serviceability: restrict device tunnel block to private/link-local

[elitegreg]

Resolves: #3832

Summary of Changes

• Enforce that the global-config device_tunnel_block is a private (RFC1918) or link-local (RFC3927) prefix when set onchain, matching the restriction already applied to device interface IPs.
• Reject any out-of-range block (public, CGNAT, multicast, unspecified, etc.) with a new DoubleZeroError::InvalidDeviceTunnelBlock (custom code 88) instead of silently accepting it.
• Other global-config blocks (user_tunnel_block, multicastgroup_block, multicast_publisher_block) are intentionally left unchanged.

Diff Breakdown

Category	Files	Lines (+/-)	Net
Tests	1	+129 / -0	+129
Core logic	2	+30 / -2	+28
Scaffolding	1	+4 / -0	+4
Total	4	+163 / -2	+161

Small, focused enforcement change; the bulk of the line count is the new acceptance test.

Key files (click to expand)

• smartcontract/programs/doublezero-serviceability/tests/globalconfig_test.rs — new acceptance test: public block rejected with Custom(88); private and link-local blocks accepted.
• smartcontract/programs/doublezero-serviceability/src/helper.rs — adds is_private_or_link_local() helper plus unit test covering RFC1918/RFC3927 vs public/CGNAT/multicast/unspecified.
• smartcontract/programs/doublezero-serviceability/src/processors/globalconfig/set.rs — validates device_tunnel_block in process_set_globalconfig before writing state; un-gates the msg! import.
• smartcontract/programs/doublezero-serviceability/src/error.rs — adds the InvalidDeviceTunnelBlock variant and its From mappings.

Testing Verification

• New integration test globalconfig_test.rs asserts a public device_tunnel_block (8.8.8.0/24) fails with InvalidDeviceTunnelBlock, while 10.100.0.0/24 (private) and 169.254.0.0/24 (link-local) succeed.
• New unit test for is_private_or_link_local covers the allowed and rejected ranges.
• Full serviceability lib suite (257 tests) and clippy (-Dclippy::all -Dwarnings) pass.