Listener FilterChainMatch using connection metadata

api/envoy/config/filter/http/jwt_authn/v2alpha/config.proto

@@ -391,8 +391,7 @@ message FilterStateRule {
 
   // A map of string keys to requirements. The string key is the string value
   // in the FilterState with the name specified in the *name* field above.
-  map<string, JwtRequirement>
-  requires = 3;
+  map<string, JwtRequirement> requires = 3;
 }
 
 // This is the Envoy HTTP filter config for JWT authentication.

api/envoy/config/listener/v3/listener_components.proto

@@ -94,7 +94,7 @@ message Filter {
 // listed at the end, because that's how we want to list them in the docs.
 //
 // [#comment:TODO(PiotrSikora): Add support for configurable precedence of the rules]
-// [#next-free-field: 14]
+// [#next-free-field: 101]
 message FilterChainMatch {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.api.v2.listener.FilterChainMatch";
@@ -112,6 +112,9 @@ message FilterChainMatch {
 
   reserved 1;
 
+  // The Connection Metadata of the connection to match against.
+  string connection_metadata = 100;
+
   // Optional destination port to consider when use_original_dst is set on the
   // listener in determining a filter chain match.
   google.protobuf.UInt32Value destination_port = 8 [(validate.rules).uint32 = {lte: 65535 gte: 1}];

api/envoy/extensions/filters/http/jwt_authn/v3/config.proto

@@ -583,8 +583,7 @@ message FilterStateRule {
 
   // A map of string keys to requirements. The string key is the string value
   // in the FilterState with the name specified in the *name* field above.
-  map<string, JwtRequirement>
-  requires = 3;
+  map<string, JwtRequirement> requires = 3;
 }
 
 // This is the Envoy HTTP filter config for JWT authentication.

envoy/network/listen_socket.h

@@ -69,6 +69,16 @@ class ConnectionSocket : public virtual Socket, public virtual ScopeTrackedObjec
    */
   virtual absl::string_view ja3Hash() const PURE;
 
+  /**
+   * Set Connection Metadata.
+   */
+  virtual void setConnectionMetadata(absl::string_view connection_metadata) PURE;
+
+  /**
+   * @return Connection Metadata.
+   */
+  virtual absl::string_view connectionMetadata() const PURE;
+
   /**
    *  @return absl::optional<std::chrono::milliseconds> An optional of the most recent round-trip
    *  time of the connection. If the platform does not support this, then an empty optional is

envoy/network/socket.h

@@ -78,6 +78,11 @@ class ConnectionInfoProvider {
    */
   virtual absl::string_view requestedServerName() const PURE;
 
+  /**
+   * @return Connection Metadatafor downstream client.
+   */
+  virtual absl::string_view connectionMetadata() const PURE;
+
   /**
    * @return Connection ID of the downstream connection, or unset if not available.
    **/
@@ -142,6 +147,11 @@ class ConnectionInfoSetter : public ConnectionInfoProvider {
    */
   virtual void setRequestedServerName(const absl::string_view requested_server_name) PURE;
 
+  /**
+   * @param Connection Metadata.
+   */
+  virtual void setConnectionMetadata(const absl::string_view connection_metadata) PURE;
+
   /**
    * @param id Connection ID of the downstream connection.
    **/

source/common/http/filter_manager.h

@@ -627,6 +627,9 @@ class OverridableRemoteConnectionInfoSetterStreamInfo : public StreamInfo::Strea
   absl::string_view requestedServerName() const override {
     return StreamInfoImpl::downstreamAddressProvider().requestedServerName();
   }
+  absl::string_view connectionMetadata() const override {
+    return StreamInfoImpl::downstreamAddressProvider().connectionMetadata();
+  }
   absl::optional<uint64_t> connectionID() const override {
     return StreamInfoImpl::downstreamAddressProvider().connectionID();
   }

source/common/network/listen_socket_impl.h

@@ -224,6 +224,14 @@ class ConnectionSocketImpl : public SocketImpl, public ConnectionSocket {
   }
   absl::string_view ja3Hash() const override { return connectionInfoProvider().ja3Hash(); }
 
+  void setConnectionMetadata(absl::string_view connection_metadata) override {
+    // Always keep the connection_metadata as lower case.
+    connectionInfoProvider().setConnectionMetadata(absl::AsciiStrToLower(connection_metadata));
+  }
+  absl::string_view connectionMetadata() const override {
+    return connectionInfoProvider().connectionMetadata();
+  }
+
   absl::optional<std::chrono::milliseconds> lastRoundTripTime() override {
     return ioHandle().lastRoundTripTime();
   }

source/common/network/socket_impl.h

@@ -50,6 +50,10 @@ class ConnectionInfoSetterImpl : public ConnectionInfoSetter {
   void setRequestedServerName(const absl::string_view requested_server_name) override {
     server_name_ = std::string(requested_server_name);
   }
+  absl::string_view connectionMetadata() const override { return connection_metadata_; }
+  void setConnectionMetadata(const absl::string_view connection_metadata) override {
+    connection_metadata_ = std::string(connection_metadata);
+  }
   absl::optional<uint64_t> connectionID() const override { return connection_id_; }
   void setConnectionID(uint64_t id) override { connection_id_ = id; }
   absl::optional<absl::string_view> interfaceName() const override { return interface_name_; }
@@ -70,6 +74,7 @@ class ConnectionInfoSetterImpl : public ConnectionInfoSetter {
   Address::InstanceConstSharedPtr remote_address_;
   Address::InstanceConstSharedPtr direct_remote_address_;
   std::string server_name_;
+  std::string connection_metadata_;
   absl::optional<uint64_t> connection_id_;
   absl::optional<std::string> interface_name_;
   Ssl::ConnectionInfoConstSharedPtr ssl_info_;

source/server/filter_chain_manager_impl.cc

@@ -225,8 +225,8 @@ void FilterChainManagerImpl::addFilterChains(
       ++new_filter_chain_size;
     }
 
-    addFilterChainForDestinationPorts(
-        destination_ports_map_,
+    addFilterChainForConnectionMetadata(
+        connection_metadata_map_, absl::AsciiStrToLower(filter_chain_match.connection_metadata()),
         PROTOBUF_GET_WRAPPED_OR_DEFAULT(filter_chain_match, destination_port, 0), destination_ips,
         server_names, filter_chain_match.transport_protocol(),
         filter_chain_match.application_protocols(), direct_source_ips,
@@ -275,6 +275,25 @@ void FilterChainManagerImpl::copyOrRebuildDefaultFilterChain(
   }
 }
 
+void FilterChainManagerImpl::addFilterChainForConnectionMetadata(
+    ConnectionMetadataMap& connection_metadata_map, const std::string& connection_metadata,
+    uint16_t destination_port, const std::vector<std::string>& destination_ips,
+    const absl::Span<const std::string> server_names, const std::string& transport_protocol,
+    const absl::Span<const std::string* const> application_protocols,
+    const std::vector<std::string>& direct_source_ips,
+    const envoy::config::listener::v3::FilterChainMatch::ConnectionSourceType source_type,
+    const std::vector<std::string>& source_ips,
+    const absl::Span<const Protobuf::uint32> source_ports,
+    const Network::FilterChainSharedPtr& filter_chain) {
+  if (connection_metadata_map.find(connection_metadata) == connection_metadata_map.end()) {
+    connection_metadata_map[connection_metadata] = DestinationPortsMap{};
+  }
+  addFilterChainForDestinationPorts(connection_metadata_map[connection_metadata], destination_port,
+                                    destination_ips, server_names, transport_protocol,
+                                    application_protocols, direct_source_ips, source_type,
+                                    source_ips, source_ports, filter_chain);
+}
+
 void FilterChainManagerImpl::addFilterChainForDestinationPorts(
     DestinationPortsMap& destination_ports_map, uint16_t destination_port,
     const std::vector<std::string>& destination_ips,
@@ -468,13 +487,46 @@ std::pair<T, std::vector<Network::Address::CidrRange>> makeCidrListEntry(const s
 
 const Network::FilterChain*
 FilterChainManagerImpl::findFilterChain(const Network::ConnectionSocket& socket) const {
+  const auto& connection_metadata =
+      absl::AsciiStrToLower(socket.connectionInfoProvider().connectionMetadata());
+
+  const Network::FilterChain* best_match_filter_chain = nullptr;
+  const auto connection_metadata_match = connection_metadata_map_.find(connection_metadata);
+  if (connection_metadata_match != connection_metadata_map_.end()) {
+    best_match_filter_chain =
+        findFilterChainForDestinationPort(connection_metadata_match->second, socket);
+    if (best_match_filter_chain != nullptr) {
+      return best_match_filter_chain;
+    } else {
+      // There is entry for specific tenant ID but none of the filter chain matches. Instead of
+      // matching catch-all tenant ID "", the fallback filter chain is returned.
+      return default_filter_chain_.get();
+    }
+  }
+
+  // Match on a filter chain without tenant ID requirements.
+  const auto connection_metadata_catchall_match = connection_metadata_map_.find(EMPTY_STRING);
+  if (connection_metadata_catchall_match != connection_metadata_map_.end()) {
+    best_match_filter_chain =
+        findFilterChainForDestinationPort(connection_metadata_catchall_match->second, socket);
+  }
+
+  return best_match_filter_chain != nullptr
+             ? best_match_filter_chain
+             // Neither exact tenant ID nor catch-all tenant ID matches. Use fallback filter chain.
+             : default_filter_chain_.get();
+}
+
+const Network::FilterChain* FilterChainManagerImpl::findFilterChainForDestinationPort(
+    const DestinationPortsMap& destination_ports_map,
+    const Network::ConnectionSocket& socket) const {
   const auto& address = socket.connectionInfoProvider().localAddress();
 
   const Network::FilterChain* best_match_filter_chain = nullptr;
   // Match on destination port (only for IP addresses).
   if (address->type() == Network::Address::Type::Ip) {
-    const auto port_match = destination_ports_map_.find(address->ip()->port());
-    if (port_match != destination_ports_map_.end()) {
+    const auto port_match = destination_ports_map.find(address->ip()->port());
+    if (port_match != destination_ports_map.end()) {
       best_match_filter_chain = findFilterChainForDestinationIP(*port_match->second.second, socket);
       if (best_match_filter_chain != nullptr) {
         return best_match_filter_chain;
@@ -486,8 +538,8 @@ FilterChainManagerImpl::findFilterChain(const Network::ConnectionSocket& socket)
     }
   }
   // Match on catch-all port 0 if there is no specific port sub tree.
-  const auto port_match = destination_ports_map_.find(0);
-  if (port_match != destination_ports_map_.end()) {
+  const auto port_match = destination_ports_map.find(0);
+  if (port_match != destination_ports_map.end()) {
     best_match_filter_chain = findFilterChainForDestinationIP(*port_match->second.second, socket);
   }
   return best_match_filter_chain != nullptr
@@ -670,58 +722,60 @@ const Network::FilterChain* FilterChainManagerImpl::findFilterChainForSourceIpAn
 }
 
 void FilterChainManagerImpl::convertIPsToTries() {
-  for (auto& [destination_port, destination_ips_pair] : destination_ports_map_) {
-    UNREFERENCED_PARAMETER(destination_port);
-    // These variables are used as we build up the destination CIDRs used for the trie.
-    auto& [destination_ips_map, destination_ips_trie] = destination_ips_pair;
-    std::vector<std::pair<ServerNamesMapSharedPtr, std::vector<Network::Address::CidrRange>>>
-        destination_ips_list;
-    destination_ips_list.reserve(destination_ips_map.size());
-
-    for (const auto& [destination_ip, server_names_map_ptr] : destination_ips_map) {
-      destination_ips_list.push_back(makeCidrListEntry(destination_ip, server_names_map_ptr));
-
-      // This hugely nested for loop greatly pains me, but I'm not sure how to make it better.
-      // We need to get access to all of the source IP strings so that we can convert them into
-      // a trie like we did for the destination IPs above.
-      for (auto& [server_name, transport_protocols_map] : *server_names_map_ptr) {
-        UNREFERENCED_PARAMETER(server_name);
-        for (auto& [transport_protocol, application_protocols_map] : transport_protocols_map) {
-          UNREFERENCED_PARAMETER(transport_protocol);
-          for (auto& [application_protocol, direct_source_ips_pair] : application_protocols_map) {
-            UNREFERENCED_PARAMETER(application_protocol);
-            auto& [direct_source_ips_map, direct_source_ips_trie] = direct_source_ips_pair;
-
-            std::vector<
-                std::pair<SourceTypesArraySharedPtr, std::vector<Network::Address::CidrRange>>>
-                direct_source_ips_list;
-            direct_source_ips_list.reserve(direct_source_ips_map.size());
-
-            for (auto& [direct_source_ip, source_arrays_ptr] : direct_source_ips_map) {
-              direct_source_ips_list.push_back(
-                  makeCidrListEntry(direct_source_ip, source_arrays_ptr));
-
-              for (auto& [source_ips_map, source_ips_trie] : *source_arrays_ptr) {
-                std::vector<
-                    std::pair<SourcePortsMapSharedPtr, std::vector<Network::Address::CidrRange>>>
-                    source_ips_list;
-                source_ips_list.reserve(source_ips_map.size());
-
-                for (auto& [source_ip, source_port_map_ptr] : source_ips_map) {
-                  source_ips_list.push_back(makeCidrListEntry(source_ip, source_port_map_ptr));
+  for (auto& [connection_metadata, destination_ports_map] : connection_metadata_map_) {
+    for (auto& [destination_port, destination_ips_pair] : destination_ports_map) {
+      UNREFERENCED_PARAMETER(destination_port);
+      // These variables are used as we build up the destination CIDRs used for the trie.
+      auto& [destination_ips_map, destination_ips_trie] = destination_ips_pair;
+      std::vector<std::pair<ServerNamesMapSharedPtr, std::vector<Network::Address::CidrRange>>>
+          destination_ips_list;
+      destination_ips_list.reserve(destination_ips_map.size());
+
+      for (const auto& [destination_ip, server_names_map_ptr] : destination_ips_map) {
+        destination_ips_list.push_back(makeCidrListEntry(destination_ip, server_names_map_ptr));
+
+        // This hugely nested for loop greatly pains me, but I'm not sure how to make it better.
+        // We need to get access to all of the source IP strings so that we can convert them into
+        // a trie like we did for the destination IPs above.
+        for (auto& [server_name, transport_protocols_map] : *server_names_map_ptr) {
+          UNREFERENCED_PARAMETER(server_name);
+          for (auto& [transport_protocol, application_protocols_map] : transport_protocols_map) {
+            UNREFERENCED_PARAMETER(transport_protocol);
+            for (auto& [application_protocol, direct_source_ips_pair] : application_protocols_map) {
+              UNREFERENCED_PARAMETER(application_protocol);
+              auto& [direct_source_ips_map, direct_source_ips_trie] = direct_source_ips_pair;
+
+              std::vector<
+                  std::pair<SourceTypesArraySharedPtr, std::vector<Network::Address::CidrRange>>>
+                  direct_source_ips_list;
+              direct_source_ips_list.reserve(direct_source_ips_map.size());
+
+              for (auto& [direct_source_ip, source_arrays_ptr] : direct_source_ips_map) {
+                direct_source_ips_list.push_back(
+                    makeCidrListEntry(direct_source_ip, source_arrays_ptr));
+
+                for (auto& [source_ips_map, source_ips_trie] : *source_arrays_ptr) {
+                  std::vector<
+                      std::pair<SourcePortsMapSharedPtr, std::vector<Network::Address::CidrRange>>>
+                      source_ips_list;
+                  source_ips_list.reserve(source_ips_map.size());
+
+                  for (auto& [source_ip, source_port_map_ptr] : source_ips_map) {
+                    source_ips_list.push_back(makeCidrListEntry(source_ip, source_port_map_ptr));
+                  }
+
+                  source_ips_trie = std::make_unique<SourceIPsTrie>(source_ips_list, true);
                 }
-
-                source_ips_trie = std::make_unique<SourceIPsTrie>(source_ips_list, true);
               }
+              direct_source_ips_trie =
+                  std::make_unique<DirectSourceIPsTrie>(direct_source_ips_list, true);
             }
-            direct_source_ips_trie =
-                std::make_unique<DirectSourceIPsTrie>(direct_source_ips_list, true);
           }
         }
       }
-    }
 
-    destination_ips_trie = std::make_unique<DestinationIPsTrie>(destination_ips_list, true);
+      destination_ips_trie = std::make_unique<DestinationIPsTrie>(destination_ips_list, true);
+    }
   }
 }
 

source/server/filter_chain_manager_impl.h

@@ -277,7 +277,18 @@ class FilterChainManagerImpl : public Network::FilterChainManager,
   using DestinationIPsTriePtr = std::unique_ptr<DestinationIPsTrie>;
   using DestinationPortsMap =
       absl::flat_hash_map<uint16_t, std::pair<DestinationIPsMap, DestinationIPsTriePtr>>;
+  using ConnectionMetadataMap = absl::flat_hash_map<std::string, DestinationPortsMap>;
 
+  void addFilterChainForConnectionMetadata(
+      ConnectionMetadataMap& connection_metadata_map, const std::string& connection_metadata,
+      uint16_t destination_port, const std::vector<std::string>& destination_ips,
+      const absl::Span<const std::string> server_names, const std::string& transport_protocol,
+      const absl::Span<const std::string* const> application_protocols,
+      const std::vector<std::string>& direct_source_ips,
+      const envoy::config::listener::v3::FilterChainMatch::ConnectionSourceType source_type,
+      const std::vector<std::string>& source_ips,
+      const absl::Span<const Protobuf::uint32> source_ports,
+      const Network::FilterChainSharedPtr& filter_chain);
   void addFilterChainForDestinationPorts(
       DestinationPortsMap& destination_ports_map, uint16_t destination_port,
       const std::vector<std::string>& destination_ips,
@@ -334,6 +345,9 @@ class FilterChainManagerImpl : public Network::FilterChainManager,
                                     const Network::FilterChainSharedPtr& filter_chain);
 
   const Network::FilterChain*
+  findFilterChainForDestinationPort(const DestinationPortsMap& destination_ports_map,
+                                    const Network::ConnectionSocket& socket) const;
+  const Network::FilterChain*
   findFilterChainForDestinationIP(const DestinationIPsTrie& destination_ips_trie,
                                   const Network::ConnectionSocket& socket) const;
   const Network::FilterChain*
@@ -372,7 +386,11 @@ class FilterChainManagerImpl : public Network::FilterChainManager,
 
   // Mapping of FilterChain's configured destination ports, IPs, server names, transport protocols
   // and application protocols, using structures defined above.
-  DestinationPortsMap destination_ports_map_;
+  // DestinationPortsMap destination_ports_map_;
+
+  // Mapping of FilterChain's configured Connection Metadata, destination ports, IPs, server names,
+  // transport protocols and application protocols, using structures defined above.
+  ConnectionMetadataMap connection_metadata_map_;
 
   const Network::Address::InstanceConstSharedPtr address_;
   // This is the reference to a factory context which all the generations of listener share.

test/common/http/header_map_impl_test.cc

@@ -423,9 +423,8 @@ TEST_P(HeaderMapImplTest, AllInlineHeaders) {
     INLINE_REQ_RESP_STRING_HEADERS(TEST_INLINE_STRING_HEADER_FUNCS)
   }
   {
-    // No request trailer O(1) headers.
-  }
-  {
+      // No request trailer O(1) headers.
+  } {
     auto header_map = ResponseHeaderMapImpl::create();
     INLINE_RESP_STRING_HEADERS(TEST_INLINE_STRING_HEADER_FUNCS)
     INLINE_REQ_RESP_STRING_HEADERS(TEST_INLINE_STRING_HEADER_FUNCS)

test/mocks/network/mocks.h

@@ -332,6 +332,8 @@ class MockConnectionSocket : public ConnectionSocket {
   MOCK_METHOD(absl::string_view, requestedServerName, (), (const));
   MOCK_METHOD(void, setJA3Hash, (absl::string_view));
   MOCK_METHOD(absl::string_view, ja3Hash, (), (const));
+  MOCK_METHOD(void, setConnectionMetadata, (absl::string_view));
+  MOCK_METHOD(absl::string_view, connectionMetadata, (), (const));
   MOCK_METHOD(void, addOption_, (const Socket::OptionConstSharedPtr&));
   MOCK_METHOD(void, addOptions_, (const Socket::OptionsSharedPtr&));
   MOCK_METHOD(const Network::ConnectionSocket::OptionsSharedPtr&, options, (), (const));