diff --git a/envoy/COMMIT b/envoy/COMMIT
index 74da887882..57f6273192 100644
--- a/envoy/COMMIT
+++ b/envoy/COMMIT
@@ -1 +1 @@
-b6c24ab35f5227f3e524f3d77f3e2a8ff3e24a15
+88543c9c37f389ff6d2650bb7aae211563ab0485
diff --git a/envoy/config/listener/v3/quic_config.pb.go b/envoy/config/listener/v3/quic_config.pb.go
index 2a70107c3d..ea97b5987e 100755
--- a/envoy/config/listener/v3/quic_config.pb.go
+++ b/envoy/config/listener/v3/quic_config.pb.go
@@ -27,7 +27,7 @@ const (
 )
 
 // Configuration specific to the UDP QUIC listener.
-// [#next-free-field: 13]
+// [#next-free-field: 14]
 type QuicProtocolOptions struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
@@ -83,6 +83,10 @@ type QuicProtocolOptions struct {
 	// Cmsg may be truncated or omitted if expected size is not set.
 	// If not specified, no cmsg will be saved to QuicReceivedPacket.
 	SaveCmsgConfig []*v3.SocketCmsgHeaders `protobuf:"bytes,12,rep,name=save_cmsg_config,json=saveCmsgConfig,proto3" json:"save_cmsg_config,omitempty"`
+	// If true, the listener will reject connection-establishing packets at the
+	// QUIC layer by replying with an empty version negotiation packet to the
+	// client.
+	RejectNewConnections bool `protobuf:"varint,13,opt,name=reject_new_connections,json=rejectNewConnections,proto3" json:"reject_new_connections,omitempty"`
 }
 
 func (x *QuicProtocolOptions) Reset() {
@@ -201,6 +205,13 @@ func (x *QuicProtocolOptions) GetSaveCmsgConfig() []*v3.SocketCmsgHeaders {
 	return nil
 }
 
+func (x *QuicProtocolOptions) GetRejectNewConnections() bool {
+	if x != nil {
+		return x.RejectNewConnections
+	}
+	return false
+}
+
 var File_envoy_config_listener_v3_quic_config_proto protoreflect.FileDescriptor
 
 var file_envoy_config_listener_v3_quic_config_proto_rawDesc = []byte{
@@ -229,8 +240,8 @@ var file_envoy_config_listener_v3_quic_config_proto_rawDesc = []byte{
 	0x74, 0x6f, 0x1a, 0x21, 0x75, 0x64, 0x70, 0x61, 0x2f, 0x61, 0x6e, 0x6e, 0x6f, 0x74, 0x61, 0x74,
 	0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x69, 0x6e, 0x67, 0x2e,
 	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x17, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x2f,
-	0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xd3,
-	0x09, 0x0a, 0x13, 0x51, 0x75, 0x69, 0x63, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x4f,
+	0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x89,
+	0x0a, 0x0a, 0x13, 0x51, 0x75, 0x69, 0x63, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x4f,
 	0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x5d, 0x0a, 0x15, 0x71, 0x75, 0x69, 0x63, 0x5f, 0x70,
 	0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x5f, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18,
 	0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x29, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f,
@@ -304,19 +315,23 @@ var file_envoy_config_listener_v3_quic_config_proto_rawDesc = []byte{
 	0x6f, 0x72, 0x65, 0x2e, 0x76, 0x33, 0x2e, 0x53, 0x6f, 0x63, 0x6b, 0x65, 0x74, 0x43, 0x6d, 0x73,
 	0x67, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x42, 0x08, 0xfa, 0x42, 0x05, 0x92, 0x01, 0x02,
 	0x10, 0x01, 0x52, 0x0e, 0x73, 0x61, 0x76, 0x65, 0x43, 0x6d, 0x73, 0x67, 0x43, 0x6f, 0x6e, 0x66,
-	0x69, 0x67, 0x3a, 0x30, 0x9a, 0xc5, 0x88, 0x1e, 0x2b, 0x0a, 0x29, 0x65, 0x6e, 0x76, 0x6f, 0x79,
-	0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x32, 0x2e, 0x6c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72,
-	0x2e, 0x51, 0x75, 0x69, 0x63, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x4f, 0x70, 0x74,
-	0x69, 0x6f, 0x6e, 0x73, 0x42, 0x8f, 0x01, 0xba, 0x80, 0xc8, 0xd1, 0x06, 0x02, 0x10, 0x02, 0x0a,
-	0x26, 0x69, 0x6f, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x2e, 0x65,
-	0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x6c, 0x69, 0x73, 0x74,
-	0x65, 0x6e, 0x65, 0x72, 0x2e, 0x76, 0x33, 0x42, 0x0f, 0x51, 0x75, 0x69, 0x63, 0x43, 0x6f, 0x6e,
-	0x66, 0x69, 0x67, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x4a, 0x67, 0x69, 0x74, 0x68,
-	0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x70, 0x72, 0x6f, 0x78,
-	0x79, 0x2f, 0x67, 0x6f, 0x2d, 0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x2d, 0x70, 0x6c, 0x61,
-	0x6e, 0x65, 0x2f, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2f,
-	0x6c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, 0x2f, 0x76, 0x33, 0x3b, 0x6c, 0x69, 0x73, 0x74,
-	0x65, 0x6e, 0x65, 0x72, 0x76, 0x33, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x69, 0x67, 0x12, 0x34, 0x0a, 0x16, 0x72, 0x65, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x6e, 0x65, 0x77,
+	0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x0d, 0x20, 0x01,
+	0x28, 0x08, 0x52, 0x14, 0x72, 0x65, 0x6a, 0x65, 0x63, 0x74, 0x4e, 0x65, 0x77, 0x43, 0x6f, 0x6e,
+	0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x3a, 0x30, 0x9a, 0xc5, 0x88, 0x1e, 0x2b, 0x0a,
+	0x29, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x32, 0x2e, 0x6c, 0x69,
+	0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, 0x2e, 0x51, 0x75, 0x69, 0x63, 0x50, 0x72, 0x6f, 0x74, 0x6f,
+	0x63, 0x6f, 0x6c, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x42, 0x8f, 0x01, 0xba, 0x80, 0xc8,
+	0xd1, 0x06, 0x02, 0x10, 0x02, 0x0a, 0x26, 0x69, 0x6f, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x70,
+	0x72, 0x6f, 0x78, 0x79, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69,
+	0x67, 0x2e, 0x6c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, 0x2e, 0x76, 0x33, 0x42, 0x0f, 0x51,
+	0x75, 0x69, 0x63, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01,
+	0x5a, 0x4a, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x65, 0x6e, 0x76,
+	0x6f, 0x79, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x2f, 0x67, 0x6f, 0x2d, 0x63, 0x6f, 0x6e, 0x74, 0x72,
+	0x6f, 0x6c, 0x2d, 0x70, 0x6c, 0x61, 0x6e, 0x65, 0x2f, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2f, 0x63,
+	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2f, 0x6c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, 0x2f, 0x76,
+	0x33, 0x3b, 0x6c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, 0x76, 0x33, 0x62, 0x06, 0x70, 0x72,
+	0x6f, 0x74, 0x6f, 0x33,
 }
 
 var (
diff --git a/envoy/config/listener/v3/quic_config.pb.validate.go b/envoy/config/listener/v3/quic_config.pb.validate.go
index b3077ab6c6..efd3db9c46 100755
--- a/envoy/config/listener/v3/quic_config.pb.validate.go
+++ b/envoy/config/listener/v3/quic_config.pb.validate.go
@@ -408,6 +408,8 @@ func (m *QuicProtocolOptions) validate(all bool) error {
 
 	}
 
+	// no validation rules for RejectNewConnections
+
 	if len(errors) > 0 {
 		return QuicProtocolOptionsMultiError(errors)
 	}
diff --git a/envoy/config/listener/v3/quic_config_vtproto.pb.go b/envoy/config/listener/v3/quic_config_vtproto.pb.go
index 22873d0e11..7dba379882 100755
--- a/envoy/config/listener/v3/quic_config_vtproto.pb.go
+++ b/envoy/config/listener/v3/quic_config_vtproto.pb.go
@@ -51,6 +51,16 @@ func (m *QuicProtocolOptions) MarshalToSizedBufferVTStrict(dAtA []byte) (int, er
 		i -= len(m.unknownFields)
 		copy(dAtA[i:], m.unknownFields)
 	}
+	if m.RejectNewConnections {
+		i--
+		if m.RejectNewConnections {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i--
+		dAtA[i] = 0x68
+	}
 	if len(m.SaveCmsgConfig) > 0 {
 		for iNdEx := len(m.SaveCmsgConfig) - 1; iNdEx >= 0; iNdEx-- {
 			if vtmsg, ok := interface{}(m.SaveCmsgConfig[iNdEx]).(interface {
@@ -376,6 +386,9 @@ func (m *QuicProtocolOptions) SizeVT() (n int) {
 			n += 1 + l + protohelpers.SizeOfVarint(uint64(l))
 		}
 	}
+	if m.RejectNewConnections {
+		n += 2
+	}
 	n += len(m.unknownFields)
 	return n
 }