xds: move the unsupported filterChainMatch matchers to the ranking stage for correct outcomes (#8219)

xds/src/main/java/io/grpc/xds/EnvoyServerProtoData.java

@@ -228,6 +228,8 @@ public final class EnvoyServerProtoData {
     private final List<CidrRange> sourcePrefixRanges;
     private final ConnectionSourceType sourceType;
     private final List<Integer> sourcePorts;
+    private final List<String> serverNames;
+    private final String transportProtocol;
 
     @VisibleForTesting
     FilterChainMatch(
@@ -236,13 +238,17 @@ public final class EnvoyServerProtoData {
         List<String> applicationProtocols,
         List<CidrRange> sourcePrefixRanges,
         ConnectionSourceType sourceType,
-        List<Integer> sourcePorts) {
+        List<Integer> sourcePorts,
+        List<String> serverNames,
+        String transportProtocol) {
       this.destinationPort = destinationPort;
       this.prefixRanges = Collections.unmodifiableList(prefixRanges);
       this.applicationProtocols = Collections.unmodifiableList(applicationProtocols);
       this.sourcePrefixRanges = sourcePrefixRanges;
       this.sourceType = sourceType;
       this.sourcePorts = sourcePorts;
+      this.serverNames = Collections.unmodifiableList(serverNames);
+      this.transportProtocol = transportProtocol;
     }
 
     static FilterChainMatch fromEnvoyProtoFilterChainMatch(
@@ -274,13 +280,19 @@ public final class EnvoyServerProtoData {
         default:
           throw new InvalidProtocolBufferException("Unknown source-type:" + proto.getSourceType());
       }
+      List<String> serverNames = new ArrayList<>();
+      for (String serverName : proto.getServerNamesList()) {
+        serverNames.add(serverName);
+      }
       return new FilterChainMatch(
           proto.getDestinationPort().getValue(),
           prefixRanges,
           applicationProtocols,
           sourcePrefixRanges,
           sourceType,
-          proto.getSourcePortsList());
+          proto.getSourcePortsList(),
+          serverNames,
+          proto.getTransportProtocol());
     }
 
     public int getDestinationPort() {
@@ -307,6 +319,14 @@ public final class EnvoyServerProtoData {
       return sourcePorts;
     }
 
+    public List<String> getServerNames() {
+      return serverNames;
+    }
+
+    public String getTransportProtocol() {
+      return transportProtocol;
+    }
+
     @Override
     public boolean equals(Object o) {
       if (this == o) {
@@ -321,7 +341,9 @@ public final class EnvoyServerProtoData {
           && Objects.equals(applicationProtocols, that.applicationProtocols)
           && Objects.equals(sourcePrefixRanges, that.sourcePrefixRanges)
           && sourceType == that.sourceType
-          && Objects.equals(sourcePorts, that.sourcePorts);
+          && Objects.equals(sourcePorts, that.sourcePorts)
+          && Objects.equals(serverNames, that.serverNames)
+          && Objects.equals(transportProtocol, that.transportProtocol);
     }
 
     @Override
@@ -332,7 +354,9 @@ public final class EnvoyServerProtoData {
           applicationProtocols,
           sourcePrefixRanges,
           sourceType,
-          sourcePorts);
+          sourcePorts,
+          serverNames,
+          transportProtocol);
     }
 
     @Override
@@ -344,6 +368,8 @@ public final class EnvoyServerProtoData {
               .add("sourcePrefixRanges", sourcePrefixRanges)
               .add("sourceType", sourceType)
               .add("sourcePorts", sourcePorts)
+              .add("serverNames", serverNames)
+              .add("transportProtocol", transportProtocol)
               .toString();
     }
   }
@@ -559,32 +585,12 @@ public final class EnvoyServerProtoData {
       List<FilterChain> filterChains = new ArrayList<>(inputFilterChains.size());
       for (io.envoyproxy.envoy.config.listener.v3.FilterChain filterChain :
           inputFilterChains) {
-        if (isAcceptable(filterChain.getFilterChainMatch())) {
         filterChains
             .add(FilterChain.fromEnvoyProtoFilterChain(filterChain, tlsContextManager, false));
       }
-      }
       return filterChains;
     }
 
-    // check if a filter is acceptable for gRPC server side processing
-    private static boolean isAcceptable(
-        io.envoyproxy.envoy.config.listener.v3.FilterChainMatch filterChainMatch) {
-      // reject if filer-chain-match
-      // - has server_name
-      // - transport protocol is other than "raw_buffer"
-      // - application_protocols is non-empty
-      if (!filterChainMatch.getServerNamesList().isEmpty()) {
-        return false;
-      }
-      String transportProtocol = filterChainMatch.getTransportProtocol();
-      if (!transportProtocol.isEmpty() && !"raw_buffer".equals(transportProtocol)) {
-        return false;
-      }
-      List<String> appProtocols = filterChainMatch.getApplicationProtocolsList();
-      return appProtocols.isEmpty();
-    }
-
     public String getName() {
       return name;
     }

xds/src/main/java/io/grpc/xds/XdsClientWrapperForServerSds.java

@@ -20,6 +20,7 @@ import static com.google.common.base.Preconditions.checkNotNull;
 import static com.google.common.base.Preconditions.checkState;
 
 import com.google.common.annotations.VisibleForTesting;
+import com.google.common.base.Strings;
 import com.google.common.collect.ImmutableSet;
 import com.google.protobuf.UInt32Value;
 import io.grpc.Internal;
@@ -223,6 +224,9 @@ public final class XdsClientWrapperForServerSds {
 
     filterChains = filterOnDestinationPort(filterChains);
     filterChains = filterOnIpAddress(filterChains, localInetAddr.getAddress(), true);
+    filterChains = filterOnServerNames(filterChains);
+    filterChains = filterOnTransportProtocol(filterChains);
+    filterChains = filterOnApplicationProtocols(filterChains);
     filterChains =
         filterOnSourceType(filterChains, remoteInetAddr.getAddress(), localInetAddr.getAddress());
     filterChains = filterOnIpAddress(filterChains, remoteInetAddr.getAddress(), false);
@@ -237,6 +241,46 @@ public final class XdsClientWrapperForServerSds {
     return listener.getDefaultFilterChain().getSslContextProviderSupplier();
   }
 
+  // reject if filer-chain-match has non-empty application_protocols
+  private static List<FilterChain> filterOnApplicationProtocols(List<FilterChain> filterChains) {
+    ArrayList<FilterChain> filtered = new ArrayList<>(filterChains.size());
+    for (FilterChain filterChain : filterChains) {
+      FilterChainMatch filterChainMatch = filterChain.getFilterChainMatch();
+
+      if (filterChainMatch.getApplicationProtocols().isEmpty()) {
+        filtered.add(filterChain);
+      }
+    }
+    return filtered;
+  }
+
+  // reject if filer-chain-match has non-empty transport protocol other than "raw_buffer"
+  private static List<FilterChain> filterOnTransportProtocol(List<FilterChain> filterChains) {
+    ArrayList<FilterChain> filtered = new ArrayList<>(filterChains.size());
+    for (FilterChain filterChain : filterChains) {
+      FilterChainMatch filterChainMatch = filterChain.getFilterChainMatch();
+
+      String transportProtocol = filterChainMatch.getTransportProtocol();
+      if ( Strings.isNullOrEmpty(transportProtocol) || "raw_buffer".equals(transportProtocol)) {
+        filtered.add(filterChain);
+      }
+    }
+    return filtered;
+  }
+
+  // reject if filer-chain-match has server_name(s)
+  private static List<FilterChain> filterOnServerNames(List<FilterChain> filterChains) {
+    ArrayList<FilterChain> filtered = new ArrayList<>(filterChains.size());
+    for (FilterChain filterChain : filterChains) {
+      FilterChainMatch filterChainMatch = filterChain.getFilterChainMatch();
+
+      if (filterChainMatch.getServerNames().isEmpty()) {
+        filtered.add(filterChain);
+      }
+    }
+    return filtered;
+  }
+
   // destination_port present => Always fail match
   private static List<FilterChain> filterOnDestinationPort(List<FilterChain> filterChains) {
     ArrayList<FilterChain> filtered = new ArrayList<>(filterChains.size());

xds/src/test/java/io/grpc/xds/EnvoyServerProtoDataTest.java

@@ -36,6 +36,7 @@ import io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext;
 import io.grpc.xds.EnvoyServerProtoData.Listener;
 import io.grpc.xds.internal.sds.CommonTlsContextTestsUtil;
 import io.grpc.xds.internal.sds.SslContextProviderSupplier;
+import java.util.Arrays;
 import java.util.List;
 import org.junit.Test;
 import org.junit.runner.RunWith;
@@ -75,7 +76,11 @@ public class EnvoyServerProtoDataTest {
     EnvoyServerProtoData.FilterChainMatch inFilterChainMatch = inFilter.getFilterChainMatch();
     assertThat(inFilterChainMatch).isNotNull();
     assertThat(inFilterChainMatch.getDestinationPort()).isEqualTo(8000);
-    assertThat(inFilterChainMatch.getApplicationProtocols()).isEmpty();
+    assertThat(inFilterChainMatch.getApplicationProtocols())
+        .containsExactlyElementsIn(Arrays.asList("managed-mtls", "h2"));
+    assertThat(inFilterChainMatch.getServerNames())
+        .containsExactlyElementsIn(Arrays.asList("server1", "server2"));
+    assertThat(inFilterChainMatch.getTransportProtocol()).isEqualTo("tls");
     assertThat(inFilterChainMatch.getPrefixRanges())
         .containsExactly(new EnvoyServerProtoData.CidrRange("10.20.0.15", 32));
     assertThat(inFilterChainMatch.getSourcePrefixRanges())
@@ -111,6 +116,9 @@ public class EnvoyServerProtoDataTest {
             .setFilterChainMatch(
                 FilterChainMatch.newBuilder()
                     .setDestinationPort(UInt32Value.of(8000))
+                    .addAllServerNames(Arrays.asList("server1", "server2"))
+                    .setTransportProtocol("tls")
+                    .addAllApplicationProtocols(Arrays.asList("managed-mtls", "h2"))
                     .addPrefixRanges(CidrRange.newBuilder()
                         .setAddressPrefix("10.20.0.15")
                         .setPrefixLen(UInt32Value.of(32))

xds/src/test/java/io/grpc/xds/FilterChainMatchTest.java

@@ -18,9 +18,20 @@ package io.grpc.xds;
 
 import static com.google.common.truth.Truth.assertThat;
 import static org.junit.Assert.fail;
+import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
+import com.google.protobuf.Any;
 import com.google.protobuf.InvalidProtocolBufferException;
+import com.google.protobuf.UInt32Value;
+import io.envoyproxy.envoy.config.core.v3.Address;
+import io.envoyproxy.envoy.config.core.v3.CidrRange;
+import io.envoyproxy.envoy.config.core.v3.SocketAddress;
+import io.envoyproxy.envoy.config.core.v3.TrafficDirection;
+import io.envoyproxy.envoy.config.core.v3.TransportSocket;
+import io.envoyproxy.envoy.config.listener.v3.Filter;
+import io.envoyproxy.envoy.config.listener.v3.FilterChain;
+import io.envoyproxy.envoy.config.listener.v3.FilterChainMatch;
 import io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext;
 import io.grpc.xds.internal.sds.CommonTlsContextTestsUtil;
 import io.grpc.xds.internal.sds.SslContextProviderSupplier;
@@ -87,7 +98,9 @@ public class FilterChainMatchTest {
             Arrays.<String>asList(),
             Arrays.<EnvoyServerProtoData.CidrRange>asList(),
             EnvoyServerProtoData.ConnectionSourceType.ANY,
-            Arrays.<Integer>asList());
+            Arrays.<Integer>asList(),
+            Arrays.<String>asList(),
+            null);
     DownstreamTlsContext tlsContext =
         CommonTlsContextTestsUtil.buildTestInternalDownstreamTlsContext("CERT1", "VA1");
     EnvoyServerProtoData.FilterChain filterChain =
@@ -110,17 +123,24 @@ public class FilterChainMatchTest {
             Arrays.asList("managed-mtls"),
             Arrays.<EnvoyServerProtoData.CidrRange>asList(),
             EnvoyServerProtoData.ConnectionSourceType.ANY,
-            Arrays.<Integer>asList());
+            Arrays.<Integer>asList(),
+            Arrays.<String>asList(),
+            null);
     DownstreamTlsContext tlsContext =
         CommonTlsContextTestsUtil.buildTestInternalDownstreamTlsContext("CERT1", "VA1");
     EnvoyServerProtoData.FilterChain filterChain =
         new EnvoyServerProtoData.FilterChain(filterChainMatch, tlsContext, tlsContextManager);
+    DownstreamTlsContext defaultTlsContext =
+        CommonTlsContextTestsUtil.buildTestInternalDownstreamTlsContext("CERT2", "VA2");
+    EnvoyServerProtoData.FilterChain defaultFilterChain =
+        new EnvoyServerProtoData.FilterChain(null, defaultTlsContext, tlsContextManager);
     EnvoyServerProtoData.Listener listener =
-        new EnvoyServerProtoData.Listener("listener1", LOCAL_IP, Arrays.asList(filterChain), null);
+        new EnvoyServerProtoData.Listener("listener1", LOCAL_IP, Arrays.asList(filterChain),
+            defaultFilterChain);
     XdsClient.LdsUpdate listenerUpdate = new XdsClient.LdsUpdate(listener);
     registeredWatcher.onChanged(listenerUpdate);
     DownstreamTlsContext tlsContext1 = getDownstreamTlsContext();
-    assertThat(tlsContext1).isSameInstanceAs(tlsContext);
+    assertThat(tlsContext1).isSameInstanceAs(defaultTlsContext);
   }
 
   @Test
@@ -151,7 +171,9 @@ public class FilterChainMatchTest {
             Arrays.asList("managed-mtls"),
             Arrays.<EnvoyServerProtoData.CidrRange>asList(),
             EnvoyServerProtoData.ConnectionSourceType.ANY,
-            Arrays.<Integer>asList());
+            Arrays.<Integer>asList(),
+            Arrays.<String>asList(),
+            null);
     EnvoyServerProtoData.FilterChain filterChainWithDestPort =
         new EnvoyServerProtoData.FilterChain(filterChainMatchWithDestPort, tlsContextWithDestPort,
             tlsContextManager);
@@ -181,7 +203,9 @@ public class FilterChainMatchTest {
             Arrays.<String>asList(),
             Arrays.<EnvoyServerProtoData.CidrRange>asList(),
             EnvoyServerProtoData.ConnectionSourceType.ANY,
-            Arrays.<Integer>asList());
+            Arrays.<Integer>asList(),
+            Arrays.<String>asList(),
+            null);
     EnvoyServerProtoData.FilterChain filterChainWithMatch =
         new EnvoyServerProtoData.FilterChain(filterChainMatchWithMatch, tlsContextMatch,
             tlsContextManager);
@@ -213,7 +237,9 @@ public class FilterChainMatchTest {
             Arrays.<String>asList(),
             Arrays.<EnvoyServerProtoData.CidrRange>asList(),
             EnvoyServerProtoData.ConnectionSourceType.ANY,
-            Arrays.<Integer>asList());
+            Arrays.<Integer>asList(),
+            Arrays.<String>asList(),
+            null);
     EnvoyServerProtoData.FilterChain filterChainWithMismatch =
         new EnvoyServerProtoData.FilterChain(filterChainMatchWithMismatch, tlsContextMismatch,
             tlsContextManager);
@@ -245,7 +271,9 @@ public class FilterChainMatchTest {
             Arrays.<String>asList(),
             Arrays.<EnvoyServerProtoData.CidrRange>asList(),
             EnvoyServerProtoData.ConnectionSourceType.ANY,
-            Arrays.<Integer>asList());
+            Arrays.<Integer>asList(),
+            Arrays.<String>asList(),
+            null);
     EnvoyServerProtoData.FilterChain filterChain0Length =
         new EnvoyServerProtoData.FilterChain(filterChainMatch0Length, tlsContext0Length,
             tlsContextManager);
@@ -276,7 +304,9 @@ public class FilterChainMatchTest {
             Arrays.<String>asList(),
             Arrays.<EnvoyServerProtoData.CidrRange>asList(),
             EnvoyServerProtoData.ConnectionSourceType.ANY,
-            Arrays.<Integer>asList());
+            Arrays.<Integer>asList(),
+            Arrays.<String>asList(),
+            null);
     EnvoyServerProtoData.FilterChain filterChainLessSpecific =
         new EnvoyServerProtoData.FilterChain(filterChainMatchLessSpecific, tlsContextLessSpecific,
             tlsContextManager);
@@ -290,7 +320,9 @@ public class FilterChainMatchTest {
             Arrays.<String>asList(),
             Arrays.<EnvoyServerProtoData.CidrRange>asList(),
             EnvoyServerProtoData.ConnectionSourceType.ANY,
-            Arrays.<Integer>asList());
+            Arrays.<Integer>asList(),
+            Arrays.<String>asList(),
+            null);
     EnvoyServerProtoData.FilterChain filterChainMoreSpecific =
         new EnvoyServerProtoData.FilterChain(filterChainMatchMoreSpecific, tlsContextMoreSpecific,
             tlsContextManager);
@@ -321,7 +353,9 @@ public class FilterChainMatchTest {
             Arrays.<String>asList(),
             Arrays.<EnvoyServerProtoData.CidrRange>asList(),
             EnvoyServerProtoData.ConnectionSourceType.ANY,
-            Arrays.<Integer>asList());
+            Arrays.<Integer>asList(),
+            Arrays.<String>asList(),
+            null);
     EnvoyServerProtoData.FilterChain filterChainLessSpecific =
         new EnvoyServerProtoData.FilterChain(filterChainMatchLessSpecific, tlsContextLessSpecific,
             tlsContextManager);
@@ -335,7 +369,9 @@ public class FilterChainMatchTest {
             Arrays.<String>asList(),
             Arrays.<EnvoyServerProtoData.CidrRange>asList(),
             EnvoyServerProtoData.ConnectionSourceType.ANY,
-            Arrays.<Integer>asList());
+            Arrays.<Integer>asList(),
+            Arrays.<String>asList(),
+            null);
     EnvoyServerProtoData.FilterChain filterChainMoreSpecific =
         new EnvoyServerProtoData.FilterChain(filterChainMatchMoreSpecific, tlsContextMoreSpecific,
             tlsContextManager);
@@ -366,7 +402,9 @@ public class FilterChainMatchTest {
             Arrays.<String>asList(),
             Arrays.<EnvoyServerProtoData.CidrRange>asList(),
             EnvoyServerProtoData.ConnectionSourceType.ANY,
-            Arrays.<Integer>asList());
+            Arrays.<Integer>asList(),
+            Arrays.<String>asList(),
+            null);
     EnvoyServerProtoData.FilterChain filterChainLessSpecific =
         new EnvoyServerProtoData.FilterChain(filterChainMatchLessSpecific, tlsContextLessSpecific,
             tlsContextManager);
@@ -380,7 +418,9 @@ public class FilterChainMatchTest {
             Arrays.<String>asList(),
             Arrays.<EnvoyServerProtoData.CidrRange>asList(),
             EnvoyServerProtoData.ConnectionSourceType.ANY,
-            Arrays.<Integer>asList());
+            Arrays.<Integer>asList(),
+            Arrays.<String>asList(),
+            null);
     EnvoyServerProtoData.FilterChain filterChainMoreSpecific =
         new EnvoyServerProtoData.FilterChain(filterChainMatchMoreSpecific, tlsContextMoreSpecific,
             tlsContextManager);
@@ -413,7 +453,9 @@ public class FilterChainMatchTest {
             Arrays.<String>asList(),
             Arrays.<EnvoyServerProtoData.CidrRange>asList(),
             EnvoyServerProtoData.ConnectionSourceType.ANY,
-            Arrays.<Integer>asList());
+            Arrays.<Integer>asList(),
+            Arrays.<String>asList(),
+            null);
     EnvoyServerProtoData.FilterChain filterChainMoreSpecificWith2 =
         new EnvoyServerProtoData.FilterChain(
             filterChainMatchMoreSpecificWith2, tlsContextMoreSpecificWith2, tlsContextManager);
@@ -427,7 +469,9 @@ public class FilterChainMatchTest {
             Arrays.<String>asList(),
             Arrays.<EnvoyServerProtoData.CidrRange>asList(),
             EnvoyServerProtoData.ConnectionSourceType.ANY,
-            Arrays.<Integer>asList());
+            Arrays.<Integer>asList(),
+            Arrays.<String>asList(),
+            null);
     EnvoyServerProtoData.FilterChain filterChainLessSpecific =
         new EnvoyServerProtoData.FilterChain(filterChainMatchLessSpecific, tlsContextLessSpecific,
             tlsContextManager);
@@ -457,7 +501,9 @@ public class FilterChainMatchTest {
             Arrays.<String>asList(),
             Arrays.<EnvoyServerProtoData.CidrRange>asList(),
             EnvoyServerProtoData.ConnectionSourceType.SAME_IP_OR_LOOPBACK,
-            Arrays.<Integer>asList());
+            Arrays.<Integer>asList(),
+            Arrays.<String>asList(),
+            null);
     EnvoyServerProtoData.FilterChain filterChainWithMismatch =
         new EnvoyServerProtoData.FilterChain(filterChainMatchWithMismatch, tlsContextMismatch,
             tlsContextManager);
@@ -487,7 +533,9 @@ public class FilterChainMatchTest {
             Arrays.<String>asList(),
             Arrays.<EnvoyServerProtoData.CidrRange>asList(),
             EnvoyServerProtoData.ConnectionSourceType.SAME_IP_OR_LOOPBACK,
-            Arrays.<Integer>asList());
+            Arrays.<Integer>asList(),
+            Arrays.<String>asList(),
+            null);
     EnvoyServerProtoData.FilterChain filterChainWithMatch =
         new EnvoyServerProtoData.FilterChain(filterChainMatchWithMatch, tlsContextMatch,
             tlsContextManager);
@@ -520,7 +568,9 @@ public class FilterChainMatchTest {
                 new EnvoyServerProtoData.CidrRange("10.4.2.0", 24),
                 new EnvoyServerProtoData.CidrRange(REMOTE_IP, 32)),
             EnvoyServerProtoData.ConnectionSourceType.ANY,
-            Arrays.<Integer>asList());
+            Arrays.<Integer>asList(),
+            Arrays.<String>asList(),
+            null);
     EnvoyServerProtoData.FilterChain filterChainMoreSpecificWith2 =
         new EnvoyServerProtoData.FilterChain(
             filterChainMatchMoreSpecificWith2, tlsContextMoreSpecificWith2, tlsContextManager);
@@ -534,7 +584,9 @@ public class FilterChainMatchTest {
             Arrays.<String>asList(),
             Arrays.asList(new EnvoyServerProtoData.CidrRange("10.4.2.2", 31)),
             EnvoyServerProtoData.ConnectionSourceType.ANY,
-            Arrays.<Integer>asList());
+            Arrays.<Integer>asList(),
+            Arrays.<String>asList(),
+            null);
     EnvoyServerProtoData.FilterChain filterChainLessSpecific =
         new EnvoyServerProtoData.FilterChain(filterChainMatchLessSpecific, tlsContextLessSpecific,
             tlsContextManager);
@@ -567,7 +619,9 @@ public class FilterChainMatchTest {
                 new EnvoyServerProtoData.CidrRange("10.4.2.0", 24),
                 new EnvoyServerProtoData.CidrRange("192.168.10.2", 32)),
             EnvoyServerProtoData.ConnectionSourceType.ANY,
-            Arrays.<Integer>asList());
+            Arrays.<Integer>asList(),
+            Arrays.<String>asList(),
+            null);
     EnvoyServerProtoData.FilterChain filterChain1 =
         new EnvoyServerProtoData.FilterChain(filterChainMatch1, tlsContext1, tlsContextManager);
 
@@ -580,7 +634,9 @@ public class FilterChainMatchTest {
             Arrays.<String>asList(),
             Arrays.asList(new EnvoyServerProtoData.CidrRange("10.4.2.0", 24)),
             EnvoyServerProtoData.ConnectionSourceType.ANY,
-            Arrays.<Integer>asList());
+            Arrays.<Integer>asList(),
+            Arrays.<String>asList(),
+            null);
     EnvoyServerProtoData.FilterChain filterChain2 =
         new EnvoyServerProtoData.FilterChain(filterChainMatch2, tlsContext2, tlsContextManager);
     EnvoyServerProtoData.FilterChain defaultFilterChain =
@@ -613,7 +669,9 @@ public class FilterChainMatchTest {
                 new EnvoyServerProtoData.CidrRange("10.4.2.0", 24),
                 new EnvoyServerProtoData.CidrRange("10.4.2.2", 31)),
             EnvoyServerProtoData.ConnectionSourceType.ANY,
-            Arrays.<Integer>asList());
+            Arrays.<Integer>asList(),
+            Arrays.<String>asList(),
+            null);
     EnvoyServerProtoData.FilterChain filterChainEmptySourcePorts =
         new EnvoyServerProtoData.FilterChain(
             filterChainMatchEmptySourcePorts, tlsContextEmptySourcePorts, tlsContextManager);
@@ -627,7 +685,9 @@ public class FilterChainMatchTest {
             Arrays.<String>asList(),
             Arrays.asList(new EnvoyServerProtoData.CidrRange("10.4.2.2", 31)),
             EnvoyServerProtoData.ConnectionSourceType.ANY,
-            Arrays.asList(7000, 15000));
+            Arrays.asList(7000, 15000),
+            Arrays.<String>asList(),
+            null);
     EnvoyServerProtoData.FilterChain filterChainSourcePortMatch =
         new EnvoyServerProtoData.FilterChain(
             filterChainMatchSourcePortMatch, tlsContextSourcePortMatch, tlsContextManager);
@@ -676,7 +736,9 @@ public class FilterChainMatchTest {
             Arrays.<String>asList(),
             Arrays.asList(new EnvoyServerProtoData.CidrRange(REMOTE_IP, 32)),
             EnvoyServerProtoData.ConnectionSourceType.ANY,
-            Arrays.<Integer>asList());
+            Arrays.<Integer>asList(),
+            Arrays.<String>asList(),
+            null);
     EnvoyServerProtoData.FilterChain filterChain1 =
         new EnvoyServerProtoData.FilterChain(filterChainMatch1, tlsContext1, tlsContextManager);
 
@@ -690,7 +752,9 @@ public class FilterChainMatchTest {
             Arrays.<String>asList(),
             Arrays.asList(new EnvoyServerProtoData.CidrRange("10.4.0.0", 16)),
             EnvoyServerProtoData.ConnectionSourceType.ANY,
-            Arrays.<Integer>asList());
+            Arrays.<Integer>asList(),
+            Arrays.<String>asList(),
+            null);
     EnvoyServerProtoData.FilterChain filterChain2 =
         new EnvoyServerProtoData.FilterChain(filterChainMatch2, tlsContext2, tlsContextManager);
 
@@ -704,7 +768,9 @@ public class FilterChainMatchTest {
             Arrays.<String>asList(),
             Arrays.<EnvoyServerProtoData.CidrRange>asList(),
             EnvoyServerProtoData.ConnectionSourceType.SAME_IP_OR_LOOPBACK,
-            Arrays.<Integer>asList());
+            Arrays.<Integer>asList(),
+            Arrays.<String>asList(),
+            null);
     EnvoyServerProtoData.FilterChain filterChain3 =
         new EnvoyServerProtoData.FilterChain(filterChainMatch3, tlsContext3, tlsContextManager);
 
@@ -719,7 +785,9 @@ public class FilterChainMatchTest {
             Arrays.<String>asList(),
             Arrays.asList(new EnvoyServerProtoData.CidrRange("10.4.2.0", 24)),
             EnvoyServerProtoData.ConnectionSourceType.EXTERNAL,
-            Arrays.asList(16000, 9000));
+            Arrays.asList(16000, 9000),
+            Arrays.<String>asList(),
+            null);
     EnvoyServerProtoData.FilterChain filterChain4 =
         new EnvoyServerProtoData.FilterChain(filterChainMatch4, tlsContext4, tlsContextManager);
 
@@ -736,7 +804,9 @@ public class FilterChainMatchTest {
                 new EnvoyServerProtoData.CidrRange("10.4.2.0", 24),
                 new EnvoyServerProtoData.CidrRange("192.168.2.0", 24)),
             EnvoyServerProtoData.ConnectionSourceType.ANY,
-            Arrays.asList(15000, 8000));
+            Arrays.asList(15000, 8000),
+            Arrays.<String>asList(),
+            null);
     EnvoyServerProtoData.FilterChain filterChain5 =
         new EnvoyServerProtoData.FilterChain(filterChainMatch5, tlsContext5, tlsContextManager);
 
@@ -748,7 +818,9 @@ public class FilterChainMatchTest {
             Arrays.<String>asList(),
             Arrays.<EnvoyServerProtoData.CidrRange>asList(),
             EnvoyServerProtoData.ConnectionSourceType.ANY,
-            Arrays.<Integer>asList());
+            Arrays.<Integer>asList(),
+            Arrays.<String>asList(),
+            null);
     EnvoyServerProtoData.FilterChain filterChain6 =
         new EnvoyServerProtoData.FilterChain(filterChainMatch6, tlsContext6, tlsContextManager);
 
@@ -767,6 +839,108 @@ public class FilterChainMatchTest {
     assertThat(tlsContextPicked).isSameInstanceAs(tlsContext5);
   }
 
+  @Test
+  public void filterChainMatch_unsupportedMatchers()
+      throws InvalidProtocolBufferException, UnknownHostException {
+    setupChannel(LOCAL_IP, REMOTE_IP, 15000);
+    io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext tlsContext1 =
+        CommonTlsContextTestsUtil.buildTestDownstreamTlsContext(
+            "CERT1", "ROOTCA");
+    io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext tlsContext2 =
+        CommonTlsContextTestsUtil.buildTestDownstreamTlsContext(
+            "CERT2", "ROOTCA");
+    io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext tlsContext3 =
+        CommonTlsContextTestsUtil.buildTestDownstreamTlsContext(
+            "CERT3", "ROOTCA");
+
+    FilterChainMatch filterChainMatch1 =
+        FilterChainMatch.newBuilder()
+            .addAllServerNames(Arrays.asList("server1", "server2"))
+            .setTransportProtocol("tls")
+            .addAllApplicationProtocols(Arrays.asList("managed-mtls", "h2"))
+            .addPrefixRanges(CidrRange.newBuilder()
+                .setAddressPrefix("10.1.0.0")
+                .setPrefixLen(UInt32Value.of(16))
+                .build())
+            .build();
+
+    FilterChainMatch filterChainMatch2 =
+        FilterChainMatch.newBuilder()
+            .addPrefixRanges(CidrRange.newBuilder()
+                .setAddressPrefix("10.0.0.0")
+                .setPrefixLen(UInt32Value.of(8))
+                .build())
+            .build();
+
+    FilterChain filterChain1 =
+        FilterChain.newBuilder()
+            .setFilterChainMatch(filterChainMatch1)
+            .setTransportSocket(TransportSocket.newBuilder().setName("envoy.transport_sockets.tls")
+                .setTypedConfig(Any.pack(tlsContext1))
+                .build())
+            .addFilters(Filter.newBuilder()
+                .setName("envoy.http_connection_manager")
+                .setTypedConfig(Any.newBuilder()
+                    .setTypeUrl(
+                        "type.googleapis.com/"
+                            + "envoy.extensions.filters.network.http_connection_manager"
+                            + ".v3.HttpConnectionManager"))
+                .build())
+            .build();
+    FilterChain filterChain2 =
+        FilterChain.newBuilder()
+            .setFilterChainMatch(filterChainMatch2)
+            .setTransportSocket(TransportSocket.newBuilder().setName("envoy.transport_sockets.tls")
+                .setTypedConfig(Any.pack(tlsContext2))
+                .build())
+            .addFilters(Filter.newBuilder()
+                .setName("envoy.http_connection_manager")
+                .setTypedConfig(Any.newBuilder()
+                    .setTypeUrl(
+                        "type.googleapis.com/"
+                            + "envoy.extensions.filters.network.http_connection_manager"
+                            + ".v3.HttpConnectionManager"))
+                .build())
+            .build();
+    FilterChain defaultFilterChain =
+        FilterChain.newBuilder()
+            .setTransportSocket(TransportSocket.newBuilder().setName("envoy.transport_sockets.tls")
+                .setTypedConfig(Any.pack(tlsContext3))
+                .build())
+            .addFilters(Filter.newBuilder()
+                .setName("envoy.http_connection_manager")
+                .setTypedConfig(Any.newBuilder()
+                    .setTypeUrl(
+                        "type.googleapis.com/"
+                            + "envoy.extensions.filters.network.http_connection_manager"
+                            + ".v3.HttpConnectionManager"))
+                .build())
+            .build();
+    Address address =
+        Address.newBuilder()
+            .setSocketAddress(
+                SocketAddress.newBuilder().setPortValue(8000).setAddress("10.2.1.34").build())
+            .build();
+    io.envoyproxy.envoy.config.listener.v3.Listener listener =
+        io.envoyproxy.envoy.config.listener.v3.Listener.newBuilder()
+            .setName("8000")
+            .setAddress(address)
+            .addFilterChains(filterChain1)
+            .addFilterChains(filterChain2)
+            .setDefaultFilterChain(defaultFilterChain)
+            .setTrafficDirection(TrafficDirection.INBOUND)
+            .build();
+
+    EnvoyServerProtoData.Listener xdsListener = EnvoyServerProtoData.Listener
+        .fromEnvoyProtoListener(listener, mock(TlsContextManager.class));
+    XdsClient.LdsUpdate listenerUpdate = new XdsClient.LdsUpdate(xdsListener);
+    registeredWatcher.onChanged(listenerUpdate);
+    DownstreamTlsContext tlsContextPicked = getDownstreamTlsContext();
+    // assert defaultFilterChain match
+    assertThat(tlsContextPicked.getCommonTlsContext().getTlsCertificateSdsSecretConfigsList().get(0)
+        .getName()).isEqualTo("CERT3");
+  }
+
   private void setupChannel(String localIp, String remoteIp, int remotePort)
       throws UnknownHostException {
     when(channel.localAddress())

xds/src/test/java/io/grpc/xds/XdsSdsClientServerTest.java

@@ -374,7 +374,9 @@ public class XdsSdsClientServerTest {
             Arrays.<String>asList(),
             Arrays.<EnvoyServerProtoData.CidrRange>asList(),
             null,
-            Arrays.<Integer>asList());
+            Arrays.<Integer>asList(),
+            Arrays.<String>asList(),
+            null);
     EnvoyServerProtoData.FilterChain defaultFilterChain =
         new EnvoyServerProtoData.FilterChain(filterChainMatch, tlsContext, tlsContextManager);
     EnvoyServerProtoData.Listener listener =

xds/src/test/java/io/grpc/xds/XdsServerTestHelper.java

@@ -155,7 +155,9 @@ class XdsServerTestHelper {
             Arrays.<String>asList(),
             Arrays.<EnvoyServerProtoData.CidrRange>asList(),
             null,
-            sourcePorts);
+            sourcePorts,
+            Arrays.<String>asList(),
+            null);
     EnvoyServerProtoData.FilterChain filterChain1 =
         new EnvoyServerProtoData.FilterChain(filterChainMatch1, tlsContext, tlsContextManager);
     EnvoyServerProtoData.FilterChain defaultFilterChain =