Add TCP rerouting example with dynamic cluster selection

Introduce a new Proxy-Wasm TCP filter example that demonstrates dynamic
routing of TCP connections based on source IP addresses. This example
showcases TCP-level filtering, filling a gap in the existing HTTP-focused
examples.

Key features:
- Dynamic cluster selection based on source IP last octet (even/odd)
- Uses Envoy's set_envoy_filter_state foreign function with protobuf encoding
- Includes comprehensive Docker Compose setup for testing
- Full documentation with usage examples and expected output

Implementation details:
- Protobuf definitions for Envoy's filter state API
- Build script for code generation from proto files
- Unit tests for IP parsing and routing logic
- Envoy configuration with dual upstream clusters

Author: SiiiTschiii

examples/tcp_rerouting/Cargo.toml

@@ -0,0 +1,19 @@
+[package]
+publish = false
+name = "proxy-wasm-example-tcp-rerouting"
+version = "0.0.1"
+authors = ["Proxy-Wasm contributors"]
+description = "Proxy-Wasm plugin example: TCP Rerouting based on source IP"
+license = "Apache-2.0"
+edition = "2021"
+
+[lib]
+crate-type = ["cdylib"]
+
+[dependencies]
+log = "0.4"
+proxy-wasm = { path = "../../" }
+prost = "0.12"
+
+[build-dependencies]
+prost-build = "0.12"

examples/tcp_rerouting/README.md

@@ -0,0 +1,81 @@
+## Proxy-Wasm plugin example: TCP Rerouting
+
+Proxy-Wasm TCP filter that dynamically routes connections to different upstream clusters based on the source IP address.
+
+Most WASM filter examples focus on HTTP, but this example shows how to work at the TCP/IP level.
+
+This example is inspired by the [wasmerang](https://github.com/SiiiTschiii/wasmerang) project, which demonstrates advanced TCP routing patterns in Envoy/Istio/K8s using WASM filters.
+
+### Overview
+
+This example demonstrates how to build a TCP filter that:
+
+- Intercepts incoming TCP connections
+- Extracts the source IP address
+- Routes traffic to different upstream clusters based on whether the last octet is even or odd
+  - **Even last octet** → routes to `egress-router1`
+  - **Odd last octet** → routes to `egress-router2`
+
+The filter uses Envoy's `set_envoy_filter_state` foreign function to dynamically override the TCP proxy cluster at runtime, requiring proper protobuf encoding via the included `set_envoy_filter_state.proto` file.
+
+### Building
+
+Build the WASM plugin from the example directory:
+
+```sh
+$ cargo build --target wasm32-wasip1 --release
+```
+
+### Running with Docker Compose
+
+This example can be run with [`docker compose`](https://docs.docker.com/compose/install/) and has a matching Envoy configuration.
+
+From the example directory:
+
+```sh
+$ docker compose up
+```
+
+### Test the Routing
+
+In separate terminals, test the routing behavior with different source IP addresses:
+
+```bash
+# Even IP (last octet 10) → routes to egress-router1
+docker run --rm -it --network tcp_rerouting_envoymesh --ip 172.22.0.10 curlimages/curl curl http://proxy:10000/ip -H "Host: httpbin.org"
+
+# Odd IP (last octet 11) → routes to egress-router2
+docker run --rm -it --network tcp_rerouting_envoymesh --ip 172.22.0.11 curlimages/curl curl http://proxy:10000/ip -H "Host: httpbin.org"
+```
+
+### Expected Output
+
+Check the Docker Compose logs to see the WASM filter in action:
+
+```console
+$ docker compose logs -f
+```
+
+**For even IP (last octet 10) → routes to egress-router1:**
+
+```
+proxy-1  | [TCP WASM] Source address: 172.22.0.10:39484
+proxy-1  | [TCP WASM] Source IP last octet: 10, intercepting ALL traffic
+proxy-1  | [TCP WASM] Routing to egress-router1
+proxy-1  | [TCP WASM] set_envoy_filter_state status (envoy.tcp_proxy.cluster): Ok(None)
+proxy-1  | [TCP WASM] Rerouting to egress-router1 via filter state
+proxy-1  | [2025-11-20T03:08:18.423Z] cluster=egress-router1 src=172.22.0.10:39484 dst=172.22.0.2:10000 -> 35.170.145.70:80
+```
+
+**For odd IP (last octet 11) → routes to egress-router2:**
+
+```
+proxy-1  | [TCP WASM] Source address: 172.22.0.11:55320
+proxy-1  | [TCP WASM] Source IP last octet: 11, intercepting ALL traffic
+proxy-1  | [TCP WASM] Routing to egress-router2
+proxy-1  | [TCP WASM] set_envoy_filter_state status (envoy.tcp_proxy.cluster): Ok(None)
+proxy-1  | [TCP WASM] Rerouting to egress-router2 via filter state
+proxy-1  | [2025-11-20T03:08:39.974Z] cluster=egress-router2 src=172.22.0.11:55320 dst=172.22.0.2:10000 -> 52.44.182.178:80
+```
+
+The `Ok(None)` status confirms that the filter state was successfully set, and you can see in the access logs that traffic is being routed to the correct clusters (`egress-router1` for even IPs, `egress-router2` for odd IPs).

examples/tcp_rerouting/build.rs

@@ -0,0 +1,11 @@
+use std::fs;
+
+fn main() {
+    let out_dir = "src/generated";
+    fs::create_dir_all(out_dir).unwrap();
+    prost_build::Config::new()
+        .out_dir(out_dir)
+        .compile_protos(&["src/set_envoy_filter_state.proto"], &["src/"])
+        .unwrap();
+    println!("cargo:rerun-if-changed=src/set_envoy_filter_state.proto");
+}

examples/tcp_rerouting/docker-compose.yaml

@@ -0,0 +1,18 @@
+services:
+  proxy:
+    image: envoyproxy/envoy:v1.34.1
+    entrypoint: /usr/local/bin/envoy -c /etc/envoy.yaml -l info --service-cluster proxy
+    volumes:
+      - ./envoy/envoy.yaml:/etc/envoy.yaml
+      - ./target/wasm32-wasip1/release/proxy_wasm_example_tcp_rerouting.wasm:/etc/tcp_rerouting.wasm
+    networks:
+      - envoymesh
+    ports:
+      - "10000:10000"
+      - "8001:8001"
+
+networks:
+  envoymesh:
+    ipam:
+      config:
+        - subnet: 172.22.0.0/16

examples/tcp_rerouting/envoy/envoy.yaml

@@ -0,0 +1,76 @@
+# Envoy configuration for TCP rerouting example
+static_resources:
+  listeners:
+    - name: main
+      address:
+        socket_address:
+          address: 0.0.0.0
+          port_value: 10000
+      filter_chains:
+        - filters:
+            # WASM filter for TCP rerouting
+            - name: envoy.filters.network.wasm
+              typed_config:
+                "@type": type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
+                config:
+                  name: tcp_rerouting_filter
+                  root_id: tcp_rerouting_filter
+                  configuration:
+                    "@type": type.googleapis.com/google.protobuf.StringValue
+                    value: "standalone"
+                  vm_config:
+                    vm_id: vm.tcp_rerouting
+                    runtime: envoy.wasm.runtime.v8
+                    code:
+                      local:
+                        filename: /etc/tcp_rerouting.wasm
+                    allow_precompiled: true
+            # TCP proxy filter
+            - name: envoy.filters.network.tcp_proxy
+              typed_config:
+                "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
+                stat_prefix: destination
+                cluster: egress-router1 # Default cluster, overridden by WASM filter
+                access_log:
+                  - name: envoy.access_loggers.file
+                    typed_config:
+                      "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
+                      path: /dev/stdout
+                      log_format:
+                        text_format: "[%START_TIME%] cluster=%UPSTREAM_CLUSTER% src=%DOWNSTREAM_REMOTE_ADDRESS% dst=%DOWNSTREAM_LOCAL_ADDRESS% -> %UPSTREAM_HOST%\n"
+
+  clusters:
+    - name: egress-router1
+      connect_timeout: 30s
+      type: LOGICAL_DNS
+      dns_lookup_family: V4_ONLY
+      load_assignment:
+        cluster_name: egress-router1
+        endpoints:
+          - lb_endpoints:
+              - endpoint:
+                  address:
+                    socket_address:
+                      address: httpbin.org
+                      port_value: 80
+
+    - name: egress-router2
+      connect_timeout: 30s
+      type: LOGICAL_DNS
+      dns_lookup_family: V4_ONLY
+      load_assignment:
+        cluster_name: egress-router2
+        endpoints:
+          - lb_endpoints:
+              - endpoint:
+                  address:
+                    socket_address:
+                      address: httpbin.org
+                      port_value: 80
+
+admin:
+  access_log_path: "/dev/null"
+  address:
+    socket_address:
+      address: 0.0.0.0
+      port_value: 8001

examples/tcp_rerouting/src/generated/envoy.source.extensions.common.wasm.rs

@@ -0,0 +1,42 @@
+// This file is @generated by prost-build.
+/// Argument expected by set_envoy_filter_state in envoy
+/// <https://github.com/envoyproxy/envoy/blob/d741713c376d1e024236519fb59406c05702ad77/source/extensions/common/wasm/foreign.cc#L116>
+#[allow(clippy::derive_partial_eq_without_eq)]
+#[derive(Clone, PartialEq, ::prost::Message)]
+pub struct SetEnvoyFilterStateArguments {
+    #[prost(string, tag = "1")]
+    pub path: ::prost::alloc::string::String,
+    #[prost(string, tag = "2")]
+    pub value: ::prost::alloc::string::String,
+    #[prost(enumeration = "LifeSpan", tag = "3")]
+    pub span: i32,
+}
+#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, ::prost::Enumeration)]
+#[repr(i32)]
+pub enum LifeSpan {
+    FilterChain = 0,
+    DownstreamRequest = 1,
+    DownstreamConnection = 2,
+}
+impl LifeSpan {
+    /// String value of the enum field names used in the ProtoBuf definition.
+    ///
+    /// The values are not transformed in any way and thus are considered stable
+    /// (if the ProtoBuf definition does not change) and safe for programmatic use.
+    pub fn as_str_name(&self) -> &'static str {
+        match self {
+            LifeSpan::FilterChain => "FilterChain",
+            LifeSpan::DownstreamRequest => "DownstreamRequest",
+            LifeSpan::DownstreamConnection => "DownstreamConnection",
+        }
+    }
+    /// Creates an enum from field names used in the ProtoBuf definition.
+    pub fn from_str_name(value: &str) -> ::core::option::Option<Self> {
+        match value {
+            "FilterChain" => Some(Self::FilterChain),
+            "DownstreamRequest" => Some(Self::DownstreamRequest),
+            "DownstreamConnection" => Some(Self::DownstreamConnection),
+            _ => None,
+        }
+    }
+}