control: Prefer nftables for the network driver

Now that the remaining known issues with the nftables backend
have been resolved, it's time to switch away from iptables.

There are a couple of remaining caveats, which are listed in
the NEWS file. Most deployment will realistically end up using
iptables even after this change on account of the nwfilter
driver, which hasn't been converted to nftables yet, being
installed as a (weak) dependency, but at least it's now
possible, with some care, to create a deployment with a
working network driver and no iptables installed.

Note that, even though it's configured at build time to prefer
nftables, libvirt will transparently fall back to iptables if
the former is not available at runtime.

Closes: #938929