feat: support rate limit action based on cidr match

Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com>

Author: rudrakhp

api/envoy/config/route/v3/route_components.proto

@@ -2492,7 +2492,6 @@ message RateLimit {
     // .. code-block:: cpp
     //
     //   ("remote_address_match", "<descriptor_value>")
-    // [#not-implemented-hide:]
     message RemoteAddressMatch {
       // Descriptor value of entry.
       //
@@ -2502,13 +2501,13 @@ message RateLimit {
       //
       // .. note::
       //
-      //   The format string can contain multiple valid substitution fields. If multiple substitution
-      //   fields are present, their results will be concatenated to form the final descriptor value.
-      //   If it contains no substitution fields, the value will be used as is.
-      //   All substitution fields will be evaluated and their results concatenated.
-      //   If the final concatenated result is empty and ``default_value`` is set, the ``default_value`` will be used.
-      //   If ``default_value`` is not set and the result is empty, this descriptor will be skipped
-      //   and not included in the rate limit call.
+      //   The format string can contain multiple valid substitution fields. If multiple
+      //   substitution fields are present, their results will be concatenated to form the
+      //   final descriptor value. If it contains no substitution fields, the value will be
+      //   used as is. All substitution fields will be evaluated and their results concatenated.
+      //   If the final concatenated result is empty and ``default_value`` is set, the
+      //   ``default_value`` will be used. If ``default_value`` is not set and the result is
+      //   empty, this descriptor will be skipped and not included in the rate limit call.
       //
       // For example, ``static_value`` will be used as is since there are no substitution fields.
       // ``%REQ(:method)%`` will be replaced with the HTTP method, and
@@ -2588,7 +2587,6 @@ message RateLimit {
       // Rate limit on the existence of query parameters.
       QueryParameterValueMatch query_parameter_value_match = 11;
 
-      // [#not-implemented-hide:]
       // Rate limit on remote address match.
       RemoteAddressMatch remote_address_match = 13;
     }

api/envoy/type/matcher/v3/address.proto

@@ -20,7 +20,9 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 message AddressMatcher {
   repeated xds.core.v3.CidrRange ranges = 1;
 
-  // [#not-implemented-hide:]
   // If true, the match result will be inverted. Defaults to false.
+  //
+  // * If set to false (default), the matcher will return true if the IP matches any of the CIDR ranges.
+  // * If set to true, the matcher will return true if the IP does NOT match any of the CIDR ranges.
   bool invert_match = 2;
 }

changelogs/current.yaml

@@ -126,6 +126,10 @@ new_features:
     Added per-descriptor ``x-ratelimit-*`` headers support. See the
     :ref:`x_ratelimit_option <envoy_v3_api_field_config.route.v3.RateLimit.x_ratelimit_option>`
     field documentation for more details.
+- area: ratelimit
+  change: |
+    Added ``RemoteAddressMatch`` action to the rate limit filter. This action matches remote addresses against 
+    CIDR ranges with support for ``invert_match`` to match addresses outside specified ranges.
 - area: mcp_router
   change: |
     Added support for MCP client-to-server notification methods ``notifications/cancelled``

source/common/common/filter_state_object_matchers.cc

@@ -13,16 +13,17 @@ namespace Envoy {
 namespace Matchers {
 
 FilterStateIpRangeMatcher::FilterStateIpRangeMatcher(
-    std::unique_ptr<Network::Address::IpList>&& ip_list)
-    : ip_list_(std::move(ip_list)) {}
+    std::unique_ptr<Network::Address::IpList>&& ip_list, bool invert_match)
+    : ip_list_(std::move(ip_list)), invert_match_(invert_match) {}
 
 bool FilterStateIpRangeMatcher::match(const StreamInfo::FilterState::Object& object) const {
   const Network::Address::InstanceAccessor* ip =
       dynamic_cast<const Network::Address::InstanceAccessor*>(&object);
   if (ip == nullptr) {
     return false;
   }
-  return ip_list_->contains(*ip->getIp());
+  const bool matches = ip_list_->contains(*ip->getIp());
+  return invert_match_ ? !matches : matches;
 }
 
 FilterStateStringMatcher::FilterStateStringMatcher(StringMatcherPtr&& string_matcher)

source/common/common/filter_state_object_matchers.h

@@ -21,11 +21,13 @@ using FilterStateObjectMatcherPtr = std::unique_ptr<FilterStateObjectMatcher>;
 
 class FilterStateIpRangeMatcher : public FilterStateObjectMatcher {
 public:
-  FilterStateIpRangeMatcher(std::unique_ptr<Network::Address::IpList>&& ip_list);
+  FilterStateIpRangeMatcher(std::unique_ptr<Network::Address::IpList>&& ip_list,
+                            bool invert_match = false);
   bool match(const StreamInfo::FilterState::Object& object) const override;
 
 private:
   std::unique_ptr<Envoy::Network::Address::IpList> ip_list_;
+  const bool invert_match_;
 };
 
 class FilterStateStringMatcher : public FilterStateObjectMatcher {

source/common/common/matchers.cc

@@ -182,7 +182,8 @@ filterStateObjectMatcherFromProto(const envoy::type::matcher::v3::FilterStateMat
   case envoy::type::matcher::v3::FilterStateMatcher::MatcherCase::kAddressMatch: {
     auto ip_list = Network::Address::IpList::create(matcher.address_match().ranges());
     RETURN_IF_NOT_OK_REF(ip_list.status());
-    return std::make_unique<FilterStateIpRangeMatcher>(std::move(*ip_list));
+    return std::make_unique<FilterStateIpRangeMatcher>(std::move(*ip_list),
+                                                       matcher.address_match().invert_match());
     break;
   }
   default:

source/common/router/router_ratelimit.cc

@@ -342,6 +342,47 @@ QueryParameterValueMatchAction::buildQueryParameterMatcherVector(
   return ret;
 }
 
+RemoteAddressMatchAction::RemoteAddressMatchAction(
+    const envoy::config::route::v3::RateLimit::Action::RemoteAddressMatch& action,
+    Server::Configuration::CommonFactoryContext&)
+    : descriptor_value_(action.descriptor_value()),
+      descriptor_key_(!action.descriptor_key().empty() ? action.descriptor_key()
+                                                       : "remote_address_match"),
+      default_value_(action.default_value()),
+      ip_list_(Network::Address::IpList::create(action.address_matcher().ranges()).value()),
+      invert_match_(action.address_matcher().invert_match()),
+      descriptor_formatter_(Formatter::FormatterImpl::create(descriptor_value_, true).value()) {}
+
+bool RemoteAddressMatchAction::populateDescriptor(RateLimit::DescriptorEntry& descriptor_entry,
+                                                  const std::string&,
+                                                  const Http::RequestHeaderMap& headers,
+                                                  const StreamInfo::StreamInfo& info) const {
+  // Check if remote address matches the address matcher
+  const Network::Address::InstanceConstSharedPtr& remote_address =
+      info.downstreamAddressProvider().remoteAddress();
+  if (remote_address->type() != Network::Address::Type::Ip) {
+    return false;
+  }
+
+  const bool matches = ip_list_->contains(*remote_address);
+  const bool should_apply = invert_match_ ? !matches : matches;
+  if (!should_apply) {
+    return false;
+  }
+
+  // Format the descriptor value
+  const std::string formatted_value = descriptor_formatter_->format({&headers}, info);
+  if (!formatted_value.empty()) {
+    descriptor_entry = {descriptor_key_, formatted_value};
+  } else if (!default_value_.empty()) {
+    descriptor_entry = {descriptor_key_, default_value_};
+  } else {
+    // If formatting resulted in empty string and no default_value, skip this descriptor
+    return false;
+  }
+  return true;
+}
+
 RateLimitPolicyEntryImpl::RateLimitPolicyEntryImpl(
     const envoy::config::route::v3::RateLimit& config,
     Server::Configuration::CommonFactoryContext& context, absl::Status& creation_status)
@@ -453,8 +494,7 @@ RateLimitPolicyEntryImpl::RateLimitPolicyEntryImpl(
       break;
     }
     case envoy::config::route::v3::RateLimit::Action::ActionSpecifierCase::kRemoteAddressMatch:
-      // [#not-implemented-hide:] RemoteAddressMatch is not yet implemented.
-      PANIC("RemoteAddressMatch rate limit action is not yet implemented");
+      actions_.emplace_back(new RemoteAddressMatchAction(action.remote_address_match(), context));
       break;
     case envoy::config::route::v3::RateLimit::Action::ActionSpecifierCase::ACTION_SPECIFIER_NOT_SET:
       PANIC_DUE_TO_CORRUPT_ENUM;

source/common/router/router_ratelimit.h

@@ -238,6 +238,30 @@ class QueryParameterValueMatchAction : public RateLimit::DescriptorProducer {
   const std::unique_ptr<Formatter::FormatterImpl> descriptor_formatter_;
 };
 
+/**
+ * Action for remote address match rate limiting.
+ */
+class RemoteAddressMatchAction : public RateLimit::DescriptorProducer {
+public:
+  RemoteAddressMatchAction(
+      const envoy::config::route::v3::RateLimit::Action::RemoteAddressMatch& action,
+      Server::Configuration::CommonFactoryContext& context);
+
+  // Ratelimit::DescriptorProducer
+  bool populateDescriptor(RateLimit::DescriptorEntry& descriptor_entry,
+                          const std::string& local_service_cluster,
+                          const Http::RequestHeaderMap& headers,
+                          const StreamInfo::StreamInfo& info) const override;
+
+private:
+  const std::string descriptor_value_;
+  const std::string descriptor_key_;
+  const std::string default_value_;
+  const std::unique_ptr<Network::Address::IpList> ip_list_;
+  const bool invert_match_;
+  const std::unique_ptr<Formatter::FormatterImpl> descriptor_formatter_;
+};
+
 class RateLimitDescriptorValidationVisitor
     : public Matcher::MatchTreeValidationVisitor<Http::HttpMatchingData> {
 public:

source/extensions/filters/common/ratelimit_config/ratelimit_config.cc

@@ -161,6 +161,10 @@ RateLimitPolicy::RateLimitPolicy(const ProtoRateLimit& config,
           action.query_parameter_value_match(), context, std::move(formatter_or_error.value())));
       break;
     }
+    case ProtoRateLimit::Action::ActionSpecifierCase::kRemoteAddressMatch:
+      actions_.emplace_back(
+          new Router::RemoteAddressMatchAction(action.remote_address_match(), context));
+      break;
     default:
       creation_status = absl::InvalidArgumentError(fmt::format(
           "Unsupported rate limit action: {}", static_cast<int>(action.action_specifier_case())));

test/common/common/matchers_test.cc

@@ -788,6 +788,162 @@ TEST_F(FilterStateMatcher, NoMatchFilterStateAddressMatchIpv6) {
   EXPECT_FALSE((*filter_state_matcher)->match(filter_state));
 }
 
+TEST_F(FilterStateMatcher, MatchFilterStateAddressMatchIpv4InvertMatch) {
+  const std::string key = "test.key";
+  envoy::type::matcher::v3::FilterStateMatcher matcher;
+  matcher.set_key(key);
+  auto* cidrv4 = matcher.mutable_address_match()->add_ranges();
+  cidrv4->set_address_prefix("10.0.0.0");
+  cidrv4->mutable_prefix_len()->set_value(8);
+  matcher.mutable_address_match()->set_invert_match(true);
+
+  StreamInfo::FilterStateImpl filter_state(StreamInfo::FilterState::LifeSpan::Connection);
+  filter_state.setData(
+      key,
+      std::make_shared<Network::Address::InstanceAccessor>(
+          Envoy::Network::Utility::parseInternetAddressNoThrow("192.168.1.1", 456, false)),
+      StreamInfo::FilterState::StateType::Mutable);
+
+  auto filter_state_matcher = Matchers::FilterStateMatcher::create(matcher, context_);
+  ASSERT_TRUE(filter_state_matcher.ok());
+  EXPECT_TRUE((*filter_state_matcher)->match(filter_state));
+}
+
+TEST_F(FilterStateMatcher, NoMatchFilterStateAddressMatchIpv4InvertMatch) {
+  const std::string key = "test.key";
+  envoy::type::matcher::v3::FilterStateMatcher matcher;
+  matcher.set_key(key);
+  auto* cidrv4 = matcher.mutable_address_match()->add_ranges();
+  cidrv4->set_address_prefix("10.0.0.0");
+  cidrv4->mutable_prefix_len()->set_value(8);
+  matcher.mutable_address_match()->set_invert_match(true);
+
+  StreamInfo::FilterStateImpl filter_state(StreamInfo::FilterState::LifeSpan::Connection);
+  filter_state.setData(
+      key,
+      std::make_shared<Network::Address::InstanceAccessor>(
+          Envoy::Network::Utility::parseInternetAddressNoThrow("10.0.0.1", 456, false)),
+      StreamInfo::FilterState::StateType::Mutable);
+
+  auto filter_state_matcher = Matchers::FilterStateMatcher::create(matcher, context_);
+  ASSERT_TRUE(filter_state_matcher.ok());
+  EXPECT_FALSE((*filter_state_matcher)->match(filter_state));
+}
+
+TEST_F(FilterStateMatcher, MatchFilterStateAddressMatchIpv6InvertMatch) {
+  const std::string key = "test.key";
+  envoy::type::matcher::v3::FilterStateMatcher matcher;
+  matcher.set_key(key);
+  auto* cidrv6 = matcher.mutable_address_match()->add_ranges();
+  cidrv6->set_address_prefix("2001:db8::");
+  cidrv6->mutable_prefix_len()->set_value(32);
+  matcher.mutable_address_match()->set_invert_match(true);
+
+  StreamInfo::FilterStateImpl filter_state(StreamInfo::FilterState::LifeSpan::Connection);
+  filter_state.setData(
+      key,
+      std::make_shared<Network::Address::InstanceAccessor>(
+          Envoy::Network::Utility::parseInternetAddressNoThrow("2001:db7::1", 8080, false)),
+      StreamInfo::FilterState::StateType::Mutable);
+
+  auto filter_state_matcher = Matchers::FilterStateMatcher::create(matcher, context_);
+  ASSERT_TRUE(filter_state_matcher.ok());
+  EXPECT_TRUE((*filter_state_matcher)->match(filter_state));
+}
+
+TEST_F(FilterStateMatcher, NoMatchFilterStateAddressMatchIpv6InvertMatch) {
+  const std::string key = "test.key";
+  envoy::type::matcher::v3::FilterStateMatcher matcher;
+  matcher.set_key(key);
+  auto* cidrv6 = matcher.mutable_address_match()->add_ranges();
+  cidrv6->set_address_prefix("2001:db8::");
+  cidrv6->mutable_prefix_len()->set_value(32);
+  matcher.mutable_address_match()->set_invert_match(true);
+
+  StreamInfo::FilterStateImpl filter_state(StreamInfo::FilterState::LifeSpan::Connection);
+  filter_state.setData(
+      key,
+      std::make_shared<Network::Address::InstanceAccessor>(
+          Envoy::Network::Utility::parseInternetAddressNoThrow("2001:db8::1", 8080, false)),
+      StreamInfo::FilterState::StateType::Mutable);
+
+  auto filter_state_matcher = Matchers::FilterStateMatcher::create(matcher, context_);
+  ASSERT_TRUE(filter_state_matcher.ok());
+  EXPECT_FALSE((*filter_state_matcher)->match(filter_state));
+}
+
+TEST_F(FilterStateMatcher, MatchFilterStateAddressMatchMultipleRangesInvertMatch) {
+  const std::string key = "test.key";
+  envoy::type::matcher::v3::FilterStateMatcher matcher;
+  matcher.set_key(key);
+  auto* cidrv4_1 = matcher.mutable_address_match()->add_ranges();
+  cidrv4_1->set_address_prefix("10.0.0.0");
+  cidrv4_1->mutable_prefix_len()->set_value(8);
+  auto* cidrv4_2 = matcher.mutable_address_match()->add_ranges();
+  cidrv4_2->set_address_prefix("192.168.0.0");
+  cidrv4_2->mutable_prefix_len()->set_value(16);
+  matcher.mutable_address_match()->set_invert_match(true);
+
+  StreamInfo::FilterStateImpl filter_state(StreamInfo::FilterState::LifeSpan::Connection);
+  filter_state.setData(
+      key,
+      std::make_shared<Network::Address::InstanceAccessor>(
+          Envoy::Network::Utility::parseInternetAddressNoThrow("172.16.0.1", 456, false)),
+      StreamInfo::FilterState::StateType::Mutable);
+
+  auto filter_state_matcher = Matchers::FilterStateMatcher::create(matcher, context_);
+  ASSERT_TRUE(filter_state_matcher.ok());
+  EXPECT_TRUE((*filter_state_matcher)->match(filter_state));
+}
+
+TEST_F(FilterStateMatcher, NoMatchFilterStateAddressMatchMultipleRangesInvertMatchFirstRange) {
+  const std::string key = "test.key";
+  envoy::type::matcher::v3::FilterStateMatcher matcher;
+  matcher.set_key(key);
+  auto* cidrv4_1 = matcher.mutable_address_match()->add_ranges();
+  cidrv4_1->set_address_prefix("10.0.0.0");
+  cidrv4_1->mutable_prefix_len()->set_value(8);
+  auto* cidrv4_2 = matcher.mutable_address_match()->add_ranges();
+  cidrv4_2->set_address_prefix("192.168.0.0");
+  cidrv4_2->mutable_prefix_len()->set_value(16);
+  matcher.mutable_address_match()->set_invert_match(true);
+
+  StreamInfo::FilterStateImpl filter_state(StreamInfo::FilterState::LifeSpan::Connection);
+  filter_state.setData(
+      key,
+      std::make_shared<Network::Address::InstanceAccessor>(
+          Envoy::Network::Utility::parseInternetAddressNoThrow("10.0.0.1", 456, false)),
+      StreamInfo::FilterState::StateType::Mutable);
+
+  auto filter_state_matcher = Matchers::FilterStateMatcher::create(matcher, context_);
+  ASSERT_TRUE(filter_state_matcher.ok());
+  EXPECT_FALSE((*filter_state_matcher)->match(filter_state));
+}
+
+TEST_F(FilterStateMatcher, NoMatchFilterStateAddressMatchMultipleRangesInvertMatchSecondRange) {
+  const std::string key = "test.key";
+  envoy::type::matcher::v3::FilterStateMatcher matcher;
+  matcher.set_key(key);
+  auto* cidrv4_1 = matcher.mutable_address_match()->add_ranges();
+  cidrv4_1->set_address_prefix("10.0.0.0");
+  cidrv4_1->mutable_prefix_len()->set_value(8);
+  auto* cidrv4_2 = matcher.mutable_address_match()->add_ranges();
+  cidrv4_2->set_address_prefix("192.168.0.0");
+  cidrv4_2->mutable_prefix_len()->set_value(16);
+  matcher.mutable_address_match()->set_invert_match(true);
+
+  StreamInfo::FilterStateImpl filter_state(StreamInfo::FilterState::LifeSpan::Connection);
+  filter_state.setData(
+      key,
+      std::make_shared<Network::Address::InstanceAccessor>(
+          Envoy::Network::Utility::parseInternetAddressNoThrow("192.168.1.1", 456, false)),
+      StreamInfo::FilterState::StateType::Mutable);
+
+  auto filter_state_matcher = Matchers::FilterStateMatcher::create(matcher, context_);
+  ASSERT_TRUE(filter_state_matcher.ok());
+  EXPECT_FALSE((*filter_state_matcher)->match(filter_state));
+}
+
 } // namespace
 } // namespace Matcher
 } // namespace Envoy