feat(ip-restriction): Add TCP support (#6679)

[merusso]

Summary

This change adds TCP support to the ip-restriction plugin by implementing the Stream module's preread function.

When a TCP connection is rejected due to IP restriction rules, a JSON error response is written to the stream and the connection is closed.

Note: This change is based on branch release/2.8.x so it targets this branch. However, since it is a new feature, it would probably be added in a 2.9.x release instead. There isn't currently a release/2.9.x or release/2.x branch.

Checklist

• The Pull Request has tests
• There's an entry in the CHANGELOG
• There is a user-facing docs PR against https://github.com/Kong/docs.konghq.com - PUT DOCS PR HERE

Full changelog

• Add protocols to schema: "tcp", "tls", "grpc", "grpcs"
• Implement preread function
• Make handler logic generic to be shared by HTTP and TCP

Issue reference

Fix #6679

[CLAassistant]

All committers have signed the CLA.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

---

Michael Russo seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[merusso]

I forgot to note that we updated the rejection message format also. This is causing tests to fail.

Will this string format change be accepted? It is technically unrelated to enabling TCP, but it helps us troubleshoot issues with rejected requests.

[hbagdi]

Can you please rebase this on top of 'master' and target it for 'master'?
New features always go into the mainline development branch (named master) first.

[scrudge]

Can you please rebase this on top of 'master' and target it for 'master'? New features always go into the mainline development branch (named master) first.

We have a separate PR for master. The code has changed a bit between the 2 versions.

[hbagdi]

In that case, please get the other PR merged first and then we will move forward with this.
We don't ship features in patch releases so I'm not sure if we can even move forward with this or not.
cc @dndx

[locao]

Why does this line overwrite the conf.status value?

[merusso]

Good question. This preserves the existing behavior which also uses a hardcoded status 403 instead of conf.status.

[merusso]

In that case, please get the other PR merged first and then we will move forward with this.
We don't ship features in patch releases so I'm not sure if we can even move forward with this or not.

I'm happy to target a 2.9.x or 2.x branch for this feature change if one becomes available.

[hbagdi]

Let's first get the PR targeting the master branch merged. We can then cherry-pick it back.

[merusso]

Sounds good. We'll continue working on PR #10245.

[hanshuebner]

Closing as we intend to backport #10245 instead.