UDP proxy (proto)
This extension has the qualified name envoy.filters.udp_listener.udp_proxy
Note
This extension is intended to be robust against untrusted downstream traffic. It assumes that the upstream is trusted.
Tip
This extension extends and can be used with the following extension category:
This extension must be configured with one of the following type URLs:
UDP proxy configuration overview.
extensions.filters.udp.udp_proxy.v3.UdpProxyConfig
[extensions.filters.udp.udp_proxy.v3.UdpProxyConfig proto]
Configuration for the UDP proxy filter.
{
"stat_prefix": ...,
"cluster": ...,
"matcher": {...},
"idle_timeout": {...},
"use_original_src_ip": ...,
"hash_policies": [],
"upstream_socket_config": {...},
"use_per_packet_load_balancing": ...,
"access_log": [],
"proxy_access_log": [],
"session_filters": [],
"tunneling_config": {...},
"access_log_options": {...}
}
- stat_prefix
(string, REQUIRED) The stat prefix used when emitting UDP proxy filter stats.
- matcher
(.xds.type.matcher.v3.Matcher) The match tree to use when resolving route actions for incoming requests. See Routing for more information.
Warning
This API feature is currently work-in-progress. API features marked as work-in-progress are not considered stable, are not covered by the threat model, are not supported by the security team, and are subject to breaking changes. Do not use this feature without understanding each of the previous points.
- idle_timeout
(Duration) The idle timeout for sessions. Idle is defined as no datagrams between received or sent by the session. The default if not specified is 1 minute.
- use_original_src_ip
(bool) Use the remote downstream IP address as the sender IP address when sending packets to upstream hosts. This option requires Envoy to be run with the
CAP_NET_ADMINcapability on Linux. And the IPv6 stack must be enabled on Linux kernel. This option does not preserve the remote downstream port. If this option is enabled, the IP address of sent datagrams will be changed to the remote downstream IP address. This means that Envoy will not receive packets that are sent by upstream hosts because the upstream hosts will send the packets with the remote downstream IP address as the destination. All packets will be routed to the remote downstream directly if there are route rules on the upstream host side. There are two options to return the packets back to the remote downstream. The first one is to use DSR (Direct Server Return). The other one is to configure routing rules on the upstream hosts to forward all packets back to Envoy and configure iptables rules on the host running Envoy to forward all packets from upstream hosts to the Envoy process so that Envoy can forward the packets to the downstream. If the platform does not support this option, Envoy will raise a configuration error.
- hash_policies
(repeated extensions.filters.udp.udp_proxy.v3.UdpProxyConfig.HashPolicy) Optional configuration for UDP proxy hash policies. If hash_policies is not set, the hash-based load balancing algorithms will select a host randomly. Currently the number of hash policies is limited to 1.
- upstream_socket_config
(config.core.v3.UdpSocketConfig) UDP socket configuration for upstream sockets. The default for prefer_gro is true for upstream sockets as the assumption is datagrams will be received from a single source.
- use_per_packet_load_balancing
(bool) Perform per packet load balancing (upstream host selection) on each received data chunk. The default if not specified is false, that means each data chunk is forwarded to upstream host selected on first chunk receival for that “session” (identified by source IP/port and local IP/port). Only one of use_per_packet_load_balancing or session_filters can be used.
- access_log
(repeated config.accesslog.v3.AccessLog) Configuration for session access logs emitted by the UDP proxy. Note that certain UDP specific data is emitted as Dynamic Metadata.
- proxy_access_log
(repeated config.accesslog.v3.AccessLog) Configuration for proxy access logs emitted by the UDP proxy. Note that certain UDP specific data is emitted as Dynamic Metadata.
- session_filters
(repeated extensions.filters.udp.udp_proxy.v3.UdpProxyConfig.SessionFilter) Optional session filters that will run for each UDP session. Only one of use_per_packet_load_balancing or session_filters can be used.
Tip
This extension category has the following known extensions:
- tunneling_config
(extensions.filters.udp.udp_proxy.v3.UdpProxyConfig.UdpTunnelingConfig) If set, this configures UDP tunneling. See Proxying UDP in HTTP. More information can be found in the UDP Proxy and HTTP upgrade documentation.
- access_log_options
(extensions.filters.udp.udp_proxy.v3.UdpProxyConfig.UdpAccessLogOptions) Additional access log options for UDP Proxy.
extensions.filters.udp.udp_proxy.v3.UdpProxyConfig.HashPolicy
[extensions.filters.udp.udp_proxy.v3.UdpProxyConfig.HashPolicy proto]
Specifies the UDP hash policy. The packets can be routed by hash policy.
{
"source_ip": ...,
"key": ...
}
- source_ip
(bool) The source IP will be used to compute the hash used by hash-based load balancing algorithms.
- key
(string) A given key will be used to compute the hash used by hash-based load balancing algorithms. In certain cases there is a need to direct different UDP streams jointly towards the selected set of endpoints. A possible use-case is VoIP telephony, where media (RTP) and its corresponding control (RTCP) belong to the same logical session, although they travel in separate streams. To ensure that these pair of streams are load-balanced on session level (instead of individual stream level), dynamically created listeners can use the same hash key for each stream in the session.
extensions.filters.udp.udp_proxy.v3.UdpProxyConfig.SessionFilter
[extensions.filters.udp.udp_proxy.v3.UdpProxyConfig.SessionFilter proto]
Configuration for UDP session filters.
{
"name": ...,
"typed_config": {...}
}
- name
(string, REQUIRED) The name of the filter configuration.
- typed_config
(Any) Filter specific configuration which depends on the filter being instantiated. See the supported filters for further documentation.
extensions.filters.udp.udp_proxy.v3.UdpProxyConfig.UdpTunnelingConfig
[extensions.filters.udp.udp_proxy.v3.UdpProxyConfig.UdpTunnelingConfig proto]
Configuration for tunneling UDP over other transports or application layers. Tunneling is currently supported over HTTP/2.
{
"proxy_host": ...,
"proxy_port": {...},
"target_host": ...,
"default_target_port": ...,
"use_post": ...,
"post_path": ...,
"retry_options": {...},
"headers_to_add": [],
"buffer_options": {...},
"propagate_response_headers": ...,
"propagate_response_trailers": ...
}
- proxy_host
(string, REQUIRED) The hostname to send in the synthesized CONNECT headers to the upstream proxy. This field evaluates command operators if set, otherwise returns hostname as is.
Example: dynamically set hostname using filter state
tunneling_config: proxy_host: "%FILTER_STATE(proxy.host.key:PLAIN)%"
- proxy_port
(UInt32Value) Optional port value to add to the HTTP request URI. This value can be overridden per-session by setting the required port value for the filter state key
udp.connect.proxy_port.
- target_host
(string, REQUIRED) The target host to send in the synthesized CONNECT headers to the upstream proxy. This field evaluates command operators if set, otherwise returns hostname as is.
Example: dynamically set target host using filter state
tunneling_config: target_host: "%FILTER_STATE(target.host.key:PLAIN)%"
- default_target_port
(uint32) The default target port to send in the CONNECT headers to the upstream proxy. This value can be overridden per-session by setting the required port value for the filter state key
udp.connect.target_port.
- use_post
(bool) Use POST method instead of CONNECT method to tunnel the UDP stream.
Note
If use_post is set, the upstream stream does not comply with the connect-udp RFC, and instead it will be a POST request. the path used in the headers will be set from the post_path field, and the headers will not contain the target host and target port, as required by the connect-udp protocol. This flag should be used carefully.
- post_path
(string) The path used with POST method. Default path is
/. If post path is specified and use_post field isn’t true, it will be rejected.
- retry_options
(extensions.filters.udp.udp_proxy.v3.UdpProxyConfig.UdpTunnelingConfig.RetryOptions) Optional retry options, in case connecting to the upstream failed.
- headers_to_add
(repeated config.core.v3.HeaderValueOption) Additional request headers to upstream proxy. Neither
:-prefixedpseudo-headers nor the Host: header can be overridden. Values of the added headers evaluates command operators if they are set in the value template.Example: dynamically set a header with the local port
headers_to_add: - header: key: original_dst_port value: "%DOWNSTREAM_LOCAL_PORT%"
- buffer_options
(extensions.filters.udp.udp_proxy.v3.UdpProxyConfig.UdpTunnelingConfig.BufferOptions) If configured, the filter will buffer datagrams in case that it is waiting for the upstream to be ready, whether if it is during the connection process or due to upstream buffer watermarks. If this field is not configured, there will be no buffering and downstream datagrams that arrive while the upstream is not ready will be dropped. In case this field is set but the options are not configured, the default values will be applied as described in the
BufferOptions.
- propagate_response_headers
(bool) Save the response headers to the downstream info filter state for consumption by the session filters. The filter state key is
envoy.udp_proxy.propagate_response_headers.
- propagate_response_trailers
(bool) Save the response trailers to the downstream info filter state for consumption by the session filters. The filter state key is
envoy.udp_proxy.propagate_response_trailers.
extensions.filters.udp.udp_proxy.v3.UdpProxyConfig.UdpTunnelingConfig.BufferOptions
[extensions.filters.udp.udp_proxy.v3.UdpProxyConfig.UdpTunnelingConfig.BufferOptions proto]
Configuration for UDP datagrams buffering.
{
"max_buffered_datagrams": {...},
"max_buffered_bytes": {...}
}
- max_buffered_datagrams
(UInt32Value) If set, the filter will only buffer datagrams up to the requested limit, and will drop new UDP datagrams if the buffer contains the max_buffered_datagrams value at the time of a new datagram arrival. If not set, the default value is 1024 datagrams.
- max_buffered_bytes
(UInt64Value) If set, the filter will only buffer datagrams up to the requested total buffered bytes limit, and will drop new UDP datagrams if the buffer contains the max_buffered_datagrams value at the time of a new datagram arrival. If not set, the default value is 16,384 (16KB).
extensions.filters.udp.udp_proxy.v3.UdpProxyConfig.UdpTunnelingConfig.RetryOptions
[extensions.filters.udp.udp_proxy.v3.UdpProxyConfig.UdpTunnelingConfig.RetryOptions proto]
{
"max_connect_attempts": {...}
}
- max_connect_attempts
(UInt32Value) The maximum number of unsuccessful connection attempts that will be made before giving up. If the parameter is not specified, 1 connection attempt will be made.
extensions.filters.udp.udp_proxy.v3.UdpProxyConfig.UdpAccessLogOptions
[extensions.filters.udp.udp_proxy.v3.UdpProxyConfig.UdpAccessLogOptions proto]
{
"access_log_flush_interval": {...},
"flush_access_log_on_tunnel_connected": ...
}
- access_log_flush_interval
(Duration) The interval to flush access log. The UDP proxy will flush only one access log when the session is ended by default. If this field is set, the UDP proxy will flush access log periodically with the specified interval. This field does not require on-tunnel-connected access logging enabled, and the other way around. The interval must be at least 1ms.
- flush_access_log_on_tunnel_connected
(bool) If set to true and UDP tunneling is configured, access log will be flushed when the UDP proxy has successfully established a connection tunnel with the upstream. If the connection failed, the access log will not be flushed.