
Add network route access control on client #2298

Conversation

lixmal
Contributor

@lixmal lixmal commented Jul 22, 2024

Describe your changes

Add:

  • Methods to set up forward rules for routed traffic (network ACLs) according to the network map

Modify:

  • Apply ACLs in engine as early as possible to avoid security issues
  • Insert instead of append all netbird rules in existing input/output/forward chains
  • Rename existing ACLs to "peer ACLs"
  • Use dedicated type for route ID where possible
  • Use netip.Prefix instead of string where possible

Fix:

  • Management proto and network map:
    • Add default return traffic permit when there's no ACL applied to the network route
    • Fix missing protocol in default rules
    • Partially add IPv6 rules to DNS routes

Remove:

  • Default accept in forward chains
  • Rules in prerouting chains
  • Fwmark accept rules in output chains
  • Src addresses in output chains
  • Dst addresses in input chains
  • Dysfunctional rule in output chains
  • Accept traffic initiated by routed networks behind routing peers in input chains

The prerouting/fwmark parts were used as substitutes for route ACLs to prevent locally routed networks (e.g. containers) from bypassing the input rules (because forward rules match the traffic).

Issue ticket number and link

Checklist

  • Is it a bug fix
  • Is a typo/documentation fix
  • Is a feature enhancement
  • It is a refactor
  • Created tests that fail without the change (if possible)
  • Extended the README / documentation, if necessary

@CLAassistant

CLAassistant commented Jul 22, 2024

CLA assistant check
All committers have signed the CLA.

@lixmal lixmal changed the base branch from main to feature/network-route-access-control July 22, 2024 08:05
@lixmal lixmal force-pushed the feature/network-route-access-control-client branch from 023e93d to 65ea678 Compare July 22, 2024 08:11

@lixmal lixmal merged commit 8dba8f1 into feature/network-route-access-control Aug 6, 2024
21 checks passed
@lixmal lixmal deleted the feature/network-route-access-control-client branch August 6, 2024 08:45