listener: add an option to continue on listener filters timeout

[lizan]

Signed-off-by: Lizan Zhou lizan@tetrate.io

Description:
Add an option to continue on listener filters timeout.

Risk Level: Med (mostly guarded by config)
Testing: unittest
Docs Changes: Added
Release Notes: Added
Fixes #7195

[lizan]

no test yet, cc @silentdai

[repokitteh-read-only]

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to api/.

🐱

Caused by: #7859 was synchronize by lizan.

see: more, trace.

[repokitteh-read-only]

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to api/.

🐱

Caused by: #7859 was synchronize by lizan.

see: more, trace.

[repokitteh-read-only]

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to api/.

🐱

Caused by: #7859 was synchronize by lizan.

see: more, trace.

[repokitteh-read-only]

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to api/.

🐱

Caused by: #7859 was synchronize by lizan.

see: more, trace.

[lizan]

This is ready to review, PTAL

[lambdai]

If listener option is the solution, can you add the document that a listener with proxy_protocol should not set continue_on_listener_filters_timeout?
The reason is that proxy_protocol may consume bytes instead of PEEK.

That is the initial motivation of the my PR: It's harmless for the listener to decide to close the socket, but only listener filter itself can decide whether it's appropriate to continue.

LGTM if the above case is omitted

[rshriram]

This works as well!

[mattklein123]

Thanks, LGTM with some small nits.

/wait

[repokitteh-read-only]

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to api/.

🐱

Caused by: #7859 was synchronize by lizan.

see: more, trace.

[repokitteh-read-only]

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to api/.

🐱

Caused by: #7859 was synchronize by lizan.

see: more, trace.

[repokitteh-read-only]

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to api/.

🐱

Caused by: #7859 was synchronize by lizan.

see: more, trace.

[mattklein123]

LGTM, also needs a format fix.

/wait

[repokitteh-read-only]

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to api/.

🐱

Caused by: #7859 was synchronize by lizan.

see: more, trace.

[repokitteh-read-only]

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to api/.

🐱

Caused by: #7859 was synchronize by lizan.

see: more, trace.

[mattklein123]

Nice!

[htuch]

One random thought, thinking about the use case that @silentdai had, would it make sense to have a timeout in the listener filter config as well to enable override on a per-filter basis? In theory you might want to have different timeouts for TLS vs. some other filter. I think the point is probably moot right now, because folks have shallow (maybe typically 1 deep) filter chains, but just a consideration for future.

[lizan]

A listener filter can still do their own timeout, to continue or fail, from their opaque config, such as @silentdai did in #7853. This option applies only to when listener level timeout happens.

[lambdai]

Thank you for the update!
/approve