Original Source

    The original source listener filter replicates the downstream remote address of the connection on the upstream side of Envoy. For example, if a downstream connection connects to Envoy with IP address 10.1.2.3, then Envoy will connect to the upstream with source IP 10.1.2.3.

    The filter supports both IPv4 and IPv6 as addresses. Note that the upstream connection must support the version used.

    The downstream remote address used will likely be globally routable. By default, packets returning from the upstream host to that address will not route through Envoy. The network must be configured to forcefully route any traffic whose IP was replicated by Envoy back through the Envoy host.

    We can use the following set of commands to ensure that all IPv4 and IPv6 traffic marked with X (assumed to be 123 in the example) routes correctly. Note that this example assumes that eth0 is the default outbound interface.
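    One set of Linux commands matching this description, as an added example that is not taken from the original page. Mark 123 and eth0 come from the text; routing table 100, the helper name original_src_rules and an upstream running on the same host as Envoy are assumptions.

```shell
#!/bin/sh
# Added example: prints (does not execute) the iptables/ip commands that steer
# packets carrying a firewall mark through a dedicated local routing table.
# Defaults 123 and eth0 are from the text; table 100 is an assumption.

original_src_rules() {
    mark=${1:-123} table=${2:-100} iface=${3:-eth0}

    # Accept only plain numbers and a plain interface name, so the output is
    # safe to hand to a root shell and the /proc path cannot be redirected.
    case $mark in ''|*[!0-9]*) echo "invalid mark: $mark" >&2; return 1 ;; esac
    case $table in ''|*[!0-9]*) echo "invalid table: $table" >&2; return 1 ;; esac
    case $iface in ''|.*|*[!A-Za-z0-9_.-]*) echo "invalid interface: $iface" >&2; return 1 ;; esac
    # A mark of 0 leaves packets unmarked, so there would be nothing to match.
    [ "$mark" -ne 0 ] || { echo "mark must be non-zero" >&2; return 1; }

    for ipt in iptables ip6tables; do
        # Packets that carry the mark: copy the packet mark onto the connection.
        echo "$ipt -t mangle -I PREROUTING -m mark --mark $mark -j CONNMARK --save-mark"
        # Locally generated packets of such connections: copy the mark back.
        echo "$ipt -t mangle -I OUTPUT -m connmark --mark $mark -j CONNMARK --restore-mark"
    done

    for fam in -4 -6; do
        [ "$fam" = -4 ] && any=0.0.0.0/0 || any=::/0
        # Marked packets use the dedicated table, which treats every
        # destination as local and delivers it via the loopback device.
        echo "ip $fam rule add fwmark $mark lookup $table"
        echo "ip $fam route add local $any dev lo table $table"
    done

    # Stop treating loopback addresses as martians on the outbound interface.
    echo "echo 1 > /proc/sys/net/ipv4/conf/$iface/route_localnet"
}

# Dry run by default: show the commands for the given (or default) values.
original_src_rules "$@"
```

Review the printed commands, then apply them with `original_src_rules 123 100 eth0 | sudo sh`. Enabling route_localnet relaxes the kernel's handling of 127.0.0.0/8 on that interface, so keep a firewall rule that drops loopback-addressed traffic arriving from the network.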

    The following example configures Envoy to use the original source for all connections made on port 8888. It uses Proxy Protocol to determine the downstream remote address. All upstream packets are marked with 123.

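    listeners:
    - address:
        socket_address:
          address: 0.0.0.0
          port_value: 8888
      listener_filters:
        # Proxy Protocol supplies the downstream remote address.
        - name: envoy.filters.listener.proxy_protocol
        - name: envoy.filters.listener.original_src
          typed_config:
            "@type": type.googleapis.com/envoy.config.filter.listener.original_src.v2alpha1.OriginalSrc
            mark: 123  # all upstream packets are marked with 123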