fix(networkproxy): translate catch-all host "*" to match-any everywhere #338
Merged
A catch-all host ("*") in an egress httpRule was handled as a literal string
instead of "match any host", so catch-all rules silently matched nothing and
produced no enforcement or audit records. The defect had three independent
locations:
1. SNI matcher (tls_chain): httpRuleToSNIPermissions emitted
`requested_server_name: {exact: "*"}`. Envoy compares that literally
against the SNI, which never equals "*", so the shadow_rules produced no
metadata and the access_log CEL
(`'shadow_effective_policy_id' in metadata.filter_metadata[...]`) never
fired for TLS traffic.
2. :authority matcher (http_chain): authorityMatcherForHostPort and
portAgnosticHostRules emitted exact/prefix string matchers on "*", which
likewise never match a real :authority, so plaintext HTTP catch-all rules
produced no audit records either.
3. MITM chain rule scoping (mitm_tls_dns_chain / mitm_tls_ip_chain):
filterHTTPRulesForDomains did an exact domainSet lookup on each host. The
literal "*" was never in a MITM chain's domain set, so the whole rule was
dropped and the MITM HCM emitted no shadow RBAC and no access_log. As a
result, a domain that is both a MITM target and covered by a "*" rule
(e.g. httpbin.org) was audited nowhere: the MITM chain steals its TLS
traffic by SNI, but that chain had no audit rule.
This broke the intended workflow of defaultAction: allow + qualifiers:
[audit] + hosts: ["*"], which is used to discover the set of domains a
legitimate application talks to. The defect is independent of defaultAction
(allow and deny behave identically) and the L7 route virtual_host already
used domains: ["*"] correctly; only RBAC matcher generation and MITM rule
scoping were wrong.
Fix: add isMatchAllHost() and special-case "*" before the suffix-wildcard
(`*.example.com`) and exact-host branches in httpRuleToSNIPermissions,
authorityMatcherForHostPort and portAgnosticHostRules, emitting a match-any
rule (any: true). When an explicit port accompanies "*", the port is still
enforced via the separate destination_port rule. In filterHTTPRulesForDomains
keep a "*" host verbatim so the catch-all rule survives onto every MITM
chain; the reverse pruning (filterHTTPRulesForTLSChain) already keeps "*"
since it matches no MITM target, so the rule also stays on tls_chain/http_chain
for non-MITM domains.
Tests: add TestWildcardHostMatchAll (allow/deny defaults, audit variants),
TestWildcardHostMatchAllWithPort and TestMITMWildcardHostAudit, asserting no
literal exact:"*" matcher is generated, that a match-any rule is present, and
that MITM chains carry shadow RBAC + access_log for catch-all audit rules.
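The three code paths above all fail for the same reason: "*" reaches the exact-host branch and is emitted as a literal matcher that no real SNI or :authority ever equals. The Go program below is an added illustration written for this page, not code from the project; `HTTPRule`, `PermissionRule`, `hostPermissionBuggy`, `hostPermissionFixed`, `rulePermissions`, `matches` and `filterRulesForDomains` are hypothetical, simplified stand-ins for the functions the PR names, and the suffix matcher is assumed to turn `*.example.com` into the suffix `.example.com`. It shows the pre-fix translation matching nothing, the fixed one emitting `any: true` while an explicit port is still enforced via a separate `destination_port` rule, and the MITM domain filter keeping a "*" rule.

```go
package main

import "strings"

// HTTPRule is a hypothetical, simplified egress httpRule: hosts plus an
// optional port (0 means any port).
type HTTPRule struct {
	Hosts []string
	Port  int
}

// PermissionRule is a hypothetical stand-in for an emitted RBAC permission.
// Type is "any", "suffix", "exact" or "destination_port".
type PermissionRule struct {
	Type  string
	Value interface{}
}

// isMatchAllHost reports whether host is the catch-all "*", as opposed to a
// suffix wildcard such as "*.example.com" or an exact host.
func isMatchAllHost(host string) bool {
	return strings.TrimSpace(host) == "*"
}

// hostPermissionBuggy reproduces the pre-fix translation: "*" falls through
// to the exact branch and becomes exact:"*", which nothing ever equals.
func hostPermissionBuggy(host string) PermissionRule {
	if strings.HasPrefix(host, "*.") {
		return PermissionRule{Type: "suffix", Value: host[1:]} // "*.example.com" -> ".example.com"
	}
	return PermissionRule{Type: "exact", Value: host}
}

// hostPermissionFixed checks the catch-all before the suffix and exact
// branches and emits a match-any rule for it.
func hostPermissionFixed(host string) PermissionRule {
	if isMatchAllHost(host) {
		return PermissionRule{Type: "any", Value: true}
	}
	if strings.HasPrefix(host, "*.") {
		return PermissionRule{Type: "suffix", Value: host[1:]}
	}
	return PermissionRule{Type: "exact", Value: host}
}

// rulePermissions emits one host matcher per host plus a separate
// destination_port rule when a port is set, so "*" with a port still has
// the port enforced even though the host side matches anything.
func rulePermissions(r HTTPRule, hostFn func(string) PermissionRule) []PermissionRule {
	var perms []PermissionRule
	for _, h := range r.Hosts {
		perms = append(perms, hostFn(h))
	}
	if r.Port != 0 {
		perms = append(perms, PermissionRule{Type: "destination_port", Value: r.Port})
	}
	return perms
}

// matches evaluates permissions the way a literal matcher would: host
// matchers are OR'd, destination_port is AND'd, only "any" is unconditional.
func matches(perms []PermissionRule, host string, port int) bool {
	hostOK := false
	for _, p := range perms {
		switch p.Type {
		case "any":
			hostOK = true
		case "suffix":
			if strings.HasSuffix(host, p.Value.(string)) {
				hostOK = true
			}
		case "exact":
			if host == p.Value.(string) {
				hostOK = true
			}
		case "destination_port":
			if port != p.Value.(int) {
				return false
			}
		}
	}
	return hostOK
}

// filterRulesForDomains keeps a rule on a MITM chain when one of its hosts
// is in the chain's domain set or is the catch-all "*" (the fixed behaviour;
// the pre-fix version did only the domain-set lookup and dropped "*").
func filterRulesForDomains(rules []HTTPRule, domains map[string]bool) []HTTPRule {
	var kept []HTTPRule
	for _, r := range rules {
		for _, h := range r.Hosts {
			if isMatchAllHost(h) || domains[h] {
				kept = append(kept, r)
				break
			}
		}
	}
	return kept
}
```

With the constructed rule `HTTPRule{Hosts: []string{"*"}, Port: 443}`, `hostPermissionBuggy` yields `exact:"*"` and `matches` returns false for `httpbin.org:443`, whereas `hostPermissionFixed` yields `any:true`, matches `httpbin.org:443` and still rejects `httpbin.org:8443` because of the `destination_port` rule.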
nicke1wh
approved these changes
Jun 12, 2026
Summary

Fix a bug where egress httpRule hosts ["*"] (catch-all) were translated into literal `exact: "*"` string matchers instead of Envoy's `any: true` matcher. This caused catch-all rules to silently match nothing, producing no enforcement or audit records for both plaintext HTTP and TLS traffic.

The defect affected three independent code paths:
1. SNI matcher (httpRuleToSNIPermissions): emitted `requested_server_name: {exact: "*"}`, which never matches real SNI values.
2. :authority matcher (authorityMatcherForHostPort, portAgnosticHostRules): emitted exact/prefix matchers on "*", which never match real :authority values.
3. MITM chain rule scoping (filterHTTPRulesForDomains): dropped "*" rules from MITM chains because "*" was not in the MITM domain set, so MITM-terminated TLS traffic produced no audit records.

Fix
- Add an isMatchAllHost() helper to distinguish "*" from suffix wildcards like "*.example.com".
- Special-case "*" before the suffix/exact branches in SNI and authority matcher generation, emitting `PermissionRule{Type: "any", Value: true}`.
- Keep "*" hosts in filterHTTPRulesForDomains so catch-all rules survive onto every MITM chain; downstream matchers correctly render them as match-any.
- Ports on "*" rules are still enforced via the separate destination_port rule.

Tests
- TestWildcardHostMatchAll: verifies `any: true` and no literal `exact: "*"` for allow/deny defaults and audit variants.
- TestWildcardHostMatchAllWithPort: verifies port binding via destination_port while authority matches any.
- TestMITMWildcardHostAudit: verifies MITM chains carry shadow RBAC + access_log for catch-all audit rules.

Also includes a minor gofmt alignment fix in pkg/lsm/bpfenforcer/enforcer.go.

Impact

Restores the intended behavior of defaultAction: allow + qualifiers: [audit] + hosts: ["*"] for domain discovery, and ensures catch-all allow/deny rules correctly match all egress HTTP/HTTPS traffic.