xds: replace net with netip in xds/xdsclient and xds/server (#8909)

Updates #8884

This PR replace `net.IP` and `net.IPNet` with `netip.Addr` and
`netip.Prefix` in directories `internal/xds/xdsclient` and
`internal/xds/server`

RELEASE NOTES: 
- TBD

Author: chengxilo

internal/xds/server/filter_chain_manager.go

@@ -21,7 +21,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"net"
+	"net/netip"
 	"slices"
 	"strings"
 	"sync/atomic"
@@ -67,7 +67,7 @@ func newFilterChainManager(filterChainConfigs *xdsresource.NetworkFilterChainMap
 
 	if filterChainConfigs != nil {
 		for _, entry := range filterChainConfigs.DstPrefixes {
-			dstEntry := &destPrefixEntry{net: entry.Prefix}
+			dstEntry := &destPrefixEntry{prefix: entry.Prefix}
 
 			for i, srcPrefixes := range entry.SourceTypeArr {
 				if len(srcPrefixes.Entries) == 0 {
@@ -77,7 +77,7 @@ func newFilterChainManager(filterChainConfigs *xdsresource.NetworkFilterChainMap
 				dstEntry.srcTypeArr[i] = stDest
 				for _, srcEntryConfig := range srcPrefixes.Entries {
 					srcEntry := &sourcePrefixEntry{
-						net:        srcEntryConfig.Prefix,
+						prefix:     srcEntryConfig.Prefix,
 						srcPortMap: make(map[int]*filterChain, len(srcEntryConfig.PortMap)),
 					}
 					stDest.srcPrefixes = append(stDest.srcPrefixes, srcEntry)
@@ -140,7 +140,7 @@ func (fcm *filterChainManager) stop() {
 // destPrefixEntry contains a destination prefix entry and associated source
 // type matchers.
 type destPrefixEntry struct {
-	net        *net.IPNet
+	prefix     netip.Prefix
 	srcTypeArr sourceTypesArray
 }
 
@@ -164,7 +164,7 @@ type sourcePrefixes struct {
 // sourcePrefixEntry contains a source prefix entry and associated source port
 // matchers.
 type sourcePrefixEntry struct {
-	net        *net.IPNet
+	prefix     netip.Prefix
 	srcPortMap map[int]*filterChain
 }
 
@@ -204,10 +204,10 @@ type routeWithInterceptors struct {
 }
 
 type lookupParams struct {
-	isUnspecifiedListener bool   // Whether the server is listening on a wildcard address.
-	dstAddr               net.IP // dstAddr is the local address of an incoming connection.
-	srcAddr               net.IP // srcAddr is the remote address of an incoming connection.
-	srcPort               int    // srcPort is the remote port of an incoming connection.
+	isUnspecifiedListener bool       // Whether the server is listening on a wildcard address.
+	dstAddr               netip.Addr // dstAddr is the local address of an incoming connection.
+	srcAddr               netip.Addr // srcAddr is the remote address of an incoming connection.
+	srcPort               int        // srcPort is the remote port of an incoming connection.
 }
 
 // lookup returns the most specific matching filter chain to be used for an
@@ -223,7 +223,7 @@ func (fcm *filterChainManager) lookup(params lookupParams) (*filterChain, error)
 	}
 
 	srcType := sourceTypeExternal
-	if params.srcAddr.Equal(params.dstAddr) || params.srcAddr.IsLoopback() {
+	if params.srcAddr == params.dstAddr || params.srcAddr.IsLoopback() {
 		srcType = sourceTypeSameOrLoopback
 	}
 	srcPrefixes := filterBySourceType(dstPrefixes, srcType)
@@ -250,7 +250,7 @@ func (fcm *filterChainManager) lookup(params lookupParams) (*filterChain, error)
 // matching algorithm. It takes the complete set of configured filter chain
 // matchers and returns the most specific matchers based on the destination
 // prefix match criteria (the prefixes which match the most number of bits).
-func filterByDestinationPrefixes(dstPrefixes []*destPrefixEntry, isUnspecified bool, dstAddr net.IP) []*destPrefixEntry {
+func filterByDestinationPrefixes(dstPrefixes []*destPrefixEntry, isUnspecified bool, dstAddr netip.Addr) []*destPrefixEntry {
 	if !isUnspecified {
 		// Destination prefix matchers are considered only when the listener is
 		// bound to the wildcard address.
@@ -259,18 +259,18 @@ func filterByDestinationPrefixes(dstPrefixes []*destPrefixEntry, isUnspecified b
 
 	var matchingDstPrefixes []*destPrefixEntry
 	maxSubnetMatch := noPrefixMatch
-	for _, prefix := range dstPrefixes {
-		if prefix.net != nil && !prefix.net.Contains(dstAddr) {
+	for _, entry := range dstPrefixes {
+		if entry.prefix.IsValid() && !entry.prefix.Contains(dstAddr) {
 			// Skip prefixes which don't match.
 			continue
 		}
-		// For unspecified prefixes, since we do not store a real net.IPNet
+		// For unspecified prefixes, since we do not store a real netip.Prefix
 		// inside prefix, we do not perform a match. Instead we simply set
 		// the matchSize to -1, which is less than the matchSize (0) for a
 		// wildcard prefix.
 		matchSize := unspecifiedPrefixMatch
-		if prefix.net != nil {
-			matchSize, _ = prefix.net.Mask.Size()
+		if entry.prefix.IsValid() {
+			matchSize = entry.prefix.Bits()
 		}
 		if matchSize < maxSubnetMatch {
 			continue
@@ -279,7 +279,7 @@ func filterByDestinationPrefixes(dstPrefixes []*destPrefixEntry, isUnspecified b
 			maxSubnetMatch = matchSize
 			matchingDstPrefixes = make([]*destPrefixEntry, 0, 1)
 		}
-		matchingDstPrefixes = append(matchingDstPrefixes, prefix)
+		matchingDstPrefixes = append(matchingDstPrefixes, entry)
 	}
 	return matchingDstPrefixes
 }
@@ -293,12 +293,12 @@ func filterBySourceType(dstPrefixes []*destPrefixEntry, srcType sourceType) []*s
 		srcPrefixes      []*sourcePrefixes
 		bestSrcTypeMatch sourceType
 	)
-	for _, prefix := range dstPrefixes {
+	for _, entry := range dstPrefixes {
 		match := srcType
-		srcPrefix := prefix.srcTypeArr[srcType]
+		srcPrefix := entry.srcTypeArr[srcType]
 		if srcPrefix == nil {
 			match = sourceTypeAny
-			srcPrefix = prefix.srcTypeArr[sourceTypeAny]
+			srcPrefix = entry.srcTypeArr[sourceTypeAny]
 		}
 		if match < bestSrcTypeMatch {
 			continue
@@ -319,22 +319,22 @@ func filterBySourceType(dstPrefixes []*destPrefixEntry, srcType sourceType) []*s
 // filterBySourcePrefixes is the third stage of the filter chain matching
 // algorithm. It trims the filter chains based on the source prefix. At most one
 // filter chain with the most specific match progress to the next stage.
-func filterBySourcePrefixes(srcPrefixes []*sourcePrefixes, srcAddr net.IP) (*sourcePrefixEntry, error) {
+func filterBySourcePrefixes(srcPrefixes []*sourcePrefixes, srcAddr netip.Addr) (*sourcePrefixEntry, error) {
 	var matchingSrcPrefixes []*sourcePrefixEntry
 	maxSubnetMatch := noPrefixMatch
 	for _, sp := range srcPrefixes {
-		for _, prefix := range sp.srcPrefixes {
-			if prefix.net != nil && !prefix.net.Contains(srcAddr) {
+		for _, entry := range sp.srcPrefixes {
+			if entry.prefix.IsValid() && !entry.prefix.Contains(srcAddr) {
 				// Skip prefixes which don't match.
 				continue
 			}
-			// For unspecified prefixes, since we do not store a real net.IPNet
+			// For unspecified prefixes, since we do not store a real netip.Prefix
 			// inside prefix, we do not perform a match. Instead we simply set
 			// the matchSize to -1, which is less than the matchSize (0) for a
 			// wildcard prefix.
 			matchSize := unspecifiedPrefixMatch
-			if prefix.net != nil {
-				matchSize, _ = prefix.net.Mask.Size()
+			if entry.prefix.IsValid() {
+				matchSize = entry.prefix.Bits()
 			}
 			if matchSize < maxSubnetMatch {
 				continue
@@ -343,7 +343,7 @@ func filterBySourcePrefixes(srcPrefixes []*sourcePrefixes, srcAddr net.IP) (*sou
 				maxSubnetMatch = matchSize
 				matchingSrcPrefixes = make([]*sourcePrefixEntry, 0, 1)
 			}
-			matchingSrcPrefixes = append(matchingSrcPrefixes, prefix)
+			matchingSrcPrefixes = append(matchingSrcPrefixes, entry)
 		}
 	}
 	if len(matchingSrcPrefixes) == 0 {

internal/xds/server/filter_chain_manager_test.go

@@ -21,7 +21,6 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"net"
 	"net/netip"
 	"strings"
 	"testing"
@@ -219,7 +218,7 @@ func (s) TestLookup_Failures(t *testing.T) {
 			},
 			params: lookupParams{
 				isUnspecifiedListener: true,
-				dstAddr:               net.IPv4(10, 1, 1, 1),
+				dstAddr:               netip.AddrFrom4([4]byte([]byte{10, 1, 1, 1})),
 			},
 			wantErr: "no matching filter chain based on destination prefix match",
 		},
@@ -238,8 +237,8 @@ func (s) TestLookup_Failures(t *testing.T) {
 			},
 			params: lookupParams{
 				isUnspecifiedListener: true,
-				dstAddr:               net.IPv4(192, 168, 100, 1),
-				srcAddr:               net.IPv4(192, 168, 100, 2),
+				dstAddr:               netip.AddrFrom4([4]byte([]byte{192, 168, 100, 1})),
+				srcAddr:               netip.AddrFrom4([4]byte([]byte{192, 168, 100, 2})),
 			},
 			wantErr: "no matching filter chain based on source type match",
 		},
@@ -258,8 +257,8 @@ func (s) TestLookup_Failures(t *testing.T) {
 			},
 			params: lookupParams{
 				isUnspecifiedListener: true,
-				dstAddr:               net.IPv4(192, 168, 100, 1),
-				srcAddr:               net.IPv4(192, 168, 100, 1),
+				dstAddr:               netip.AddrFrom4([4]byte([]byte{192, 168, 100, 1})),
+				srcAddr:               netip.AddrFrom4([4]byte([]byte{192, 168, 100, 1})),
 			},
 			wantErr: "no matching filter chain after all match criteria",
 		},
@@ -283,8 +282,8 @@ func (s) TestLookup_Failures(t *testing.T) {
 			params: lookupParams{
 				// IsUnspecified is not set. This means that the destination
 				// prefix matchers will be ignored.
-				dstAddr: net.IPv4(192, 168, 100, 1),
-				srcAddr: net.IPv4(192, 168, 100, 1),
+				dstAddr: netip.AddrFrom4([4]byte([]byte{192, 168, 100, 1})),
+				srcAddr: netip.AddrFrom4([4]byte([]byte{192, 168, 100, 1})),
 				srcPort: 1,
 			},
 			wantErr: "multiple matching filter chains",
@@ -301,8 +300,8 @@ func (s) TestLookup_Failures(t *testing.T) {
 			},
 			params: lookupParams{
 				isUnspecifiedListener: true,
-				dstAddr:               net.IPv4(192, 168, 100, 1),
-				srcAddr:               net.IPv4(192, 168, 100, 1),
+				dstAddr:               netip.AddrFrom4([4]byte([]byte{192, 168, 100, 1})),
+				srcAddr:               netip.AddrFrom4([4]byte([]byte{192, 168, 100, 1})),
 				srcPort:               80,
 			},
 			wantErr: "no matching filter chain after all match criteria",
@@ -419,7 +418,7 @@ func (s) TestLookup_Successes(t *testing.T) {
 			lis:  lisWithDefaultChain,
 			params: lookupParams{
 				isUnspecifiedListener: true,
-				dstAddr:               net.IPv4(10, 1, 1, 1),
+				dstAddr:               netip.AddrFrom4([4]byte([]byte{10, 1, 1, 1})),
 			},
 			wantFC: &filterChain{
 				securityCfg:       &xdsresource.SecurityConfig{IdentityInstanceName: "default"},
@@ -432,8 +431,8 @@ func (s) TestLookup_Successes(t *testing.T) {
 			lis:  lisWithoutDefaultChain,
 			params: lookupParams{
 				isUnspecifiedListener: true,
-				dstAddr:               netip.MustParseAddr("2001:68::db8").AsSlice(),
-				srcAddr:               net.IPv4(10, 1, 1, 1),
+				dstAddr:               netip.MustParseAddr("2001:68::db8"),
+				srcAddr:               netip.AddrFrom4([4]byte([]byte{10, 1, 1, 1})),
 				srcPort:               1,
 			},
 			wantFC: &filterChain{
@@ -447,8 +446,8 @@ func (s) TestLookup_Successes(t *testing.T) {
 			lis:  lisWithoutDefaultChain,
 			params: lookupParams{
 				isUnspecifiedListener: true,
-				dstAddr:               net.IPv4(10, 1, 1, 1),
-				srcAddr:               net.IPv4(10, 1, 1, 1),
+				dstAddr:               netip.AddrFrom4([4]byte([]byte{10, 1, 1, 1})),
+				srcAddr:               netip.AddrFrom4([4]byte([]byte{10, 1, 1, 1})),
 				srcPort:               1,
 			},
 			wantFC: &filterChain{
@@ -462,8 +461,8 @@ func (s) TestLookup_Successes(t *testing.T) {
 			lis:  lisWithoutDefaultChain,
 			params: lookupParams{
 				isUnspecifiedListener: true,
-				dstAddr:               netip.MustParseAddr("2001:68::1").AsSlice(),
-				srcAddr:               netip.MustParseAddr("2001:68::2").AsSlice(),
+				dstAddr:               netip.MustParseAddr("2001:68::1"),
+				srcAddr:               netip.MustParseAddr("2001:68::2"),
 				srcPort:               1,
 			},
 			wantFC: &filterChain{
@@ -477,8 +476,8 @@ func (s) TestLookup_Successes(t *testing.T) {
 			lis:  lisWithoutDefaultChain,
 			params: lookupParams{
 				isUnspecifiedListener: true,
-				dstAddr:               net.IPv4(192, 168, 100, 1),
-				srcAddr:               net.IPv4(192, 168, 100, 1),
+				dstAddr:               netip.AddrFrom4([4]byte([]byte{192, 168, 100, 1})),
+				srcAddr:               netip.AddrFrom4([4]byte([]byte{192, 168, 100, 1})),
 				srcPort:               80,
 			},
 			wantFC: &filterChain{
@@ -492,8 +491,8 @@ func (s) TestLookup_Successes(t *testing.T) {
 			lis:  lisWithoutDefaultChain,
 			params: lookupParams{
 				isUnspecifiedListener: true,
-				dstAddr:               net.IPv4(192, 168, 1, 1),
-				srcAddr:               net.IPv4(10, 1, 1, 1),
+				dstAddr:               netip.AddrFrom4([4]byte([]byte{192, 168, 1, 1})),
+				srcAddr:               netip.AddrFrom4([4]byte([]byte{10, 1, 1, 1})),
 				srcPort:               80,
 			},
 			wantFC: &filterChain{
@@ -507,8 +506,8 @@ func (s) TestLookup_Successes(t *testing.T) {
 			lis:  lisWithoutDefaultChain,
 			params: lookupParams{
 				isUnspecifiedListener: true,
-				dstAddr:               net.IPv4(192, 168, 1, 1),
-				srcAddr:               net.IPv4(192, 168, 92, 100),
+				dstAddr:               netip.AddrFrom4([4]byte([]byte{192, 168, 1, 1})),
+				srcAddr:               netip.AddrFrom4([4]byte([]byte{192, 168, 92, 100})),
 				srcPort:               70,
 			},
 			wantFC: &filterChain{
@@ -522,8 +521,8 @@ func (s) TestLookup_Successes(t *testing.T) {
 			lis:  lisWithoutDefaultChain,
 			params: lookupParams{
 				isUnspecifiedListener: true,
-				dstAddr:               net.IPv4(192, 168, 1, 1),
-				srcAddr:               net.IPv4(192, 168, 92, 100),
+				dstAddr:               netip.AddrFrom4([4]byte([]byte{192, 168, 1, 1})),
+				srcAddr:               netip.AddrFrom4([4]byte([]byte{192, 168, 92, 100})),
 				srcPort:               80,
 			},
 			wantFC: &filterChain{
@@ -779,8 +778,8 @@ func (s) TestLookup_DroppedChainFallback(t *testing.T) {
 	}
 	params := lookupParams{
 		isUnspecifiedListener: true,
-		dstAddr:               net.IPv4(192, 168, 100, 1),
-		srcAddr:               net.IPv4(192, 168, 100, 1),
+		dstAddr:               netip.AddrFrom4([4]byte([]byte{192, 168, 100, 1})),
+		srcAddr:               netip.AddrFrom4([4]byte([]byte{192, 168, 100, 1})),
 		srcPort:               80,
 	}
 

internal/xds/server/listener_wrapper.go

@@ -23,6 +23,7 @@ package server
 import (
 	"fmt"
 	"net"
+	"net/netip"
 	"sync"
 	"time"
 
@@ -307,10 +308,12 @@ func (l *listenerWrapper) Accept() (net.Conn, error) {
 			continue
 		}
 
+		destIP, _ := netip.AddrFromSlice(destAddr.IP)
+		srcIP, _ := netip.AddrFromSlice(srcAddr.IP)
 		fc, err := l.activeFilterChainManager.lookup(lookupParams{
 			isUnspecifiedListener: l.isUnspecifiedAddr,
-			dstAddr:               destAddr.IP,
-			srcAddr:               srcAddr.IP,
+			dstAddr:               destIP.Unmap(),
+			srcAddr:               srcIP.Unmap(),
 			srcPort:               srcAddr.Port,
 		})
 		if err != nil {

internal/xds/xdsclient/xdsresource/filter_chain.go

@@ -19,7 +19,7 @@ package xdsresource
 
 import (
 	"fmt"
-	"net"
+	"net/netip"
 
 	"google.golang.org/grpc/internal/xds/xdsclient/xdsresource/version"
 
@@ -40,7 +40,7 @@ type NetworkFilterChainMap struct {
 // source type matchers.
 type DestinationPrefixEntry struct {
 	// Prefix is the destination IP prefix.
-	Prefix *net.IPNet
+	Prefix netip.Prefix
 	// SourceTypeArr contains the source type matchers. The supported source
 	// types and their associated indices in the array are:
 	//   - 0: Any: matches connection attempts from any source.
@@ -59,7 +59,7 @@ type SourcePrefixes struct {
 // port matchers.
 type SourcePrefixEntry struct {
 	// Prefix is the source IP prefix.
-	Prefix *net.IPNet
+	Prefix netip.Prefix
 	// PortMap contains the matchers for source ports.
 	PortMap map[int]NetworkFilterChainConfig
 }