diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 5ee8949f06cc8..fff9b0569eee4 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -32,9 +32,6 @@ behavior_changes: fixed metric tag extraction so that :ref:`stat_prefix ` is properly extracted. This changes the Prometheus name from envoy_redis_myprefix_command_pttl_latency_sum{} to envoy_redis_command_pttl_latency_sum{envoy_redis_prefix="myprefix"}. -- area: tcp_proxy - change: | - added support for command operators in :ref:`TunnelingConfig hostname ` to dynamically set upstream hostname. - area: router change: | updated all HTTP filters to get per-filter config by the :ref:`HTTP filter config name @@ -44,7 +41,7 @@ behavior_changes: compatibility. - area: router change: | - Weighted cluster's :ref:`total_weight ` is now + weighted cluster's :ref:`total_weight ` is now optional. If not set, Envoy will no longer validate that all weights add up to 100. The sum of :ref:`weights ` across all entries in the clusters array must add up to the @@ -133,6 +130,9 @@ minor_behavior_changes: - area: network change: | the :ref:`client ssl auth filter ` has been moved to :ref:`contrib images `. +- area: tcp_proxy + change: | + added support for command operators in :ref:`TunnelingConfig hostname ` to dynamically set upstream hostname. bug_fixes: - area: grpc_json_transcoder 
@@ -144,31 +144,31 @@ bug_fixes: This behavioral change can be reverted by setting runtime guard ``envoy.reloadable_features.use_rfc_connect`` to false. - area: decompression change: | - Fixed CVE-2022-29225: Decompressors can be zip bombed. Previously decompressors were + fixed CVE-2022-29225: Decompressors can be zip bombed. Previously decompressors were susceptible to memory inflation in takes in which specially crafted payloads could cause a large amount of memory usage by Envoy. The max inflation payload size is now limited. This change can be reverted via the ``envoy.reloadable_features.enable_compression_bomb_protection`` runtime flag. - area: router change: | - Fixed CVE-2022-29227: Internal redirect crash for requests with body/trailers. Envoy would + fixed CVE-2022-29227: Internal redirect crash for requests with body/trailers. Envoy would previously crash in some cases when processing internal redirects for requests with bodies or trailers if the redirect prompts an Envoy-generated local reply. - area: oauth change: | - Fixed CVE-2022-29226: oauth filter allows trivial bypass. The OAuth filter implementation does + fixed CVE-2022-29226: oauth filter allows trivial bypass. The OAuth filter implementation does not include a mechanism for validating access tokens, so by design when the HMAC signed cookie is missing a full authentication flow should be triggered. However, the current implementation assumes that access tokens are always validated thus allowing access in the presence of any access token attached to the request. - area: oauth change: | - Fixed CVE-2022-29228: oauth filter calls continueDecoding() from within decodeHeaders(). The + fixed CVE-2022-29228: oauth filter calls continueDecoding() from within decodeHeaders(). The OAuth filter would try to invoke the remaining filters in the chain after emitting a local response, which triggers an ASSERT() in newer versions and corrupts memory on earlier versions. 
- area: health_check change: | - Fixed CVE-2022-29224: Segfault in GrpcHealthCheckerImpl. An attacker-controlled upstream server + fixed CVE-2022-29224: Segfault in GrpcHealthCheckerImpl. An attacker-controlled upstream server that is health checked using gRPC health checking can crash Envoy via a null pointer dereference in certain circumstances. - area: runtime @@ -213,11 +213,17 @@ removed_config_or_runtime: - area: runtime change: | removed ``envoy.restart_features.no_runtime_singleton`` and replaced with ``envoy.restart_features.remove_runtime_singleton``. +- area: udp listener + change: | + removed ``envoy.reloadable_features.udp_listener_updates_filter_chain_in_place`` and legacy code paths. +- area: http + change: | + removed ``envoy.reloadable_features.skip_dispatching_frames_for_closed_connection`` and legacy code paths. new_features: - area: lua change: | - added new function ``timestampString`` returning the time since epoch as a string. Supported + added new function :ref:`timestampString ` returning the time since epoch as a string. Supported resolutions are millisecond and microsecond. - area: access_log change: | @@ -234,6 +240,7 @@ new_features: - area: dns_resolver change: | added support for multiple addresses. This is most valuable when used in conjunction with :ref:`ALL ` enabling full happy eyeballs support for Envoy (see detailed documentation :ref:`here ` but will also result in trying multiple addresses for resolvers doing only IPv4 or IPv6. This behavioral change can be temporarily disabled by setting runtime guard ``envoy.restart_features.remove_runtime_singleton`` to false. +- area: dns_resolver change: | added :ref:`GetAddrInfoDnsResolverConfig `, a new DNS resolver that uses the system's getaddrinfo() function to resolve DNS. This was primarily added for use on Android but can also be used in other situations in which the system resolver is desired. - area: dubbo_proxy 
@@ -253,10 +260,10 @@ new_features: preserve case header formatter support innner formatter on Envoy headers in :ref:`formatter_type_on_envoy_headers `. - area: http3 change: | - added :ref:`early_data_policy ` extension to allow upstream HTTP/3 sending requests over early data. If no extension is configured, HTTP/3 pool will send safe requests as early data to the host if the pool already cached 0-RTT credentials of that host. If those requests fail and the underlying connection pool supports TCP fallback, the request may be retried automatically. If the :ref:`default extension ` is configured, no requests are allowed to be sent as early data. Note that if any customized extension configures non-safe requests to be allowed over early data, the Envoy will not automatically retry them. If desired, explicitly config their :ref:`retry_policy `. This feature requires both ``envoy.reloadable_features.conn_pool_new_stream_with_early_data_and_http3`` and ``envoy.reloadable_features.http3_sends_early_data`` to be turned on. + added :ref:`early_data_policy ` extension to allow upstream HTTP/3 sending requests over early data. If no extension is configured, HTTP/3 pool will send safe requests as early data to the host if the pool already cached 0-RTT credentials of that host. If those requests fail and the underlying connection pool supports TCP fallback, the request may be retried automatically. If the :ref:`default extension ` is configured, no requests are allowed to be sent as early data. Note that if any customized extension configures non-safe requests to be allowed over early data, the Envoy will not automatically retry them. If desired, explicitly config their :ref:`retry_policy `. Sending early data requires both ``envoy.reloadable_features.conn_pool_new_stream_with_early_data_and_http3`` and ``envoy.reloadable_features.http3_sends_early_data`` runtime flags to be set to true. 
- area: listener change: | - added :ref:`dynamic listener filter re-configuration` for listener filters. This dynamic listener filter configuration is only supported by TCP listeners. + added :ref:`dynamic listener filter configuration` for listener filters. This dynamic listener filter configuration is only supported by TCP listeners. - area: redis change: | added support for multiple passwords to the redis proxy. See :ref:`downstream_auth_passwords `. @@ -265,16 +272,16 @@ new_features: added :ref:`close_downstream_on_upstream_error ` flag to router to control downstream local close. - area: thrift change: | - added support for access logging. + added support for access logging for :ref:`Thrift Proxy `. - area: thrift change: | - added support for preserving header keys. + added support for preserving header keys. See :ref:`header_keys_preserve_case `. - area: thrift change: | - added support for propogating connection draining if local replies try to end downstream. + added support for propogating connection draining if local replies try to end downstream. Can be enabled by setting the runtime flag ``envoy.reloadable_features.thrift_connection_draining`` to true. - area: thrift change: | - added onLocalReply support to inform filters of local replies. + added ``onLocalReply`` support to inform filters of local replies. - area: thrift change: | introduced thrift configurable encoder and bidirectional filters, which allows peeking and modifying the thrift response message. @@ -296,9 +303,6 @@ new_features: - area: ratelimit change: | added support for :ref:`HTTP matching input functions ` as descriptor producers. -- area: build - change: | - official released binary is now built with Clang 14.0.0. - area: http change: | added :ref:`cluster_header ` in :ref:`request_mirror_policies ` to allow routing shadow request to the cluster specified in the request_header. 
@@ -306,7 +310,7 @@ new_features: change: | added :ref:`internal upstream transport ` for passing metadata and filter state across the user space sockets and the internal listeners. - area: router - change: + change: | added :ref:`keep_empty_value ` to allow keeping empty values in custom headers. - area: dubbo_proxy change: | @@ -319,7 +323,7 @@ new_features: added :ref:`stat_prefix ` support to generate route level statistics. - area: router change: | - Add an :ref:`option + added :ref:`INTERNAL_SERVER_ERROR option ` to return status code 500 when the configured cluster is not found. - area: matching 
@@ -339,30 +343,26 @@ new_features: added :ref:`ignore_port_in_host_matching `. When set to true, port number (if any) in host header is ignored during host matching. - area: router change: | - added :ref:`ignore_path_parameters_in_path_matching `. When set to true, path-parameters(rfc1808) is ignored during path matching. + added :ref:`ignore_path_parameters_in_path_matching `. When set to true, path-parameters(`rfc1808 `_) is ignored during path matching. deprecated: - area: dubbo_proxy change: | deprecated :ref:`old dubbo route config `. Please use :ref:`multiple route config ` or - :ref:`multiple route config ` first. + :ref:`DRDS ` first. - area: http change: | - deprecated ``envoy.reloadable_features.skip_dispatching_frames_for_closed_connection`` and legacy code paths. - change: | - deprecate the short name ``preserve_case`` for the header formatter extension in favor of the fully-qualified name + deprecated the short name ``preserve_case`` for the header formatter extension in favor of the fully-qualified name ``envoy.http.stateful_header_formatters.preserve_case``. - change: | - deprecated ``envoy.reloadable_features.udp_listener_updates_filter_chain_in_place`` and legacy code paths. - area: matching change: | - :ref:`google_re2 ` has been deprecated. + :ref:`google_re2 ` has been deprecated. A default regex engine can be set using :ref:`default_regex_engine `. - area: redis change: | - :ref:`downstream_auth_password ` has been deprecated. Please use + deprecated :ref:`downstream_auth_password `. Please use :ref:`downstream_auth_passwords `. - area: lua change: | - :ref:`inline_code ` has been deprecated. Please use + deprecated :ref:`inline_code `. Please use :ref:`default_source_code `. diff --git a/docs/root/configuration/http/http_filters/lua_filter.rst b/docs/root/configuration/http/http_filters/lua_filter.rst index 9ed78e36b0fff..a2c35f2e6b9ef 100644 --- a/docs/root/configuration/http/http_filters/lua_filter.rst 
+++ b/docs/root/configuration/http/http_filters/lua_filter.rst @@ -515,6 +515,8 @@ High resolution timestamp function. *format* is an optional enum parameter to in *EnvoyTimestampResolution.MILLISECOND* is supported The function returns timestamp in milliseconds since epoch by default if format is not set. +.. _config_http_filters_lua_stream_handle_api_timestamp_string: + timestampString() ^^^^^^^^^^^^^^^^^
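Review bot: in the `@@ -133,6 +130,9 @@` hunk, the relocated tcp_proxy entry is worded as a feature ("added support for command operators in TunnelingConfig hostname") but now sits under minor_behavior_changes, and it does not say what changes for an existing configuration. If a hostname value that already contains operator syntax is now evaluated rather than sent literally, state that in the entry; if nothing changes for existing configs, new_features looks like the better section.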
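Review bot: in the `@@ -144,31 +144,31 @@` hunk, the CVE-2022-29225 entry still reads "susceptible to memory inflation in takes in which"; "in takes" looks like a typo for "in cases" and sits in the same entry whose first line is being edited, so fix it in this pass. In the same hunk the CVE-2022-29226 entry describes the flaw in the present tense ("the current implementation assumes that access tokens are always validated"), which under a "fixed" entry reads as if the bypass is still there; past tense would remove the ambiguity.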
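Review bot: in the `@@ -213,11 +213,17 @@` hunk, the new removed_config_or_runtime entry uses `area: udp listener` with a space, while every other area visible in this file is a single underscore-joined token (tcp_proxy, health_check, dns_resolver, access_log). Suggest `udp_listener`, or whichever token the project already uses for this area, so the area names stay uniform for anything that groups entries by them.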
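Review bot: in the `@@ -234,6 +240,7 @@` hunk, the dns_resolver entry that ends just above the added `- area: dns_resolver` line names ``envoy.restart_features.remove_runtime_singleton`` as the runtime guard for the multiple-address behavior. That is the same flag the removed_config_or_runtime section lists as the replacement for ``no_runtime_singleton``, so it looks like a copy/paste slip; please confirm the guard name. The same sentence opens a parenthesis at "(see detailed documentation" and never closes it.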
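Review bot: in the `@@ -265,16 +272,16 @@` hunk, the rewritten thrift line carries the misspelling "propogating" over from the old text ("added support for propogating connection draining"); it should be "propagating". Since the new sentence says the behavior "can be enabled" by setting ``envoy.reloadable_features.thrift_connection_draining`` to true, it would also help to say outright that it is off by default.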
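Review bot: in the `@@ -296,9 +303,6 @@` hunk, the build entry "official released binary is now built with Clang 14.0.0" is deleted and none of the visible hunks re-add it elsewhere. If the release binary is still built with that compiler, the toolchain change is worth keeping in the notes for anyone tracking how the published artifacts are produced; if the removal is intentional, say why in the commit message.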
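Review bot: in the `@@ -339,30 +343,26 @@` hunk, the redis and lua entries are reworded to lead with "deprecated :ref:...", but the matching entry keeps the old shape (":ref:`google_re2 ` has been deprecated.") and only gains a second sentence. Reword it to "deprecated :ref:`google_re2 `. A default regex engine can be set using ..." so the whole deprecated section follows one pattern. In the router entry of the same hunk, "path-parameters(`rfc1808 `_) is ignored" needs a space before the parenthesis and "are ignored".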