security: document threat model. (#8906)

* Add an explicit threat model to the end user facing docs, link to this from SECURITY.md * Switch all Envoy extensions to use a new macro `envoy_cc_extension`, mandating that extensions declare a security posture. Extensions can also optionally declare `alpha` or `wip` status. * Tag all documentation sites with their well-known Envoy names. * Introduce tooling to automagically populate a list of known trusted/untrusted extensions in the threat model docs. * Generate API docs for extensions that depend on `google.protobuf.Empty`. This pattern is deprecated as per envoyproxy/envoy#8933, but we need these for tooling support meanwhile. This work was motivated by oss-fuzz issue https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18370 Signed-off-by: Harvey Tuch <[email protected]> Mirrored from https://github.com/envoyproxy/envoy @ 90d1094b32aa017f90cc8efcd379aeb143acabfc
envoyproxy · Nov 11, 2019 · a3a9012 · a3a9012
1 parent cd96bf6
commit a3a9012
Show file tree

Hide file tree

Showing 84 changed files with 104 additions and 3 deletions.
diff --git a/docs/BUILD b/docs/BUILD
@@ -56,11 +56,13 @@ proto_library(
         "//envoy/config/filter/network/ext_authz/v2:pkg",
         "//envoy/config/filter/network/http_connection_manager/v2:pkg",
         "//envoy/config/filter/network/mongo_proxy/v2:pkg",
+        "//envoy/config/filter/network/mysql_proxy/v1alpha1:pkg",
         "//envoy/config/filter/network/rate_limit/v2:pkg",
         "//envoy/config/filter/network/rbac/v2:pkg",
         "//envoy/config/filter/network/redis_proxy/v2:pkg",
         "//envoy/config/filter/network/tcp_proxy/v2:pkg",
         "//envoy/config/filter/network/thrift_proxy/v2alpha1:pkg",
+        "//envoy/config/filter/network/zookeeper_proxy/v1alpha1:pkg",
         "//envoy/config/filter/thrift/rate_limit/v2alpha1:pkg",
         "//envoy/config/filter/thrift/router/v2alpha1:pkg",
         "//envoy/config/grpc_credential/v2alpha:pkg",
@@ -72,6 +74,7 @@ proto_library(
         "//envoy/config/rbac/v2:pkg",
         "//envoy/config/resource_monitor/fixed_heap/v2alpha:pkg",
         "//envoy/config/resource_monitor/injected_resource/v2alpha:pkg",
+        "//envoy/config/retry/previous_priorities:pkg",
         "//envoy/config/trace/v2:pkg",
         "//envoy/config/transport_socket/alts/v2alpha:pkg",
         "//envoy/config/transport_socket/tap/v2alpha:pkg",

diff --git a/envoy/config/accesslog/v2/als.proto b/envoy/config/accesslog/v2/als.proto
@@ -19,6 +19,7 @@ import "validate/validate.proto";
 // :ref:`AccessLog <envoy_api_msg_config.filter.accesslog.v2.AccessLog>`. This configuration will
 // populate :ref:`StreamAccessLogsMessage.http_logs
 // <envoy_api_field_service.accesslog.v2.StreamAccessLogsMessage.http_logs>`.
+// [#extension: envoy.access_loggers.http_grpc]
 message HttpGrpcAccessLogConfig {
   CommonGrpcAccessLogConfig common_config = 1 [(validate.rules).message = {required: true}];
 
@@ -37,6 +38,7 @@ message HttpGrpcAccessLogConfig {
 
 // Configuration for the built-in *envoy.tcp_grpc_access_log* type. This configuration will
 // populate *StreamAccessLogsMessage.tcp_logs*.
+// [#extension: envoy.access_loggers.tcp_grpc]
 message TcpGrpcAccessLogConfig {
   CommonGrpcAccessLogConfig common_config = 1 [(validate.rules).message = {required: true}];
 }

diff --git a/envoy/config/accesslog/v2/file.proto b/envoy/config/accesslog/v2/file.proto
@@ -11,6 +11,7 @@ import "google/protobuf/struct.proto";
 import "validate/validate.proto";
 
 // [#protodoc-title: File access log]
+// [#extension: envoy.access_loggers.file]
 
 // Custom configuration for an :ref:`AccessLog <envoy_api_msg_config.filter.accesslog.v2.AccessLog>`
 // that writes log entries directly to a file. Configures the built-in *envoy.file_access_log*

diff --git a/envoy/config/accesslog/v3alpha/als.proto b/envoy/config/accesslog/v3alpha/als.proto
@@ -19,6 +19,7 @@ import "validate/validate.proto";
 // :ref:`AccessLog <envoy_api_msg_config.filter.accesslog.v3alpha.AccessLog>`. This configuration
 // will populate :ref:`StreamAccessLogsMessage.http_logs
 // <envoy_api_field_service.accesslog.v3alpha.StreamAccessLogsMessage.http_logs>`.
+// [#extension: envoy.access_loggers.http_grpc]
 message HttpGrpcAccessLogConfig {
   CommonGrpcAccessLogConfig common_config = 1 [(validate.rules).message = {required: true}];
 
@@ -37,6 +38,7 @@ message HttpGrpcAccessLogConfig {
 
 // Configuration for the built-in *envoy.tcp_grpc_access_log* type. This configuration will
 // populate *StreamAccessLogsMessage.tcp_logs*.
+// [#extension: envoy.access_loggers.tcp_grpc]
 message TcpGrpcAccessLogConfig {
   CommonGrpcAccessLogConfig common_config = 1 [(validate.rules).message = {required: true}];
 }

diff --git a/envoy/config/accesslog/v3alpha/file.proto b/envoy/config/accesslog/v3alpha/file.proto
@@ -11,6 +11,7 @@ import "google/protobuf/struct.proto";
 import "validate/validate.proto";
 
 // [#protodoc-title: File access log]
+// [#extension: envoy.access_loggers.file]
 
 // Custom configuration for an :ref:`AccessLog
 // <envoy_api_msg_config.filter.accesslog.v3alpha.AccessLog>` that writes log entries directly to a

diff --git a/envoy/config/cluster/dynamic_forward_proxy/v2alpha/cluster.proto b/envoy/config/cluster/dynamic_forward_proxy/v2alpha/cluster.proto
@@ -14,6 +14,7 @@ import "validate/validate.proto";
 
 // Configuration for the dynamic forward proxy cluster. See the :ref:`architecture overview
 // <arch_overview_http_dynamic_forward_proxy>` for more information.
+// [#extension: envoy.clusters.dynamic_forward_proxy]
 message ClusterConfig {
   // The DNS cache configuration that the cluster will attach to. Note this configuration must
   // match that of associated :ref:`dynamic forward proxy HTTP filter configuration

diff --git a/envoy/config/cluster/dynamic_forward_proxy/v3alpha/cluster.proto b/envoy/config/cluster/dynamic_forward_proxy/v3alpha/cluster.proto
@@ -14,6 +14,7 @@ import "validate/validate.proto";
 
 // Configuration for the dynamic forward proxy cluster. See the :ref:`architecture overview
 // <arch_overview_http_dynamic_forward_proxy>` for more information.
+// [#extension: envoy.clusters.dynamic_forward_proxy]
 message ClusterConfig {
   // The DNS cache configuration that the cluster will attach to. Note this configuration must
   // match that of associated :ref:`dynamic forward proxy HTTP filter configuration

diff --git a/envoy/config/cluster/redis/redis_cluster.proto b/envoy/config/cluster/redis/redis_cluster.proto
@@ -48,6 +48,7 @@ import "validate/validate.proto";
 //         cluster_refresh_timeout: 0.5s
 //         redirect_refresh_interval: 10s
 //         redirect_refresh_threshold: 10
+// [#extension: envoy.clusters.redis]
 
 message RedisClusterConfig {
   // Interval between successive topology refresh requests. If not set, this defaults to 5s.

diff --git a/envoy/config/filter/http/adaptive_concurrency/v2alpha/adaptive_concurrency.proto b/envoy/config/filter/http/adaptive_concurrency/v2alpha/adaptive_concurrency.proto
@@ -18,6 +18,7 @@ import "validate/validate.proto";
 // [#protodoc-title: Adaptive Concurrency]
 // Adaptive Concurrency Control :ref:`configuration overview
 // <config_http_filters_adaptive_concurrency>`.
+// [#extension: envoy.filters.http.adaptive_concurrency]
 
 // Configuration parameters for the gradient controller.
 message GradientControllerConfig {

diff --git a/envoy/config/filter/http/adaptive_concurrency/v3alpha/adaptive_concurrency.proto b/envoy/config/filter/http/adaptive_concurrency/v3alpha/adaptive_concurrency.proto
@@ -18,6 +18,7 @@ import "validate/validate.proto";
 // [#protodoc-title: Adaptive Concurrency]
 // Adaptive Concurrency Control :ref:`configuration overview
 // <config_http_filters_adaptive_concurrency>`.
+// [#extension: envoy.filters.http.adaptive_concurrency]
 
 // Configuration parameters for the gradient controller.
 message GradientControllerConfig {

diff --git a/envoy/config/filter/http/buffer/v2/buffer.proto b/envoy/config/filter/http/buffer/v2/buffer.proto
@@ -12,6 +12,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: Buffer]
 // Buffer :ref:`configuration overview <config_http_filters_buffer>`.
+// [#extension: envoy.filters.http.buffer]
 
 message Buffer {
   reserved 2;

diff --git a/envoy/config/filter/http/csrf/v2/csrf.proto b/envoy/config/filter/http/csrf/v2/csrf.proto
@@ -13,6 +13,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: CSRF]
 // Cross-Site Request Forgery :ref:`configuration overview <config_http_filters_csrf>`.
+// [#extension: envoy.filters.http.csrf]
 
 // CSRF filter config.
 message CsrfPolicy {

diff --git a/envoy/config/filter/http/csrf/v3alpha/csrf.proto b/envoy/config/filter/http/csrf/v3alpha/csrf.proto
@@ -13,6 +13,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: CSRF]
 // Cross-Site Request Forgery :ref:`configuration overview <config_http_filters_csrf>`.
+// [#extension: envoy.filters.http.csrf]
 
 // CSRF filter config.
 message CsrfPolicy {

diff --git a/envoy/config/filter/http/dynamic_forward_proxy/v2alpha/dynamic_forward_proxy.proto b/envoy/config/filter/http/dynamic_forward_proxy/v2alpha/dynamic_forward_proxy.proto
@@ -14,6 +14,7 @@ import "validate/validate.proto";
 
 // Configuration for the dynamic forward proxy HTTP filter. See the :ref:`architecture overview
 // <arch_overview_http_dynamic_forward_proxy>` for more information.
+// [#extension: envoy.filters.http.dynamic_forward_proxy]
 message FilterConfig {
   // The DNS cache configuration that the filter will attach to. Note this configuration must
   // match that of associated :ref:`dynamic forward proxy cluster configuration

diff --git a/envoy/config/filter/http/dynamic_forward_proxy/v3alpha/dynamic_forward_proxy.proto b/envoy/config/filter/http/dynamic_forward_proxy/v3alpha/dynamic_forward_proxy.proto
@@ -14,6 +14,7 @@ import "validate/validate.proto";
 
 // Configuration for the dynamic forward proxy HTTP filter. See the :ref:`architecture overview
 // <arch_overview_http_dynamic_forward_proxy>` for more information.
+// [#extension: envoy.filters.http.dynamic_forward_proxy]
 message FilterConfig {
   // The DNS cache configuration that the filter will attach to. Note this configuration must
   // match that of associated :ref:`dynamic forward proxy cluster configuration

diff --git a/envoy/config/filter/http/ext_authz/v2/ext_authz.proto b/envoy/config/filter/http/ext_authz/v2/ext_authz.proto
@@ -16,6 +16,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: External Authorization]
 // External Authorization :ref:`configuration overview <config_http_filters_ext_authz>`.
+// [#extension: envoy.filters.http.ext_authz]
 
 // [#next-free-field: 11]
 message ExtAuthz {

diff --git a/envoy/config/filter/http/ext_authz/v3alpha/ext_authz.proto b/envoy/config/filter/http/ext_authz/v3alpha/ext_authz.proto
@@ -16,6 +16,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: External Authorization]
 // External Authorization :ref:`configuration overview <config_http_filters_ext_authz>`.
+// [#extension: envoy.filters.http.ext_authz]
 
 // [#next-free-field: 11]
 message ExtAuthz {

diff --git a/envoy/config/filter/http/fault/v2/fault.proto b/envoy/config/filter/http/fault/v2/fault.proto
@@ -16,6 +16,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: Fault Injection]
 // Fault Injection :ref:`configuration overview <config_http_filters_fault_injection>`.
+// [#extension: envoy.filters.http.fault]
 
 message FaultAbort {
   reserved 1;

diff --git a/envoy/config/filter/http/fault/v3alpha/fault.proto b/envoy/config/filter/http/fault/v3alpha/fault.proto
@@ -16,6 +16,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: Fault Injection]
 // Fault Injection :ref:`configuration overview <config_http_filters_fault_injection>`.
+// [#extension: envoy.filters.http.fault]
 
 message FaultAbort {
   reserved 1;

diff --git a/envoy/config/filter/http/grpc_http1_reverse_bridge/v2alpha1/config.proto b/envoy/config/filter/http/grpc_http1_reverse_bridge/v2alpha1/config.proto
@@ -11,6 +11,7 @@ import "validate/validate.proto";
 // [#protodoc-title: gRPC HTTP/1.1 Reverse Bridge]
 // gRPC HTTP/1.1 Reverse Bridge :ref:`configuration overview
 // <config_http_filters_grpc_http1_reverse_bridge>`.
+// [#extension: envoy.filters.http.grpc_http1_reverse_bridge]
 
 // gRPC reverse bridge filter configuration
 message FilterConfig {

diff --git a/envoy/config/filter/http/grpc_stats/v2alpha/config.proto b/envoy/config/filter/http/grpc_stats/v2alpha/config.proto
@@ -10,6 +10,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: gRPC statistics] gRPC statistics filter
 // :ref:`configuration overview <config_http_filters_grpc_stats>`.
+// [#extension: envoy.filters.http.grpc_stats]
 
 // gRPC statistics filter configuration
 message FilterConfig {

diff --git a/envoy/config/filter/http/gzip/v2/gzip.proto b/envoy/config/filter/http/gzip/v2/gzip.proto
@@ -12,6 +12,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: Gzip]
 // Gzip :ref:`configuration overview <config_http_filters_gzip>`.
+// [#extension: envoy.filters.http.gzip]
 
 // [#next-free-field: 10]
 message Gzip {

diff --git a/envoy/config/filter/http/header_to_metadata/v2/header_to_metadata.proto b/envoy/config/filter/http/header_to_metadata/v2/header_to_metadata.proto
@@ -14,6 +14,7 @@ import "validate/validate.proto";
 // for matching load balancer subsets, logging, etc.
 //
 // Header to Metadata :ref:`configuration overview <config_http_filters_header_to_metadata>`.
+// [#extension: envoy.filters.http.header_to_metadata]
 
 message Config {
   enum ValueType {

diff --git a/envoy/config/filter/http/health_check/v2/health_check.proto b/envoy/config/filter/http/health_check/v2/health_check.proto
@@ -16,6 +16,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: Health check]
 // Health check :ref:`configuration overview <config_http_filters_health_check>`.
+// [#extension: envoy.filters.http.health_check]
 
 // [#next-free-field: 6]
 message HealthCheck {

diff --git a/envoy/config/filter/http/health_check/v3alpha/health_check.proto b/envoy/config/filter/http/health_check/v3alpha/health_check.proto
@@ -16,6 +16,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: Health check]
 // Health check :ref:`configuration overview <config_http_filters_health_check>`.
+// [#extension: envoy.filters.http.health_check]
 
 // [#next-free-field: 6]
 message HealthCheck {

diff --git a/envoy/config/filter/http/ip_tagging/v2/ip_tagging.proto b/envoy/config/filter/http/ip_tagging/v2/ip_tagging.proto
@@ -12,6 +12,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: IP tagging]
 // IP tagging :ref:`configuration overview <config_http_filters_ip_tagging>`.
+// [#extension: envoy.filters.http.ip_tagging]
 
 message IPTagging {
   // The type of requests the filter should apply to. The supported types

diff --git a/envoy/config/filter/http/ip_tagging/v3alpha/ip_tagging.proto b/envoy/config/filter/http/ip_tagging/v3alpha/ip_tagging.proto
@@ -12,6 +12,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: IP tagging]
 // IP tagging :ref:`configuration overview <config_http_filters_ip_tagging>`.
+// [#extension: envoy.filters.http.ip_tagging]
 
 message IPTagging {
   // The type of requests the filter should apply to. The supported types

diff --git a/envoy/config/filter/http/jwt_authn/v2alpha/config.proto b/envoy/config/filter/http/jwt_authn/v2alpha/config.proto
@@ -17,6 +17,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: JWT Authentication]
 // JWT Authentication :ref:`configuration overview <config_http_filters_jwt_authn>`.
+// [#extension: envoy.filters.http.jwt_authn]
 
 // Please see following for JWT authentication flow:
 //

diff --git a/envoy/config/filter/http/jwt_authn/v3alpha/config.proto b/envoy/config/filter/http/jwt_authn/v3alpha/config.proto
@@ -17,6 +17,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: JWT Authentication]
 // JWT Authentication :ref:`configuration overview <config_http_filters_jwt_authn>`.
+// [#extension: envoy.filters.http.jwt_authn]
 
 // Please see following for JWT authentication flow:
 //

diff --git a/envoy/config/filter/http/lua/v2/lua.proto b/envoy/config/filter/http/lua/v2/lua.proto
@@ -10,6 +10,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: Lua]
 // Lua :ref:`configuration overview <config_http_filters_lua>`.
+// [#extension: envoy.filters.http.lua]
 
 message Lua {
   // The Lua code that Envoy will execute. This can be a very small script that

diff --git a/envoy/config/filter/http/original_src/v2alpha1/original_src.proto b/envoy/config/filter/http/original_src/v2alpha1/original_src.proto
@@ -14,6 +14,7 @@ import "validate/validate.proto";
 // The Original Src filter binds upstream connections to the original source address determined
 // for the request. This address could come from something like the Proxy Protocol filter, or it
 // could come from trusted http headers.
+// [#extension: envoy.filters.http.original_src]
 message OriginalSrc {
   // Sets the SO_MARK option on the upstream connection's socket to the provided value. Used to
   // ensure that non-local addresses may be routed back through envoy when binding to the original

diff --git a/envoy/config/filter/http/rate_limit/v2/rate_limit.proto b/envoy/config/filter/http/rate_limit/v2/rate_limit.proto
@@ -14,6 +14,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: Rate limit]
 // Rate limit :ref:`configuration overview <config_http_filters_rate_limit>`.
+// [#extension: envoy.filters.http.ratelimit]
 
 // [#next-free-field: 8]
 message RateLimit {

diff --git a/envoy/config/filter/http/rate_limit/v3alpha/rate_limit.proto b/envoy/config/filter/http/rate_limit/v3alpha/rate_limit.proto
@@ -14,6 +14,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: Rate limit]
 // Rate limit :ref:`configuration overview <config_http_filters_rate_limit>`.
+// [#extension: envoy.filters.http.ratelimit]
 
 // [#next-free-field: 8]
 message RateLimit {

diff --git a/envoy/config/filter/http/rbac/v2/rbac.proto b/envoy/config/filter/http/rbac/v2/rbac.proto
@@ -12,6 +12,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: RBAC]
 // Role-Based Access Control :ref:`configuration overview <config_http_filters_rbac>`.
+// [#extension: envoy.filters.http.rbac]
 
 // RBAC filter config.
 message RBAC {

diff --git a/envoy/config/filter/http/rbac/v3alpha/rbac.proto b/envoy/config/filter/http/rbac/v3alpha/rbac.proto
@@ -12,6 +12,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: RBAC]
 // Role-Based Access Control :ref:`configuration overview <config_http_filters_rbac>`.
+// [#extension: envoy.filters.http.rbac]
 
 // RBAC filter config.
 message RBAC {

diff --git a/envoy/config/filter/http/router/v2/router.proto b/envoy/config/filter/http/router/v2/router.proto
@@ -14,6 +14,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: Router]
 // Router :ref:`configuration overview <config_http_filters_router>`.
+// [#extension: envoy.filters.http.router]
 
 // [#next-free-field: 7]
 message Router {

diff --git a/envoy/config/filter/http/router/v3alpha/router.proto b/envoy/config/filter/http/router/v3alpha/router.proto
@@ -14,6 +14,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: Router]
 // Router :ref:`configuration overview <config_http_filters_router>`.
+// [#extension: envoy.filters.http.router]
 
 // [#next-free-field: 7]
 message Router {

diff --git a/envoy/config/filter/http/squash/v2/squash.proto b/envoy/config/filter/http/squash/v2/squash.proto
@@ -13,6 +13,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: Squash]
 // Squash :ref:`configuration overview <config_http_filters_squash>`.
+// [#extension: envoy.filters.http.squash]
 
 // [#next-free-field: 6]
 message Squash {

diff --git a/envoy/config/filter/http/tap/v2alpha/tap.proto b/envoy/config/filter/http/tap/v2alpha/tap.proto
@@ -12,6 +12,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: Tap]
 // Tap :ref:`configuration overview <config_http_filters_tap>`.
+// [#extension: envoy.filters.http.tap]
 
 // Top level configuration for the tap filter.
 message Tap {

diff --git a/envoy/config/filter/http/tap/v3alpha/tap.proto b/envoy/config/filter/http/tap/v3alpha/tap.proto
@@ -12,6 +12,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: Tap]
 // Tap :ref:`configuration overview <config_http_filters_tap>`.
+// [#extension: envoy.filters.http.tap]
 
 // Top level configuration for the tap filter.
 message Tap {

diff --git a/envoy/config/filter/http/transcoder/v2/transcoder.proto b/envoy/config/filter/http/transcoder/v2/transcoder.proto
@@ -10,6 +10,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: gRPC-JSON transcoder]
 // gRPC-JSON transcoder :ref:`configuration overview <config_http_filters_grpc_json_transcoder>`.
+// [#extension: envoy.filters.http.grpc_json_transcoder]
 
 // [#next-free-field: 10]
 message GrpcJsonTranscoder {

diff --git a/envoy/config/filter/listener/original_src/v2alpha1/original_src.proto b/envoy/config/filter/listener/original_src/v2alpha1/original_src.proto
@@ -10,6 +10,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: Original Src Filter]
 // Use the Original source address on upstream connections.
+// [#extension: envoy.filters.listener.original_src]
 
 // The Original Src filter binds upstream connections to the original source address determined
 // for the connection. This address could come from something like the Proxy Protocol filter, or it

diff --git a/envoy/config/filter/network/client_ssl_auth/v2/client_ssl_auth.proto b/envoy/config/filter/network/client_ssl_auth/v2/client_ssl_auth.proto
@@ -15,6 +15,7 @@ import "validate/validate.proto";
 // [#protodoc-title: Client TLS authentication]
 // Client TLS authentication
 // :ref:`configuration overview <config_network_filters_client_ssl_auth>`.
+// [#extension: envoy.filters.network.client_ssl_auth]
 
 message ClientSSLAuth {
   // The :ref:`cluster manager <arch_overview_cluster_manager>` cluster that runs

diff --git a/envoy/config/filter/network/client_ssl_auth/v3alpha/client_ssl_auth.proto b/envoy/config/filter/network/client_ssl_auth/v3alpha/client_ssl_auth.proto
@@ -15,6 +15,7 @@ import "validate/validate.proto";
 // [#protodoc-title: Client TLS authentication]
 // Client TLS authentication
 // :ref:`configuration overview <config_network_filters_client_ssl_auth>`.
+// [#extension: envoy.filters.network.client_ssl_auth]
 
 message ClientSSLAuth {
   // The :ref:`cluster manager <arch_overview_cluster_manager>` cluster that runs

diff --git a/envoy/config/filter/network/dubbo_proxy/v2alpha1/dubbo_proxy.proto b/envoy/config/filter/network/dubbo_proxy/v2alpha1/dubbo_proxy.proto
@@ -14,6 +14,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: Dubbo Proxy]
 // Dubbo Proxy :ref:`configuration overview <config_network_filters_dubbo_proxy>`.
+// [#extension: envoy.filters.network.dubbo_proxy]
 
 // Dubbo Protocol types supported by Envoy.
 enum ProtocolType {

diff --git a/envoy/config/filter/network/dubbo_proxy/v3alpha/dubbo_proxy.proto b/envoy/config/filter/network/dubbo_proxy/v3alpha/dubbo_proxy.proto
@@ -14,6 +14,7 @@ import "validate/validate.proto";
 
 // [#protodoc-title: Dubbo Proxy]
 // Dubbo Proxy :ref:`configuration overview <config_network_filters_dubbo_proxy>`.
+// [#extension: envoy.filters.network.dubbo_proxy]
 
 // Dubbo Protocol types supported by Envoy.
 enum ProtocolType {