Add a (Listener)FilterStatus::Error?

[lambdai]

I find we might miss a return value of ListenerFilter::onAccept(ListenerFilterCallbacks& cb)

See the return type below.

enum class FilterStatus {
  // Continue to further filters.
  Continue,
  // Stop executing further filters.
  StopIteration
};

So it's impossible to express that onAccept find an error.

Currently if a listener filter wants to report an error, it must

• return StopIteration at onAccept
• register an event
• the callback of the above event call cb.continueFilterChain

The drawback of this detour is that we have to report that error at the second event cycle.
What's worse, as long as it potentially report error, we have to wait another event cycle. See

envoy/source/extensions/filters/listener/tls_inspector/tls_inspector.cc

Lines 71 to 92 in b3c1306

	Network::FilterStatus Filter::onAccept(Network::ListenerFilterCallbacks& cb) {
	ENVOY_LOG(debug, "tls inspector: new connection accepted");
	Network::ConnectionSocket& socket = cb.socket();
	ASSERT(file_event_ == nullptr);
	file_event_ = cb.dispatcher().createFileEvent(
	socket.ioHandle().fd(),
	[this](uint32_t events) {
	if (events & Event::FileReadyType::Closed) {
	config_->stats().connection_closed_.inc();
	done(false);
	return;
	}
	ASSERT(events == Event::FileReadyType::Read);
	onRead();
	},
	Event::FileTriggerType::Edge, Event::FileReadyType::Read | Event::FileReadyType::Closed);
	cb_ = &cb;
	return Network::FilterStatus::StopIteration;
	}

I am proposing

add a FilterStatus::Error

allow onAccept return it, and handle this value in ActiveSocket::continueFilterChain

Alternatively, since the FilterStatus type is also used by NetworkFilter, we can let onAccept return a new ListenerFilterStatus and only add Error here.

The benefits: we can save one epoll cycle on tls_inspector and http_inspector each, every time a connection is connected on listener which owns such filter.

@lizan @PiotrSikora thoughts?

[lizan]

@silentdai wondering in what case you want to return an error without reading anything in onAccept from tls_inspector or http_inspector?

[mattklein123]

I'm also confused. If there is an error don't you want to close the connection?

[lambdai]

@lizan The idea is if onAccept is allowed to return error, onAccept can read, instead of schedule another callback using the file event.

So another way to ask the question: why cannot onAccept inline the read()?

[mattklein123]

@silentdai can you succinctly explain what you are actually trying to accomplish? Thanks.

[lambdai]

I'm also confused. If there is an error don't you want to close the connection?

Not sure if there is such error. I didn't find an example to close connection in a listener filter. The existing code use cb_->continueFilterChain(success /* could be false */) to report the error. And let the ActiveSocket to close the connection

[lambdai]

@mattklein123 Sorry for the unclear.
My goal is to to allow onAccept inline the read()/recv()/peek() in listener filter.
Since the read/recv/peek may lead to error, I am proposing the solution to allow onAccept return a value named Error.

[lambdai]

Question, take tls_inspector for example

1. do you agree that read at the onAccept would reduce the latency?
2. Return error at onAccept and let the caller ActiveSocket do the clean up, or close the connection directly in tls_inspector? IMHO I think the former can avoid the connection close spread every where

[mattklein123]

OK I see. For better or worse the pattern we have used elsewhere is to just have the filter close the socket/connection and then detect that in the connection handler and deal with it properly. IMO we could do that pretty easily without any API changes but will defer to @lizan and @PiotrSikora