udp_session_filters: add HTTP capsule filter (resubmit) (envoyproxy#29716)

Signed-off-by: ohadvano <ohadvano@gmail.com>

Author: ohadvano

api/BUILD

@@ -236,6 +236,7 @@ proto_library(
         "//envoy/extensions/filters/network/wasm/v3:pkg",
         "//envoy/extensions/filters/network/zookeeper_proxy/v3:pkg",
         "//envoy/extensions/filters/udp/dns_filter/v3:pkg",
+        "//envoy/extensions/filters/udp/udp_proxy/session/http_capsule/v3:pkg",
         "//envoy/extensions/filters/udp/udp_proxy/v3:pkg",
         "//envoy/extensions/formatter/cel/v3:pkg",
         "//envoy/extensions/formatter/metadata/v3:pkg",

api/envoy/extensions/filters/udp/udp_proxy/session/http_capsule/v3/BUILD

@@ -0,0 +1,9 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = ["@com_github_cncf_udpa//udpa/annotations:pkg"],
+)

api/envoy/extensions/filters/udp/udp_proxy/session/http_capsule/v3/http_capsule.proto

@@ -0,0 +1,18 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.udp.udp_proxy.session.http_capsule.v3;
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.udp.udp_proxy.session.http_capsule.v3";
+option java_outer_classname = "HttpCapsuleProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/udp/udp_proxy/session/http_capsule/v3;http_capsulev3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: UDP HTTP Capsule filter]
+// UDP to HTTP capsules :ref:`overview <config_udp_session_filters_http_capsule>`.
+// [#extension: envoy.filters.udp.session.http_capsule]
+
+message FilterConfig {
+}

api/envoy/extensions/filters/udp/udp_proxy/v3/udp_proxy.proto

@@ -127,5 +127,6 @@ message UdpProxyConfig {
 
   // Optional session filters that will run for each UDP session.
   // Only one of use_per_packet_load_balancing or session_filters can be used.
+  // [#extension-category: envoy.filters.udp.session]
   repeated SessionFilter session_filters = 11;
 }

api/versioning/BUILD

@@ -174,6 +174,7 @@ proto_library(
         "//envoy/extensions/filters/network/wasm/v3:pkg",
         "//envoy/extensions/filters/network/zookeeper_proxy/v3:pkg",
         "//envoy/extensions/filters/udp/dns_filter/v3:pkg",
+        "//envoy/extensions/filters/udp/udp_proxy/session/http_capsule/v3:pkg",
         "//envoy/extensions/filters/udp/udp_proxy/v3:pkg",
         "//envoy/extensions/formatter/cel/v3:pkg",
         "//envoy/extensions/formatter/metadata/v3:pkg",

changelogs/current.yaml

@@ -256,6 +256,10 @@ new_features:
   change: |
     added :ref:` stats prefix option<envoy_v3_api_field_extensions.stat_sinks.open_telemetry.v3.SinkConfig.stats_prefix>`
     to OTLP stats sink that enables adding a static prefix to all stats flushed by this sink.
+- area: udp_proxy
+  change: |
+    added :ref:`http_capsule <envoy_v3_api_msg_extensions.filters.udp.udp_proxy.session.http_capsule.v3.FilterConfig>` UDP session filter
+    that can be used to encapsule or decapsulate UDP datagrams in HTTP, when used for UDP tunneling.
 - area: tap
   change: |
     added :ref:`record_headers_received_time <envoy_v3_api_field_extensions.filters.http.tap.v3.Tap.record_headers_received_time>`

docs/root/api-v3/config/filter/filter.rst

@@ -8,6 +8,7 @@ Filters
   listener/listener
   network/network
   udp/udp
+  udp/session
   http/http
   dubbo/dubbo
   thrift/thrift

docs/root/api-v3/config/filter/udp/session.rst

@@ -0,0 +1,8 @@
+UDP session filters
+====================
+
+.. toctree::
+  :glob:
+  :maxdepth: 2
+
+  ../../../extensions/filters/udp/udp_proxy/session/*/v3/*

docs/root/configuration/listeners/udp_filters/session_filters/http_capsule.rst

@@ -0,0 +1,13 @@
+.. _config_udp_session_filters_http_capsule:
+
+HTTP Capsule filter
+==================================
+
+Tunneling UDP datagrams over HTTP (see `Proxying UDP in HTTP <https://www.rfc-editor.org/rfc/rfc9298.html>`_) requires an encapsulation mechanism to preserve the boundaries of the original datagram.
+This filter applies the `HTTP Datagrams and the Capsule Protocol <https://www.rfc-editor.org/rfc/rfc9297.html>`_ to downstream and upstream datagrams, so they are compliant with the Capsule Protocol.
+
+.. note::
+  This filter must be used last in the UDP session filter chain, and should only be used when tunneling UDP over HTTP streams.
+
+* This filter should be configured with the type URL ``type.googleapis.com/envoy.extensions.filters.udp.udp_proxy.session.http_capsule.v3.FilterConfig``.
+* :ref:`v3 API reference <envoy_v3_api_msg_extensions.filters.udp.udp_proxy.session.http_capsule.v3.FilterConfig>`

docs/root/configuration/listeners/udp_filters/udp_proxy.rst

@@ -89,6 +89,13 @@ upstream, similar to network filters.
   Additionally, since :ref:`per packet load balancing <envoy_v3_api_field_extensions.filters.udp.udp_proxy.v3.UdpProxyConfig.use_per_packet_load_balancing>` require
   choosing the upstream host for each received datagram, session filters can't be used when this option is enabled.
 
+Envoy has the following builtin UDP session filters.
+
+.. toctree::
+  :maxdepth: 2
+
+  session_filters/http_capsule
+
 Example configuration
 ---------------------
 

source/extensions/extensions_build_config.bzl

@@ -213,6 +213,12 @@ EXTENSIONS = {
     "envoy.filters.udp.dns_filter":                     "//source/extensions/filters/udp/dns_filter:config",
     "envoy.filters.udp_listener.udp_proxy":             "//source/extensions/filters/udp/udp_proxy:config",
 
+    #
+    # UDP Session filters
+    #
+
+    "envoy.filters.udp.session.http_capsule":           "//source/extensions/filters/udp/udp_proxy/session_filters/http_capsule:config",
+
     #
     # Resource monitors
     #

source/extensions/extensions_metadata.yaml

@@ -749,6 +749,13 @@ envoy.filters.udp_listener.udp_proxy:
   status: stable
   type_urls:
   - envoy.extensions.filters.udp.udp_proxy.v3.UdpProxyConfig
+envoy.filters.udp.session.http_capsule:
+  categories:
+  - envoy.filters.udp.session
+  security_posture: robust_to_untrusted_downstream
+  status: alpha
+  type_urls:
+  - envoy.extensions.filters.udp.udp_proxy.session.http_capsule.v3.FilterConfig
 envoy.formatter.cel:
   categories:
   - envoy.formatter

source/extensions/filters/udp/udp_proxy/session_filters/filter_config.h

@@ -33,7 +33,7 @@ class NamedUdpSessionFilterConfigFactory : public Envoy::Config::TypedFactory {
   createFilterFactoryFromProto(const Protobuf::Message& config,
                                Server::Configuration::FactoryContext& context) PURE;
 
-  std::string category() const override { return "envoy.udp.session_filters"; }
+  std::string category() const override { return "envoy.filters.udp.session"; }
 };
 
 } // namespace SessionFilters

source/extensions/filters/udp/udp_proxy/session_filters/http_capsule/BUILD

@@ -0,0 +1,36 @@
+load(
+    "//bazel:envoy_build_system.bzl",
+    "envoy_cc_extension",
+    "envoy_cc_library",
+    "envoy_extension_package",
+)
+
+licenses(["notice"])  # Apache 2
+
+envoy_extension_package()
+
+envoy_cc_library(
+    name = "http_capsule_filter_lib",
+    srcs = ["http_capsule.cc"],
+    hdrs = ["http_capsule.h"],
+    deps = [
+        "//source/common/buffer:buffer_lib",
+        "//source/common/common:assert_lib",
+        "//source/common/common:hex_lib",
+        "//source/extensions/filters/udp/udp_proxy/session_filters:filter_interface",
+        "@com_github_google_quiche//:quiche_common_capsule_lib",
+        "@com_github_google_quiche//:quiche_common_connect_udp_datagram_payload_lib",
+        "@envoy_api//envoy/extensions/filters/udp/udp_proxy/session/http_capsule/v3:pkg_cc_proto",
+    ],
+)
+
+envoy_cc_extension(
+    name = "config",
+    srcs = ["config.cc"],
+    hdrs = ["config.h"],
+    deps = [
+        ":http_capsule_filter_lib",
+        "//source/extensions/filters/udp/udp_proxy/session_filters:factory_base_lib",
+        "@envoy_api//envoy/extensions/filters/udp/udp_proxy/session/http_capsule/v3:pkg_cc_proto",
+    ],
+)

source/extensions/filters/udp/udp_proxy/session_filters/http_capsule/config.cc

@@ -0,0 +1,32 @@
+#include "source/extensions/filters/udp/udp_proxy/session_filters/http_capsule/config.h"
+
+#include "envoy/registry/registry.h"
+#include "envoy/server/filter_config.h"
+
+#include "source/extensions/filters/udp/udp_proxy/session_filters/http_capsule/http_capsule.h"
+
+namespace Envoy {
+namespace Extensions {
+namespace UdpFilters {
+namespace UdpProxy {
+namespace SessionFilters {
+namespace HttpCapsule {
+
+FilterFactoryCb HttpCapsuleFilterConfigFactory::createFilterFactoryFromProtoTyped(
+    const FilterConfig&, Server::Configuration::FactoryContext& context) {
+  return [&context](FilterChainFactoryCallbacks& callbacks) -> void {
+    callbacks.addFilter(std::make_shared<HttpCapsuleFilter>(context.timeSource()));
+  };
+}
+
+/**
+ * Static registration for the http_capsule filter. @see RegisterFactory.
+ */
+REGISTER_FACTORY(HttpCapsuleFilterConfigFactory, NamedUdpSessionFilterConfigFactory);
+
+} // namespace HttpCapsule
+} // namespace SessionFilters
+} // namespace UdpProxy
+} // namespace UdpFilters
+} // namespace Extensions
+} // namespace Envoy

source/extensions/filters/udp/udp_proxy/session_filters/http_capsule/config.h

@@ -0,0 +1,37 @@
+#pragma once
+
+#include "envoy/extensions/filters/udp/udp_proxy/session/http_capsule/v3/http_capsule.pb.h"
+#include "envoy/extensions/filters/udp/udp_proxy/session/http_capsule/v3/http_capsule.pb.validate.h"
+
+#include "source/extensions/filters/udp/udp_proxy/session_filters/factory_base.h"
+
+namespace Envoy {
+namespace Extensions {
+namespace UdpFilters {
+namespace UdpProxy {
+namespace SessionFilters {
+namespace HttpCapsule {
+
+using FilterConfig =
+    envoy::extensions::filters::udp::udp_proxy::session::http_capsule::v3::FilterConfig;
+
+/**
+ * Config registration for the http_capsule filter. @see
+ * NamedNetworkFilterConfigFactory.
+ */
+class HttpCapsuleFilterConfigFactory : public FactoryBase<FilterConfig> {
+public:
+  HttpCapsuleFilterConfigFactory() : FactoryBase("envoy.filters.udp.session.http_capsule"){};
+
+private:
+  FilterFactoryCb
+  createFilterFactoryFromProtoTyped(const FilterConfig& proto_config,
+                                    Server::Configuration::FactoryContext& context) override;
+};
+
+} // namespace HttpCapsule
+} // namespace SessionFilters
+} // namespace UdpProxy
+} // namespace UdpFilters
+} // namespace Extensions
+} // namespace Envoy

source/extensions/filters/udp/udp_proxy/session_filters/http_capsule/http_capsule.cc

@@ -0,0 +1,87 @@
+#include "source/extensions/filters/udp/udp_proxy/session_filters/http_capsule/http_capsule.h"
+
+#include "source/common/buffer/buffer_impl.h"
+#include "source/common/common/hex.h"
+
+#include "absl/strings/escaping.h"
+#include "quiche/common/masque/connect_udp_datagram_payload.h"
+#include "quiche/common/simple_buffer_allocator.h"
+
+namespace Envoy {
+namespace Extensions {
+namespace UdpFilters {
+namespace UdpProxy {
+namespace SessionFilters {
+namespace HttpCapsule {
+
+ReadFilterStatus HttpCapsuleFilter::onData(Network::UdpRecvData& data) {
+  std::string buffer = data.buffer_->toString();
+  quiche::ConnectUdpDatagramUdpPacketPayload payload(buffer);
+  quiche::QuicheBuffer serialized_capsule =
+      SerializeCapsule(quiche::Capsule::Datagram(payload.Serialize()), &capsule_buffer_allocator_);
+
+  data.buffer_->drain(data.buffer_->length());
+  data.buffer_->add(serialized_capsule.AsStringView());
+  return ReadFilterStatus::Continue;
+}
+
+WriteFilterStatus HttpCapsuleFilter::onWrite(Network::UdpRecvData& data) {
+  // TODO(ohadvano): add filter callbacks to get addresses instead of saving them.
+  local_address_ = data.addresses_.local_;
+  peer_address_ = data.addresses_.peer_;
+
+  for (const Buffer::RawSlice& slice : data.buffer_->getRawSlices()) {
+    absl::string_view mem_slice(reinterpret_cast<const char*>(slice.mem_), slice.len_);
+    if (!capsule_parser_.IngestCapsuleFragment(mem_slice)) {
+      ENVOY_LOG(error, "Capsule ingestion error occured: slice length = {}", slice.len_);
+      break;
+    }
+  }
+
+  // We always stop here as OnCapsule() callback will be responsible to inject
+  // datagrams to the filter chain once they are ready.
+  data.buffer_->drain(data.buffer_->length());
+  return WriteFilterStatus::StopIteration;
+}
+
+bool HttpCapsuleFilter::OnCapsule(const quiche::Capsule& capsule) {
+  quiche::CapsuleType capsule_type = capsule.capsule_type();
+  if (capsule_type != quiche::CapsuleType::DATAGRAM) {
+    // Silently drops capsules with an unknown type.
+    return true;
+  }
+
+  std::unique_ptr<quiche::ConnectUdpDatagramPayload> connect_udp_datagram_payload =
+      quiche::ConnectUdpDatagramPayload::Parse(capsule.datagram_capsule().http_datagram_payload);
+  if (!connect_udp_datagram_payload) {
+    // Indicates parsing failure to reset the data stream.
+    ENVOY_LOG(debug, "capsule parsing error");
+    return false;
+  }
+
+  if (connect_udp_datagram_payload->GetType() !=
+      quiche::ConnectUdpDatagramPayload::Type::kUdpPacket) {
+    // Silently drops Datagrams with an unknown Context ID.
+    return true;
+  }
+
+  Network::UdpRecvData datagram;
+  datagram.buffer_ = std::make_unique<Buffer::OwnedImpl>();
+  datagram.buffer_->add(connect_udp_datagram_payload->GetUdpProxyingPayload());
+  datagram.receive_time_ = time_source_.monotonicTime();
+  datagram.addresses_ = {local_address_, peer_address_};
+
+  write_callbacks_->injectDatagramToFilterChain(datagram);
+  return true;
+}
+
+void HttpCapsuleFilter::OnCapsuleParseFailure(absl::string_view reason) {
+  ENVOY_LOG(debug, "capsule parse failure: {}", reason);
+}
+
+} // namespace HttpCapsule
+} // namespace SessionFilters
+} // namespace UdpProxy
+} // namespace UdpFilters
+} // namespace Extensions
+} // namespace Envoy

source/extensions/filters/udp/udp_proxy/session_filters/http_capsule/http_capsule.h

@@ -0,0 +1,56 @@
+#pragma once
+
+#include "envoy/extensions/filters/udp/udp_proxy/session/http_capsule/v3/http_capsule.pb.h"
+
+#include "source/common/common/logger.h"
+#include "source/extensions/filters/udp/udp_proxy/session_filters/filter.h"
+
+#include "quiche/common/capsule.h"
+#include "quiche/common/simple_buffer_allocator.h"
+
+namespace Envoy {
+namespace Extensions {
+namespace UdpFilters {
+namespace UdpProxy {
+namespace SessionFilters {
+namespace HttpCapsule {
+
+class HttpCapsuleFilter : public Filter,
+                          public quiche::CapsuleParser::Visitor,
+                          Logger::Loggable<Logger::Id::http> {
+public:
+  HttpCapsuleFilter(TimeSource& time_source) : time_source_(time_source) {}
+
+  // ReadFilter
+  ReadFilterStatus onNewSession() override { return ReadFilterStatus::Continue; }
+  ReadFilterStatus onData(Network::UdpRecvData& data) override;
+  void initializeReadFilterCallbacks(ReadFilterCallbacks& callbacks) override {
+    read_callbacks_ = &callbacks;
+  }
+
+  // WriteFilter
+  WriteFilterStatus onWrite(Network::UdpRecvData& data) override;
+  void initializeWriteFilterCallbacks(WriteFilterCallbacks& callbacks) override {
+    write_callbacks_ = &callbacks;
+  }
+
+  // quiche::CapsuleParser::Visitor
+  bool OnCapsule(const quiche::Capsule& capsule) override;
+  void OnCapsuleParseFailure(absl::string_view error_message) override;
+
+private:
+  ReadFilterCallbacks* read_callbacks_{};
+  WriteFilterCallbacks* write_callbacks_{};
+  quiche::CapsuleParser capsule_parser_{this};
+  quiche::SimpleBufferAllocator capsule_buffer_allocator_;
+  Network::Address::InstanceConstSharedPtr local_address_;
+  Network::Address::InstanceConstSharedPtr peer_address_;
+  TimeSource& time_source_;
+};
+
+} // namespace HttpCapsule
+} // namespace SessionFilters
+} // namespace UdpProxy
+} // namespace UdpFilters
+} // namespace Extensions
+} // namespace Envoy