add sanity check in case someone adds an RFC1918/RFC6598/etc address to loopback

includes/routeros-v7-aggregation-router/firewall.j2

@@ -65,7 +65,16 @@ add action=drop chain=input comment="protect router's control plane"
     {%- if interface.name in ('loopback',) %}
         {%- for address in interface|get_addresses %}
             {%- if address|ipv4 %}
-                {%- do nat_source_ips.append(address.address.split("/")[0]) %}
+                {#- sanity-check for public IPv4 addresses -#}
+                {%- set address0 = address.address.split(".",0)|int %}
+                {%- set address1 = address.address.split(".",1)|int %}
+                {%- if not ( ( address0 == 10 )
+                             or ( ( address0 == 172 ) and ( address1 >=16 ) and ( address1 <= 31 ) )
+                             or ( ( address0 == 192 ) and ( address1 == 168 ) )
+                             or ( ( address0 == 100 ) and ( address1 >= 64 ) and ( address1 <= 127 ) )
+                             or ( ( address0 == 169 ) and ( address1 == 254 ) ) ) %}
+                    {%- do nat_source_ips.append(address.address.split("/")[0]) %}
+                {%- endif %}
             {%- endif %}
         {%- endfor %}
     {%- endif %}