Tags: klausman/nfprom

v0.2.0

Major rewrite: use Netlink directly, drop IPT support

This is a major change in how nfprom works:

- we no longer rely on sudo and userspace utilities, instead talking to
  netlink directly, and expecting per-rule comments to determine the
  fields of Prometheus metrics.
- this means we need to run as root or with CAP_NET_ADMIN (connecting to
  NL and dropping privileges does not work, since receive() on NL
  sockets needs elevated privileges).
- The webserver portion runs as a non-privileged user (nobody/nogroup by
  default), reading a file that the elevated-privs process writes.
- There currently is no staleness detection for the file, we may need to
  change that (and export add'l metrics about data age).
- The IPTables portion of nfprom is gone. Modern systems should use
  NFTables, and older systems can use the older version of nfprom.

Open issues:

- Staleness detection (see above)
- Process management is a little rough. Patches welcome.
- There likely are new and exciting bugs.

Signed-off-by: Tobias Klausmann <klausman@schwarzvogel.de>

v0.1.0

Add Mode for NFTables

This restructures the source to split out IPTables-specific code, adds
similarly-separated NFTables code and does some cleanup. Also includes
corresponding documentation updates. The used port (9830) is now official
and thus had to change.