iptables: Keep old rules while adding new ones

[jrajahalme]

Keep old iptables rules by renaming Cilium chains so that new rules
can be added while old are still in use. Copy old TPROXY rules from
the renamed old rules. Remove the backups only after new rules have
been successfully added, but keep the copied TPROXY rules, as the
new ones may be installed considerably later.

On first initialization only copy over the DNS proxy TPROXY rules, as
other proxies can't reuse old proxy ports across restarts.

Pick the last applicable proxy port from iptables, if multiple are
present.

Remove stale TPROXY rules once the current port is known and allow
for the case where the TPROXY rule already exists (e.g., from the copy
done from old rules).

This change makes it possible to keep old rules in effect while adding
new ones without special consideration for transient rules.

Fixes: #16364

DNS proxy is now more available during Cilium restarts, including upgrades.

[jrajahalme]

test-me-please

[jrajahalme]

test-me-please

[jrajahalme]

test-1.21-4.9

[jrajahalme]

@borkmann Do you know how atomic the iptables chain rename operation is? Is there still a chance for a significant window where only some of the rules in the table have been updated with a renamed chain while others are maybe still referring to a non-existing chain? This could happen if rules internally refer to chains by name only. If the internal reference is something like a pointer to the chain then there should not be any chance for any connectivity gaps because of this?

[jrajahalme]

test-1.21-4.9 hit by known flake #14959

[jrajahalme]

Rebased to hopefully avoid test flakes fixed in master

[joestringer]

Confirmed that the issue we're hitting in CI here is present on master, so cannot be caused purely by these changes. Let's 🚢