Fix: the inboundconnection limit filter should be placed in front of http co… (#14325)

* fix: the inboundconnection limit should be placed in front of http connection manager

Co-authored-by: Freddy <freddygv@users.noreply.github.com>
cskh 2022-08-24 14:13:10 -04:00 committed by GitHub
parent 8f27a077cb
commit 41aea65214
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 36 additions and 23 deletions


@ -1214,10 +1214,31 @@ func (s *ResourceGenerator) makeInboundListener(cfgSnap *proxycfg.ConfigSnapshot
filterOpts.forwardClientPolicy = envoy_http_v3.HttpConnectionManager_APPEND_FORWARD filterOpts.forwardClientPolicy = envoy_http_v3.HttpConnectionManager_APPEND_FORWARD
} }
} }
filter, err := makeListenerFilter(filterOpts)
// If an inbound connect limit is set, inject a connection limit filter on each chain.
if cfg.MaxInboundConnections > 0 {
connectionLimitFilter, err := makeConnectionLimitFilter(cfg.MaxInboundConnections)
if err != nil { if err != nil {
return nil, err return nil, err
} }
l.FilterChains = []*envoy_listener_v3.FilterChain{
{
Filters: []*envoy_listener_v3.Filter{
connectionLimitFilter,
},
},
}
}
filter, err := makeListenerFilter(filterOpts)
if err != nil {
return nil, err
}
if len(l.FilterChains) > 0 {
// The list of FilterChains has already been initialized
l.FilterChains[0].Filters = append(l.FilterChains[0].Filters, filter)
} else {
l.FilterChains = []*envoy_listener_v3.FilterChain{ l.FilterChains = []*envoy_listener_v3.FilterChain{
{ {
Filters: []*envoy_listener_v3.Filter{ Filters: []*envoy_listener_v3.Filter{
@ -1225,6 +1246,7 @@ func (s *ResourceGenerator) makeInboundListener(cfgSnap *proxycfg.ConfigSnapshot
}, },
}, },
} }
}
err = s.finalizePublicListenerFromConfig(l, cfgSnap, cfg, useHTTPFilter) err = s.finalizePublicListenerFromConfig(l, cfgSnap, cfg, useHTTPFilter)
if err != nil { if err != nil {
@ -1249,17 +1271,6 @@ func (s *ResourceGenerator) finalizePublicListenerFromConfig(l *envoy_listener_v
return nil return nil
} }
// If an inbound connect limit is set, inject a connection limit filter on each chain.
if proxyCfg.MaxInboundConnections > 0 {
filter, err := makeConnectionLimitFilter(proxyCfg.MaxInboundConnections)
if err != nil {
return nil
}
for idx := range l.FilterChains {
l.FilterChains[idx].Filters = append(l.FilterChains[idx].Filters, filter)
}
}
return nil return nil
} }
@ -1990,6 +2001,7 @@ func makeTCPProxyFilter(filterName, cluster, statPrefix string) (*envoy_listener
func makeConnectionLimitFilter(limit int) (*envoy_listener_v3.Filter, error) { func makeConnectionLimitFilter(limit int) (*envoy_listener_v3.Filter, error) {
cfg := &envoy_connection_limit_v3.ConnectionLimit{ cfg := &envoy_connection_limit_v3.ConnectionLimit{
StatPrefix: "inbound_connection_limit",
MaxConnections: wrapperspb.UInt64(uint64(limit)), MaxConnections: wrapperspb.UInt64(uint64(limit)),
} }
return makeFilter("envoy.filters.network.connection_limit", cfg) return makeFilter("envoy.filters.network.connection_limit", cfg)
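Review bot: The comment above the new `if cfg.MaxInboundConnections > 0` block in makeInboundListener still says the limit filter is injected "on each chain", but the new code installs it only as the first filter of the single chain built there, whereas the removed loop in finalizePublicListenerFromConfig appended it to every entry of `l.FilterChains`. If any later step adds further chains to this listener (not visible here; makeInboundListener starts and ends outside the hunk), those chains would carry no connection limit, so the comment should state the actual invariant, for example `// If an inbound connection limit is set, make the connection limit filter the first filter of the listener's chain so it runs ahead of the protocol filter built below.`. The only fixture change visible on this page covers a tcp_proxy chain, so a golden case whose chain ends in the HTTP connection manager would pin the ordering the commit title is about.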


@ -73,6 +73,14 @@
"statPrefix": "connect_authz" "statPrefix": "connect_authz"
} }
}, },
{
"name": "envoy.filters.network.connection_limit",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.connection_limit.v3.ConnectionLimit",
"statPrefix": "inbound_connection_limit",
"maxConnections": "222"
}
},
{ {
"name": "envoy.filters.network.tcp_proxy", "name": "envoy.filters.network.tcp_proxy",
"typedConfig": { "typedConfig": {
@ -80,13 +88,6 @@
"statPrefix": "public_listener", "statPrefix": "public_listener",
"cluster": "local_app" "cluster": "local_app"
} }
},
{
"name": "envoy.filters.network.connection_limit",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.connection_limit.v3.ConnectionLimit",
"maxConnections": "222"
}
} }
], ],
"transportSocket": { "transportSocket": {