Pluggable listener pre-connection filters

[jrajahalme]

Envoy currently supports SO_ORIGINAL_DST and proxy protocol version 1 for supplying connection metadata (original connection destination, and source in case of proxy protocol). If both are configured, it is somewhat unclear what should be done, even though current implementation will search for alternative listener based on the SO_ORIGINAL_DST, but then use remote and destination information from proxy protocol when creating the connection.

It would be nice to make the listener optional functionality like these pluggable, allowing a listener to be configured with an explicitly specified set of "pre-connection filters" that process the incoming connection before a Connection object is created. This would also allow plugging in new connection metadata providers without adding new hard-wired options into the Listener implementation. Each "pre-connection" filter should have their own json configuration so that the main Listener configuration would not need to be extended for new kinds of metadata providers.

Further integrating SSL/TLS termination into this new plugin framework could allow SSL/TLS metadata to be provided from proxy protocol version 2 TLVs for Envoy logging and access control purposes.

This is not a "feature request" as such but intended to find out if any thoughts on this front are out there.

[mattklein123]

This seems reasonable to me. We now have a fairly generic extension registration system that can be used to build this. If you feel like working on this it would be good to do a bit longer form design in terms of what the config would look like (also needs v2 analog in proto) and the extension interfaces.

cc @htuch @dnoe

[htuch]

It might make sense to try and intercept the v2 LDS API with this, see https://github.com/lyft/envoy-api/blob/master/api/lds.proto. We already have an explicit notion of metadata in the Listener and FilterChain messages that can be used to provide opaque data for stats/logging or other filters, essentially what we're adding here is a way to provide additional sources of the metadata, beyond explicit statement in the config protos (or JSON).

We could also potentially do something similar to what we did with EDS and LB, add a notion of metadata match to FilterChainMatch if it's useful.

[jrajahalme]

On Jul 18, 2017, at 8:05 AM, Matt Klein ***@***.***> wrote: This seems reasonable to me. We now have a fairly generic extension registration system that can be used to build this. If you feel like working on this it would be good to do a bit longer form design in terms of what the config would look like (also needs v2 analog in proto) and the extension interfaces.

Cool! I have plans of adding additional metadata sources, so working on this makes perfect sense. I’m new enough to hot have noticed Envoy API v2 work or plans before, is there something on the approach, goals, timeline, etc. on v2? Jarno

[jrajahalme]

On Jul 18, 2017, at 8:08 AM, htuch ***@***.***> wrote: It might make sense to try and intercept the v2 LDS API with this, see https://github.com/lyft/envoy-api/blob/master/api/lds.proto <https://github.com/lyft/envoy-api/blob/master/api/lds.proto>. We already have an explicit notion of metadata in the Listener and FilterChain messages that can be used to provide opaque data for stats/logging or other filters, essentially what we're adding here is a way to provide additional sources of the metadata, beyond explicit statement in the config protos (or JSON). We could also potentially do something similar to what we did with EDS and LB, add a notion of metadata match to FilterChainMatch if it's useful.

Is this also v2, or is there any of this in the current Envoy? Jarno

[mattklein123]

@jrajahalme please take a look through https://github.com/lyft/envoy-api

[htuch]

Yeah, as Matt points out, the repo has all the approach/goals stuff. In terms of timeline, we're working on locking down the API and implementing the subset of it that matches v1 right now. I'm hoping we'll have the v1 subset of v2 implemented within roughly a month.

After that, we need to plumb in all the additional v2 features that weren't in v1. I've started to track these at https://github.com/lyft/envoy/issues?q=is%3Aopen+is%3Aissue+label%3A%22v2+API%22, but there's a bunch missing there, I'll be adding them as time allows in the next week or two.

[htuch]

@jrajahalme Are you still after something like this post #1246? If so, are you interested in working on this?

[jrajahalme]

Yes, I’ll prototype something locally first. Could you give me a pointer to the plugin registration mechanism mentioned in this thread before? Jarno

…

On Aug 10, 2017, at 2:20 AM, htuch ***@***.***> wrote: @jrajahalme <https://github.com/jrajahalme> Are you still after something like this post #1246 <#1246>? If so, are you interested in working on this? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#1276 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AGN128Djvx4etrgPG4vVsNPO-EgQkE8qks5sWstxgaJpZM4ObFmx>.

[htuch]

@jrajahalme Great! See https://github.com/lyft/envoy/blob/master/include/envoy/registry/registry.h for the factory registration bit.