# Network

For a list of available Network filters, see [Envoy Network Filters](https://github.com/greymatter-io/gm-gitbook-sync/tree/a36d354058c7abbfff58b20908ff27c2ed1c6077/reference/api/fabric-api/filters/network/network.md#available-network-filters).

## Configuration Overview

Network filters are configured in Grey Matter Control API on a per-Listener basis.

Unlike HTTP filters, Network filters cannot be configured once in a Proxy object and applied to multiple listeners. Instead, each Listener must have its own Network filter configuration.

## Example Configuration

To edit the Listener object, run:

```bash
greymatter edit listener <listener-key>
```

The following is an example of configuring a Network filter in a Listener object by specifying values in two of its fields -- the `active_network_filters` field and the `network_filters` field:

```json
{
  "zone_key": "default-zone",
  "listener_key": "listener2",
  "name": "listener2",
  "domain_keys": [
    "domain1"
  ],
  "ip": "0.0.0.0",
  "port": 8080,
  "protocol": "http_auto",
  "active_network_filters": [
    "envoy.tcp_proxy"
  ],
  "network_filters": {
    "envoy_tcp_proxy": {
      "stat_prefix": "tcp_proxy",
      "cluster": "tcp_proxy"
    }
  }
}
```

This configuration tells the corresponding Grey Matter Proxy to enable the `envoy.tcp_proxy` filter for its `listener2` Listener only.

Note that the entries in the `active_network_filters` array use a period after their prefix (`envoy.tcp_proxy`), while the corresponding keys in the `network_filters` object use underscores all the way through (`envoy_tcp_proxy`).

## Known Ordering Dependencies

The following Network filters must not be configured together, and the one that is selected must be configured **last** in the `active_network_filters` array:

* TCP Proxy Filter
* Dubbo Proxy Filter
* Echo Filter

Otherwise, Grey Matter Proxy will reject the Listener configuration update.
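
The naming and ordering rules above can be checked before a Listener is submitted. The following is an added example, not part of Grey Matter or its CLI: `lint_listener` and `config_key` are hypothetical helpers, the period-to-underscore mapping is assumed to hold for every filter, and the "relies on the TCP Proxy filter" rule is taken from the Mongo Proxy and Rate Limit descriptions further down this page.

```python
# Names come from the page's filter table; the sample below is constructed.
TERMINAL = {"envoy.tcp_proxy", "envoy.dubbo_proxy", "envoy.echo"}  # mutually exclusive, must be last
NEEDS_TCP_PROXY = {"envoy.mongo_proxy", "envoy.rate_limit"}        # described as relying on TCP Proxy


def config_key(active_name):
    # Assumption: the network_filters key is the active name with "." replaced by "_".
    return active_name.replace(".", "_")


def lint_listener(listener):
    """Return a list of problems in a Listener's network filter settings."""
    active = listener.get("active_network_filters") or []
    configs = listener.get("network_filters") or {}
    problems = []

    terminal = [n for n in active if n in TERMINAL]
    if len(terminal) > 1:
        problems.append("conflicting filters: " + ", ".join(terminal))
    elif terminal and active[-1] != terminal[0]:
        problems.append(terminal[0] + " must be last")

    for name in active:
        if name in NEEDS_TCP_PROXY and "envoy.tcp_proxy" not in active:
            problems.append(name + " needs envoy.tcp_proxy")

    expected = {config_key(n) for n in active}
    for key in configs:
        if "." in key:
            problems.append("dotted key in network_filters: " + key)
        elif key not in expected:
            # Assumption: a block with no active entry is never enabled.
            problems.append("configured but not active: " + key)
    return problems


# Constructed sample: TCP Proxy is not last, one key uses a period, and the
# RBAC block is configured without being activated.
BAD = {
    "active_network_filters": ["envoy.tcp_proxy", "envoy.mongo_proxy"],
    "network_filters": {"envoy.tcp_proxy": {}, "envoy_mongo_proxy": {}, "envoy_rbac": {}},
}

if __name__ == "__main__":
    for problem in lint_listener(BAD):
        print(problem)
```

The "configured but not active" finding matters most for access-control filters such as `envoy.rbac`, where a policy block that is never activated enforces nothing.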

## Envoy Network Filters

To learn how to enable any of the Envoy Network filters in the Fabric mesh, refer to the [Network Filters configuration overview](https://greymatter.gitbook.io/grey-matter-documentation/1.7-beta/reference/api/fabric-api/filters/network).

The following table lists all Envoy Network filters that may be configured. Some general information on each filter is available; otherwise please refer to the Envoy documentation. Also, some Envoy filters have been excluded due to being marked by Envoy as experimental.

Note that the **Active Filter Name** is a simplified form of the name used in Grey Matter Proxy (e.g. `envoy.header_to_metadata` is used in place of `envoy.filters.http.header_to_metadata`).

### Available Network Filters

| Filter                    | Active Filter Name       | Guide                                                    | Envoy documentation                                                                                                                                                   |
| ------------------------- | ------------------------ | -------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| JWT Security              | `gm.jwt_security_tcp`    | [#jwt-security](#jwt-security)                           |                                                                                                                                                                       |
| Mongo Proxy               | `envoy.mongo_proxy`      | [#mongo-proxy](#mongo-proxy)                             | [External Link](https://www.envoyproxy.io/docs/envoy/v1.15.0/configuration/listeners/network_filters/mongo_proxy_filter#config-network-filters-mongo-proxy)           |
| Rate Limit                | `envoy.rate_limit`       | [#rate-limit](#rate-limit)                               | [External Link](https://www.envoyproxy.io/docs/envoy/v1.15.0/configuration/listeners/network_filters/rate_limit_filter#config-network-filters-rate-limit)             |
| Redis Proxy               | `envoy.redis_proxy`      | [#redis-proxy](#redis-proxy)                             | [External Link](https://www.envoyproxy.io/docs/envoy/v1.15.0/configuration/listeners/network_filters/redis_proxy_filter#config-network-filters-redis-proxy)           |
| Role Based Access Control | `envoy.rbac`             | [#role-based-access-control](#role-based-access-control) | [External Link](https://www.envoyproxy.io/docs/envoy/v1.15.0/configuration/listeners/network_filters/rbac_filter#config-network-filters-rbac)                         |
| TCP Proxy                 | `envoy.tcp_proxy`        | [#tcp-proxy](#tcp-proxy)                                 | [External Link](https://www.envoyproxy.io/docs/envoy/v1.15.0/configuration/listeners/network_filters/tcp_proxy_filter#config-network-filters-tcp-proxy)               |
| SNI Cluster               | `envoy.sni_cluster`      | [#sni-cluster](#sni-cluster)                             | [External Link](https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/extensions/filters/network/sni_cluster/v3/sni_cluster.proto)                                      |
| Client TLS                | `envoy.client_ssl_auth`  | [#client-tls](#client-tls)                               | [External Link](https://www.envoyproxy.io/docs/envoy/v1.15.0/configuration/listeners/network_filters/client_ssl_auth_filter#config-network-filters-client-ssl-auth)   |
| External Authorization    | `envoy.ext_authz`        | [#external-authorization](#external-authorization)       | [External Link](https://www.envoyproxy.io/docs/envoy/v1.15.0/configuration/listeners/network_filters/ext_authz_filter#config-network-filters-ext-authz)               |
| Local Rate Limit          | `envoy.local_rate_limit` | [#local-rate-limit](#local-rate-limit)                   | [External Link](https://www.envoyproxy.io/docs/envoy/v1.15.0/configuration/listeners/network_filters/local_rate_limit_filter#config-network-filters-local-rate-limit) |
| Dubbo Proxy               | `envoy.dubbo_proxy`      | [#dubbo-proxy](#dubbo-proxy)                             | [External Link](https://www.envoyproxy.io/docs/envoy/v1.15.0/configuration/listeners/network_filters/dubbo_proxy_filter#config-network-filters-dubbo-proxy)           |
| Kafka Broker              | `envoy.kafka_broker`     | [#kafka-broker](#kafka-broker)                           | [External Link](https://www.envoyproxy.io/docs/envoy/v1.15.0/configuration/listeners/network_filters/kafka_broker_filter#config-network-filters-kafka-broker)         |
| Echo                      | `envoy.echo`             | [#echo](#echo)                                           | [External Link](https://www.envoyproxy.io/docs/envoy/v1.15.0/configuration/listeners/network_filters/echo_filter#config-network-filters-echo)                         |
| MySQL                     | `envoy.mysql_proxy`      | [#mysql-proxy](#mysql-proxy)                             | [External Link](https://www.envoyproxy.io/docs/envoy/v1.15.0/configuration/listeners/network_filters/mysql_proxy_filter#config-network-filters-mysql-proxy)           |
| Zookeeper                 | `envoy.zookeeper_proxy`  | [#zookeeper-proxy](#zookeeper-proxy)                     | [External Link](https://www.envoyproxy.io/docs/envoy/v1.15.0/configuration/listeners/network_filters/zookeeper_proxy_filter#config-network-filters-zookeeper-proxy)   |
| Thrift                    | `envoy.thrift_proxy`     | [#thrift-proxy](#thrift-proxy)                           | [External Link](https://www.envoyproxy.io/docs/envoy/v1.15.0/configuration/listeners/network_filters/thrift_proxy_filter#config-network-filters-thrift-proxy)         |
| Direct Response           | `envoy.direct_response`  | [#direct-response](#direct-response)                     | [External Link](https://www.envoyproxy.io/docs/envoy/v1.15.0/configuration/listeners/network_filters/direct_response_filter#config-network-filters-direct-response)   |
| Postgres                  | `envoy.postgres_proxy`   | [#postgres-proxy](#postgres-proxy)                       | [External Link](https://www.envoyproxy.io/docs/envoy/v1.15.0/configuration/listeners/network_filters/postgres_proxy_filter#config-network-filters-postgres-proxy)     |
| RocketMQ                  | `envoy.rocketmq_proxy`   | [#rocketmq-proxy](#rocketmq-proxy)                       | [External Link](https://www.envoyproxy.io/docs/envoy/v1.15.0/configuration/listeners/network_filters/rocketmq_proxy_filter#config-network-filters-rocketmq-proxy)     |

## JWT Security

[Full Configuration](https://github.com/greymatter-io/gm-gitbook-sync/tree/a36d354058c7abbfff58b20908ff27c2ed1c6077/reference/api/fabric-api/filters/network/gm-jwt-security-tcp.md)

On incoming requests, the `gm-jwt-security` filter retrieves a [JWT token](http://jwt.io/) from the `/policies` endpoint of the [gm-jwt-security service](https://greymatter.gitbook.io/grey-matter-documentation/1.7-beta/usage/security/jwt), using the distinguished name of the incoming PKI certificate. It then decodes the JWT token and inserts it into filter metadata for use by subsequent filters in the chain.

## Mongo Proxy

A MongoDB sniffing filter that does MongoDB wire format BSON parsing and provides detailed MongoDB operation statistics. It also supports fault injection. It relies on the TCP Proxy filter for its connection.

## Rate Limit

Integrates with a global gRPC rate limiting service such as [Envoy's reference implementation](https://github.com/envoyproxy/ratelimit) to control throughput throughout the Fabric mesh by preventing downstream hosts from overwhelming upstream clusters. It relies on the TCP Proxy filter for its connection.

## Redis Proxy

Enables Envoy as a Redis proxy, partitioning commands among instances in a Redis cluster. It also supports active and passive health checking, hash tagging, prefix routing, downstream client and upstream server authentication, and request mirroring. Many future enhancements are also being planned.

## Role Based Access Control

Allows or denies actions (permissions) by identified downstream clients (principals). It supports configuration using either a safe-list (ALLOW) or block-list (DENY) set of policies based on properties of the connection (IPs, ports, SSL subject, etc).

Unlike the [HTTP RBAC filter](https://github.com/greymatter-io/gm-gitbook-sync/tree/a36d354058c7abbfff58b20908ff27c2ed1c6077/reference/api/fabric-api/filters/network/envoy-rbac.md), policies may not allow or deny a request based on its HTTP headers since this filter operates at the Network level.

## TCP Proxy

Enables basic L3/L4 proxying for 1:1 network connections between downstream clients and upstream clusters. It can be used by itself as an stunnel replacement, or in conjunction with several other network filters.

## SNI Cluster

Uses the SNI value in a TLS connection as the upstream cluster name. The filter will not modify the upstream cluster for non-TLS connections.

## Client TLS

Performs TLS client authentication via principals fetched from a REST VPN service. This filter matches the presented client certificate hash against the principal list to determine whether the connection should be allowed or not. Optional IP white listing can also be configured.

## External Authorization

Calls an external authorization service to check if the incoming request is authorized or not. If the request is deemed unauthorized by the network filter then the connection will be closed.

## Local Rate Limit

Applies a token bucket rate limit to incoming connections that are processed by the filter’s filter chain. Each connection processed by the filter utilizes a single token, and if no tokens are available, the connection will be immediately closed without further filter iteration.

## Dubbo Proxy

Decodes the RPC protocol between dubbo clients and servers. The decoded RPC information is converted to metadata. The metadata includes the basic request ID, request type, serialization type, and the required service name, method name, parameter name, and parameter value for routing.

## Kafka Broker

Decodes the client protocol for Apache Kafka, both the requests and responses in the payload.

## Echo

A trivial network filter meant to demonstrate the network filter API. If installed it will echo (write) all received data back to the connected downstream client.

## MySQL Proxy

> Note: currently experimental only

Decodes the wire protocol between the MySQL client and server. It decodes the SQL queries in the payload (SQL99 format only).

## Zookeeper Proxy

> Note: currently experimental only

Decodes the client protocol for Apache ZooKeeper. It decodes the requests, responses and events in the payload.

## Thrift Proxy

> Note: currently experimental only

Decodes the client protocol for Twitter's [Thrift Protocol](https://twitter.github.io/finagle/docs/com/twitter/finagle/Thrift$).

## Direct Response

Responds to new downstream connections immediately with an optional canned response. It can be used as the terminal filter in a chain to collect telemetry for blocked traffic.

## Postgres Proxy

> Note: currently experimental only

Decodes the wire protocol between the Postgres client and server. It decodes the request to produce Postgres level statistics. The current version does not decode SQL queries.

## RocketMQ Proxy

Proxies requests and responses between [Apache RocketMQ](https://rocketmq.apache.org/) producers/consumers and brokers.
