feat: add L4 load balancer backed by nftables DNAT

The balancer reuses the router's IX IP as the VIP. Each balancer
occupies a distinct port. Backends are private devices behind the
router; nftables `numgen inc mod N` distributes connections
round-robin while masquerade ensures return traffic routes through
the router.

New public types: `Balancer`, `BalancerBuilder`, `LbAlgorithm`,
`LbProtocol`. Builder created via `Router::add_balancer(name, port)`.
Runtime `add_backend`/`remove_backend` regenerate rules in place.
IPv6 rules are generated when the router has a dual-stack uplink.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: Frando