envoyproxy / gateway

Manages Envoy Proxy as a Standalone or Kubernetes-based Application Gateway
https://gateway.envoyproxy.io
Apache License 2.0

feat: add support to enable IP Transparency for TCP via Original Source listener filter #3359

Open aoledk opened 4 months ago

aoledk commented 4 months ago

Description:

With current EG, in order to enable IP Transparency for TCP (not HTTP), Proxy Protocol is the only way, and it requires that the upstream host support Proxy Protocol too.

I propose to support another option that Envoy has already implemented to enable IP Transparency for TCP: the Original Source listener filter. It doesn't require the upstream host to support Proxy Protocol, but it does require appropriate network routing rules.

[optional Relevant Links:]

https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/ip_transparency
https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/listener_filters/original_src_filter
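For reference, this is what the proposed option maps to on a raw Envoy TCP listener. It is an added example, not code from this issue or from the Envoy Gateway project; the listener port, cluster name, upstream address, mark value and the host routing rules are assumptions (the rules follow the pattern in Envoy's original_src docs).

```yaml
# Minimal raw Envoy bootstrap: a TCP listener on :9000 that proxies to an
# upstream (assumed 10.0.0.10:5432) while preserving the client's source IP
# with the Original Source listener filter instead of Proxy Protocol.
static_resources:
  listeners:
  - name: tcp_ingress
    address:
      socket_address: { address: 0.0.0.0, port_value: 9000 }
    listener_filters:
    # Binds each upstream connection to the downstream client's address and
    # sets SO_MARK so the reply path can be routed back through Envoy.
    - name: envoy.filters.listener.original_src
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.listener.original_src.v3.OriginalSrc
        mark: 123   # assumed value; should be unique per listener
    filter_chains:
    - filters:
      - name: envoy.filters.network.tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          stat_prefix: tcp_ingress
          cluster: upstream_tcp
  clusters:
  - name: upstream_tcp
    type: STATIC
    connect_timeout: 5s
    load_assignment:
      cluster_name: upstream_tcp
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: 10.0.0.10, port_value: 5432 }

# Host-side routing rules this config depends on (assumed, following the
# pattern in Envoy's original_src docs; Envoy needs CAP_NET_ADMIN to set SO_MARK):
#   iptables -t mangle -I PREROUTING -m socket --transparent -j MARK --set-mark 123
#   ip rule add fwmark 123 lookup 100
#   ip route add local 0.0.0.0/0 dev lo table 100
# Without them, the upstream's replies to the client address bypass Envoy and
# the connection never completes; that is why this needs to stay opt-in.
```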

zufardhiyaulhaq commented 4 months ago

+1, this is enabled in Istio gateway, so we have 2 options to do IP whitelisting

  1. XFF
  2. source IP

@arkodg can we consider this?

arkodg commented 4 months ago

sure this makes sense, do we enable this by default if the listener protocol is TCP?

aoledk commented 4 months ago

> sure this makes sense, do we enable this by default if the listener protocol is TCP?

That should be an opt-in feature for TCP listeners, because Envoy requires the user to set up appropriate route rules to make the Original Source listener filter work correctly ^1.

zufardhiyaulhaq commented 4 months ago

@arkodg nvm, seems like RBAC remote_ip on Envoy doesn't require this plugin. https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/rbac/v3/rbac.proto#envoy-v3-api-msg-config-rbac-v3-principal

bjlhlin commented 3 months ago

/assign

github-actions[bot] commented 2 months ago

This issue has been automatically marked as stale because it has not had activity in the last 30 days.

davem-git commented 1 week ago

would this be to allow us to filter on source IP?