dynamic_modules: add dynamic modules support for Network filters (#42605)

## Description

This PR adds support for a new Network filter for Dynamic Modules. With
this it should be possible to write new Network Filters similar to HTTP
Filters in Go, RUST, etc.

--- 

**Commit Message:** dynamic_modules: add dynamic modules support for
Network filters
**Additional Description:** Adds support for a new Network filter for
Dynamic Modules.
**Risk Level:** Low
**Testing:** Added Unit + Integration Tests
**Docs Changes:** Added
**Release Notes:** Added

---------

Signed-off-by: Rohit Agrawal <[email protected]>

Author: agrawroh

CODEOWNERS

@@ -399,6 +399,7 @@ extensions/upstreams/tcp @ggreenway @mattklein123
 # Dynamic Modules
 /*/extensions/dynamic_modules @mattklein123 @mathetake @marc-barry
 /*/extensions/filters/http/dynamic_modules @mattklein123 @mathetake @marc-barry
+/*/extensions/filters/network/dynamic_modules @agrawroh @mathetake @wbpcode
 # Linux network namespace override
 /*/extensions/local_address_selectors/filter_state_override @tonya11en @kyessenov
 

api/BUILD

@@ -242,6 +242,7 @@ proto_library(
         "//envoy/extensions/filters/network/direct_response/v3:pkg",
         "//envoy/extensions/filters/network/dubbo_proxy/router/v3:pkg",
         "//envoy/extensions/filters/network/dubbo_proxy/v3:pkg",
+        "//envoy/extensions/filters/network/dynamic_modules/v3:pkg",
         "//envoy/extensions/filters/network/echo/v3:pkg",
         "//envoy/extensions/filters/network/ext_authz/v3:pkg",
         "//envoy/extensions/filters/network/ext_proc/v3:pkg",

api/envoy/extensions/filters/network/dynamic_modules/v3/BUILD

@@ -0,0 +1,12 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = [
+        "//envoy/extensions/dynamic_modules/v3:pkg",
+        "@com_github_cncf_xds//udpa/annotations:pkg",
+    ],
+)

api/envoy/extensions/filters/network/dynamic_modules/v3/dynamic_modules.proto

@@ -0,0 +1,71 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.network.dynamic_modules.v3;
+
+import "envoy/extensions/dynamic_modules/v3/dynamic_modules.proto";
+
+import "google/protobuf/any.proto";
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.network.dynamic_modules.v3";
+option java_outer_classname = "DynamicModulesProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/dynamic_modules/v3;dynamic_modulesv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Network filter for dynamic modules]
+// [#extension: envoy.filters.network.dynamic_modules]
+
+// Configuration of the network filter for dynamic modules. This filter allows loading shared object
+// files that can be loaded via dlopen by the network filter.
+//
+// A module can be loaded by multiple network filters, hence the program can be structured in a way
+// that the module is loaded only once and shared across multiple filters providing multiple
+// functionalities.
+//
+// Unlike HTTP filters which operate on structured headers, body, and trailers, network filters
+// work with raw TCP byte streams. The filter can:
+//
+// * Inspect, modify, or inject data into the downstream connection.
+// * Access connection-level information such as addresses and TLS status.
+// * Control connection lifecycle (e.g., close the connection).
+//
+message DynamicModuleNetworkFilter {
+  // Specifies the shared-object level configuration.
+  envoy.extensions.dynamic_modules.v3.DynamicModuleConfig dynamic_module_config = 1;
+
+  // The name for this filter configuration. This can be used to distinguish between different
+  // filter implementations inside a dynamic module. For example, a module can have completely
+  // different filter implementations. When Envoy receives this configuration, it passes the
+  // ``filter_name`` to the dynamic module's network filter config init function together with
+  // the ``filter_config``. That way a module can decide which in-module filter implementation
+  // to use based on the name at load time.
+  string filter_name = 2;
+
+  // The configuration for the filter chosen by ``filter_name``. This is passed to the module's
+  // network filter initialization function. Together with the ``filter_name``, the module can
+  // decide which in-module filter implementation to use and fine-tune the behavior of the filter.
+  //
+  // For example, if a module has two filter implementations, one for echo and one for rate
+  // limiting, ``filter_name`` is used to choose either echo or rate limiting. The ``filter_config``
+  // can be used to configure the echo behavior or the rate limiting parameters.
+  //
+  // ``google.protobuf.Struct`` is serialized as JSON before passing it to the module.
+  // ``google.protobuf.BytesValue`` and ``google.protobuf.StringValue`` are passed directly
+  // without the wrapper.
+  //
+  // .. code-block:: yaml
+  //
+  //  # Passing a string value
+  //  filter_config:
+  //    "@type": "type.googleapis.com/google.protobuf.StringValue"
+  //    value: hello
+  //
+  //  # Passing raw bytes
+  //  filter_config:
+  //    "@type": "type.googleapis.com/google.protobuf.BytesValue"
+  //    value: aGVsbG8=  # echo -n "hello" | base64
+  //
+  google.protobuf.Any filter_config = 3;
+}

api/versioning/BUILD

@@ -181,6 +181,7 @@ proto_library(
         "//envoy/extensions/filters/network/direct_response/v3:pkg",
         "//envoy/extensions/filters/network/dubbo_proxy/router/v3:pkg",
         "//envoy/extensions/filters/network/dubbo_proxy/v3:pkg",
+        "//envoy/extensions/filters/network/dynamic_modules/v3:pkg",
         "//envoy/extensions/filters/network/echo/v3:pkg",
         "//envoy/extensions/filters/network/ext_authz/v3:pkg",
         "//envoy/extensions/filters/network/ext_proc/v3:pkg",

changelogs/current.yaml

@@ -264,6 +264,10 @@ new_features:
   change: |
     Added support for loading dynamic modules globally by setting :ref:`load_globally
     <envoy_v3_api_field_extensions.dynamic_modules.v3.DynamicModuleConfig.load_globally>` to ``true``.
+- area: dynamic modules
+  change: |
+    Added :ref:`network filter <envoy_v3_api_msg_extensions.filters.network.dynamic_modules.v3.DynamicModuleNetworkFilter>`
+    support for dynamic modules, enabling TCP stream processing with dynamic modules.
 - area: http filter
   change: |
     Added :ref:`transform http filter <config_http_filters_transform>` to modify request and response bodies in any

docs/root/intro/arch_overview/advanced/dynamic_modules.rst

@@ -19,9 +19,10 @@ official SDK that abstracts these details and provides a high-level API to imple
 available in Rust. In theory, any language that can produce a shared library can be used to implement dynamic modules.
 Future development may include support for other languages.
 
-Currently, dynamic modules are only supported at the following extension points:
+Currently, dynamic modules are supported at the following extension points:
 
-* As an :ref:`HTTP filter  <envoy_v3_api_msg_extensions.filters.http.dynamic_modules.v3.DynamicModuleFilter>`
+* As an :ref:`HTTP filter <envoy_v3_api_msg_extensions.filters.http.dynamic_modules.v3.DynamicModuleFilter>`.
+* As a :ref:`network filter <envoy_v3_api_msg_extensions.filters.network.dynamic_modules.v3.DynamicModuleNetworkFilter>`.
 
 There are a few design goals for the dynamic modules: