Need a way to set socket options for replies to individual down-streams of listeners

[VivekSubr]

Need a way to set socket options for replies to individual down-streams of listeners

Description:
We have a requirement to set dscp socket option for traffic outbound from istio gateway, we are able to set for outbound traffic using cluster names, as follows ->

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
spec:
  configPatches:
  - applyTo: CLUSTER
    match:
      cluster:
        name: outbound|80||testcluster
    patch:
      operation: MERGE
      value:
        upstream_bind_config:
          socket_options:
          - int_value: 64
            level: 0
            name: 1
            state: STATE_PREBIND
          source_address:
            address: 0.0.0.0
            port_value: 0

However, how to do this for replies to downstream? (HTTP replies in our case) There's no cluster names for that, it's only possible to set one socket_options once for listener.

We've been working around that by patching envoy to read dscp value from http header for replies,

diff -urNp envoy/source/common/router/router.cc envoy-patched/source/common/router/router.cc
--- envoy/source/common/router/router.cc	2024-11-26 13:27:07.779636678 +0000
+++ envoy-patched/source/common/router/router.cc	2025-01-10 09:19:59.583055171 +0000

@@ -1685,6 +1687,41 @@ void Filter::onUpstreamHeaders(uint64_t
   // provide finalizeResponseHeaders functions on the Router::Config and VirtualHost interfaces.
   route_entry_->finalizeResponseHeaders(*headers, callbacks_->streamInfo());
 
+  static constexpr const char* dscpHeaderStr = "x-differentiated-services-code-point";
+  static const Http::LowerCaseString s_dscpHdrStr(dscpHeaderStr);
+  auto getResult = headers->get(s_dscpHdrStr);
+  if (!getResult.empty())
+  {
+    uint64_t dscp = 0;
+    if (absl::SimpleAtoi(getResult[0]->value().getStringView(), &dscp)) {
+      auto connection = const_cast<Network::Connection*>(callbacks_->connection().ptr());
+
+      dscp = (dscp << 2);
+      std::unique_ptr<Network::Socket::Options> options = std::make_unique<Network::Socket::Options>();
+      options->push_back(std::make_shared<Network::AddrFamilyAwareSocketOptionImpl>(
+        envoy::config::core::v3::SocketOption::STATE_PREBIND,
+        ENVOY_SOCKET_IP_TOS,
+        ENVOY_SOCKET_IPV6_TCLASS,
+        dscp));
+
+      dynamic_cast<Network::ConnectionImpl*>(connection)->setSocketOptions(std::move(options),
+                                   envoy::config::core::v3::SocketOption::STATE_PREBIND);
+    }
+    headers->remove(s_dscpHdrStr);
+  }

We wanted to know ->

• Is there any way to configure socket_options for connections made by listener to different downstreams?
• If not, would it okay to implement this in a filter? Perhaps a http filter that does something like the above code snippet?

[alyssawilk]

For socket options per listener does the per-listener config not work?
api/envoy/config/listener/v3/listener.proto has a socket_options field

It's always ok to do things with filters, however by guidelines you can either build that internally, land it as a contrib extension, or find a maintainer to sponsor.

[VivekSubr]

@alyssawilk - we need it to be per downstream, not one for all connections of the listener... for listener something like this can be done:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: ingress-dscp-socketoptions
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      app: istio-ingressgateway
  configPatches:
  - applyTo: LISTENER
    match:
      context: GATEWAY
      listener:
        portNumber: 8443
    patch:
      operation: MERGE
      value:
        socket_options:   
        - level: 0       
          name: 1        
          int_value: 64   
          state: STATE_PREBIND  

But what I want is a finer grained match condition, where's it able to decide to apply or not based on what it is connecting to.

ie, combining the cluster one, something like,

    match:
      context: GATEWAY
      listener:
        portNumber: 8443
      downstreamName: name: outbound|80||testcluster

If it has to be a filter, do http filters have access to the connection socket?

[github-actions]

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.

[VivekSubr]

Hi @alyssawilk .... could someone comment on whether adding optional downstreamhost to match of listener sounds okay? Or should this be handled as a http filter or something?

[VivekSubr]

Hi @mathetake... was looking into the new dynamic modules feature you merged (https://github.com/envoyproxy/envoy/tree/main/source/extensions/dynamic_modules)

and I was wondering whether I could use that. Basically, would it be possible to write a http filter using your feature that will have access to the underlying socket? Basically - the filter will setsockopt based on http headers.

This is not possible at all with webassembly since envoy doesn't implement the 'system' apis.

[mathetake]

not yet is the answer but should be doable

[VivekSubr]

@mathetake ... thanks, so can I make this ask a feature request on dynamic_modules? To have a way to access sockets in http filter?

[VivekSubr]

Closing in favor of #38739