Original source IP for UDP protocol #12277

Open
marcin54321 opened this issue Jul 24, 2020 · 0 comments

Description:
I need to configure Envoy UDP listeners which preserve the original source IP address of a client.

Repro steps:
Use the following config:

admin:
  access_log_path: /var/log/admin_access.log
static_resources:
  listeners:
  - name: listener_172.16.0.26_80_v4
    address:
      socket_address: { address: 172.16.0.26, port_value: 80, protocol: UDP }
    reuse_port: true
    listener_filters:
    - name: envoy.filters.listener.original_src
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.listener.original_src.v3.OriginalSrc
        mark: 1
    - name: envoy.filters.udp_listener.udp_proxy
      typed_config:
        "@type": type.googleapis.com/envoy.config.filter.udp.udp_proxy.v2alpha.UdpProxyConfig
        stat_prefix: ingress_udp
        cluster: local_service_80
  - name: listener_172.16.0.25_80_v4
    address:
      socket_address: { address: 172.16.0.25, port_value: 80, protocol: UDP }
    reuse_port: true
    listener_filters:
    - name: envoy.filters.udp_listener.udp_proxy
      typed_config:
        "@type": type.googleapis.com/envoy.config.filter.udp.udp_proxy.v2alpha.UdpProxyConfig
        stat_prefix: ingress_udp
        cluster: local_service_80
  clusters:
  - name: local_service_80
    connect_timeout: 0.25s
    type: STATIC
    dns_lookup_family: V4_ONLY
    lb_policy: MAGLEV
    load_assignment:
      cluster_name: local_service_80
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: 10.101.10.15, port_value: 80 }
        - endpoint:
            address:
              socket_address: { address: 10.101.10.16, port_value: 80 }

Logs:

[2020-07-24 14:21:13.066][63][info][main] [source/server/server.cc:295] initializing epoch 0 (base id=0, hot restart version=11.104)
[2020-07-24 14:21:13.066][63][info][main] [source/server/server.cc:297] statically linked extensions:
[2020-07-24 14:21:13.066][63][info][main] [source/server/server.cc:299]   envoy.access_loggers: envoy.access_loggers.file, envoy.access_loggers.http_grpc, envoy.access_loggers.tcp_grpc, envoy.file_access_log, envoy.http_grpc_access_log, envoy.tcp_grpc_access_log
[2020-07-24 14:21:13.066][63][info][main] [source/server/server.cc:299]   http_cache_factory: envoy.extensions.http.cache.simple
[2020-07-24 14:21:13.066][63][info][main] [source/server/server.cc:299]   envoy.upstreams: envoy.filters.connection_pools.http.generic, envoy.filters.connection_pools.http.http, envoy.filters.connection_pools.http.tcp
[2020-07-24 14:21:13.066][63][info][main] [source/server/server.cc:299]   envoy.dubbo_proxy.route_matchers: default
[2020-07-24 14:21:13.066][63][info][main] [source/server/server.cc:299]   envoy.resolvers: envoy.ip
[2020-07-24 14:21:13.066][63][info][main] [source/server/server.cc:299]   envoy.thrift_proxy.protocols: auto, binary, binary/non-strict, compact, twitter
[2020-07-24 14:21:13.066][63][info][main] [source/server/server.cc:299]   envoy.udp_listeners: raw_udp_listener
[2020-07-24 14:21:13.066][63][info][main] [source/server/server.cc:299]   envoy.filters.http: envoy.buffer, envoy.cors, envoy.csrf, envoy.ext_authz, envoy.fault, envoy.filters.http.adaptive_concurrency, envoy.filters.http.admission_control, envoy.filters.http.aws_lambda, envoy.filters.http.aws_request_signing, envoy.filters.http.buffer, envoy.filters.http.cache, envoy.filters.http.compressor, envoy.filters.http.cors, envoy.filters.http.csrf, envoy.filters.http.decompressor, envoy.filters.http.dynamic_forward_proxy, envoy.filters.http.dynamo, envoy.filters.http.ext_authz, envoy.filters.http.fault, envoy.filters.http.grpc_http1_bridge, envoy.filters.http.grpc_http1_reverse_bridge, envoy.filters.http.grpc_json_transcoder, envoy.filters.http.grpc_stats, envoy.filters.http.grpc_web, envoy.filters.http.gzip, envoy.filters.http.header_to_metadata, envoy.filters.http.health_check, envoy.filters.http.ip_tagging, envoy.filters.http.jwt_authn, envoy.filters.http.lua, envoy.filters.http.on_demand, envoy.filters.http.original_src, envoy.filters.http.ratelimit, envoy.filters.http.rbac, envoy.filters.http.router, envoy.filters.http.squash, envoy.filters.http.tap, envoy.grpc_http1_bridge, envoy.grpc_json_transcoder, envoy.grpc_web, envoy.gzip, envoy.health_check, envoy.http_dynamo_filter, envoy.ip_tagging, envoy.lua, envoy.rate_limit, envoy.router, envoy.squash
[2020-07-24 14:21:13.066][63][info][main] [source/server/server.cc:299]   envoy.filters.udp_listener: envoy.filters.udp.dns_filter, envoy.filters.udp_listener.udp_proxy
[2020-07-24 14:21:13.066][63][info][main] [source/server/server.cc:299]   envoy.dubbo_proxy.serializers: dubbo.hessian2
[2020-07-24 14:21:13.066][63][info][main] [source/server/server.cc:299]   envoy.dubbo_proxy.filters: envoy.filters.dubbo.router
[2020-07-24 14:21:13.066][63][info][main] [source/server/server.cc:299]   envoy.transport_sockets.upstream: envoy.transport_sockets.alts, envoy.transport_sockets.quic, envoy.transport_sockets.raw_buffer, envoy.transport_sockets.tap, envoy.transport_sockets.tls, raw_buffer, tls
[2020-07-24 14:21:13.066][63][info][main] [source/server/server.cc:299]   envoy.retry_host_predicates: envoy.retry_host_predicates.omit_canary_hosts, envoy.retry_host_predicates.omit_host_metadata, envoy.retry_host_predicates.previous_hosts
[2020-07-24 14:21:13.066][63][info][main] [source/server/server.cc:299]   envoy.health_checkers: envoy.health_checkers.redis
[2020-07-24 14:21:13.066][63][info][main] [source/server/server.cc:299]   envoy.transport_sockets.downstream: envoy.transport_sockets.alts, envoy.transport_sockets.quic, envoy.transport_sockets.raw_buffer, envoy.transport_sockets.tap, envoy.transport_sockets.tls, raw_buffer, tls
[2020-07-24 14:21:13.066][63][info][main] [source/server/server.cc:299]   envoy.clusters: envoy.cluster.eds, envoy.cluster.logical_dns, envoy.cluster.original_dst, envoy.cluster.static, envoy.cluster.strict_dns, envoy.clusters.aggregate, envoy.clusters.dynamic_forward_proxy, envoy.clusters.redis
[2020-07-24 14:21:13.066][63][info][main] [source/server/server.cc:299]   envoy.tracers: envoy.dynamic.ot, envoy.lightstep, envoy.tracers.datadog, envoy.tracers.dynamic_ot, envoy.tracers.lightstep, envoy.tracers.opencensus, envoy.tracers.xray, envoy.tracers.zipkin, envoy.zipkin
[2020-07-24 14:21:13.066][63][info][main] [source/server/server.cc:299]   envoy.internal_redirect_predicates: envoy.internal_redirect_predicates.allow_listed_routes, envoy.internal_redirect_predicates.previous_routes, envoy.internal_redirect_predicates.safe_cross_scheme
[2020-07-24 14:21:13.066][63][info][main] [source/server/server.cc:299]   envoy.stats_sinks: envoy.dog_statsd, envoy.metrics_service, envoy.stat_sinks.dog_statsd, envoy.stat_sinks.hystrix, envoy.stat_sinks.metrics_service, envoy.stat_sinks.statsd, envoy.statsd
[2020-07-24 14:21:13.066][63][info][main] [source/server/server.cc:299]   envoy.thrift_proxy.filters: envoy.filters.thrift.rate_limit, envoy.filters.thrift.router
[2020-07-24 14:21:13.066][63][info][main] [source/server/server.cc:299]   envoy.filters.listener: envoy.filters.listener.http_inspector, envoy.filters.listener.original_dst, envoy.filters.listener.original_src, envoy.filters.listener.proxy_protocol, envoy.filters.listener.tls_inspector, envoy.listener.http_inspector, envoy.listener.original_dst, envoy.listener.original_src, envoy.listener.proxy_protocol, envoy.listener.tls_inspector
[2020-07-24 14:21:13.066][63][info][main] [source/server/server.cc:299]   envoy.dubbo_proxy.protocols: dubbo
[2020-07-24 14:21:13.066][63][info][main] [source/server/server.cc:299]   envoy.retry_priorities: envoy.retry_priorities.previous_priorities
[2020-07-24 14:21:13.066][63][info][main] [source/server/server.cc:299]   envoy.compression.decompressor: envoy.compression.gzip.decompressor
[2020-07-24 14:21:13.066][63][info][main] [source/server/server.cc:299]   envoy.resource_monitors: envoy.resource_monitors.fixed_heap, envoy.resource_monitors.injected_resource
[2020-07-24 14:21:13.066][63][info][main] [source/server/server.cc:299]   envoy.compression.compressor: envoy.compression.gzip.compressor
[2020-07-24 14:21:13.066][63][info][main] [source/server/server.cc:299]   envoy.grpc_credentials: envoy.grpc_credentials.aws_iam, envoy.grpc_credentials.default, envoy.grpc_credentials.file_based_metadata
[2020-07-24 14:21:13.066][63][info][main] [source/server/server.cc:299]   envoy.thrift_proxy.transports: auto, framed, header, unframed
[2020-07-24 14:21:13.066][63][info][main] [source/server/server.cc:299]   envoy.filters.network: envoy.client_ssl_auth, envoy.echo, envoy.ext_authz, envoy.filters.network.client_ssl_auth, envoy.filters.network.direct_response, envoy.filters.network.dubbo_proxy, envoy.filters.network.echo, envoy.filters.network.ext_authz, envoy.filters.network.http_connection_manager, envoy.filters.network.kafka_broker, envoy.filters.network.local_ratelimit, envoy.filters.network.mongo_proxy, envoy.filters.network.mysql_proxy, envoy.filters.network.postgres_proxy, envoy.filters.network.ratelimit, envoy.filters.network.rbac, envoy.filters.network.redis_proxy, envoy.filters.network.rocketmq_proxy, envoy.filters.network.sni_cluster, envoy.filters.network.sni_dynamic_forward_proxy, envoy.filters.network.tcp_proxy, envoy.filters.network.thrift_proxy, envoy.filters.network.zookeeper_proxy, envoy.http_connection_manager, envoy.mongo_proxy, envoy.ratelimit, envoy.redis_proxy, envoy.tcp_proxy
[2020-07-24 14:21:13.073][63][info][main] [source/server/server.cc:315] HTTP header map info:
[2020-07-24 14:21:13.075][63][info][main] [source/server/server.cc:318]   request header map: 496 bytes: :authority,:method,:path,:protocol,:scheme,accept,accept-encoding,access-control-request-method,authorization,cache-control,connection,content-encoding,content-length,content-type,expect,grpc-accept-encoding,grpc-timeout,keep-alive,origin,proxy-connection,referer,te,transfer-encoding,upgrade,user-agent,via,x-client-trace-id,x-envoy-attempt-count,x-envoy-decorator-operation,x-envoy-downstream-service-cluster,x-envoy-downstream-service-node,x-envoy-expected-rq-timeout-ms,x-envoy-external-address,x-envoy-force-trace,x-envoy-hedge-on-per-try-timeout,x-envoy-internal,x-envoy-ip-tags,x-envoy-max-retries,x-envoy-original-path,x-envoy-original-url,x-envoy-retriable-header-names,x-envoy-retriable-status-codes,x-envoy-retry-grpc-on,x-envoy-retry-on,x-envoy-upstream-alt-stat-name,x-envoy-upstream-rq-per-try-timeout-ms,x-envoy-upstream-rq-timeout-alt-response,x-envoy-upstream-rq-timeout-ms,x-forwarded-client-cert,x-forwarded-for,x-forwarded-proto,x-ot-span-context,x-request-id
[2020-07-24 14:21:13.075][63][info][main] [source/server/server.cc:318]   request trailer map: 72 bytes:
[2020-07-24 14:21:13.075][63][info][main] [source/server/server.cc:318]   response header map: 352 bytes: :status,access-control-allow-credentials,access-control-allow-headers,access-control-allow-methods,access-control-allow-origin,access-control-expose-headers,access-control-max-age,cache-control,connection,content-encoding,content-length,content-type,date,etag,grpc-message,grpc-status,keep-alive,location,proxy-connection,referer,server,transfer-encoding,upgrade,vary,via,x-envoy-attempt-count,x-envoy-decorator-operation,x-envoy-degraded,x-envoy-immediate-health-check-fail,x-envoy-ratelimited,x-envoy-upstream-canary,x-envoy-upstream-healthchecked-cluster,x-envoy-upstream-service-time,x-request-id
[2020-07-24 14:21:13.075][63][info][main] [source/server/server.cc:318]   response trailer map: 96 bytes: grpc-message,grpc-status
[2020-07-24 14:21:13.077][63][warning][main] [source/server/server.cc:395] No admin address given, so no admin HTTP server started.
[2020-07-24 14:21:13.077][63][info][main] [source/server/server.cc:555] runtime: layers:
  - name: base
    static_layer:
      {}
  - name: admin
    admin_layer:
      {}
[2020-07-24 14:21:13.077][63][info][config] [source/server/configuration_impl.cc:103] loading tracing configuration
[2020-07-24 14:21:13.077][63][info][config] [source/server/configuration_impl.cc:69] loading 0 static secret(s)
[2020-07-24 14:21:13.077][63][info][config] [source/server/configuration_impl.cc:75] loading 1 cluster(s)
[2020-07-24 14:21:13.083][63][info][config] [source/server/configuration_impl.cc:79] loading 2 listener(s)
[2020-07-24 14:21:13.083][63][critical][main] [source/server/server.cc:101] error initializing configuration '/tmp/envoy.yaml': error adding listener '172.16.0.26:80': Only 1 UDP listener filter per listener supported
[2020-07-24 14:21:13.084][63][info][main] [source/server/server.cc:704] exiting
error adding listener '172.16.0.26:80': Only 1 UDP listener filter per listener supported
chadr123 pushed a commit to chadr123/envoy that referenced this issue Aug 14, 2020
There is a similar feature for no SNAT, but it only works for the TCP case.
Envoy supports a filter structure so that we can add or remove filters dynamically.
But the UDP load balancer has a limitation: it can have only one filter.

So, we cannot add more filters on the UDP load balancer.
So, a new option named use_original_src_ip is introduced on the udp_proxy filter.
If it is set to true, all packets that originate from Envoy can have an original source IP address that
is the same as the sender's IP address.

Fixes envoyproxy#12513, envoyproxy#12277

Signed-off-by: DongRyeol Cha <dr83.cha@samsung.com>
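
Added example (not part of the issue or of the referenced commit): the first listener from the report rewritten with a single udp_proxy filter and the use_original_src_ip option the commit message describes, in place of the rejected original_src + udp_proxy pair. It assumes an Envoy build that includes that option and uses the v3 UdpProxyConfig type; addresses and names are the ones from the report.

```yaml
admin:
  access_log_path: /var/log/admin_access.log
static_resources:
  listeners:
  - name: listener_172.16.0.26_80_v4
    address:
      socket_address: { address: 172.16.0.26, port_value: 80, protocol: UDP }
    reuse_port: true
    listener_filters:
    # Exactly one UDP listener filter. Stacking envoy.filters.listener.original_src
    # in front of it is what produced
    # "Only 1 UDP listener filter per listener supported" in the report.
    - name: envoy.filters.udp_listener.udp_proxy
      typed_config:
        # Assumption: v3 type URL, since the option is not in the v2alpha
        # message used in the report.
        "@type": type.googleapis.com/envoy.extensions.filters.udp.udp_proxy.v3.UdpProxyConfig
        stat_prefix: ingress_udp
        cluster: local_service_80
        # Send upstream datagrams with the downstream client's IP as source.
        # On Linux this requires Envoy to run with CAP_NET_ADMIN.
        use_original_src_ip: true
  clusters:
  - name: local_service_80
    connect_timeout: 0.25s
    type: STATIC
    dns_lookup_family: V4_ONLY
    lb_policy: MAGLEV
    load_assignment:
      cluster_name: local_service_80
      endpoints:
      - lb_endpoints:
        # With the option on, these hosts see client addresses instead of the
        # proxy address, so their replies must be routed back through the
        # Envoy host, and any allow-list keyed on the proxy IP no longer matches.
        - endpoint:
            address:
              socket_address: { address: 10.101.10.15, port_value: 80 }
        - endpoint:
            address:
              socket_address: { address: 10.101.10.16, port_value: 80 }
```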