feat: Add IPv6 support for ingress and egress firewall rules

[saiaunghlyanhtet]

This patch implements dual-stack IPv6/IPv4 support with separate BPF maps for each IP version, allowing both IPv4 and IPv6 rules to coexist and be processed efficiently.

Userspace changes:

• models/rule.rs: Add IpAddr enum (V4/V6) support to PolicyRule
• bpf_user/maps.rs: Implement dual-stack BPF map management
  • Add RuleEntryV6 and RuleMetadataV6 structs (matching C layout)
  • Create separate IPv6 maps (rules_v6, metadata_v6, rule_stats_v6)
  • Update list_all_metadata() to query both IPv4 and IPv6 maps
  • Update get_rule_metadata() to search both maps, return PolicyRule
  • Update delete_rule_metadata() to handle both IP versions
  • Fix struct sizes: RuleEntryV6=28 bytes, RuleMetadataV6=216 bytes
• policy/parser.rs: Add IPv6 CIDR parsing and validation
• state.rs: Update for dual-stack PolicyRule handling
• tests: Add 5 new IPv6-specific test cases (111 total tests passing)

Kernel-side (BPF) changes:

• bpf/firebee_common.h: Define IPv6 structures and maps
  • Add rule_entry_v6, rule_metadata_v6, rule_stats_v6 structs
  • Create rules_v6_map, metadata_v6_map, rule_stats_v6_map
  • Add MAX_ACTIVE_RULES=128 (separate from MAX_RULES=1024 storage) to avoid BPF verifier 1M instruction limit
• bpf/firebee_helpers.h: Implement ipv6_matches() function
  • Use explicit array indexing (no loops) to avoid variable-offset stack reads that trigger BPF verifier errors
  • Support IPv6 CIDR prefix matching with /0 to /128 ranges
• bpf/firebee.bpf.c: Add XDP ingress IPv6 packet processing
  • Parse IPv6 headers and extract src/dst addresses
  • Check both IPv4 and IPv6 rule sets
  • Support ICMPv6 (protocol 58) in addition to TCP/UDP/ICMP
• bpf/firebee_egress.bpf.c: Add TC egress IPv6 packet processing
  • Mirror ingress implementation for egress direction
  • Track statistics in rule_stats_v6_map