IP Tagging

The HTTP IP Tagging filter sets the header x-envoy-ip-tags with the string tags for the trusted address from x-forwarded-for. If there are no tags for an address, the header is not set.

The implementation for IP Tagging provides a scalable way to compare an IP address to a large list of CIDR ranges efficiently. The underlying algorithm for storing tags and IP address subnets is a Level-Compressed trie described in the paper IP-address lookup using LC-tries by S. Nilsson and G. Karlsson.

Configuration

  • v2 API reference

  • This filter should be configured with the name envoy.ip_tagging.

Statistics

The IP Tagging filter outputs statistics in the http.<stat_prefix>.ip_tagging. namespace. The stat prefix comes from the owning HTTP connection manager.

Name

Type

Description

<tag_name>.hit

Counter

Total number of requests that have the <tag_name> applied to it

no_hit

Counter

Total number of requests with no applicable IP tags

total

Counter

Total number of requests the IP Tagging Filter operated on

Runtime

The IP Tagging filter supports the following runtime settings:

ip_tagging.http_filter_enabled

The % of requests for which the filter is enabled. Default is 100.