This fixes a packet path vs. control plane race caused by a bogus optimization: When chain is going away we must not elide updating rules[next_generation]. If we do, then access to the 'next generation' really access an old (previous) generation that might reference rules that have already been free'd. Second patch adds a stress-testcase for this bug. I've added a new 'netfilter' directory for this so we can also add other test cases to e.g. exercise netns add/delete or module removal.
