[docs] original src listener filter docs #5539
mattklein123 merged 7 commits into envoyproxy:master from
Conversation
Signed-off-by: Kyle Larose <kyle@agilicus.com>
Signed-off-by: Kyle Larose <kyle@agilicus.com>
- Clean up formatting (100 column lines)
- Fix some typos
- Talk about IP version
Signed-off-by: Kyle Larose <kyle@agilicus.com>
Signed-off-by: Kyle Larose <kyle@agilicus.com>
@mattklein123 Here are the docs you asked for. Hopefully the architecture section is sufficient. If it isn't, let me know and I can take another stab at it.
This is needed so that we can force the non-local IPv4 addresses to route locally. Signed-off-by: Kyle Larose <kyle@agilicus.com>
/retest
🔨 rebuilding
@mattklein123 Any chance you'd be able to take a look at this in the next few days, please? Thanks!
Yes I will take a look.
mattklein123 left a comment
Thanks this is super awesome and exactly what I had in mind. A couple of small things. @lizan @jrajahalme can you take a quick read since you have been reviewing this feature?
/wait
Signed-off-by: Kyle Larose <kyle@agilicus.com>
Review requested that some references be added. This change does so. Signed-off-by: Kyle Larose <kyle@agilicus.com>
mattklein123 left a comment
Thanks! Will wait a bit to merge to see if anyone has any further comments.
the downstream remote address for propagation into an
:ref:`x-forwarded-for <config_http_conn_man_headers_x-forwarded-for>` header. It can also be used in
conjunction with the
:ref:`Original Src Listener Filter <arch_overview_ip_transparency_original_src_listener>`.
nit: can we expand it to full name i.e Original Source Listener Filter?
Signed-off-by: Kyle Larose <kyle@agilicus.com>
Signed-off-by: Fred Douglas <fredlas@google.com>
this to *X* causes Envoy to *mark* all upstream packets originating from this listener with value
*X*.

We can use the following set of commands to ensure that all ipv4 and ipv6 traffic marked with *X*
Thank you for putting together these docs @klarose, they're very helpful.
Do you happen to know how the PREROUTING rule below works for local packets?
All the iptables diagrams seem to show no path from local process to PREROUTING so I'm having a hard time understanding how this rule applies to local traffic with the sidecar.
It has been a while since I last did this, so I'm a little rusty. As some background, this configuration was inspired by mmproxy. They don't explain why exactly. :)
I think that it has to do with the fact that there is a separate routing table involved. Perhaps the system considers transit between different routing tables as transit between different networks?
It could also be that the kernel, seeing that the source IP isn't a local one, treats it as having come from an external network.
I'm sorry I don't have a better answer.
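The mark-based policy-routing setup that the quoted documentation introduces with "the following set of commands" (the commands themselves are not reproduced on this page), written out here as an added shell example. It is not the PR's documentation or Envoy project code; it follows the mmproxy-style approach the reply above points to, and the mark value 123, the routing table number 100, the `APPLY` switch and the helper names are assumptions. The comments describe what each rule matches; they do not settle the PREROUTING question raised in the thread.

```shell
#!/bin/sh
# Added illustration, not the PR's documentation. Sets up mark-based policy
# routing so that replies to Envoy's upstream connections, whose source
# address is the (non-local) downstream client address, are delivered
# locally instead of being forwarded. MARK (123) and TABLE (100) are
# assumed values: MARK must equal the mark configured on the listener,
# TABLE must be an unused routing table number.

# Print the commands for one address family, or run them when APPLY=1.
# $1 iptables binary, $2 ip command, $3 mark, $4 table, $5 "any address" prefix
ip_transparency_rules() {
    ipt=$1; ipcmd=$2; mark=$3; table=$4; any=$5
    run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }
    # Marked packets entering the host: remember the mark on the conntrack entry.
    run $ipt -t mangle -I PREROUTING -m mark --mark "$mark" -j CONNMARK --save-mark
    # Locally generated packets of a remembered connection get the mark back,
    # so the upstream side's reply carries the mark as well.
    run $ipt -t mangle -I OUTPUT -m connmark --mark "$mark" -j CONNMARK --restore-mark
    # Marked packets consult the dedicated routing table ...
    run $ipcmd rule add fwmark "$mark" lookup "$table"
    # ... which declares every destination local, forcing delivery on lo
    # (the "force the non-local addresses to route locally" step).
    run $ipcmd route add local "$any" dev lo table "$table"
}

# Both address families, as the quoted text asks for.
ip_transparency_all() {
    ip_transparency_rules iptables "ip" "$1" "$2" 0.0.0.0/0
    ip_transparency_rules ip6tables "ip -6" "$1" "$2" ::/0
}

# Dry run by default: prints the eight commands. Run as root with APPLY=1
# (for example: APPLY=1 MARK=123 TABLE=100 sh iptransparency.sh) to install them.
ip_transparency_all "${MARK:-123}" "${TABLE:-100}"
```

Without `APPLY=1` the script only prints the commands, so it can be reviewed on a workstation before being run with root privileges on the host carrying the sidecar.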
Description:
This adds documentation for the original src listener filter, as well as some overarching documentation for how to achieve IP transparency with Envoy.
Risk Level: Low. Just docs
Testing: Built and viewed the new docs
Docs Changes: