remove DFP filter

zhaohuabing · zhaohuabing · commit f53b0dcfd992 · 2026-04-02T10:29:11.000+08:00
Signed-off-by: Huabing (Robin) Zhao &lt;zhaohuabing@gmail.com&gt;
diff --git a/internal/xds/translator/dynamic_forward_proxy.go b/internal/xds/translator/dynamic_forward_proxy.go
@@ -7,21 +7,16 @@ package translator
 
 import (
 	"errors"
-	"fmt"
-	"sort"
 
 	cncfv3 "github.com/cncf/xds/go/xds/core/v3"
 	matcherv3 "github.com/cncf/xds/go/xds/type/matcher/v3"
 	rbacconfigv3 "github.com/envoyproxy/go-control-plane/envoy/config/rbac/v3"
 	routev3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
-	commondfpv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/common/dynamic_forward_proxy/v3"
-	dfpv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/dynamic_forward_proxy/v3"
 	rbacv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/rbac/v3"
 	hcmv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3"
 	envoymatcherv3 "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3"
 	"google.golang.org/protobuf/types/known/anypb"
 
-	egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
 	"github.com/envoyproxy/gateway/internal/ir"
 	"github.com/envoyproxy/gateway/internal/utils/proto"
 	"github.com/envoyproxy/gateway/internal/xds/types"
@@ -39,7 +34,7 @@ type dynamicForwardProxy struct{}
 
 var _ httpFilter = &dynamicForwardProxy{}
 
-// patchHCM appends the Dynamic Forward Proxy filter to the HTTP Connection Manager if applicable.
+// patchHCM appends the loopback protection filter to the HTTP Connection Manager if applicable.
 func (*dynamicForwardProxy) patchHCM(mgr *hcmv3.HttpConnectionManager, irListener *ir.HTTPListener) error {
 	if mgr == nil {
 		return errors.New("hcm is nil")
@@ -49,7 +44,7 @@ func (*dynamicForwardProxy) patchHCM(mgr *hcmv3.HttpConnectionManager, irListene
 		return errors.New("ir listener is nil")
 	}
 
-	// Add the RBAC filter once (no-op by default); per-route config will enable it only for DFP routes.
+	// Add the RBAC filter once (no-op by default); per-route config will enable it only for dynamic resolver routes.
 	if listenerHasDynamicResolverRoute(irListener) {
 		loopbackRBAC, err := buildDFPLoopbackRBAC()
 		if err != nil {
@@ -60,47 +55,9 @@ func (*dynamicForwardProxy) patchHCM(mgr *hcmv3.HttpConnectionManager, irListene
 		}
 	}
 
-	if !listenerRequireDFP(irListener) {
-		return nil
-	}
-
-	// Create a DFP filter for each unique DNS cache config needed by the listener's routes.
-	// This is because DFP filter and Cluster must have consistent cache config.
-	// Reference: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/clusters/dynamic_forward_proxy/v3/cluster.proto
-	cacheCfgs := dfpCacheConfigs(irListener.Routes)
-
-	for _, cacheCfg := range cacheCfgs {
-		cacheName := cacheCfg.GetName()
-		filterName := dfpFilterName(cacheName)
-		if hcmContainsFilter(mgr, filterName) {
-			continue
-		}
-
-		filterCfg := &dfpv3.FilterConfig{
-			ImplementationSpecifier: &dfpv3.FilterConfig_DnsCacheConfig{
-				DnsCacheConfig: cacheCfg,
-			},
-		}
-
-		filterAny, err := anypb.New(filterCfg)
-		if err != nil {
-			return err
-		}
-
-		mgr.HttpFilters = append(mgr.HttpFilters, &hcmv3.HttpFilter{
-			Name: filterName,
-			ConfigType: &hcmv3.HttpFilter_TypedConfig{
-				TypedConfig: filterAny,
-			},
-			Disabled: true,
-		})
-	}
-
 	return nil
 }
 
-// patchRoute adds per-route host rewrite configuration so DNS resolution can
-// use rewritten hostnames when configured.
 func (*dynamicForwardProxy) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute, _ *ir.HTTPListener) error {
 	if route == nil {
 		return errors.New("xds route is nil")
@@ -131,50 +88,13 @@ func (*dynamicForwardProxy) patchRoute(route *routev3.Route, irRoute *ir.HTTPRou
 		}
 	}
 
-	if !routeRequireDFP(irRoute) {
-		return nil
-	}
-
-	perRouteCfg := buildDFPPerRouteConfig(irRoute)
-	if perRouteCfg == nil {
-		return nil
-	}
-
-	perRouteAny, err := anypb.New(perRouteCfg)
-	if err != nil {
-		return err
-	}
-
-	if route.TypedPerFilterConfig == nil {
-		route.TypedPerFilterConfig = make(map[string]*anypb.Any)
-	}
-	filterName := dfpFilterName(dfpCacheName(determineIPFamily(irRoute.Destination.Settings), routeDNS(irRoute)))
-	route.TypedPerFilterConfig[filterName] = perRouteAny
-
-	// Clear out any existing host rewrite specifier to avoid conflicts.
-	routeAction := route.GetRoute()
-	if routeAction != nil {
-		routeAction.HostRewriteSpecifier = nil
-		routeAction.AppendXForwardedHost = false
-	}
-
 	return nil
 }
 
 func (*dynamicForwardProxy) patchResources(_ *types.ResourceVersionTable, _ []*ir.HTTPRoute) error {
 	return nil
 }
 
-// listenerRequireDFP checks if a given listener requires the dynamic forward proxy filter.
-func listenerRequireDFP(listener *ir.HTTPListener) bool {
-	for _, route := range listener.Routes {
-		if routeRequireDFP(route) {
-			return true
-		}
-	}
-	return false
-}
-
 // listenerHasDynamicResolverRoute checks if a given listener has any route with a dynamic resolver backend.
 func listenerHasDynamicResolverRoute(listener *ir.HTTPListener) bool {
 	for _, route := range listener.Routes {
@@ -185,97 +105,6 @@ func listenerHasDynamicResolverRoute(listener *ir.HTTPListener) bool {
 	return false
 }
 
-// routeRequireDFP check if a given route requires the dynamic forward proxy filter.
-// A dynamic forward proxy is required when:
-// * The route has a dynamic resolver backend.
-// * The route needs DFP to rewrite the host header based on a header or literal name.
-func routeRequireDFP(route *ir.HTTPRoute) bool {
-	if route == nil || route.Destination == nil {
-		return false
-	}
-
-	if !route.IsDynamicResolverRoute() {
-		return false
-	}
-
-	if route.URLRewrite != nil && route.URLRewrite.Host != nil &&
-		(route.URLRewrite.Host.Header != nil || route.URLRewrite.Host.Name != nil) {
-		return true
-	}
-
-	return false
-}
-
-// dfpCacheConfigs builds a sorted list of unique DFP DNS cache configs needed by the given routes.
-func dfpCacheConfigs(routes []*ir.HTTPRoute) []*commondfpv3.DnsCacheConfig {
-	cacheCfgs := make(map[string]*commondfpv3.DnsCacheConfig)
-
-	for _, route := range routes {
-		if !routeRequireDFP(route) {
-			continue
-		}
-
-		dns := routeDNS(route)
-		ipFamily := determineIPFamily(route.Destination.Settings)
-		cacheName := dfpCacheName(ipFamily, dns)
-		if _, existing := cacheCfgs[cacheName]; existing {
-			continue
-		}
-
-		routeCfg := buildDFPDNSCacheConfig(cacheName, dns, computeDNSLookupFamily(ipFamily, dns))
-		cacheCfgs[cacheName] = routeCfg
-	}
-
-	if len(cacheCfgs) == 0 {
-		return nil
-	}
-
-	cfgs := make([]*commondfpv3.DnsCacheConfig, 0, len(cacheCfgs))
-	for _, cfg := range cacheCfgs {
-		cfgs = append(cfgs, cfg)
-	}
-
-	// Sort the configs by name to ensure deterministic order for xDS generation.
-	sort.Slice(cfgs, func(i, j int) bool {
-		return cfgs[i].GetName() < cfgs[j].GetName()
-	})
-
-	return cfgs
-}
-
-func buildDFPPerRouteConfig(irRoute *ir.HTTPRoute) *dfpv3.PerRouteConfig {
-	switch {
-	case irRoute.URLRewrite == nil || irRoute.URLRewrite.Host == nil:
-		return nil
-	case irRoute.URLRewrite.Host.Header != nil:
-		return &dfpv3.PerRouteConfig{
-			HostRewriteSpecifier: &dfpv3.PerRouteConfig_HostRewriteHeader{
-				HostRewriteHeader: *irRoute.URLRewrite.Host.Header,
-			},
-		}
-	case irRoute.URLRewrite.Host.Name != nil:
-		return &dfpv3.PerRouteConfig{
-			HostRewriteSpecifier: &dfpv3.PerRouteConfig_HostRewriteLiteral{
-				HostRewriteLiteral: *irRoute.URLRewrite.Host.Name,
-			},
-		}
-	default:
-		return nil
-
-	}
-}
-
-func routeDNS(route *ir.HTTPRoute) *ir.DNS {
-	if route == nil || route.Traffic == nil {
-		return nil
-	}
-	return route.Traffic.DNS
-}
-
-func dfpFilterName(cacheName string) string {
-	return fmt.Sprintf("%s.%s", string(egv1a1.EnvoyFilterDynamicForwardProxy), cacheName)
-}
-
 func buildDFPLoopbackRBAC() (*hcmv3.HttpFilter, error) {
 	rbac := &rbacv3.RBAC{
 		// No policies: acts as a placeholder; per-route config enables denial.
diff --git a/internal/xds/translator/route.go b/internal/xds/translator/route.go
@@ -578,24 +578,19 @@ func buildXdsURLRewriteAction(route *ir.HTTPRoute, urlRewrite *ir.URLRewrite, pa
 	}
 
 	if urlRewrite.Host != nil {
-		// For DFP use cases, route-level host literal/header rewrites are not used, and instead DFP per-filter config is used, see here:
-		// https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/dynamic_forward_proxy/v3/dynamic_forward_proxy.proto#envoy-v3-api-msg-extensions-filters-http-dynamic-forward-proxy-v3-perrouteconfig
-		// Auto Host rewrites are only supported for strict/logical DNS clusters, so not relevant for DFP, see here:
-		// https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-routeaction-auto-host-rewrite
-		if !route.IsDynamicResolverRoute() {
-			switch {
-			case urlRewrite.Host.Name != nil:
-				routeAction.HostRewriteSpecifier = &routev3.RouteAction_HostRewriteLiteral{
-					HostRewriteLiteral: *urlRewrite.Host.Name,
-				}
-			case urlRewrite.Host.Header != nil:
-				routeAction.HostRewriteSpecifier = &routev3.RouteAction_HostRewriteHeader{
-					HostRewriteHeader: *urlRewrite.Host.Header,
-				}
-			case urlRewrite.Host.Backend != nil:
-				routeAction.HostRewriteSpecifier = &routev3.RouteAction_AutoHostRewrite{
-					AutoHostRewrite: wrapperspb.Bool(true),
-				}
+		switch {
+		case urlRewrite.Host.Name != nil:
+			routeAction.HostRewriteSpecifier = &routev3.RouteAction_HostRewriteLiteral{
+				HostRewriteLiteral: *urlRewrite.Host.Name,
+			}
+		case urlRewrite.Host.Header != nil:
+			routeAction.HostRewriteSpecifier = &routev3.RouteAction_HostRewriteHeader{
+				HostRewriteHeader: *urlRewrite.Host.Header,
+			}
+		case urlRewrite.Host.Backend != nil && !route.IsDynamicResolverRoute():
+			// Auto Host rewrite is only supported for non-dynamic resolver routes.
+			routeAction.HostRewriteSpecifier = &routev3.RouteAction_AutoHostRewrite{
+				AutoHostRewrite: wrapperspb.Bool(true),
 			}
 		}
 
diff --git a/internal/xds/translator/route_test.go b/internal/xds/translator/route_test.go
@@ -309,3 +309,82 @@ func TestBuildXdsURLRewriteAction_AppendXForwardedHost(t *testing.T) {
 		})
 	}
 }
+
+func TestBuildXdsURLRewriteAction_DynamicResolverHostRewrite(t *testing.T) {
+	baseRoute := &ir.HTTPRoute{
+		Name: "test-route",
+		Destination: &ir.RouteDestination{
+			Name: "test-dest",
+			Settings: []*ir.DestinationSetting{
+				{
+					IsDynamicResolver: true,
+				},
+			},
+		},
+	}
+
+	tests := []struct {
+		name                     string
+		urlRewrite               *ir.URLRewrite
+		wantSpecifier            *routev3.RouteAction
+		wantAppendXForwardedHost bool
+	}{
+		{
+			name: "header rewrite uses route action",
+			urlRewrite: &ir.URLRewrite{
+				Host: &ir.HTTPHostModifier{
+					Header: ptr.To("x-dynamic-host"),
+				},
+			},
+			wantSpecifier: &routev3.RouteAction{
+				HostRewriteSpecifier: &routev3.RouteAction_HostRewriteHeader{
+					HostRewriteHeader: "x-dynamic-host",
+				},
+				AppendXForwardedHost: true,
+			},
+			wantAppendXForwardedHost: true,
+		},
+		{
+			name: "literal rewrite uses route action",
+			urlRewrite: &ir.URLRewrite{
+				Host: &ir.HTTPHostModifier{
+					Name: ptr.To("rewritten.example.com"),
+				},
+			},
+			wantSpecifier: &routev3.RouteAction{
+				HostRewriteSpecifier: &routev3.RouteAction_HostRewriteLiteral{
+					HostRewriteLiteral: "rewritten.example.com",
+				},
+				AppendXForwardedHost: true,
+			},
+			wantAppendXForwardedHost: true,
+		},
+		{
+			name: "append x-forwarded-host respects explicit false",
+			urlRewrite: &ir.URLRewrite{
+				Host: &ir.HTTPHostModifier{
+					Header: ptr.To("x-dynamic-host"),
+				},
+				AppendXForwardedHost: ptr.To(false),
+			},
+			wantSpecifier: &routev3.RouteAction{
+				HostRewriteSpecifier: &routev3.RouteAction_HostRewriteHeader{
+					HostRewriteHeader: "x-dynamic-host",
+				},
+			},
+			wantAppendXForwardedHost: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := buildXdsURLRewriteAction(baseRoute, tt.urlRewrite, nil)
+			if !reflect.DeepEqual(got.HostRewriteSpecifier, tt.wantSpecifier.HostRewriteSpecifier) {
+				t.Fatalf("HostRewriteSpecifier = %#v, want %#v", got.HostRewriteSpecifier, tt.wantSpecifier.HostRewriteSpecifier)
+			}
+			if got.AppendXForwardedHost != tt.wantAppendXForwardedHost {
+				t.Fatalf("AppendXForwardedHost = %v, want %v", got.AppendXForwardedHost, tt.wantAppendXForwardedHost)
+			}
+		})
+	}
+}
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-dynamic-resolver-with-host-rewriting.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-dynamic-resolver-with-host-rewriting.listeners.yaml
@@ -20,22 +20,6 @@
         - name: envoy.filters.http.rbac.dfp_loopback_deny
           typedConfig:
             '@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
-        - disabled: true
-          name: envoy.filters.http.dynamic_forward_proxy.envoy-gateway-dfp-cache-all-1000ms-default/dns-policy-for-httproute-2
-          typedConfig:
-            '@type': type.googleapis.com/envoy.extensions.filters.http.dynamic_forward_proxy.v3.FilterConfig
-            dnsCacheConfig:
-              dnsLookupFamily: ALL
-              dnsRefreshRate: 1s
-              name: envoy-gateway-dfp-cache-all-1000ms-default/dns-policy-for-httproute-2
-        - disabled: true
-          name: envoy.filters.http.dynamic_forward_proxy.envoy-gateway-dfp-cache-v4_preferred-30000ms-default
-          typedConfig:
-            '@type': type.googleapis.com/envoy.extensions.filters.http.dynamic_forward_proxy.v3.FilterConfig
-            dnsCacheConfig:
-              dnsLookupFamily: V4_PREFERRED
-              dnsRefreshRate: 30s
-              name: envoy-gateway-dfp-cache-v4_preferred-30000ms-default
         - name: envoy.filters.http.router
           typedConfig:
             '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-dynamic-resolver-with-host-rewriting.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-dynamic-resolver-with-host-rewriting.routes.yaml
