listener: add filter chain match support for direct source address#17118
listener: add filter chain match support for direct source address#17118ggreenway merged 8 commits intoenvoyproxy:mainfrom
Conversation
Signed-off-by: Greg Greenway <ggreenway@apple.com>
|
CC @envoyproxy/api-shepherds: Your approval is needed for changes made to |
|
I believe Matt is out this week; un-assigning him, and adding a different api shepherd. |
|
Assigning @htuch or @lizan for API-shepherd, and @alyssawilk to review the code (since her and I briefly discussed it on slack). |
|
/retest |
|
Retrying Azure Pipelines: |
alyssawilk
left a comment
alyssawilk
left a comment
There was a problem hiding this comment.
Sorry for lag - I'll do a full pass Monday. @lambdai git blame tells me you did much of this code - if so would you be up for first pass?
| addFilterChainForSourceTypes(direct_source_ips_map[EMPTY_STRING], source_type, source_ips, | ||
| source_ports, filter_chain); | ||
| } else { | ||
| for (const auto& direct_source_ip : direct_source_ips) { |
There was a problem hiding this comment.
Should we (or do we) have API docs somewhere that talk about the O(size) addition here?
There was a problem hiding this comment.
Is the question on how do we describe hte memory overheads of building up the nested tries for matching?
If so, I think maybe we should have some discussion on this in the top-level FilterChainMatch message comment.
There was a problem hiding this comment.
I think it may be worth documenting, but probably outside the scope of this PR; this doesn't fundamentally change how it scales, and adds negligible additional memory usage when the new feature isn't being used.
alyssawilk
left a comment
alyssawilk
left a comment
There was a problem hiding this comment.
sorry about the delay - here's first pass comments :-)
| const Network::ConnectionSocket& socket) const { | ||
| auto address = socket.addressProvider().directRemoteAddress(); | ||
| if (address->type() != Network::Address::Type::Ip) { | ||
| address = fakeAddress(); |
There was a problem hiding this comment.
To test my understanding, this is just a placeholder address so the matching code won't crash and will always fail the match (if a match is requested) right?
I know it's not your code but if I understand it right can you update the comments at fakeAddress to expand UDS -> unix domain socket and note it's just creating an address which should never match?
Also do we have a unit test for this?
There was a problem hiding this comment.
Yes, your understanding is correct. Nearly all of this code is copy/pasted from the SourceIP matching. I'll add comments and make sure there's a test for this.
lambdai
left a comment
lambdai
left a comment
There was a problem hiding this comment.
LGTM. Only nits. Feel free to take it or leave it!
|
|
||
| void FilterChainManagerImpl::addFilterChainForSourceTypes( | ||
| SourceTypesArray& source_types_array, | ||
| SourceTypesArraySharedPtr& source_types_array_ptr, |
There was a problem hiding this comment.
super nit: previous it‘s caller get the arg ready.
| const auto& cidr_range = Network::Address::CidrRange::create(destination_ip); | ||
| destination_ips.push_back(cidr_range.asString()); | ||
| } | ||
| auto createAddressVector = [](const auto& prefix_ranges) -> std::vector<std::string> { |
|
|
||
| SourceTypesArray& source_types_array = *source_types_array_ptr; | ||
| if (source_ips.empty()) { | ||
| addFilterChainForSourceIPs(source_types_array[source_type].first, EMPTY_STRING, source_ports, |
There was a problem hiding this comment.
Take me a few time to realize this mututes the the upper entry so the allocated SourceTypesArray is not destroyed by end of this function.
This is literally correct.
Signed-off-by: Greg Greenway <ggreenway@apple.com>
Signed-off-by: Greg Greenway <ggreenway@apple.com>
CI appears to be failing on api_listener_impl.cc, even though I didn't touch it, so I'm pulling out the bits that it needs from the code I did touch to isolate the changes. Signed-off-by: Greg Greenway <ggreenway@apple.com>
|
I merged main, but didn't make any further api changes; no need for re-review by api-shepherds. |
|
Are CI failures expected/flakes or should I wait until those are sorted to take a look? |
This reverts commit 48e2d28. Signed-off-by: Greg Greenway <ggreenway@apple.com>
Thanks to @sotiris for helping me fix this. Signed-off-by: Greg Greenway <ggreenway@apple.com>
|
clang_cl error this time was NOT the same issue. Failed to download a dep from github.com; spurious error I'm sure. |
|
/retest |
|
Retrying Azure Pipelines: |
|
@alyssawilk CI looks good now; please review. |
alyssawilk
left a comment
alyssawilk
left a comment
There was a problem hiding this comment.
LGTM with the caveat I'm not convinced I'd catch errors this deep in loops (though the tests make me happier this is WAI) =P
There was a problem hiding this comment.
wow, that must have been "fun" to find :-P
There was a problem hiding this comment.
Big thank you to @wrowe and @davinci26 for helping me figure out what was going wrong and how to fix it!
| addFilterChainForSourceTypes(direct_source_ips_map[EMPTY_STRING], source_type, source_ips, | ||
| source_ports, filter_chain); | ||
| } else { | ||
| for (const auto& direct_source_ip : direct_source_ips) { |
* main: (51 commits) listener: add filter chain match support for direct source address (envoyproxy#17118) Increase common/common coverage (envoyproxy#17193) crash_dump: Added local_end_stream_ to crash dump for H2. (envoyproxy#17199) codeql: improve Ubuntu dependency installation (envoyproxy#16556) ci: Move tooling tests to tooling job (envoyproxy#17071) Fix issue with Windows container image (envoyproxy#17113) fix filter linking urls (envoyproxy#17185) bug fix: fix bug that check_format.py will check files which are ignored (envoyproxy#17195) tls: moving the server name into SocketAddressProvider (envoyproxy#16574) network: Use std::make_unique and std::make_shared in source/common/network instead of bare new() (envoyproxy#17177) Revert "alpha matching: support generic action factory context (envoyproxy#17025)" (envoyproxy#17191) ci: Dont clone filter example where not required (envoyproxy#17182) alpha matching: support generic action factory context (envoyproxy#17025) xds: Clarify comment for RouteMatch.case_sensitive field. (envoyproxy#17176) ci: Only publish the required docker image (envoyproxy#17080) coverage: fixing flake (envoyproxy#17190) api: add cluster_specifier_plugin to RouteAction (envoyproxy#16944) wasm: update V8 to v9.2.230.13. (envoyproxy#17183) wasm: update Proxy-Wasm C++ Host and SDK to latest (2021-06-24). (envoyproxy#17174) owners: add Piotr as senior extension maintainer (envoyproxy#17175) ... Signed-off-by: Garrett Bourg <bourg@squareup.com>
…nvoyproxy#17118) Signed-off-by: Greg Greenway <ggreenway@apple.com> Signed-off-by: chris.xin <xinchuantao@qq.com>
…nvoyproxy#17118) Signed-off-by: Greg Greenway <ggreenway@apple.com>
6 participants
Signed-off-by: Greg Greenway ggreenway@apple.com
Commit Message:
Additional Description:
Risk Level: Low
Testing: Added tests
Docs Changes: In protos
Release Notes: added
Platform Specific Features: none
[Optional Runtime guard:]
[Optional Fixes #Issue]
[Optional Deprecated:]
[Optional API Considerations:]