http: removing the default trusted address list

Signed-off-by: Alyssa Wilk <alyssar@chromium.org>

api/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto

@@ -691,7 +691,7 @@ message HttpConnectionManager {
   // information about internal/external addresses.
   //
   // .. warning::
-  //     In the next release, no IP addresses will be considered trusted. If you have tooling such as probes
+  //     As of Envoy 1.33.0 no IP addresses will be considered trusted. If you have tooling such as probes
   //     on your private network which need to be treated as trusted (e.g. changing arbitrary x-envoy headers)
   //     you will have to manually include those addresses or CIDR ranges like:
   //

changelogs/current.yaml

@@ -2,6 +2,14 @@ date: Pending
 
 behavior_changes:
 # *Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required*
+- area: http
+  change: |
+    RFC1918 addresses are no longer considered to be internal addresses by default. This addresses a security
+    issue for Envoy's in multi-tenant mesh environments. Please explicit set :ref:`internal_address_config
+    <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.internal_address_config>` to retain the prior behavior.
+    This change can be temporarily reverted by setting runtime guard
+    ``envoy.reloadable_features.explicit_internal_address_config`` to ``false``.
+
 
 minor_behavior_changes:
 # *Changes that may cause incompatibilities for some users, but should not for most*

source/common/runtime/runtime_features.cc

@@ -45,6 +45,7 @@ RUNTIME_GUARD(envoy_reloadable_features_edf_lb_locality_scheduler_init_fix);
 RUNTIME_GUARD(envoy_reloadable_features_enable_compression_bomb_protection);
 RUNTIME_GUARD(envoy_reloadable_features_enable_include_histograms);
 RUNTIME_GUARD(envoy_reloadable_features_exclude_host_in_eds_status_draining);
+RUNTIME_GUARD(envoy_reloadable_features_explicit_internal_address_config);
 RUNTIME_GUARD(envoy_reloadable_features_ext_proc_timeout_error);
 RUNTIME_GUARD(envoy_reloadable_features_extend_h3_accept_untrusted);
 RUNTIME_GUARD(envoy_reloadable_features_filter_access_loggers_first);
@@ -155,8 +156,6 @@ FALSE_RUNTIME_GUARD(envoy_restart_features_xds_failover_support);
 FALSE_RUNTIME_GUARD(envoy_reloadable_features_dns_cache_set_ip_version_to_remove);
 // TODO(alyssawilk): evaluate and make this a config knob or remove.
 FALSE_RUNTIME_GUARD(envoy_reloadable_features_reset_brokenness_on_nework_change);
-// TODO(botengyao): this will be default true in the next release after this warning release.
-FALSE_RUNTIME_GUARD(envoy_reloadable_features_explicit_internal_address_config);
 
 // A flag to set the maximum TLS version for google_grpc client to TLS1.2, when needed for
 // compliance restrictions.