
iptables: Enable nftables.#11027

Merged
jslobodzian merged 1 commit into 3.0-dev from sumsharma/iptables_nftables
Nov 23, 2024

Conversation

@Sumynwa
Contributor

@Sumynwa Sumynwa commented Nov 12, 2024

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge

Summary

This PR enables nftables in iptables to provide iptables-nft (default) & iptables-legacy commands.

This PR fixes https://microsoft.visualstudio.com/OS/_workitems/edit/53647336.

  • When upgrading iptables to this variant, the introduction of alternatives provides the nft variant as the default for iptables | ip6tables | ebtables | arptables.
    The legacy iptables is installed as the -legacy variant.
    iptables_nft_install

  • The upgrade of iptables will start the iptables service and use the nft variant to restore the ipv4|ipv6 configs (by default the one provided as part of the package)
    iptables_new_config

  • The equivalent nft ruleset can be seen by using nft provided by nftables.
    nft_ruleset.txt

  • Without reboot, the old legacy iptables tables and chains will exist. A reboot will clear the legacy iptables rules.

  • Adding new rules will correctly update the nft table.
    iptables_new_add_rule

  • A warning exists when looking at the rules list using iptables-nft (even when the legacy rules are empty):

    Warning: iptables-legacy tables present, use iptables-legacy to see them

    This is due to kernel modules that are still loaded, having been loaded by the legacy iptables, namely:
    iptable_filter
    iptable_nat
    iptable_mangle
    iptable_raw
    iptable_security
    [and their ip6 variants]

Change Log
  • Build iptables with nftables enabled and use alternatives to install the variants
  • Update ebtables to use alternatives to provide legacy variant
Does this affect the toolchain?

NO

Associated issues
  • #xxxx
Links to CVEs
Test Methodology
  • Pipeline build id:

  • Delta Dev-Build
    Verified BuildImage - cvm logs to confirm iptables is installed correctly without any warnings/errors.

  • Buddy Build
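Added example, not code from the PR or the Azure Linux repository: a POSIX shell check for the post-upgrade state the PR summary describes (nft variant as default, stale legacy xtables modules causing the "iptables-legacy tables present" warning, a reboot clearing them). It assumes `iptables -V` reports the backend in parentheses as `(nf_tables)` or `(legacy)`; the module list is the one the PR names with its ip6 variants spelled out, and the `lsmod` / `iptables-legacy-save` samples are constructed.

```shell
# Legacy xtables modules named in the PR description (plus their ip6 variants).
LEGACY_MODULES="iptable_filter iptable_nat iptable_mangle iptable_raw iptable_security
ip6table_filter ip6table_nat ip6table_mangle ip6table_raw ip6table_security"

# Classify an `iptables -V` line, e.g. "iptables v1.8.9 (nf_tables)".
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nft ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Read `lsmod` output on stdin; print each legacy xtables module still loaded.
loaded_legacy_modules() {
    awk 'NR > 1 { print $1 }' | while read -r mod; do
        for m in $LEGACY_MODULES; do
            [ "$mod" = "$m" ] && echo "$mod"
        done
    done
    return 0
}

# Read `iptables-legacy-save` output on stdin; count real rules (-A lines) and
# ignore table/chain headers, since empty legacy tables still trigger the warning.
legacy_rule_count() { grep -c '^-A ' || true; }

# Verdict: nothing legacy left; only stale modules left (a reboot clears them,
# per the PR); or legacy rules / the legacy backend are still in real use.
migration_state() {
    backend=$(iptables_backend "$1")
    mods=$(printf '%s\n' "$2" | loaded_legacy_modules | wc -l | tr -d ' ')
    rules=$(printf '%s\n' "$3" | legacy_rule_count)
    if [ "$backend" = nft ] && [ "$mods" -eq 0 ] && [ "$rules" -eq 0 ]; then
        echo clean
    elif [ "$backend" = nft ] && [ "$rules" -eq 0 ]; then
        echo stale-modules-reboot-needed
    else
        echo legacy-in-use
    fi
}

# Constructed samples: upgraded host, legacy modules still loaded, empty legacy table.
SAMPLE_LSMOD='Module                  Size  Used by
iptable_filter         16384  1
ip6table_filter        16384  1'
SAMPLE_LEGACY_SAVE='*filter
:INPUT ACCEPT [0:0]
COMMIT'
migration_state 'iptables v1.8.9 (nf_tables)' "$SAMPLE_LSMOD" "$SAMPLE_LEGACY_SAVE"
```

On a live host, feed it `"$(iptables -V)" "$(lsmod)" "$(iptables-legacy-save)"` instead of the samples.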

@Sumynwa Sumynwa added 3.0-dev PRs Destined for AzureLinux 3.0 stable-release-shiproom PRs for consideration for stable shiproom labels Nov 12, 2024
@Sumynwa Sumynwa force-pushed the sumsharma/iptables_nftables branch from f4ba632 to 7c63db6 Compare November 12, 2024 12:18
@Sumynwa Sumynwa marked this pull request as ready for review November 15, 2024 08:26
@Sumynwa Sumynwa requested a review from a team as a code owner November 15, 2024 08:26
Comment thread SPECS/iptables/iptables.spec Outdated
@Sumynwa Sumynwa force-pushed the sumsharma/iptables_nftables branch from 7c63db6 to 6dcdcad Compare November 20, 2024 06:21
@jslobodzian jslobodzian merged commit e7143fd into 3.0-dev Nov 23, 2024
@jslobodzian jslobodzian deleted the sumsharma/iptables_nftables branch November 23, 2024 16:33
durgajagadeesh pushed a commit to durgajagadeesh/azurelinux_djpalli that referenced this pull request Dec 31, 2024