allow additional network filters for QUIC listeners

[pksohn]

Signed-off-by: Paul Sohn paulsohn@google.com

Commit Message: For QUIC listeners, allow network filters to be added before HTTP Connection Manager
Additional Description: Note that onData() is still never called on QUIC.
Risk Level: Low
Testing: Unit test
Docs Changes: N/A
Release Notes: N/A

[repokitteh-read-only]

As a reminder, PRs marked as draft will not be automatically assigned reviewers,
or be handled by maintainer-oncall triage.

Please mark your PR as ready when you want it to be reviewed!

🐱

Caused by: #22722 was opened by pksohn.

see: more, trace.

[danzh2010]

LGTM overall!
Can you document here

envoy/api/envoy/config/listener/v3/listener_components.proto

Line 230 in 02489bb

repeated Filter filters = 3;

that the filters in UDP connections will be created but not process payload as TCP connections do?

[danzh2010]

Plz also fix the clang-tidy CI

[repokitteh-read-only]

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to (api/envoy/|docs/root/api-docs/).
envoyproxy/api-shepherds assignee is @mattklein123
CC @envoyproxy/api-watchers: FYI only for changes made to (api/envoy/|docs/root/api-docs/).

🐱

Caused by: #22722 was synchronize by pksohn.

see: more, trace.

[mattklein123]

Thanks generally makes sense with a few comments.

/wait

[mattklein123]

What's the point of this? I assume just for things like RBAC where decisions can be made at the point of initial connection? If so can you clarify? Also, do you want to phrase it more like network filters do not currently process incoming network data? As we might fix this in the future?

Can you also add a release note about this?

[danzh2010]

Probably we shouldn't generalize it to all UDP-based connections, but be explicit about QUIC. Today QUIC doesn't pass the connection payload to network filter interface onData() because the connection itself handles multiplexing and HTTP parsing. QUIC may support non-http protocols in the future, but multiplexing always happens at L4. So QUIC L4 filters are very likely to have a different set of interfaces. So far we don't really need any L4 filter interfaces, that's why we have only allowed HCM to be installed. But we have a use case now where L4 filters can change the connection transport properties, like cwnd or socket options at the beginning of the connection. This still won't use any L4 interfaces other than the constructor. So we want to relax the constraint here.

[mattklein123]

OK makes sense. Yes let's please be much more clear about what is supported and also add an integration test. Thank you.

[pksohn]

Thanks both. I've added a release note and tried to clarify the wording (let me know if you have further suggestions). I'll add an integration test next.

[pksohn]

I've added an integration test; please take a look.

[soulxu]

it would be good to mention, the HCM required to be the last filter for udp.

[pksohn]

Done, thanks

[danzh2010]

LGTM!

[soulxu]

thanks for the update! one more small comment

[soulxu]

If there are multiple network filters this doesn't seems accurate, the HCM must be there and being the last one for QUIC, whatever there is only one filter or multiple filter

[pksohn]

Thanks, added another clarification.

[mattklein123]

Thanks, LGTM!