udp: add router for UDP proxy

api/envoy/extensions/filters/udp/udp_proxy/v3/BUILD

@@ -6,7 +6,10 @@ licenses(["notice"])  # Apache 2
 
 api_proto_package(
     deps = [
+        "//envoy/annotations:pkg",
         "//envoy/config/core/v3:pkg",
         "@com_github_cncf_udpa//udpa/annotations:pkg",
+        "@com_github_cncf_udpa//xds/annotations/v3:pkg",
+        "@com_github_cncf_udpa//xds/type/matcher/v3:pkg",
     ],
 )

api/envoy/extensions/filters/udp/udp_proxy/v3/route.proto

@@ -0,0 +1,19 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.udp.udp_proxy.v3;
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.udp.udp_proxy.v3";
+option java_outer_classname = "RouteProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: UDP proxy route configuration]
+// UDP proxy :ref:`configuration overview <config_udp_listener_filters_udp_proxy>`.
+
+message Route {
+  // Indicates the upstream cluster to which the request should be routed.
+  string cluster = 1 [(validate.rules).string = {min_len: 1}];
+}

api/envoy/extensions/filters/udp/udp_proxy/v3/udp_proxy.proto

@@ -6,6 +6,10 @@ import "envoy/config/core/v3/udp_socket_config.proto";
 
 import "google/protobuf/duration.proto";
 
+import "xds/annotations/v3/status.proto";
+import "xds/type/matcher/v3/matcher.proto";
+
+import "envoy/annotations/deprecation.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
@@ -20,7 +24,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#extension: envoy.filters.udp_listener.udp_proxy]
 
 // Configuration for the UDP proxy filter.
-// [#next-free-field: 7]
+// [#next-free-field: 8]
 message UdpProxyConfig {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.filter.udp.udp_proxy.v2alpha.UdpProxyConfig";
@@ -50,7 +54,15 @@ message UdpProxyConfig {
     option (validate.required) = true;
 
     // The upstream cluster to connect to.
-    string cluster = 2 [(validate.rules).string = {min_len: 1}];
+    string cluster = 2 [
+      deprecated = true,
+      (validate.rules).string = {min_len: 1},
+      (envoy.annotations.deprecated_at_minor_version) = "3.0"
+    ];
+
+    // The match tree to use when resolving route actions for incoming requests.
+    xds.type.matcher.v3.Matcher matcher = 7
+        [(xds.annotations.v3.field_status).work_in_progress = true];
   }
 
   // The idle timeout for sessions. Idle is defined as no datagrams between received or sent by

api/envoy/type/matcher/v3/network_inputs.proto

@@ -0,0 +1,17 @@
+syntax = "proto3";
+
+package envoy.type.matcher.v3;
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.envoy.type.matcher.v3";
+option java_outer_classname = "NetworkInputsProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Common Network Inputs]
+
+// Match input indicates that matching should be done on a specific source IP.
+// [#comment:TODO(snowp): Link to unified matching docs.]
+message SourceIpMatchInput {
+}

docs/root/api-v3/types/types.rst

@@ -23,5 +23,6 @@ Types
   ../type/matcher/v3/struct.proto
   ../type/matcher/v3/value.proto
   ../type/matcher/v3/http_inputs.proto
+  ../type/matcher/v3/network_inputs.proto
   ../type/metadata/v3/metadata.proto
   ../type/tracing/v3/custom_tag.proto

docs/root/configuration/listeners/udp_filters/_include/udp-proxy.yaml

@@ -20,7 +20,26 @@ static_resources:
       typed_config:
         '@type': type.googleapis.com/envoy.extensions.filters.udp.udp_proxy.v3.UdpProxyConfig
         stat_prefix: service
-        cluster: service_udp
+        matcher:
+          matcher_tree:
+            input:
+              name: source-ip
+              typed_config:
+                '@type': type.googleapis.com/envoy.type.matcher.v3.SourceIpMatchInput
+            exact_match_map:
+              map:
+                "127.0.0.1":
+                  action:
+                    name: route
+                    typed_config:
+                      '@type': type.googleapis.com/envoy.extensions.filters.udp.udp_proxy.v3.Route
+                      cluster: service_udp
+          on_no_match:
+            action:
+              name: route
+              typed_config:
+                '@type': type.googleapis.com/envoy.extensions.filters.udp.udp_proxy.v3.Route
+                cluster: service_udp
         upstream_socket_config:
           max_rx_datagram_size: 9000
   clusters:

docs/root/version_history/current.rst

@@ -66,6 +66,7 @@ New Features
 * thrift_proxy: support subset lb when using request or route metadata.
 * transport_socket: added :ref:`envoy.transport_sockets.tcp_stats <envoy_v3_api_msg_extensions.transport_sockets.tcp_stats.v3.Config>` which generates additional statistics gathered from the OS TCP stack.
 * udp: add support for multiple listener filters.
+* udp_proxy: added :ref:`matcher <envoy_v3_api_field_extensions.filters.udp.udp_proxy.v3.UdpProxyConfig.matcher>` to support matching and routing to different clusters.
 * upstream: added the ability to :ref:`configure max connection duration <envoy_v3_api_field_config.core.v3.HttpProtocolOptions.max_connection_duration>` for upstream clusters.
 * vcl_socket_interface: added VCL socket interface extension for fd.io VPP integration to :ref:`contrib images <install_contrib>`. This can be enabled via :ref:`VCL <envoy_v3_api_msg_extensions.vcl.v3alpha.VclSocketInterface>` configuration.
 * xds: re-introduced unified delta and sotw xDS multiplexers that share most of the implementation. Added a new runtime config ``envoy.reloadable_features.unified_mux`` (disabled by default) that when enabled, switches xDS to use unified multiplexers.

envoy/network/filter.h

@@ -3,6 +3,7 @@
 #include <memory>
 
 #include "envoy/buffer/buffer.h"
+#include "envoy/network/address.h"
 #include "envoy/network/listen_socket.h"
 #include "envoy/network/transport_socket.h"
 #include "envoy/stream_info/stream_info.h"
@@ -209,6 +210,15 @@ using ReadFilterSharedPtr = std::shared_ptr<ReadFilter>;
 class Filter : public WriteFilter, public ReadFilter {};
 using FilterSharedPtr = std::shared_ptr<Filter>;
 
+class NetworkMatchingData {
+public:
+  static absl::string_view name() { return "network"; }
+
+  virtual ~NetworkMatchingData() = default;
+
+  virtual OptRef<const Address::Ip> sourceIp() const PURE;
+};
+
 /**
  * Interface for adding individual network filters to a manager.
  */

examples/udp/envoy.yaml

@@ -11,7 +11,26 @@ static_resources:
       typed_config:
         '@type': type.googleapis.com/envoy.extensions.filters.udp.udp_proxy.v3.UdpProxyConfig
         stat_prefix: service
-        cluster: service_udp
+        matcher:
+          matcher_tree:
+            input:
+              name: source-ip
+              typed_config:
+                '@type': type.googleapis.com/envoy.type.matcher.v3.SourceIpMatchInput
+            exact_match_map:
+              map:
+                "127.0.0.1":
+                  action:
+                    name: route
+                    typed_config:
+                      '@type': type.googleapis.com/envoy.extensions.filters.udp.udp_proxy.v3.Route
+                      cluster: service_udp
+          on_no_match:
+            action:
+              name: route
+              typed_config:
+                '@type': type.googleapis.com/envoy.extensions.filters.udp.udp_proxy.v3.Route
+                cluster: service_udp
 
   clusters:
   - name: service_udp

source/common/network/matching/BUILD

@@ -0,0 +1,29 @@
+load(
+    "//bazel:envoy_build_system.bzl",
+    "envoy_cc_library",
+    "envoy_package",
+)
+
+licenses(["notice"])  # Apache 2
+
+envoy_package()
+
+envoy_cc_library(
+    name = "data_impl_lib",
+    hdrs = ["data_impl.h"],
+    deps = [
+        "//envoy/network:filter_interface",
+    ],
+)
+
+envoy_cc_library(
+    name = "inputs_lib",
+    srcs = ["inputs.cc"],
+    hdrs = ["inputs.h"],
+    deps = [
+        ":data_impl_lib",
+        "//envoy/matcher:matcher_interface",
+        "//envoy/server:factory_context_interface",
+        "@envoy_api//envoy/type/matcher/v3:pkg_cc_proto",
+    ],
+)

source/common/network/matching/data_impl.h

@@ -0,0 +1,25 @@
+#pragma once
+
+#include "envoy/network/filter.h"
+
+namespace Envoy {
+namespace Network {
+namespace Matching {
+/**
+ * Implementation of NetworkMatchingData, providing network specific data to
+ * the match tree.
+ */
+class NetworkMatchingDataImpl : public NetworkMatchingData {
+public:
+  static absl::string_view name() { return "network"; }
+
+  NetworkMatchingDataImpl(const Address::Ip* source) : source_(source) {}
+
+  OptRef<const Address::Ip> sourceIp() const override { return makeOptRefFromPtr(source_); }
+
+private:
+  const Address::Ip* const source_{};
+};
+} // namespace Matching
+} // namespace Network
+} // namespace Envoy

source/common/network/matching/inputs.cc

@@ -0,0 +1,11 @@
+#include "source/common/network/matching/inputs.h"
+
+#include "envoy/registry/registry.h"
+
+namespace Envoy {
+namespace Network {
+namespace Matching {
+REGISTER_FACTORY(SourceIpDataInputFactory, Matcher::DataInputFactory<NetworkMatchingData>);
+} // namespace Matching
+} // namespace Network
+} // namespace Envoy

source/common/network/matching/inputs.h

@@ -0,0 +1,74 @@
+#pragma once
+
+#include <string>
+
+#include "envoy/matcher/matcher.h"
+#include "envoy/network/filter.h"
+#include "envoy/server/factory_context.h"
+#include "envoy/type/matcher/v3/network_inputs.pb.h"
+#include "envoy/type/matcher/v3/network_inputs.pb.validate.h"
+
+namespace Envoy {
+namespace Network {
+namespace Matching {
+/**
+ * Common base class for all the IP DataInputs.
+ */
+class IpDataInputBase : public Matcher::DataInput<NetworkMatchingData> {
+public:
+  explicit IpDataInputBase() = default;
+
+  virtual OptRef<const Address::Ip> select(const NetworkMatchingData& data) const PURE;
+
+  Matcher::DataInputGetResult get(const NetworkMatchingData& data) const override {
+    const auto ip = select(data);
+
+    if (!ip.has_value()) {
+      return {Matcher::DataInputGetResult::DataAvailability::NotAvailable, absl::nullopt};
+    }
+
+    return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable, ip->addressAsString()};
+  }
+};
+
+/**
+ * Common base class for all the IP DataInputsFactory.
+ */
+template <class DataInputType, class ProtoType>
+class IpDataInputFactoryBase : public Matcher::DataInputFactory<NetworkMatchingData> {
+public:
+  explicit IpDataInputFactoryBase(const std::string& name) : name_(name) {}
+
+  std::string name() const override { return name_; }
+
+  Matcher::DataInputFactoryCb<NetworkMatchingData>
+  createDataInputFactoryCb(const Protobuf::Message&, ProtobufMessage::ValidationVisitor&) override {
+    return [] { return std::make_unique<DataInputType>(); };
+  }
+  ProtobufTypes::MessagePtr createEmptyConfigProto() override {
+    return std::make_unique<ProtoType>();
+  }
+
+private:
+  const std::string name_;
+};
+
+class SourceIpDataInput : public IpDataInputBase {
+public:
+  explicit SourceIpDataInput() = default;
+
+  OptRef<const Address::Ip> select(const NetworkMatchingData& data) const override {
+    return data.sourceIp();
+  }
+};
+
+class SourceIpDataInputFactory
+    : public IpDataInputFactoryBase<SourceIpDataInput,
+                                    envoy::type::matcher::v3::SourceIpMatchInput> {
+public:
+  SourceIpDataInputFactory() : IpDataInputFactoryBase("source-ip") {}
+};
+
+} // namespace Matching
+} // namespace Network
+} // namespace Envoy

source/extensions/filters/udp/udp_proxy/BUILD

@@ -33,10 +33,12 @@ envoy_cc_library(
         "//envoy/network:listener_interface",
         "//envoy/upstream:cluster_manager_interface",
         "//source/common/api:os_sys_calls_lib",
+        "//source/common/common:empty_string",
         "//source/common/network:socket_lib",
         "//source/common/network:socket_option_factory_lib",
         "//source/common/network:utility_lib",
         "//source/common/upstream:load_balancer_lib",
+        "//source/extensions/filters/udp/udp_proxy/router:router_lib",
         "@envoy_api//envoy/extensions/filters/udp/udp_proxy/v3:pkg_cc_proto",
     ],
 )

source/extensions/filters/udp/udp_proxy/config.h

@@ -23,6 +23,7 @@ class UdpProxyFilterConfigFactory
                                Server::Configuration::ListenerFactoryContext& context) override {
     auto shared_config = std::make_shared<UdpProxyFilterConfig>(
         context.clusterManager(), context.timeSource(), context.scope(),
+        context.getServerFactoryContext(),
         MessageUtil::downcastAndValidate<
             const envoy::extensions::filters::udp::udp_proxy::v3::UdpProxyConfig&>(
             config, context.messageValidationVisitor()));

source/extensions/filters/udp/udp_proxy/router/BUILD

@@ -0,0 +1,29 @@
+load(
+    "//bazel:envoy_build_system.bzl",
+    "envoy_cc_library",
+    "envoy_extension_package",
+)
+
+licenses(["notice"])  # Apache 2
+
+envoy_extension_package()
+
+envoy_cc_library(
+    name = "router_interface",
+    hdrs = ["router.h"],
+)
+
+envoy_cc_library(
+    name = "router_lib",
+    srcs = ["router_impl.cc"],
+    hdrs = ["router_impl.h"],
+    deps = [
+        ":router_interface",
+        "//source/common/common:empty_string",
+        "//source/common/matcher:matcher_lib",
+        "//source/common/matcher:validation_visitor_lib",
+        "//source/common/network/matching:inputs_lib",
+        "@envoy_api//envoy/extensions/filters/udp/udp_proxy/v3:pkg_cc_proto",
+        "@envoy_api//envoy/type/matcher/v3:pkg_cc_proto",
+    ],
+)