diff --git a/api/envoy/config/listener/v3/BUILD b/api/envoy/config/listener/v3/BUILD
index c2d6c133a73a..75f6e10c7e4f 100644
--- a/api/envoy/config/listener/v3/BUILD
+++ b/api/envoy/config/listener/v3/BUILD
@@ -12,5 +12,6 @@ api_proto_package(
 "//envoy/type/v3:pkg",
 "@com_github_cncf_udpa//udpa/annotations:pkg",
 "@com_github_cncf_udpa//xds/core/v3:pkg",
+ "@com_github_cncf_udpa//xds/type/matcher/v3:pkg",
 ],
 )
diff --git a/api/envoy/config/listener/v3/listener.proto b/api/envoy/config/listener/v3/listener.proto
index df64bb8e5002..e1da21b518d4 100644
--- a/api/envoy/config/listener/v3/listener.proto
+++ b/api/envoy/config/listener/v3/listener.proto
@@ -14,6 +14,7 @@ import "google/protobuf/duration.proto";
 import "google/protobuf/wrappers.proto";
 import "xds/core/v3/collection_entry.proto";
+import "xds/type/matcher/v3/matcher.proto";
 import "envoy/annotations/deprecation.proto";
 import "udpa/annotations/security.proto";
@@ -36,7 +37,7 @@ message ListenerCollection {
 repeated xds.core.v3.CollectionEntry entries = 1;
 }
-// [#next-free-field: 32]
+// [#next-free-field: 33]
 message Listener {
 option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.Listener";
@@ -120,6 +121,74 @@ message Listener {
 // :ref:`FAQ entry `.
 repeated FilterChain filter_chains = 3;
+ // [#not-implemented-hide:]
+ // Unified matcher resolving the filter chain name from the network properties. This matcher is used as a replacement
+ // for the per-filter chain match condition
+ // `filter_chain_match `.
+ // If specified, all :ref:`filter_chains ` must
+ // have non-empty and unique :ref:`name ` fields and omit
+ // `filter_chain_match ` field.
+ //
+ // Example 1: The following matcher selects three filter chains as follows:
+ //
+ // * if the destination port is 80, then the filter chain "http" is selected;
+ // * if the destination port is 443 and the source IP is in the range 192.0.0.0/2, then the filter chain "internal" is selected;
+ // * otherwise, if the destination port is 443, then the filter chain "https" is selected;
+ // * otherwise, the default filter chain is selected (or the connection is rejected without the default filter chain).
+ //
+ // .. validated-code-block:: yaml
+ // :type-name: envoy.config.listener.v3.Listener
+ //
+ // filter_chain_matcher:
+ // matcher_tree:
+ // input:
+ // typed_config:
+ // "@type": type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DestinationPortInput
+ // exact_match_map:
+ // map:
+ // "80":
+ // action:
+ // name: http
+ // typed_config:
+ // "@type": type.googleapis.com/google.protobuf.StringValue
+ // value: http
+ // "443":
+ // matcher:
+ // matcher_tree:
+ // input:
+ // typed_config:
+ // "@type": type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.SourceIPInput
+ // custom_match:
+ // typed_config:
+ // "@type": type.googleapis.com/xds.type.matcher.v3.IPMatcher
+ // range_matchers:
+ // - ranges:
+ // - address_prefix: 192.0.0.0
+ // prefix_len: 2
+ // on_match:
+ // action:
+ // name: internal
+ // typed_config:
+ // "@type": type.googleapis.com/google.protobuf.StringValue
+ // value: internal
+ // - ranges:
+ // - address_prefix: 0.0.0.0
+ // on_match:
+ // action:
+ // name: https
+ // typed_config:
+ // "@type": type.googleapis.com/google.protobuf.StringValue
+ // value: https
+ //
+ // .. note::
+ //
+ // Once matched, each connection is permanently bound to its filter chain.
+ // If the matcher changes but the filter chain remains the same, the
+ // connections bound to the filter chain are not drained. If, however, the
+ // filter chain is removed or structurally modified, then the drain for its
+ // connections is initiated.
+ xds.type.matcher.v3.Matcher filter_chain_matcher = 32;
+
 // If a connection is redirected using *iptables*, the port on which the proxy
 // receives it might be different from the original destination address. When this flag is set to
 // true, the listener hands off redirected connections to the listener associated with the
diff --git a/api/envoy/config/listener/v3/listener_components.proto b/api/envoy/config/listener/v3/listener_components.proto
index 710ac7ab7595..535d18140546 100644
--- a/api/envoy/config/listener/v3/listener_components.proto
+++ b/api/envoy/config/listener/v3/listener_components.proto
@@ -262,6 +262,9 @@ message FilterChain {
 // [#not-implemented-hide:] The unique name (or empty) by which this filter chain is known. If no
 // name is provided, Envoy will allocate an internal UUID for the filter chain. If the filter
 // chain is to be dynamically updated or removed via FCDS a unique name must be provided.
+ // Note: :ref:`filter_chain_matcher
+ // `
+ // requires that filter chains are uniquely named.
 string name = 7;
 // [#not-implemented-hide:] The configuration to specify whether the filter chain will be built on-demand.
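Review bot: The documentation for the new `filter_chain_matcher` field states the invariant (unique, non-empty chain names and no `filter_chain_match`) but not what happens when a Listener violates it, and since the proto cannot express this cross-field constraint a reader cannot tell whether such a config is rejected at load time or accepted with the matcher silently ignored; a sentence such as `// A Listener that sets filter_chain_matcher together with filter_chain_match, or with unnamed or duplicate-named filter chains, is rejected as invalid configuration.` (adjusted to the intended behavior) would pin the contract. In the example the second range matcher gives `address_prefix: 0.0.0.0` with no `prefix_len`, presumably relying on an unset prefix length meaning /0; writing `prefix_len: 0` makes the catch-all explicit, and the "internal" range would be less misleading as an RFC 1918 prefix than `192.0.0.0/2`, which spans a quarter of public IPv4 space. The text could also state whether `range_matchers` are evaluated in order with the first match winning, since the "otherwise" in the third bullet depends on that. The enclosing `message Listener` starts and ends outside this hunk; the same naming requirement is restated in the `listener_components.proto` hunk, which needs no separate note.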