IP Matcher on a list of CIDR ranges #16592
Signed-off-by: Adrien Guinet <adrien@reblaze.com>
CC @envoyproxy/api-shepherds: Your approval is needed for changes made to
I have a question about https://github.com/envoyproxy/envoy/pull/16592/files#diff-2b3a93adfb5a23333aaf5113d8a99f142a8187735140781c49aeacd8c6c03795R23 : according to envoy/source/common/network/cidr_range.h Lines 76 to 84 in d304a2f CidrRange::create can return an invalid range, hence this check.
The "problem" is that I didn't manage to create such an invalid range. Indeed, if an invalid IP address prefix is given, envoy/source/common/network/cidr_range.cc Lines 104 to 114 in d304a2f truncateIpAddressAndLength, I don't see how an invalid range could be returned, because parseInternetAddress will throw if it doesn't return an ipv4/ipv6 address (according to envoy/source/common/network/utility.cc Lines 129 to 155 in d304a2f). Am I missing a corner case? Thanks!
adisuissa left a comment
API review - overall looks good, couple of small comments.
| // the paper `IP-address lookup using LC-tries | ||
| // <https://www.nada.kth.se/~snilsson/publications/IP-address-lookup-using-LC-tries/>`_ | ||
| // by S. Nilsson and G. Karlsson. | ||
| message IP { |
Naming convention suggests this should be Ip.
| // <https://www.nada.kth.se/~snilsson/publications/IP-address-lookup-using-LC-tries/>`_ | ||
| // by S. Nilsson and G. Karlsson. | ||
| message IP { | ||
| // Match if the IP belongs to any of these CIDR ranges |
nit: end comments with a period.
Fixed in 16c5477. Thanks for the review!
Review by @adisuissa Signed-off-by: Adrien Guinet <adrien@reblaze.com>
There's something I'm not sure I should fix in the CI: https://dev.azure.com/cncf/envoy/_build/results?buildId=77178&view=logs&j=91e633a5-4907-5da1-5862-92a79fe2387a&t=f29e24e7-a093-5724-80bd-d79975d268cb&l=295 tells me that I shouldn't add Is there an error message I am missing? cc @adisuissa
snowp left a comment
Thanks for adding this! Looks pretty good overall, just a few comments
cc @phlax
hi @aguinet - we can probs improve the error messaging here the problem is that the extension needs to be added to the error is here https://dev.azure.com/cncf/envoy/_build/results?buildId=77574&view=logs&j=c5dd2866-6ab3-5f3c-3a44-4cef0ec909b5&t=a9eb66d6-8944-5769-b3f7-476949dadcb8&l=469 this interface/registration has just changed - so the ci link you posted is now out-of-date
Thanks a lot @phlax for the hints! I added the extension to
snowp left a comment
Thanks, this is looking good, just a few more comments.
Could you also add a release note for this extension?
| } | ||
|
|
||
| return std::make_unique<Matcher>(std::move(ranges)); | ||
| const auto stat_prefix = ip_config.stat_prefix(); |
nit: this incurs an additional copy, either const auto& or just pass this inline
Fixed in 551ddcb, by using an explicit string_view
| if (stats_) { | ||
| stats_->ip_parsing_failed_.inc(); | ||
| } | ||
| ENVOY_LOG(warn, "IP matcher: unable to parse address '{}'", ip_str); |
I'd suggest dropping this down to debug or using one of the rate limited loggers, this could be extremely spammy if deployed with bad configuration which would impact proxy performance.
| // If specified, emits statistics using this prefix. | ||
| string stat_prefix = 2; |
Could we include docs that explain what stats are emitted? Normally we'd have a RST page explaining this extension, but I think inlining these docs in the proto file is fine for now
| if (!stat_prefix.empty()) { | ||
| stats_.emplace(generateStats(stat_prefix, stat_scope)); | ||
| } |
I think it's more common to emit stats by default for extensions, so maybe make stats_prefix required so that it's always set? Or is there a good reason to avoid emitting this stat?
I've seen this in another extension, so I just made the same :) I have no other rationale than this, I'm happy to make it mandatory!
@snowp I merged with main. I have a question though. In ff91bae#diff-2b3a93adfb5a23333aaf5113d8a99f142a8187735140781c49aeacd8c6c03795R30, is the reference to Edit: release note in ea28e0d
Can you look at coverage? Seems like the build is failing due to this new code being slightly below the coverage threshold /wait
So the coverage problem is that I don't reach https://github.com/envoyproxy/envoy/pull/16592/files#diff-2b3a93adfb5a23333aaf5113d8a99f142a8187735140781c49aeacd8c6c03795R24. It is basically the issue I explain here #16592 (comment). I can remove the check, but I would like another POV on this :)
It seems like isValid just checks that the length is greater than 0, is it possible to hit that? If not, I think we can just replace it with an ASSERT with a comment explaining why this can't happen
I didn't manage to hit it. We always at least have one IP (with /32 on ipv4 for instance). I added an ASSERT with a comment here ff53fe4
adisuissa left a comment
/lgtm api
Added a suggestion to clarify docs.
| // The human readable prefix to use when emitting statistics for the IP input | ||
| // matcher. | ||
| // |
Nit: clarify that the following counters will be concatenated to the stat_prefix
LGTM with @adisuissa's nit
Suggestion by @adisuissa Signed-off-by: Adrien Guinet <adrien@reblaze.com>
/lgtm api
Okay I forgot to regenerate the API.. Will fix it soon
Fixed in 13fd781
Thanks for the merge and everyone for the reviews!
Input matcher that checks that an IP{v4,v6} belongs to a list of CIDR ranges
Signed-off-by: Adrien Guinet <adrien@reblaze.com>
Signed-off-by: chris.xin <xinchuantao@qq.com>
Commit Message: Input matcher that checks that an IP{v4,v6} belongs to a list of CIDR ranges
Additional Description:
This input matcher takes an IPv4 or v6 address as input and returns true if it belongs to a list of given CIDR ranges. It uses the existing LcTrie facility.
See issue #16568
Risk Level: Medium
Testing: Unit tests for the extension are added
Docs Changes: N/A
Release Notes: N/A
Platform Specific Features: N/A
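
The matching behaviour described above, as an added example that is not code from this PR or from Envoy: ranges are stored with their host bits cleared, and an address matches when masking it to a range's prefix length reproduces that range. Assumptions: a linear scan replaces the LcTrie, a parse failure is counted and treated as no match, and `Cidr`, `masked`, `parseCidr` and `IpMatcher` are hypothetical names.

```cpp
// Added example, not Envoy code; every name below is hypothetical.
#include <arpa/inet.h>
#include <array>
#include <string>
#include <vector>

struct Cidr { int family; std::array<unsigned char, 16> addr; int len; };
// c with prefix length len and all host bits cleared (10.1.2.3/8 -> 10.0.0.0/8).
Cidr masked(Cidr c, int len) {
  c.len = len;
  for (int bit = len; bit < (c.family == AF_INET ? 32 : 128); ++bit)
    c.addr[bit / 8] &= ~(0x80 >> (bit % 8));
  return c;
}
// Parse "addr" or "addr/len" (IPv4 or IPv6) into c; false on malformed input.
bool parseCidr(const std::string& s, Cidr& c) {
  const auto slash = s.find('/');
  const std::string ip = s.substr(0, slash);
  c = Cidr{AF_INET, {}, 32};
  if (inet_pton(AF_INET, ip.c_str(), c.addr.data()) != 1) {
    c = Cidr{AF_INET6, {}, 128};
    if (inet_pton(AF_INET6, ip.c_str(), c.addr.data()) != 1) return false;
  }
  if (slash != std::string::npos) {
    const std::string len = s.substr(slash + 1);
    if (len.empty() || len.size() > 3 || len.find_first_not_of("0123456789") != len.npos ||
        std::stoi(len) > c.len) return false;
    c = masked(c, std::stoi(len));
  }
  return true;
}

struct IpMatcher {
  std::vector<Cidr> ranges;     // linear scan here; the PR uses Envoy's LcTrie
  unsigned parsing_failed = 0;  // stands in for the ip_parsing_failed_ counter
  // True if ip lies in any range; unparseable input is counted, never matched.
  bool match(const std::string& ip) {
    Cidr in;
    if (ip.find('/') != ip.npos || !parseCidr(ip, in)) { ++parsing_failed; return false; }
    for (const Cidr& r : ranges)
      if (r.family == in.family && masked(in, r.len).addr == r.addr) return true;
    return false;
  }
};
int main() {  // exit status 0 when the constructed sample lookup matches
  IpMatcher m;
  m.ranges.resize(1);
  return parseCidr("10.1.2.3/8", m.ranges[0]) && m.match("10.200.0.1") ? 0 : 1;
}
```

Every address string that parses carries at least a /32 or /128 prefix, which fits the observation in the thread that an invalid range could not be produced from a successfully parsed address.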