
Infinite ports and CIDRs #1222

Merged
merged 7 commits into from
Jul 19, 2023

Commits on Jul 18, 2023

  1. Permit any number of port numbers in matches

    The sock and skb types permit matching on port numbers. The port numbers
    were stored as a list in the kernel selectors, which forced an upper
    limit on the number of ports that could be specified.
    
    This commit stores the specified ports in an argfilter map so that
    theoretically any number of ports could be specified without exceeding
    any obvious limits. The map is a hash of port numbers instead of a list.
    
    In addition, all value types, including SPort and DPort, can now take a
    range, specified as min:max.
    
    Signed-off-by: Kevin Sheldrake <kevin.sheldrake@isovalent.com>
    kevsecurity committed Jul 18, 2023 (commit b44966b)
  2. Add NotSport and NotDport selectors to sockets

    For sock and skb types it is possible to match on source and destination
    ports. This commit adds the ability to match on the source or
    destination ports not being in a list or range.
    
    Signed-off-by: Kevin Sheldrake <kevin.sheldrake@isovalent.com>
    kevsecurity committed Jul 18, 2023 (commit effd419)
  3. Add socket matchers for privileged ports

    The socket matchers for sock and skb types can match on a set or range
    of specified ports, for both membership and non-membership of the set,
    and for both source and destination ports. One obvious use case would be
    to match on the set of privileged ports, from 0 to 1023 inclusive. As
    this is a common, unchanging set, it makes sense to provide options to
    match on this set without having to specify it as a range. This will
    reduce the number of ports needed to be set in a map, will reduce the
    number of argfilter maps, and will reduce the complexity in the BPF code
    by a map lookup.
    
    This commit introduces the SPortPriv, NotSPortPriv, DPortPriv and
    NotDPortPriv operators that match the sock and skb ports to the
    privileged set. They do not take a value argument.
    
    Signed-off-by: Kevin Sheldrake <kevin.sheldrake@isovalent.com>
    kevsecurity committed Jul 18, 2023 (commit d343835)
  4. Move IPv4 CIDR matches to map lookup

    We currently supply a list of IPv4 CIDRs to match sock and skb types on.
    This is limited to a small number due to complexity reasons. There is a
    desire to be able to match on any number of CIDRs. This commit moves the
    specification of the CIDRs to an LPM trie map, which allows longest prefix
    matching (which was designed for CIDR lookups). Any number of CIDRs can
    now be specified.
    
    Also, check that protocol is only specified for sock/skb types.
    
    Signed-off-by: Kevin Sheldrake <kevin.sheldrake@isovalent.com>
    kevsecurity committed Jul 18, 2023 (commit 80df909)
  5. Add NotSAddr and NotDAddr matchers to sockets

    Given that we can match on IPv4 CIDRs, it makes sense that we should
    also be able to match on address not being in the specified ranges.
    These Not matchers can be combined with the existing ones to exclude
    individual addresses or sub-ranges from larger ranges.
    
    For example, DAddr: 192.168.1.0/24 would match everything in the given
    subnet. But combined with NotDAddr: 192.168.1.1 would exclude this
    specific IP address from the match.
    
    Alternatively, just using NotDAddr: 127.0.0.0/8 would exclude all
    localhost traffic from the match.
    
    Signed-off-by: Kevin Sheldrake <kevin.sheldrake@isovalent.com>
    kevsecurity committed Jul 18, 2023 (commit 6bd4bf8)
  6. Update documentation for socket matching

    This commit adds documentation for matching socks and skbs.
    
    Signed-off-by: Kevin Sheldrake <kevin.sheldrake@isovalent.com>
    kevsecurity committed Jul 18, 2023 (commit aa1ebe6)
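The semantics described in commits 1, 3, 4 and 5 above (min:max port ranges, the fixed privileged set, CIDRs held in an LPM trie, and NotDAddr excluding a host or sub-range from a wider DAddr), as an added user-space model written for this page rather than Tetragon's own Go or BPF code. It assumes that matchers within one selector are ANDed, covers IPv4 destination-side operators only (the source-side ones mirror them), and uses its own names `LpmTrie`, `match_dest` and the `(min, max)` tuple form for a range.

```python
from ipaddress import IPv4Address, IPv4Network

# User-space model of the BPF LPM trie map the CIDR matchers moved to: a binary trie over
# the 32 address bits, where a node is marked when a stored CIDR ends at its depth.
# Illustrative code written for this page, not Tetragon's own implementation.
class LpmTrie:
    def __init__(self, cidrs):
        self.root = [None, None, False]       # [child for bit 0, child for bit 1, ends_here]
        for cidr in cidrs:                     # a bare host such as "192.168.1.1" is a /32
            net = IPv4Network(cidr, strict=False)
            bits, node = int(net.network_address), self.root
            for i in range(net.prefixlen):
                b = (bits >> (31 - i)) & 1
                if node[b] is None:
                    node[b] = [None, None, False]
                node = node[b]
            node[2] = True

    def longest_match(self, addr):
        """Return the length of the longest stored prefix covering addr, or -1 if none."""
        bits, node, best = int(IPv4Address(addr)), self.root, -1
        for depth in range(33):
            if node[2]:
                best = depth
            node = node[(bits >> (31 - depth)) & 1] if depth < 32 else None
            if node is None:
                break
        return best


def in_ports(port, ranges):
    """ranges holds (min, max) pairs, the min:max form added for SPort/DPort; one port is (p, p)."""
    return any(lo <= port <= hi for lo, hi in ranges)


PRIVILEGED = [(0, 1023)]  # the fixed set behind SPortPriv/DPortPriv: 0-1023 inclusive, no value


def match_dest(addr, port, dport=(), not_dport=(), dport_priv=False, not_dport_priv=False,
               daddr=None, not_daddr=None):
    """Apply the destination-side operators to one (addr, port) pair. Unset operators are
    skipped; set ones are ANDed (assumption, as the commit's DAddr + NotDAddr example implies)."""
    if (dport and not in_ports(port, dport)) or in_ports(port, not_dport):
        return False
    if (dport_priv and not in_ports(port, PRIVILEGED)) or (not_dport_priv and in_ports(port, PRIVILEGED)):
        return False
    if daddr is not None and daddr.longest_match(addr) < 0:
        return False
    # NotDAddr: any stored prefix covering the address excludes it, e.g. 192.168.1.1 inside /24
    return not_daddr is None or not_daddr.longest_match(addr) < 0
```

With `daddr=LpmTrie(["192.168.1.0/24"])` and `not_daddr=LpmTrie(["192.168.1.1"])`, 192.168.1.7 matches and 192.168.1.1 does not, reproducing the exclusion the commit message describes.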

Commits on Jul 19, 2023

  1. Add tests for the new sock/skb operators

    This commit adds tests to confirm that the sock/skb operators are
    working correctly. Limited the new tests to TCP sock only, because skb
    works in exactly the same way and adding tests for UDP and/or skb would
    only duplicate tests for little benefit.
    
    Also, stop checking protocol on sock tests as this is unreliable.
    
    Signed-off-by: Kevin Sheldrake <kevin.sheldrake@isovalent.com>
    kevsecurity committed Jul 19, 2023 (commit 61c8eaf)