Skip to content

Per connection local rate limiting #15843

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
htuch merged 374 commits into from
May 25, 2021
Merged

Per connection local rate limiting #15843

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
374 commits
Select commit Hold shift + click to select a range
dc475ff
server: fix TAP validation mode (#15932)
Apr 20, 2021
24ba562
Minor cleanup. (#16082)
KBaichoo Apr 20, 2021
476e5d7
Buffer: Track number of allocated bytes across buffers. (#15859)
KBaichoo Apr 20, 2021
e8f8e83
http: refactor out stream rate limiter to common (#14828)
nitgoy Apr 20, 2021
745bf66
grpc_json_transcoder: Switch tests to compare JSON objects (#16085)
nareddyt Apr 20, 2021
840742a
protos: Remove (more) redundant imports (#16086)
phlax Apr 21, 2021
edb7ab8
upgrade rules_go to v0.27.0 (#16065) (#16083)
QIvan Apr 21, 2021
9300cea
udp listener fuzzer (#15974)
DavidKorczynski Apr 21, 2021
b256ffd
Bring parity to the docker images on the install docs pages (#16038)
Apr 22, 2021
6351e40
xray: fix the default sampling rate for AWS X-Ray tracer (#15958)
Apr 22, 2021
5bdf0f9
runtime: remove HCM stream error runtime override (#16040)
akonradi Apr 22, 2021
efc3a07
tooling: Add all pytests checker (#16031)
phlax Apr 22, 2021
eca4c02
Update QUICHE dependency (#16100)
DavidSchinazi Apr 23, 2021
a79905a
Add a missing work to WASM filter doc (#16106)
peterj Apr 23, 2021
8656cd7
fix (#16135)
asraa Apr 23, 2021
6c77508
jwt_authn refactory: move threadlocal from JwksCache into JwksDataImp…
qiwzhang Apr 23, 2021
bbc11c2
Revert "honour routes timeout if max stream duration is set with out …
Apr 23, 2021
3d850ef
dependabot: Resolve updates (#16094)
phlax Apr 23, 2021
443def6
disable tls resumption (#16147)
danzh2010 Apr 23, 2021
35f35aa
api: Update xds_protocol doc to remove v2 and cleanup (#16097)
phlax Apr 24, 2021
b3e1702
Fix protoleak. (#16101)
KBaichoo Apr 26, 2021
564571a
python: Switch to exclusive list for flake8 (#16159)
phlax Apr 26, 2021
8719660
deprecating allow_500_after_100 (#16171)
alyssawilk Apr 26, 2021
9e43177
http: removing envoy.reloadable_features.unify_grpc_handling (#16173)
alyssawilk Apr 26, 2021
4e239f9
http3: turning up more tests (#16175)
alyssawilk Apr 26, 2021
9bfcf1a
metric service: add support for sending tags as labels (#16125)
Apr 26, 2021
489d66c
apple dns: fix crash on invalid dns name (#16028)
junr03 Apr 26, 2021
fcf83d8
docs: Update refs: v2 -> v3 (#16163)
phlax Apr 26, 2021
44e4e45
dependabot: Resolve updates (#16169)
phlax Apr 27, 2021
f38f0a7
Fix tests that link all extensions so that gcc can compile them (#16187)
yanavlasov Apr 27, 2021
0e95698
http: raise max_request_headers_kb limit to 8192 KiB (8MiB) from 96 K…
anirudhaps Apr 27, 2021
eb71d7b
grid: Add a new class for tracking alternate protocols for a connect…
RyanTheOptimist Apr 27, 2021
972758d
docs: Use intersphinx to map old versions and cleanup version history…
phlax Apr 27, 2021
8faa072
Make the members of Upstream::HostDescriptionImpl private. (#16192)
RyanTheOptimist Apr 27, 2021
1c3ec7a
DebugString() -> ShortDebugString() (#16172)
Apr 27, 2021
d1397ac
update zk filter proxy (#16190)
JaredTan95 Apr 27, 2021
91c8ca2
wasm: update proxy-wasm-cpp-host to use refactored code around runtim…
mathetake Apr 27, 2021
533254a
Build win32_scm_test with just core extensions (#16193)
yanavlasov Apr 27, 2021
9ff513b
configs: Validate dynamic xds config (#16145)
phlax Apr 27, 2021
61b464a
http: removing envoy.reloadable_features.http_match_on_all_headers (#…
alyssawilk Apr 28, 2021
2054d3e
h3 config examples (#15987)
alyssawilk Apr 28, 2021
e2c2280
wasm: use in_vm_context_created_ flag for http contexts. (#16202)
mathetake Apr 28, 2021
3ad96b8
Log actual admin port. (#16197)
Apr 28, 2021
0aec425
api: add NonForwardingAction route action type (#16144)
markdroth Apr 28, 2021
79afd6b
shellcheck: Enable and cleanup .github file (#16206)
phlax Apr 28, 2021
676588a
tracing: bump cpp2sky v0.2.1 (#15782)
Shikugawa Apr 28, 2021
fb2178e
http: removing envoy.reloadable_features.http_set_copy_replace_all_he…
alyssawilk Apr 28, 2021
e29dc13
owners: add @phlax as maintainer. (#16212)
htuch Apr 28, 2021
8cb5806
delta-xds: avoid sending resource names for wildcard requests on stre…
adisuissa Apr 28, 2021
99e941a
http: removing envoy.reloadable features.always apply route header ru…
alyssawilk Apr 28, 2021
9a00865
grid: Add a new class for tracking HTTP/3 status (#16067)
RyanTheOptimist Apr 28, 2021
e4eba7c
docs: Improve style for inline literals and update contrib guidance (…
phlax Apr 28, 2021
5876f6c
ext_proc: Support trailer callbacks (#16102)
gbrail Apr 29, 2021
ef28b68
http local_ratelimit: add request_headers_to_add option (#16178)
williamsfu99 Apr 29, 2021
0e4b716
Listener: respect the connection balancer of the redirected listener …
lambdai Apr 29, 2021
725816f
server: fix fips_mode stat (#16140)
raakella Apr 29, 2021
83500a7
http: port stripping for CONNECT (#15975)
alyssawilk Apr 29, 2021
2960c69
quiche: use max header size configured in HCM (#15912)
danzh2010 Apr 29, 2021
67eb5e2
quiche: handle stream blockage during decodeHeaders and decodeTrailer…
danzh2010 Apr 29, 2021
875e059
runtime: refresh QUIC flags when a new runtime config is loaded. (#16…
RenjieTang Apr 29, 2021
8c7e0c0
test: Deflake tsan //test/integration:integration_test (#16238)
yanavlasov Apr 29, 2021
98fb985
add %REQUEST_TX_DURATION% to the access log (#16207)
WeavingGao Apr 29, 2021
37d353f
tools: (mostly) enforcing flag alpha order (#16182)
alyssawilk Apr 29, 2021
32f82c5
python: Revert buggy gitpython version (#16156)
phlax Apr 30, 2021
44bbf4d
wasm: update V8 to v9.1.269.18. (#16220)
PiotrSikora Apr 30, 2021
443fdc9
hcm config: Reject filterchains with unmet decode dependencies (#15462)
Apr 30, 2021
174431b
Config proto for Secure Session Agent (S2A) transport socket extensio…
tavishvaidya Apr 30, 2021
166241d
Typo in test comment and release note (#16245)
Apr 30, 2021
707d3b9
Fix warning in the docs (#16242)
Apr 30, 2021
aa4832e
Matcher: add a "not" matcher (#16149)
aguinet Apr 30, 2021
93ca37a
wasm: Simplify example config and fix docs (#16142)
phlax Apr 30, 2021
0cb5c40
protos: Move simple_http_cache config proto to api (#16230)
phlax May 2, 2021
263a0a8
docs: add fuzzing improvement report. (#16232)
DavidKorczynski May 2, 2021
3df15d2
tls: update BoringSSL to c5ad6dcb (4491). (#16104)
PiotrSikora May 2, 2021
c2dd672
docs: Remove api v2 (#16077)
phlax May 2, 2021
8119596
udp: add new key based hash policy (#15967)
davidkornel May 3, 2021
7366497
Adding distroless image to Envoy CI pipeline (#16268)
oleksiyp May 3, 2021
fcf28ca
http3: respecting header number limits (#15970)
alyssawilk May 3, 2021
bcf0348
dns_cache: Remove getCacheManager() (#16273)
RyanTheOptimist May 3, 2021
ac1d176
protos: Update style guide to try and prevent redundant imports (#16231)
phlax May 3, 2021
cfa681a
thrift_proxy router: fix bug when charging upstream rq_time before (#…
williamsfu99 May 3, 2021
b5be190
docs: Cleanup inline literals (#16280)
phlax May 3, 2021
a921fee
quiche: make flow control configurable (#15865)
danzh2010 May 3, 2021
33ee0c4
bootstrap/runtime: remove support for v2 bootstrap runtime field. (#1…
htuch May 4, 2021
d2f6f8f
tools: allow generate_go_protobuf.py to skip syncing with go-control-…
jamesmulcahy May 4, 2021
7bbec8c
access_log: refactored SubstitutionFormatParser::parseCommand (#16121)
cpakulski May 4, 2021
fe8d26e
[filter]: Add option to disable fault filter stats that trace downstr…
chaoqin-li1123 May 4, 2021
fdfd990
http3: turn up the last upstream tests! (#16279)
alyssawilk May 4, 2021
5ca8184
quic: fix missing cast in assertions (#16301)
goaway May 4, 2021
dfcc7bb
docs: fix type_url for v3.TlsInspector (#16290)
ch-plattner May 4, 2021
89ed219
alts: Fix TsiSocket doWrite on short writes (#15962)
yihuazhang May 4, 2021
8f0f92f
dependabot: Aggregate updates (#16228)
phlax May 4, 2021
7efd4fa
udp: log when BPF is not attempted (#16304)
alyssawilk May 4, 2021
0082d5a
per conn rate limiting
Apr 2, 2021
d202a27
proto changes
Apr 5, 2021
dd5eaf5
Use dispatcher from filter_config
Apr 6, 2021
8c85cec
fix format
Apr 7, 2021
199cb5a
generate api shadow file
Apr 8, 2021
0dd325d
Copy the proto config object
Apr 9, 2021
f00c9fd
clang_tidy format
Apr 9, 2021
c93f6fe
refactor method name
Apr 13, 2021
9b4fef0
add tests
Apr 20, 2021
eccaba5
add unit tests
Apr 22, 2021
ad0242d
Add doc for the proto changes
Apr 23, 2021
8711bd4
use thread local event disptacher
Apr 26, 2021
9e9dfab
refactor config name to be more descriptive
May 3, 2021
a857dd3
eliminate full proto copy and store individual fields under FilterCon…
May 3, 2021
6b0235c
add docs and fix format
May 3, 2021
0417587
Remove auto generated changes to api/BUILD file due to the v2 freeze
May 4, 2021
e6408bb
per conn rate limiting
Apr 2, 2021
9f17367
Use dispatcher from filter_config
Apr 6, 2021
2f603d8
fix format
Apr 7, 2021
562be5e
Copy the proto config object
Apr 9, 2021
add870b
clang_tidy format
Apr 9, 2021
6bf6698
refactor method name
Apr 13, 2021
f7aa00d
use thread local event disptacher
Apr 26, 2021
f712bc8
eliminate full proto copy and store individual fields under FilterCon…
May 3, 2021
0dd2f98
add docs and fix format
May 3, 2021
454fa95
Remove auto generated changes to api/BUILD file due to the v2 freeze
May 4, 2021
65fb735
per conn rate limiting
Apr 2, 2021
ed858b4
proto changes
Apr 5, 2021
badf219
Use dispatcher from filter_config
Apr 6, 2021
26e73c4
fix format
Apr 7, 2021
8e338b2
generate api shadow file
Apr 8, 2021
fbcf203
Copy the proto config object
Apr 9, 2021
33bedd1
clang_tidy format
Apr 9, 2021
0566b86
refactor method name
Apr 13, 2021
762fb6a
add tests
Apr 20, 2021
5a91170
add unit tests
Apr 22, 2021
633098c
Add doc for the proto changes
Apr 23, 2021
1ab6a0c
use thread local event disptacher
Apr 26, 2021
44ae575
refactor config name to be more descriptive
May 3, 2021
1741a79
eliminate full proto copy and store individual fields under FilterCon…
May 3, 2021
50307b6
add docs and fix format
May 3, 2021
41fd116
Remove auto generated changes to api/BUILD file due to the v2 freeze
May 4, 2021
1ff2c4b
per conn rate limiting
Apr 2, 2021
2916b64
proto changes
Apr 5, 2021
27460f6
Use dispatcher from filter_config
Apr 6, 2021
bc12ea0
fix format
Apr 7, 2021
64bb450
generate api shadow file
Apr 8, 2021
cdf57ee
Copy the proto config object
Apr 9, 2021
bb2e153
clang_tidy format
Apr 9, 2021
0e17903
refactor method name
Apr 13, 2021
f921dc5
add tests
Apr 20, 2021
4e54def
add unit tests
Apr 22, 2021
99a6c6c
Add doc for the proto changes
Apr 23, 2021
74fcf4e
use thread local event disptacher
Apr 26, 2021
8e9880a
refactor config name to be more descriptive
May 3, 2021
eacc127
eliminate full proto copy and store individual fields under FilterCon…
May 3, 2021
13577b9
add docs and fix format
May 3, 2021
c014687
Remove auto generated changes to api/BUILD file due to the v2 freeze
May 4, 2021
f75eb68
Return a reference to LocalRateLimiterImpl instead of a shared_ptr
May 5, 2021
f5bae8e
wasm: fix support for non-cloneable Wasm runtimes. (#16263)
PiotrSikora May 4, 2021
a57014f
wasm: fix fail-close streams on VM failure. (#16112)
mathetake May 4, 2021
0e2843c
Win32 docs FAQ (#16176)
May 5, 2021
eb93f69
skywalking: skip gRPC cluster validation by default (#16203)
Shikugawa May 5, 2021
ded5417
skywalking: fix string_view UB while span reporting (#16264)
Shikugawa May 5, 2021
06aa1d8
http::cache: Adds serving HEAD requests from cache. (#15910)
ekiziv May 5, 2021
3146b6a
remove backtrace (#16285)
danzh2010 May 5, 2021
e5065e7
api: Fix generated_api_shadow BUILD (#16330)
phlax May 5, 2021
7eae147
quic: add support for client-side QUIC 0-RTT (#16260)
DavidSchinazi May 5, 2021
d522352
listener: allow changing address (#16134)
tbarrella May 5, 2021
59bd835
protos: Readd v2 legacy protos in v3 (#16338)
phlax May 5, 2021
5d3f343
Support starttls for client connections (#15443)
May 5, 2021
3ce48c8
ext_proc: Support clearing the route cache (#16288)
gbrail May 5, 2021
24be394
test: disabling flaky test (#16341)
alyssawilk May 5, 2021
b6e3303
Cleanup: Remove WatermarkBuffer::setWatermarks(low,high). (#16307)
KBaichoo May 5, 2021
188b61f
delta-xds: avoid sending resource names for wildcard requests on stre…
adisuissa Apr 28, 2021
70ee15b
ext_proc: Support trailer callbacks (#16102)
gbrail Apr 29, 2021
47380a8
http local_ratelimit: add request_headers_to_add option (#16178)
williamsfu99 Apr 29, 2021
14b1705
Listener: respect the connection balancer of the redirected listener …
lambdai Apr 29, 2021
f68f942
quiche: use max header size configured in HCM (#15912)
danzh2010 Apr 29, 2021
cda66d3
quiche: handle stream blockage during decodeHeaders and decodeTrailer…
danzh2010 Apr 29, 2021
c452d32
docs: Remove api v2 (#16077)
phlax May 2, 2021
6ace0e0
http3: respecting header number limits (#15970)
alyssawilk May 3, 2021
7bf71a4
quiche: make flow control configurable (#15865)
danzh2010 May 3, 2021
47d4acc
http3: turn up the last upstream tests! (#16279)
alyssawilk May 4, 2021
4c8af40
per conn rate limiting
Apr 2, 2021
b7db037
proto changes
Apr 5, 2021
6966d3e
Use dispatcher from filter_config
Apr 6, 2021
eda8994
fix format
Apr 7, 2021
a0afd00
generate api shadow file
Apr 8, 2021
99849a0
Copy the proto config object
Apr 9, 2021
1ab83de
clang_tidy format
Apr 9, 2021
420fa93
refactor method name
Apr 13, 2021
22e72c9
add tests
Apr 20, 2021
c67e4ba
add unit tests
Apr 22, 2021
aeeae43
Add doc for the proto changes
Apr 23, 2021
b2322d5
use thread local event disptacher
Apr 26, 2021
1bb38e4
refactor config name to be more descriptive
May 3, 2021
09ff689
eliminate full proto copy and store individual fields under FilterCon…
May 3, 2021
1ac2759
add docs and fix format
May 3, 2021
4c85898
Remove auto generated changes to api/BUILD file due to the v2 freeze
May 4, 2021
9a4dd7b
per conn rate limiting
Apr 2, 2021
c0944a6
Use dispatcher from filter_config
Apr 6, 2021
45a3a17
fix format
Apr 7, 2021
a5d5136
Copy the proto config object
Apr 9, 2021
33cf77c
clang_tidy format
Apr 9, 2021
89ba8f7
refactor method name
Apr 13, 2021
adddd73
use thread local event disptacher
Apr 26, 2021
1a995bb
eliminate full proto copy and store individual fields under FilterCon…
May 3, 2021
cbc0a36
add docs and fix format
May 3, 2021
7b8c058
Remove auto generated changes to api/BUILD file due to the v2 freeze
May 4, 2021
8522075
per conn rate limiting
Apr 2, 2021
6de3b44
proto changes
Apr 5, 2021
293060d
Use dispatcher from filter_config
Apr 6, 2021
5febd9c
fix format
Apr 7, 2021
c8e32e2
generate api shadow file
Apr 8, 2021
d64c987
Copy the proto config object
Apr 9, 2021
671559b
clang_tidy format
Apr 9, 2021
df340bf
refactor method name
Apr 13, 2021
ffe87db
add tests
Apr 20, 2021
1e44f09
add unit tests
Apr 22, 2021
bebdce7
Add doc for the proto changes
Apr 23, 2021
0b047ae
use thread local event disptacher
Apr 26, 2021
4603b74
refactor config name to be more descriptive
May 3, 2021
9d95544
eliminate full proto copy and store individual fields under FilterCon…
May 3, 2021
5861909
add docs and fix format
May 3, 2021
7ca878b
Remove auto generated changes to api/BUILD file due to the v2 freeze
May 4, 2021
39c389f
per conn rate limiting
Apr 2, 2021
d44697c
proto changes
Apr 5, 2021
aab4d01
Use dispatcher from filter_config
Apr 6, 2021
e405cf9
fix format
Apr 7, 2021
e061e08
generate api shadow file
Apr 8, 2021
d7471ea
Copy the proto config object
Apr 9, 2021
14d6198
clang_tidy format
Apr 9, 2021
de06957
refactor method name
Apr 13, 2021
a8b8d4c
add tests
Apr 20, 2021
1d36b8c
add unit tests
Apr 22, 2021
ea3fe62
Add doc for the proto changes
Apr 23, 2021
57bd864
use thread local event disptacher
Apr 26, 2021
fc0415e
refactor config name to be more descriptive
May 3, 2021
52ffa87
eliminate full proto copy and store individual fields under FilterCon…
May 3, 2021
7525e6d
add docs and fix format
May 3, 2021
d4e077a
Remove auto generated changes to api/BUILD file due to the v2 freeze
May 4, 2021
2e77edd
Return a reference to LocalRateLimiterImpl instead of a shared_ptr
May 5, 2021
323eb26
http::cache: Adds serving HEAD requests from cache. (#15910)
ekiziv May 5, 2021
95d8f9a
api: Fix generated_api_shadow BUILD (#16330)
phlax May 5, 2021
318c4dc
quic: add support for client-side QUIC 0-RTT (#16260)
DavidSchinazi May 5, 2021
b076788
listener: allow changing address (#16134)
tbarrella May 5, 2021
8a53a6d
protos: Readd v2 legacy protos in v3 (#16338)
phlax May 5, 2021
a1d6427
ext_proc: Support clearing the route cache (#16288)
gbrail May 5, 2021
43648c2
test: disabling flaky test (#16341)
alyssawilk May 5, 2021
9c76913
Merge branch 'perconn_rl_15637' of github.com:gokulnair/envoy into pe…
May 6, 2021
c1d49bf
Fix version history doc
May 6, 2021
2d12dae
resolve merge conflict
May 6, 2021
c288dc6
code style changes
May 11, 2021
a6b15b0
Merge remote-tracking branch 'origin/main' into perconn_rl_15637
May 20, 2021
d994fee
docs and cleanup
May 21, 2021
b2b2d67
api shadow file
May 21, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 10 additions & 1 deletion api/envoy/extensions/filters/http/local_ratelimit/v3/local_rate_limit.proto
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
// Local Rate limit :ref:`configuration overview <config_http_filters_local_rate_limit>`.
// [#extension: envoy.filters.http.local_ratelimit]

// [#next-free-field: 11]
// [#next-free-field: 12]
message LocalRateLimit {
// The human readable prefix to use when emitting stats.
string stat_prefix = 1 [(validate.rules).string = {min_len: 1}];
Expand Down Expand Up @@ -97,4 +97,13 @@ message LocalRateLimit {
//
// The filter supports a range of 0 - 10 inclusively for stage numbers.
uint32 stage = 9 [(validate.rules).uint32 = {lte: 10}];

// Specifies the scope of the rate limiter's token bucket.
// If set to false, the token bucket is shared across all worker threads,
// thus the rate limits are applied per Envoy process.
// If set to true, a token bucket is allocated for each connection.
// Thus the rate limits are applied per connection thereby allowing
// one to rate limit requests on a per connection basis.
// If unspecified, the default value is false.
bool local_rate_limit_per_downstream_connection = 11;
Copy link
Copy Markdown
Contributor

@antoniovicente antoniovicente May 20, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it possible for a proxy to have both per-process and per downstream connection rate limits, or just one or the other?

Another potential question is if we should consider some additional rate limit criteria in the future like downstream IP or HTTP Cookie. If we expect additional criteria in the future, we may want to make this an enum field.

Copy link
Copy Markdown
Contributor Author

@gokulnair gokulnair May 20, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's definitely one or the other as it stands currently as I'm not sure the added complexity of dealing with potentially conflicting token bucket quotas between the per process and per connection configurations and the precedence rules we'd have to handle buys us much in the way of functionality.

We did indeed consider an enum initially but it didn't seem like there were very many realistic use cases mainly because a lot of the toggles that were based on certain request characteristics such as IP, Cookie etc can be handled today by rate limiting on request descriptors ...

}
6 changes: 4 additions & 2 deletions docs/root/configuration/http/http_filters/local_rate_limit_filter.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,8 +22,9 @@ configured to be returned.
<envoy_v3_api_field_extensions.filters.http.local_ratelimit.v3.LocalRateLimit.request_headers_to_add_when_not_enforced>` can be
configured to be added to forwarded requests to the upstream when the local rate limit filter is enabled but not enforced.

.. note::
The token bucket is shared across all workers, thus the rate limits are applied per Envoy process.
Depending on the value of the config :ref:`local_rate_limit_per_downstream_connection <envoy_v3_api_field_extensions.filters.http.local_ratelimit.v3.LocalRateLimit.local_rate_limit_per_downstream_connection>`,
the token bucket is either shared across all workers or on a per connection basis. This results in the local rate limits being applied either per Envoy process or per downstream connection.
By default the rate limits are applied per Envoy process.

Example configuration
---------------------
Expand Down Expand Up @@ -55,6 +56,7 @@ Example filter configuration for a globally set rate limiter (e.g.: all vhosts/r
header:
key: x-local-rate-limit
value: 'true'
local_rate_limit_per_downstream_connection: false


Example filter configuration for a globally disabled rate limiter but enabled for a specific route:
Expand Down
1 change: 1 addition & 0 deletions docs/root/version_history/current.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -73,6 +73,7 @@ New Features
* http: added the ability to :ref:`unescape slash sequences<envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.path_with_escaped_slashes_action>` in the path. Requests with unescaped slashes can be proxied, rejected or redirected to the new unescaped path. By default this feature is disabled. The default behavior can be overridden through :ref:`http_connection_manager.path_with_escaped_slashes_action<config_http_conn_man_runtime_path_with_escaped_slashes_action>` runtime variable. This action can be selectively enabled for a portion of requests by setting the :ref:`http_connection_manager.path_with_escaped_slashes_action_sampling<config_http_conn_man_runtime_path_with_escaped_slashes_action_enabled>` runtime variable.
* http: added upstream and downstream alpha HTTP/3 support! See :ref:`quic_options <envoy_v3_api_field_config.listener.v3.UdpListenerConfig.quic_options>` for downstream and the new http3_protocol_options in :ref:`http_protocol_options <envoy_v3_api_msg_extensions.upstreams.http.v3.HttpProtocolOptions>` for upstream HTTP/3.
* listener: added ability to change an existing listener's address.
* local_rate_limit_filter: added suppoort for locally rate limiting http requests on a per connection basis. This can be enabled by setting the :ref:`local_rate_limit_per_downstream_connection <envoy_v3_api_field_extensions.filters.http.local_ratelimit.v3.LocalRateLimit.local_rate_limit_per_downstream_connection>` field to true.
* metric service: added support for sending metric tags as labels. This can be enabled by setting the :ref:`emit_tags_as_labels <envoy_v3_api_field_config.metrics.v3.MetricsServiceConfig.emit_tags_as_labels>` field to true.
* tcp: added support for :ref:`preconnecting <v1.18.0:envoy_v3_api_msg_config.cluster.v3.Cluster.PreconnectPolicy>`. Preconnecting is off by default, but recommended for clusters serving latency-sensitive traffic.
* udp_proxy: added :ref:`key <envoy_v3_api_msg_extensions.filters.udp.udp_proxy.v3.UdpProxyConfig.HashPolicy>` as another hash policy to support hash based routing on any given key.
Expand Down
11 changes: 10 additions & 1 deletion generated_api_shadow/envoy/extensions/filters/http/local_ratelimit/v3/local_rate_limit.proto
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

46 changes: 40 additions & 6 deletions source/extensions/filters/http/local_ratelimit/local_ratelimit.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,18 +13,24 @@ namespace Extensions {
namespace HttpFilters {
namespace LocalRateLimitFilter {

const std::string& PerConnectionRateLimiter::key() {
CONSTRUCT_ON_FIRST_USE(std::string, "per_connection_local_rate_limiter");
}

FilterConfig::FilterConfig(
const envoy::extensions::filters::http::local_ratelimit::v3::LocalRateLimit& config,
const LocalInfo::LocalInfo& local_info, Event::Dispatcher& dispatcher, Stats::Scope& scope,
Runtime::Loader& runtime, const bool per_route)
: status_(toErrorCode(config.status().code())),
stats_(generateStats(config.stat_prefix(), scope)),
fill_interval_(std::chrono::milliseconds(
PROTOBUF_GET_MS_OR_DEFAULT(config.token_bucket(), fill_interval, 0))),
max_tokens_(config.token_bucket().max_tokens()),
tokens_per_fill_(PROTOBUF_GET_WRAPPED_OR_DEFAULT(config.token_bucket(), tokens_per_fill, 1)),
descriptors_(config.descriptors()),
rate_limit_per_connection_(config.local_rate_limit_per_downstream_connection()),
rate_limiter_(Filters::Common::LocalRateLimit::LocalRateLimiterImpl(
std::chrono::milliseconds(
PROTOBUF_GET_MS_OR_DEFAULT(config.token_bucket(), fill_interval, 0)),
config.token_bucket().max_tokens(),
PROTOBUF_GET_WRAPPED_OR_DEFAULT(config.token_bucket(), tokens_per_fill, 1), dispatcher,
config.descriptors())),
fill_interval_, max_tokens_, tokens_per_fill_, dispatcher, descriptors_)),
local_info_(local_info), runtime_(runtime),
filter_enabled_(
config.has_filter_enabled()
Expand Down Expand Up @@ -84,7 +90,7 @@ Http::FilterHeadersStatus Filter::decodeHeaders(Http::RequestHeaderMap& headers,
populateDescriptors(descriptors, headers);
}

if (config->requestAllowed(descriptors)) {
if (requestAllowed(descriptors)) {
config->stats().ok_.inc();
return Http::FilterHeadersStatus::Continue;
}
Expand All @@ -109,6 +115,34 @@ Http::FilterHeadersStatus Filter::decodeHeaders(Http::RequestHeaderMap& headers,
return Http::FilterHeadersStatus::StopIteration;
}

bool Filter::requestAllowed(absl::Span<const RateLimit::LocalDescriptor> request_descriptors) {
const auto* config = getConfig();
return config->rateLimitPerConnection()
? getPerConnectionRateLimiter().requestAllowed(request_descriptors)
: config->requestAllowed(request_descriptors);
}

const Filters::Common::LocalRateLimit::LocalRateLimiterImpl& Filter::getPerConnectionRateLimiter() {
const auto* config = getConfig();
Copy link
Copy Markdown
Member

@rgs1 rgs1 May 10, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

move this closer to where it's used, e.g.: just before decoder_callbacks_->streamInfo().filterState()->setData()

Copy link
Copy Markdown
Contributor Author

@gokulnair gokulnair May 21, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Moved it back up a couple of lines to add an assertion.

ASSERT(config->rateLimitPerConnection());

if (!decoder_callbacks_->streamInfo().filterState()->hasData<PerConnectionRateLimiter>(
PerConnectionRateLimiter::key())) {
decoder_callbacks_->streamInfo().filterState()->setData(
PerConnectionRateLimiter::key(),
std::make_unique<PerConnectionRateLimiter>(
config->fillInterval(), config->maxTokens(), config->tokensPerFill(),
decoder_callbacks_->dispatcher(), config->descriptors()),
StreamInfo::FilterState::StateType::ReadOnly,
StreamInfo::FilterState::LifeSpan::Connection);
}

return decoder_callbacks_->streamInfo()
.filterState()
->getDataReadOnly<PerConnectionRateLimiter>(PerConnectionRateLimiter::key())
.value();
}

void Filter::populateDescriptors(std::vector<RateLimit::LocalDescriptor>& descriptors,
Http::RequestHeaderMap& headers) {
Router::RouteConstSharedPtr route = decoder_callbacks_->route();
Expand Down
35 changes: 35 additions & 0 deletions source/extensions/filters/http/local_ratelimit/local_ratelimit.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,23 @@ struct LocalRateLimitStats {
ALL_LOCAL_RATE_LIMIT_STATS(GENERATE_COUNTER_STRUCT)
};

class PerConnectionRateLimiter : public StreamInfo::FilterState::Object {
public:
PerConnectionRateLimiter(
const std::chrono::milliseconds& fill_interval, uint32_t max_tokens, uint32_t tokens_per_fill,
Envoy::Event::Dispatcher& dispatcher,
const Protobuf::RepeatedPtrField<
envoy::extensions::common::ratelimit::v3::LocalRateLimitDescriptor>& descriptor)
: rate_limiter_(fill_interval, max_tokens, tokens_per_fill, dispatcher, descriptor) {}
static const std::string& key();
const Filters::Common::LocalRateLimit::LocalRateLimiterImpl& value() const {
return rate_limiter_;
}

private:
Filters::Common::LocalRateLimit::LocalRateLimiterImpl rate_limiter_;
};

/**
* Global configuration for the HTTP local rate limit filter.
*/
Expand All @@ -62,6 +79,15 @@ class FilterConfig : public Router::RouteSpecificFilterConfig {
Http::Code status() const { return status_; }
uint64_t stage() const { return stage_; }
bool hasDescriptors() const { return has_descriptors_; }
const std::chrono::milliseconds& fillInterval() const { return fill_interval_; }
uint32_t maxTokens() const { return max_tokens_; }
uint32_t tokensPerFill() const { return tokens_per_fill_; }
const Protobuf::RepeatedPtrField<
envoy::extensions::common::ratelimit::v3::LocalRateLimitDescriptor>&
descriptors() const {
return descriptors_;
}
bool rateLimitPerConnection() const { return rate_limit_per_connection_; }

private:
friend class FilterTest;
Expand All @@ -78,6 +104,13 @@ class FilterConfig : public Router::RouteSpecificFilterConfig {

const Http::Code status_;
mutable LocalRateLimitStats stats_;
const std::chrono::milliseconds fill_interval_;
const uint32_t max_tokens_;
const uint32_t tokens_per_fill_;
const Protobuf::RepeatedPtrField<
envoy::extensions::common::ratelimit::v3::LocalRateLimitDescriptor>
descriptors_;
const bool rate_limit_per_connection_;
Filters::Common::LocalRateLimit::LocalRateLimiterImpl rate_limiter_;
const LocalInfo::LocalInfo& local_info_;
Runtime::Loader& runtime_;
Expand Down Expand Up @@ -108,6 +141,8 @@ class Filter : public Http::PassThroughFilter {

void populateDescriptors(std::vector<RateLimit::LocalDescriptor>& descriptors,
Http::RequestHeaderMap& headers);
const Filters::Common::LocalRateLimit::LocalRateLimiterImpl& getPerConnectionRateLimiter();
bool requestAllowed(absl::Span<const RateLimit::LocalDescriptor> request_descriptors);

const FilterConfig* getConfig() const;
FilterConfigSharedPtr config_;
Expand Down
Loading