geoip: add a new Network GeoIP filter (#42564)

## Description

Today we have an [HTTP GeoLocation
filter](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/geoip_filter)
which could use providers like MaxMind to fetch the Geo details of the
incoming traffic using the Client IP. We have mixed traffic where we
also receive a lot of Postgres, Kafka and other protocols in addition to
HTTP.

We need a holistic approach to fetch the Geo details for all the
incoming traffic and log it in access logs.

This PR adds a new Network Geolocation filter which could use the same
providers that HTTP use and save the Geo details associated with the
incoming traffic using Filter State.

Fix envoyproxy/envoy#42493

---

**Commit Message:** geoip: add a new Network GeoIP filter
**Additional Description:** Adds a new Network Geolocation filter which
could use the same providers that HTTP use and save the Geo details
associated with the incoming traffic using Filter State.
**Risk Level:** Low
**Testing:** Added Unit & Integration Tests
**Docs Changes:** Added
**Release Notes:** Added

---------

Signed-off-by: Rohit Agrawal <[email protected]>

Mirrored from https://github.com/envoyproxy/envoy @ ef2e3fbf2fe3333f082402b08552f859d36b9e0d

Author: update-envoy[bot]

BUILD

@@ -251,6 +251,7 @@ proto_library(
         "//envoy/extensions/filters/network/generic_proxy/matcher/v3:pkg",
         "//envoy/extensions/filters/network/generic_proxy/router/v3:pkg",
         "//envoy/extensions/filters/network/generic_proxy/v3:pkg",
+        "//envoy/extensions/filters/network/geoip/v3:pkg",
         "//envoy/extensions/filters/network/http_connection_manager/v3:pkg",
         "//envoy/extensions/filters/network/local_ratelimit/v3:pkg",
         "//envoy/extensions/filters/network/mongo_proxy/v3:pkg",

envoy/extensions/filters/network/geoip/v3/BUILD

@@ -0,0 +1,13 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = [
+        "//envoy/config/core/v3:pkg",
+        "@com_github_cncf_xds//udpa/annotations:pkg",
+        "@com_github_cncf_xds//xds/annotations/v3:pkg",
+    ],
+)

envoy/extensions/filters/network/geoip/v3/geoip.proto

@@ -0,0 +1,40 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.network.geoip.v3;
+
+import "envoy/config/core/v3/extension.proto";
+
+import "xds/annotations/v3/status.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.network.geoip.v3";
+option java_outer_classname = "GeoipProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/geoip/v3;geoipv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+option (xds.annotations.v3.file_status).work_in_progress = true;
+
+// [#protodoc-title: Geoip]
+// Geoip :ref:`configuration overview <config_network_filters_geoip>`.
+// [#extension: envoy.filters.network.geoip]
+
+// The network geolocation filter performs IP geolocation lookups on incoming connections
+// and stores the results in the connection's filter state under the well-known key
+// ``envoy.geoip``. The stored data is a ``GeoipInfo`` object that supports
+// serialization for access logging and field-level access.
+//
+// See :ref:`well known filter state <well_known_filter_state>` for details on accessing
+// the geolocation data.
+message Geoip {
+  // The prefix to use when emitting statistics. This is useful when there are multiple
+  // listeners configured with geoip filters, allowing stats to be grouped per listener.
+  // For example, with ``stat_prefix: "listener_1."``, stats would be emitted as
+  // ``listener_1.geoip.total``.
+  string stat_prefix = 1;
+
+  // Geoip driver specific configuration which depends on the driver being instantiated.
+  // [#extension-category: envoy.geoip_providers]
+  config.core.v3.TypedExtensionConfig provider = 2 [(validate.rules).message = {required: true}];
+}

envoy/extensions/geoip_providers/common/v3/common.proto

@@ -17,9 +17,13 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // Common configuration shared across geolocation providers.
 
 message CommonGeoipProviderConfig {
-  // The set of geolocation headers to add to the request. If any of the configured headers is present
-  // in the incoming request, it will be overridden by the :ref:`GeoIP filter <config_http_filters_geoip>`.
+  // The set of geolocation headers to add to request. If any of the configured headers is present
+  // in the incoming request, it will be overridden by the :ref:`HTTP GeoIP filter <config_http_filters_geoip>`.
   // [#next-free-field: 13]
+  //
+  // .. attention::
+  //   This field is deprecated in favor of :ref:`geo_field_keys
+  //   <envoy_v3_api_field_extensions.geoip_providers.common.v3.CommonGeoipProviderConfig.geo_field_keys>`.
   message GeolocationHeadersToAdd {
     // If set, the header will be used to populate the country ISO code associated with the IP address.
     string country = 1
@@ -80,6 +84,69 @@ message CommonGeoipProviderConfig {
         [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
   }
 
-  // Configuration for geolocation headers to add to the request.
-  GeolocationHeadersToAdd geo_headers_to_add = 1 [(validate.rules).message = {required: true}];
+  // The set of geolocation field keys to use for storing lookup results.
+  // These keys define how the geolocation lookup results will be stored. The actual storage
+  // mechanism depends on the filter using the provider:
+  //
+  // - The :ref:`HTTP GeoIP filter <config_http_filters_geoip>` stores results as HTTP request headers.
+  // - The :ref:`Network GeoIP filter <config_network_filters_geoip>` stores results in the
+  //   connection's filter state under the well-known key ``envoy.geoip``.
+  //
+  // [#next-free-field: 12]
+  message GeolocationFieldKeys {
+    // If set, the key will be used to populate the country ISO code associated with the IP address.
+    string country = 1;
+
+    // If set, the key will be used to populate the city associated with the IP address.
+    string city = 2;
+
+    // If set, the key will be used to populate the region ISO code associated with the IP address.
+    // The least specific subdivision will be selected as the region value.
+    string region = 3;
+
+    // If set, the key will be used to populate the ASN associated with the IP address.
+    string asn = 4;
+
+    // If set, the IP address will be checked if it belongs to any type of anonymization network
+    // (e.g., VPN, public proxy). The result will be stored with this key. Value will be set to
+    // either ``true`` or ``false`` depending on the check result.
+    string anon = 5;
+
+    // If set, the IP address will be checked if it belongs to a VPN and the result will be stored
+    // with this key. Value will be set to either ``true`` or ``false`` depending on the check result.
+    string anon_vpn = 6;
+
+    // If set, the IP address will be checked if it belongs to a hosting provider and the result
+    // will be stored with this key. Value will be set to either ``true`` or ``false`` depending on
+    // the check result.
+    string anon_hosting = 7;
+
+    // If set, the IP address will be checked if it belongs to a TOR exit node and the result will
+    // be stored with this key. Value will be set to either ``true`` or ``false`` depending on the
+    // check result.
+    string anon_tor = 8;
+
+    // If set, the IP address will be checked if it belongs to a public proxy and the result will
+    // be stored with this key. Value will be set to either ``true`` or ``false`` depending on the
+    // check result.
+    string anon_proxy = 9;
+
+    // If set, the key will be used to populate the ISP associated with the IP address.
+    string isp = 10;
+
+    // If set, the IP address will be checked if it belongs to the ISP named iCloud Private Relay
+    // and the result will be stored with this key. Value will be set to either ``true`` or ``false``
+    // depending on the check result.
+    string apple_private_relay = 11;
+  }
+
+  // Configuration for geolocation headers to add to HTTP requests.
+  // This field is deprecated in favor of ``geo_field_keys``. If both are set, ``geo_field_keys``
+  // takes precedence.
+  GeolocationHeadersToAdd geo_headers_to_add = 1
+      [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
+
+  // Configuration for geolocation field keys.
+  // At least one of ``geo_headers_to_add`` or ``geo_field_keys`` must be set.
+  GeolocationFieldKeys geo_field_keys = 3;
 }

versioning/BUILD

@@ -190,6 +190,7 @@ proto_library(
         "//envoy/extensions/filters/network/generic_proxy/matcher/v3:pkg",
         "//envoy/extensions/filters/network/generic_proxy/router/v3:pkg",
         "//envoy/extensions/filters/network/generic_proxy/v3:pkg",
+        "//envoy/extensions/filters/network/geoip/v3:pkg",
         "//envoy/extensions/filters/network/http_connection_manager/v3:pkg",
         "//envoy/extensions/filters/network/local_ratelimit/v3:pkg",
         "//envoy/extensions/filters/network/mongo_proxy/v3:pkg",