work

Signed-off-by: Gal Ovadia <govadia@palantir.com>

Author: Gal Ovadia

envoy-1.37.0

@@ -0,0 +1,43 @@
+admin:
+  address:
+    socket_address:
+      address: 127.0.0.1
+      port_value: 9901
+
+static_resources:
+  listeners:
+  # TCP Listener only - for testing
+  - name: tcp_listener
+    address:
+      socket_address:
+        address: 0.0.0.0
+        port_value: 17100
+    filter_chains:
+    - filters:
+      - name: envoy.filters.network.dynamic_modules
+        typed_config:
+          "@type": type.googleapis.com/envoy.extensions.filters.network.dynamic_modules.v3.DynamicModuleNetworkFilter
+          dynamic_module_config:
+            name: rust_module
+            do_not_close: true
+          filter_name: hostname_lookup
+
+      - name: envoy.filters.network.tcp_proxy
+        typed_config:
+          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
+          stat_prefix: egress_tcp
+          cluster: default_cluster
+
+  clusters:
+  - name: default_cluster
+    connect_timeout: 5s
+    type: STATIC
+    load_assignment:
+      cluster_name: default_cluster
+      endpoints:
+      - lb_endpoints:
+        - endpoint:
+            address:
+              socket_address:
+                address: 127.0.0.1
+                port_value: 8080

envoy-egress-test-tcp-only.yaml

@@ -6,54 +6,54 @@ admin:
 
 static_resources:
   listeners:
-  # DNS Gateway - Listens for DNS queries
   - name: dns_listener
     address:
       socket_address:
         address: 0.0.0.0
         port_value: 5353
         protocol: UDP
-    udp_listener_config:
-      listener_filters:
-      - name: envoy.filters.udp_listener.dynamic_modules
-        typed_config:
-          "@type": type.googleapis.com/envoy.extensions.dynamic_modules.v3.DynamicModuleConfig
-          name: dns_gateway
+    listener_filters:
+    - name: envoy.filters.udp_listener.dynamic_modules
+      typed_config:
+        "@type": type.googleapis.com/envoy.extensions.filters.udp.dynamic_modules.v3.DynamicModuleUdpListenerFilter
+        dynamic_module_config:
+          name: rust_module
           do_not_close: true
-          config:
+        filter_name: dns_gateway
+        filter_config:
+          "@type": type.googleapis.com/google.protobuf.Struct
+          value:
             base_ip: "10.10.0.0"
             policies:
-            - domain: "*.aws.com"
-              metadata:
-                upstream_cluster: "aws_cluster"
-                tunneling_hostname: "tunnel.aws.com"
-            - domain: "*.example.com"
-              metadata:
-                upstream_cluster: "example_cluster"
-                tunneling_hostname: "tunnel.example.com"
+              - domain: "*.aws.com"
+                metadata:
+                  my_arbitrary_key: some_value
 
-  # TCP Listener - Receives connections to virtual IPs
   - name: tcp_listener
     address:
       socket_address:
         address: 0.0.0.0
         port_value: 17100
     filter_chains:
     - filters:
-      # Hostname lookup filter - looks up policy from virtual IP
       - name: envoy.filters.network.dynamic_modules
         typed_config:
-          "@type": type.googleapis.com/envoy.extensions.dynamic_modules.v3.DynamicModuleConfig
-          name: hostname_lookup
-          do_not_close: true
-          config: {}
-
-      # TCP proxy - forwards traffic
+          "@type": type.googleapis.com/envoy.extensions.filters.network.dynamic_modules.v3.DynamicModuleNetworkFilter
+          dynamic_module_config:
+            name: rust_module
+            do_not_close: true
+          filter_name: hostname_lookup
       - name: envoy.filters.network.tcp_proxy
         typed_config:
           "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
           stat_prefix: egress_tcp
           cluster: default_cluster
+          access_log:
+          - name: envoy.access_loggers.stdout
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
+              log_format:
+                text_format: "[TCP_PROXY_LOG] my_arbitrary_key=%FILTER_STATE(envoy.wildcard.metadata.my_arbitrary_key:PLAIN)%\n"
 
   clusters:
   - name: default_cluster
@@ -69,6 +69,20 @@ static_resources:
                 address: 127.0.0.1
                 port_value: 8080
 
+  # Upstream DNS server for unmatched DNS queries (udp_proxy fallback)
+  - name: upstream_dns
+    connect_timeout: 5s
+    type: STATIC
+    load_assignment:
+      cluster_name: upstream_dns
+      endpoints:
+      - lb_endpoints:
+        - endpoint:
+            address:
+              socket_address:
+                address: 8.8.8.8
+                port_value: 53
+
   - name: aws_cluster
     connect_timeout: 5s
     type: STATIC

envoy-egress-test.yaml

@@ -17,10 +17,11 @@ static_resources:
       # Hostname lookup filter - manually initialize cache for testing
       - name: envoy.filters.network.dynamic_modules
         typed_config:
-          "@type": type.googleapis.com/envoy.extensions.dynamic_modules.v3.DynamicModuleConfig
-          name: hostname_lookup
-          do_not_close: true
-          config: {}
+          "@type": type.googleapis.com/envoy.extensions.filters.network.dynamic_modules.v3.DynamicModuleNetworkFilter
+          dynamic_module_config:
+            name: rust_module
+            do_not_close: true
+          filter_name: hostname_lookup
 
       # TCP proxy - forwards traffic
       - name: envoy.filters.network.tcp_proxy

envoy-simple-test.yaml

@@ -3,7 +3,7 @@
 # Egress Policies Dynamic Module - Envoy Startup Script
 
 # Set the module search path
-export ENVOY_DYNAMIC_MODULES_SEARCH_PATH=/Users/govadia/Desktop/dynamic-modules-examples/rust/target/release
+export ENVOY_DYNAMIC_MODULES_SEARCH_PATH=/home/coder/git/dynamic-modules-examples/rust/target/release
 
 echo "=== Starting Envoy with Egress Policies Dynamic Module ==="
 echo ""
@@ -18,12 +18,6 @@ echo ""
 echo "Test with: ./test-egress.sh"
 echo ""
 
-# Check if envoy is installed
-if ! command -v envoy &> /dev/null; then
-    echo "ERROR: envoy command not found"
-    echo "Install with: brew install envoyproxy/envoy/envoy"
-    exit 1
-fi
 
 # Check if module exists
 if [ ! -f "$ENVOY_DYNAMIC_MODULES_SEARCH_PATH/librust_module.dylib" ] && [ ! -f "$ENVOY_DYNAMIC_MODULES_SEARCH_PATH/librust_module.so" ]; then
@@ -33,5 +27,5 @@ if [ ! -f "$ENVOY_DYNAMIC_MODULES_SEARCH_PATH/librust_module.dylib" ] && [ ! -f
 fi
 
 # Start Envoy
-cd /Users/govadia/Desktop/dynamic-modules-examples
-envoy -c envoy-egress-test.yaml --log-level info
+cd /home/coder/git/dynamic-modules-examples
+./envoy-1.37.0 -c envoy-egress-test.yaml --log-level info

run-envoy.sh

@@ -47,9 +47,21 @@ pub fn new_udp_filter_config<EC: EnvoyUdpListenerFilterConfig, ELF: EnvoyUdpList
     _name: &str,
     config: &[u8],
 ) -> Option<Box<dyn UdpListenerFilterConfig<ELF>>> {
-    // Parse config as JSON
+    // Parse config as JSON. The config arrives as a JSON-serialized google.protobuf.Any.
+    // Supported wrappers:
+    //   - StringValue: {"@type":"...StringValue", "value":"<json string>"}
+    //   - Struct:      {"@type":"...Struct", "value":{"base_ip":"...", ...}}
     let config_str = std::str::from_utf8(config).ok()?;
-    let config_json: serde_json::Value = serde_json::from_str(config_str).ok()?;
+    let outer_json: serde_json::Value = serde_json::from_str(config_str).ok()?;
+
+    let config_json: serde_json::Value = match &outer_json["value"] {
+        // StringValue: "value" is a JSON string that we parse again.
+        serde_json::Value::String(s) => serde_json::from_str(s).ok()?,
+        // Struct: "value" is already an object with our config fields.
+        serde_json::Value::Object(_) => outer_json["value"].clone(),
+        // Fallback: use the outer object directly.
+        _ => outer_json,
+    };
 
     // Parse base_ip from config (default: 10.10.0.0)
     let base_ip_str = config_json["base_ip"]
@@ -114,49 +126,63 @@ impl<ELF: EnvoyUdpListenerFilter> UdpListenerFilter<ELF> for DnsGatewayFilter {
         envoy_filter: &mut ELF,
     ) -> abi::envoy_dynamic_module_type_on_udp_listener_filter_status {
         // Get datagram data
-        let (chunks, _total_length) = envoy_filter.get_datagram_data();
+        let (chunks, total_length) = envoy_filter.get_datagram_data();
+        envoy_log_info!("dns_gateway: received UDP datagram, {} bytes, {} chunks", total_length, chunks.len());
         let mut data = Vec::new();
         for chunk in &chunks {
             data.extend_from_slice(chunk.as_slice());
         }
 
+        // Get peer address for sending the response back
+        let peer = envoy_filter.get_peer_address();
+        envoy_log_info!("dns_gateway: peer address: {:?}", peer);
+
         // Parse DNS query using hickory-dns
         let mut decoder = BinDecoder::new(&data);
         let query_message = match Message::read(&mut decoder) {
             Ok(msg) => msg,
             Err(e) => {
-                envoy_log_warn!("Failed to parse DNS query: {}", e);
+                envoy_log_warn!("dns_gateway: failed to parse DNS query: {}", e);
                 return abi::envoy_dynamic_module_type_on_udp_listener_filter_status::Continue;
             }
         };
 
+        envoy_log_info!("dns_gateway: parsed DNS message id={}, type={:?}, queries={}",
+            query_message.id(), query_message.message_type(), query_message.queries().len());
+
         // Validate it's a query and has at least one question
         if query_message.message_type() != MessageType::Query {
-            envoy_log_warn!("Received non-query DNS message");
+            envoy_log_warn!("dns_gateway: received non-query DNS message");
             return abi::envoy_dynamic_module_type_on_udp_listener_filter_status::Continue;
         }
 
         let question = match query_message.queries().first() {
             Some(q) => q,
             None => {
-                envoy_log_warn!("DNS query has no questions");
+                envoy_log_warn!("dns_gateway: DNS query has no questions");
                 return abi::envoy_dynamic_module_type_on_udp_listener_filter_status::Continue;
             }
         };
 
         // Only handle A record queries
         if question.query_type() != RecordType::A {
-            envoy_log_debug!("Ignoring non-A record query: {:?}", question.query_type());
+            envoy_log_info!("dns_gateway: ignoring non-A record query: {:?}", question.query_type());
             return abi::envoy_dynamic_module_type_on_udp_listener_filter_status::Continue;
         }
 
-        let domain = question.name().to_utf8();
-        envoy_log_debug!("DNS query for domain: {}", domain);
+        let domain_raw = question.name().to_utf8();
+        // DNS names are fully qualified with a trailing dot (e.g. "api.aws.com.").
+        // Strip it so our wildcard patterns like "*.aws.com" match correctly.
+        let domain = domain_raw.strip_suffix('.').unwrap_or(&domain_raw).to_string();
+        envoy_log_info!("dns_gateway: A record query for domain: {} (raw: {})", domain, domain_raw);
 
         // Match against policies
         let matched_policy = self.policies.iter().find(|p| p.matches(&domain));
 
         if let Some(policy_matcher) = matched_policy {
+            envoy_log_info!("dns_gateway: matched policy pattern '{}' for domain '{}'",
+                policy_matcher.domain_pattern, domain);
+
             // Create EgressPolicy from matcher
             let policy = EgressPolicy {
                 domain: domain.clone(),
@@ -168,28 +194,42 @@ impl<ELF: EnvoyUdpListenerFilter> UdpListenerFilter<ELF> for DnsGatewayFilter {
             let virtual_ip = cache.allocate(policy);
 
             envoy_log_info!(
-                "Allocated virtual IP {} for domain {}",
+                "dns_gateway: allocated virtual IP {} for domain {}",
                 virtual_ip,
                 domain
             );
 
             // Craft DNS A response using hickory-dns
             let response_bytes = match craft_dns_response(&query_message, question.name(), virtual_ip) {
-                Ok(bytes) => bytes,
+                Ok(bytes) => {
+                    envoy_log_info!("dns_gateway: crafted DNS response, {} bytes", bytes.len());
+                    bytes
+                }
                 Err(e) => {
-                    envoy_log_error!("Failed to craft DNS response: {}", e);
+                    envoy_log_error!("dns_gateway: failed to craft DNS response: {}", e);
                     return abi::envoy_dynamic_module_type_on_udp_listener_filter_status::Continue;
                 }
             };
 
-            // Set datagram data to response
-            if !envoy_filter.set_datagram_data(&response_bytes) {
-                envoy_log_error!("Failed to set datagram data");
+            // Send the DNS response back to the peer directly.
+            // Note: set_datagram_data() only modifies the buffer in-place but doesn't
+            // send it back. We must use send_datagram() to actually reply to the client.
+            if let Some((peer_addr, peer_port)) = peer {
+                envoy_log_info!("dns_gateway: sending {} byte response to {}:{}", response_bytes.len(), peer_addr, peer_port);
+                if !envoy_filter.send_datagram(&response_bytes, &peer_addr, peer_port) {
+                    envoy_log_error!("dns_gateway: failed to send datagram to {}:{}", peer_addr, peer_port);
+                }
+            } else {
+                envoy_log_error!("dns_gateway: no peer address available, cannot send response");
             }
+
+            // StopIteration prevents the udp_proxy filter from also forwarding this packet
+            return abi::envoy_dynamic_module_type_on_udp_listener_filter_status::StopIteration;
         } else {
-            envoy_log_debug!("No policy matched for domain: {}", domain);
+            envoy_log_info!("dns_gateway: no policy matched for domain: {}", domain);
         }
 
+        // No match — let the packet continue to the next filter (udp_proxy)
         abi::envoy_dynamic_module_type_on_udp_listener_filter_status::Continue
     }
 }

rust/src/egress_policies/dns_gateway.rs

@@ -42,41 +42,41 @@ impl<ENF: EnvoyNetworkFilter> NetworkFilter<ENF> for HostnameLookupFilter {
         &mut self,
         envoy_filter: &mut ENF,
     ) -> abi::envoy_dynamic_module_type_on_network_filter_data_status {
-        let (ip_str, _port) = envoy_filter.get_local_address();
+        let (ip_str, port) = envoy_filter.get_local_address();
+        envoy_log_info!("hostname_lookup: new connection, local_address={}:{}", ip_str, port);
 
         let ip: Ipv4Addr = match ip_str.parse() {
             Ok(ip) => ip,
             Err(_) => {
-                envoy_log_warn!("Failed to parse destination IP: {}", ip_str);
+                envoy_log_warn!("hostname_lookup: failed to parse destination IP: {}", ip_str);
                 return abi::envoy_dynamic_module_type_on_network_filter_data_status::Continue;
             }
         };
 
-        envoy_log_debug!("Looking up policy for virtual IP: {}", ip);
-
         let cache = get_cache();
         let policy = match cache.lookup(ip) {
             Some(p) => p,
             None => {
-                envoy_log_warn!("No policy found for virtual IP: {}", ip);
+                envoy_log_warn!("hostname_lookup: no policy found for virtual IP: {} (cache miss)", ip);
                 return abi::envoy_dynamic_module_type_on_network_filter_data_status::Continue;
             }
         };
 
         envoy_log_info!(
-            "Found policy for virtual IP {}: domain={}",
+            "hostname_lookup: cache hit for virtual IP {}: domain={}, metadata keys=[{}]",
             ip,
-            policy.domain
+            policy.domain,
+            policy.metadata.keys().cloned().collect::<Vec<_>>().join(", ")
         );
 
         let hostname_key = "envoy.wildcard.hostname";
         if !envoy_filter.set_filter_state_bytes(
             hostname_key.as_bytes(),
             policy.domain.as_bytes(),
         ) {
-            envoy_log_error!("Failed to set filter state for hostname");
+            envoy_log_error!("hostname_lookup: failed to set filter state for hostname");
         } else {
-            envoy_log_debug!("Set filter state: {} = {}", hostname_key, policy.domain);
+            envoy_log_info!("hostname_lookup: set filter state: {} = {}", hostname_key, policy.domain);
         }
 
         for (key, value) in &policy.metadata {
@@ -86,9 +86,9 @@ impl<ENF: EnvoyNetworkFilter> NetworkFilter<ENF> for HostnameLookupFilter {
                 filter_state_key.as_bytes(),
                 value.as_bytes(),
             ) {
-                envoy_log_error!("Failed to set filter state for key: {}", filter_state_key);
+                envoy_log_error!("hostname_lookup: failed to set filter state for key: {}", filter_state_key);
             } else {
-                envoy_log_debug!("Set filter state: {} = {}", filter_state_key, value);
+                envoy_log_info!("hostname_lookup: set filter state: {} = {}", filter_state_key, value);
             }
         }