/
listener_components.proto
287 lines (245 loc) · 11.5 KB
/
listener_components.proto
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
syntax = "proto3";
package envoy.api.v2.listener;
import "envoy/api/v2/auth/tls.proto";
import "envoy/api/v2/core/address.proto";
import "envoy/api/v2/core/base.proto";
import "envoy/type/range.proto";
import "google/protobuf/any.proto";
import "google/protobuf/struct.proto";
import "google/protobuf/wrappers.proto";
import "udpa/annotations/migrate.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.api.v2.listener";
option java_outer_classname = "ListenerComponentsProto";
option java_multiple_files = true;
option csharp_namespace = "Envoy.Api.V2.ListenerNS";
option ruby_package = "Envoy.Api.V2.ListenerNS";
option (udpa.annotations.file_migrate).move_to_package = "envoy.config.listener.v3";
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: Listener components]
// Listener :ref:`configuration overview <config_listeners>`
message Filter {
reserved 3;
// The name of the filter to instantiate. The name must match a
// :ref:`supported filter <config_network_filters>`.
string name = 1 [(validate.rules).string = {min_bytes: 1}];
// Filter specific configuration which depends on the filter being
// instantiated. See the supported filters for further documentation.
oneof config_type {
google.protobuf.Struct config = 2 [deprecated = true];
google.protobuf.Any typed_config = 4;
}
}
// Specifies the match criteria for selecting a specific filter chain for a
// listener.
//
// In order for a filter chain to be selected, *ALL* of its criteria must be
// fulfilled by the incoming connection, properties of which are set by the
// networking stack and/or listener filters.
//
// The following order applies:
//
// 1. Destination port.
// 2. Destination IP address.
// 3. Server name (e.g. SNI for TLS protocol),
// 4. Transport protocol.
// 5. Application protocols (e.g. ALPN for TLS protocol).
// 6. Source type (e.g. any, local or external network).
// 7. Source IP address.
// 8. Source port.
//
// For criteria that allow ranges or wildcards, the most specific value in any
// of the configured filter chains that matches the incoming connection is going
// to be used (e.g. for SNI ``www.example.com`` the most specific match would be
// ``www.example.com``, then ``*.example.com``, then ``*.com``, then any filter
// chain without ``server_names`` requirements).
//
// [#comment: Implemented rules are kept in the preference order, with deprecated fields
// listed at the end, because that's how we want to list them in the docs.
//
// [#comment:TODO(PiotrSikora): Add support for configurable precedence of the rules]
// [#next-free-field: 13]
message FilterChainMatch {
enum ConnectionSourceType {
// Any connection source matches.
ANY = 0;
// Match a connection originating from the same host.
LOCAL = 1 [(udpa.annotations.enum_value_migrate).rename = "SAME_IP_OR_LOOPBACK"];
// Match a connection originating from a different host.
EXTERNAL = 2;
}
reserved 1;
// Optional destination port to consider when use_original_dst is set on the
// listener in determining a filter chain match.
google.protobuf.UInt32Value destination_port = 8 [(validate.rules).uint32 = {lte: 65535 gte: 1}];
// If non-empty, an IP address and prefix length to match addresses when the
// listener is bound to 0.0.0.0/:: or when use_original_dst is specified.
repeated core.CidrRange prefix_ranges = 3;
// If non-empty, an IP address and suffix length to match addresses when the
// listener is bound to 0.0.0.0/:: or when use_original_dst is specified.
// [#not-implemented-hide:]
string address_suffix = 4;
// [#not-implemented-hide:]
google.protobuf.UInt32Value suffix_len = 5;
// Specifies the connection source IP match type. Can be any, local or external network.
ConnectionSourceType source_type = 12 [(validate.rules).enum = {defined_only: true}];
// The criteria is satisfied if the source IP address of the downstream
// connection is contained in at least one of the specified subnets. If the
// parameter is not specified or the list is empty, the source IP address is
// ignored.
repeated core.CidrRange source_prefix_ranges = 6;
// The criteria is satisfied if the source port of the downstream connection
// is contained in at least one of the specified ports. If the parameter is
// not specified, the source port is ignored.
repeated uint32 source_ports = 7
[(validate.rules).repeated = {items {uint32 {lte: 65535 gte: 1}}}];
// If non-empty, a list of server names (e.g. SNI for TLS protocol) to consider when determining
// a filter chain match. Those values will be compared against the server names of a new
// connection, when detected by one of the listener filters.
//
// The server name will be matched against all wildcard domains, i.e. ``www.example.com``
// will be first matched against ``www.example.com``, then ``*.example.com``, then ``*.com``.
//
// Note that partial wildcards are not supported, and values like ``*w.example.com`` are invalid.
//
// .. attention::
//
// See the :ref:`FAQ entry <faq_how_to_setup_sni>` on how to configure SNI for more
// information.
repeated string server_names = 11;
// If non-empty, a transport protocol to consider when determining a filter chain match.
// This value will be compared against the transport protocol of a new connection, when
// it's detected by one of the listener filters.
//
// Suggested values include:
//
// * ``raw_buffer`` - default, used when no transport protocol is detected,
// * ``tls`` - set by :ref:`envoy.filters.listener.tls_inspector <config_listener_filters_tls_inspector>`
// when TLS protocol is detected.
string transport_protocol = 9;
// If non-empty, a list of application protocols (e.g. ALPN for TLS protocol) to consider when
// determining a filter chain match. Those values will be compared against the application
// protocols of a new connection, when detected by one of the listener filters.
//
// Suggested values include:
//
// * ``http/1.1`` - set by :ref:`envoy.filters.listener.tls_inspector
// <config_listener_filters_tls_inspector>`,
// * ``h2`` - set by :ref:`envoy.filters.listener.tls_inspector <config_listener_filters_tls_inspector>`
//
// .. attention::
//
// Currently, only :ref:`TLS Inspector <config_listener_filters_tls_inspector>` provides
// application protocol detection based on the requested
// `ALPN <https://en.wikipedia.org/wiki/Application-Layer_Protocol_Negotiation>`_ values.
//
// However, the use of ALPN is pretty much limited to the HTTP/2 traffic on the Internet,
// and matching on values other than ``h2`` is going to lead to a lot of false negatives,
// unless all connecting clients are known to use ALPN.
repeated string application_protocols = 10;
}
// A filter chain wraps a set of match criteria, an option TLS context, a set of filters, and
// various other parameters.
// [#next-free-field: 8]
message FilterChain {
// The criteria to use when matching a connection to this filter chain.
FilterChainMatch filter_chain_match = 1;
// The TLS context for this filter chain.
//
// .. attention::
//
// **This field is deprecated**. Use `transport_socket` with name `tls` instead. If both are
// set, `transport_socket` takes priority.
auth.DownstreamTlsContext tls_context = 2 [deprecated = true];
// A list of individual network filters that make up the filter chain for
// connections established with the listener. Order matters as the filters are
// processed sequentially as connection events happen. Note: If the filter
// list is empty, the connection will close by default.
repeated Filter filters = 3;
// Whether the listener should expect a PROXY protocol V1 header on new
// connections. If this option is enabled, the listener will assume that that
// remote address of the connection is the one specified in the header. Some
// load balancers including the AWS ELB support this option. If the option is
// absent or set to false, Envoy will use the physical peer address of the
// connection as the remote address.
google.protobuf.BoolValue use_proxy_proto = 4;
// [#not-implemented-hide:] filter chain metadata.
core.Metadata metadata = 5;
// Optional custom transport socket implementation to use for downstream connections.
// To setup TLS, set a transport socket with name `tls` and
// :ref:`DownstreamTlsContext <envoy_api_msg_auth.DownstreamTlsContext>` in the `typed_config`.
// If no transport socket configuration is specified, new connections
// will be set up with plaintext.
core.TransportSocket transport_socket = 6;
// [#not-implemented-hide:] The unique name (or empty) by which this filter chain is known. If no
// name is provided, Envoy will allocate an internal UUID for the filter chain. If the filter
// chain is to be dynamically updated or removed via FCDS a unique name must be provided.
string name = 7;
}
// Listener filter chain match configuration. This is a recursive structure which allows complex
// nested match configurations to be built using various logical operators.
//
// Examples:
//
// * Matches if the destination port is 3306.
//
// .. code-block:: yaml
//
// destination_port_range:
// start: 3306
// end: 3307
//
// * Matches if the destination port is 3306 or 15000.
//
// .. code-block:: yaml
//
// or_match:
// rules:
// - destination_port_range:
// start: 3306
// end: 3306
// - destination_port_range:
// start: 15000
// end: 15001
//
// [#next-free-field: 6]
message ListenerFilterChainMatchPredicate {
// A set of match configurations used for logical operations.
message MatchSet {
// The list of rules that make up the set.
repeated ListenerFilterChainMatchPredicate rules = 1
[(validate.rules).repeated = {min_items: 2}];
}
oneof rule {
option (validate.required) = true;
// A set that describes a logical OR. If any member of the set matches, the match configuration
// matches.
MatchSet or_match = 1;
// A set that describes a logical AND. If all members of the set match, the match configuration
// matches.
MatchSet and_match = 2;
// A negation match. The match configuration will match if the negated match condition matches.
ListenerFilterChainMatchPredicate not_match = 3;
// The match configuration will always match.
bool any_match = 4 [(validate.rules).bool = {const: true}];
// Match destination port. Particularly, the match evaluation must use the recovered local port if
// the owning listener filter is after :ref:`an original_dst listener filter <config_listener_filters_original_dst>`.
type.Int32Range destination_port_range = 5;
}
}
message ListenerFilter {
// The name of the filter to instantiate. The name must match a
// :ref:`supported filter <config_listener_filters>`.
string name = 1 [(validate.rules).string = {min_bytes: 1}];
// Filter specific configuration which depends on the filter being instantiated.
// See the supported filters for further documentation.
oneof config_type {
google.protobuf.Struct config = 2 [deprecated = true];
google.protobuf.Any typed_config = 3;
}
// Optional match predicate used to disable the filter. The filter is enabled when this field is empty.
// See :ref:`ListenerFilterChainMatchPredicate <envoy_api_msg_listener.ListenerFilterChainMatchPredicate>`
// for further examples.
ListenerFilterChainMatchPredicate filter_disabled = 4;
}