Listener
A Listener, as the name suggests, is a component that passively listens for and accepts connections. Does every Listener listen on a socket? Let’s take a look at this question.
Before we start learning about Listeners, let’s review the example from “Envoy Configuration Example under Istio” in the previous section.
Note
Download the Envoy configuration (YAML) here: envoy@istio-conf-eg-inbound.envoy_conf.yaml
Listener example
In the example above, the reader can see a number of Istio-configured Listeners in action:

Inbound:
- Port: 15006
  - Name: virtualInbound
  - Function: The main Inbound Listener
- Port: 15090
- Port: 15000
- …

Outbound:
- Listener that binds a socket
  - Port: 15001
  - Name: virtualOutbound
  - Duty: Main Outbound Listener. Forwards traffic hijacked by iptables to the Listener below
- Listener that does not bind a socket
  - Name: 0.0.0.0_8080
  - Responsibility: All traffic to upstream clusters listening on port 8080 goes out via this Listener.
  - Configuration: bind_to_port: false
As you can see, the names Istio gives to Listeners are a bit hard to understand. The ones that actually listen on TCP ports are called virtualInbound/virtualOutbound, while the ones that don’t listen on TCP ports don’t have the virtual prefix.
Listener internal components
A Listener consists of Listener filters and Network Filter Chains.
The concepts of Listener Filter and Network Filter are easy to confuse. Let’s briefly explain them:
- Listener Filter: Collects the first pieces of information available at the very beginning of a connection and prepares the data used to select the Network Filter Chain.
  - It can collect basic TCP data, such as src IP/port, dst IP/port, or the original dst IP/port before iptables forwarding.
  - It can collect TLS handshake data, such as SNI / ALPN.
- Network Filter: After the TCP/TLS handshake, it processes higher-layer protocols, for example TCP Proxy / HTTP Proxy.
Listener filters
For example, in the Figure: Example of Envoy Inbound Configuration in Istio, you can see a few Listener filters:
- envoy.filters.listener.original_dst
- envoy.filters.listener.tls_inspector
- envoy.filters.listener.http_inspector
Their functionality is described in the diagram.
Network Filter Chains
For example, in the Figure: Example of Envoy Inbound Configuration in Istio above, you can see several Network Filter Chains, whose names may repeat. Each of these has its own filter_chain_match, which Envoy uses to match connections to different Network Filter Chains.
Each Network Filter Chain consists of an ordered sequence of Network Filters. The Network Filters are described in a later section.
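The selection step described above, as an added example (not code from the original page, Envoy or Istio): a simplified Python model of how the data gathered by Listener filters picks one Network Filter Chain through filter_chain_match. It models only three criteria (destination_port, transport_protocol, application_protocols); the chain names and sample configuration are constructed, and select_filter_chain is a hypothetical helper.

```python
# Added example: simplified model of filter chain selection.
# Criteria are checked in Envoy's precedence order; only three are modelled.
CRITERIA = ("destination_port", "transport_protocol", "application_protocols")

# Constructed sample, shaped like the filter_chains of an inbound Listener.
FILTER_CHAINS = [
    {"name": "catchall-tcp", "filter_chain_match": {
        "transport_protocol": "raw_buffer"}},
    {"name": "catchall-http", "filter_chain_match": {
        "transport_protocol": "raw_buffer",
        "application_protocols": ["http/1.1", "h2c"]}},
    {"name": "port-8080-mtls", "filter_chain_match": {
        "destination_port": 8080, "transport_protocol": "tls"}},
    {"name": "port-8080-plaintext", "filter_chain_match": {
        "destination_port": 8080, "transport_protocol": "raw_buffer"}},
]


def _matches(criterion, wanted, conn):
    """True if the connection metadata satisfies one configured criterion."""
    if criterion == "application_protocols":
        return any(p in wanted for p in conn.get(criterion, []))
    return conn.get(criterion) == wanted


def select_filter_chain(chains, conn):
    """Narrow candidates one criterion at a time; a specific match beats a
    chain that leaves the criterion unset. Returns None if nothing matches."""
    candidates = list(chains)
    for criterion in CRITERIA:
        specific = [c for c in candidates
                    if criterion in c["filter_chain_match"]
                    and _matches(criterion, c["filter_chain_match"][criterion], conn)]
        wildcard = [c for c in candidates
                    if criterion not in c["filter_chain_match"]]
        candidates = specific or wildcard
    return candidates[0]["name"] if candidates else None


if __name__ == "__main__":
    # conn holds what the Listener filters collected: original destination
    # port (original_dst), transport (tls_inspector), protocol (http_inspector).
    conn = {"destination_port": 8080, "transport_protocol": "raw_buffer",
            "application_protocols": ["http/1.1"]}
    print(select_filter_chain(FILTER_CHAINS, conn))
```

Which chain a connection lands on decides which Network Filters process it, so a connection that falls through to a plaintext or catch-all chain is worth checking when reviewing an inbound Listener.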
The proof process
If you’re interested in looking at the details of Listener’s implementation, I recommend checking out my blog post: