honor remote_allow_ilst in hole punch response

When we receive a "hole punch notification" from a Lighthouse, we send
a hole punch packet to every remote of that host, even if we don't
include those remotes in our "remote_allow_list". Change the logic here
to check if the remote IP is in our allow list before sending the hole
punch packet.

lighthouse.go

@@ -1125,12 +1125,18 @@ func (lhh *LightHouseHandler) handleHostPunchNotification(n *NebulaMeta, vpnIp i
 		}
 	}
 
+	remoteVpnIp := iputil.VpnIp(n.Details.VpnIp)
+	remoteAllowList := lhh.lh.GetRemoteAllowList()
 	for _, a := range n.Details.Ip4AndPorts {
-		punch(NewUDPAddrFromLH4(a))
+		if remoteAllowList.AllowIpV4(remoteVpnIp, iputil.VpnIp(a.Ip)) {
+			punch(NewUDPAddrFromLH4(a))
+		}
 	}
 
 	for _, a := range n.Details.Ip6AndPorts {
-		punch(NewUDPAddrFromLH6(a))
+		if remoteAllowList.AllowIpV6(remoteVpnIp, a.Hi, a.Lo) {
+			punch(NewUDPAddrFromLH6(a))
+		}
 	}
 
 	// This sends a nebula test packet to the host trying to contact us. In the case