Merge branch 'main' of https://github.com/envoyproxy/envoy into dev-g…

…eneric-proxy-timeout

.github/workflows/_precheck_deps.yml

@@ -50,7 +50,7 @@ jobs:
     if: ${{ inputs.dependency-review }}
     steps:
     - name: Checkout Repository
-      uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f  # v4.1.3
+      uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b  # v4.1.4
       with:
         ref: ${{ fromJSON(inputs.request).request.sha }}
         persist-credentials: false

.github/workflows/codeql-daily.yml

@@ -27,7 +27,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f  # v4.1.3
+      uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b  # v4.1.4
 
     - name: Free disk space
       uses: envoyproxy/toolshed/gh-actions/diskspace@actions-v0.2.30

.github/workflows/codeql-push.yml

@@ -32,7 +32,7 @@ jobs:
     if: github.repository == 'envoyproxy/envoy'
     steps:
     - name: Checkout repository
-      uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f  # v4.1.3
+      uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b  # v4.1.4
       with:
         fetch-depth: 2
 

.github/workflows/envoy-dependency.yml

@@ -143,7 +143,7 @@ jobs:
           path: envoy
           fetch-depth: 0
         token: ${{ steps.appauth.outputs.token }}
-    - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f  # v4.1.3
+    - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b  # v4.1.4
       name: Checkout Envoy build tools repository
       with:
         repository: envoyproxy/envoy-build-tools
@@ -235,7 +235,7 @@ jobs:
       issues: write
     steps:
     - name: Checkout repository
-      uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f  # v4.1.3
+      uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b  # v4.1.4
     - name: Run dependency checker
       run: |
         TODAY_DATE=$(date -u -I"date")

.github/workflows/mobile-release.yml

@@ -94,12 +94,12 @@ jobs:
         - output: envoy
         - output: envoy_xds
     steps:
-    - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f  # v4.1.3
+    - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b  # v4.1.4
       with:
         fetch-depth: 0
     - name: Add safe directory
       run: git config --global --add safe.directory /__w/envoy/envoy
-    - uses: actions/download-artifact@9c19ed7fe5d278cd354c7dfd5d3b88589c7e2395  # v4.1.6
+    - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e  # v4.1.7
       with:
         name: ${{ matrix.output }}_android_aar_sources
         path: .

.github/workflows/mobile-traffic_director.yml

@@ -30,7 +30,7 @@ jobs:
     timeout-minutes: 120
     steps:
     - name: Checkout repository
-      uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f  # v4.1.3
+      uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b  # v4.1.4
     - name: Add safe directory
       run: git config --global --add safe.directory /__w/envoy/envoy
     - name: 'Run GcpTrafficDirectorIntegrationTest'

.github/workflows/pr_notifier.yml

@@ -22,7 +22,7 @@ jobs:
               || !contains(github.actor, '[bot]'))
       }}
     steps:
-    - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f  # v4.1.3
+    - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b  # v4.1.4
     - name: Notify about PRs
       run: |
         ARGS=()

.github/workflows/scorecard.yml

@@ -21,7 +21,7 @@ jobs:
 
     steps:
     - name: "Checkout code"
-      uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f  # v4.1.3
+      uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b  # v4.1.4
       with:
         persist-credentials: false
 

README.md

@@ -20,9 +20,6 @@ involved and how Envoy plays a role, read the CNCF
 * [Official documentation](https://www.envoyproxy.io/)
 * [FAQ](https://www.envoyproxy.io/docs/envoy/latest/faq/overview)
 * [Unofficial Chinese documentation](https://cloudnative.to/envoy/)
-* Watch [a video overview of Envoy](https://www.youtube.com/watch?v=RVZX4CwKhGE)
-([transcript](https://www.microservices.com/talks/lyfts-envoy-monolith-service-mesh-matt-klein/))
-to find out more about the origin story and design philosophy of Envoy
 * [Blog](https://medium.com/@mattklein123/envoy-threading-model-a8d44b922310) about the threading model
 * [Blog](https://medium.com/@mattklein123/envoy-hot-restart-1d16b14555b5) about hot restart
 * [Blog](https://medium.com/@mattklein123/envoy-stats-b65c7f363342) about stats architecture

api/envoy/extensions/filters/http/ext_proc/v3/ext_proc.proto

@@ -11,6 +11,7 @@ import "envoy/type/matcher/v3/string.proto";
 import "google/protobuf/duration.proto";
 import "google/protobuf/struct.proto";
 
+import "udpa/annotations/migrate.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 
@@ -97,8 +98,27 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // <arch_overview_advanced_filter_state_sharing>` object in a namespace matching the filter
 // name.
 //
-// [#next-free-field: 18]
+// [#next-free-field: 19]
 message ExternalProcessor {
+  // Describes the route cache action to be taken when an external processor response
+  // is received in response to request headers.
+  enum RouteCacheAction {
+    // The default behavior is to clear the route cache only when the
+    // :ref:`clear_route_cache <envoy_v3_api_field_service.ext_proc.v3.CommonResponse.clear_route_cache>`
+    // field is set in an external processor response.
+    DEFAULT = 0;
+
+    // Always clear the route cache irrespective of the clear_route_cache bit in
+    // the external processor response.
+    CLEAR = 1;
+
+    // Do not clear the route cache irrespective of the clear_route_cache bit in
+    // the external processor response. Setting to RETAIN is equivalent to set the
+    // :ref:`disable_clear_route_cache <envoy_v3_api_field_extensions.filters.http.ext_proc.v3.ExternalProcessor.disable_clear_route_cache>`
+    // to true.
+    RETAIN = 2;
+  }
+
   reserved 4;
 
   reserved "async_mode";
@@ -172,11 +192,6 @@ message ExternalProcessor {
     gte {}
   }];
 
-  // Prevents clearing the route-cache when the
-  // :ref:`clear_route_cache <envoy_v3_api_field_service.ext_proc.v3.CommonResponse.clear_route_cache>`
-  // field is set in an external processor response.
-  bool disable_clear_route_cache = 11;
-
   // Allow headers matching the ``forward_rules`` to be forwarded to the external processing server.
   // If not set, all headers are forwarded to the external processing server.
   HeaderForwardingRules forward_rules = 12;
@@ -226,6 +241,22 @@ message ExternalProcessor {
   //    This work is currently tracked under https://github.com/envoyproxy/envoy/issues/33319.
   //
   bool observability_mode = 17;
+
+  // Prevents clearing the route-cache when the
+  // :ref:`clear_route_cache <envoy_v3_api_field_service.ext_proc.v3.CommonResponse.clear_route_cache>`
+  // field is set in an external processor response.
+  // Only one of ``disable_clear_route_cache`` or ``route_cache_action`` can be set.
+  // It is recommended to set ``route_cache_action`` which supersedes ``disable_clear_route_cache``.
+  bool disable_clear_route_cache = 11
+      [(udpa.annotations.field_migrate).oneof_promotion = "clear_route_cache_type"];
+
+  // [#not-implemented-hide:]
+  // Specifies the action to be taken when an external processor response is
+  // received in response to request headers. It is recommended to set this field than set
+  // :ref:`disable_clear_route_cache <envoy_v3_api_field_extensions.filters.http.ext_proc.v3.ExternalProcessor.disable_clear_route_cache>`.
+  // Only one of ``disable_clear_route_cache`` or ``route_cache_action`` can be set.
+  RouteCacheAction route_cache_action = 18
+      [(udpa.annotations.field_migrate).oneof_promotion = "clear_route_cache_type"];
 }
 
 // The MetadataOptions structure defines options for the sending and receiving of

api/envoy/extensions/network/dns_resolver/cares/v3/cares_dns_resolver.proto

@@ -5,6 +5,8 @@ package envoy.extensions.network.dns_resolver.cares.v3;
 import "envoy/config/core/v3/address.proto";
 import "envoy/config/core/v3/resolver.proto";
 
+import "google/protobuf/wrappers.proto";
+
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 
@@ -18,6 +20,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#extension: envoy.network.dns_resolver.cares]
 
 // Configuration for c-ares DNS resolver.
+// [#next-free-field: 6]
 message CaresDnsResolverConfig {
   // A list of dns resolver addresses.
   // :ref:`use_resolvers_as_fallback<envoy_v3_api_field_extensions.network.dns_resolver.cares.v3.CaresDnsResolverConfig.use_resolvers_as_fallback>`
@@ -41,4 +44,8 @@ message CaresDnsResolverConfig {
 
   // Configuration of DNS resolver option flags which control the behavior of the DNS resolver.
   config.core.v3.DnsResolverOptions dns_resolver_options = 2;
+
+  // This option allows for number of UDP based DNS queries to be capped. Note, this
+  // is only applicable to c-ares DNS resolver currently.
+  google.protobuf.UInt32Value udp_max_queries = 5;
 }

bazel/external/quiche.BUILD

@@ -44,7 +44,6 @@ src_files = glob([
 test_suite(
     name = "ci_tests",
     tests = [
-        "http2_adapter_callback_visitor_test",
         "http2_adapter_event_forwarder_test",
         "http2_adapter_header_validator_test",
         "http2_adapter_impl_comparison_test",
@@ -77,35 +76,25 @@ envoy_cc_test_library(
 )
 
 envoy_cc_library(
-    name = "http2_adapter_callback_visitor",
-    srcs = ["quiche/http2/adapter/callback_visitor.cc"],
-    hdrs = ["quiche/http2/adapter/callback_visitor.h"],
+    name = "http2_adapter_chunked_buffer",
+    srcs = ["quiche/http2/adapter/chunked_buffer.cc"],
+    hdrs = ["quiche/http2/adapter/chunked_buffer.h"],
     copts = quiche_copts,
-    local_defines = ["NGHTTP2_16"],
     repository = "@envoy",
     deps = [
-        ":http2_adapter_http2_util",
-        ":http2_adapter_http2_visitor_interface",
-        ":http2_adapter_nghttp2_include",
-        ":http2_adapter_nghttp2_util",
-        ":quiche_common_callbacks",
+        ":quiche_common_circular_deque_lib",
         ":quiche_common_platform_export",
     ],
 )
 
 envoy_cc_test(
-    name = "http2_adapter_callback_visitor_test",
-    srcs = ["quiche/http2/adapter/callback_visitor_test.cc"],
+    name = "http2_adapter_chunked_buffer_test",
+    srcs = ["quiche/http2/adapter/chunked_buffer_test.cc"],
     copts = quiche_copts,
     repository = "@envoy",
     deps = [
-        ":http2_adapter_callback_visitor",
-        ":http2_adapter_mock_nghttp2_callbacks",
-        ":http2_adapter_nghttp2_adapter",
-        ":http2_adapter_nghttp2_test_utils",
-        ":http2_adapter_test_frame_sequence",
-        ":http2_adapter_test_utils",
         ":quiche_common_platform_test",
+        "@com_google_absl//absl/strings",
     ],
 )
 
@@ -285,7 +274,6 @@ envoy_cc_library(
     copts = quiche_copts,
     repository = "@envoy",
     deps = [
-        ":http2_adapter_callback_visitor",
         ":http2_adapter_data_source",
         ":http2_adapter_http2_protocol",
         ":http2_adapter_http2_util",
@@ -450,7 +438,7 @@ envoy_cc_library(
     ],
     repository = "@envoy",
     deps = [
-        ":http2_adapter_callback_visitor",
+        ":http2_adapter_chunked_buffer",
         ":http2_adapter_data_source",
         ":http2_adapter_event_forwarder",
         ":http2_adapter_header_validator",
@@ -2023,6 +2011,31 @@ envoy_quic_cc_library(
     deps = [":quic_platform_export"],
 )
 
+envoy_quic_cc_library(
+    name = "quic_core_blocked_writer_list_lib",
+    srcs = ["quiche/quic/core/quic_blocked_writer_list.cc"],
+    hdrs = ["quiche/quic/core/quic_blocked_writer_list.h"],
+    deps = [
+        ":quic_core_blocked_writer_interface_lib",
+        ":quic_platform_base",
+        ":quic_platform_bug_tracker",
+        ":quiche_common_lib",
+    ],
+)
+
+envoy_cc_test(
+    name = "quic_core_blocked_writer_list_test",
+    srcs = ["quiche/quic/core/quic_blocked_writer_list_test.cc"],
+    copts = quiche_copts,
+    repository = "@envoy",
+    tags = ["nofips"],
+    deps = [
+        ":quic_core_blocked_writer_interface_lib",
+        ":quic_core_blocked_writer_list_lib",
+        ":quic_platform_test",
+    ],
+)
+
 envoy_quic_cc_library(
     name = "quic_core_arena_scoped_ptr_lib",
     hdrs = ["quiche/quic/core/quic_arena_scoped_ptr.h"],
@@ -3904,6 +3917,7 @@ envoy_quic_cc_library(
         ":quic_core_alarm_factory_lib",
         ":quic_core_alarm_lib",
         ":quic_core_blocked_writer_interface_lib",
+        ":quic_core_blocked_writer_list_lib",
         ":quic_core_connection_id_generator_interface_lib",
         ":quic_core_connection_lib",
         ":quic_core_crypto_crypto_handshake_lib",

bazel/repository_locations.bzl

@@ -218,12 +218,12 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "c-ares",
         project_desc = "C library for asynchronous DNS requests",
         project_url = "https://c-ares.haxx.se/",
-        version = "1.19.1",
-        sha256 = "321700399b72ed0e037d0074c629e7741f6b2ec2dda92956abe3e9671d3e268e",
+        version = "1.20.1",
+        sha256 = "de24a314844cb157909730828560628704f4f896d167dd7da0fa2fb93ea18b10",
         strip_prefix = "c-ares-{version}",
         urls = ["https://github.com/c-ares/c-ares/releases/download/cares-{underscore_version}/c-ares-{version}.tar.gz"],
         use_category = ["dataplane_core", "controlplane"],
-        release_date = "2023-05-22",
+        release_date = "2023-10-08",
         cpe = "cpe:2.3:a:c-ares_project:c-ares:*",
         license = "c-ares",
         license_url = "https://github.com/c-ares/c-ares/blob/cares-{underscore_version}/LICENSE.md",
@@ -1192,12 +1192,12 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "QUICHE",
         project_desc = "QUICHE (QUIC, HTTP/2, Etc) is Google‘s implementation of QUIC and related protocols",
         project_url = "https://github.com/google/quiche",
-        version = "62f5f6c9caabe019240b2a4377090bb657012c3f",
-        sha256 = "d4d976917b173167a8d600b87f01a4b9c169d15b92625894bfce2802362c76ad",
+        version = "e08f8dde2d09ad28f0c3458be3703cb1c8a9c9fb",
+        sha256 = "749752c27151ba9dfef1676866178131bc6abb4ff9a8360e12789732ab738544",
         urls = ["https://github.com/google/quiche/archive/{version}.tar.gz"],
         strip_prefix = "quiche-{version}",
         use_category = ["controlplane", "dataplane_core"],
-        release_date = "2024-04-19",
+        release_date = "2024-04-24",
         cpe = "N/A",
         license = "BSD-3-Clause",
         license_url = "https://github.com/google/quiche/blob/{version}/LICENSE",

changelogs/current.yaml

@@ -13,6 +13,11 @@ minor_behavior_changes:
 - area: tracers
   change: |
     Set status code for OpenTelemetry tracers (previously unset).
+- area: udp
+  change: |
+    Change GRO read buffer to 64kB to avoid MSG_TRUNC. And change the way to limit the number of packets processed per event
+    loop to work with GRO. This behavior can be reverted by setting runtime guard
+    ``envoy.reloadable_features.udp_socket_apply_aggregated_read_limit`` to false.
 
 bug_fixes:
 # *Changes expected to improve the state of the world and are unlikely to have negative effects*
@@ -25,7 +30,14 @@ bug_fixes:
   change: |
     Fix a RELEASE_ASSERT when using :ref:`auto_sni <envoy_v3_api_field_config.core.v3.UpstreamHttpProtocolOptions.auto_sni>`
     if the downstream request ``:authority`` was longer than 255 characters.
-
+- area: http
+  change: |
+    Fix a crash when reloading the HTTP Connection Manager via ECDS.
+- area: cares
+  change: |
+    Upgraded c-ares library to 1.20.1 and added fix to c-ares DNS implementation to additionally check for ``ARES_EREFUSED``,
+    ``ARES_ESERVFAIL``and ``ARES_ENOTIMP`` status. Without this fix, ``DestroyChannelOnRefused`` and
+    ``CustomResolverValidAfterChannelDestruction`` unit test will break.
 
 removed_config_or_runtime:
 # *Normally occurs at the end of the* :ref:`deprecation period <deprecated>`
@@ -41,11 +53,18 @@ removed_config_or_runtime:
 - area: http
   change: |
     Removed ``envoy.reloadable_features.lowercase_scheme`` runtime flag and lagacy code paths.
+- area: router
+  change: |
+    Removed ``envoy.reloadable_features.copy_response_code_to_downstream_stream_info`` runtime flag and legacy code paths.
 
 new_features:
 - area: matching
   change: |
     Added :ref:`Filter State Input <envoy_v3_api_msg_extensions.matching.common_inputs.network.v3.FilterStateInput>`
     for matching http input based on filter state objects.
+- area: cares
+  change: |
+    Added :ref:`udp_max_queries<envoy_v3_api_field_extensions.network.dns_resolver.cares.v3.CaresDnsResolverConfig.udp_max_queries>`
+    option to limit the number of UDP queries.
 
 deprecated:

contrib/dlb/source/BUILD

@@ -15,6 +15,7 @@ envoy_contrib_package()
 
 make(
     name = "dlb",
+    env = {"DLB_DISABLE_DOMAIN_SERVER": "TRUE"},
     includes = [],
     lib_source = "@intel_dlb//:libdlb",
     out_static_libs = ["libdlb.a"],

contrib/kafka/filters/network/source/broker/config.cc

@@ -20,7 +20,7 @@ Network::FilterFactoryCb KafkaConfigFactory::createFilterFactoryFromProtoTyped(
       std::make_shared<BrokerFilterConfig>(proto_config);
   return [&context, filter_config](Network::FilterManager& filter_manager) -> void {
     Network::FilterSharedPtr filter = std::make_shared<KafkaBrokerFilter>(
-        context.scope(), context.serverFactoryContext().timeSource(), *filter_config);
+        context.scope(), context.serverFactoryContext().timeSource(), filter_config);
     filter_manager.addFilter(filter);
   };
 }