Buffer Factory: Add configurability of BufferFactory.

.bazelrc

@@ -220,7 +220,7 @@ build:remote --strategy=Javac=remote,sandboxed,local
 build:remote --strategy=Closure=remote,sandboxed,local
 build:remote --strategy=Genrule=remote,sandboxed,local
 build:remote --remote_timeout=7200
-build:remote --auth_enabled=true
+build:remote --google_default_credentials=true
 build:remote --remote_download_toplevel
 
 # Windows bazel does not allow sandboxed as a spawn strategy
@@ -229,7 +229,7 @@ build:remote-windows --strategy=Javac=remote,local
 build:remote-windows --strategy=Closure=remote,local
 build:remote-windows --strategy=Genrule=remote,local
 build:remote-windows --remote_timeout=7200
-build:remote-windows --auth_enabled=true
+build:remote-windows --google_default_credentials=true
 build:remote-windows --remote_download_toplevel
 
 build:remote-clang --config=remote

api/BUILD

@@ -1,3 +1,5 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
 load("@rules_proto//proto:defs.bzl", "proto_library")
 
 licenses(["notice"])  # Apache 2

api/envoy/config/bootstrap/v3/bootstrap.proto

@@ -40,7 +40,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // <config_overview_bootstrap>` for more detail.
 
 // Bootstrap :ref:`configuration overview <config_overview_bootstrap>`.
-// [#next-free-field: 33]
+// [#next-free-field: 34]
 message Bootstrap {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.bootstrap.v2.Bootstrap";
@@ -219,6 +219,8 @@ message Bootstrap {
     (udpa.annotations.security).configure_for_untrusted_upstream = true
   ];
 
+  BufferFactoryConfig buffer_factory_config = 33;
+
   // Enable :ref:`stats for event dispatcher <operations_performance>`, defaults to false.
   // Note that this records a value for each iteration of the event loop on every thread. This
   // should normally be minimal overhead, but when using
@@ -642,3 +644,16 @@ message CustomInlineHeader {
   // The type of the header that is expected to be set as the inline header.
   InlineHeaderType inline_header_type = 2 [(validate.rules).enum = {defined_only: true}];
 }
+
+// Configuration for the Buffer Factories that create Buffers and Accounts.
+message BufferFactoryConfig {
+  // The minimum account size at which Envoy starts tracking a stream.
+  // This *MUST* be a power of two.
+  //
+  // Envoy has 8 power of two buckets starting from this value.
+  // Concretely the 1st bucket contains accounts for streams that use
+  // [account_tracking_threshold_bytes, 2 * account_tracking_threshold_bytes).
+  // With the 8th bucket tracking accounts
+  // >= 128 * account_tracking_threshold_bytes.
+  uint32 account_tracking_threshold_bytes = 1 [(validate.rules).uint32 = {gt: 0}];
+}

api/envoy/config/rbac/v3/BUILD

@@ -10,6 +10,7 @@ api_proto_package(
         "//envoy/config/core/v3:pkg",
         "//envoy/config/route/v3:pkg",
         "//envoy/type/matcher/v3:pkg",
+        "//envoy/type/v3:pkg",
         "@com_github_cncf_udpa//udpa/annotations:pkg",
         "@com_google_googleapis//google/api/expr/v1alpha1:checked_proto",
         "@com_google_googleapis//google/api/expr/v1alpha1:syntax_proto",

api/envoy/config/rbac/v3/rbac.proto

@@ -7,6 +7,7 @@ import "envoy/config/route/v3/route_components.proto";
 import "envoy/type/matcher/v3/metadata.proto";
 import "envoy/type/matcher/v3/path.proto";
 import "envoy/type/matcher/v3/string.proto";
+import "envoy/type/v3/range.proto";
 
 import "google/api/expr/v1alpha1/checked.proto";
 import "google/api/expr/v1alpha1/syntax.proto";
@@ -145,7 +146,7 @@ message Policy {
 }
 
 // Permission defines an action (or actions) that a principal can take.
-// [#next-free-field: 11]
+// [#next-free-field: 12]
 message Permission {
   option (udpa.annotations.versioning).previous_message_type = "envoy.config.rbac.v2.Permission";
 
@@ -185,6 +186,9 @@ message Permission {
     // A port number that describes the destination port connecting to.
     uint32 destination_port = 6 [(validate.rules).uint32 = {lte: 65535}];
 
+    // A port number range that describes a range of destination ports connecting to.
+    type.v3.Int32Range destination_port_range = 11;
+
     // Metadata that describes additional information about the action.
     type.matcher.v3.MetadataMatcher metadata = 7;
 

docs/root/version_history/current.rst

@@ -56,8 +56,8 @@ New Features
 * bootstrap: added :ref:`inline_headers <envoy_v3_api_field_config.bootstrap.v3.Bootstrap.inline_headers>` in the bootstrap to make custom inline headers bootstrap configurable.
 * http: added :ref:`string_match <envoy_v3_api_field_config.route.v3.HeaderMatcher.string_match>` in the header matcher.
 * http: added support for :ref:`max_requests_per_connection <envoy_v3_api_field_config.core.v3.HttpProtocolOptions.max_requests_per_connection>` for both upstream and downstream connections.
-
 * jwt_authn: added support for :ref:`Jwt Cache <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.jwt_cache_config>` and its size can be specified by :ref:`jwt_cache_size <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtCacheConfig.jwt_cache_size>`.
+* rbac: added :ref:`destination_port_range <envoy_v3_api_field_config.rbac.v3.Permission.destination_port_range>` for matching range of destination ports.
 
 Deprecated
 ----------

envoy/api/BUILD

@@ -18,6 +18,7 @@ envoy_cc_library(
         "//envoy/filesystem:filesystem_interface",
         "//envoy/server:process_context_interface",
         "//envoy/thread:thread_interface",
+        "@envoy_api//envoy/config/bootstrap/v3:pkg_cc_proto",
     ],
 )
 

envoy/api/api.h

@@ -5,6 +5,7 @@
 
 #include "envoy/common/random_generator.h"
 #include "envoy/common/time.h"
+#include "envoy/config/bootstrap/v3/bootstrap.pb.h"
 #include "envoy/event/dispatcher.h"
 #include "envoy/event/scaled_range_timer_manager.h"
 #include "envoy/filesystem/filesystem.h"
@@ -83,6 +84,11 @@ class Api {
    * @return an optional reference to the ProcessContext
    */
   virtual ProcessContextOptRef processContext() PURE;
+
+  /**
+   * @return the bootstrap Envoy started with.
+   */
+  virtual const envoy::config::bootstrap::v3::Bootstrap& bootstrap() const PURE;
 };
 
 using ApiPtr = std::unique_ptr<Api>;

envoy/buffer/BUILD

@@ -16,6 +16,7 @@ envoy_cc_library(
     ],
     deps = [
         "//envoy/api:os_sys_calls_interface",
+        "//envoy/http:stream_reset_handler_interface",
         "//source/common/common:assert_lib",
         "//source/common/common:byte_order_lib",
         "//source/common/common:utility_lib",

envoy/buffer/buffer.h

@@ -9,6 +9,7 @@
 #include "envoy/common/exception.h"
 #include "envoy/common/platform.h"
 #include "envoy/common/pure.h"
+#include "envoy/http/stream_reset_handler.h"
 
 #include "source/common/common/assert.h"
 #include "source/common/common/byte_order.h"
@@ -109,6 +110,19 @@ class BufferMemoryAccount {
    * @param amount the amount to credit.
    */
   virtual void credit(uint64_t amount) PURE;
+
+  /**
+   * Clears the associated downstream with this account.
+   * After this has been called, calls to reset the downstream become no-ops.
+   * Must be called before downstream is deleted.
+   */
+  virtual void clearDownstream() PURE;
+
+  /**
+   * Reset the downstream stream associated with this account. Resetting the downstream stream
+   * should trigger a reset of the corresponding upstream stream if it exists.
+   */
+  virtual void resetDownstream() PURE;
 };
 
 using BufferMemoryAccountSharedPtr = std::shared_ptr<BufferMemoryAccount>;
@@ -480,7 +494,8 @@ class Instance {
 using InstancePtr = std::unique_ptr<Instance>;
 
 /**
- * A factory for creating buffers which call callbacks when reaching high and low watermarks.
+ * An abstract factory for creating watermarked buffers and buffer memory
+ * accounts. The factory also supports tracking active memory accounts.
  */
 class WatermarkFactory {
 public:
@@ -497,6 +512,15 @@ class WatermarkFactory {
   virtual InstancePtr createBuffer(std::function<void()> below_low_watermark,
                                    std::function<void()> above_high_watermark,
                                    std::function<void()> above_overflow_watermark) PURE;
+
+  /**
+   * Create and returns a buffer memory account.
+   *
+   * @param reset_handler supplies the stream_reset_handler the account will
+   * invoke to reset the stream.
+   * @return a BufferMemoryAccountSharedPtr of the newly created account.
+   */
+  virtual BufferMemoryAccountSharedPtr createAccount(Http::StreamResetHandler& reset_handler) PURE;
 };
 
 using WatermarkFactoryPtr = std::unique_ptr<WatermarkFactory>;

envoy/http/BUILD

@@ -43,6 +43,7 @@ envoy_cc_library(
         ":header_map_interface",
         ":metadata_interface",
         ":protocol_interface",
+        ":stream_reset_handler_interface",
         "//envoy/buffer:buffer_interface",
         "//envoy/grpc:status",
         "//envoy/network:address_interface",
@@ -51,6 +52,11 @@ envoy_cc_library(
     ],
 )
 
+envoy_cc_library(
+    name = "stream_reset_handler_interface",
+    hdrs = ["stream_reset_handler.h"],
+)
+
 envoy_cc_library(
     name = "codes_interface",
     hdrs = ["codes.h"],

envoy/http/codec.h

@@ -11,6 +11,7 @@
 #include "envoy/http/header_map.h"
 #include "envoy/http/metadata_interface.h"
 #include "envoy/http/protocol.h"
+#include "envoy/http/stream_reset_handler.h"
 #include "envoy/network/address.h"
 #include "envoy/stream_info/stream_info.h"
 
@@ -263,32 +264,6 @@ class ResponseDecoder : public virtual StreamDecoder {
   virtual void dumpState(std::ostream& os, int indent_level = 0) const PURE;
 };
 
-/**
- * Stream reset reasons.
- */
-enum class StreamResetReason {
-  // If a local codec level reset was sent on the stream.
-  LocalReset,
-  // If a local codec level refused stream reset was sent on the stream (allowing for retry).
-  LocalRefusedStreamReset,
-  // If a remote codec level reset was received on the stream.
-  RemoteReset,
-  // If a remote codec level refused stream reset was received on the stream (allowing for retry).
-  RemoteRefusedStreamReset,
-  // If the stream was locally reset by a connection pool due to an initial connection failure.
-  ConnectionFailure,
-  // If the stream was locally reset due to connection termination.
-  ConnectionTermination,
-  // The stream was reset because of a resource overflow.
-  Overflow,
-  // Either there was an early TCP error for a CONNECT request or the peer reset with CONNECT_ERROR
-  ConnectError,
-  // Received payload did not conform to HTTP protocol.
-  ProtocolError,
-  // If the stream was locally reset by the Overload Manager.
-  OverloadManager
-};
-
 /**
  * Callbacks that fire against a stream.
  */
@@ -319,10 +294,8 @@ class StreamCallbacks {
 /**
  * An HTTP stream (request, response, and push).
  */
-class Stream {
+class Stream : public StreamResetHandler {
 public:
-  virtual ~Stream() = default;
-
   /**
    * Add stream callbacks.
    * @param callbacks supplies the callbacks to fire on stream events.
@@ -335,12 +308,6 @@ class Stream {
    */
   virtual void removeCallbacks(StreamCallbacks& callbacks) PURE;
 
-  /**
-   * Reset the stream. No events will fire beyond this point.
-   * @param reason supplies the reset reason.
-   */
-  virtual void resetStream(StreamResetReason reason) PURE;
-
   /**
    * Enable/disable further data from this stream.
    * Cessation of data may not be immediate. For example, for HTTP/2 this may stop further flow