api: support rate limit action based on cidr match#42845
Merged
wbpcode merged 1 commit intoenvoyproxy:mainfrom Feb 4, 2026
Merged
api: support rate limit action based on cidr match#42845wbpcode merged 1 commit intoenvoyproxy:mainfrom
wbpcode merged 1 commit intoenvoyproxy:mainfrom
Conversation
|
CC @envoyproxy/api-shepherds: Your approval is needed for changes made to |
agrawroh
reviewed
Jan 4, 2026
Member
agrawroh
left a comment
agrawroh
left a comment
There was a problem hiding this comment.
Just curios, why can't we use the existing Dynamic Metadata for this? It should be trivial to write Dynamic Metadata for Remote Address and use that instead right?
Member
Author
|
@agrawroh the challenge here is not to apply rate limits to remote address ,in fact we already have the RemoteAddress rate limit action for this and can also use GenericKey with CEL without any dynamic metadata. But the usecase here is to apply different rate limits to remote addresses matching on some CIDRs. See the referred issue #36442 and also the related envoyproxy/gateway#4385 issue. |
rudrakhp
force-pushed
the
api_cidr_matcher
branch
from
75d5207 to
42e82a7
Compare
wbpcode
reviewed
Jan 5, 2026
Member
wbpcode
left a comment
wbpcode
left a comment
There was a problem hiding this comment.
Thanks for the contribution and some comments are added.
rudrakhp
force-pushed
the
api_cidr_matcher
branch
from
42e82a7 to
82f2214
Compare
Member
Author
|
/retest |
adisuissa
reviewed
Jan 14, 2026
Contributor
adisuissa
left a comment
adisuissa
left a comment
There was a problem hiding this comment.
Thanks!
I think that matching is a good feature to have, I just wonder whether it could be more generic.
|
|
||
| // [#not-implemented-hide:] | ||
| // Rate limit on remote address match. | ||
| RemoteAddressMatch remote_address_match = 13; |
Contributor
There was a problem hiding this comment.
I think this new field is confusing because there are already remote_address and remote_address_match. I think calrifying the reasoning behind this feature is the first step. I'm not an expert in this domain, but I would suggest one of the following:
- consider adding options to
RemoteAddressandMaskedRemoteAddressthat enables the matching (the reasoning behind this is that I think that matching is more generic and orthogonal to whether the matched object is a remote address, a request header, etc). - See if this should be a typed-extension (using the
extensionfield).
cc @wbpcode due to the comment in #36442
Member
Author
There was a problem hiding this comment.
@adisuissa thanks for the comment. This is supposed to handle all the remote address matching usecases in a generic way by leveraging CEL and substitution formatting in descriptor_value. For example:
- Using
%DOWNSTREAM_REMOTE_ADDRESS%here will handle the existingRemoteAddressusecase with CIDR matching. - We might need to introduce formatter like
%MASKED_DOWNSTREAM_REMOTE_ADDRESS(len)%to handleMaskedRemoteAddressusecase with CIDR matching. See feat: add formatters for masked IP addresses #42969 .
@wbpcode is aligned with the RemoteAddressMatch approach (see comments above), if the name is confusing I will think of some alternatives.
Member
Author
There was a problem hiding this comment.
^ bump @adisuissa @wbpcode
How does remote_address_range_match / remote_address_value_match sound instead of remote_address_match?
Contributor
There was a problem hiding this comment.
@wbpcode is the expert on substitution formatters. I'm just presenting my thoughts on design and combination of features.
Member
Author
There was a problem hiding this comment.
Sure, thanks for your inputs!
Member
There was a problem hiding this comment.
There are some similar patterns:
request_headers vs header_value_match, query_parameters vs query_parameter_value_match, the former will use the content of header/query as the descriptor value, the latter use a matcher to match the header/query's content and use some other unrelated values as descriptor value.
This is the same pattern for RemoteAddress and RemoteAddressMatch
It's hard to add match option in the RemoteAddress and get similar result.
Contributor
There was a problem hiding this comment.
Whatever you decide.
My 2cents is that if there are repeated sub-configurations that will be needed in different places, then it suggests a design smell, but I'm not against the current suggestion.
Member
Author
There was a problem hiding this comment.
IMO we must mark the RemoteAddress and MaskedRemoteAddress as deprecated options after this implementation goes in. CEL should be the way forward instead of having dedicated rate limit actions for each usecase. That should also help address @adisuissa's comment regarding repeated sub-configurations.
wbpcode
pushed a commit
that referenced
this pull request
Jan 20, 2026
<!-- !!!ATTENTION!!! If you are fixing *any* crash or *any* potential security issue, *do not* open a pull request in this repo. Please report the issue via emailing envoy-security@googlegroups.com where the issue will be triaged appropriately. Thank you in advance for helping to keep Envoy secure. !!!ATTENTION!!! For an explanation of how to fill out the fields, please see the relevant section in [PULL_REQUESTS.md](https://github.com/envoyproxy/envoy/blob/main/PULL_REQUESTS.md) !!!ATTENTION!!! Please check the [use of generative AI policy](https://github.com/envoyproxy/envoy/blob/main/CONTRIBUTING.md?plain=1#L41). You may use generative AI only if you fully understand the code. You need to disclose this usage in the PR description to ensure transparency. --> Commit Message: Add formatters for masked IP addresses Additional Description: Added masked alternatives for supported substitution formatters that return IP addresses today Risk Level: Low Testing: Unit testing Docs Changes: Added the new substitution formatters to docs Release Notes: Yes Platform Specific Features: N/A Related: #42845 (comment) Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com>
wbpcode
previously approved these changes
Feb 3, 2026
rudrakhp
force-pushed
the
api_cidr_matcher
branch
from
82f2214 to
7df230d
Compare
Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com>
rudrakhp
force-pushed
the
api_cidr_matcher
branch
from
7df230d to
43251ef
Compare
Member
Author
|
/retest |
wbpcode
approved these changes
Feb 4, 2026
wbpcode
pushed a commit
that referenced
this pull request
Feb 11, 2026
<!-- !!!ATTENTION!!! If you are fixing *any* crash or *any* potential security issue, *do not* open a pull request in this repo. Please report the issue via emailing envoy-security@googlegroups.com where the issue will be triaged appropriately. Thank you in advance for helping to keep Envoy secure. !!!ATTENTION!!! For an explanation of how to fill out the fields, please see the relevant section in [PULL_REQUESTS.md](https://github.com/envoyproxy/envoy/blob/main/PULL_REQUESTS.md) !!!ATTENTION!!! Please check the [use of generative AI policy](https://github.com/envoyproxy/envoy/blob/main/CONTRIBUTING.md?plain=1#L41). You may use generative AI only if you fully understand the code. You need to disclose this usage in the PR description to ensure transparency. --> Commit Message: Additional Description: Support rate limit actions on remote address match. Includes implementation `invert_match` for address matcher. Risk Level: Low Testing: Unit testing Docs Changes: n/a Release Notes: Yes Platform Specific Features: [Optional Runtime guard:] Fixes #36442 Implements API introduced in #42845 Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com>
shane-yuan
pushed a commit
to shane-yuan/envoy
that referenced
this pull request
Feb 11, 2026
<!-- !!!ATTENTION!!! If you are fixing *any* crash or *any* potential security issue, *do not* open a pull request in this repo. Please report the issue via emailing envoy-security@googlegroups.com where the issue will be triaged appropriately. Thank you in advance for helping to keep Envoy secure. !!!ATTENTION!!! For an explanation of how to fill out the fields, please see the relevant section in [PULL_REQUESTS.md](https://github.com/envoyproxy/envoy/blob/main/PULL_REQUESTS.md) !!!ATTENTION!!! Please check the [use of generative AI policy](https://github.com/envoyproxy/envoy/blob/main/CONTRIBUTING.md?plain=1#L41). You may use generative AI only if you fully understand the code. You need to disclose this usage in the PR description to ensure transparency. --> Commit Message: Add formatters for masked IP addresses Additional Description: Added masked alternatives for supported substitution formatters that return IP addresses today Risk Level: Low Testing: Unit testing Docs Changes: Added the new substitution formatters to docs Release Notes: Yes Platform Specific Features: N/A Related: envoyproxy#42845 (comment) Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com>
shane-yuan
pushed a commit
to shane-yuan/envoy
that referenced
this pull request
Feb 11, 2026
Commit Message: [api] support rate limit action based on cidr match Additional Description: Proposed API changes to support rate limit actions on remote address match. This includes additions of a new rate limit action `RemoteAddressMatch` as well as inclusion of a CIDR matcher in the `MaskedRemoteAddress` action. Risk Level: Low (doesn't break/affect existing usecases) Testing: N/A (API changes only) Docs Changes: N/A Release Notes: N/A Platform Specific Features: N/A [Optional Runtime guard:] Related envoyproxy#36442 [Optional Fixes commit #PR or SHA] [Optional Deprecated:] Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md): * `RemoteAddressMatch` rate limit action will cater to usecases that need to match on remote address. * Need to enhance substitution formatter to support `%MASKED_REMOTE_ADDRESS(prefix_len)%`. * Reusing existing `type.matcher.v3.AddressMatcher`. Need to implement `invert_match` in existing usage at `FilterStateIpRangeMatcher::match`. Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com>
shane-yuan
pushed a commit
to shane-yuan/envoy
that referenced
this pull request
Feb 11, 2026
<!-- !!!ATTENTION!!! If you are fixing *any* crash or *any* potential security issue, *do not* open a pull request in this repo. Please report the issue via emailing envoy-security@googlegroups.com where the issue will be triaged appropriately. Thank you in advance for helping to keep Envoy secure. !!!ATTENTION!!! For an explanation of how to fill out the fields, please see the relevant section in [PULL_REQUESTS.md](https://github.com/envoyproxy/envoy/blob/main/PULL_REQUESTS.md) !!!ATTENTION!!! Please check the [use of generative AI policy](https://github.com/envoyproxy/envoy/blob/main/CONTRIBUTING.md?plain=1#L41). You may use generative AI only if you fully understand the code. You need to disclose this usage in the PR description to ensure transparency. --> Commit Message: Additional Description: Support rate limit actions on remote address match. Includes implementation `invert_match` for address matcher. Risk Level: Low Testing: Unit testing Docs Changes: n/a Release Notes: Yes Platform Specific Features: [Optional Runtime guard:] Fixes envoyproxy#36442 Implements API introduced in envoyproxy#42845 Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com>
nickshokri
pushed a commit
to nickshokri/envoy
that referenced
this pull request
Mar 17, 2026
Commit Message: [api] support rate limit action based on cidr match Additional Description: Proposed API changes to support rate limit actions on remote address match. This includes additions of a new rate limit action `RemoteAddressMatch` as well as inclusion of a CIDR matcher in the `MaskedRemoteAddress` action. Risk Level: Low (doesn't break/affect existing usecases) Testing: N/A (API changes only) Docs Changes: N/A Release Notes: N/A Platform Specific Features: N/A [Optional Runtime guard:] Related envoyproxy#36442 [Optional Fixes commit #PR or SHA] [Optional Deprecated:] Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md): * `RemoteAddressMatch` rate limit action will cater to usecases that need to match on remote address. * Need to enhance substitution formatter to support `%MASKED_REMOTE_ADDRESS(prefix_len)%`. * Reusing existing `type.matcher.v3.AddressMatcher`. Need to implement `invert_match` in existing usage at `FilterStateIpRangeMatcher::match`. Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> Signed-off-by: nick <nickshokri@google.com>
nickshokri
pushed a commit
to nickshokri/envoy
that referenced
this pull request
Mar 17, 2026
<!-- !!!ATTENTION!!! If you are fixing *any* crash or *any* potential security issue, *do not* open a pull request in this repo. Please report the issue via emailing envoy-security@googlegroups.com where the issue will be triaged appropriately. Thank you in advance for helping to keep Envoy secure. !!!ATTENTION!!! For an explanation of how to fill out the fields, please see the relevant section in [PULL_REQUESTS.md](https://github.com/envoyproxy/envoy/blob/main/PULL_REQUESTS.md) !!!ATTENTION!!! Please check the [use of generative AI policy](https://github.com/envoyproxy/envoy/blob/main/CONTRIBUTING.md?plain=1#L41). You may use generative AI only if you fully understand the code. You need to disclose this usage in the PR description to ensure transparency. --> Commit Message: Additional Description: Support rate limit actions on remote address match. Includes implementation `invert_match` for address matcher. Risk Level: Low Testing: Unit testing Docs Changes: n/a Release Notes: Yes Platform Specific Features: [Optional Runtime guard:] Fixes envoyproxy#36442 Implements API introduced in envoyproxy#42845 Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> Signed-off-by: nick <nickshokri@google.com>
nickshokri
pushed a commit
to nickshokri/envoy
that referenced
this pull request
Mar 17, 2026
Commit Message: [api] support rate limit action based on cidr match Additional Description: Proposed API changes to support rate limit actions on remote address match. This includes additions of a new rate limit action `RemoteAddressMatch` as well as inclusion of a CIDR matcher in the `MaskedRemoteAddress` action. Risk Level: Low (doesn't break/affect existing usecases) Testing: N/A (API changes only) Docs Changes: N/A Release Notes: N/A Platform Specific Features: N/A [Optional Runtime guard:] Related envoyproxy#36442 [Optional Fixes commit #PR or SHA] [Optional Deprecated:] Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md): * `RemoteAddressMatch` rate limit action will cater to usecases that need to match on remote address. * Need to enhance substitution formatter to support `%MASKED_REMOTE_ADDRESS(prefix_len)%`. * Reusing existing `type.matcher.v3.AddressMatcher`. Need to implement `invert_match` in existing usage at `FilterStateIpRangeMatcher::match`. Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> Signed-off-by: nick <nickshokri@google.com>
nickshokri
pushed a commit
to nickshokri/envoy
that referenced
this pull request
Mar 17, 2026
<!-- !!!ATTENTION!!! If you are fixing *any* crash or *any* potential security issue, *do not* open a pull request in this repo. Please report the issue via emailing envoy-security@googlegroups.com where the issue will be triaged appropriately. Thank you in advance for helping to keep Envoy secure. !!!ATTENTION!!! For an explanation of how to fill out the fields, please see the relevant section in [PULL_REQUESTS.md](https://github.com/envoyproxy/envoy/blob/main/PULL_REQUESTS.md) !!!ATTENTION!!! Please check the [use of generative AI policy](https://github.com/envoyproxy/envoy/blob/main/CONTRIBUTING.md?plain=1#L41). You may use generative AI only if you fully understand the code. You need to disclose this usage in the PR description to ensure transparency. --> Commit Message: Additional Description: Support rate limit actions on remote address match. Includes implementation `invert_match` for address matcher. Risk Level: Low Testing: Unit testing Docs Changes: n/a Release Notes: Yes Platform Specific Features: [Optional Runtime guard:] Fixes envoyproxy#36442 Implements API introduced in envoyproxy#42845 Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> Signed-off-by: nick <nickshokri@google.com>
grnmeira
pushed a commit
to grnmeira/envoy
that referenced
this pull request
Mar 20, 2026
<!-- !!!ATTENTION!!! If you are fixing *any* crash or *any* potential security issue, *do not* open a pull request in this repo. Please report the issue via emailing envoy-security@googlegroups.com where the issue will be triaged appropriately. Thank you in advance for helping to keep Envoy secure. !!!ATTENTION!!! For an explanation of how to fill out the fields, please see the relevant section in [PULL_REQUESTS.md](https://github.com/envoyproxy/envoy/blob/main/PULL_REQUESTS.md) !!!ATTENTION!!! Please check the [use of generative AI policy](https://github.com/envoyproxy/envoy/blob/main/CONTRIBUTING.md?plain=1#L41). You may use generative AI only if you fully understand the code. You need to disclose this usage in the PR description to ensure transparency. --> Commit Message: Add formatters for masked IP addresses Additional Description: Added masked alternatives for supported substitution formatters that return IP addresses today Risk Level: Low Testing: Unit testing Docs Changes: Added the new substitution formatters to docs Release Notes: Yes Platform Specific Features: N/A Related: envoyproxy#42845 (comment) Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> Signed-off-by: Gustavo <grnmeira@gmail.com>
grnmeira
pushed a commit
to grnmeira/envoy
that referenced
this pull request
Mar 20, 2026
Commit Message: [api] support rate limit action based on cidr match Additional Description: Proposed API changes to support rate limit actions on remote address match. This includes additions of a new rate limit action `RemoteAddressMatch` as well as inclusion of a CIDR matcher in the `MaskedRemoteAddress` action. Risk Level: Low (doesn't break/affect existing usecases) Testing: N/A (API changes only) Docs Changes: N/A Release Notes: N/A Platform Specific Features: N/A [Optional Runtime guard:] Related envoyproxy#36442 [Optional Fixes commit #PR or SHA] [Optional Deprecated:] Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md): * `RemoteAddressMatch` rate limit action will cater to usecases that need to match on remote address. * Need to enhance substitution formatter to support `%MASKED_REMOTE_ADDRESS(prefix_len)%`. * Reusing existing `type.matcher.v3.AddressMatcher`. Need to implement `invert_match` in existing usage at `FilterStateIpRangeMatcher::match`. Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> Signed-off-by: Gustavo <grnmeira@gmail.com>
fishcakez
pushed a commit
to fishcakez/envoy
that referenced
this pull request
Mar 25, 2026
<!-- !!!ATTENTION!!! If you are fixing *any* crash or *any* potential security issue, *do not* open a pull request in this repo. Please report the issue via emailing envoy-security@googlegroups.com where the issue will be triaged appropriately. Thank you in advance for helping to keep Envoy secure. !!!ATTENTION!!! For an explanation of how to fill out the fields, please see the relevant section in [PULL_REQUESTS.md](https://github.com/envoyproxy/envoy/blob/main/PULL_REQUESTS.md) !!!ATTENTION!!! Please check the [use of generative AI policy](https://github.com/envoyproxy/envoy/blob/main/CONTRIBUTING.md?plain=1#L41). You may use generative AI only if you fully understand the code. You need to disclose this usage in the PR description to ensure transparency. --> Commit Message: Additional Description: Support rate limit actions on remote address match. Includes implementation `invert_match` for address matcher. Risk Level: Low Testing: Unit testing Docs Changes: n/a Release Notes: Yes Platform Specific Features: [Optional Runtime guard:] Fixes envoyproxy#36442 Implements API introduced in envoyproxy#42845 Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com>
krinkinmu
pushed a commit
to grnmeira/envoy
that referenced
this pull request
Apr 20, 2026
<!-- !!!ATTENTION!!! If you are fixing *any* crash or *any* potential security issue, *do not* open a pull request in this repo. Please report the issue via emailing envoy-security@googlegroups.com where the issue will be triaged appropriately. Thank you in advance for helping to keep Envoy secure. !!!ATTENTION!!! For an explanation of how to fill out the fields, please see the relevant section in [PULL_REQUESTS.md](https://github.com/envoyproxy/envoy/blob/main/PULL_REQUESTS.md) !!!ATTENTION!!! Please check the [use of generative AI policy](https://github.com/envoyproxy/envoy/blob/main/CONTRIBUTING.md?plain=1#L41). You may use generative AI only if you fully understand the code. You need to disclose this usage in the PR description to ensure transparency. --> Commit Message: Additional Description: Support rate limit actions on remote address match. Includes implementation `invert_match` for address matcher. Risk Level: Low Testing: Unit testing Docs Changes: n/a Release Notes: Yes Platform Specific Features: [Optional Runtime guard:] Fixes envoyproxy#36442 Implements API introduced in envoyproxy#42845 Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Commit Message: [api] support rate limit action based on cidr match
Additional Description: Proposed API changes to support rate limit actions on remote address match. This includes additions of a new rate limit action
RemoteAddressMatchas well as inclusion of a CIDR matcher in theMaskedRemoteAddressaction.Risk Level: Low (doesn't break/affect existing usecases)
Testing: N/A (API changes only)
Docs Changes: N/A
Release Notes: N/A
Platform Specific Features: N/A
[Optional Runtime guard:]
Related #36442
[Optional Fixes commit #PR or SHA]
[Optional Deprecated:]
Optional API Considerations:
RemoteAddressMatchrate limit action will cater to usecases that need to match on remote address.%MASKED_REMOTE_ADDRESS(prefix_len)%.type.matcher.v3.AddressMatcher. Need to implementinvert_matchin existing usage atFilterStateIpRangeMatcher::match.