xds/third_party/envoy/src/main/proto/envoy/config/listener/v3/listener_components.proto - platform/external/grpc-grpc-java - Git at Google

 syntax = "proto3";

 package envoy.config.listener.v3;

 import "envoy/config/core/v3/address.proto";
 import "envoy/config/core/v3/base.proto";
 import "envoy/type/v3/range.proto";

 import "google/protobuf/any.proto";
 import "google/protobuf/duration.proto";
 import "google/protobuf/struct.proto";
 import "google/protobuf/wrappers.proto";

 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";

 option java_package = "io.envoyproxy.envoy.config.listener.v3";
 option java_outer_classname = "ListenerComponentsProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = ACTIVE;

 // [#protodoc-title: Listener components]
 // Listener :ref:`configuration overview <config_listeners>`

 message Filter {
   option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.listener.Filter";

   reserved 3, 2;

   reserved "config";

   // The name of the filter to instantiate. The name must match a
   // :ref:`supported filter <config_network_filters>`.
   string name = 1 [(validate.rules).string = {min_bytes: 1}];

   // Filter specific configuration which depends on the filter being
   // instantiated. See the supported filters for further documentation.
   oneof config_type {
     google.protobuf.Any typed_config = 4;
   }
 }

 // Specifies the match criteria for selecting a specific filter chain for a
 // listener.
 //
 // In order for a filter chain to be selected, *ALL* of its criteria must be
 // fulfilled by the incoming connection, properties of which are set by the
 // networking stack and/or listener filters.
 //
 // The following order applies:
 //
 // 1. Destination port.
 // 2. Destination IP address.
 // 3. Server name (e.g. SNI for TLS protocol),
 // 4. Transport protocol.
 // 5. Application protocols (e.g. ALPN for TLS protocol).
 // 6. Source type (e.g. any, local or external network).
 // 7. Source IP address.
 // 8. Source port.
 //
 // For criteria that allow ranges or wildcards, the most specific value in any
 // of the configured filter chains that matches the incoming connection is going
 // to be used (e.g. for SNI ``www.example.com`` the most specific match would be
 // ``www.example.com``, then ``*.example.com``, then ``*.com``, then any filter
 // chain without ``server_names`` requirements).
 //
 // [#comment: Implemented rules are kept in the preference order, with deprecated fields
 // listed at the end, because that's how we want to list them in the docs.
 //
 // [#comment:TODO(PiotrSikora): Add support for configurable precedence of the rules]
 // [#next-free-field: 13]
 message FilterChainMatch {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.api.v2.listener.FilterChainMatch";

   enum ConnectionSourceType {
     // Any connection source matches.
     ANY = 0;

     // Match a connection originating from the same host.
     SAME_IP_OR_LOOPBACK = 1;

     // Match a connection originating from a different host.
     EXTERNAL = 2;
   }

   reserved 1;

   // Optional destination port to consider when use_original_dst is set on the
   // listener in determining a filter chain match.
   google.protobuf.UInt32Value destination_port = 8 [(validate.rules).uint32 = {lte: 65535 gte: 1}];

   // If non-empty, an IP address and prefix length to match addresses when the
   // listener is bound to 0.0.0.0/:: or when use_original_dst is specified.
   repeated core.v3.CidrRange prefix_ranges = 3;

   // If non-empty, an IP address and suffix length to match addresses when the
   // listener is bound to 0.0.0.0/:: or when use_original_dst is specified.
   // [#not-implemented-hide:]
   string address_suffix = 4;

   // [#not-implemented-hide:]
   google.protobuf.UInt32Value suffix_len = 5;

   // Specifies the connection source IP match type. Can be any, local or external network.
   ConnectionSourceType source_type = 12 [(validate.rules).enum = {defined_only: true}];

   // The criteria is satisfied if the source IP address of the downstream
   // connection is contained in at least one of the specified subnets. If the
   // parameter is not specified or the list is empty, the source IP address is
   // ignored.
   repeated core.v3.CidrRange source_prefix_ranges = 6;

   // The criteria is satisfied if the source port of the downstream connection
   // is contained in at least one of the specified ports. If the parameter is
   // not specified, the source port is ignored.
   repeated uint32 source_ports = 7
       [(validate.rules).repeated = {items {uint32 {lte: 65535 gte: 1}}}];

   // If non-empty, a list of server names (e.g. SNI for TLS protocol) to consider when determining
   // a filter chain match. Those values will be compared against the server names of a new
   // connection, when detected by one of the listener filters.
   //
   // The server name will be matched against all wildcard domains, i.e. ``www.example.com``
   // will be first matched against ``www.example.com``, then ``*.example.com``, then ``*.com``.
   //
   // Note that partial wildcards are not supported, and values like ``*w.example.com`` are invalid.
   //
   // .. attention::
   //
   //   See the :ref:`FAQ entry <faq_how_to_setup_sni>` on how to configure SNI for more
   //   information.
   repeated string server_names = 11;

   // If non-empty, a transport protocol to consider when determining a filter chain match.
   // This value will be compared against the transport protocol of a new connection, when
   // it's detected by one of the listener filters.
   //
   // Suggested values include:
   //
   // * ``raw_buffer`` - default, used when no transport protocol is detected,
   // * ``tls`` - set by :ref:`envoy.filters.listener.tls_inspector <config_listener_filters_tls_inspector>`
   //   when TLS protocol is detected.
   string transport_protocol = 9;

   // If non-empty, a list of application protocols (e.g. ALPN for TLS protocol) to consider when
   // determining a filter chain match. Those values will be compared against the application
   // protocols of a new connection, when detected by one of the listener filters.
   //
   // Suggested values include:
   //
   // * ``http/1.1`` - set by :ref:`envoy.filters.listener.tls_inspector
   //   <config_listener_filters_tls_inspector>`,
   // * ``h2`` - set by :ref:`envoy.filters.listener.tls_inspector <config_listener_filters_tls_inspector>`
   //
   // .. attention::
   //
   //   Currently, only :ref:`TLS Inspector <config_listener_filters_tls_inspector>` provides
   //   application protocol detection based on the requested
   //   `ALPN <https://en.wikipedia.org/wiki/Application-Layer_Protocol_Negotiation>`_ values.
   //
   //   However, the use of ALPN is pretty much limited to the HTTP/2 traffic on the Internet,
   //   and matching on values other than ``h2`` is going to lead to a lot of false negatives,
   //   unless all connecting clients are known to use ALPN.
   repeated string application_protocols = 10;
 }

 // A filter chain wraps a set of match criteria, an option TLS context, a set of filters, and
 // various other parameters.
 // [#next-free-field: 9]
 message FilterChain {
   option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.listener.FilterChain";

   // The configuration for on-demand filter chain. If this field is not empty in FilterChain message,
   // a filter chain will be built on-demand.
   // On-demand filter chains help speedup the warming up of listeners since the building and initialization of
   // an on-demand filter chain will be postponed to the arrival of new connection requests that require this filter chain.
   // Filter chains that are not often used can be set as on-demand.
   message OnDemandConfiguration {
     // The timeout to wait for filter chain placeholders to complete rebuilding.
     // 1. If this field is set to 0, timeout is disabled.
     // 2. If not specified, a default timeout of 15s is used.
     // Rebuilding will wait until dependencies are ready, have failed, or this timeout is reached.
     // Upon failure or timeout, all connections related to this filter chain will be closed.
     // Rebuilding will start again on the next new connection.
     google.protobuf.Duration rebuild_timeout = 1;
   }

   reserved 2;

   reserved "tls_context";

   // The criteria to use when matching a connection to this filter chain.
   FilterChainMatch filter_chain_match = 1;

   // A list of individual network filters that make up the filter chain for
   // connections established with the listener. Order matters as the filters are
   // processed sequentially as connection events happen. Note: If the filter
   // list is empty, the connection will close by default.
   repeated Filter filters = 3;

   // Whether the listener should expect a PROXY protocol V1 header on new
   // connections. If this option is enabled, the listener will assume that that
   // remote address of the connection is the one specified in the header. Some
   // load balancers including the AWS ELB support this option. If the option is
   // absent or set to false, Envoy will use the physical peer address of the
   // connection as the remote address.
   google.protobuf.BoolValue use_proxy_proto = 4;

   // [#not-implemented-hide:] filter chain metadata.
   core.v3.Metadata metadata = 5;

   // Optional custom transport socket implementation to use for downstream connections.
   // To setup TLS, set a transport socket with name `tls` and
   // :ref:`DownstreamTlsContext <envoy_api_msg_extensions.transport_sockets.tls.v3.DownstreamTlsContext>` in the `typed_config`.
   // If no transport socket configuration is specified, new connections
   // will be set up with plaintext.
   core.v3.TransportSocket transport_socket = 6;

   // [#not-implemented-hide:] The unique name (or empty) by which this filter chain is known. If no
   // name is provided, Envoy will allocate an internal UUID for the filter chain. If the filter
   // chain is to be dynamically updated or removed via FCDS a unique name must be provided.
   string name = 7;

   // [#not-implemented-hide:] The configuration to specify whether the filter chain will be built on-demand.
   // If this field is not empty, the filter chain will be built on-demand.
   // Otherwise, the filter chain will be built normally and block listener warming.
   OnDemandConfiguration on_demand_configuration = 8;
 }

 // Listener filter chain match configuration. This is a recursive structure which allows complex
 // nested match configurations to be built using various logical operators.
 //
 // Examples:
 //
 // * Matches if the destination port is 3306.
 //
 // .. code-block:: yaml
 //
 //  destination_port_range:
 //   start: 3306
 //   end: 3307
 //
 // * Matches if the destination port is 3306 or 15000.
 //
 // .. code-block:: yaml
 //
 //  or_match:
 //    rules:
 //      - destination_port_range:
 //          start: 3306
 //          end: 3306
 //      - destination_port_range:
 //          start: 15000
 //          end: 15001
 //
 // [#next-free-field: 6]
 message ListenerFilterChainMatchPredicate {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.api.v2.listener.ListenerFilterChainMatchPredicate";

   // A set of match configurations used for logical operations.
   message MatchSet {
     option (udpa.annotations.versioning).previous_message_type =
         "envoy.api.v2.listener.ListenerFilterChainMatchPredicate.MatchSet";

     // The list of rules that make up the set.
     repeated ListenerFilterChainMatchPredicate rules = 1
         [(validate.rules).repeated = {min_items: 2}];
   }

   oneof rule {
     option (validate.required) = true;

     // A set that describes a logical OR. If any member of the set matches, the match configuration
     // matches.
     MatchSet or_match = 1;

     // A set that describes a logical AND. If all members of the set match, the match configuration
     // matches.
     MatchSet and_match = 2;

     // A negation match. The match configuration will match if the negated match condition matches.
     ListenerFilterChainMatchPredicate not_match = 3;

     // The match configuration will always match.
     bool any_match = 4 [(validate.rules).bool = {const: true}];

     // Match destination port. Particularly, the match evaluation must use the recovered local port if
     // the owning listener filter is after :ref:`an original_dst listener filter <config_listener_filters_original_dst>`.
     type.v3.Int32Range destination_port_range = 5;
   }
 }

 message ListenerFilter {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.api.v2.listener.ListenerFilter";

   reserved 2;

   reserved "config";

   // The name of the filter to instantiate. The name must match a
   // :ref:`supported filter <config_listener_filters>`.
   string name = 1 [(validate.rules).string = {min_bytes: 1}];

   // Filter specific configuration which depends on the filter being instantiated.
   // See the supported filters for further documentation.
   oneof config_type {
     google.protobuf.Any typed_config = 3;
   }

   // Optional match predicate used to disable the filter. The filter is enabled when this field is empty.
   // See :ref:`ListenerFilterChainMatchPredicate <envoy_api_msg_config.listener.v3.ListenerFilterChainMatchPredicate>`
   // for further examples.
   ListenerFilterChainMatchPredicate filter_disabled = 4;
 }
	syntax = "proto3";

	package envoy.config.listener.v3;

	import "envoy/config/core/v3/address.proto";
	import "envoy/config/core/v3/base.proto";
	import "envoy/type/v3/range.proto";

	import "google/protobuf/any.proto";
	import "google/protobuf/duration.proto";
	import "google/protobuf/struct.proto";
	import "google/protobuf/wrappers.proto";

	import "udpa/annotations/status.proto";
	import "udpa/annotations/versioning.proto";
	import "validate/validate.proto";

	option java_package = "io.envoyproxy.envoy.config.listener.v3";
	option java_outer_classname = "ListenerComponentsProto";
	option java_multiple_files = true;
	option (udpa.annotations.file_status).package_version_status = ACTIVE;

	// [#protodoc-title: Listener components]
	// Listener :ref:`configuration overview <config_listeners>`

	message Filter {
	option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.listener.Filter";

	reserved 3, 2;

	reserved "config";

	// The name of the filter to instantiate. The name must match a
	// :ref:`supported filter <config_network_filters>`.
	string name = 1 [(validate.rules).string = {min_bytes: 1}];

	// Filter specific configuration which depends on the filter being
	// instantiated. See the supported filters for further documentation.
	oneof config_type {
	google.protobuf.Any typed_config = 4;
	}
	}

	// Specifies the match criteria for selecting a specific filter chain for a
	// listener.
	//
	// In order for a filter chain to be selected, ALL of its criteria must be
	// fulfilled by the incoming connection, properties of which are set by the
	// networking stack and/or listener filters.
	//
	// The following order applies:
	//
	// 1. Destination port.
	// 2. Destination IP address.
	// 3. Server name (e.g. SNI for TLS protocol),
	// 4. Transport protocol.
	// 5. Application protocols (e.g. ALPN for TLS protocol).
	// 6. Source type (e.g. any, local or external network).
	// 7. Source IP address.
	// 8. Source port.
	//
	// For criteria that allow ranges or wildcards, the most specific value in any
	// of the configured filter chains that matches the incoming connection is going
	// to be used (e.g. for SNI ``www.example.com`` the most specific match would be
	// ``www.example.com``, then ``.example.com``, then ``.com``, then any filter
	// chain without ``server_names`` requirements).
	//
	// [#comment: Implemented rules are kept in the preference order, with deprecated fields
	// listed at the end, because that's how we want to list them in the docs.
	//
	// [#comment:TODO(PiotrSikora): Add support for configurable precedence of the rules]
	// [#next-free-field: 13]
	message FilterChainMatch {
	option (udpa.annotations.versioning).previous_message_type =
	"envoy.api.v2.listener.FilterChainMatch";

	enum ConnectionSourceType {
	// Any connection source matches.
	ANY = 0;

	// Match a connection originating from the same host.
	SAME_IP_OR_LOOPBACK = 1;

	// Match a connection originating from a different host.
	EXTERNAL = 2;
	}

	reserved 1;

	// Optional destination port to consider when use_original_dst is set on the
	// listener in determining a filter chain match.
	google.protobuf.UInt32Value destination_port = 8 [(validate.rules).uint32 = {lte: 65535 gte: 1}];

	// If non-empty, an IP address and prefix length to match addresses when the
	// listener is bound to 0.0.0.0/:: or when use_original_dst is specified.
	repeated core.v3.CidrRange prefix_ranges = 3;

	// If non-empty, an IP address and suffix length to match addresses when the
	// listener is bound to 0.0.0.0/:: or when use_original_dst is specified.
	// [#not-implemented-hide:]
	string address_suffix = 4;

	// [#not-implemented-hide:]
	google.protobuf.UInt32Value suffix_len = 5;

	// Specifies the connection source IP match type. Can be any, local or external network.
	ConnectionSourceType source_type = 12 [(validate.rules).enum = {defined_only: true}];

	// The criteria is satisfied if the source IP address of the downstream
	// connection is contained in at least one of the specified subnets. If the
	// parameter is not specified or the list is empty, the source IP address is
	// ignored.
	repeated core.v3.CidrRange source_prefix_ranges = 6;

	// The criteria is satisfied if the source port of the downstream connection
	// is contained in at least one of the specified ports. If the parameter is
	// not specified, the source port is ignored.
	repeated uint32 source_ports = 7
	[(validate.rules).repeated = {items {uint32 {lte: 65535 gte: 1}}}];

	// If non-empty, a list of server names (e.g. SNI for TLS protocol) to consider when determining
	// a filter chain match. Those values will be compared against the server names of a new
	// connection, when detected by one of the listener filters.
	//
	// The server name will be matched against all wildcard domains, i.e. ``www.example.com``
	// will be first matched against ``www.example.com``, then ``.example.com``, then ``.com``.
	//
	// Note that partial wildcards are not supported, and values like ``*w.example.com`` are invalid.
	//
	// .. attention::
	//
	// See the :ref:`FAQ entry <faq_how_to_setup_sni>` on how to configure SNI for more
	// information.
	repeated string server_names = 11;

	// If non-empty, a transport protocol to consider when determining a filter chain match.
	// This value will be compared against the transport protocol of a new connection, when
	// it's detected by one of the listener filters.
	//
	// Suggested values include:
	//
	// * ``raw_buffer`` - default, used when no transport protocol is detected,
	// * ``tls`` - set by :ref:`envoy.filters.listener.tls_inspector <config_listener_filters_tls_inspector>`
	// when TLS protocol is detected.
	string transport_protocol = 9;

	// If non-empty, a list of application protocols (e.g. ALPN for TLS protocol) to consider when
	// determining a filter chain match. Those values will be compared against the application
	// protocols of a new connection, when detected by one of the listener filters.
	//
	// Suggested values include:
	//
	// * ``http/1.1`` - set by :ref:`envoy.filters.listener.tls_inspector
	// <config_listener_filters_tls_inspector>`,
	// * ``h2`` - set by :ref:`envoy.filters.listener.tls_inspector <config_listener_filters_tls_inspector>`
	//
	// .. attention::
	//
	// Currently, only :ref:`TLS Inspector <config_listener_filters_tls_inspector>` provides
	// application protocol detection based on the requested
	// `ALPN <https://en.wikipedia.org/wiki/Application-Layer_Protocol_Negotiation>`_ values.
	//
	// However, the use of ALPN is pretty much limited to the HTTP/2 traffic on the Internet,
	// and matching on values other than ``h2`` is going to lead to a lot of false negatives,
	// unless all connecting clients are known to use ALPN.
	repeated string application_protocols = 10;
	}

	// A filter chain wraps a set of match criteria, an option TLS context, a set of filters, and
	// various other parameters.
	// [#next-free-field: 9]
	message FilterChain {
	option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.listener.FilterChain";

	// The configuration for on-demand filter chain. If this field is not empty in FilterChain message,
	// a filter chain will be built on-demand.
	// On-demand filter chains help speedup the warming up of listeners since the building and initialization of
	// an on-demand filter chain will be postponed to the arrival of new connection requests that require this filter chain.
	// Filter chains that are not often used can be set as on-demand.
	message OnDemandConfiguration {
	// The timeout to wait for filter chain placeholders to complete rebuilding.
	// 1. If this field is set to 0, timeout is disabled.
	// 2. If not specified, a default timeout of 15s is used.
	// Rebuilding will wait until dependencies are ready, have failed, or this timeout is reached.
	// Upon failure or timeout, all connections related to this filter chain will be closed.
	// Rebuilding will start again on the next new connection.
	google.protobuf.Duration rebuild_timeout = 1;
	}

	reserved 2;

	reserved "tls_context";

	// The criteria to use when matching a connection to this filter chain.
	FilterChainMatch filter_chain_match = 1;

	// A list of individual network filters that make up the filter chain for
	// connections established with the listener. Order matters as the filters are
	// processed sequentially as connection events happen. Note: If the filter
	// list is empty, the connection will close by default.
	repeated Filter filters = 3;

	// Whether the listener should expect a PROXY protocol V1 header on new
	// connections. If this option is enabled, the listener will assume that that
	// remote address of the connection is the one specified in the header. Some
	// load balancers including the AWS ELB support this option. If the option is
	// absent or set to false, Envoy will use the physical peer address of the
	// connection as the remote address.
	google.protobuf.BoolValue use_proxy_proto = 4;

	// [#not-implemented-hide:] filter chain metadata.
	core.v3.Metadata metadata = 5;

	// Optional custom transport socket implementation to use for downstream connections.
	// To setup TLS, set a transport socket with name `tls` and
	// :ref:`DownstreamTlsContext <envoy_api_msg_extensions.transport_sockets.tls.v3.DownstreamTlsContext>` in the `typed_config`.
	// If no transport socket configuration is specified, new connections
	// will be set up with plaintext.
	core.v3.TransportSocket transport_socket = 6;

	// [#not-implemented-hide:] The unique name (or empty) by which this filter chain is known. If no
	// name is provided, Envoy will allocate an internal UUID for the filter chain. If the filter
	// chain is to be dynamically updated or removed via FCDS a unique name must be provided.
	string name = 7;

	// [#not-implemented-hide:] The configuration to specify whether the filter chain will be built on-demand.
	// If this field is not empty, the filter chain will be built on-demand.
	// Otherwise, the filter chain will be built normally and block listener warming.
	OnDemandConfiguration on_demand_configuration = 8;
	}

	// Listener filter chain match configuration. This is a recursive structure which allows complex
	// nested match configurations to be built using various logical operators.
	//
	// Examples:
	//
	// * Matches if the destination port is 3306.
	//
	// .. code-block:: yaml
	//
	// destination_port_range:
	// start: 3306
	// end: 3307
	//
	// * Matches if the destination port is 3306 or 15000.
	//
	// .. code-block:: yaml
	//
	// or_match:
	// rules:
	// - destination_port_range:
	// start: 3306
	// end: 3306
	// - destination_port_range:
	// start: 15000
	// end: 15001
	//
	// [#next-free-field: 6]
	message ListenerFilterChainMatchPredicate {
	option (udpa.annotations.versioning).previous_message_type =
	"envoy.api.v2.listener.ListenerFilterChainMatchPredicate";

	// A set of match configurations used for logical operations.
	message MatchSet {
	option (udpa.annotations.versioning).previous_message_type =
	"envoy.api.v2.listener.ListenerFilterChainMatchPredicate.MatchSet";

	// The list of rules that make up the set.
	repeated ListenerFilterChainMatchPredicate rules = 1
	[(validate.rules).repeated = {min_items: 2}];
	}

	oneof rule {
	option (validate.required) = true;

	// A set that describes a logical OR. If any member of the set matches, the match configuration
	// matches.
	MatchSet or_match = 1;

	// A set that describes a logical AND. If all members of the set match, the match configuration
	// matches.
	MatchSet and_match = 2;

	// A negation match. The match configuration will match if the negated match condition matches.
	ListenerFilterChainMatchPredicate not_match = 3;

	// The match configuration will always match.
	bool any_match = 4 [(validate.rules).bool = {const: true}];

	// Match destination port. Particularly, the match evaluation must use the recovered local port if
	// the owning listener filter is after :ref:`an original_dst listener filter <config_listener_filters_original_dst>`.
	type.v3.Int32Range destination_port_range = 5;
	}
	}

	message ListenerFilter {
	option (udpa.annotations.versioning).previous_message_type =
	"envoy.api.v2.listener.ListenerFilter";

	reserved 2;

	reserved "config";

	// The name of the filter to instantiate. The name must match a
	// :ref:`supported filter <config_listener_filters>`.
	string name = 1 [(validate.rules).string = {min_bytes: 1}];

	// Filter specific configuration which depends on the filter being instantiated.
	// See the supported filters for further documentation.
	oneof config_type {
	google.protobuf.Any typed_config = 3;
	}

	// Optional match predicate used to disable the filter. The filter is enabled when this field is empty.
	// See :ref:`ListenerFilterChainMatchPredicate <envoy_api_msg_config.listener.v3.ListenerFilterChainMatchPredicate>`
	// for further examples.
	ListenerFilterChainMatchPredicate filter_disabled = 4;
	}