About

This extension provides IP-based access control for your Envoy proxy using Rust and Envoy's dynamic module framework. It allows you to define allowlists or denylists of IP addresses, restricting access based on the client's source IP.

Features

  • IP Allowlisting: Only permit requests from specific IP addresses or CIDR ranges
  • IP Denylisting: Block requests from specific IP addresses or CIDR ranges
  • CIDR Range Support: Match entire subnets (e.g. 192.168.1.0/24, 10.0.0.0/8, 2001:db8::/32)
  • IPv4 and IPv6 Support: Handles both IPv4 and IPv6 addresses and CIDR ranges

How It Works

The filter reads the source IP address of each incoming request and checks it against the configured list. With allow_addresses, a request is passed through only when its source IP matches an entry and every other request is rejected; with deny_addresses, a request whose source IP matches an entry is rejected and every other request is passed through. Rejected requests receive a 403 Forbidden response.

The address checked is the source of the connection as Envoy sees it. If a load balancer or another proxy terminates client connections in front of Envoy, Envoy sees that hop's address rather than the original client's, so confirm which address Envoy reports for a request (and whether your listener recovers the original client address, e.g. via the PROXY protocol or trusted X-Forwarded-For hops) before relying on this filter for access control.

Configuration

You must specify exactly one of:

  • allow_addresses: Array of IP addresses or CIDR ranges to allow (all others blocked)
  • deny_addresses: Array of IP addresses or CIDR ranges to deny (all others allowed)

Each entry can be an exact IPv4/IPv6 address or a CIDR range (e.g. 192.168.1.0/24, 10.0.0.0/8).
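The matching and configuration rules above, written out as an added example using only the Rust standard library. This is not the ip-restriction module's own code: the names IpRange, Policy, from_config and permits are this example's, and the choice to treat an IPv4-mapped IPv6 client (::ffff:a.b.c.d) as its IPv4 address is the example's assumption, not something the module is documented to do.

```rust
// Added example, not the ip-restriction module's code: the entry parsing,
// CIDR matching and allow/deny decision a filter like this needs.
use std::net::IpAddr;

/// One config entry: an exact address (prefix = full width) or a CIDR range.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct IpRange {
    network: IpAddr,
    prefix: u8,
}

impl IpRange {
    /// Accepts "192.168.1.100", "10.0.0.0/8", "::1" or "2001:db8::/32".
    /// Malformed addresses and prefix lengths beyond the family's width are
    /// rejected so a config typo fails at load time instead of silently
    /// allowing or denying the wrong hosts.
    pub fn parse(entry: &str) -> Result<IpRange, String> {
        let (addr_part, prefix_part) = match entry.split_once('/') {
            Some((a, p)) => (a, Some(p)),
            None => (entry, None),
        };
        let network: IpAddr = addr_part
            .parse()
            .map_err(|e| format!("{entry}: invalid address ({e})"))?;
        let width: u8 = if network.is_ipv4() { 32 } else { 128 };
        let prefix = match prefix_part {
            None => width,
            Some(p) => p
                .parse::<u8>()
                .map_err(|_| format!("{entry}: invalid prefix length"))?,
        };
        if prefix > width {
            return Err(format!("{entry}: prefix length {prefix} exceeds {width}"));
        }
        Ok(IpRange { network, prefix })
    }

    /// True when `ip` lies inside this range. Address families never match
    /// each other, so an IPv4 client is not matched by "::/0".
    pub fn contains(&self, ip: IpAddr) -> bool {
        match (self.network, ip) {
            (IpAddr::V4(net), IpAddr::V4(ip)) => {
                let mask = if self.prefix == 0 { 0 } else { u32::MAX << (32 - self.prefix) };
                (u32::from(net) & mask) == (u32::from(ip) & mask)
            }
            (IpAddr::V6(net), IpAddr::V6(ip)) => {
                let mask = if self.prefix == 0 { 0 } else { u128::MAX << (128 - self.prefix) };
                (u128::from(net) & mask) == (u128::from(ip) & mask)
            }
            _ => false,
        }
    }
}

/// The two mutually exclusive modes of the config.
#[derive(Debug)]
pub enum Policy {
    Allow(Vec<IpRange>),
    Deny(Vec<IpRange>),
}

fn parse_all(entries: &[&str]) -> Result<Vec<IpRange>, String> {
    entries.iter().map(|e| IpRange::parse(e)).collect()
}

impl Policy {
    /// Enforces "exactly one of allow_addresses / deny_addresses".
    pub fn from_config(allow: Option<&[&str]>, deny: Option<&[&str]>) -> Result<Policy, String> {
        match (allow, deny) {
            (Some(a), None) => Ok(Policy::Allow(parse_all(a)?)),
            (None, Some(d)) => Ok(Policy::Deny(parse_all(d)?)),
            (None, None) => Err("one of allow_addresses or deny_addresses is required".into()),
            (Some(_), Some(_)) => Err("allow_addresses and deny_addresses are mutually exclusive".into()),
        }
    }

    /// true = pass the request through, false = answer 403 Forbidden.
    /// A client seen over a dual-stack socket as ::ffff:a.b.c.d is normalised
    /// to a.b.c.d first (this example's assumption) so IPv4 entries apply to it.
    pub fn permits(&self, client: IpAddr) -> bool {
        let client = match client {
            IpAddr::V6(v6) => v6.to_ipv4_mapped().map(IpAddr::V4).unwrap_or(client),
            v4 => v4,
        };
        let (ranges, listed_means_allowed) = match self {
            Policy::Allow(r) => (r, true),
            Policy::Deny(r) => (r, false),
        };
        let listed = ranges.iter().any(|r| r.contains(client));
        listed == listed_means_allowed
    }
}

fn main() {
    // Constructed sample: the "Allow a CIDR Range" config from this README and a few clients.
    let policy = Policy::from_config(Some(&["127.0.0.1", "10.0.0.0/8", "192.168.0.0/16"][..]), None)
        .expect("valid config");
    for client in ["10.20.30.40", "192.168.1.100", "172.16.0.5", "::ffff:10.0.0.1", "::1"] {
        let ip: IpAddr = client.parse().unwrap();
        let status = if policy.permits(ip) { 200 } else { 403 };
        println!("{client:>18} -> {status}");
    }
}
```

The prefix-length check matters more than it looks: a mask built from a prefix wider than the address silently becomes all-zeros or panics, and an allowlist entry that becomes "match everything" is the worst failure mode an access-control filter can have, so reject it at load time.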

Building

This is a Rust dynamic module that must be compiled to a shared library (.so on Linux, .dylib on macOS). The compiled module is loaded by Envoy at runtime.

cargo build --release -p ip-restriction

The compiled library will be at target/release/libip_restriction.{so,dylib}

Note on Dynamic Modules

This extension requires Envoy to be built with dynamic module support. This feature is experimental and may not be available in all Envoy distributions.

Usage Examples

Allow Specific IPs

Only allow requests from localhost and a specific IP

boe run --extension ip-restriction --config '
  {
    "allow_addresses": [
      "127.0.0.1",
      "::1",
      "192.168.1.100"
    ]
  }'

Allow a CIDR Range

Only allow requests from localhost and two private ranges; everything else gets 403

boe run --extension ip-restriction --config '
  {
    "allow_addresses": [
      "127.0.0.1",
      "10.0.0.0/8",
      "192.168.0.0/16"
    ]
  }'

Deny Specific IPs

Block requests from specific IPs; every other source is allowed through

boe run --extension ip-restriction --config '
  {
    "deny_addresses": [
      "192.168.1.50",
      "10.0.0.100"
    ]
  }'

IPv6 Support

IPv4 and IPv6 entries can be mixed in the same list

boe run --extension ip-restriction --config '
  {
    "allow_addresses": [
      "127.0.0.1",
      "::1",
      "2001:db8::1"
    ]
  }'