listener: add filter chain match support for direct source address

api/envoy/config/listener/v3/listener_components.proto

@@ -64,9 +64,12 @@ message Filter {
 // 3. Server name (e.g. SNI for TLS protocol),
 // 4. Transport protocol.
 // 5. Application protocols (e.g. ALPN for TLS protocol).
-// 6. Source type (e.g. any, local or external network).
-// 7. Source IP address.
-// 8. Source port.
+// 6. Directly connected source IP address (this will only be different from the source IP address
+//    when using a listener filter that overrides the source address, such as the :ref:`Proxy Protocol
+//    listener filter <config_listener_filters_proxy_protocol>`).
+// 7. Source type (e.g. any, local or external network).
+// 8. Source IP address.
+// 9. Source port.
 //
 // For criteria that allow ranges or wildcards, the most specific value in any
 // of the configured filter chains that matches the incoming connection is going
@@ -90,7 +93,7 @@ message Filter {
 // listed at the end, because that's how we want to list them in the docs.
 //
 // [#comment:TODO(PiotrSikora): Add support for configurable precedence of the rules]
-// [#next-free-field: 13]
+// [#next-free-field: 14]
 message FilterChainMatch {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.api.v2.listener.FilterChainMatch";
@@ -124,6 +127,11 @@ message FilterChainMatch {
   // [#not-implemented-hide:]
   google.protobuf.UInt32Value suffix_len = 5;
 
+  // The criteria is satisfied if the directly connected source IP address of the downstream
+  // connection is contained in at least one of the specified subnets. If the parameter is not
+  // specified or the list is empty, the directly connected source IP address is ignored.
+  repeated core.v3.CidrRange direct_source_prefix_ranges = 13;
+
   // Specifies the connection source IP match type. Can be any, local or external network.
   ConnectionSourceType source_type = 12 [(validate.rules).enum = {defined_only: true}];
 

docs/root/version_history/current.rst

@@ -107,6 +107,7 @@ New Features
 * input matcher: a new input matcher that :ref:`matches an IP address against a list of CIDR ranges <envoy_v3_api_file_envoy/extensions/matching/input_matchers/ip/v3/ip.proto>`.
 * jwt_authn: added support to fetch remote jwks asynchronously specified by :ref:`async_fetch <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.RemoteJwks.async_fetch>`.
 * listener: added ability to change an existing listener's address.
+* listener: added filter chain match support for :ref:`direct source address <envoy_v3_api_field_config.listener.v3.FilterChainMatch.direct_source_prefix_ranges>`.
 * local_rate_limit_filter: added suppoort for locally rate limiting http requests on a per connection basis. This can be enabled by setting the :ref:`local_rate_limit_per_downstream_connection <envoy_v3_api_field_extensions.filters.http.local_ratelimit.v3.LocalRateLimit.local_rate_limit_per_downstream_connection>` field to true.
 * metric service: added support for sending metric tags as labels. This can be enabled by setting the :ref:`emit_tags_as_labels <envoy_v3_api_field_config.metrics.v3.MetricsServiceConfig.emit_tags_as_labels>` field to true.
 * proxy protocol: added support for generating the header while using the :ref:`HTTP connection manager <config_http_conn_man>`. This is done using the using the :ref:`Proxy Protocol Transport Socket <extension_envoy.transport_sockets.upstream_proxy_protocol>` on upstream clusters.