http2: Flip the upstream H2 frame flood and abuse checks to ON by def…

…ault (#14443) Signed-off-by: Yan Avlasov <[email protected]>
envoyproxy · Jan 14, 2021 · fda60bb · fda60bb
1 parent cfd1532
commit fda60bb
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 7 deletions.
diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst
@@ -36,6 +36,7 @@ New Features
 ------------
 * access log: added the :ref:`formatters <envoy_v3_api_field_config.core.v3.SubstitutionFormatString.formatters>` extension point for custom formatters (command operators).
 * http: added support for :ref:`:ref:`preconnecting <envoy_v3_api_msg_config.cluster.v3.Cluster.PreconnectPolicy>`. Preconnecting is off by default, but recommended for clusters serving latency-sensitive traffic, especially if using HTTP/1.1.
+* http: change frame flood and abuse checks to the upstream HTTP/2 codec to ON by default. It can be disabled by setting the `envoy.reloadable_features.upstream_http2_flood_checks` runtime key to false.
 * tcp_proxy: add support for converting raw TCP streams into HTTP/1.1 CONNECT requests. See :ref:`upgrade documentation <tunneling-tcp-over-http>` for details.
 
 Deprecated

diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc
@@ -89,6 +89,7 @@ constexpr const char* runtime_features[] = {
     "envoy.reloadable_features.upstream_host_weight_change_causes_rebuild",
     "envoy.reloadable_features.vhds_heartbeats",
     "envoy.reloadable_features.unify_grpc_handling",
+    "envoy.reloadable_features.upstream_http2_flood_checks",
     "envoy.restart_features.use_apple_api_for_dns_lookups",
 };
 
@@ -108,8 +109,6 @@ constexpr const char* disabled_runtime_features[] = {
     "envoy.reloadable_features.enable_type_url_downgrade_and_upgrade",
     // TODO(alyssawilk) flip true after the release.
     "envoy.reloadable_features.new_tcp_connection_pool",
-    // TODO(yanavlasov) flip true after all tests for upstream flood checks are implemented
-    "envoy.reloadable_features.upstream_http2_flood_checks",
     // Sentinel and test flag.
     "envoy.reloadable_features.test_feature_false",
 };

diff --git a/test/integration/http2_flood_integration_test.cc b/test/integration/http2_flood_integration_test.cc
@@ -131,8 +131,6 @@ INSTANTIATE_TEST_SUITE_P(IpVersions, Http2FloodMitigationTest,
                          TestUtility::ipTestParamsToString);
 
 bool Http2FloodMitigationTest::initializeUpstreamFloodTest() {
-  config_helper_.addRuntimeOverride("envoy.reloadable_features.upstream_http2_flood_checks",
-                                    "true");
   setDownstreamProtocol(Http::CodecClient::Type::HTTP2);
   setUpstreamProtocol(FakeHttpConnection::Type::HTTP2);
   // set lower upstream outbound frame limits to make tests run faster
@@ -178,8 +176,6 @@ void Http2FloodMitigationTest::beginSession() {
 
 std::vector<char> Http2FloodMitigationTest::serializeFrames(const Http2Frame& frame,
                                                             uint32_t num_frames) {
-  // make sure all frames can fit into 16k buffer
-  ASSERT(num_frames <= ((16u * 1024u) / frame.size()));
   std::vector<char> buf(num_frames * frame.size());
   for (auto pos = buf.begin(); pos != buf.end();) {
     pos = std::copy(frame.begin(), frame.end(), pos);
@@ -1557,4 +1553,15 @@ TEST_P(Http2FloodMitigationTest, RequestMetadata) {
   EXPECT_EQ(1, test_server_->counter("cluster.cluster_0.http2.outbound_flood")->value());
 }
 
+// Validate that the default configuration has flood protection enabled.
+TEST_P(Http2FloodMitigationTest, UpstreamFloodDetectionIsOnByDefault) {
+  setDownstreamProtocol(Http::CodecClient::Type::HTTP2);
+  setUpstreamProtocol(FakeHttpConnection::Type::HTTP2);
+  initialize();
+
+  floodClient(Http2Frame::makePingFrame(),
+              Http2::Utility::OptionsLimits::DEFAULT_MAX_OUTBOUND_CONTROL_FRAMES + 1,
+              "cluster.cluster_0.http2.outbound_control_flood");
+}
+
 } // namespace Envoy
diff --git a/test/integration/http2_integration_test.cc b/test/integration/http2_integration_test.cc
@@ -111,7 +111,9 @@ TEST_P(Http2IntegrationTest, CodecStreamIdleTimeout) {
         hcm.mutable_stream_idle_timeout()->set_nanos(IdleTimeoutMs * 1000 * 1000);
       });
   initialize();
-  envoy::config::core::v3::Http2ProtocolOptions http2_options;
+  envoy::config::core::v3::Http2ProtocolOptions http2_options =
+      ::Envoy::Http2::Utility::initializeAndValidateOptions(
+          envoy::config::core::v3::Http2ProtocolOptions());
   http2_options.mutable_initial_stream_window_size()->set_value(65535);
   codec_client_ = makeRawHttpConnection(makeClientConnection(lookupPort("http")), http2_options);
   auto response = codec_client_->makeHeaderOnlyRequest(default_request_headers_);