listener: filter chain selection based on destination IP/port. #3851
mattklein123 merged 10 commits into envoyproxy:master from
*Risk Level*: Medium
*Testing*: bazel test //test/...
*Docs Changes*: Minimal
*Release Notes*: Added

Signed-off-by: Piotr Sikora <piotrsikora@google.com>
| } | ||
|
|
||
| void ListenerImpl::addFilterChainForDestinationPorts( | ||
| DestinationPortsMap& destination_ports_map, uint16_t destination_port, |
filter_chains_ is converted to destination_ports_map?
Not converted, filter_chains_ is of the DestinationPortsMap type.
is it possible to rename it for clarity? :).
| filter_chain_match.application_protocols().end()); | ||
|
|
||
| addFilterChain(server_names, filter_chain_match.transport_protocol(), application_protocols, | ||
| addFilterChain(filter_chain_match.destination_port().value(), destination_ips, server_names, |
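Review bot: `filter_chain_match.destination_port().value()` reads the wrapped port without checking `has_destination_port()`, so the "unset means any port" rule is only visible to someone who knows the wrapper's default; spell it out with `PROTOBUF_GET_WRAPPED_OR_DEFAULT(filter_chain_match, destination_port, 0)` as the rest of the codebase does, and state in the `addFilterChain()` comment that port 0 denotes no destination port requirement.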
what if destination_port is missing?
It's 0 by default.
Omitting those fields in configuration didn't affect existing tests, and we have pretty good coverage there.
Other places in the codebase use PROTOBUF_GET_WRAPPED_OR_DEFAULT() for this behavior. I think this is a special case because the default for this type is 0, but it feels weird to me to get thing() when has_thing() == false.
rshriram left a comment:
Looks good. Thanks for the PR.
ggreenway left a comment:
This looks great overall. A few minor nits.
Also, I didn't see a test for clients connecting via UDS; please add one (or point me to it if I missed it).
| std::vector<std::pair<ServerNamesMapSharedPtr, std::vector<Network::Address::CidrRange>>> list; | ||
| for (const auto& entry : destination_ips_map) { | ||
| std::vector<Network::Address::CidrRange> subnets; | ||
| if (entry.first == EMPTY_STRING) { |
Done, although I feel that the old check was a bit more correct, since we're checking if it's the map[EMPTY_STRING] entry.
Oh, right, I forgot that's what it is doing. In that case, I'd be ok with putting it back to how you had it.
| } | ||
| } | ||
| destination_ips_pair.second.reset( | ||
| new Network::LcTrie::LcTrie<ServerNamesMapSharedPtr>(list, true)); |
|
|
||
| // Use invalid IP address (matching only filter chains without IP requirements) for UDS. | ||
| if (address->type() != Network::Address::Type::Ip) { | ||
| address = Network::Utility::parseInternetAddress("255.255.255.255"); |
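Review bot: the comment above the UDS fallback says 255.255.255.255 matches only filter chains without IP requirements, but it is a valid IPv4 address, so a chain whose destination IP ranges include 0.0.0.0/0 (or any range covering 255.255.255.255) will be selected for UDS clients through the LcTrie lookup; either route non-IP addresses straight to the no-IP entry without consulting the trie, or rewrite the comment to state that caveat. Separately, `parseInternetAddress()` parses and allocates on every non-IP accept; a function-local `static const` address would avoid that per-connection cost.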
Can we create a static object to use for this, instead of parsing and allocating for each connection?
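An added example, written for this page and not Envoy's code or anything from this PR, modeling the selection the thread is discussing: destination port first, then destination IP by longest prefix, with UDS connections handled explicitly beside the placeholder-address approach taken in the diff. All type names, function names and the sample listener configuration are constructed for illustration; the real lookup also matches server names and protocols and uses LcTrie rather than a linear scan.

```cpp
// Added example, not Envoy's code: a minimal model of filter chain selection by
// destination port and destination IP. All names and values are constructed.
#include <cstdint>
#include <optional>
#include <sstream>
#include <string>
#include <vector>

struct Cidr { uint32_t addr; int prefix; };  // IPv4 only; addr in host byte order

// Parse "a.b.c.d" into a host-order uint32_t; nullopt on malformed input.
std::optional<uint32_t> parseIPv4(const std::string& s) {
  std::istringstream in(s);
  std::string octet;
  uint32_t result = 0;
  int count = 0;
  while (std::getline(in, octet, '.')) {
    if (octet.empty() || octet.size() > 3 || octet.find_first_not_of("0123456789") != std::string::npos) return std::nullopt;
    int value = std::stoi(octet);
    if (value > 255) return std::nullopt;
    result = (result << 8) | static_cast<uint32_t>(value);
    ++count;
  }
  if (count != 4) return std::nullopt;
  return result;
}

// Parse "a.b.c.d/n" into a Cidr; nullopt on malformed input or a prefix longer than 32.
std::optional<Cidr> parseCidr(const std::string& s) {
  auto slash = s.find('/');
  if (slash == std::string::npos) return std::nullopt;
  auto ip = parseIPv4(s.substr(0, slash));
  std::string len = s.substr(slash + 1);
  if (!ip || len.empty() || len.size() > 2 || len.find_first_not_of("0123456789") != std::string::npos) return std::nullopt;
  int prefix = std::stoi(len);
  if (prefix > 32) return std::nullopt;
  return Cidr{*ip, prefix};
}

// True when ip lies inside the range; a /0 range covers every IPv4 address.
bool cidrContains(const Cidr& c, uint32_t ip) {
  if (c.prefix == 0) return true;
  uint32_t mask = c.prefix == 32 ? 0xFFFFFFFFu : ~((1u << (32 - c.prefix)) - 1u);
  return (ip & mask) == (c.addr & mask);
}

struct FilterChain {
  std::string name;
  uint16_t destination_port;          // 0 means "no destination port requirement"
  std::vector<Cidr> destination_ips;  // empty means "no destination IP requirement"
};

// Destination of an accepted connection; a UDS address has no IP and port 0.
struct Destination { std::optional<uint32_t> ip; uint16_t port; };

// Pick the most specific matching chain: an exact port match outranks the port
// wildcard, and within that the longest matching prefix outranks shorter ones and
// the IP wildcard. Returns "" when nothing matches. Simplified linear scan: server
// names and protocols are ignored and no trie is used.
std::string selectChain(const std::vector<FilterChain>& chains, const Destination& dst) {
  std::string best;
  int best_score = -1;
  for (const auto& chain : chains) {
    int score = 0;
    if (chain.destination_port != 0) {
      if (chain.destination_port != dst.port) continue;
      score += 1000;  // exact port beats any IP specificity under the wildcard port
    }
    if (!chain.destination_ips.empty()) {
      if (!dst.ip) continue;  // UDS client: chains with IP requirements never match
      int longest = -1;
      for (const auto& cidr : chain.destination_ips) {
        if (cidrContains(cidr, *dst.ip) && cidr.prefix > longest) longest = cidr.prefix;
      }
      if (longest < 0) continue;
      score += longest + 1;  // /0 scores 1 ... /32 scores 33; IP wildcard scores 0
    }
    if (score > best_score) { best = chain.name; best_score = score; }
  }
  return best;
}

// The placeholder-address approach from the diff, modeled for comparison: a UDS
// client is given 255.255.255.255 and sent through the IP match. A chain whose
// range is 0.0.0.0/0 (or otherwise covers that address) then matches it.
std::string selectChainWithPlaceholderIp(const std::vector<FilterChain>& chains, uint16_t port) {
  return selectChain(chains, Destination{parseIPv4("255.255.255.255"), port});
}

// Constructed listener configuration for the demonstration.
std::vector<FilterChain> sampleChains() {
  return {{"any", 0, {}},
          {"port-443", 443, {}},
          {"port-443-internal", 443, {*parseCidr("10.0.0.0/8")}},
          {"catch-all-ipv4", 0, {*parseCidr("0.0.0.0/0")}}};
}
```

With the sample configuration, an IPv4 client on 10.1.2.3:443 gets `port-443-internal`, a UDS client handled explicitly gets `any`, and the same UDS client run through `selectChainWithPlaceholderIp()` gets `catch-all-ipv4`, because its 0.0.0.0/0 range covers the placeholder address.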
| filter_chains_; | ||
| // Mapping of FilterChain's configured destination ports, IPs, server names, transport protocols | ||
| // and application protocols, using structures defined above. | ||
| DestinationPortsMap filter_chains_; |
Maybe rename to destination_ports_map_? I both like the current name, and dislike it. From a high level, filter_chains_ feels like the right name, but when reading the functions that use it, it is hard to follow. So, I'm not sure what I'm suggesting with this comment.
As I commented above, the code would read better if we simply called this destination_ports_map (in the filter chain match section, which is the crux of this entire thing).
| } | ||
| } | ||
|
|
||
| void ListenerImpl::finishFilterChain() { |
This function needs a more descriptive name. Maybe convert the comment above into the name:
// Convert DestinationIPsMap to DestinationIPsTrie for faster lookups.
Renamed to convertDestinationIPsMapToTrie().
I originally called it finishFilterChain(), since we'll need to convert more stuff in the future, if we're going to use LcTrie for source IPs, etc., but I guess we can rename it when needed.
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
@ggreenway all nits addressed. I'll add a test for UDS shortly (there isn't an explicit one, but since
This reverts commit 4cd5313. Signed-off-by: Piotr Sikora <piotrsikora@google.com>
force-pushed from 567bb68 to 019a602
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
@ggreenway tests for UDS clients added; they all fail (well, Envoy is crashing when calling
@ggreenway by "fake address workaround" I mean using
@PiotrSikora can you merge master to see if it fixes the flakes?
…chain_destination
@mattklein123 yay, flakes fixed!
I'm still digging into this, but it seems that the overhead of I'd rather not revert this right away (but it's understandable if that's going to happen) and try to figure out whether: cc @rshriram @mattklein123 @ggreenway @ccaraman @brian-pane @htuch
If I remember correctly, there's still a step in the If that's the problem, it's definitely fixable. I can set aside some time to work on it this weekend if nobody else gets to it first.
@brian-pane yeah, the leak appears to originate in
@brian-pane