line · github-actions · Apr 6, 2026
@@ -59,7 +59,7 @@ message ServerInfo {
   config.core.v3.Node node = 7;
 }
 
-// [#next-free-field: 42]
+// [#next-free-field: 43]
 message CommandLineOptions {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.admin.v2alpha.CommandLineOptions";
@@ -161,6 +161,9 @@ message CommandLineOptions {
   // See :option:`--file-flush-interval-msec` for details.
   google.protobuf.Duration file_flush_interval = 16;
 
+  // See :option:`--file-flush-min-size-kb` for details.
+  uint32 file_flush_min_size = 42;
+
   // See :option:`--drain-time-s` for details.
   google.protobuf.Duration drain_time = 17;
 

@@ -108,6 +108,9 @@ message ComparisonFilter {
 
     // <=
     LE = 2;
+
+    // !=
+    NE = 3;
   }
 
   // Comparison operator.

@@ -22,6 +22,7 @@ import "google/protobuf/struct.proto";
 import "google/protobuf/wrappers.proto";
 
 import "xds/core/v3/collection_entry.proto";
+import "xds/type/matcher/v3/matcher.proto";
 
 import "envoy/annotations/deprecation.proto";
 import "udpa/annotations/migrate.proto";
@@ -45,7 +46,7 @@ message ClusterCollection {
 }
 
 // Configuration for a single upstream cluster.
-// [#next-free-field: 59]
+// [#next-free-field: 60]
 message Cluster {
   option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.Cluster";
 
@@ -747,6 +748,9 @@ message Cluster {
     // If both this and preconnect_ratio are set, Envoy will make sure both predicted needs are met,
     // basically preconnecting max(predictive-preconnect, per-upstream-preconnect), for each
     // upstream.
+    //
+    // This is limited somewhat arbitrarily to 3 because preconnecting too aggressively can
+    // harm latency more than the preconnecting helps.
     google.protobuf.DoubleValue predictive_preconnect_ratio = 2
         [(validate.rules).double = {lte: 3.0 gte: 1.0}];
   }
@@ -809,6 +813,41 @@ message Cluster {
   // [#comment:TODO(incfly): add a detailed architecture doc on intended usage.]
   repeated TransportSocketMatch transport_socket_matches = 43;
 
+  // Optional matcher that selects a transport socket from
+  // :ref:`transport_socket_matches <envoy_v3_api_field_config.cluster.v3.Cluster.transport_socket_matches>`.
+  //
+  // This matcher uses the generic xDS matcher framework to select a named transport socket
+  // based on various inputs available at transport socket selection time.
+  //
+  // Supported matching inputs:
+  //
+  // * ``endpoint_metadata``: Extract values from the selected endpoint's metadata.
+  // * ``locality_metadata``: Extract values from the endpoint's locality metadata.
+  // * ``transport_socket_filter_state``: Extract values from filter state that was explicitly shared from
+  //   downstream to upstream via ``TransportSocketOptions``. This enables flexible
+  //   downstream-connection-based matching, such as:
+  //
+  //   - Network namespace matching.
+  //   - Custom connection attributes.
+  //   - Any data explicitly passed via filter state.
+  //
+  // .. note::
+  //   Filter state sharing follows the same pattern as tunneling in Envoy. Filters must explicitly
+  //   share data by setting filter state with the appropriate sharing mode. The filter state is
+  //   then accessible via the ``transport_socket_filter_state`` input during transport socket selection.
+  //
+  // If this field is set, it takes precedence over legacy metadata-based selection
+  // performed by :ref:`transport_socket_matches
+  // <envoy_v3_api_field_config.cluster.v3.Cluster.transport_socket_matches>` alone.
+  // If the matcher does not yield a match, Envoy uses the default transport socket
+  // configured for the cluster.
+  //
+  // When using this field, each entry in
+  // :ref:`transport_socket_matches <envoy_v3_api_field_config.cluster.v3.Cluster.transport_socket_matches>`
+  // must have a unique ``name``. The matcher outcome is expected to reference one of
+  // these names.
+  xds.type.matcher.v3.Matcher transport_socket_matcher = 59;
+
   // Supplies the name of the cluster which must be unique across all clusters.
   // The cluster name is used when emitting
   // :ref:`statistics <config_cluster_manager_cluster_stats>` if :ref:`alt_stat_name

@@ -115,16 +115,18 @@ message TcpKeepalive {
 
   // Maximum number of keepalive probes to send without response before deciding
   // the connection is dead. Default is to use the OS level configuration (unless
-  // overridden, Linux defaults to 9.)
+  // overridden, Linux defaults to 9.) Setting this to ``0`` disables TCP keepalive.
   google.protobuf.UInt32Value keepalive_probes = 1;
 
   // The number of seconds a connection needs to be idle before keep-alive probes
   // start being sent. Default is to use the OS level configuration (unless
-  // overridden, Linux defaults to 7200s (i.e., 2 hours.)
+  // overridden, Linux defaults to 7200s (i.e., 2 hours.) Setting this to ``0`` disables
+  // TCP keepalive.
   google.protobuf.UInt32Value keepalive_time = 2;
 
   // The number of seconds between keep-alive probes. Default is to use the OS
-  // level configuration (unless overridden, Linux defaults to 75s.)
+  // level configuration (unless overridden, Linux defaults to 75s.) Setting this to
+  // ``0`` disables TCP keepalive.
   google.protobuf.UInt32Value keepalive_interval = 3;
 }
 

@@ -0,0 +1,63 @@
+syntax = "proto3";
+
+package envoy.config.core.v3;
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.envoy.config.core.v3";
+option java_outer_classname = "CelProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: CEL Expression Configuration]
+
+// CEL expression evaluation configuration.
+// These options control the behavior of the Common Expression Language runtime for
+// individual CEL expressions.
+message CelExpressionConfig {
+  // Enable string conversion functions for CEL expressions. When enabled, CEL expressions
+  // can convert values to strings using the ``string()`` function.
+  //
+  // .. attention::
+  //
+  //   This option is disabled by default to avoid unbounded memory allocation.
+  //   CEL evaluation cost is typically bounded by the expression size, but converting
+  //   arbitrary values (e.g., large messages, lists, or maps) to strings may allocate
+  //   memory proportional to input data size, which can be unbounded and lead to
+  //   memory exhaustion.
+  bool enable_string_conversion = 1;
+
+  // Enable string concatenation for CEL expressions. When enabled, CEL expressions
+  // can concatenate strings using the ``+`` operator.
+  //
+  // .. attention::
+  //
+  //   This option is disabled by default to avoid unbounded memory allocation.
+  //   While CEL normally bounds evaluation by expression size, enabling string
+  //   concatenation allows building outputs whose size depends on input data,
+  //   potentially causing large intermediate allocations and memory exhaustion.
+  bool enable_string_concat = 2;
+
+  // Enable string manipulation functions for CEL expressions. When enabled, CEL
+  // expressions can use additional string functions:
+  //
+  // * ``replace(old, new)`` - Replaces all occurrences of ``old`` with ``new``.
+  // * ``split(separator)`` - Splits a string into a list of substrings.
+  // * ``lowerAscii()`` - Converts ASCII characters to lowercase.
+  // * ``upperAscii()`` - Converts ASCII characters to uppercase.
+  //
+  // .. note::
+  //
+  //   Standard CEL string functions like ``contains()``, ``startsWith()``, and
+  //   ``endsWith()`` are always available regardless of this setting.
+  //
+  // .. attention::
+  //
+  //   This option is disabled by default to avoid unbounded memory allocation.
+  //   Although CEL generally bounds evaluation by expression size, functions such as
+  //   ``replace``, ``split``, ``lowerAscii()``, and ``upperAscii()`` can allocate memory
+  //   proportional to input data size. Under adversarial inputs this can lead to
+  //   unbounded allocations and memory exhaustion.
+  bool enable_string_functions = 3;
+}
@@ -45,10 +45,20 @@ message GrpcService {
         [(validate.rules).string =
              {min_len: 0 max_bytes: 16384 well_known_regex: HTTP_HEADER_VALUE strict: false}];
 
-    // Indicates the retry policy for re-establishing the gRPC stream
-    // This field is optional. If max interval is not provided, it will be set to ten times the provided base interval.
-    // Currently only supported for xDS gRPC streams.
-    // If not set, xDS gRPC streams default base interval:500ms, maximum interval:30s will be applied.
+    // Specifies the retry backoff policy for re-establishing long‑lived xDS gRPC streams.
+    //
+    // This field is optional. If ``retry_back_off.max_interval`` is not provided, it will be set to
+    // ten times the configured ``retry_back_off.base_interval``.
+    //
+    // .. note::
+    //
+    //   This field is only honored for management‑plane xDS gRPC streams created from
+    //   :ref:`ApiConfigSource <envoy_v3_api_msg_config.core.v3.ApiConfigSource>` that use
+    //   ``envoy_grpc``. Data‑plane gRPC clients (for example external authorization or external
+    //   processing filters) must use :ref:`GrpcService.retry_policy
+    //   <envoy_v3_api_field_config.core.v3.GrpcService.retry_policy>` instead.
+    //
+    // If not set, xDS gRPC streams default to a base interval of 500ms and a maximum interval of 30s.
     RetryPolicy retry_policy = 3;
 
     // Maximum gRPC message size that is allowed to be received.
@@ -329,7 +339,17 @@ message GrpcService {
   // <config_http_conn_man_headers_custom_request_headers>`.
   repeated HeaderValue initial_metadata = 5;
 
-  // Optional default retry policy for streams toward the service.
-  // If an async stream doesn't have retry policy configured in its stream options, this retry policy is used.
+  // Optional default retry policy for RPCs or streams initiated toward this gRPC service.
+  //
+  // If an async stream does not have a retry policy configured in its per‑stream options, this
+  // policy is used as the default.
+  //
+  // .. note::
+  //
+  //   This field is only applied by Envoy gRPC (``envoy_grpc``) clients. Google gRPC
+  //   (``google_grpc``) clients currently ignore this field.
+  //
+  // If not specified, no default retry policy is applied at the client level and retries only occur
+  // when explicitly configured in per‑stream options.
   RetryPolicy retry_policy = 6;
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -108,6 +108,9 @@ message ComparisonFilter { @@
         // <=
         LE = 2;
+        // !=
+        NE = 3;
       }
       // Comparison operator.
@@ Expand Down @@