envoyproxy
diff --git a/‎internal/gatewayapi/backend.go‎
Lines changed: 10 additions & 8 deletions b/‎internal/gatewayapi/backend.go‎
Lines changed: 10 additions & 8 deletions
diff --git a/‎internal/gatewayapi/listener.go‎
Lines changed: 3 additions & 1 deletion b/‎internal/gatewayapi/listener.go‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎internal/gatewayapi/runner/runner.go‎
Lines changed: 11 additions & 11 deletions b/‎internal/gatewayapi/runner/runner.go‎
Lines changed: 11 additions & 11 deletions
diff --git a/‎internal/gatewayapi/testdata/backend-invalid-hostname-address.out.yaml‎
Lines changed: 1 addition & 1 deletion b/‎internal/gatewayapi/testdata/backend-invalid-hostname-address.out.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎internal/gatewayapi/testdata/backend-with-localhost-host-infra.in.yaml‎
Lines changed: 21 additions & 0 deletions b/‎internal/gatewayapi/testdata/backend-with-localhost-host-infra.in.yaml‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎internal/gatewayapi/testdata/backend-with-localhost-host-infra.out.yaml‎
Lines changed: 37 additions & 0 deletions b/‎internal/gatewayapi/testdata/backend-with-localhost-host-infra.out.yaml‎
Lines changed: 37 additions & 0 deletions
diff --git a/‎internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-backendref-host-infra.in.yaml‎
Lines changed: 156 additions & 0 deletions b/‎internal/gatewayapi/testdata/httproute-attaching-to-listener-with-backend-backendref-host-infra.in.yaml‎
Lines changed: 156 additions & 0 deletions
@@ -17,6 +17,7 @@ import (
 
 	egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
 	"github.com/envoyproxy/gateway/internal/gatewayapi/status"
+	"github.com/envoyproxy/gateway/internal/utils/net"
 )
 
 func (t *Translator) ProcessBackends(backends []*egv1a1.Backend, backendTLSPolicies []*gwapiv1.BackendTLSPolicy) []*egv1a1.Backend {
@@ -27,7 +28,7 @@ func (t *Translator) ProcessBackends(backends []*egv1a1.Backend, backendTLSPolic
 			status.UpdateBackendStatusAcceptedCondition(backend, false,
 				"The Backend was not accepted since Backend is not enabled in Envoy Gateway Config")
 		} else {
-			if err := validateBackend(backend, backendTLSPolicies); err != nil {
+			if err := validateBackend(backend, backendTLSPolicies, t.RunningOnHost); err != nil {
 				status.UpdateBackendStatusAcceptedCondition(backend, false, fmt.Sprintf("The Backend was not accepted: %s", err.Error()))
 			} else {
 				status.UpdateBackendStatusAcceptedCondition(backend, true, "The Backend was accepted")
@@ -40,7 +41,7 @@ func (t *Translator) ProcessBackends(backends []*egv1a1.Backend, backendTLSPolic
 	return res
 }
 
-func validateBackend(backend *egv1a1.Backend, backendTLSPolicies []*gwapiv1.BackendTLSPolicy) status.Error {
+func validateBackend(backend *egv1a1.Backend, backendTLSPolicies []*gwapiv1.BackendTLSPolicy, runningOnHost bool) status.Error {
 	if backend.Spec.Type != nil && *backend.Spec.Type == egv1a1.BackendTypeDynamicResolver {
 		if len(backend.Spec.Endpoints) > 0 {
 			return status.NewRouteStatusError(
@@ -57,13 +58,13 @@ func validateBackend(backend *egv1a1.Backend, backendTLSPolicies []*gwapiv1.Back
 
 	for _, ep := range backend.Spec.Endpoints {
 		if ep.Hostname != nil {
-			routeErr := validateHostname(*ep.Hostname, "hostname")
+			routeErr := validateHostname(*ep.Hostname, "hostname", runningOnHost)
 			if routeErr != nil {
 				return routeErr
 			}
 		}
 		if ep.FQDN != nil {
-			routeErr := validateHostname(ep.FQDN.Hostname, "FQDN")
+			routeErr := validateHostname(ep.FQDN.Hostname, "FQDN", runningOnHost)
 			if routeErr != nil {
 				return routeErr
 			}
@@ -74,9 +75,9 @@ func validateBackend(backend *egv1a1.Backend, backendTLSPolicies []*gwapiv1.Back
 					fmt.Errorf("IP address %s is invalid", ep.IP.Address),
 					status.RouteReasonInvalidAddress,
 				)
-			} else if ip.IsLoopback() {
+			} else if ip.IsLoopback() && !runningOnHost {
 				return status.NewRouteStatusError(
-					fmt.Errorf("IP address %s in the loopback range is not supported", ep.IP.Address),
+					fmt.Errorf("IP address %s in the loopback range is only supported when using the Host infrastructure", ep.IP.Address),
 					status.RouteReasonInvalidAddress,
 				)
 			}
@@ -169,15 +170,16 @@ func validateBackendTLSSettings(backend *egv1a1.Backend, backendTLSPolicies []*g
 	return nil
 }
 
-func validateHostname(hostname, typeName string) *status.RouteStatusError {
+func validateHostname(hostname, typeName string, allowLocalhost bool) *status.RouteStatusError {
 	// must be a valid hostname
 	if errs := validation.IsDNS1123Subdomain(hostname); errs != nil {
 		return status.NewRouteStatusError(
 			fmt.Errorf("hostname %s is not a valid %s", hostname, typeName),
 			status.RouteReasonInvalidAddress,
 		)
 	}
-	if len(strings.Split(hostname, ".")) < 2 {
+	isLocalHostname := allowLocalhost && hostname == net.DefaultLocalAddress
+	if !isLocalHostname && len(strings.Split(hostname, ".")) < 2 {
 		return status.NewRouteStatusError(
 			fmt.Errorf("hostname %s should be a domain with at least two segments separated by dots", hostname),
 			status.RouteReasonInvalidAddress,
 
@@ -891,7 +891,9 @@ func validCELExpression(expr string) bool {
 // servicePortToContainerPort translates a service port into an ephemeral
 // container port.
 func (t *Translator) servicePortToContainerPort(servicePort int32, envoyProxy *egv1a1.EnvoyProxy) int32 {
-	if t.ListenerPortShiftDisabled {
+	// When running on the local host using the Host infrastructure provider, disable translating the
+	// gateway listener port into a non-privileged port and reuse the specified value.
+	if t.RunningOnHost {
 		return servicePort
 	}
 
 
@@ -146,17 +146,17 @@ func (r *Runner) subscribeAndTranslate(sub <-chan watchable.Snapshot[string, *re
 			for _, resources := range *val {
 				// Translate and publish IRs.
 				t := &gatewayapi.Translator{
-					GatewayControllerName:     r.EnvoyGateway.Gateway.ControllerName,
-					GatewayClassName:          gwapiv1.ObjectName(resources.GatewayClass.Name),
-					GlobalRateLimitEnabled:    r.EnvoyGateway.RateLimit != nil,
-					EnvoyPatchPolicyEnabled:   r.EnvoyGateway.ExtensionAPIs != nil && r.EnvoyGateway.ExtensionAPIs.EnableEnvoyPatchPolicy,
-					BackendEnabled:            r.EnvoyGateway.ExtensionAPIs != nil && r.EnvoyGateway.ExtensionAPIs.EnableBackend,
-					ControllerNamespace:       r.ControllerNamespace,
-					GatewayNamespaceMode:      r.EnvoyGateway.GatewayNamespaceMode(),
-					MergeGateways:             gatewayapi.IsMergeGatewaysEnabled(resources),
-					WasmCache:                 r.wasmCache,
-					ListenerPortShiftDisabled: r.EnvoyGateway.Provider != nil && r.EnvoyGateway.Provider.IsRunningOnHost(),
-					Logger:                    r.Logger,
+					GatewayControllerName:   r.EnvoyGateway.Gateway.ControllerName,
+					GatewayClassName:        gwapiv1.ObjectName(resources.GatewayClass.Name),
+					GlobalRateLimitEnabled:  r.EnvoyGateway.RateLimit != nil,
+					EnvoyPatchPolicyEnabled: r.EnvoyGateway.ExtensionAPIs != nil && r.EnvoyGateway.ExtensionAPIs.EnableEnvoyPatchPolicy,
+					BackendEnabled:          r.EnvoyGateway.ExtensionAPIs != nil && r.EnvoyGateway.ExtensionAPIs.EnableBackend,
+					ControllerNamespace:     r.ControllerNamespace,
+					GatewayNamespaceMode:    r.EnvoyGateway.GatewayNamespaceMode(),
+					MergeGateways:           gatewayapi.IsMergeGatewaysEnabled(resources),
+					WasmCache:               r.wasmCache,
+					RunningOnHost:           r.EnvoyGateway.Provider != nil && r.EnvoyGateway.Provider.IsRunningOnHost(),
+					Logger:                  r.Logger,
 				}
 
 				// If an extension is loaded, pass its supported groups/kinds to the translator
 
@@ -48,7 +48,7 @@ backends:
     conditions:
     - lastTransitionTime: null
       message: 'The Backend was not accepted: IP address 127.0.0.3 in the loopback
-        range is not supported'
+        range is only supported when using the Host infrastructure'
       reason: Accepted
       status: "False"
       type: Invalid
 
@@ -0,0 +1,21 @@
+backends:
+  - apiVersion: gateway.envoyproxy.io/v1alpha1
+    kind: Backend
+    metadata:
+      name: backend-fqdn
+      namespace: default
+    spec:
+      endpoints:
+        - fqdn:
+            hostname: 'localhost'
+            port: 3000
+  - apiVersion: gateway.envoyproxy.io/v1alpha1
+    kind: Backend
+    metadata:
+      name: backend-fqdn
+      namespace: default
+    spec:
+      endpoints:
+        - ip:
+            address: '127.0.0.3'
+            port: 3000
@@ -0,0 +1,37 @@
+backends:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+  kind: Backend
+  metadata:
+    name: backend-fqdn
+    namespace: default
+  spec:
+    endpoints:
+    - fqdn:
+        hostname: localhost
+        port: 3000
+  status:
+    conditions:
+    - lastTransitionTime: null
+      message: The Backend was accepted
+      reason: Accepted
+      status: "True"
+      type: Accepted
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+  kind: Backend
+  metadata:
+    name: backend-fqdn
+    namespace: default
+  spec:
+    endpoints:
+    - ip:
+        address: 127.0.0.3
+        port: 3000
+  status:
+    conditions:
+    - lastTransitionTime: null
+      message: The Backend was accepted
+      reason: Accepted
+      status: "True"
+      type: Accepted
+infraIR: {}
+xdsIR: {}
@@ -0,0 +1,156 @@
+gateways:
+  - apiVersion: gateway.networking.k8s.io/v1
+    kind: Gateway
+    metadata:
+      namespace: envoy-gateway
+      name: gateway-1
+    spec:
+      gatewayClassName: envoy-gateway-class
+      listeners:
+        - name: http
+          protocol: HTTP
+          port: 80
+          allowedRoutes:
+            namespaces:
+              from: All
+httpRoutes:
+  - apiVersion: gateway.networking.k8s.io/v1
+    kind: HTTPRoute
+    metadata:
+      namespace: default
+      name: httproute-1
+    spec:
+      parentRefs:
+        - namespace: envoy-gateway
+          name: gateway-1
+          sectionName: http
+      rules:
+        - matches:
+            - path:
+                value: "/1"
+          backendRefs:
+            - group: gateway.envoyproxy.io
+              kind: Backend
+              name: backend-uds
+  - apiVersion: gateway.networking.k8s.io/v1
+    kind: HTTPRoute
+    metadata:
+      namespace: default
+      name: httproute-3
+    spec:
+      parentRefs:
+        - namespace: envoy-gateway
+          name: gateway-1
+          sectionName: http
+      rules:
+        - matches:
+            - path:
+                value: "/3"
+          backendRefs:
+            - group: gateway.envoyproxy.io
+              kind: Backend
+              name: backend-fqdn
+  - apiVersion: gateway.networking.k8s.io/v1
+    kind: HTTPRoute
+    metadata:
+      namespace: default
+      name: httproute-2
+    spec:
+      parentRefs:
+        - namespace: envoy-gateway
+          name: gateway-1
+          sectionName: http
+      rules:
+        - matches:
+            - path:
+                value: "/2"
+          backendRefs:
+            - group: gateway.envoyproxy.io
+              kind: Backend
+              name: backend-ip
+  - apiVersion: gateway.networking.k8s.io/v1
+    kind: HTTPRoute
+    metadata:
+      namespace: default
+      name: httproute-4
+    spec:
+      parentRefs:
+        - namespace: envoy-gateway
+          name: gateway-1
+          sectionName: http
+      rules:
+        - matches:
+            - path:
+                value: "/4"
+          backendRefs:
+            - group: gateway.envoyproxy.io
+              kind: Backend
+              name: backend-ip-localhost
+  - apiVersion: gateway.networking.k8s.io/v1
+    kind: HTTPRoute
+    metadata:
+      namespace: default
+      name: httproute-5
+    spec:
+      parentRefs:
+        - namespace: envoy-gateway
+          name: gateway-1
+          sectionName: http
+      rules:
+        - matches:
+            - path:
+                value: "/5"
+          backendRefs:
+            - group: gateway.envoyproxy.io
+              kind: Backend
+              name: backend-fqdn-localhost
+backends:
+  - apiVersion: gateway.envoyproxy.io/v1alpha1
+    kind: Backend
+    metadata:
+      name: backend-uds
+      namespace: default
+    spec:
+      endpoints:
+        - unix:
+            path: /var/run/backend.sock
+  - apiVersion: gateway.envoyproxy.io/v1alpha1
+    kind: Backend
+    metadata:
+      name: backend-fqdn
+      namespace: default
+    spec:
+      endpoints:
+        - fqdn:
+            hostname: primary.foo.com
+            port: 3000
+  - apiVersion: gateway.envoyproxy.io/v1alpha1
+    kind: Backend
+    metadata:
+      name: backend-ip
+      namespace: default
+    spec:
+      endpoints:
+        - ip:
+            address: 1.1.1.1
+            port: 3001
+  - apiVersion: gateway.envoyproxy.io/v1alpha1
+    kind: Backend
+    metadata:
+      name: backend-ip-localhost
+      namespace: default
+    spec:
+      endpoints:
+        - ip:
+            address: 127.0.0.1
+            port: 3001
+  - apiVersion: gateway.envoyproxy.io/v1alpha1
+    kind: Backend
+    metadata:
+      name: backend-fqdn-localhost
+      namespace: default
+    spec:
+      endpoints:
+        - fqdn:
+            hostname: localhost
+            port: 3001