Support for kube-proxy nftables backend (KEP-3866)

[twz123]

Tracking issue for supporting the new nftables backend described in KEP-3866 which landed as an alpha feature in Kubernetes 1.29.

Excerpt from the 1.29 changelog:

kube-proxy now has a new nftables-based mode, available by running

kube-proxy --feature-gates NFTablesProxyMode=true --proxy-mode nftables

This is currently an alpha-level feature and while it probably will not eat your data, it may nibble at it a bit. (It passes e2e testing but has not yet seen real-world use.)

At this point it should be functionally mostly identical to the iptables mode, except that it does not (and will not) support Service NodePorts on 127.0.0.1. (Also note that there are currently no command-line arguments for the nftables-specific config; you will need to use a config file if you want to set the equivalent of any of the --iptables-xxx options.)

As this code is still very new, it has not been heavily optimized yet; while it is expected to eventually have better performance than the iptables backend, very little performance testing has been done so far.

NB: The kube-proxy image will most likely need to include the nft binary for this.