Extend RouteMatch to support matching based on the request source

[georgi-d]

We have a use case where for the same virtual host different the request needs to be routed differently based on the source of the request.

There are two different ways to distinguish the source:

1. Whether the the request comes from the same node where Envoy is running. Where for the request socket: tcp.src_address == tcp.dst_address. This check catches local connections on all interfaces.
2. The request's tcp.src_address belongs to a specific subnet ex. 192.168.0.0/24

One possible solution I see is to extend the RouteMatch structure with:

message RouteMatch {
  ...
  enun RequestSourceType {
    // Request is comming from withing the same network node as Envoy
    SAME_HOST = 0,
    // Request is comming from outside of the node
    EXTERNAL_HOST = 1,
  }
  oneof source {
    RequestSourceType source_type;
    repeated string source_subnet;
  } 
}

Thanks

[georgi-d]

@nickolaev

[mattklein123]

This sounds reasonable but please see how we are doing CIDR matching elsewhere in RBAC, filter chain matching, etc. We should use the same constructs.

[mattklein123]

Also, I'm not sure I agree we should support the "same host" semantics. IMO this can be configured by the operator with appropriate CIDR matches?

[georgi-d]

@mattklein123

I assume you are talking about: https://www.envoyproxy.io/docs/envoy/v1.7.0/api-v2/config/rbac/v2alpha/rbac.proto

I am fine with using the same constructs as in RBAC for the matching.

The same host is crucial for my use case. I am not there is a way to achieve this without explicit support from envoy. It is not possible to pre-configure all the IPs that are on the host because interfaces and IPs can change at runtime and there is no stable way to monitor the changes.

The simple check src_ip == dest_ip is guaranteed to work and correctly identify local connections.
There already is a functionality for this in Envoy: Network::Utility::isLocalConnection()

[mattklein123]

OK fair enough re: same host. Sounds like it might be generally useful. Can you propose the final config changes so we can discuss if you are planning on doing the work?

[georgi-d]

I will think over it and propose final changes most likely tomorrow.

Thanks

[nickolaev]

After some discussions with @georgi-d we came up with the following proposal:

{
.....
  enum RequestSourceType {
    // Request does not originate from the node where Envoy is running
    EXTERNAL_HOST = 0;
    // Request originates from the node where Envoy is running
    SAME_HOST = 1;
  }

  message SourceMatch {
    oneof source_specifier {
      // Specifies the source IP match type. Can be same or external host
      RequestSourceType source_type = 10 [(validate.rules).enum.defined_only = true];
      // Specifies the optional external host subnet to match the sopurce IP.
      // Used when source_type is EXTERNAL_HOST
      envoy.api.v2.core.CidrRange source_subnet = 11;
    }
  }

  // Optionally specifies a source address match
  repeated SourceMatch source_matches = 12;
}

@mattklein123 what do you think?

[mattklein123]

This sounds reasonable to me. How are you going to concretely determine SAME_HOST? It should work regardless of address type and platform. cc @envoyproxy/maintainers

[ggreenway]

It should also work in the presence of multiple host ip addresses, eg a host having 127.0.0.1, ::1, 10.0.0.2, and 1.2.3.4. A connection from any of those should match this new option.

[htuch]

The alternative is you have distinct listeners for same host vs. external and then two distinct route tables. Would this solve the problem while preserving economy of mechanism?

[nickolaev]

@htuch Wouldn't comparing Network::Connection's localAddress() and remoteAddress() be sufficient enough in this case?

[htuch]

@nickolaev I'm curious if we can make this happen without any code changes today. The idea is you would have two distinct filter chains.