[management, client] Add IPv6 overlay support (#5631)

shared/management/proto/management.proto

@@ -200,6 +200,18 @@ message Flags {
   bool enableSSHLocalPortForwarding = 13;
   bool enableSSHRemotePortForwarding = 14;
   bool disableSSHAuth = 15;
+
+  bool disableIPv6 = 16;
+}
+
+// PeerCapability represents a feature the client binary supports.
+// Reported in PeerSystemMeta.capabilities on every login/sync.
+enum PeerCapability {
+  PeerCapabilityUnknown = 0;
+  // Client reads SourcePrefixes instead of the deprecated PeerIP string.
+  PeerCapabilitySourcePrefixes = 1;
+  // Client handles IPv6 overlay addresses and firewall rules.
+  PeerCapabilityIPv6Overlay = 2;
 }
 
 // PeerSystemMeta is machine meta data like OS and version.
@@ -221,6 +233,8 @@ message PeerSystemMeta {
   Environment environment = 15;
   repeated File files = 16;
   Flags flags = 17;
+
+  repeated PeerCapability capabilities = 18;
 }
 
 message LoginResponse {
@@ -335,6 +349,9 @@ message PeerConfig {
 
   // Auto-update config
   AutoUpdateSettings autoUpdate = 8;
+
+  // IPv6 overlay address as compact bytes: 16 bytes IP + 1 byte prefix length.
+  bytes address_v6 = 9;
 }
 
 message AutoUpdateSettings {
@@ -567,7 +584,8 @@ enum RuleAction {
 
 // FirewallRule represents a firewall rule
 message FirewallRule {
-  string PeerIP = 1;
+  // Use sourcePrefixes instead.
+  string PeerIP = 1 [deprecated = true];
   RuleDirection Direction = 2;
   RuleAction Action = 3;
   RuleProtocol Protocol = 4;
@@ -576,6 +594,13 @@ message FirewallRule {
 
   // PolicyID is the ID of the policy that this rule belongs to
   bytes PolicyID = 7;
+
+  // CustomProtocol is a custom protocol ID when Protocol is CUSTOM.
+  uint32 customProtocol = 8;
+
+  // Compact source IP prefixes for this rule, supersedes PeerIP.
+  // Each entry is 5 bytes (v4) or 17 bytes (v6): [IP bytes][1 byte prefix_len].
+  repeated bytes sourcePrefixes = 9;
 }
 
 message NetworkAddress {