prevent EasyTier-managed IPv6 from being used as underlay connections (#2181)

When a node has public IPv6 addresses allocated by EasyTier, those addresses
are installed on the host's network interfaces. The system would then pick
them up as candidate source/destination addresses for underlay connections
(direct peer, UDP hole punch, bind addresses), causing overlay traffic to
loop back into the overlay itself.

Add a central predicate is_ip_easytier_managed_ipv6() and apply it at every
point where IPv6 addresses are selected for underlay use:
- Filter managed IPv6 from DNS-resolved connector addresses, including a
  UDP socket getsockname check to detect whether the OS would route through
  the overlay to reach a destination
- Skip managed IPv6 in bind address selection and STUN candidate filtering
- Strip managed IPv6 from GetIpListResponse RPC so peers never learn them
- Pass pre-resolved addresses to tunnel connectors to avoid re-resolution

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

easytier/src/connector/udp_hole_punch/common.rs

@@ -719,25 +719,31 @@ async fn check_udp_socket_local_addr(
 ) -> Result<(), Error> {
     let socket = UdpSocket::bind("0.0.0.0:0").await?;
     socket.connect(remote_mapped_addr).await?;
-    if let Ok(local_addr) = socket.local_addr() {
-        // local_addr should not be equal to an EasyTier-managed virtual/public address.
-        match local_addr.ip() {
-            IpAddr::V4(ip) => {
-                if global_ctx.get_ipv4().map(|ip| ip.address()) == Some(ip) {
-                    return Err(anyhow::anyhow!("local address is virtual ipv4").into());
-                }
-            }
-            IpAddr::V6(ip) => {
-                if global_ctx.is_ip_local_ipv6(&ip) {
-                    return Err(anyhow::anyhow!("local address is easytier-managed ipv6").into());
-                }
-            }
-        }
+    if let Ok(local_addr) = socket.local_addr()
+        && let Some(err) = easytier_managed_local_addr_error(&global_ctx, local_addr)
+    {
+        return Err(anyhow::anyhow!(err).into());
     }
 
     Ok(())
 }
 
+fn easytier_managed_local_addr_error(
+    global_ctx: &ArcGlobalCtx,
+    local_addr: SocketAddr,
+) -> Option<&'static str> {
+    // local_addr should not be equal to an EasyTier-managed virtual/public address.
+    match local_addr.ip() {
+        IpAddr::V4(ip) if global_ctx.get_ipv4().map(|ip| ip.address()) == Some(ip) => {
+            Some("local address is virtual ipv4")
+        }
+        IpAddr::V6(ip) if global_ctx.is_ip_easytier_managed_ipv6(&ip) => {
+            Some("local address is easytier-managed ipv6")
+        }
+        _ => None,
+    }
+}
+
 pub(crate) async fn try_connect_with_socket(
     global_ctx: ArcGlobalCtx,
     socket: Arc<UdpSocket>,
@@ -763,11 +769,29 @@ pub(crate) async fn try_connect_with_socket(
 
 #[cfg(test)]
 mod tests {
+    use std::{collections::BTreeSet, net::SocketAddr};
+
+    use crate::common::global_ctx::tests::get_mock_global_ctx;
+
     use super::{
-        MAX_PUBLIC_UDP_HOLE_PUNCH_LISTENERS, should_create_public_listener,
-        should_retry_public_listener_selection,
+        MAX_PUBLIC_UDP_HOLE_PUNCH_LISTENERS, easytier_managed_local_addr_error,
+        should_create_public_listener, should_retry_public_listener_selection,
     };
 
+    #[tokio::test]
+    async fn local_addr_check_rejects_easytier_public_ipv6_route() {
+        let global_ctx = get_mock_global_ctx();
+        let public_route: cidr::Ipv6Inet = "2001:db8::4/128".parse().unwrap();
+        global_ctx.set_public_ipv6_routes(BTreeSet::from([public_route]));
+
+        let local_addr: SocketAddr = "[2001:db8::4]:1234".parse().unwrap();
+
+        assert_eq!(
+            easytier_managed_local_addr_error(&global_ctx, local_addr),
+            Some("local address is easytier-managed ipv6")
+        );
+    }
+
     #[test]
     fn listener_selection_prefers_reuse_before_cap() {
         assert!(!should_create_public_listener(1, true, true, false, false));