feat(server): add PROXY protocol v2 support for real client IP handling and connection ACLs

rust/src/acl.rs

@@ -11,6 +11,30 @@ pub enum AclResult {
     DenyDst,
 }
 
+/// Check whether a connection source IP is in a server-level block list.
+/// Used for pre-handshake rejection of known-bad IPs.
+pub fn is_connection_blocked(ip: Ipv4Addr, block_list: &[String]) -> bool {
+    ip_matches_any(ip, block_list)
+}
+
+/// Check whether a source IP is allowed by allow/block lists.
+/// Returns true if the IP is permitted (not blocked and passes allow check).
+pub fn is_source_allowed(ip: Ipv4Addr, allow_list: Option<&[String]>, block_list: Option<&[String]>) -> bool {
+    // Deny overrides allow
+    if let Some(bl) = block_list {
+        if ip_matches_any(ip, bl) {
+            return false;
+        }
+    }
+    // If allow list exists and is non-empty, IP must match
+    if let Some(al) = allow_list {
+        if !al.is_empty() && !ip_matches_any(ip, al) {
+            return false;
+        }
+    }
+    true
+}
+
 /// Check whether a packet from `src_ip` to `dst_ip` is allowed by the client's security policy.
 ///
 /// Evaluation order (deny overrides allow):