Support explicit, partial flushing of iptables chains
Some software (for example Docker) adds its own iptables rules directly
at runtime, based on its current configuration. This approach is
incompatible with using something like netfilter-persistent to manage
other rules: when the system rules need to be replaced, the
runtime-generated rules will be destroyed. Trying to use the --noflush
option through the *_RESTORE_NOFLUSH variables will lead to rule
duplication in system-managed chains.

This patch introduces a new pair of options, IPTABLES_EXPLICIT_FLUSH
and its IPv6 equivalent IP6TABLES_EXPLICIT_FLUSH. These options have
no effect unless the matching _RESTORE_NOFLUSH is set to yes. When
their value is auto, the current rules file will be read and all
chains for which rules are defined will be flushed. It is possible to
use the yes:... value, followed by a comma-separated list of
<table>.<chain> values, to specify which chains to flush directly. The
options are disabled by default.

The new options are managed by a single script which is then symlinked
from the plugins.d directory; it will determine which iptables rules
to apply based on the name it is called with.
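The option semantics described above, as an added illustration that is not the netfilter-persistent plugin itself: the script reads a constructed iptables-save style file, derives the <table>.<chain> pairs that an "auto" explicit flush would touch (only chains declared in the file, so runtime-added chains such as Docker's are untouched), accepts the "yes:..." list form, and prints the flush commands rather than running them. The option names IPTABLES_EXPLICIT_FLUSH and _RESTORE_NOFLUSH come from the description; the helper names and the parsing approach are assumptions.

```shell
#!/bin/sh
# Added example, not netfilter-persistent's own code. Computes which chains an
# explicit flush would clear and prints the iptables commands instead of
# executing them, so it can be run safely on any host.

# Constructed sample rules file in iptables-save format (built here for the demo).
SAMPLE_RULES="$(mktemp)"
trap 'rm -f "$SAMPLE_RULES"' EXIT
cat > "$SAMPLE_RULES" <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF

# chains_from_rules_file FILE -> prints one "<table>.<chain>" line per chain
# declared (":NAME ...") in the file. Chains created at runtime by other
# software (e.g. DOCKER, DOCKER-USER) are not declared there and are left alone.
chains_from_rules_file() {
    awk '
        /^\*/ { table = substr($1, 2); next }   # "*filter" -> current table
        /^:/  { print table "." substr($1, 2) } # ":INPUT ..." -> filter.INPUT
    ' "$1"
}

# chains_from_explicit VALUE -> prints the chains named in "yes:t.c,t.c,...".
chains_from_explicit() {
    printf '%s\n' "${1#yes:}" | tr ',' '\n' | sed '/^$/d'
}

# explicit_flush_targets NOFLUSH EXPLICIT FILE
# Mirrors the described semantics (assumed): no effect unless NOFLUSH=yes;
# "auto" reads the rules file; "yes:..." uses the given list; anything else
# (including the default, disabled) selects no chains.
explicit_flush_targets() {
    noflush="$1"; explicit="$2"; rules="$3"
    [ "$noflush" = "yes" ] || return 0
    case "$explicit" in
        auto)  chains_from_rules_file "$rules" ;;
        yes:*) chains_from_explicit "$explicit" ;;
        *)     ;;
    esac
}

# flush_commands NOFLUSH EXPLICIT FILE -> the per-chain flush invocations
# that would precede an "iptables-restore --noflush" of the rules file.
flush_commands() {
    explicit_flush_targets "$@" | while IFS= read -r target; do
        printf 'iptables -t %s -F %s\n' "${target%%.*}" "${target#*.}"
    done
}

# Demo: what an "auto" explicit flush would do for the constructed file.
flush_commands yes auto "$SAMPLE_RULES"
```

Flushing only the chains the rules file declares, and then restoring with --noflush, is what avoids both failure modes in the description: system-managed chains are emptied before being refilled (no duplication), and chains that exist only because another program created them at runtime are never touched.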