DRAFT: Proxy Protocol Transport Socket

[wez470]

I opened this because I wanted to discuss / get some feedback on a few things. I am thinking I can split the rest of this work into 2 PRs (Maybe 3?). Contents would be as follows:

PR 1:

• Transport socket class
• Transport socket unit tests / test utils
• DownstreamAddresses transport socket option struct
• Refactor of listener filter to use common constants

PR 2:

• Transport socket config / config factory
• Transport socket API
• Transport socket Integration tests (Not in this PR yet)
• TCP Proxy API update for option to set down addrs socket option (Not in this PR yet)
• TCP Proxy update to set downstream addr option (Just hacked in for now so I could test things out)
• Any needed TCP Proxy integration / unit tests (Not in this PR yet)
• Documentation (Not in this PR yet)

PR 3:

• Performance pass?

This branch currently has PR 1 and some parts of what would be PR 2 in it. I'd just move the PR 1 pieces to a separate branch. Thoughts? I've also left a comment with a question on some code.

@alyssawilk @mattklein123

edit - Just noticed that v2 xDS is now frozen. So I'll have to update that.

[repokitteh-read-only]

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to api/.

🐱

Caused by: #10682 was opened by wez470.

see: more, trace.

[wez470]

Looking at the raw buffer socket, it also checks if the res.err is an Api::IoError::IoErrorCode::Again, and returns KeepOpen if it is. I wasn't sure if when receiving the Again error, it was a possibility that the header was partially sent. Handling that would complicate the logic so for now I'm just returning Close on any error. Let me know what you think is the right thing to do here is.

[wez470]

@lizan, do you know? Should this do a similar thing to the raw buffer socket, or is it fine to Close on any error?

[alyssawilk]

I'm inclined to have @lizan lead first pass on this one as I think he's done more of the socket level API work, but here's some thoughts in passing :-)

[alyssawilk]

@envoyproxy/maintainers for future-proofing sanity check
We use our own custom proxy proto header equivalent in-house as we add some non-standard fields IMO are fairly generically useful. Do y'all know if anyone else does this? I already have some ideas of how we can do our custom stuff with stock Envoy but if we're not the only ones who play around this way I'd be inclined to do a review pass with generic extensibility in mind.

[ggreenway]

proxy protocol v2 has support to extensions. Can your internal version be mapped on this?

https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt

If the length specified in the PROXY protocol header indicates that additional
bytes are part of the header beyond the address information, a receiver may
choose to skip over and ignore those bytes, or attempt to interpret those
bytes.

The information in those bytes will be arranged in Type-Length-Value (TLV
vectors) in the following format.  The first byte is the Type of the vector.
The second two bytes represent the length in bytes of the value (not included
the Type and Length bytes), and following the length field is the number of
bytes specified by the length.

        struct pp2_tlv {
            uint8_t type;
            uint8_t length_hi;
            uint8_t length_lo;
            uint8_t value[0];
        };

A receiver may choose to skip over and ignore the TLVs he is not interested in
or he does not understand. Senders can generate the TLVs only for
the information they choose to publish.

The following types have already been registered for the <type> field :

        #define PP2_TYPE_ALPN           0x01
        #define PP2_TYPE_AUTHORITY      0x02
        #define PP2_TYPE_CRC32C         0x03
        #define PP2_TYPE_NOOP           0x04
        #define PP2_TYPE_UNIQUE_ID      0x05
        #define PP2_TYPE_SSL            0x20
        #define PP2_SUBTYPE_SSL_VERSION 0x21
        #define PP2_SUBTYPE_SSL_CN      0x22
        #define PP2_SUBTYPE_SSL_CIPHER  0x23
        #define PP2_SUBTYPE_SSL_SIG_ALG 0x24
        #define PP2_SUBTYPE_SSL_KEY_ALG 0x25
        #define PP2_TYPE_NETNS          0x30

[alyssawilk]

Possibly, but if other folks are likely to use the extension I think that answers my question - that should be good enough for the common case. Thanks!

[alyssawilk]

Actually can we do one more split, which is trying to land the APIs first?

I've got a WIP patch using your utilities (yay!) and I think I have a handle on API work now:
https://github.com/envoyproxy/envoy/compare/master...alyssawilk:shinkansen_next?expand=1

I think basically it'd be nice to have a standalone message for proxy proto config which has the version, and can optionally be extended later for extensions. Then in my PR for translating CONNECT I can just pull that whole proto in the ProxyConfig. Alternately I can land the API with my PR, but I figure you've done all the hard work, might as well get the git blame credit :-P

[wez470]

Yeah, that sounds good to me. I'm fine if that change happens in your PR. If you need it right away, it's probably best. If it can wait a couple days, I'm happy to do it.

[stale]

This pull request has been automatically marked as stale because it has not had activity in the last 7 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!

[azure-pipelines]

Command 'rerun' is not supported by Azure Pipelines.

Supported commands

• help:
• Get descriptions, examples and documentation about supported commands
• Example: help "command_name"
• list:
• List all pipelines for this repository using a comment.
• Example: "list"
• run:
• Run all pipelines or specific pipelines for this repository using a comment. Use this command by itself to trigger all related pipelines, or specify specific pipelines to run.
• Example: "run" or "run pipeline_name, pipeline_name, pipeline_name"
• where:
• Report back the Azure DevOps orgs that are related to this repository and org
• Example: "where"

See additional documentation.

[wez470]

Okay, thanks for the initial feedback here, everyone 🙂. Since there were no objections, I'm going to split out the first PR (as mentioned in the description).

[stale]

This pull request has been automatically marked as stale because it has not had activity in the last 7 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!

[wez470]

Closing as I'm just going to work on making PRs for the individual pieces

[surki]

@wez470 wondering if you have other PRs opened, if so please share them

[wez470]

Hi, sorry for the delay. I plan to have PR 1 out this weekend.