Firewall: Add support for arbitrary rules for input, output and forward #12940
This extends the firewall to support arbitrary rules for the INPUT, OUTPUT and FORWARD chains. All the rules are placed in nixos-fw-[input|output|forward] chains. It also adds support to define the default policies of the chains.

Logging works as a special target. When hits for a rule should be logged, this rule has to be defined twice, once with the LOG target and once with the actual action. Or you just rely on logRejectedPackets.

The old nixos-fw chain is deleted first. This is only really needed when switching to this new feature branch and activating the config the first time. But for this one case it's needed, as otherwise the accept and refuse chains can't be deleted. Also delete the invalid chain to allow reload to work.

For debugging it's now possible to run only the ipv6 tests or only the ipv4 tests. Maybe this should even be extracted into a parameter before including this in nixos.
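As an added example (not code from this PR or from NixOS) of the chain layout and the "define a logged rule twice" behaviour the description above refers to: a POSIX shell generator that only prints the iptables commands, so they can be reviewed before anything is applied. The rule format, the log prefix, the policy values and the `IPT` variable are this example's assumptions.

```shell
#!/bin/sh
# Added example, not the PR's own code. Commands are printed, never executed.
IPT="${IPT:-iptables}"   # set IPT=ip6tables to render the IPv6 side

# fw_rule CHAIN ACTION LOG MATCH...
#   CHAIN  : input | output | forward  (mapped to nixos-fw-CHAIN)
#   ACTION : ACCEPT | DROP | REJECT
#   LOG    : yes | no  -> a logged rule is emitted twice: LOG first, then ACTION
fw_rule() {
    chain="nixos-fw-$1"; action="$2"; log="$3"; shift 3
    if [ "$log" = yes ]; then
        printf '%s -A %s %s -j LOG --log-prefix "fw-%s: "\n' "$IPT" "$chain" "$*" "$action"
    fi
    printf '%s -A %s %s -j %s\n' "$IPT" "$chain" "$*" "$action"
}

# fw_setup: tear down the old single nixos-fw chain (unlink it from INPUT first,
# then flush, then delete; a chain that is still referenced or non-empty cannot
# be deleted), create the three per-direction chains, set built-in policies and
# jump into the new chains.
fw_setup() {
    printf '%s -D INPUT -j nixos-fw 2>/dev/null || true\n' "$IPT"
    printf '%s -F nixos-fw 2>/dev/null || true\n' "$IPT"
    printf '%s -X nixos-fw 2>/dev/null || true\n' "$IPT"
    for c in input output forward; do
        printf '%s -N nixos-fw-%s 2>/dev/null || %s -F nixos-fw-%s\n' "$IPT" "$c" "$IPT" "$c"
    done
    printf '%s -P INPUT DROP\n%s -P FORWARD DROP\n%s -P OUTPUT ACCEPT\n' "$IPT" "$IPT" "$IPT"
    printf '%s -A INPUT -j nixos-fw-input\n' "$IPT"
    printf '%s -A OUTPUT -j nixos-fw-output\n' "$IPT"
    printf '%s -A FORWARD -j nixos-fw-forward\n' "$IPT"
}

# fw_render: constructed sample ruleset; the SSH and forward rules are logged.
fw_render() {
    fw_setup
    fw_rule input   ACCEPT no  -m conntrack --ctstate ESTABLISHED,RELATED
    fw_rule input   ACCEPT yes -p tcp --dport 22
    fw_rule forward DROP   yes -i eth0 -o eth1
}

fw_render
```

Pipe the output to `sh` only on a host you administer, after reviewing it.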
Please don't merge this - it conflicts with #22586 and there hasn't been any discussion yet!
Just wanted to make sure anyone is aware of this as I can't see how we (currently) can merge them both. I encourage anyone to compare them and decide which one we use (or we could probably use parts from both). I don't really have much time ATM but I created the following issue to share some of my thoughts/ideas: #23181