-
Notifications
You must be signed in to change notification settings - Fork 5.5k
IP Matcher on a list of CIDR ranges #16592
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from 13 commits
cd38be7
16c5477
ef8fe28
bdc5274
6d7f90b
e940002
a0360a7
e027a05
04b5afe
c4b0f24
354ac87
d565e78
3b2391d
7960aa3
5fac922
551ddcb
6365fea
ff91bae
ea28e0d
700187a
ff53fe4
5aaaa86
13fd781
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| # DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. | ||
|
|
||
| load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") | ||
|
|
||
| licenses(["notice"]) # Apache 2 | ||
|
|
||
| api_proto_package( | ||
| deps = [ | ||
| "//envoy/config/core/v3:pkg", | ||
| "@com_github_cncf_udpa//udpa/annotations:pkg", | ||
| ], | ||
| ) |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| syntax = "proto3"; | ||
|
|
||
| package envoy.extensions.matching.input_matchers.ip.v3; | ||
|
|
||
| import "envoy/config/core/v3/address.proto"; | ||
|
|
||
| import "udpa/annotations/status.proto"; | ||
| import "validate/validate.proto"; | ||
|
|
||
| option java_package = "io.envoyproxy.envoy.extensions.matching.input_matchers.ip.v3"; | ||
| option java_outer_classname = "IpProto"; | ||
| option java_multiple_files = true; | ||
| option (udpa.annotations.file_status).package_version_status = ACTIVE; | ||
|
|
||
| // [#protodoc-title: IP matcher] | ||
| // [#extension: envoy.matching.input_matchers.ip] | ||
|
|
||
| // This input matcher matches IPv4 or IPv6 addresses against a list of CIDR | ||
| // ranges. It returns true if and only if the input IP belongs to at least one | ||
| // of these CIDR ranges. Internally, it uses a Level-Compressed trie, as | ||
| // described in the paper `IP-address lookup using LC-tries | ||
| // <https://www.nada.kth.se/~snilsson/publications/IP-address-lookup-using-LC-tries/>`_ | ||
| // by S. Nilsson and G. Karlsson. For "big" lists of IPs, this matcher is more | ||
| // efficient than multiple single IP matcher, that would have a linear cost. | ||
| message Ip { | ||
| // Match if the IP belongs to any of these CIDR ranges. | ||
| repeated config.core.v3.CidrRange cidr_ranges = 1 [(validate.rules).repeated = {min_items: 1}]; | ||
|
|
||
| // If specified, emits statistics using this prefix. | ||
| string stat_prefix = 2; | ||
| } | ||
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| load( | ||
| "//bazel:envoy_build_system.bzl", | ||
| "envoy_cc_extension", | ||
| "envoy_cc_library", | ||
| "envoy_extension_package", | ||
| ) | ||
|
|
||
| licenses(["notice"]) # Apache 2 | ||
|
|
||
| envoy_extension_package() | ||
|
|
||
| envoy_cc_library( | ||
| name = "ip_lib", | ||
| srcs = ["matcher.cc"], | ||
| hdrs = ["matcher.h"], | ||
| deps = [ | ||
| "//envoy/matcher:matcher_interface", | ||
| "//source/common/network:lc_trie_lib", | ||
| ], | ||
| ) | ||
|
|
||
| envoy_cc_extension( | ||
| name = "config", | ||
| srcs = ["config.cc"], | ||
| hdrs = ["config.h"], | ||
| deps = [ | ||
| ":ip_lib", | ||
| "//envoy/matcher:matcher_interface", | ||
| "//envoy/registry", | ||
| "//envoy/server:factory_context_interface", | ||
| "@envoy_api//envoy/extensions/matching/input_matchers/ip/v3:pkg_cc_proto", | ||
| ], | ||
| ) |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,41 @@ | ||
| #include "source/extensions/matching/input_matchers/ip/config.h" | ||
|
|
||
| namespace Envoy { | ||
| namespace Extensions { | ||
| namespace Matching { | ||
| namespace InputMatchers { | ||
| namespace IP { | ||
|
|
||
| Envoy::Matcher::InputMatcherPtr | ||
| Config::createInputMatcher(const Protobuf::Message& config, | ||
| Server::Configuration::FactoryContext& context) { | ||
| const auto& ip_config = MessageUtil::downcastAndValidate< | ||
| const envoy::extensions::matching::input_matchers::ip::v3::Ip&>( | ||
| config, context.messageValidationVisitor()); | ||
|
|
||
| const auto& cidr_ranges = ip_config.cidr_ranges(); | ||
| std::vector<Network::Address::CidrRange> ranges; | ||
| ranges.reserve(cidr_ranges.size()); | ||
| for (const auto& cidr_range : cidr_ranges) { | ||
| const std::string& address = cidr_range.address_prefix(); | ||
| const uint32_t prefix_len = cidr_range.prefix_len().value(); | ||
| const auto range = Network::Address::CidrRange::create(address, prefix_len); | ||
| if (!range.isValid()) { | ||
| throw EnvoyException(fmt::format("ip range {}/{} is invalid", address, prefix_len)); | ||
| } | ||
| ranges.emplace_back(std::move(range)); | ||
| } | ||
|
|
||
| const auto stat_prefix = ip_config.stat_prefix(); | ||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. nit: this incurs an additional copy, either
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Fixed in 551ddcb , by using an explicit |
||
| return std::make_unique<Matcher>(std::move(ranges), stat_prefix, context.scope()); | ||
| } | ||
| /** | ||
| * Static registration for the consistent hashing matcher. @see RegisterFactory. | ||
| */ | ||
| REGISTER_FACTORY(Config, Envoy::Matcher::InputMatcherFactory); | ||
|
|
||
| } // namespace IP | ||
| } // namespace InputMatchers | ||
| } // namespace Matching | ||
| } // namespace Extensions | ||
| } // namespace Envoy | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| #pragma once | ||
|
|
||
| #include "envoy/extensions/matching/input_matchers/ip/v3/ip.pb.h" | ||
| #include "envoy/extensions/matching/input_matchers/ip/v3/ip.pb.validate.h" | ||
| #include "envoy/matcher/matcher.h" | ||
| #include "envoy/server/factory_context.h" | ||
|
|
||
| #include "source/common/protobuf/utility.h" | ||
| #include "source/extensions/matching/input_matchers/ip/matcher.h" | ||
|
|
||
| namespace Envoy { | ||
| namespace Extensions { | ||
| namespace Matching { | ||
| namespace InputMatchers { | ||
| namespace IP { | ||
|
|
||
| class Config : public Envoy::Matcher::InputMatcherFactory { | ||
| public: | ||
| Envoy::Matcher::InputMatcherPtr | ||
| createInputMatcher(const Protobuf::Message& config, | ||
| Server::Configuration::FactoryContext& factory_context) override; | ||
|
|
||
| std::string name() const override { return "envoy.matching.matchers.ip"; } | ||
|
|
||
| ProtobufTypes::MessagePtr createEmptyConfigProto() override { | ||
| return std::make_unique<envoy::extensions::matching::input_matchers::ip::v3::Ip>(); | ||
| } | ||
| }; | ||
| } // namespace IP | ||
| } // namespace InputMatchers | ||
| } // namespace Matching | ||
| } // namespace Extensions | ||
| } // namespace Envoy |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,50 @@ | ||
| #include "source/extensions/matching/input_matchers/ip/matcher.h" | ||
|
|
||
| #include "source/common/network/utility.h" | ||
|
|
||
| namespace Envoy { | ||
| namespace Extensions { | ||
| namespace Matching { | ||
| namespace InputMatchers { | ||
| namespace IP { | ||
|
|
||
| Matcher::Matcher(std::vector<Network::Address::CidrRange>&& ranges, absl::string_view stat_prefix, | ||
| Stats::Scope& stat_scope) | ||
| : // We could put "false" instead of "true". What matters is that the IP | ||
| // belongs to the trie. We could further optimize the storage of LcTrie in | ||
| // this case by implementing an LcTrie<void> specialization that doesn't | ||
| // store any associated data. | ||
| trie_({{true, std::move(ranges)}}) { | ||
| if (!stat_prefix.empty()) { | ||
| stats_.emplace(generateStats(stat_prefix, stat_scope)); | ||
| } | ||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think its more common to emit stats by default for extensions, so maybe make stats_prefix required so that it's always set? Or is there a good reason to avoid emitting this stat?
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I've seen this in another extension, so I just made the same :) I have no other rational than this, I'm happy to make it mandatory!
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Done in 7960aa3 ! |
||
| } | ||
|
|
||
| MatcherStats Matcher::generateStats(absl::string_view prefix, Stats::Scope& scope) { | ||
| return MatcherStats{IP_MATCHER_STATS(POOL_COUNTER_PREFIX(scope, prefix))}; | ||
| } | ||
|
|
||
| bool Matcher::match(absl::optional<absl::string_view> input) { | ||
| if (!input) { | ||
| return false; | ||
| } | ||
| const absl::string_view ip_str = *input; | ||
| if (ip_str.empty()) { | ||
| return false; | ||
| } | ||
| const auto ip = Network::Utility::parseInternetAddressNoThrow(std::string{ip_str}); | ||
| if (!ip) { | ||
| if (stats_) { | ||
| stats_->ip_parsing_failed_.inc(); | ||
| } | ||
| ENVOY_LOG(warn, "IP matcher: unable to parse address '{}'", ip_str); | ||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I'd suggest dropping down this down to debug or use one of the rate limited loggers, this could be extremely spammy if deployed with bad configuration which would impact proxy performance.
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Dropped down to debug in 551ddcb |
||
| return false; | ||
| } | ||
| return !trie_.getData(ip).empty(); | ||
| } | ||
|
|
||
| } // namespace IP | ||
| } // namespace InputMatchers | ||
| } // namespace Matching | ||
| } // namespace Extensions | ||
| } // namespace Envoy | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,41 @@ | ||
| #pragma once | ||
|
|
||
| #include <vector> | ||
|
|
||
| #include "envoy/matcher/matcher.h" | ||
| #include "envoy/network/address.h" | ||
| #include "envoy/stats/stats_macros.h" | ||
|
|
||
| #include "source/common/network/lc_trie.h" | ||
|
|
||
| namespace Envoy { | ||
| namespace Extensions { | ||
| namespace Matching { | ||
| namespace InputMatchers { | ||
| namespace IP { | ||
|
|
||
| #define IP_MATCHER_STATS(COUNTER) COUNTER(ip_parsing_failed) | ||
|
|
||
| struct MatcherStats { | ||
| IP_MATCHER_STATS(GENERATE_COUNTER_STRUCT); | ||
| }; | ||
|
|
||
| class Matcher : public Envoy::Matcher::InputMatcher, Logger::Loggable<Logger::Id::filter> { | ||
| public: | ||
| Matcher(std::vector<Network::Address::CidrRange>&& ranges, absl::string_view stat_prefix, | ||
| Stats::Scope& stat_scope); | ||
| bool match(absl::optional<absl::string_view> input) override; | ||
| absl::optional<const MatcherStats> stats() const { return stats_; } | ||
|
|
||
| private: | ||
| MatcherStats generateStats(absl::string_view prefix, Stats::Scope& scope); | ||
|
|
||
| const Network::LcTrie::LcTrie<bool> trie_; | ||
| absl::optional<MatcherStats> stats_; | ||
| }; | ||
|
|
||
| } // namespace IP | ||
| } // namespace InputMatchers | ||
| } // namespace Matching | ||
| } // namespace Extensions | ||
| } // namespace Envoy |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| load( | ||
| "//bazel:envoy_build_system.bzl", | ||
| "envoy_package", | ||
| ) | ||
| load( | ||
| "//test/extensions:extensions_build_system.bzl", | ||
| "envoy_extension_cc_test", | ||
| ) | ||
|
|
||
| licenses(["notice"]) # Apache 2 | ||
|
|
||
| envoy_package() | ||
|
|
||
| envoy_extension_cc_test( | ||
| name = "config_test", | ||
| srcs = ["config_test.cc"], | ||
| extension_name = "envoy.matching.input_matchers.ip", | ||
| deps = [ | ||
| "//source/extensions/matching/input_matchers/ip:config", | ||
| "//test/mocks/server:factory_context_mocks", | ||
| ], | ||
| ) | ||
|
|
||
| envoy_extension_cc_test( | ||
| name = "matcher_test", | ||
| srcs = ["matcher_test.cc"], | ||
| extension_name = "envoy.matching.input_matchers.ip", | ||
| deps = [ | ||
| "//source/extensions/matching/input_matchers/ip:ip_lib", | ||
| ], | ||
| ) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we include docs that explain what stats are emitted? Normally we'd have a RST page explaining this extension, but I think inlining these docs in the proto file is fine for now
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed in 7960aa3