
Commit 4fd833c

authored
multi-network: HBONE matching prefers hostname over VIP (#58512)
1 parent 19ba6ec commit 4fd833c


1 file changed

+36
-28
lines changed


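--- a/pilot/pkg/networking/core/listener_waypoint.go
+++ b/pilot/pkg/networking/core/listener_waypoint.go
@@ -576,46 +576,54 @@ func (lb *ListenerBuilder) buildWaypointInternal(wls []model.WorkloadInfo, svcs
 return nil
 }()
 
-l := &listener.Listener{
-Name: MainInternalName,
-ListenerSpecifier: &listener.Listener_InternalListener{InternalListener: &listener.Listener_InternalListenerConfig{}},
-ListenerFilters: []*listener.ListenerFilter{
-xdsfilters.OriginalDestination,
-httpInspector,
-},
-TrafficDirection: core.TrafficDirection_INBOUND,
-FilterChains: chains,
-FilterChainMatcher: &matcher.Matcher{
-MatcherType: &matcher.Matcher_MatcherTree_{
-MatcherTree: &matcher.Matcher_MatcherTree{
-Input: match.DestinationIP,
-TreeType: &matcher.Matcher_MatcherTree_CustomMatch{
-CustomMatch: &xds.TypedExtensionConfig{
-Name: "ip",
-TypedConfig: protoconv.MessageToAny(ipMatcher),
-},
+// by default match IPs first
+primaryMatcher := &matcher.Matcher{
+MatcherType: &matcher.Matcher_MatcherTree_{
+MatcherTree: &matcher.Matcher_MatcherTree{
+Input: match.DestinationIP,
+TreeType: &matcher.Matcher_MatcherTree_CustomMatch{
+CustomMatch: &xds.TypedExtensionConfig{
+Name: "ip",
+TypedConfig: protoconv.MessageToAny(ipMatcher),
 },
 },
 },
 },
 }
 
+// when multi-network is enabled, prefer the hostnames for matching
+// VIPs may overlap across networks, especially auto-generated ServiceEntry VIPs
+// and if we hit an incorrect VIP match we may attempt to route to the wrong service
 if len(svcHostnameMap.Map) > 0 && features.EnableAmbientMultiNetwork {
-l.FilterChainMatcher.OnNoMatch = &matcher.Matcher_OnMatch{
-OnMatch: &matcher.Matcher_OnMatch_Matcher{
-Matcher: &matcher.Matcher{
-MatcherType: &matcher.Matcher_MatcherTree_{
-MatcherTree: &matcher.Matcher_MatcherTree{
-Input: match.AuthorityFilterStateInput,
-TreeType: &matcher.Matcher_MatcherTree_ExactMatchMap{
-ExactMatchMap: svcHostnameMap,
-},
-},
+primaryMatcher = &matcher.Matcher{
+OnNoMatch: &matcher.Matcher_OnMatch{
+OnMatch: &matcher.Matcher_OnMatch_Matcher{
+Matcher: primaryMatcher,
+},
+},
+MatcherType: &matcher.Matcher_MatcherTree_{
+MatcherTree: &matcher.Matcher_MatcherTree{
+Input: match.AuthorityFilterStateInput,
+TreeType: &matcher.Matcher_MatcherTree_ExactMatchMap{
+ExactMatchMap: svcHostnameMap,
 },
 },
 },
 }
 }
+
+l := &listener.Listener{
+Name: MainInternalName,
+ListenerSpecifier: &listener.Listener_InternalListener{InternalListener: &listener.Listener_InternalListenerConfig{}},
+ListenerFilters: []*listener.ListenerFilter{
+xdsfilters.OriginalDestination,
+httpInspector,
+},
+TrafficDirection: core.TrafficDirection_INBOUND,
+FilterChains: chains,
+FilterChainMatcher: primaryMatcher,
+}
+
 if tlsInspector != nil {
 l.ListenerFilters = append(l.ListenerFilters, tlsInspector)
 }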
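Review bot: In the multi-network branch at new lines 598-612, the filter chain is now chosen from `match.AuthorityFilterStateInput` before the destination IP is consulted, so a request whose authority matches an entry in `svcHostnameMap` takes that service's chain even when its original destination is another service's VIP. Where that filter state is populated is outside this hunk; if it is derived from the tunnel request's authority, chain selection now rests on a value supplied by the connecting peer, and the comment block should say so, for example `// authority comes from the connecting peer and is matched before the VIP; a mismatch resolves to the hostname's chain`. A test case in which the authority and the destination IP name different services would pin the intended precedence and guard against a later reordering. The comment `// by default match IPs first` would also read better as a description of the IP matcher being the sole matcher by default and the `OnNoMatch` fallback otherwise. `buildWaypointInternal` starts before and continues past this hunk.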
