envoyproxy · mattklein123 · May 31, 2019 · May 23, 2019 · May 24, 2019 · May 24, 2019
diff --git a/api/envoy/api/v2/listener/listener.proto b/api/envoy/api/v2/listener/listener.proto
@@ -64,6 +64,8 @@ message Filter {
 // 4. Transport protocol.
 // 5. Application protocols (e.g. ALPN for TLS protocol).
 // 6. Source type (e.g. any, local or external network).
+// 7. Source IP address.
+// 8. Source port.
 //
 // For criteria that allow ranges or wildcards, the most specific value in any
 // of the configured filter chains that matches the incoming connection is going
@@ -108,14 +110,12 @@ message FilterChainMatch {
   // connection is contained in at least one of the specified subnets. If the
   // parameter is not specified or the list is empty, the source IP address is
   // ignored.
-  // [#not-implemented-hide:]
   repeated core.CidrRange source_prefix_ranges = 6;
 
   // The criteria is satisfied if the source port of the downstream connection
   // is contained in at least one of the specified ports. If the parameter is
   // not specified, the source port is ignored.
-  // [#not-implemented-hide:]
-  repeated google.protobuf.UInt32Value source_ports = 7;
+  repeated uint32 source_ports = 7 [(validate.rules).repeated .items.uint32 = {gte: 1, lte: 65535}];
 
   // If non-empty, a list of server names (e.g. SNI for TLS protocol) to consider when determining
   // a filter chain match. Those values will be compared against the server names of a new

diff --git a/api/envoy/config/filter/network/tcp_proxy/v2/tcp_proxy.proto b/api/envoy/config/filter/network/tcp_proxy/v2/tcp_proxy.proto
@@ -30,25 +30,11 @@ message TcpProxy {
 
     // The upstream cluster to connect to.
     //
-    // .. note::
-    //
-    //  Complex routing (based on connection properties) is being implemented in listeners. Once
-    //  fully implemented, this field (or `weighted_clusters`) will be the only way to configure
-    //  the target cluster. In the interim, complex routing requires using a :ref:`deprecated_v1
-    //  <envoy_api_field_config.filter.network.tcp_proxy.v2.TcpProxy.deprecated_v1>` configuration.
-    //  This field is ignored if a `deprecated_v1` configuration is set.
-    //
     string cluster = 2;
 
     // Multiple upstream clusters can be specified for a given route. The
     // request is routed to one of the upstream clusters based on weights
     // assigned to each cluster.
-    //
-    // .. note::
-    //
-    //  This field is ignored if the :ref:`deprecated_v1
-    //  <envoy_api_field_config.filter.network.tcp_proxy.v2.TcpProxy.deprecated_v1>`
-    //  configuration is set.
     WeightedCluster weighted_clusters = 10;
   }
 
@@ -79,9 +65,8 @@ message TcpProxy {
   // emitted by the this tcp_proxy.
   repeated envoy.config.filter.accesslog.v2.AccessLog access_log = 5;
 
-  // TCP Proxy filter configuration using V1 format, until Envoy gets the
-  // ability to match source/destination at the listener level (called
-  // :ref:`filter chain match <envoy_api_msg_listener.FilterChainMatch>`).
+  // [#not-implemented-hide:] Deprecated.
+  // TCP Proxy filter configuration using V1 format.
   message DeprecatedV1 {
     // A TCP proxy route consists of a set of optional L4 criteria and the
     // name of a cluster. If a downstream connection matches all the
@@ -134,46 +119,8 @@ message TcpProxy {
     repeated TCPRoute routes = 1 [(validate.rules).repeated .min_items = 1];
   }
 
-  // TCP Proxy filter configuration using deprecated V1 format. This is required for complex
-  // routing until filter chain matching in the listener is implemented.
-  //
-  // Example:
-  //
-  // .. code-block:: yaml
-  //
-  //     - name: "envoy.tcp_proxy"
-  //       config:
-  //         deprecated_v1: true
-  //         value:
-  //           stat_prefix: "prefix"
-  //           access_log:
-  //             - ...
-  //           route_config:
-  //             routes:
-  //               - cluster: "cluster"
-  //                 destination_ip_list:
-  //                   - "10.1.0.0/8"
-  //                 destination_ports: "8080"
-  //                 source_ip_list:
-  //                   - "10.1.0.0/16"
-  //                   - "2001:db8::/32"
-  //                 source_ports: "8000,9000-9999"
-  //
-  // .. attention::
-  //
-  //   Using the deprecated V1 configuration excludes the use of any V2 configuration options. Only
-  //   the V1 configuration is used. All available fields are shown in the example, although the
-  //   access log configuration is omitted for simplicity. The access log configuration uses the
-  //   :repo:`deprecated V1 access log configuration<source/common/json/config_schemas.cc>`.
-  //
-  // .. attention::
-  //
-  //   In the deprecated V1 configuration, source and destination CIDR ranges are specified as a
-  //   list of strings with each string in CIDR notation. Source and destination ports are
-  //   specified as single strings containing a comma-separated list of ports and/or port ranges.
-  //
-  // Deprecation pending https://github.com/envoyproxy/envoy/issues/4457
-  DeprecatedV1 deprecated_v1 = 6;
+  // [#not-implemented-hide:] Deprecated.
+  DeprecatedV1 deprecated_v1 = 6 [deprecated = true];
 
   // The maximum number of unsuccessful connection attempts that will be made before
   // giving up. If the parameter is not specified, 1 connection attempt will be made.

diff --git a/docs/root/intro/deprecated.rst b/docs/root/intro/deprecated.rst
@@ -15,6 +15,9 @@ Version 1.11.0 (Pending)
 * The --max-stats and --max-obj-name-len flags no longer has any effect.
 * Use of :ref:`cluster <envoy_api_field_config.filter.network.redis_proxy.v2.RedisProxy.cluster>` in :ref:`redis_proxy.proto <envoy_api_file_envoy/config/filter/network/redis_proxy/v2/redis_proxy.proto>` is deprecated. Set a :ref:`catch_all_cluster <envoy_api_field_config.filter.network.redis_proxy.v2.RedisProxy.PrefixRoutes.catch_all_cluster>` instead.
 * Use of json based schema in router check tool tests. The tests should follow validation :repo:`schema<test/tools/router_check/validation.proto>`.
+* Use of the v1 style route configuration for the :ref:`TCP proxy filter <config_network_filters_tcp_proxy>`
+  is now fully replaced with listener :ref:`filter chain matching <envoy_api_msg_listener.FilterChainMatch>`.
+  Use this instead.
 * Use of :ref:`runtime <envoy_api_field_config.bootstrap.v2.Bootstrap.runtime>` in :ref:`Bootstrap
   <envoy_api_msg_config.bootstrap.v2.Bootstrap>`. Use :ref:`layered_runtime
   <envoy_api_field_config.bootstrap.v2.Bootstrap.layered_runtime>` instead.

diff --git a/docs/root/intro/version_history.rst b/docs/root/intro/version_history.rst
@@ -25,6 +25,9 @@ Version history
 * http: mitigated a race condition with the :ref:`delayed_close_timeout<envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.delayed_close_timeout>` where it could trigger while actively flushing a pending write buffer for a downstream connection.
 * http: changed `sendLocalReply` to send percent-encoded `GrpcMessage`.
 * jwt_authn: make filter's parsing of JWT more flexible, allowing syntax like ``jwt=eyJhbGciOiJS...ZFnFIw,extra=7,realm=123``
+* listener: added :ref:`source IP <envoy_api_field_listener.FilterChainMatch.source_prefix_ranges>`
+  and :ref:`source port <envoy_api_field_listener.FilterChainMatch.source_ports>` filter
+  chain matching.
 * original_src filter: added the :ref:`filter<config_http_filters_original_src>`.
 * rbac: migrated from v2alpha to v2.
 * redis: add support for Redis cluster custom cluster type.

diff --git a/source/common/network/utility.cc b/source/common/network/utility.cc
@@ -332,27 +332,30 @@ bool Utility::isLoopbackAddress(const Address::Instance& address) {
 }
 
 Address::InstanceConstSharedPtr Utility::getCanonicalIpv4LoopbackAddress() {
-  // Initialized on first call in a thread-safe manner.
-  static Address::InstanceConstSharedPtr loopback(new Address::Ipv4Instance("127.0.0.1", 0));
-  return loopback;
+  CONSTRUCT_ON_FIRST_USE(Address::InstanceConstSharedPtr,
+                         new Address::Ipv4Instance("127.0.0.1", 0));
 }
 
 Address::InstanceConstSharedPtr Utility::getIpv6LoopbackAddress() {
-  // Initialized on first call in a thread-safe manner.
-  static Address::InstanceConstSharedPtr loopback(new Address::Ipv6Instance("::1", 0));
-  return loopback;
+  CONSTRUCT_ON_FIRST_USE(Address::InstanceConstSharedPtr, new Address::Ipv6Instance("::1", 0));
 }
 
 Address::InstanceConstSharedPtr Utility::getIpv4AnyAddress() {
-  // Initialized on first call in a thread-safe manner.
-  static Address::InstanceConstSharedPtr any(new Address::Ipv4Instance(static_cast<uint32_t>(0)));
-  return any;
+  CONSTRUCT_ON_FIRST_USE(Address::InstanceConstSharedPtr,
+                         new Address::Ipv4Instance(static_cast<uint32_t>(0)));
 }
 
 Address::InstanceConstSharedPtr Utility::getIpv6AnyAddress() {
-  // Initialized on first call in a thread-safe manner.
-  static Address::InstanceConstSharedPtr any(new Address::Ipv6Instance(static_cast<uint32_t>(0)));
-  return any;
+  CONSTRUCT_ON_FIRST_USE(Address::InstanceConstSharedPtr,
+                         new Address::Ipv6Instance(static_cast<uint32_t>(0)));
+}
+
+const std::string& Utility::getIpv4CidrCatchAllAddress() {
+  CONSTRUCT_ON_FIRST_USE(std::string, "0.0.0.0/0");
+}
+
+const std::string& Utility::getIpv6CidrCatchAllAddress() {
+  CONSTRUCT_ON_FIRST_USE(std::string, "::/0");
 }
 
 Address::InstanceConstSharedPtr Utility::getAddressWithPort(const Address::Instance& address,

diff --git a/source/common/network/utility.h b/source/common/network/utility.h
@@ -179,6 +179,16 @@ class Utility {
    */
   static Address::InstanceConstSharedPtr getIpv6AnyAddress();
 
+  /**
+   * @return the IPv4 CIDR catch-all address (0.0.0.0/0).
+   */
+  static const std::string& getIpv4CidrCatchAllAddress();
+
+  /**
+   * @return the IPv6 CIDR catch-all address (::/0).
+   */
+  static const std::string& getIpv6CidrCatchAllAddress();
+
   /**
    * @param address IP address instance.
    * @param port to update.