feat(relay): filter invalid source MACs

PLAN.md requires rejecting broadcast, multicast, and otherwise invalid source
MACs. Client ingress already had a forged-source check against the registered
client identity, but gateway ingress could still forward Ethernet frames whose
source MAC was not valid unicast.

Add an explicit `InvalidSourceMac` drop reason and filter invalid Ethernet
source MACs before client source authorization and last-seen refresh. This keeps
invalid source addresses out of both remote-client and gateway forwarding paths
while preserving `UnauthorizedSourceMac` for valid unicast sources that simply
belong to another client identity.

Document the invalid-source filter in the relay README decomposition.

Test Plan:
- cargo fmt --check
- cargo test -p lanparty-obs -p lanparty-relay
- cargo test --workspace
- cargo clippy --workspace --all-targets -- -D warnings
- git diff --check

Refs: PLAN.md

crates/lanparty-obs/src/lib.rs

@@ -30,6 +30,7 @@ pub enum FrameAction {
 pub enum DropReason {
     Malformed,
     JumboFrame,
+    InvalidSourceMac,
     UnauthorizedSourceMac,
     DuplicateMac,
     ControlPlaneEtherType,