http: add ip src transparency

[klarose]

Description:
This PR contains the bulk of the IP Src Transparency work for #4128. It is missing one piece to tie it together so that it may be enabled. I'll integrate into into the PR, or submit a new PR, when #5035 is merged.

This PR can be viewed as three major chunks of work:

1. Some test code refactor to ease TDD of this feature. (Mainly splitting mocks out of big headers into their own).
2. The core of the feature -- the WrappedConnectionPool and the SrcIpTransparentMapper.
3. Integration of the core into Envoy's codebase.

The PR as it stands is very large. I'm willing to break it up if the reviewers so desire. Just let me know how you'd like me to go about doing it. We'd likely need to do the merges in the order I've provided above, though number 2 won't stand alone as described, since it itself requires a change or two to some public interfaces within envoy.

For the general approach, see Google Docs. While this does not 100% follow that document, the general approach matches.

In a nutshell:

We create a new type of ConnectionPool which wraps the Http connection pools. This connection pool uses abstract mapping logic to map a new stream request to one of many connection pools. These pools themselves are told at mapping time how to connect to their upstream using an interface added to the high level connection pool interface.

Connection pools are recycled into an "idle" list when all upstream connections on the pool have been drained. When a new stream is assigned to a pool, we try to use an idle stream first. If there are none, we assign a new one up to a limit. Multiple streams may be assigned to a pool if they are mapped to it concurrently.

General TODOs and notes:

1. The integration tests are mostly complete. I need to do some infrastructure work (Add build scripts to run tests under a privileged container #5246) first before they'll run in circle.
2. We cannot map http2 connections with the current approach . This is due to how I detect whether a pool is idle. I plan on reworking this part of the algorithm to distinguish between a pool being drained, and a pool being idle. The new approach will give performance benefits as well. But, I want to get this PR reviewed and merged before tackling that; it's already too large.
3. I plan on implementing source port transparency in the future by either extending or abstracting the SrcIpTransparentMapper
4. I also plan on refactoring the connection pool interface so that it applies to both http and tcp connections. This will allow us to reuse all of this logic for tcp just as well as http.
5. The limit on the number of concurrent connection pools needs to be configurable. Similarly, we need to expose it via stats.

Risk Level: Medium
This is a large change, but it cannot yet be enabled.

Testing:

• Fairly extensive unit tests of the new code.
• A dedicated integration test of the new module is almost complete. It just needs some infrastructure work before a PR makes sense.
• Some manual testing using envoy in a container talking to an http1 upstream in another container. I used a Proxy Protocol listener to control the fake source IP used by the upstream connection.

Docs Changes:
I need to document the feature:

• How it works.
• How to configure it.
• How to monitor it.
  I'll do this in a future PR.

Release Notes:
This will need a release note so people are aware of the feature. Doesn't make sense just yet though.

[zuercher]

@lizan can you take a first pass at this?

[lizan]

Sure I will take first pass.

@klarose definitely want to see 1. as a separate PR so it can be merged sooner. The gdoc in the description is 404, can you update?

[klarose]

@lizan thanks for taking a look. I've fixed the link. Let me know if you still have issues. It's a relatively long document, covering more than the work I've done here. So, if you want to focus on this, just look at the design section near the end. If anything is unclear, or you'd like more of an explanation, let me know. I'll update the document/we can chat about it.

As for 1. I'll try to get that up in the next few hours.

[jrajahalme]

@klarose @lizan Have you looked at the hashKey() method of Envoy::Network::Socket::Option? It is an existing method in Envoy that allows downstream connection metadata (options) to essentially divide upstream connection pools into sub-pools that each have a separate key (as accumulated from the hashKey() methods of Socket::Options). This feature is an extension of the method by which Envoy keeps different connection pools for each priority class, and as such added minimal additional logic to the upstream implementation.

This functionality is currently used by Cilium to separate the upstream connection pools by the SO_MARK option we set on the upstream connections, but would be similarly applicable to ensure that upstream connections are not shared across different source addresses.

I have recently prototyped multiplexed transport on top of a normal TCP listener, where the original 5-tuple is carried in the beginning of each frame. I used a Socket::Option to reset the upstream source address to be the original downstream address and to shard the upstream pools essentially per source address.

IMO this could be used to implement source transparency so that a Socket::Option instance would set the upstream Socket's localAddress (using setLocalAddress()), set the SO_TRANSPARENT on the socket, and return the bytes needed in hashKey() to keep the upstream connections separated by the source address. A listener filter can be created to add these options to the downstream connections, from where they are already carried over to the upstream connection constructors (e.g., dispatcher's createClientConnection() method).

So, it seems to me that a single-proxy version of source transparency could be implemented entirely using the existing extension mechanisms already built into Envoy. It could be one more listener filter in source/extensions/filters/listener/ and be exposed to users as a well known filter name they add to their listener configuration.

[klarose]

@jrajahalme That's certainly an interesting approach. I think it could work, as long as the pools are cleaned up fairly regularly. However, I have a few concerns with it that I think are addressed by the wrapped pool I have proposed:

1. We'd end up creating an extra connection pool for each new external connection all the time. There would never be any reuse of the pools, meaning that the overhead of pool creation and destruction is guaranteed.
2. There are no limits on the number of pools created this way. I worry that the map could bloat quite quickly. Obviously we could put some constraints on it, but then I'm not sure how we would work in the logic to give "pending" requests a chance without re implementing much of the pooling logic where it doesn't really belong.
3. It wouldn't necessarily help with other "partitioning" approaches such as SNI. @mattklein123 asked that I develop a solution which could be extended to allow pooling based on the SNI. I don't think it's appropriate to put the SNI into a socket option, though others could disagree with me. :)

At the surface, I think your proposed approach is nicer. It's simple, and it uses the existing mechanisms as you've suggested. However, I worry that it won't scale as well as we'd like, and that we may need to build something similar in the future anyway.

What do the others think? I'm willing to revisit the design.

[klarose]

@jrajahalme Out of curiosity, what are you using for the multiplexed transport? PROXY protocol?

[lizan]

It wouldn't necessarily help with other "partitioning" approaches such as SNI. @mattklein123 asked that I develop a solution which could be extended to allow pooling based on the SNI. I don't think it's appropriate to put the SNI into a socket option, though others could disagree with me. :)

#4973 adds TransportSocketOptions for SNI with hashKey approach to allow TcpConnectionPool connections to be partitioned by SNI, it left HTTP as a todo but similar approach based on that should work.

[klarose]

@lizan @jrajahalme Alright. You have me convinced. It's worth taking a look at. I'll see what I can do today to prove it out.

[klarose]

Hmm. I'm not sure this will cover all cases I'm interested in, at least as a listener filter. I want to be able to use the downstream remote address set by x-forwarder-for, which is set in void ConnectionManagerImpl::ActiveStream::decodeHeaders. This is a filter-chain filter, so it is invoked after the listener filters. Maybe I can make it work there...

EDIT: Looks like a network read filter may be the answer.

[jrajahalme]

@klarose Http ConnPoolImpl already takes in Network::ConnectionSocket::OptionsSharedPtr& as a parameter, you should be able to use that for this purpose.

[jrajahalme]

@klarose I've prototyped a multiplexed transport for kTLS, for which kernel-side eBPF program creates custom shim headers, basically just the 5-tuple and frame length in a binary representation. So, very similar to proxy protocol, but different :-)

[klarose]

@jrajahalme Thanks for the info. My current plan is to create a network filter which uses the ReadFilterCallbacks to get access to the socket option list. It'll add the option which sets the transparency/mark/etc as well as the source IP of the downstream.

Being a network filter, it can come after listener filters such as the proxy protocol filter, and the http connection manager (which sets the downstream from x-forwarded-for if it's trusted).

[jrajahalme]

@klarose Interesting, I never realized you can have network filters after the http connection manager, I've kind of assumed that it will consume the payload, but maybe it does not matter for setting metadata like this.

[klarose]

@jrajahalme Yeah, I think the filters work by doing some work up front when the connection is established, on all filters, then they proceed to do work with the data. I'll make these changes at connection establishment time. We'll see if it works. :)

[klarose]

@jrajahalme Looking at adding the new socket option to do this... Unfortunately, Socket::Option only has access to a Socket, which does not itself capture the concept of a local address -- a subclass of it (ConnectionSocket) does.

Ways around this I can think of offhand?

1. Extend the visitor with another setOption taking a ConnectionSocket. Unfortunately, applyOptions is static, so we can't use inheritance to use the more concrete version of setOption. I guess I could make it a virtual method. I'd only have to change a few places to call socket_.applyOptions(options, ....) rather than Network::Socket::applyOptions(socket_ options,...)
2. Use dynamic_cast (ick!)
3. Add a parallel set of socket options called ConnectionSocketOptions. I'd rather avoid doing this, since it would involve a bunch of integration work, which I think we're trying to avoid here.

What do you think? I prefer 1, even though it's a little gross to pollute an interface with knowledge of its subclasses... That's the visitor pattern for you, though... I guess it's not really the interface we're polluting, since Option is a separate class. It just happens to be nested in Socket.

[klarose]

It looks like createClientConnection doesn't use the sourceAddress of the connection. Should be simple to change, though.

    if (source_address != nullptr) {
      const Api::SysCallIntResult result = source_address->bind(fd());
      if (result.rc_ < 0) {
        ENVOY_LOG_MISC(debug, "Bind failure. Failed to bind to {}: {}", source_address->asString(),
                       strerror(result.errno_));
        bind_error_ = true;
        // Set a special error state to ensure asynchronous close to give the owner of the
        // ConnectionImpl a chance to add callbacks and detect the "disconnect".
        immediate_error_event_ = ConnectionEvent::LocalClose;

        // Trigger a write event to close this connection out-of-band.
        file_event_->activate(Event::FileReadyType::Write);
      }

sourceAddress comes from the clusterInfo. The pre-bind options are set just before this. So, I could check if the local address is not null. If it is, I'll override the cluster address.

[jrajahalme]

@klarose Network::Socket has the local address, but not the method to set it. IMO we should add a setLocalAddress(const Address::InstanceConstSharedPtr& local_address) method to Network::Socket.

I had used a dynamic_cast in the prototype, but did not remember that fact, sorry.

I'd also want to see a non-null value returned by Socket::localAddress() override the cluster's source address setting.

[klarose]

I have it working for PROXY protocol. However, it doesn't work when I want to consume the XFF. This makes sense, now that I think about it -- the XFF is only set once all the http headers have been parsed, and that's too late. So, I think I need to make two filters:

1. Listener filter, gets the address from remoteAddress of the connection
2. An http decoder filter, gets the address from StreamInfo::downstreamRemoteAddress.

The listener filter can be used with ProxyProtocol, for tcp or http. The http decoder can only be used for http.

Sad, because it's more work than I anticipated, and I need to do some refactoring, but that's life I guess. :/

I'll submit a PR for the listener one, so we can take a look, then get on to implementing the http one.

[klarose]

Cancelling this as it has been subsumed by the work for another approach (#5337)