
Add dedicated nftables provider#162

Open
jvdsn wants to merge 1 commit into dlenski:master from jvdsn:master

Conversation


@jvdsn jvdsn commented Apr 8, 2026

Arch Linux finally removed the iptables-nft package, completing the migration away from iptables. Most distros have supported nftables for more than 5 years.

This commit adds a provider for nftables that replicates the existing iptables functionality: accept established traffic, drop all other incoming traffic. With iptables-nft, the iptables rules get translated to the following table:

```
# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
        chain INPUT {
                type filter hook input priority filter; policy accept;
                iifname "tun0" xt match "conntrack" counter packets 62004 bytes 34716696 accept
                iifname "tun0" counter packets 0 bytes 0 drop
        }
}
```

Now, the dedicated nftables provider produces the following table:

```
table inet vpn-slice {
        chain input {
                type filter hook input priority filter; policy accept;
                iifname "tun0" ct state { established, related } counter packets 524 bytes 111788 accept
                iifname "tun0" counter packets 0 bytes 0 drop
        }
}
```

The only functional difference is that the new inet table family will match both IPv4 and IPv6.

The script will try the nftables provider by default, and fall back to the iptables provider if /sbin/nft does not exist.
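The provider behaviour the description above lays out, written out as an added Python example (this is not vpn-slice's own code and not the patch under review): it renders the `table inet vpn-slice` ruleset for a given interface, renders the IPv4-only iptables rules with the same effect, and picks nftables when `/sbin/nft` exists and iptables otherwise. The table and chain names are taken from the nft output shown in the PR; the iptables flags (`-m conntrack --ctstate ESTABLISHED,RELATED`) are an assumption about what the existing provider does, inferred from the `xt match "conntrack"` line in the iptables-nft translation. The binary paths are parameters so the selection logic can be exercised without either tool installed.

```python
import os
import re

# Constructed for this example; table and chain names follow the nft output in
# the PR description (assumption: the provider uses the same names).
NFT_TABLE = "vpn-slice"
NFT_CHAIN = "input"
IFACE_RE = re.compile(r"^[A-Za-z0-9_.-]{1,15}$")  # IFNAMSIZ-1 on Linux is 15


def check_iface(iface):
    """Refuse anything that is not a plain interface name before it is
    interpolated into ruleset text or an argv list."""
    if not IFACE_RE.match(iface):
        raise ValueError(f"bad interface name: {iface!r}")
    return iface


def nft_ruleset(iface):
    """Ruleset text for `nft -f -`: inet family (IPv4 and IPv6), accept
    established/related conntrack state on the VPN interface, drop the rest."""
    iface = check_iface(iface)
    return (
        f"table inet {NFT_TABLE} {{\n"
        f"    chain {NFT_CHAIN} {{\n"
        f"        type filter hook input priority filter; policy accept;\n"
        f'        iifname "{iface}" ct state {{ established, related }} counter accept\n'
        f'        iifname "{iface}" counter drop\n'
        f"    }}\n"
        f"}}\n"
    )


def nft_commands(iface, nft="/sbin/nft"):
    """argv lists to load the table (ruleset on stdin) and to remove it again.
    Lists, not shell strings, so the interface name is never shell-parsed."""
    iface = check_iface(iface)
    load = [nft, "-f", "-"]
    remove = [nft, "delete", "table", "inet", NFT_TABLE]
    return load, remove


def iptables_commands(iface, iptables="/sbin/iptables"):
    """argv lists with the same effect for IPv4 only (assumption: this is what
    the existing iptables provider issues)."""
    iface = check_iface(iface)
    return [
        [iptables, "-A", "INPUT", "-i", iface, "-m", "conntrack",
         "--ctstate", "ESTABLISHED,RELATED", "-j", "ACCEPT"],
        [iptables, "-A", "INPUT", "-i", iface, "-j", "DROP"],
    ]


def pick_provider(nft_path="/sbin/nft", exists=os.path.exists):
    """nftables when the nft binary is present, iptables otherwise."""
    return "nftables" if exists(nft_path) else "iptables"


def plan(iface, nft_path="/sbin/nft", exists=os.path.exists):
    """Return (provider, argv lists to run, stdin text or None) without
    executing anything, so the result can be inspected or logged first."""
    provider = pick_provider(nft_path, exists)
    if provider == "nftables":
        load, _ = nft_commands(iface, nft_path)
        return provider, [load], nft_ruleset(iface)
    return provider, iptables_commands(iface), None


if __name__ == "__main__":
    provider, argvs, stdin = plan("tun0")
    print("provider:", provider)
    for argv in argvs:
        print(" ".join(argv))
    if stdin:
        print(stdin, end="")
```

Two design points worth noting: the interface name is validated against the kernel's name constraints before it is interpolated anywhere, so a hostile or mistyped value cannot smuggle extra statements into the ruleset text or the command line; and `plan()` separates deciding what to run from running it, which keeps the firewall changes auditable before `subprocess.run` is ever called.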

@gmacon gmacon (Collaborator) left a comment


This looks fine to me. Thanks!

Comment thread vpn_slice/version.py
2 participants