IP Tagging

The HTTP IP Tagging filter sets the header x-envoy-ip-tags with the string tags for the trusted address from x-forwarded-for. If there are no tags for an address, the header is not set.

The implementation for IP Tagging provides a scalable way to compare an IP address to a large list of CIDR ranges efficiently. The underlying algorithm for storing tags and IP address subnets is a Level-Compressed trie described in the paper IP-address lookup using LC-tries by S. Nilsson and G. Karlsson.
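To make the lookup concrete, here is an added example that is not Envoy's code: a plain, uncompressed binary trie (the level-compressed form from the paper is a space and speed optimisation of the same idea), IPv4 only. The TagTrie class and its method names are hypothetical, and collecting the tags of every containing range and joining them with commas is an assumption about the header value format.

```cpp
#include <arpa/inet.h>
#include <cstdint>
#include <memory>
#include <string>
#include <vector>

// Illustrative binary trie keyed on address bits; not Envoy's LC-trie class.
class TagTrie {
 public:
  // Register a CIDR range (prefix/len) under a tag; false on malformed input.
  bool add(const std::string& prefix, int len, const std::string& tag) {
    uint32_t ip;
    if (len < 0 || len > 32 || !parse(prefix, ip)) return false;
    Node* n = &root_;
    for (int bit = 0; bit < len; ++bit) {
      std::unique_ptr<Node>& next = n->child[(ip >> (31 - bit)) & 1];
      if (!next) next.reset(new Node());
      n = next.get();
    }
    n->tags.push_back(tag);
    return true;
  }

  // Tags of every range containing the address, comma-joined (assumed format).
  // An empty result corresponds to the header not being set.
  std::string headerValue(const std::string& address) const {
    uint32_t ip;
    std::string out;
    if (!parse(address, ip)) return out;
    const Node* n = &root_;
    for (int bit = 0; n != nullptr; ++bit) {
      for (const std::string& t : n->tags) out += (out.empty() ? "" : ",") + t;
      if (bit == 32) break;  // all 32 address bits consumed
      n = n->child[(ip >> (31 - bit)) & 1].get();
    }
    return out;
  }

 private:
  struct Node { std::unique_ptr<Node> child[2]; std::vector<std::string> tags; };

  // Strict dotted-quad parse into a host-order integer (POSIX inet_pton).
  static bool parse(const std::string& s, uint32_t& out) {
    in_addr a;
    if (inet_pton(AF_INET, s.c_str(), &a) != 1) return false;
    out = ntohl(a.s_addr);
    return true;
  }
  Node root_;
};
```

With the constructed ranges 10.0.0.0/8 tagged internal and 10.1.0.0/16 tagged office, headerValue("10.1.2.3") returns internal,office, and an address outside both ranges returns an empty string.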

Configuration

Statistics

The IP Tagging filter outputs statistics in the http.<stat_prefix>.ip_tagging. namespace. The stat prefix comes from the owning HTTP connection manager.

| Name | Type | Description |
|---|---|---|
| <tag_name>.hit | Counter | Total number of requests that have the <tag_name> applied to them |
| no_hit | Counter | Total number of requests with no applicable IP tags |
| total | Counter | Total number of requests the IP Tagging Filter operated on |

Runtime

The IP Tagging filter supports the following runtime settings:

ip_tagging.http_filter_enabled

The % of requests for which the filter is enabled. Default is 100.