Implement IP deny/allow ACL rules

[zetaab]

What type of PR is this?
feat: add Support for Allow/Deny IP Subnets

What this PR does / why we need it:

Usually there needs to be way to deny / allow subnets for single routes / entire gateway.

Which issue(s) this PR fixes:
Fixes #2462

Notes to reviewers

disclaimer: This is my first bigger PR to this repository

Questions

• Gateway level ACL definitions works. However, if route do have any ACL rules the route will override the Gateway ACL settings. Like mentioned in Support Allow/Deny IP Subnets #2462 (comment) how this should work? Is this behavior ok?
• This applies rules only to http, there is RBAC policy for network level as well (but those cannot be applied to route level). It might be needed if envoy gateway is used for tcp stuff? That is perhaps task to another PR?
• Not sure does it work out of the box with ipv6, I do not have k8s with ipv6 to verify it.

I have verified this PR manually by following test cases:

route: allow ip - ok (allowed ip works and others not)
route: deny ip - ok (denied ip does not work and others will work)
route: allow big cidr, deny single ip(s) from allowed cidr - ok (big cidr works except denied ips)
route: deny big cidr, allow single ip(s) from denied cidr - not working, but it should not either? (whole big cidr does not work, no matter is there something in allow)

gateway: allow ip - ok (allowed ip works and others not)
gateway: deny ip - ok (denied ip does not work and others will work)
gateway: allow big cidr, deny single ip(s) from allowed cidr - ok (big cidr works except denied ips)
gateway: deny big cidr, allow single ip(s) from denied cidr - not working, but it should not either? (whole big cidr does not work, no matter is there something in allow)

[codecov]

Codecov Report

Attention: 92 lines in your changes are missing coverage. Please review.

Comparison is base (a5125bf) 63.41% compared to head (8d67476) 63.33%.

Files	Patch %	Lines
internal/ir/zz_generated.deepcopy.go	0.00%	32 Missing and 1 partial ⚠️
internal/xds/translator/acl.go	76.76%	22 Missing and 11 partials ⚠️
internal/gatewayapi/securitypolicy.go	18.75%	24 Missing and 2 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2639      +/-   ##
==========================================
- Coverage   63.41%   63.33%   -0.08%     
==========================================
  Files         119      120       +1     
  Lines       19227    19436     +209     
==========================================
+ Hits        12193    12310     +117     
- Misses       6222     6300      +78     
- Partials      812      826      +14     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[zirain]

is there a common struct from upstream(gateway api or kubernetes)? maybe use a.b.c.d/24 for better UX?

[zirain]

Please submit the API design first, otherwise there may be a lot of waste.

[zetaab]

separate PR opened about apis first #2652