What's the difference between local rate limiting at the listener filter level and the network filter level?


henry zhu

Nov 6, 2023, 2:39:27 PM11/6/23
to envoy-users
There's a short blurb in the architecture overview section 

"Envoy supports local (non-distributed) rate limiting of L4 connections via the local rate limit listener filter and local rate limit network filter. The difference is local rate limit listener filter <config_listener_filters_local_rate_limit> processes the sockets before TLS handshake and filter chain matching."

I assume "sockets" here is supposed to be "packets"? Doing my own testing, I found that when rate limited at the listener filter level Envoy responds to a Client Hello with an RST. When rate limited at the network filter level Envoy responds to a Client Hello with a FIN, then an RST. So it seems that both short circuit before the TLS handshake and filter chain matching; the difference is in the response. Listener terminates the connection immediately with an RST, while Network terminates gracefully with a FIN (Is it really graceful though if an RST is sent immediately afterwards? I'm not familiar with this.)

Am I correct, or am I totally off the mark? Where can I find more on the difference between these two levels and how rate limiting works in them?

Yan Avlasov

Nov 9, 2023, 1:01:39 PM11/9/23
to henry zhu, envoy-users
When rate limiting via network filter the TLS handshake should complete. If it does not, it means your TLS is not configured correctly.


henry zhu

Nov 13, 2023, 3:33:55 PM11/13/23
to envoy-users
Are you sure? In my testing I had the max_tokens for the network level set to 1, and the fill_interval at 600s. For the first request I sent, I could see the TLS handshake complete between the client and Envoy, and then Envoy's TLS handshake with the upstream cluster. For subsequent requests, I saw Envoy respond to the Client Hello with a FIN then an RST. Since the TLS handshake went fine in the first request, it seems like TLS is configured properly.
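To make the difference the thread is arguing about concrete, here is an added example listener that configures both filters side by side; it is not from the thread or from the Envoy documentation, and the addresses, ports, SNI name, certificate paths and cluster name in it are hypothetical. The token bucket values (max_tokens 1, fill_interval 600s) are the ones henry used; tokens_per_fill: 1 is an assumption. The point it shows is structural: the listener filter sits in listener_filters, which run on the accepted socket before any filter chain (and therefore before any TLS transport socket) has been chosen, so it can only limit the listener as a whole and it is listed before tls_inspector so that a rejected connection is never inspected. The network filter sits inside one filter_chain, so it only runs once that chain has been matched and it limits that chain alone.

```yaml
# Added example (not the thread's or Envoy's own config). All names, ports and
# paths are hypothetical; the token bucket values are the ones from the thread.
admin:
  address:
    socket_address: { address: 127.0.0.1, port_value: 9901 }

static_resources:
  listeners:
  - name: tls_ingress
    address:
      socket_address: { address: 0.0.0.0, port_value: 8443 }
    # Listener filters run on the accepted socket, in the order listed, before
    # TLS and before a filter chain is selected. The rate limiter comes first so a
    # rejected connection is never even peeked at by the TLS inspector.
    listener_filters:
    - name: envoy.filters.listener.local_ratelimit
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.listener.local_ratelimit.v3.LocalRateLimit
        stat_prefix: listener_local_ratelimit
        token_bucket:
          max_tokens: 1          # one connection admitted ...
          tokens_per_fill: 1     # (assumed value)
          fill_interval: 600s    # ... per ten minutes, for the whole listener
    - name: envoy.filters.listener.tls_inspector
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
    filter_chains:
    - filter_chain_match:
        server_names: ["api.example.internal"]   # hypothetical SNI, needs tls_inspector
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          common_tls_context:
            tls_certificates:
            - certificate_chain: { filename: /etc/envoy/certs/server.crt }  # hypothetical path
              private_key: { filename: /etc/envoy/certs/server.key }        # hypothetical path
      # Network filters belong to this one chain and run only after it has been
      # matched, so this limit applies to connections for this SNI only.
      filters:
      - name: envoy.filters.network.local_ratelimit
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.local_ratelimit.v3.LocalRateLimit
          stat_prefix: network_local_ratelimit
          token_bucket:
            max_tokens: 1
            tokens_per_fill: 1   # (assumed value)
            fill_interval: 600s
      - name: envoy.filters.network.tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          stat_prefix: tcp_upstream
          cluster: upstream_service

  clusters:
  - name: upstream_service
    type: STATIC
    load_assignment:
      cluster_name: upstream_service
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: 127.0.0.1, port_value: 9000 }
```

In practice you would enable only one of the two for a given test, otherwise the listener filter consumes the single token first and the network filter is never reached. With the admin listener above, `curl -s 127.0.0.1:9901/stats | grep rate_limited` tells you which of the two filters rejected a connection, which is a more reliable check than reading FIN versus RST off a packet capture.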