cmd/containerboot,kube/ingressservices: proxy VIPService TCP/UDP traffic to cluster Services (#15897)

cmd/containerboot,kube/ingressservices: proxy VIPService TCP/UDP traffic to cluster Services

This PR is part of the work to implement HA for Kubernetes Operator's
network layer proxy.
Adds logic to containerboot to monitor mounted ingress firewall configuration rules
and update iptables/nftables rules as the config changes.
Also adds new shared types for the ingress configuration.
The implementation is intentionally similar to that of HA for the egress proxy.

Updates tailscale/tailscale#15895

Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
Signed-off-by: Irbe Krumina <irbe@tailscale.com>
This commit is contained in:
Irbe Krumina
2025-05-19 10:42:03 +01:00
committed by GitHub
parent 469fabd8de
commit 6b97e615d6
10 changed files with 1456 additions and 804 deletions


@@ -16,8 +16,8 @@ type FakeNetfilterRunner struct {
// services is a map that tracks the firewall rules added/deleted via
// EnsureDNATRuleForSvc/DeleteDNATRuleForSvc.
services map[string]struct {
VIPServiceIP netip.Addr
ClusterIP netip.Addr
TailscaleServiceIP netip.Addr
ClusterIP netip.Addr
}
}
@@ -25,16 +25,16 @@ type FakeNetfilterRunner struct {
func NewFakeNetfilterRunner() *FakeNetfilterRunner {
return &FakeNetfilterRunner{
services: make(map[string]struct {
VIPServiceIP netip.Addr
ClusterIP netip.Addr
TailscaleServiceIP netip.Addr
ClusterIP netip.Addr
}),
}
}
func (f *FakeNetfilterRunner) EnsureDNATRuleForSvc(svcName string, origDst, dst netip.Addr) error {
f.services[svcName] = struct {
VIPServiceIP netip.Addr
ClusterIP netip.Addr
TailscaleServiceIP netip.Addr
ClusterIP netip.Addr
}{origDst, dst}
return nil
}
@@ -45,8 +45,8 @@ func (f *FakeNetfilterRunner) DeleteDNATRuleForSvc(svcName string, origDst, dst
}
func (f *FakeNetfilterRunner) GetServiceState() map[string]struct {
VIPServiceIP netip.Addr
ClusterIP netip.Addr
TailscaleServiceIP netip.Addr
ClusterIP netip.Addr
} {
return f.services
}