Skip to content

fix(translator): avoid duplicate filter chain for TLS listener without routes#9342

Open
wiegandf wants to merge 1 commit into
envoyproxy:mainfrom
wiegandf:fix/tls-listener-no-routes-duplicate-filter-chain
Open

fix(translator): avoid duplicate filter chain for TLS listener without routes#9342
wiegandf wants to merge 1 commit into
envoyproxy:mainfrom
wiegandf:fix/tls-listener-no-routes-duplicate-filter-chain

Conversation

@wiegandf

Copy link
Copy Markdown

What type of PR is this?

fix(translator)

What this PR does / why we need it:

When a TLS protocol listener with a specific hostname has no routes attached, the translator generated an EmptyCluster placeholder filter chain with no FilterChainMatch. If an
HTTPS listener with wildcard hostname (*) shared the same port, both filter chains ended up with an empty matcher, causing Envoy to reject the xDS update with:

  filter chain 'EmptyCluster' has the same matching rules defined as '<name>/https'. duplicate matcher is: {}

This blocks all subsequent xDS updates to that listener until a route is manually added.

The fix stores the Gateway listener hostname on the TCPListener IR (for TLS protocol listeners only — TCP ignores hostnames per the Gateway API spec) and uses it as an SNI-based
FilterChainMatch on the empty placeholder filter chain, making it unique from any wildcard filter chains on the same xDS listener.

Which issue(s) this PR fixes:

Fixes #9341

Release Notes: Yes

@wiegandf wiegandf requested a review from a team as a code owner June 24, 2026 20:53
@netlify

netlify Bot commented Jun 24, 2026

Copy link
Copy Markdown

Deploy Preview for cerulean-figolla-1f9435 ready!

Name Link
🔨 Latest commit fe869ee
🔍 Latest deploy log https://app.netlify.com/projects/cerulean-figolla-1f9435/deploys/6a3cbe5e5014f90008ff0f35
😎 Deploy Preview https://deploy-preview-9342--cerulean-figolla-1f9435.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@zirain

zirain commented Jun 25, 2026

Copy link
Copy Markdown
Member

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 8408e88276

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment on lines +881 to +884
TLS: &ir.TLS{
TLSInspectorConfig: &ir.TLSInspectorConfig{
SNIs: tcpListener.Hostnames,
},

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Preserve fingerprint options when adding SNI placeholder

When a hostname-only, no-route TLS listener is processed before another TLS listener on the same address/port that enables JA3/JA4 fingerprints, this new synthetic SNI route causes addXdsTCPFilterChain to install tls_inspector for SNI only. addXdsTLSInspectorFilter returns immediately once an inspector exists, so the later listener's fingerprint flags are never enabled and configured %TLS_JA*_FINGERPRINT% values stay empty. Before this branch, a no-route listener without fingerprints did not install the inspector, so the later listener could enable it; please merge/update existing inspector options when adding this placeholder chain.

Useful? React with 👍 / 👎.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is that the desired behavior? As tls_inspector is a listener filter we can't have per filter chain scope? Maybe it's correct as it is to just install the first. @zirain

…t routes

When a TLS protocol listener with a specific hostname has no routes attached,
the translator generated an EmptyCluster placeholder filter chain with no
FilterChainMatch. If an HTTPS listener with wildcard hostname ('*') shared the
same port, both filter chains ended up with an empty matcher, causing Envoy to
reject the xDS update with:

  filter chain 'EmptyCluster' has the same matching rules defined as
  '<name>/https'. duplicate matcher is: {}

Fix: store the Gateway listener hostname on the TCPListener IR (for TLS
protocol listeners only, since TCP ignores hostnames) and use it as an SNI-
based FilterChainMatch on the empty placeholder filter chain, making it unique
among other wildcard filter chains on the same xDS listener.

Fixes envoyproxy#9341

Signed-off-by: Florian Wiegand <36593900+wiegandf@users.noreply.github.com>
@wiegandf wiegandf force-pushed the fix/tls-listener-no-routes-duplicate-filter-chain branch from 8408e88 to fe869ee Compare June 25, 2026 05:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Listener with no routes causes xDS rejection when sharing port with HTTPS listener

2 participants