matchers: add input types for network streams

api/BUILD

@@ -219,6 +219,7 @@ proto_library(
         "//envoy/extensions/internal_redirect/safe_cross_scheme/v3:pkg",
         "//envoy/extensions/key_value/file_based/v3:pkg",
         "//envoy/extensions/matching/common_inputs/environment_variable/v3:pkg",
+        "//envoy/extensions/matching/common_inputs/network/v3:pkg",
         "//envoy/extensions/matching/input_matchers/consistent_hashing/v3:pkg",
         "//envoy/extensions/matching/input_matchers/ip/v3:pkg",
         "//envoy/extensions/network/dns_resolver/apple/v3:pkg",

api/envoy/extensions/matching/common_inputs/network/v3/BUILD

@@ -0,0 +1,9 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = ["@com_github_cncf_udpa//udpa/annotations:pkg"],
+)

api/envoy/extensions/matching/common_inputs/network/v3/network_inputs.proto

@@ -0,0 +1,88 @@
+syntax = "proto3";
+
+package envoy.extensions.matching.common_inputs.network.v3;
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.matching.common_inputs.network.v3";
+option java_outer_classname = "NetworkInputsProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/matching/common_inputs/network/v3;networkv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Common Network Matching Inputs]
+
+// Specifies that matching should be performed by the destination IP address.
+message DestinationIPInput {
+}
+
+// Specifies that matching should be performed by the destination port.
+message DestinationPortInput {
+}
+
+// Specifies that matching should be performed by the source IP address.
+message SourceIPInput {
+}
+
+// Specifies that matching should be performed by the source port.
+message SourcePortInput {
+}
+
+// Input that matches by the directly connected source IP address (this
+// will only be different from the source IP address when using a listener
+// filter that overrides the source address, such as the :ref:`Proxy Protocol
+// listener filter <config_listener_filters_proxy_protocol>`).
+message DirectSourceIPInput {
+}
+
+// Input that matches by the source IP type.
+// Specifies the source IP match type. The values include:
+//
+// * ``local`` - matches a connection originating from the same host,
+message SourceTypeInput {
+}
+
+// Input that matches by the requested server name (e.g. SNI in TLS).
+//
+// :ref:`TLS Inspector <config_listener_filters_tls_inspector>` provides the requested server name based on SNI,
+// when TLS protocol is detected.
+message ServerNameInput {
+}
+
+// Input that matches by the transport protocol.
+//
+// Suggested values include:
+//
+// * ``raw_buffer`` - default, used when no transport protocol is detected,
+// * ``tls`` - set by :ref:`envoy.filters.listener.tls_inspector <config_listener_filters_tls_inspector>`
+//   when TLS protocol is detected.
+message TransportProtocolInput {
+}
+
+// List of quoted and comma-separated requested application protocols. The list consists of a
+// single negotiated application protocol once the network stream is established.
+//
+// Examples:
+//
+// * ``'h2','http/1.1'``
+// * ``'h2c'```
+//
+// Suggested values in the list include:
+//
+// * ``http/1.1`` - set by :ref:`envoy.filters.listener.tls_inspector
+//   <config_listener_filters_tls_inspector>` and :ref:`envoy.filters.listener.http_inspector
+//   <config_listener_filters_http_inspector>`,
+// * ``h2`` - set by :ref:`envoy.filters.listener.tls_inspector <config_listener_filters_tls_inspector>`
+// * ``h2c`` - set by :ref:`envoy.filters.listener.http_inspector <config_listener_filters_http_inspector>`
+//
+// .. attention::
+//
+//   Currently, :ref:`TLS Inspector <config_listener_filters_tls_inspector>` provides
+//   application protocol detection based on the requested
+//   `ALPN <https://en.wikipedia.org/wiki/Application-Layer_Protocol_Negotiation>`_ values.
+//
+//   However, the use of ALPN is pretty much limited to the HTTP/2 traffic on the Internet,
+//   and matching on values other than ``h2`` is going to lead to a lot of false negatives,
+//   unless all connecting clients are known to use ALPN.
+message ApplicationProtocolInput {
+}

api/versioning/BUILD

@@ -159,6 +159,7 @@ proto_library(
         "//envoy/extensions/load_balancing_policies/round_robin/v3:pkg",
         "//envoy/extensions/load_balancing_policies/wrr_locality/v3:pkg",
         "//envoy/extensions/matching/common_inputs/environment_variable/v3:pkg",
+        "//envoy/extensions/matching/common_inputs/network/v3:pkg",
         "//envoy/extensions/matching/input_matchers/consistent_hashing/v3:pkg",
         "//envoy/extensions/matching/input_matchers/ip/v3:pkg",
         "//envoy/extensions/network/dns_resolver/apple/v3:pkg",

docs/root/api-v3/common_messages/common_messages.rst

@@ -31,3 +31,4 @@ Common messages
   ../extensions/matching/input_matchers/consistent_hashing/v3/consistent_hashing.proto
   ../extensions/matching/input_matchers/ip/v3/ip.proto
   ../extensions/matching/common_inputs/environment_variable/v3/input.proto
+  ../extensions/matching/common_inputs/network/v3/network_inputs.proto

envoy/network/filter.h

@@ -525,6 +525,10 @@ class FilterChainFactory {
 class MatchingData {
 public:
   static absl::string_view name() { return "network"; }
+
+  virtual ~MatchingData() = default;
+
+  virtual const ConnectionSocket& socket() const PURE;
 };
 
 } // namespace Network

source/common/network/matching/BUILD

@@ -0,0 +1,30 @@
+load(
+    "//bazel:envoy_build_system.bzl",
+    "envoy_cc_library",
+    "envoy_package",
+)
+
+licenses(["notice"])  # Apache 2
+
+envoy_package()
+
+envoy_cc_library(
+    name = "data_impl_lib",
+    hdrs = ["data_impl.h"],
+    deps = [
+        "//envoy/network:filter_interface",
+    ],
+)
+
+envoy_cc_library(
+    name = "inputs_lib",
+    srcs = ["inputs.cc"],
+    hdrs = ["inputs.h"],
+    deps = [
+        "//envoy/matcher:matcher_interface",
+        "//envoy/network:filter_interface",
+        "//envoy/registry",
+        "//source/common/network:utility_lib",
+        "@envoy_api//envoy/extensions/matching/common_inputs/network/v3:pkg_cc_proto",
+    ],
+)

source/common/network/matching/data_impl.h

@@ -0,0 +1,24 @@
+#pragma once
+
+#include "envoy/network/filter.h"
+
+namespace Envoy {
+namespace Network {
+namespace Matching {
+
+/**
+ * Implementation of Network::MatchingData, providing connection-level data to
+ * the match tree.
+ */
+class MatchingDataImpl : public MatchingData {
+public:
+  explicit MatchingDataImpl(const ConnectionSocket& socket) : socket_(socket) {}
+  const ConnectionSocket& socket() const override { return socket_; }
+
+private:
+  const ConnectionSocket& socket_;
+};
+
+} // namespace Matching
+} // namespace Network
+} // namespace Envoy

source/common/network/matching/inputs.cc

@@ -0,0 +1,105 @@
+#include "source/common/network/matching/inputs.h"
+
+#include "envoy/registry/registry.h"
+
+#include "source/common/network/utility.h"
+
+#include "absl/strings/str_cat.h"
+
+namespace Envoy {
+namespace Network {
+namespace Matching {
+
+Matcher::DataInputGetResult DestinationIPInput::get(const MatchingData& data) const {
+  const auto& address = data.socket().connectionInfoProvider().localAddress();
+  if (address->type() != Network::Address::Type::Ip) {
+    return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable, absl::nullopt};
+  }
+  return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable,
+          address->ip()->addressAsString()};
+}
+
+Matcher::DataInputGetResult DestinationPortInput::get(const MatchingData& data) const {
+  const auto& address = data.socket().connectionInfoProvider().localAddress();
+  if (address->type() != Network::Address::Type::Ip) {
+    return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable, absl::nullopt};
+  }
+  return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable,
+          absl::StrCat(address->ip()->port())};
+}
+
+Matcher::DataInputGetResult SourceIPInput::get(const MatchingData& data) const {
+  const auto& address = data.socket().connectionInfoProvider().remoteAddress();
+  if (address->type() != Network::Address::Type::Ip) {
+    return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable, absl::nullopt};
+  }
+  return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable,
+          address->ip()->addressAsString()};
+}
+
+Matcher::DataInputGetResult SourcePortInput::get(const MatchingData& data) const {
+  const auto& address = data.socket().connectionInfoProvider().remoteAddress();
+  if (address->type() != Network::Address::Type::Ip) {
+    return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable, absl::nullopt};
+  }
+  return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable,
+          absl::StrCat(address->ip()->port())};
+}
+
+Matcher::DataInputGetResult DirectSourceIPInput::get(const MatchingData& data) const {
+  const auto& address = data.socket().connectionInfoProvider().directRemoteAddress();
+  if (address->type() != Network::Address::Type::Ip) {
+    return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable, absl::nullopt};
+  }
+  return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable,
+          address->ip()->addressAsString()};
+}
+
+Matcher::DataInputGetResult SourceTypeInput::get(const MatchingData& data) const {
+  const bool is_local_connection = Network::Utility::isSameIpOrLoopback(data.socket());
+  if (is_local_connection) {
+    return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable, "local"};
+  }
+  return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable, absl::nullopt};
+}
+
+Matcher::DataInputGetResult ServerNameInput::get(const MatchingData& data) const {
+  const auto server_name = data.socket().requestedServerName();
+  if (!server_name.empty()) {
+    return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable,
+            std::string(server_name)};
+  }
+  return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable, absl::nullopt};
+}
+
+Matcher::DataInputGetResult TransportProtocolInput::get(const MatchingData& data) const {
+  const auto transport_protocol = data.socket().detectedTransportProtocol();
+  if (!transport_protocol.empty()) {
+    return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable,
+            std::string(transport_protocol)};
+  }
+  return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable, absl::nullopt};
+}
+
+Matcher::DataInputGetResult ApplicationProtocolInput::get(const MatchingData& data) const {
+  const auto& protocols = data.socket().requestedApplicationProtocols();
+  if (!protocols.empty()) {
+    return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable,
+            absl::StrCat("'", absl::StrJoin(protocols, "','"), "'")};
+  }
+  return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable, absl::nullopt};
+}
+
+REGISTER_FACTORY(DestinationIPInputFactory, Matcher::DataInputFactory<MatchingData>);
+REGISTER_FACTORY(DestinationPortInputFactory, Matcher::DataInputFactory<MatchingData>);
+REGISTER_FACTORY(SourceIPInputFactory, Matcher::DataInputFactory<MatchingData>);
+REGISTER_FACTORY(SourcePortInputFactory, Matcher::DataInputFactory<MatchingData>);
+REGISTER_FACTORY(DirectSourceIPInputFactory, Matcher::DataInputFactory<MatchingData>);
+REGISTER_FACTORY(SourceTypeInputFactory, Matcher::DataInputFactory<MatchingData>);
+REGISTER_FACTORY(ServerNameInputFactory, Matcher::DataInputFactory<MatchingData>);
+REGISTER_FACTORY(TransportProtocolInputFactory, Matcher::DataInputFactory<MatchingData>);
+REGISTER_FACTORY(ApplicationProtocolInputFactory, Matcher::DataInputFactory<MatchingData>);
+
+} // namespace Matching
+} // namespace Network
+} // namespace Envoy