envoyproxy
diff --git a/‎CODEOWNERS‎
Lines changed: 2 additions & 0 deletions b/‎CODEOWNERS‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎api/BUILD‎
Lines changed: 2 additions & 0 deletions b/‎api/BUILD‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎api/envoy/extensions/matching/http/dynamic_modules/v3/BUILD‎
Lines changed: 9 additions & 0 deletions b/‎api/envoy/extensions/matching/http/dynamic_modules/v3/BUILD‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎api/envoy/extensions/matching/http/dynamic_modules/v3/dynamic_modules.proto‎
Lines changed: 24 additions & 0 deletions b/‎api/envoy/extensions/matching/http/dynamic_modules/v3/dynamic_modules.proto‎
Lines changed: 24 additions & 0 deletions
diff --git a/‎api/envoy/extensions/matching/input_matchers/dynamic_modules/v3/BUILD‎
Lines changed: 12 additions & 0 deletions b/‎api/envoy/extensions/matching/input_matchers/dynamic_modules/v3/BUILD‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎api/envoy/extensions/matching/input_matchers/dynamic_modules/v3/dynamic_modules.proto‎
Lines changed: 54 additions & 0 deletions b/‎api/envoy/extensions/matching/input_matchers/dynamic_modules/v3/dynamic_modules.proto‎
Lines changed: 54 additions & 0 deletions
diff --git a/‎api/versioning/BUILD‎
Lines changed: 2 additions & 0 deletions b/‎api/versioning/BUILD‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎changelogs/current.yaml‎
Lines changed: 4 additions & 0 deletions b/‎changelogs/current.yaml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎docs/root/intro/arch_overview/advanced/dynamic_modules.rst‎
Lines changed: 1 addition & 0 deletions b/‎docs/root/intro/arch_overview/advanced/dynamic_modules.rst‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎source/common/router/BUILD‎
Lines changed: 1 addition & 0 deletions b/‎source/common/router/BUILD‎
Lines changed: 1 addition & 0 deletions
@@ -409,6 +409,8 @@ extensions/upstreams/tcp @ggreenway @mattklein123
 /*/extensions/filters/listener/dynamic_modules @agrawroh @mathetake @wbpcode
 /*/extensions/filters/udp/dynamic_modules @agrawroh @mathetake @wbpcode
 /*/extensions/load_balancing_policies/dynamic_modules @agrawroh @mathetake @wbpcode
+/*/extensions/matching/input_matchers/dynamic_modules @agrawroh @mathetake @wbpcode
+/*/extensions/matching/http/dynamic_modules @agrawroh @mathetake @wbpcode
 # Linux network namespace override
 /*/extensions/local_address_selectors/filter_state_override @tonya11en @kyessenov
 
 
@@ -348,7 +348,9 @@ proto_library(
         "//envoy/extensions/matching/common_inputs/network/v3:pkg",
         "//envoy/extensions/matching/common_inputs/ssl/v3:pkg",
         "//envoy/extensions/matching/common_inputs/stats/v3:pkg",
+        "//envoy/extensions/matching/http/dynamic_modules/v3:pkg",
         "//envoy/extensions/matching/input_matchers/consistent_hashing/v3:pkg",
+        "//envoy/extensions/matching/input_matchers/dynamic_modules/v3:pkg",
         "//envoy/extensions/matching/input_matchers/ip/v3:pkg",
         "//envoy/extensions/matching/input_matchers/metadata/v3:pkg",
         "//envoy/extensions/matching/input_matchers/runtime_fraction/v3:pkg",
 
@@ -0,0 +1,9 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = ["@xds//udpa/annotations:pkg"],
+)
@@ -0,0 +1,24 @@
+syntax = "proto3";
+
+package envoy.extensions.matching.http.dynamic_modules.v3;
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.matching.http.dynamic_modules.v3";
+option java_outer_classname = "DynamicModulesProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/matching/http/dynamic_modules/v3;dynamic_modulesv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Dynamic Modules HTTP Match Input]
+// [#extension: envoy.matching.inputs.dynamic_module_data_input]
+
+// Configuration for the dynamic modules HTTP match input. This input extracts HTTP request and
+// response data from the matching context and makes it available to the dynamic module matcher
+// via ABI callbacks during match evaluation.
+//
+// This data input should be used together with the
+// :ref:`dynamic modules input matcher
+// <envoy_v3_api_msg_extensions.matching.input_matchers.dynamic_modules.v3.DynamicModuleMatcher>`.
+message HttpDynamicModuleMatchInput {
+}
@@ -0,0 +1,12 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = [
+        "//envoy/extensions/dynamic_modules/v3:pkg",
+        "@xds//udpa/annotations:pkg",
+    ],
+)
@@ -0,0 +1,54 @@
+syntax = "proto3";
+
+package envoy.extensions.matching.input_matchers.dynamic_modules.v3;
+
+import "envoy/extensions/dynamic_modules/v3/dynamic_modules.proto";
+
+import "google/protobuf/any.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.matching.input_matchers.dynamic_modules.v3";
+option java_outer_classname = "DynamicModulesProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/matching/input_matchers/dynamic_modules/v3;dynamic_modulesv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Dynamic Modules Input Matcher]
+// [#extension: envoy.matching.matchers.dynamic_modules]
+
+// Configuration for the Dynamic Modules Input Matcher. This matcher allows loading shared object
+// files via ``dlopen`` to implement custom matching logic in dynamic modules (e.g. Rust, Go).
+//
+// A module can implement arbitrary matching logic by examining request headers and other HTTP
+// attributes during the match evaluation. This is useful for scenarios that require complex
+// matching beyond what built-in matchers provide, such as JWT/OAuth token analysis, custom
+// routing decisions, or integration with external data sources.
+message DynamicModuleMatcher {
+  // Specifies the shared-object level configuration. This field is required.
+  envoy.extensions.dynamic_modules.v3.DynamicModuleConfig dynamic_module_config = 1
+      [(validate.rules).message = {required: true}];
+
+  // The name for this matcher configuration. If not specified, defaults to an empty string.
+  //
+  // This can be used to distinguish between different matcher implementations inside a dynamic
+  // module. For example, a module can have completely different matcher implementations (e.g.,
+  // OAuth token matcher, geo-IP matcher). When Envoy receives this configuration, it passes
+  // the ``matcher_config_name`` to the dynamic module's matcher config init function together
+  // with the ``matcher_config``. That way a module can decide which in-module matcher
+  // implementation to use based on the name at load time.
+  string matcher_config_name = 2;
+
+  // The configuration for the matcher chosen by ``matcher_config_name``. If not specified, an
+  // empty configuration is passed to the module.
+  //
+  // This is passed to the module's matcher initialization function. Together with the
+  // ``matcher_config_name``, the module can decide which in-module matcher implementation to
+  // use and fine-tune the behavior of the matcher.
+  //
+  // ``google.protobuf.Struct`` is serialized as JSON before passing it to the module.
+  // ``google.protobuf.BytesValue`` and ``google.protobuf.StringValue`` are passed directly
+  // without the wrapper.
+  google.protobuf.Any matcher_config = 3;
+}
@@ -288,7 +288,9 @@ proto_library(
         "//envoy/extensions/matching/common_inputs/ssl/v3:pkg",
         "//envoy/extensions/matching/common_inputs/stats/v3:pkg",
         "//envoy/extensions/matching/common_inputs/transport_socket/v3:pkg",
+        "//envoy/extensions/matching/http/dynamic_modules/v3:pkg",
         "//envoy/extensions/matching/input_matchers/consistent_hashing/v3:pkg",
+        "//envoy/extensions/matching/input_matchers/dynamic_modules/v3:pkg",
         "//envoy/extensions/matching/input_matchers/ip/v3:pkg",
         "//envoy/extensions/matching/input_matchers/metadata/v3:pkg",
         "//envoy/extensions/matching/input_matchers/runtime_fraction/v3:pkg",
 
@@ -119,6 +119,10 @@ removed_config_or_runtime:
 # *Normally occurs at the end of the* :ref:`deprecation period <deprecated>`
 
 new_features:
+- area: dynamic_modules
+  change: |
+    Added dynamic module input matcher extension which would allow implementing custom matching logic
+    in external languages (Rust, Go, C) via dynamic modules.
 - area: ext_authz
   change: |
     Added support for the ``append_action`` enum in gRPC ext_authz ``OkHttpResponse.headers`` for upstream
 
@@ -27,6 +27,7 @@ Currently, dynamic modules are supported at the following extension points:
 * As an :ref:`access logger <envoy_v3_api_msg_extensions.access_loggers.dynamic_modules.v3.DynamicModuleAccessLog>`.
 * As a :ref:`network filter <envoy_v3_api_msg_extensions.filters.network.dynamic_modules.v3.DynamicModuleNetworkFilter>`.
 * As an :ref:`HTTP filter <envoy_v3_api_msg_extensions.filters.http.dynamic_modules.v3.DynamicModuleFilter>`.
+* As an :ref:`input matcher <envoy_v3_api_msg_extensions.matching.input_matchers.dynamic_modules.v3.DynamicModuleMatcher>`.
 
 There are a few design goals for the dynamic modules:
 
 
@@ -100,6 +100,7 @@ envoy_cc_library(
         "//source/common/matcher:matcher_lib",
         "//source/extensions/matching/network/common:inputs_lib",
         "@envoy_api//envoy/extensions/matching/common_inputs/network/v3:pkg_cc_proto",
+        "@envoy_api//envoy/extensions/matching/http/dynamic_modules/v3:pkg_cc_proto",
         "@envoy_api//envoy/type/matcher/v3:pkg_cc_proto",
     ],
     alwayslink = LEGACY_ALWAYSLINK,