proxy_protocol_filter: Add configuration to match only specific proxy protocol versions, new stats

[nareddyt]

Commit Message:
proxy_protocol_filter: Configuration to match only specific proxy protocol versions, new stats

Additional Description:
Currently the Proxy Protocol Listener filter will try to match incoming connections against both proxy protocol v1 and v2 signatures. While this is convenient, it:

• Increases the attack surface of the filter.
• (when allow_requests_without_proxy_protocol is enabled) Increases the chance of signature conflicts between proxy protocol v1 requests and non-proxy protocol requests.

This change adds a new config option disallowed_versions that scopes down the set of proxy protocol versions that the filter matches. The configuration is optional and defaults to current behavior when not specified.

This change also adds new statistics per matched proxy protocol version. See doc update for details.

downstream_cx_proxy_proto.not_found_disallowed
downstream_cx_proxy_proto.not_found_allowed
downstream_cx_proxy_proto.v1.found
downstream_cx_proxy_proto.v1.disallowed
downstream_cx_proxy_proto.v1.error
downstream_cx_proxy_proto.v2.found
downstream_cx_proxy_proto.v2.disallowed
downstream_cx_proxy_proto.v2.error

Pre-existing stat downstream_cx_proxy_proto_error is kept at it's own scope for backwards-compatibility.

Risk Level: Low

• All client-facing behavior changes are guarded by new filter config field.
• Only default behavior change is incrementing new counters.

Testing:

• Extensive unit tests
• Some integration tests

Docs Changes:
Updated proto and filter docs

Release Notes:
Updated

Platform Specific Features:
N/A

Fixes #32425

[repokitteh-read-only]

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to (api/envoy/|docs/root/api-docs/).
envoyproxy/api-shepherds assignee is @markdroth
CC @envoyproxy/api-watchers: FYI only for changes made to (api/envoy/|docs/root/api-docs/).

🐱

Caused by: #32861 was opened by nareddyt.

see: more, trace.

[nareddyt]

/review @fzhong-connect

[repokitteh-read-only]

nareddyt is not a collaborator, thus allowed to assign users.

🐱

Caused by: a #32861 (comment) was created by @nareddyt.

see: more, trace.

[nareddyt]

cc @fzhong-connect @jaysonjdmello

[nareddyt]

@markdroth or @envoyproxy/api-shepherds PTAL, we have a question for you in the comments.

[nareddyt]

PTAL

[nareddyt]

/retest

[ggreenway]

/wait

[nareddyt]

/retest

[nareddyt]

Ready for review @ggreenway . Not sure how to re-run the flaky CI failure

[ggreenway]

This mostly LGTM, aside from these small details.

I'm going to be out for awhile starting tomorrow, so one of the other maintainers will need to finish review of this and get it merged.

/wait

[nareddyt]

This mostly LGTM, aside from these small details.

I'm going to be out for awhile starting tomorrow, so one of the other maintainers will need to finish review of this and get it merged.

Thanks @ggreenway . If you have time, feel free to review today. Slightly worried Github may not let other reviewers merge as the status checks say:

1 review requesting changes by reviewers with write access. Merging can be performed automatically once the requested changes are addressed.

But no worries if you have taken off already, I can ping other reviewers tomorrow. Thanks for the thorough feedback!

[nareddyt]

/retest

Comments were addressed