dynamic_modules: add more methods to listener filters ABI (#42789)

agrawroh · web-flow · commit a07c95fbe3e1 · 2025-12-29T10:16:56.000-08:00
## Description

This PR adds support for more methods in Dynamic Modules for Listener
Filters to get Original Destination, Remote/Local Address, etc.

---

**Commit Message:** dynamic_modules: add more methods to listener
filters ABI
**Additional Description:** Adds support for more methods in Dynamic
Modules for Listener Filters to get Original Destination, Remote/Local
Address, etc.
**Risk Level:** Low
**Testing:** Added Tests
**Docs Changes:** Added
**Release Notes:** N/A

---------

Signed-off-by: Rohit Agrawal &lt;rohit.agrawal@databricks.com&gt;
diff --git a/source/extensions/dynamic_modules/abi.h b/source/extensions/dynamic_modules/abi.h
@@ -678,6 +678,16 @@ typedef enum envoy_dynamic_module_type_on_listener_filter_status {
   envoy_dynamic_module_type_on_listener_filter_status_StopIteration,
 } envoy_dynamic_module_type_on_listener_filter_status;
 
+/**
+ * envoy_dynamic_module_type_address_type represents the socket address type.
+ */
+typedef enum envoy_dynamic_module_type_address_type {
+  envoy_dynamic_module_type_address_type_Unknown = 0,
+  envoy_dynamic_module_type_address_type_Ip = 1,
+  envoy_dynamic_module_type_address_type_Pipe = 2,
+  envoy_dynamic_module_type_address_type_EnvoyInternal = 3,
+} envoy_dynamic_module_type_address_type;
+
 // -----------------------------------------------------------------------------
 // ------------------------------- Event Hooks ---------------------------------
 // -----------------------------------------------------------------------------
@@ -2842,6 +2852,20 @@ bool envoy_dynamic_module_callback_listener_filter_get_remote_address(
     envoy_dynamic_module_type_listener_filter_envoy_ptr filter_envoy_ptr,
     envoy_dynamic_module_type_envoy_buffer* address_out, uint32_t* port_out);
 
+/**
+ * envoy_dynamic_module_callback_listener_filter_get_direct_remote_address is called by the module
+ * to get the direct remote address which is the peer address before any listener filter
+ * modification.
+ *
+ * @param filter_envoy_ptr is the pointer to the DynamicModuleListenerFilter object.
+ * @param address_out is the output buffer where the address owned by Envoy will be stored.
+ * @param port_out is the output pointer to the port number.
+ * @return true if the address was found and is an IP address, false otherwise.
+ */
+bool envoy_dynamic_module_callback_listener_filter_get_direct_remote_address(
+    envoy_dynamic_module_type_listener_filter_envoy_ptr filter_envoy_ptr,
+    envoy_dynamic_module_type_envoy_buffer* address_out, uint32_t* port_out);
+
 /**
  * envoy_dynamic_module_callback_listener_filter_get_local_address is called by the module to get
  * the local address.
@@ -2855,6 +2879,54 @@ bool envoy_dynamic_module_callback_listener_filter_get_local_address(
     envoy_dynamic_module_type_listener_filter_envoy_ptr filter_envoy_ptr,
     envoy_dynamic_module_type_envoy_buffer* address_out, uint32_t* port_out);
 
+/**
+ * envoy_dynamic_module_callback_listener_filter_get_direct_local_address is called by the module to
+ * get the direct local address (the listener address before any restoration).
+ *
+ * @param filter_envoy_ptr is the pointer to the DynamicModuleListenerFilter object.
+ * @param address_out is the output buffer where the address owned by Envoy will be stored.
+ * @param port_out is the output pointer to the port number.
+ * @return true if the address was found and is an IP address, false otherwise.
+ */
+bool envoy_dynamic_module_callback_listener_filter_get_direct_local_address(
+    envoy_dynamic_module_type_listener_filter_envoy_ptr filter_envoy_ptr,
+    envoy_dynamic_module_type_envoy_buffer* address_out, uint32_t* port_out);
+
+/**
+ * envoy_dynamic_module_callback_listener_filter_get_original_dst is called by the module to get the
+ * original destination address obtained from the platform (e.g., iptables redirect).
+ *
+ * @param filter_envoy_ptr is the pointer to the DynamicModuleListenerFilter object.
+ * @param address_out is the output buffer where the address owned by Envoy will be stored.
+ * @param port_out is the output pointer to the port number.
+ * @return true if the original destination address was found and is an IP address, false otherwise.
+ */
+bool envoy_dynamic_module_callback_listener_filter_get_original_dst(
+    envoy_dynamic_module_type_listener_filter_envoy_ptr filter_envoy_ptr,
+    envoy_dynamic_module_type_envoy_buffer* address_out, uint32_t* port_out);
+
+/**
+ * envoy_dynamic_module_callback_listener_filter_get_address_type is called by the module to get the
+ * socket address type.
+ *
+ * @param filter_envoy_ptr is the pointer to the DynamicModuleListenerFilter object.
+ * @return the address type for the current socket.
+ */
+envoy_dynamic_module_type_address_type
+envoy_dynamic_module_callback_listener_filter_get_address_type(
+    envoy_dynamic_module_type_listener_filter_envoy_ptr filter_envoy_ptr);
+
+/**
+ * envoy_dynamic_module_callback_listener_filter_is_local_address_restored is called by the module
+ * to check whether the local address has been restored to a value different from the listener
+ * address.
+ *
+ * @param filter_envoy_ptr is the pointer to the DynamicModuleListenerFilter object.
+ * @return true if the local address has been restored, false otherwise.
+ */
+bool envoy_dynamic_module_callback_listener_filter_is_local_address_restored(
+    envoy_dynamic_module_type_listener_filter_envoy_ptr filter_envoy_ptr);
+
 /**
  * envoy_dynamic_module_callback_listener_filter_set_remote_address is called by the module to set
  * the remote address (for proxy protocol parsing).
@@ -2898,6 +2970,16 @@ bool envoy_dynamic_module_callback_listener_filter_restore_local_address(
 void envoy_dynamic_module_callback_listener_filter_continue_filter_chain(
     envoy_dynamic_module_type_listener_filter_envoy_ptr filter_envoy_ptr, bool success);
 
+/**
+ * envoy_dynamic_module_callback_listener_filter_use_original_dst is called by the module to control
+ * whether the listener should use the original destination for filter chain matching.
+ *
+ * @param filter_envoy_ptr is the pointer to the DynamicModuleListenerFilter object.
+ * @param use_original_dst indicates whether to enable original destination handling.
+ */
+void envoy_dynamic_module_callback_listener_filter_use_original_dst(
+    envoy_dynamic_module_type_listener_filter_envoy_ptr filter_envoy_ptr, bool use_original_dst);
+
 /**
  * envoy_dynamic_module_callback_listener_filter_close_socket is called by the module to close
  * the socket immediately.
@@ -2954,6 +3036,31 @@ bool envoy_dynamic_module_callback_listener_filter_get_filter_state(
     envoy_dynamic_module_type_listener_filter_envoy_ptr filter_envoy_ptr,
     envoy_dynamic_module_type_module_buffer key, envoy_dynamic_module_type_envoy_buffer* value_out);
 
+// -----------------------------------------------------------------------------
+// Stream Info Operations
+// -----------------------------------------------------------------------------
+
+/**
+ * envoy_dynamic_module_callback_listener_filter_set_downstream_transport_failure_reason is called
+ * by the module to set the downstream transport failure reason for logging and debugging.
+ *
+ * @param filter_envoy_ptr is the pointer to the DynamicModuleListenerFilter object.
+ * @param reason is the reason string owned by the module.
+ */
+void envoy_dynamic_module_callback_listener_filter_set_downstream_transport_failure_reason(
+    envoy_dynamic_module_type_listener_filter_envoy_ptr filter_envoy_ptr,
+    envoy_dynamic_module_type_module_buffer reason);
+
+/**
+ * envoy_dynamic_module_callback_listener_filter_get_connection_start_time_ms is called by the
+ * module to obtain the connection start time in milliseconds since Unix epoch.
+ *
+ * @param filter_envoy_ptr is the pointer to the DynamicModuleListenerFilter object.
+ * @return the start time in milliseconds since Unix epoch.
+ */
+uint64_t envoy_dynamic_module_callback_listener_filter_get_connection_start_time_ms(
+    envoy_dynamic_module_type_listener_filter_envoy_ptr filter_envoy_ptr);
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/source/extensions/dynamic_modules/abi_version.h b/source/extensions/dynamic_modules/abi_version.h
@@ -6,7 +6,7 @@ namespace DynamicModules {
 #endif
 // This is the ABI version calculated as a sha256 hash of the ABI header files. When the ABI
 // changes, this value must change, and the correctness of this value is checked by the test.
-const char* kAbiVersion = "b83111f4c9c8c5a9218e2b2f18d0a00be3a6747df2f3c182edf4c2ba4ccb7b0f";
+const char* kAbiVersion = "3fe64075e0a96694bcfc55111b047d3c9a62c46482f9e7c91159e12b9211ba96";
 
 #ifdef __cplusplus
 } // namespace DynamicModules
diff --git a/source/extensions/filters/listener/dynamic_modules/abi_impl.cc b/source/extensions/filters/listener/dynamic_modules/abi_impl.cc
@@ -1,4 +1,7 @@
+#include <chrono>
+
 #include "envoy/network/listen_socket.h"
+#include "envoy/stream_info/stream_info.h"
 
 #include "source/common/network/address_impl.h"
 #include "source/common/network/utility.h"
@@ -133,6 +136,34 @@ bool envoy_dynamic_module_callback_listener_filter_get_remote_address(
   return true;
 }
 
+bool envoy_dynamic_module_callback_listener_filter_get_direct_remote_address(
+    envoy_dynamic_module_type_listener_filter_envoy_ptr filter_envoy_ptr,
+    envoy_dynamic_module_type_envoy_buffer* address_out, uint32_t* port_out) {
+  auto* filter = static_cast<DynamicModuleListenerFilter*>(filter_envoy_ptr);
+  auto* callbacks = filter->callbacks();
+
+  if (callbacks == nullptr) {
+    address_out->ptr = nullptr;
+    address_out->length = 0;
+    *port_out = 0;
+    return false;
+  }
+
+  const auto& address = callbacks->socket().connectionInfoProvider().directRemoteAddress();
+  if (address == nullptr || address->ip() == nullptr) {
+    address_out->ptr = nullptr;
+    address_out->length = 0;
+    *port_out = 0;
+    return false;
+  }
+
+  const std::string& addr_str = address->ip()->addressAsString();
+  address_out->ptr = const_cast<char*>(addr_str.c_str());
+  address_out->length = addr_str.size();
+  *port_out = address->ip()->port();
+  return true;
+}
+
 bool envoy_dynamic_module_callback_listener_filter_get_local_address(
     envoy_dynamic_module_type_listener_filter_envoy_ptr filter_envoy_ptr,
     envoy_dynamic_module_type_envoy_buffer* address_out, uint32_t* port_out) {
@@ -161,6 +192,114 @@ bool envoy_dynamic_module_callback_listener_filter_get_local_address(
   return true;
 }
 
+bool envoy_dynamic_module_callback_listener_filter_get_direct_local_address(
+    envoy_dynamic_module_type_listener_filter_envoy_ptr filter_envoy_ptr,
+    envoy_dynamic_module_type_envoy_buffer* address_out, uint32_t* port_out) {
+  auto* filter = static_cast<DynamicModuleListenerFilter*>(filter_envoy_ptr);
+  auto* callbacks = filter->callbacks();
+
+  if (callbacks == nullptr) {
+    address_out->ptr = nullptr;
+    address_out->length = 0;
+    *port_out = 0;
+    return false;
+  }
+
+  const auto& address = callbacks->socket().connectionInfoProvider().directLocalAddress();
+  if (address == nullptr || address->ip() == nullptr) {
+    address_out->ptr = nullptr;
+    address_out->length = 0;
+    *port_out = 0;
+    return false;
+  }
+
+  const std::string& addr_str = address->ip()->addressAsString();
+  address_out->ptr = const_cast<char*>(addr_str.c_str());
+  address_out->length = addr_str.size();
+  *port_out = address->ip()->port();
+  return true;
+}
+
+bool envoy_dynamic_module_callback_listener_filter_get_original_dst(
+    envoy_dynamic_module_type_listener_filter_envoy_ptr filter_envoy_ptr,
+    envoy_dynamic_module_type_envoy_buffer* address_out, uint32_t* port_out) {
+  auto* filter = static_cast<DynamicModuleListenerFilter*>(filter_envoy_ptr);
+  auto* callbacks = filter->callbacks();
+
+  if (callbacks == nullptr) {
+    address_out->ptr = nullptr;
+    address_out->length = 0;
+    *port_out = 0;
+    return false;
+  }
+
+  if (callbacks->socket().addressType() != Network::Address::Type::Ip) {
+    address_out->ptr = nullptr;
+    address_out->length = 0;
+    *port_out = 0;
+    return false;
+  }
+
+  // Avoid calling getOriginalDst on an invalid handle.
+  if (callbacks->socket().ioHandle().fdDoNotUse() < 0) {
+    address_out->ptr = nullptr;
+    address_out->length = 0;
+    *port_out = 0;
+    return false;
+  }
+
+  const auto original_dst = Network::Utility::getOriginalDst(callbacks->socket());
+  if (original_dst == nullptr || original_dst->ip() == nullptr) {
+    address_out->ptr = nullptr;
+    address_out->length = 0;
+    *port_out = 0;
+    return false;
+  }
+
+  // Cache the address in the filter to ensure lifetime extends beyond this function.
+  filter->cachedOriginalDst() = original_dst;
+
+  const std::string& addr_str = original_dst->ip()->addressAsString();
+  address_out->ptr = const_cast<char*>(addr_str.c_str());
+  address_out->length = addr_str.size();
+  *port_out = original_dst->ip()->port();
+  return true;
+}
+
+envoy_dynamic_module_type_address_type
+envoy_dynamic_module_callback_listener_filter_get_address_type(
+    envoy_dynamic_module_type_listener_filter_envoy_ptr filter_envoy_ptr) {
+  auto* filter = static_cast<DynamicModuleListenerFilter*>(filter_envoy_ptr);
+  auto* callbacks = filter->callbacks();
+
+  if (callbacks == nullptr) {
+    return envoy_dynamic_module_type_address_type_Unknown;
+  }
+
+  switch (callbacks->socket().addressType()) {
+  case Network::Address::Type::Ip:
+    return envoy_dynamic_module_type_address_type_Ip;
+  case Network::Address::Type::Pipe:
+    return envoy_dynamic_module_type_address_type_Pipe;
+  case Network::Address::Type::EnvoyInternal:
+    return envoy_dynamic_module_type_address_type_EnvoyInternal;
+  }
+
+  return envoy_dynamic_module_type_address_type_Unknown;
+}
+
+bool envoy_dynamic_module_callback_listener_filter_is_local_address_restored(
+    envoy_dynamic_module_type_listener_filter_envoy_ptr filter_envoy_ptr) {
+  auto* filter = static_cast<DynamicModuleListenerFilter*>(filter_envoy_ptr);
+  auto* callbacks = filter->callbacks();
+
+  if (callbacks == nullptr) {
+    return false;
+  }
+
+  return callbacks->socket().connectionInfoProvider().localAddressRestored();
+}
+
 bool envoy_dynamic_module_callback_listener_filter_set_remote_address(
     envoy_dynamic_module_type_listener_filter_envoy_ptr filter_envoy_ptr,
     envoy_dynamic_module_type_module_buffer address, uint32_t port, bool is_ipv6) {
@@ -228,6 +367,15 @@ void envoy_dynamic_module_callback_listener_filter_continue_filter_chain(
   }
 }
 
+void envoy_dynamic_module_callback_listener_filter_use_original_dst(
+    envoy_dynamic_module_type_listener_filter_envoy_ptr filter_envoy_ptr, bool use_original_dst) {
+  auto* filter = static_cast<DynamicModuleListenerFilter*>(filter_envoy_ptr);
+  auto* callbacks = filter->callbacks();
+  if (callbacks != nullptr) {
+    callbacks->useOriginalDst(use_original_dst);
+  }
+}
+
 void envoy_dynamic_module_callback_listener_filter_close_socket(
     envoy_dynamic_module_type_listener_filter_envoy_ptr filter_envoy_ptr) {
   auto* filter = static_cast<DynamicModuleListenerFilter*>(filter_envoy_ptr);
@@ -308,6 +456,32 @@ bool envoy_dynamic_module_callback_listener_filter_get_filter_state(
   return true;
 }
 
+void envoy_dynamic_module_callback_listener_filter_set_downstream_transport_failure_reason(
+    envoy_dynamic_module_type_listener_filter_envoy_ptr filter_envoy_ptr,
+    envoy_dynamic_module_type_module_buffer reason) {
+  auto* filter = static_cast<DynamicModuleListenerFilter*>(filter_envoy_ptr);
+  auto* callbacks = filter->callbacks();
+  if (callbacks == nullptr || reason.ptr == nullptr || reason.length == 0) {
+    return;
+  }
+
+  callbacks->streamInfo().setDownstreamTransportFailureReason(
+      absl::string_view(reason.ptr, reason.length));
+}
+
+uint64_t envoy_dynamic_module_callback_listener_filter_get_connection_start_time_ms(
+    envoy_dynamic_module_type_listener_filter_envoy_ptr filter_envoy_ptr) {
+  auto* filter = static_cast<DynamicModuleListenerFilter*>(filter_envoy_ptr);
+  auto* callbacks = filter->callbacks();
+  if (callbacks == nullptr) {
+    return 0;
+  }
+
+  const auto start_time = callbacks->streamInfo().startTime();
+  const auto duration = start_time.time_since_epoch();
+  return std::chrono::duration_cast<std::chrono::milliseconds>(duration).count();
+}
+
 } // extern "C"
 
 } // namespace ListenerFilters
diff --git a/source/extensions/filters/listener/dynamic_modules/filter.h b/source/extensions/filters/listener/dynamic_modules/filter.h
@@ -35,6 +35,7 @@ class DynamicModuleListenerFilter : public Network::ListenerFilter,
   // Accessors for ABI callbacks.
   Network::ListenerFilterCallbacks* callbacks() { return callbacks_; }
   Network::ListenerFilterBuffer* currentBuffer() { return current_buffer_; }
+  Network::Address::InstanceConstSharedPtr& cachedOriginalDst() { return cached_original_dst_; }
 
   // Test-only setters.
   void setCallbacksForTest(Network::ListenerFilterCallbacks* callbacks) { callbacks_ = callbacks; }
@@ -71,6 +72,9 @@ class DynamicModuleListenerFilter : public Network::ListenerFilter,
   // Current buffer, only valid during onData callback.
   Network::ListenerFilterBuffer* current_buffer_ = nullptr;
 
+  // Cached original destination address to ensure lifetime extends beyond ABI callback.
+  Network::Address::InstanceConstSharedPtr cached_original_dst_;
+
   bool destroyed_ = false;
 };
 
diff --git a/test/extensions/dynamic_modules/listener/abi_impl_test.cc b/test/extensions/dynamic_modules/listener/abi_impl_test.cc
