prevent EasyTier-managed IPv6 from being used as underlay connections (#2181)

When a node has public IPv6 addresses allocated by EasyTier, those addresses
are installed on the host's network interfaces. The system would then pick
them up as candidate source/destination addresses for underlay connections
(direct peer, UDP hole punch, bind addresses), causing overlay traffic to
loop back into the overlay itself.

Add a central predicate is_ip_easytier_managed_ipv6() and apply it at every
point where IPv6 addresses are selected for underlay use:
- Filter managed IPv6 from DNS-resolved connector addresses, including a
  UDP socket getsockname check to detect whether the OS would route through
  the overlay to reach a destination
- Skip managed IPv6 in bind address selection and STUN candidate filtering
- Strip managed IPv6 from GetIpListResponse RPC so peers never learn them
- Pass pre-resolved addresses to tunnel connectors to avoid re-resolution

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

easytier/src/peers/public_ipv6.rs

@@ -243,6 +243,8 @@ impl PublicIpv6Service {
                 .copied()
                 .collect::<Vec<_>>();
             *cached_routes = routes;
+            self.global_ctx
+                .set_public_ipv6_routes(cached_routes.clone());
             self.global_ctx
                 .issue_event(GlobalCtxEvent::PublicIpv6RoutesUpdated(added, removed));
         }