auto-merge envoyproxy/envoy[main] into envoyproxy/envoy-openssl[main]

* upstream/main: syscalls: minor refactor, adding coverage (#36075) quic: Adding QUIC listener option to reject new connections (#36070) rlqs: Implement RLQS stream restarts if the stream goes down mid-use. (#36170) bump googleapis (#36182) docs: update owners to reflect RedHat access (#36183) formatter: removing exceptions from substitution format string (#36168) route: use reference wrapper for get all filter config (#36079)
envoyproxy · Sep 18, 2024 · 5862c3d · 5862c3d
2 parents 6a1f8d7 + c9ae398
commit 5862c3d
Show file tree

Hide file tree

Showing 48 changed files with 345 additions and 249 deletions.
diff --git a/OWNERS.md b/OWNERS.md
@@ -76,7 +76,6 @@ without further review.
 
 * All senior maintainers
 * Tony Allen ([tonya11en](https://github.com/tonya11en)) (tony@allen.gg)
-* Otto van der Schaaf ([oschaaf](https://github.com/oschaaf)) (oschaaf@redhat.com)
 * Tim Walsh ([twghu](https://github.com/twghu)) (twalsh@redhat.com)
 * Pradeep Rao ([pradeepcrao](https://github.com/pradeepcrao)) (pcrao@google.com)
 * Kateryna Nezdolii ([nezdolik](https://github.com/nezdolik)) (kateryna.nezdolii@gmail.com)

diff --git a/api/bazel/repository_locations.bzl b/api/bazel/repository_locations.bzl
@@ -79,9 +79,9 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "Google APIs",
         project_desc = "Public interface definitions of Google APIs",
         project_url = "https://github.com/googleapis/googleapis",
-        version = "114a745b2841a044e98cdbb19358ed29fcf4a5f1",
-        sha256 = "9b4e0d0a04a217c06b426aefd03b82581a9510ca766d2d1c70e52bb2ad4a0703",
-        release_date = "2023-01-10",
+        version = "fd52b5754b2b268bc3a22a10f29844f206abb327",
+        sha256 = "97fc354dddfd3ea03e7bf2ad74129291ed6fad7ff39d3bd8daec738a3672eb8a",
+        release_date = "2024-09-16",
         strip_prefix = "googleapis-{version}",
         urls = ["https://github.com/googleapis/googleapis/archive/{version}.tar.gz"],
         use_category = ["api"],

diff --git a/api/envoy/config/listener/v3/quic_config.proto b/api/envoy/config/listener/v3/quic_config.proto
@@ -25,7 +25,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: QUIC listener config]
 
 // Configuration specific to the UDP QUIC listener.
-// [#next-free-field: 13]
+// [#next-free-field: 14]
 message QuicProtocolOptions {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.api.v2.listener.QuicProtocolOptions";
@@ -94,4 +94,9 @@ message QuicProtocolOptions {
   // If not specified, no cmsg will be saved to QuicReceivedPacket.
   repeated core.v3.SocketCmsgHeaders save_cmsg_config = 12
       [(validate.rules).repeated = {max_items: 1}];
+
+  // If true, the listener will reject connection-establishing packets at the
+  // QUIC layer by replying with an empty version negotiation packet to the
+  // client.
+  bool reject_new_connections = 13;
 }
diff --git a/changelogs/current.yaml b/changelogs/current.yaml
@@ -248,6 +248,11 @@ new_features:
     QUIC server and client support certificate compression, which can in some cases reduce the number of round trips
     required to setup a connection. This change temporarily disabled by setting the runtime flag
     ``envoy.reloadable_features.quic_support_certificate_compression`` to ``false``.
+- area: quic
+  change: |
+    Added QUIC protocol option :ref:`reject_new_connections
+    <envoy_v3_api_field_config.listener.v3.QuicProtocolOptions.reject_new_connections>` to reject connection-establishing
+    packets at the QUIC layer.
 - area: tls
   change: |
     Added an extension point :ref:`custom_tls_certificate_selector

diff --git a/contrib/golang/filters/http/source/golang_filter.cc b/contrib/golang/filters/http/source/golang_filter.cc
@@ -1377,16 +1377,13 @@ void Filter::deferredDeleteRequest(HttpRequestInternal* req) {
 uint64_t Filter::getMergedConfigId() {
   Http::StreamFilterCallbacks* callbacks = decoding_state_.getFilterCallbacks();
 
+  auto id = config_->getConfigId();
+
   // get all of the per route config
   auto route_config_list = Http::Utility::getAllPerFilterConfig<FilterConfigPerRoute>(callbacks);
-
   ENVOY_LOG(debug, "golang filter route config list length: {}.", route_config_list.size());
-
-  auto id = config_->getConfigId();
-  for (auto it : route_config_list) {
-    ASSERT(it != nullptr, "route config should not be null");
-    auto route_config = *it;
-    id = route_config.getPluginConfigId(id, config_->pluginName());
+  for (const FilterConfigPerRoute& typed_config : route_config_list) {
+    id = typed_config.getPluginConfigId(id, config_->pluginName());
   }
 
   return id;

diff --git a/source/common/api/posix/os_sys_calls_impl.cc b/source/common/api/posix/os_sys_calls_impl.cc
@@ -109,9 +109,6 @@ bool OsSysCallsImpl::supportsUdpGro() const {
 #else
   static const bool is_supported = [] {
     int fd = ::socket(AF_INET, SOCK_DGRAM | SOCK_NONBLOCK, IPPROTO_UDP);
-    if (fd < 0) {
-      return false;
-    }
     int val = 1;
     bool result = (0 == ::setsockopt(fd, IPPROTO_UDP, UDP_GRO, &val, sizeof(val)));
     ::close(fd);
@@ -127,9 +124,6 @@ bool OsSysCallsImpl::supportsUdpGso() const {
 #else
   static const bool is_supported = [] {
     int fd = ::socket(AF_INET, SOCK_DGRAM | SOCK_NONBLOCK, IPPROTO_UDP);
-    if (fd < 0) {
-      return false;
-    }
     int optval;
     socklen_t optlen = sizeof(optval);
     bool result = (0 <= ::getsockopt(fd, IPPROTO_UDP, UDP_SEGMENT, &optval, &optlen));
@@ -160,9 +154,6 @@ bool OsSysCallsImpl::supportsIpTransparent(Network::Address::IpVersion ip_versio
   static constexpr auto transparent_supported = [](int family) {
     auto opt_tp = family == AF_INET ? ENVOY_SOCKET_IP_TRANSPARENT : ENVOY_SOCKET_IPV6_TRANSPARENT;
     int fd = ::socket(family, SOCK_DGRAM | SOCK_NONBLOCK, IPPROTO_UDP);
-    if (fd < 0) {
-      return false;
-    }
     int val = 1;
     bool result = (0 == ::setsockopt(fd, opt_tp.level(), opt_tp.option(), &val, sizeof(val)));
     ::close(fd);
@@ -348,9 +339,9 @@ SysCallBoolResult OsSysCallsImpl::socketTcpInfo([[maybe_unused]] os_fd_t sockfd,
     tcp_info->tcpi_snd_cwnd = unix_tcp_info.tcpi_snd_cwnd * mss;
   }
   return {!SOCKET_FAILURE(result), !SOCKET_FAILURE(result) ? 0 : errno};
-#endif
-
+#else
   return {false, EOPNOTSUPP};
+#endif
 }
 
 bool OsSysCallsImpl::supportsGetifaddrs() const { return true; }

diff --git a/source/common/formatter/substitution_format_string.h b/source/common/formatter/substitution_format_string.h
@@ -29,21 +29,21 @@ class SubstitutionFormatStringUtils {
    * Parse list of formatter configurations to commands.
    */
   template <class FormatterContext = HttpFormatterContext>
-  static std::vector<CommandParserBasePtr<FormatterContext>>
+  static absl::StatusOr<std::vector<CommandParserBasePtr<FormatterContext>>>
   parseFormatters(const FormattersConfig& formatters,
                   Server::Configuration::GenericFactoryContext& context) {
     std::vector<CommandParserBasePtr<FormatterContext>> commands;
     for (const auto& formatter : formatters) {
       auto* factory =
           Envoy::Config::Utility::getFactory<CommandParserFactoryBase<FormatterContext>>(formatter);
       if (!factory) {
-        throwEnvoyExceptionOrPanic(absl::StrCat("Formatter not found: ", formatter.name()));
+        return absl::InvalidArgumentError(absl::StrCat("Formatter not found: ", formatter.name()));
       }
       auto typed_config = Envoy::Config::Utility::translateAnyToFactoryConfig(
           formatter.typed_config(), context.messageValidationVisitor(), *factory);
       auto parser = factory->createCommandParserFromProto(*typed_config, context);
       if (!parser) {
-        throwEnvoyExceptionOrPanic(
+        return absl::InvalidArgumentError(
             absl::StrCat("Failed to create command parser: ", formatter.name()));
       }
       commands.push_back(std::move(parser));
@@ -56,26 +56,28 @@ class SubstitutionFormatStringUtils {
    * Generate a formatter object from config SubstitutionFormatString.
    */
   template <class FormatterContext = HttpFormatterContext>
-  static FormatterBasePtr<FormatterContext>
+  static absl::StatusOr<FormatterBasePtr<FormatterContext>>
   fromProtoConfig(const envoy::config::core::v3::SubstitutionFormatString& config,
                   Server::Configuration::GenericFactoryContext& context) {
     // Instantiate formatter extensions.
     auto commands = parseFormatters<FormatterContext>(config.formatters(), context);
+    RETURN_IF_NOT_OK_REF(commands.status());
     switch (config.format_case()) {
     case envoy::config::core::v3::SubstitutionFormatString::FormatCase::kTextFormat:
       return std::make_unique<FormatterBaseImpl<FormatterContext>>(
-          config.text_format(), config.omit_empty_values(), commands);
+          config.text_format(), config.omit_empty_values(), *commands);
     case envoy::config::core::v3::SubstitutionFormatString::FormatCase::kJsonFormat:
       return createJsonFormatter<FormatterContext>(
           config.json_format(), true, config.omit_empty_values(),
           config.has_json_format_options() ? config.json_format_options().sort_properties() : false,
-          commands);
-    case envoy::config::core::v3::SubstitutionFormatString::FormatCase::kTextFormatSource:
+          *commands);
+    case envoy::config::core::v3::SubstitutionFormatString::FormatCase::kTextFormatSource: {
+      auto data_source_or_error = Config::DataSource::read(config.text_format_source(), true,
+                                                           context.serverFactoryContext().api());
+      RETURN_IF_NOT_OK(data_source_or_error.status());
       return std::make_unique<FormatterBaseImpl<FormatterContext>>(
-          THROW_OR_RETURN_VALUE(Config::DataSource::read(config.text_format_source(), true,
-                                                         context.serverFactoryContext().api()),
-                                std::string),
-          config.omit_empty_values(), commands);
+          *data_source_or_error, config.omit_empty_values(), *commands);
+    }
     case envoy::config::core::v3::SubstitutionFormatString::FormatCase::FORMAT_NOT_SET:
       PANIC_DUE_TO_PROTO_UNSET;
     }

diff --git a/source/common/http/utility.h b/source/common/http/utility.h
@@ -2,6 +2,7 @@
 
 #include <chrono>
 #include <cstdint>
+#include <functional>
 #include <memory>
 #include <string>
 #include <vector>
@@ -572,19 +573,19 @@ const ConfigType* resolveMostSpecificPerFilterConfig(const Http::StreamFilterCal
  * and their lifetime is the same as the matched route.
  */
 template <class ConfigType>
-absl::InlinedVector<const ConfigType*, 4>
+absl::InlinedVector<std::reference_wrapper<const ConfigType>, 4>
 getAllPerFilterConfig(const Http::StreamFilterCallbacks* callbacks) {
   ASSERT(callbacks != nullptr);
 
-  absl::InlinedVector<const ConfigType*, 4> all_configs;
+  absl::InlinedVector<std::reference_wrapper<const ConfigType>, 4> all_configs;
 
   for (const auto* config : callbacks->perFilterConfigs()) {
     const ConfigType* typed_config = dynamic_cast<const ConfigType*>(config);
     if (typed_config == nullptr) {
       ENVOY_LOG_MISC(debug, "Failed to retrieve the correct type of route specific filter config");
       continue;
     }
-    all_configs.push_back(typed_config);
+    all_configs.push_back(*typed_config);
   }
 
   return all_configs;

diff --git a/source/common/local_reply/local_reply.cc b/source/common/local_reply/local_reply.cc
@@ -22,7 +22,9 @@ class BodyFormatter {
 
   BodyFormatter(const envoy::config::core::v3::SubstitutionFormatString& config,
                 Server::Configuration::GenericFactoryContext& context)
-      : formatter_(Formatter::SubstitutionFormatStringUtils::fromProtoConfig(config, context)),
+      : formatter_(THROW_OR_RETURN_VALUE(
+            Formatter::SubstitutionFormatStringUtils::fromProtoConfig(config, context),
+            Formatter::FormatterBasePtr<Formatter::HttpFormatterContext>)),
         content_type_(
             !config.content_type().empty() ? config.content_type()
             : config.format_case() ==

diff --git a/source/common/quic/active_quic_listener.cc b/source/common/quic/active_quic_listener.cc
@@ -37,14 +37,17 @@ ActiveQuicListener::ActiveQuicListener(
     EnvoyQuicCryptoServerStreamFactoryInterface& crypto_server_stream_factory,
     EnvoyQuicProofSourceFactoryInterface& proof_source_factory,
     QuicConnectionIdGeneratorPtr&& cid_generator, QuicConnectionIdWorkerSelector worker_selector,
-    EnvoyQuicConnectionDebugVisitorFactoryInterfaceOptRef debug_visitor_factory)
+    EnvoyQuicConnectionDebugVisitorFactoryInterfaceOptRef debug_visitor_factory,
+    bool reject_new_connections)
     : Server::ActiveUdpListenerBase(
           worker_index, concurrency, parent, *listen_socket,
           std::make_unique<Network::UdpListenerImpl>(
               dispatcher, listen_socket, *this, dispatcher.timeSource(),
               listener_config.udpListenerConfig()->config().downstream_socket_config()),
           &listener_config),
-      dispatcher_(dispatcher), version_manager_(quic::CurrentSupportedHttp3Versions()),
+      dispatcher_(dispatcher),
+      version_manager_(reject_new_connections ? quic::ParsedQuicVersionVector()
+                                              : quic::CurrentSupportedHttp3Versions()),
       kernel_worker_routing_(kernel_worker_routing),
       packets_to_read_to_connection_count_ratio_(packets_to_read_to_connection_count_ratio),
       crypto_server_stream_factory_(crypto_server_stream_factory),
@@ -264,7 +267,7 @@ ActiveQuicListenerFactory::ActiveQuicListenerFactory(
           PROTOBUF_GET_WRAPPED_OR_DEFAULT(config, packets_to_read_to_connection_count_ratio,
                                           DEFAULT_PACKETS_TO_READ_PER_CONNECTION)),
       receive_ecn_(Runtime::runtimeFeatureEnabled("envoy.reloadable_features.quic_receive_ecn")),
-      context_(context) {
+      context_(context), reject_new_connections_(config.reject_new_connections()) {
   const int64_t idle_network_timeout_ms =
       config.has_idle_timeout() ? DurationUtil::durationToMilliseconds(config.idle_timeout())
                                 : 300000;
@@ -434,7 +437,7 @@ ActiveQuicListenerFactory::createActiveQuicListener(
       listener_config, quic_config, kernel_worker_routing, enabled, quic_stat_names,
       packets_to_read_to_connection_count_ratio, receive_ecn_, crypto_server_stream_factory,
       proof_source_factory, std::move(cid_generator), worker_selector_,
-      connection_debug_visitor_factory_);
+      connection_debug_visitor_factory_, reject_new_connections_);
 }
 
 } // namespace Quic

diff --git a/source/common/quic/active_quic_listener.h b/source/common/quic/active_quic_listener.h
@@ -41,7 +41,8 @@ class ActiveQuicListener : public Envoy::Server::ActiveUdpListenerBase,
                      EnvoyQuicProofSourceFactoryInterface& proof_source_factory,
                      QuicConnectionIdGeneratorPtr&& cid_generator,
                      QuicConnectionIdWorkerSelector worker_selector,
-                     EnvoyQuicConnectionDebugVisitorFactoryInterfaceOptRef debug_visitor_factory);
+                     EnvoyQuicConnectionDebugVisitorFactoryInterfaceOptRef debug_visitor_factory,
+                     bool reject_new_connections = false);
 
   ~ActiveQuicListener() override;
 
@@ -159,6 +160,7 @@ class ActiveQuicListenerFactory : public Network::ActiveUdpListenerFactory,
   QuicConnectionIdWorkerSelector worker_selector_;
   bool kernel_worker_routing_{};
   Server::Configuration::ServerFactoryContext& context_;
+  bool reject_new_connections_{};
 
   static bool disable_kernel_bpf_packet_routing_for_test_;
 };

diff --git a/source/common/tcp_proxy/tcp_proxy.cc b/source/common/tcp_proxy/tcp_proxy.cc
@@ -707,8 +707,10 @@ TunnelingConfigHelperImpl::TunnelingConfigHelperImpl(
   envoy::config::core::v3::SubstitutionFormatString substitution_format_config;
   substitution_format_config.mutable_text_format_source()->set_inline_string(
       config_message.tunneling_config().hostname());
-  hostname_fmt_ = Formatter::SubstitutionFormatStringUtils::fromProtoConfig(
-      substitution_format_config, context);
+  hostname_fmt_ =
+      THROW_OR_RETURN_VALUE(Formatter::SubstitutionFormatStringUtils::fromProtoConfig(
+                                substitution_format_config, context),
+                            Formatter::FormatterBasePtr<Formatter::HttpFormatterContext>);
 }
 
 std::string TunnelingConfigHelperImpl::host(const StreamInfo::StreamInfo& stream_info) const {

diff --git a/source/extensions/access_loggers/common/stream_access_log_common_impl.h b/source/extensions/access_loggers/common/stream_access_log_common_impl.h
@@ -18,8 +18,9 @@ createStreamAccessLogInstance(const Protobuf::Message& config, AccessLog::Filter
       MessageUtil::downcastAndValidate<const T&>(config, context.messageValidationVisitor());
   Formatter::FormatterPtr formatter;
   if (fal_config.access_log_format_case() == T::AccessLogFormatCase::kLogFormat) {
-    formatter =
-        Formatter::SubstitutionFormatStringUtils::fromProtoConfig(fal_config.log_format(), context);
+    formatter = THROW_OR_RETURN_VALUE(
+        Formatter::SubstitutionFormatStringUtils::fromProtoConfig(fal_config.log_format(), context),
+        Formatter::FormatterBasePtr<Formatter::HttpFormatterContext>);
   } else if (fal_config.access_log_format_case() ==
              T::AccessLogFormatCase::ACCESS_LOG_FORMAT_NOT_SET) {
     formatter = Formatter::HttpSubstitutionFormatUtils::defaultSubstitutionFormatter();

diff --git a/source/extensions/access_loggers/file/config.cc b/source/extensions/access_loggers/file/config.cc
@@ -35,7 +35,9 @@ FileAccessLogFactory::createAccessLogInstance(const Protobuf::Message& config,
     } else {
       envoy::config::core::v3::SubstitutionFormatString sff_config;
       sff_config.mutable_text_format_source()->set_inline_string(fal_config.format());
-      formatter = Formatter::SubstitutionFormatStringUtils::fromProtoConfig(sff_config, context);
+      formatter = THROW_OR_RETURN_VALUE(
+          Formatter::SubstitutionFormatStringUtils::fromProtoConfig(sff_config, context),
+          Formatter::FormatterBasePtr<Formatter::HttpFormatterContext>);
     }
     break;
   case envoy::extensions::access_loggers::file::v3::FileAccessLog::AccessLogFormatCase::kJsonFormat:
@@ -46,12 +48,15 @@ FileAccessLogFactory::createAccessLogInstance(const Protobuf::Message& config,
       kTypedJsonFormat: {
     envoy::config::core::v3::SubstitutionFormatString sff_config;
     *sff_config.mutable_json_format() = fal_config.typed_json_format();
-    formatter = Formatter::SubstitutionFormatStringUtils::fromProtoConfig(sff_config, context);
+    formatter = THROW_OR_RETURN_VALUE(
+        Formatter::SubstitutionFormatStringUtils::fromProtoConfig(sff_config, context),
+        Formatter::FormatterBasePtr<Formatter::HttpFormatterContext>);
     break;
   }
   case envoy::extensions::access_loggers::file::v3::FileAccessLog::AccessLogFormatCase::kLogFormat:
-    formatter =
-        Formatter::SubstitutionFormatStringUtils::fromProtoConfig(fal_config.log_format(), context);
+    formatter = THROW_OR_RETURN_VALUE(
+        Formatter::SubstitutionFormatStringUtils::fromProtoConfig(fal_config.log_format(), context),
+        Formatter::FormatterBasePtr<Formatter::HttpFormatterContext>);
     break;
   case envoy::extensions::access_loggers::file::v3::FileAccessLog::AccessLogFormatCase::
       ACCESS_LOG_FORMAT_NOT_SET:

diff --git a/source/extensions/access_loggers/fluentd/config.cc b/source/extensions/access_loggers/fluentd/config.cc
@@ -60,8 +60,10 @@ FluentdAccessLogFactory::createAccessLogInstance(const Protobuf::Message& config
   // payload.
   // TODO(ohadvano): Improve the formatting operation by creating a dedicated formatter that
   //                 will directly serialize the record to msgpack payload.
-  auto commands =
-      Formatter::SubstitutionFormatStringUtils::parseFormatters(proto_config.formatters(), context);
+  auto commands = THROW_OR_RETURN_VALUE(
+      Formatter::SubstitutionFormatStringUtils::parseFormatters(proto_config.formatters(), context),
+      std::vector<Formatter::CommandParserBasePtr<Formatter::HttpFormatterContext>>);
+
   Formatter::FormatterPtr json_formatter =
       Formatter::SubstitutionFormatStringUtils::createJsonFormatter(proto_config.record(), true,
                                                                     false, false, commands);

diff --git a/source/extensions/access_loggers/open_telemetry/config.cc b/source/extensions/access_loggers/open_telemetry/config.cc
@@ -41,8 +41,9 @@ AccessLogFactory::createAccessLogInstance(const Protobuf::Message& config,
       const envoy::extensions::access_loggers::open_telemetry::v3::OpenTelemetryAccessLogConfig&>(
       config, context.messageValidationVisitor());
 
-  auto commands =
-      Formatter::SubstitutionFormatStringUtils::parseFormatters(proto_config.formatters(), context);
+  auto commands = THROW_OR_RETURN_VALUE(
+      Formatter::SubstitutionFormatStringUtils::parseFormatters(proto_config.formatters(), context),
+      std::vector<Formatter::CommandParserBasePtr<Formatter::HttpFormatterContext>>);
 
   return std::make_shared<AccessLog>(
       std::move(filter), proto_config, context.serverFactoryContext().threadLocal(),

diff --git a/source/extensions/filters/common/set_filter_state/filter_config.cc b/source/extensions/filters/common/set_filter_state/filter_config.cc
@@ -50,8 +50,10 @@ Config::parse(const Protobuf::RepeatedPtrField<FilterStateValueProto>& proto_val
       break;
     }
     value.skip_if_empty_ = proto_value.skip_if_empty();
-    value.value_ = Formatter::SubstitutionFormatStringUtils::fromProtoConfig(
-        proto_value.format_string(), context);
+    value.value_ =
+        THROW_OR_RETURN_VALUE(Formatter::SubstitutionFormatStringUtils::fromProtoConfig(
+                                  proto_value.format_string(), context),
+                              Formatter::FormatterBasePtr<Formatter::HttpFormatterContext>);
     values.push_back(std::move(value));
   }
   return values;