.. _version_history_1.38.0:

1.38.0 (Pending)
=================

Incompatible behavior changes
-----------------------------
*Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required*

* **tcp_proxy**: The TCP proxy filter now requires :ref:`max_early_data_bytes ` to be explicitly set when using :ref:`upstream_connect_mode ` modes other than ``IMMEDIATE`` (i.e., ``ON_DOWNSTREAM_DATA`` or ``ON_DOWNSTREAM_TLS_HANDSHAKE``). The field can be set to zero to disable early data buffering while still using delayed connection modes. Configurations using these modes without ``max_early_data_bytes`` will now fail validation at startup.

Minor behavior changes
----------------------
*Changes that may cause incompatibilities for some users, but should not for most*

* **histograms**: The update of libcircllhist to 0.3.2 has changed how bucket bounds are interpreted. This should not have an impact on production monitoring if the number of samples in the histograms is high. Affected tests were adjusted to account for histogram changes.

Bug fixes
---------
*Changes expected to improve the state of the world and are unlikely to have negative effects*

* **drop_overload**: Fixed a bug where ``drop_overload`` failed to use cached EDS resources.
* **ext_authz**: Fixed a bug where headers from a denied authorization response (non-200s) were not properly propagated to the client.
* **http**: Fixed a potential file descriptor leak where HTTP/1.1 connections with zombie streams (waiting for codec completion) would not be properly closed when in draining state. This could occur when a response was sent before the request was fully received, causing connections to remain open indefinitely. This behavior change can be temporarily reverted by setting the runtime guard ``envoy.reloadable_features.http1_close_connection_on_zombie_stream_complete`` to ``false``.
* **http**: Fixed the upstream client so that it does not close the connection when the idle timeout fires before the connection is established. This behavior can be reverted by setting the runtime guard ``envoy.reloadable_features.codec_client_enable_idle_timer_only_when_connected`` to ``false``.

New features
------------

* **formatter**: Added support for the new access log formatter ``DOWNSTREAM_LOCAL_CLOSE_REASON``.
* **formatter**: Extended ``*_WITHOUT_PORT`` address formatters to accept an optional ``MASK_PREFIX_LEN`` parameter that masks IP addresses and returns them in CIDR notation (e.g., ``%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT(16)%`` returns ``10.1.0.0/16`` for client IP ``10.1.10.23``).
* **mcp_router**: Added support for MCP prompt methods ``prompts/list`` and ``prompts/get``.
* **mcp_router**: Added support for MCP resource methods ``resources/list``, ``resources/read``, ``resources/subscribe``, and ``resources/unsubscribe``.
* **tls**: Added support for fetching certificates on-demand via SDS in the upstream TLS transport socket using the extension :ref:`on-demand certificate selector `.
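
A pre-upgrade check for the **tcp_proxy** change listed under "Incompatible behavior changes", as an added example that is not part of the Envoy project: it walks a bootstrap loaded as JSON and reports every object that selects a delayed ``upstream_connect_mode`` without ``max_early_data_bytes``. The function names, the sample listeners and the assumptions that both fields sit in the same config object and that the enum is written by name are this example's own.

```python
import json
import sys

# Modes that, per the release note above, need max_early_data_bytes set explicitly.
DELAYED_MODES = {"ON_DOWNSTREAM_DATA", "ON_DOWNSTREAM_TLS_HANDSHAKE"}
# protobuf JSON accepts both the proto field name and its lowerCamelCase form.
MODE_KEYS = ("upstream_connect_mode", "upstreamConnectMode")
LIMIT_KEYS = ("max_early_data_bytes", "maxEarlyDataBytes")


def find_violations(node, path="$"):
    """Return (path, mode) for each object that selects a delayed connect
    mode but carries no early-data limit. An explicit 0 counts as set."""
    hits = []
    if isinstance(node, dict):
        mode = next((node[k] for k in MODE_KEYS if k in node), None)
        delayed = isinstance(mode, str) and mode in DELAYED_MODES
        if delayed and not any(k in node for k in LIMIT_KEYS):
            hits.append((path, mode))
        for key, value in node.items():
            hits.extend(find_violations(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            hits.extend(find_violations(value, f"{path}[{index}]"))
    return hits


def _listener(name, **tcp_proxy_fields):
    # Constructed sample listener, trimmed to the fields this check reads.
    cfg = {"stat_prefix": name, "cluster": name, **tcp_proxy_fields}
    return {"name": name, "filter_chains": [{"filters": [
        {"name": "envoy.filters.network.tcp_proxy", "typed_config": cfg}]}]}


# Constructed sample: one config that would now fail startup validation,
# one that sets the limit to zero, and one left on the default mode.
SAMPLE = {"static_resources": {"listeners": [
    _listener("a", upstream_connect_mode="ON_DOWNSTREAM_DATA"),
    _listener("b", upstream_connect_mode="ON_DOWNSTREAM_TLS_HANDSHAKE",
              max_early_data_bytes=0),
    _listener("c"),
]}}

if __name__ == "__main__":
    # With a path argument, check that JSON file; otherwise check the sample.
    config = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for path, mode in find_violations(config):
        print(f"{path}: {mode} without max_early_data_bytes")
    sys.exit(1 if find_violations(config) else 0)
```

The non-zero exit status lets the check gate a deployment pipeline before the new version is rolled out.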