1.37.0 (Pending)

Incompatible behavior changes

Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required

  • dynamic modules: The dynamic module ABI has been updated to support streaming body manipulation. This change also fixed potentially incorrect behavior when accessing or modifying the request or response body. See https://github.com/envoyproxy/envoy/issues/40918 for more details.

  • http: Added runtime flag envoy.reloadable_features.reject_early_connect_data to reject CONNECT requests that receive data before Envoy has sent a 200 response to the client. While sending data early is not strictly compliant behavior, it is very common as a latency-reducing measure, so the option is disabled by default.

  • http: Changed the default reset code from NO_ERROR to INTERNAL_ERROR. This behavioral change can be reverted by setting the runtime guard envoy.reloadable_features.reset_with_error to false.

  • server: Added container-aware CPU detection on Linux that respects cgroup CPU limits in addition to hardware thread count and CPU affinity. This change only affects behavior when the --concurrency flag is not explicitly set. Envoy now uses the minimum of hardware threads, CPU affinity, and cgroup CPU limits to determine the number of worker threads by default. This provides better resource utilization in containerized environments (Docker, Kubernetes) where CPU limits are set via cgroups. The new behavior is enabled by default and can be disabled by setting the ENVOY_CGROUP_CPU_DETECTION environment variable to false. When disabled, Envoy falls back to the previous behavior of using only hardware thread count and CPU affinity for the worker thread calculation. The cgroup limit is rounded down (floor) to account for non-worker threads and prevent container throttling, which may reduce the total number of connections.
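    The worker-count rule above, as an added illustration written for these notes (not Envoy's own code): it parses the cgroup v2 cpu.max and cgroup v1 cpu.cfs_quota_us/cpu.cfs_period_us file formats from constructed strings, takes the minimum of hardware threads, affinity and the floored cgroup limit, and honours ENVOY_CGROUP_CPU_DETECTION. Clamping the result to at least one worker when the floored quota is zero is an assumption of this example, not something the notes state.

```python
import math
import os
from typing import Optional


def parse_cgroup_v2_cpu_max(contents: str) -> Optional[float]:
    """Parse a cgroup v2 cpu.max file ("<quota> <period>" or "max <period>").

    Returns the CPU limit as a float, or None when the cgroup is unlimited.
    """
    parts = contents.split()
    if len(parts) != 2 or parts[0] == "max":
        return None
    quota, period = int(parts[0]), int(parts[1])
    if quota <= 0 or period <= 0:
        return None
    return quota / period


def parse_cgroup_v1_cfs(quota_contents: str, period_contents: str) -> Optional[float]:
    """Parse cgroup v1 cpu.cfs_quota_us and cpu.cfs_period_us; -1 quota means unlimited."""
    quota = int(quota_contents.strip())
    period = int(period_contents.strip())
    if quota <= 0 or period <= 0:
        return None
    return quota / period


def detection_enabled(env: Optional[dict] = None) -> bool:
    """The feature is on unless ENVOY_CGROUP_CPU_DETECTION is set to false."""
    env = os.environ if env is None else env
    return env.get("ENVOY_CGROUP_CPU_DETECTION", "true").strip().lower() != "false"


def default_concurrency(hw_threads: int, affinity_cpus: int,
                        cgroup_limit: Optional[float], enabled: bool = True) -> int:
    """Worker thread count used when --concurrency is not set.

    Hardware threads and affinity are integers already; the cgroup limit is
    floored (conservative rounding) before being considered.
    """
    candidates = [hw_threads, affinity_cpus]
    if enabled and cgroup_limit is not None:
        # Assumption: never go below one worker when the quota is < 1 CPU.
        candidates.append(max(1, math.floor(cgroup_limit)))
    return max(1, min(candidates))


if __name__ == "__main__":
    # Constructed sample: a 16-thread host, affinity to all 16, a 2.5-CPU pod limit.
    limit = parse_cgroup_v2_cpu_max("250000 100000")
    print(default_concurrency(16, 16, limit))  # 2 (floor of 2.5)
```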

Minor behavior changes

Changes that may cause incompatibilities for some users, but should not for most

  • access_log: Fixed a bug where the truncation-length specifier for DYNAMIC_METADATA():Z was rejected in access log format strings. The length parameter is now accepted and truncates strings and other value types to the specified length. Structured data types are not truncated.

  • ext_authz: Check that the response header count and size are below the configured limits after applying mutations, and send a local reply if they are not.

  • ext_authz: Fixed HTTP ext_authz client to correctly respect user-configured retry_on configuration in the retry_policy. Previously, the configured retry_on value was being overridden with hardcoded defaults 5xx,gateway-error,connect-failure,reset, causing user-specified retry conditions to be ignored. This behavior is controlled by the runtime flag envoy.reloadable_features.ext_authz_http_client_retries_respect_user_retry_on which defaults to true. To preserve the old behavior, set this flag to false.

  • ext_authz: Fixed HTTP ext_authz service to properly propagate headers (such as set-cookie) back to clients. The filter now correctly uses allowed_client_headers for denied responses and allowed_client_headers_on_success for successful authorization responses.

  • ext_proc: Closing the gRPC stream if Envoy detects no more external processing needed. This doesn’t apply to BUFFERED and BUFFERED_PARTIAL mode and a few corner cases for now. For those cases, the stream will be closed during the filter destruction. This behavior can be reverted by setting the runtime guard envoy.reloadable_features.ext_proc_stream_close_optimization to false.

  • ext_proc: Use one of a hard-coded set of error messages when a HeaderMutation fails. Removing request-specific details allows grouping by similar failure types. Detailed messages remain available in debug logs.

  • mobile: Use mobile specific network observer registries to propagate network change signals. This behavior can be reverted by setting the runtime guard envoy.reloadable_features.mobile_use_network_observer_registry.

  • overload_manager: Fixed downstream connections monitor to correctly trigger configured actions, and create a pressure metric like other resource monitors. Previously, this extension would never trigger an action.

  • quic: Switch to use QUICHE provided migration logic to handle port migration upon path degrading and migration to Server Preferred Address. This behavior can be reverted by setting envoy.reloadable_features.use_migration_in_quiche.

  • router: Added host_rewrite to RouteAction to support substitution formatting for host header rewriting. Added path_rewrite to RouteAction to support substitution formatting for path header rewriting.

  • tracing: The request header custom tag now only supports fetching header values from the HTTP request headers. Non-HTTP protocols can only set custom tags using the substitution formatter based custom tag value. This behavior change can be reverted by setting the runtime guard envoy.reloadable_features.get_header_tag_from_header_map to false.

  • wasm: Foreign functions are now executed on the effective context, if one is defined. The effective context is set by Wasm SDKs, but was previously not used when a foreign function was called. This fixes an issue where a foreign function called from an HTTP or gRPC callback needs a stream context rather than the root context. This behavior can be reverted by setting the runtime guard envoy.reloadable_features.wasm_use_effective_ctx_for_foreign_functions to false.

Bug fixes

Changes expected to improve the state of the world and are unlikely to have negative effects

  • adaptive concurrency: Fixed a race condition in the gradient controller which would allow more outstanding requests than the concurrency limit, bounded by the number of worker threads.

  • aws: Changed the web identity token file watching behavior in the AWS signing common components. This ensures that if the token file is rotated, the new token is picked up.

  • bootstrap: Fixed an issue where the custom header_prefix would result in a crash at startup.

  • composite: Fixed per-route configuration for composite filter to support matching on response headers and trailers. Previously, per-route matchers would silently fail when attempting to match on HttpResponseHeaderMatchInput or HttpResponseTrailerMatchInput, causing the delegated filter to be skipped without error.

  • connection: Fixed connection handling to properly propagate transport failure reasons to StreamInfo before raising close events. This ensures the connection.transport_failure_reason CEL attribute and DOWNSTREAM_TRANSPORT_FAILURE_REASON access log formatter are populated correctly for all connection types and available to all network filters.

  • connection pool: Fixed a crash in the TCP connection pool that occurs during downstream connection teardown when large requests or responses trigger flow control.

  • dns_resolver: Removes unnecessary getifaddrs() system calls when filter_unroutable_families is disabled.

  • ext_proc: Fixed a bug where attributes based on request headers (e.g. request.host) were not sent to the ext_proc server if ext_proc was configured to only run on the encode path.

  • http: Fixed shouldDrainConnectionUponCompletion() to properly send GOAWAY frames for HTTP/2 and HTTP/3 instead of aggressively closing connections. This prevents response body transmission interruption and ERR_DRAINING errors on the client side. HTTP/1.1 behavior remains unchanged.

  • http: Fixed a remote jwt_auth token fetch crash with two or more auth headers when allow_missing_or_failed is set.

  • http2: Fixed a bug where Envoy would leak memory if an HTTP/2 stream was reset before request headers were sent. For example, if an upstream HTTP filter sent a local reply after the connection was established but before request headers were sent, the memory allocated for the stream was not released.

  • http2: Optimized HTTP/2 header processing by avoiding memory allocations and string copies for well-known header names. For common HTTP/2 headers (such as :method, :path, :status, content-type, user-agent, etc.), Envoy now references static strings instead of copying header names. This reduces memory allocations and improves performance for typical HTTP/2 traffic.

  • http_11_proxy: Fixed a bug in the http_11_proxy transport socket where bytes written to a connection after the initial HTTP CONNECT request was sent, but before the response was received, could be buffered until the connection timed out.

  • lua: Fixed a bug where Lua filters could cause Envoy to crash when setting the response body to a payload larger than the body buffer limit.

  • router: Fixed a regression where router-set headers (e.g., x-envoy-expected-rq-timeout-ms, x-envoy-attempt-count) were not accessible in request_headers_to_add configuration on the initial request. Headers configured via request_headers_to_add can now reference router-set headers using formatters like %REQ(x-envoy-expected-rq-timeout-ms)%.

  • router: Fixed an upstream HTTP filter issue if route retries on 5xx and the filter returns FilterHeadersStatus::StopIteration in its encodeHeaders() method.

  • tap: Added the missing conversion support to ensure tapped messages are correctly handled for multi-event submissions.

  • tcp_proxy: Fixed a connection leak in the TCP proxy when the receive_before_connect feature is enabled and the downstream connection closes before the upstream connection is established.

  • tls: Fixed an issue where SANs of type OTHERNAME in a TLS cert were truncated if there was an embedded null octet, leading to incorrect SAN validation.

  • udp_proxy: Fixed a few areas where the addresses might be moved from the data packet being processed.

Removed config or runtime

Normally occurs at the end of the deprecation period

  • http: Removed runtime guard envoy.reloadable_features.http1_balsa_allow_cr_or_lf_at_request_start and legacy code paths.

  • http: Removed runtime guard envoy.reloadable_features.original_src_fix_port_exhaustion and legacy code paths.

  • jwt_authn: Removed runtime guard envoy.reloadable_features.jwt_fetcher_use_scheme_from_uri and legacy code paths.

  • quic: Removed runtime guard envoy.reloadable_features.http3_remove_empty_cookie and legacy code paths.

  • tcp: Removed runtime guard envoy.reloadable_features.tcp_proxy_retry_on_different_event_loop and legacy code paths.

  • xds: Removed runtime guard envoy.reloadable_features.report_load_with_rq_issued and legacy code paths.

New features

  • access_log: Added a new access logger which emits configurable metrics.

  • access_log: Support process-level rate limiting on access log emission by ProcessRateLimitFilter.

  • admin: Added /memory/tcmalloc admin endpoint that provides TCMalloc memory statistics.

  • attributes: Added attributes for looking up request or response header bytes.

  • aws: Added new feature match_included_headers to the request signing extension, that allows for a positive header match and excludes all other non-SigV4-required headers.

  • c-ares: Add an optional reinit_channel_on_timeout to the c-ares resolver to reinitialize the channel after DNS timeouts.

  • cel: Added per-expression configuration options for CEL evaluator to control string conversion, concatenation, and string extension functions. CEL expressions in RBAC policies and access logger filters can now enable string functions such as replace() and split() through the new cel_config and cel_config fields in their respective configurations. See CelExpressionConfig for details.

  • dns_filter: Added access_log for DNS filter.

  • dynamic modules: Added support for loading dynamic modules globally by setting load_globally to true.

  • dynamic modules: Added support for streamable HTTP callouts in dynamic modules. Modules can now create streaming HTTP connections to upstream clusters using start_http_stream, send request data and trailers incrementally, and receive streaming response headers, data, and trailers through dedicated callbacks.

  • dynamic modules: Enhanced dynamic module ABIs to support headers addition and body size retrieval. See the latest ABI header file for more details.

  • ext_authz: Added a new configuration field enforce_response_header_limits to the HTTP ext_authz filter that allows admins to enable or disable dropping response headers once the header map count or size constraints have been reached.

  • ext_authz: Added support for metadata_context_namespaces and typed_metadata_context_namespaces in the ext-authz network filter. This allows passing connection metadata (such as proxy protocol TLV data) to the external authorization server for making authorization decisions.

  • ext_proc: Add support for forwarding cluster metadata to ext_proc server.

  • ext_proc: The MappedAttributeBuilder ext_proc extension now supports re-mapping response attributes (in addition to request attributes).

  • formatter: Added a new US_RX_BODY_BEG time point to %COMMON_DURATION% to indicate the point at which the upstream response body begins to be received.

  • formatter: Added support for the following new access log formatters:

    1. %REQUEST_HEADER(X?Y):Z% as full name version of %REQ(X?Y):Z%.

    2. %RESPONSE_HEADER(X?Y):Z% as full name version of %RESP(X?Y):Z%.

    3. %RESPONSE_TRAILER(X?Y):Z% as full name version of %TRAILER(X?Y):Z%.

    This provides a more consistent naming scheme for users to understand and use.

  • generic_proxy: Added custom substitution format specifiers support in the tracing custom tags of the generic_proxy filter. Now the %REQUEST_PROPERTY%, %RESPONSE_PROPERTY% etc. can be used in the value field for generic proxy.

  • http: Added vhost_header to RouteConfiguration, allowing use of a different header for vhost matching.

  • http filter: Added the transform HTTP filter, which adds the ability to modify request and response bodies at any position in the HTTP filter chain. This also makes it possible to refresh routes based on attributes in the request body.

  • http2: Added a new parameter to sendGoAwayAndClose to support graceful closing of HTTP/2 connections.

  • listener: Marked the filter_chain_matcher field as stable by removing the work-in-progress annotation. The xDS matcher API for filter chain selection has been thoroughly tested and should be ready for production use now.

  • listener_filters: Added Postgres Inspector listener filter for detecting PostgreSQL connections, extracting metadata and supporting SNI-based routing for PostgreSQL traffic.

  • logging: Added support for the not-equal operator in access log filter rules, in ComparisonFilter.

  • lua: Added drainConnectionUponCompletion() to the Lua filter stream info API. This allows Lua scripts to mark connections for draining, which adds a Connection: close header for HTTP/1.1 or sends a GOAWAY frame for HTTP/2 and HTTP/3.

  • lua: Added new executions counter to the Lua filter to track script execution count.

  • matcher: Removed work-in-progress annotations from the RBAC filter matcher and shadow_matcher fields in both HTTP and network filters to mark this feature stable.

  • metrics_service: Added batch_size configuration to the Metrics Service to allow batching metrics into multiple gRPC messages. When set to a positive value, metrics will be batched with at most batch_size metric families per message. This helps avoid hitting gRPC message size limits (typically 4MB) when sending large numbers of metrics. If not set or set to 0, all metrics will be sent in a single message, preserving the current behavior.

  • network: Add logging info for network ext_proc to filter state.

  • network: Added a change to start populating the filter state envoy.network.network_namespace when a connection is accepted on a listener with network_namespace_filepath configured. This provides read-only access to the network namespace for filters, access logs, and other components.

  • on_demand: Added runtime guard envoy.reloadable_features.on_demand_track_end_stream. When enabled, the on_demand filter tracks downstream end_stream state to support stream recreation with fully read request bodies. Previously, the filter rejected all requests with bodies by checking for the presence of a decoding buffer, even when the body was complete.

  • otlp_stat_sink: Added support for dropping stats via DropAction during custom metric conversion.

  • otlp_stat_sink: Fix start_time_unix_nano for the metrics exported.

  • overload management: The fixed heap resource monitor can now calculate memory pressure as currently allocated memory divided by maximum heap size, giving more accurate and lower memory pressure values. This can avoid unnecessary load shedding or overload actions. To enable, set envoy.reloadable_features.fixed_heap_use_allocated to true. The default algorithm (heap_size - pageheap_unmapped - pageheap_free) does not discount for free memory in TCMalloc caches.

  • quic: Added QUIC protocol option max_sessions_per_event_loop to limit the maximum number of new QUIC sessions created per event loop. The default is 16, preserving the previous hardcoded limit.

  • redis: Added cluster-scoped command support with a flexible response handling framework.

  • redis: Added support for redis_proxy filter to use separate credentials for each upstream Redis cluster.

  • router: Added hash_policy to HttpProtocolOptions to support cluster-level hash policies.

  • router: Added request_mirror_policies to HttpProtocolOptions to support cluster-level request mirroring. Cluster-level policies override route-level policies when both are configured.

  • router: Added retry_policy to HttpProtocolOptions to support cluster-level retry policies.

  • router: Added support for substitution formatting in direct response bodies via the new body_format field in DirectResponseAction.

  • tcp_proxy: Added upstream_connect_mode and max_early_data_bytes to control when upstream connections are established and early data buffering behavior. This enables use cases like extracting TLS certificate information or SNI before establishing upstream connections.

  • tls_inspector: Add configuration parameter to TLS inspector for maximum acceptable client hello size.

  • tls_inspector: Propagate the transport error from the tls_inspector to the DownstreamTransportFailureReason in StreamInfo for access logging prior to the TLS handshake.

  • tracing: Added a new value field for custom tags; substitution format specifiers can be used in it to extract values from various parts of the request/response.

  • udp_sink: Enhanced the UDP sink to support tapped messages larger than 64 KB.

  • upstream: Added transport_socket_matcher to clusters. This matcher uses the generic xDS matcher framework to select a named transport socket from transport_socket_matches based on endpoint metadata, locality metadata, and transport socket filter state.

  • upstream: Added an extension to override the upstream bind address Linux network namespace using a shared filter state object.

  • wasm: Added sign foreign function to create cryptographic signatures. See Wasm foreign functions for more details.

  • xds: Added runtime guard envoy.reloadable_features.report_load_when_rq_active_is_non_zero. When enabled, LRS continues to send the locality_stats report to the config server when there is no request_issued in the poll cycle.