filter chain match.". In the example 2, I have set transport_protocol to "", yet it still seems to be considering transport protocol.

Even more contradicting is that changing one FCM (seems to) impacts the matching logic of another FCM! My expectation would be that a match config is independent. If I have {} it would always match the same inputs (from my reading, match everything, but at least should be consistent), regardless of other FCMs - other FCMs may have higher priority, but not actually prevent this one from matching.

cc @lizan @rshriram

[howardjohn]

Actually original issue was not fully accurate. If my matches are like:

{
  "transportProtocol": "raw_buffer",
  "applicationProtocols": [
    "http/1.0",
    "http/1.1",
    "h2c"
  ]
}
null

Raw TCP traffic traffic will match neither

In order to get it to match I need to set up two matches:

{
  "transportProtocol": "raw_buffer",
  "applicationProtocols": [
    "http/1.0",
    "http/1.1",
    "h2c"
  ]
}
{
  "transportProtocol": "tls"
}
{
  "transportProtocol": "raw_buffer"
}

I have not yet found a way to have a real "match everything" FCM

[lizan]

Yes I was confused a lot by this, I think we also need to revisit whole FCM proto. cc @envoyproxy/api-shepherds

[lambdai]

Even more contradicting is that changing one FCM (seems to) impacts the matching logic of another FCM!

It's the natural of "best match" implemented by decision tree. I can explain match mechanism using sieve mode which is less confusing than
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener_components.proto.html?highlight=filterchainmatch#config-listener-v3-filterchainmatch

Let me write an formal one

[mattklein123]

I will admit I don't fully grok the details here but just from my quick read it sounds confusing. If there is any way we can fix this without proto changes that would be really appreciated.

[htuch]

I'm not sure why this is so complicated or hard to understand. The current documentation seems clear. You first match transport protocol, and then match on ALPN. In your first example, definitely the ALPN one doesn't work for pure TCP. I'm not sure about the null; this is not part of the FCM match algorithm. We should clarify semantics around that.

[howardjohn]

@htuch all I want to do is have a "fallback" filter chain that will match everything not matched by a previous chain. As far as I can tell this is not actually possible although the doc implies it is by leaving all fields empty and it does not mention that someone changing a different FC impacts others matching behavior.

The doc suggests an empty application protocol will match any application protocol, however this doesn't seem to be the case as my tcp traffic matches neither the h2 one (expected) or the empty one (unexpected)

[lambdai]

From istio's point of view, a fallback filter chain could save lots of logic.

I am not sure once we introduce the "fallback" filter chain to the listener, how could we support the case to reject a connection

[howardjohn]

@lambdai the whole point of having a "match everything"/"fallback" filter chain is that we do not ever want to reject it

[howardjohn]

So based on the sieve model in #12587, my understand is if I want two filter chains:

• FC 1 matches on some complex criteria, say destination_port=80,transport_protocol=tls,application_protocols=[h2]
• FC 2 matches everything else

If I want to do this, instead of a single FC2, I need to make every possible permutation of FCMs? So I need 65535 (destination ports) * 2 (transport_protocols) * infinity (all permutations of ALPN, which is unbounded?

Am I understanding this right? @lambdai

[lambdai]

If I want to do this, instead of a single FC2, I need to make every possible permutation of FCMs? So I need 65535 (destination ports) * 2 (transport_protocols) * infinity (all permutations of ALPN, which is unbounded?

A little bit less: we need

1. FC 2 with no destination port. So FC2 matches any port other than 80.
2. FC 3 with destination_port=80, nothing else. FC3 matches destination_port=80 and transport_protocol != tls
3. FC 4 with destination_port=80, transport_protocol=tls, and nothing else. FC3 matches destination_port=80 and transport_protocol = tls, and alpn != h2