feat: per-client NAT filtering via LWIP_HOOK_IP4_CANFORWARD

- Add lwip_tollgate_hooks.h defining LWIP_HOOK_IP4_CANFORWARD macro
- Inject hook into lwIP build via CMakeLists.txt ESP_IDF_LWIP_HOOK_FILENAME
- Filter forwarded packets by source IP against firewall allowed list
- Only filter packets from AP subnet (10.192.45.0/24), allow all others
- Fix byte order bug: use network byte order for firewall_is_client_allowed
- NAT always enabled, removed global NAT toggle functions
- Remove spent-secret tracking from session.c (mint is authority)
- Remove unused get_ap_netif() function
- Reduce API server stack from 32KB to 16KB (fixes ESP_ERR_HTTPD_TASK)
- Add esp_random.h stub for unit tests
- All 186 unit tests passing
- Verified on hardware: block->pay->allow->revoke->block E2E works

1 files changed, 4 insertions, 2 deletions

diff --git a/main/firewall.h b/main/firewall.h
index e5d492a..f177eaa 100644
--- a/main/firewall.h
+++ b/main/firewall.h
@@ -6,11 +6,11 @@
 #include <stdbool.h>
 #include <stdint.h>
 
+struct pbuf;
+
 #define FW_MAX_MAC_LEN 18
 
 esp_err_t firewall_init(esp_ip4_addr_t ap_ip);
-void firewall_enable_nat(void);
-void firewall_disable_nat(void);
 void firewall_grant_access(uint32_t client_ip);
 void firewall_revoke_access(uint32_t client_ip);
 void firewall_revoke_all(void);
@@ -20,4 +20,6 @@ int firewall_client_count(void);
 
 esp_err_t firewall_get_mac_for_ip(uint32_t client_ip, char *mac_out, size_t mac_out_size);
 
+int tollgate_ip4_canforward_filter(struct pbuf *p, uint32_t dest_addr_hostorder);
+
 #endif