tcp_proxy: Add filter state envoy.tcp_proxy.receive_before_connect

[jrajahalme]

Commit Message:

Add filter state object envoy.tcp_proxy.receive_before_connect that TcpProxy
filter checks for and when set to 'true' will not set readDisable=true on the
downstream connection before upstream connection is established.

proxy_receive_before_connect needs to be set a read filter's
initializeReadFilterCallbacks() as tcp_proxy checks for this in its
initializeReadFilterCallbacks() that is called when the filter chain is created,
but after all the other filters as tcp_proxy is the last filter in the chain.

This change allows advanced cases where a network read filter needs to
receive (and possibly send) downstream data that may change the
destination of the upstream TCP connection, e.g. via metadata set based
on the received data. If this is the case, then the read filter preceding
the tcp_proxy filter must return StopIteration from its onNewConnection()
call, causing tcp_proxy filter to postpone its upstream connection
establishment until onData() returns Continue.

Any data reaching the tcp_proxy filter before the upstream connection is
established is buffered so that the downstream filters do not see the
same data again which would be the case if it would remaining in the buffer
and more data is received. This also allows downstream filters inject
data before the upstream connection is established; such injected data
would be lost if tcp_proxy would not buffer it while connection
establishment is still ongoing.

An existing dynamic metadata integration test is modified to use
proxy_receive_before_connect=true. This makes the use case less
reliant on the tcp_proxy internal detail, such as balancing and timing of
the readDisable() calls on the downstream connection.

Additional Description:
Risk Level: Low
Testing: Existing test is enhanced to cover the new code
Docs Changes:
Release Notes: Tcp proxy filter can now be configured to receive data from downstream connection before the upstream connection is established with the new receive_before_connect configuration option.
Platform Specific Features:

[repokitteh-read-only]

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to (api/envoy/|docs/root/api-docs/).
envoyproxy/api-shepherds assignee is @markdroth
CC @envoyproxy/api-watchers: FYI only for changes made to (api/envoy/|docs/root/api-docs/).

🐱

Caused by: #25804 was opened by jrajahalme.

see: more, trace.

[jrajahalme]

Force-pushed to fix format.

[jrajahalme]

Force pushed to fix spelling

[botengyao]

Thanks! Overall reasonable for me, but we need @ggreenway's input as well I think.

[botengyao]

This is not the early data buffer you create in Tcp proxy, right? It is a little bit confusing for the comment, like we stop the filter chain iteration at InjectDynamicMetadata::onData() when just receives pri. Tcp proxy cannot get the onData call before the InjectDynamicMetadata continues the filter chain.

And writing a new set of integration tests maybe more clear here to make sure the original behavior is also tested. We should also add some situations that trigger early_data_buffer_ when connection is not created, but seems not easy to test.

[ggreenway]

@jrajahalme please address this.

[botengyao]

Actually we can read-enable here, seems this PR will only buy some time back between the initialization and onNewConnection?

[jrajahalme]

This PR does two things:

1. asks the (TCP) proxy to not read-disable in the first place, so that other filters do not need to know the exact spots where to read-enable and disable again. This enables filters receiving data before and while the upstream connection setup takes place.

2. adds early data buffering to the tcp_proxy filter, so that filters can write (early) data after tcp_proxy has started connect() system call, but the connection has not yet been established. As of now tcp_proxy will assert-fail if it receives data before the connection has been established. This allows filters that read data enabled by point (1) to pass it on without buffering and waiting for connection setup to complete.

[botengyao]

/assign @ggreenway

[ggreenway]

This is basically a compatibility problem between different filters. In my opinion, it would be nicer to do this mechanism via some communication between the filters (maybe a FilterState), not via a config knob. The user shouldn't have to keep track of whether their other network filter requires this tcp_proxy setting. And accidentally setting this when the other network filters aren't handling the data will result in buggy behavior.

/wait

[jrajahalme]

This is basically a compatibility problem between different filters. In my opinion, it would be nicer to do this mechanism via some communication between the filters (maybe a FilterState), not via a config knob. The user shouldn't have to keep track of whether their other network filter requires this tcp_proxy setting. And accidentally setting this when the other network filters aren't handling the data will result in buggy behavior.

Changed to introduce a new filter state instead as suggested here. Since reverting API changes in a new commit could have been confusing, I force pushed the code with the new approach, hope this is OK.

[jrajahalme]

@ggreenway Care to take another look?

[ggreenway]

/wait

[ggreenway]

I don't think we need a new class for this; you can use StreamInfo::BoolAccessor. Also, the definition of the key belongs in source/common/tcp_proxy/tcp_proxy.h.

Related example that was recently added: constexpr absl::string_view DisableTunnelingFilterStateKey = "envoy.tcp_proxy.disable_tunneling";.

[jrajahalme]

Thanks for the pointers, changed!

[ggreenway]

Should there be a limit on how much data can be buffered here? Or do you depend on the earlier network filter to readDisable() if there's too much data?

[jrajahalme]

Did not consider this, so maybe the latter? Of should I change the boolean metadata to be an integral maximum buffer size instead?

[ggreenway]

You could probably use one of the existing connection buffer size settings for the value. But if you want the other filter to specify how much data to buffer, that's fine too.

[ggreenway]

Can you add a test that causes a high watermark on the upstream here, to make sure that any callbacks that re-renter this class have the correct state?

[jrajahalme]

Could you point to a test that is close enough to use for inspiration to what you mean here?

[kyessenov]

Side-note - could we use this to solve #9023, assuming we have some way to detect the end of the downstream TLS handshake.

[jrajahalme]

@ggreenway Sorry for the delay, addressed your comment on use of BoolAccessor & asked for more context on the rest.

[mattklein123]

Friendly ping @ggreenway

[jrajahalme]

Added docs.

[jrajahalme]

Rebased to resolve conflict on changelogs.

[jrajahalme]

fixed doc format

[jrajahalme]

Rebased to fix conflict on changelogs/current.yaml

[jrajahalme]

@ggreenway Do I need to be rebasing this to resolve the conflict on changelogs/current.yaml or will that be handled automatically on merge?

[ggreenway]

/wait

[ggreenway]

@jrajahalme please address this.

[ggreenway]

In the case of receive_before_connect_, now that earlier filters have seen whatever data they need and allowed the filter chain to continue, should tcp_proxy readDisable(true) to prevent additional data from getting buffered while the upstream connection is established?

If not, then I think there needs to be some limit to the data enforced. One option is to leave it in the Connection buffer so that flow control can be triggered.

[ggreenway]

@ggreenway Do I need to be rebasing this to resolve the conflict on changelogs/current.yaml or will that be handled automatically on merge?

There's a merge conflict, so merge main into your PR branch and resolve conflict there.

[jrajahalme]

@ggreenway merged main, conflicts resolved.

[jrajahalme]

@ggreenway Can you re-trigger presubmit checks? The fail seems to be in examples/ext_authz which is not even using tcp_proxy filter, so it is likely unrelated to this PR.

[jrajahalme]

Pushed another main merge to rerun tests.

[ggreenway]

This still needs some buffer-limit/flow-control added to it.

Also, need to address https://github.com/envoyproxy/envoy/pull/25804/files#r1125129552.

/wait

[ggreenway]

You could probably use one of the existing connection buffer size settings for the value. But if you want the other filter to specify how much data to buffer, that's fine too.

[github-actions]

This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!

[github-actions]

This pull request has been automatically closed because it has not had activity in the last 37 days. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!

[akshita31]

Hi @jrajahalme would you be able to re-work this PR ? Our team also has a use case where we have RBAC before TCP_Proxy and TCP_Proxy is opening connection to upstream before RBAC is performed which is not ideal for us. So having this filter state will be very useful for our case as well.