“Expose” objects should be considered directional (at the moment, in NAT, they are not). When processing a packet that does not yet have an entry in the session table, we should only accept it if the source VPC for the packet has associated NAT rules in its configuration, and we should drop it otherwise.
This requires marking, in the NAT context object, which VPC each Expose rule originates from. It also likely requires reconsidering what happens for IPs that are outside of the exposed ranges (currently treated as simply non-NATed IPs).
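The decision described above, as an added example model rather than the project's own code: `ExposeRule`, `NatContext`, `Packet` and `classify` are hypothetical names, the session table is a constructed set keyed on address pairs (address translation itself is left out), and out-of-range sources keep today's non-NATed behaviour.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed model of the directional "Expose" check; names are hypothetical.

@dataclass(frozen=True)
class ExposeRule:
    vpc: str       # VPC the rule was configured in (the proposed "origin" marking)
    exposed: str   # private prefix that this VPC exposes, e.g. "10.0.0.0/24"

@dataclass
class NatContext:
    rules: list = field(default_factory=list)

    def rules_for(self, vpc):
        # Only rules that originate from this VPC count for this VPC's outbound packets.
        return [r for r in self.rules if r.vpc == vpc]

@dataclass(frozen=True)
class Packet:
    src_vpc: str
    src_ip: str
    dst_ip: str

def classify(pkt, sessions, ctx):
    """Return 'session', 'nat', 'passthrough' or 'drop' for one packet."""
    if (pkt.src_ip, pkt.dst_ip) in sessions:
        return "session"          # established flow (either direction): no policy check needed
    rules = ctx.rules_for(pkt.src_vpc)
    if not rules:
        return "drop"             # new flow from a VPC with no NAT rules: directional drop
    if any(ip_address(pkt.src_ip) in ip_network(r.exposed) for r in rules):
        # Create state for the new NATed flow; the reverse key lets replies match.
        sessions.add((pkt.src_ip, pkt.dst_ip))
        sessions.add((pkt.dst_ip, pkt.src_ip))
        return "nat"
    # Source outside the VPC's exposed ranges: kept as today (non-NATed), flagged for review.
    return "passthrough"
```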