It would make sense to have a way to do basic input filtering to restrict access to the management port.
This will require moving nftables to the base image and having us generate the relevant nft rules directly, making sure they can't conflict with Incus' own rules.
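
One way such rule generation could look, as an added example that is not code from the project: a Go function that renders an nft script confined to its own table, so it never edits tables Incus manages. The table name `mgmt_filter`, port 8443, the source prefixes and the choice that an empty allowlist removes the filter are all assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// tableName is an assumed name; a dedicated table keeps these rules apart
// from any tables Incus manages itself.
const tableName = "mgmt_filter"

// RenderRuleset builds an nft script limiting TCP access to port to the
// given source prefixes. An empty list removes the filter (assumed policy).
func RenderRuleset(port uint16, allowed []string) (string, error) {
	var rules []string
	for _, s := range allowed {
		// Strict parsing also stops nft syntax being smuggled in via config.
		p, err := netip.ParsePrefix(s)
		if err != nil {
			return "", fmt.Errorf("invalid source %q: %w", s, err)
		}
		p = p.Masked() // normalise 10.1.2.3/8 to 10.0.0.0/8
		fam := "ip6"
		if p.Addr().Is4() {
			fam = "ip"
		}
		rules = append(rules, fmt.Sprintf("tcp dport %d %s saddr %s accept", port, fam, p))
	}
	var b strings.Builder
	// Create-then-delete makes the script idempotent: the whole table is
	// replaced in one transaction and no other table is touched.
	fmt.Fprintf(&b, "table inet %s\ndelete table inet %s\n", tableName, tableName)
	if len(rules) == 0 {
		return b.String(), nil
	}
	fmt.Fprintf(&b, "table inet %s {\n\tchain input {\n", tableName)
	b.WriteString("\t\ttype filter hook input priority filter; policy accept;\n")
	for _, r := range rules {
		fmt.Fprintf(&b, "\t\t%s\n", r)
	}
	// A drop verdict is final across all tables, so this holds regardless
	// of what other chains on the input hook accept.
	fmt.Fprintf(&b, "\t\ttcp dport %d drop\n\t}\n}\n", port)
	return b.String(), nil
}

func main() {
	out, err := RenderRuleset(8443, []string{"10.1.2.3/8", "fd00::/8"}) // constructed input
	if err != nil {
		panic(err)
	}
	fmt.Print(out) // intended to be loaded with `nft -f -`
}
```

Each prefix gets its own rule rather than an anonymous set, so overlapping prefixes in the allowlist cannot make the load fail.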