Skip to content

feat: support invert in source match#8407

Merged
rudrakhp merged 1 commit intoenvoyproxy:mainfrom
rudrakhp:source_match_invert
Mar 30, 2026
Merged

feat: support invert in source match#8407
rudrakhp merged 1 commit intoenvoyproxy:mainfrom
rudrakhp:source_match_invert

Conversation

@rudrakhp
Copy link
Copy Markdown
Member

@rudrakhp rudrakhp commented Mar 4, 2026
edited
Loading

What type of PR is this?
feat: support invert in source match

What this PR does / why we need it:
This PR is needed to support usecases that need invert SourceMatch. For example rate limit all IPs except those matching a CIDR. To do this following changes were made:

  1. Move to the newer RemoteAddressMatch rate limit action from MaskedRemoteAddress and RemoteAddress actions.
  2. The AddressMatcher has an flag to invert matches that allows to define a white list to not apply rate limits on.
  3. Improves data plane latency, especially for global rate limit usecases as rate limit descriptors are not generated for IPs that don't satisfy the address matching criteria. Without this change, all requests used to generate rate limit descriptors and decision to rate limit was being taken at RLS/local rate limiter.

Which issue(s) this PR fixes:

Fixes #4385
Related Envoy PRs: envoyproxy/envoy#42845 envoyproxy/envoy#43320

Reviewer notes:

  • Added a new API param Invert under SourceMatch.
  • Most of the changes in ratelimit.go and local_ratelimit.go.
  • Added two E2Es to test invert functionality. Existing E2Es for ensuring no regression.

Release Notes: Yes

@netlify
Copy link
Copy Markdown

netlify bot commented Mar 4, 2026
edited
Loading

Deploy Preview for cerulean-figolla-1f9435 ready!

Name Link
🔨 Latest commit 2ebeb85
🔍 Latest deploy log https://app.netlify.com/projects/cerulean-figolla-1f9435/deploys/69ca249c429d0900087b1617
😎 Deploy Preview https://deploy-preview-8407--cerulean-figolla-1f9435.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@codecov
Copy link
Copy Markdown

codecov bot commented Mar 4, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 92.45283% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 74.35%. Comparing base (945fe9f) to head (2ebeb85).
⚠️ Report is 2 commits behind head on main.

Files with missing lines Patch % Lines
internal/ir/xds.go 42.85% 2 Missing and 2 partials ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #8407      +/-   ##
==========================================
+ Coverage   74.33%   74.35%   +0.01%     
==========================================
  Files         243      243              
  Lines       38155    38164       +9     
==========================================
+ Hits        28364    28377      +13     
+ Misses       7802     7801       -1     
+ Partials     1989     1986       -3

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@rudrakhp rudrakhp marked this pull request as ready for review March 4, 2026 15:12
@rudrakhp rudrakhp requested a review from a team as a code owner March 4, 2026 15:12
@rudrakhp rudrakhp force-pushed the source_match_invert branch 4 times, most recently from edcb51b to 0581fdc Compare March 5, 2026 15:36
@rudrakhp rudrakhp added this to the v1.8.0-rc.1 Release milestone Mar 15, 2026
@rudrakhp rudrakhp force-pushed the source_match_invert branch from 0581fdc to 039f88c Compare March 15, 2026 08:56
@rudrakhp rudrakhp removed this from the v1.8.0-rc.1 Release milestone Mar 15, 2026
@rudrakhp rudrakhp force-pushed the source_match_invert branch from 039f88c to cf12bb7 Compare March 17, 2026 06:26
@rudrakhp rudrakhp force-pushed the source_match_invert branch from cf12bb7 to 30aca46 Compare March 26, 2026 03:21
kkk777-7
kkk777-7 previously approved these changes Mar 26, 2026
View reviewed changes
@kkk777-7
Copy link
Copy Markdown
Member

kkk777-7 commented Mar 26, 2026

thanks, Overall LGTM!

@rudrakhp rudrakhp requested review from a team March 26, 2026 12:18
zhaohuabing
zhaohuabing reviewed Mar 27, 2026
View reviewed changes
@rudrakhp rudrakhp force-pushed the source_match_invert branch from 30aca46 to 2b0c630 Compare March 27, 2026 14:57
@rudrakhp rudrakhp requested a review from zhaohuabing March 27, 2026 15:04
zhaohuabing
zhaohuabing reviewed Mar 30, 2026
View reviewed changes
@rudrakhp
feat: support invert in source match
2ebeb85 
Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com>
@rudrakhp rudrakhp force-pushed the source_match_invert branch from 2b0c630 to 2ebeb85 Compare March 30, 2026 07:22
@zhaohuabing
Copy link
Copy Markdown
Member

zhaohuabing commented Mar 30, 2026

/retest

zhaohuabing
zhaohuabing approved these changes Mar 30, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@zhaohuabing zhaohuabing left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thanks!

@rudrakhp rudrakhp merged commit 4f300b7 into envoyproxy:main Mar 30, 2026
59 of 62 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zhaohuabing zhaohuabing zhaohuabing approved these changes

@kkk777-7 kkk777-7 Awaiting requested review from kkk777-7

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Set ratelimiting to all cidrs with exceptions

3 participants

@rudrakhp @kkk777-7 @zhaohuabing