Listener: Add listener filters.

DEPRECATED.md

@@ -14,7 +14,8 @@ The following features have been DEPRECATED and will be removed in the specified
   instead.
 * gRPC service configuration via the `cluster_names` field in `ApiConfigSource` is deprecated. Use
   `grpc_services` instead.
-
+* 'use_original_dst' field in the v2 LDS API is deprecated. Use listerner filters and filter chain
+  matching instead.
 
 ## Version 1.5.0
 

bazel/repository_locations.bzl

@@ -71,8 +71,8 @@ REPOSITORY_LOCATIONS = dict(
         urls = ["https://github.com/google/protobuf/archive/v3.5.0.tar.gz"],
     ),
     envoy_api = dict(
-        commit = "0811371f1738a2e5f0cb594b500e9db3b5bd8af8",
-        remote = "https://github.com/envoyproxy/data-plane-api",
+        commit = "362031f5b716b6019b1ec9c6df2bc41f0eec25a4",
+        remote = "https://github.com/jrajahalme/envoy-api",
     ),
     grpc_httpjson_transcoding = dict(
         commit = "e4f58aa07b9002befa493a0a82e10f2e98b51fc6",

include/envoy/event/dispatcher.h

@@ -38,6 +38,16 @@ class Dispatcher {
    */
   virtual void clearDeferredDeleteList() PURE;
 
+  /**
+   * Create a server connection.
+   * @param socket supplies an open file descriptor and connection metadata to use for the
+   *        connection. Takes ownership of the socket.
+   * @param ssl_ctx supplies the SSL context to use, if not nullptr.
+   * @return Network::ConnectionPtr a server connection that is owned by the caller.
+   */
+  virtual Network::ConnectionPtr createServerConnection(Network::ConnectionSocketPtr&& socket,
+                                                        Ssl::Context* ssl_ctx) PURE;
+
   /**
    * Create a client connection.
    * @param address supplies the address to connect to.
@@ -78,32 +88,16 @@ class Dispatcher {
 
   /**
    * Create a listener on a specific port.
-   * @param conn_handler supplies the handler for connections received by the listener
-   * @param socket supplies the socket to listen on.
-   * @param cb supplies the callbacks to invoke for listener events.
-   * @param scope supplies the Stats::Scope to use.
-   * @param listener_options listener configuration options.
-   * @return Network::ListenerPtr a new listener that is owned by the caller.
-   */
-  virtual Network::ListenerPtr
-  createListener(Network::ConnectionHandler& conn_handler, Network::ListenSocket& socket,
-                 Network::ListenerCallbacks& cb, Stats::Scope& scope,
-                 const Network::ListenerOptions& listener_options) PURE;
-
-  /**
-   * Create a listener on a specific port.
-   * @param conn_handler supplies the handler for connections received by the listener
-   * @param ssl_ctx supplies the SSL context to use.
    * @param socket supplies the socket to listen on.
    * @param cb supplies the callbacks to invoke for listener events.
-   * @param scope supplies the Stats::Scope to use.
-   * @param listener_options listener configuration options.
+   * @param bind_to_port controls whether the listener binds to a transport port or not.
+   * @param hand_off_restored_destinations controls whether the listener searches for another
+   *        listener after restoring the destination address of a new connection.
    * @return Network::ListenerPtr a new listener that is owned by the caller.
    */
-  virtual Network::ListenerPtr
-  createSslListener(Network::ConnectionHandler& conn_handler, Ssl::ServerContext& ssl_ctx,
-                    Network::ListenSocket& socket, Network::ListenerCallbacks& cb,
-                    Stats::Scope& scope, const Network::ListenerOptions& listener_options) PURE;
+  virtual Network::ListenerPtr createListener(Network::ListenSocket& socket,
+                                              Network::ListenerCallbacks& cb, bool bind_to_port,
+                                              bool hand_off_restored_destinations) PURE;
 
   /**
    * Allocate a timer. @see Event::Timer for docs on how to use the timer.

include/envoy/network/BUILD

@@ -73,6 +73,7 @@ envoy_cc_library(
 envoy_cc_library(
     name = "listener_interface",
     hdrs = ["listener.h"],
+    deps = ["//include/envoy/network:listen_socket_interface"],
 )
 
 envoy_cc_library(

include/envoy/network/connection.h

@@ -207,10 +207,10 @@ class Connection : public Event::DeferredDeletable, public FilterManager {
   virtual uint32_t bufferLimit() const PURE;
 
   /**
-   * @return boolean telling if the connection's local address is an original destination address,
-   * rather than the listener's address.
+   * @return boolean telling if the connection's local address has been restored to an original
+   *         destination address, rather than the address the connection was accepted at.
    */
-  virtual bool usingOriginalDst() const PURE;
+  virtual bool localAddressRestored() const PURE;
 
   /**
    * @return boolean telling if the connection is currently above the high watermark.

include/envoy/network/connection_handler.h

@@ -26,28 +26,9 @@ class ConnectionHandler {
 
   /**
    * Adds listener to the handler.
-   * @param factory supplies the configuration factory for new connections.
-   * @param socket supplies the already bound socket to listen on.
-   * @param scope supplies the stats scope to use for listener specific stats.
-   * @param listener_tag supplies an opaque tag that can be used to stop or remove the listener.
-   * @param listener_options listener configuration options.
+   * @param config listener configuration options.
    */
-  virtual void addListener(Network::FilterChainFactory& factory, Network::ListenSocket& socket,
-                           Stats::Scope& scope, uint64_t listener_tag,
-                           const Network::ListenerOptions& listener_options) PURE;
-
-  /**
-   * Adds listener to the handler.
-   * @param factory supplies the configuration factory for new connections.
-   * @param socket supplies the already bound socket to listen on.
-   * @param scope supplies the stats scope to use for listener specific stats.
-   * @param listener_tag supplies an opaque tag that can be used to stop or remove the listener.
-   * @param listener_options listener configuration options.
-   */
-  virtual void addSslListener(Network::FilterChainFactory& factory, Ssl::ServerContext& ssl_ctx,
-                              Network::ListenSocket& socket, Stats::Scope& scope,
-                              uint64_t listener_tag,
-                              const Network::ListenerOptions& listener_options) PURE;
+  virtual void addListener(ListenerConfig& config) PURE;
 
   /**
    * Find a listener based on the provided listener address value.

include/envoy/network/filter.h

@@ -9,6 +9,7 @@ namespace Envoy {
 namespace Network {
 
 class Connection;
+class ConnectionSocket;
 
 /**
  * Status codes returned by filters that can cause future filters to not get iterated to.
@@ -147,6 +148,67 @@ class FilterManager {
   virtual bool initializeReadFilters() PURE;
 };
 
+/**
+ * Callbacks used by individual listener filter instances to communicate with the listener filter
+ * manager.
+ */
+class ListenerFilterCallbacks {
+public:
+  virtual ~ListenerFilterCallbacks() {}
+
+  /**
+   * @return ConnectionSocket the socket the filter is operating on.
+   */
+  virtual ConnectionSocket& socket() PURE;
+
+  /**
+   * @return the Dispatcher for issuing events.
+   */
+  virtual Event::Dispatcher& dispatcher() PURE;
+
+  /**
+   * If a filter stopped filter iteration by returning FilterStatus::StopIteration,
+   * the filter should call continueFilterChain(true) when complete to continue the filter chain,
+   * or continueFilterChain(false) if the filter execution failed and the connection must be
+   * closed.
+   * @param success boolean telling whether the filter execution was successful or not.
+   */
+  virtual void continueFilterChain(bool success) PURE;
+};
+
+/**
+ * Listener Filter
+ */
+class ListenerFilter {
+public:
+  virtual ~ListenerFilter() {}
+
+  /**
+   * Called when a new connection is accepted, but before a Connection is created.
+   * Filter chain iteration can be stopped if needed.
+   * @param cb the callbacks the filter instance can use to communicate with the filter chain.
+   * @return status used by the filter manager to manage further filter iteration.
+   */
+  virtual FilterStatus onAccept(ListenerFilterCallbacks& cb) PURE;
+};
+
+typedef std::unique_ptr<ListenerFilter> ListenerFilterPtr;
+
+/**
+ * Interface for filter callbacks and adding listener filters to a manager.
+ */
+class ListenerFilterManager {
+public:
+  virtual ~ListenerFilterManager() {}
+
+  /**
+   * Add a filter to the listener. Filters are invoked in FIFO order (the filter added
+   * first is called first).
+   * @param filter supplies the filter being added.
+   */
+  virtual void addAcceptFilter(ListenerFilterPtr&& filter) PURE;
+};
+
 /**
  * Creates a chain of network filters for a new connection.
  */
@@ -155,12 +217,19 @@ class FilterChainFactory {
   virtual ~FilterChainFactory() {}
 
   /**
-   * Called to create the filter chain.
+   * Called to create the network filter chain.
    * @param connection supplies the connection to create the chain on.
    * @return true if filter chain was created successfully. Otherwise
    *   false, e.g. filter chain is empty.
    */
-  virtual bool createFilterChain(Connection& connection) PURE;
+  virtual bool createNetworkFilterChain(Connection& connection) PURE;
+
+  /**
+   * Called to create the listener filter chain.
+   * @param listener supplies the listener to create the chain on.
+   * @return true if filter chain was created successfully. Otherwise false.
+   */
+  virtual bool createListenerFilterChain(ListenerFilterManager& listener) PURE;
 };
 
 } // namespace Network

include/envoy/network/listen_socket.h

@@ -34,5 +34,65 @@ class ListenSocket {
 typedef std::unique_ptr<ListenSocket> ListenSocketPtr;
 typedef std::shared_ptr<ListenSocket> ListenSocketSharedPtr;
 
+/**
+ * A socket passed to a connection. For server connections this represents the accepted socket, and
+ * for client connections this represents the socket being connected to a remote address.
+ *
+ * TODO(jrajahalme): Hide internals (e.g., fd) from listener filters by providing callbacks filters
+ * may need (set/getsockopt(), peek(), recv(), etc.)
+ */
+class ConnectionSocket {
+public:
+  virtual ~ConnectionSocket() {}
+
+  /**
+   * @return the local address of the socket.
+   */
+  virtual const Address::InstanceConstSharedPtr& localAddress() const PURE;
+
+  /**
+   * @return the remote address of the socket.
+   */
+  virtual const Address::InstanceConstSharedPtr& remoteAddress() const PURE;
+
+  /**
+   * Set the local address of the socket. On accepted sockets the local address defaults to the
+   * one at which the connection was received at, which is the same as the listener's address, if
+   * the listener is bound to a specific address.
+   *
+   * @param local_address the new local address.
+   * @param restored a flag marking the local address as being restored to a value that is
+   *        different from the one the socket was initially accepted at. This should only be set
+   *        to 'true' when restoring the original destination address of a connection redirected
+   *        by iptables REDIRECT. The caller is responsible for making sure the new address is
+   *        actually different when passing restored as 'true'.
+   */
+  virtual void setLocalAddress(const Address::InstanceConstSharedPtr& local_address,
+                               bool restored = false) PURE;
+
+  /**
+   * Set the remote address of the socket.
+   */
+  virtual void setRemoteAddress(const Address::InstanceConstSharedPtr& remote_address) PURE;
+
+  /**
+   * @return true if the local address has been restored to a value that is different from the
+   *         address the socket was initially accepted at.
+   */
+  virtual bool localAddressRestored() const PURE;
+
+  /**
+   * @return fd the socket's file descriptor.
+   */
+  virtual int fd() const PURE;
+
+  /**
+   * Close the underlying socket.
+   */
+  virtual void close() PURE;
+};
+
+typedef std::unique_ptr<ConnectionSocket> ConnectionSocketPtr;
+
 } // namespace Network
 } // namespace Envoy

include/envoy/network/listener.h

@@ -6,39 +6,12 @@
 
 #include "envoy/common/exception.h"
 #include "envoy/network/connection.h"
+#include "envoy/network/listen_socket.h"
 #include "envoy/ssl/context.h"
 
 namespace Envoy {
 namespace Network {
 
-/**
- * Listener configurations options.
- */
-struct ListenerOptions {
-  // Specifies if the listener should actually bind to the port. A listener that doesn't bind can
-  // only receive connections redirected from other listeners that set use_origin_dst_ to true.
-  bool bind_to_port_;
-  // Whether to use the PROXY Protocol V1
-  // (http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt)
-  bool use_proxy_proto_;
-  // If a connection was redirected to this port using iptables, allow the listener to hand it off
-  // to the listener associated to the original port.
-  bool use_original_dst_;
-  // Soft limit on size of the listener's new connection read and write buffers.
-  uint32_t per_connection_buffer_limit_bytes_;
-
-  /**
-   * Factory for ListenerOptions with bind_to_port_ set.
-   * @return ListenerOptions object initialized with bind_to_port_ set.
-   */
-  static ListenerOptions listenerOptionsWithBindToPort() {
-    return {.bind_to_port_ = true,
-            .use_proxy_proto_ = false,
-            .use_original_dst_ = false,
-            .per_connection_buffer_limit_bytes_ = 0};
-  }
-};
-
 /**
  * A configuration for an individual listener.
  */
@@ -63,12 +36,6 @@ class ListenerConfig {
    */
   virtual Ssl::ServerContext* defaultSslContext() PURE;
 
-  /**
-   * @return bool whether to use the PROXY Protocol V1
-   * (http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt)
-   */
-  virtual bool useProxyProto() PURE;
-
   /**
    * @return bool specifies whether the listener should actually listen on the port.
    *         A listener that doesn't listen on a port can only receive connections
@@ -77,10 +44,12 @@ class ListenerConfig {
   virtual bool bindToPort() PURE;
 
   /**
-   * @return bool if a connection was redirected to this listener address using iptables,
-   *         allow the listener to hand it off to the listener associated to the original address
+   * @return bool if a connection should be handed off to another Listener after the original
+   *         destination address has been restored. 'true' when 'use_original_dst' flag in listener
+   *         configuration is set, false otherwise. Note that this flag will be removed from the v2
+   *         API.
    */
-  virtual bool useOriginalDst() PURE;
+  virtual bool handOffRestoredDestinations() const PURE;
 
   /**
    * @return uint32_t providing a soft limit on size of the listener's new connection read and write
@@ -96,7 +65,7 @@ class ListenerConfig {
   /**
    * @return uint64_t the tag the listener should use for connection handler tracking.
    */
-  virtual uint64_t listenerTag() PURE;
+  virtual uint64_t listenerTag() const PURE;
 
   /**
    * @return const std::string& the listener's name.
@@ -111,6 +80,16 @@ class ListenerCallbacks {
 public:
   virtual ~ListenerCallbacks() {}
 
+  /**
+   * Called when a new connection is accepted.
+   * @param socket supplies the socket that is moved into the callee.
+   * @param redirected is true when the socket was first accepted by another listener
+   * and is redirected to a new listener. The recipient should not redirect
+   * the socket any further.
+   */
+  virtual void onAccept(ConnectionSocketPtr&& socket,
+                        bool hand_off_restored_destinations = true) PURE;
+
   /**
    * Called when a new connection is accepted.
    * @param new_connection supplies the new connection that is moved into the callee.

include/envoy/network/transport_socket.h

@@ -40,7 +40,7 @@ class TransportSocketCallbacks {
   /**
    * @return int the file descriptor associated with the connection.
    */
-  virtual int fd() PURE;
+  virtual int fd() const PURE;
 
   /**
    * @return Network::Connection& the connection interface.