auto-merge envoyproxy/envoy[main] into envoyproxy/envoy-openssl[main]

* upstream/main:
  deps: Bump `bazel_features` -> 1.17.0 (#36195)
  deps: Bump `proxy_wasm_rust_sdk` -> 0.2.2 (#35323)
  syscalls: minor refactor, adding coverage (#36075)
  quic: Adding QUIC listener option to reject new connections (#36070)
  rlqs: Implement RLQS stream restarts if the stream goes down mid-use. (#36170)
  bump googleapis (#36182)
  docs: update owners to reflect RedHat access (#36183)
  formatter: removing exceptions from substitution format string (#36168)
  route: use reference wrapper for get all filter config (#36079)

.bazelrc

@@ -25,6 +25,7 @@ build --copt=-DABSL_MIN_LOG_LEVEL=4
 build --define envoy_mobile_listener=enabled
 build --experimental_repository_downloader_retries=2
 build --enable_platform_specific_config
+build --incompatible_merge_fixed_and_default_shell_env
 
 # Pass CC, CXX and LLVM_CONFIG variables from the environment.
 # We assume they have stable values, so this won't cause action cache misses.

OWNERS.md

@@ -76,7 +76,6 @@ without further review.
 
 * All senior maintainers
 * Tony Allen ([tonya11en](https://github.com/tonya11en)) (tony@allen.gg)
-* Otto van der Schaaf ([oschaaf](https://github.com/oschaaf)) (oschaaf@redhat.com)
 * Tim Walsh ([twghu](https://github.com/twghu)) (twalsh@redhat.com)
 * Pradeep Rao ([pradeepcrao](https://github.com/pradeepcrao)) (pcrao@google.com)
 * Kateryna Nezdolii ([nezdolik](https://github.com/nezdolik)) (kateryna.nezdolii@gmail.com)

api/bazel/repository_locations.bzl

@@ -79,9 +79,9 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "Google APIs",
         project_desc = "Public interface definitions of Google APIs",
         project_url = "https://github.com/googleapis/googleapis",
-        version = "114a745b2841a044e98cdbb19358ed29fcf4a5f1",
-        sha256 = "9b4e0d0a04a217c06b426aefd03b82581a9510ca766d2d1c70e52bb2ad4a0703",
-        release_date = "2023-01-10",
+        version = "fd52b5754b2b268bc3a22a10f29844f206abb327",
+        sha256 = "97fc354dddfd3ea03e7bf2ad74129291ed6fad7ff39d3bd8daec738a3672eb8a",
+        release_date = "2024-09-16",
         strip_prefix = "googleapis-{version}",
         urls = ["https://github.com/googleapis/googleapis/archive/{version}.tar.gz"],
         use_category = ["api"],

api/envoy/config/listener/v3/quic_config.proto

@@ -25,7 +25,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: QUIC listener config]
 
 // Configuration specific to the UDP QUIC listener.
-// [#next-free-field: 13]
+// [#next-free-field: 14]
 message QuicProtocolOptions {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.api.v2.listener.QuicProtocolOptions";
@@ -94,4 +94,9 @@ message QuicProtocolOptions {
   // If not specified, no cmsg will be saved to QuicReceivedPacket.
   repeated core.v3.SocketCmsgHeaders save_cmsg_config = 12
       [(validate.rules).repeated = {max_items: 1}];
+
+  // If true, the listener will reject connection-establishing packets at the
+  // QUIC layer by replying with an empty version negotiation packet to the
+  // client.
+  bool reject_new_connections = 13;
 }

bazel/external/cargo/remote/BUILD.protobuf-2.24.1.bazel

@@ -33,7 +33,7 @@ licenses([
 # buildifier: disable=out-of-order-load
 # buildifier: disable=load-on-top
 load(
-    "@rules_rust//cargo:cargo_build_script.bzl",
+    "@rules_rust//cargo:defs.bzl",
     "cargo_build_script",
 )
 

bazel/repository_locations.bzl

@@ -33,11 +33,11 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "Bazel features",
         project_desc = "Support Bazel feature detection from starlark",
         project_url = "https://github.com/bazel-contrib/bazel_features",
-        version = "1.15.0",
-        sha256 = "ba1282c1aa1d1fffdcf994ab32131d7c7551a9bc960fbf05f42d55a1b930cbfb",
+        version = "1.17.0",
+        sha256 = "bdc12fcbe6076180d835c9dd5b3685d509966191760a0eb10b276025fcb76158",
         urls = ["https://github.com/bazel-contrib/bazel_features/releases/download/v{version}/bazel_features-v{version}.tar.gz"],
         strip_prefix = "bazel_features-{version}",
-        release_date = "2024-08-09",
+        release_date = "2024-09-13",
         use_category = ["build"],
         license = "Apache-2.0",
         license_url = "https://github.com/bazel-contrib/bazel_features/blob/v{version}/LICENSE",
@@ -1424,12 +1424,12 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "WebAssembly for Proxies (Rust SDK)",
         project_desc = "WebAssembly for Proxies (Rust SDK)",
         project_url = "https://github.com/proxy-wasm/proxy-wasm-rust-sdk",
-        version = "0.2.1",
-        sha256 = "23f3f2d8c4c8069a2e72693b350d7442b7722d334f73169eea78804ff70cde20",
+        version = "0.2.2",
+        sha256 = "3d9e8f39f0356016c8ae6c74c0224eae1b44168be0ddf79e387d918a8f2cb4c6",
         strip_prefix = "proxy-wasm-rust-sdk-{version}",
         urls = ["https://github.com/proxy-wasm/proxy-wasm-rust-sdk/archive/v{version}.tar.gz"],
         use_category = ["test_only"],
-        release_date = "2022-11-22",
+        release_date = "2024-07-21",
         cpe = "N/A",
         license = "Apache-2.0",
         license_url = "https://github.com/proxy-wasm/proxy-wasm-rust-sdk/blob/v{version}/LICENSE",
@@ -1452,9 +1452,9 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "Bazel rust rules",
         project_desc = "Bazel rust rules (used by Wasm)",
         project_url = "https://github.com/bazelbuild/rules_rust",
-        version = "0.35.0",
+        version = "0.48.0",
         strip_prefix = "rules_rust-{version}",
-        sha256 = "3120c7aa3a146dfe6be8d5f23f4cf10af7d0f74a5aed8b94a818f88643bd24c3",
+        sha256 = "a4b8ede7723088dff1e909632c4282e51ddbe0e44c38eea013ee0f12d348b1c7",
         urls = ["https://github.com/bazelbuild/rules_rust/archive/{version}.tar.gz"],
         use_category = [
             "controlplane",
@@ -1463,7 +1463,7 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         ],
         implied_untracked_deps = ["rules_cc"],
         extensions = ["envoy.wasm.runtime.wasmtime"],
-        release_date = "2023-12-27",
+        release_date = "2024-07-19",
         cpe = "N/A",
         license = "Apache-2.0",
         license_url = "https://github.com/bazelbuild/rules_rust/blob/{version}/LICENSE.txt",

changelogs/current.yaml

@@ -248,6 +248,11 @@ new_features:
     QUIC server and client support certificate compression, which can in some cases reduce the number of round trips
     required to setup a connection. This change temporarily disabled by setting the runtime flag
     ``envoy.reloadable_features.quic_support_certificate_compression`` to ``false``.
+- area: quic
+  change: |
+    Added QUIC protocol option :ref:`reject_new_connections
+    <envoy_v3_api_field_config.listener.v3.QuicProtocolOptions.reject_new_connections>` to reject connection-establishing
+    packets at the QUIC layer.
 - area: tls
   change: |
     Added an extension point :ref:`custom_tls_certificate_selector

contrib/golang/filters/http/source/golang_filter.cc

@@ -1377,16 +1377,13 @@ void Filter::deferredDeleteRequest(HttpRequestInternal* req) {
 uint64_t Filter::getMergedConfigId() {
   Http::StreamFilterCallbacks* callbacks = decoding_state_.getFilterCallbacks();
 
+  auto id = config_->getConfigId();
+
   // get all of the per route config
   auto route_config_list = Http::Utility::getAllPerFilterConfig<FilterConfigPerRoute>(callbacks);
-
   ENVOY_LOG(debug, "golang filter route config list length: {}.", route_config_list.size());
-
-  auto id = config_->getConfigId();
-  for (auto it : route_config_list) {
-    ASSERT(it != nullptr, "route config should not be null");
-    auto route_config = *it;
-    id = route_config.getPluginConfigId(id, config_->pluginName());
+  for (const FilterConfigPerRoute& typed_config : route_config_list) {
+    id = typed_config.getPluginConfigId(id, config_->pluginName());
   }
 
   return id;

source/common/api/posix/os_sys_calls_impl.cc

@@ -109,9 +109,6 @@ bool OsSysCallsImpl::supportsUdpGro() const {
 #else
   static const bool is_supported = [] {
     int fd = ::socket(AF_INET, SOCK_DGRAM | SOCK_NONBLOCK, IPPROTO_UDP);
-    if (fd < 0) {
-      return false;
-    }
     int val = 1;
     bool result = (0 == ::setsockopt(fd, IPPROTO_UDP, UDP_GRO, &val, sizeof(val)));
     ::close(fd);
@@ -127,9 +124,6 @@ bool OsSysCallsImpl::supportsUdpGso() const {
 #else
   static const bool is_supported = [] {
     int fd = ::socket(AF_INET, SOCK_DGRAM | SOCK_NONBLOCK, IPPROTO_UDP);
-    if (fd < 0) {
-      return false;
-    }
     int optval;
     socklen_t optlen = sizeof(optval);
     bool result = (0 <= ::getsockopt(fd, IPPROTO_UDP, UDP_SEGMENT, &optval, &optlen));
@@ -160,9 +154,6 @@ bool OsSysCallsImpl::supportsIpTransparent(Network::Address::IpVersion ip_versio
   static constexpr auto transparent_supported = [](int family) {
     auto opt_tp = family == AF_INET ? ENVOY_SOCKET_IP_TRANSPARENT : ENVOY_SOCKET_IPV6_TRANSPARENT;
     int fd = ::socket(family, SOCK_DGRAM | SOCK_NONBLOCK, IPPROTO_UDP);
-    if (fd < 0) {
-      return false;
-    }
     int val = 1;
     bool result = (0 == ::setsockopt(fd, opt_tp.level(), opt_tp.option(), &val, sizeof(val)));
     ::close(fd);
@@ -348,9 +339,9 @@ SysCallBoolResult OsSysCallsImpl::socketTcpInfo([[maybe_unused]] os_fd_t sockfd,
     tcp_info->tcpi_snd_cwnd = unix_tcp_info.tcpi_snd_cwnd * mss;
   }
   return {!SOCKET_FAILURE(result), !SOCKET_FAILURE(result) ? 0 : errno};
-#endif
-
+#else
   return {false, EOPNOTSUPP};
+#endif
 }
 
 bool OsSysCallsImpl::supportsGetifaddrs() const { return true; }

source/common/formatter/substitution_format_string.h

@@ -29,21 +29,21 @@ class SubstitutionFormatStringUtils {
    * Parse list of formatter configurations to commands.
    */
   template <class FormatterContext = HttpFormatterContext>
-  static std::vector<CommandParserBasePtr<FormatterContext>>
+  static absl::StatusOr<std::vector<CommandParserBasePtr<FormatterContext>>>
   parseFormatters(const FormattersConfig& formatters,
                   Server::Configuration::GenericFactoryContext& context) {
     std::vector<CommandParserBasePtr<FormatterContext>> commands;
     for (const auto& formatter : formatters) {
       auto* factory =
           Envoy::Config::Utility::getFactory<CommandParserFactoryBase<FormatterContext>>(formatter);
       if (!factory) {
-        throwEnvoyExceptionOrPanic(absl::StrCat("Formatter not found: ", formatter.name()));
+        return absl::InvalidArgumentError(absl::StrCat("Formatter not found: ", formatter.name()));
       }
       auto typed_config = Envoy::Config::Utility::translateAnyToFactoryConfig(
           formatter.typed_config(), context.messageValidationVisitor(), *factory);
       auto parser = factory->createCommandParserFromProto(*typed_config, context);
       if (!parser) {
-        throwEnvoyExceptionOrPanic(
+        return absl::InvalidArgumentError(
             absl::StrCat("Failed to create command parser: ", formatter.name()));
       }
       commands.push_back(std::move(parser));
@@ -56,26 +56,28 @@ class SubstitutionFormatStringUtils {
    * Generate a formatter object from config SubstitutionFormatString.
    */
   template <class FormatterContext = HttpFormatterContext>
-  static FormatterBasePtr<FormatterContext>
+  static absl::StatusOr<FormatterBasePtr<FormatterContext>>
   fromProtoConfig(const envoy::config::core::v3::SubstitutionFormatString& config,
                   Server::Configuration::GenericFactoryContext& context) {
     // Instantiate formatter extensions.
     auto commands = parseFormatters<FormatterContext>(config.formatters(), context);
+    RETURN_IF_NOT_OK_REF(commands.status());
     switch (config.format_case()) {
     case envoy::config::core::v3::SubstitutionFormatString::FormatCase::kTextFormat:
       return std::make_unique<FormatterBaseImpl<FormatterContext>>(
-          config.text_format(), config.omit_empty_values(), commands);
+          config.text_format(), config.omit_empty_values(), *commands);
     case envoy::config::core::v3::SubstitutionFormatString::FormatCase::kJsonFormat:
       return createJsonFormatter<FormatterContext>(
           config.json_format(), true, config.omit_empty_values(),
           config.has_json_format_options() ? config.json_format_options().sort_properties() : false,
-          commands);
-    case envoy::config::core::v3::SubstitutionFormatString::FormatCase::kTextFormatSource:
+          *commands);
+    case envoy::config::core::v3::SubstitutionFormatString::FormatCase::kTextFormatSource: {
+      auto data_source_or_error = Config::DataSource::read(config.text_format_source(), true,
+                                                           context.serverFactoryContext().api());
+      RETURN_IF_NOT_OK(data_source_or_error.status());
       return std::make_unique<FormatterBaseImpl<FormatterContext>>(
-          THROW_OR_RETURN_VALUE(Config::DataSource::read(config.text_format_source(), true,
-                                                         context.serverFactoryContext().api()),
-                                std::string),
-          config.omit_empty_values(), commands);
+          *data_source_or_error, config.omit_empty_values(), *commands);
+    }
     case envoy::config::core::v3::SubstitutionFormatString::FormatCase::FORMAT_NOT_SET:
       PANIC_DUE_TO_PROTO_UNSET;
     }

source/common/http/utility.h

@@ -2,6 +2,7 @@
 
 #include <chrono>
 #include <cstdint>
+#include <functional>
 #include <memory>
 #include <string>
 #include <vector>
@@ -572,19 +573,19 @@ const ConfigType* resolveMostSpecificPerFilterConfig(const Http::StreamFilterCal
  * and their lifetime is the same as the matched route.
  */
 template <class ConfigType>
-absl::InlinedVector<const ConfigType*, 4>
+absl::InlinedVector<std::reference_wrapper<const ConfigType>, 4>
 getAllPerFilterConfig(const Http::StreamFilterCallbacks* callbacks) {
   ASSERT(callbacks != nullptr);
 
-  absl::InlinedVector<const ConfigType*, 4> all_configs;
+  absl::InlinedVector<std::reference_wrapper<const ConfigType>, 4> all_configs;
 
   for (const auto* config : callbacks->perFilterConfigs()) {
     const ConfigType* typed_config = dynamic_cast<const ConfigType*>(config);
     if (typed_config == nullptr) {
       ENVOY_LOG_MISC(debug, "Failed to retrieve the correct type of route specific filter config");
       continue;
     }
-    all_configs.push_back(typed_config);
+    all_configs.push_back(*typed_config);
   }
 
   return all_configs;

source/common/local_reply/local_reply.cc

@@ -22,7 +22,9 @@ class BodyFormatter {
 
   BodyFormatter(const envoy::config::core::v3::SubstitutionFormatString& config,
                 Server::Configuration::GenericFactoryContext& context)
-      : formatter_(Formatter::SubstitutionFormatStringUtils::fromProtoConfig(config, context)),
+      : formatter_(THROW_OR_RETURN_VALUE(
+            Formatter::SubstitutionFormatStringUtils::fromProtoConfig(config, context),
+            Formatter::FormatterBasePtr<Formatter::HttpFormatterContext>)),
         content_type_(
             !config.content_type().empty() ? config.content_type()
             : config.format_case() ==

source/common/quic/active_quic_listener.cc

@@ -37,14 +37,17 @@ ActiveQuicListener::ActiveQuicListener(
     EnvoyQuicCryptoServerStreamFactoryInterface& crypto_server_stream_factory,
     EnvoyQuicProofSourceFactoryInterface& proof_source_factory,
     QuicConnectionIdGeneratorPtr&& cid_generator, QuicConnectionIdWorkerSelector worker_selector,
-    EnvoyQuicConnectionDebugVisitorFactoryInterfaceOptRef debug_visitor_factory)
+    EnvoyQuicConnectionDebugVisitorFactoryInterfaceOptRef debug_visitor_factory,
+    bool reject_new_connections)
     : Server::ActiveUdpListenerBase(
           worker_index, concurrency, parent, *listen_socket,
           std::make_unique<Network::UdpListenerImpl>(
               dispatcher, listen_socket, *this, dispatcher.timeSource(),
               listener_config.udpListenerConfig()->config().downstream_socket_config()),
           &listener_config),
-      dispatcher_(dispatcher), version_manager_(quic::CurrentSupportedHttp3Versions()),
+      dispatcher_(dispatcher),
+      version_manager_(reject_new_connections ? quic::ParsedQuicVersionVector()
+                                              : quic::CurrentSupportedHttp3Versions()),
       kernel_worker_routing_(kernel_worker_routing),
       packets_to_read_to_connection_count_ratio_(packets_to_read_to_connection_count_ratio),
       crypto_server_stream_factory_(crypto_server_stream_factory),
@@ -264,7 +267,7 @@ ActiveQuicListenerFactory::ActiveQuicListenerFactory(
           PROTOBUF_GET_WRAPPED_OR_DEFAULT(config, packets_to_read_to_connection_count_ratio,
                                           DEFAULT_PACKETS_TO_READ_PER_CONNECTION)),
       receive_ecn_(Runtime::runtimeFeatureEnabled("envoy.reloadable_features.quic_receive_ecn")),
-      context_(context) {
+      context_(context), reject_new_connections_(config.reject_new_connections()) {
   const int64_t idle_network_timeout_ms =
       config.has_idle_timeout() ? DurationUtil::durationToMilliseconds(config.idle_timeout())
                                 : 300000;
@@ -434,7 +437,7 @@ ActiveQuicListenerFactory::createActiveQuicListener(
       listener_config, quic_config, kernel_worker_routing, enabled, quic_stat_names,
       packets_to_read_to_connection_count_ratio, receive_ecn_, crypto_server_stream_factory,
       proof_source_factory, std::move(cid_generator), worker_selector_,
-      connection_debug_visitor_factory_);
+      connection_debug_visitor_factory_, reject_new_connections_);
 }
 
 } // namespace Quic

source/common/quic/active_quic_listener.h

@@ -41,7 +41,8 @@ class ActiveQuicListener : public Envoy::Server::ActiveUdpListenerBase,
                      EnvoyQuicProofSourceFactoryInterface& proof_source_factory,
                      QuicConnectionIdGeneratorPtr&& cid_generator,
                      QuicConnectionIdWorkerSelector worker_selector,
-                     EnvoyQuicConnectionDebugVisitorFactoryInterfaceOptRef debug_visitor_factory);
+                     EnvoyQuicConnectionDebugVisitorFactoryInterfaceOptRef debug_visitor_factory,
+                     bool reject_new_connections = false);
 
   ~ActiveQuicListener() override;
 
@@ -159,6 +160,7 @@ class ActiveQuicListenerFactory : public Network::ActiveUdpListenerFactory,
   QuicConnectionIdWorkerSelector worker_selector_;
   bool kernel_worker_routing_{};
   Server::Configuration::ServerFactoryContext& context_;
+  bool reject_new_connections_{};
 
   static bool disable_kernel_bpf_packet_routing_for_test_;
 };

source/common/tcp_proxy/tcp_proxy.cc

@@ -707,8 +707,10 @@ TunnelingConfigHelperImpl::TunnelingConfigHelperImpl(
   envoy::config::core::v3::SubstitutionFormatString substitution_format_config;
   substitution_format_config.mutable_text_format_source()->set_inline_string(
       config_message.tunneling_config().hostname());
-  hostname_fmt_ = Formatter::SubstitutionFormatStringUtils::fromProtoConfig(
-      substitution_format_config, context);
+  hostname_fmt_ =
+      THROW_OR_RETURN_VALUE(Formatter::SubstitutionFormatStringUtils::fromProtoConfig(
+                                substitution_format_config, context),
+                            Formatter::FormatterBasePtr<Formatter::HttpFormatterContext>);
 }
 
 std::string TunnelingConfigHelperImpl::host(const StreamInfo::StreamInfo& stream_info) const {

source/extensions/access_loggers/common/stream_access_log_common_impl.h

@@ -18,8 +18,9 @@ createStreamAccessLogInstance(const Protobuf::Message& config, AccessLog::Filter
       MessageUtil::downcastAndValidate<const T&>(config, context.messageValidationVisitor());
   Formatter::FormatterPtr formatter;
   if (fal_config.access_log_format_case() == T::AccessLogFormatCase::kLogFormat) {
-    formatter =
-        Formatter::SubstitutionFormatStringUtils::fromProtoConfig(fal_config.log_format(), context);
+    formatter = THROW_OR_RETURN_VALUE(
+        Formatter::SubstitutionFormatStringUtils::fromProtoConfig(fal_config.log_format(), context),
+        Formatter::FormatterBasePtr<Formatter::HttpFormatterContext>);
   } else if (fal_config.access_log_format_case() ==
              T::AccessLogFormatCase::ACCESS_LOG_FORMAT_NOT_SET) {
     formatter = Formatter::HttpSubstitutionFormatUtils::defaultSubstitutionFormatter();